Press Release
Sechrist discusses vulnerabilities of information networks
Would you please talk about your work at the Belfer Center, how you got involved, and in what ways it has influenced your research.
I began at the Belfer Center in July and previously was at the Harvard Kennedy School studying a niche field of undersea communication cables – the protection thereof, security and economic policies around cables. That’s a field within the information technology area. My research has primarily revolved around starting an international partnership around the protection of these undersea communication cables. Most people don’t appreciate the significance of undersea communication cables in their everyday lives. These cables connect the internet together in many ways. Most of the traffic on which phone calls and the internet [depend?], resides on these cables so it’s important to protect them.
At the Belfer Center, I manage Project Minerva, which is a joint collaborative cyber security initiative between Harvard Kennedy School and MIT. Project Minerva seeks to engage students at the graduate and undergraduate level on research in cyberspace, particularly cyber international relations which is becoming a new field of study within the international relations field.
Minerva began in a 2008 speech by Defense Secretary Robert Gates, in which he announced that the Department of Defense is interested in working with social scientist to study emerging threats. One area of research that has come to light is this field of international cyber relations. At Harvard Kennedy School we’ve been pursuing that with our colleagues at MIT.
So this is a relatively new field of research even though undersea cables have been a fundamental infrastructure for communication for a long time. Maintaining, securing, and protecting them is still relatively new?
That’s right. The policy behind undersea communication cables, with regard to the industry and companies that lay them and own and operate them, is quite a new field of study.
Recently President Obama called attacks on our networks one of the most serious national security threats facing our nation. What, in your opinion, are the greatest cyber threats facing these networks? From whom do they come and what measures are in place (or should be in place) to prevent them?
It’s a multiple question, so I’ll take it in multiple parts. Cyberspace has grown to be an enormously important field of study from a public policy standpoint but also from a security standpoint, and in recent years the security of cyber space has gained much prominence due to a series of high profile attacks. And these attacks come through various means and methods. The most notable attacks that we’ve seen in recent years have come on companies like Google, have come on the Department of Defense, have come to the financial networks for which most of Americans’ daily financial transactions take place. It is important to protect all three of these areas going forward. One other area that’s important is the energy networks on which the power grid and future smart grid networks will reside.
Where are the most likely threats coming from? Rogue nations, regimes, individuals?
The most likely threats to cyberspace can originate from within the U.S. as well as outside the U.S. border. There’s really no way to pin down what nation-state might be responsible for the majority of attacks on these three infrastructure networks. That being said, there are some nation states that have more advanced capabilities than others. Typically, those are the nation-states that have produced the most numbers of advanced engineers, and computer scientists.
So your research is more focused on the threats as they come, less on the origin of these threats which could almost come from anywhere?
That’s right. Typically digital forensics is used to pinpoint the origin of an attack and that’s a different field of study from mine. I’m mainly focusing on the security policies that surround cyberspace in a federal context.
Do you feel there is a sense of urgency at the federal level for taking measures to secure these networks?
The context today is quite alarming. There are many different opinions about the threats and vulnerabilities that are out there. Some claim cyber Armageddon looms around the corner. Others claim the threat is significant but not as serious as that. I tend to lean towards the latter and to think that cyber security is a significant field – something the nation should rally around as a security threat – but not something that I see as potentially going to have your microwave jumping off the counter at home.
You are the author the research paper, “Preventing a Cyber 9/11.” Could you describe what a cyber 9/11 would look like? What would be most vulnerable in such a scenario?
“Preventing a Cyber 9/11,” was the first paper I wrote on the subject. Since that time my thinking has evolved to the realization that, although cyber security is a significant national security challenge, it is something that can possibly be handled and managed by federal government as well as by private industry. And so, I put it more in context: that we can see some networks and critical network infrastructure are threatened in today’s environment, but I don’t think we’re going to see whole-scale destruction of networks on a federal or state and local level.
Why is that? Is it the nature of internet and networks—that such a giant interdependent web is not vulnerable to a major attack that would shut it down or even a large percentage of it?
I think when most people think of the internet, they think of it as one large, contiguous entity. That’s not true. The internet is comprised of 12 to 14 thousand different networks that interlink, typically, in some fashion, through internet service providers. So, the internet is a network of networks.
Some computer scientists have described the internet as one of the most efficient machines—if you can call it that—ever built because, since its inception, it has been running more or less intact, non-stop. Is that another reason why you would say it is not as vulnerable to a large-scale attack?
That’s right. The way the internet is structured is that if one part of it were to suffer disruption, another part could fill that space, fill that gap, while minimizing the disruptive area. So, it’s not an area where you’d see a large-scale threat that can take down multiple networks, unless you reach some of the core nodes of the network. And those for the most part are pretty well-protected through a bunch of security standards and practices.
Could you talk more about the viral attacks that were used against Iran’s nuclear program? Apparently they were very effective. Richard Clarke, for example, has mentioned that these types of viruses could be used against other industrialized nations and their networks.
