Cybercrime often merges with cyberwarfare. The techniques of both are similar, even if their intentions are not. Yet, unlike their “real-world” counterparts, we can’t afford to treat the former as merely a law enforcement problem and the latter as a military problem.
Today’s gnat is tomorrow’s nuclear-tipped missile.
Directly, these attacks strike at parts of our electrical grid, our food supply, our energy providers, banks, business computer networks, and government systems. Indirectly, they threaten our livelihoods and our sense of security and stability. That is, at least for the present, the most important thing about them.
The SolarWinds hack of 2020 compromised a top-tier provider of IT management services by injecting malware into a routine software update that the company distributed to its 33,000 customers. The victims included hundreds of large companies, as well as the federal departments of Treasury, Commerce, and even Homeland Security. The hack was extremely sophisticated and operated for months before it was discovered. Cybersecurity analysts in and out of the government say conclusively that it was the work of a hacking group they call “Nobelium,” operating with the support, if not the direct control, of the Russian government.
Russian President Vladimir Putin’s regime has denied its involvement, as it always does. No one believes them.
This type of attack is cyber-espionage—stealing information without being detected. Like other types of spying, it enters the target unobtrusively and bides its time before it goes to work. Then, as it comes to life slowly, it steals information from within those networks. It masks its own activity to look like ordinary network traffic to evade anti-malware protections and traffic analysis software. Even when it is finally discovered and blunted, questions linger about exactly what was stolen, and whether the attack was, to press the military analogy, the main assault or an opening flank attack.
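As an added illustration, not part of the original article, of how traffic analysis can still pick out an implant that blends in: an implant that “bides its time” usually checks in with its operator on a schedule, and that regularity is visible in connection logs even when each individual request looks like ordinary HTTPS. The script below groups outbound connections by source and destination and flags pairs whose inter-connection intervals are nearly constant. The log lines, hosts, threshold, and function names are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in a simple "timestamp src dst:port bytes" layout.
# 10.0.0.5 talks to two external hosts: one at irregular, human-looking
# intervals and one every 30 minutes almost to the second.
SAMPLE_LOG = """\
2021-06-01T09:00:00 10.0.0.5 203.0.113.10:443 512
2021-06-01T09:00:04 10.0.0.5 198.51.100.7:443 9301
2021-06-01T09:30:01 10.0.0.5 203.0.113.10:443 498
2021-06-01T09:41:12 10.0.0.5 198.51.100.7:443 12000
2021-06-01T10:00:00 10.0.0.5 203.0.113.10:443 530
2021-06-01T10:30:02 10.0.0.5 203.0.113.10:443 505
2021-06-01T10:33:40 10.0.0.5 198.51.100.7:443 777
2021-06-01T10:52:09 10.0.0.5 198.51.100.7:443 3100
2021-06-01T11:00:01 10.0.0.5 203.0.113.10:443 511
2021-06-01T11:30:00 10.0.0.5 203.0.113.10:443 520
"""


def parse_flows(log_text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=4):
    """Return interval statistics for one flow, or None if there are too few events.

    cv (coefficient of variation of the gaps) near 0 means near-perfect
    periodicity; human-driven traffic typically scatters well above 0.1.
    """
    if len(timestamps) < min_events:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return {"events": len(ordered), "mean_gap_s": avg, "cv": pstdev(gaps) / avg}


def find_beacons(log_text, max_cv=0.1, min_events=4):
    """Return [(src, dst, stats)] for flows regular enough to warrant triage."""
    hits = []
    for (src, dst), times in parse_flows(log_text).items():
        stats = beacon_score(times, min_events)
        if stats is not None and stats["cv"] <= max_cv:
            hits.append((src, dst, stats))
    return sorted(hits, key=lambda h: h[2]["cv"])


if __name__ == "__main__":
    for src, dst, s in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {s['events']} connections every "
              f"~{s['mean_gap_s']:.0f}s (cv={s['cv']:.4f})")
```

On the constructed log the 30-minute check-ins to 203.0.113.10 are flagged while the irregular browsing to 198.51.100.7 is not. The threshold is the tuning knob: real implants often add random jitter to each sleep, so in production the cutoff is set from a baseline of the organization’s own traffic, and a hit is a lead for an analyst rather than a verdict.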
Cyber-extortion leaves no such doubts. It is a different sort of attack, and typically directed at private businesses and individuals rather than government entities. Attackers steal confidential data from a network, then contact the victims and threaten to sell it or release it publicly unless they are paid. As with other forms of blackmail, victims may or may not report it to the authorities. Hence, these attacks are often quiet.
Then there are the louder “ransomware” attacks, such as the Colonial Pipeline hack and the recent REvil ransomware attack. These attacks are not subtle: they announce themselves immediately by encrypting the contents of the file systems on the machines they infect and displaying a ransom demand on the screen, with decryption of the target’s files promised only after payment. The goal is simply to make money by causing disruption.
Bolton then describes the ultimate and most extreme sort of cyberattack—cyberwar. This is the loudest one of all, an undisguised assault against military and civilian infrastructure meant to cripple the targeted country, destroy or damage its communications and command systems, and create immediate and total chaos among its people.
For the United States, the Biden administration must deal with this threat the same way the Trump administration did, with sanctions and the threat of retaliation. Here is one policy sphere where partisan differences really don’t matter. The only real question is how severely and quickly those punishments will be wielded. Bolton and others are thus far satisfied with the new administration’s responses to early tests, but Bolton warns that to protect the American people, the defense establishment needs to focus much more attention on early threat recognition.
Professor Scott Jasper of the Naval Postgraduate School said that Russia views its cyberwarfare capabilities as one essential part of its larger strategy to make Russia a leading power. At the same time the cyberattack was going on, Russia was also making threatening troop movements in Ukraine, flying bombers near Alaska, and showing off three of its ballistic missile submarines in the Arctic.
For Wolf, a key question is: How can the private sector better protect itself, and how can private businesses and cybersecurity departments work better with the government to pool resources and share knowledge faster? The private sector, he said, has better and more capable people than the government, while the government has greater knowledge of ongoing and planned attacks. A faster, more nimble chain of notification needs to be developed.
Moreover, it’s clear the U.S. government must be more assertive in pointing the finger at Putin when a Russian attack is unmasked. Because this involves capabilities within not just U.S. intelligence services but within the U.S. Cyber Command organization, doing so risks exposing sources and methods to the attackers, as well as everyone else—not an easy problem to solve.
Part Two of this series explores other aspects to defending against what are known as Advanced Persistent Threat actors.