Cyberwarfare: A 'Wild West' of nonkinetic weaponry

Cyberwarfare is akin to "a guerrilla warfare domain," where attackers hide behind proxies to maintain a level of plausible and diplomatic deniability.

The term is so ambiguous – a solid definition that everyone can agree on remains elusive – and there is certainly no accepted set of rules to follow ... yet.

It tends to focus on “intentionally breaking or damaging the software that a critical system depends on to function so that it’s no longer functional or capable of carrying out its intended use,” says Bill Leigher, director of Raytheon’s government solutions business and a retired U.S. Navy rear admiral. Cyber and other nonkinetic capabilities “are an emerging class of weapons that will eventually mature and make their way into the arsenals of commanders.”

These noncombat attacks are used to “deny, deter, disrupt, or delay electronic communications of infrastructure, public confidence, or military technologies used to support combat operations,” explains Bryan Singer, director of Industrial Cybersecurity Services for security firm IOActive. “The intent of these cyber operations is to enhance the ‘fog of war’ against enemy nation states to impede their ability to support command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) in military operations.”

“Wild West” in terms of lack of rules and laws

So far, no treaty provisions deal specifically with cyberwarfare. “NATO produced the Tallinn Manual in an attempt to provide direction and guidance, but it’s a nonbinding study,” points out Neil Haskins, general manager, Middle East, for IOActive.

Once you begin developing capabilities that fit the description of a cyberweapon, “it must meet guidelines that we as a nation agree are appropriate – the weapon needs to be legal and not indiscriminately kill or cause civilian populations undue harm,” Leigher says. “It must be possible to responsibly control it, and a commander who uses it needs to have an understanding of the limits of its power and what really happens once they use it in a combat situation. This starts to define the nature of cyberweapons, and I think it needs to meet the same standards the International Law of War demands. But we’re not really there in a mature way from a cyber perspective.”

Cyberwarfare is evolving in a variety of intriguing ways. It used to be “nation-states squaring off against other nation-states with their own hacking teams,” says Dennis Moreau, senior engineering architect, networking and security, for VMware. “That’s not what we’re seeing now. Cyberwarfare is being conducted in more of a guerrilla warfare domain where attackers use proxies to maintain a level of plausible and diplomatic deniability. But the victim is clearly a national interest, and we’re seeing these attacks across the very broad spectrum of their interests. Attackers are using every bit of the technical sophistication developed by nation-states, including the U.S.”

Deniability extends “not just to the malactors but also to the targets. For example, the attack on the Democratic National Committee, which the U.S. maintains didn’t reach the level of being cyberwarfare,” Moreau points out. “Yet, right now NATO is wrestling with the question: Does a cyberattack against critical infrastructure trigger Article 5 in a joint defense sort of response? This is a conversation about the definition of cyberwarfare – in terms of what’s considered to be an ‘act’ and what it means for policy – being discussed at the highest levels. So far it’s in flux as to where the lines are.”

What’s crystal clear, Moreau says, is that it’s no longer the case that only nation-states use advanced persistent threats (APTs) and go only after direct national military assets. “Cyberwarfare includes critical infrastructure, decision making, and population influence. In a broad sense, nothing is off the table,” he adds.

Not quite so clear is what exactly the U.S. is capable of in terms of cyberwarfare, because “very few people on the planet have accurate, detailed information about the true adversarial digital capabilities of the U.S.,” says Brad Hegrat, practice director, Advisory Services, for IOActive.

Cyberwarfare targets

What’s being targeted with cyberwarfare? Ukraine seems to be providing a clear example of how things might play out, Moreau points out. “Since 2015, with the efforts of BlackEnergy and TeleBots, we’ve seen distributed denial of service (DDoS) attacks front and center there for denial of services of all sorts,” he says. “We expect to see information theft, especially logistical and deployment information directly related to the military. But also expect to see more strategic attacks, discovering and closing arms gaps, understanding defense posture, and strategic planning sorts of attacks.”

Even more so, expect “disinformation attacks to influence decision making by corrupting the intelligence or creating ‘intelligence fog.’ In Ukraine, we’re seeing a complex broad-sweeping stroke that is the difference between the classical view of cyberwarfare and what we’re seeing today,” Moreau continues. “I think we’ll see that full spectrum form of warfare – well beyond just turning off lights or interfering with the natural gas.”

