
Strife

The Academic Blog of the Department of War Studies, King's College London


Cyber Security

Offensive Cyber Series: Dr Daniel Moore on Cyber Operations, Part II

June 11, 2021 by Dr Daniel Moore and Ed Stacey

Photo Credit: Ecole polytechnique / Paris / France, licensed with CC BY-SA 2.0.

This is part II of Ed Stacey’s interview with Dr Daniel Moore on cyber operations for Strife’s Offensive Cyber Series. You can find Part I here.


ES: Thinking about alliances more broadly, what sort of opportunities and challenges do allies face when conducting joint operations in cyberspace?

DM: Allied operations on networks – I am not a fan of cyberspace – are contentious as well. They are a good measure more sensitive than any conventional equivalent that you can think of. It is not like having a joint military operation: it means putting your sensitive infrastructure and capabilities on the line alongside an ally. That is not to say it does not happen and there have been documented cases which were purportedly joint operations by multiple countries. So I think it will happen, but there are complexities involved. I know that NATO has already declared that they are together, as an alliance, bringing forward cyber capabilities that they will use jointly. I welcome that declaration, even if I am sceptical as to what it actually means.

I would tend to believe that, considering how porous NATO is as an entity and how there are varying levels of trust within NATO, truly sensitive capabilities will be kept off the table by individual member states in favour of their own arsenals and sets of strategic capabilities. This is not to say it is not possible, but it is unlikely that at a NATO level you will see joint operations that are truly strategic in nature. What you might see is allied members that are operating together. I do not think that, for example, a joint UK-US operation against a target is out of the question, especially if one brings a certain set of capabilities to the table and one brings others – somebody gives the tools, this unit has the relevant exploits, this intelligence organisation had already developed access to that adversary and so on. Melding that together has a lot of advantages, but it requires a level of operational intimacy that is higher than what you would be able to achieve at the NATO alliance level.

ES: Moving beyond the state, what role does the private sector play in the operational side of offensive cyber? Do we have the equivalent of private military contractors in cyberspace, for example?

DM: There is a massive role for the private sector across the entire operational chain within offensive cyber operations. I would say a few things on this. Yes, they cover the entire chain of operations and that includes vulnerability research, exploit development, malicious tool development and then even specific outfits that carry out the entire operational lifecycle, so actually conduct the intrusion itself for whatever purposes. In some cases, it is part of an industrial-defence complex like in the US, for example, where you have some of the giant players in defence developing offensive capabilities, both on the event- and presence-based side of things. And ostensibly you would have some of those folks contributing contractors and operators to actually facilitate operations.

But in other countries that have a more freeform or less mature public sector model for facilitating offensive cyber operations, the reliance on third party private organisations is immense. If you look, for example, at some of the US indictments against Iranian entities, you will see that they charged quite a few Iranian private companies for engaging in offensive cyber operations. The same happens in China as well, where you see private sector entities engaging in operations driven by public sector objectives. In some cases, they are entirely subsumed by a government entity, whereas in others they are just doing work on their behalf. In some cases, you actually see them use the same infrastructure in one beat for national security objectives, then the workday ends and they pivot and start doing ransomware to get some more cash in the evenings – using the same tools or infrastructure, or something slightly different. So, yes, the private sector plays an immense role throughout this entire ecosystem, mostly because the cost of entry is low and the opportunities are vast.

ES: Just to finish, you have a book coming out soon on offensive cyber. Can you tell us anything about what to expect and does it have a title or release date yet?

DM: The book is planned for release in October. It will be titled Offensive Cyber Operations: Understanding Intangible Warfare, and it is basically a heavily processed version of my PhD thesis that has been adapted, firstly, with some additional content to reflect more case studies, but also to appeal to anybody who is interested in the topic without necessarily having a background in cyber or military strategy and doctrine. So it is trying to bridge the gap and make the book accessible, exactly to dispel some of the ambiguities around the utility of cyber operations. Questions like: how are they currently being used? What can they be used for? What does the “cyber war” narrative mean? When does an offensive cyber operation actually qualify as an act of cyber warfare? And, most importantly, what are the key differences between how different countries approach offensive cyber operations? Things like organisational culture, different levels of maturity, strategic doctrine and even just circumstance really shape how countries approach the space.

So I tackle four case studies – Russia, the US, China and Iran – and each one of those countries has unique advantages and disadvantages, they bring something else to the table and have an entirely different set of circumstances for how they engage. For example, the Iranians are incredibly aggressive and loud in their offensive cyber operations. But the other side to this is that they lack discipline, their tools tend to be of a lower quality and while they are able to achieve tactical impact, it does not always translate to long-term success.

The US is very methodical in its approach – you can see, taste and smell the bureaucracy in every major operation that it does. But that bureaucratic entanglement and the constant tension between the National Security Agency, Cyber Command and other involved military entities results in a more ponderous approach to cyber operations, although those organisations obviously bring a tonne of access and capability.

With the Russians, you can clearly see how they do not address cyber operations as a distinct field. Instead, they look at the information spectrum more holistically, which is of pivotal importance to them – so shaping what is “the truth” and creating the narrative for longer-term strategic success is more important than the specifics. That being said, they are also one of the most prolific offensive actors that we have seen, including multiple attacks against global critical infrastructure and various aggressive worms that exacted a heavy toll from targets. So for Russia, if you start looking at their military doctrine, you can see just how much they borrow, not only from their past in electronic warfare but also their extensive past in information operations, and how those blend together to create a broader spectrum of information capabilities in which offensive cyber operations are just one component.

And finally, the Chinese are prolific actors in cyber espionage – provably so. They have significant technical capabilities, perhaps somewhat shy of their American counterparts but they are high up there. They took interesting steps to solidify their cyber capabilities under a military mandate when they established the Strategic Support Force, which again – like the NCF – tried to resolve organisational tensions by coalescing those capabilities. But they are largely unproven in the offensive space. They do have an interesting scenario on their plate to which cyber could and may play a role, which is any attempt at reclaiming Taiwan – something I look at extensively in the book and how that shapes their offensive posture.

So the book is a combination of a broader analysis of the significance of cyber operations and then how they are concretely applied by different nations for different purposes.


The next interview in Strife’s Offensive Cyber Series is with Amy Ertan on AI and military innovation. It will be released in two parts on Thursday 17th and Friday 18th June 2021.

Filed Under: Blog Article, Feature, Series Tagged With: cyber, Cyber Operations, Cyber Security, daniel moore, Dr Daniel Moore, ed stacey, offensive cyberwarfare, offensive cyberwarfare series, Series, Strife series

Cyber Security in the Age of COVID-19: An Interview with Marcus Willett

July 10, 2020 by Ed Stacey


The World Health Organisation has reported a fivefold increase in cyber attacks during COVID-19 (Image credit: Getty Images)

On 22 April 2020, Ed Stacey sat down with Marcus Willett to discuss his recent article for the International Institute for Strategic Studies (IISS). Marcus’ analysis draws parallels between the current coronavirus crisis and global cybersecurity challenges and warns against the Balkanisation of either response. In this exclusive interview, he expands on his thinking.

For more information on the IISS and the latest analysis of international security, strategy, and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org), and Instagram (@iissorg).

ES: In your article, you explore the idea of a global cyber ‘pandemic’ – what do you mean by this?

Marcus Willett: What the article tries to show is that we like to take a lot of language in the world of cybersecurity from the world of dealing with medical crises – like the horrible one we are currently facing. For example, terms like virus and infection. However, what we have not started doing is using words like endemic and pandemic. The article was merely trying to go that extra step and consider the applicability of these words to what is happening in cyberspace. If you just look at cyber-criminality, for instance, techniques that were developed by people in the most advanced and connected nations have now spread, and are being used, all over the globe, by individuals, hacktivist groups, criminals and, of course, states.

Sitting here at the moment, if a cybercriminal was to try and defraud us, that criminal is as likely to be in Eastern Europe, or Nigeria, or Vietnam, as anywhere else. So what I was trying to show is that the use of cyber has spread globally and that you can get infected – through your network or your device – from anywhere around the globe. ‘Pandemic’ feels like quite a good word to describe that phenomenon, particularly since we are all using it at the moment.

ES: Is there a cure for the cyber pandemic?

Marcus Willett: I do not think there is a silver bullet-like vaccine; a cure is more about how nations might approach the problem. The trouble with people who have worked in my sort of background is the thinking that there is always, waiting for you, some technical silver-bullet – a wonderful technical solution that will solve the world’s problems when it comes to cyber. I do not think that is right.

If you think about offensive cyber, for example, the incentives are not great for states to talk about their most sensitive capabilities. This is because the most advanced states still think they have got such an advantage in terms of cyber that it does not make sense to reveal what they have developed to the world. But I believe states need to start a dialogue about the risks involved in some of these cyber capabilities, building on stuff that is already being done around developing norms of behaviour, to think about how we might better manage them.

So, I think a cure is more in the territory of better understanding the risks and better managing those risks than pursuing technical solutions. And the only way we are going to get to that is to recreate the sort of cooperation we see with the response to the current health pandemic. Additionally, I think that the best way of having those sorts of conversations is not to start at the most difficult end, which is, say, to try and work out some big deterrence theory and proliferation control treaty around offensive cyber capabilities. Because that is going to get silence from some of the big actors from the very beginning.

Instead, it is better to pick an area like cybercrime, where all states have a vested interest in trying to combat the defrauding of their economies and use that as a way to start the dialogue between states about how we can better manage these risks. Always, however, with the goal of an internationally agreed regime over what is a responsible use of cyber capabilities. The same way we have ended up with the understanding that it is generally unacceptable that people use barrel bombs and cluster bombs – that a guided missile is more acceptable.

ES: Is the United Nations (UN) the best space for this dialogue to take place?

Marcus Willett: Whilst it needs to be under the auspices of the UN, I cannot help but feel there is a certain group of nations that need to start the conversation. I would love to see, particularly, the Americans and the Chinese talking about cybercrime. That would start a dialogue that might help bring some of the conversations they are having around technologies – take Huawei, for example – into a better place – and where they need to be. If we carry on with this sort of competitive conversation around the future of cyberspace, I think we will end up with results that are not very good for likeminded nations like ourselves and our allies.

ES: Russia has been quite active at the UN on cybercrime. Do you see their recent proposal as a viable alternative to the Budapest Convention?

Marcus Willett: One of the reasons I suggested the US and the Chinese was to draw that distinction with the Russians, who are quite fond of coming to the UN with grand proposals that are, frankly, a little bit transparent. I did a conference in Berlin last year on a panel around cyber and question number one from the audience came from the Russian cyber representative to the UN Group of Governmental Experts (GGE). She laid out, not a question, but a statement about how the Russians were the good guys around cyber, claiming that they had been arguing for all sorts of things – like the cybercrime treaty you just mentioned – and for the outlawing of any military use of cyber capabilities. This was just after the Skripal incident and when that GRU unit was exposed at the Hague. So you can imagine how the Dutchman to my right reacted; it was an ‘actions speak louder than words’ situation.

A more realistic conversation with the Russians, since a lot of cyber-criminality emanates from bits of their territory, would be around legal jurisdictions and Mutual Legal Assistance in Criminal Matters (MLAC) arrangements – to try and get their assistance in pursuing some of this criminal activity. As you know, they are very unlikely to agree to that. And these are difficult conversations because they are likely to end up in accusation and counter-accusation.

I like the idea of the Americans and the Chinese talking about it; both with a vested interest, both without the past of being connected to cybercriminal gangs. That has got a higher chance of success. Yes, the Russians need to be brought into those sorts of conversations, but I would not start there because, again, it feels like too difficult territory. Cybercrime between the US and China: easier territory. Cybercrime with Russia: very difficult territory. Offensive cyber and military capabilities: very difficult with everybody. It is about trying to find those baby steps.

ES: Is cooperation between the US and China on cybercrime possible in the current context of the ‘tech war’?

Marcus Willett: What I am trying to argue is that there is more potential for a conversation around cybercrime than there is for a conversation on anything else, given the context of the tech war. It would be the best way of starting a dialogue because it is a rare area of mutual interest. Of course, you would have to start the conversation with a very clear definition of what you meant by a ‘cybercriminal’. But there are millions being defrauded from the Chinese economy by cybercrime, just as there is from the US economy; they are both targets of cybercriminals. So, you have got a better chance of starting a conversation there than anywhere else.

Does that feel overly idealistic given what is going on? I would have thought there was a chance if you just had the tech war or even just the trade war. However, if this escalates into finger-pointing around COVID-19 and an inquiry turns into making China some sort of a pariah state, it would be less likely. And you can see already how some of the stuff coming out of the White House is only going to antagonise the US’ relationship with China even more. So, no – perhaps the prospects are not as good as they were a few months back, but it is about more than just the tech war.

ES: Why do states such as Russia and North Korea use cyber organised criminal groups (OCGs) – either by shielding or cooperating with, and perhaps even masquerading as, them – to augment their cyber capability?

Marcus Willett: Something you said earlier resonated with me. When you alluded to the issue of defining cyber-criminality and the Russians perhaps having a slightly different idea. I remember the same sort of trouble around early attempts to talk with the Chinese about counterterrorism. You had to be very careful to define what you meant by terrorism for them not to think that that was an excuse to go after Uighurs in their own country. For the Russians, unless you are very careful about defining cyber-criminality, for them, people that we might call cybercriminals are patriotic hackers – an extension of the Russian state. That definitional point is a problem.

Another thing to note is the sophistication of some of the capabilities that have been developed by the organised criminal fraternity. In a good, realpolitik way, a state like Russia can see an advantage in these sorts of capabilities being developed by people sitting on its own soil. As you know, beyond cyber, plenty of corruption goes on between criminal gangs and the Russian state – and has done for centuries.

I lived in Moscow in 1983-84 as a student, during the height of the Cold War. And even though you could not read about it in the press, every Russian you spoke to knew that all sorts of arrangements were going on between the Soviet government and people they called mafia bosses – the mafia boss in Leningrad, as it was then, or the mafia boss in Moscow. There was the official world and then there was what really happened. So, I cannot help feeling – as so often in cyber – what you see being played out in cyberspace is actually a reflection of what has been going on for a long time in the real world. Sorry to use this phrase and be the first one to use it, but cyber is just a new domain for old-age stuff. It is an accident of history and culture, going back through Tsarist times, that some slightly shady stuff goes on between the Russian state and parts of its population. Why should we be surprised to see that being played out in cyberspace?

In terms of the other point you are making, which is that some states pick up a modus operandi that makes them look like cyber OCGs – and I think you are mainly referring to North Korea there. Well, I wonder if that is out of choice or whether it is simply the case that the level of sophistication that they are able to attain is that of a cybercriminal group.

North Korea is a very interesting example. Everybody knows that they were behind WannaCry and the hack on Sony Pictures, and that they have been trying to defraud the global banking system – Swift and so on. I put it to you that North Korea is not able to do much more than that given its own massive vulnerabilities. For example, the number of connections that come out of North Korea to the global internet is extremely few, and so, for that reason, it often deploys its operatives overseas. It would certainly need to do that if it got involved in any sort of conflict, as it would have no chance of running offensive cyber operations from within its own territory if it was up against a capable cyber actor.

In other words, North Korea has had to develop these more distributed, low-level capabilities. I do not think they are deliberately trying to make themselves look like cybercriminals, it is just that is the sort of capability they know they can use and have access to.

Countries like North Korea and Iran have learnt from what other countries have done in cyberspace, which is perhaps not the lesson that was intended; it certainly was not the lesson intended for Iran around Stuxnet. They saw this activity and thought: ‘Oh, that is interesting. What could we do in cyberspace? And would that give us a reach beyond our own region that we have no chance of achieving with any of our other capabilities? Does it give us a reach even into the great Satan – the US?’. And lo and behold, it does. Their attacks are not going to be of the level of sophistication that can bring down the US’ Critical National Infrastructure (CNI), but they can have strategic effect. Whether that is propaganda effect or just being an annoyance, it nevertheless can be used to say to their citizens: ‘Look, we can do harm to the US’.

It is the famous point about cyber, that what can look like unsophisticated capabilities can proliferate and be picked up easily by states, from groups like cybercriminals, and then utilised to have a strategic effect in the mainland of a superpower, in a way that they previously could not. So, North Korea, and I would add Iran, are very interesting studies in some of the risks associated with the proliferation of cyber capabilities.

Sitting in the back of our minds, always – and this is the other thing big, cyber-capable states need to talk about – is the proliferation of some of those more destructive capabilities to terrorist organisations, and what that could mean. Everybody always assesses international terrorist groups when they look at threat actors in cyberspace. And the answer for years has been: ‘They know about the potential; they are interested and looking for it, but they do not have it’. And so, every assessment ends with: ‘So there is no need to worry about them at the moment’. Well, that picture could change. If ever terrorists work out a means of delivering the same sorts of physical destruction that they can through the use of a bomb, with cyber means, that is a bad day for everybody.

ES: How real is the threat of a catastrophic cyber event?

Marcus Willett: Having talked about cyber-criminality, terrorism, and states realising the asymmetric advantages they can gain through cyber capabilities, nevertheless, these are not where I see the greatest risk of a cyber catastrophe. The greatest risk of a cyber catastrophe, in my mind, is what is happening every second of every day, with the reconnaissance and prepositioning by states against their potential adversaries’ CNI – infrastructure like power, transport, communications – the bringing down of which would have catastrophic humanitarian consequences, as well as technical dimensions. And, while I am sure no state short of a conflict situation would intend to do that, my worry is that – as has already been proven in WannaCry and NotPetya – states, in trying to either reconnoitre a network or preposition for a conflict scenario, may accidentally make a mistake.

Prepositioning is necessary because, to have an effect in a conflict situation, you cannot go from a standing start: you either have that presence in the network or you have not. In other words, you need to establish a presence in the network in peacetime to be able to have that capability should a conflict occur. So, states are not only doing reconnaissance, they are doing pre-positioning. And the chances of something going horribly wrong, I would say, are fairly high.

What worries me most about that is, even just the detection of that sort of activity – what some may define as a cyber attack – could cause escalation. And how states try and deescalate in a cyber catastrophe is still something we have not properly thought through. How a prime minister or a president would be brought into the discussions around such a technical subject, that had spilled out into real-world loss of life and escalation, in a way that could deescalate the situation, is an issue at the heart of where we need to get to around international conversations, under the auspices of the UN, for cyber.

My argument is that, although this is the biggest risk, you cannot start with this conversation amongst states. But you have to start the conversation somewhere, so have it about cyber-criminality. Do not be deceived, however, in forgetting that the biggest risk is the one I have just been through: a mistake by a state in cyberspace that is interpreted as a potential act of war. That is the biggest risk in cyberspace.

How likely is that sort of catastrophe? The sad thing is that we do not really know, except to say that it is probably more likely than we should be comfortable with. The problem is we still do not properly understand what is happening in cyberspace. But there is lots of reconnaissance and prepositioning going on, all the time, by states, against each other’s CNI. Do not be deceived as to what is reported in the press about there having been 200 cyber attacks in the last ten years, or whatever the figure is. It all depends on what you mean by a cyber attack.

ES: Your comment on translating technical information to world leaders really resonates with President Trump in the White House. With a lack of precedent for escalation in cyberspace, there is no knowing if and how he might act.

Marcus Willett: Unfortunately, if you are an official in the US administration at the moment, you know you dare not mention the word cyber to President Trump. Because – and this is a massive generalisation – to him, all he can equate cyber with is: ‘The hacking into of our electoral processes and people saying that cyber is the reason I got elected’. Whilst he has made statements about the use of cyber in the past, I know from private conversations with ex-colleagues who are in those positions, that cyber is a subject you have to handle very carefully. Otherwise, you press the wrong button with the President, and it ends up not being a conversation, but the receipt of an earful. So, it is a huge challenge.

ES: And finally, in the context of the coronavirus crisis – and discussions around sovereign capability, national tech companies, supply chains, and so on – is the Balkanisation of the internet preventable?

Marcus Willett: This is a very interesting question. Balkanisation, or even bifurcation of the internet, which is the other phrase that is thrown around, is the concept of two internets. One model is what we have at the moment: multi-stakeholder governance, free, with a balance between states, NGOs, the private sector and techy-coders; and then how that internet is developed and run, with a balance between the rights of individual citizens, the private sector and governments. And the second model, which is being pushed by the Chinese and the Russians, which entails greater state control over sovereign cyberspace. This can sound like just a technical issue, but the implications for how the global economy works, for example, are massive.

Why would states not want more control over the threats to them and their own sovereign bit of cyberspace? Well, the net result may be, instead of having a conversation about how you can achieve control with a single internet and a single global economy, you end up with two separate versions, then three, or four, and so on. And do not forget what the word Balkanisation means: it is the disintegration into individual components that compete, or even conflict. And if there were two separate internets, one Chinese and one US, broadly speaking (although there is talk of a RU.net and the Iranians have invested quite a lot of money into trying to develop their own intranet) the current risks around cyber that I described earlier, between states, become even greater.

Imagine if you had no vested interest in that other internet: it is not connected to your economy; none of your CNI is dependent upon it. What would the incentive then be for states to restrain themselves around their use of cyber capabilities?

That is my worry about Balkanisation and why I fear a tech war, to which the only solution is to ban bits of tech from your own networks, ends up being self-defeating. Not only immediately, as you can see with all the US tech providers, for example, going to the White House saying: ‘Do you not realise what that does to our own economy and our ability to export into those markets?’. That is almost putting an Iron Curtain down that virtual world of the internet. And if you think about how dependent we are all becoming – with the Internet of Things, smart cities, and smart homes, and so on – that virtual curtain could only be followed by a real-world equivalent. I think it is incredibly short-sighted, and it can only lead to increased risk geostrategically.

Having said all that, if you are sitting here in a place like the UK you speak with two different voices. You certainly support the idea of a single, multi-stakeholder, free internet. But Ministers also worry about the UK’s ability to deal with terrorists and cybercriminals in its own bit of cyberspace because of issues such as the spread of ubiquitous encryption by big US tech companies. So, the UK also has a sovereign problem around understanding some of the biggest threats in cyberspace. It is a difficult question to answer, which becomes especially challenging for a middle-ranking country like the UK: one that instinctively does not want to see Balkanisation and cyber sovereignty, but also wants a bit more sovereign ability for national security reasons, over its little bit of cyberspace. It is a fascinating subject that is, I think, just going to roll. But I do not like the idea of banning tech from your own network; it is unrealistic and just not the way to go.

In some ways, the US has hit the strategic thing that is going on: a global competition about how the internet in the future will be developed, between itself and China – its main rival in this space. That is the big strategic point. And though the UK may not have woken up to that issue, the US tactic feels wrong. The UK tactic, ironically, perhaps not having recognised the strategic issue, feels better. And for those who love their deterrence theory, this is the idea of deterrence through entanglement – which everybody debates whether it really works or not. The notion that a potential adversary entangled with the global economy and in global cyberspace, is far easier to deter from bringing down that economy and that cyberspace than it would otherwise be.

And one more thing: look at this from China’s perspective. China is desperately dependent on eight US companies for how it runs its own networks. You could list them: Microsoft, Qualcomm, IBM, Intel, Cisco, and so on. They call them the eight guardian warriors. Yes, China does talk about having its own internet and ‘the Great Firewall’, and all that sort of stuff. But interestingly, two of those eight companies – Microsoft and Cisco, I believe – sit on China’s cybersecurity internal standards-setting body. IBM and the Bank of China develop technology supporting trillions of dollars of financial transactions around the globe. The People’s Liberation Army (PLA) uses Microsoft. I mean, that is just how it is – they are thoroughly entwined. Why would you try and persuade the Chinese that the better solution is for them to start developing everything indigenously; to not use anything American and wipe out half of the world’s population from your markets? I mean, why would you do that?


Ed Stacey is a BA International Relations student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.

Marcus Willett CB OBE is a Senior Adviser at the IISS. He helps to develop and deliver a programme at the IISS that researches the use of cyber and related technologies as levers of national power, including their role in future conflict. His initial focus is on developing a methodology for measuring cyber power to assist national-level decision-making.

Filed Under: Blog Article, Feature, Interview Tagged With: Covid, COVID-19, Cyber Security, Cybersecurity, ed stacey, iiss, international institute for strategic studies, marcus willett, Pandemic

Strife Series on Cyberwarfare and State Perspectives, Part III – The argument for a more critical analysis on the United States

July 23, 2018 by Shivali Bhatt

By Shivali Bhatt

Military Operation in Action, Soldiers Using Military Grade Laptop Targeting Enemy with Satellite (Credit Image: Gorodenkoff / Stock Image)

A critical line of argument regarding cyber warfare today is that it has supposedly brought about contextual changes that challenge the balance of power in the international system. The broad consensus is that large, powerful states, like the United States, are losing leverage against those traditionally deemed small and weak. According to an article published earlier this year on the World Economic Forum’s Global Platform, the rising domain of cyber warfare can be seen as having a levelling effect: any state or non-state entity with access to the Internet and digital technology can develop powerful cyber weapons. At the same time, some news sources have claimed that the much-anticipated cyberwar is already underway, and that the United States is not ready for it or will most likely lose. The simplistic nature of such discourse leaves no room for a more critical understanding of the factors that shape the nature and reality of cyber warfare. This article critiques these narratives by analysing the factors that influence the strategic efficacy of cyberwarfare, and contextualises those factors against the current state of cyberwarfare in the United States.

The United States is the most powerful state in the world, particularly regarding its military and intelligence capacity. President Trump elevated U.S. Cyber Command to a Unified Combatant Command earlier this year.

 

The importance of intelligence and collaboration

While it takes considerable skill and effort to develop a powerful cyber weapon, the most complicated part of the process is its application or deployment. It is this stage that determines the extent to which a cyber operation will yield strategic leverage for a state, and it is a stage that relies on intelligence agencies and international alliances. In other words, cyber weapons are generally one part of an extensive collection of capabilities.

Theoretically, the state with the best-resourced and best-connected intelligence community will reap the greatest strategic benefits from cyberwarfare, provided it is an active political player in global affairs. The more in-depth and holistic the collection and analysis of intelligence, the smarter the offensive cyber strategy. In this context, the United States has notable leverage. The U.S. spends approximately $1 trillion on establishments and organisations that serve a national security purpose, and its intelligence community spans seventeen federal agencies. Moreover, these agencies have closely woven relationships with a large number of services in other states, with bases and ground-level operatives in over forty countries, including Israel and the United Kingdom. As the NATO CCDCOE’s Locked Shields exercise demonstrates, cyberwarfare is a multi-dimensional domain shaped by the nature of cooperation and collaboration between states. The Stuxnet worm, for instance, was reportedly deployed with the assistance of the CIA’s partners in Israel, assets that were crucial to such a clandestine and sensitive operation. These practical requirements for implementing cyberwarfare strategies explain why the U.S. remains, and is likely to remain, a dominant player in the field.

 

The broader political context

Given that cyberwarfare is one aspect of broader political strategy, states that are regularly engaged in international affairs are more likely to set the context for cyber-attacks. The United States is considered extremely influential, while North Korea, regardless of how large, fast-growing or highly skilled its ‘cyber army’ appears, remains a back-seat driver. Narratives that present North Korea as a case study exemplifying the ‘levelling effect’ often rest on fragmented arguments divorced from that context.

It is useful to consider how economics and politics are woven into the strategic context of cyber warfare, given that a prime part of developing a cyber warfare strategy involves gathering in-depth knowledge of a person or situation. Just as former President Obama’s administration exploited the weaknesses of Russia’s economy by imposing heavy sanctions against Moscow in 2014, Washington could gain a notable edge by targeting Putin’s private affairs offshore, with consequences determined by the extent to which those private affairs bear on Russia’s domestic political context. According to a National Bureau of Economic Research paper, Russian offshore holdings total approximately $800 billion to $1.3 trillion, most of which belongs to President Putin and his associates. This wealth has contributed to his political power and his ability to maintain authority in Russia, enabling him to govern and preside over state institutions and the secret police. Targeting these foreign assets would be a strategic application of U.S. cyber power.

 

Underlying factors

In this discussion, it is useful to recognise the longer-term damage that traditional military weapons can inflict on both intellectual and physical infrastructure, and that cyber weapons have not yet demonstrated a comparable ability. At the same time, the Stuxnet weapon and later malware aimed at industrial control systems, such as the relatively recent Triton (which targeted the safety systems of an industrial plant), can act as catalysts for broader military strategy. However, the accurate deployment of such a weapon not only requires significant skill and resources, both of which are usually available only to wealthier economies, but can also go wrong. In the case of Stuxnet, several sources reported that the Americans and Israelis ‘lost control’ of the weapon.

It goes without saying that the United States is a powerful influencer in the world today, especially in a context of increasing globalisation and digital technology. Many concepts, processes and forms of cultural embedding would also need to be in the firing line for the ‘levelling’ argument to hold any traction in the longer term.

 

Conclusion

Today, it is popular to treat cyberwarfare as a rising domain that challenges all the pre-existing tenets of global politics, with the narrative being that weaker states such as North Korea are on the rise and powerful ones such as the United States should watch their backs. However, such arguments tend to disregard the deeper aspects of warfare analysis: the power of alliances, the broader context, and particularly the underlying factors found in societal structure and culture that existed before the advent of the digital age. While cyber warfare has proven to be a powerful mechanism, its capacity to threaten powerful actors like the United States needs to be assessed through a more critical lens. Doing so will also help to conceptualise its strategic worth in comparison with more conventional methods of warfare.

 


Shivali is currently pursuing her MA Intelligence and International Security at Department of War Studies, King’s College London. She is also a Series Editor at Strife, as well as a Creative Writer at cybersecurity startup PixelPin, where she contributes articles on ‘Thought Leadership’, encouraging readers to approach security issues through innovative means. Prior to that, she spent some time in Hong Kong under the InvestHK and EntrepreneurHK organisations, engaging with the cybersecurity and tech scene on the East Coast. Her core research interests include modern warfare and contemporary challenges, cybersecurity, and strategic policy analysis. You can follow her on @shivalixb


Image Source: https://www.istockphoto.com/gb/photo/military-operation-in-action-soldiers-using-military-grade-laptop-targeting-enemy-gm879913090-245205517

Filed Under: Blog Article Tagged With: Cyber Security, cyber warfare, intelligence, Strife series, tactical, USA

Strife Series on Cyberwarfare and State Perspectives, Part II – Deception in Cyberspace: Nation States and False Flag operations

July 19, 2018 by Amy Ertan

Examining the use and effects of false flags in nation state cyberattacks, and how geopolitical analysis may add value to attribution efforts.

By Amy Ertan

Credit Image: sangoiri (123RF)

 

‘The Problem of Attribution’

The problems of cyber attribution form a labyrinth that continues to trouble everyone involved in cyber defence and wider security. Determining what has taken place, to whom and by whom is a process that lacks repeatability and often any clear answer. Nonetheless, the value of attribution makes it an indispensable exercise on which to concentrate resources. Without the ability to tie a cyber-attack to an individual, group or nation state, there can be no political or legal enforcement of regulation and no counter-action. This is a major limitation in international relations at a time when cyber activity continues to grow and to influence diplomacy and conflict. What some may consider a technical investigation has therefore shown itself to be a major geopolitical problem. As Thomas Rid summarises, ‘attribution is what states make of it’.
 

Introducing False Flags

Attacks by nation state actors present unique challenges that further complicate attribution. Among other factors, the use of ‘false flags’, where an attacker pretends to be someone other than themselves, is a tactic for ‘framing’ other threat actors. A false flag operation could be as simple as malicious ‘marketing’: inserting imagery that appears to show another threat actor claiming responsibility. It could equally be as simple as inserting strings in another language into the malware or its metadata. From 2012, Iranian hackers used Arabic rather than Farsi when attacking US banks, while the suspected North Korean state-sponsored Lazarus Group is known for attempting language imitation. As well as helping attackers avoid detection, false flags may be used as a form of manipulation, directing the victim’s attention towards third-party actors. Should investigators fail to recognise false flags for what they are, they may misattribute an attack, which may extend to misdirected retribution.
 

Nation State Case Study: Russia

False flag operations are not a new aspect of Russian military strategy. The justification for deception can be traced through Russian doctrines such as ‘provokatsiya’ (‘provocation’), whereby agents act surreptitiously to produce covert political effects that help Moscow while damaging Moscow’s enemies. The further doctrine of ‘maskirovka’ specifically concerns deceiving victims while hiding the true intent of operations, complementing the ‘konspiratsiya’ (‘conspiracy’) doctrine and Russian espionage tradecraft. These themes were displayed most obviously during and after the Cold War, so it is perhaps unsurprising that the same intelligence tradecraft has produced cyber false flags acting as ‘the Kremlin’s hidden cyber hand’. These tactics further Russian geopolitical goals, typically through attacks against Western governments. Election interference is a clear example, with intrusions around the French and US elections attributed to suspected Russian actors. Similarly, the NotPetya attacks, which the US, UK, Canada, Australia and New Zealand publicly attributed to Russia, may be understood as part of a wider Russian state disregard for Ukrainian sovereignty.

In 2015, ‘Cyber Caliphate’ jihadist propaganda flooded TV5Monde’s social media during a destructive cyberattack, an act ultimately traced to the Russia-based ‘Fancy Bear’ group, which has links to Russian military intelligence. The flag was relatively simple: a fake online persona, a tactic mirrored by separate Russian threat actors with the ‘Guccifer 2.0’ persona in the 2016 DNC hack. These examples highlight a few Russian threat actors using false flags, alongside the ‘DC Leaks’ and ‘Shadow Brokers’ personas.

During the 2018 Winter Olympics, the Games’ IT systems were temporarily disabled, with Wi-Fi, display monitors and the official website unavailable. Analysts concluded that Russian actors had used North Korean IP addresses and attempted to forge malware used by Lazarus Group, a flag uncovered because the forged header in the malware was inconsistent with the rest of the binary. Analysts looked beyond the technical information to argue that the attack was designed to gain attention, where the perpetrators ‘wanted to be discovered… as Lazarus Group’, concluding that this attack was likely ‘setting the stage’ for further campaigns. Russia’s actions were assumed to be linked to its enforced non-participation in the event, alongside wider geopolitical tensions.
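One concrete form of the header inconsistency described above is the ‘Rich’ header that Microsoft’s linker embeds between the DOS stub and the PE header of a Windows executable. The example below is added here and is not from the original article or from any vendor’s published analysis of the Olympic incident; the exact inconsistency the analysts found is not reproduced, and the code demonstrates the general principle only. The Rich header records the compiler and linker components used, XORed with a key that is a checksum over the file’s own DOS header and stub. A header copied from another group’s binary carries that binary’s key, so recomputing the checksum over the host file exposes the transplant. Both sample ‘binaries’ are constructed in code, and the product and build numbers in them are arbitrary placeholders rather than a real compiler table.

```python
"""Rich header consistency check for a PE file (added example; sample files
are constructed in code, and the comp.id values are arbitrary placeholders)."""
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = b"Rich"

# Constructed entries: (product id, build number, use count). Arbitrary values,
# not taken from any real toolchain table.
SAMPLE_ENTRIES = [(0x0104, 24215, 12), (0x0105, 24215, 3), (0x0103, 24215, 1)]


def rol32(value, shift):
    shift %= 32
    return ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF


def rich_checksum(dos_part, entries):
    """The key as the linker computes it: the offset of 'DanS', plus every byte
    before it rotated left by its offset (the e_lfanew field at 0x3C..0x3F is
    skipped), plus every comp.id rotated left by its use count."""
    cksum = len(dos_part)
    for i, b in enumerate(dos_part):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        comp_id = ((prod_id << 16) | build) & 0xFFFFFFFF
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def build_rich_header(dos_part, entries):
    key = rich_checksum(dos_part, entries)
    # "DanS" followed by three zero dwords, all XORed with the key
    out = bytearray(struct.pack("<IIII", DANS ^ key, key, key, key))
    for prod_id, build, count in entries:
        comp_id = ((prod_id << 16) | build) & 0xFFFFFFFF
        out += struct.pack("<II", comp_id ^ key, count ^ key)
    out += RICH + struct.pack("<I", key)  # "Rich" marker, then the key in clear
    return bytes(out)


def build_sample_pe(stub_text, entries, rich=None):
    """Minimal PE skeleton: DOS header, DOS stub, Rich header, PE signature and
    COFF header. When `rich` is supplied it is pasted in unchanged, which is what
    a header copied from another group's binary looks like."""
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + stub_text + b"\r\n$"
    dos_part = bytearray(64) + stub
    dos_part[0:2] = b"MZ"
    dos_part += b"\x00" * (-len(dos_part) % 4)  # Rich header is dword aligned
    if rich is None:
        rich = build_rich_header(bytes(dos_part), entries)
    e_lfanew = len(dos_part) + len(rich) + 8
    struct.pack_into("<I", dos_part, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x102)
    return bytes(dos_part) + rich + b"\x00" * 8 + b"PE\x00\x00" + coff


def parse_rich(data):
    """Locate and decode the Rich header and report whether its key matches a
    checksum recomputed over this file's own DOS header and stub."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(RICH, 0, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    start = rich_pos - 4  # walk back dword by dword to the XORed "DanS" marker
    while start >= 0 and struct.unpack_from("<I", data, start)[0] != (DANS ^ key):
        start -= 4
    if start < 0:
        return None
    entries = []
    for pos in range(start + 16, rich_pos, 8):
        comp_id, count = struct.unpack_from("<II", data, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries,
            "checksum_ok": rich_checksum(data[:start], entries) == key}


def make_genuine():
    return build_sample_pe(b"This program cannot be run in DOS mode.", SAMPLE_ENTRIES)


def make_forged():
    """Transplant the genuine file's Rich header (key included) into a file with
    a different DOS stub, as an attacker imitating another toolchain might."""
    genuine = make_genuine()
    rich_end = genuine.rfind(RICH) + 8
    rich_start = rich_end - (16 + 8 * len(SAMPLE_ENTRIES) + 8)
    return build_sample_pe(b"Another program entirely.", SAMPLE_ENTRIES,
                           rich=genuine[rich_start:rich_end])


if __name__ == "__main__":
    for name, blob in (("genuine", make_genuine()), ("forged", make_forged())):
        info = parse_rich(blob)
        print(f"{name}: key=0x{info['key']:08x} checksum_ok={info['checksum_ok']} "
              f"entries={info['entries']}")
```

Run the file directly to see both verdicts; on a real executable, pass its bytes to `parse_rich`. A matching checksum does not prove the header is genuine, since an attacker who recomputes the key after pasting passes this check, so it is one indicator to weigh alongside others, which is the article’s wider point about technical evidence.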

A Strategic Approach

Attribution capabilities are currently highly asymmetric, with only a handful of states thought capable of attributing cyberattacks with high confidence. Given the typical characteristics of false flag indicators, technical analysis is necessary but not sufficient for attribution, for three reasons. Firstly, relying on attackers making errors in order to identify a false flag is unreliable. Errors such as poor language translation are unlikely to be repeated often in the long term, given the capabilities of nation states dedicated to achieving their cyber goals. Secondly, nation states and state-sponsored groups are the most able threat actors. As offensive actors, states will often have multiple cyber units, distributed command-and-control servers and the resources to continually update sophisticated evasion techniques, which makes them considerably harder to detect and attribute than their less skilled, purely criminal counterparts. Finally, the technical indicators of compromise for an incident often look the same regardless of who was behind it. Technical analysis, even when conducted by the most sophisticated and capable of actors, may not yield actionable intelligence.

To understand false flag operations driven by nation-state actors, one must understand the context in which the attack took place. Professor Thomas Wingfield argues that ‘strategic attribution – fusing all sources of intelligence on a potential threat – allows a much higher level of confidence and more options … strategic attribution begins and ends with geopolitical analysis.’ Geopolitical threat profiling and strategic intelligence functions therefore become entwined with the technical attribution operation.

 

Concluding Thoughts

As Symantec security analyst Vikram Thakur neatly summarises, ‘We think the future is going to get even more complicated with actors relying more and more on false flags… throwing another group [under] the bus from an attribution standpoint.’ False flags are a tool for nation states. Not only can they deceive, misdirecting attention from an attack, but they can change agendas, create imaginary threats, or be used to communicate between states that can detect subtle flags (as opposed to those that cannot). It is a task that matters: NATO CCDCOE has stressed that without sufficient attribution there cannot be official consequences. Getting to grips with the challenges of attribution and the counter-approaches available is a task that will weigh heavily in the context of the rising geopolitical tensions observable today across the globe.


Amy Ertan is a PhD researcher within the Centre for Cyber Security at Royal Holloway, University of London. Amy previously studied Philosophy, Politics and Economics at the University of Oxford, where she first developed an interest in international security. Amy was part of the winning team in Atlantic Council’s international relations / cyber security 9/12 competition, and was also awarded Cyber Security Student of the Year at the 2018 SC Media Awards. Her main research interests continue to focus on international relations and cyber-warfare, as well as emerging cyber security threats relating to artificial intelligence.


Image Source: https://www.123rf.com/photo_67396671_russia-spying-on-america-russian-hackers-threaten-us-computer-networks.html

Filed Under: Blog Article Tagged With: Cyber Security, hacking, Russia, Strife series, USA

Strife Series on Cyberwarfare and State Perspectives, Part I – Offensive Cyber Capabilities and Medium Powers: Two Case Studies

July 17, 2018 by Andreas Haggman

By Andreas Haggman

Credit Image: luzitanija (123RF)

 

Introduction

In recent years, traditional military capabilities have been supplemented by the development of offensive cyber capabilities. Examples have shown that effects can be achieved in both the kinetic (e.g. Stuxnet, BlackEnergy) and information spheres (e.g. Crimea, TV5Monde). However, discussions in this area are often predictable in the actors they consider. When commentators, in both the media and academia, talk about offensive cyber capabilities, it is usually in reference to a list of usual suspects: the US, Russia, China, North Korea and Iran are the primary state antagonists, with the UK, Israel and sometimes France cast in supporting roles. Anonymous and amorphous organised crime groups are often referenced as non-state actors, though the role of Anonymous seems to have subsided in the past couple of years.

This article seeks to highlight how offensive cyber capabilities augment the traditional capabilities of two lesser-mentioned state actors: Australia and Sweden. Although geographically distinct, both these countries can be classified as ‘medium powers’ who, in the words of Richard Hill, are ‘likely to have few resources to spare for the exercise of power beyond what is necessary to safeguard and, where possible, further its vital interest of territorial integrity, political independence and betterment.’ Importantly, in the context of cyber capabilities, both countries have declared either operational deployment of such capabilities or intent to develop them. This article discusses how cyber capabilities form part of both countries’ official policies and how these might be deployed for operational effect in their geopolitical contexts.

 

Australia

Australia published its first Cyber Security Strategy in 2016, which formally acknowledged the existence of Australian offensive cyber capabilities. In November 2016, Australian Prime Minister Malcolm Turnbull announced that the country had been conducting offensive cyber operations against ISIS targets. Australia therefore has a pedigree in the offensive cyber capability space and it also has a formulated policy on how these capabilities should be used: despite misplaced notions of deterrence expressed in the Cyber Security Strategy, later policy documents have stated that offensive cyber capabilities would be used to target cyber criminals.

Australia’s geopolitical situation means that this approach of deprioritising state-based threats to focus instead on non-state actors (even if some of these may have state backing) is likely the best use of its offensive cyber capabilities. Geographically, politically and economically, Australia’s most pressing concern is China: its attempted dominance of south-east Asian sea routes, its influence in Australian politics, and its large investments in Australian industry, particularly the mining sector. However, deploying offensive cyber capabilities against Chinese targets would not address any of these issues; they must instead be tackled through diplomatic, legal and economic means.

A better use of offensive cyber capabilities is therefore to target non-state actors and criminal groups. Against these targets, capabilities that cause disruption or enable better information gathering by law enforcement are more appropriate than capabilities that cause physical destruction. As an example, an extension of the Australian patrol boat scheme can be envisaged, in which Australia supports anti-piracy and anti-people-smuggling operations in the south Pacific and Indian oceans. Capabilities that tag dark web traffic so that it can be tracked can help identify the criminal actors who perpetrate these activities. Such capabilities may not be available to the island nations of the south Pacific, and Australia is well placed to contribute meaningfully with its own.

 

Sweden

Sweden published a national cyber security strategy in 2016 which contains provisions for ‘a robust capability to conduct active operations in the cyber environment.’ However, as early as 2013 a report on long-term strategic planning had advocated for Sweden to develop offensive cyber capabilities. This view was backed by several people in the Government, who assessed that Sweden had to keep pace with technological developments – if everyone else were acquiring offensive cyber capabilities, so should Sweden.

Similar to Australia, Sweden has an obvious adversary in its immediate neighbourhood: Russia. In this case, contemporary concerns about Russian behaviour (military manoeuvres, disinformation campaigns) are backed by a long history of conflict between the two countries; Russia is very much the old enemy. But throughout the 20th century Sweden also positioned itself as a paragon of neutrality, and all operational military activity has been strictly limited to UN peacekeeping missions. The utility of offensive cyber capabilities is less obvious in such missions, because the critical component is a physical presence on the ground, which has a securing and deterring effect. That presence cannot be achieved with cyber capabilities.

Instead, Sweden may find a peacetime outlet for its offensive cyber capabilities by using them as signalling devices. Russia regularly runs military flights provocatively close to, and sometimes within, Swedish airspace. One could envisage targeting one of these flights in a non-lethal way (for example by displaying a message on the pilot’s head-up display) to send a message about the maturity of Swedish offensive cyber capabilities and Sweden’s willingness to use them. A key caveat, however, is that the benefits of such an operation must be carefully weighed against its cost, particularly if zero-day vulnerabilities would need to be burned to achieve the desired effect.

 

Conclusion

Offensive cyber capabilities are not just the remit of great powers and rogue actors. Some states, such as Australia and Sweden discussed above, are technologically sophisticated yet perhaps do not have the remit to deploy cyber capabilities in the sort of arenas that make headlines. However, as suggested in the postulated deployment scenarios, these capabilities should not be discounted as means for achieving tactical and strategic effects in a limited context. The geopolitical situation of each country shapes these deployments and it is important to establish the desired effects before cyber capabilities are considered – they are not necessarily the most appropriate solution for every problem. Therefore, with careful deliberation, offensive cyber capabilities can be made to fit the imperatives of medium powers.

 


Andreas Haggman is a PhD researcher in the Centre for Doctoral Training in Cyber Security at Royal Holloway University of London. His thesis is a practical exploration of wargaming for cyber security education and awareness training. Andreas’ additional research interests span a wide spectrum of non-technical cyber security topics. He can be followed on Twitter @Andreas_Haggman.


Image Source: https://www.123rf.com/photo_49099172_puzzle-with-the-national-flag-of-sweden-and-australia-concept.html

 

Filed Under: Blog Article Tagged With: Cyber Security, strategy, Strife series


Footer

Contact

The Strife Blog & Journal

King’s College London
Department of War Studies
Strand Campus
London
WC2R 2LS
United Kingdom

[email protected]

 

Licensed under Creative Commons (Attribution, Non-Commercial, No Derivatives) | Proudly powered by Wordpress & the Genesis Framework