Cybercrime often merges with cyberwarfare. The techniques of both are similar, even if their intentions are not. Yet, unlike their "real-world" counterparts, we cannot afford to treat the former as merely a law enforcement problem and the latter as a military problem. Today's gnat is tomorrow's nuclear-tipped missile.
In a recent article, former U.S. National Security Adviser John Bolton highlighted the cyberwarfare being waged on the West every day by Russia, China, Iran and North Korea. The assault is an accelerating proxy war, a coordinated terrorism campaign conducted by both hired criminals and military intelligence agencies, capable of great economic and societal damage. At the same time, even at lower intensity, it is a subtler attack on Western morale.
Directly, these attacks strike at parts of our electrical grid, our food supply, our energy providers, banks, business computer networks and government systems. Indirectly, they threaten our livelihoods and our sense of security and stability. That is, at least for the present, the most important thing about them.
The SolarWinds hack of 2020 compromised a top-tier provider of IT management software by inserting a backdoor (later named SUNBURST) into a routine update of the company's Orion network-monitoring platform, an update that fewer than 18,000 of its roughly 33,000 Orion customers installed. Those customers included hundreds of large companies, as well as the federal departments of Treasury, Commerce, and even Homeland Security, although the attackers followed up inside only a small fraction of the networks that took the update. The hack was extremely sophisticated and operated for months before it was discovered. Cybersecurity analysts in and out of government attribute it with high confidence to a hacking group that Microsoft calls "Nobelium" (also tracked as APT29 or Cozy Bear), which the U.S. government formally tied in April 2021 to Russia's SVR foreign intelligence service. Russian President Vladimir Putin's regime has denied its involvement, as it always does. No one believes them.
This type of attack is cyber-espionage -- stealing information without being detected. Like other types of spying, it enters the target unobtrusively and bides its time before it goes to work. In the SolarWinds case the implant lay dormant for up to two weeks after installation, then disguised its command-and-control traffic as the Orion software's own telemetry so that it looked like ordinary network traffic to anti-malware protections and traffic-analysis tools. Only then, slowly, did it begin stealing information from within those networks. Even when such an operation is finally discovered and blunted, questions linger about exactly what was stolen, and whether the attack was, to press the military analogy, the main assault or an opening flank attack.
Cyber-extortion leaves no such doubts. It is a different sort of attack, and typically directed at private businesses and individuals rather than government entities. Attackers steal confidential data from a network, then contact the victims and threaten to sell it or release it publicly unless they are paid. As with other forms of blackmail, victims may or may not report it to the authorities. Hence, these attacks are often quiet.
Then, there are the louder "ransomware" attacks, such as the DarkSide attack on Colonial Pipeline in May 2021 and the recent attack on Kaseya's customers by the REvil gang. These attacks are not subtle: they make themselves known immediately by encrypting the contents of the file systems on the machines they attack and displaying a ransom demand on the screen, with decryption promised only after payment. Many crews now combine the two tactics, stealing data before encrypting it, so that a victim who restores from backups is still threatened with a public leak. The goal is simply to make money by causing disruption.
Bolton then describes the ultimate and most extreme sort of cyber-attack -- cyberwar. This is the loudest one of all, an undisguised assault against military and civilian infrastructure meant to cripple the targeted country, destroy or damage its communications and command systems, and create immediate and total chaos among its people.
Russia's campaigns against Georgia in 2008 and Ukraine since 2014 are the closest thing to full-on cyberwar yet seen, with attacks on government, banking and communications networks timed to accompany Russia's military moves. In Ukraine, a GRU unit known in the security community as "Sandworm" cut power to roughly 230,000 customers in December 2015 and struck Kyiv's grid again in December 2016. Its "NotPetya" worm of June 2017, disguised as ransomware but built to destroy, spread far beyond Ukraine and crippled global firms including the shipping giant Maersk, shutting down port terminals around the world.
For the U.S., the Biden administration must deal with this threat the same way the Trump administration did, with sanctions and the threat of retaliation. Here is one policy sphere where partisan differences really do not matter. The only real question is how severely and quickly those punishments will be wielded. Bolton and others are thus far satisfied with the new administration's responses to early tests, but Bolton warns that to protect the American people, the defense establishment needs to focus much more attention on early threat-recognition.
In a video symposium sponsored by the Heritage Foundation, two U.S. cyber warriors reviewed the SolarWinds hack and offered additional insights. The former acting director of DHS, Chad Wolf, stressed the need for better public-private coordination of cybersecurity efforts. He pointed out that the first signs of the SolarWinds attack were noticed by a company called Palo Alto Networks, which detected suspicious activity from its own Orion installation in the autumn of 2020 and reported it to SolarWinds. Nevertheless, the backdoor was not recognized for what it was until December 2020, after the poisoned update had reached thousands of networks, including the public-facing network of DHS itself.
Prof. Scott Jasper of the Naval Postgraduate School said that Russia views its cyberwarfare capabilities as one essential part of its larger strategy to make Russia a leading power. In the same period that the SolarWinds intrusion was unfolding and being exposed, Russia was also making threatening troop movements on Ukraine's border, flying bombers near Alaska, and showing off three of its ballistic missile submarines surfacing through the Arctic ice.
For Wolf, a key question is: how can the private sector better protect itself, and how can private businesses and cybersecurity departments work better with the government to pool resources and share knowledge faster? The private sector, he said, has better and more capable people than the government, while the government has greater knowledge of ongoing and planned attacks. A faster, more nimble chain of notification needs to be developed.
Moreover, it is clear the U.S. government must be more assertive in pointing the finger at Vladimir Putin when a Russian attack is unmasked. Doing so is not easy: attribution rests on capabilities within not just the U.S. intelligence services but also United States Cyber Command, and naming the attacker publicly risks exposing those sources and methods to the attackers, as well as to everyone else.
Part Two of this series explores other aspects to defending against what are known as Advanced Persistent Threat actors.
Peter Schweizer, President of the Governmental Accountability Institute, is a Gatestone Institute Distinguished Senior Fellow and author of the best-selling books Profiles in Corruption, Secret Empires and Clinton Cash, among others.