InfoSecurity Professional INSIGHTS
InfoSecurity Professional INSIGHTS is (ISC)²'s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
InfoSecurity Professional INSIGHTS October Sponsor
Avoid Risk of Data Breach at Information End-Of-Life
|Organizations realize that proactively uncovering security threats pays off with earlier detection, faster response, and effective denial of future exploits that can damage business operations. Gain insight into the goals, adoption, and benefits of threat hunting in a survey conducted by Holger Schulze of the Information Security Community.
Learn More >>
War in the New Frontier: When Cyber Strikes Morph into Physical Attacks
BY SHAWNA McALEARNEY
Because of the business his own company conducts—antivirus, password management, endpoint security and vulnerability scanning—F-Secure’s Mikko Hypponen believes his interpretation of the Geneva Conventions makes even F-Secure “a legitimate target for bombing in time of war.”
What constitutes an act of war? Is responding to a cyberattack with military action disproportionate, or does it depend on what was attacked and its outcome? A cyberattack on a country heavily dependent on its technology may suffer disproportionally to one that is not. A power grid disruption may constitute a significant, long-term problem far out of scope from the underlying attack. Or the desired outcome may be to disable an opponent for quite some time. A guiding principle of warfare balanced with international humanitarian laws mandates that attacks be proportional in response.
“When we look at the countries of the world, the U.S. is the most exposed to cyberattack, the most reliant on tech,” F-Secure’s chief research officer said during a presentation at this year’s Black Hat conference in Las Vegas. “Other countries just aren’t as reliant.”
And much of the U.S. critical infrastructure is privately owned. With North Korea publicly outed by the United Nations for attacking financial institutions and cryptocurrency exchanges in 17 countries and using the approximately USD $2 billion in stolen funds for its weapons programs, one has to wonder if that might also be considered an act of war.
“There is no other government on this planet that would resort to stealing from other governments to fix their budget deficit [some reports say to fund their weapons program], but that’s exactly what North Korea has done,” Hypponen said.
The United States, the United Kingdom and even NATO are just a few entities to establish policies stating that computer attacks from nation-states can be considered an act of war and that they reserve the right to respond with any means necessary, including physical attacks.
For example, in February 2019, NATO endorsed a guide that further strengthens its ability to respond to significant malicious cyber activities—including political, diplomatic and military resources—to tackle cyber threats.
“The lines between real and virtual worlds are blurring fast,” Hypponen said. “Several governments have publicly stated that they reserve the right to respond to cyberattacks with kinetic force. Now we are seeing that happening.”
He cites the United States, Russia, North Korea and China as examples of countries that have the capability to win in the cyber realm.
And retaliation has already begun.
Recently, while conducting a missile strike on Israel, Hamas attempted a cyberattack against an Israeli civilian target. It failed, but the Israel Defense Forces (IDF) retaliated with an airstrike that destroyed the building and equipment housing Hamas’s cyber capability.
“Given that the IDF admitted that it had halted the attack prior to the airstrike, the question is now whether or not the response was appropriate,” said Andrew Liptak, a writer who holds a master’s degree in military history and serves as a “mad scientist” for the U.S. Army’s Training and Doctrine Command. This evolution in modern warfare is concerning, he said, given the threat that cyber attackers can pose to military forces or nations.
“What’s novel about this particular incident,” Liptak noted, “is that it appears to be the first time that a military has met a cyberattack with a real-world response during an ongoing battle.”
The United Nations advises that nation-states not conduct or knowingly support information and communications technologies activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure, nor the information systems of the authorized emergency response teams of another state.
Impact on critical infrastructur
As to whether the United States will launch missiles in response to a cyberattack targeting critical infrastructure—private, public, military or other U.S. targets—only time will tell.
“Cyber is the next domain to defend,” Hypponen said. “It’s a lesson for both government and private companies.”
He added that while criminals looking for easy money are behind most attacks targeting companies, everything changes when another government is responsible for the attack. “When the attacker is from a government, the attacker is military and follows orders and will attack until he [or she] succeeds.”
“So, yes, we should respond to cyberattacks with missiles if all domains are in play and attribution is clear … but missiles should not be launched if the attacker is only launching cyberattacks because they can figure out how to bypass any mechanisms we currently use for attribution,” he concluded.
Value in deterrence?
Traditional weapons like tanks, jets and nuclear missiles provide a great deterrent to many enemies, but what about cyber weapons?
“You can show [traditional weapons] in a military parade; the power of nukes is in having them, not in using them,” said Hypponen. “Cyber weapons have little deterrence power currently because we have no idea who has what, but all developed nations are developing cyber defenses and offenses.”
He notes that between shorter shelf lives because of patches or new versions, and invisibility, cyber weapons may be more likely to be used than traditional weapons.
What is on the horizon?
Cyber as both an attack vector and threat surface will expand as technology dependencies grow and the technologies themselves improve. “The race to artificial intelligence is likely to generate even more conflict in the short term,” Hypponen said. “If someone comes up with super intelligence, it is game over; the one with AI will win everything, including every war. From a foreign government perspective, if they can’t be first, they will do whatever they can to steal it or destroy it.”
“AI is going to shape the face of conflict,” Hypponen said. “Whoever becomes the leader in this sphere will become the ruler of the world.”
SHAWNA McALEARNEY is a regular contributor who lives and works in Las Vegas.
For all past issues see the archives.