For nearly 70 years, the NATO treaty has stood the test of time. Elegant in its simplicity, this two-page treaty has established the principle, and defined the terms, of collective defense. An attack against one ally constitutes an attack against all 28 member nations.
As one might expect of a document written in 1949, there are references to armed attacks on territories, troops, ships and planes. Not surprisingly, the word “cyber” appears nowhere. To try to address this gap, NATO Secretary General Jens Stoltenberg in June stated that a cyber attack could, in fact, be interpreted as an “armed attack” under the treaty. Left unstated is how significant or disabling that cyber attack must be before Article 5 would be triggered.
This uncertainty captures the challenge of relying on systems and protocols constructed decades ago to confront dynamic new threats like cyber.
When it comes to national security, change too often comes in the wake of tragic events that defy accepted paradigms. The most recent was September 11th, which caught political and military leaders by surprise.
With senior defense officials raising alarms about the potential for a “Cyber 9/11” or a “Cyber Pearl Harbor,” however, there is an opportunity to take decisive action now on the issue that is among the most critical to America’s physical and economic security. As President-elect Donald Trump assembles his national security team, the new administration and the business community should collaborate to develop a sophisticated, forward-looking cyber policy that is founded on three core principles:
First, understand the scale of the risk.
When most people think about cyber security right now, what comes to mind is the theft of personal data through hacking e-mails or stealing passwords. For the average American, the risk feels more like a nuisance than a threat to our existence.
Respected military officials, however, have asserted that cyber potentially poses a more immediate threat to our collective security than even nuclear weapons.
We must move away from the mindset that the damage caused by cyber attacks will be limited to data and the digital world. Our physical assets, in particular the industrial systems that control our country’s critical infrastructure, are vulnerable as well.
A July study by the University of Cambridge’s Centre for Risk Studies estimated that an attack on the power grid in the northeast could cause up to $1 trillion in damages. And as we move closer to a world of smart cities, driverless cars and a connected everything, the potential for crippling physical attacks only increases. Moreover, unlike other countries, more than 80% of our nation’s critical infrastructure is owned and operated by the private sector. When put in this context, cyber should and must be a critical focus of America’s national security.
Second, think best practices, not new regulations.
In the U.S., we have scores of regulations relating to cyber security and data privacy. The Trump administration can make tangible progress in enhancing our collective cyber resilience without necessarily pressing for additional laws or regulations.
In the interactions my firm, Marsh & McLennan, has with thousands of businesses across the country, executives are no longer under any illusions about the potential severity of the cyber threat to their companies. Accordingly, the goal should be to make “best practices” into “common practices.” The U.S. should be thinking about innovative technologies, enhanced security protocols and incentives that encourage greater collaboration between the public and private sectors.
One example involves the Domain Name System (DNS), which is essentially the telephone book of the internet. When a user types in an internet address, that address needs to be translated into the language of the internet (IP numbers like 10.100.10.10). DNS performs that translation. Hackers, however, have devised methods to misdirect internet traffic intended for one site and divert it to another, malicious site.
Fortunately, there is a relatively simple fix called “DNS filtering” to combat this new vector of attack. By reviewing millions of feeds from public and private sources, data scientists can identify malicious sites that are being used by hackers to launch cyber attacks. “DNS filtering” is equivalent to blacking out those pages, or sites, from the internet phone book.
Particularly for small and medium sized enterprises, this solution can be implemented in a matter of hours by IT staff. Despite its effectiveness and simplicity, however, only a fraction of companies have implemented this solution. For this reason, the Global Cyber Alliance, a public-private partnership led by the New York District Attorney, the City of London Police Commissioner, and the Center for Internet Security, has made global deployment of DNS filtering one of its top priorities.
A second example involves the Internet of Things. The recent Mirai “botnet” attack was a wakeup call about the threat posed by the Internet of Things. Hackers manipulated hundreds of thousands of common consumer devices like security cameras and thermostats to launch an extremely sophisticated attack. The manufacturers of these products distributed these devices to the public with simple default passwords like “12345” or even “password.” As a result, hackers were able to scan the internet for any device with these passwords and then reprogram these devices – at the appointed moment – to flood a target in a massive Distributed Denial of Service attack. If this attack had been directed at critical infrastructure, rather than the service provider for websites like Twitter and Spotify, the consequences would likely have been far more severe.
Once again, there are tangible steps that can be taken to mitigate this new threat. The Internet Engineering Task Force, a community of network designers, operators and researchers, has developed a potential framework for manufacturers to configure their products in a manner that will preclude their being weaponized in this fashion.
To accelerate this effort, government and industry should collaborate to develop a set of best practices for IoT products that would enhance their security and provide consumers with greater confidence in the products they buy.
Third, see the opportunities, not just the challenges.
America has always been adept at following Winston Churchill’s sage comment: “The optimist sees opportunity in every danger; the pessimist sees danger in every opportunity.” World War II led to a manufacturing boom that lifted the country out of the Great Depression. The Soviet threat of the 1960s spurred us to win the space race. Cyber security affords a similar opportunity.
A recent study by CyberSecurity Ventures predicts that the global market for cyber security will grow from $75 billion in 2015 to $170 billion in 2020. All of this investment will lead to the creation of new companies, and therefore, new jobs – especially for our veterans, who often leave our armed forces with unique knowledge and perspective on the digital battle lines of tomorrow. Just as in times past, the United States can take the lead, not just making our country and the world safer, but creating new jobs and opportunity in the process.
Peter J. Beshar is executive vice president and general counsel of Marsh & McLennan Companies.
