What Are the Rules of Cyberwarfare?

We are now well into the era of cyberwarfare—the use of computers and computer networks in military, terrorist, and diplomatic conflicts.  But to judge by the recent tiff between President Obama and Russian President Vladimir Putin, neither the U. S. nor Russia has figured out exactly how to use these new weapons, or how to defend against them effectively.

Last July, Wikileaks unleashed a flood of embarrassing emails hacked from the Democratic National Committee, leading to the resignation of that organization's chairwoman Debbie Wassermann Schultz and undoubtedly influencing the Presidential selection process, though to what degree it is impossible to say.  In December, the CIA announced that they were confident that Russian hackers were responsible for stealing the emails and giving them to Wikileaks.  And on Dec. 23, President Obama announced that he was retaliating for the hacks by sending home 35 Russian diplomats and taking other actions against the Russian diplomatic corps in the U. S.  After initial talk by Russian officials of retaliation against the retaliation, Russian President Vladimir Putin surprised many by saying he would suspend any actions against U. S. diplomats in Russia, at least until the Trump administration takes office. 

Retaliation against diplomats has been around ever since there have been diplomats.  Over the decades, countries have developed traditional ways of treating official representatives from foreign lands with policies such as diplomatic immunity from routine prosecution, the suspension of normal customs inspection for diplomatic materials, special diplomatic zones around embassies, and other perks.  But one reason for all these special privileges is that they can be revoked at any time. 

This writer is old enough to recall some of the many times that the old Soviet Union (USSR) engaged in these kinds of games with the U. S. on any pretext or sometimes no pretext at all.  It was all part of the Cold War chess game, and watched closely for indications that the Soviets might be wanting to warm up the war a little.  Everyone agrees that sending a diplomat packing is a lot better than throwing bombs, so while tensions are raised by such incidents, it's usually a sign that serious conflicts are not in the immediate offing.

Still, there are a couple of notable and disturbing aspects of the DNC hacks and their consequences.  One concerns the identity of the hackers, and the other concerns what constitutes a truly effective response to such attacks.

It took nearly six months for the CIA to be confident enough to announce publicly that Russians were in fact responsible.  In that aspect, hacking and other hard-to-trace cyberattacks resemble terrorism, in that the identity of the terrorists responsible for a given attack is usually not immediately known, and may not ever be discovered.  Although good detective and investigative work often uncovers the perpetrators eventually, the delay between the attack and the discovery of who did it allows for uncertainty to dominate the situation, leading to general confusion, controversy, and other problems that are usually exactly what the attacker wants to achieve in the enemy camp.  It's possible that the CIA made its announcement when it did not because it took all that long to figure out who did it, but for other diplomatic or political reasons.  Still, it's hard to fight back against an enemy if you don't know who he is.

Identifying the source of a cyberattack is only the first step in an effective response.  As in conventional warfare, one doesn't want to overreact, but on the other hand, just letting an enemy get away with anything isn't good either.  An important factor in these not-yet-open-warfare conflicts is how the public perceives them.  Both the U. S. and the Russian presidents do everything with an eye to their constituents, so things done in secret which have secret effects are not that useful.  Instead of using the hacked emails for their own purposes, whoever hacked them (probably the Russians) gave them maximum publicity, and to the extent that the DNC was hampered in its operations, the attack was a success. 

What's new and disturbing about this particular incident is that it represents a significant intrusion into the domestic electoral process by a foreign power which overtly favored a particular candidate—one who will take office on Jan. 20, barring unforeseen circumstances.  What makes the situation worse is that the President-elect does not seem to be all that troubled about it.  Four years in office is a long time, though, and it's likely that Trump and Putin will at some point fail to agree on something, after which it's anyone's guess what will happen.

Part of what makes it so hard to defend against cyberattacks is the global nature of the Internet environment—Moscow or Paris or Adelaide is just as close to my Internet connection as the neighbor down the street.  Traditional military defenses were geographically fixed and you could draw contours of safety within them—here, you have to be concerned about ground attacks, there you are subject to air bombings, and way back behind the front lines, there was almost nothing to worry about.  But cyberattacks can go anywhere there's an Internet connection, and the targets are often only as well-defended as the private organizations and their IT people can make them.  As we know, these defenses range from the almost impregnable to the nearly nonexistent, and so many attractive cyber-targets are almost defenseless against a concerted attack by well-resourced agents of a foreign power.

It's not clear that the best defense is a good offense either, especially when it's not immediately clear who is doing the attacking.  And when many thefts of data are not discovered until months or years after the damage is done, it's even harder to mount an effective response.

It looks like international cyberwarfare will muddle along in this confused state unless and until such a major attack occurs that we get serious about some sort of national defense policy against foreign cyberwarfare.  There are serious concerns being voiced these days about the hacking of power grids and other vital infrastructure systems such as air-traffic control and the domestic Internet itself.  Our best defense for these systems right now is that nobody has a strong reason to attack them, but that could change at any time.  And if it does, I just hope we're ready for what comes afterwards.

Sources:  I referred to a report on President Obama's retaliatory actions against Russia carried by CNN on Dec. 29 at http://www.cnn.com/2016/12/29/politics/russia-sanctions-announced-by-white-house/, and also a report on Putin's non-response at https://www.washingtonpost.com/world/russia-plans-retaliation-and-serious-discomfortoverus-hacking-sanctions/2016/12/30/4efd3650-ce12-11e6-85cd-e66532e35a44_story.html.

