Doug DePeppe is the Founder of eosEdge Legal, a First-of-Kind cyberlaw and Services pure-play.
Part 1: Existential Cyber Threats and Risks Of a Destabilized World
The cyber landscape presents an existential risk to the West!
In labeling the cyber threat existential, my underlying premise must be stated: without structural change, former NSA Director General Alexander’s unsettling quote will prove to be true, revealing a destabilized global environment lacking respect for the rule of law.
General Alexander called cybercrime “the greatest transfer of wealth in history”. His warning about cybercrime was a financial warning, on par with his security concerns. The implication? The global economy, largely generated by Western nations, will disintegrate and societies will fundamentally change as a result.
If there’s legitimacy to the risk of global destabilization, brought about through cybercrime that undermines the global competitiveness of developed nations, then the West is faced with an existential risk.
For some, that cyber indeed represents a paradigm shift is clear on its face. Circumstances like nation state attacks on corporations and critical infrastructure, completely bypassing traditional sovereign border defenses, served as a moment of awakening to the new reality. Or just recently, Anonymous declaring war on a belligerent entity that has self-declared itself the modern caliphate. This war, evidently, will be one waged entirely in the virtual realm of cyberspace! The Pope is calling these unsettled times a “piecemeal third world war”. These simple anecdotes are enough for some to have little difficulty in recognizing that the world is changing, or has already changed without our recognizing it. And further, that structural change within society is needed to operate effectively and to improve stability.
For others, more data, study and perhaps just incremental change would be sufficient to meet a threat that, while different, is hardly an existential threat. After all, it is not logical to view the virtual realm of cyberspace, which is simply a network of machines, as possessing any sort of tangible meaning for the human condition, especially for the might and sophistication of Western societies and their economies.
And so, in this piece I will highlight a few dynamics of the cyber landscape that suggest an untenable situation, an emerging predicament that warrants analysis of its existentialism. The next part in this series will build upon the notion that this existential threat warrants structural changes to current societal approaches to cybersecurity. Indeed, new structural approaches for security and resilience, and even facilities for improved trust for a public-private partnership.
Monetization of Crime.
Market forces are the greatest tools known to man to cause fundamental change. Wealth opportunities generate appropriate risk taking. Innovation spurs economic activity. Disruptive technologies change entire markets.
The Darknet is growing unchecked because anonymity is a tonic for a wild west of criminality. It’s a place where ANYTHING can be, and usually IS SOLD. Drugs, arms trafficking, identity and stolen credit card inventories for sale, stolen bank customer logins, hacking tools and malware, even cybercrime training courses – it’s all available for purchase. Moreover, Bitcoin is the currency of this underworld of criminality. And importantly, for interpreting the destabilizing nature of the Darknet, Bitcoin is a non-sovereign currency system. In other words, criminals have less need to engage in money laundering. Bitcoin enables anonymous monetization in large measure (which is not to suggest that Bitcoin itself is illegal).
To analyze this scheme for the monetization of crime from an existential risk perspective, an exploding criminal marketplace (market forces used for illicit gains) means that there is a perverted market incentive to become wealthy through crime. Moreover, beside its anonymity, TOR networks are distributed. TOR nodes represent a P2P architecture whereby users can increase their anonymity, reduce their risk of detection, and maximize ‘business scaling’ of the architecture as more criminals enter the network with new TOR nodes. So, the perverted incentive builds upon itself unchecked. From a Western society standpoint, this means that the attacker ecosystem will continue to build and perverted incentives to disadvantaged societies will grow. The greatest transfer of wealth will get worse and worse on this trajectory.
As the saying goes, defenders need to stop every attack vector and plug every vulnerability, whereas the attacker just needs to find one weak point. Usually that’s a human being. More importantly, cybersecurity strategy has changed to an intelligence game. Like in warfare, better information about the attacker ecosystem is sought. An attack team will have a cellular structure, with teams performing malware development, attack strategy, monetization, and other functions along the stages of attack. Notwithstanding the size of a sophisticated attack team, their strategy will be deployed across entire industries. It is a scalable model. Conversely, defenders are cloistered in enclaves, called companies. In most instances, defenders have limited information about criminal plans and work under limited budgets.
To remedy the lack of intelligence, innovative cyber threat intelligence companies have entered the market. Additionally, platform-based threat intelligence sharing capabilities are being developed and deployed. Indeed, in the US, the President’s Executive Order on Information Sharing directed the Department of Homeland Security to institute a new information sharing regime (Information Sharing and Analysis Organizations - ISAO). The plan is to call upon communities to establish ISAOs in order to share intelligence and improve readiness and cyber defenses to withstand attack. The upshot of this strategy is that an army of analysts, intelligence source providers, and corporate intelligence personnel and systems will be needed. This will be costly and manpower intensive.
The ISAO approach is probably necessary. The ISAO construct is novel, mainly because it implicitly calls for a pooled organizational structure. That is, it will presumably become too costly for most companies to unilaterally invest in the manpower and systems needed to create a cyber-aware organization. From an existential risk standpoint, this approach increases the Defender-to-Attacker ratio. Unless Big Data Analytics dramatically reduces the manpower component, the growing attacker ecosystem will cause an increasingly larger commitment to the defense. While the numbers game of developing analysts is certainly a challenge, that is not a pivotal factor. As the monetization of cybercrime escalates however, the cost of committing more resources to defend against cyberattacks will further diminish profitability.
Part 1 Conclusion.
I am certain that Internet and cybersecurity scientists, practitioners, government officials, and thought leaders would offer more anecdotes and observations about game-changing dimensions of the modern cyber landscape that benefit the attacker. The two I have offered paint a bleak future for the West. Additional risks include manipulation of stock trades and financial transactions, such that trust in the financial system deteriorates. Hijacking of critical infrastructure control systems by foreign entities or terrorists. Or, another targeted hack of the top level domains and severe degradation or loss of the Internet.
I know there are many worst case scenarios that keep leaders up at night. In saying all this, it’s not to be sensational. Rather, this Part is intended to stir consideration about cyber risk being an existential threat. If it is, we must do much more in fundamental ways, not incremental ways. If we are not sure whether the risk is existential, then we should put more study into making a better calculation.
In my view, the risk is existential. The next part in this series will introduce structural change ideas.
This article was originally published on LinkedIn. You can find it here: LinkedIn
About the Author: Doug DePeppe is a former White House task force member for the 60 - day Cyberspace Policy Review. He has led Public-Private Cyber Partnership thought leadership since 2010. In his cyberlaw practice, his interdisciplinary team provides due diligence assessments and post-breach coaching. He also advises cyber intelligence developers on rules of the road in the collection of intelligence.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky
View all comments