After the G20 summit, President Trump tweeted he’d like to form “an impenetrable Cyber Security unit” with the Russians. Commentators and Senators were quick to point out this was a stupid idea. I’d like to dig into why this is such a monumentally stupid plan.
Before I go into the reasons why this proposed unit is both naive and stupid, I’d like to look at Cyber Warfare. Because television and books often paint a very wrong picture of how this works.
One of the primary things you need to realize about cyber warfare is that there is no battlefield in the conventional sense. The media suggest hackers ‘penetrate’ defenses, ‘go into systems’, and can be blocked by ‘firewalls’. This all suggests a normal battleground: a physical space that has a fixed dimension and clear routes from A to B.
Surprise: the geography of the Internet is barely connected to actual geography.
When an IT specialist talks about firewalls, demilitarized zones, and attacks, they are aware that this is an oversimplification. As I’ve written before, everything on the internet is a second away from everything else, and internet connections are thrown at all your devices from all sides all the time. Cyber warfare is not about grabbing control of a virtual piece of real estate in a specific geographical place. My computer is as close to a hacker next door as to one in Florida.
Access is King
Geographical barriers mean relatively little in cyber warfare. Access is key. Hacking is about gaining access to information or functionality, or denying others that access. But that blade cuts both ways.
Trump’s tweet mentioned an ‘impenetrable’ cyber security unit. It’s very easy to make an impenetrable computer. Just remove its Wifi and Bluetooth cards and solder all access ports shut. It’s still fully functional but it has become completely impenetrable. It doesn’t have access to anything, though. In this day and age, you want to connect to things. You want access to other people’s stuff, but you don’t want other people to access your stuff.
Cyber warfare focuses on hackers gaining access to ‘enemy’ computers, and on blocking legitimate access. Ever since the invasion of Crimea, Ukraine has been under a constant barrage of cyber attacks. These are aimed at gaining entry to Ukrainian systems, but also at denying legitimate users access. The results can affect the real world when the system is something like the power grid.
Tools of the Trade
One of the popular myths about cyber warfare is that securing a computer is like locking a house. People can have their keys stolen, or somebody could force their way in, but then you could catch them. This sounds nice, but it is dangerous to think about it that way.
Like I wrote above, everything on the Internet is close by. Imagine if your house were located in the worst part of town. Wait, no, imagine it being located simultaneously in every worst part of every town on Earth. Suddenly, people forcing their way in sounds a lot more frightening.
You think you can see when somebody was inside? Nope. Even when you know what you’re looking for, signs of who was there and what they did are hard to find.
And guess what. You don’t have a key; you have a password. You know that annoying thing IT forces you to change every month, so now you just use the word ‘poop’ with the number of the month after it? Yes, that password is what separates you from the worst of the worst on the internet.
You have that in order? Good for you. Unfortunately, the person who built your house accidentally put the hinges of your door on the outside. Even without the password, a hacker can lift the entire door out.
I’m talking about exploits of course. The Wannacry worm that recently invaded a gazillion computers used a mistake in the Windows OS that Microsoft had overlooked.
The tools of cyber warfare are people’s passwords, personal data (which can be used to reset their passwords), and exploits.
Working with Russia
As I’ve already written above, Russia has stepped smack into the center of the cyber arena. But don’t worry, the US, China, and virtually every other country is also there. There are no Geneva conventions there and everything is close to everything else. What is happening now is equivalent to throwing troops from every country on Earth together in a large arena with all the civilians and saying ‘everything goes’.
Bottom line, the Internet is a jungle where the only rule is ‘if you have access or you can deny access, you win’. Then comes along a US President who says, ‘well, you know, let’s give the Russians access to our most sensitive stuff so we can keep it secure together’. This is the cyber equivalent of saying ‘let’s pool our nuclear launch codes so we can secure them better’.
Exploits are an important tool of cyber warfare. And those exploits work on all systems, not just those of your enemies. Keeping those exploits secret instead of patching them is one of the stupidest things government agencies currently do. Sharing them with foreign powers is the second stupidest.
It’s like keeping an Ebola vaccine secret so you can weaponize Ebola against your enemies. Yeah, you can do it, but chances are good it will backfire against your own people.
Wannacry is a perfect example of this. The NSA had known about the exploit for years when, a month ago, it infected FedEx and several hospitals in the UK, among others. Apparently the NSA protects things other than infrastructure and hospitals.
It’s a stupid idea to sit on exploits, especially with countries like Russia not holding back. Russia is actively using cyber warfare to leverage real-world power. There is no definitive proof that Russia is attacking Ukraine in cyberspace, nor is there a smoking gun that they tried to hack the US elections, but all signs point to them. They’ve also shown that they play for keeps, as in Crimea. You don’t want to give them access to anything if you can help it.
You can’t create an ‘impenetrable’ cyber security unit. And since access is the goal of cyber warfare, giving a foreign power access is like handing over your arsenal and asking them to play nice.
It would be so much better to work on patching as many of those exploits as possible. Don’t hoard backdoors; cement them shut to keep the enemy out. Segment your networks, update your routers, harden your critical infrastructure.
That’s how you win the cyber warfare game.
Currently, we’re losing. Badly.