Pages

1 May 2021

Hackers can stop the trains and the lights. But could they start a war?

By Sherryn Groch

On the morning of June 27, 2017, it seemed as if Ukraine had slipped back in time and into the wrong century – almost nothing worked. Not the ATMs, the trains, the airports, the television stations. Even the radiation monitors at the old Chernobyl nuclear plant were down.

Ukraine, in the midst of a long and undeclared war with Russia, had been hit by mysterious blackouts before but this was eating through computer networks at a terrifying pace, turning screens dark across the country. And it seemed to be spreading further than intended, out through Europe and around the globe, paralysing hospitals and companies from London to Denver, even the Cadbury chocolate factory in Tasmania, and bringing swathes of the world’s shipping to a halt. By the time the culprit – a wild variant of malicious computer code (or worm) known as NotPetya – was stopped hours later, it had looped back into Russia, where it originated, and racked up about $US10 billion ($12.9 billion) in damage worldwide, making it the most expensive cyber attack to date.

No one died but the world had been given a glimpse of a new reality, beyond cyber espionage or sabotage. This was cyberwar. With modern life more connected than ever, you could unplug a nation before you’d even fired a shot.

Today, cyber weapons feature in the opening moments of most countries’ war plans, but they are deployed in peacetime, too, and the line between espionage, vandalism and outright attack is far from clear.

In 2016, the Australian government broke its relative silence on the cyber threat, revealing for the first time that Australia was actively engaged in cyberwarfare (against the terrorist group Islamic State in Syria and Iraq) and warning of a coming “cyber storm”. The army’s newest head of Information Warfare, Major General Susan Coyle, says it is now seeing an “exponential growth” in the range and sophistication of cyber weapons. Top companies and universities have been mined for personal data or found their networks suddenly paralysed; even Parliament itself has been infiltrated. But Coyle says Australia’s cyber forces are being rapidly trained to meet the threat.

So what would happen if the skirmishes of cyberspace did break out into real-world death and destruction? When is a hack a declaration of war? How vulnerable is Australia to the kind of attack that knocked the lights out in Ukraine? And is there a way to keep the great cyber powers in check?

A message from the NotPetya worm projected on a young man; the attack used a variant of the ransomware Petya to destroy computers.CREDIT:ALEXANDER RYUMIN/GETTY

What is cyberwarfare anyway?

In 1993, just two years after the worldwide web first sparked to life, a US think tank warned “Cyberwar is coming!” It was right, in a sense, but exactly what that means can be hard to pin down. We hear about hacks all the time, about shady emails and weak passwords. Then, when tensions between nations come to a boil, we sometimes hear about military strikes, bases bombed or troops sent over borders. But the invisible weapons of cyberspace can reach into the real world, too.

In 2009, the world’s first such digital weapon was unleashed on a foreign state – a “worm” built by the US and Israel that became known as Stuxnet. Its target was Iran. At 15,000 lines of code, Stuxnet was designed to do more than steal data or crash computers. Like any good spy, it learnt and it lay in wait, feeding false information into the safety sensors at an Iranian uranium enrichment plant until one day it sent the site’s centrifuges into an unstoppable, destructive spin. The plant was so damaged it set back Iran’s nuclear program by months, likely years.

Only Stuxnet didn’t disappear as planned; it got out, infecting thousands of machines across the world. While the worm is now dormant, programmed to come to life only in specific conditions (such as arriving on software at an Iranian nuclear facility), this military-grade weapon has been out in the open, in the hands of security experts, rival states and criminals ever since. And experts say the game has only become more dangerous.

The internet may be the great connector but the access it opens up into each of our lives has long been exploited by hackers – be they spy, saboteur, thief, activist or bully. While this regular back and forth lends itself well to the war analogy, most of what goes on, even between nation states, still falls below the threshold of actual warfare. It lives in “the grey zone”, says Tom Uren, an ex-Defence cyber analyst now at the Australian Strategic Policy Institute (ASPI).

Stuxnet itself likely prevented real war, blunting Israel’s perceived need for a military strike against Iran. (And, a decade later, the Trump administration called off a planned strike on Iran in favour of another cyber attack.)

“The things done in the grey zone aren’t always adversarial,” Coyle says. “That’s how you learn what threats are out there, what everyone else is doing.”

Still, the stakes are getting higher. The rise of artificial intelligence (AI), satellite technology and the internet of things (where more devices, from lights to door locks, are connected) means targets are opening up faster than we can patch vulnerabilities. China’s state hacking teams steal corporate secrets, as well as government data to blunt the West’s military advantage. Russia hijacks social media not just to spread propaganda but to manipulate democracies. And nations can turn these cyber weapons on their own citizens, too, to stamp out dissent.

“It’s not warfare but it’s definitely not peace either,” Uren says. “Some countries will push right up to the edge of that red line using covert, deniable methods … NotPetya is probably the closest we’ve come to real war.”

NotPetya hit during an actual physical invasion too – Russian troops (and bikie gangs) had already been sent into Ukraine without military insignia to seize Crimea and sow violence. Likewise in the former Soviet republic of Georgia in 2008, cyber attacks seemed to hit towns just ahead of Russian soldiers arriving to back pro-Russian separatists.

The year before, when Estonia, one of the most wired nations in the world, was unplugged, it went to NATO for help. There was even (brief) talk of invoking Article 5, which demands all other nations in the alliance defend one another from enemy assaults. But the world did not see a direct military retaliation to a cyber attack until Israel bombed a building linked to Hamas hackers in Gaza in 2019.

Ukraine has become Russia’s testing ground for cyber weapons, as Taiwan is now for China, says Professor Greg Austin, a former government adviser and analyst who heads a program of cyberwar study at UNSW. But, for all the Kremlin has unleashed on the Baltic nation, it’s still holding back. “It’s not looking to crush the Ukrainian government entirely,” Austin says. “In a major war then everything Russia is doing in Ukraine, it would do 100 times over to many more targets … And other countries have huge capabilities too.”

New York Times journalist David Sanger has watched cyber conflict heat up since he first helped unravel the mystery of Stuxnet in 2012. As luck would have it, he even found himself in Kyiv years later just as NotPetya was hitting (“I didn’t have any Ukrainian money, and all the ATMs were down”). But he agrees the world has not seen full-scale cyberwar yet. Digital weapons are still mostly deployed as “short of war” tools, he says, cheap, effective and often difficult to trace back to the state actor, making retaliation complicated.

Indeed, unlike regular weapons, cyber has become a tempting way for smaller nations to show their teeth without invoking devastating counterstrikes. Just nine countries have nuclear weapons but most have state-sponsored hackers. That means attacks can come from almost anywhere and, as many experts warn, could steer dangerously out of control.

“We are where we were with aeroplanes at the end of the First World War,” Sanger says. “It’s still mostly used for [surveillance] but the weapon is there.”

And, once that line is crossed and countries are at war, then cyberspace, just like air, land, sea and space, becomes another domain in which to take out the enemy.

South Korea’s Internet and Security Agency monitors possible cyber attacks during the global Wannacry attack launched by North Korea in 2017.CREDIT:AP
When do shots fired online count as acts of war?

After the cyber attacks on Estonia, dubbed Web War I, the question of what constitutes an armed attack in the digital age became live. Through NATO, academics drafted the Tallinn Manual, named for Estonia’s capital, to lay out how international laws of war might apply to cyberspace.

Professor Dale Stephens, a lawyer and former Navy captain, helped peer review the Tallinn Manual and is now working on a similar “user’s guide” to international law in space, known as the Woomera Manual. But space, he says, already has some well-established norms of behaviour. “It’s governed by five treaties. Russia and the US have already worked out their tolerances with each other.”

In cyberspace, he says, countries are still very much feeling out those boundaries. Under the laws set out in the Geneva Conventions and other treaties, blowing up a rival nation’s battleship is clearly warfare. “But suppose I take my ones and my zeroes [of computer code] and I manipulate your battleship’s systems until it’s damaged, or it blows up,” Stephens says. “At what point then am I crossing the line?”

Is the malicious code that both Russia and the US now implant in each other’s power grids, for example, just routine surveillance or the first act of a devastating strike? What if the pacemaker of a foreign leader was hacked or the medical records of soldiers mixed up? Even social media itself can be weaponised to gain a military advantage.

