When you’re talking about information that can be used, or useful, in conducting cyberwarfare, that type of data is different from the conventional identification data, which when released is an invasion of a person’s privacy, or could be used in a fraudulent manner. The missing cyberwarfare data is the data of companies like utilities, hospitals, ports, and other sorts of critical infrastructure.

The most feared and plausible cyberwarfare scenario is the crippling of the nation’s electric grid, which is the basis for the way we live our lives every day, especially insofar as it is the basis for providing critical healthcare needs of patients in medical facilities. About 85 percent of our vital national infrastructure—dams, highways, tunnels, bridges, electrical grid, sewers—is owned privately.

So any attempt to mandate the provision of that data, either to the United States government to develop counter-measures to cyberwarfare, or even to states and localities, has been strenuously resisted by the private sector. It has been resisted both as a knowing obstacle that is being set up to protect things like trade secrets and intellectual property; and it’s being resisted in an unknowing way, a knee-jerk adverse reaction to turning over any private commercial data to government institutions.

The government’s inability to access private sector data is probably the most fundamental weakness of our ability to fend off cyberwarfare attacks. The methodology that is in place now is, at best, based on incentive-driven cyber regulation, which tries to make it attractive to private organizations to turn data over to allow that data to be protected. However, volunteerism clearly is not working here, and it is therefore not enough to set up a defense to a full-scale, damaging infrastructure cyberattack.

Protecting the privacy of individual U.S. citizen data, where the government wants to collect mass amounts of private information, raises different kinds of issues. At the University of Maryland Carey Law School, I taught a class on “National Secrets, Foreign Intelligence and Privacy.” That entire course was driven by the Edward Snowden security leaks in June of 2013. Snowden demonstrated that there were various avenues the United States government was using to access private information of United States citizens.

The two central legal authorities that the United States was relying on were Section 215 of the Patriotic Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments of 2008. Nobody outside of the federal government—and I would say most of the federal government itself—understood that these kind of surveillance activities were being undertaken.

Section 215 was the vehicle through which the National Security Agency vacuumed up so-called metadata, which is information about who a citizen calls. The data shows both the phone number of the arranger of the call, and the number of the person to whom the arranger places his call, as well as the amount of time that the call lasts.

It is not a content-driven, wiretapping surveillance—in other words, you do not know the substance or content of the call. But an outsider can tell a lot about somebody’s private life by knowing who they call on a regular basis and how long that call lasts. Knowledge of frequent calls to an HIV/AIDS advice line, Planned Parenthood, or a psychiatrist, tells the reviewer of this data important information that the caller would otherwise clearly want to be private.

This collection of metadata was further aggravated by the fact that when the metadata was accessed by the National Security Agency, if it dipped into the metadata, it could not only look at the telephone traffic between one caller and another caller, but it could search “three hops” of the data.

The first hop is “A calls B,” and the NSA could get that metadata; then the NSA could get the metadata of everybody that B calls. That’s hop #2. Then hop #3 is the metadata of everybody receiving calls from B. Therefore, with three hops you have a spider web of the metadata of hundreds of thousands of calls. When the program was made public in June of 2013 by the Snowden leaks, President Obama pledged soon thereafter: “We’re only going to collect two hops, not three hops.”

Then the next question becomes: How does the NSA access the details of the metadata it has collected? Originally, experienced intelligence officers supervised requests to access the specifics of the metadata. That was considered quite troublesome legally, because one basic tenet of a constitutional search is that a warrant is obtained from an independent court. By having intelligence officers decide whether the metadata could be searched, that tenet was violated.

One of the first things President Obama did in January 2014, besides eliminating three “hops,” was to impose the requirement that if the metadata was to be searched, the NSA, through the Justice Department, had to get a foreign intelligence surveillance warrant from the Foreign Intelligence Surveillance Court showing that there was probable cause that searching the metadata would concern an agent of a foreign power.

Even with President Obama’s adjustments, Section 215 was criticized broadly, both from the left by civil libertarians and from the right by libertarians.

The USA Freedom Act in 2015 repealed Section 215. However, that statute required phone service providers to hold onto their metadata records for a longer period of time, and if the NSA needed access to that metadata, it could go to the Foreign Intelligence Surveillance Court to obtain a warrant to examine the metadata if it showed that there was reasonable, articulable suspicion (“RAS”) that the metadata would lead to, inter alia, terrorist activity. Of course, showing RAS is, in legal terms, not “probable cause” of criminal activity, the classic threshold for a lawful search and seizure under the Fourth Amendment. At some point, therefore, the constitutionality of this new metadata provision may be challenged.

Section 215 was the legal basis of the first of the two legs of the surveillance revealed by the Snowden leaks. The other is based on Section 702 of the Foreign Intelligence Surveillance Act Amendments of 2008. Section 702 is driven by the fact that the target of the requested surveillance is reasonably believed to be outside the United States and is not a U.S. citizen, circumstances under which the Fourth Amendment would not apply.

But, in operation, Section 702 surveillance need only look to whether the communication at any time left the United States. Any email that at any time is routed outside our country—as many emails are—is subject to Section 702 surveillance. So that raises a very deep concern, because domestic emails are therefore subject to an NSA Section 702 search.

Our government is always quick to say: “We do not surveil United States citizens and only do so with a warrant.” Well, the 702 is not a warrant-driven mechanism as a predicate to the search. (The government needs to get FISA court clearance on a yearly basis for the methodology of 702 searches, but it is not required to get a warrant on a case-by-case basis.)

The NSA and the Justice Department are also quick to say that if, through Section 702 surveillance, they pick up anything that is entirely domestic, the government “minimizes” the search, or does not allow it into the intelligence inventory. However, the 702 exceptions to minimization are so broad that they swallow up the entire concept of minimization. The 702 statutory authority is set to expire later this year, and there is going to be a major debate over whether it should be extended. Section 702 has many supporters.

The Supreme Court has not ruled definitively on these surveillance issues. Even among the present eight Supreme Court justices, there is a likely majority who have signaled their doubts about surveillance that does not strictly follow Fourth Amendment “probable cause” jurisprudence. Even Justice Antonin Scalia, before his passing, was a strict enforcer of classic Fourth Amendment search and seizure doctrine. Moreover, there is evidence that Judge Gorsuch, if confirmed, will follow Scalia’s lead in this regard.

