5 November 2018

The West Holds A Cyberwar Trump Card, But Victory Would Be Pyrrhic

Davey Winder

Who would win if cyberwar were to break out between Russia and the West?

Given the fragile nature of the geopolitical landscape, along with the increasingly sophisticated capabilities of nation states to launch cyberattacks on critical infrastructure and businesses alike, the question of cyberwar has never been more relevant. But what do we mean by cyberwarfare and who would likely win in the event of a cyberwar between Russia or China and the West?

As I reported earlier this week, the Royal Navy's biggest ever aircraft carrier, HMS Queen Elizabeth, has been in New York hosting the inaugural Atlantic Future Forum. On Monday, aboard HMS Queen Elizabeth, the Atlantic Future Forum Accord was signed to formalize a commitment from the UK and US to work with industry leaders in the fields of cybersecurity and artificial intelligence. UK Defense Secretary Gavin Williamson has referred to this as "combining our technical excellence, our professionalism, our war fighter ethos to design and increasingly use our offensive cyber capability."

If all of this sounds a little, well, like cyberwarfare talk that's because it is. Or at least it might be. The problem is that before you can categorize something under the cyberwarfare heading you have to be able to define exactly what cyberwarfare is. Which isn't as straightforward as you might like to think.

If the Stuxnet worm attack on Iran's nuclear program back in 2010, with all the evidence pointing to a joint US and Israeli operation, isn't an act of cyberwar, then what is? More than 1,000 fuel enrichment centrifuges at the Natanz nuclear plant in Iran were destroyed by Stuxnet, which caused the centrifuges, central to the production of enriched uranium used in nuclear weapons, to overheat and fail.

If alleged Russian meddling in the democratic processes of the West, including the last US Presidential race and the UK Brexit referendum, isn't an act of cyberwar, then what is?

I reached out to Trevor Reschke, currently head of threat intelligence at Trusted Knight, for an answer. Trevor, you see, is a former counterintelligence special agent who specializes in digital investigations and managed the Incident Response Team and the Vulnerability Assessment Team for the US Army Regional CERT in Europe. "Any action by a government's military or other agency that supports strategic or tactical national efforts is unquestionably cyberwarfare," he insisted. The problem is that 'war' is a word most governments will try very hard to avoid when talking about their offensive cyber activities, in what Reschke calls an attempt to soften the blow of their actions. "Countries are openly conducting activities that if done in person would cause wars," he concluded, adding that "the vast majority of the activity is more of an intelligence effort than blatant acts of war, so there are different rules."

Greg Martin has been a cybersecurity advisor to the FBI, US Secret Service and NASA in the past; he is currently CEO at JASK, which brings AI into the security operations realm. He was a little more forthright when I asked about the Stuxnet and Russian meddling examples. "Those are both excellent examples of the cyberwar which has been playing out for over a decade between competing superpowers," Martin insisted, and then predicted that we will inevitably see more sophisticated cyber weapons with more destructive capabilities emerging. That said, Martin also pointed out that the Russian election meddling was more of an 'influence operation', with the cyber element being the medium and secondary to the objective itself. "Influence operations are never an act of war," he concluded. "An act of war requires aggression, damage to life or property, or the use of armed forces."

I then spoke to Ian Trump, security head with AMTrust Europe, who has served with the military intelligence branch of the Canadian Forces. "The natural conclusion is espionage, cyber-attacks and influence operations are merely manifestations of a policy clash between two competing powers or blocs," he told me. You have to think of cyber-attacks as just one of the many weapons available to achieve dominance over an adversary, and they have advantages and disadvantages like all weapon systems do. It's on this basis that Trump believes that, in isolation at least, cyber-attacks are not the same as cyberwar. "War in my mind is an all-out nation state attempt to dominate an adversary," he explains, "and cyber-attacks at present cannot achieve that level of dominance."

Warfare, of course, is already pretty well defined and the Geneva Convention sets out the rules as they apply in the physical world. Just as the definition of cyberwarfare is proving to be fuzzy at best, there is no clear definition of the rules as they apply to acts of war within the cyber realm.

"This may change when a cyberattack has a very real-world result, such as the power grid in the US or UK being taken down or the water supply being compromised," argues Rick McElroy. A security strategist at Carbon Black, McElroy is a former US Marine who has held security positions with the US Department of Defense. In both of the scenarios he described, lives could easily be lost, which is why protecting critical national infrastructure (CNI) is so important.

It's also why the fact that so much critical infrastructure appears to be failing the security test is so worrying. The 2019 Global ICS & IIoT Risk Report was published today by CyberX, and it makes depressing reading. An analysis of industrial and critical infrastructure, driven by data collected across 850 real-world industrial control networks in multiple sectors and on six continents, it contains some jaw-droppingly shocking key findings:
69% of sites had plaintext passwords traversing the network.
40% are not properly air-gapped, with at least one direct connection to the public internet.
53% were running outdated Windows operating systems such as XP.
16% had at least one wireless access point.

While these findings don't necessarily mean that all CNI is inherently insecure, they do tend to confirm the opinion of many greybeard security researchers of my acquaintance who think nation states and industrial enterprises have learned little from the Stuxnet attacks eight years ago. It also led me to wonder whether the West could adequately defend itself against the likes of China, Iran, North Korea or Russia in a cyberwar scenario. Perhaps just as importantly, given that the stakes are so high, could the West launch its own offensive cyberwarfare capabilities against these nations with any real chance of success?

Trevor Reschke is firm in his opinion that were there ever such open cyberwarfare, the West would have a massive advantage over China and Russia, as both rely so heavily on the West for software. "Both China and Russia currently lack the oversight and compliance to achieve a strong security standing for themselves," Reschke told me, "which limits the campaigns they will run against others out of fear of reprisals." Indeed, Reschke says that both also have vulnerable infrastructure, in particular China, where the "sole defense from large scale compromise is the language barrier on their servers." As for North Korea, Reschke isn't too concerned, as he says it doesn't possess any real cyberwarfare capabilities but rents these from others.

As for Ian Trump, he says there is either a war or a no-war scenario, rather than a cyberwar scenario in isolation. He sees hostile cyber activity as simply being competition, with cyber-attacks related to competing geopolitical agendas. As for winners and losers, Trump points out that without too much work the entire internet could be 'turned off' for any protagonist state, with consequential massive financial and operational loss, if there were an existential threat to the US from hostile cyber-related activities, for example. "This is the giant hammer killing an annoying insect scenario," Trump insists. "The US controls about 80% of internet traffic globally." With the capability to black-hole and degrade, if not eliminate, entire address ranges of countries, it's in a dominant position on the cyber stage. Of course, doing so would likely disrupt the entire global financial network and every other national communication network, costing all nations trillions of dollars. "The end-state of this would be true cyber Pyrrhic victory," Trump concludes, "a victory that inflicts such a devastating toll on the victor that it is tantamount to defeat..."

In part two of this analysis I look at the role that cybersecurity vendors will play in any cyberwar scenario and why business needs to pay attention.

I have been covering the information security beat for three decades and Contributing Editor at PC Pro Magazine since the first issue way back in 1994. I contribute to the Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Infosecurity Magazine and Digital...
