Max Fisher
The world woke up on Monday to revelations of a sort that have become disconcertingly routine.
Chinese hackers had breached governments and universities in a yearslong campaign to steal scientific research, according to a U.S. Justice Department indictment.
Separately, several governments, including the Biden administration, accused Beijing of hiring criminal hackers to infiltrate the world’s largest companies and governments for profit.
Only hours before, a consortium of news agencies reported that governments worldwide have used spyware sold by an Israeli company to monitor journalists, rights workers, opposition politicians and foreign heads of state.
The rush of allegations represent what cybersecurity and foreign policy experts say is a new normal of continuous, government-linked hacking that may now be a permanent feature of the global order.
Governments have become cannier at exploiting the connectivity of the digital era to advance their interests and weaken their enemies. So have freelance hackers who often sell their services to states, blurring the line between international cyberconflict and everyday crime.
Hacking has become a widely used tool of statecraft, oppression and raw economic gain. It is cheap, powerful, easy to outsource and difficult to trace. Anyone with a computer or smartphone is vulnerable.
And hacking bears a trait common to the most destabilizing weapons in history, from medieval siege devices to nuclear arms: It is far more effective for offensive than defensive use.
Still, after a decade in which military planners worried that cyberconflict might lead to the real thing, the emerging dangers of this new era are somewhat different than once imagined.
Rather than resembling a new kind of war, hacking is coming to play a role in the 21st century much like espionage did in the 20th, analysts and former officials believe. It is a never-ending cat-and-mouse game played by small states and great powers alike. Adversarial, even hostile, but tolerated within limits. Sometimes punished or prevented, but assumed to be constant.
But there is one important difference, experts say. The tools of espionage are mostly wielded by governments against other governments. The almost democratic nature of hacking — cheaper than setting up an intelligence agency — means that private individuals can get involved too, further muddying the digital waters. And, because it easily scales, almost no target is too small, leaving virtually anyone exposed.
Competition Within Bounds
President Obama speaking about Russian hacking during the election in December 2016.Credit...Al Drago/The New York Times
Since the first international cyberattacks in the 1990s, policymakers have worried that one government might go too far in targeting another’s systems, risking an escalation to war.
By 2010, Washington had institutionalized its view of cyberspace as a “war-fighting domain,” alongside land, sea, air and space, to be dominated by a new military outfit called Cyber Command. Hacking was seen as a new kind of warfare to be deterred and, if necessary, won.
But many attacks have been more spycraft than warfare.
China’s operators nabbed commercial and military patents. Russia’s broke into U.S. government emails and, later, released some to achieve a political impact. The Americans monitored foreign officials and slipped viruses into hostile governments’ systems.
Governments began treating foreign hackers more like foreign spies. They would disrupt a plot, indict or sanction the individuals directly responsible and chastise or punish the government behind it.
In 2015, after a series of such episodes, Washington reached an agreement with Beijing to limit hacking. Chinese attacks on American targets dropped immediately, some cybersecurity groups concluded. They spiked again in 2018 amid a rise in tensions under President Donald J. Trump, hinting at a new norm in which digital assaultsrise and fall with diplomatic relations.
Though governments largely abandoned military-style deterrence, they have come to punish especially severe attacks. North Korea suffered countrywide internet outages shortly after President Barack Obama said Washington would retaliate for North Korean hacking. He considered similar options against Russia for its attacks during the 2016 elections.
“Our goal continues to be to send a clear message to Russia or others not to do this to us, because we can do stuff to you,” he said shortly before leaving office. “Some of it, we will do publicly. Some of it we will do in a way that they know, but not everybody will.”
A New Gray Zone
A power plant in Moscow, Russia. American hackers infiltrated Russia’s power grid as retaliation for the country’s meddling in the U.S. election.Credit...Maxim Shemetov/Reuters
By the end of the decade, many military and intelligence planners had come around to a view articulated by Joshua Rovner, who was scholar-in-residence at the National Security Agency and U.S. Cyber Command until 2019.
In almost all cases, Mr. Rovner wrote in an essay for the site War on the Rocks, hacking had become not a kind of war but “an open-ended competition among rival states” that resembles, and is often an extension of, espionage.
That new understanding “puts the cyberspace competition in perspective,” he added, “but it requires a willingness to live with ambiguity.”
Espionage contests are never won. They carry gains and losses for all sides, and they operate in what military theorists call a “gray zone” that is neither war nor peace.
As governments have learned which operations will draw what sort of response, the world has gradually converged on unwritten rules for cyber-competition.
The scholars Michael P. Fischerkeller and Richard J. Harknett have described the result as “competitive interaction within those boundaries, rather than spiraling escalation to new levels of conflict.”
It is not that governments promise never to cross those bounds. Rather, they understand that doing so will bring certain punishments that may not be worth enduring.
The scholars called these norms “still in a formative phase,” waiting to be proven out by governments testing one another’s tolerance and the consequences of exceeding it. But they have gelled enough that the accepted contours are coming into view.
Mr. Obama’s reference to secret and public retaliations hinted at what has since become standard procedure. Routine hacks may provoke a secret retaliation — for instance taking down government systems responsible for the incident, to punish without risking escalation or a broader diplomatic breakdown.
But governments may answer major hacks with a public counterattack, signaling to the target and other governments that the incident went too far. The United States, for instance, let it be known that its hackers infiltrated Russia’s power grid, a calibrated escalation meant to convince Moscow that election meddling was not worth the trouble.
Russia’s 2016 conduct also led officials to pursue “deterrence by denial” — methods to make similar hacks less likely to succeed. The goal was to raise the cost of such attacks while reducing their benefit.
President Biden, in arraying world governments to condemn Chinese cybertheft this week, is attempting to impose a diplomatic cost to which Beijing may be more sensitive than Moscow. It is a tactic that appeared to work under Mr. Obama. But, with relations souring, Beijing may feel it has less to lose.
A Decentralized Danger
Students during a cyber security class at a school in New York City. Experts say that influence peddling and snooping are going to be the new normal in the coming era of cyber conflict.Credit...Chang W. Lee/The New York Times
There is little that can truly prevent governments from choosing to accept the risks that come with initiating a cyberattack. And, because offensive cybertechnology has so consistently outpaced defensive measures, some of those hacks will inevitably succeed.
That dynamic is only accelerating, analysts and officials say, as governments shift more of their hacking to private firms and outright criminals. Moscow was an early innovator, hiring freelance hackers abroad, including a 20-year-old Canadian, to infiltrate American government accounts.
The hacker-for-hire shadow industry has exploded in recent years. Security researchers have identified highly skilled groups targeting governments, legal and financial firms, real estate developers, Middle Eastern energy companies and the World Health Organization.
Most are thought to be hired through dark web platforms that offer anonymity for both parties. Though their labors seem to benefit certain governments or corporations, identifying their employer is often impossible, reducing the risk of retaliation.
Globalization and advances in consumer technology have opened a near-bottomless pool of hackers-for-hire. Many are thought to be young people in economically troubled countries, where legitimate work is scarce, especially during the pandemic. Off-the-shelf hacking software and expanding broadband allows almost anyone to put out a shingle.
Some operate openly. An Indian firm offered to help clients snoop on business rivals and partners. The Pegasus software at the center of this week’s allegations of worldwide hacks on journalists and dissidents is sold by NSO Group, an Israeli company.
The shifting landscape hints at the gap between what policymakers expected of the cyberconflict era and what it actually became. Major attacks like Washington’s against Iran or Russia’s during the 2016 elections happen less frequently than feared.
Rather, the new normal is small but constant hacks. Chinese-sponsored criminals raiding dozens of companies over years. Paranoid officials snooping on a local journalist, rival politician — or even nutrition advocates pushing for a soda tax. And all increasingly conducted through third parties or private software that may be less sophisticated but is easier to spread and easier to deny.
No one such hack is likely to upend the international order. But, cumulatively, they suggest a coming era of omnipresent digital theft, influence peddling and snooping. And it may now be a time in which, as many of the reported Pegasus victims learned this week, almost no one is too pedestrian to be targeted.
No comments:
Post a Comment