The ever-increasing role of technology in every aspect of our society has turned cybersecurity into a major sovereignty issue for all states. Due to their asymmetrical nature, offensive cyber-capabilities have been embraced by many countries that wouldn’t otherwise have the resources to compete on a military or economic level with the most powerful nations of the world. Most modern inter-state conflicts and tensions today also take place in so-called cyberspace and we strongly believe that this trend will persist.
Such conflicts can take a vast number of forms, based on the objectives an attacker might pursue to undermine a competitor. In the context of this article, we will only focus on two of them: (1) Cyber-warfare for intelligence purposes, and (2) sabotage and interference with strategic systems in order to hinder a state’s ability to govern or project power.
Cyberspace and intelligence
Attempts to collect intelligence through technical means have been documented for years. The earliest example dates all the way back to 1996’s infamous Moonlight Maze campaign, where attackers stole so many documents a printout would have stood “thrice as high as the Washington monument”. Twenty-five years later, Kaspersky tracks over a hundred groups who perform similar operations. Here are a few reasons why they are so widespread:
- Offensive security tools are readily available.
- Intrusion software just as sophisticated as the frameworks developed by APT actors is gradually released to the public for free. This includes widely available proofs of concepts for software vulnerabilities to gain access to target machines, open-source malware implants to establish persistence and a myriad of tools that allow lateral movement inside breached networks. Newcomers to the cyber game benefit from the experience acquired by their predecessors and the research conducted by the industry as a whole, which helps them bootstrap their operations at a very affordable cost.
- A flourishing market has developed around offensive security, where companies provide tools or even mercenary services. The ones that are willing to communicate about their activities swear that they will only do business with democratic governments, but it should be pointed out that they undergo virtually no oversight.
- The difficulty of reliable technical attribution of cyberattacks ensures that instigators face very limited diplomatic repercussions (although a number of countries have recently developed legal frameworks which allow them to impose sanctions). A few countries have public doctrines or strategies pertaining to cyber-engagements, though those documents don’t always provide detailed and full answers on how countries will react, particularly, in the case of cyberattacks posing a threat to their national security, which countermeasures they would take, when cyberattacks would be qualified as use of force and, broadly speaking, how the UN charter’s article 51 pertaining to legitimate defense should be interpreted and applied. The earliest example of such a policy we could find is from the United States, in which they argue that article 51 does apply to cyberspace. France also has one, and a few other countries have also published their official positions on the application of international law to cyberspace (Estonia, Australia, Austria, Czech Republic, Finland, Iran, the Netherlands and the UK).
Cyberespionage attempts have been observed from all types of nations (emerging and robust cyber powers, countries that find themselves at the center of international tensions, and even countries which are traditionally considered allies) against all sorts of actors (government and non-government organizations, multinational companies, small businesses and individuals) to try to collect intelligence of any nature (technological, military, strategic). While the newer actors are filling the skills gap quickly, the most advanced parties are scaling to obtain global surveillance capabilities through technological supremacy. This involves developing the standards for tomorrow’s communications infrastructures and ensuring that they are adopted on a worldwide scale.
A particular example stands at the intersection of these two axes: the dispute pitting the US against China on the 5G standard. The US Defense Innovation Board points out the crucial impact of network topology on industry development and notes that the Department of Defense (DoD) itself will use the new standard; as a result, it feels it should have at least some degree of control over it. The US government has also publicly accused foreign technology companies of facilitating espionage operations on various occasions.
- No state in the world has the technical ability to prevent cyberattacks, whether they target a country directly or target its industry.
- In the short term, only bilateral agreements (such as the one between China and the US in 2015) appear to significantly reduce the number of incidents.
- In the long term, a large number of experts needs to be trained to provide the private sector with enough resources to defend itself efficiently against cyberthreats.
- The existing international instruments, such as the Wassenaar agreements do not provide a sufficiently binding legal framework to prevent companies from earning a profit by selling attack tools or vulnerabilities. Decision-makers should look into the proliferation of ICTs that can be used for malicious use.
