In 2007, the highly digital economy of Estonia was almost overwhelmed by days of sustained cyber assaults. In 2008, cyber warfare played an important role in the fighting between Russia and Georgia. In 2025, what will the cyber battlespace look like? Vanguard invited three leading experts in cyber security to share their thoughts.
After a long career in the military, business and government, Ron Kellison now works with 20q.net, an Ottawa-based artificial intelligence company.
Robert Schein is a senior security consultant with EDS and has extensive experience assisting clients with cyber security challenges.
Following many years with the Canadian Forces, Jim Robbins, president of EWA-Canada, is actively involved in the global cyber security community.
Vanguard: What do recent events tell us about future events? What might we expect in the year 2025?
Robert Schein: Let me start by saying the obvious, we ain’t seen nothin’ yet. To sum it up, in a number of different industries, technology is becoming more and more prevalent – areas like power industries, manufacturing, a lot of critical infrastructure. But what isn’t quite as apparent is a sea change in the way businesses will operate as a result of these technologies. The down side is that it opens up an enormous amount of attack surface. The Geneva Convention protects non-combatants and civilians in the event of warfare that is kinetic in nature but there is absolutely no standard, either formal or informal, that touches upon protection from cyber warfare. So I think we are going to see a dramatic and continuing increase in the incidents that take place and the ways in which these attacks can take place.
There are technologies out there, for example, Automated Metering Infrastructure (AMI), which over the next ten to 15 years will have a strong – perhaps strong is an understatement – impact on the delivery of electricity to individual users. At the same time, it also opens up a degree of risk if someone were to compromise the infrastructure that’s behind AMI, and that is just one example of how things could play out.
Ron Kellison: I think the one thing that will remain unchanged is that 20 years from now, most of the systems that we put into place to deal with advanced threats and sophisticated intrusions will still be vulnerable to zealots, especially if they are well-funded. A determined single individual will still be able to wreak an incredible amount of havoc, no matter what sort of electronic or policy protection is put in place. If I look at Georgia, it was not a sophisticated action. I see no indications that Mumbai was a sophisticated action, except in terms of its original planning. It was still individuals carrying standard ordnance and they had a plan that recognized the lack of tactical planning and response capabilities on the part of local security forces. If we are talking about governments and industry evolving a sophisticated, reliable means of protecting individuals and businesses, I have seen no evidence yet that any government anywhere is capable of doing that, because they are all balancing multiple interests. As a perfect example, we have only to look at the increasing lack of success that our government has had coming up with a way to deal with something as simple as spam.
Jim Robbins: The point that comes out to me is that the younger generation are going to be more technology capable than the older generation. So, in 2025 it will be the younger generation that has grown up with that technology and is familiar with how to use it. Step back to today and I would guess that 70, 80 percent of senior bureaucrats or decision makers have no idea what Facebook is, have no idea about MySpace or Twitter. All of those things and more are being used by the individuals involved in some of these actions. I think we will always find that our government organizations are not capable of acting in an agile manner to keep up with the latest technologies.
And that brings into question a whole series of things about acquisition, about planning, about strategies. They have to rethink what they are dealing with. If we look at the advent of technology over the last decade, and [the types of attacks] that will happen in the next two or three decades, it will again be the younger generation; we are talking about kids in their early twenties who perpetrated some of the activities in Mumbai. The isolated incidents now seem to involve younger kids who are easily influenced by the media. I think you are going to see more of that, in terms of harnessing the younger generation in ways that haven’t been done to date, from a war-fighting point of view. That is a sad state of affairs but I think it is probably a reality we are going to have to come to grips with.
What can we assume about cyber weapons in 2025? Smaller, smarter and more connected by wireless?
Schein: All of the above. Beyond that, I believe that we have essentially two simultaneous trends in computing. They seem like opposites but they coexist. One is towards distributed computing, but not in the normal sense of the word. Everyone is carrying a smart phone or a cell phone that is more powerful and feature filled than ever before. The connectivity between all these devices is also significantly more powerful and that enables a lot more in the way of richer applications. So I believe that constitutes one degree of risk – there is a lot more out there that isn’t tied to a traditional perimeter that can come under attack. Now they are connected via WiFi, via CDMA, via GSM, via Bluetooth and there are going to be more wireless technologies like wireless USB that may come into play later on, as well as mesh networking and wireless networking as local infrastructure for a company or a home. I think we are going to see more of the blurring of perimeter concepts that have already been taking place. That is going to go even further; perimeters will basically cease to exist. What that means for an attacker is an entirely different set of weapons. They are not going to be focused as much on getting past firewalls as they are about evading detection, because the only way to defend against this kind of distributed infrastructure is to have real depth in what you are observing and to have a good consolidation of the data that you are collecting so that you can draw better conclusions.
