© Max Dauven
Cyber Attacks: When Traditional Defenses are no Longer Sufficient
Attacks on the 2016 U.S. presidential election, Ukrainian electricity suppliers in 2015, and the encryption software WannaCry in 2017 are just three examples that have demonstrated that cyber operations are increasingly being used to influence elections, to spy, to blackmail, and to manipulate via the internet. For states, cybersecurity thus becomes an elementary component of national and international security. Dr Sven Herpig, head of the Transatlantic Cyber Forum at the Stiftung Neue Verantwortung, sheds light on the interplay between cyber resources – hacking tools – and international conflict resolution.
Dr Herpig – to what extent are international conflicts carried out online today?
International conflicts are increasingly taking place in cyber and information space. If we take a look at history, we see that the first cyber operations were carried out in the 1990s. At first it was political espionage, later increasingly economic espionage as well. In the early 2000s, several disruptive events took place, which used malicious software for the first time, designed not to spy but to sabotage institutions and operational processes. In 2007, the Estonian parliament and other government agencies, as well as banks and the media were attacked. In 2012, cyber-attacks were directed at the Saudi oil company Saudi Aramco.
As a result, Estonia’s parliament and government websites were temporarily unavailable and business transactions, such as online banking, were disrupted. At Saudi Aramco, the production process could not be directly affected, but the hard drives of 30,000 computers were erased and rendered useless. In addition to the well-known Stuxnet cyber operation against uranium enrichment plants in Iran in 2010, these two events initiated the transition to the current phase, in which the political IT infrastructure is also increasingly under attack.
Examples include the attack on the German Bundestag in 2015, the US election campaign in 2016 and the French election campaign in 2017. Another development that we will probably still experience is the migration of terrorist acts into cyberspace. So far, terrorists only use it to communicate with one another and to promote their cause. Even the conventional military still rarely uses cyber weapons – but this is where developments are likely headed. Thus, we see both a quantitative and a qualitative expansion of international conflict resolution with hacking tools.
“Whereas a spy had to be infiltrated somewhere, nowadays the internet can be used to spy from anywhere in the world”
Economic and political espionage, as well as less direct ways of exerting influence, are not new phenomena. What is the difference between digital and analogue international disputes?
One of the main differences is that today most of these actions can be carried out from afar. Whereas a spy had to be infiltrated somewhere, meaning physically present, nowadays the internet can be used to spy from anywhere in the world. Furthermore, due to the large amounts of data transmitted on the internet within a short amount of time, attacks can be much more effective. In addition, more and more documents and conversations are digitised, thus increasing the surface of attack.
Countries like North Korea or Iran are frequently referred to when it comes to the leading global hacker groups even though they are rather local powers working on an analogue level. Do these characteristics of cyberspace shift the international power balance?
North Korea and Iran are certainly among the top 15 cybernations. For these states, a power projection is taking place, therefore they seem more powerful than they are in terms of their conventional capabilities. The WannaCry encryption software – possibly from North Korea – brought hospitals, global logistics companies, and car manufacturers all over the world to a standstill last year. It is quite clear that an attack of such global scale, using conventional analogue means, would never have been feasible from North Korea.
The same applies to Iran, where several cyber operations were uncovered this spring that would probably have been very difficult for the state to carry out with conventional means. Therefore, these states appear to be more powerful by using cyber weapons and thus, are perceived to be much stronger. Whether these operations ultimately have a greater impact than traditional means of warfare, however, depends on our understanding of conflict resolution. If we look at the part that takes place below the threshold of armed conflict, cyber weapons clearly reach a new quality. However, if we look beyond this threshold, it is still completely uncertain whether cyber weapons alone could make a big qualitative difference in international power relations.
“Cyberspace has a completely different nature than the traditional domains of land, air, sea, and space”
WannaCry prompted a debate on how states can take even more security measures to protect themselves from these types of attacks. Why is it not possible to rely on the same defense mechanisms in cyberspace as in traditional active defence?
This is because cyberspace presents a completely different nature than the traditional domains of land, air, sea, and space. The systems and software used in cyberspace are man-made; they can be altered, removed or simply disconnected from the internet within a short period of time. Thus, this comparison does not work. Another aspect is hackbacks, currently under discussion, in which an offensive cyber operation is carried out to fend off an ongoing offensive cyber operation by the opponent: here, the comparison to air defense is often referred to, which shoots down enemy aircraft that have invaded our airspace in order to drop bombs on our country. This analogy might work anywhere, but not in cyberspace. Rather, imagine it this way: someone shoots a rocket from A to B and you place a rocket launcher at the border and shoot back over a wall, not knowing what you might hit. That would be a more appropriate analogy.