Hacked At The Polls

Last month we learned that computer systems used by both the U. S. Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) were hacked into, possibly by Russia.  The initial news reports were confirmed by the FBI, which is investigating the breaches.  While no actual damage appears to have been done—yet—it is not clear what the hackers might have learned, and what they might do with the information.  At a minimum, it is a chilling reminder that foreign powers can now remotely meddle with systems vital to our democratic process:  a political party's internal analytical tools, not to mention electronic voting machines themselves.

A recent article on the Politico website enlarges on the latter possibility:  that hackers, either foreign or domestic, could diddle with electronic voting machines and the associated systems enough to throw an election.  Some computer scientists at Princeton have made a career out of showing how various brands of electronic voting machines can be hacked using simple methods that are accessible to clever teenagers.  Usually, the hacks require physical access to the machines for a time, but if polling-place workers are not quite vigilant enough, one can imagine this happening.  And then anything can happen, from blatant count manipulation to subtle effects that would be hard to catch in an audit.  The most vulnerable machines appear to be the touchscreen types that produce no paper audit trail.  Many states and counties have recognized this vulnerability and have switched to optically-scanned paper ballots which automatically produce a paper trail, but even these systems can be hacked into at the count-totalling level where laptops and computer networks are used to add up the results.  But there are still a lot of old vulnerable touchscreen systems in use.

The Politico article decries the inconsistent patchwork nature of our voting technology in the U. S., but fails to note that this can also be regarded as a strength.  For offshore hackers to arrange a major hijack of a national election and be fairly sure it would work, they would have to target up-for-grabs states (several of them), get detailed information on the wide variety of systems being used, and devise sub-hacks for each one.  While this kind of operation could be carried out, it's hard to see how, unless the foreign power had spies on the ground in the various states to provide information that would not be available any other way.  Nevertheless, huge elections can come down to a few critical votes in a few critical states, or even one, as the "hanging-chad" adventures of the Florida vote count of 2000 proved, leaving the whole nation in suspense for weeks and making the U. S. Supreme Court an unwilling participant in the election as well. 

While I normally eschew discussions of politics in this blog, I will limit my comments on the current Presidential contest to a phrase I heard from someone whose position prevented him from venting a more frank opinion about the candidates:  "It's a pity." 

Pitiful or not, national electons are a vital part of the way the U. S. government is made beholden to the people, and it is in the interest of every citizen to see that the process is as fair and transparent as possible.  If a foreign country manages to put its thumb on the scales, so to speak, it would betray the election's whole purpose and be tantamount to invasion by a foreign power.  For the same reason, contributions to domestic political campaigns by foreign entities are generally prohibited by law.

Voting in elections is an odd mix of the highly traditional and the cutting-edge high-tech.  Most applications of engineering have fairly clearcut goals:  build a bridge here to carry so much traffic and cost this much and take that long to build, for instance.  But in voting, it's not always clear what problems engineers are being called upon to solve. 

Some readers may know that Thomas Edison's first patent was for an electric vote recorder that received votes made by pushing buttons, and printed out a paper tally of the results.  He patented it in 1869 and a colleague tried to get the U. S. Congress to adopt it.  But getting through a roll-call vote faster by machine was not something that the committee evaluating the machine wanted to do.  As the committee chairman reportedly said, "If there is any invention on earth that we don't want down here, that is it."  It wasn't until the 1880s that any kind of voting machine was used in the U. S. in a general election, and legislatures were among the last entities to adopt them for their own voting process.  So even the great inventive genius himself misjudged what highly political organizations really want in the way of automated voting.

Increasingly today, politics is about power.  Power has always been a factor, but as other cultural forces—tradition, religion, courtesy, even fairness—wane in influence, the vacuum tends to be filled by the raw lust for power.  So it is understandable that regimes and individuals who see power as the mainspring and goal of politics will stop at nothing to attain their aims.  Just as our military has to exercise constant vigilance to keep armed threats at bay, we now have to defend the integrity of our elections from foreign interference, which is a new thing to a lot of local officials whose worst concern used to be finding enough volunteers to man the polls. 

One of the best ideas for safeguarding election integrity was proposed by a Princeton cybersecurity expert quoted in the Politico article.  If each lowly precinct simply posts its results in real time, on paper (and I would add, on the Internet too), allowing independent vote-checking agencies to compile vote totals, this step essentially eliminates any chance of an outside entity hacking into the vote-totaling systems, because the multiple independent tallies would agree and call into question the "official" total.  To some extent, news agencies already do this, but the exact data paths by which they obtain their vote totals is not obvious to the viewer, and making it so would both raise their credibility and help ensure the integrity of the whole system.

Casting a meaningful ballot is one of the most important privileges of living in a democratic society.  It is up to engineers and programmers to make sure that the voting systems this fall will allow every qualified citizen to do that.  But it is up to the citizens to use that power wisely.

Sources:  I thank my wife for drawing my attention to the Politico article, "How to Hack an Election in 7 Minutes" by Ben Wofford, published online on Aug. 5, 2016 at http://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144.  I also referred to a July 30 NBC News article about the hacking of the Democratic Party systems at http://www.nbcnews.com/news/us-news/clinton-campaign-computer-system-was-hacked-report-n620051.  Details of Edison's first patented invention, the vote recorder that nobody wanted, can be found at http://www.techtimes.com/articles/132791/20160211/thomas-edisons-first-patented-invention-could-have-drastically-changed-u-s-history.htm.