October 1, 2021
Can you fill in the blank?
“If we end up in a… real shooting war… it’s going to be as a consequence of ______,” President Joe Biden said in late July.
- (A) “Chinese adventurism in the South China Sea”
- (B) “House Speaker Nancy Pelosi wearing white shoes after Labor Day”
- (C) “The price of gas rising to more than $4/gallon”
- (D) “Netflix hiking its subscription fees again”
- (E) “A cyber breach”
If you’ve been paying attention… you know that (A) is credible. (B) may well be the case for fashion mavens… and (C) for the Hummer owners who need their wheels to drive to the local Kroger. And (D) – well, no.
Biden’s words, which were part of a speech at the Office for the Director of National Intelligence (“ODNI”) – the entity that oversees the 18 (!) organizations that make up the American government’s intelligence community – were in fact in reference to (E), a cyber breach.
Cyberattacks’ Greatest Hits
In its Annual Risk Assessment report, released in April, ODNI explained that…
Foreign states use cyber operations to steal information, influence populations, and damage industry, including physical and digital critical infrastructure…
States’ increasing use of cyber operations as a tool of national power, including increasing use by militaries around the world, raises the prospect of more destructive and disruptive cyber activity. As states attempt more aggressive cyber operations, they are more likely to affect civilian populations and to embolden other states that seek similar outcomes.
It’s easy to deride the notion of (beware: oxymoron ahead) “government intelligence.” But the large and steadily increasing impact of cyberattacks – which are joining extreme weather as another kind of collateral damage of science and technology moving in toddler-going-after-a-bag-of-Skittles directions – is clear, dire, and severe. And it’s only going to get worse.
Cyberattacks are so big, so mind-bending, awful, and frequent, that it’s easy to lose track – just like the name of last season’s biggest west coast wildfire… or which state was hit worst by the most recent devastating hurricane… or how many millions of acres of the Amazon were chopped down last month. It all blurs together.
The below is a brief refresher of the highlights – lowlights – of just the past year, extracted from a terrifying timeline of cyber incidents put together by the Center for Strategic and International Studies at Johns Hopkins University…
- August 2021. T-Mobile suffered a data breach that led the hacker to access the personal details of more than 50 million people.
- July 2021. The United States, the European Union, NATO, and other world powers released joint statements condemning the Chinese government… They attributed responsibility to China for the Microsoft Exchange hack from early 2021 and the compromise of more than 100,000 servers worldwide.
- May 2021. The world’s largest meat processing company, Brazil-based JBS, was the victim of a ransomware attack. The attack shut down facilities in the U.S., Canada, and Australia.
- May 2021. The Colonial Pipeline, the largest fuel pipeline in America, was the target of a ransomware attack. The energy company shut down the pipeline…
- March 2021. The head of U.S. Cyber Command testified that the organization had conducted more than two dozen operations to confront foreign threats ahead of the 2020 U.S. elections…
- December 2020. More than 200 organizations around the world – including multiple U.S. government agencies – were revealed to have been breached by Russian hackers who compromised the software provider SolarWinds and exploited their access to monitor internal operations and exfiltrate data.
The complete list includes 95 “significant incidents” (defined as cyberattacks on government, defense, and tech companies, or which cause losses in excess of $1 million) in 2021 so far… And the tally back to 2006 extends to 63 won’t-sleep-tonight pages.
Who’s to blame? Two obvious candidates… and a third possibility that you won’t like…
Cyberwar Enemy No. 1: Russia
As the ODNI explained in its risk assessment report, “Although an increasing number of countries and nonstate actors have these capabilities, we remain most concerned about Russia, China, Iran, and North Korea”…
The order in which those countries are listed isn’t accidental. The report continued, “We assess that Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities.”
Why is Russia throwing cyber darts at America? Global-affairs experts Gzero explained in June…
The U.S. still sees itself as a global superpower and Russia is unwilling to accept second-fiddle status.
So while the U.S. considers Moscow a menace — meddling in elections, invading countries in Europe, backing dictators around the world — Moscow sees the U.S. as an arrogant colossus…
With an economy the size of New York state, the most that Russia can realistically aspire to on the world stage is to play the role of spoiler. As Irish dramatist Oscar Wilde said, “There is only one thing in life worse than being talked about, and that is not being talked about.” And if Russia can no longer hang with the big boys as the second global superpower… it wants to be talked about.
The quick (only) way for Russia to be noticed is disruption – and as any adolescent will tell you, bad attention is better than none at all. Cyberwar is a stealth way to sow discord, undercut the foundations of democracy, cultivate confusion, and otherwise throw sand in the gears of America.
And cyberwarfare is a lot easier than the real thing. At $30 million, the cost of one of the next-generation Russian fighter jets – the stealth fifth-generation Sukhoi “Checkmate” – can fund the lifestyles of a lot of socially awkward hackers who live with their mothers. Russia’s T-14 Armata tank costs around $4 million… a sum that can cause more damage – reputational and otherwise – than a thousand T-14s if funneled into cyberwarfare.
