Published: October 13, 2017

Cyber-Threats: Clear and Present Dangers

Yesterday at the CACI Annual Meeting Luncheon, two of the nation’s leading experts on national security painted a dark and troubling picture of cyber-security threats that face the U.S.

More than 250 CACI members and guests attended the Luncheon at the Hyatt Regency Denver at the Colorado Convention Center.

The panel was sponsored by the U.S. Chamber of Commerce. The two panelists were:

General Michael Hayden, U.S. Air Force (Retired), who is now a Principal with The Chertoff Group. He served as director of both the Central Intelligence Agency (CIA) and the National Security Agency (NSA).

Michael Morell, former deputy director of the CIA, who twice served as acting CIA director. He is a 33-year veteran of the Agency and is now a Senior Counselor with Beacon Global Strategies.

The panel was moderated by Ann Beauchesne, Senior Vice President, National Security and Emergency Preparedness, U.S. Chamber of Commerce. October is “Cybersecurity Awareness Month,” she said.

Cyber-crime costs the U.S. $6 trillion each year, said Beauchesne. The Chamber encourages businesses to work together to improve the security of their information-technology (IT) networks to combat cyber-crime, she said.

The Challenge for Boards of Directors and C-Level Corporate Officers

Morell said the issue of IT used to be just the province of IT professionals, but that is no longer the case. He said that, in the four years since he left the Federal Government, he has seen “the arc” of increased awareness among Board members and corporate executives when it comes to cyber-security. The 2013 case of Target was a major factor in this increasing awareness, he said.

Boards of Directors now understand that they are “under the threat” of responsibility for cyber-crimes committed against corporations, just as boards are responsible for such risks as fraud and violations of the Federal Foreign Corrupt Practices Act, Morell said. Board members should think of cyber-crime as “like any other risk” to a corporation, he said, and then figure out how to manage that risk.

Boards should hold senior executives accountable for a company’s cyber-defenses, Morell said, and require periodic briefings by the chief executive officer and the chief information officer. “It’s as simple as that,” he said. “All Board members need to pay attention.”

Morell said that, in 2009, he made a joint appearance in New York City before a “Wall Street crowd” to discuss cyber-security along with George Tenet, former CIA director, and Mike McConnell, former director of the National Security Agency (NSA) and former director of National Intelligence. After the trio had made their presentation, it was time for questions-and-answers with the audience, he said.

“How much is this gonna cost?” one audience member asked, Morell said, noting that the questioner clearly saw cyber-security only as a “subtraction from” the bottom line.

Corporate executives and Board members should see the cost of cybersecurity “as integral as any other element” of how a business functions, Morell said.

Boards should contain at least one member who has expertise in cyber-security, said Morell, just as they should have a member who has expertise with the Federal Sarbanes-Oxley Act. Cyber-security experts who can serve on a Board may be hard to find, he cautioned. Boards of Directors “need to take the pledge” to be vigilant about cybersecurity, Morell urged.

If both the Board and the chief executives are vigilant when it comes to cyber-security, Morell said, then a company’s workforce will understand that the company’s survival “depends on getting it right” when it comes to strengthening the company’s cyber-defenses.

“Phishing” has become the most common way for IT networks to be penetrated, Morell said, and it accounts for 90 percent of penetrations. A company should educate its workforce to prevent clicking on links or opening attachments of phishing emails, he said.

Phishing emails have become much more sophisticated, Morell warned, compared to the past when hackers sent out mass phishing emails, which were not successful. With the growth of information about a company or an individual on the Internet through social media, he said, targeted, sophisticated phishing emails now can be aimed directly at individuals. (Phishing attacks aimed at an individual are called “spear phishing.”)

Adversaries evolve their attacks just as targets evolve their defenses, Morell cautioned. “Be really aware,” he urged. Company C-suite officers are often unaware of how fast attacks can evolve, Morell said.

The next topic to be discussed was “ransomware,” which is malware that hackers manage to install in a company’s IT system and that locks up, or encrypts, data. The hackers then demand payment to release the data, threatening otherwise to leave it locked, destroy it, or sell it on the Dark Web or the Deep Web.

Hayden urged the audience to be very careful about how they respond to ransomware attacks. He said the FBI urges businesses and individuals to not pay the ransom that hackers demand. Hackers may, however, only demand a relatively small amount of money to release the data, he said, which makes it difficult for corporate officials to decide whether or not to pay.

The Role of the Federal Government in Fighting Cyber-Crime in the Private Sector

A debate exists about whether or not the Federal Government should be brought into the world of corporate IT to defend against cyber-crime, Hayden said.

