Cybersecurity: Setting the Stage

Cybersecurity: Setting the Stage


And that’s a really broad topic. And so, I’m going to narrow it to like, three things and I’m going to work
through. The first is not super interesting, but is super important, which are some basic
definitional and conceptual issues. And this matters because how the news
media tend to talk about cyber security and cyber attacks is different
from how people in academic and policy communities talk about these
issues. So, I’m going to work through what people
like me, social scientists and folks in the policy community mean when we
talk about cyber issues. Second I’ll talk a bit about why this is
on your syllabus as an independent subject. Why is cyber, why are computer networks
different from other kinds of technologies that we care about in
international politics? And last I’ll get into some of the policy
implications of the differences between cyber and other domains and where we are
now. Which is not very far, which makes it
really interesting and exciting for all of us as potential
scholars. And hopefully some of us will end up going
into policy too. So, I’ll start with a quick example,
before turning to the definitions and concepts, which introduces a lot of the reasoning that is really important to
understand regarding cyber security and why it is a different area from other
kinds of technologies. And the one that I’ve chosen is my
personal favorite. I like talking about devices because we
have devices every where that have computers. Your phone is now a computer. And it is connected to the internet with
lots of data flowing all of the time. And as these devices are put all over the
world, they’re put there for convenience. It’s creating some kind of behavior that
makes life easier or better for us. But every time we do that, it’s introducing some kind of new
vulnerability. So, the example I’ve chosen, my personal
favorite because it hits every level, from individual privacy up through
international security. And has a high creepiness factor, is
surveillance cameras. What your looking at is an image of a
hacked surveillance camera at a software company. So, all of the question marks are covering
up the logo for the company, so you can’t identify who’s
security was breached in this instance. And if you take a moment and think, okay, what can I do with a hacked
security camera? And why are security cameras getting
hacked? It starts to get into some of the really
interesting conceptual issues in cyber security. So, the reason we have internet based
surveillance cameras is because you can just take the camera out of a box, plug it
into the wall. And, if there’s WiFi, you create a
surveillance network. Wherever you put a camera, it can
communicate with other cameras and send a video feedback to a control room
somewhere. The old way you used to do this is closed
circuit. You would run wires through walls and have
lots of infrastructure to do security. So what this lets you do is in a really
cheap in terms of labor and capital way, create security for yourself. But you’re also creating insecurity for
yourself at the same time. So if you’re connected to the global
internet, it turns out that there are billions of
people on the global internet. And if they happen to know about software
vulnerabilities in whatever you’re using, they can exploit that and gain access
remotely. And part of the logic I’ll keep coming
back to is, any device, any computer, and any computer network that is intended to
interact with things in the world, is going to have some of these
vulnerabilities built into it. You cannot help the fact that there are
going to be software exploits. And so, this starts to get really
interesting when you think about it in the aggregate. So if I’m a company I would care about
this because what can you see if you’ve looked at my
surveillance camera, I can see people typing in user names and
passwords. I can see intellectual property, I can see
what’s on computer screens. So I know about unannounced software
products or if it’s a hardware company I can see the next generation phone that
they haven’t released yet. You can elevate network privileges after
getting usernames and passwords and having gotten onto that
company’s internal network. If you’re a military, you may care about
other things. In that case, it might be something like
physical security. You can see where all the security
personnel are, you get a sense for the hours of least activity. And that’s important, if you’re defending
a military base. But we use cameras for lots of other
things. One example from the insurgency in Iraq, was insurgents using less than $30
commercial off-the-shelf software to gain access to the video feed from
predator unmanned aerial vehicles. And this actually happened. This is not just a hypothetical of a
security researcher pointing out that you can hack cameras. It was actually using UAVs in theater to
watch insurgents to try to catch people planting IEDs and doing other nefarious
things in a counterinsurgency environment. And the insurgents were able to capture
the feed themselves. So they can see what the U.S. military was
looking at. And so, very quickly you get from what are
the individual privacy implications. You all have web cams on your computers. To the level of a company and what a
company cares about. And now the level of what militaries care
about. And it could actually get worse than just
gaining access for something like intelligence. So there’s actual malware, malware means,
malicious software, software intended to cause harm, found on
the control systems for unmanned aerial vehicles, the ones that
are run out of Nevada. And so, what does this mean? In this case it was probably a benign
event, somebody probably connected something to
the network that they shouldn’t have, and, thankfully they found the software, and
were able to clean it up, and they were able to deal with the malware
incident. But, we don’t know how many of these
exploits exist, and how many adversaries know about. And so the, in the event of a conflict,
you run into a problem where if you end up finding malware on your UAV fleet during
war, what does that mean for you in terms of making risk calculations
about whether or not your enemy can cause your own drones
to crash into your own people, and to fly into a barracks at some forward
operating base. And that’s capturing the kinds of issues
I’ll be talking about today across lots of different sorts of devices just having
started with this example.

Leave a Response

Your email address will not be published. Required fields are marked *