Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12:30 PM
Dave Weinstein
Dave Weinstein
Connect Directly
E-Mail vvv

Stop Saying 'Digital Pearl Harbor'

Yes, there are serious dangers posed by malevolent nation-states. But the hype is distracting us from the reality of the threats.

Make no mistake: The global cyber-threat landscape is more active than ever. We're all aware of the US Department of Homeland Security's recent revelations about Russia's 2017 efforts to penetrate American electric utilities and other critical infrastructure sectors and the NotPetya worm that spread from Ukraine to over 130 countries, costing upward of $10 billion. Just this past July, multiple senior US officials said that "Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and healthcare and technology companies" in the US, Europe, and Middle East.

Indeed, many nation-states are free to maneuver in cyberspace in a way they can't at sea, in the air, or on land, where surveillance technologies, deterrence regimes, and international laws and norms keep actors and activities in check. This shouldn't be a surprise. Deterrence, laws, and norms are largely absent from cyberspace, and while humans have better tools to thwart incidents than ever before, technology is no cure-all. The result is a disruptive infusion of non-kinetic (that is, not physically manifested) asymmetry between governments, often leaving businesses and individuals in the crosshairs. In this new competition, those who embrace digital hyperconnectivity and openness find themselves more vulnerable and subject to greater consequences than their less-connected counterparts.

Despite the alarming analogies to a "digital Pearl Harbor" and "cyber 9/11," the raucous rhetoric often distracts us from the more likely consequences of cyber threats to our critical infrastructure.

The military has a term for what's playing out in civilian cyberspace: intelligence preparation of the operational environment (IPOE) or "the process to analyze the adversary and other relevant aspects of the [operating environment] in order to identify possible course of action." IPOE was conceived for the physical world in which humans, aircraft, and satellites carry out operations to support military contingency plans. IPOE perfectly describes how some nations are employing hackers against critical infrastructure. Short of attacking, they're gaining persistent access to high-value targets and positioning themselves to remotely deliver payloads in the event of escalated hostilities or geopolitical turmoil.

Perhaps most concerning about these cyber preparations are the targets themselves, which are almost entirely civilian in nature and highly important to our daily lives and businesses. Russia's two-year campaign against critical infrastructure, for example, targeted companies in the energy, public utility, and nuclear sectors, as well as commercial vendors. Likewise, recently discovered malware known as VPNFilter primarily targets home and small-office routers. This revelation prompted the FBI to conscript the public into neutralizing the malware by urging citizens to reboot their devices.

Second, the time it takes to execute a pre-positioned cyber capability is measured in minutes and hours, compared with the days and weeks its takes to mobilize ground, naval, or aviation assets in the physical world. In industrial and critical infrastructure environments, once cyber actors gain persistent and credentialed access to the right equipment, they need not deploy sophisticated malware to affect a target. Instead, they can simply issue a few commands to change critical processes and logic. With the right understanding of the target environment, these changes can lead to physical damage and unsafe conditions.

Finally, there's the question of intent. Consider last year's operation that gained access to a safety system at a petrochemical plant in the Middle East. In this case, the hackers targeted a commercial asset specifically designed to prevent hazardous leaks or even explosions in industrial facilities. The malware was detected because of some faulty code that tripped the plant into safe mode, prompting the operators to shut down the facility. Upon investigating the incident, no payload was discovered.

Are we to assume that the perpetrators were just testing their tools, or did they intend to put lives at risk by disabling the petrochemical's safety equipment? In truth, intent is often impossible to assess with high confidence from technical forensics alone. As the former White House cyber coordinator Rob Joyce recently explained at Black Hat, this ambiguity is destabilizing and, under the right circumstances, could lead to an actual war between powers due to miscommunication and misunderstanding.

The frequency and volume of these operations will only increase if we don't start calling it like it is. Rhetorical representations of "cyber war" in the absence of neither observable, kinetic effects nor the political palatability to declare heightened conflict distorts the nature of the digital domain and sends mixed signals. Physical effects will not always be the minimum threshold for defining war, but it is the prevailing standard in most jurisdictions today.

Likewise, repeated analogies to historical acts of war are not just often ill-conceived, they also distract us from the more likely threats, such as subtle data manipulation and targeted anti-integrity attacks against industrial control systems that have already cost companies millions of dollars to recover from and puts peoples' safety at risk. And calling certain operations an "attack" when the actors intentionally refrained from pulling the trigger grants them domestic and international license to dismiss evidence as propaganda and continue to grow their access into our most critical networks.

Lastly, short of war, cyber activities almost always benefit the aggressor because their behavior is ungoverned by international law or diplomatic norms. Some technology executives representing the likes of Microsoft, Facebook, and Cisco recently called for a Cyber Geneva Convention to protect "innocent citizens and enterprises" from this gray area. We don't need a new charter, but we must adapt the existing one to account for sub-war activities in cyberspace that hold nonmilitary targets, and therefore civilians, at risk. In this regard, tech companies, not government appointees, must be our most vocal and active ambassadors.

We're not at cyber war, but a sub-war battle is raging. Industry, government, and civilization as a whole must work together to reverse this norm.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dave Weinstein is the chief security officer of Claroty. Prior to joining Claroty, he served as the chief technology officer for the State of New Jersey, where he served in the Governor's cabinet and led the state's IT infrastructure agency. Prior to his appointment as CTO he ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
10/8/2018 | 11:53:29 AM
Interesting piece
Although the cyber risk can cause real harm (how many lives were impacted by WannaCry affecting NHS for days? ). There is a tendency to over market the risks we are facing.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.