As a national correspondent covering intelligence and national security for The Daily Beast, Shane Harris spends a lot of time immersed in the world of cybersecurity. In his presentation at the 2015 CyberCrime Symposium, “The Internet is a Battlefield,” he took attendees through a sequence of events that built, brick by brick, revelation upon revelation, U.S. understanding of cybersecurity as a top national security issue.
”It’s very much top of mind for our national security officials, including the Commander in Chief,” Harris said. In 2015, “cyber” again topped the list of global threats issued by worldwide intelligence community, just as it did the two years prior.
What’s remarkable, said Harris, is that the entire cybersecurity conversation is out on the table. “We’ve arrived at this signal moment where discussions of this type no longer happen in the basement of some agency,” said Harris.
Indeed, officials speak frankly about Internet threats in high-profile settings—something unimaginable 10 years ago, according to Harris. Consider Navy Admiral Mike Rogers, US commander of the Cyber Command and NSA Director, telling Congress that the risk of a catastrophic attack on the national infrastructure “is not theoretical.” Or James Comey, FBI director, calling cyber-attacks "the most significant national security threat of the next decade.”
What got us to this point? Contributing were two very high-profile attacks—the first on Sony Pictures, and more recently, the one targeting the Office of Personnel Management (OPM). These events forced the military, intelligence community, and the Administration to start viewing cyberspace as a strategic national asset. They became signal moments in a series of smaller but no less significant events, which Harris discussed in a condensed timeline culled from material he covers in @War: the Rise of the Military-Internet Complex.In 2007, Director of National Intelligence Mike McConnell gets executive buy-in at the highest level. McConnell, former director of the NSA, returned to public office after a stint in the private sector to accept the DNI job. A key factor in his decision was the platform he’d have to position cybersecurity as a national priority. In an Oval Office meeting with President Bush and other top advisors, he didn’t pull punches. Using 9/11 as a reference point, he outlined a scenario where, instead of pilots in airplanes, hackers on computers breach a stock exchange or major financial institution, deleting databases or freely manipulating data. Henry Paulson, then Treasury Secretary, confirmed for Bush that this was not only possible, but that the U.S. had no disaster recovery plan that would come close to addressing it. They did, however, now have the president’s buy-in.
Later in 2007, CEOs from top defense contractors are called to the Pentagon. In a threat briefing, they were informed that hackers have successfully infiltrated not government networks, but their own networks, exfiltrating reams of classified information on US military aircraft, weapons systems, and programs. The upshot: Pentagon officials said they’d all have to share cybersecurity information to have any chance of mounting a defense. The result, said Harris, was a rudimentary system for bi-lateral information sharing between the public and private sectors.
This, said Harris, “was the emergence of what I call the Military-Internet Complex, a rare and even unprecedented event in American history, where the government agrees to share the fruits of espionage with private industry so it can protect itself, and thereby, protect the Internet as a strategic asset.”
In 2009, Obama gives a speech that leaves no doubt that Internet security will be treated as a highest-priority issue. He unequivocally stated that this “national asset” would be protected by both public and private sectors. Harris said this solidified the notion of cyberspace as the “fifth domain of warfare”—a strategic plane, like land, sea, airspace and outer-space, where adversaries fight to gain advantage.
In 2010, NSA drafts a “cooperative research and development agreement” so it can start working with Google. The still classified project involves information-sharing practices.
In 2011, the NSA brings ISPs and telecoms in the fold. The agency shared its threat signatures, so providers could program them into their systems to protect customers.
In 2014, Sony Pictures is hacked, setting the stage for national security policy to advance. The attack wreaked havoc on networks, systems, and reputations, and North Korea was the primary suspect. Obama referred to the breach not as an attack on a major U.S. company, but one on actual American values, and promised that a response would be forthcoming. Harris said the US did conduct targeted hack-backs on components of North Korean networks, but more as a show of strength than to inflict harm.
In 2015, the White House unveiled sanctions designed to punish anyone engaging in economic espionage against US targets. Again, said Harris, the announcement felt decidedly strategic, a slow flexing of the fist showing the country’s willingness to retaliate.
In June 2015, hackers penetrate the OPM’s network. “It was an astonishingly huge hack, but it didn’t necessarily fall in the economic espionage category, and it's the kind of activity the U.S. also engages in,” said Harris. The brazen nature and size of the attack, however, had the media holding its breath as to whether sanctions would follow.
In September 2015, a senior Chinese official travels to Washington for four days of meetings with law enforcement, intelligence and defense officials. Two weeks later, following talks between President Obama and Chinese President Xi at the White House, they agree that their respective countries will not conduct economic espionage in cyberspace.
Harris called this a significant moment in cybersecurity policy, as it illustrated U.S. willingness to “apply diplomatic and economic foreign policy pressure against their adversaries in cyberspace.” How government and business leaders proceed going forward will have enormous implications, as, according to Harris, “the response to cyber-threats promises to change the shape of cyberspace more than the threats themselves do.”
This is the 3rd in our series on key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. In this week’s spotlight is “The Internet is a Battlefield,” presented by Shane Harris, senior correspondent at The Daily Beast and author of 2014’s @War: the Rise of the Military-Internet Complex. In case you missed Sage’s sold-out event, “Collaboration & Information-Sharing,” check-in weekly for the latest installment featuring insight from select presentations.