Until Americans get more serious about cybersecurity, the United States remains extraordinarily vulnerable to attacks from enemy nations–and even individual hackers–on our electric grid, hospitals, infrastructure, and companies large and small.
That was the sobering takeaway from the War Games: From Battlefield to Ballot Box panel of experts at South by Southwest Friday.
Representatives from the federal government, security firms, and private investors painted a bleak picture of the current state of our digital safety considering hackers’ increased ferocity in recent years.
“When I first got into cyber, it was a game for nation-states,” says Robert Johnston, the CEO of Adlumin, and the cyber sleuth who detected the Russian hacking of the Democratic National Committee. “Only nation-states would play at this level… The barriers to entry were so high, the knowledge you needed was so high. In today’s day and age, that’s not the case.”
Today, says the former Marine, who also led efforts to counter Russian cyberattacks against the U.S. Joint Chiefs of Staff, software has made it easy for even the smallest countries, or even private hackers, to carry out dangerous attacks.
Software has made it so easy, says Ann Cox, a program manager in the Department of Homeland Security’s Cyber Security Division, that bad actors can easily and cheaply buy tools with relatively simple graphical interfaces on the Dark Web. “Anyone who has an interest in doing malicious things, there’s a very low barrier to entry,” Cox says. It’ll cost “only a few hundred dollars.”
And while we might worry about the impacts of things like Russian hacks on national institutions, Cox says even these small hackers are now regularly carrying out coordinated shutdowns of things like 911 call centers by overwhelming them with phone calls.
A major bottleneck in efforts to thwart cyberattacks is complacency. While many companies and people may know the precautions they should implement to protect their systems, few do. Things as basic as regularly updating operating systems, using antivirus software, and two-factor authentication are not being done.
Even if everyone used best practices, it would still leave us vulnerable to between 10% and 20% of attacks, say Cox, and that’s a big reason few have foreseen the scale of the kinds of intrusions that have taken place, the rate at which they’re expanding.
To illustrate just how much worse things are, she detailed how in 2015 her agency launched a program to fight against distributed denial of service attacks and set a goal of being able to handle anything up to a 1,000 TB/second attack against a mid-size company. The program manager in charge of the effort got grief, she said, because few imagined such an attack was possible.
But a year later, the Mirai Botnet brought networks down across the U.S. by exceeding that level, and just within the last three weeks, she says, there have been two attacks that set records for scale. “Because of the way malware is evolving,” Cox says, “if they hit 2 TB/second, or 3 TB/second, we really don’t have a way to protect against that.”
And, we should be prepared for that to happen in the next two to three years, she adds.
While it seems like there are potentially insurmountable technical issues now, a bigger problem may be that a country like the United States has few viable deterrents to keep belligerents from hacking into our systems. Johnston pointed out that when it comes to the nuclear race, we’ve always relied on the concept of mutually-assured-destruction to avoid catastrophe. And in conventional warfare, few countries can withstand American military might that is capable of parking multiple carrier groups off an enemy shore in 18 hours.
But in cyberwarfare, the playing field levels out quick. “At any given time,” Johnston says, “any country can launch” a cyberattack. And while the U.S. certainly can mount its own, there is little we can do to prevent retaliation that’s as bad, or even worse.
He says that economic sanctions and diplomacy have proven to be the most effective deterrents, but that they’re only successful some of the time–when there’s relative economic parity between nations, such as Obama’s efforts to rein in Chinese hacking.
Such efforts won’t work with every country, Johnston says. For example, we’ve already had sanctions in place against North Korea for decades and that country continues its sub rosa cyberwarfare.
Americans probably need to accept that we’re in for a rough future, warns Johnston. He points to Russia, which has not been deterred from cyberattacking the U.S. despite past sanctions and the threat of new ones that President Donald Trump never implemented.
Russia has too many ways to retaliate against U.S. counterpunches—such as shutting off natural gas supplies. “You can’t pick on a big boy on the block,” Johnston says. “You have to find another way.”