A Cyber Year In Review: 2013

Another year past, another year full of cyber news.  I’ve been writing for roughly 2 years now, and in that time, there has been an explosion of cyber-related news stories.  I don’t know whether the news media is paying closer attention or whether there is more to report on (or both).  Regardless, it’s been a big year.

I’ve assembled what I feel to be the most significant cyber stories of 2012, broken down into categories.  Of course, these are just the highlights, so I’ve left off a large number of quite noteworthy news stories.  If you’re interested in some particular topic, I’d recommend using our categories feature to hunt down old blog posts.  Hopefully this list is useful, perhaps as a research tool, perhaps as just something to review in your free time.  If you’re interested, here’s 2011’s A Year in Review.

Reviewing my list, here’s my thoughts on 2012 and what we may see in 2013:

• China continued its campaign of pervasive cyberexploitation.  When I started writing for this blog in 2011, I was just shocked with the brazen way in which Chinese hacker’s vacuumed up IP.  They literally worked a 9-5 breaking into foreign computer systems and stealing everything they could find.  In my poor attempt attempt at a 2012 prediction post, I predicted that the highest levels of the USG would do something about it; maybe President Obama would get on national t.v. and demand the Chinese stop.  Well, that was naive, and nothing came from President Obama, but there was some response.  I noticed a perceptible change in lawmaker’s and commentator’s comments wherein they began publicly criticizing China.  SecDef Panetta and Secretary of State Clinton raised the cyberexploitation issue with Chinese leadership.  The Chinese played it off, of course, but it was still notable that both officials brought it up.  Then the whole Huawei/ZTE fiasco.  Then the news that the DOJ will go after foreign hackers.  My point is that officials within the USG are taking steps–albeit very measured steps–to let the Chinese know we’re sick of their game.  Diplomacy matters, so I doubt we’ll ever see a strongly worded rebuke from the highest levels of the USG.   And I doubt the Chinese really care about any of this anyways (don’t forget, they’re victims of cyberespionage too!).  But I’m at least mildly encouraged that the USG is taking some sort of action.  They’d better, because . . .

• The private sector is beginning to fight back.  In my mind, 2012 was the year in which hackback/private sector active defense/reprisal/cyber vigilantism/counterstriking fully entered the public discourse.  Just take a look below at all the stories on hackback.  Look at the ferocious debate it has started.  I’m interested to see if the USG will do anything about it: whether to enable the practice under extremely limited circumstances or explicitly outlaw it (say what you will, there’s still a sliver of uncertainty whether it’s legal under the CFAA and whether it’s legal notwithstanding the CFAA).  In any event, three things are clear to me: (1) there are companies currently engaged in hackback; (2) unregulated hackback is dangerous; and (3) hackback will remain on the legal/policy discussion plate well into 2013 and beyond.

• The military continued its takeover of cyberspace.  Yeah yeah, I know, the military doesn’t have the legal authority to defend domestic computer systems.  But just take a look at some of those stories below under the military and US Law/Policy headings.  A number of commentators feel that the U.S. military is creeping into domestic systems.  The NSA wanted to monitor domestic networks.  Is this good?  Bad?  Depends on who you ask.  I tend to like it because we’re immediately placing cybersecurity responsibility in the most capable hands during our hour of greatest need.  There’s a perception that civil liberties may suffer, but truth be told, I’d rather trust some Airmen who could care less about my browsing habits than the FBI/DHS/law enforcement community.  Anyways, $10 says CyberComm goes full Combatant Command status in 2013.

• Our elected officials failed to address cybersecurity.  I predicted–again naively–that Congress would pass cybersecurity legislation in 2012.  There was a lot of positive talk in December of 2011, and it seemed everyone agreed on the magnitude of the threat and the need for action.  Unfortunately, the rancorous debate over cybersecurity legislation stopped nearly everything in its tracks, and the best we could get was House passage of CISPA.  The sticking point was mostly over whether cybersecurity standards should be voluntary or mandatory.  A few news sources have reported that cybersecurity legislation will be back in 2013, but I’m not holding my breath.

• The failure of ACTA/PIPA/SOPA demonstrated that the Internet has a voice.  Remember Internet blackout day?  The day when a number of popular websites went offline in a coordinated protest against SOPA/PIPA?  That day proved that the denizens of our beloved internet have power.  SOPA/PIPA went down shortly after that day.  I remember reading that a number of lawmakers were nervous about touched cybersecurity legislation precisely because of the reaction against ACTA/PIPA/SOPA.  Any future cyber legislation (and probably cybersecurity legislation) will have to contend with a mobilized internet citizenry.

• The revelation (in that Sanger NYT article) that the US was behind Stuxnet was big.  I mean, not that big . . . pretty much everyone suspected the US was behind Stuxnet.  But Sanger’s article touched off a huge debate over whether the Stuxnet/Olympic Games reveal would hurt US strategic interests.  I didn’t think it really changed anything, but a number of commentators thought we crossed the Rubicon when Stuxnet was attributed back to us.  Then the news that the US was also (probably) behind Flame and mini-Flame followed.  I don’t know the implications of all this, but it’s going to make for an interesting 2013.

