It's a MAD, MAD, MAD Cyber World
Let’s start this discussion with a brief cybersecurity risk assessment:
1. Anything attached to a network can be hacked.
2. Everything is being attached to networks.
3. Everything is vulnerable.
This is Beckstrom’s Law of Cybersecurity and it shouldn’t come as a surprise to anyone.
The Internet is history’s biggest and most complex system but it wasn’t designed for security. It was intended to be open and engaging - a platform for sharing and collaboration that was accessible to everyone everywhere.
But the door we’ve opened to innovation and sharing comes with unintended consequences, and living with a serious cyber threat is our new global reality.
Factor in the dramatic increase in transparency in modern life, whether from so much information being posted online or from the involuntary transparency of being watched without your consent, and you have a major vulnerability to cyber attack. Add in our growing dependence on Internet-based transportation, food, power, water, military and government systems and we have the potential for major cyber disasters.
A few years ago, my colleague Ori Brafman and I wrote a book called The Starfish and the Spider: the Unstoppable Power of Leaderless Organizations. It’s based on the idea that decentralized networks – organizations like al Qaeda that have an amorphous leadership structure – are regenerating: when you cut off an arm or eliminate a senior leader they simply grow another one and move on.
The book proved popular among U.S. government leaders and that led to a request for me to help them better understand the evolving terror and cyber threats as the founding Director of the U.S. National Cybersecurity Center. This incredible job afforded me unique insight into the realities of the growing cyber threat. The center was a coordination point for protecting civilian, military and intelligence networks. And it eventually led me to a leadership role in global Internet governance as CEO of ICANN, helping to keep the global Internet open, resilient and decentralized for the benefit of the world.
The Starfish and The Spider introduced a model for thinking about decentralized networks, organizational leadership, strategy, competition and evolution. And it is helpful to consider the growing cyber threat in a comparable framework.
So today I would like to present a new cybersecurity model. It relates to what is really going on in our new, more vulnerable world - from a systems perspective, and from a realpolitik perspective.
And it starts with a basic fact. Through the impact and reach of the Internet, the world of power and politics has changed forever. We now live in a MAD, MAD, MAD cyber world.
What do I mean by this?
First, let’s look at the classic MAD: nuclear Mutually Assured Destruction. Nuclear MAD evolved from the development and proliferation of nuclear weapons after World War II. It changed the nature of war and geopolitics and helped secure the precarious peace among superpowers that has held for almost seventy years while countless small regional wars have been fought.
The second MAD is cyber MAD, or Mutually Assured Disruption. It echoes the underlying concept of nuclear MAD: nation states and others have the ability to cripple each other’s power systems, industries and economies through broad-scale cyber attacks. And like nuclear MAD, cyber MAD leads to some level of deterrence among nation states. If one government launches a full-scale cyber attack on another, they or the people in their country are likely to receive the same back. And they know it.
But cyber MAD is fundamentally different from nuclear MAD. Nuclear weapons have not been used in war since 1945. But cyber weapons are used millions of times every second. Nuclear weapons are discrete, identifiable and easy to detect if detonated. Cyber weapons are pervasive, unidentified and often difficult or impossible to detect and attribute. So some of the lessons the Cold War taught to many of our current government policymakers are radically inapplicable to cyber MAD.
The third MAD is Mutually Assured Dependence on the Internet, or simply Internet MAD, reflecting our shared reliance on the Internet, and upon each other through the Internet, for communications, commerce, power, travel, shipping, infrastructure – in fact, for almost everything we do.
That makes Internet MAD a positive force that delivers incredible benefits to mankind. Most individuals and countries could not function very well without it, and our reliance is growing. A recent survey showed that 57 percent of American women would give up sex for a week before they would give up their smartphones. If that’s not a sign of Internet addiction, I don’t know what is.
The Internet benefits all nations, no matter their political orientation, and though they may disagree on some aspects of its use, most of them recognize the importance of keeping it working. Internet MAD helps hold our world together.
There are significant implications for nation states and for citizens of the world in this MAD, MAD, MAD cyber world. Governments and societies must evolve to cope with a new reality, just as the world learned to cope with nuclear MAD after World War II.
To understand these MAD concepts better, let’s consider a scenario using publicly available information to analyze the dynamics of Stuxnet - perhaps the most important malware ever developed.
Stuxnet was a by-product of nuclear MAD - an extremely complex computer worm that was unleashed upon Iran in 2010. It was the first malware crafted to disrupt nuclear production facilities. It was intended to prevent Iran from refining nuclear fuels that could be used to make a bomb.
Nuclear non-proliferation is a great success story and many governments around the world understandably do not wish to see new nations with nuclear weapons enter into this delicate balance of power. The U.S. government decided to interrupt Iran’s uranium enrichment program - not with bombs but with a cyber weapon.
Stuxnet corrupted the software in the centrifuges’ industrial controllers so they would spin faster than they were designed for and fail. The operators were fed false data on the spin rates so they would be unable to understand or fix the problem.
Stuxnet is a tool of the second MAD: mutually assured disruption. It disrupted and destroyed about 1,000 out of 9,000 centrifuges, and may have provided a temporary setback to Iran’s nuclear ambitions. But the Iranians eventually discovered it and so did hackers, who reverse-engineered much of the code and put it on the web for other hackers to use.
Iran did not take this lightly. According to reports, they have responded on multiple fronts. Iran has been credited with heavy and escalating denial-of-service attacks on U.S. and European banks, occasionally interrupting operations.
