Cyber Warfare Can be Exerted by Any Nation With an Actual or Perceived Grievance Against Any Other Nation
The effect of geopolitics on cybersecurity can be seen daily – from Chinese cyber espionage to Russian attacks on the Ukraine and North Korea’s financially-motivated attacks against SWIFT and Bitcoins – and, of course, Russian interference in western elections and notably the US 2016 presidential election.
The primary cause is political mistrust between different geopolitical regions combined with the emergence of cyberspace as a de facto theater of war.
"Of course there is a connection between cybersecurity and geopolitics,” Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek. “Hackers are now acting as soldiers, and it's difficult to find a country that has never used a cyber weapon.”
A current example of geopolitical tensions can be seen in the recent ban on U.S. government agencies using a much-respected antivirus and endpoint protection product produced by Russian firm Kaspersky Lab. In September 2017, the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering government departments and agencies to stop using products from Kaspersky Lab, due to concerns regarding the company’s ties to Russian intelligence.
Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise.
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” it said in a statement.
There are many who believe that geopolitical mistrust is misplaced in the commercial world.
“Any cyber security strategy begins with trust,” comments Alan Levine, cyber security adviser to Wombat. “Can we trust the technology and services we procure? Has Kaspersky indicated even once that they can’t be trusted? Is this part of a parochial discussion about Russia equals bad? China bad? I’ve had colleagues in both countries, part of a trusted team I never had reason to second-guess.”
Nevertheless, the U.S. government’s distrust continues. It is against this background that we now examine the effect of geopolitics on cybersecurity; and ask whether there are any solutions to the problem.Cyber as a Theater of War
Although not necessarily recognized at government level, few people involved with cybersecurity have any doubt that cyber warfare is current and ongoing. Governments are reluctant to openly acknowledge this reality for fear that recognition will require retaliation – and the big fear then is that it could escalate into kinetic warfare. Kinetic provocation leads to kinetic responses; cyber provocation tends not to. Consider, for example, the U.S. response to North Korea’s missile tests compared to the response to North Korea’s cyber attacks against Sony and SWIFT.
Cyber warfare has further advantages: the difficulty of attribution provides plausible deniability.
Attribution is a major problem in cyberspace. Attackers can compromise servers in any part of the world. They can limit their activities to the working day of any geographical area. They can code in foreign languages; and they can reuse code snippets first used by different hacking groups. Such misdirection (false flags) is used by both nation state actors and cyber criminals.
An example of such occurred in 2015, when hackers initially thought to be the CyberCaliphate (that is, ISIS) almost destroyed the French TV5Monde television station. Attribution later turned to Fancy Bear (and by implication, the Russian state). Nevertheless, there remains no actual proof in the public domain that Fancy Bear has affiliations with the Russian Government.
Ironically, Kaspersky Lab researcher Juan Andrés Guerrero-Saade told SecurityWeek that if any organizations are equipped to accurately attribute attacks, it is the large nation signals intelligence agencies; that is, governments, because they have access to a much wider range of communications than is available to private researchers and research companies.
Governments also have access to old-fashioned spies, agents and other assets on the ground. When these resources provide physical evidence, intelligence agencies rarely acknowledge the source for fear of identifying their assets. The result is governments will sometimes make an attribution but decline to provide evidence; and it comes down to whether we trust our governments or not.
“Kaspersky is great software,” Eric O’Neill, General Counsel and Investigator at Carbon Black – and a former Investigative Specialist with the FBI – told SecurityWeek, “but I'd like to know what the U.S. Intelligence community isn't telling us.”
When it is impossible to openly prove the culprit, it is easy for the suspect to deny all knowledge. Following repeated denials of involvement in the US 2016 election hacks, Vladimir Putin finally suggested that it could have been ‘patriotic Russian hackers’.
“They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia,” he said. But at the same time, he stressed that it had nothing to do with the Russian government.
This has been interpreted by some as a comment verging on a taunt: we did it; you know we did it; but you just cannot prove we did it. This is plausible deniability.
Given the ease and success of cyber warfare attacks, it’s only natural that we see an escalation in its use. “In 2007, in Estonia,” explains Kenneth Geers, senior research scientist at Comodo and NATO Cyber Center Ambassador, “a distributed denial of service campaign primarily targeted online services. A decade later, in Ukraine, we have seen a far higher number and variety of attacks, spanning the political, diplomatic, business, military, critical infrastructure, and social media domains.”