Government has taken the lead in protecting the nation when the foreign threat comes by land, sea, air or space, Hayden said. These traditional “domains” are now joined by cyber-space, he said, and it’s not clear that government can protect the U.S. in cyber-space the way it has in the traditional four domains.

Cyber-threats are “sufficiently different” from threats in the other domains, Hayden said, and the response demands speed, technology and experience, which are more dominant in the private sector. Governmental intrusion into the networks of companies and individuals raises serious questions about privacy and civil liberties, he cautioned. “Do you want government spying on your home network?” he asked the audience.

Consequently, individuals and companies should be “more responsible” for cybersecurity threats than they are for threats in the four traditional domains, in which Government protects the country, Hayden said. Individuals and companies should provide their own security, he said, adding “That’s just the way it is.”

Publicizing Cyber-Threats

To focus more public attention on cyber-crime, Morell said more leaders are needed. He said that the cost of cyber-crime exceeds that of the illegal drug trade. One strategy is to “tell stories” about the impact of cyber-crimes on individuals, who have had their identities stolen, as well as on consumers, who face higher prices for goods and services because of the cost that cyber-crime adds to prices, he said.

Hayden said the U.S. needs “digital natives” to develop the leadership to communicate the dangers of cyber-crime to the public. He called for a public education campaign about cyber-crime (similar to that for drunk driving, which made driving while intoxicated socially unacceptable and increased penalties) to protect children from Internet predators as well as the finances of individuals and companies.

The Many Faces of Cyberthreats

Beauchesne said the FBI is seeing a “blurring of different kinds of threats” from organized crime, rogue nation-states (like North Korea, Russia, and Iran), drug cartels, “hacktivists,” and terrorist organizations.

In the past, small hacker groups were the main threat, Morell said, but there is now a growing number of nation-states and organized criminal enterprises that are pursuing cybercrime and acquisition of information, both economic and national security in nature.

Sometimes, there is a mixture of actors, Morell explained. A hacker may work for the Russian government during the day and then go home and work for organized criminals at night. The skill level of hackers working for nation-states has increased more than that of organized crime, he said.

Are Small Businesses a Target?

Morell said small businesses are mistaken if they think that cyber-criminals are focused only on major corporations. As large corporations beef up their cyber-security defenses, hackers will go after small firms, he said. Hackers will go after finances, intellectual resources and information about customers, Morell said, and executives have to decide what is important to protect.

The China Question

Hayden said many nation-states around the world routinely engage in industrial espionage for economic reasons but not such countries as the U.S., Canada, New Zealand, Australia and the European countries. In 2016, China agreed with the U.S. that cyberespionage should only be used for national security purposes and not for economic reasons. Since then, there has been some evidence that the number of cyber-attacks from China aimed at American businesses has decreased, he said.

There may be three reasons for this decrease, Hayden said:

The Chinese government may not be seeing attacks that originate within the country’s borders;

China may be decreasing its governmental economic attacks; or

China may be concerned that “cyber-piracy” will hurt it.

Hayden said the U.S. Department of Homeland Security is exploring how economic rewards and punishments can be used to influence foreign companies or governments that engage in economic spying.

From Russia, with Love; The U.S. 2016 Elections

Next, Hayden and Morell discussed the topic of Russian cyber-meddling in the 2016 American elections.

Morell said the Russians pursued three strategies:

Cyber-espionage that resulted in the penetration of the Democratic National Committee and the emails of John Podesta, chair of Hillary Clinton’s presidential campaign, which were then provided to WikiLeaks and made public;

Attempted penetration of state election systems, which appears to have been unsuccessful; and

“Weaponization of social media to push propaganda into our country.”

The use of social media by the Russians was the “most successful” of the three strategies, Morell said, and it “moved daily tracking polls” for the 2016 presidential race by being targeted down to the precinct and county levels. It will never be known, he said, if the effort actually “changed any votes.” Nonetheless, the Russian social-media campaign damaged “us as a people,” he said.

The social media attack and creation of “fake news” by the Russians was “much bigger, broader and deeper” than was initially known, Morell said, and it sought to exploit divisions based not just on politics and the presidential campaign but also on race, sex and income inequality.

For Russian President Vladimir Putin, Morell said, the cyber-campaign against the American election is an example of a much broader Russian strategy that combines military force, as in Crimea and the Ukraine, with cyber-initiatives that sow disinformation and confusion among those that Putin considers the enemies of Russia. Putin seeks to weaken America as a nation, he said.

The Russian cybercampaign continues today, Morell said, and Russian state hackers quickly reacted to exploit the recent quarrel between President Trump and the National Football League as well as the campaign aimed at President Trump’s National Security Advisor, H.R. McMaster.

