On September 30, 2012, Washington Free Beacon editor Bill Gertz reported that hackers “linked to China’s government broke into one of the U.S. government’s most sensitive computer networks, breaching a system used by the White House Military Office (WHMO) for nuclear commands.” According to Gertz, the system breached includes the “nuclear football,” the president’s nuclear-weapons launch control. (On October 1, the White House confirmed the attack, though it did not confirm China as its source.)
Although Chinese cyber attacks have been characterized as “persistent,” aspects of an ongoing military and commercial strategic policy, it is tempting to speculate that this particularly brazen incident was a response to the deployment of U.S. Navy and Marine assets to waters near Japan’s uninhabited Senkaku Islands, possession of which China is now actively disputing with Japan. If the cyber attack on the WHMO is in fact such a response, it dramatically illustrates the leverage potential of cyber warfare. Without risking an armed confrontation at sea, China may be seen as having delivered a strong military message in cyberspace: the penetration of a network terminating at 1600 Pennsylvania Avenue. Back in the era of the Cold War, superpowers prosecuted inherently limited (albeit bloody) proxy wars in places like Korea and Vietnam rather than risk thermonuclear Armageddon by directly confronting one another. These days, increasingly, the preferred battleground is cyberspace.
Gertz reports that an “Obama administration national security official” characterized the incident as “a spear phishing attack against an unclassified network” and that “the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place.” In this comment, there is good news, bad news, and valuable news. The good news is that the attack (apparently) did not result in the theft (“exfiltration”) of data. The bad news is that the attack (apparently) got uncomfortably close to the holy of holies: the president’s nuclear-launch codes. The valuable news is that the hack was a “spear-phishing attack,” a species of e-mail “spoofing” fraud that seeks to dupe recipients in a specific organization, persuading them to click on a link that results in network infection by malware that yields unauthorized access to confidential data. Thus, whatever the level of technological sophistication involved in mounting the attack, the success or failure of the attack ultimately depended not on technology but on social engineering and human response. The weapon employed was less an arcane string of software code than a simple faith in human frailty.
And that is valuable news indeed.
It tells us that, while it is important to develop and provide the best high-tech defensive measures possible to protect high-value data and networks, cyberspace is, first and last, a human rather than a technological enterprise. The hardware may be silicon based, but at both the front and back ends of any computer network are carbon-based entities known as people; therefore, if you would protect the data in your digital castle, train your people. Harden them against the wily onslaught of social engineers. Understand that a technology-based anti-hacking defense, though absolutely critical, is a twenty-first-century Maginot Line. It is an obstacle to attackers, but also potentially an even greater hazard to defenders—if they allow themselves to become complacent in their passive reliance on exclusively technological protection. Like the Maginot Line of World War II, technology can always be circumvented by technology. The greatest threat to data security is human susceptibility. The most potent defense against susceptibility is likewise human. It consists of the highly trainable faculties of awareness, vigilance, and informed judgment.