The Fight Against Nation-State Cyberthreats.
Nation-states are becoming an increasing threat in the world of cyberattacks—not just through their intelligence agencies but through hackers and other outsiders they bring on board. To examine these threats, The Wall Street Journal’s Robert McMillan spoke with Michael Chertoff, co-founder and executive chairman of the Chertoff Group advisory firm and former secretary of Homeland Security, and Bob Lord, former chief information security officer for Yahoo and former head of Twitter’s information-security program. Here are edited excerpts.
MCMILLAN: The nation-state threat landscape is evolving. Maybe you could lay out what you’re seeing happening right now.
CHERTOFF: Broadly speaking, there are three categories of things we see nation-states, to some degree or another, pushing. One is getting intellectual property. The second issue is intelligence purposes. The third and more concerning dimension is attacks that are actually designed to enable a military action or to somehow engage in a geopolitical struggle. In Ukraine, there were attacks on the energy infrastructure that caused the lights to go out. We’ve seen similar things in other parts of the world. When you ask people in the national-security area what are they most worried about, it would be a devastating attack on critical infrastructure.
MCMILLAN: We saw some of the dynamics you’re talking about, this sort of muddying of the state actors with criminal actors, in the Yahoo breach. Could you talk about that a little bit, Bob?
LORD: The Justice Department charged four individuals. Two of them were FSB officers. FSB is the largest of the successor agencies to the KGB. They then hired two criminal hackers. One was in Russia, so he’ll probably stay there. One was in Canada. He was extradited to San Francisco.
MCMILLAN: You can perhaps deter a low-level criminal actor. But when it comes to a nation-state attack, how should you think about deterrence?
CHERTOFF: If there are criminals that you can get hold of, you can threaten them with a prosecution. But if they’re doing this in Russia or in a country where they’re tacitly being encouraged, you’re not likely to ever get them inside an American courtroom. Obviously, there are things you can do in terms of sanctions that we’ve done with the Russians. My view is there is a limit to how far you can ride that horse before you exhaust it. There are people who argue that you should hack back. The problem with that is you could easily find yourself in an escalating situation. If you can make it difficult for the adversary, that discourages them to some extent. Unfortunately, we’ve not been successful in making that element of the strategy work as well as it might.
MCMILLAN: Sometimes the categories of attacks blur a bit—nation-states, criminals, insiders. I sometimes wonder if we pay so much attention to nation-state attacks because they’re interesting to write about. But are they overblown?
CHERTOFF: These aren’t mutually exclusive categories. A nation-state may co-opt an insider either by corrupting him or her intentionally or simply by fooling him or her. They may have criminals as well. An important part of this is to recognise that we tend to talk about this as if it is about the adversary having some fantastic tool. Sadly, often what gets by our defences is someone inside who maliciously or even more often negligently or carelessly admits the attacker.
LORD: When I talk to corporate security officers, I see a little bit of this fatalism, which is, “I can’t defend against the most sophisticated, nation-state attack. Therefore, it is a lost game. So I’m not going to start to think deeply about the problem.” But the nation-states aren’t going to be throwing the equivalent of a nuclear warhead when they can use a lockpick. They’re going to do what they need to do to get the job done with the least amount of effort and with the right kinds of tools. So if you’re planning sophisticated attacks but you haven’t really done the basics, the basic hygiene, you’re doing it wrong.
CHERTOFF: We’re attracted to the cutting-edge issues. Even people who are living in this area in the intelligence community, they’re gravitating to the hard problems. But basic stuff like knowing who’s on your network? Patch management, updating, all these kinds of nuts and bolts, plain-vanilla things reduce the surface area for attacks. You don’t want to underestimate the importance of that.
MCMILLAN: There was an important development in 2016, the influence campaign on the U.S. election. Was that a cyber attack?
CHERTOFF: This is a very hot area, and we’re going to have to be careful about it. If you go to Russia and meet with Russian cyberpeople, they love the idea that we talk about information operations as cyber attacks. Only because their version of cybersecurity is, let’s get rid of all the content that we don’t like, starting with CNN and The Wall Street Journal. And that’s cybersecurity. We obviously as a free society don’t equate that with cybersecurity. Cybersecurity to me means protecting against people who are coming in to manipulate your system, steal your data, destroy your data, corrupt your data. But ideas that we don’t like aren’t cyberattacks. They’re dealt with the way we deal with any speech that we disagree with. We counteract it with the facts. We make contrary arguments. Maybe we expose the true identity of the person who was purveying the information. It is important to separate information operations from a classic cyberattack, which isn’t designed to persuade. It is designed to directly disrupt or destroy.
MCMILLAN: Is there something on the horizon that keeps you guys up at night?
CHERTOFF: One would be a significant, destructive attack against critical infrastructure. That would probably be an act of war. Right now, the major players tend to not want to go there. But you look at a country like North Korea, and they seem to operate under a different risk paradigm. The other issue I worry about is fragmentation, everybody pulling the internet into their borders. There’s always been a tension between a borderless internet and state sovereignty. The Chinese are moving somewhat in that direction. It wouldn’t result in the loss of human life, but it would deprive us of what is a very significant economic resource.
Credit: The Wall Street Journal, 18 December 2017.