Cyber warfare is dangerous but not enough 03-Jul-2022

Cyber warfare isn’t what people imagine. It’s often unpredictable, highly secretive and esoteric, and it takes a lot of time and effort, yet teenagers in their bedrooms can also be very effective at it.

The Stuxnet virus might be the most famous cyber attack in the world. It’s all of the things above, except of course it was not launched by a teenager in a bedroom. It was a highly coordinated, specifically targeted, and patient plan to disrupt centrifuges in Iran’s nuclear material refinement. The target computers were not connected externally, so someone had to get it into their systems somehow. It targeted some very specific equipment, requiring very specialist knowledge. And after it was discovered, and after all that effort, the attack can’t ever be used again.

Nobody knows for sure who did it. Nobody can confidently retaliate.

Cyber warfare isn’t at all as straightforward as more conventional warfare.

Who is your daddy… - Who does cyber warfare?

There aren’t very many countries which are very capable at cyber warfare. The US is by far the most ahead, US allies trail, and then China, Russia, North Korea, Iran, and Israel have varying focuses and capabilities.

The focus of the US and its allies is mostly military. China is also very interested economically - intellectual property theft, corporate espionage, that kind of thing (CNN 04-May-2022). Russia is particularly well known for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, and other kinds of harassment. North Korea raises money through cyber attacks on banks (Dhaka Tribune 12-Mar-2016), for example, and makes propaganda-related attacks. It attacked Sony when the studio released an unflattering film about the NK leader, Kim Jong Un (Time 17-Dec-2014). Iran’s capabilities are small and on a similar level to NK’s.

Individuals can also be very effective. It’s believed that a single individual was responsible for blocking NK’s entire internet access earlier this year (Wired 02-Feb-2022). An amateur hacker from Scotland perpetrated what was called the “biggest military computer hack of all time” because he was looking for evidence of UFOs (BBC 30-Jul-2008).

Cyber warfare encompasses a wide range of activities and attacks. All it takes sometimes is one small exploit to be found. It sometimes doesn’t take much to find it and exploit it.

...And what does he do? - How is cyber warfare done?

There’s a very high overlap between cyber warfare, intelligence, and counter-intelligence.

It’s useful for surreptitious attacks like Stuxnet, or disrupting communications, but also for targeting. Imagine, for example, crippling communications at a primary outpost. This might allow you to then see where the enemy compensates from, allowing you to identify even more, secondary and tertiary outposts, so that you can destroy them.

Cyber warfare is only useful against certain kinds of targets. It’s mostly useless against an organisation like ISIS, for example, when compared to an attack on government nuclear facilities like Stuxnet. General Sir Patrick Sanders, the British Chief of the General Staff, put it this way: “you can’t cyber your way across a river” (Sky News 28-Jun-2022).

Politicians and civil servants need to understand that, while cyber warfare might be very cheap compared to nuclear weapons and conventional forces, it has its limits and is not a quick and easy fix. Cyber warfare also takes a lot of training and individual intelligence. For these reasons it's also not possible to learn new techniques quickly. Few people are capable and willing to put in the work for certain kinds of militarily relevant payoffs.

Cyber warfare works mostly by finding and exploiting weaknesses in the enemy’s systems. Once these exploits have been used, you often can’t use them again: the enemy notices and fixes the gap. This means that there is an immense amount of secrecy around cyber warfare and that countries try to stockpile the exploits they’ve found.

It also means we don’t really know who knows what, who has what stockpiled, and what would happen if they were all used.

It’s not a tumour - Attribution and how you know who did it

The simultaneous secrecy and accessibility of cyber warfare makes it very hard to know who is attacking. That’s very peculiar for warfare.

There’s no better illustration of this phenomenon than the way cryptography used to be treated in the US. Cryptographic techniques, not just equipment, used to be listed as munitions under the relevant US laws and subject to heavy restrictions. Some restrictions remain to this day. The problem began when certain cryptographic techniques discovered by the military were later discovered again, independently, in academia. Unfortunately for the US military, anyone can do mathematics. Under the US 1st Amendment, it’s also very difficult to restrict free speech relating to independently discoverable mathematics.

