The Two Classes of Cyber Threats

There is one number that matters most in cybersecurity. No, it’s not the amount of money you’ve spent beefing up your information technology systems. And no, it’s not the number of PowerPoint slides needed to describe the sophisticated security measures protecting those systems, or the length of the encryption keys used to encode the data they hold. It’s really much simpler than that. The most important number in cybersecurity is how many people are mad at you.

Let’s say, for example, that your organization has done something that has angered a few hundred million people around the world. Suppose that 1 percent of them are computer whizzes, and 1 percent of that group has the time and inclination to devote themselves to waging war on your information technology infrastructure. That means you’re up against tens of thousands of people committed to bringing your systems down. Some of them are going to succeed.

Case in point: On Friday, Anonymous took over the U.S. Sentencing Commission’s website in response to the recent suicide of Aaron Swartz, who had been facing the prospect of more than 30 years in prison for downloading academic articles without authorization. In an action the group calls “Operation Last Resort,” Anonymous announced on the Sentencing Commission’s website that it has compromised and extracted secret files from multiple U.S. government systems. It threatened to release excerpts from those files in the coming weeks to various media outlets. After being intermittently restored to service, the Sentencing Commission’s website was hacked again on Sunday, this time turning into a playable game of Asteroids.

The image of Anonymous running roughshod over a Department of Justice website doesn’t inspire confidence in the level of U.S. government cybersecurity. In the DOJ’s defense, it could be pointed out that the Sentencing Commission site is merely an outward-facing portal, and that most of the government’s systems and networks are buried behind many more layers of protection. But in today’s world, all electronic systems are connected. Even those that are separated from the rest of the Internet by an “air gap”—so that they don’t talk directly to the outside world—can be compromised via software delivered (and later extracted) by a USB stick or CD drive by a malicious or unwitting insider.

Anonymous, of course, is not the only group that might have an interest in compromising American computer systems. State actors have long been suspected of conducting industrial espionage on American companies, and unlike hacktivists, they aren’t likely to announce their successes. But it doesn’t take a genius to look at what Anonymous can do and conclude that true cybersecurity is an illusion, and that anyone who claims otherwise is lying, delusional, incompetent, or some combination thereof.

There are degrees of protection, and it is certainly possible and prudent to eliminate known vulnerabilities. But given the literally incomprehensible complexity of today’s systems, there is a never-ending stream of previously unknown vulnerabilities that cyberattackers are just as well-qualified—and in some instances better qualified than cyberdefenders—to find. Cybersecurity is a game of whack-a-mole on a large and rapidly expanding playing field, and when the number of moles is orders of magnitude higher than the number of people holding mallets, the moles will often have the upper hand.

Against this backdrop, it is interesting to consider a recent report that the government plans to add 4,000 people to the Department of Defense’s Cyber Command, which currently comprises only 900 personnel. In the current era of tightening federal spending, any staffing growth is unusual; an increase of this magnitude may be unmatched in any other sector of government. It telegraphs that the Department of Defense recognizes the increasingly critical role that cybersecurity plays in U.S. national security. And, to the extent that Cyber Command can help make critical infrastructure such as the power grid and financial system less vulnerable to a massive attack that could endanger the lives and livelihoods of tens of millions of people, its efforts will be an important and much-needed contribution.

If Cyber Command succeeds in safeguarding these systems, it will be in part thanks to the high skills and dedication of the people it will hire. But in large measure it will also be because there are few would-be hacktivists who would take any pleasure in an attack that could leave large swaths of America shivering in the dark on a cold winter night, or unable to purchase food because the country’s payment systems have stopped working.

Thus, what the government calls “critical infrastructure” really describes two different classes of systems that call for very different cybersecurity strategies: Some, like the power grid, are viewed by everyone as critical, and the number of people who might credibly target them is correspondingly smaller. Others, like the internal networks in the Pentagon, are viewed as a target by a much larger number of people. Providing a high level of protection to those systems is extremely challenging but feasible. Securing them completely is not. That’s a realization that, despite all evidence to the contrary, one suspects hasn’t fully sunk in inside the Beltway.