World War Cyber

As nation states battle it out for supremacy in cyber-space, Phil Muncaster asks what the future has in store.

In January, the UK’s defense secretary, Gavin Williamson, warned that Russian attacks on critical national infrastructure (CNI) could cause “total chaos” in the country and lead to “thousands and thousands and thousands of deaths.” His comments were widely criticized at the time as intended merely to secure more Treasury funding. Yet was he really that wide of the mark?

Governments, CNI providers and enterprises are arguably more exposed to cyber-risk today than they’ve ever been, thanks to a reliance on data-driven, connected and cloud-based systems. Over the past couple of years alone, this dependence has imperiled everything from presidential elections to NHS operations and even the Olympic Games.

The question is, where are we headed? Is the planet hurtling towards a major cyber-conflict between superpowers, or are we already in a de facto cyber-Cold War? Perhaps most importantly, is there anything that organizations sandwiched in the middle of these escalating attacks can do to stay secure?


Tit-for-Tat
It is well understood by most governments that foreign powers will try to gain intelligence which has geopolitical or military value. All nations with the right capabilities are thought to conduct this kind of cyber-espionage and, to an extent, they expect it of others. As the Snowden documents revealed, the NSA even intercepted Cisco networking equipment in transit to foreign customers and implanted surveillance firmware so it could eavesdrop on the eventual recipients.

However, the past few years have seen incident after incident in which the reach of nation state hackers has gone beyond these understood norms. Ground zero was arguably Stuxnet, an explosive revelation of the lengths the US and Israeli governments, to which it is widely attributed, were prepared to go to in order to delay Iran’s nuclear program.

Then we learned that Chinese state hackers were conducting mass ‘economic espionage’ against US firms. This led to the unprecedented Department of Justice (DoJ) indictment of five People’s Liberation Army officers for activities spanning 2006-14. Attorney General Eric Holder claimed it “should serve as a wake-up call to the seriousness of the on-going cyber-threat.”

It is the Putin administration, however, which seems to be conducting the highest profile information warfare campaign against nations. Russian hackers are said to have successfully targeted energy providers in Ukraine, causing blackouts for hundreds of thousands in 2015 and 2016. They have been probing UK telecoms, energy and media organizations, and were responsible for the destructive NotPetya attack of June 2017, according to the NCSC.

Over the past few years, the infamous APT28 group, part of Russian military intelligence agency the GRU, has conducted countless data-stealing raids on targets as varied as NATO, the White House, the US Senate, the World Anti-Doping Agency (WADA) and numerous Olympic federations.

Perhaps most notable was the now notorious attack on the Democratic National Committee (DNC) and Hillary Clinton campaign, which resulted in sensitive emails being published in the run-up to the 2016 election. This was combined with hacking of US election infrastructure and an all-out influence operation on social media designed to sow discord and sway the electorate in favor of Donald Trump. Although no direct Putin involvement in the influence campaign has been established, the Internet Research Agency that ran it, and for whose activities 13 Russian nationals have now been indicted, is thought to have close links with the Kremlin.

Then we have North Korea, increasingly flexing its muscles globally and said to be behind the WannaCry ransomware worm, the destructive malware attack on Sony Pictures Entertainment and even the $81m cyber-heist at the Bangladesh Bank. 

Stuck in the Middle
The difference between nations, according to former GCHQ deputy director of cyber, Brian Lord, is that some “develop and apply such capabilities in a responsible way, governed through the legal, ethical and oversight controls put around them,” while others “act with less consequence for the damage and geopolitical tensions that are caused.” Lord, who is now managing director of cyber at consultancy PGI, claims that “adversarial state capability will continue to evolve, become more informed and sophisticated and outstrip organizational and governmental ability to counter the threat.” 

Until now, China has been focused on IP, commercial and government theft, “which they steal in eye-wateringly large amounts,” and Russia on “manipulation and exploitation of global reliance upon the internet for news, interaction and communication,” he tells Infosecurity. However, both are also weaponizing destructive capabilities, along with North Korea – which has also been ramping up its efforts to steal and mine cryptocurrency. 

Western state hackers are certainly highly active in cyber-space, but “tend to focus more on political and military targets and usually have less of a mission to help out private enterprise,” according to SANS Institute dean of research, Johannes Ullrich. 

