Author: Stefano Ricci – 01/08/2019
In a recent interview on the current state of affairs in the field of cyber-security, Pentagon consultant Michael Bayer stated that these are times of “declared cyber war” and that, at the moment, the United States is “losing that war”. Although the US cybernetic systems are capable of projecting beyond their virtual space and adapting to threats generated by Russia and China, at the level of information security they are, in fact, quite defenseless. Whether it is the case of a direct attack on the mainframe of a specific Pentagon contractor or the diffusion of fake news on the main social media, Security Info Watch explains, the United States (and its allied countries, it should be added) is far behind in developing specific countermeasures and, above all, in acquiring the maturity, in terms of political support and leadership, that such a threat would require. In this regard, South Dakota Senator Mike Rounds, chairman of the Senate Armed Services Subcommittee on Cybersecurity, has argued that there is still a long way to go.
Too many obstacles stand in the way of a full awareness of the cyber threat: bureaucratic elephantiasis, monopoly of the traditional military apparatus, inability to fully understand the cultural context in which the new strategic dimension represented by virtual space is born and operates.
On this last point, the opinion of Mike Gallagher, member of the House of Representatives for the State of Wisconsin and co-chairman of the Cyberspace Solarium Commission, must be analysed. Gallagher argues that “Ultimately our success or failure in cyber will come down not to algorithms or technology but to human beings”. It will be up to the individual user to play a leading role in this new geopolitical scenario. Not by chance, in 2014 alleged Chinese sources attempted, successfully, to hack the accounts of more than twenty-two million employees of various American federal agencies, gaining full access to health, family and economic information.
Such information can be the best source of access to the main government databases.
Even Pentagon authorities had to admit that the main attacks conducted against the computer network of the Department of Defense of the United States of America have been carried out by exploiting low-severity vulnerabilities, such as improper use of passwords, erroneous disabling of firewalls in specific server rooms, infected USB keys and the non-use of encryption systems.
In other words, it is the cyber culture that is missing, not the tools to conduct the cyber war or to implement cyber security. The US government, last April, complained that there are more than 310,000 vacancies in the field of domestic cyber-security and that in the government structures there is a lack of advanced IT personnel. There is an underlying economic motivation: highly qualified workers, with a precise computer background, are more easily hired by private companies in Silicon Valley, where there is a higher economic reward and greater freedom to act and to build a career.
Rather than focusing the public debate on the spectacularization of ransomware, malware infiltration and attacks on specific public institutions, then, perhaps the time has come to bring to the attention of individuals the need to create computer awareness. Is this not the greatest strategic weakness? Despite a renewed interest on the part of the Trump administration in cyber matters, there are still too many obstacles to the equalization of the virtual dimension with the different traditional geopolitical dimensions. By way of illustration, the US government’s budget for fiscal year 2020 provides for only 2% of the total resources to be dedicated to the costs of implementing and improving the cybernetic sector; conventional weapon systems still seem to be the main focus, almost as if collective opinion were convinced that a territorial invasion is more likely than the penetration of computer systems.
Using Michael Bayer’s words, the cyber threat is not even among the first twenty problems of national security, notwithstanding all those “grey areas” where the threat is, in fact, real and pressing.
In Europe, the issue does not seem to be dealt with differently: the European Cyber Security Organisation, founded in 2016, started to receive calls for proposals only at the beginning of 2017, operating with a three-year budget of merely 450 million euros.
All in the hope that private actors will contribute to cyber research, thus tripling the investments previously made.
Certainly not a very encouraging statement but, as Michael Bayer suggests, “you will not win by moving money or modifying existing structures, but by changing the culture of this era”.
A perhaps impossible goal, but one that represents the most effective system for countering the hybrid threat.
A version of this article was originally published in Italian at Vision & Global Trends. International Institute for Global Analyses.
Stefano Ricci is currently working as a data analyst for a major Italian import-export company and as a freelance cyber-security analyst. In the field of cyber studies, he is also the author of the book Cyber Warfare: Verso Un Nuovo Paradigma Strategico, 2017 (Cyber-Warfare – Towards a New Strategic Paradigm).