Then, on August 15, 2012, tens of thousands of computers at Saudi Aramco, the world’s largest oil company, went dark. Employees tried to switch their machines back on but couldn’t. Some point to Iran as the perpetrator, while others suspect a circle of dissident hackers.
In the last month, according to the May 24 Wall Street Journal, U.S. officials believe that Iran has hacked into many U.S. energy companies and collected sufficient information to create concerns about future possible attacks.
From a systems standpoint, the cyber offensive against Iran via Stuxnet has now led to a series of Iranian countermoves. A game of tit-for-tat is playing out that could bring us closer to the edge of mutually assured disruption. This is the very definition of cyber MAD: reciprocally escalating cyber attacks at the nation state level.
While it can take decades to develop a nuclear weapons capability, cyber weapons can often be copied immediately or reverse-engineered and deployed by nation states or hackers in just days or weeks. Even highly skilled lone hackers can launch major cyber attacks. This completely changes the dynamic from the precarious but peaceful détente of the nuclear era to a rapidly escalating, often invisible cyber hacking and conflict threat.
If it’s so easy to launch a serious attack, why haven’t there been more? We can’t be sure - and they could still come - but one reason is clear. Remember that positive Internet MAD – our mutual dependence and shared reliance on the Internet? Most of us need this global system to work to keep our lives running smoothly. There are many motivations for attacking systems: obtaining state secrets, accessing commercially sensitive information, stealing assets, political activism. But even those who hack and attack want the Internet to work. They know that without it, they couldn’t achieve their broader goals, whatever they may be.
Nonetheless, about 70,000 new strains of malware appear every day.
The growth of nuclear weapons was contained first by non-proliferation - limiting the number of nations with weapons - and then by arms negotiations to limit the number of weapons.
In cyberspace, there are no effective containment policies and the scale, diversity, and growth rate of the Internet mean that none are likely to emerge in the near future. And the current rapid pace of tech development is far beyond that of nuclear development when nuclear MAD was in full play. According to reports, more than 100 nations are investing in offensive cyber capabilities. Relationships among cyber attackers – where they even exist – lack trust, engagement and cohesion, and an atmosphere of retaliation prevails. It’s like the Wild West - except that it engulfs the planet.
This produces a very different set of challenges for those who seek to contain the growing cyber threat.
As we learn to live in this MAD cyber world, we must work together to create a more stable and secure Internet, because the downside of Internet MAD’s positive mutual dependence is that the capacity for destruction at the hands of cyber attackers is immense. Cyber attacks can seriously undermine the security of the Internet and place entire economies at risk. The theoretical loss of life through a significant disruption of infrastructure or through militarization is huge.
Militarization may also lead countries to oppose the current multi-stakeholder governance of the Internet, where global non-profit bodies like ICANN, the Internet Engineering Task Force and others work to keep the Internet unified and to prioritize the needs of its three billion users.
Some might propose breaking up the Internet to protect their national interests, creating separate and self-contained national networks. But as we move steadily closer to connecting every person in the world, our economic future will depend even more on maintaining a unified global Internet. It is the foundation for continued innovation and economic growth and a platform for communication across cultural borders and political boundaries. Its unity is essential to our collective future.
So how do we defend ourselves against cyber attack?
It’s not easy. And no one has all the answers - we have to work through this new challenge together. I have developed this MAD, MAD, MAD model to provide a meaningful framework for understanding the new cyber reality and to contribute to a more informed discussion about solutions, because you have to understand a problem before you can solve it.
And in the spirit of collaboration, I have some ideas to contribute.
First, we must develop global definitions, norms and standards for cybersecurity. Right now we are about where nuclear MAD was in the 1950s. We need a common understanding of the threat to begin moving into real diplomatic dialogue. This won’t be easy, but it must be done and it needs to start now. Governments are part of the problem and must be part of the solution, but nation state solutions alone won’t work. The private sector has a key role in its own right and must also work with governments, including through multi-stakeholder bodies.
Second, we must build global trust. That means finding areas where positive steps can be taken together to build some level of confidence. Fighting global terrorism and coordinating law enforcement efforts against global cyber-bank robbers, human traffickers and drug traffickers, for example, are two areas with particular potential for effective collaboration.
Third, we need to use transparency and economic incentives to drive to a higher level of security. Regulation and strict reporting requirements alone do not work. Penetration testing and other methods of positive security assurance should be the norm in every important system. One of the best ways to determine if a network is secure is to authorize highly skilled parties to try to breach it. This has clear benefits. It identifies actual vulnerabilities - information that can then be used to improve security. It exposes the real-time state of a system, a key tool in assessing risk for potential business partners, contractors or investors. And having the right to test a system provides the evidence to establish trust – or not.
Lastly, we must build better security into the Internet itself. Greater research and investment are needed to strengthen its technical underpinnings. That includes investment to spread the deployment of more secure technologies like DNSSEC (Domain Name System Security Extensions) and PGP (Pretty Good Privacy), which help stop man-in-the-middle attacks. We also need new research into more secure Internet standards and protocols like DANE (DNS-based Authentication of Named Entities).
These ideas are just a beginning, a means of starting this crucial global discussion. I hope many others will contribute, and that Beckstrom’s Law of Cybersecurity and the MAD, MAD, MAD model will be a useful framework in considering the way forward.
The Internet is one of mankind’s greatest collective achievements and protecting it is fundamental to our future. The moment has come to bring sanity back to our MAD, MAD, MAD cyber world.
Remarks at the Personal Democracy Forum, New York City, June 6, 2013