Since the early days of the public internet, those of us lucky enough to have witnessed its growth and evolution have known that it would one day likely become an avenue for both great innovation and great potential disruption. With everything from smart coffee machines to personal health records connected online, the ability to cause disruption via remote access is no longer just a possibility, but an inevitability — one constantly being used for good and bad.
While many private organizations are doing their best to coordinate their cybersecurity efforts around alerting and threat mitigation to help control cyber attacks, typical capitalist-based economies rarely make cybersecurity a top priority without financial or legal incentives. This fact is what has driven the birth of GDPR, The California Consumer Privacy Act of 2018, U.S. Cyber Command and the new (unnamed) U.K. Cyber Defense Force.
The first two are laws that criminalize data breaches, forcing organizations to put cybersecurity best-practices in place, which helps stabilize the market. The second two are government organizations designed to treat cybersecurity as a new field of war.
“Good” of government-driven protection
In late September, the U.K. announced that the Ministry of Defense (MoD) and the Government Communications Headquarters (GCHQ) would be working together to create a joint Cyber Defense Force. It’s expected to be a 2,000-person organization staffed with military, government civilian, and private industry experts trained to counter the ongoing cyber threat posed by organizations such as ISIS, and countries like Russia and Iran.
These nation states use the internet as both a communication medium and as a distribution channel for misinformation campaigns. Unchecked, the efforts result in events like Russia’s interference in the 2016 U.S. presidential election. This is why many view government cyber units as necessary and good.
Beyond their core mission, here are a few ways these organizations’ efforts can have a positive effect on the society:
- These organizations bring cybersecurity to the forefront, forcing the general population to realize the enormity of the internet and its potential for both good and bad. The more organizations we have applying cybersecurity to their market or mission, the more innovation the rest of the world can take advantage of.
- Military organizations don’t do anything without extensive training. One of the issues the worldwide cybersecurity industry faces is a manpower shortage that is precipitated by a lack of organized and widely accepted training programs. The military will spend increasing amounts of time and money on contracting the development of a training program. Private industry can both directly and indirectly take advantage of this development. Directly, employers can take government training certificates as qualifications for sought after positions. Indirectly, private companies can take advantage of the quality of military training programs and replicate ready-to-teach programs that fulfill today’s needs.
- Government work tends to be stable work. Even in this age of cyber-everything, a cybersecurity job is only as stable as the company an individual works for. Bureaucracy aside, this means longer careers and steady opportunity for government security employees to make a meaningful impact on cybersecurity for their country and the world.
Before we dive into the issues with government cyber units, it’s important to understand what it takes for these organizations to accomplish their goals. The U.S. Military Joint Publication 3-13 defines cyber warfare (a.k.a. Computer Network Attack, or CNA) as “actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks…” and cyber intelligence gathering (a.k.a. Computer Network Exploitation, or CNE) as “intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.”
The success of these actions is wholly predicated on having access to the target’s computer or network. That access is accomplished, mostly, via tools called exploits that take advantage of software vulnerabilities. This might be a bit of an oversimplification, but instead of diving too deep into the technical aspects here, let’s concentrate on these exploit tools.
“Bad” of government-driven protection
In order to succeed, these cyber intelligence and warfare organizations must maintain a stockpile of usable exploits to gain access to their targets’ computers. The more types of exploits a cyber organization has on hand, the higher the likelihood of success. In most cases, an exploit is only good as long as the vulnerability it exploits remains un-patched. Were the public privy to such a vulnerability, it would be patched immediately, making the exploit unusable.
This inherently means that in order for an exploit to stay viable for use by a cyber organization, it must keep it secret.
Although the practice of stockpiling exploitation tools is pretty much a necessity for effective government cyber organizations, it does present a significant moral quandary. Here’s the problem: Every vulnerability discovered and used by a cyber organization could just as easily be discovered by another nation’s cyber organization or by cyber criminals.
Needless to say, keeping these vulnerabilities secret can put both public and private organizations at risk. Take EternalBlue, for example. This was an exploit developed by the NSA and disclosed by the Shadow Brokers in April, 2017. It exploits a vulnerability in the SMB protocol as implemented by Microsoft. Despite Microsoft’s best efforts, releasing a patch in March, 2017, this exploit was used in a worldwide ransomware campaign commonly referred to as WannaCry. Europol estimates that more than 200,000 computers across 150 countries were infected.
The rate at which private companies all over the world have fallen victim to cyber intrusions has led to millions of dollars in lost revenue. Some would say these secret exploits are a necessary evil, and well worth the risk. And there are those who’d argue otherwise. Quite the moral quandary indeed, as the government organizations both want to stockpile these exploits, but also want to protect organizations within their borders from external cyber attacks.
“Bureaucracy” of government-driven protection
Nothing comes for free — or quickly — in the world of government. While it’s good to hear that the U.K. is working towards unifying its military cyber operations, it would be faulty to think that we’ll see an immediate impact.
Starting a new government organization is a long and arduous process involving endless meetings, documentations and approvals. In these early days, a short-term agreement probably exists that allows for military personnel assigned to GCHQ to work on specific projects assigned to the fledgling Cyber Force. These will likely be related to the above-stated efforts against ISIS, Russia and Iran. Aside from resources assigned to a few specific missions, the defense apparatus will go into full planning mode.
Cybersecurity experts will get together with Ministry of Defense and GCHQ officials to start working out the roles and responsibilities and mission of this new organization. Personnel with the required experience have never been in high availability, so both the MoD and GCHQ will probably reassign a number of individuals to start the organization.
A massive wave of hiring and training will occur over the next two years to bring the organization up to speed and strength. During that time the military chain of command will find more and more missions to assign to the young organization until sometime in the next several years when it reaches full operational capability.
Even then, there’s a long, drawn out process of review by the chain of command and approvals from generals and possibly the Prime Minister before operations are approved. Simply put, just as with any other government organization, there will be no shortage of bureaucracy in these government cyber units.
So, what’s the verdict?
The world is becoming more and more digitized, and the only way to maintain our superiority on the world stage is to maintain a skilled workforce in cyber intelligence and warfare. That said, the cost to the private sector needs to be weighed against the upside of governments stockpiling exploits, and better understood.
While I personally believe in the necessary evil that is stockpiling exploits, there has to be some middle ground that can be reached: some way for the general public to start a dialog about this practice and put pressure on governments to be accountable. Considering the relative youth of the internet and these cyber organizations, time will decide their efficacy in the public’s eye.