To date, the failure of challenges to these kinds of surveillances is the inability to demonstrate in court “standing” (or precise injury from the surveillance). The one Section 702 case to reach the Supreme Court in 2013 foundered on the inability of the plaintiffs to show with certitude that their communications had been read or heard. However, standing will doubtless be established in a case where evidence obtained under Section 702 is used to convict a criminal defendant. The defendant will have likely failed to suppress introduction of the evidence on grounds that it was obtained without a showing of probable cause. That criminal defendant will doubtless have standing and, if the case reaches the Supreme Court, that court will likely be able to resolve these issues on the merits.

In the end, one of the biggest cybersecurity problems is that the U.S. military-intelligence complex has far too easy access to private information that can be damaging to oneself, information that we reasonably expect to be kept private, and not put into the hands of the government without some showing that it’s directly related to a critical national need. The government has just too-ready access to far too much of everyone’s private information, and that access can be gotten without demonstrating to an independent court that there is a strong national need.

Another major cyber problem is that too many U.S. commercial interests are not using best cyber practices, best cyber technology, to protect sensitive data that, if stolen, enables crippling cyberwarfare against the United States. I do not think that failure has been given a serious enough concern. So losing your credit card information, your passport information, and other forms of privacy happens too easily. This is troublesome and worrying. But it is not the clear and present danger to our collective security of having our infrastructure data hacked and having a broad-based infrastructure break down.

The attempt to minimize the government’s access to personal private information is not a partisan issue. Libertarians on the right and civil libertarians on the left feel strongly that the government’s ability to invade privacy must be limited. However, it is hand-to-hand combat in Washington on these issues, and should there be another devastating terror attack, I think the scales will tip to the side of the government being able to collect whatever it wants, whenever it wants it.

The post What Happens When Personal Information Gets Weaponized appeared first on Zócalo Public Square.

For the U.S. military, the manifestations of this revolution have covered the full spectrum from the dramatic to the prosaic. Unmanned aerial vehicles, ships, and ground systems now carry increasingly sophisticated surveillance capabilities and precision guided weapons. Less visible, but also hugely important, has been development of the ability to integrate and analyze vast quantities of intelligence from all sources and determine precise locations of friendly and enemy elements. Finally, we cannot overlook growth of the seemingly matter-of-fact but nonetheless essential reliance on email, video teleconferences, and applications like PowerPoint to communicate, share information, plan, and perform the tasks of command and control.

Information technologies that did not exist at the time of the first Gulf War are now so fundamental to the conduct of military operations that it is difficult to imagine functioning without them. And the growth of the internet, social media, and now the “Internet of Things” represents a further stage in the information technology revolution whose full consequences are still unfolding. Nonetheless, some preliminary implications of such cyber capabilities for warfare are already clear.

First, cyberspace is itself now an entire new battlefield domain, adding to the existing domains of land, sea, air, subsea, and space. This reality has enormous ramifications for military doctrine, operations, organizational structures, training, materiel, leadership development, personnel requirements, and military facilities. Most significantly, it adds a powerful new element to the challenges of the simultaneous “multi-domain warfare” in which we are now already engaged and for which we need to do more to prepare in the future.

Second, cyber technology is adding another element to the already ongoing dispersion and fragmentation of global power. While no nation has contributed more to the growth of the internet and the digitized world than the United States (and no nation has developed more sophisticated cyber military capabilities), the nature of these technologies ultimately presents one more disruptive challenge to the preeminence that the U.S. has enjoyed since the end of the Cold War, as others exploit the potential of offensive cyber capabilities in new and increasingly sophisticated and diabolical ways. Examples of this include the use of cyberspace by extremist networks like ISIS and Al-Qaeda to inspire far-flung terrorist strikes; by Russia to wage ideological and political warfare that seeks to undermine the cohesion and self-confidence of the Western democracies; and by China to collect the technological know-how that is speeding its already rapid rise and undercutting America’s conventional military edge and industrial advantages.

Third, cyber capabilities are further blurring the boundaries between wartime and peacetime, and between civilian and military spaces. These are distinctions that have, for various reasons, been eroding in recent decades and which technological developments are now accelerating. At present, it is likewise clear that offensive capabilities are outstripping defensive and retaliatory options. And as long as difficulties in identifying and attributing responsibility for cyberattacks persist, that reality is likely to undercut deterrence and encourage aggression in cyberspace.

Yet even as technological changes inspire us to speculate on the future of warfare, perhaps the most important insights about the implications of the cyber age can be gleaned from the past.

While technology promises to disrupt the conduct of war, it is equally important to recognize what it will not alter—namely, the causes of war, which continue to lie in the character of humanity. As Thucydides documented more than two millennia ago, it is the elemental forces of fear, honor, and interest that are the wellsprings of conflict, and it is often the choices of individual leaders that determine how conflicts develop. It was for this reason, in fact, that, when I was in uniform, I argued against the concept of “network-centric warfare”—put forward in the late 1990s—and instead contended that a better formulation would be “network-enabled, leadership-centric warfare.” It is, after all, still leaders who determine strategies and make the key decisions. And even as development of autonomous weapons systems and other such capabilities proceeds, parameters for actions by such systems will continue to be established by human beings.

Furthermore, history suggests that humanity’s capacity for technical innovation often outpaces our strategic thinking and development of ethical norms. Indeed, the methodical development of doctrine around nuclear weapons by the “Wizards of Armageddon” in the 1950s and 1960s, which did much to help prevent a nuclear apocalypse, appears to have been the exception rather than the norm. More typical is the experience of the European powers of the early 20th century, which failed to recognize that the mass industrialized armies they were constructing were the components of a doomsday machine that would unleash a civilizational slaughter that none of the combatants had previously considered possible. As we and other major powers race to develop cutting-edge cyber capabilities—expanding swiftly into realms such as robotics, bioengineering, and artificial intelligence—we would be wise to devote equal energy and attention to considering the full implications of our ingenuity. Security in the century ahead will depend more on our moral imagination—and with it, the ability to develop concepts of restraint—than it will on amazing technological breakthroughs.

This in turn suggests a final reality about warfare in the age of cyber. Regardless of the innovations that lie ahead, technology by itself will neither doom nor rescue the world. Responsibility for our fate, for better or worse, will remain stubbornly human.

