A decade ago, when I was commanding NATO’s troops in Afghanistan, I sometimes felt as if I lived on video teleconferencing -- what the military calls “VTC.” The technology was uncertain, and there were frequent glitches like frozen screens, bad echoes, delayed speech patterns and missing slides. I had many briefings about troop levels and other strategic issues with my boss, Secretary of Defense Bob Gates, that were possible only because of his patience and the troubleshooting ability of my tech teams. But these remote sessions had one positive quality: They were largely secure and run over classified circuits. That’s not the case for much of the world today.
Much like the invisible enemy of coronavirus, cyberthreats can’t be seen until they manifest themselves in the kinetic world. But the triple threat of criminal activity, national security risks and non-state hackers is becoming all too apparent during this pandemic. As more of the world’s basic commerce, communications and governance goes online -- for the most part on unsecured, easily tapped platforms — the cybersphere becomes an increasingly target-rich environment.
Want inside information about a company’s earnings reports before they are issued? Tap into an online board meeting. Looking for an advantage in a manufacturing process? Most company’s engineers are working from home and discussing improvements on unclassified circuits. Feel the need to embarrass a big corporation? Jump into internal conferences via the systems of the human resources department. Most everyone is using highly vulnerable conferencing applications.
Naturally, America’s opponents – in both a criminal and a national security sense — are taking notice. U. intelligence agencies are seeing a significant rise in activity from four nations, none of which should surprise us. The first two are the recurrent bad actors Iran and North Korea. Both have highly capable cyberwar forces, and see the use of the so-called fifth domain as a good equalizer against the superior conventional military of the US. Russia, of course, is always at the forefront of the problem, and fosters a symbiotic relationship with the criminal world. But it is China we should be most concerned about: It has the most to gain from obtaining industrial information that can be used by its government and private sector, and has a well-documented history of doing so.
There are legitimate concerns about one of the most popular platforms, Zoom. It is a very good medium — clear video, good sound quality, and it’s very simple to use. But my longtime colleague General Michael Hayden, former director of both the CIA and National Security Agency, has raised alarms about Zoom’s links to China — including 700 employees based there. The company recently apologized after some calls initiated in North America were routed through China. Little wonder Taiwan has banned the use of Zoom for official communications.
While the company says it has been improving security controls and is responding vigorously to reports of its China links, its product is a prime example of vulnerabilities that could be exploited. Increasingly, companies are working to find more secure platforms that still are relatively intuitive to operate; Microsoft Corp. has used Zoom’s bad press to promote its Teams app. But the bottom line is that no service will be perfect.
It appears likely we are going to have to remain in the world of video teleconferences for months to come, and the coronavirus may lead to a permanent shift toward remote working. For the US, this will require collective action to secure the communications of government, the industrial base, the medical infrastructure, and other key sectors. Having a cocktail with old friends over an unsecured circuit is fine, but for serious use, a higher standard of encryption will be required.
A practical start for a medium-sized business, for example, might be to create a two-level system for information: Much day-to-day work could be allowed on less-secure systems that are easier to use, while highly sensitive dealings would be transmitted on more protected circuits. The government should play a major role in advising on this, and require that companies doing business with federal agencies demonstrate their adherence to high standards of classification, both in cyber generally and on videoconferencing in particular. For the Department of Defense — with its hundreds of thousands of contractors — this can be part of the Cybersecurity Maturity Model certification effort launched earlier this year.
The ubiquity of videoconferencing during this pandemic shows the great advances communications technology has made since I was discussing the Afghanistan war with Bob Gates over a shaky feed. But we must ensure that improvements in cybersecurity keep pace.
(Bloomberg)