The use of the internet as a means of disseminating political propaganda has also increased. Public awareness initially focused on Anonymous hacktivism, where the Anonymous group would deface or take down the websites of organizations or companies to which it objected.
This was followed by a series of social media account hacks by the Syrian Electronic Army (SEA), who used the accounts to disseminate pro-Assad views – often, it has to be said, through the use of humor.
This has now evolved into a complete and automated ‘fake news’ industry. In June 2017, Trend Micro published an analysis of this industry. Voter manipulation is available for a price. "Siguldin," says the report, "markets itself to be capable of manipulating almost any voting system in the Internet and bypassing security checks such as source IP address, Captcha, and authentication mechanisms in social media, SMS, and email as well as on-site registration among others."
During the run-up to the 2016 U.S. presidential elections, Fancy Bear allegedly broke into DNC servers to steal and release inflammatory emails – supposedly to manipulate the U.S. electorate into rejecting the Democrat candidate Hilary Clinton in favor of the Republican Donald Trump. The U.S. intelligence agencies have no doubt that this action was directed by the Kremlin – but, as with the accusations against Kaspersky Lab, there is no public proof offered.
While Russia is by no means the only nation engaging in cyber warfare (North Korea and Iran quickly come to mind), nevertheless Russia dominates the accusations. The technical excellence of the Russian hacking groups, whether or not affiliated to the FSB, escapes no-one: as long ago as September 2012, Trend Micro warned in the report Peter the Great vs. Sun Tzu, “East Asian hackers are not at the same skill level of maturity as their East European counterparts.”
It is against the background of rising US concern over Russian hacking that we should consider the current accusations levied against Kaspersky Lab. “I suspect that Kaspersky is merely a victim of the ongoing political fallout from the 2016 U.S. Presidential Election,” comments Geers. “This is what we must assume, absent published analysis of a demonstrable secret back door or intentionally weakened cryptography.”The Effect of Geopolitics on Cybersecurity
The fundamental cause of cyber warfare is international political mistrust. As this escalates, so international cyber incidents increase – and there is little doubt that political mistrust is as high as it has ever been since the end of the Cold War. Sino-American tensions remain high, complicated by the unpredictability of a newly nuclear North Korea. The War on Terror that replaced the Cold War has seen the emergence of Iran as a sponsor of terror; both on the streets and in cyberspace. And Russia’s new found energy wealth sees Putin apparently determined to make the Russian Federation as powerful as the old Soviet Union.
Kinetically, the United States is probably the world’s sole Super Power; perhaps followed by China. Cyberspace, however, is a huge leveler. “What you’re seeing today is technology straining and sometimes eclipsing the ability of traditional constraints and institutions to keep them in check,” Christopher Bray, SVP/GM Consumer at Cylance Inc, told SecurityWeek. “It’s also resulting in smaller nations punching above their weight when it comes to cyber defensive and offensive capabilities, and exerting these new-found technological powers in advancing their geopolitical agendas as well as their desire to monitor their own populations to various degrees. This monitoring is always done in the interest of ‘national security’, but depending on the government in question, it can also lead into a more Orwellian direction.”
In short, cyber warfare can be exerted by any nation with an actual or perceived grievance against any other nation; and the implication of that is that it will continue to grow. This is likely to have several negative effects on cyberspace.
The first negative effect is already being felt: it is the balkanization of the internet. There are two aspects to this: the first is to protect the national internet from the global internet; and the second is to promote the use of locally produced products over foreign-produced, and therefore suspect, products. The Iranian, North Korean and Chinese intranets are the best known examples. China has embarked on a locally-produced product policy (China’s Cybersecurity Law) which will see 80% of large Chinese business security expenditure will be on locally produced products.
Other countries are embarking on different routes towards the same end: banning or at least deprecating the use of foreign-produced products (China’s Huawei and perhaps Russia’s Kaspersky in the U.S., for example), or using internet censorship and press restraint to limit the citizen’s access to foreign or distrusted information sources (as increasingly happens in the UK).
The problem with this effect of geopolitics is that it increases rather than decreases mistrust – and this ‘balkanization’ will likely, but not necessarily, have further negative effects on both cyber and national security.
