Should there be a Manhattan Project for cyber security?

Some security experts are calling for a task force on cyber security in the face of growing threats.

In calling for a Manhattan Project on cyber security, author Marc Goodman laments that “We’ve wired the world, but failed to secure it.” Recent examples of computer systems failing under attack include Russian hackers allegedly leaking DNC emails, Oracle’s giant cash registry breach, and the Australian Bureau of Statistics’ nationwide census website being taken down.

To get an insight into a proposed Manhattan Project, we spoke with Kate Miller from the Cyber Security Project at Harvard University.

ResearchGate: How can a virtual threat affect real life?

Kate Miller: A useful framework for thinking about virtual threats is the C-I-A model – standing for confidentiality, integrity, and availability. Malicious cyber activities can in many cases be categorized according to which of these three categories is compromised, and it can be more than one. Confidentiality and availability can have real-world effects – unexplained charges on your credit card statement or a bank website rendered inaccessible by a distributed denial of service (DDoS) attack, for example.

Threats that compromise the integrity or reliability of information are the most troubling, from my perspective. This is because information that has been deleted or altered, especially in a way that prevents or constrains mitigation efforts, can easily have destructive physical effects, for example causing a motor to speed up or a computer to stop communicating with its network, or any of a number of other effects. Examples of this include the Shamoon malware, which according to media accounts essentially wiped some 30,000 PCs belonging to Saudi Aramco in 2012, rendering them unusable. Another example is the hack of the electrical grid in Ukraine in December 2015, which resulted in a power loss to some 200,000 or more customers.

RG: What needs to be secured?

Miller: This is one of the hardest questions when talking about cyber security, because it is so subjective – not only in terms of what needs to be secured, but who should be tasked with securing it. Ideally, all parties work together to produce the highest level of security across the board, but things are rarely that simple. Individual companies and industries are likely to perceive themselves as needing protection, especially if they are the target of sustained malicious activity, but they may not be truly, systematically important; or the scale and significance of an attack may fall below the threshold which provokes a response from the relevant government. As I mentioned, it's also unclear who bears responsibility for securing various systems – is it the government? The companies that rely on these networks, systems, or devices? The developers who put the software out there in the first place? This is an issue that many are still working on.

From a U.S. perspective, the Department of Homeland Security has designated 16 critical infrastructure sectors "whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety..." These include things like the chemical sector, communications, dams, energy, water systems, etc. So from the U.S. perspective, these are what need to be secured. More recently, there has been some discussion surrounding whether devices used in elections should also be designated critical infrastructure, although to my knowledge they are in only the beginning stages of that discussion.

RG: Who or what is a real and present threat to cyber security?

Miller: At this point in time, it appears that well-resourced, state or state-sponsored/supported actors are the only actors that present a significant, systematic threat to cyber security. There are only limited actors who have the capability – not just the intent – to inflict significant damage. This is in part because inflicting serious damage that has a physically destructive effect – such as disrupting a power grid – often requires expertise in many different areas. Inflicting significant damage or damage that is hard to undo also often relies on the ability to establish persistence, to map and move between networks and systems without being discovered, learning how those systems work and interact. It's usually not simply a question of breaking into a network. That being said, there is a lower level of risk emanating from non-state actors that could become more significant as more and more poorly secured devices are connected to the Internet, as organizations with little experience in information security integrate connected devices, and as technical know-how proliferates.

RG: Which international organizations should take action?

Miller: Realistically, there is probably a role for every international organization in the effort to improve cyber security, simply because the issue is pervasive – there are few places unaffected by poor cyber security, and there will be increasingly fewer as the IoT grows and spreads. Traditional security alliances such as NATO certainly have a role to play, I think. NATO, for example, has its own networks that it must secure and relies on the national networks of its member states. It is thus in a position to develop and promote both best practices and minimum standards for security. This is true for other organizations. Even those that focus on non-security issues could have a role to play in establishing norms of acceptable behavior, for example. That being said, there is a great deal of difficulty tied to international action on cyber problems because of a number of issues, including diverse perspectives on what constitutes the threat and what constitutes information security, what governments should be allowed to protect and regulate, and concerns about sharing information on threats and vulnerabilities that potential or actual adversaries could exploit. Basically, it’s a very tricky area.

RG: What do you make of calls for a Manhattan Project on cyber security?

Miller: It is certainly an interesting proposition, and the idea is very appealing, but I'm not convinced of its feasibility. The objective of the actual Manhattan Project was to build – in secret, using a dedicated concentration of expertise – a massively destructive weapon. The proposed objective of a cyber Manhattan Project is to create systemic security that requires widespread support – or at least compliance – from the public and private sectors that already use the devices under consideration and have already developed protocols and practices for their use. These are incredibly different goals with very different stakeholders. A primary challenge is that when it comes to cyber security, everyone is a stakeholder. And getting everyone to buy in would be difficult at best. The very pervasiveness of industries that involve cyber security and connected devices could be a significant roadblock in getting a cyber Manhattan Project off the ground. For better or for worse, many companies and consumers are not going to wait for a Manhattan Project to deliver a Hail Mary.

Which is not to say I'm opposed to the idea, or to finding creative solutions that address the issue of cyber security. One approach may be to attempt to change market incentives that not only allow for but encourage moving highly insecure products to market. There are some interesting efforts happening in Massachusetts on this. Renowned cyber security researcher Peiter Zatko (a.k.a. Mudge) is creating a methodical approach to test, qualify, and compare the security and resiliency of software so buyers can more easily make informed decisions and choose more secure products, thereby forcing developers to make security a primary – rather than secondary – concern. Another element to consider is the fact that a significant number of hacks take advantage of known vulnerabilities. Finding effective means of securing systems from these – in short, improving basic cyber hygiene – is a key step toward a more cyber-secure future.