The post As Machines Wage War, Human Nature Endures appeared first on Zócalo Public Square.

At the same time, cyberattackers, and their rising diversity and sophistication, offer an opportunity to innovate and grow new markets. You can see what that looks like in San Diego, where I live and work.

San Diego has long been a center of America’s national defense, and the infrastructure and businesses that support it. The cyber age—and San Diego’s savvy response to it—has changed the nature of that defense. San Diego is now home to more than 100 cybersecurity companies that employ 4,230 people in the region. That’s on top of the 3,390 employees who work at the U.S. Navy’s Space and Naval Warfare Command (SPAWAR). And those numbers are growing rapidly.

In just two years, between 2013 and 2015, information security analysts grew by 13.9 percent per year on average in San Diego, nearly double the national 7 percent average, and employers expect their cybersecurity workforce to grow by an additional 13 percent in the coming year, according to a 2016 study for which my nonprofit and other San Diego institutions conducted research. The annual economic impact of the industry is already estimated at $1.9 billion—that’s the equivalent of hosting four Super Bowls each year—and puts San Diego on par with sister cyber hubs in Silicon Valley and Maryland.

This rapid growth is not merely a matter of technological change. It reflects strategic efforts by people and sectors across San Diego—the military and intelligence community, high tech industries, academia, municipalities, utilities, transportation agencies, and the region’s various governments—to become a leader in cybersecurity.

I play a role as leader of the San Diego Cyber Center of Excellence (CCOE), a nonprofit established in 2014 by cyber industry, higher education, and government leaders to address cybersecurity challenges here. To become a center of this new line of defense, the region has had to tackle three tasks crucial to the sector’s success. San Diego is cultivating a cyber workforce, showcasing its successes in cutting-edge technologies, and fostering a more secure cyber environment across the region’s institutions. (Being a leader in cybersecurity can make you a bigger target to attack.)

These challenges resulted from regional economic planning, in particular the San Diego Regional Economic Development Corporation’s cybersecurity economic impact study. In some places, regional economic reports get dismissed, but not this report and not here. The report identified a clear top challenge: the sourcing and development of a cyber workforce. This is what drew me to this work and the CCOE—the opportunity to help find and secure the next generation of cyberwarriors was too good to pass up.

To start, our team convened leaders in industry, government, and all 15 of the cybersecurity, computer science, and engineering deans from regional universities, colleges, and extended studies programs to discuss greater alignment between academic supply and industry demand. The collaboration has been highly productive. It helped create a catalogue of courses that universities and programs offered, or could add, to meet the skill sets sought by the industry. It also generated a regional cyber Job Board, as well as an Internship Pipeline and Link2Cyber programs that connect students, recent graduates, veterans, and seasoned professionals with career opportunities in the region. 

Not only are these cybersecurity positions in demand, but the average annual salary for analysts, computer scientists, and software developers is six figures, according to that 2016 economic impact study that CCOE helped conduct.

The combination of wages and opportunity have made San Diego a hotspot for talent, investment, and research and development. The region’s universities and colleges annually graduate 3,000 students in the computer science and engineering fields. The University of San Diego and California State University San Marcos recently launched cybersecurity masters programs with industry-driven curricula to help feed the pipelines. The region’s higher education sector also supports trailblazing research at facilities like the Super Computing Center at UC San Diego and the Advanced Computing Environments Laboratory at San Diego State University.

Demand for talent is being driven by a convergence of commercial security and defense security. This creates a real community around cybersecurity. Industry leaders such as Qualcomm, ESET, ViaSat, and iboss call San Diego home, citing access to clients, customers, vendors, suppliers, and proximity to SPAWAR as the region’s greatest strengths.

San Diego is likely to see more growth as the industry moves toward private sector customers. The share of firms focused primarily on the commercial market (as opposed to military and defense) has grown substantially, now constituting 47 percent of the sector in San Diego. This shift reflects the importance of practical applications of cybersecurity, like protecting healthcare and financial data, and energy and water grids. This is good news in an age where the Internet of Things (IoT), electromagnetic pulse (EMP) blasts, mass grid outages, and ransomware attacks are no longer just Marvel Comics storylines.

San Diego as a regional hub is also mobilizing to address potential threats to its own infrastructure. The Secure San Diego initiative, launched earlier this year, is, among other things, generating a regional cyber response map for businesses and a regional incident response management plan similar to state of emergency protocols used in natural disasters.

Sometimes I marvel at how threats and defense strategies have evolved since my time as commander of SPAWAR, but the one constant of war remains: You can’t go it alone. While San Diego has developed a cybersecurity sector, cyber threats have no geographic or industry bounds, and the need for qualified cybersecurity workers is increasing. My hope is that San Diego can serve as a template to mobilize other regions to adopt best practices and grow our nation’s next generation of cyberwarriors, defenses, and innovations.

The post In San Diego, Building a Cybersecurity State Is Good Business appeared first on Zócalo Public Square.

Anybody seeking to understand what war might look like in the cyber age should consider the disruptive force of air power and the revolution it wrought. One lasting lesson: War has the power to quickly transform our technological fantasies and anxieties into devastating, hard-to-control realities.

Even before the Wright Brothers launched at Kitty Hawk in 1903, fantasies about what the industrial revolution meant for the future of warfare became etched in Western culture. From Ignatius Donnelly’s 1890 Caesar’s Column to H.G. Wells’ 1897 The War of the Worlds to Mark Twain’s 1899 A Connecticut Yankee in King Arthur’s Court, turn-of-the-century novelists imagined apocalyptic machines reaping vast destruction on dense urban populations. In 1898, one Polish military leader described how future war would involve balloons dropping “explosive substances” on unsuspecting people far removed from any front.

“Le Combat dans la riviere” (1906). Illustration by Alvim Corrêa (1876-1910) for a work by science fiction author H.G. (Herbert George) Wells (1866-1946). Image courtesy of the Spencer Collection of the New York Public Library Digital Archive.

Michael Sherry, a leading historian of air power in the 20th century, has argued that while early aviation technologies had limited practical applications, those limitations were not always understood by military commanders and political leaders. Fantasies about air power’s destructive potential outstripped the reality of air power.