I’m not going to make a prediction post again, because I’ll probably embarrass myself.  Dan Lohrmann had an extremely useful blog post for Government Technology which surveyed all of the blogs/news sites/reports for their cybersecurity predictions.  Here’s Symantec’s 2013 predictions, via Lohrmann’s post:

–          “Cyber conflict becomes the norm – In 2013 and beyond, conflicts between nations, organizations, and individuals will play a key role in the cyber world….

–          Ransomware is the new scareware – As fake antivirus begins to fade as a criminal enterprise, a new and harsher model will continue to emerge. Enter ransomware….

–          Madware adds to the insanity – Mobile adware, or “madware,” is a nuisance that disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals….

–          Monetization of social networks introduces new dangers – …Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks…

–          As users shift to mobile and cloud, so will attackers – Attackers will go where users go, and this continues to be to mobile devices and the cloud….”

See below for noteworthy stories of 2012:

China

• A Richard Clarke WSJ editorial on how China is stealing our secrets in “the greatest transfer of wealth in history.”
• China and the US engage in cyber war games, the PLA sees the US as a target and in decline. 

• Mike McConnel, Chertoff, and William Lynn write that China’s cyber thievery is National Policy-and must be challenged.

• The Chinese hacked into a unclassified White House network.

• After drubbing them for a few weeks, the House Intel Committee released its report on Huawei/ZTE . . . the results were not favorable to Huawei/ZTE. 

U.S. Law & Policy

• A draft version of the Obama administration Cyber EO, which has been criticized.
• Wonderful article about what is the role of lawyers in cyberwarfare . . . “lawyers don’t win wars . . . military lawyers are tying themselves into knots trying to articulate when a cyberattack can be classed as an armed attack.  . . .” 
• Nakashima reports on cyber ROEs, say cyberattacks on foreign computer systems need presidential approval
• Justice Department announces that it will train prosecutors to combat cyber espionage

• President Obama signed a secret directive allowing the military to act more aggressively to thwart cyberattacks in domestic systems.

• Is the US militarizing cyberspace?

• Nakashima WashPo article on when a cyberattack is an act of war

• Gen. Alexander provided insight on where responsibilities for cybersecurity lie throughout the federal government,   with video. 
• David Koh says LOAC applies in cyberspace

• The NSA really, really wanted to monitor private networks.

Legislation

• House passes CISPA
• SOPA/PIPA shelved
• Internet censorship day saw a number of popular websites go offline in protest of SOPA/PIPA, with excellent results.

•  Secure IT

• The Cybersecurity Act of 2012 (i.e. the Lieberma-Collins bill). 

Malware

• Here’s the bombshell NYT Sanger article establishing that the US was behind Stuxnet/Olympic Games. Also, fallout over the Stuxnet leak, and whether it makes US more vulnerable
• Meet Flame
• US sees Iran behind Shamoon, other cyber attacks

• Meet miniFlame

• US likely behind Flame

Technology

• US accelerating cyberweapon research

• Is War in the Sixth Domain the End of Clausewitz?
• Hacking the Human Brain

• Penetrating Sealed Networks

Military

• US Army/Marine Corps wants to allow front line troops to request offensive cyber support
• Military rapidly improving attribution
• Nakashima reports on cyber ROEs, say cyberattacks on foreign computer systems need presidential approval.
• Pentagon moved to fast-track cyberweapons acquisitions
• James Lewis on DoD taking over American cybersecurity

• Sec Def Panetta speech suggesting US has solved attribution, laying down when we will respond

• David Koh says LOAC applies in cyberspace
• Nakashima reports on cyber ROEs, say cyberattacks on foreign computer systems need presidential approval
• Is the US militarizing cyberspace?

• Nakashima WashPo article on when a cyberattack is an act of war

• Gen. Alexander provided insight on where responsibilities for cybersecurity lie throughout the federal government,   with video. 

International Law

• Tallinn Manual released 
• WCIT  came and went. 
• Sean Watts speech at ABA conference concerning international law & cyber.

• Nakashima WashPo article on when a cyberattack is an act of war

• David Koh says LOAC applies in cyberspace
• ACTA

Anon

• Sabu sells his soul

   

• For the Lulz: Great Wired article breaking down Anonymous

Hackback

• Hacked companies are fighting back…

• Going on the offensive against cyberattacks-WashPo

• Rep. Mike Rogers says cool it with private sector offensive cyber ops.

• Persuasive blog post arguing against hackback

• LA Times article on hackback, Crowdstrike

• Active Defense has high risk

• Steven Chabinsky (CrowdStrike) speaks at ABA conference.

• Hackback Debate (Volokh Conspiracy)
• Stewart Baker on rethinking cybersecurity, retribution, and the role of the private sector
• WashPo: cybersecurity should be more active
• How America’s biggest corporations became cyber vigilantes

Conferences/speakers

• Gen. Michael Hayden came to the Cuse to speak at SATSA’s national security conference.

• SecDef Panetta’s 12/18 speech to the National Press Club.
• Sean Watts speech at ABA conference concerning international law & cyber.
• Steven Chabinsky (CrowdStrike) speaks at ABA conference. 

Cyberespionage

• DOJ Plans to prosecute state-sponsored cyberespionage

• Law firms are particularly vulnerable to cyberattacks. 

Iran

• Iran creating domestic internet
• Major strikes against U.S. banks, likely by Iran