Myths make for good campfire stories. Over time, the legend grows in direct proportion to the size and scope of the perceived escapades. Pretty soon, Billy the Kid has taken on the entire Union Army by himself without nary a scratch.
Except history tells us differently about these cowboys. But never let facts get in the way of a good story, especially with Russia and China.
It’s not that Russia and China are that good on offense. It’s just we’re that bad on defense. One of the main reasons is because 77 percent of global business leaders admitted they don’t have a formal cybersecurity incident response plan, even though 65 percent of the same group said the “severity of cyberattacks is increasing”.
{mosads}It doesn’t exactly instill confidence as a consumer to know only one out of four are planning for the inevitable. Everyone gets hacked. Everyone. I sat in a briefing about two years ago given by John Carlin, at that time the assistant attorney general for National Security at the Department of Justice. Every one of the Fortune 500 has been breached. Every one.
The myth of powerful Russian and Chinese elite hackers plays out in stories like “‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer.” Or “How Chinese Hackers Became a Major Threat to the U.S.”. Putting Iran into the mix only adds to the mystique with a story like “Iranian Cyber Attack on New York Dam Shows Future of War”.
Are Russia and China that much better at offensive cyber operations than the United States? No; we still have superiority in the fifth domain. For now. But that doesn’t mean we can stop all attacks, especially against our energy grid and other critical infrastructure.
The loss of the NSA cyber weapons ended up in at least one attack by North Korea when they launched the devastating WannaCry ransomware campaign. Thanks to the 77 percent of companies without an incident response plan, hospitals and other vital institutions were severely damaged by the malware.
Quite frankly, Russia and China aren’t as good as you might think. But it doesn’t matter when they continue to penetrate government and private sector networks at will.
One reason is the construct of the intelligence apparatus. We don’t play by the same rules. And we don’t have the same level of transparency.
When is the last time your heard the National People’s Congress in China hold hearing on intelligence abuses committed by Unit 61398 of the People’s Liberation Army?
Is anyone holding their breath for Vladimir Putin and the Federal Assembly of the Russian Federation to subpoena witnesses to testify about the involvement of the GRU in the 2016 elections?
We hear about our failures on a routine basis, which are Russian and Chinese success stories. We hold hearings about the breaches in government, like the Office of Personnel Management and 21 million records stolen by the Chinese.
Or the Equifax debacle, State Department, and White House. The list goes on and on. We rarely hear about our success stories. Even though they exist in the shadows, they are not as visible as our failures.
Another reason for the false perception we’re not as good is freedom of the press. Reporters Without Borders published the 2017 World Freedom Press Index. The United States ranked 43rd, Russia 148th and China 176th. It’s not a level playing field for transparency and accountability.
Try searching online in China for Tiananmen Square. What does exist has been construed to lionize the soldiers and demonize the protestors. In Russia, critics of Vladimir Putin have died in “violent or suspicious ways”.
The ability to control the internal narrative is the chief weapon of Russia and China. And it feeds into the growing myth of the Russian and Chinese “super powers” when it comes to hacking our systems.
It’s a false narrative that is nurtured by the failures of business and government in protecting our personally identifiable information, our financial data and now our social media profiles.
In reality, most of the major breaches were not a sophisticated operation. They simply exploited human weakness, design weakness, policy failures and unpatched software. It’s not rocket science.
Getting serious about defense is the most viable option to protecting our national security, critical infrastructure and economy. With one-in-four businesses without a plan, there’s no better place to start.
In 98 AD, the Roman senator and historian Tacitus noted “This is an unfair thing about war: victory is claimed by all, failure to one alone.” It later morphed into “Success has many fathers, but failure is an orphan.”
It’s not that Russia and China are successful. We’re just failing with lots of company.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He’s currently a Senior Fellow at the Center for Digital Government. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.