But before long, the experiences of war enabled military planners and national leaders to experiment with air power, giving the world an early taste of the terror. World War I introduced the practice of air raids on something approaching a mass scale, as dozens of German “Gotha” and “Zeppelin” raids on London killed an estimated 1,413 civilians.

The experimenting with air power in World War I led to a growing fascination with its destructive potential. In 1921, Italian military theorist Giulio Douhet published The Command of the Air. He argued that in any future wars air power would be decisive. Generals and statesmen would target civilian populations with heavy bombing, seeking to destroy the enemy’s military-industrial capacity and weaken the enemy’s civilian morale. Future battlefields, Douhet predicted, will no “longer be limited to actual combatants. On the contrary, the battlefield will be limited only by the boundaries of the nations at war, and all of their citizens will become combatants, since all of them will be exposed to the aerial offensives of the enemy.”

The world, he concluded, was entering an age of “total war,” with civilians the prime target of any offensive military operation. Similarly, cyberwarfare adds a whole other dimension to the concept of total war, using unseen tools almost anywhere on earth to cause mass civilian casualties and mass panic.

The coming of World War II put many of the post-WWI predictions to the test. And tragically, many proved prescient. Advanced aviation technologies coupled with fascist militarism helped warfare assume an unprecedented destructive scale. During Spain’s Civil War, Franco’s bombers killed thousands of civilians in attacks on Barcelona, Guernica, and other Spanish cities. In Canton, China, Japan’s air raids killed thousands of civilians in the mid-1930s.

Air power altered people’s conceptions about the constraints of time and space during military conflicts. Abraham Lincoln had once predicted that “the armies of Europe and Asia … could not by force take a drink from the Ohio River or make a track on the Blue Ridge in the trial of a thousand years.” The United States had long seen itself as immune from the military calamities that had befallen other nations, whose borders were in proximity to one another. The twin-ocean barriers on America’s coasts no longer appeared to protect the United States from the advances in air power. Fears of bombs falling on the continental United States soared in the 1930s and early 1940s.

President Franklin D. Roosevelt, who had served as Assistant Secretary of the Navy during World War I and had long admired sea power, concluded that modern aviation had upended military doctrine and put millions of U.S. civilians in harm’s way in their homes. The advances in aviation technologies meant that “so-called impregnable fortifications no longer exist,” FDR warned Americans in May 1940. (Cyberwarfare and online recruitment of potential terrorists have further lowered the protective walls of fortress America).

FDR’s repeated warnings did not prevent Pearl Harbor. But the war that ensued—which included the Allied firebombing of Dresden and Tokyo, where hundreds of thousands of civilians died, followed by the atomic bombing of Hiroshima and Nagasaki—matched some of the most horrific nightmares of early fantasists about air power.

In the years since World War II, air power has not always proven decisive, of course. During the Vietnam War, the United States dropped more tonnage of bombs than had been dropped by all combatants in World War II. Yet the most powerful military on earth lost to a determined, fierce guerrilla army fighting to defend its native soil.

The Bush Administration’s “shock and awe” air campaign at the start of the 2003 Iraq War wrought so much destruction that it arguably set the stage for the Iraqi Civil War that ensued two years later.

This history should provide this cold reassurance: It is highly unlikely that any single technology—including cyberwarfare—will prove decisive in military campaigns of the future.

But the history of air power also strongly suggests that at some point in the future, fantasies about cyberwar and the actual practice of cyberwar will merge.

So human beings, in contemplating how cyberwar may change the character of warfare itself, will be better off if we allow our fears to inspire our thinking, and anticipate new perils and consequences before they show up at all of our doorsteps.

The post To Understand the Future of Cyber Power, Look to the Past of Air Power appeared first on Zócalo Public Square.

The first question that policymakers might debate is whether such an attack deserves a military response. But several problems immediately arise. First, would the U.S. government—and specifically the National Security Agency—know for certain who had conducted the attack? 

Without being able to attribute the attack, or if there were some uncertainty about who was responsible, it would be very hard to strike back. Unlike conventional attacks, cyberattacks can be difficult to attribute with precision to specific actors. In the event of a major cyberattack, pressure to respond would be immediate—and probably intense. But if a country strikes back and the forensics are erroneous, then the retaliation will have unnecessarily and inadvertently started a war.

Russia’s alleged meddling in the 2016 U.S. presidential elections has brought the issue of cyberwar again to the top of the news, but the possibilities it raises are only the tip of the iceberg when it comes to the role of cyber operations in modern warfare. Most—although not all—analysts agree that cyber will be a key domain in the conflicts of the future. Exactly how cyber will impact these future conflicts, however, is hard to say with any certainty. Cyber weapons are not like missiles or tanks; because their initial impact is in the information domain, their effects are much harder to judge.

Even in cases where an attack is linked to one specific country—say, Russia—it could be hard to know for sure whether it was directed by the Russian government. 

This is because governments like the Russian government appear to rely heavily on third parties to develop their cyber weapons and conduct their attacks. This offers them many benefits—deniability being one of them—but it also offers them less control over what their cyber warriors actually do – creating a so called “principle agent problem.”

Wearing sailor’s uniform Russian Defense Minister Sergei Ivanov, left, and President Vladimir Putin, third from left, watch a missile launch aboard the nuclear-powered misile cruiser Peter the Great, while observing naval maneuvers of Russia’s Northern Fleet in the Barents Sea, Aug. 2005. Photo by Alexei Panov, ITAR-TASS, Presidential Press Service/Associated Press.

In other words, an attack that originates from within the Russian cyber world might be the work of the Kremlin—or it might not. This further complicates the choice of response.

Sometimes, the culprit will be clear, of course. But in these cases, the question is how, specifically, to respond. 

Some advisors might push for a cyber counter-attack that inflicts equal damage on the guilty party. But this isn’t always possible. If the perpetrator is a party like North Korea, then there is no equivalent financial system to target. But should the United States instead use conventional military weapons like a cruise missile, perhaps on Pyongyang’s cyber training facilities? A strike like that would clearly risk serious escalation of the conflict. It might be seen as disproportionate if the U.S. financial system had recovered in the interim with relatively minimal real damage.

Imagine, however, that the attack is against the U.S. power grid or oil and gas infrastructure. This kind of attack could easily have military consequences if it were extensive. The U.S. military has backup power generation capability as well as stocks of fuel reserves, but these stores are not infinite. If such an attack on U.S. infrastructure has military consequences, the case for a cyber retaliation—or even a Tomahawk cruise missile strike—starts looking a lot stronger.

