In recent years, cyber-attacks and hacking have become bywords for the consequences of digitalisation. As governments come to recognise the potential consequences of the movement towards a fully digitalised society, a key question they must ask is what can be done to prevent such attacks. In an effort to gain a better understanding of these issues and their policy implications, it is necessary to step away from the public sector and consult those who are active in this field.
Angela-Gabrielle Palmer spoke to Karsten Nohl, Chief Scientist at Security Research Labs in Berlin, a risk management think tank specialising in emerging IT threats.
TGP: In mid-2016, the German Federal Ministry of Defence released its new White Paper on German Security Policy and the Future of the Bundeswehr, where cyber terrorism was identified as a key challenge. Is the public sector, including the military, prepared to meet these challenges?
Karsten Nohl: At the moment, I don’t think any military is well-equipped to handle such a challenge, in the same way that they are not well-equipped to respond to, say, a nuclear terrorist attack or a biological terrorist attack. Cyber terrorism is just another one of those threats that hasn’t happened yet. All we know is that if somebody was to try, there’s every chance they would be successful and that it would probably be disastrous.
Why terrorists haven’t tried to hack large-scale infrastructure, which would have a huge impact on society, is something I am not clear about. There’s a chance a cyber-attack doesn’t quite meet their requirements for a strong visual effect. At present, it’s the terrorists themselves who are deciding whether we will suffer the effects of a cyber-attack. So far, they’ve decided against using this strategy.
TGP: Do you think that, given that so many aspects of our lives are now digitalised, it’s only a matter of time before anti-state actors realise this would be a very effective way of attacking ordinary citizens?
KN: If I am honest, I am not convinced that the motivation exists on the part of the terrorists. I don’t think someone hacking into your new internet refrigerator has the same nightmare potential as a large-scale terrorist attack. In the security industry, we call this “junk hacking” – just because it’s possible to hack into a device doesn’t necessarily mean that someone is going to do it.
TGP: Since the US presidential election, there has been a lot of discussion about “hacktivism”. Without naming names, some state actors have allegedly accessed and released sensitive materials. Do you think there is much more going on that states need to become better aware of?
KN: We didn’t learn anything really significant about hacking from the US elections. The capabilities of certain state actors were already well-known. It should be assumed that ever since espionage agencies were created that states knew about other states’ secrets. What did change though is that some states, in particular Russia, have broken the unwritten rule of international diplomacy: you can steal information but you don’t make it public.
So, while this may be the first time we’ve seen state hacking played out in the public arena, this doesn’t necessarily mean that other states aren’t sitting on sensitive information. We saw this in 2013, when the details on the NSA’s secret surveillance programs were released and showed that the NSA was monitoring both their allies and their enemies.
There is also the case of the diplomatic papers being released via WikiLeaks. A government wasn’t involved in this case, at least not as publicly or as intensively as what we’ve seen with Russia hacking the DNC, but secrets will continue to be publicly leaked and governments will always be actively engaged in espionage against one another. The main difference we are seeing here is governments stealing sensitive information and putting it into the public domain. This in itself constitutes an effective means of causing strong political reactions from states.
Russia’s activity also demonstrates how vulnerable some states are to these sorts of attacks. That said, it does not necessarily mean they are more exposed than they were in the past. Rather, recent events have given us a new yardstick to measure the magnitude of secret stealing. Governments are often more afraid of sensitive information becoming public in their own states than external actors gaining access to this. On the whole, that’s much more embarrassing.
TGP: How should we deal with attribution issues when it comes to cases such as the hacking of the DNC records?
KN: Attribution on the internet is difficult. There is no such thing as simple attribution, which would mean we could blame a single IP address coming from one state, as the computers and IP addresses can both be hacked or purchased by parties operating in another jurisdiction. Often the methods that state actors use contain certain fingerprints, though. Building a cyber espionage regime takes years and you would need to repurpose tools across a number of different hacks to make that investment worthwhile.
This is how, just as an example, we are aware that the US is hacking other states. We know that the US was involved in an attack a few years ago against Iran, which affected some of their nuclear equipment. These same tools, or at least fragments of these tools, have appeared in other hacks. Similarly, Russia, China and North Korea are employing similar methods. In this way, some attribution is possible, but it’s always after the fact – it’s only after a pattern of hacks has emerged which points to a single nation state. Then we can go back and say for example “wherever these tools were used, it must have been Russia who initiated this attack”.
TGP: How would you advise future policymakers who are interested in these issues, but have only a limited degree of knowledge or experience, to become better versed in them?
KN: Public policy and corporate policy makers are largely missing from current debates on hacking, or if they are present, they are not taking the debate in a constructive direction. What do I mean by this? If you Google anything at all with the word “hacked” next to it, you will find information that shows what has been hacked or could be hacked. If everything has been hacked, we might as well all just go home now because everyone is going to die tomorrow. Clearly this isn’t the case. Instead, technology is hackable, but not all technology is hacked. It wasn’t hacked five years ago when this debate started, or in the five years since. So being scared of hackable technology is missing the point. Actual hacking incidents should drive policy instead.
The main determinator of whether something is hacked is the incentive to do so, as not every technical device shares the same degree of value. The purely technical information has yet to be translated into actionable information. This is where public policy should be in a position to step in, to ensure that systems are unattractive to anyone who is considering hacking and also, if there are any hacking cases, their consequences are bearable to whoever is operating the system.
Just as an example: How much data should a company be able to accumulate and retain in its systems? That is a policy decision. It immediately leads into a question about hacking incentives, as the more data you accumulate, the more liability you take on and the greater the likelihood is that you’ll be hacked. Bringing stakeholders together to better understand these hacking incentives and data liabilities is an area where public policy can take a leading role.
Karsten Nohl works at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specialising in emerging IT threats. He challenges security assumptions in proprietary systems and is fascinated by the security/innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Angela-Gabrielle Palmer is a Second Year Executive Master of Public Administration Candidate at the Hertie School of Governance.