During the 2014 Islamic State campaign in Iraq, a carefully orchestrated jihadist storm online (featuring horrific videos of executions and overblown claims of victories) convinced the 25,000-strong Iraqi garrison that they didn’t stand a chance against the terror group. In reality, IS fighters in the area numbered only about 1500. “The Iraqis surrendered and gave IS [the city of] Mosul,” recalls Stephens, who was serving elsewhere in the region at the time.

“Most people can agree on the big stuff that’s crossing the line. But then there’s the stuff just below, where they’re using our systems against us in a kind of information war that [fractures] a state; that can be as threatening as destroying those systems entirely. Some of what’s going on may already be a use of force [under international law]. But what’s a proportional response? … Even the Tallinn Manual is still just recommendations.”

Airport staff in Kiev, Ukraine, struggle to get computers running during the NotPetya attack of July 2017.CREDIT:AP

“There are some things below an armed attack [in the law] which are still nasty,” adds Austin, recalling the deadly 1985 bombing of a Greenpeace ship in New Zealand by French intelligence agencies.

Years on from the Estonia hack, NATO now says it will invoke Article 5 in the event of a serious cyber assault against an ally (the mode of retaliation depending on the severity). In 2019, Australia solidified its own position: when a cyber attack poses an imminent risk of damage equivalent to a traditional armed attack, such as significant loss of life or critical infrastructure, then a country should be able to defend itself. France and Denmark have spoken of their right to sovereignty, not just safety, in cyberspace.

While Western democracies remain unlikely to retaliate in a way that would risk civilian lives, the US has left the door open to taking some extraordinary steps, even nuclear ones, against a serious cyber attack – and has loosened the reins on US Cyber Command, allowing the military to launch some strikes without presidential approval in the same way they do in other theatres of war. It’s part of a modern “defend forward” strategy on cyber, which Australia, as a member of the Five Eyes intelligence alliance, is also following to some degree.

Austin explains: “That means if China or Russia are persistently trying to penetrate our systems we’re going to stop them even if it means going into theirs.”

Coyle, who was the first woman to command all of the Australian Defence Force’s operations in the Middle East, can’t offer much detail due to “the classification level” of the cyber operations she now oversees. But she says everything the ADF does complies with the law, and commanders take pains to make sure no one steps outside those boundaries.

In America, still the world’s main target for cyber attacks, some warn that the slow wearing down, the “death by a thousand cuts” of China’s corporate espionage could be the biggest threat.CREDIT:AP
Who are the big cyber powers at play?

The online world looks a lot like the offline one – the US, China and Russia remain at the centre of power struggles. America is still considered to have the most advanced cyber capabilities in the world. But China, Russia, Israel, Britain, even Iran and North Korea, also have formidable cyber armies – think of the legions of hackers installed in St Petersburg or behind China’s great firewall.

Still, some countries are noisier than they are effective, Uren says. “Often a really great, well-executed operation you don’t know about.”

Russia, North Korea and Iran are conspicuous in cyberspace for the same reasons they are on the world stage: shows of force. Here they use digital weapons not just for espionage and war but political point-scoring, even harassment. Remember North Korea’s attack on US movie studio Sony Pictures in 2014 ahead of the release of a comedy critical of its leader Kim Jong Un? Or the hacks that paralysed broadcasts of the 2018 Winter Olympics after Russia’s doping scandal (these were even codenamed Sour Grapes by intelligence agencies linking them back to Russia).

Austin has been analysing the cyber arsenals of foreign governments and says that the smaller nations making headlines, such as Iran and North Korea, don’t have the same depth of capability as the big players. “They can still cause damage but they’re not able to launch something as sustained and wide-ranging. The big ones could shut us down, close off traffic lights, stop the trains running, and make it last longer.”

Still, these smaller nations consider they have one big advantage – they are not as wired as their Western adversaries, making their own exposure smaller.

In Australia, most attacks considered sophisticated enough to be attributed to another state are thought to have come from China, although the country has denied it, as it does all hacks. China is less brazen than Russia in its cyber attacks on the West, mostly sticking to espionage so far. Still, its restraint does not extend to Taiwan, where cyber attacks come almost daily. And, as diplomatic and trade disputes escalate with Western countries, notably Australia, some fear China is growing bolder. In March 2020, an attack crashed the website of a global coalition of MPs speaking out on China’s aggression.