Even if the U.S. power grid were seriously affected by a cyberattack, however, and the United States knew with a high degree of confidence who the guilty party was, there would be reasons for caution—especially if the attack was an isolated incident and there were no other signs of aggression or malign intent.

This is because cyberattacks can have unanticipated consequences. With any military strike, collateral damage is always possible, but with most conventional attacks, methods of assessing and avoiding collateral damage are well-developed, and based on well-established physics principles and observational experience.

But cyber weapons don’t operate like missiles or tanks. They attack the underlying network or computer systems. The possibility of unexpected effects in the cyber world is much greater.

For example, a cyberattack on an electrical grid might be intended to knock out the lights in a specific location, but end up affecting a whole region’s energy supply. The world saw this potential with the Stuxnet worm: Apparently intended for a very specific, isolated network (an Iranian control system), the worm was discovered precisely because it spread beyond its intended target into other related networked systems. Stuxnet did not attack other control systems, but only because the designers programmed in a self-destruct date. If the designers had been less cautious, its effects would have been much more widespread.

Therefore, before targeting a cruise missile at that (hypothetical) cyber hub in Pyongyang, the U.S. president would want to have at least some knowledge of both the intentions of the attacker and the consequences (including secondary effects) of the response—otherwise the United States might be starting a war by accident.

But a desperate foreign leader might miscalculate that he can get away with a surreptitious attack on U.S. infrastructure for exactly these reasons—and that in and of itself is cause for concern.

This is why context will make a big difference. It’s relatively easy to assess the damage done by an attack on America’s infrastructure, but less easy to assess the intent of that attack. If the U.S. power grid is seriously disrupted by a cyberattack during an ongoing war with a known aggressor it will be much easier to strike back—with kinetic (i.e. physical) force or with cyber weapons—simply because it will be easy to assume the attack was intentional.

Alternatively, a fearful foreign leader might lash out at the United States if she or he fears the United States is on the verge of conducting a devastating cyberattack. The hostility might come in the form of a massive, pre-emptive cyberattack, a conventional attack, or in the extreme, even a nuclear salvo.

Since the ability to mount cyberattacks depends on keeping targeted vulnerabilities secret, both sides may fear that their adversaries possess capabilities that have far-reaching destructive potential – even when they don’t. This fear in turn could increase the tendency toward pre-emptive action and hence escalation.

Cyber adds new and significant uncertainty to warfare, making it difficult both to deter and respond. It will take time and a great deal more research and analysis before the problem is fully understood.

The post Why It’s So Hard to Stop a Cyberattack—and Even Harder to Fight Back appeared first on Zócalo Public Square.

The CIA, in reporting on Russia’s intervention in the presidential election, determined that the RNC had been breached by Russian hackers during the election, but none of the information stolen from the party had been released, the New York Times reported. Following this report, RNC Chairman Reince Priebus, soon to become White House chief of staff, insisted in two television interviews that “the RNC was not hacked.” He apparently based this analysis on the fact that the FBI had previously reviewed its systems as well as the evidence provided by the “hacking detection systems” that the RNC has in place.

Anyone who confidently, categorically denies that his organization’s computer systems have been breached is either flat-out lying or dangerously delusional. The best-case scenario is the former. If the RNC is, in fact, aware that there are vulnerabilities in its systems (as there undoubtedly are) and is paying attention to whatever evidence the CIA has provided of breaches, then Priebus’ statements could amount to a (perhaps misguided) PR strategy, intended to reassure the public and deter other would-be attackers. (As a general rule, though, boldly claiming that you have never been hacked and trumpeting your infallible “hacking detection systems” is perhaps not the best way to deter potential intruders.)

But if Priebus is telling the truth—if he really has such blind faith in the technical tools that the RNC uses to detect intrusions, and refuses to believe, despite any evidence to the contrary, that those tools could possibly be evaded or that any deeper investigation could reveal things that previous ones had missed—then that’s much worse news. To proudly announce to the world not only that your security monitoring tactics have failed to prevent intrusions detected by other parties but also that you absolutely will not, under any circumstances, ever second-guess or investigate further beyond those tactics is to be ludicrously ignorant of how fallible such tools are.

From a cybersecurity standpoint, the best thing to hope for in a person running a powerful organization—whether it’s a political party or the White House—is someone who will be constantly searching for evidence of breaches and intrusions, someone who understands that the failure to find that evidence is a sign of a weak defense posture, not an absence of adversaries. Blind faith in the protective powers of technical tools is never a good sign—nor is the philosophy that no breach has occurred unless the stolen information has surfaced somewhere else, conclusively confirming a theft.

Many data breaches—especially those directed at governments for the purposes of espionage—do not result in public revelations of stolen information. The only reasons to reveal that you have successfully stolen data are to sell that data, to publicly humiliate or hurt the victims by influencing public opinion, or to extract a ransom from the victims. Often, incidents of political and economic cyberespionage are not motivated by any of these reasons, and the perpetrators therefore sit on their stolen data, quietly using it for their own purposes or waiting until it becomes useful.

Obviously, it’s easier to deny breaches that have no public component and harder to prove definitively that they’ve occurred. But just because the data stolen from the U.S. Office of Personnel Management has not been sold or published online does not mean that breach did not occur, or that it doesn’t matter, or that we should not be thinking about what we can learn from it and how we can better protect government agencies’ networks.

But to do that, you have to be willing to accept that some breaches are determined based on overwhelming evidence, absent any public announcement or confirmation by the perpetrators. Attackers often bypass technical defenses and protection mechanisms, and a slower, more in-depth investigation performed by more sophisticated analysts can reveal things an initial investigation may have missed; the fact that “evidence” of a hack hasn’t been found by the RNC is something to be concerned about, not something to brag about on national television. It’s the kind of thing you brag about when you want to advertise to adversaries not only how poor your network monitoring tools are but also how much false confidence you have placed in them. A government that refuses to accept or believe forensic evidence of data breaches is likely to be a very appealing—and very easy—target.

The post Just Because the RNC Says It Wasn’t Hacked Doesn’t Change Reality appeared first on Zócalo Public Square.

