28 July 2018

Cyberwar: What happens when a nation-state cyber attack kills?

By Danny Palmer

The increasing sophistication and power of state-backed cyber attacks have led some experts to fear that, sooner or later, by design or by accident, one of these incidents will result in somebody getting killed. It might sound far-fetched, but a former head of the UK's intelligence agency has already warned about the physical threat posed by cyber attacks and the potential damage they could do. "Nation-states are getting more sophisticated and they're getting more brazen. They're getting less worried about being caught and being named -- and of course that's a feature of geopolitics," said Robert Hannigan, who served as director general of GCHQ from 2014 to 2017.

"The problem is the risk of miscalculation is huge," he said, speaking at a security conference in London last month. "If you start to tamper with industrial control systems, if you start to tamper with health systems and networks, it feels like it's only a matter of time before somebody gets hurt and somebody is ultimately killed."

The mention of health systems is a reminder perhaps of last year's WannaCry ransomware outbreak, which crippled large parts of the UK's National Health Service. Thousands of appointments were cancelled, causing disruption and inconvenience for patients around the country.

No critical systems were hit, but given the nature of WannaCry -- which the US, UK, and others have blamed on North Korea -- that was likely due to luck rather than planning.

With attacks against hospitals, transport, power plants, or other critical national infrastructure, attackers are playing a dangerous game -- but that hasn't stopped clandestine, targeted campaigns against infrastructure.

Perhaps the most famous example is Stuxnet, malware designed to damage Iranian uranium centrifuges which was uncovered in 2010. The destructive attack on the industrial systems put Iran's nuclear program back by years, and is believed to have been a joint cyber operation by the US and Israel.

However, Stuxnet was designed to be limited in its impact; in the years since, those attacking industrial control systems have become more reckless. This was demonstrated in December last year, when it emerged that hackers had used malware to disrupt the safety instrumented systems -- the controllers responsible for emergency shutdown -- at a critical infrastructure firm in the Middle East.

Analysis of the Triton malware by researchers at security company FireEye suggests that the shutdown was unintentional and that it was inadvertently caused while preparing the malware to do physical damage.

The shutdown came as a result of a fail-safe mechanism and no physical damage was done -- but the unpredictable nature of the malware could have resulted in much worse.

"If the intent of the attacking group was to make the plant explode, lives lost by cyber attack could've happened," Jing Xie, senior threat intelligence analyst at Venafi, told ZDNet.

"I have no doubt it's just a matter of time that someday cyber attacks will definitely cause direct harm to people," she added.

So what happens when a cyber attack by one nation-state leads to loss of life inside another country?

In 2014, NATO updated its policy so that a serious cyber attack could be covered by Article 5, its collective defence clause. Legal experts have also made it clear that a serious digital attack could be considered to be the equivalent of an armed attack. But what would happen in reality is still uncertain.

"It's been a debate in policy circles for over a decade, if not longer: when does cyber activity cross over into a domain which needs a kinetic response from a military source?" said Jon Condra, director of Asia Pacific Research at Flashpoint.

"The current legal system which exists around war isn't necessarily up to date with this type of problem. The borders of cyberspace are much more malleable and unclear, so it's not entirely clear when a nation-state has a moral or ethical right to react in a forceful way."

If one of these attacks did cause a substantial loss of life and could be clearly attributed to a nation-state, there would have to be some sort of very serious response, said Condra. "Even outside the ethical and moral factors, the political pressure inside the country affected to do something substantial would probably force hands."

Others take a more straightforward view.

For Giovanni Vigna, professor in the Department of Computer Science at the University of California in Santa Barbara and co-founder of security firm Lastline, it's simple: "It's an actual war," he said.

"It would very likely trigger hostilities," said Jonathan Reiber, chief strategy officer for cyber policy in the Office of the Secretary of Defense under the Obama administration, and now head of cyber security strategy at Illumio.

"That's because it's like an attack in any other domain," he continued. "In 2015, we declared that cyber attacks of significant consequence will require a response and the US will respond in a time, manner, and place of its choosing to an attack on the United States. The response may not be through cyber means," he added, referring to the DoD cyber strategy report he authored.

One of the key issues with cyberwar is that it's often difficult to provide proof of who is behind attacks. Cyber attackers operating at all levels do as much as possible in order to cover their tracks and avoid being hit with the blame.

In the case of the Triton incident, the attacks haven't been formally attributed -- other than by researchers pointing to it being the work of a state-sponsored group.

"Attribution is the sticky bit. Attribution is broken to some extent," said Reschke.

A case in point is the Olympic Destroyer malware which targeted South Korea during this year's Winter Olympics. In the days following the attack, research firms published conflicting reports on attribution -- China, North Korea, and Russia were all claimed as the origin of the malware.

"The problem with attribution is it's extremely difficult, it becomes almost a guessing game," said Vigna.

"You might find artefacts that suggest a particular operation, but what if somebody left these to deceive -- somebody left something in Russian to blame the Russians? So, unless you have some sort of side channel to confirm this happened, it becomes very difficult to determine who did what."

But sometimes attackers do slip up and the authorities can determine who conducted the campaign: WannaCry was traced to North Korea and NotPetya has been attributed to the Russian military. In the case of a cyber attack which causes loss of life and can be traced to a perpetrator, it's highly likely that the victim would want to react, though not necessarily by another cyber attack.

The United States has issued sanctions against Russia for its involvement in cyber attacks, and an attack that resulted in loss of life would demand a greater response.


The Petya ransom note. The US has said Russia was responsible for the global attack. Image: Symantec

In the most extreme circumstances, a nation could decide that the only response to a harmful cyber attack on its soil could be a military response. Such a response would probably be in reaction to a substantial loss of life, but in the complex world of international geopolitics, even the smallest spark could lead to an unprecedented reaction.

"I don't know what point we get to when things start to get destructive and when that tipping point is. It's always hard to measure those tipping points when a country decides enough is enough," said Reschke.

Speaking at the Infosecurity Europe conference in London, Hannigan suggested an attack that led to the death of citizens would lead to a physical response.

"If one of their attacks had ended up with patients in the US dying or being seriously harmed, the pressure on a US government to do something and to do something pretty physical and decisive would be huge. It would be for any Western politician, but particularly in the US," he said.

Fortunately, there has yet to be a nation-state backed cyber attack which is thought to have directly led to the harm or death of citizens in another country -- which means it isn't too late to come to agreements on what an appropriate response to such an event could be.

"The international community needs to come to some sort of consensus about how these types of activities are going to be responded to, what kind of consequences there will be for them," said Condra.

For Reiber, one way to stop escalation is to ensure cyber attacks are punished, so that the punishment acts as a deterrent.

"Any kind of cyber intrusion that occurs -- whether it's the theft of $50, a destructive attack, or election manipulation -- requires some sort of punitive cost back on the actor," he said.

"If actors perceive that a range of actions are permissive, they'll pursue a whole range we can't necessarily imagine. But if you begin to impose costs for all of them, then that says the world is rallying against what they're doing and need to stop."

But for all this talk of aggression and punishment, there's likely only one thing which could prevent a destructive cyber attack by a nation-state causing loss of life in the first place.

"Technology doesn't kill people, people kill people: to a degree, you have to take a step back and set the political conditions for resolving disputes between states or between peoples within a state at a political level," said Reiber.

"Over time, that will decrease the chance that a group will use cyberspace operations against an opposing party. Clearly, peace between a pair of states will decrease the likelihood of attacks."