Current technologies for detecting attacks are a little bit like a person on the second floor of an apartment building observing what looks like it might be a mugging happening across the street, between two people he has never seen before. It looks like a mugging so he calls 911 and describes what he is seeing. He couldn’t hear what was said, and couldn’t see what transpired but it looked bad. In the future, the technology will be more like the person being mugged making the call to 911 themselves, giving a much more detailed and accurate representation of what happened. To draw that analogy out, I think it is like an individual application itself being able to report certain types of attacks.
Kellison: I think we have to put future threats into three categories. The first category is governments. The second would be people who wish to invade the infrastructure for personal gain, for example all those people who live in places like Odessa and St. Petersburg. And third, which will never be the largest but will get most of the attention, will be the people who are taking action for personal reasons, whether religious or political. We’re talking about an environment where traditional military forces will have essentially been displaced for everything except pro forma appearance. I don’t think they will be involved much in actual conflict, because we are talking about an electronic environment in which essentially all of the combatants are wearing civilian clothes and nobody is carrying a visible weapon. One of the results will be a willingness on the part of individuals to cede some of their privacy and rights to the state in return for technological means of protection, for example, biometrics that are not carried on a card, but are embedded and updateable. I think there will be a willing but grudging migration of individual rights in exchange for some perceived modicum of increased individual protection.
Robbins: I think the Wild, Wild West nature of the Internet and the other networks is going to change drastically. We’re going to mature in terms of secure infrastructure. But the targets are going to be more focused, in terms of what they are trying to attack. I don’t think they are going to be attacking the infrastructure; they’re going to be attacking the content. It isn’t about the technology anymore; it’s about how to manipulate information to get the desired results, whether that is for the decision maker or for the young kid who is carrying the gun. That is who the target is going to be. It’s what a friend used to call “viruses of the mind.” They are trying to influence people’s thoughts and the way they act, as opposed to influence the actual computer hardware and software: it is the content that is the target, not the infrastructure and not the technology. You might want to induce fear in someone on a battlefield, for example.
Kellison: Along with states with ownership or influence over brute force technologies, such as that employed against Estonia, I think you will see small groups and individuals claiming ownership of leading edge, bleeding edge technologies primarily in the software realm.
Do we need a digital coast guard to protect the electronic littoral space? Are existing structures like the military and law enforcement protecting nations from cyber attacks?
Schein: As much as I hate to say it, I think the empirical evidence is that they currently are not. I think that the motion toward creating a new branch of service is definitely the right choice, because of the nature of it. You wouldn’t expect the Air Force to focus on the technology needed to operate at sea, for example. It is almost like a race – there bad guys who are politically motivated and that would include terrorism for non-economic reasons, and bad guys who are just background noise. Against the last set, law enforcement is winning. They’re doing just fine. That threat has a limited capacity to grow and the economics aren’t there. When you get to nation state operators or criminal organizations, then it becomes a little more difficult because there are a lot of resources being thrown at the attacks. It is a challenge to catch up on the defence side, because the defender has to defend everything, and the attacker can focus on the weak spots.
Kellison: The one element that never seems to be mentioned in all this is the obligation of individuals and organizations to protect themselves. Most cyber incidents are enabled by the lack of awareness of the victim, by the owner of the bank account or the computer. On the criminal side, law enforcement can catch 95 percent of them and show excellent statistical proof of success. However, there will still be a top five percent in the criminal class that represents a very real threat. The biggest single difficulty to overcome is inertia and budgets, and change happens slowly, especially in large organization. We do not have an agile organization out there with a clear mandate, a decent budget, well trained, well paid and motivated people who do this because they can’t imagine doing anything else and they come in every day because it is satisfying and enjoyable. We probably won’t have an organization like that until after the first major incident. Hopefully, we will respond better than we did after the first bombing of the World Trade Centre.
Robbins: For me, the cyber world is embedded in almost everything we do these days, and to think that we are going to have a dedicated command to deal with cyber sort of baffles me. It is ingrained in everything and I don’t think there is going to be a separate cyber command. In my mind, certainly in Canada, recognizing our defence funding and everything else, I don’t think we are ever going to see a cyber command. If we are going to talk about the kinds of organizations you need – and I am not saying the military doesn’t have a need to develop very good specialists in understanding cyber security and cyber warfare – I think from a national perspective that is not the answer here. Globally, again stepping back several years ago, there was an organization called FIRST, the Forum of Incident Response and Security Teams, and their sole purpose as I understood it was to keep the infrastructure alive and well; they are still out there. Most countries have national computer emergency response teams. Canada is still probably the only G8, and probably G20 country, that doesn’t have a national computer emergency response team. We still don’t help citizens in incidents that involve Canadians.
