Make no mistake: The global cyber-threat landscape is more active than ever. We're all aware of the US Department of Homeland Security's recent revelations about Russia's 2017 efforts to penetrate American electric utilities and other critical infrastructure sectors and the NotPetya worm that spread from Ukraine to over 130 countries, costing upward of $10 billion. Just this past July, multiple senior US officials said that "Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and healthcare and technology companies" in the US, Europe, and Middle East.
Indeed, many nation-states are free to maneuver in cyberspace in a way they can't at sea, in the air, or on land, where surveillance technologies, deterrence regimes, and international laws and norms keep actors and activities in check. This shouldn't be a surprise. Deterrence, laws, and norms are largely absent from cyberspace, and while humans have better tools to thwart incidents than ever before, technology is no cure-all. The result is a disruptive infusion of non-kinetic (that is, not physically manifested) asymmetry between governments, often leaving businesses and individuals in the crosshairs. In this new competition, those who embrace digital hyperconnectivity and openness find themselves more vulnerable and subject to greater consequences than their less-connected counterparts.
Despite the alarming analogies to a "digital Pearl Harbor" and "cyber 9/11," the raucous rhetoric often distracts us from the more likely consequences of cyber threats to our critical infrastructure.
The military has a term for what's playing out in civilian cyberspace: intelligence preparation of the operational environment (IPOE) or "the process to analyze the adversary and other relevant aspects of the [operating environment] in order to identify possible course of action." IPOE was conceived for the physical world in which humans, aircraft, and satellites carry out operations to support military contingency plans. IPOE perfectly describes how some nations are employing hackers against critical infrastructure. Short of attacking, they're gaining persistent access to high-value targets and positioning themselves to remotely deliver payloads in the event of escalated hostilities or geopolitical turmoil.
Perhaps most concerning about these cyber preparations are the targets themselves, which are almost entirely civilian in nature and highly important to our daily lives and businesses. Russia's two-year campaign against critical infrastructure, for example, targeted companies in the energy, public utility, and nuclear sectors, as well as commercial vendors. Likewise, recently discovered malware known as VPNFilter primarily targets home and small-office routers. This revelation prompted the FBI to conscript the public into neutralizing the malware by urging citizens to reboot their devices.
Second, the time it takes to execute a pre-positioned cyber capability is measured in minutes and hours, compared with the days and weeks its takes to mobilize ground, naval, or aviation assets in the physical world. In industrial and critical infrastructure environments, once cyber actors gain persistent and credentialed access to the right equipment, they need not deploy sophisticated malware to affect a target. Instead, they can simply issue a few commands to change critical processes and logic. With the right understanding of the target environment, these changes can lead to physical damage and unsafe conditions.
Finally, there's the question of intent. Consider last year's operation that gained access to a safety system at a petrochemical plant in the Middle East. In this case, the hackers targeted a commercial asset specifically designed to prevent hazardous leaks or even explosions in industrial facilities. The malware was detected because of some faulty code that tripped the plant into safe mode, prompting the operators to shut down the facility. Upon investigating the incident, no payload was discovered.
Are we to assume that the perpetrators were just testing their tools, or did they intend to put lives at risk by disabling the petrochemical's safety equipment? In truth, intent is often impossible to assess with high confidence from technical forensics alone. As the former White House cyber coordinator Rob Joyce recently explained at Black Hat, this ambiguity is destabilizing and, under the right circumstances, could lead to an actual war between powers due to miscommunication and misunderstanding.
The frequency and volume of these operations will only increase if we don't start calling it like it is. Rhetorical representations of "cyber war" in the absence of neither observable, kinetic effects nor the political palatability to declare heightened conflict distorts the nature of the digital domain and sends mixed signals. Physical effects will not always be the minimum threshold for defining war, but it is the prevailing standard in most jurisdictions today.
Likewise, repeated analogies to historical acts of war are not just often ill-conceived, they also distract us from the more likely threats, such as subtle data manipulation and targeted anti-integrity attacks against industrial control systems that have already cost companies millions of dollars to recover from and puts peoples' safety at risk. And calling certain operations an "attack" when the actors intentionally refrained from pulling the trigger grants them domestic and international license to dismiss evidence as propaganda and continue to grow their access into our most critical networks.
Lastly, short of war, cyber activities almost always benefit the aggressor because their behavior is ungoverned by international law or diplomatic norms. Some technology executives representing the likes of Microsoft, Facebook, and Cisco recently called for a Cyber Geneva Convention to protect "innocent citizens and enterprises" from this gray area. We don't need a new charter, but we must adapt the existing one to account for sub-war activities in cyberspace that hold nonmilitary targets, and therefore civilians, at risk. In this regard, tech companies, not government appointees, must be our most vocal and active ambassadors.
We're not at cyber war, but a sub-war battle is raging. Industry, government, and civilization as a whole must work together to reverse this norm.
- Mirai Authors Escape Jail Time – But Here Are 7 Other Criminal Hackers Who Didn't
- How to Keep Up Security in a Bug-Infested World
- The Human Factor in Social Media Risk
- Hacking Back: Simply a Bad Idea
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.