21 February 2019

Cyber blitzkrieg replaces cyber Pearl Harbor

By Stilgherrian 

Since 2006, the US Department of Homeland Security (DHS) and allied nations have run exercises based on the concept of a Cyber Storm. They've focused on "policies, processes, and procedures for identifying and responding to a multi-sector cyber attack targeting critical infrastructure".

But we're now in the post-NotPetya era. Nation-states are actively mapping out each other's critical infrastructure. Last month, it was even reported that both China and Russia have already staged assets to launch cyber attacks that could at least temporarily disrupt US critical infrastructure.

Austin says that cyber storm thinking is now being replaced by a concept he calls "cyber blitzkrieg". It's effectively a more nuanced version of the somewhat tired "cyber Pearl Harbor" concept.


"We're really talking the plans by states to attack each other with multi-wave, multi-vector destructive cyber attacks across the entire civil and military infrastructure of the enemy," Austin told ZDNet.

"Nuclear war is unlikely. So is the multi-vector, multi-wave destructive cyber attacks against a country's infrastructure. What's different about this new cyber storm threat, or cyber blitzkrieg, is that states are exploring the use of related tactics very vigorously in a way in which they're not exploring similar tactics for nuclear warfare," he said.

Australia will be spending an estimated AU$60 billion on new submarines. Austin says we similarly need to decide on an appropriate spend to counter "the new intent of states on the cyber front".

"Even in the civil sector, and even in the criminal domain, threats are getting so serious, and we're realising how vulnerable we are to things like [disrupting] electricity infrastructure, that there is a very strong case for upping the ante at that lower end of extreme cyber emergency," he said.

"On the record, we have evidence from very early on of Chinese probes in electricity networks around places like San Antonio Air Force Base in the United States, where the US Air Force Cyber Command is based, for example. So there's zero doubt that the major powers have focused on that."

CYBER ATTACKS ON ENERGY GRIDS ARE 20 YEARS OLD

"There is a report from 1999 that the United States launched a cyber attack against the electricity grid of Belgrade, and I have that from the highest, a highest-level source in United States, at the highest military level possible, that that actually happened. It's a bit disputed in the literature," Austin told ZDNet.

"We're in an environment where the first use of cyber attack in war against electricity grids was in 1999, now 20 years on."

Yet Austin has identified 19 "Cyber Civil Defence Mini-Gaps" in major nations' preparedness to face those attacks, which he's outlined in a discussion paper, Civil Defence Gaps Under Cyber Blitzkrieg, released on Monday.

He has also suggested actions to fill the gaps.

Imagination gap: Have a (detailed) futuristic vision of cyber storm
Planning and documentation gap: Formalise comprehensive policy and publish a doctrine
Mobilisation gap: Crisis preparedness with public participation
Civil military gap: Set up a Cyber Civil Corps, led by a military officer
Private/public planning gap: Set up a multi-stakeholder National Resilience Task Force
Decision-making technologies gap: Elevate resilience spend by 500-1,000 percent
Techno-social gap: Institute cyber ecosystem planning
Interdependencies knowledge gap: Set up a dedicated national research centre
Information sharing gap: Frame protocols for sensitive information sharing
Communications protocol gap: Establish dedicated nationwide channels and formats
Situational awareness gap: Build a "high-performance" complex system
Trust gap: Build the highest-quality cyber civil defence system
Legal gap: Pass new and dedicated cyber civil defence law
Open-source/secrecy gap: Declassify what the "enemies" already know
Education gap: Set up a joint public/private National Cyber War College
Research gap: Fund at least one cyber civil defence research centre
Training gap: Formalise cyber civil defence training countrywide
Exercise gap: Plan annual nationwide exercises for senior executives
Evaluation gap: Commission formal three-year evaluations

"This is a huge policy agenda. In most countries, it has been subordinated to the urgency of setting in place or updating basic cybersecurity strategies, a challenge that has been exacerbated by constantly escalating threats and low-budget allocations in most sectors," Austin wrote.

"Those national jurisdictions that have moved on cyber civil defence have put in place some foundation stones, but these may wait a decade or more to see an edifice of mature cyber civil defence take form. This is especially the case in federal systems of governments where law enforcement and emergency response rests with sub-national governments."

CHINA AND RUSSIA THREATS AREN'T OVERBLOWN

"There's no doubt that the Chinese feel so vulnerable in cyberspace that they feel they've got to understand everything about the enemy and be able to strike first. They also feel vulnerable in relative military power. So in a Taiwan contingency, most people believe that the United States and its allies would, in a normal sort of military conflict with China, [at least a] short one, the United States would prevail. And RAND Corporation thinks that," Austin told ZDNet.

"If there was a military confrontation looming between China and the United States, we would see in the early part of that escalation increased activity against US and allied electricity infrastructure. Now whether that's to take it out, or just to position to take it out, or begin to disrupt it, who knows. But this is definitely on the military agenda of China, the United States, and Russia."

One of the "most amazing statements" Austin has heard in recent years was the UK government's announcement that it would be prepared to black-out Moscow in the event of certain contingencies.

"Absolutely mind-blowing. And it's that sort of thing which accounts for the Putin statement on isolating Russia from the internet, more than the domestic political control."

No comments: