Nations Seek the Elusive Cure for Cyberattacks
By DAVID E. SANGER JAN. 21, 2018
WASHINGTON — When the “Wannacry” ransomware attack spread
across Britain, Japan, Russia, Taiwan and places in between last May, it took
only a few days for private firms that looked at the code to come to some
pretty quick conclusions. The attack almost certainly came from North Korea.
The North Koreans almost certainly used computer code that had leaked from the
inner sanctum of the National Security Agency. And the ransomware part was a
scam: If you paid off the hackers, your data still wasn’t restored.
Yet it took until October for the British government to
identify North Korea as the culprit in an attack that paralyzed its health care
system for a few days, and until mid-December for the Trump administration, in
a presentation at the White House, to reach that same conclusion.
So what was the penalty for the government in Pyongyang
for unleashing a devastating cyberattack? There was none. Nothing. Not even the
kind of weak economic sanctions that the Obama administration imposed on the
North three years before for its attack on Sony Pictures Entertainment.
“President Trump has used just about every lever you can
use, short of starving the people of North Korea, to change their behavior,”
Mr. Trump’s Homeland Security adviser, Thomas P. Bossert, said when he made the
“name and shame” announcement blaming the North. “So we don’t have a lot of
room left here to apply pressure.”
Securing the world against cyberattacks — from nations,
criminal groups, vandals and teenagers — will be on the agenda when many of the
world’s top leaders gather at the World Economic Forum in Davos, Switzerland,
this week. As usual, there is a flurry of reports, and entrepreneurs will
declare they have technological solutions at hand. But the fact remains that
the major powers of the world have been unable to come up with a viable means
of deterring the most damaging attacks. It still takes too long to formally
identify the culprits, and the responses, as Mr. Bossert indicated, are
insufficient.
Efforts to establish “norms of behavior” got a promising
start, but are now falling apart. No one can even agree on when an act of
aggression in cyberspace amounts to an act of war. The Pentagon, in its first
nuclear strategy review since President Trump took office, is even proposing to
use the threat of unleashing nuclear weapons against a country or group that
delivered a devastating cyberattack against the critical infrastructure of the
United States or its allies. But that doesn’t help with the problem of everyday
attacks.
The most talented state sponsors of attacks — mostly
Russia, China, Iran and North Korea — have carefully calibrated their operations
in cyberspace to achieve their strategic aims while avoiding a real shooting
war. So far they have succeeded. While there have been indictments of Iranian
and Chinese hackers in major strikes on the United States, they have never seen
the inside of an American courtroom.
North Korea has been a case study in how a nation learns
to make use of its cyberweapons for disruption, revenge or profit, without fear
of serious retaliation. It has learned how to station hackers around the world
— in China, Malaysia, Thailand and elsewhere — and has gotten away with bolder
and bolder attacks, from Wannacry to its raid on Bangladesh’s central bank,
which nearly resulted in the theft of a billion dollars. (The transfers were
halted after $81 million had passed through the Swift system, the international
clearinghouse for transactions, after someone at the New York Fed discovered a
spelling error — the word “fandation” for “foundation” — and stopped the heist.)
As James Lewis of the Center for Strategic and International
Studies put it recently, “North Korea is both cautious and cunning in its use
of force, including cyberattack.” But he added: “The North has been successful
only against poorly protected targets, of which there are many, suggesting that
there is a relatively low ceiling for its cyberattack capabilities.”
In fact, the explosion of state-sponsored, sophisticated
cyberattacks over the past seven or eight years has been fueled, in large part,
by the expansion of poorly protected targets. Yes, banks and major utilities
have, for the most part, tightened their defenses, and tens of billions of
dollars have been made by companies promising all kinds of cyber protections,
from the most basic programs loaded on your laptop to sophisticated systems
designed to anticipate future action, or watch for variations in the normal
behavior of users.
But none of that has prevented cyberspace from becoming
what President Barack Obama termed the “Wild, Wild West,” a territory of
anarchy, where adversaries take free shots at one another. In the past five
years, these attacks have become the cheapest way for nations to undercut one
another in the name of bigger strategic goals.
Yet the world has been unable to decide what constitutes
fair game, and what should be off limits. For years officials talked about
their fear of a “cyber Pearl Harbor,” a devastating strike against the power
grid that would turn out the lights from Boston to Washington, or London to
Rome. That has not happened, save for limited strikes in Ukraine, widely
attributed to Russian hackers, that seemed intended to send a message that they
could attack critical infrastructure at any time. Countries have sensed what
would happen if they went too far.
Instead, cyberattacks have taken a far more subtle turn.
The Russian-led attacks on the 2016 American election — and similar efforts in
France and Germany last year — are prime examples. While United Nations experts
had been struggling to come up with “norms of behavior” in cyberspace, a
consensus about what was off-limits — like attacks on power grids or safety
systems, for example — few were thinking about the use of the technology to
influence elections.
In fact, the election systems in the United States — the
foundation of American democracy — were never on the list of “critical
infrastructure” until Mr. Obama’s Homeland Security secretary, Jeh Johnson,
added them in the last days of the administration. By then it was too late.
Infrastructure is only part of the problem. The evidence
that has poured out of the United States after more than a year of congressional
investigations has left no doubt that Russian hackers — working largely on
behalf of two of Moscow’s spy services, the SVR and the GRU — did far more than
use cyber tools to break into the Democratic National Committee and the
accounts of key players in Hillary Clinton’s campaign.
The sophisticated use of “bots” to target key demographic
groups with Twitter messages, Facebook ads and just ordinary-looking social
media exchanges made it clear that we have entered a new world, in which states
marry some of the oldest propaganda techniques with the newest ways to
disseminate a divisive message.
Yet thinking about how to regulate that kind of activity
is tying the West in knots. President Emmanuel Macron in France is proposing
that government authorities be able to take down “fake news” during elections,
declaring in his New Year’s speech that “if we want to protect liberal
democracies, we must be strong and have clear rules.”
Yet those rules clearly could not survive in the United
States, where First Amendment protections would prohibit the government from
stepping in and declaring what is fake and what is not.
President Trump’s own declarations about what constitutes
“fake news” — including articles about the Russian election activity —
underscore the dangers of putting that power into government hands.
There are other complications. After the election hacks
in the United States, many called for “real identities” on the internet, so the
world would know exactly who is tweeting or posting. Sensible as it may sound,
it would also be a boon to the Russians, the Chinese and any authoritarian
government looking to crack down on dissent. In short, the best way to solve
the problem of election meddling and anonymous attacks would be a dictator’s
dream.
There have been a few successes in setting norms of
behavior, particularly when it comes to banning child pornography or cracking
down on intellectual property theft. But those are the easiest issues on which
to agree.
The United States, for example, would never support rules
that banned espionage. And what about rules prohibiting the placement of
“implants” in foreign computer networks, so that in the future they could
monitor activity or plant malware to bring a network down?
American and European officials raise the alarm whenever
they find such implants in their electrical grids. But they also quietly place
them in hundreds of thousands of foreign networks. That is how Presidents Bush
and Obama got inside Iran’s nuclear enrichment site at Natanz, with the Stuxnet
code.
It is a power that the United States and its allies have
no intention of giving up.
David E. Sanger is national security correspondent for
The New York Times. His forthcoming book is “The Perfect Weapon: War, Sabotage
and Fear in the Cyber Age.”
A version of this article appears in print on January 23,
2018, on Page A11, in The International New York Times.