29 July 2021

Opinion | The Cyber Apocalypse Never Came. Here’s What We Got Instead.

JACQUELYN SCHNEIDER

Even for those of us who watch cyber warfare closely, the seeming barrage of cyber-related headlines in 2021 has felt remarkable. This spring, the Biden administration sanctioned Russia for last year’s breach of network software firm SolarWinds, which allowed Russian hackers to access major U.S. government agencies and over 18,000 companies. A few months later, Russian cyber attacks were back in the news, with purported Russian criminals extorting oil distributor Colonial Pipeline and meatpacking firm JBS for millions of dollars in ransomware payouts. Ransomware attacks have become so widespread that exhausted cybersecurity firms are turning away desperate customers.

Meanwhile, last week, the United States, NATO and the EU pointed the finger at China for a massive breach of a Microsoft Exchange server, propagated by cyber mercenaries hired by the Chinese Ministry of State Security. The countries’ joint statement is all the more remarkable given both NATO and the EU’s unwillingness to brand China an “adversary.” And on the same day, researchers revealed a multi-state effort to hack and monitor presidents, monarchs, journalists and more, using spyware created not by the Russian government, China’s security apparatus or the National Security Agency—but by a private Israeli company called the NSO Group.

So what is going on in cyberspace, and did anyone see this coming? In 2011, hot off a social media-propelled democracy movement dubbed the Arab Spring, a cyber document released by the Obama administration waxed almost poetic about the promise of digital openness for the international order. But only a year later, then-Secretary of Defense Leon Panetta warned of “cyber Pearl Harbor,” followed in 2015 by Director of National Intelligence James Clapper’s “cyber Armageddon” warning.

What we got was neither the unbridled promise of digital cooperation nor a fiery cyber apocalypse. Instead, today’s cyber reality seems simultaneously less scary and more of a hot mess—a series of more frequent, less consequential attacks that add up not to a massive Hollywood disaster but rather to a vaguer sense of vulnerability. This can make it hard to understand what’s going on and how bad it really is. Are all these high-visibility cyber events more of the same, or are we living through a new era of cyber warfare?

In some ways, the events of the past few months aren’t that surprising given the trajectory of cyber activity over the last decade. They’re the evolution of a steady, somewhat inevitable shift toward using digital tools as a means of international statecraft and political contestation. However, what we are seeing is also subtly different from the way experts had previously thought cyber would affect the international landscape. Over the last decade, authoritarian governments have embraced digital tools and leaned on shadowy gangs of cyber criminals to do some of their dirty work, while the pandemic has made the world reliant on the internet and created a rich world of targets for those seeking money and leverage. As a result, cyberspace may be less apocalyptic than predicted, and more like a termite infestation, eating at the very foundations of our increasingly digital societies. The good news, though, is that the long-sought international consensus on appropriate uses of cyber means within foreign policy may be finally coming together—which means there’s hope that today’s cyber disorder may eventually abate.

It’s true that Russian cyber espionage, cyber criminals, Chinese intellectual property theft and private actors in cyberspace have been with us for years. Hackers affiliated with the Russian government have long used Ukraine as a testbed for hacks on critical infrastructure and governance and military capabilities, all while the Kremlin looked aside at burgeoning cyber criminal activity. Over the past few years, Xi Jinping’s China has also built up its cyber capabilities, embarking on large-scale espionage hacks (like the 2015 Office of Personnel Management data exfiltration) and courting widespread economic sanctions for its illicit efforts to steal intellectual property via cyberspace.

At the same time that Russia and China became more capable and more audacious in their cyber campaigns, non-state actors—who have always played an outsize role in cyberspace—were changing the balance of power in the cyber spyware competition. Companies like the Emirati-based DarkMatter recruited talent from across the globe (including former NSA employees) to develop cutting-edge software that can track targeted users’ phones, monitor their communications and even geolocate them. These commercially created spyware applications were then provided to governments—many authoritarian—to track dissidents, journalists and international leaders. Most notably, claims have been made that the assassination of Jamal Khashoggi was linked to spyware that the Israel-based NSO Group provided to Saudi security officials, who purportedly used it to monitor Khashoggi’s movements and influence the investigation after the murder (both the Saudi government and NSO deny their involvement).

So, to an extent, Russian-linked ransomware attacks, the collective callout of China for the Microsoft hack and the revelations about the NSO Group are more of the same. But there’s also something new going on.

First, the geopolitical context in which cyber battles are fought has changed fundamentally. The early Obama administration was relatively restrained in cyberspace, relying on deterrence, limited sanctions and efforts to establish cyber norms through the United Nations. This approach changed under Trump, whose foreign policy adopted a zero-sum view of the world, characterized by great power competition, trade wars and transactional relationships with allies. Accordingly, the Trump administration’s cyber efforts put more focus on “defending forward”—a more aggressive strategy that emphasizes preemptively entering adversaries’ networks before they launch cyber attacks—while sidelining efforts to create international consensus on cyber warfare. Meanwhile, the simultaneous rise of personalist regimes across the world ushered in a golden age for digital authoritarianism, with dictators embracing artificial intelligence, disinformation, deep fakes and “hack and reveal” campaigns to cement their power both domestically and in the fracturing international order.

