Cheap, low-risk, effective and deniable, state-backed cyber attacks are attractive to nations such as Russia and China, particularly while their adversaries’ digital security remains so lax
For decades, cyber attacks were widely thought to be the preserve of tech-savvy individuals or gangs seeking to steal or extort money. In recent years, it’s become clear that nations are using cybercrime as a standard part of their armoury.
Ransomware, phishing and distributed denial-of-service attacks are just a few of the many weapons that states are using in geopolitical conflicts that are increasingly playing out in cyberspace rather than on the battlefield.
Mikko Hyppönen, chief research officer at IT security company F-Secure, has been helping authorities in North America, Europe and Asia to fight cybercrime for more than 30 years.
“In the 1990s, I wouldn’t have believed that national governments, intelligence agencies and the armed forces were developing and deploying malware against other countries. The notion would have sounded like science fiction to me,” he admits. “But it’s obvious in hindsight. It makes perfect sense. Cybertools are excellent weapons. They’re efficient, affordable and deniable.”
Hyppönen notes that all technically advanced nations are developing both defensive and offensive applications for these weapons as the battle for cyber supremacy escalates around the world.
A technological and social tipping point
Although state-backed cyber warfare is no longer novel, a tipping point has been reached as the offensive capabilities of the weaponry have become more sophisticated and the use of digital tech has become more ingrained in society. So says Dr Tim Stevens, senior lecturer in global security at King’s College London and head of its Cyber Security Research Group.
“A lot of what we’re seeing isn’t entirely new, but the scope and scale of it are increasing all the time,” he says “What’s readily apparent is that this is now an issue of public and global policy. It affects you and me every day.”
His point is backed by the most recent figures from the UK National Cyber Security Centre, which is a part of GCHQ. Last November it reported that it had protected the country from 723 cyber “incidents” in the 12 months to 31 August 2020. That was a 20% increase on the annual average total over the preceding three years.
There are two main reasons for this intensification, according to Stevens. First, there has been a significant increase in the size of the “attack surface” provided by the world’s most developed economies. Their digital transformation has advanced to the point where they’re offering a much bigger choice of potential entry points to target.
“This is unequivocally the risk management problem of the 21st century,” he says, adding that the second, related reason has been the rise of low-cost digital tech lacking in effective security features.
“We’re producing increasing amounts of data and we’re linking up devices that are demonstrably insecure,” Stevens says. “When you turn things over to the market, it’s a case of ‘pile ’em high and sell ’em cheap’. Billions of low-cost devices being sold don’t have good security.”
Alex Rice is the founder and CTO of HackerOne, a company that uses hackers to help organisations detect vulnerabilities in their own systems. He cites another factor behind the upsurge in state-sponsored cyber warfare.
“The amount of tech being developed that’s unique to particular governments is declining rapidly. Today, it is shared more or less across the board. This means that there are very few pieces of state technology that can’t be attacked,” he says. “How do we improve their defences? By focusing on private-sector and open-source technology. For example, there are two major mobile platforms – Apple and Android – in use. We secure government infrastructure by securing all private infrastructure and networks.”
A multi-pronged response to the cyber threat
Given the complexities of cyber warfare, Stevens believes that no single solution can ever be an effective defence. “A multi-pronged set of processes and initiatives is needed,” he says. “These will range from security standards to education and diplomacy.”
Although diplomacy has a key role in developing standards of behaviour, Stevens acknowledges that it would be hard to develop a framework that’s acceptable to all – and, even then, some states could sign up to it and then renege on the treaty.
“Russia, for instance, allows cybercriminals in the country to act as long as they don’t interfere with the state’s activities,” he notes. “But this is something that Biden and Putin could agree to prevent.”
Dr Vasileios Vasilakis, a lecturer in network security at the University of York, agrees with Stevens that “advanced persistent threats” – hacking groups affiliated with national governments – could be prevented through diplomacy. “It would be much more difficult for them to operate if Russia were to crack down on them,” he says.
Hyppönen suggests that another response to the cyber threat at the political level would be the establishment of a dedicated ministerial portfolio.