Not surprisingly, targets are continuing to expand. “In a lot of ways, what we’re seeing right now is proof-of-concept tests,” Moreau says. “It’s not so much large superpowers throwing cyberweapons at each other so much as smaller and emerging or independent states that don’t necessarily have the power to respond to attacks. We’re seeing a ‘toe dipping in the water’ in some broad sense.”

In Ukraine, attackers have gone after the media infrastructure, power grid, financial institutions, and quite possibly many other things. “A clearer picture will begin to emerge as more of the forensic aftermaths become visible,” Moreau says. “If you look at the information warfare associated with the cultivation of extremism, it’s being used as a proxy for a level of international policy expression or ‘rage.’ There’s no clear boundary – the targeted infrastructure and capabilities are becoming more diverse. We’ve seen everything from intellectual property theft to the attempt to close the arms gap by stealing R&D [research and development] and operational and testing information. But we’ve also seen direct attempts to disrupt operational activities to interfere with signals intelligence, control systems, satellites, and all of the communications infrastructure.”

The availability of “very high-end exploits and techniques” that don’t require their users to be rocket scientists is enabling record-setting attacks such as “a 600-Gbit DDoS carried out by leveraging compromised webcams,” Moreau notes. “Sophisticated malware becomes a tool that can be used without much capital investment or infrastructure, which effectively levels the playing field in terms of who can inflict devastating levels of disruption.”

Cyberwarfare tends to be a “passive-aggressive style of conflict,” according to Hegrat. “It’s equally suited to the removal of the enemy’s desire and ability for conflict. The aggressor in any scenario may have many goals and, like many nuanced campaigns, multiple fronts. On the ‘desire’ front, the focus would likely be on digital targets with the greatest physical and psychological impact. Attacks that disrupt people’s lives could range from catastrophic – power, water and wastewater, communications, and banking – to inconvenient.”

From a military standpoint, there is “little to no impact for operations across this spectrum,” Hegrat says. “This speaks to the ‘ability’ front. To deny an enemy the ability to wage conflict, targeting must focus on that enemy’s digital backbone. For example, the U.S. intelligence community refers to its own backbone as C4ISR capabilities. In targeting adversaries, removing the ability to engage in conflict doesn’t always need to be kinetic; the use of the cyber battlespace to deny adversarial use of its own C4ISR capabilities is the ideal use of this front.”

Cyberwarfare attacks

The types of cyberwarfare attacks launched depend largely upon targets and objectives.

Haskins categorizes them as advanced disruptive attack vectors. “If the aim is sabotage, for example, it could be something like targeting the opposition’s ability to generate power through a malware-based attack or disrupting normal function of a vital government or financial website with a DDoS attack. Alternatively, if the objective is espionage, the acquisition and exfiltration of an opposition’s tactical or strategic information – such as troop movements – could be the result of sustained phishing, social engineering, or malware-enabled attacks.”

The “sky is the limit” for attacks, adds Singer, although he doesn’t dismiss sky-based threats, which are all too real. “Low-intensity conflict or noncombat operations will likely see attacks ranging from low-order denial-of-service (DoS) and psychological operations (PSYOPS) to harassing infrastructure, such as events that have occurred in Ukraine. Combat operations could see similar attacks as well, ranging up to electromagnetic pulse (EMP) threats from ballistic missiles to pre-positioned satellites in space,” he says.

What kinds of cyberwarfare might we see?

Some attacks will be blatantly obvious, but many are often stealthy and never acknowledged.

In a war scenario, if you wanted to go after the U.S. banking structure, “you could figure out where a bank’s primary data centers are, for example, and lurk off the coast of the U.S. and launch a cruise missile to target and destroy them,” Leigher notes. “Or you could do the same thing with cybertargets much more subtly by learning how to get access to their network and taking control of the facility by either subverting its software or causing things to happen within the computing system that will flat-out break the computers. When you’re at war with a nation, we need to acknowledge that these two actions are fundamentally equivalent.”

The types of things Leigher worries about in this scenario include being able to do “the targeting that allows me access to a processor in an adversary’s aviation squadron maintenance shop so that when the next aircraft is connected to its maintenance console malware gets uploaded,” he says. “The next time or 15th time it flies, the pilot will get a warning that causes them to question the material condition of their aircraft so they can’t fly it anymore. Or malware that targets the engineering plant on a ship, because if a ship can’t make electricity its combat systems won’t work. The ship may go through the water, but it won’t be an effective warfighting platform.”

