Developments in State-Sponsored Hacking

By John Fanning

The mission of InfraGard has always been to protect America’s critical infrastructure. Over the years since its founding, the threats facing both tangible and intangible critical infrastructure have multiplied along with the methodologies used to breach the multiple defenses that have been developed. When it comes to cyber threats, the predominant perception of just whom and what we were confronting originally focused upon disgruntled employees and rogue hackers either working alone or in groups, endeavoring to steal, extort or simply create mayhem in cyberspace. After the attacks of 9/11, our vision expanded to include terrorist groups and stateless nations.

Beginning in 2010, the scope of our mission dramatically changed once again. Today, we confront cyberattacks from state actors or their surrogates. Working with virtually unlimited resources, the scope and prowess of these attacks have increased dramatically, and attempts to identify and hold such hackers accountable have been stymied and, in some cases, made impossible.

While state-sponsored hacking activity has been suspected since at least the 1990s, it wasn’t until 2010 that the existence of state-sponsored cyberwarfare was verified, with the disclosure of the sabotage-specific Stuxnet worm and an announcement by Google of a highly sophisticated attack on its infrastructure originating from within China.

In 2012, David E. Sanger, a reporter with The New York Times, confirmed in a news story and subsequent book that the National Security Agency (NSA), working with Israel’s Unit 8200, had developed the Stuxnet worm and President Obama had, from his first months in office, secretly ordered increasingly sophisticated attacks on the computer systems of Iran.

One year later, following a reported hacking attack that targeted Sony Studios, FBI Director James Comey went on record at a cyber conference in New York to state that the U.S. “could see that the Internet protocol (IP) addresses that were being used to post and to send the e-mails (to Sony executives) were coming from IPs that were exclusively used by the North Koreans.” The New York Times went further, citing claims that the NSA had hacked North Korean computers as early as 2010, infecting them with malware that allowed the U.S. to monitor their cyber operations.

The byproduct of such disclosures, and the lack of denial on the part of the U.S., could be construed not only as an acknowledgement that the U.S. engaged in an offensive cyberattack against a sovereign nation, but also as a signal that it deems it acceptable for one nation to surreptitiously infiltrate the computer systems of another, even when all parties are in a state of peace.

More importantly, the disclosure may suggest that, at least from the point of view of the executive branch, the U.S. may launch such attacks with only the approval of the president and without the requirement of informing Congress. The War Powers Resolution, passed by Congress in 1973, never considered battles waged in cyberspace.

Fast-forward to November of 2016 as the ramifications of U.S. actions in cyberspace start to come home to roost. According to a recent investigation conducted by the Wall Street Journal, more than 60 nations are currently developing or have developed cyber tools for espionage and cyberattack. According to the U.S. Government Accounting Office, cyberattacks targeting 24 U.S. federal agencies increased 1,300 percent from 2006 to 2015 to total more than 77,000 attacks during the 2015 fiscal year alone. Of those detected intrusions, nearly 25 percent were attempts to insert malware into government computers or denial-of-service attacks.

The rules of engagement of state cyberwarfare have, perhaps unwittingly, been defined through disclosure of U.S. complicity in cyberwarfare activity. Those disclosures make it difficult for the U.S. to espouse a moral high ground when it comes to chastising other nations engaging in cyberespionage and cyberwarfare, or perhaps even in asserting a leadership role in any effort to enact global limitations on nation-state cyber intrusion.