Recently, when he was asked about Russian interference in America’s elections, the Secretary of State of the United States said: “if it’s their intention to interfere, they’re going to find ways to do that.” (Fox News interview, Bogota, Colombia, February 26, 2018).
That sounded very defeatist to some people, like the US is giving up, essentially admitting that the mighty United States of America is powerless to prevent digitally-enabled and internet-enhanced election meddling by a foreign power. Unfortunately, there is one very important sense in which Secretary Tillerson is right.
Words very similar to those of Mr. Tillerson have been spoken before. I have heard them uttered at numerous information security conferences stretching back dozens of years, often in this form:
“If the bad guys want to get in, they will.”
In this context, “get in” means gain unauthorized access to, and/or manipulate, someone else’s systems for your own purposes. Such statements are a way of expressing one of the ground truths of cybersecurity: there is no such thing as “100% secure”.
The reality that there is no foolproof security for digital systems has several important implications; here are two of them:
1. It doesn’t mean that we can’t raise the cost of exploiting that reality; for example, by making sure that we have implemented fundamental security controls. When properly implemented, these controls make it more expensive for determined adversaries to abuse our systems. We call that cybersecurity. (Hint: so far, as a nation, we are not doing so great at cybersecurity.)
2. It does mean that we need to persuade people that abusing our systems is a bad idea; for example, by demonstrating that we can catch them doing it and bring down swift justice upon them. We call that cybercrime deterrence. (Hint: so far, as a nation, we are not doing so great at cybercrime deterrence.)
Given some of Secretary Tillerson’s other comments about Russian interference in US elections, I want to focus on implication #2 (for the most part, implication #1 is well understood by security professionals, and there is plenty of scope for raising the cost of attacks to attackers far above what it is today).
With respect to implication #2, in that same interview, Mr. Tillerson had a message for Russia about deterrence: “I think it’s important we just continue to say to Russia, ‘Look…you need to stop. If you don’t, you’re going to just continue to invite consequences for yourself.’”
I’m probably not the only person who, upon hearing that remark, blurted out “What consequences?” After all, the current US administration has sought to roll back past consequences — sanctions imposed by the previous administration — and slow pedal on new sanctions that have overwhelming bipartisan support in the current congress.
That go slow approach to deterrence was defended in late January by Tillerson’s State Department, which declared: “sanctions on specific entities or individuals will not need to be imposed because the legislation [that provides for the new sanctions] is, in fact, serving as a deterrent” (Reuters). Yet, just eight days after that statement was issued, Tillerson confirmed, in his Fox News interview, that the US is currently seeing Russian interference in US elections (Bogota interview transcript).
Is that a straight up admission that what America has done so far to deter this particular type of cybercrime has not worked? That’s how I read it, and the facts on the ground show that to be the case, whether the Secretary of State admitted it or not.
So, I think it’s fair to say we are getting mixed messages: There’s no such thing as 100% security; we need deterrence; we’ve been trying deterrence; the current level of deterrence is working, or not.
And there was another right/wrong mashup in the same Tillerson interview. When the Secretary of State confirmed that the Russian election meddling is continuing in 2018, his interviewer, Rich Edson, asked if the US is better prepared this time around than 2016. The response was: “Well, I don’t know that I would say we’re better prepared because the Russians will adapt as well.”
Let me break that down:
- Information system security is an arms race in which new defensive measures result in new forms of attack: he’s right. (It was ever thus and will always be so, until we have negotiated the necessary cyber-arms treaties.)
- Because of this arms race we cannot stop the Russian interference: he’s wrong. (We can do a lot better than we have been doing, at both cybersecurity and cybercrime deterrence.)
- We are no better prepared than we were last year: he’s wrong. (Apart from the sterling efforts of a whole bunch of under-appreciated government employees and contractors who have been working diligently to tighten the security of government systems, we now have, thanks to the events of 2016 and 2017, a huge volunteer army of eagle-eyed watchers and researchers; they are alert to meddling and ready to track down meddlers.)
Hopefully, this analysis will help some folks to better understand a situation that is both complex and contrary. Cybersecurity is hard, a journey not a destination. In some ways it is a war without end, at least until we humans call a halt to cyberconflict and figure out how to deter all who are tempted to break the law in cyberspace. And right there you can see that mixed messages are par for the course: I go to work every day to solve a problem that some will say is unsolvable, but I still have hope that good will prevail.
That is why, when I heard Secretary of State Tillerson’s apparently contradictory statements, I decided not to dismiss them out of hand (and leave the casting of stones to those who have has never contradicted themselves in an interview). For me, it was better to use these widely reported remarks to raise awareness of the thorny issues that we face, and encourage our leaders to boost this country’s efforts at cybersecurity and cybercrime deterrence. One thing is certain: we can do way better than we have so far.