“This issue needs to be taken seriously and have the proper levels of leadership behind it,” he says. “Eventually, all countries will have minister- or cabinet-level representation for cyberspace. It’s going to become the norm.”
Rice believes that a more effective political response that could help to protect critical infrastructure would be the creation of a cyber warfare equivalent of the Geneva convention.
“It’s in our mutual interest to not attack each other’s power grids,” he says. “So we need to establish what’s allowed and what’s not, so that governments can be held accountable.”
Many analysts believe governments should also regulate any technology being sold in a country to ensure that it meets necessary security standards. For Hyppönen, an international certification scheme for security akin to the CE certification system for manufacturers selling products in the European Economic Area should be created. “We need to verify that the devices we are using are as safe as possible,” he says.
Others point to the support that governments could be offering SMEs in a capacity such as that of the UK Centre for the Protection of National Infrastructure. While “large corporations can hire their own teams to defend their networks, it is harder for small businesses to do” Vasilakis notes.
Role of individuals and private sector
The problem is not up to governments alone to tackle, says Jake Moore, a cybersecurity specialist at firewall provider ESET. The onus, he argues, is also on individuals and enterprises to support the effort by protecting themselves with encryption, firewalls and other defence mechanisms.
“There are serious players involved in this: Russia, China, North Korea,” Moore says. “They are throwing huge amounts of money behind it. That’s why a collaborative approach is desperately needed. We need the public to get involved and play their role, because governments aren’t always the quickest at seeing this issue.”
Nonetheless, experts are keen to stress that most cyber attacks are still committed by criminals rather than governments, which tend to use hacking as a tool for espionage and sabotage rather than theft. This means that any defensive measures should account for these varying contexts.
“Who is your enemy – what threat will you have to defend against?” Hyppönen says. “The answer could be so different depending on your enterprise. Pizza restaurant owners, unlike state agencies, don’t need to worry about foreign governments – but they do need to worry about ransomware attacks designed to gain access to payment systems.”
The cyber risks of the smart city
The 5G-enabled, highly connected smart city has been heralded by some as a utopia, offering seamless functionality between infrastructure systems ranging from power distribution grids to public transport networks and providing the ultimate in digital convenience for its citizens.
Yet security experts are concerned that, while such developments could drastically improve people’s quality of life, the smart city is vulnerable to being disrupted like never before.
“There’s a lot of talk about smart cities, but not so much talk about secure cities,” says Tim Stevens of King’s College London. “Critical infrastructure must be made absolutely secure. But we’re not quite there, especially in sectors such as energy –criminals are still working their way in.”
He cites the ransomware attack in May that successfully took control of the computer systems of Colonial Pipeline, a major US oil distribution network, forcing the company to spend $4.4m (£3.2m) to pay off the hackers.
“That was a wake-up call for a lot of people,” Stevens says. “Energy is one sector that really concerns the public because without it everything grinds to a halt. I find it remarkable that we haven’t yet seen many infrastructure disasters on this scale.”
The University of York’s Vasileios Vasilakis agrees, citing the first known successful cyber attack on an electrical grid in December 2015. Hackers believed to be linked to Russia delivered malware via a phishing email, which cut power to more than 230,000 people in Ukraine, fortunately for no more than six hours.
“Events such as this one could become more and more common,” he predicts.
Security professionals warn that, as a consequence, there may need to be a trade-off between a modern urban environment, made smarter by data, and a city where everyone’s privacy is protected.
“The explosion of the internet of things has made people’s lives easier, but few IoT devices have been designed with security in mind,” says Jake Moore of ESET. “We have far more IP addresses in our homes than ever. These can be exploited by all sorts of criminals. We need to think carefully about the implications.”
This threat is likely to become even more complex as systems become ever more reliant on the internet. Experts fear that, if the appropriate measures aren’t taken to agree stricter security protocols, hackers could take control of critical urban infrastructure.
“It’s like what we see in the movies, but some of it could actually be done for real,” says Mikko Hyppönen of F-Secure. “We’re becoming more and more efficient, but more and more vulnerable. Just imagine how much more reliant we will be in 10 or 20 years.”