2016 was a tumultuous year in cyber security. But there were three stories in particular that will likely have implications for events this year.
The first is Russia’s cyber influence campaign that helped Donald Trump win the 2016 US Presidential election. The Obama administration responded with targeted sanctions, the expulsion of 35 Russian embassy officials, and the denial of access to two Russian government-owned compounds on US soil. Additionally, the FBI and Department of Homeland Security released a Joint Analysis Report containing technical information intended to help network defenders identify and detect malicious Russian cyber activity.
But those actions were too little, too late, and the benefits to Putin—Trump’s election—vastly outweigh the costs that were imposed on Russia. Similarly, the initial technical information released to aid network defenders was described as worse than useless. The second report released last month was vastly more helpful. The US has since indicted a number of Russian hackers and their associates for criminal cyber activities.
Revealing this type of technical information will impose a real cost on Russian intelligence as they’ll have to retool to some degree. Such releases should form one element of a broader deterrence strategy, but it does come with costs to US intelligence. There’s a real risk of losing visibility of the cyber actors conducting these attacks, and it clearly took some time for the intelligence community to come to grips with publishing this further technical detail. But they need to be prepared to do this more regularly, with greater speed, and ideally in a way that maximises deterrence and minimises loss of capability.
But the broader question for 2017 is whether future cyber influence operations can be deterred. Have norms against cyber interference in democratic elections been established? Upcoming elections in France in April and Germany in September will be a litmus test. WikiLeaks, Russian intelligence’s preferred publisher, is already involved in the French election and has released material on Presidential candidates François Fillon, Emmanuel Macron, and Marine Le Pen, although it’s not yet clear that new or hacked material is being released. I expect we’ll see further Russian interference in these two elections, and that an earlier and more robust response is needed for successful deterrence.
The second significant cyber story of 2016 was the use of Internet of Things (IoT) botnets in Distributed Denial of Service (DDoS) attacks. First, let’s explain the jargon. IoT devices are everyday objects, like fridges, toasters and light bulbs, which have built-in internet connectivity. They often contain sensors and smarts that provide real and genuine conveniences, but if poorly secured such devices present a massive opportunity for malicious actors. A botnet is a collection of internet-connected devices that can be controlled to conduct various tasks, typically without the knowledge of the devices’ legitimate owners. And a DDoS attack is a technique to take down a website or online service by overwhelming it with junk traffic sent from many sources across the internet at once. The scale and distributed nature of these attacks (as seen with the Mirai botnet, which was built from compromised IP cameras, home routers and digital video recorders) make them hard to deal with, and if directed at the wrong infrastructure they would constitute a critical cyber threat.
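To make concrete why the distributed nature of a botnet attack is what makes it hard to deal with, here is an added illustration that is not part of the original article. It constructs two synthetic floods of equal size, one from a single host and one spread across a hypothetical 5,000-bot botnet, and runs both through the simplest defence a server operator might reach for: a per-source rate limit. All traffic, addresses and thresholds below are constructed for the example.

```python
# Added illustration (not from the original article): why the distributed
# nature of a botnet DDoS defeats the simplest defence, per-source rate
# limiting. All traffic below is constructed; the addresses are documentation
# or private ranges, not real hosts.
from collections import defaultdict, deque


def single_source_flood(n, ip="203.0.113.7"):
    """n requests in one second, all from one host (a classic single-source DoS)."""
    return [(i / n, ip) for i in range(n)]


def distributed_flood(n, bots):
    """The same n requests in one second, spread evenly over `bots` sources."""
    requests = []
    for i in range(n):
        b = i % bots
        # Synthetic bot address inside 10.0.0.0/8; one address per bot.
        ip = f"10.{(b >> 16) & 255}.{(b >> 8) & 255}.{b & 255}"
        requests.append((i / n, ip))
    return requests


def filter_by_source_rate(requests, limit_per_second):
    """Sliding-window limiter: admit at most `limit_per_second` requests from
    any one source within any one-second window. Returns (passed, blocked)."""
    window = defaultdict(deque)  # source ip -> timestamps admitted in the last second
    passed = blocked = 0
    for ts, ip in sorted(requests):
        recent = window[ip]
        # Expire admitted requests that are now more than a second old.
        while recent and ts - recent[0] >= 1.0:
            recent.popleft()
        if len(recent) >= limit_per_second:
            blocked += 1
        else:
            recent.append(ts)
            passed += 1
    return passed, blocked


def overwhelmed(passed, capacity_per_second):
    """True if the traffic that got past the filter still exceeds what the
    server can serve in a second."""
    return passed > capacity_per_second


if __name__ == "__main__":
    LIMIT, CAPACITY = 20, 1000  # assumed per-source limit and server capacity
    for name, traffic in [
        ("single source", single_source_flood(10_000)),
        ("5000-bot botnet", distributed_flood(10_000, bots=5000)),
    ]:
        passed, blocked = filter_by_source_rate(traffic, LIMIT)
        print(f"{name:16} passed={passed:6} blocked={blocked:6} "
              f"server overwhelmed={overwhelmed(passed, CAPACITY)}")
```

The single-source flood is stopped cold (20 requests pass, 9,980 are blocked), but the botnet sends only two requests per bot, so every one of its 10,000 requests looks innocuous to the limiter and the server is swamped anyway. Each bot is indistinguishable from a legitimate client, which is why effective mitigation has to happen upstream (absorbing or scrubbing the traffic) or by shrinking the pool of hijackable devices in the first place.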
The real significance of these large IoT botnets, however, is that they create vast overlap in the capabilities of state and non-state actors, and that gives rise to the potential for misattribution, misunderstandings between states, and escalation into state conflict. Individuals or small groups can generate powerful attacks that can be perceived as the work of a nation state. Bruce Schneier, a respected internet security commentator, has speculated that some DDoS attacks over the last year are the work of a nation state learning how to disrupt the internet. On the other hand, Brian Krebs, an internet security journalist, thinks that the Mirai botnet was the work of a single individual. Developing cyber norms will be very difficult if we (and other states) can’t definitively identify what is, and isn’t, state behaviour.
Reducing the risk from poorly secured IoT devices is a large collective action problem that will require effort from governments, ISPs, device manufacturers, internet governance organisations and other stakeholders. It’s a space where government leadership could contribute positively. The signs that I hope to see this year are:
- US or European regulation that encourages the production of secure IoT devices;
- device makers taking responsibility and issuing recalls for insecure devices;
- ISPs implementing standards that make DDoS attacks more difficult, such as source-address validation (BCP 38) to stop packets with forged source addresses leaving their networks; and
- security improvements in the protocols that underpin the internet.
I expect, however, that the threat of IoT botnets will get worse before it gets better, and that we’ll see many larger and more damaging DDoS attacks before the internet’s collective antibodies are roused to action.
And finally, the third significant story that will continue to unfold in 2017 was among the most underreported news of 2016: the success of the US–China agreement not to conduct economic cyber espionage, which Obama and Xi signed up to in September 2015. It appears that Chinese industrial hacking declined well before the formal meeting and announcement, so I expect that decline will be maintained.
What we should look for, however, is where that hacking activity went. It’s possible that Chinese state-sponsored cyber operators are now unemployed, in which case I’d expect an observable rise in Chinese cybercrime. But I suspect that they’ve simply been redeployed. Are they now conducting stealthier operations that we’ve yet to identify and attribute? Are they hacking countries other than the US? Or are they now focused solely on “legitimate” espionage targets?
Given the fluid nature of cyberspace, no doubt we’ll see some novel malicious activity this year, but I don’t think we’ve yet reached the end of the road when it comes to the trends that started in 2016.