The Paradox of Technological Vulnerabilities: Anyone Can Use Them

Two document releases this week, the report of the US Defence Science Board’s Task Force on Cyber Deterrence and the Wikileaks ‘Vault 7’ release, demonstrate severe US digital vulnerabilities to malicious attack. The Defence Science Board paints a bleak picture of US readiness to deter extensive cyber attacks, while the Wikileaks documents provide evidence that the CIA were deliberately maintaining security weaknesses in digital platforms for their own purposes, even when those same vulnerabilities could facilitate access to adversaries.

Task Force on Cyber Deterrence

The February 2017 report of the Defense Science Board (DSB) Task Force on Cyber Deterrence, part of the US Department of Defense, assesses existing digital vulnerabilities in the US civilian and military infrastructure. These exist because of the degree to which our society has evolved an extensive dependency upon computerised tools, permeating every corner of modern life: from the flow of electricity, financial transactions, and traffic, to the management of our hospitals and government. This has created a technological paradox, that can both improve our lives and expose us to new threats, disruption and dominance from powerful or malign actors.

A serious attack on civilian digital infrastructure can both cause chaos and millions of dollars in damage: consider the Iranian DDOS attack on Wall Street in 2013 or the Chinese hacking and theft of intellectual property from US industry in 2016. Further, all states are either developing or importing extensive digital capabilities for military purposes. Yet these technologies can be a double-edged sword: technological superiority may give a state strategic or tactical advantages, but if states are over reliant on these technologies and they are found to be vulnerable, relative advantage might quickly change. For example, the Chinese theft of sensitive information detailing the long-awaited F-35 may have damaged the US technical edge. This raises disruptive questions about the weight and effect of the US’ conventional and nuclear deterrence postures.

The DSB report concludes the US and its allies are at constant risk of a major cyber attack, with far-reaching and long-lasting impacts on both civilian and military infrastructure, and identifies steps that could be taken to regain control in the next decade. These proposals are meant to attain parity with other nations and maybe gain initiative in possible upcoming scenarios:

1. Plan and Conduct Tailored Deterrence Campaigns: to determine an ‘appropriate response’ to possible future attacks on US data and infrastructure, which will vary depending on the attacker and their targets.

2. Create a Cyber-Resilient ‘Thin Line’ of Key U.S. Strike Systems: to create a second line of cyber resilient US military forces in the very near future. This force can be used to respond to any cyber attack without being paralyzed by any form of interference coming from a cyber first-strike by an advanced cyber actor. This would ensure that the US would keep a military response capability regardless of the situation.

3. Enhance Foundational Capabilities: to increase the general cyber resilience of US military forces and critical infrastructure (civilian or military), and develop new technologies to allow the US to regain initiative in the cyber realm. This is a long-term plan and as the authors note, it will take at least ten years to enact the necessary changes.

It is in the nature of defence departments to describe their challenges in stark terms, and request a greater budget to manage them. However, in the author’s view, the basic nature of these proposals indicate a general state of unreadiness of the current US military forces and infrastructure. This lack of preparedness is evident in the DSB’s need to propose defining different kinds of attacks and appropriate responses; in the reactive, stop-gap nature of the second measure; and in the implicit acceptance in the final proposal that the US is in a state of damage control rather than initiative.

Cyber warfare seems to be shaping up to be a new kind of cold war, in which nuclear deterrents are complemented or countered by cyber deterrents that limit the ability of states to step out of line without risking a major interstate cyber attacks. Our reliance on technology affects every aspect of modern life, and although (primarily bilateral) steps have been made towards cyber agreements, one is left to wonder whether – in spite of the difficulty of enforcement – there shouldn’t be a greater push for multilateral agreements limiting the use and development of cyber weapons.

Vault 7

The Wikileaks assessment of the documents it released this week claims that the CIA, against explicit Presidential orders intended to reduce the vulnerability of US citizens and organisations to attack, has not been reporting to manufacturers digital vulnerabilities it has discovered within critical civilian systems (such as iOS, Windows, Linux, and Android), the Internet of Things, and vehicle control systems. The purpose appears to have been to facilitate its own exploitation of these vulnerabilities for espionage activities, but the effect has been to leave these essential systems vulnerable to anyone who might discover the same vulnerabilities.

For instance, the vehicle control system vulnerability would allow hackers to take control of essential systems controlled by the vehicle’s computer (from fuel regulation, to steering, and brakes), with obvious implications to the safety of the people involved.

Wikileaks also claims that the CIA has ‘lost control’ of all of its hacking tools, meaning that states with advanced cyber and espionage programmes may be able to add them to their arsenals in addition to those they have developed themselves. This breach in protocol and security may have huge and lasting implications for the digital balance of power.

Conclusion

These reports raise major doubts about the security of the digital realm when it comes to ensuring security, including where they intersect with nuclear forces, which are just as dependent upon computers as civil infrastructure. Although much of the US nuclear command and control system is independent of the web, and some still dependent on floppy disk, Stuxnet and other cyber attacks have conclusively shown that ‘air gapping’ is a security myth.

Where does that leave nuclear deterrence and strategic stability, if the digital systems that control nuclear weapons cannot be positively trusted? BASIC’s initial primer on Trident vulnerabilities last year highlighted a number of important concerns, and the organisation expects to be publishing a more detailed report in the near future outlining the cyber threat to SLBMs. Clearly, it does not pay to overstate the problem. However, the level of complacency up to now could severely damage national security capabilities. Ultimately, if one cannot be sure these systems will remain uncompromised up until and including the point of use, the whole point of their deployment comes under question.