We live in a world exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.
When I talk to students or my interns about careers, one thing I tell them all: they must possess an above average understanding of cyber and technology. Inability to process the meaning and implications of technology on the geopolitical landscape will make it impossible to grasp the future trajectory of global security, inter-state relations, economics, politics and security.
For years, tech oriented analysts warned of quickening convergence between cyberthreats and traditional security threats – be it crime or the convergence of geopolitics, war, diplomacy and cyber warfare. Today, cyber and physical threats are becoming indivisible. Consider the rise of ISIS – which would not have taken shape as quickly or broadly without the internet – and especially social media. The protests of the Arab Spring, which, aided by social media, rose faster and pushed the Middle East further in a shorter time frame than anyone would’ve thought possible. And criminality, from human trafficking to drug smuggling to the most basic of crime: credit card fraud. You are more likely to have someone steal your credit card information virtually (or purchase it from a dark web site), than you are to be mugged on the street.
Cyberwarfare and technology form a major facet of the strategy of state and non-state actors. “Cyber” is nothing more than another tool used by a range of geopolitical and criminal actors to influence an outcome by force. When we discuss North Korea, for example, most reporting highlights developments in its missile program and the threat of traditional war. Much less is said about covert cyberwarfare that has purportedly been aimed at North Korea’s nuclear program for several years now. Even less is said of North Korea’s cyber capability and the attacks it has reportedly carried out against governments and major multi-national companies. Or the country’s purported role in the WannaCry virus that surfaced earlier this year, fashioned out of leaked CIA cybertools. None of this is a secret, but it is repeatedly left out of geopolitical analysis that examines how scenarios between North Korea and the rest of the world might unfold.
We cannot credibly assess future scenarios without taking the cyber capabilities of the actors – state or non-state – into account. Likewise – it is increasingly hard to do the opposite as well. That is, credible cyberthreat analysis cannot be undertaken without consideration of the geopolitical and security aims of the actor. Is the attack part of a broader strategy to attack our country or organization? Is it being carried out by a state or non-state actor? Is there a motive that stretches beyond money? Who are they connected to? And yet, we continue to separate our analysis into the cyber and the non-cyber – almost guaranteeing that we are not appreciating the whole picture.
Ukraine is the most obvious example of how cyberwarfare has become an integrated part of political and conflict strategy. Its become a virtual blueprint for what modern hybrid warfare looks like. It is the future of conflict, but it remains relatively unappreciated outside of a few well-informed circles of the geopolitical and cyber community. The Petya “not Petya” attacks in late June are one of the most recent examples. While ground warfare continues in and near separatist controlled Ukraine, an ongoing disinformation campaign has persisted for years. And critical infrastructure has been hit repeatedly, not by bombs (though that has also happened), but by cyberattacks. The Petya attack – while not spreading as far as WannaCry – impacted trains, airports, banks, electricity and several other types of critical infrastructure simultaneously. To that point – simultaneous attack of several types of critical infrastructure had not been accomplished by a malicious cyber actor, ever. The attack, disguised as an accounting software update, which was then disguised as a ransomware attack was actually created to wipe out hard drives, with no recovery. In addition to taking critical infrastructure of the intended recipient offline; it spread to global business, bringing supply chains and logistics to a grinding halt. Many affected businesses still have not fully recovered and will suffer significant losses from the recovery expense for Q2 this year.
While the probable state actor was identified quickly, given that Ukraine has suffered virtually non-stop cyber attacks for the past four years, it may have taken longer to make this connection had the attack targeted a country or company with a less clear cut adversary, potentially making mitigation and defensive measures harder to implement.
In order for us to improve the way we understand the world we have to better understand those things that may lie outside our expertise or comfort zone. Facebook’s Head of Global Security, Alex Stamos, made a similar point to the cyber community at the 20th Anniversary of Black Hat, an annual conference dedicated to hacking. In Stamos’ words, the hacking community has to become more diverse and inclusive. This is not just for diversity’s sake, but in order to better understand the implications of hacking, who it harms and how it harms them. It is estimated that the world will need around 2 million more cybersecurity experts in the next two years alone. Meanwhile, academics, intelligence professionals, business leaders – and especially governments – need to get much smarter about cyber, rather than dismissing it. Until we do, our analysis will be incomplete.