War of the web

29 December 2020
As relations continue to deteriorate between China and the US, the spotlight has been thrown on how the two superpowers are engaging in cyberspace. Andrew Barnett asks Jinghua Lyu, a visiting scholar with the Cyber Policy Initiative at the Carnegie Endowment for International Peace in Washington, DC, how countries, including the US and its allies, are engaging on the fast-paced and increasingly complex cyber front line.
Wars are no longer only played out in the air, on the ground or at sea – modern warfare also involves conflict along the fibre optics and copper wire that connect us all.

This cyber arena adds another dimension to the unconventional warfare being fought between conventional foes, allowing countries to push boundaries and destabilise the geopolitical balance without the risk of direct, armed contact. While cyberwarfare is certainly not a new phenomenon, its prevalence and impact on everyday life is on a steep trajectory. Jinghua Lyu, a visiting scholar with the Cyber Policy Initiative at the Carnegie Endowment for International Peace in Washington, DC, says cyberattacks are accelerating at an alarming rate in terms of targets, techniques and scale. “The number of malicious cyber activities has increased at high speed, the targets are expanding to almost every industry and the techniques are improving every day,” she says.

“The wider application of cyber tools in every corner of human society is inevitably accompanied by an increase in malicious cyber activities.” However, according to Lyu, an increased focus on cyberwarfare has led to a distortion in terms of what actually constitutes an attack on national security. Cyberattacks now target both government and corporate entities – and the crossover in actors is muddying the waters.

“‘Cyberattack’ these days has been overused to describe all the activities in and through cyberspace, such as cyberespionage, inserting backdoors and implanting malware,” says Lyu. Cyberespionage is an extension of traditional espionage techniques used to safeguard national security or to identify risks, targets and intelligence. It can be more efficient and lower risk than traditional espionage – and it generally remains acceptable under international law, explains Lyu.

Other types of malicious cyber activities that are most definitely illegal – such as botnets that can launch ‘denial of service’ attacks from widely disparate geographical locations – cannot so easily be traced back to a specific government. In these instances, says Lyu, a government might consider it too dangerous to accuse a foreign adversary of an attack since such accusations would only serve to further compound suspicions and escalate tensions. The actors used in this digital battlefield vary, with state-sponsored freelancers often used to provide a buffer between the government and the attack, making attribution difficult. “The logistics of cyberattacks vary, with some countries using state resources to coordinate attacks and others outsourcing,” says Lyu. “It mostly depends on the intent of the cyber activities, the capabilities required and the capabilities owned by individual governments.”

Take a balanced perspective

Regardless, accusations need evidence to stick and – especially in the cyber domain – evidence is time consuming, expensive and technically difficult to acquire. The rhetoric in the West describing China as a powerhouse of cyberwarfare is clear for all to see, with coverage in the media and on the US President’s own Twitter account. But how does China’s perceived threat compare with reality?

One ground-breaking report by the cybersecurity company Mandiant (now FireEye) in 2013 offers an insight into the scope of activity coming out of China. The report outlined the formidable capabilities of a mysterious group that persistently hijacked the valuable data of hundreds of private companies across a wide range of industries worldwide – many aligned to strategic growth areas in China. The attacks focused on the English-speaking world, and overwhelmingly targeted the US. Access was shown to be achieved via sophisticated phishing techniques, with the group using tailored backdoor scripts to gain cyber footholds, steal documents and download staff emails. In one case, a five-year-long attack saw the servers at an African Union building in Addis Ababa, Ethiopia, regularly copied and sent to China, which had originally funded the building. Mandiant’s research revealed the group’s activities were closely aligned with – if not identical to – that of Unit 61398, a People’s Liberation Army cyber force operating from the same location and using the same optimised fibre optic infrastructure. They were, in all likelihood, one and the same, and therefore appeared to be conducting cyberespionage with the knowledge of the Chinese military and, by default, the Chinese Communist Party.

This is not to say, of course, that aggressive acts of cyberwarfare and espionage are the preserve of Beijing and Moscow. It must not be forgotten, says Lyu, that the US and other Nato countries are also agitators. “The countries that are more vocal in claiming themselves to be victims are actually those more capable of attribution,” she explains. “In fact, the largest scale cyberespionage disclosed to date was conducted by the US intelligence agencies, as shown by files released by Edward Snowden.”