Schein: There is a different flavour in the United States. The U.S. military cannot operate on U.S. soil, even virtually. It always has to be a law enforcement and homeland security function. But at some point I think there is a role for the military to develop offensive capabilities. I think there is already a joint command in the U.S. to deal with offensive capabilities.
Robbins: But their purpose is not to support the e-commerce activities of the United States, is it?
Robbins: And that is the fundamental problem. I agree with you that there needs to be an organization that understands the strategy and tactics related to using cyberspace to their advantage but at the same time, there must be a national organization to make sure the infrastructure is there for the commerce side.
Kellison: What about the concept of national borders?
Robbins: Do we still have them?
Kellison: The whole issue of borders, of national sovereignty, is one of the traditional yardsticks used by governments to define what they are responsible for protecting. However, if you look at even the current generation of the Internet, or if you look at the next generation, you are essentially talking about cloud computing, which you almost have to think about as a fourth dimension. It doesn’t physically exist anywhere. The boundaries are amorphous and constantly changing. You can get to anywhere from anywhere, by any route, any time. That is a much more complex operating theatre than many of the traditional environments that have been used to define tactics, responses and policies. The cost is coming down, power is going up and most interfaces are now designed so that idiots can use them. In other words, there will be more entry points for incidents that are going to generate news stories. I get very nervous if I try to define the technical and operating environment five years into the future, much less 2025, except to say, we can’t assume it is going to be wonderful. The one thing we should be able to say with certainty is that it is going to be very different. That is all we know right now.
Schein: I think the most important thing that is constantly increasing is not computing power, or transmission speeds, but just data. Data is the real target these days and that, I believe, will continue. One big concern is miniaturization. Devices, especially wireless devices, are getting smaller, so they can be embedded in more and more items in the supply chain. That has enormous benefits for logistics and inventory management, but the devices can magnify the scale of the data management problem.
Robbins: One of the things we have missed is the technology of our western communities compared with the emerging world, especially Asia and the Pacific. They have gone straight to the most recent technologies. In North America and Europe, we are still hamstrung by legacy technologies in terms of how we implement something new. We have to make it backwards compatible. We need a profound effort to recognize the fact that we are lagging. Problems like identity credentials and the use of smart cards have been solved in other parts of the world but not here. In Canada, there is a major problem with identity theft generating more funds for terrorist organizations than the drug trade these days, yet in North America we are still struggling with what is the right technology to use at our borders – should it be RFID or something else? We have certainly adopted very poor credentials for our borders. There are a lot of issues where we in North America are not well placed for what is coming for 2025. As we talk about investing in the context of the economic meltdown, someone needs to look at doing it not just for the next two years, but rather at putting infrastructure in place that will put us in the same position as we should be with the other nations of the world that we are going to be competing with in that time period.
Kellison: Try to tell most North Americans that, from a communications standpoint, they are backwards compared to many parts of Asia and Europe…
What needs to be done now to protect our cyber infrastructure in 2025?
Kellison: We have to be prepared to make a lot of mistakes, admit them and move on. Most platforms I have been involved in developing were two steps forward, and sometimes two or two and a half steps back. It is the only way you make progress. That said, you are dealing with a policy environment, a government environment and a public relations environment that hates to admit mistakes, assumes everything you do is going to be successful and if it isn’t somebody needs to be fired. That is counter-productive.
Schein: I can’t agree more about the need to accept mistakes. There needs to be experimentation along with funding – we need both. In the United States, we’ve gotten away from the investment in basic science and technology, even with the size of the U.S. budget. Unless we have a national focus on basic science around cyberspace, we are going to fall behind Asia Pacific and the Middle East.
Kellison: Something that very seldom gets discussed in all of this, and it’s been troubling me for quite some time, is ethics. For example, I am aware of research that works to better understand mental disabilities and Alzheimer’s. It doesn’t take much of a rocket scientist to figure out that if you have a technology that allows you to determine what is going on in a human brain, and predict what is going to happen next, you also have a tool that can easily be modified to influence what goes on in a human brain. At some point – I hope – you are going to wind up in an ethical discussion as to whether or not the technology should be developed. The discussion around stem cells, for example, has paralysed much of the research that could have been done, presumably with some positive results, because we are afraid of making a mistake. We are afraid we can’t go back and correct something. There are some really interesting technologies out there just beginning to emerge that can be used for good purposes, but you can bet they will also be employed by the very same people we are concerned about now. Does that mean we don’t develop the technologies or fund the research that might enable them?
Robbins: Watch the Chief Technology Officer who has just been appointed in the United States. As that role evolves, there will be a different level of advice than there has ever been before. Most technology advice has come out of the military community or has a security leaning to it, so I think the notion of a Chief Technology Officer reporting to the president of the U.S. is an interesting one. We should think about an equivalent here in Canada.