Jared Cohen - The New Digital Age
The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play. This is a difference in values as much as a legal one—as we discussed earlier, China today does not rate intellectual property rights very highly. But the disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage. American firms will have to fiercely protect their own information and patrol their network’s borders, as well as monitor a range of internal threats (all of the individuals in the above examples legitimately worked for those companies), just to remain competitive.
• • •
The current economic espionage will continue for decades, both between the United States and China and between other nations that gain the required technical capabilities and see the competitive advantages it offers. There will be no dramatic escalation for the same reason that we’ll have an ongoing but relatively stable Code War: the lack of attribution in cyber attacks. The Chinese government is free to support or partake in any number of cyber attacks against foreign companies or human-rights organizations so long as their involvement cannot be definitively proven. 7
But there are strategies we can use to mitigate the damage caused by cyber attacks in addition to introducing some vulnerability on the part of the attackers. One idea comes from Microsoft’s Craig Mundie: virtual quarantine. As we’ve described, many cyber attacks today come in the form of DDoS attacks and regular denial-of-service (DoS) attacks, which require the use of one “open” or insecure computer on a network that the attacker can use as a base of operations to build his “zombie army” of compromised devices. (DoS attacks could be generated by a small number of hyperactive attacking machines; DDoS attacks are generated by a large, distributed—hence the extra “D”—network of attacking machines, often comprised of hacked computers owned by everyday users ignorant of the fact that their computers are being manipulated in this way.) One neglected or unprotected device on the network—a never-used laptop in a science lab, or a personal computer an employee brings to work—can become the attacker’s base and then compromise the whole system. 8
Quarantine mechanisms contain this attack by enabling the ISP to shut off an infected computer as soon as it recognizes it, unilaterally and without owner authorization, taking the computer off-line. “The basic premise is that when you have a network disease, you have to find a way to slow the spread rate,” Mundie explained. “We quarantine people involuntarily, but in cyberspace we haven’t yet decided that quarantining is the right thing to do.” When any machine shows signs of virus or disease, it must be “isolated, contained and healed before being exposed to healthy systems,” he added. Users often don’t recognize when their computers have been compromised, so allowing the ISPs to conduct these actions will bring about a much faster resolution. Depending on how the mechanism works and what kind of attack is being used, the attackers may or may not recognize that the infected device is off-line—but the user would find his Internet connection inoperable, by mandate of the ISP. By denying the attackers the ability to reach through the infected computer, the harm they can do is greatly reduced.
In Mundie’s vision, there would be a neutral international organization to which ISPs could report the IP addresses of infected computers. This way ISPs and states around the world could refuse to let quarantined IP addresses into their online space, cutting off the range of the cyber attack. In the meantime, investigators could watch the cyber attackers from a distance (the attackers would not know the device had been quarantined) and gather information about them to help trace the origin of the attacks. Only when the user had certifiably cleaned his device (with special antivirus software) would his IP address be released from quarantine. In addition to an international organization leading these changes, we might see in parallel the creation of an international treaty around the automatic takedown mechanism. International agreement about swift action to deal with infected networks would be a big step forward in fighting cyber attacks. States that do not agree to the treaty might risk having their whole country considered quarantined, thus putting it off-line for much of the world’s users.
Stronger network security will improve the odds for potential targets well before any quarantining is required. One of the basic problems in computer security is that it typically takes much more effort to build defenses than to penetrate them; sometimes programs to secure sensitive information rely on 10 million lines of code while attackers can penetrate them with only 125 lines. Regina Dugan, a senior vice-president at Google, is a former director of DARPA (the Defense Advanced Research Projects Agency), where her mandate included advancing cybersecurity for the U.S. government. She explained to us that, to effectively counter this imbalance, “We went after the technological shifts that would change that basic asymmetry.” And, like Mundie, Dugan and DARPA turned to biology as one of the ways to counter the imbalance: They brought together cybersecurity experts and infectious-disease scientists; the result was a program called CRASH, the Clean-Slate Design of Resilient, Adaptive, Secure Hosts.
The philosophy behind CRASH recognized that human bodies are genetically diverse and have immune systems designed to process and adapt to viruses that pass through them, while computers tend to be very similar in their structure, which enables malware to attack large numbers of systems efficiently. “What we observed in cybersecurity,” Dugan said, “is that we needed to create the equivalent of an adaptive immune system in computer security architecture.” Computers can continue to look and operate in similar ways, but there will have to be unique differences among them developed over time to protect and differentiate each system. “What that means is that an adversary now has to write one hundred and twenty-five lines of code against millions of computers—that’s how you shift the asymmetry.” The lesson learned is undoubtedly applicable beyond cybersecurity; as Dugan put it, “If that initial observation tells you this is a losing proposition, you need something foundationally different, and that in and of itself reveals opportunities.” In other words, if you can’t win the game, change the rules.
Still, despite some tools for dealing with cyber attacks, lack of attribution online will remain a serious challenge in computer and network security. As a general rule, with enough “anonymizing” layers between one node and another on the Internet, there is no way to trace data packets back to their source. While grappling with these issues, we must remember that the Internet was not built with criminals in mind—it was based on a model of trust. It’s challenging to determine who you are dealing with online. Information-technology (IT) security experts get better at protecting users, systems and information every day, but the criminal and anarchic elements on the web grow equally sophisticated. This is a cat-and-mouse game that will play out as long as the Internet exists. The publication of cyber-attack and malware details will help, on a net level; once the components of the Stuxnet worm were unpacked and published, the software it used was patched and cyber-security experts could work on how to protect systems against malware like it. Certain strategies, like universal user registration, might work too, but we have a long way to go before Internet security is effective enough everywhere to prevent simple cyber attacks. We are left once again with the duality of the online world: Anonymity can present opportunities for good or ill, whether the actor is a civilian, a state or a company, and it will ultimately depend on humans how these opportunities manifest themselves in the future.