Why are Russians so good at cyberattacks? I asked an old friend who’s written books about cyberattacks. He says it’s due to a legacy of strong science-focused higher education, an entrepreneurial mindset (Russians are good at doing what has to be done), and a lack of legal constraints (in other words… flexible morality). (Interestingly enough, vodka and infinitely long, cold winters didn’t make his list.)
Cyberwar Enemy No. 2: China
“We assess that China presents a prolific and effective cyber-espionage threat, possesses substantial cyberattack capabilities, and presents a growing influence threat,” the ODNI wrote.
China’s ambitions are markedly greater than those of Russia. As China expert Rush Doshi explains in the recently released The Long Game: China’s Grand Strategy to Displace American Order, “the [Chinese Communist] Party now seeks to restore China to its rightful place in the global hierarchy.”
China spent centuries at the top of the heap, and believes (knows) that it will eventually return… And it’s playing the long game to get back to the pinnacle of global power. While American politicians think in terms of electoral cycles, China plots in calendar blocks of centuries. Over the past few decades, China has been playing catch-up after a few centuries of having fallen behind.
And China is doing it in part through data – as much of it as it can get. As think-tank Rand Corporation explained last year…
China is aggressively working toward becoming a global leader in big data analytics as part of its plan to achieve great power status… Beijing’s efforts are guided by a national big data strategy, an effort that encompasses economic, military, police, and intelligence functions.
While Russia is content with throwing sand into the gears of the engine of the American – and global – economy, China is making a new engine to altogether overrun the earth… and it isn’t one that runs on oil.
Back in 2014 – in what, at the time, was a spectacular data breach but which has since become mundane – China hacked into the U.S. government’s Office of Personnel Management to collect personal information on more than 22 million federal workers, contractors, friends, and family. The next year, cyberthieves said by the U.S. government to be in China took the names, birth dates, and Social Security numbers of 78 million customers of health care insurer Anthem.
When credit reporting agency Equifax was hacked two years later – by China again – credit information of 148 million Americans was the target. In 2018, Marriott’s Starwood brand said that passport, credit-card, and other information on – wait for it – 500 million customers had been stolen by… yes, you know who.
As recently as July, China was accused by the U.S. and a bevy of allies of being behind an attack on e-mail software Microsoft Exchange, through which it stole e-mails, calendar data, files, contacts, and pretty much any other data that tens of thousands of businesses sent via Exchange.
All that data adds up. According to one estimate, China has much of the personal data on four of every five Americans… and it’s working on the last guy.
How is China going to use all this data? First, there’s the obvious and easy way: The Chinese government could use all it knows about you – yes, you… or, say, a person in a sensitive government, technology, or intelligence position who you might know – to get you to talk about whatever it believes you know and it wants to know.
But that’s child’s play. The bigger picture is more scary, as National Public Radio explains…
[U.S.] officials believe the Chinese gather this information to help them construct the informational mosaic they need to build world-class AI [artificial intelligence]… [which is] becoming the mechanism by which insurance rates are calculated, credit is given, mortgages are approved, and health care data is calculated.
How will that affect you? Now’s the time to shudder…
Cyberwar Enemy No. 3: No, It Couldn’t Be
America’s intelligence folk – who fancy themselves to be mighty intelligent – can trace many of the cyberattacks to people in Russia, China, and friends (whether or not they’re government supported).
The best scam is one that you don’t recognize until it’s over. And the best cyberattacks are ones that are untraceable. If you see the beehive, you can run away from it – but if the bees are swarming and you don’t know where they’re coming from, you’re done for.
When Uncle Sam doesn’t know who to blame, cyber villains Russia and/or China are convenient scapegoats for what could well be the work of cyberattacks that come from within America. The American media doesn’t need much convincing that the bad guys are over there… And given the ability of the average journalist, or the average person, to discern the quality of cyber sleuth evidence, it would be easy to convince any doubters.
White supremacists and other domestic terrorists aren’t known for their triple-digit IQs. But it only takes a few black-hat hackers holed up in a Wi-Fi-enabled cave in (insert name of an off-the-radar flyover state that you can never remember the capital of) with Internet access to wreak havoc.
Could these attacks – on America – emanate from America? Possibly. Would we find out if so? Probably not. The rally-’round-the-flag effect of foreign baddies is too powerful for any American politician to dilute.
But this suggests another question… Why isn’t America fighting back? Why aren’t we reading about hacks – by U.S. government spooks or American freelance hackers in the pocket of Uncle Sam – of (say) Russian government employment databases… Chinese oil pipelines… North Korean missile systems?
Maybe it is happening, but it’s kept secret. But if so – why? Presumably there would be a big deterrent value (as in, other cyberwarriors would be less inclined to take on American cyber assets) in the American government claiming some big cyber kills. Junior hackers in North Korea, for example, may be less inclined to take on America if they know what happened to the last guy/country who tried.
Or is America too moral, too high-standing, to strike back? Hah, doubtful… The moral compass of the government that brought us Abu Ghraib prison torture and ignored lead-tainted water in Flint, Michigan and the Tuskegee syphilis study broke a long time ago. And in any case, there are no rules to cyberwarfare… The team that holds back because they don’t want to hurt the other guy too badly is the team that loses.
