What A Massive DDoS Attack Tells Us About International Cybersecurity

On a Friday in mid-October of last year, a large portion of the eastern seaboard of the United States found itself without internet. The outage was the result of a massive distributed denial of service (DDoS) attack on a managed Domain Name System provider, Dyn. To overwhelm the Dyn servers, the attackers employed an army of zombie machines in the 10s of thousands, known as the Mirai botnet. In an after action report, Incapsula noted that “IP addresses of Mirai-infected devices were spotted in 164 countries,” and were “highly dispersed, appearing in such remote locations as Montenegro, Tajikistan and Somalia.” It is difficult to find a better case study on the transnationality of cyberattacks and the interdependency of networks. It’s also difficult to find a better case study illustrating the imperativeness of better cybersecurity capacity building (C2B) internationally, a topic that we feel has been underserved by the cybersecurity policy community.

A great degree of global economic development is underpinned by information systems. Yet, as investment and expertise is expended to improve access to the internet, little heed is paid to the security of that access. As a corollary, international cybersecurity capacity building projects are currently underfunded. The first generation of the internet, which cropped up in fits and starts around the world, was not designed with security in mind. Yet, as time marches on those who help administer the ever growing network have realized the vulnerabilities and security threats to the entire system and have thus begun to innovate ways to build in greater security. A heavy reliance on legacy technology and network administrative practices, while neglecting the security of the networks underpinning the ICT for Development (ICT4D) efforts threatens to neglect important lessons that could be applied to build out new ICT networks in a more secure manner. Afterall, sustainable development underpinned by insecure networks is likely unsustainable in the end, as the security flaws of those networks erode the trust necessary for them to fulfill their potential.

The interconnected nature of the internet means that one country’s inability to secure its own systems could have a negative effect on another’s network security. The Dyn example deftly illustrates this point, but the same concept can extend beyond leveraging insecure systems to build massive botnets. Indeed, for years, Romania’s inability or unwillingness to crack down on financial cybercrime emanating from their borders led to headaches for policy and decision-makers from Washington to Beijing. In addition, as more and more individuals come online, lucrative opportunities for misuse of the internet will present themselves as readily as opportunities for proper use, as Microsoft’s Paul Nicholas, noted in a blog post last year. It is therefore in every government’s best interest to help build the capacity of others to both address threats emanating from their territory and steer their newly connected populations towards productive uses of the technology.

At New America, we see two opportunities in this space, one involving liking the cybersecurity community to the international development community, and the other involving infusing the practice of capacity building with data to help identify the most effective means of building capacity. Through a series of papers and workshops, this project will encourage and pioneer new thinking about how international cybersecurity capacity building is conceived of, funded, and delivered.

Working with the Elaine Korzak of the Middlebury Institute of International Studies (MIIS) at Monterey’s Cyber Initiative, New America will bring together leaders from both the international cybersecurity capacity building community and the international development community, including governments, the World Bank, regional development banks, international bodies, NGOs, private sector financial institutions, and other private sector players. The goal of this effort is to both begin the process of normalizing cybersecurity in the international development context and draw important lessons from the international development community for the cybersecurity capacity community.

Our writing on the topic will evolve over the next 12 months, but will explore open questions like: What lessons could the international cybersecurity capacity building community draw from the experience of the international sustainable development community? Given the importance of ICT and network technology in modern-day economic development efforts, what are the potential pitfalls of neglecting network security? What are the barriers to mainstreaming network security as a part of sustainable development efforts? What models might exist or be developed to help link the cybersecurity and international development communities?