13-2-20
Dear Partners in thought,
As you know, Desperate Measures is a blog about the defense of Western liberal values in an unstable world, one that macro-events like the Trump ascent or now Brexit have made markedly worse from the standpoint of the Western bloc, be it NATO, the transatlantic relationship or the EU. A second, linked facet of the blog is the discussion of the conflicts in our world and their theaters, the newest of which is doubtless cyber warfare.
I wanted to give you yet another glimpse at cyber warfare, this time through “The Fifth Domain”, the latest book of Richard A. Clarke and Robert K. Knake. The fifth domain is cyber, after land, sea, air and space, the traditional “theaters of war”. Richard (Dick) A. Clarke, a 30-year U.S. government veteran, was a lead counterterrorism adviser and indeed the first cyber security adviser to Bill Clinton and George W. Bush, and is now widely considered the foremost American expert on cyber warfare strategy. The younger Robert (Bob) K. Knake, now a Senior Fellow at the Council on Foreign Relations in New York, was Director for Cybersecurity Policy at the National Security Council under Barack Obama. Those who like to spend their time in the trenches of defense strategy will recall that they both published “Cyber War” in 2010, a preview many did not believe at the time of a world subjected to cyber-attacks from both nation-states and criminal gangs, threatening countries’ infrastructures like power grids, the business and financial sectors, not to mention our ways of life.
The book, covering the recent years of cyber warfare and its potential future, aims to make us understand the cyber threat and its impact on our societies, and to define ways that would make us stronger and one day immune from it. While going through many current facets of cyber warfare, Dick and Bob cover international cooperation, the protection of the integrity of elections and the impact of AI and quantum computing, and make a number of proposals to improve cyber defense. Their approach and vantage point are very American and thus involve many things Europeans may not directly relate to, though many topics transcend borders, such as the role of government in protecting business and by which precise means, which triggers sub-issues like privacy. (This holds at least in the democratic West, as cyber regulation is indeed simpler in China or Russia, which creates yet another sub-topic: whether there will be one global internet or several in the future.)
Rather than going through the whole book, I would like to list in bullet points the key thoughts and facts put forward by Dick and Bob about cyber warfare and its battlefield today.
- Cyber warfare has so far been about the superiority of offense over defense, the latter having always been in catch-up mode. Cyber is about “offense preference”, even if defense is closing the gap by taking advantage of new technologies and a renewed focus on the part of governments and businesses.
- Leading businesses and governments are attacked several hundred thousand times every day. Nearly all of these attacks now fail, but it takes only one win for the offense to prevail.
- According to Dick and Bob, cybersecurity should be a shared responsibility between government and the private sector, with the onus for protecting computer systems falling on the owners and operators of those systems. This view is not shared by everyone in government, notably some in the military and intelligence communities who see the fifth domain as a field where they should lead the charge, all the more so given the threats posed by the direct and indirect hacks of nation-states.
- “Cyber resilience” should be the main focus: building systems so that most attacks cause no harm, and so that the attacks that do succeed can be responded to and recovered from with minimal or no disruption. Cyber resilience would shift the traditional, and often erroneously perceived, advantage from the attacker to the defender.
- One of the objectives of the “defenders”, largely Western nation-states (even if they at times go preemptively or retaliatorily on the offensive), is now, through resilience, to make attacks more difficult and costlier to execute, whether for criminal outfits, at times acting as proxies for nation-states, or for nation-states themselves when attacks emanate from one of their military or intelligence units.
- Identification of offenders can be complex and time-consuming, as experienced hackers, whoever they may be, often use mundane means to carry out their attacks. One of these is using a stolen credit card number bought for 50 cents on the dark web to set up an Amazon Web Services account from which the attack is carried out.
- Offenders can be nation-states and/or criminal gangs (sometimes combined), and attribution is always challenging even when the culprits are well known. Among nation-states, Russia, China, North Korea and Iran are to varying degrees the worst offenders. Russia, the most dangerous and volatile, is usually strategically and politically motivated, while China has traditionally focused on IP theft, which it has always considered a key element of its ambition to build world leadership. Offenders officially deny all cyberattacks or, if required, shift the blame onto non-governmental entities, “patriotic” ones they claim not to control.
- For some nation-states like Russia, cyber warfare is one element of hybrid warfare, deployed alongside diplomacy, intelligence and other means short of actual war, and as part of war itself even when not obvious at the time, precisely as in the seizure of Crimea and the activities of so-called local militias or “little green men” in eastern Ukraine. Hybrid warfare is about “disruption”, which is exactly what cyber offense, a relatively cheap tactical tool, is focused on.
- Western powers, including the U.S., now also resort to preemptive strikes or offensive defense, the most well-known case being Stuxnet, when the U.S. and Israel struck the Iranian uranium enrichment facility at Natanz to stop enrichment. This attack was both a success (it achieved its goals) and a fiasco: the attackers were discovered and identified, the worm spread well beyond Iran, worldwide, and its techniques ended up being picked up for re-use by a number of hacking groups, some also aiming at American businesses.
- The three attacks with the widest impact in recent years were Petya (2016), WannaCry (May 2017) and NotPetya (June 2017). Petya was a criminal ransomware strain; WannaCry was North Korean military-sponsored; and NotPetya was launched by Russian military intelligence, with global collateral damage it had apparently not intended.
- WannaCry, “officially” a ransomware attack, struck in May 2017 and became well known for one of its victims being the British NHS and its network of hospitals, many of which came to a standstill, unable to proceed with planned, at times time-critical, surgeries. Seven months later WannaCry was formally attributed to the North Korean Lazarus Group, an outfit that is part of the North Korean government and the same one behind the strong cyber attack suffered by an American studio in retaliation for a movie that had mocked the country’s leader.
- WannaCry was a prelude to NotPetya (so named because it masqueraded as the 2016 Petya ransomware, a criminal strain that overwrote the boot record of Windows machines and took its name from a satellite weapon in the James Bond movie GoldenEye), which was launched by the Russian GRU with Ukraine in its sights but went well beyond Ukraine by infecting computer systems operating globally. While 10% of all Ukrainian computers went down, many global companies suddenly ground to a halt. Maersk, Merck, Mondelez (of Oreo cookie fame) and TNT Express were severely affected, even though they had not been intended GRU targets. (Interestingly, Zurich Insurance refused to pay out on Mondelez’s cyber insurance coverage, viewing the attack as an act of war excluded from the policy; the matter is currently before the courts.)
- For those who want to know how NotPetya took place: the GRU hacked into Linkos Group, the small Ukrainian software company whose M.E.Doc accounting and tax software was used by most companies and government ministries in Ukraine, and which pushed periodic updates to it. The updates came through Linkos’s own update channel, digitally signed and thus trusted by its clients’ networks. The GRU planted an attack package in one of these updates that combined an exploit for a known Microsoft Windows networking vulnerability (the same EternalBlue flaw WannaCry had used, for which Microsoft had issued a patch months earlier) with a Mimikatz-style credential-stealing tool and spreading logic that jumped to any reachable machine on the network, encrypting their file tables and overwriting their boot records so they could not start, under the guise of ransomware. In doing so, the GRU apparently did not realize that global companies operating in Ukraine, and their worldwide networks, would be hit as the worm spread over virtual private networks and corporate fiber connections back to headquarters in England, Denmark, the U.S. and elsewhere. The practitioner’s lesson is uncomfortable: a trusted update channel lives inside the perimeter, so no firewall would have stopped it; what limited the blast radius in a given company was its patch level, the hygiene of its administrator credentials and the segmentation of its networks.
- To be sure, Russia, China, Iran and North Korea are not the only offenders, even if they tend to use cyber very liberally as a policy tool and often start cyber conflicts, unlike the U.S. and Western powers. During the 2018 mid-terms, U.S. Cyber Command ran preemptive operations against Russian targets, doubtless a reminder of what had happened with the astute Russian social-network operations during the 2016 presidential election. (It is to be noted that the Trump campaign and then administration, which benefitted, unwittingly one will say, from these Russian operations, kept to the 20-year U.S. cyber warfare strategy begun under President Clinton, though it now allows cyber strikes to take place without the presidential authorization that President Obama had required precisely to avoid dangerous and slippery slopes.)
- Estimates put worldwide spending on cybersecurity (in the West) at USD 114bn in 2018, while venture capital investment in cybersecurity start-ups reached USD 5bn and cyber insurance, long a fringe market, reached USD 2bn in gross written premium that year. Cyberattacks have created a new, substantial market that gave another life and segment to the tech sector, among big and smaller operators alike.
- Leading banks, which have actually become tech companies that happen to lend money, today spend USD 500m per budget year on cyber defense tools, so our bank accounts and data are protected, and many of them feel that within five years they should be immune from cyber threats. Their in-house cybersecurity teams number hundreds of staff. Each of these banks uses daily upwards of five or six dozen different, layered software tools from as many cybersecurity vendors to detect and prevent attacks. Banks are the most impregnable targets for hackers; most low-level criminal hackers have left that field, which is still pursued by nation-states, as Iran showed in the U.S. in 2012 as payback for Stuxnet. JP Morgan Chase, the leading U.S. bank, spends USD 10bn a year on tech and employs 50,000 technologists (Facebook and Google, in comparison, have staffs of 35,000 and 61,000), and spends 6% of that, or USD 600m, on IT security.
- Contrary to popular opinion, “defense”, when properly funded and equipped, is winning against offense, even though the cost of the latter is a tiny fraction of that of the former. While offense is often the prevailing tactic to preempt or retaliate against cyberattacks (notoriously advocated by then National Security Adviser John Bolton in 2018), many U.S. cyber experts, including in government, take the view that “those who live in glass houses should not throw stones”.
- Defenders can unmask attackers and identify them, but nothing is done about it, as the latter operate from jurisdictions like Russia or Iran that will not cooperate with the U.S. and Western European countries. Two well-known Iranian hackers (pure criminals in this case) are now living happily in the suburbs of Tehran, having earned several million dollars from a series of sophisticated ransomware attacks against businesses in 2018. However, one should add that they have to spend their ill-gotten gains in Iran…
- The risk of contagion through supply chains comprising thousands of SMEs is one of the main weak points for large industrial groups. It requires attention and is tricky due to the vast fragmentation of the segment and the cost of defense for SMEs. Cloud service providers that have dedicated thousands of people and billions of dollars to protecting data enable SMEs to operate more safely online.
- NotPetya, which struck in June 2017, was launched by the GRU, Russian military intelligence, through the cyber unit tracked as Sandworm (Fancy Bear, a.k.a. APT28, is a sister GRU unit). According to the UK, the same Sandworm unit attacked the Ukrainian power grid in 2015 and 2016. Operating under the “CyberCaliphate” banner, the GRU shut down TV5Monde, the French television network. It interfered in the investigations of the assassination attempt against a former Russian intelligence officer in Salisbury, England, of the Russian doping of Olympic athletes and of the downing of Malaysia Airlines Flight 17. And as we know all too well, it penetrated the Democratic National Committee during the U.S. presidential election in 2016.
- As Dmitri Alperovitch, founder and Chief Technology Officer (CTO) of the famed cybersecurity firm CrowdStrike, said when still at McAfee: “There are two kinds of companies: those that have been hacked and know it, and those that have been hacked and don’t.” (As an aside, and as a tribute to their strong education system throughout regimes and ages, there are many Russians involved on both sides of the cyber warfare equation!) Cyber warfare has led to the emergence of many firms and a new segment, with the likes of CrowdStrike, Dragos, Cylance and FireEye, not to mention Kaspersky (even if its Russian origins have cast a few shadows in some U.S. quarters recently) or Microsoft’s Advanced Threat Protection.
- There are some 200 so-called Advanced Persistent Threat (APT) groups going after governments and leading businesses, 77 of them Chinese and focused on intellectual property theft.
- Most sophisticated attacks today still rely on spear phishing, hoping that some individual (only one is needed) will click on the link or attachment of an email offering him or her a free vacation or an amazing date that was long overdue. No amount of training, even if consistently pursued, will eliminate what the “sector” calls “Poor Dave”, after a well-known cartoon showing a boxing ring with firewalls, encryption and anti-virus software in one corner and, in the opposite corner, an overweight, slovenly, middle-aged Dave sporting a silly grin and a T-shirt that says “Human Error”… There is no training Daves, as they always click. However, companies now increasingly run random phishing tests so the Daves can be identified and made to reflect after they get a “you’ve been phished” message and a delightful invitation to HR.
- The future of technology will be shaped by Artificial Intelligence (AI), quantum computing, 5G (much in the news due to the Chinese control of the main 5G provider, Huawei, and the associated strategic issues) and the Internet of Things (IoT). While explaining the basics of these four key items, Dick and Bob go through technical details of their current and future developments that will delight the tech-minded and security policy wonks alike.
- It would be remiss not to address the key topic of cyber hygiene, which concerns us all as users of connected devices and which Dick and Bob do cover in the book. They offer a list of steps to take to limit as much as possible the impact of cyberattacks, even if in our case these usually do not emanate from nation-states or their proxies. The list is admittedly long and many of the steps are unlikely to be followed strictly, as we are not corporations or governments, or perhaps not all that IT- or cyber-minded. Anyway, here they are, and some of these pieces of advice should be read in terms of what matters to you:
- If you are an American citizen, just stop worrying about your Personally Identifiable Information (PII). Your Social Security Number has already been stolen several times.
- Keep your passwords differentiated even if they number 20+, use passwords of at least ten characters (longer is better, and a passphrase of several words is easier to remember than ten random characters), pepper them with #, ^ and *, and consider getting a password manager like LastPass, Dashlane or Zoho, admittedly not household names.
- Do not keep all your passwords on a yellow sticky note on your laptop. Duh.
- If worried, use one main password and a second factor, like an SMS with a one-time number to use as a second password. Many banks require this already. (An authenticator app or a hardware key is a stronger second factor than SMS, which can be hijacked through SIM-swap fraud, but any second factor beats none.)
- If worried, don’t use debit cards. Use only credit cards. Limit the monthly amount on them. For really unusually huge transactions, ask for a human to call you for confirmation. Don’t be surprised if your transaction is stopped when you travel to, and discover, beautiful Chad at the last minute… Use answers to bank verification questions which are weird but yours (if the question is what your favorite baseball team is and you are from Boston, don’t say the Red Sox. I know it’s hard).
- Beware of emails from Apple, Google, Microsoft and Facebook that look perfectly fine, telling you that you need to reset your password. Just focus on the weird address of the sender, with all those X, Z, w and its range of weird numbers. And don’t click, Dave!
- Beware of webcams on your devices, including laptops, even if they look dormant. The same is true of cell phones (and why I have always had to leave mine at the entrance of the US Embassy in Prague, for several years now. Strangely, their French counterpart is more trustworthy…).
- I can’t do that, but Dick and Bob advise to keep only two months of emails (back up the previous ones if you really want to keep them) unless you want your prose potentially found in strange places, especially if you write incendiary or compromising pieces…
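For the tech-minded among you, here is an added example (my own illustration, not code from “The Fifth Domain” or its authors) of the sender check behind the “don’t click, Dave” advice above: it reads the From: header of a “reset your password” email, accepts only the brands’ known sending domains, and flags look-alike domains (digit-for-letter swaps, one- or two-character typos, the brand name buried in a longer domain) or a brand named in the display name but sent from an unrelated address. The brand domain list and the sample headers are constructed for the demonstration; nothing is looked up online.

```python
"""Triage the From: header of a "reset your password" e-mail.

Added example, not code from "The Fifth Domain" or its authors. The brand
domain list and the sample headers are constructed for the demonstration;
no DNS or reputation service is consulted, so it runs offline.
"""
from email.utils import parseaddr

# Domains these brands genuinely send from (constructed, illustrative list).
LEGIT_DOMAINS = {
    "apple.com", "google.com", "microsoft.com", "facebook.com", "facebookmail.com",
}
BRANDS = ("apple", "google", "microsoft", "facebook")

# Look-alike substitutions attackers use: micros0ft, app1e, faceb00k ...
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "|": "l", "$": "s"}
)


def registered_domain(addr: str) -> str:
    """Keep only the last two labels of the sender's domain, lower-cased."""
    domain = addr.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typosquatter's sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no usable address in From header"
    domain = registered_domain(addr)
    if domain in LEGIT_DOMAINS:
        return "ok", f"{domain} is a known sender domain"

    base = domain.split(".")[0]          # "micros0ft" from "micros0ft.com"
    normalised = base.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if normalised == brand:
            return "suspicious", f"{domain} uses look-alike characters for {brand}"
        if brand in normalised or edit_distance(normalised, brand) <= 2:
            return "suspicious", f"{domain} resembles {brand} but is not a known sender domain"

    # Brand named in the display name or mailbox, yet sent from an unrelated domain.
    claimed = (display + " " + addr.split("@")[0]).lower()
    mentioned = [b for b in BRANDS if b in claimed]
    if mentioned:
        return "suspicious", f"claims {', '.join(mentioned)} but sends from {domain}"
    return "unknown", f"{domain} is not a brand domain; treat any link with care"


# Constructed sample headers of the kind the advice above describes.
SAMPLE_HEADERS = [
    "Apple <no-reply@apple.com>",
    "Apple Support <appleid@app1e-security.com>",
    "Microsoft Account Team <security@micros0ft.com>",
    '"Google" <xz7w-notify@zq9mail-reset.net>',
    "Newsletter <news@example.com>",
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Return [(header, verdict, reason), ...] for a batch of From: headers."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:10s} {header:50s} {reason}")
```

Only the first sample comes back “ok”; the next three are flagged for three different reasons, and the plain newsletter is merely “unknown”. The check is deliberately a heuristic: a From: header can be forged outright, so it complements, rather than replaces, the mail provider’s own authentication checks, and the real defense remains not clicking.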
I know, I wish we could all be so good and wise. By the way, the final advice of Dick and Bob is also to enjoy all the wonderful things that the internet provides modern society and to stop worrying about the threats lurking in the shadows.
I hope you enjoyed this Book Note on a topic I would never have bothered with ten or fifteen years ago, so tech-foreign I always was. However, it is great to keep up with our times and even fight the good fight while keeping young (even for those 1960ers like me!).
While I do not want to unduly advertise it, I am also a seed investor in a young UK cyber security start-up (yes, even with the dreadful Brexit), Britain being, thanks to GCHQ, a beacon of cybersecurity excellence globally. If any of you have a need in cyber risk prevention and management, so beyond managing the “after attack” and going after these guys in Tehran, I will always be very happy to put you in touch with my cyber warriors.
Warmest regards,
Serge