SunBurst, the recent hacking of America’s government and some of its largest companies, is probably the single biggest attack in cyber-security history. Deploying malware via SolarWinds’ Orion products allowed the hackers broad access to some of the juiciest targets in the country. SolarWinds is a government and industry supplier of network management tools that include application monitoring and network configuration. The Pentagon, US Treasury, the Department of Energy, and the Department of Homeland Security, along with companies like Microsoft, Yahoo, and Cisco, were among those penetrated.
Experts agree this was not the work of a few teenagers at Saturday night plug-fests. Rather, according to the Cybersecurity and Infrastructure Security Agency (CISA), the hack represented a concentrated effort for years [by] “…a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.” Fingers are pointed at Russia for its history of attacks, as well as its persistence and skills.
Network compromises in the SunBurst hack began in March 2020, or possibly earlier. Hackers monitored network traffic for months in affected organizations before being discovered. Remediation may take months and the whole impact may never be fully known. What is known, however, is that cyber-attacks can have real-world consequences, America and Israel’s STUXNET attack on Iran’s nuclear program being one infamous example.
Every nation must be prepared to defend its territory, whether that territory is physical or virtual. Based on an increasing number of cyber-attacks with significant economic consequences, there is no argument that cyber-warfare is real. The challenge is how nations can defend themselves while maintaining the economic and social benefits of computer networks. Simply disconnecting from the information grid is no longer a feasible option.
Few nations maintain open societies with completely unfettered, uncensored exchanges of information. Social norms in many western cultures drive criminal activities to ‘dark nets’, well outside common social media platforms. Police, lawmakers, and regulators are still catching up to sophisticated cyber-crimes. Some countries closely monitor and control their citizens’ access to information. China’s Great Firewall comes to mind, but even the UK limits cellphone users’ access to all kinds of websites including dating, fashion, and gambling.
Protecting digital assets and capabilities at the national level is the work of governments, as is preserving the rights and freedoms of the individual. Clearly too much is at stake for nation states to ignore cyber-security. That existing nations must contend with a massively complex array of existing interconnected services running the backbone of their economies makes their task Sisyphean. Here, with a clean slate and digital-first design, is where a virtual nation has a disruptively positive competitive advantage.
A virtual nation should expect and plan for cyber-warfare. In our new world, such planning is primarily defensive. That said, understanding offensive cyber-warfare techniques, tools, methods, and potential for deployment is the only practical means of creating an effective security system.
Because the weakest point of any IT security system is the human element, distributing the virtual nation’s infrastructure makes sense. The tools and methods for such networks are well understood. Devolving discrete personal information securely via blockchains and distributed ledgers eliminates central data repositories by design. Citizens’ data and transactions with the virtual state stay with the individual, keeping security overheads to a minimum. Distributed systems provide a means for more rapid recovery in the event of an attack, while also maintaining a citizen’s sovereignty over their personal data.
Better still, once established, the virtual nation would be in a good position to supply services to beleaguered nations unable to afford the transition to defensible digital infrastructures of their own.