In addition, a key component of the worldwide spread of WannaCry malware in 2017 was EternalBlue, she adds, a cyberattack exploit developed by the US National Security Agency (NSA). Lyu says the US currently adopts an offensive cyber posture, a concept known as ‘defending forward’ that was devised by the US Cyber Command (USCYBERCOM).

Established in 2009, USCYBERCOM has seen its role and importance develop rapidly in recent years, and it is now recognised as a combatant command. Originally set up to protect networks belonging to the Department of Defense, its scope has expanded to cover private sector networks, reinforcing the view that the future of cyberwarfare won’t be focused exclusively on government assets.

Nor is USCYBERCOM entirely defensive. In 2018, its vision statement – titled, aptly, ‘Achieve and Maintain Cyberspace Superiority’ – explained its pivot toward a more aggressive ‘defending forward’ strategy; in other words, defining cyberattacks as just another form of defence. The document goes on to outline how the US is pivoting towards persistent engagement rather than focusing on more reactive operations, stating that “...defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins”.

It is telling that the US is now not only engaging in continuous or everyday cyberwarfare, but that it considers this activity eminently legal. Rather than viewing such exercises as an irregular threat or annoyance it must stifle, the US now sees cyberwarfare – and obtaining superiority in this theatre – as a priority. It is being used not just to offset or avoid issues relating to public and economic disruption, such as the hacking of banking infrastructure or the targeting of Covid-19 vaccine development research, but also to ensure that traditional fighting forces can operate without constraint. In this way, it is similar to how maritime or airspace superiority is used to pave the way for ‘boots on the ground’.

Ownership counts

Despite this transparency in terms of strategy, a lack of internationally agreed ‘cyber norms’ continues to contribute to the proliferation of state-sponsored cyberattacks. Lyu says that an erosion in trust among global powers, heightened geopolitical tensions and the emergence of cyber superiority as an indicator of a nation’s overall strength have all contributed to an increase in attacks co-ordinated at the highest level. The provenance of the very technology that makes up a country’s online infrastructure also plays an important role in the cyberwarfare debate, posing nationalistic questions that centre on perceived susceptibility versus cost and capability.

The fact that most major technology companies are based in the US is one factor influencing cybersecurity globally. “Firstly, it increases other countries’ concern about their national security when they have to use core information communication technology (ICT) products and services mostly provided by US-based companies,” explains Lyu. “They are, therefore, forced to increase their offensive cyber capabilities, which makes them seem more aggressive.”

She says controversies such as the furore surrounding the Chinese tech giant Huawei and 5G illustrate how a concentration of ownership and allegiances can reverberate globally. “Some countries have to think about being more self-reliant in producing relevant products or even building a more enclosed intranet. These efforts lead to the fragmentation – or what we call the ‘Balkanization’ – of the internet, which itself has prospered because of its inherent interconnected and inclusive features.”

According to Lyu, a concentration of tech power in so few countries could lead to more autocratic governments – including in the US – with the threat of cyberwarfare used to progress national interests. Governments could increasingly use the guise of national security to pressure tech companies to help achieve political goals. Even so, governments and tech giants alike are constantly playing catch-up as computer technology and detection software fail to keep pace with attacks. Lyu describes cyberspace as an “offence-dominant domain” due to the speed at which offensive capability can be exploited.

Technology, she says, has been unable to keep pace with attack capability for a number of interconnected reasons. Firstly, the internet was designed with connectivity and speed – not security – in mind. “Secondly, the internet is globally connected, which means the attacker only needs to successfully exploit one node among numerous ones, whereas the defender has to secure all of them,” she says. “Thirdly, code is manually written, which cannot exclude errors that can be exploited by malicious actors.” She says a lack of timely attribution capabilities largely reduces the risk of malicious actors being detected and prosecuted, while the enormous economic benefits of cybercrime encourage malicious actors to develop new tools.

The future success of nations in the cyber domain will require governments and their militaries to develop much closer relationships with the private sector companies that create, own and access the vast majority of the internet’s infrastructure. Governments will also need to predict, understand and counter ever-changing threats and ensure accurate attribution. Losing this battle could result in a loss of national capability and the very ability to fight and function.

In numbers

$57–109bn: Estimated cost of malicious cyber activity to the US economy. (Source: The White House)

$10bn: Estimated budget of the NSA. (Source: CNN)

£92m: Estimated cost to the UK National Health Service in fixing its computers following the ‘WannaCry’ malware attack. (Source: UK government)

African Union Headquarters in Addis Ababa, Ethiopia: The building’s servers underwent a sustained series of cyberattacks over five years.