The Pentagon has issued a report highlighting possible updates to the Nuclear Posture Review, which details the circumstances under which the U.S. will consider responding to an attack with nuclear force.
Previously, strict limitations left a narrow view of what warranted a nuclear response, such as attacks on the U.S. with biological weapons. But the report has revised the definition of “extreme circumstances” to “include significant non-nuclear strategic attacks” on U.S. infrastructure — in short, a cyberattack.
Most of the world hopes there’s never a nuclear response to anything. Yet, the fact that the Pentagon is considering the nuclear option in the event of a cyberattack indicates the growing sophistication and risk underpinning modern cyberwarfare.
Today’s Cyber Landscape
Published in 2010, “Cyber War: The Next Threat to National Security and What to Do About It” by Richard Clarke — former counterterrorism advisor under President Bill Clinton and special advisor on cybersecurity under President George W. Bush — discusses the increasingly frightening capabilities of cybercrime, whether it’s committed by individuals, criminal organizations, or state actors.
While most public utility services and industrial control systems have remained off the grid, for instance, the Internet of Things has changed (and is continuing to change) that. Billions of devices in homes and offices around the country are coming online, making it easier than ever for people to control their homes from work and their offices from home.
What is less widely publicized is the degree to which these devices are accessible from anywhere in the world by the right person or team. Likewise, people often misunderstand how disruptive they can be if hacked or corrupted. Because they’re relatively unsecured, devices like smart doorbells and DVD players connected to a vast network can be used to orchestrate a distributed denial of service attack. The fall 2016 attack against internet service provider Dyn — which took down Netflix, Twitter, Reddit, PayPal, and others — is a good example of that.
Overall, research by ESG Global indicates that 68 percent of critical infrastructure organizations experienced some form of a security breach over the two-year period during which they were surveyed, which included disruptions in critical operations or disruptions in IT system availability, such as ATM outages, power failures, and the failure of hospital information systems.
Tomorrow’s Risk Factors
Still, according to North American Electric Reliability Corp. Chief Security Officer Marcus Sachs, only the distribution component of the electrical grid is internet-facing, while generation and transmission are not. This ostensibly minimizes the risk to current control systems, though other experts believe our exposure to a cyberattack isn’t necessarily relegated to internet accessibility.
The Stuxnet virus responsible for sabotaging the Iranian nuclear program, for example, infiltrated systems without relying on internet connectivity. The malware, which was likely distributed via a USB drive and was designed to infect computers and propagate itself undetected, eventually reached the systems controlling the Iranian centrifuges that produced enriched uranium. There, it programmed the centrifuges to spin fast enough to destroy themselves. While the malware has been widely attributed to the United States or Israel, the fact remains that it’s incredibly hard to trace the source of such an attack.
Originating from state actors or not, this malware and other cyberthreats like it aren’t simply dangerous in their initial implementation. It’s much easier for nefarious individuals and organizations to repurpose the technology and tools of cyberthreats once they’ve been used. Criminal organizations typically lack the resources necessary for developing sophisticated cyber weapons, and they often attack organizations for money or exploitation, as opposed to the secrets that governments seek. But what they can do is reverse-engineer the tools governments have unleashed and alter their DNA to create the kinds of attacks they want.
Why Data Security Is a Priority
The fact remains that many enterprise security leaders feel helpless in the face of sophisticated cyberwarfare. They expect the government to step in and protect them, and a nuclear response to cyberattacks is a form of retaliation that provides little in the way of advanced protection.
For most companies, the biggest priority in terms of security should be continuing to mature their organization along the National Institute of Standards and Technology 800-34 framework. The key aspects of the framework are identifying, protecting, monitoring, and recovering, and few organizations besides some defense contractors are operating at a full NIST 800-34. An organization that wants to better understand its cybersecurity preparedness should also consider implementing a third-party validated audit structure across its IT infrastructure. With an ISO 27001 audited program, for instance, Equifax probably wouldn’t have been breached the way it was.
Because cybersecurity is a journey rather than a destination, organizations must know where they are, where they’ve been, and where they’re going. And the first (and most important) step in this journey is foregrounding data security, especially in the email inbox, where 91 percent of cyberattacks are initiated. Two-factor authentication and encryption for email are essential, as well as protecting data both in-transit and at-rest.
Ultimately, a multilayer cybersecurity strategy is the only real defense in today’s cyber landscape. Given how rapidly cyberattacks evolve — in both the private and public sectors — and the ease with which today’s hackers can co-opt or even purchase cyberattack tools, organizations are facing greater risks to their data and a greater burden in consumer protection. While the Pentagon’s public and potentially nuclear response to a large-scale cyberattack is itself a kind of deterrence, it also undermines our cybersecurity strategies and tools in its explicit lack of confidence.
Hopefully, our administration will never have to choose between dropping “the bomb” or dealing with massive cyberattack fallout. And there are concrete steps enterprise security leaders can take today to prevent such an attack from happening at their system level, such as understanding their vulnerabilities and protecting the most common attack vector: email. While only the government may harbor nuclear weapons, any organization can implement the best defense possible: a comprehensive cybersecurity strategy.