“In Germany, the one who shouts the loudest that we need to expand our offensive means of action is currently winning the debate”
What would alternative defence mechanisms look like? In your opinion, how should cyber security for the state, the economy and civil society be improved?
It would help if we were to focus more on our defensive capabilities. In Germany, the one who shouts the loudest that we need to expand our offensive means of action is currently winning the debate. In my opinion, this is a complete misjudgement. We can achieve more by using resources in our defense, and that is where we must invest. If we split the little resources we currently have between new agencies, offensive and defensive measures, we will get to a point at which neither the offense nor the defense is working properly.
Let’s go back to the compromised German government networks. At the beginning of the year it was revealed that the attackers had been inside the systems of the Foreign Ministry for over a year. For a long time, it was unclear who was responsible. Why is it so difficult to identify a perpetrator in cyberspace?
First of all, I do not consider identification to be the most relevant aspect of such an operation. It is certainly good to know who it was to avoid further attacks and to impose sanctions. But it is more important to question how this happened and how we can protect ourselves better in the future. There are several reasons why identifying an attack is so difficult. On the one hand, many technical “fingerprints” of an attack – for example from where it is carried out, which means are used, etcetera – can be forged.
Of course, we know that certain groups operate with certain tools, for example code elements, which they use repeatedly as well as certain IT infrastructures. However, these can also be imitated by a third actor. In the past, for example, Americans have been systematically investigating how different groups of attackers proceed to partially copy those approaches and to disguise who they are. Thus, this means that a truly technically flawless forensic investigation requires a lot of patience, good people and possibly the support of various intelligence agencies. This takes a lot of time and resources. Even if we find out that the attack originated from computer B in country Z, we still do not know who exactly used this computer.
We do not even know if any of the groups responsible are supported or tolerated by the respective government or paid by someone entirely different. In the past, we have seen that some hacker groups have both economic and political interests. This means that, for example, they encrypt foreign computers and release them for ransom, but at the same time scan all the data for specific keywords such as “NATO” and then extract those documents. In the case of such conflations it is quite difficult to pinpoint an attack.
Which possibilities of identification ultimately remain?
Overall, there are two ways which can help to conclusively identify where an attack originated. On the one hand, there are cases in which intelligence agencies infiltrated entire networks. In the case of the attack on Sony Pictures it was speculated that the Americans were able to prove the attack so well because they had infiltrated the North Korean infrastructure and could thus also see and understand the attacks first-hand. On the other hand, there is also the previously mentioned aspect of how big groups often use the same approaches, code snippets, and infrastructures. If one manages to clearly assign individuals to an intelligence agency, as, for example, the Dutch domestic intelligence agency did with the Russian attacks on the US election, then one can, of course, examine which other operations are very similar in their approach.
“We need to provide more resources to establish cyber security in Germany”
What consequences does the complicated allocation have on international political relations?
If cyber operations cannot be clearly identified, it allows the defense to not react at all or to do so in secret. This is beneficial if the government does not want to publicly denounce the alleged attacking country, for example, due to overriding political interests or important international relationships.
Given the circumstances, what recommendations would you make to the German federal government?
First, we need to promote a strategic understanding of what those attacks mean, where we position ourselves, and how we want to react. Second, we need to provide more resources to establish cyber security in Germany. But we also must ensure that our cyber security architecture does not fray, so that we do not end up having ten departments, all of whom are doing something cyber related, but rather that we have a central person in charge in the department of defence. In Germany this is the Federal Office for Information Security, which is set up in a civil and defensive manner and is the central body for all cyber security measures.
If we continue to establish new departments or give existing departments new responsibilities in cyberspace, the existing structure will duplicate itself and we will not make adequate use of our resources. Ultimately, this makes us rather vulnerable, not safer. I would advise the Federal Government against pursuing this approach, especially considering the growing number of actors using this new, relatively inexpensive tool worldwide. If we set the wrong strategic focus, we will lose this race.
Interview: Tabea Breternitz
Translation: Hannah Riegert-Wirtz
Dr Sven Herpig, head of the Transatlantic Cyber Forum at the Berlin-based think tank Stiftung Neue Verantwortung, works on standards of government hacking, political IT infrastructure protection in election campaigns and elections, government IT vulnerability management and EU cyber diplomacy. He is also a lecturer at the University of Bonn. Prior to that, he was a member of the IT security staff at the Federal Foreign Office and Deputy Head of Unit at the Federal Office for Information Security.