The Stuxnet worm, to which you refer, has been described as an F-35 on a World War I battlefield. I mean it’s so significant, so advanced, that you don’t find many instances of anything like it before. It kind of changes the game, in a way, because it attacks computers that aren’t connected to the internet and it influences them to affect industrial control processes. Industrial control processes run on systems that are called SCADA systems. And, these systems are what are the most protected in many instances. They run nuclear power plants, all the way to the energy grid. In the Stuxnet case, the computer worm attacked the nuclear power plants of mainly Iran and affected the centrifuge capabilities in that country.
With these kinds of attacks, would you say there’s a possibility for specific uses against us?
Right, some people say “cybotage.” It’s sort of like sabotaging critical nodes with a computer worm or virus – that’s certainly likely to rise going forward. I think there have actually been some adaptations to the Stuxnet now found on certain black market websites that can be traded for a certain price and used against a nation of your choice.
Is this the future we’re looking at for warfare, for ways of attacking one’s enemy, whether it’s a nation or a company or an individual? Are we at the beginning of a phase not unlike the phase of nuclear or biological warfare in the 1950s?
Yes, I think cyber space is an area of research that is not unlike the 1950s was for the nuclear industry and for the study of nuclear weapons. I think that cyber security as a field of study for public policy makers, as well as computer scientists, is only going to be on the rise. It’s great the Harvard Kennedy School is focusing on studying cyberspace from that perspective. There’s a large future for the study of cyberspace from a public policy standpoint. We recently established a class on cyber security at the Kennedy School entitled “The Future of Cyber Security,” taught by Richard Clark and Eric Rosenbach. The purpose of this class is to study future emerging threats and emerging technologies, and to look at how public policy makers could understand these threats better and protect against them.
During the civil uprising this spring in Egypt, the government allegedly shut down all internet networks, which seems to have been a remarkable technological feat. What are the implications and difficulties of this, and do you feel this might be a new form of oppression a nation could bring upon individuals?
The Egyptian case is quite alarming. It’s unprecedented in its scale. Nothing like it has ever taken place, especially for this duration. What we have seen is something that probably could not have happened in many countries for the mere fact that those countries are not authoritarian regimes. In the Egyptian case, the government had an ability to control internet service providers and tell them to essentially shut down their networks within Egypt and not allow traffic to move. This is a game changer for the study of cyber security. You’ve never had a nation so deliberately shut down networks. I think what you’re going to see happen is the need for an index – and I don’t know if the index is established by public policy students or others – an index that can determine the degree of digital trust between the government and the companies working in that country. So in the Egyptian case, the trust you might have as a consumer or a company – that you can go into the country and securely conduct business – was not very high. Something like Twitter, something like Facebook are now things these governments have to worry about. That’s a significant concern for freedom of the digital space.
There is federal legislation being considered in this country about having similar measures in place to shut down the internet in cases of national security to prevent mass chaos. Could you talk a little about where you are in your thinking on the issue?
There’re a lot of types of software products that allow for when you’re in those types of situations where the government shut down the network to get around it. Typically it revolves around internet filtering, but in the Egyptian case it involved wholesale government shutdown. If the U.S. were to engage in something like that in the future that would have a significantly detrimental effect on businesses and on the social sphere for which they use the internet tremendously. I can’t comment on whether that’s going to be a successful piece of legislation, but if the Egyptian case is any example, I wouldn’t pursue such legislation in the future. I think it affects digital freedoms in quite a negative way.
Do you feel there is a growing need for nations to come together to establish agreements for protecting their networks because there are certain things that are acts of war and there are certain things that are, as you say, just “cybotage.” Are we at that point?
I believe we are at a point where we move the discussion forward on an international level. I think nations are doing that in a couple ways. Obviously there have been talks in NATO conferences and within the Organization for Economic and Cooperative Development, but there’s still a lot of room for growth, even at the United Nations. There’s been some talk at a recent Munich security conference about defining what a cyber weapon might be, or what constitutes a cyber attack. I think this is very important. Because right now everyone has a different idea about what a cyber attack is.
How secure do you feel undersea communication cables are? Is information available about where they’re located?
You actually can drag a chain or anchor over an undersea cable and disrupt one. That’s one of the fears about identifying the location of these cables. There was actually a WikiLeaks cable—a secret trove of secret documents that was published—and one of them was the most vital infrastructure areas within the world. That leak identified almost every landing station on which a cable comes up from the ocean and onto land. So, from my area of research we even see cyber security and the aspects associated with cyber security to involve things like undersea communications cables and protecting a physical layer which connects all of us together in the internet.
How could we protect thousands and thousands of miles of cable?
My area of research at the Belfer Center has been to pursue the creation of and international public/private partnership where the nations team up with the industry and work together to protect cables as best they could. It’s an extremely large undertaking, but since I’ve been at the Kennedy School there has been the creation of an international cable partnership within an organization called the International Cable Protection Committee. Since that creation—which was only a few months ago—we’ve actually had the first government to sign up which has been the Australian government. This is a great feat in bridging the gap between nations and the industry. The next step is to get the United States involved and I’ve been working with colleagues within the federal government to bring them to join with the Australians in protecting cables.
Recommended citation
Leahy, Joseph. “A Conversation with Michael Sechrist.” Spring 2011