Add to this digital tinderbox a pandemic that not only drove countries apart (physically and ideologically), but also forced them to become more digitally dependent as they turned to automation, remote work and digital bubbles to protect from the physical threat of Covid-19. As court systems, physicians, classrooms and local governance all went virtual, societies struggling with the pandemic became rich targets for cyber criminals. Ransomware attacks increased exponentially, both in scope and in economic cost.

Pandemic-induced vulnerabilities weren’t just lucrative cyber targets for criminals. They also created new access points for states looking to add more vulnerabilities to their cyber arsenals. Many of the critical infrastructure companies that went fully digital in response to the pandemic are also potential targets for states like North Korea or Iran that want to coerce the more militarily capable United States. The concern is that these states may use cyber vulnerabilities to attack power supplies, data centers or health and human services as the first salvo in a broader geopolitical crisis. This idea of using cyber attacks against critical infrastructure as “signals” to deter further escalation has been a major concern for onlookers worried that the uptick in cyber intrusions could not only create economic costs, but inadvertently escalate into violent conflict—thus creating exactly the situation these cyber attacks were meant to avoid.

A more competitive geopolitical landscape, the rise of digital authoritarians and Covid-induced vulnerability have helped create a final trend: the blurred line between state and non-state actions in cyberspace. Authoritarian governments have looked aside (sometimes purposefully) as groups of cyber criminals with loose or unclear ties to the state became cyber headliners. North Korea has always used cyber criminal campaigns to generate revenue for the regime. Russia has pursued strategic and willful ignorance about criminal cyber activity originating within its borders, and used cyber criminals as a patsy to avoid retribution for state-sanctioned hacking activities. Even China, which a few years ago made a concerted effort to clamp down on its cyber militia of patriotic hackers, seems to have rediscovered the value of state-sanctioned cyber side hustles. The White House’s recent statement on the Microsoft hack accuses China not just of ignoring cyber criminal activity, but actually contracting such criminals to pursue official foreign policy goals.

Governments are now using cyber criminals the way they use other non-state actors—like maritime militias or un-uniformed special operations forces—to achieve foreign policy objectives without engaging in outright conflict. This murky middle is what international relations scholars call the “grey zone.” Most directly, states can sanction cyber criminal activity to bring in revenue, use non-affiliated organizations to propagate disinformation, or lean on civilian companies and criminals to create technologies and exploits that states can then buy to use against adversaries. More indirectly, non-state actors can generate chaos, confusion and cost all while introducing enough uncertainty about who’s really responsible to dissuade states from retaliating. Scholars have frequently viewed these more shadowy cyber actions as less dangerous than traditional war, but they come with the risk of accidentally pushing too far and escalating into conflict.

So the post-pandemic cyber world has more vulnerabilities, more opportunities for economic and political exploitation, and more actors that blur the line between state and non-state involvement. The convergence of these bad-news trends certainly helps explain the battery of recent cyber headlines. However, there is some reason for optimism. The Biden administration’s announcement accusing China of the Microsoft hack noted that “an unprecedented group of allies and partners – including the European Union, the United Kingdom, and NATO – are joining the United States in exposing and criticizing the PRC’s malicious cyber activities.” This is a remarkable achievement given the difficulty of creating international consensus on what states should and should not do in cyberspace. Outside observers might be surprised to learn just how tough it is for states to agree on something even as basic as what a “cyber attack” is.

The joint callout of China comes a few months after a UN report signed by 25 countries (including China, Russia, and the US) emphasized the need to prevent cyber attacks on critical infrastructure. While this might seem like an obscure report, it was a diplomatic coup, reflecting a hard-fought, multi-year effort to create consensus among countries about how responsible states should behave in cyberspace. This agreement (and the recent US-NATO-EU statement against Chinese hacking) would not have been possible had pandemic-induced cyber vulnerabilities not galvanized international action. The succession of high-visibility cyber events in recent months, paired with a U.S. administration that is prioritizing cyber threats within its foreign policy, may have provided the impetus for the international community to slowly start agreeing on ways to punish problematic cyber activity.

Cyber attacks on hot dog plants or virtual elementary school classrooms may not look like the dystopian end times Panetta and Clapper warned about. But they insidiously eat away at the foundations of digital economies, societies and, ultimately, state power. Today, with these foundations crumbling, we may not need “cyber Pearl Harbor” analogies to understand the danger of cyber attacks. But can the U.S. and its now-energized allies build on this momentum to reverse the shifts wrought by authoritarian governments, the pandemic and the rise of non-state cyber criminals? Fingers crossed.
