Monday, April 4, 2022
Cyberwar History and Ukraine
People are much more drawn to images of blown-up buildings, fires, mushroom clouds, refugees in dire circumstances, and color pictures of pain that are better in black and white, than they are to explanations of code, or even to fallout from code if it’s not resulting in something blown up, fiery, or pictures of people in pain that are better in black and white.
That is to say, while we see plenty of stories of ransomware, temporary business disruptions, and credit card & ID fraud, it’s not visceral. It goes by quickly on the page and in our minds.
So, whatever happened to the stories we saw before the cyberattack age? When the US Cyber Command was just a twinkle in some geeky eyes? What happened to the discussion that cyberattacks would engender kinetic responses? Bombs, not electrons.
Perhaps it was a sense of proportion. Perhaps it was a recognition that an increasing cyberwar, if responded to with bullets, might just result in us seeing those images of things that would be better in black and white on our own doorstep.
Did we back off, or did sanity take hold in the minds of the planners?
Let’s look at a little history.
Back in 2003, a cyberattack originating from China – and christened “Titan Rain” by the US – managed to get access to loads of sensitive government information by compromising the systems of US government contractors and government systems themselves. Only unclassified information was stolen, but the world woke up to this kind of attack.
In 2004, the Joint Chiefs of Staff declared cyberspace an important domain of conflict alongside the air, land, sea, and space domains. No doubt, this was prompted by the reality of Titan Rain. As a culture, we were just starting to think about these things on a national level.
In 2007, Estonia experienced a broad cyberattack that included their parliament, banks, and media. It was believed to have originated from Russia, or from Russian actors. NATO’s response was to create the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) in 2007. Now, continents were beginning to wake to the threat and the need to do something about it.
The Tallinn Manual
The CCDCOE began to develop an extensive study and code about how international law applies to cyber conflicts and cyberwarfare; these previous acts were beginning to be recognized as acts of war. Calling on legal scholars and legal practitioners who were experienced in cyber issues, the CCDCOE produced the Tallinn Manual on the International Law Applicable to Cyber Warfare in 2012.
The Tallinn Manual declared that killing hackers in response to certain cyberattacks was justifiable.
Killing hackers?!
Meanwhile, other state-sponsored cyberattacks marched their way into the public consciousness.
The Stuxnet Worm was developed to sabotage Iran’s nuclear development efforts – in particular, the centrifuges used to enrich uranium gas. It is believed to be the first malware designed to visit physical destruction on physical equipment, and to succeed in doing so. Wired Magazine called it the first digital weapon.
It’s widely considered that the US and Israel collaborated over a period of 5 years to develop this malware.
In 2009, Secretary of Defense Robert Gates, recognizing how important AND vulnerable important computers and networks were (are), directed the creation of USCYBERCOM. It is the unified command for the cyberspace domain in the US and the world.
In 2016, the organization described the 2016 espionage ops against the Democratic National Committee while in the midst of a national election as “serious business . . . [that] may destroy democracy.”
Administration officials at the time considered that cyber weapons were so potentially destructive that they should be unleashed only on the direct orders of the Commander in Chief, like nuclear weapons. I do not know if there is an equivalent “Cyber Football.”
Article 51 of the UN Charter allows individual countries to defend themselves and to band together to defend each other. It also allows the same if an armed attack is anticipated and recognizes the right to use force in such a situation. It allows cyberattacks to be considered an armed attack.
In 2019, Israel did just this, by conducting airstrikes on a building that they said had Hamas members inside who were planning to launch a cyberattack on Israel.
In 2021 the topic was up for noticeable public discussion again. NATO heads of state and government met at NATO’s North Atlantic Council meeting in Brussels and issued a communiqué that ultimately equates cyberattacks with kinetic attacks and leaves the possibility of military action against hackers on the table.
Still, what we generally see is that cyberattacks – or anticipated cyberattacks – by states are dealt with by preemptive and after-the-fact punishing cyberattacks. Tit for tat, as it were, and even before the tat.
Cyberwar in Action
What we have seen in practice in Georgia in 2008, Crimea in 2014, and in Ukraine in 2021 is the “softening up” cyberattack. This is the attack used to diminish and disable defensive and living systems before a kinetic attack, rather than a kinetic attack in response to a cyberattack.
Many said that the 2014-2015 cyberattacks were on an entirely different – and grander – level than had been seen previously. Several Ukrainian banks and government agencies became inaccessible and malware – using a tool called “HermeticWiper” – was wiping data from hundreds of PCs and servers.
But we’ve gotten used to common DDoS attacks, data-wiping and ransomware in recent years on the civilian level. It’s kind of taken for granted that these things are ongoing and all over.
The use of cyberwar and kinetic war together has been labeled “hybrid warfare.”
And yet, the world seems surprised that Russian cyberattacks on Ukraine in 2021 and 2022 have been substantially less severe than anticipated. To be sure, they were and are ongoing and widespread. Hackers caused the Viasat satellites to become inoperative. But that may have caused Russian soldiers and commanders to lose connectivity as well. And said attack has been mitigated somewhat by Musk’s activation of Starlink Internet satellites over Ukraine.
Additionally, Ukrainian modems were zombie-fied by Russian malware, being used as nodes for targeted DDoS attacks within Ukraine.
But the ruination from malware that was expected has not really seemed to occur. We haven’t seen a cyber-Armageddon. Were they more prepared? Were the US and/or the EU pumping up Ukraine’s cyber defenses or attacking the offensive cyber capabilities of Russia? The newspapers wonder about this and government sources overtly express surprise and confusion that there isn’t more cyber damage.
I would be willing to wager that they know more about this than they are letting on. But then, isn’t that almost always the case?
The coming days and weeks will tell us more about cyberwar in Ukraine. It’s possible that all-out disruption of Ukraine’s Internet will come to pass. We hope not.
But one thing about this history stands out. We have not seen the kinetic response to cyberattacks on a wide scale that was being discussed a decade ago.
Luck? Cooler heads? Invisible cyber counterattacks? Thoughts of a Cyber version of the Mutually Assured Destruction doctrine that has, in theory, kept the world from launching nuclear war? Or is physical destruction on a massive scale enough to satisfy those bent on domination?
These times we’re living in will surely shape the times we will be living in. Let us hope, and work to ensure, that cyberwar doesn’t exceed the malign effects we have seen to date and that going forward we see fewer dire images because of fewer dire circumstances.
Contact Steve Burgess: steve@burgessforensics.com
(866) 345-3345 ; (805) 349-7676
http://www.burgessforensics.com