It’s not just the intriguing possibility of Russian involvement. Nor is it that FBI and Department of Homeland Security officials took the notable step of confirming the penetration and warning state election boards to conduct vulnerability scans.

It’s that the targets of the hacks—state and local election data—don’t have the same obvious incentives as attacks before them. Missing are the monetary rewards for the perpetrators of large retail data breaches; lacking is the espionage value of a hack like the massive compromise of data from the Office of Personnel Management. Instead, these intrusions target the system at the heart of our democracy, and the incidents are rightly being treated as a very serious problem. But how do we fix it?

For his part, Department of Homeland Security director Jeh Johnson has discussed the idea of including U.S. voting systems on the list of federally designated “critical infrastructure”—a protective designation it gives to resources such as nuclear power plants, banking and finance systems, and the electrical grid. However, unlike our nuclear or financial systems, both the institutional and network infrastructures that underpin our local elections have been cobbled together in troubling ways. They were done incredibly cheaply, over years and numerous eras of technology, and with virtually no standardization or even minimum security practices.

To be clear, it would actually be very hard for hackers to meaningfully alter a national vote count given our decentralized election systems. (As Johnson himself pointed out after the August state breaches, we’ve got some 9,000 jurisdictions at the state and local level involved in the process.) But changed ballots aren’t the only meaningful consequences that can result from such attacks. Other less clear costs—from weakened public confidence in election results to increased auditing expenses—pose serious concerns. Assessing this impact will be challenging, as will making changes to prevent future hacks. The vulnerabilities exposed by the Illinois and Arizona breaches, and credible concerns about the possibility of new ones, have exposed just how behind state and local governments are when it comes to protecting their systems and data.

Part of the reason for this comes down to serious funding and personnel constraints. Almost all local governments struggle to recruit and retain generally qualified IT professionals, let alone those specializing in cybersecurity. With short supply and high demand, many are unable to pay competitive salaries and often rely on contractors for most or even all of their information security. This wouldn’t be a problem if the local governments knew exactly what they needed and had sophisticated contracting capabilities, but this is often not the case. The most resource-constrained jurisdictions aren’t taking steps to beef up their cyberprotections. And when it comes to electoral processes, these local setbacks become national issues.

The other reason that state and municipal governments have fallen behind on cybersecurity is a phenomenon known as “security debt.” The idea behind the term is that computers and computer networks allowed institutions—companies, organizations, and governments alike—to decrease their costs, increase their efficiency, and shrink their staff levels. The problem is that the upsides of the switchover are front-loaded in the early years of deployment, and this new, efficient way of doing business becomes the norm. Only later, sometimes years down the line, do costs like network vulnerabilities become apparent. Malware and Trojans. Data breaches. Ransomware. Most result from pre-existing or unpatched vulnerabilities. This is the security debt coming due.

The problem is that too many organizations quickly adopted these new systems without sufficiently planning for their inevitable future costs and vulnerabilities. The resulting security debt is especially problematic for local governments, which are often unable to mitigate the unplanned costs in an era where their funding is declining and more is expected of them. And it’s not just electoral processes that have been put at risk. Think of all of the information your municipal government has on you—voting data, tax information, property records, criminal history, driver’s license numbers, Social Security numbers. Think of, if your kids go to public schools, all of the data they have on your children. There’s perhaps no better case study of governments diving into a new system without thinking of security and privacy pitfalls than the fast-paced adoption of educational technology. Few examples have a bigger security debt—what kind of data are these companies collecting? Who can use this sensitive student information? How secure is this data?—than these digital learning tools. The impulse to chase after the newest, shiniest technological aide doesn’t help either.

We expect our local governments to do quite a bit of work for us—from policing to collecting taxes to repairing roads to operating elections. In a modern world, all of those functions require information systems housing large amounts of sensitive data. Frankly, we haven’t thought enough about what goes into these processes. And when we have, we’ve mostly assumed that governments were taking reasonable measures to keep these systems secure. It’s not clear that those were good assumptions.

There are, however, ongoing discussions about how to fix these problems. They include ideas like having local governments consolidate, adopt cloud-computing solutions, outsource to managed security services, or connect with federal and state programs that would pool resource capabilities. All of these, if implemented with care, provide promising potential for future solutions. Until then, we should concede that we will be paying a high “interest” rate on our growing security debt—interest that is likely to manifest as data breaches, intrusions, and emergency costs to respond to incidents and patch vulnerabilities.

It’s also worth noting that, even with good tools, there are no simple answers to these challenges. Federal financial and technical support to better secure local electoral process, for example, are sometimes viewed skeptically. Numerous state election officials have suggested that this represents creeping federal control over their elections, something many don’t want to see. Roadblocks like these pose serious challenges for a nation that relies on selecting leaders at every level at local ballot boxes. As we do so, we’re pushing the operations of our voting infrastructure to the most underfunded, understaffed, and underequipped levels of government.

Justice Louis Brandeis famously described the states as the “laboratories of democracy.” In an age with more of our civic life online and more threats to it from around the world, we certainly have an interesting experiment on our hands.

The post The Hackers Could Be Coming For This Election appeared first on Zócalo Public Square.

That mystery, however, can be dangerous.

Younger Americans are more likely to use the Internet, but seniors are joining at faster rates than their younger counterparts. As of 2015, 81 percent of Americans between the ages of 50 and 64 use the Internet at least occasionally, as do 58 percent of those who are 65 and older. The Internet has proven to be an amazing resource for seniors, particularly those with physical limitations. It opens doors to keeping in better touch with family, pursuing new hobbies, and discovering new communities of people with similar interests.

But it also unlocks a whole new world of vulnerability. According to the FBI, seniors are specifically targeted online because they “are most likely to have a ‘nest egg,’ to own their home, and/or to have excellent credit—all of which make them attractive to con artists.” Furthermore, the FBI says,

“People who grew up in the 1930s, 1940s, and 1950s were generally raised to be polite and trusting. Con artists exploit these traits, knowing that it is difficult or impossible for these individuals to say ‘no’ or just hang up the telephone.” Con artists view the senior population as uniquely vulnerable, and they have come up with creative ways to try and exploit those vulnerabilities.”

