From new insights on why the US called 'no hack backs' after the 2012 DDoS attacks against banks to new security proposals by central banks, and a look (way back) at lessons from the world's first cyberattack, here's what I’m reading this week:
- Weaponized uncertainty: Earlier this week, former Director of National Intelligence James Clapper discussed the U.S. Government's initial desire to "attack back" against the Iranian operators that were DDoSing US banks in 2012. Clapper described how, although there was initially "quite a head of steam," they ultimately concluded that it simply wasn't the right move for two reasons. First, as Clapper put it, "unless you are very confident in your cyberdefenses, it's almost pointless to talk about cyberattacks." In other words, we were worried about a counter-counterattack. And second, it was very hard to predict what scale and scope that counterattack might have. There is plenty of wisdom in Clapper's analysis, but I'd highlight one point in particular. He is emphasizing the uncertainty of networked conflict, and making clear that uncertainty can be deadly. When you don't know how an opponent will react, you are necessarily driven to be more conservative unless you have impenetrable defenses – and no one has impenetrable defenses on the network. In other words, networked conflict today is rife with uncertainty, and that uncertainty favors the attackers.
I'm reading: "Clapper: U.S. shelved 'hack backs' due to counterattack fears."
- All your telegrams are belong to us: In the late 18th and early 19th century, the height of high-speed communications was a mechanical telegraph system that crisscrossed France. The network consisted of chains of towers with a system of movable wooden arms on top; tower operators would visually confirm the positioning of the arms on the previous tower, and then position theirs to match. It was a government-only network, but two bankers quickly figured out how to subvert the system by bribing an operator to slip hidden messages into the official channel. This exploit served our 19th-century hackers for two years, until the bribed operator fell ill and revealed the details to a friend, hoping that he would take his place. With any technology, you can assume that shortly after its first use for its intended purpose, someone will find a way to use it for an unintended purpose (malicious or not). The challenges we face today (social media manipulation and influence operations, anyone?) aren't new – it's just the scope and pace that have changed. What's the lesson? Design resilient technologies – stop to think about unintended uses, then design for them. But no matter how hard you futurecast, you're going to miss something, so prepare for that, too. The one thing you shouldn't do is convince yourself that whatever use you envision today is the use that will be in vogue tomorrow, because if there's one thing the history of technology teaches us won't happen, it's that.
I'm reading: "The crooked timber of humanity."
- Sunlight on the VEP: Rob Joyce, White House Cybersecurity Coordinator, twice this last week spoke about a new "public charter" for the controversial Vulnerability Equities Process (VEP). He highlighted the intent to make the membership and deliberations of the group more transparent, and to answer some of the questions that critics have raised about the secrecy around the group. The process is just getting going, but this will definitely be interesting to watch.
I'm reading: "Trump administration will shine light on VEP with public charter."
- If we do not hang together...: In the wake of the SWIFT intrusions of 2016 and 2017, much attention has been focused on the new SWIFT customer security programme (CSP). Driven by SWIFT itself, it requires all SWIFT members to make certain security investments to protect their critical SWIFT application against intruders. But last week we heard about a different effort – not from SWIFT, but from the central banks themselves. The Committee on Payments and Market Infrastructures (CPMI) issued a consultative document recommending that banks adopt seven high-level strategies, from measuring risk to investing in prevention and detection. The document is out for comment through the end of November but, as it stabilizes, it will be interesting to see what requirements – if any – it imposes on central banks.
I'm reading: "Central banks seek better security on inter-bank payments."