20 March 2017

States of cyber warfare: negotiating a cyber-weapons treaty

By Martin Courtney

The destructive effect of cyber disruptions between nation states is leading to calls for cyber-weapon agreements. Should we look to nuclear arms treaties as our guide?

Cyber-attacks are damaging and disruptive when orchestrated by criminals and hacktivists with a point to prove, but they take on a more sinister and potentially catastrophic significance when carried out or supported by government-funded military or intelligence units.State-sponsored cyber espionage and cyber terrorism have been steadily growing in frequency and diversity over the last decade as national authorities become increasingly reliant on digital information and expansive networks.

The situation is considered so serious in some circles that calls to establish agreed rules on the use of cyber weapons against the critical national infrastructure (CNI) of individual countries are getting louder. Yet, as befitting the murky world of spies, it is hard to assess exactly how much progress has been made on any cyber warfare proliferation deals to date. Some question whether digital arms controls that restrict the use of specific types of cyber weapon, such as advanced persistent threats, distributed denial of service (DDoS) attacks or malware, are feasible in the first place.

Cyber-security vendors have noted a significant rise in the volume of sophisticated malware and hacking tools, some of which have caused disruption to government operations, while others have been successfully intercepted and neutralised before causing too much damage.

The biggest problem is identifying the source of an attack, with governments notoriously reluctant to admit their participation in cyber assaults on other states for fear of digital, or even physical, retaliation.

“We have seen an increase in the higher level of more sophisticated attacks, which are allegedly down to either nation states or organised crime,” says Waterfall chief executive Lior Frenkel. “You cannot be sure [the source is a nation state] because they will not admit to it, but that is no different from any other form of espionage.”

That is the beauty of a cyber attack – it is hard to detect, can cause tremendous disruption and is generally much easier to carry out compared to air strikes, bombings or military action.

“These cyber attacks are a greater threat than even kinetic terrorism,” agrees Eric O’Neil, national security strategist at Carbon Black. “They are cheaper to launch, easier to design and benefit from an inherent difficulty to track back to their source.”

Andrey Nikishin, future technologies projects director at Kaspersky Lab, believes nation state actors are going to great lengths to carefully conceal their activity, often by deliberately using less complex malware to disguise its origin.

“Only top experts can create top quality code, but a lot more people can produce average quality code,” says Nikishin. “When there’s no physical war, nation-state actors will be keen to make sure their destructive/disruptive (cyber) operations are not attributable, especially now that more nations have stated that cyber operations can be a cause for physical retaliation.”

Additionally, hackers are now paying a new generation of semi-professional criminals using bitcoin to carry out attacks for them using downloadable kits, which are freely available on the dark web – very similar to the drugs trade where large cartels use a network of regional and local dealers to cover their own tracks.

While perpetrators may have never admitted responsibility, there is strong evidence to suggest that nation-state actors have been behind many high-cyber incidents. One such attack, on the German parliament in 2015, caused widespread disruption by infecting 20,000 computers used by German politicians, support staff and civil servants, transmitting sensitive data back to the hackers and requiring several million euros in clean-up costs. A group of Russian nationalists demanding the Berlin government cease its support for Ukraine claimed responsibility, though Russian intelligence was thought to be standing in the wings.

Russian hacktivists with assumed links to the Russian state were also responsible for launching an attack that shut down many websites and online platforms run by the Estonian parliament and government. That hack followed the Estonian government’s decision to relocate a statue commemorating the Soviet Union’s victory in the Second World War, with Russian hackers also blamed for orchestrating similar cyber disruption during the Russo-Georgian conflict in 2008.

In 2015, Chinese state-backed hackers were accused of breaching the US Office of Personnel Management’s website to steal information on 22 million current and former US government employees. Along with evidence that Chinese hackers stole designs of US military aircraft, the incident led to Barack Obama’s call for a framework on cyber arms control “analogous” to nuclear arms treaties, the first progress the world has made towards establishing such a framework.

“Over the past three years, catastrophic security breaches have stolen information, probed the infrastructure of major western countries, provided economic advantages to China, political advantages to Russia, fuelled the North Korean and Iranian need for revenge, and have fed the espionage machine of nations that spy,” says O’Neil. “Even ISIS and other terrorist organisations are getting into the game as they amass the capability to launch digital attacks.”

The US itself is no stranger to state-sponsored espionage, most famously a joint operation with Israel that targeted Iran’s nuclear programme between 2008 and 2010. The Stuxnet virus planted within computers managing industrial control systems at Iranian nuclear processing plants has since been attributed to General James E Cartwright. He was then the head of a small cyber operation within US Strategic Command who collaborated with the Israeli Defence Force Intelligence Corps Unit 8200 and the National Security Agency to deliver the payload. Cartwright was initially prosecuted for treason in leaking details of the Stuxnet operation to the press, but was pardoned by Obama in January 2017.

The US reputedly considered using a cyber offensive against Qaddafi’s regime in Libya ahead of air strikes, but refrained, fearing it would set a precedent for other countries. It also fell shy of using cyber warfare to prevent Pakistan’s radar systems detecting helicopters carrying US Special Forces on the hunt for Osama Bin Laden for the same reason.

Statements released by private sector cyber-attack victims also point to state-sponsored sources. The Yahoo! hack in December 2016 was blamed on state-sponsored hackers by Yahoo itself, though the US ISP didn’t say which state was to blame.