Speaking of targeting warships, when we recently saw a container ship smash into the U.S.S. Fitzgerald, an Arleigh Burke-class destroyer within the U.S. Navy, it prompted the question: Is it possible to hack and hijack a container ship? While no one is publicly suggesting that’s what occurred, it is indeed possible. (Figure 1.)

Figure 1: The Arleigh Burke-class guided-missile destroyer USS Fitzgerald (DDG 62) returns to Fleet Activities (FLEACT) Yokosuka following a collision with a merchant vessel while operating southwest of Yokosuka, Japan. U.S. Navy photo by Mass Communication Specialist 1st Class Peter Burghart.

“There’s a wealth of satcom and GPS research that suggests shipborne telemetry and control assets are vulnerable to remote compromise and hijacking, so these types of attacks are absolutely possible,” Hegrat says. “But in a wartime scenario, a container ship is unlikely to be able to get within a few thousand feet of a combat vessel before it would be attacked, disabled, and likely sunk based on wartime rules of engagement.”

Moreau concurs that this sort of attack is entirely possible. “The underlying systems – navigation, tactical steering, broadscale GPS – can all be interfered with and we’ve seen attempts to interfere with them,” he elaborates. “Our most recent revision of the GPS system is intended to cultivate more resilience in our geopositioning and navigation capabilities, as well as to be more resistant to attacks on satellite infrastructure and those sorts of things. As we move to more autonomous and assisted technologies, we need to worry about interference with the underlying information systems. The right response is to make them more resilient by design – assuming that something can go wrong or be compromised and have the design and forethought in place to be able to confirm independently that things are doing what we intend them to do, as compared to what they’re demonstrating as automated behavior.”

Protecting U.S. infrastructure and military assets

One glaring difference between protecting U.S. infrastructure and military assets is control and responsibility. “The U.S. government handles both for the military, which means that maintenance, response, and protection are all under the purview of a single well-funded entity,” points out Hegrat. “But the vast majority of U.S. critical infrastructure is owned by individual corporations with differing goals, business drivers, operational responsibilities, budgets, constituents, and customers, which are only influenced by the market and regulation.”

Perhaps the biggest chink in our armor is that the U.S. has assets that have been around a very long time, with embedded technology that has a long life cycle, some based on outdated and unsupported technologies, Moreau says. “These were designed before the current threat profiles were known, so they don’t necessarily have the right kinds of hardening or protection and can get compromised when adversaries go after critical infrastructure. So the biggest concern is the legacy footprint of older technologies and their embedded vulnerabilities.”

There are current legislative initiatives aimed at making headway within this realm, including the work under the Modernizing Government Technology Act of 2017, which is largely focused on the basics of leveraging hosting and eliminating unsupportable platforms.

System resilience

One way to protect U.S. infrastructure and military assets is by focusing on system resilience. Much of the cybersecurity discussion today centers on protecting networks, smarter passwords, better firewalls, and technical things, as Leigher points out, but we’re not discussing the systems that are connected to our networks enough.

“Any cybersecurity person will tell you that the only 100 percent impervious system is one that isn’t turned on,” Leigher says. “Even with our best cybersecurity, penetrations can occur.”

Attackers will “find ways to access the industrial-control systems and software that run our power plants, financial systems, and our lines of communications to aircraft, ships, and roads,” Leigher continues. “Everything is connected, so how do we think about protecting these systems in an IoT environment? What are critical infrastructure capabilities, and what’s the relationship between the network and the basic things connected to the network? How can they be made more resilient? It’s all about the resiliency of the system and the ability to withstand an attack.”

Software isn’t perfect and it isn’t likely to ever be perfect, so “the focus should be on system resiliency, which is the idea that we can design systems capable of tolerating attacks and continuing to operate with integrity,” Moreau says. “For example, this might leverage the ability to detect when something’s acting anomalously and, in response, reprovision or correct it from trustworthy sources. Cloud-platform operators do this to maintain services when they see an important service start using memory or resources differently … they simply reprovision it. It’s a compelling form of resilience.”

The idea of system resilience needs to become a first-class part of software design, right up there with performance, efficiency, and cost-effectiveness, Moreau says. “It doesn’t happen by accident,” he adds. “It happens by intention and focused action, so we need to cultivate a development culture that embraces resilience. The good news is that emerging technologies are creating the opportunity to do just that. Software-defined infrastructure, application/service blueprints, containers, and API [application program interface] brokering, virtualized security technologies, distributed scalable analytics, and granular instrumentation all are enablers of simpler, more effective security that’s ‘designed in’ rather than ‘bolted on’ after the fact.”
