As Republican FCC Commissioner Ajit Pai put it recently, it seems likely that the “days are numbered” for net neutrality rules And, notwithstanding candidate Donald Trump’s negative reaction to AT&T’s planned acquisition of Time Warner, sources close to the new administration are signaling through press reports that that deal and other mergers, such as the previously blocked Sprint acquisition of T-Mobile, are likely to win approval.
But rising tensions over Russian and Chinese government hacking operations suggest prospects for a slide into cyber warfare could soon become a preoccupying issue in relations between the industry and the federal government. In fact, given the scope of vulnerabilities, security-mandated rules could become a far greater concern for network service providers and commercial users of their facilities than any regulations promulgated while Tom Wheeler was FCC chairman.
Two comments in mid-December, one by Arizona Republican Senator John McCain, the other by White House press secretary Josh Earnest, convey in a nutshell the precarious state of affairs on the geopolitical stage. McCain characterized Russia’s hacking and public dissemination of communications among Democratic Party and Clinton campaign operatives during the 2016 election campaign as an “act of war.”
Earnest, commenting on the Obama Administration’s resistance to calls for more aggressive and public responses to Russian actions that national intelligence director James Clapper said in October could only have been authorized by “Russia’s senior-most officials,” suggested the U.S. would be at a disadvantage in a cyber conflict, “because we rely on 21st-century communications technology for just about everything in a way that lots of other societies and economies and countries don’t.”
In other words, we could be on the brink of war without adequate defenses to back up an aggressive response to attack. Where all this leads is anybody’s guess as a president-elect who calls national intelligence pointing to Russian government-backed hacking “ridiculous” enters office amid preparations for multiple hearings and investigations into the matter on the part of several congressional committees.
In the Senate, according to the Washington Post, a coordinated effort involving the Senate Select Intelligence Committee, the Senate Foreign Relations Committee and the McCain-chaired Armed Services Committee aims to expose what happened and the extent of Russia’s cyber warfare capabilities. McCain and many Democrats want to go farther with convening of a special 9/11-style commission to address the issue.
Adding to the pressure on President-elect Trump to change his stance is the vow of South Carolina Republican Senator Lindsey Graham, who chairs the Senate Appropriations Committee’s Subcommittee on State, Foreign Operations and Related Programs, to vote against confirming secretary of state nominee Rex Tillerson if he refuses to accept the intelligence community’s findings on the Russian role in pre-election hacking. Two other GOP senators, Kentucky’s Rand Paul and Florida’s Marco Rubio, have also threatened to block Tillerson, who as Exxon Mobile CEO has pursued close relations with Russian President Vladimir Putin.
Should the new president become persuaded that the intelligence is correct, it’s hard to imagine that he would abide public perceptions that he is reluctant to act more aggressively than President Obama. Moreover, Trump has already listed Chinese government-orchestrated cyberattacks as one of the reasons for taking a harsher stance toward that country.
Yet, as Earnest’s comment reminds us, the national defense leadership harbors anxiety over what is seen as America’s disadvantage against authoritarian governments whose economies are less reliant than ours on open e-commerce. Clearly, any escalation toward all-out cyber war would have to be accompanied by defensive measures that would require levels of security in Internet communications that far transcend what we have today.
Adding to the challenges the government faces in formulating a cyber security game plan is the fact that massive hacking incidents outside politics continue to pile up, including a recently revealed attack that compromised one billion Yahoo accounts in 2013 on top of the previously disclosed 2014 incident that hit 500 million users. Even without an escalation into cyber warfare, the assault on e-commerce poses a threat to the economy that the government can’t long ignore, no matter how laissez-faire its inclinations might be.
As we first reported in 2014 and have explored many times since, the Internet-of-Things phenomenon vastly broadens the threat as Internet-connected sensors with low computing power supporting minimal if any safeguards are embedded in everything from cameras, thermostats and light fixtures to industrial machinery. As Dan Kaufman, chief of the Defense Advanced Research Projects Agency’s Information Innovation Office, put it in a 60 Minutes interview last year, “Our fear is everything becomes networked.”
Several incidents in recent weeks have validated these fears. In October CDN operator Akamai reported hackers had gained entry into more than two million modems, routers, Wi-Fi access points, satellite antennas, video recorders and other points of connectivity. Exploiting the Secure Shell (SSH) protocol used to facilitate remote access, hackers created tunnels to set up a command-and-control system that manages these devices to generate malware. In one instance reported by Wired, all the hackers needed to do to penetrate a brand of video recorders was to use the publicly disseminated factory default password.
More worrisome still is the success of the Mirai botnet, which has become a persistent source of distributed denial of service attacks leveraging the same types of vulnerabilities in IoT devices. Mirai continuously scans for IoT devices that can be accessed by using factory default or hardcoded user names and passwords. In late October, for example, a Mirai attack used such devices to mount a domain name server attack that took out Twitter, Spotify, Reddit, The New York Times and other major sites.
The impact on government thinking about what might be required beyond past norms of acceptable action to deal with the growing cyber threat was illustrated by the Justice Department’s adoption on December1 of an amendment to rules regulating legal search and seizure. Under the revised Rule 41, the FBI upon obtaining a single warrant from any judge in a jurisdiction impacted by a cybercrime can search for and seize information stored on affected computers, phones and other devices no matter where they are or who owns them
Significantly, Congress had ample time to intervene in the DoJ’s action but didn’t. The changes, which went largely unreported in the mainstream media, represent a major escalation of government reach into the private sector in pursuit of cyber criminals. In a blog post the Electronic Frontier Foundation termed the action “a dangerous expansion of powers, and not something to be granted without any public debate on the topic.”
One indication of the effectiveness the regulation could have in combatting massive cyberattacks can be found in a DARPA project Kaufman described in his 60 Minutes interview. Kaufman demonstrated how a videogame-like display of all the nodes in a global network of tens of thousands of computers can be used to instantly identify any breach and take offline any impacted computers. Hypothetically, the FBI applying the technology under expedited authorization from a judge’s order could take down a national scale attack fairly quickly.
This, of course, would be just one line of defense the government could implement via new regulations. Rather than simply relying on new ways to react to attacks, the more straightforward approach would be to reduce vulnerabilities by requiring network owners, device manufacturers and other private sector participants in the e-economy to take protective measures that would be impossible without a government mandate.
For example, notes KC Claffy, director and principal investigator at the Center for Applied Internet Data Analysis (CAIDA), hackers’ ability to alter IP packet data to spoof points of origin has been a technically fixable problem from the beginning. “It’s an incredibly powerful vector for attack,” she says, but quickly adds that without regulatory fiat there’s no way to fix the problem.
Many innovations used to protect private IP networks offer hope for greater defense, but, as things stand, they’re not available for wide use, notes Ashkan Softani, former chief technologist at the Federal Trade Commission. “Fundamental flaws in the core Internet design are being addressed by some people, but expertise is not distributed equally,” Softani says. “When people are finding ways to button up the holes, those solutions need to be shared.”
Clearly, reliance on voluntary action by the private sector is not going to put the U.S. on the secure footing essential to taking a more aggressive stance in the cyberwars to come. Solving the security problem may be “table stakes” for the Internet, says Level 3 Communications CTO Jack Waters, “But it’s hard to find all the incentives that are needed to make this happen.”
Given the magnitude of those stakes for both e-commerce and the nation’s security, a bigger role for government seems inevitable, including promulgation of rules mandating new measures at the public network level. In other words, as building a cyber security wall becomes an urgent government priority, talk about deregulation could soon be subsumed by battles over what needs to be done and who should pay for it.