The same applies more broadly to all sorts of software with mixed military and civilian use. There’s no easy way to determine who has discovered what, or whether they’re sitting on the information. You won’t necessarily know, or be safe, until the attack happens or the software changes and renders the exploit out of date.

On the other hand, the highly specialised and esoteric nature of cyber warfare and necessary skills can make it easier to identify who did what. Russia is particularly good, for example, at harassment and disruption. Even so, what exactly is the line between, say, the pro-Russia hacking group Killnet, and an actual government hacking team? Are they in fact the same? This makes it very difficult to identify who is culpable for what. Killnet recently claimed it was behind cyber attacks on Lithuania (CNN 27-Jun-2022). Russia had a major dispute with Lithuania over access to Kaliningrad (Frontier Mogul 21-Jun-2022).

Another angle to consider on identification is masking. Those with greater capabilities can sometimes mimic those with lesser, but the reverse is very unlikely. If a certain kind of attack happens and it’s very sophisticated, there are very few who could have done it.

The secrecy and obfuscation around this kind of security and defence, and the overlap between certain civilian and military systems, is also a problem. Nobody has any responsibility to tell anyone else if they’ve found a security flaw in some software, or if they’ve been hacked.

This isn’t the only human factor cyber warfare specialists have to worry about. Humans are a big weakness in the system. Some cyber attacks happen because someone leaves a USB stick lying around an office, or drops one in a parking lot, and someone else picks it up and plugs it into their computer. If the USB stick is carrying a key logger or some other virus, the attack was successful because of human curiosity. If the person who picked it up was just plugging it in to find out who it belonged to, the attack was successful because of careless human helpfulness.

The question is, then, how do you deal with cyber warfare?

Crush your enemies, see them driven before you, and hear the lamentation of their women - How do you tackle cyber warfare?

One option is to just fight fire with fire.

Unfortunately the line between offensive and defensive cyber warfare isn’t entirely clear. There’s some speculation that this is why cyber warfare hasn’t played as much of a part in the Ukraine war as you might expect from a capable country like Russia. The defence or retaliation from Ukraine, directly or passed on by its allies, could be enormous. It would be sparked by the likelihood that a cyber attack on Ukraine would in effect also be a cyber attack on its allies, again because of how nebulously positioned and overlapping a lot of technology systems are. Russia might be avoiding major cyber warfare in Ukraine because of a type of mutually assured destruction.

Cyber warfare means testing and poking and trying to find weaknesses. If you’re looking at your own technology and systems, some of which might even be shared if it’s civilian software, you’ll find your own weaknesses, but this also means you’re finding someone else’s weaknesses too.

This is only complicated by the idea that, if you’re under attack, disabling your attacker is a useful defensive move.

In a different arena, economic performance is also a security concern. If companies in your country are under attack, this ultimately weakens your country. If there’s no real legal requirement for one organisation or another, government or private, to tell anyone else about cyber attacks or vulnerabilities, this is a weakness in the cyber security of your country’s economy.

It gets worse. If it’s nearly impossible to determine who exactly launched a cyber attack, how can you legally pursue them, not just internationally, but within a country’s own borders? Do your country’s police have the necessary skills to investigate cyber attacks? Cyber warfare is secretive, international, and highly specialised. Jurisdiction and international legal agreement are necessary to properly pursue attackers, to handle the chain of custody of evidence, and to deal with all sorts of civil rights issues normally involved in criminal proceedings.

Proper identification and pursuit of individual cyber attacks can take many years and a lot of resources, even for a government. Is it worth it? Perhaps not if you can patch up the security flaw and the technology changes in less than a year anyway.

At the international level, nation states are becoming increasingly sophisticated in their attacks, tricky, and better at hiding.

What’s next?

Everyone is just going to have to keep getting better at defending themselves, at least in the short term.

And AI might be a game changing wildcard. Will it be more helpful for offence or defence?