As the under secretary responsible for U.S. cybersecurity at the Department of Homeland Security during the Obama administration, Suzanne Spaulding was watching out for signs of vote tampering or disruptions on Nov. 8, 2016, as citizens cast their ballots for the presidential candidate of their choice. On that Election Day, the agency was on heightened alert based on reports that Russian operatives had infiltrated voter registration databases in more than 20 states.
Local elections offices make up just one part of the critical U.S. infrastructure that Spaulding monitored as a government official, and she’s still watching over them now that she’s no longer in government. Now a senior adviser for homeland security at the Center for Strategic and International Studies (CSIS), a Washington, D.C.-based think tank, Spaulding and other cybersecurity experts mulled over the complexities of nation-state cyberattacks at a session of the RSA Conference this week in San Francisco.
Under what scenarios would an attack be defined as an act of war? That question, pondered by the RSA panel, would be easy to answer if foreign soldiers landed in Manhattan and laid siege to a big investment bank like Goldman Sachs. But what if Iranian hackers in Tehran brought down the bank’s computers? Would the U.S. Department of Defense be expected to repel the invaders?
Spaulding is among the experts thinking through these questions as the nation grapples with the fact that Russian operatives, according to U.S. intelligence agencies, have already hacked into the American power grid and interfered with the democratic election process in 2016. As the 2018 mid-term elections approach, she says, we shouldn’t be thinking only about the threats and vulnerabilities that face us in the future. We should be preparing now to deal with the damage if and when a foreign adversary executes a fateful cyber breach, such as bringing down a power plant or disrupting polling places, Spaulding told Xconomy in an interview.
“We’re not spending nearly enough time to understand the consequences to business, the community, and public health and safety—and how we can mitigate these consequences,” Spaulding says.
Cybersecurity and defense of democracy
Innovations by cybersecurity companies play a critical role in this era of international cyber hostilities that fall short of declared war, by helping businesses safeguard their data, their manufacturing processes, and their physical plants, Spaulding says.
One big current area of concern—and an opportunity for cybersecurity innovation—is ensuring the integrity of manufacturing supply chains, Spaulding says. The U.S. government has placed increasingly strict curbs on imports of equipment from the Chinese telecom companies Huawei and ZTE, partially due to concerns that their components could contain spyware. But the moves hurt their global trading partners, such as Qualcomm (NASDAQ: [[ticker:QCOM]]) and Apple (NASDAQ: [[ticker:AAPL]]).
“Banning anything from China or Russia is probably not going to be a sustainable policy,” Spaulding says. Tech innovation might solve the problem by providing tools to scan electronic components and detect weak points that could be misused, she says.
Cybersecurity companies have already made valuable advances, such as measures to search broadly for network activity that bears the general attributes of a malicious attack, rather than merely scanning for the known signatures of previously detected hackers, Spaulding says. “This raises the bar against something never seen before,” she says.
Security firms have also invented more sophisticated, technology-based ways to thwart the many attacks that start when hackers induce an unsuspecting employee to click on a link—a ploy called spear-phishing.
“Training employees, while admirable, is not going to solve that problem,” Spaulding says. But every technological defense eventually fails as cybercriminals devise ways to defeat it, she says. “It’s always a cat and mouse game.”
Spaulding is the principal author of a February report issued by the Center for Strategic and International Studies, which sums up the conclusions of a group of experts convened by the think tank. The report, “Countering Adversary Threats to Democratic Institutions,” calls for a national strategy to defend the United States from threats to its democracy by Russian operatives and other enemies. The report envisions a role not only for the Defense Department and other federal government agencies, but also for participation by local public agencies, technology companies, media organizations, schools, and other elements of civil society.
Cybersecurity for all these entities is a key element of the plan, not only to protect infrastructure, but also to prevent an erosion of public faith in democratic institutions, the report holds. Part of the Russian strategy is to hack into the accounts of trusted institutions, extract e-mails or other materials that might be embarrassing, and spread them via social media as alleged examples of corruption among officeholders and other influential figures such as news reporters, according to Spaulding’s report.
Spaulding, who holds a law degree, says she is working on educating judges and other court personnel about this danger as her particular focus. She also spends a lot of time talking to corporate boards to encourage them to formulate emergency response plans so their companies can keep operating and serving the public safely if a foreign adversary’s cyberattack disrupts essential services or utilities.
What technology can’t do
When it comes to recovering from the consequences of a severe attack, Spaulding says, sometimes the best solutions come from simple tools and skills that date back to a bygone era. “It may not be that whiz-bang technology solution. It may be a hand crank,” Spaulding says.
When a cyberattack sidelined a power plant in Ukraine, Spaulding recalls, workers who understood the plant’s layout of machinery manually re-set the breakers that had been tripped by hackers. She’s an advocate of such “physical redundancy” to backstop the processes we’ve entrusted to automation, connectivity, and data analysis.
Technology itself, such as social media networks and automated bot accounts, made it possible for Russian operatives to amplify the power of their election influence campaign in 2016, Spaulding notes in her report for CSIS. She and her fellow experts agreed that emerging technologies—in the form of vastly increasing computational power—will put even greater weapons in the hands of cyberattackers hostile to democracy.
“Of note, improvements in artificial intelligence (AI) and human emulation will allow malicious actors to share (dis)information with increasing speed and scope while raising the difficulty of distinguishing bots from real people unless countervailing technologies are developed,” the experts’ group concluded in the CSIS report. “Perhaps even more concerning, participants noted the development of technology capable of generating highly realistic audio and video files, further compounding the difficulty for the public to differentiate between real and fake sources.”
Continued innovation allows people to take advantage of the tremendous benefits of a networked world, Spaulding says. “But we need to be realistic about how dependent we can become on it.”