Some of the new swindles resemble old door-to-door, mail, and phone scams, except that they now take advantage of massively efficient Internet communication. Think of the myriad of messages containing sob stories ending in pleas for large sums of money, solicitations for charities that don’t exist, offers of free prizes and gifts, or attempts to scare out personal information with threats of cutting off Social Security payments, health care coverage, or banking account access. There are also popular schemes in which a pop-up window informs a person their computer has been compromised and will be shut down unless the outside party is granted access to the machine. Or a message appears from what seems to be a friend or relative telling the user to “check out this awesome website!” Although these aren’t age-specific ploys, many scammers specifically target seniors, assuming that they are unfamiliar with the ways of the web and are easier to con.

So what can we realistically do about it? The success of these hacks and scams have led many software developers and security professionals to gripe about the so-called “stupid users” who simply cannot be saved from themselves and their terrible passwords. While it’s true, in a tautological sense, that removing all humans from the network would make it exceptionally secure, being “stupid” and being “poorly educated” are two very different things. There are a lot of smart people out there that simply don’t have the right information to keep themselves safe online, including seniors. As Slate columnist Josephine Wolff wrote in her beautifully titled piece “Calling Humans the ‘Weakest Link’ in Computer Security Is Dangerous and Unhelpful,” these mistakes show that technology is failing the human users, not the other way around. “The whole point of computers,” she writes, “is that they’re supposed to improve the lives of people, and yet, strangely, it’s the people who end up being painted as the problem.”

Yanking grandma and grandpa (or anyone else who doesn’t know how to respond to technogeek phrased pop-ups about ActiveX controls) offline is clearly not the answer. But given the rate at which seniors are being targeted, we could be doing a better job of getting basic information to this particularly vulnerable group. There are lots of places that offer excellent educational resources about online security and privacy, particularly from AARP, yet they don’t seem to be reaching their target audience. To understand why this information isn’t flowing, I had to reach out to people who don’t work in cybersecurity, who aren’t Internet natives like myself. I needed to talk to people who are much, much different than myself. So I called my parents.

My mom is a paralegal at a huge law firm, and she’s really good at it. She navigates complex tax and real estate regulations like Misty Copeland navigates the stage. My dad is retired now, but he spent years in banking, working his way up from teller to vice president. They’re very smart people. But they didn’t grow up with the Internet.

“So,” I asked my parents, kicking back on the couch in the home where I grew up, “Where do you get most of your information on online safety?”

“You,” they said in unison, without hesitation.

“Well, okay,” I said. “But other than me. Like if I’d gone into, I don’t know, forestry instead of tech. Where would you be getting that information?”

“There’s no really good place,” my dad said after thinking a moment. “The TV frightens me, because they just focus on fear, not what to actually do.”

“Do you think they should put something educational on TV about cybersecurity instead?” I asked. “At a level anyone could access?”

My mom frowned and shook her head. “I don’t think so. If they put something informational on TV, people would probably flip the channel to watch Star Trek instead.” I couldn’t disagree.

“I do learn a lot from work,” my mom said. “We have a good IT department. I guess there are classes at the college. But if you’re not involved with computers in some way, you don’t think about that stuff.”

“And what you learn from the experts at work doesn’t always translate to home,” my dad added. “I have a lot more to worry about here at home than I did in the office.”

My dad is right—workplace training covers only certain topics. But that training has really stuck with them. For example, my parents are pros when it comes to understanding spearphishing attacks. They know that an email isn’t always what it seems—that it might be a deliberate fraud by someone who knows about their personal habits, likes, or dislikes, and is using that information to entice a target to click on malicious links, or reply with personal information. “I’m paranoid about opening emails,” my dad said. “You have to know first who they’re really from.” Solid advice. At my mom’s work, the security team even sends fake spearphishing emails that redirect to an online training course if the links are clicked. It’s a great idea—although it requires a savvy educator.

“It has to be at a level that people understand,” my mom emphasized. “I like learning, but I like to learn quickly. What are the clues that something’s wrong? If it looks like junk in the email address, for example. Or how you should never click a link that’s sent to you if you don’t know what it is. Those are a few things that everyone could do that would help some.”

We talked a lot more about Internet safety. My parents agreed that without a smart and communicative security department at work (in the alternate universe where I am a park ranger), they wouldn’t have any source of good information. Since 13 percent of the U.S. population is 65 and over, and that percentage is growing, we can’t depend on workplace training to keep the older generations safe online.

I left my parents’ house feeling pretty happy with their level of knowledge. I also left with the understanding that they were lucky. They learned a lot from their corporate security departments and they have a daughter in cybersecurity who’s willing to personally engage with them after they retire to ensure they stay safe as vulnerabilities and and attack methods continue to evolve. It’s hard to create new pathways for knowledge—especially pathways that can reach everyone. As my mother reminded me, most aren’t the caricature of the hopeless senior completely incapable of learning anything new. The problem isn’t that seniors can’t learn. It’s that no one is there to teach them in the first place.

Some workplaces can and have filled this role, but it’s certainly not a guarantee. Even when they have, as people leave the workforce, they will need some other source of help continuing to stay safe online. As I mentioned earlier, AARP has some excellent resources for seniors, including tips on avoiding identify theft, spotting spearphishing scams on social media, and explaining ransomware, but you have to be motivated to seek them out. Some senior centers have stepped up to provide classes on computer safety, which is great, but not everyone who needs them can or will take them. Television depictions of cyber are grossly misleading. Mainstream media coverage of these issues is sporadic and can’t be relied upon to reach everyone at the right time.

But if you’re concerned about your parents, there is one last line of defense: you. So let’s all bake our parents a pan of brownies, sit down with them, and have a talk about the Internet. It might get a little awkward, just like the talk they once gave you. But protection, not abstinence, is the way to go when it comes to Internet safety. And who knows, maybe you’ll also learn a few things when you do.

The post It’s Not Your Grandparents’ Fault They Keep Getting Scammed Online appeared first on Zócalo Public Square.

Gutman and her boyfriend, May Kogan, whom she met through Magshimim, will spend this summer working at a camp for Israeli teenagers studying cybersecurity. They have just completed a final project that involved building an application to let teachers remotely control the computers of their students in order to administer an online class in the event that school is canceled due to “a war, or snow” (“what we have and what you have,” Gutman explained to me, referencing the different reasons for canceling school in Israel and the United States).