However, no matter who is attacking, anonymizing techniques will continue to provide the perfect cover for state-backed intrusions, experts agree. 

“It is worth bearing in mind that quite often it is important for an attacking state to leave enough clues as to make the attacked state sure of its provenance, but enough fog as to have plausible deniability,” explains Lord. “When a nation plays as much into the political and public reaction space (for example, as the Russians do) then the public attribution/plausible deniability blend creates a perfect operating space for the clever state adversary.”

Whatever the outcome of these efforts, ordinary organizations will continue to be stuck in the middle, whether they’re directly targeted as CNI operators or holders of valuable IP, or simply end up as collateral damage, as happened to the victims of 2017’s WannaCry ransomware worm and the NotPetya wiper that masqueraded as ransomware.

“Nation states have recognized they can hide their activities using bespoke hacktivist groups that have been established to cover their [actions], and that ransomware is a powerful shield for destructive/disruptive attacks,” Crowdstrike VP of intelligence, Adam Meyers, tells Infosecurity. “The proliferation of these ideas is likely to continue in 2018.”

The question is: if CISOs already find traditional cybercrime attacks increasingly hard to spot and block, how can they hope to compete against determined nation state operatives?


Fighting Back
The key is not to focus on the attacker but the techniques used, according to SANS’ Ullrich. “There is very little difference in attacks launched by sophisticated criminals and by nation states. One of the common fallacies in cyber-defense is to focus on recent trends versus best principles,” he says. “Simple but effective defensive techniques, such as those outlined in the Center for Internet Security’s critical controls, will provide a solid foundation on which to then deploy more sophisticated defenses.”

For Meyers, passively waiting for traditional cybersecurity measures to detect attacks is not enough. 

“Proactive threat hunting, led by human security experts driven by intelligence, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response,” he argues.

“Evaluate the quality and effectiveness of your security program before an attack happens. Engaging in third-party security assessments will reveal organizational readiness to face both common and sophisticated attacks. In addition, participating in adversary emulation exercises, using real-world TTPs, will inform you about how to improve your incident response playbook and procedures.”

A Cyber-Cold War?
Experts agree that nation state cyber-activity will continue to increase in 2018. An alarming Chatham House report from January even claimed “inadvertent nuclear launches could stem from an unwitting reliance on false information and data.” So how far might online threats spill over into real-world geopolitical conflict?

“These kinds of operations significantly expand a nation’s options for international action in a way that is generally more acceptable than other types of similar activity. For example, surreptitious military action or symbolic weapon launches are widely criticized or denounced but state-sponsored cyber-espionage is not,” says FireEye senior analyst, Fred Plan.

“We believe that nation-states will likely leverage cyber-capabilities in the outbreak of major conflicts especially with regards to disrupting command and control systems. It should be noted that these capabilities are not limited to superpower countries; increasingly, regional powers and other countries are developing their own cyber-capabilities to gain an asymmetric advantage over rival states.”

SecureData head of security strategy, Charl van der Walt, agrees that cyber will become a “common feature on the modern battlefield,” but claims that in many ways, the war has already begun.

“Cyber-battle preparedness will mean different things, but in its one form it requires pre-emptively attacking and compromising systems in the future potential battle zone, or from which the future battle zone could be impacted, or simply from which useful intelligence might be gleaned,” he tells Infosecurity. “Effectively, this means that offensive cyber-battlefield operations need to take place all the time, and that just about any and every system is a target.”

This global ‘cyber-land grab’ by the world’s superpowers means smaller nations must align themselves with the software and hardware supply chain they trust most.

“One of the effects of this forced choice is the acceleration of ‘cyber balkanization’ – the splintering of the world into politically-aligned camps that all run the same hardware and software that is developed and controlled by the superpower,” claims van der Walt. “As running software controlled by a single nation state is effectively a form of voluntary compromise, the smaller state also loses its autonomy from that state and is fundamentally beholden to it.”

As we speed towards a world characterized by distrust, suspicion and cyber-fueled geopolitical tension, the cybercrime exploit marketplace continues to fill with state-developed tools and expertise. Security professionals faced with this onslaught may well find themselves wishing for simpler times – when spies used guns, not code.
