The Washington Post, in a December 9, 2016 article “Secret CIA assessment says Russia was trying to help Trump win White House” by Adam Entous, Ellen Nakashima and Greg Miller, leaked a CIA report claiming that the Russians had manipulated the U.S. election by hacking into both Democratic and Republican databases and choosing to leak only emails of Democrats while maintaining the secrecy of Republican emails. If these assertions prove to be true, could this be the tipping-point event that experts said would be needed for government to get its cybersecurity act together? I would hope so, but I don’t think that it will be the case.
At a February 23, 2010 hearing (Cybersecurity: Next Steps to Protect Our Critical Infrastructure) of the U.S. Senate Committee on Commerce, Science, and Transportation (which I referenced in my March 29, 2010 BlogInfoSec column “Cybergeddon … Ho Hum”), Vice Admiral Michael McConnell, former Director of the National Security Agency (1992-1996) and Director of National Intelligence (2007-2009), made several very interesting statements as follows:
“If we were in a cyberwar today, the United States would lose.”
“We’re the most vulnerable. We’re the most connected. We have the most to lose.”
and, famously, that the risks from cyberattacks will not be mitigated until there is more active government involvement and that involvement will not be forthcoming until a “catastrophic event” happens.
There have been many egregious attacks, perhaps among the most distressing being the theft of the data records of some 21.5 million individuals from the U.S. government’s Office of Personnel Management, which is the custodian of personal data from those seeking and obtaining government security clearances. Yet these attacks have not prompted the kind of response needed to effectively shore up the numerous weak and vulnerable systems and networks that populate practically all organizations in both the public and private domains.
Why don’t I think that the alleged tampering with the U.S. election system by a hostile nation state will generate the kind of response that it deserves? It is because, first, it would require huge investments, easily in the high hundreds of billions of dollars, and possibly in the trillions. Second, the political will to take on such a gargantuan task is not there … not in the U.S. and not anywhere else. And, third, it would require the cooperation and financial commitment of each and every nation, and you know that that isn’t going to happen. It did materialize for Y2K, but that was a relatively easy-to-define problem and expenditures were estimated to be “only” of the order of $300 billion, and everyone recognized the potential for disastrous consequences were the relatively simple mitigation steps not taken.
Today we have a much more complex and extensive set of issues to deal with than with Y2K. It is no longer a matter of a known deficiency that was relatively easy to identify and fix. Overarching cybersecurity is huge, difficult to determine and analyze, and much, much harder to remediate … if indeed it would be possible.
So, what’s going to be? Chances are that “unanticipated catastrophic events,” or “black swans,” as Nassim Nicholas Taleb calls them in his books of the same name, will occur with increasing intensity, frequency, scope and consequences, and still no person or body will lead a concerted effort to mitigate the cybersecurity risks that enable such disasters. The direct and consequential impact of these events may eventually outweigh the benefits gleaned from the technologies that facilitate them. But by then it could be too late to fix. We are already seeing many of the consequences of our failure to secure our systems and networks. But, fasten your seat belts, because we ain’t seen nothing yet!