Many countries, including the United States, have programs designed to teach elementary and high school students coding and computer science skills; many have programs aimed at attracting diverse students to those subjects. But Israel—in large part because of the constant threat of war or cyber attack—is one of the only nations to boast a thriving program for training teenagers from underrepresented groups to focus specifically on cybersecurity.

Beginning in ninth grade, Israeli teenagers from the nation’s “periphery” (that is, outside the well-populated and wealthier cities in Israel) are screened for the afterschool cybersecurity program, which places a particular emphasis on recruiting girls. Magshimim was launched in 2011 by the Rashi Foundation, a philanthropic organization focused on supporting underprivileged Israeli youth, and has been co-sponsored by the Israeli Ministry of Defense since 2013. More than 530 students have successfully completed the program, and it is in the process of trying to scale up the size of its classes tenfold, from roughly 400 students to 4,800 participants over the course of the next five years.

Magshimim accepts roughly 30 percent of the students who apply, following a series of tests and interviews during which the program screens for determination, dedication, and sociability—but not prior computing experience. That’s how Gutman and students like Revital Baron, 17, were able to make the cut, despite having no background in computing. “I just knew how to use Facebook and play computer games,” Baron said of her familiarity with computers prior to entering Magshimim. Now she, like Gutman, is finishing the program and has built, for her final project, a robot that can create a visual map of the space it occupies using ultrasonic sensors to compute the distance from walls and other obstacles.

The students selected for the program attend three-hour cybersecurity training sessions after school two days per week from 10th through 12th grade. Over the course of three years, they work on programming projects, study computing theory, implement cryptographic protocols, reverse-engineer malware, and study the architecture and design of computer networks. They finish high school with a skillset comparable to that of many college juniors and seniors who study computer science in the United States. (Many of them also finish high school fluent in English—a skill born of many hours poring over the forums on Stack Overflow to help answer technical questions, they told me.)

In the short term, these students are being groomed to enter the Israeli Defense Force’s elite cyber branches during their compulsory military service. In particular, the teenagers in Magshimim hope to join Unit 8200, the intelligence and cybersecurity team featured in Richard Behar’s recent Forbes article as “Israel’s secret startup machine” because so many of its alums enter the private sector and launch successful tech (and often specifically security) companies. If Unit 8200 provides the pipeline for Israel’s start-up economy, then Magshimim provides the pipeline for Unit 8200.

In the United States, we talk a lot about the “pipeline problem” in technology—the lack of women and underrepresented minority students finishing college with degrees in engineering and computer science and the resulting lack of diversity at many major tech firms. Israel is concerned about these same issues, and so Magshimim is not just any pipeline—it’s specifically designed to recruit from underrepresented populations in cybersecurity, including girls, religious students, and children outside the major cities. To attract these populations into cybersecurity, it’s important to recruit students when they’re young, before they form too many ideas about what they can and can’t do or should and shouldn’t be interested in, before they begin to feel that they’ve already fallen behind and can’t compete with their peers. In fact, the program is now working on extending its recruitment even earlier, to include training for eighth and ninth graders.

Perhaps in part because “Magshimim not only looks for smart people, but also social people,” one student told me, and perhaps in part because it includes so many girls, the students in Magshimim are an astonishingly outgoing bunch. When I was visiting Israel recently for their 2016 Cyberweek symposium at Tel Aviv University, which included a Youth Conference for hundreds of Israeli high school students studying cybersecurity, many of them were eager to tell me how important the program has been for them socially, as well as technically.

“I really feel like Magshimim is my second home,” Baron said. “All of my best friends are from Magshimim.” Gutman and Kogan, meanwhile, are quick to credit the program with their relationship. A WhatsApp group keeps all of the seniors in the program across Israel, some 150 students, connected online, and the program also hosts regular overnight “Cyber Nights” and challenge events that seem to combine elements of military or law enforcement exercises with the free-food, stay-up-all-night ethos of the hack-a-thons that are commonplace on American college campuses.

For instance, one Magshimim event, a few years ago, required students to investigate a stolen pizza delivery by accessing a building’s security feeds to retrieve surveillance video footage of the theft. “Then we found the pizza and we ate it,” recalled Omer Greenboim Friman. In another exercise, there was a simulated crisis in which the building’s internet access had been completely shut off and the students had to find a way to re-establish connectivity with the outside world.

Underlying all of Israel’s efforts to ramp up its cybersecurity education and training programs is the sense that such threats (internet blackouts, not pizza theft) are never very far away and that no one is too young to be thinking about and preparing for them. The students in Magshimim make it clear in conversation—sometimes to an extent that feels shocking to an observer from another country—that they understand this is about war.

“We are a little country and we have a lot of enemies so we need to secure our data,” Kogan said. “When we were just kids we didn’t have anything we could do about these threats, but now when we are getting into the army we finally have the power to do something about it.” Similarly, Gutman told me, “I really want to go to the army and contribute. My dream is maybe to stay in the army.”

It’s almost inconceivable to imagine hundreds of tech-savvy teenagers in the United States feeling that way about, say, joining the NSA. Daniel Ninyo, another Magshimim senior, has a life plan that might seem more familiar to U.S. high school students: After serving in the IDF, he hopes to launch a start-up company.

When students in the United States get excited about computer science, their interest often lies in building new tools for social change or games or slick, marketable apps, rather than security. Two uniformed soldiers in a classroom would be unlikely to pique the interest of many U.S. high school freshmen the way that they did Gutman’s. So is it possible to replicate the success of a program like Magshimim in the United States? In some regards, absolutely. The United States is, of course, a much larger country than Israel, with a much more decentralized education system and no compulsory military service. But it could still support competitive, well-regarded cybersecurity afterschool programs that target students from underrepresented communities who have no prior coding experience and offer them not just classes but also a rich social environment, regular mentoring from older alums of the program, and, occasionally, pizza.

And yet—it takes more than pizza to create a program that is held in as high regard as Magshimim, both by its participants and the rest of the country. (“I was in a restaurant with my friends once and the waitress looked at us and she said, ‘Are you guys from Magshimim, that cool cyber program?’” Gutman recalled.) To care deeply, passionately about security, I realize as I speak with the Magshimim students, it helps to feel truly, immediately threatened.

The post Do Israeli Teens Offer a Solution to Silicon Valley’s Pipeline Problem? appeared first on Zócalo Public Square.