In mid-October, HBO released its documentary, The Perfect Weapon, about growing cyber security risks (trailer). A recent Cipher Brief webinar featured David Sanger, national security correspondent for The New York Times, who wrote the book on which the documentary was based, and Mary Brooks, who contributed to both his book and the documentary, and was moderated by Cipher Brief founder Suzanne Kelly.
Creating a documentary based on a detailed, fascinating, and chilling 340-page book is a challenge. It had to be more interesting than 000s and 111s scrolling down the screen. There was a history to lay out. Director John Maggio decided to render the technology aspects of earlier cyberattacks in broad strokes and to humanize the story by focusing on the victims. This approach not only revealed how many sectors of society are vulnerable to cyber criminals, but also how diverse are the sources of these attacks.
The first cyber attack receiving much play in the United States was North Korea’s 2014 takedown of Sony in response to a movie it didn’t like. For that segment, Maggio’s team could interview actors and executives. It was harder to get the story of the next significant attack—this one by the Iranians on the Sands Casino in Las Vegas—because the casino executives don’t want to publicize it.
Since then, attacks have continued, most recently with ransomware attacks on US hospitals already stretched thin by the coronavirus, and on local governments in Florida, for example—after crippling attacks on Baltimore and Atlanta.
Though costly and significant, these episodes have not been serious enough to trigger retribution by the US government. “They are short of war operations,” Sanger said, “and deliberately calculated to be so.” The potential for much more consequential acts definitely exists. It is known, for example, that malware has been placed in the US power grid, where it sits. Officials don’t want to talk about it, or remove it, ironically, because they don’t want the bad actors to understand our detection capabilities.
Of course, the United States isn’t inactive in this arena. In 2010, our government and Israel used the malicious computer worm Stuxnet to disable Iran’s nuclear program, an action US officials won’t admit to even now, Sanger said. Unfortunately, the destructive Stuxnet code escaped into the wild and is now available to many black-hat hackers. Stuxnet “didn’t start the fire,” he said, “but it was an accelerant.”
Who is behind an attack can be murky. For various reasons, organized crime has increasingly muscled its way into the cyber-threat business. Governments hire hackers or external organizations to create havoc, because it gives them deniability. “Not us,” they say.
The US Cyber Command’s goal is to “defend and advance national interests.” However, the job of preventing attacks is difficult. It’s a challenge that requires considerable imagination, given an environment where the risks are escalating rapidly, the technology is improving constantly, and the targets have no boundaries. You may have read about recent threats to COVID vaccine research.
What exactly are the “national interests,” when American businesses have suppliers, clients, and customers all over the world? Companies don’t want to be perceived as working against those relationships. Google, for example, declined to participate in a military program to make drone attacks more accurate. Similarly, though Microsoft and the Cyber Command were both attempting to disable TrickBot in the last few weeks, their efforts were independent and uncoordinated.
Thomas Donahue, Senior Analyst at the Center for Cyber Intelligence, has said, “We cannot afford to protect everything to the maximum degree, so we’d better figure out what cannot fail.”