By Tim Marshall.
The US government says the cyber attack on government computers, revealed this week, is part of an “ever evolving threat” by a “dedicated adversary”.
The personal records of four million employees are now in the hands of the hacker, which was, according to the US, China, an accusation Beijing denies.
America’s cyber security, at national government level, is overseen by the National Security Agency (NSA), which is part of the Dept of Defense (DOD).
Despite the impressive budgets, the formidable technology, and the brilliance of many IT specialists within the DOD, the breach of security, and others over the past few years, is not a surprise.
A DOD Cyber Strategy report published this spring underlined the efforts being made to keep the USA safe, but there was no hiding the weak spots in the defence.
The report nods at the truth that the roots of that weakness lie in the country’s strengths – which are, despite all of the criticism about ‘snooping’, and ‘intrusion’, and some of the troubling measures it has taken, that the USA remains a democracy and the government is bound by the law.
Because it is a relatively open society, the US government’s share of American cyber space is roughly ten percent. That leaves 90% of the ones and zeroes in the commercial sector, much of which cannot devote the resources to defence that the DOD is capable of. Therefore a hostile entity is partially pushing at an open door. Getting into the Americans system is easy, and once inside it is more difficult for the state to check who is where, and doing what, than it is in a dictatorship.
In 2011, as preemptive legal warning, the USA declared that cyber attacks constitute an act of war. Therefore legal action against individuals could be taken, economic sanctions could be imposed against states, and even military action could be justified, all underpinned by American, if not international, law.
But those threats are for acting after the event.
Cyber criminals, and states engaged in cyber warfare, act on the principle that the greatest crime is being caught and so devote considerable effort to hiding their tracks, at the least to the extent of being able to claim ‘plausible deniability’ in public.
Conversely, many non democratic states, have an inherent advantage in their own computer systems when the USA seeks to spy on, or attack them. In countries such as Iran, China, and North Korea, all Internet entry points and internal routes are controlled by the state. At the legal level, the Chinese government would find it laughable if told it would have genuinely to go through the courts to access a private company’s data, or close down a network. The Iranian media would never be allowed to publish leaks of classified information highlighting weaknesses or giving away state secrets, such as the West suffered with the Snowden affair. Given the constraints on America, and the secrecy of many of its enemies, cyber warfare is for now a relatively level playing field. The Americans have the technology and the budgets, while the Chinese, for example, have the sheer numbers of people required to operate a massive world wide hacking strategy, and are unencumbered by legal restraints.
The point of hacking America is far from only accessing government financial, political, and military systems. A hostile entity might seek to close down the electric grid of a city, disrupt water supply, tap into the telephone system, or take over a national TV network. Although they may be non governmental institutions, some still fall into the category of ‘critical infrastructure, and therefore it is the duty of the state to take an interest in their security. To do this the Pentagon has been involved in an ‘outreach programme’ with the commercial sector for many years. As the 2015 review states “The Defense Department will implement successful private sector exchange programs to bring measurable benefits to the Department of Defense…” The British intelligence services also now ‘reach out’ to private business hoping to co-operate on cyber defence, although not necessarily using exchange programs.
In the non democracies the state simply tells the commercial centre what to do. The USA’s cyber defence (and attack) is hamstrung by legal requirements. The US physical war machine is unparalled, no country is close to matching its prowess, but in cyber space it is a long way from being the clear dominant power.
*Next week Dr Moores, quoted in this article, is chairing the first ecrime congress to be held in China.