It is not at all clear that a ‘local product only’ policy can work. “Most major software products are written by personnel in numerous countries, and parent companies subcontract out much of the labor to coders whom they only know tenuously,” explains Geers. “Often, we have little choice but to use, for example, Chinese hardware, American software, French routers, and Israeli security applications… Are there spies working in many of the best-known software companies? Without a doubt. But in most cases, the companies in question do not know about them.”
Chris Roberts, chief security architect at Acalvio, agrees with this view. “Almost everything we have is brought in from somewhere else, manufactured elsewhere and/or supported elsewhere. Those microchips you have in your sensitive systems come from China… and if anyone is counting,” he added, “we (the U.S.) hold more in long term securities in Russia than they hold in us… so we’re basically shooting ourselves in our feet (with both barrels).”
The corollary is clear. Globalization market forces have produced the most efficient manner of producing high quality security products. Forced interference with that schema will likely lead to less than optimum cybersecurity. In our current example, if Kaspersky Lab’s protestation of innocence is true, then U.S. government agencies are restricted from purchasing an antivirus endpoint protection product that consistently performs at the top end of the spectrum in all third-party tests.
If cybersecurity is weakened by nationalism, then the national security that depends upon strong security products will also be weakened.
“Traditional political and military conflicts may drag us into a Cyber Cold War that will be bad both for technology and for the rule of domestic and international law,” says Geers. “The best place to see progress on cybersecurity, which is fundamentally an international problem that requires an international solution,” he continues, “is within the European Union and NATO, the world’s strongest political and military alliances. The combined law enforcement, network security, and intelligence power of 29 sovereign democracies far outweighs that of even Moscow or Beijing.”
The nationalism and ‘Britain First’ policies behind Brexit will weaken British and EU security. The full effect of a nationalist ‘America First’ policy will weaken global cybersecurity, and potentially – if it also weakens NATO – global kinetic security.
More complex business security
Concern over geopolitical influence on cybersecurity products simply makes a difficult job even more difficult. Steven Lentz, CSO at Samsung Research America, told SecurityWeek, “It's sad that we have to be aware of vendors like this, but that's the environment. Politics finds a way into everything nowadays. I just want a solution that does what it says and fits our environment. Now, with all the press of certain vendors in possible collusion with governments that may spy on the U.S., it makes it more complicated. I may like the vendor’s solution, but now I have to worry about possible malware or back doors,. It's sad.”
Martin Zinaich, ISO at the City of Tampa, doesn’t believe that the possibility of government backdoors in cybersecurity products makes an impossible job any more impossible. “If a government wanted to bury a backdoor, I have doubts that anyone would actually find it.” He also points out that the problem isn’t limited to to a nation’s own products. He notes the recent compromise of CCleaner, a product owned by Avast. Avast is a Czech-based antivirus company. There are suggestions that it was compromised by a hacking group known as Group 72; and there are further suggestions that Group 72 has affiliations with the Chinese government.
Is There a Solution?
There is no easy solution to the cybersecurity problems caused by geopolitics, although there are several proposals. The first is a set of internationally agreed ‘norms of cyber behavior’. One example was published by Microsoft in summer 2016.
The Microsoft Norms
The problem with norms is that they must first be agreed by everyone, and then obeyed by everyone before they can be called ‘norms’. “The impact of cybersecurity norms depends on whether they are implemented faithfully and whether violators are held accountable,” admits the report. However, accountability falls at the attribution problem – since it is almost impossible to prove attribution, it is impossible to hold deviant nations to account.
Microsoft’s proposed solution is an independent, international body of experts who would pronounce on attribution. “A public/private international body might be a highly constructive way to validate whether norms are being adhered to and may help create a more stable cyberspace in the future."
However, it is hard to see how this would work in practice: it is doubtful whether any state would accept responsibility just because a panel of adjudicators finds it culpable. Furthermore, each accused state would likely be supported strictly along the lines of their existing geopolitical spheres of influence.
For the foreseeable future, norms are not likely to be possible; and norms are most required when they are least achievable.
Product certification is an approach that offers a partial solution. The idea is simple – an independent authority should analyze a hardware or software product and, if satisfied, certify it free of weaknesses or backdoors. Both government and business could then treat the product as trustworthy, regardless of source.
Over the years there have been many attempts at developing product certification schemes. In the UK, GCHQ runs a Commercial Product Assurance (CPA) scheme via the NCSC. ‘Foundation Grade’ certification ‘means the product is proven to demonstrate good commercial security practice and is suitable for lower threat environments.’ Noticeably, it doesn’t say it is free from foreign government backdoors.
