Tit-for-Tat: Cyber Retaliation

Many will be well-versed with the biblical adage: an eye for an eye, a tooth for a tooth. Underpinning the Book of Exodus, the law of even-handed justice formed the kernel of Old Testament justice. Yet, contemporary followers of the book allowed it to transmute into a justification for personal vengeance. It wasn’t until Jesus proselytized on a northwestern mount overlooking the Sea of Galilee that the meaning was renewed. Delivering his obiter dictum – his justificatory Sermon on the Mount – he re-established the law as punishment commensurate to the crime.

However, as with most things, the meaning has been distorted in the sands of time. In its crudest form, it’s an expression of retaliatory action. A far cry from the proportional legal penalty borne out in the Christian Beatitudes, it has all-too-often been harnessed to justify 'tit-for-tat'.

Worryingly, it is this interpretation that has stubbornly endured: the Blitzkriegs of London; Berlin; the Cuban Missile Crisis; the 1980 and 1984 Olympic boycotts. The ‘I-hit-you-because-you-hit-me’ attitude litters our history and now, unsurprisingly, it’s finally reached cyber.

In recent weeks, two examples highlight the dangerous precedent of the tit-for-tat mentality in the cyber domain. First, the widely publicized hack of the US Democratic National Committee’s (DNC) servers. As a result, hackers exposed opposition research on Trump and co. and stole a host of private emails, 20,000 of which WikiLeaks made public. US intelligence has high confidence that the Russian government orchestrated the theft.

The firm CrowdStrike was solicited to inspect the DNC’s servers and manage the fallout. They discovered two separate Russian intelligence-affiliated adversaries present in the DNC network, one of which had access to the servers for almost a year. This comes against the backdrop of Russia breaching the email servers of the White House and State Department and gleaning information from President Obama’s Blackberry. The Kremlin, with the usual shrug of ignorance, has denied involvement. Then, five days later, Russia is hit by a cyber-attack – wham! The tat is returned to the tit – no sniggering people, this is a serious issue.

The Russian Federal Security Service (FSB) identified cyber espionage malware in the networks of approximately 20 Russian Government organizations. The malware was delivered via a malicious email attachment, adapting to each system, intercepting network traffic, logging keystrokes and listening to phone calls. The hack was designed to target state organizations and the country’s critically important infrastructures. There is no evidence yet to indicate US involvement. Has the eagle swiped its talons back at the belligerent bear? Perhaps – who knows?

The second tit-for-tat example lies with China. In July, the Permanent Court of Arbitration ruled that China’s claim to the South China Sea territory over the Philippines had no legal basis. In 2013, China had poached control of the Scarborough Shoal reef, among others, leading to the construction of military outposts in the disputed island territory. After years of legal deliberation, the international tribunal at The Hague concluded that not only was China’s claim invalid, but the state had infringed Philippine sovereign rights inside the country’s 200-mile exclusive economic zone: unlawfully disrupting Philippine fishing activities and risking collisions with Philippine vessels.

On this occasion, no time was wasted. Retaliation against China’s detractors was already underway. As far back as January 2015, a Chinese network attack known as an Advanced Persistent Threat had been deploying malware identified as the NanHaiShu Remote Access Trojan to create a backdoor and gain administrative control over target computers to harvest sensitive data. Systems from the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit, and a major international law firm involved in the South China Sea arbitration process were all compromised. All three targets were considered to be of strategic national interest to the Chinese government.

Moreover, the attack code and infrastructure were traced to a developer in mainland China. Of course, this could be mere coincidence or worse, the product of adversarial groups intending to stir up regional divisions to further their cause. Nonetheless, it’s worrying stuff that has the potential to morph into something more sinister!

Retaliation often engenders escalation: something that the cyber domain facilitates with unprecedented ease. As nation states all-too-willingly adopt this tit-for-tat mentality, the prospect of attacks spilling over the ether into the conventional domains of war becomes increasingly likely.

As Russia’s revanchist activities in Ukraine show, asymmetric warfare has already begun to rear its head; its efficacy and desirability – a potent combination of cyber and tangible force – will make it the norm. Nation states should make a concerted effort to curtail a spiraling cyber arms race and ensure cooler heads prevail. Cyber’s destructive capacity and ability to destabilize international relationships deserve constant policing and attention.

There is a Chinese proverb: he who seeks revenge should remember to dig two graves. The international community would do well to remember this. When it comes to tit-for-tat, there are no winners, only pyrrhic victories.