What to Do about the Russians?

Morell said Congress could create a commission similar to the 9-11 Commission that could address the following two questions:

How do we defend ourselves?

How do we deter Putin from his campaign of cyber-attacks and use of social media against the U.S.?

Hayden said that the “hybrid warfare” strategy of integrating military force with cyber-weapons has publicly been articulated by a Russian general. Russia seeks to influence global events in addition to its military excursions into Crimea and the eastern Ukraine, he said.

Russia is taking aim not only at the U.S. but also at NATO and the European Union, Hayden said. “Russia has a full head of steam,” he said, “and it will continue with its cyber-offensive.” We have to “heal ourselves” to keep the Russians from capitalizing on our cyber-weaknesses, he added.

In addition, Morell said, such other nation-states as China, North Korea and Iran are watching Russia’s actions to learn how to improve their own cyber-capabilities.

The Threat from Organized Crime

Hayden said organized crime is launching cyber-attacks on companies to obtain valuable information, which can then be used to extort money from companies. Cyber-crimes will put companies into a crisis “not of your own making,” he said.

The Challenge for American Tech Companies Operating Abroad

The perception that U.S. technology companies are cooperating with the Federal Government on cybersecurity will hurt them as they try to sell their goods and services abroad, Morell said. Such a perception overseas will hurt such firms as Apple, Cisco and Google, causing them to lose market share, he said.

Such firms have to tell their foreign customers that the U.S. government can’t “get inside” their products. An example was the iPhone of the 2015 San Bernardino mass shooter, which became the focus of a national debate and legal action when Apple refused to create a backdoor “key” to unlock the phone for investigators.

If Apple put such a key into its iPhones, Morell said, then the phones would be susceptible to cyber-attack. The FBI and the CIA should instead be challenged to “break into” the phone, rather than the government trying to force Apple to create the key.

Hayden added that he also did not favor forcing American tech companies such as Apple to create keys to allow the government to access their devices.

Question-and-Answer Session

One question from an audience member concerned the Russian anti-virus software company, Kaspersky Lab, whose product the Federal Government last month ordered to be removed from computers at some two dozen agencies. About 400 million people around the world use the firm’s software. What should the Federal Government’s role be vis-à-vis private-sector anti-virus software that may be compromised?

According to The New York Times, Israeli intelligence agents discovered that Russian state hackers were using the Kaspersky Lab network to globally search for the names of American intelligence programs by using hacking tools stolen from the NSA.

Hayden said that one approach to this problem might be the creation of a public-private effort that awards a “seal-of-approval” for anti-virus software similar to the work of Underwriters Laboratories. Government should not take control of anti-virus software and impose regulations, he said, because the private sector will be more efficient without government intrusion.

In response to a question about whether or not the U.S. should launch a cybersecurity effort similar to the 1960s “race to the moon,” Hayden said, “Sure.” But he pointed out that the space race was an industrial-era effort that only the Federal Government could do.

Now, in a new, post-industrial world characterized by global digital interconnectivity, Hayden said, the “heavy lifting” has to be done by the private sector when it comes to meeting cyber-security challenges with government playing a supporting role.

Morell said “tensions are rising” between Congress and Silicon Valley over cyber-security, citing Congress’ initial negative reaction to Facebook’s reluctance to provide information about Russian-connected ads on Facebook during the 2016 presidential election. Facebook then agreed to turn the ads over to Congress.

Hayden added that Silicon Valley is now recognizing the need to cooperate with the various Federal and Congressional investigations into the Russian interference in the 2016 elections.

In response to a question about whether or not the U.S. should consider a national identity card instead of Social Security numbers in the wake of the Equifax data breach, Hayden said there is no political support for such a card. The U.S. will instead stick with a mid-20th Century system of Social Security numbers for the purpose of personal identification, he said.

Morell added that biometrics may be used increasingly for personal identification.

In response to a question about what small companies should do to increase their cyber-security, Hayden said that they should buy anti-virus software from “reputable providers.”

Hayden explained that a company’s cyber-perimeter will be breached. Thus, a company should focus on protecting its valuable data, not its network.

Morell said that one of the most dangerous threats to a company’s cybersecurity is the disaffected employee, who may be angry at a company for any number of reasons. Edward Snowden succeeded in the theft of the NSA data because he picked the last part of the NSA network that was not monitored for activity, he said.

Resources of the U.S. Chamber of Commerce

Beauchesne detailed the activity of the U.S. Chamber on national security and cybersecurity, which are top priorities for the Chamber, and how it can act as a resource for U.S. companies.

The Chamber has three strategies for addressing the cybersecurity issue: