26 July 2019

Cyber Warfare: U.S. Military Admits Immediate Danger Is 'Keeping Us Up At Night'

Zak Doffman

Cyber warfare has reached a new phase this year—at least in terms of public awareness of the nature of the threat. Nothing is especially new, in truth, at least not capability-wise. But there has been one major development: increased levels of integration between the physical and cyber domains—cyber warfare as an interchangeable battlefield tool, an attack in one domain and retaliation in another. And the catalyst has been the Middle East, the continuing escalation of tensions between the U.S. (and its allies) and Iran. And the small matter of China and Russia—the world's leading cyber and hybrid warfare protagonists—lurking menacingly on the sidelines.

"When people ask me what keeps you up at night," Lt. Gen. Robert Ashley, the director of the Defense Intelligence Agency, told a cyber conference in Aspen last week, "that is kind of the thing that keeps me up at night."


The cyber warfare playing out in the headlines is in itself multidimensional. You are seeing the mix of genuinely military offensive and defensive capabilities, with state-sponsored attacks on civilian targets. Iran clearly understands that retaliation against the U.S. military in the cyber domain might be akin to throwing rocks at a tank, but it can hit the vast and under-protected U.S. corporate sector at will. Make no mistake—everything is connected. Two weeks after U.S. Cyber Command hit Iran's command and control structure in the aftermath of the downing of a U.S. surveillance drone, came its warning that an Iranian-led hack was targeting the millions of unpatched Microsoft Outlook systems.

As I reported at the time, that U.S. cyber response was a game-changer, not the backtrack as was painted. A targeted missile strike makes for good television news, but it is not especially effective. Reaching into the enemy's most secure networks—seemingly at will—to frustrate operational capability carries terrifying implications, it is devastatingly effective.

You'll recall the Israeli military did this the other way round—retaliating against a cyber strike with a missile strike targeting the building Hamas cyber operatives had been working from. It was an effective response, and it also sent a message: we won't fight cyber offensives with clever software and internet stop-gaps—if we know where you are we will destroy you, devastatingly effective in a different way.

The U.S. is vulnerable to attacks on its networked technology infrastructure. And with the (literally) billions of new endpoints forecast to emerge under the push to IoT this will get much worse. "The internet of things creates a degree of vulnerability for all the things that are connected to it," General Ashley acknowledged in Aspen.

Iran is obviously not the Big Bad Wolf in this story, it is a tier-two player alongside North Korea. The real enemies are China and Russia—and those two countries are driving the fear that is being felt in the West. Again, it is multi-dimensional. In military cyber warfare, there is a mix of physical and technological—electronic systems are compromised by finding and exploiting physical vulnerabilities in the "real world," compromising individuals, accessing physical systems themselves. In the wider, non-military world, an enemy can strike without ever leaving their desks. And they do.

Mike Brown—the former CEO of Symantec who now leads defense innovation at the Pentagon, told the Aspen conference that "it's too easy for attackers—they only have to be right one time, so there's not enough cost. We have to figure out how are we are going to—as a government and as private companies—make that a lot more difficult and have it not pay." Brown explained that this is a mass-scale play. His point being that military cyber warfare is a dart aimed at a small section of a dartboard, but push your strike into the civilian sphere, and you have millions of darts and an (essentially) unlimited board to hit.

And this links into the broader sphere of hybrid warfare that is the real context behind what we are seeing now. Russia and China continue to develop a broad mix of cyber capabilities, they extend and consolidate their economic and military spheres of influence, they exploit the weaknesses inherent in open societies. Even the media plays its part. Again, make no mistake, the media doesn't just report events, the predictability of its response to those events is part of the "enemy's" planning process. China and (especially) Russia know full-well how the western media cycle works, the thirst for the drip-drip of ever new headlines, they factor this into what is done—how it will play, how they will keep it alive, the impact it will have. And that, in turn, links to the clear population interference that takes place through the abuse of social media platforms. Everything is connected.

Iran has now found itself the ultimate proxy in a much bigger game of chess being played out between the U.S., its allies, China and Russia. A game of chess that has been years in the making. "There are only four problems in cybersecurity," CrowdStrike's Dmitri Alperovitch said, again in Aspen, "They're called China, Russia, Iran, and North Korea." It's not a joke.

As reported for Forbes by fellow contributor Kate O'Flaherty, a Microsoft blog post aimed to coincide with Aspen reported that the company notified around 10,000 customers "targeted or compromised" by nation-state attacks last year. "The majority of nation-state activity in this period originated from actors in three countries," Microsoft reported, "Iran, North Korea and Russia." You can take it for granted that China is there as well, a lack of headline attribution is likely down to the sophistication and targets of the attacks.

When I said "nothing is especially new," that is misleading in one significant way. Cyber warfare has never been as openly reported as it is now. Offensive cyber capabilities are the most classified, restricted and nationalistic of military capabilities—with the exception of the handling of agents and senior sources in hostile territories. And it's linked, of course. Exposing network vulnerabilities requires on the ground activity, sources, compromises, and it can be months or years in the making. There is a realization in the U.S. that the integration of cyber and physical warfare changes the ability to maintain the absolute silence of the past. "For the longest time," the former NSA and CIA director Michael Hayden said in the "Zero Days" documentary, "I was in fear that I actually couldn’t say the phrase ‘computer network attack.'"

"This past September," reported the New Yorker, "the Department of Defense issued a strategic plan that not only confirmed the existence of cyber weapons but declared its commitment to using them 'to advance U.S. interests' and 'defend forward'. The cyberattack on Iran in June was a manifestation of this new, more aggressive approach."

And so to the Gulf. As the world watches and waits to see what happens next, the cybersphere in its more usual non-public guise is running at full speed. Networks are being probed, weaknesses and vulnerabilities are being tested and exploited, offensive actions are being planned. And when it makes strategic or tactical sense for us to know something, to be brought "inside" on the effective use of a cyber capability, the media will be primed and we will know. This is hybrid warfare in full effect.

One aspect that has yet to make significant headlines, although it will, is the emerging role of Iran as the first nation-state cyber proxy at scale. Teheran collaborates with Moscow and Beijing on its military and cyber capabilities. Iran will never be brought fully inside on the cyber capabilities in either Russia or China, but with the point application of technology and expertise, both Russia and China can poke and prod at the West with their hands superficially nowhere to be seen.

When Russia sends military capability into a battlefield like Syria, it is there for all to see—the media included. But when it provides electronic assistance, training, capability uplift, that is much harder. And the thought of one or both of China and Russia using Iran as a sharp pointy cyber stick to attack the West without direct attribution should terrify us all. If there's one thing Iran has proven over the years, it's the lack of a natural safety switch on the escalation of its actions. There is little doubt that China and Russia have the ability to create cyber havoc in the critical infrastructure and industrial sectors of the West. But they won't—because attribution would escalate out of control. Now, in the current cybersphere, they can act without running that risk.

No comments: