Live Interview With Edward Stroz, Cyber Security Expert and Former Head of Computer Crime Squad at the FBI

October 25, 2016 4:02 pm

In the wake of last week’s crippling cyberattack on the internet in the U.S., which knocked out access to companies such as Twitter and Spotify, we, like the president of the United States, wanted to know who could carry out such an attack and what could be done to thwart another one.

So we tracked down Edward M. Stroz, a leading expert in cyber security and the former head of the FBI’s Computer Crime Squad in New York City, in the hope of quelling our fears. He was interviewed on RealClearLife’s Facebook Page by Pulitzer Prize–winning journalist and author David Vise.

Read the edited transcription of the interview below:

Good afternoon. I’m David Vise for RealClearLife, and I’m delighted to be here today with Ed Stroz, the executive chairman of Stroz Friedberg, a digital risk management and cyber investigations firm. He’s here to answer some questions about the attack last week that shut down Amazon, Twitter, Spotify, PayPal, and numerous other sites on the web. Talk a little bit first about your background and company.
At this point, as you said, I’m executive chairman of Stroz Friedberg. We started the firm in 2000, and my background before that was in the Federal Bureau of Investigation for a 16-year career. The last four of those 16 years, I formed and supervised the Computer Crime Squad.

You founded the Cyber Crime Unit at the FBI?
In New York, yes, which was the third in the country at the time.

Wow. Tell us about the attack last week. Describe what happened, if you would, in terms that will help us understand why we couldn’t get to Netflix and why it went dark.
Well, you know this is a frustrating kind of attack. First thing to keep in mind is anybody can be attacked through the internet, because it’s an open network that has to communicate from device to device. What happened last week was that one of the key service providers, the backbone of the internet that makes things possible, [a] domain name service provider, was attacked in what is known as a “distributed denial of service” attack. It’s a very long [way] to say that signals were sent to the target’s computers that caused those computers to get clogged up with so many requests coming at them at the same time that they could not process them all, and it caused legitimate traffic to experience a lack of service, because the “junk traffic,” the fraudulent traffic, was tangling up the computers. It was at such a great volume from so many sources of attack, that it had the effect that you just referred to: People would go to their web browser, type in an address they were trying to reach, and find that they could not get there.

But how could websites like Amazon and Twitter be so unprotected that something like this could happen to them … when they have so much at stake in terms of being up all the time?
Well, that’s a very good question, and I think the answer to it is to keep in mind that the site you’re trying to reach is probably fine. But when you go to reach it, the plumbing of the internet requires that when you type in an address like strozfriedberg.com, amazon.com, [or] wsj.com, there are servers inside the internet that have to translate that name that you know into an IP address number, so that the signals can be routed to the correct destination and give you that page. It’s those domain name servers and the companies that run them that were under attack. So the intermediate devices that stand between your computer screen and the computer that houses the websites you’re trying to reach are what got contaminated and what was shut down in a way that made it impossible for the connection to be made to the ultimate site.

Was this bigger or more sophisticated than previous attacks on the internet, or did it just get more press or publicity because of the sites involved?
That’s a question of degree. I wouldn’t say that it was the most sophisticated kind of attack, because it’s kind of a bombardment of computers with traffic. It’s not stealthy; it is more obvious; it was designed to be noticed.

You make it sound almost like closing a lot of lanes on a bridge to New Jersey, causing all the traffic to converge and back up, so that no one can get into Manhattan.
[laughs] You know, I hadn’t thought of that analogy, but there’s a certain relevance to that, because computers are designed to process requests; they have to be open to it. So if you deliberately flood them with requests that cannot be resolved, say, for example, website addresses that don’t exist, [then] the computer will work on it for a little while. But they’re receiving millions of them, from millions of different sources at the same time, [and] it can bring the server [down]. If it doesn’t crash it, it can slow it down so much that it doesn’t work for normal people.

Who’s most likely behind an attack like this, and what are their motivations? Are they hackers out there? Are they foreign governments with adverse interests towards the United States? What do you think?
For this particular attack, nobody knows yet, and one thing [I know] as a former FBI agent [is] you want to investigate and get the facts and not speculate. But I’ll try to be responsive to your question.

Did it bear the signature of any group?
I don’t think that’s known yet. But it may turn out that the investigation would show that, but what I might say is this: What’s helpful in cyber resilience and security is to look at the likelihood of you being attacked and targeted in some way, and if you just perform that type of analysis in what is reported to have happened here, it’s hard to see how a nation-state would find an incentive to want to stop traffic on web servers of this nature. I’m not sure what state objective would be met by that. Now, I can’t guarantee that isn’t it. It could just be hackers who felt that they wanted to prove a point. Or one thing that it could even be is somebody who is trying to demonstrate their expertise and bragging rights and to say, “Look, if I can do this, just imagine what other skills I have.”

Do you think it’s possible this is practice for something even bigger that could hit the internet?
Perhaps. Because it does demonstrate just how open and I’ll use the word “vulnerable” we are to these types of attacks. It’s a little bit like thinking about the problem of arson, in a way. We can have institutions and buildings and structures that work very well, but they have to be made out of certain materials in order to be constructed. It’s very hard to build them. It’s not so hard to attack [them].

You’re saying this is like digital arson.
It’s not a bad word to use to think about some of these attacks. This one and others, where you don’t have to be an architect to be an arsonist. Even an unskilled person with a little bit of fuel and a match can create great damage. There are certain aspects of our society, including digitally, where that kind of impact can be felt by either a small number of individuals or maybe even one individual.

Are there defenses being put into place to guard against something like this from happening or from happening again?
I would say that any time there’s an incident that gets publicity and is noticed, it ratchets up the importance of looking at your defenses. I would say that the defenses in this example have to be thought of from two perspectives: There’s the defenses of the attacked site or the service provider, Dyn, in this instance; that poor company actually was experiencing something that could’ve been directed at just about any company, and they fought it off, I think, from the press reports, pretty valiantly, but …

… they were overwhelmed.
But they were overwhelmed. I would say the overwhelmingness wasn’t just the volume of the data but the number of sources that it came from. Millions, from the press reports. So this gets back to your question about security and protecting ourselves. The devices that were used to launch the attack, the millions and millions of them, also raise questions about what we can do to improve the security of these devices so that they can’t be compromised and become the launching pad for these types of attacks. So protection, security, cyber resilience … both sides could improve in this area, and what they each have to do is a little bit different based on whether they’re being used as a launching platform or whether they’re being used as the target to receive the attack.

Given the ease with which this has seemingly happened, how much of the internet could get shut down in a real cyber war and for how long?
When I think of cyber war, I think of the nation-state. We’ve never seen anything where it has escalated to a real international war of those dimensions, but I think the capability at the nation-state level is extraordinary. The incentives to do something, I think, are pretty low, because you contaminate the very infrastructure that we’re all using to communicate. If you use cyber war in a more “war against criminal elements” [scenario], and [it’s perpetrated by] people who want to engage in social arson [or] hacktivists to make a social purpose, I think that is a different type of challenge, because they have great leverage to do a lot of damage as you saw in this instance. But you also have great cooperation to fight it on the part of nation-states and law enforcement when it occurs. It’s pretty complicated.

If I am Twitter, am I relying solely on this one piece of infrastructure at Dyn to bring traffic to me, or might I protect myself by duplicating the number of pieces of infrastructure that are there, if you will, by opening up more lanes, so that they’re coming from different directions, by having five bridges instead of one?
That’s a very good point. I think any time you look at your outsourced relationships that you depend on, on the internet or anywhere else, if you have a single point of dependency, you introduce more risk than if you have redundancy. Now, putting redundancy in place and having more than one service usually increases costs a little bit, and companies want to be careful of that, and you’re estimating the likelihood that you will ever need that redundancy. I think in this example, yes, that approach can help mitigate the kind of experience that we saw here. But it usually requires a little bit more investment and foreshadowing and thinking ahead of what would occur and what would you need in order to cope with an attack of this nature. That’s why tabletop exercises that [Stroz Friedberg helps] companies run in advance can really bring these things to light in a safe context—so that you can sit around with people and run through a scenario. I have one with me right now that we’ll be doing with a company next week that says, “If you experience this type of an attack, tell us what you would do. Let’s just discuss it around the table.” It often brings out how strong or weak the internal command structure of the company is, and it helps to highlight what third-party dependencies you might have and whether you have a way to overcome them if you suffer an attack.

What part of the government or the private sector is really responsible for putting up these defenses, and how does all that get coordinated? I mean, after all, hasn’t the internet become something that is so vast and important to the public that the government has some role to play in all of this?
I think the government definitely has a role to play, but they can’t be depended on to make sure that nothing ever goes wrong. The people that I speak with from the government and that I hear give talks, make the point that it is a partnership, so each individual organization or company has a role to play for their security, the infrastructure they own, the services they provide. But that isn’t going to protect you against deliberate, adversarial action from outside, or an inside problem that may arise. When it does occur, to protect it, to respond to it, to know how to manage it, government can play a part, especially if you’re dealing with an organized crime group with an overseas connection. But they’re not going to come in and fix your computer system or clean up the mess that has happened that you’ve suffered.

It sounds a lot like the physical world we live in.
Well, I think there are definite parallels.

Are there other bigger threats alongside this one? This seemed to be temporary by nature and severe in terms of being able to take some of the biggest and most powerful websites and make them go dark. But are there bigger threats that loom out there?
Well, I think if you look at the situation, there are some nuances we don’t want to lose sight of. One is the “internet of things,” and something that we’ve talked about for a while: each point of presence on the internet that has an IP address, that has a computer embedded in it. You hear people talk about your digital cameras, toasters, refrigerators, digital cars. Those devices have the ability to carry out instructions. If you embed instructions into any of those devices to attack somebody else of the nature that we talked about here, it’s now showing us that the internet of things can be weaponized. Now I’m not against the internet of things; I mean, we all want the convenience, but I think we’re going to have to put up with a little inconvenience in order to ensure that these devices are properly protected. It’s not responsible to just take a device and not give any thought to the security associated with it and just expect it to do its job. If my toaster at home is part of the launching pad of the attack on Dyn or anybody else who’s out there, I would expect Dyn or other places to come back and say, “Really? Was it necessary for that device to be so open to infectious code to be aimed at me? Everything seems fine to you, Ed, at home, but what about our side?” I think what we don’t want to lose here is that the interdependency means that we each have a stake in each other’s security, and it’s very important that you be able to have a badge of honor to be able to say, “No, as part of security, as part of hygiene, I’m not going to just accept these things and let them run in the open, because they’re serving my need.” I’m also going to stop and think, “What is a responsible digital presence in today’s society?” Deactivate the password that came out of the box; change it in some way. Or subscribe to services that can maybe help you make sure that your devices are not weaponized and hurt somebody else.
So I think we [need to] stop and look at [the fact that] the interdependencies that make it so convenient and wonderful to have all these devices have security implications. Let’s not forget that they need to be addressed and discussed.
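The “five bridges instead of one” point above has a concrete check behind it: look at a zone’s authoritative NS records and ask whether every one of them belongs to the same DNS operator. The script below is an editorial addition to this page, not code from the interview or from Stroz Friedberg. The `dig +short NS` outputs, the operator names (operator-a, operator-b) and the alias rule that folds one operator’s several registrable domains into a single operator are all constructed for illustration; a real tool would query live DNS and consult the Public Suffix List rather than the small suffix set assumed here.

```python
"""
Flag zones whose authoritative name servers all depend on one DNS operator,
the single point of dependency discussed in the interview.

Added example, not part of the interview. The `dig +short NS` outputs and
the operator names below are constructed sample data, not live lookups.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample output of `dig +short NS <zone>` for three zones.
SAMPLE_DIG_OUTPUT: Dict[str, str] = {
    "one-operator.example": (
        "ns1.p01.operator-a.net.\nns2.p01.operator-a.net.\n"
        "ns3.p01.operator-a.net.\nns4.p01.operator-a.net.\n"
    ),
    "two-operators.example": (
        "ns1.p01.operator-a.net.\nns2.p01.operator-a.net.\n"
        "ns-11.operator-b-15.com.\nns-12.operator-b-16.net.\n"
    ),
    # In-bailiwick name servers: self-hosted, but still one operator.
    "self-hosted.example": "ns1.self-hosted.example.\nns2.self-hosted.example.\n",
}

# Assumed subset of suffixes that need three labels for a registrable
# domain; a real tool would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumed alias rule: "operator-b" spreads its servers across several
# registrable domains (operator-b-15.com, operator-b-16.net, ...), and
# those must be counted as one operator, not several.
OPERATOR_ALIASES = [
    (re.compile(r"^operator-b-\d+\.(com|net|org|co\.uk)$"), "operator-b"),
]


def parse_dig_short(text: str) -> List[str]:
    """Turn `dig +short NS` output into lowercase hostnames without the
    trailing dot, skipping blank lines."""
    return [line.strip().rstrip(".").lower()
            for line in text.splitlines() if line.strip()]


def registrable_domain(hostname: str) -> str:
    """'ns1.p01.operator-a.net' -> 'operator-a.net'; 'ns.foo.co.uk' -> 'foo.co.uk'."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def operator_of(hostname: str) -> str:
    """Map an NS hostname to an operator label, collapsing known aliases."""
    dom = registrable_domain(hostname)
    for pattern, name in OPERATOR_ALIASES:
        if pattern.match(dom):
            return name
    return dom


def assess(ns_hosts: List[str]) -> Dict[str, object]:
    """Group NS hosts by operator and flag a single point of dependency."""
    by_operator = defaultdict(list)
    for host in ns_hosts:
        by_operator[operator_of(host)].append(host)
    return {
        "operators": sorted(by_operator),
        "servers_per_operator": {k: len(v) for k, v in by_operator.items()},
        "single_point_of_dependency": len(by_operator) < 2,
    }


def assess_zone_sample(zone: str) -> Dict[str, object]:
    """Assess one of the constructed sample zones."""
    return assess(parse_dig_short(SAMPLE_DIG_OUTPUT[zone]))


if __name__ == "__main__":
    for zone in SAMPLE_DIG_OUTPUT:
        result = assess_zone_sample(zone)
        flag = "SINGLE OPERATOR" if result["single_point_of_dependency"] else "ok"
        print(f"{zone}: {flag} {result['operators']}")
```

Two caveats a practitioner would add. Counting four servers under one operator as "four sources" is the mistake this check exists to catch; the number that matters is the number of independent operators. And distinct operators can still share upstream transit or anycast infrastructure, so passing this check is necessary, not sufficient, and belongs in the tabletop exercise rather than replacing it.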
