Cybersecurity Isn’t a Border-based Threat, it’s a Viral Threat

WASHINGTON — Much like Moore’s Law has provided a reliable pattern to chart the steady growth of computing capacity and decline in prices, the same precept could apply to the tools of weaponry in the digital age.

So argued Ben Hammersley, an editor at large with Wired UK magazine and the U.K. prime minister’s ambassador to East London Tech City, the main technology hub in the English capital.

In a presentation that touched on the evolving nature of cyber threats here at the Brookings Institution, Hammersley contended that the traditional notion of warfare among nation-states is rapidly becoming obsolete as acts of kinetic aggression are being replaced by online crimes and other disruptions that can be perpetrated by individuals or small groups.

Moreover, high-end technologies that originate in government labs or the military eventually become commodities, a process of democratization that figures to significantly broaden access to tools like drones or biological synthesis applications, just as the code to launch a denial of service attack can easily be downloaded online.

The result of this Moore’s Law progression, Hammersley said, will be a “constant state of asymmetric warfare.”

Cutting by half the price of technologies that can be used for destructive purposes every 12 to 18 months, as Moore’s Law would have it, will demand that policymakers rethink the core principles of national security, which would entail a reassessment of both the likely perpetrators and targets of an attack. A sober assessment of the changing threat landscape would shift some of the national security focus away from acts of war emanating from nation-states toward criminal activity and scammers, Hammersley said.

“And yet we seem to spend an awful lot [more] time thinking about China, for example, turning off the power grid and rolling their tanks …westwards across the Mongolian steppe, than we worry about the mafia stealing blueprints or Nigerian banks phishing for credit cards,” he said. “One of those is very, very present, and very damaging and the other one is an entertaining reason to spend billions of dollars.”

Too often, though, the response from senior government officials is rooted in the traditional military model, recalling the old saying about generals continually fighting the last war while ignoring the strategic implications of new technological advances.

Applied to cybersecurity, Hammersley said, that thinking is “based on entirely the wrong metaphor, entirely the wrong framing. It’s not a border-based threat, it’s a viral threat.”

As a viral issue, the corrective approach should be “epidemiological,” and we should start thinking of “botnets as bird flu,” he argued.

That approach would necessitate an address of the causes of the attacks, rather than confining the focus to hardening defenses and preparing for counterattacks. After all, if the threat is ambient, simply angling to shore up perimeter defenses is a losing strategy.

To a great extent, Hammersley argued, that will require social-justice initiatives that address the underlying challenges of inequality and the sense, embodied in the “Occupy” movement, that the game is rigged against the individual of modest means.

Asked about the emerging profile, to the extent that one can be drawn, of the future cyberattacker, Hammersley identified “the incredibly annoyed middle class white guy.”

“The people I’m most scared of over the next few years will be the computer engineer in the suburbs who can’t pay his mortgage anymore and freaks out,” he said.

“If you’re going to spend your entire time chasing the technological possibilities of something bad happening, you’re missing the point,” he said. “The point is it’s the social causes of those bad things happening that are things that we can fix. That’s what government can do.”

For Hammersley, that encompasses effective oversight of large corporate institutions. He pointed to the recent revelations about Barclays bank having manipulated the Libor, the benchmark interest rate of London’s interbank market, provocatively suggesting that it could be considered the “greatest piece of cyberwarfare ever.”

“It isn’t hyperbole at all I don’t think to say that Barclays fixing the Libor was a form of warfare. Whether it counts as warfare under the Geneva Convention is effectively irrelevant,” he said. “The effect was much the same — they did a thing that made life radically worse for millions of people. And they did it on purpose.”

He added, “Now if that had been done by Iran, say, rather than by Barclays bank, it would have been considered a major act of war.”

In keeping with his thesis about the waning power of the traditional nation-state, defined by a central government and clear territorial borders, Hammersley suggested that countries consider designating ambassadors to sprawling global companies like Google, Facebook and Wal-Mart. After all, for a country with a limited budget for fielding diplomatic missions, does it make more sense to forge a close relationship with the Maldives or ExxonMobil?

“The fact that one is a nation-state and the other one is a multinational corporation is really just a matter of definition,” he said.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.

Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.