Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/2/2018
12:30 PM
Dave Weinstein
Dave Weinstein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Stop Saying 'Digital Pearl Harbor'

Yes, there are serious dangers posed by malevolent nation-states. But the hype is distracting us from the reality of the threats.

Make no mistake: The global cyber-threat landscape is more active than ever. We're all aware of the US Department of Homeland Security's recent revelations about Russia's 2017 efforts to penetrate American electric utilities and other critical infrastructure sectors and the NotPetya worm that spread from Ukraine to over 130 countries, costing upward of $10 billion. Just this past July, multiple senior US officials said that "Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and healthcare and technology companies" in the US, Europe, and Middle East.

Indeed, many nation-states are free to maneuver in cyberspace in a way they can't at sea, in the air, or on land, where surveillance technologies, deterrence regimes, and international laws and norms keep actors and activities in check. This shouldn't be a surprise. Deterrence, laws, and norms are largely absent from cyberspace, and while humans have better tools to thwart incidents than ever before, technology is no cure-all. The result is a disruptive infusion of non-kinetic (that is, not physically manifested) asymmetry between governments, often leaving businesses and individuals in the crosshairs. In this new competition, those who embrace digital hyperconnectivity and openness find themselves more vulnerable and subject to greater consequences than their less-connected counterparts.

Despite the alarming analogies to a "digital Pearl Harbor" and "cyber 9/11," the raucous rhetoric often distracts us from the more likely consequences of cyber threats to our critical infrastructure.

The military has a term for what's playing out in civilian cyberspace: intelligence preparation of the operational environment (IPOE) or "the process to analyze the adversary and other relevant aspects of the [operating environment] in order to identify possible course of action." IPOE was conceived for the physical world in which humans, aircraft, and satellites carry out operations to support military contingency plans. IPOE perfectly describes how some nations are employing hackers against critical infrastructure. Short of attacking, they're gaining persistent access to high-value targets and positioning themselves to remotely deliver payloads in the event of escalated hostilities or geopolitical turmoil.

Perhaps most concerning about these cyber preparations are the targets themselves, which are almost entirely civilian in nature and highly important to our daily lives and businesses. Russia's two-year campaign against critical infrastructure, for example, targeted companies in the energy, public utility, and nuclear sectors, as well as commercial vendors. Likewise, recently discovered malware known as VPNFilter primarily targets home and small-office routers. This revelation prompted the FBI to conscript the public into neutralizing the malware by urging citizens to reboot their devices.

Second, the time it takes to execute a pre-positioned cyber capability is measured in minutes and hours, compared with the days and weeks its takes to mobilize ground, naval, or aviation assets in the physical world. In industrial and critical infrastructure environments, once cyber actors gain persistent and credentialed access to the right equipment, they need not deploy sophisticated malware to affect a target. Instead, they can simply issue a few commands to change critical processes and logic. With the right understanding of the target environment, these changes can lead to physical damage and unsafe conditions.

Finally, there's the question of intent. Consider last year's operation that gained access to a safety system at a petrochemical plant in the Middle East. In this case, the hackers targeted a commercial asset specifically designed to prevent hazardous leaks or even explosions in industrial facilities. The malware was detected because of some faulty code that tripped the plant into safe mode, prompting the operators to shut down the facility. Upon investigating the incident, no payload was discovered.

Are we to assume that the perpetrators were just testing their tools, or did they intend to put lives at risk by disabling the petrochemical's safety equipment? In truth, intent is often impossible to assess with high confidence from technical forensics alone. As the former White House cyber coordinator Rob Joyce recently explained at Black Hat, this ambiguity is destabilizing and, under the right circumstances, could lead to an actual war between powers due to miscommunication and misunderstanding.

The frequency and volume of these operations will only increase if we don't start calling it like it is. Rhetorical representations of "cyber war" in the absence of neither observable, kinetic effects nor the political palatability to declare heightened conflict distorts the nature of the digital domain and sends mixed signals. Physical effects will not always be the minimum threshold for defining war, but it is the prevailing standard in most jurisdictions today.

Likewise, repeated analogies to historical acts of war are not just often ill-conceived, they also distract us from the more likely threats, such as subtle data manipulation and targeted anti-integrity attacks against industrial control systems that have already cost companies millions of dollars to recover from and puts peoples' safety at risk. And calling certain operations an "attack" when the actors intentionally refrained from pulling the trigger grants them domestic and international license to dismiss evidence as propaganda and continue to grow their access into our most critical networks.

Lastly, short of war, cyber activities almost always benefit the aggressor because their behavior is ungoverned by international law or diplomatic norms. Some technology executives representing the likes of Microsoft, Facebook, and Cisco recently called for a Cyber Geneva Convention to protect "innocent citizens and enterprises" from this gray area. We don't need a new charter, but we must adapt the existing one to account for sub-war activities in cyberspace that hold nonmilitary targets, and therefore civilians, at risk. In this regard, tech companies, not government appointees, must be our most vocal and active ambassadors.

We're not at cyber war, but a sub-war battle is raging. Industry, government, and civilization as a whole must work together to reverse this norm.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dave Weinstein is the chief security officer of Claroty. Prior to joining Claroty, he served as the chief technology officer for the State of New Jersey, where he served in the Governor's cabinet and led the state's IT infrastructure agency. Prior to his appointment as CTO he ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MigoKedem
50%
50%
MigoKedem,
User Rank: Author
10/8/2018 | 11:53:29 AM
Interesting piece
Although the cyber risk can cause real harm (how many lives were impacted by WannaCry affecting NHS for days? ). There is a tendency to over market the risks we are facing.
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.