A cyber-weapon developed by the National Security Agency boomerangs after getting stolen, in all likelihood by Russia. After being used in ransomware attacks on U.S. businesses, “EternalBlue” is now crippling the computer systems of multiple American cities.
The big tech companies’ recommended strategy for preventing future attacks that could go much further, seriously threatening national security? An international disarmament summit – no great surprise considering the ideological proclivities of these trendy firms, like Microsoft, Google and Facebook.
But diplomats negotiating signatures onto pieces of paper never succeeded in disarming nuclear tyrants or terrorists, whether they were Communists or jihadists. And they won’t pacify cyber-attackers targeting the free world.
The lead story in the Sunday New York Times reveals that NSA’s compromised EternalBlue “exploit,” the term such cyber-weapons go by in hacking jargon, was a “key component of the malware that cybercriminals used in the attack” recently on the Baltimore city government computer system. And that “cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.”
Attacks with the NSA’s stolen software weapon are now in the hundreds of thousands per day. And three years after the agency breach, and two years after Microsoft repaired the vulnerability in its software that facilitated EternalBlue’s design, systems that are vulnerable remain “widespread even to this day.”
We can blame the NSA, or the U.S. intelligence community as a whole, for another blunder, like the CIA confidently reporting that Moscow was at least four years away from building an atomic bomb even as the evidence that the Soviets had tested one in August, 1949 was being analyzed. Or failing to foresee India’s joining of the nuclear weapons club in 1998.
Unnamed officials told the Times more accountability within the NSA was needed, comparing the EternalBlue fiasco to leaving a warehouse of automatic weapons unguarded. We must not, however, blame our national security establishment for designing weapons in this newest realm of warfare, perhaps the most challenging theater of conflict we’ve every faced. Or demand that the U.S. government “exercise restraint in developing cyber weapons,” one of the tenets of Microsoft president Brad Smith’s proposed “Digital Geneva Convention.”
Terrorists Defy Treaties
Smith’s idea, floated in early 2017, of filling a room with international experts and “hammering out exactly what will and will not be allowed in cyberwarfare” is no new obsession for some on the left.
French President Emmanuel Macron’s similar “Paris Call for Trust and Security in Cyberspace has garnered 50 counties as signatories, plus the support of Google, Facebook, and Microsoft. Conspicuously absent, naturally, are China, Iran, North Korea, and Russia, the nations that commit cyberwarfare against the free world, and would use such weapons to cripple us if they could without consequence.
In touting his Digital Geneva, Smith naively endorsed “key principles that bar governments from engaging in malicious activity using information and communications technology or similarly damaging other nations’ critical infrastructure.” But for almost every country, this is tantamount to barring snowball making in Equador. For the handful of offenders at whom the principles are aimed, it’s like barring pyromaniacs from lighting matches.
One of Smith’s worst precepts is “We should pledge that we’ll continue to take no efforts to assist in offensive actions anywhere.” So cyber-weapons like Stuxnet, which successfully prevented Iran from building a nuclear bomb, never be used against deadly adversaries? You might as well have Boeing pledge not to build F-15s.
On the positive side, Smith suggests that “technical experts from across governments, the private sector, academia and civil society … examine specific attacks and share the evidence showing that a given attack was by a specific nation-state.” Although it’s debatable whether this must be in the form of a cyber version of the United Nations’ International Atomic Energy Agency, as he believes.
One If By Land, Two If By Cyber
The threat is real, and it is growing. China, for instance, at the close of 2015 established a branch of its People’s Liberation Army dedicated to cyber-warfare, the Strategic Support Force (SSF). The Defense Intelligence Agency this year reported that the SSF “may be the first step in the development of a cyber-force by combining cyber-reconnaissance, cyber-attack, and cyber-defense capabilities into one organization to reduce bureaucratic hurdles and centralize command and control of PLA cyber units.”
For decades we’ve been warned of the dangers of a nuclear-triggered electronic pulse devastating our national infrastructure. But chew on this hypothetical scenario for a moment: cyber-terrorists, maintaining watertight secrecy, fully prepare a powerful computer worm to be released on Election Day, November 3, 2020. It will render inoperative, say, 60 percent of the local vote-tallying computer systems in the country.
The majority of the votes cast for President and various House races, most of the U.S. Senate races taking place next year, and various state and local offices would be rendered uncountable for the short term. The nation would be propelled into weeks if not months of recount chaos as back-up paper ballots are scrutinized. January 20th, 2021, Inauguration Day, might come around with Americans still not knowing who their President is supposed to be. And of course, throughout the pandemonium, the establishment media would be accusing Donald Trump of exploiting the crisis to steal re-election.
A cyber version of Yalta, or Barack Obama and John Kerry’s Iran nuclear deal, is not the answer. What is is the ability and will of the West to use force, of any and every kind, against states that sponsor or orchestrate cyber attacks. And we must make it plain to one and all that we view computer attacks against us as akin to conventional land, air or sea attacks – with all of those options open to us in defending ourselves.
Instead of a Digital Geneva Convention we should be seeking instruments of digital surrender from such adversaries. They can send them via email.