It’s Time to be Afraid
If cyberattacks were the action of just a few bad actors, then there might be a big come-together-and-sing-kumbaya global deal to prevent and fight cyberattacks.
Of course that’s not going to happen, since cyberwarfare is, well, war. There is no common good… there’s only winning, or losing. And even the good guys (a definition adjusted according to whose side you’re on) wouldn’t want to limit themselves in a kind of cyber–Geneva Convention since, well, it’s war, right?
We – as in, humankind, including (or maybe especially) those who are best placed to understand all the bad things that might hurt us – are terrible (unlucky?) at forecasting risk.
The World Economic Forum (“WEF”), an international organization that hosts the Davos Forum, each year releases a report on the biggest risks the world faces. It compiles the Global Risk Report by surveying smart people in government, business, civil society, and elsewhere.
Disappointingly (but not surprisingly), “infectious diseases” didn’t make the top 5 of risks – in terms of neither likelihood nor impact, the two parameters the WEF uses – in 2019… or 2018… or 2017… or 2016 (it made it as No. 2 for impact in 2015). So the risk-aware folk failed at even getting a sniff of what’s been the biggest economic, political, social, and everything-else risk in generations.
Instead, the No. 1 biggest risk in terms of likelihood over the past five years: Extreme weather. The biggest risk by impact in the 2021 report is – the horse has long since left the stable and is running down the road to find that cute mare – infectious diseases.
What this means is that the fact that cyberattacks didn’t crack the top of the chart for 2021 is hardly reassuring. And the big one is coming, as Kevin Mandia, the CEO of cybersecurity company FireEye, told news service Axios in February…
Apps won’t work. Appliances may not work. People don’t even know all the things they depend on. All of a sudden, the supply chain starts getting disrupted because computers don’t work…
Of course, Mandia is talking his book (the head of a cybersecurity company is about as likely to tell people not to worry about cybersecurity as Hershey’s is to remind people that sugar and candy are actually bad for you). But his warnings aren’t wrong…
Uncle Sam Can’t Help
Anyway, though, Americans – sheltered by powerful Uncle Sam – will be alright… right?
According to the Global Cybersecurity Index, a measure devised by the United Nations’ International Telecommunication Union that assesses the legal, technical, organizational and other cybersecurity dimensions of 193 countries, the U.S. is the gold standard of cybersecurity. It’s ranked first, followed by the United Kingdom, Saudi Arabia, and Estonia (which has come under frequent cyberattack from Russia). Bringing up the rear are Eritrea and North Korea.
That might sound reassuring. But don’t be reassured…
The U.S. might be, by some measures, more prepared for cyberattacks than other countries… but as the seemingly endless series of cyber hacks shows, that doesn’t mean you should use “password” as your password.
In fact, just the opposite, as an opinion piece in The Hill explained…
If a full on “turn the lights off” cyberwar were to happen today, we [the U.S.] would lose. Think about that. We would lose a cyberwar. With a few clicks of the mouse, and in just a few seconds, hackers in Beijing or Moscow could turn off our electricity, millions would lose heat, groceries would spoil, banking machines would not work, and people could not get gasoline.
Even if that hasn’t happened – yet – the skirmishes are already here, and they’re causing real damage. An estimate by Cybersecurity Ventures – again, an industry source, so take it with a nugget of salt – suggests that cybercrime in 2021 will cause damages of $6 trillion to the global economy (enough to make it, by value, the third-largest economy in the world).
And it can only get worse, as Wired magazine explained in 2019 – and, indeed, it’s only gotten worse since then…
The U.S. and other world powers still haven’t realized that they have more to lose in an exchange of scorched-earth cyberattacks than to gain. Until they do, the cyberwar machine will roll onward, with nothing less than the infrastructure of modern civilization in its destructive path.
At this point it’s even unclear which would be worse: The “real shooting war,” or the cyberattack that precedes, or causes, or comes after it.
Do This Now
There are a few things you can do to prepare if – when – it happens. For starters (you know this, but anyway), use strong – and different, across devices and websites – passwords. Never keep the default password (but you don’t, do you?). Keep your devices up to date, so that you have recent security updates and patches installed.
Back up your files (everywhere – the cloud, a removable hard drive, a thumb drive you keep around your neck). Even better, encrypt them… It’s not that difficult and it could save you a lot of grief. Download and save (and, if you’re really old school, print out) information like bank statements. Have a hard copy of important phone numbers.
Those fun Facebook quizzes that ask you the name of the street where you grew up… your first pet’s name… where you met your spouse?… It’s interesting how similar those are to the security questions that your bank asks you online to confirm that it’s you, isn’t it? Keep your personal information to yourself.
And IT administrators: Train your users with more than all-caps warnings. Launch fake phishing attacks so that employees know what to look out for. Try to trick your own people – and if they don’t fall for it, chances are they’ll be better equipped to sniff out the real thing if it happens.
Not “if”… but “when.” Because cyberattacks – on infrastructure, on databases, on companies, on you – are getting worse… and it’s happening right now.
Executive Editor, American Consequences
With Editorial Staff