Every rung goes higher, higher

Once again, Ellen Nakashima of the Washington Post has broken a cybersecurity story:

A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report.

The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.

The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

I read the story at the ABA winter meeting, where Harvey Rishikof, Emily Frye, Steve Chabinsky, and I talked about whether private companies could do more to protect themselves than simply raise the wall around their systems:

The issue, agreed three experts who spoke on the panel, is to what extent private concerns may go to track down the intruders who break into their computer systems and where the intruders hide that data to avoid detection. The dilemma, said Steven Chabinsky, is that the federal government has the statutory authority to carry out such investigations but lacks the resources and capabilities, while the private sector has the capability but lacks clear legal authority.

The two events are tied together by something Steve Chabinsky said during the panel discussion: We’re used to the idea that cybersecurity is an arms race, with defense chasing offense and vice versa, and that the US and its adversaries are constantly trying to counter each other’s tactics. What we haven’t absorbed is how quickly proliferation occurs.

Once a nation has found a tool that overtops America’s national security defenses, the tool will only work for a while.  Eventually its thrust will be parried by the Defense Department. At that point, the code isn’t good for its original purpose, but it’s still plenty good for breaking into private networks, and it will keep working until a good defensive tactic has spread across the entire Internet. 

So as network attackers develop new tools, they have every reason to repurpose the old ones, either shifting the old attacks to softer targets or rewarding criminal allies and less talented nations like North Korea and Iran by handing them lightly used offensive tools. The Defense Department keeps building higher walls, and the Russians and Chinese keep building higher ladders. 

When the US wall gets to thirteen feet, what do the Russians do with all their twelve-foot ladders?  Naturally, they don’t want them to go to waste; they look around for companies that still have eleven-foot walls.

There’s a deeply discouraging aspect to this dynamic. It means that all of us, whether individuals, law firms, oil companies, banks, or human rights groups, are caught up in a race between governments.  And if our defenses aren’t good enough to keep out the most sophisticated governments, it won’t be long before those governments come after us, directly or by proxy. So all those comforting lists of defensive tactics that stop 90% of attacks suddenly aren’t so comforting.  Adopting those tactics is like building an eleven-foot wall.  It just increases the market value of used twelve-foot ladders.

I’m not sure I’ve fully plumbed the policy implications of the “used ladder market” effect, but some things seem clear. Using an arms race metaphor tends to trigger calls for American restraint and arms control negotiation. But that won’t work here; the only way to show restraint in this contest is to stop defending against new attacks.  And even then, attackers have a long-term incentive to hand off their used tools to other actors, so you’re leaving your network open to more and more bad guys.

I suspect that the used ladder effect is another argument for moving from pure defense to a mixed strategy that includes attribution, punishment, and deterrence.  The market for ladders wouldn’t be so robust if there were a pack of Dobermans on the other side of even the ten-foot walls.  But it also reveals just how much we’re going to need ways for DOD to share information about the attacks it is experiencing, because those attacks are bound to be heading our way, and soon.