“Russia must stop its reckless pattern of behaviour.” Such was the warning made by NATO Secretary General Jens Stoltenberg in early October 2018 in support of accusations made by the British and Dutch governments. In addition to the United States and Canada, these two European countries are also pointing the finger at Russia, claiming it is behind a host of major cyberattacks. The tense international climate has spread beyond land, sea, air and space to cyberspace, but to what extent?
A cyberwar story, in four chapters
“The more I speak to people, the more they think that the next Pearl Harbour is going to be a cyberattack,” said Tarah Wheeler, a cybersecurity expert at the OECD in Paris in June 2018. Indeed, certain events would suggest that a large-scale attack will one day take place, having a devastating effect on a world power. We can see how the story is developing thanks to several recent ‘chapters’.
Chapter one of the cyberwar: Estonia, 2007. After the removal of a Soviet-era war memorial, pro-Russian riots broke out in the Estonian capital. Shortly after, the country was hit by a wave of unprecedented cyberattacks, allegedly of Russian origin. Government sites, banks, the media and emergency and police services were the targets of Distributed Denial of Service attacks (DDoS). For some experts, this nationwide attack marked the beginning of a global cyberwar.
Chapter two: Iran, 2010. The first industrial attack of this magnitude was a computer worm, Stuxnet, which attacked the Iranian nuclear programme by falsifying information sent to and from uranium enrichment plants. It was later revealed that the United States and Israel were behind the virus, marking a new turning point in interstate conflicts.
Chapter three: Ukraine, 2017. Before spreading around the world, NotPetya ransomware infected the whole of Ukraine, crippling banks, ATMs, shops and transport infrastructure, all in just a few hours. The goal was simple: destroy as much data as possible. This was yet another episode in the conflict between Ukraine and its Russian neighbour.
It would seem the fourth chapter is still being written, with cyberspace, now more than ever, becoming a source of international tension, to the extent that NATO has officially recognised it as a possible battlefield. “This means they can respond to a cyberattack with conventional weapons and vice versa,” said Marco Genovese, Stormshield Network Security Product Manager. “There is virtually no difference between a cyberattack on a nuclear power plant and dropping a bomb on it.” Gérard Peliks, President of CyberEdu, adds: “Modern countries are setting up specific structures to wage cyberspace war. In China, for example, 200 soldiers from the Chinese National Army are spying on American and European networks in an twelve-storey building in the Shanghai suburbs."
There is virtually no difference between a cyberattack on a nuclear power plant and dropping a bomb on it.Marco Genovese, Product Manager Network Security at Stormshield
Meanwhile, “it is very easy to slip into doubt, uncertainty and fear, but I believe it is important to discuss the risks calmly,” says Markus Braendle, head of Airbus CyberSecurity. Thinking about cyber risks also requires breaking free from the military models of the past; if man is almost always the most vulnerable element in an information system, it could also be the case on a national level.
Beyond infrastructure, is democracy in danger?
In a report published on 17 April 2018, the French National Agency for Security Information Systems (ANSSI) identified two new reasons for launching cyberattacks: the destabilisation of democratic processes and economic processes. Elections have become prime targets. To believe it, you have but to take an interest in the most recent American and French elections, or talk to Andres Sepulveda, a Colombian hacker who admitted to having rigged several presidential elections in Latin America.
The instant and massive spread of information, especially on social media, means these attacks have the potential to cause considerable damage. Damage, ironically, which is often quite simple to provoke. For instance, Hillary Clinton's campaign manager had his account hacked by a common phishing e-mail. Meanwhile, in France, at least 20% of civil servants at the Ministry for the Economy and Finance do not seem particularly prepared for such foreign attacks. These attacks could easily cause just as much damage as the Stuxnet virus. “If someone attacked an infrastructure, you'd know immediately,” says Braendle. “But an attack in the form of influence can be much harder to detect. To a certain extent, it is also much more difficult to return the situation to normal.”
An attack in the form of influence can be much harder to detect.Markus Braendle, head of Airbus Cybersecurity
Cyberwarfare and its risks
With cyberattacks on citizens and state infrastructure becoming more widespread, could we see an escalation in cyberwarfare? Possibly. In a bill dating from autumn 2017, the United States planned to authorise hack-backs. This would allow companies to try to identify attackers and take the law into their own hands... along with the risk of making mistakes. “This is a huge difference compared to classic warfare”, states Braendle. “Placing blame for attacks is very complicated. You can look for signs in the code, or try reverse engineering the attack, but any shred of proof you may find could easily have been planted.” In an article on 'digital self-defence', Pierre-Yves Hentzen, CEO of Stormshield, explains: “The problem with digital self-defence is that, unlike the real world, it doesn't play by the rules: simultaneity, proportionality and response to the attacker.”
Besides the risk of falsely accusing a third party, there is nearly always the risk of an onslaught of attacks. After the Stuxnet virus attack, Iran strengthened its national defences and even recovered the Stuxnet code to create Shamoon, a virus sent to Saudi Arabia to paralyse oil production.
And as if that wasn't enough, the US government considered legitimising preventive cyberattacks, the goal being to annihilate enemy capabilities before they attack, using either an offensive or defensive strategy.
Faced with this escalation in cyberattacks, when can we expect new regulations for cyberspace? Since November 2017, Brad Smith, President and Chief Legal Officer of Microsoft, has been advocating a Digital Geneva Convention (still just a theory for now). Should multi-party discussions fail, could regulation not come about naturally, if a State managed to master a technology that would crush others? “Innovation could completely change how we see IT security,” says Braendle, referring to the quantum computer and its astronomical computing powers.
That said, preventative cyberattacks are not as new as they seem: all around the world, secret services are exploiting zero-day vulnerabilities to spy on each other. Such infiltrations happen regularly and are nothing new, even if they do spark a lot of interest when revealed to the public. Nevertheless, a certain balance of power seems to persist. But what if cyberattacks became the means to a new world order, like the possession of the atomic bomb?
But what if cyberattacks became the means to a new world order, like the possession of the atomic bomb?Pierre-Yves Hentzen, CEO of Stormshield