How do the Shadow Brokers’ attacks reveal the face of cyberwarfare?

Q&A with Herb Lin, the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution and a senior research scholar at FSI’s Center for International Security and Cooperation.

A few years ago, a cyberattack that shut down Ukraine’s power grid, banks and government services — before spreading throughout Europe — would have devoured the media’s attention for days. But large-scale assaults like June’s Petya/NotPetya ransomware attack have become common since the Shadow Brokers published hacking tools stolen from the U.S. National Security Agency (NSA). What does this mean for cybersecurity and how can we protect ourselves? Herb Lin, a senior research scholar at CISAC, tells us what to expect.

There have been several attacks using the NSA tools published by the Shadow Brokers in recent months. Should we expect that trend to continue?

I hope not. I hope that this leak of NSA tools is the last one, and eventually the utility of what has been leaked will evaporate. If leaks of NSA tools continue, that raises the question of whether the NSA should be developing them. But assuming we can protect them and keep them from being published on the web, then I don’t think we necessarily have to worry about this kind of thing.

But if the question is whether we’re going to see more and more cyberattacks against things like the Ukrainian power grid, the answer is clearly yes. It just will not necessarily be because of leaked NSA tools.

How can we defend ourselves against these types of attacks?

That’s the $64 billion question. There are many things we can do to improve cybersecurity. Many of them are easy. For example, you don’t allow people to use passwords like “password” or “123456.” Turns out that most penetrations happen because people haven’t taken the most basic precautions. If you could only get people to do what we know they should be doing, you could improve our cybersecurity posture a lot. Would you ever eliminate these attacks because of this? No. But you could sure do a whole lot better. The problem is that we don’t do these things because we’d rather have passwords that are easy to use and remember. If you want security, you have to be willing to sacrifice some degree of convenience.

Is the NSA working on defense tools that could combat these sorts of attacks?

I think the answer is we don’t know. There is some evidence that Microsoft knew about some of the problems and in fact published a fix, but people didn’t install the fixes. The NSA is not the party responsible for the fixes — the vendor is responsible for developing the fix, and the user is responsible for installing it. The NSA can’t fix it for the whole world.

Are the types of attacks that we’ve been seeing recently the new face of cyberwarfare, or should we expect things to get worse?

We certainly haven’t seen the range of things that are possible. There’s lots of stuff that could get much, much worse. As an example, up until now, most of the cyberattacks that we’ve experienced have been thefts of information. Your credit card information was compromised, your social security number, your medical records. How about instead of stealing your medical records, I change your blood type or remove an allergy from your medical record? I could insert a record that falsely claimed you had a sexually transmitted disease or change your psychiatrist’s notes. All of these things could be a lot more devastating to you as an individual than just having your records on the street. If I have to choose between the integrity of my medical records and the confidentiality of my medical records, I’ll choose integrity every time. I want to protect confidentiality too, but integrity is more important. We’re moving into a world where threats to integrity have not been particularly significant, but just wait. Things could get a lot worse.