Symbolically, the White House Summit on Cybersecurity and Consumer Protection was about the White House reaching out to Silicon Valley and the need for collaboration between government, and the manufacturing, finance, and technology industries.
Substantively, the President signed an Executive Order to encourage the sharing of cyber threat information.
Government outreach efforts often talk about collaboration and working together but usually in a vague, aspirational, kumbaya kind of way. However, for cybersecurity the need for collaboration is pragmatic and pressing.
The ubiquity and power of information technology means that the biggest security risks exist at the intersection of disciplines and communities. Collaboration is the only way to mitigate these risks.
An intersectional perspective allows us to better understand why certain cyber attacks occur and are so damaging.
The recent attacks on Sony have accelerated the Obama administration’s efforts on cybersecurity. But why was the Sony attack such an unmitigated disaster for the moviemaker?
While this was definitely a cyber attack, it was also an international relations incident, a state sponsored terrorist attack on freedom of expression, and an example of Hollywood being ridiculous.
The damage occurred at the intersection of the actions of a sophisticated hacking group (or ‘advanced persistent threat’); poor cybersecurity practices by Sony; the leaking of damaging private corporate data; the use of terrorist threats to block the release of “The Interview” and the incompetent responses from Sony (including canceling then digitally releasing the movie, threats to sue Twitter and an alleged denial of service attack on servers hosting Sony’s leaked data).
While this was definitely a cyber attack, it was also an international relations incident, a state sponsored terrorist attack on freedom of expression, and an example of Hollywood being ridiculous.
The attack and its fallout could absolutely have been mitigated if Sony had a better IT department. But Sony would also have benefited from better leadership, a less toxic corporate culture and a crisis management team with the ability to call on government support.
Other factors beyond Sony’s control also played a critical role in this attack including, a poor relationship between the United States and China on cybersecurity, a lack of international protocols for dealing with cyberattacks and limited means for the United States to impose further political costs on North Korea.
Sony was on the receiving end of a sophisticated attack but simple attacks can also have outsized impact when they occur at the right set of intersections.
The Cyber Caliphate And CENTCOM
The so-called Cyber Caliphate’s ‘cyber attack’ on CENTCOM’s twitter account was not technically impressive but it took advantage of other factors. The attack occurred against the backdrop of ISIS’ social media savvy savagery, not just sharing graphic images but building Twitter apps and calling for the assassination of Twitter employees. This combined with the fact that many in the public don’t understand that military Twitter accounts are exactly the same as regular Twitter accounts and don’t have magical military security.
If ISIS could strike back at the U.S. military on their home turf what would it mean for fighting on the ground? Including some publicly available ‘leaked’ documents briefly gave the impression that the Cyber Caliphate had more serious skills. And this all occurred at a time when many are wondering about what the United States is doing in Syria, Iraq and the Middle East more generally.
Yes, CENTCOM could probably have avoided this embarrassment if it had used basic two-factor authentication on its Twitter account. But the attack would also have been less successful if the United States had a clearer strategy for defeating ISIS, if the public had a better understanding of Twitter security, or if the United States had not just left Iraq or was not still dealing with the aftermath of the Manning and Snowden leaks.
Hacking And The Financial Sector
The financial sector possesses some of the most sophisticated cyber defenses but despite their technical capabilities, Kaspersky Lab’s has just revealed that a cyber criminal group, dubbed Carbanak, has stolen up to $1 billion from as many as 100 financial institutions around the world over the past 2 years.
These attacks show yet another set of intersections. When the technical sophistication and, often, strong security practices of banks are comprised by spear phishing delivered malware, significant manipulation of transactions can go undetected.
Even when such attacks are noticed, banks are often unwilling to talk publicly or privately for fear of damaging customer confidence and their insurance premiums. Accepting the loss can be more cost effective in the short term but allows attackers to reuse their tactics again and again. Differing international laws, business competition and challenges of attribution make identifying the multi-national perpetrators extremely difficult, let alone capturing and prosecuting them.
In most cases, the motive for attacks on financial institutions is economic. But it arises from technical opportunity and a huge return on investment with relatively low risk when undertaken internationally across nations that don’t agree on internet governance or law enforcement. 100 banks from across the globe can’t all have terrible cyber security practices, meaning that the answers have to be about more than technology.
Collaboration And The Hacking Community
Technology experts already understand the importance of community and collaboration for cybersecurity. The hacker researcher community has a longstanding history and culture of online collaboration and real life conferences like DEF CON and Black Hat, DARPA ran the Cyber Fast Track program to collaborate with the hacker researcher community, Facebook has recently launched ThreatExchange, a social network for sharing threat information, and the White House has just announced the creation of the Cyber Threat Intelligence Integration Center to coordinate cyber related intelligence among federal agencies.
Collaborating with colleagues within our various specializations will remain important. But if we want to develop long-term solutions that address our cyber insecurity we need to collaborate outside of our various communities more effectively.
Assembling a team of experts with the necessary collective experience to address the particular combination of issues faced by Sony or CENTCOM or all of those banks would be time consuming, expensive and perhaps impossible. And substantially different teams would be required for each attack not to mention attacks on Target, Home Depot, the United States Postal Service, or Anthem health insurance.
This is why the President’s focus on community, connection and collaboration is warranted. The threats of cyber insecurity are intersectional and transgressive, ignoring geographic, organizational, disciplinary and cultural borders.
To be fair, good, early work has been done to bridge some of those gaps. The United States Government interagency community is far more tight knit and collaborative than other disciplines.
Government agencies communicate regularly with major industries through Information Sharing and Analysis Centers and centers for collaboration like the Microsoft Digital Crimes Unit and the NATO Cooperative Cyber Defence Center of Excellence have yielded early successes.
But these efforts are not scaling as rapidly as cyber threats and still leave large issues unaddressed, most notably the huge gap between the government and leading technology developers on the issue of surveillance. The CEOs of Google, Facebook and Yahoo were notably absent from the White House summit on Friday.
Creating intersectional understandings of cyber challenges is a critical first step toward creating communities that collaborate effectively to address the endemic risks of cyber insecurity. To do this effectively requires new thinking from diverse fields.
Intersectionality And Cybersecurity
Intersectionality is not a new concept. It comes from the critical race theory work of professor Kimberle W. Crenshaw. Professor Crenshaw identifies the issue of ‘single- axis’ analysis that separates problems of social injustice into distinct challenges facing specific groups, for example based on race, gender, sexual orientation or socioeconomic status.
Such analyses easily lead to conclusions that miss the bigger picture, creating divisive competition between issues and gaps that allow important problems to be overlooked. A single-axis analysis of the Sony attack might suggest that it was merely an issue of poor network security or the inevitable outcome of focused, state sponsored hacking.
Cybersecurity and social justice are markedly different fields but the core insight of intersectionality holds true for both: we must move beyond discussions over whether a core issue is about Problem A or Problem B and instead understand the relationships among Problem A and Problem B and Problem C and other related problems.
For cybersecurity, intersectionality can help us better understand the ways in which cyber challenges are not just technical but are simultaneously legal and governmental and cultural and economic and so on.
As the President said in his Stanford speech, cybersecurity “is a shared mission.” In order to truly work in a shared manner we must develop smart new ways of thinking that inform the technical and non-technical aspects of cybersecurity. It is through intellectual and cultural efforts that we can harness the existing creativity and capabilities of disparate experts to make Presidential speeches and executive orders actually mean something.
Editor’s Note: Ben FitzGerald is the Director of the Technology and National Security Program at the Center for a New American Security where he explores the intersection of strategy, technology and business.