“China has learnt from Russian interventions in elections in the US and Europe,” Austin says. “They can do more things in cyber than they previously imagined.”

Stephens adds that the growing superpower is also investing heavily in new technology that will shape the future cyber battlefield such as AI, satellites and 5G networks. “China’s trying to jump that industrial step the West took of building big fleets of ships and airplanes and go straight to the next generation of weapons: cyber and AI.”

Back home, experts agree Australia is, at last, taking cyber more seriously, recruiting more hackers and rolling out new cyber security standards to shore up privately owned critical infrastructure. But, while we are not trailing the pack on cyber security internationally, we are still not doing enough.

“Look at what our adversaries are doing,” Austin says. “You see our big government departments starting to uplift their security and still only put in a moderate performance. And they’re only transparent [about attacks] when it suits them.”

America’s Cyber Command is thousands-strong, created in 2009, after a particularly embarrassing breach of Pentagon internal networks by the Russians. Australia didn’t have its own military cyber force until 2017, but it’s now about 400-strong, a mix of soldiers, contractors and public servants who work within defence and sometimes with Australia’s spy agency.

“We’ve come a long way very fast but we’re still learning,” Coyle says. “Of course, we’ll never be as big as US Cyber Command...But that’s the beauty of alliances and partnerships, you all bring different strengths. ”

Overall, Austin says, the West (specifically the US) is winning the cyber battle. “The broad narrative that China is winning is really a gross exaggeration; their cyber defences are weak,” he says. “And we never hear of all the times the West successfully hits them or Russia.”

As he took over US Cyber Command in 2018, General Paul Nakasone, pictured second from the right testifying before the Senate, warned America’s enemies “do not fear us” in cyberspace.CREDIT:GETTY
How likely is a cyberwar and how bad could it get?

To get a full-scale cyberwar, where nations are actively unplugging their enemies, experts say the world would have to be either already on the brink - or an attack would have to spiral rapidly out of control, into something interpreted as a clear act of war. Uren imagines it would take a big attack “something with the impact of [almost a] 9/11 where you had mass casualties, not just mass destruction of IT systems.”

We haven’t seen that yet. And while geopolitical tensions have only escalated during the COVID-19 pandemic, the superpowers remain reluctant to go to war. “Even calling an attack warfare means you have to respond,” Uren says.

Coyle adds: “I think we’d need some pretty incredible evidence to suggest something was an act of war, that it wasn’t an unnecessary escalation or a mistake. And I’d be surprised if somebody was stupid enough to want to do that, knowing that, collectively, countries would go against [them].”

But, while she is less concerned about one strike taking many lives – the doomsday “cyber Pearl Harbour” scenario – she says even a hack causing mass disruption, such as knocking out power, could hit with a force akin to a natural disaster. People could still die. “And economies can fail. We’ve seen it with COVID. Things can change quite rapidly. If we were to be attacked … Australia-wide, the impact would be far-reaching.”

Stephens says the greatest threat may come from attacks above, with cyberspace increasingly connected to satellites. GPS doesn’t just help you find where you’re driving and video chat to people on the other side of the world, it’s integral to military operations too.

“We can restore our systems down here but if I take down the satellites that help them run, that’s going to have a much bigger impact,” Stephens says. “We’ve just woken up to this vulnerability.”

Coyle agrees an attack on space infrastructure would be very concerning but stresses, “We don’t have one point of failure … We still use paper, for example, we can use compasses if space fails.”

And there are limits to cyber damage too. When it comes to hacking, Uren says many people think “it’s kind of like magic”. “A really good hacker could do whatever they want, but that’s not true.”

As Stephens puts it, “cyber ends at a certain point”. He doesn’t imagine it will ever pack the kind of knock-out blow of a nuclear weapon.

“There’s always a patch, there’s always a defence. I think the US has huge capabilities to unleash a devastating cyber retaliation. But the world will survive it. Of course, AI might change that. If I’m on an aircraft carrier on the South China Sea and I’m suddenly swarmed by a bunch of self-driving underwater drones, I’m not standing a chance.”

Austin agrees the marriage of AI with weaponry could ratchet up the stakes in the coming years. And Uren says that, while a “cyber Pearl Harbour” is unlikely, “with cyber it’s difficult to rule anything out”.