- The international community must find a way to create tomorrow’s standards conjointly. The competition between states to ensure control over the next technological tiers could result in a balkanization of the digital space.
- Foreign companies, especially those developing network equipment or handling sensitive data, can only overcome mistrust if they are willing to subject themselves to stringent scrutiny.
- States should adopt legislation detailing the obligations of any company willing to participate in public procurement for digital goods: source code access, formal proof of the software, having an audit conducted by a trusted third party.
Just because cyberspace conflicts take place in a virtual world doesn’t mean they cannot affect the physical realm. An overwhelming proportion of today’s human activity relies on information technology which implies that the former can be disrupted through the latter. A list of verticals that should be protected from foreign investments was introduced in French law: energy, water distribution, transportation, health, telecommunications. It’s easy enough to see that each of them is regulated by computer systems that constitute high-value targets for a hostile party.
The Ukrainian conflict, which seems to be used as a large-scale hybrid war experiment by some actors, gives an idea of the many ways cyberwarfare could be used to destabilize a country:
- In May 2014, three days before the Ukrainian elections, a company called Infosafe IT withstood an attack aimed at preventing election results from being centralized. The day results were published, a fake press release announcing the victory of a far-right candidate was distributed through the electoral commission’s website.
- A cyberattack against three Ukrainian energy providers on December 23, 2015, left 225,000 clients with no electricity for several hours. A similar incident happened in Kiev for about one hour on December 16, 2016.
- On June 27, 2017, a Ukrainian tax accounting package used by most companies in the country (MeDoc) downloaded a malicious update that contained ransomware. Further analysis revealed that data decryption was not possible and that it was likely an attempt to destroy data forever. The incident caused over $10 billion in damages, making it the most destructive cyberattack in history.
In other countries, the Stuxnet worm comes to mind. This piece of malware contained four 0day exploits and was design to infect SCADA systems in the Natanz nuclear plant in Iran. Infected systems would send erroneous commands to the underlying programmable logic controller (PLC) while still displaying expected results to the plant operators. This damaged the centrifuges and confused researchers, effectively slowing down Iran’s research in the nuclear physics field. But the general, modular design of Stuxnet indicates that variants could have been created to go after other types of SCADA system. This detail could be indicative of a larger (and unpublished) sabotage doctrine followed by the creators of Stuxnet.
It is unclear whether it followed Stuxnet’s precedent, but a couple of years later, a wave of destructive attacks was launched against the oil industry in the Middle East. Shamoon was far from the sophistication level of our previous example, but it did major damage nonetheless. It involved a wiper malware whose purpose was to erase files from the victim’s computers and render them unusable. When it was first used in 2012, it disabled over 30,000 computers.
Then, in 2017, a Saudi refinery was targeted by an attack against its safety systems in a deliberate attempt to cause physical harm. The malware, dubbed Triton, was designed to tamper with an industrial safety system’s emergency shutdown function. Thankfully, the attack only resulted in interruption to a chemical process and did not cause the uncontrolled energy buildup the attackers were likely trying to achieve.
In recent years, many incidents have involved wipers: Dark Seoul and the Sony hack as well as operation Blockbuster attributed to the Lazarus Group, and others involving the StoneDrill malware we discovered while investigating Shamoon. So far, we are not aware of any casualties caused by destructive cyberattacks, but there’s little doubt that they are used as coercive force and can be construed as a form of violence. An interesting question is whether they could be interpreted as “acts of war”.