A more recent initiative comes from the European Commission: a regulation proposal on ‘Information and Communication Technology cybersecurity certification’, published Sept. 13, 2017. The proposal has two key elements: that the European Union Agency for Network and Information Security (ENISA) is put on a permanent footing as Europe’s cybersecurity agency; and that ENISA should develop and control a new pan-European product certification scheme.
“ICT cybersecurity certification becomes particularly relevant in view of the increased use of technologies which require a high level of cybersecurity, such as connected and automated cars, electronic health or industrial automation control systems (IACS),” says the proposal.
The European approach has one main advantage over the UK approach – ENISA is at arms length from the politicians, and two arms lengths from the intelligence agencies. The CPA is controlled by an intelligence agency.; so while CPA may be trusted within the UK, its value to other countries may be suspect simply because of geopolitical tensions.
However, all certification schemes suffer from the same ultimate flaw: certification can never guarantee that there is no backdoor, and that one won't be added through means such as remote updates. Certifications can only affirm that none have been found.
Reverse engineering software code is probably the most effective way of detecting flaws and backdoors; but it is too time-consuming and costly to be generally effective. It can be done, however, in special circumstances; and the Huawei Cyber Security Evaluation Center (HCSEC) in Banbury, UK, is an example.
China’s Huawei telecommunications products are not universally trusted – and were banned in the U.S. in 2012 for fear of backdoors leaking information to China. The company was also banned from bidding on a contract to work on Australia’s National Broadband Network (NBN). The same is not now true in the UK, albeit by an unusual route.
In 2005, BT awarded a telecommunications contract to Huawei – but government ministers what not informed of any security concerns until 2006. By this time the Cabinet Office had been informed that blocking the contract “could have had serious diplomatic and trade implications as well as exposing the government to a potential claim for hundreds of millions of pounds in compensation from BT under a provision in the 1984 Act that makes the Government liable to offset any losses sustained in complying with the direction.”
The solution was to retrofit trust. HCSEC, commonly called The Cell, was launched in November 2010. Under GCHQ and now NCSC oversight, and with cooperation from Huawei, the UK is able to reverse engineer Huawei code looking for any flaws or backdoors.
Since 2015, the HCSEC Oversight Board – chaired by NCSC CEO Ciaran Martin – has produced annual reports. The third of these (PDF), published in July 2017, concludes “that in the year 2016-17, HCSEC fulfilled its obligations in respect of the provision of assurance that any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated. We are content to advise the National Security Adviser on this basis.”
In short, reverse engineering has retrofitted trust between the UK government and Huawei despite any geopolitical tensions that might exist between the UK and China. This is relevant to any discussion over geopolitics and Kaspersky Lab since the Russian firm has offered the same facility to the U.S. government.
In July 2017, Eugene Kaspersky told the Associated Press that the company will show its source code to the U.S. government if that gesture will foster trust. “Anything I can do to prove that we don’t behave maliciously I will do it,” he said. Kaspersky has continually reinforced his willingness to do so ever since.
Roberts believes that this could be a solution. “So, let’s go back to Russia given that’s the one that’s at the forefront of everyone’s mind.. why don’t we have a ‘gating’ system where we bring technologies in, assess them, reverse engineer them, and then when they’ve passed that ‘gate’ they can be let into the government etc? The UK does it, and as long as our geeks are more devious than their attackers we should be in good shape.”
There is no solution
Kaspersky Lab’s problem with the U.S. government is an example of the effect of geopolitics on cybersecurity – and the sad reality is that there is no way that Kaspersky Lab can prove its innocence. Consider, for example, the company’s statement on Russian law:
“Regarding the Russian policies and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services. Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.”
Carbon Black’s O’Neill responded, “I do not fault Kaspersky or the Federal Government for this decision. While the [DHS] directive may appear extreme, the Russia government has waged a silent war against the United States for years, most recently in attempting to influence our 2016 election.” He added, “Unfortunately for Kaspersky, our government has no good answer for whether Kaspersky could deny any request for assistance from Russian intelligence. While I expect that Kaspersky would immediately say no to any such request, the question is unfortunately not ‘would they’ but ‘could they’. I'm not certain Russian intelligence would take no for an answer.”
For so long as geopolitical tensions remain high, mistrust will prevail, and geopolitical effects on cybersecurity will increase.