“It’s hard for me to imagine we’d get a first-strike capability that could disable another country’s military but … if you could switch off the air defence radars [of another nation], for example, you could just fly in your bombing planes.”

Locked Shields is the world’s biggest ‘live fire’ cyberwar training exercise, run here in Estonia in 2018 by NATO.CREDIT:NATO/CCDCOE
Could we have cyber peace? What about mutually assured destruction?

In his 2018 book The Perfect Weapon, Sanger warns that the current cyber arms race is running without the same level of public debate or oversight of the Cold War nuclear age, where mutually assured destruction kept weapons locked away.

“Everything that worked in the nuclear age won’t work for cyber,” he says now. “Deterrence won’t hold.”

The problem is that, in regular warfare, to deter an attack you must either be prepared to retaliate with a worse blow or make your attacker believe their assault was pointless, as your defences are too strong.

Neither is happening in cyberspace. Not only is cyber security weak across the board but nations are reluctant to strike back for fear of tipping cyber conflict closer to real war. They are also, despite the urging of experts, often unwilling to name and shame nations behind attacks.

“Imagine if we got it wrong and [blamed] the wrong country,” says Coyle.

In the shadows of cyberspace, states do not attack with national flags raised. To cover their tracks, they might even outsource hacks to criminals or cowboy civilians. Or an attack could be staged to look like ransomware (where criminals encrypt a computer’s data then demand money to unlock it), when really destruction, not cash, is the goal.

Still, Austin insists governments everywhere are getting “very good” at attributing attacks, especially those sophisticated enough to be considered state-sponsored. “It’s mostly politics [and] fear of exposing sensitive intelligence sources or methods of our own that stops nations [pointing fingers].”

After all, countries under siege are usually themselves launching attacks. “If Australia, the US, the UK go too far down the path of calling out every attack, China and Russia might start doing the same,” Austin says. “So far they only call out what they regard as attacks beyond the pale such as Sony and Ukraine [NotPetya].”

The world may not quite be in another Cold War but everyone agrees cyberspace will figure more prominently in conflict to come. Australia’s first ambassador for cyber affairs, Dr Toby Feakin, told an international forum hosted by the ANU in February that cyber had become central to foreign affairs in a “way we never could have imagined”. Cyber capabilities and technology such as AI will “fundamentally shape and shift the power dynamics of the 21st century,” he said.

Sanger and others argue that the world now needs a digital Geneva Convention to rein in this Wild West– keeping civilian targets such as hospitals and power grids off limits in a kind of “cyber no fly zone”.

Austin says existing international law covers cyberspace in a sense but he agrees there are still critical questions to answer about how it can be applied.

“So you can’t bomb a hospital but you could disable its computer systems so people will die. For most people, that should break [rules of war] too.”

But, with the big powers reluctant to muzzle their own capabilities, others fear a treaty will just be another piece of paper.

“We’ve had pretty successful prohibition of nuclear weapons because everyone is terrified of the consequences of using them, for good reason,” Uren says. “The problem is people are not deadly terrified of the consequences of cyber. We either have to get better at defending ourselves or make the consequences worse for attackers.”

Coyle agrees that getting the worst offenders to come to the treaty table would be almost impossible, given they already refuse to admit to hacks. “But if we could do it, it would be a wonderful thing.”

So is the threat of cyberwar looming larger today than when Stuxnet was unleashed?

Austin says the attacks are certainly getting more vicious, and the hackers more resourced, as computing power advances. But he thinks countries of all stripes will remain wary of putting the tens of trillions of dollars in the world’s online banking system at risk with all-out cyberwar. “Of course, it doesn’t mean they can’t navigate around it.”

What worries Coyle most is what she can’t see coming. “What’s out there that we’re not tracking? Has something been laid already? That’s why we always have a presence in cyberspace, we’re always wargaming, so we’re ready … But I’m an optimist, no one really wants to go to war.”

Uren, too, is hopeful cyber attacks will stay below the red line, even as he warns of increasing vulnerability in an increasingly connected world.

“On the whole, technology has made our lives better. There hasn’t been some existential hit to our society, there hasn’t been a catastrophe. At least, not yet.”

No comments:

Post a Comment