At a conference of chief technology officers in 2016, General Michael Hayden, former head of, at different times, both the NSA and the CIA, told the audience, “Cyberwar isn’t exactly war, but it’s not not-war, either.”
Cyberattacks, at the nation-state level, were already almost a decade old at that point. In 2007, over the course of 22 days, a Russian attack on Estonia took out commercial and government servers, online banking, and the Domain Name System, without which people can’t find or look up websites and online servers. The attack carried into the cyber realm an already heated political conflict between the two nations, and Estonia’s economy was as much under attack as its information infrastructure.
In 2010, we learned of the U.S.–Israeli attack on Iran and its uranium centrifuges, known as Stuxnet.
In 2015, a concerted attack, believed to have been Russian, on the power grid of another east European nation, Ukraine, left more than 200,000 people without electricity for at least several hours. It was the first attack on a grid, and perhaps the first large-scale SCADA attack—that is, on the control systems of critical infrastructure. Follow-up attacks struck the railway, television, and mining sectors.
In 2016, right around the time General Hayden was warning American audiences of the dangers of cyberwar, Russia, in conjunction with a private firm, Cambridge Analytica, and elements of the U.S. Republican party, crafted a disinformation campaign to influence the presidential election that year. Russia and Cambridge Analytica also undermined the Brexit referendum in the U.K. earlier that year.
Since then, we’ve seen entire families of malware appear, such as Trickbot. Arguably even worse was the recent SolarWinds hack, which in effect was an attack on what we might call the software supply chain. As many as 18,000 different organizations using SolarWinds may have been affected. Worse, the effects of the hack may have reached out into other networks and therefore been exponential. For example, both Microsoft and security firm FireEye were affected, and they each have many enterprise customers.
As the fourth-century Roman poet Juvenal asked, Quis custodiet ipsos custodes? Who shall guard the guardians themselves?
A @RadioSpectrum1 conversation with Justin Cappos, who heads the Secure Systems Laboratory at @NYU. On @Spotify and @IEEESpectrum https://spectrum.ieee.org/multimedia/podcasts