Last week Director of National Intelligence James Clapper released the 2015 Worldwide Threat Assessment of the US Intelligence Community and testified about it before the Senate Armed Services Committee. “Cyber” tops the list of “global threats” again this year. As others have noted (see here and here), the Assessment and DNI Clapper’s opening statement contained a number of reveals, including attributing the 2014 attack on the Las Vegas Sands Corporation to Iran and announcing that “the Russian cyber threat is more severe than we’ve previously assessed.” I want to focus in this post on a few additional issues raised by the Assessment: its effort to shift the debate on the nature of cyber risk; its emphasis on threats to integrity of information; and its repeated references to private parties as actors in national cyber strategy.
1. Changing the Debate on the Nature of Cyber Risk: The Assessment downplays the idea of a “Cyber Armageddon” (aka “Cyber Pearl Harbor,” aka “Cyber 9/11”), characterizing the “likelihood of a catastrophic attack from any particular actor” as “remote at this time.” Instead, it emphasizes the costs from “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”
The choice to recharacterize the nature of the threat to the United States lays the groundwork for the Assessment’s treatment of cyber risk. The Assessment states, “the cyber threat cannot be eliminated; rather, cyber risk must be managed.” This manage-but-not-eliminate strategy depends on the recharacterization of the nature of the threat. It seems implausible that the DNI would articulate a goal of only managing the risk of a “Cyber Armageddon,” but by discounting that risk and redefining cyber risk as “ongoing . . . low-to-moderate level cyber attacks,” the intelligence community has shifted the nature of the threat into something that can be managed and need not be eliminated.
2. Threats to “Integrity of Information”: The Assessment also tries to shift public debate in another way, namely by highlighting threats to data integrity. It explains:
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information, . . . In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
In this instance, past may be prologue, as incidents impacting data integrity have already occurred and effectively impaired decisionmaking. One prominent example is the Stuxnet worm, which was designed to report normal operation of Iranian nuclear centrifuges, even as the centrifuges malfunctioned. As David Sanger reported in 2012:
[T]he code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.
Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.
“The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said.
Future data integrity incidents may prove not just more common, as the Assessment suggests, but also more intractable. The data integrity compromise with respect to Stuxnet at least involved items in the real world; having someone watching bank accounts to “radio back” in response to a data integrity issue would be even less effective.
3. Role of Private Parties in National Strategy: The Assessment makes surprisingly frequent references to the private sector—not as a victim of cyber attacks but as a participant in investigation and attribution. In a post last fall (available here), I highlighted the role of “private intelligence-gathering” on cybersecurity, and the Assessment seems to take the role a step further, incorporating private parties’ actions into the national strategy on cybersecurity. The Assessment states (with emphases added):
- “A growing number of computer forensic studies by industry experts strongly suggest that several nations—including Iran and North Korea—have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives, at times concurrent with political crises.” (p. 1).
- “Governmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions.” (p. 2).
- “In December 2014 computer security experts reported that members of an Iranian organization were responsible for computer operations targeting US military, transportation, public utility, and other critical infrastructure networks.” (p. 2).
- “[U]nspecified Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from the vendors’ websites along with routine software updates, according to private sector cyber security experts.” (p. 3).
- “The ‘advanced persistent threat’ activities [from China] continue despite detailed private sector reports, public indictments, and US demarches.” (p. 3).
Some of these references to private sector reports may be an effort to write around classified information. For example, the reference to computer security experts attributing attacks to “an Iranian organization” in December 2014 does not necessarily indicate that the government hasn’t made the same attribution. It may simply show that the government prefers not to reveal its sources, methods, or capabilities for attribution.
However, other references, particularly the statement about the threat from China continuing “despite detailed private sector reports, public indictments, and US demarches,” are qualitatively different. They situate private sector actions within a broader—otherwise governmental—strategy, and provide some perspective on the complicated public-private nature of the national approach to addressing cybersecurity threats.