In August 2019, NATO released a cyber-resilience supplement in which the organization stated: “a serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all”. While the notion of “serious cyberattack” is not clearly defined, it does send a strong political signal that actions taking place in cyberspace can be interpreted as an attack and may in fact cause a collective response from the alliance. In the military sense, this declaration establishes cyberspace as a battleground. Other countries appear to share this view: in 2019, Israel bombed a building it claimed was used by Hamas to conduct cyberattacks against its interests. While this was not the first time a state went after hackers in the physical world, it was an unprecedented example of immediate cyber-to-kinetic escalation. Those few nations (i.e., the US and France) who published cyber-engagement policies usually reserve the right to respond to attacks in cyberspace through any appropriate means, which implicitly includes lethal force.
Since sabotage operations disrupt a government’s ability to rule or have the power to shut down a country’s economy, they represent a major threat to sovereignty. In the most extreme case, attacks in cyberspace can lay the ground for (or support) traditional military operations, for instance by disabling security systems or communication devices that would usually help organize the defensive response.
In the coming years, we can expect that:
- The sort of attacks described above will become more widespread. The impact of these operations is now evident and they should be expected in any future armed conflict.
- Some sabotage attempts will happen under a false flag to muddle diplomatic relations between two countries. Some actors have already taken significant steps to influence the way their actions would be interpreted:
- The aforementioned MeDoc attack was disguised as a criminal ransomware attempt.
- French TV channel TV5 Monde was hacked and taken off air for 18 hours in a destructive attack that also destroyed data. The hack was claimed by an ISIS-aligned group (Cyber Caliphate), but is believed to have originated from a Russian threat actor instead.
- An attack against the PyeongChang Olympic games contained indicators implicating North Korea that we now know to be fake.
- Diplomatic duress or retaliation might take place in the form of sabotage and cyber-capabilities will be used to exert pressure between states. For instance, critical infrastructure could be disabled, or local companies could be taken down as a way to express discontent. Demonstrating such offensive cyber-capabilities would convey strong messages that would be less of a commitment than moving troops.
In the interest of promoting cyber-stability and reducing the impact of sabotage, we would like to propose the following:
- States should publish a doctrine that defines how they regard engagements in cyberspace, if they haven’t already done so. A more detailed call for transparency from Kaspersky can be found in the various contributions we submitted to the UN’s OEWG. This doctrine should take into account how uncertain the attribution process for cyberattacks is.
- Making sure that critical systems are located exclusively on networks that are not connected to the internet. By spearheading the concept of cyber immunity, Eugene Kaspersky provides additional recommendations to make such infrastructure more resilient.
- Clarifying rules of cyber-engagements at an international level as well as providing clarity on how they should be implemented both to ban and prevent destructive attacks targeting civilian infrastructure. We also advocate for greater clarity from states on how cyberconflicts can be de-escalated.
- Having a proactive approach that aims at detecting intrusions in strategic entities (as opposed to simply preventing them). A sabotage operation requires months of preparation after the victim’s network has been breached. During that time, the defenders have a chance to discover the attackers and contain them before actual harm has been done.
It may seem naïve to imagine that the international community could at this moment reach a broad consensus regarding the rules for cyberwarfare or how the existing IHL applies to cyberspace. Yet over the past century, the world managed to define a number of acceptable rules for military conflicts: the Geneva Convention defines rights afforded to non-combatants. But while in traditional warfare it is easy to evaluate the cost (usually in human lives) of being subjected to certain practices, the nature of cybersecurity makes this quite difficult: intelligence collection and data theft are invisible, information campaigns can’t always be identified as such and sabotage may be indistinguishable from accidents. In other words, decision-makers have data that shows the benefit of unregulated cyberwarfare, thanks to their own operations, but are oblivious to what it costs them. This partial vision, shared by all actors, does not encourage moderation.
And so, this article closes on a pessimistic note. Do any of the parties involved have an interest in regulating cyberwarfare? If they did, would they even be aware it? Historically, means of destruction could only be downsized thanks to civil protest and public pressure. In the end, no matter how far away or even unrealistic the dream of world peace seems to be, it is still one worth fighting for. As for the information technology field, it has been described as “young” and “growing” for the past 30 years. Maybe now is the time it became “adult”.