North Korean government hackers were blamed for the cyber attack on Sony Pictures in 2014 after the latter released the film ‘The Interview’, which depicts the death of the North Korean leader Kim Jong-Un. The FBI noted similarities in the code, encryption algorithms, data deletion methods and compromised networks found in malware previously known to have been used by North Korean hackers, and that several IP addresses associated with the country had been used.

Once you get over the more salacious aspects of the recent report prepared by an ex-British intelligence operative for the CIA concerning misdemeanours of President Donald Trump, there is a lot of detail suggesting that Russian state-sponsored hackers are targeting Western companies. Top of that list are financial institutions, attacks on which would cause huge economic disruption and steer governments to launch more conventional attacks that lead to all-out war.

“Crippling financials definitely fits within the realm of cyber war,” says Nikishin. “However, attribution is a problem. Given the state of cyber security, a group of dedicated hacktivists can decide they want to attack a particular company or sector and are likely to be successful. When there are geo-political tensions, this can be cause for serious escalation.”

With so much cyber espionage activity, some believe the world’s governments should decide on a cyber arms control treaty that sets out rules on how and when cyber weapons should be used.

Yet while the Law of Armed Conflict (LOAC) extends to cyberspace, there is confusion around its applicability, and no definitive agreements around cyber-warfare proliferation between states have emerged.

Multiple submissions to Nato calling for an internal code of conduct for information security going back a decade or more appear to have stalled, largely due to arguments around the legal definition of cyber warfare and disagreements (primarily between the US and Russia) as to whether it should be treated as a political, rather than a criminal, problem. Any agreements which have been successfully forged have focused on sharing threat intelligence and formulating coordinated responses to common attacks. Governments have been far less keen to reveal the extent of the cyber weapons they use on each other, much less talk about restricting them.

After around four years of negotiations, 30 countries signed a Council of Europe convention that outlines common definition of computer-related crimes and defines methods of criminal investigations and prosecution (Russia declined to sign up). Yet the Budapest convention on cybercrime has remained a collaborative agreement designed to stop criminal activity and coordinate a response, rather than limit the development or use of cyber weapons.

In 2015, the UN Group of Government Experts took discussions further, with a report proposing that states agree not to attack certain CNI elements in peacetime, which was endorsed by the Group of 20. It also recommended study by the UN Institute for Disarmament Research, and outlined its belief that the UN should play a leading role in developing common understandings on the norms, rules and principles for responsible state behaviour.

Last summer, Nato said it would designate cybercrime as an “operational domain”, bringing it into line with other forms of air, sea and land warfare. Importantly, it decided a cyber attack would be considered an armed attack according to Article 5 of the North Atlantic Treaty and would trigger the collective defence clause.

However, there remains little evidence to suggest that Nato has any offensive cyber capability to combat those attacks, with its core policy being to protect its own networks. While there was much talk of strengthening collaboration among the 28 Nato member states to coordinate their defence against, and response to, cyber attacks, there was no mention of establishing a mutual proliferation agreement or cyber arms control treaty.

Where there does appear to have been genuine progress is a bilateral agreement between the US and China. In September 2015, President Obama and President Xi Jinping discussed rules governing cyber relations and reputedly agreed not to use cyber means for commercial espionage.

The two countries committed to “identify and promote appropriate norms of state behaviour in cyberspace within the international community”, widely heralded as the precursor to a broader agreement banning state-sponsored cyber attacks on each other’s CNI during peacetime, though no formal treaty has since been revealed.

“The interesting part of the recent US-China cyber-treaty is that it appears that Chinese attacks on US organisations have dropped by 90 per cent in the last two years,” says Mark Loman, Sophos director of engineering.

However, rather than representing any cyber arms control agreement, Frenkel believes any deal struck between the US and China was more likely to be the first step towards adopting a cooperative stance against a common enemy – a strategic political move to encourage closer ties between the two countries and warn others (almost certainly Russia) the two regimes would share intelligence and resources.

Some cyber-security vendors have called for a ‘Digital Geneva Convention’ that pushes governments to establish norms for engagement in digital warfare. Speaking at February’s 2017 RSA Conference, Microsoft president and chief legal officer Brad Smith applauded the 2015 agreement between the US and China and urged other regimes to use it as a model for their own online rules of engagement. His comments were echoed by Eugene Kaspersky, who first called for the international community to reach an agreement on the development, application and proliferation of cyber weapons in 2012.

“For now, once a state-sponsored attack is discovered and defeated there is no legal recourse when nation-states are behind such attacks,” adds Nikishin. “We need to work towards international treaties to deescalate the digital arms race happening online. Where states are involved, it has to come down to some kind of modern Strategic Arms Limitation Treaty.”

Frenkel, however, believes this type of treaty makes no sense and is extremely unlikely to work in practice as governments continue to invest millions in developing espionage technology.

“Do you really see two nation states saying ‘these are the rules of engagement for espionage and these are the tools which we are allowed to use’?” he says. “You cannot rely on allies not spying against you whether its espionage or cyber espionage, which is why individual governments need to focus on protecting their own CNI.”

“It would be easy for a government to disregard these agreements, as it is easy to route the attack or ask someone else to stage attacks from other countries,” adds Loman.

Few believe that a cyber arms treaty will succeed if modelled on nuclear arms treaties of the past. Any treaty needs to carefully consider the comparative ease with which cyber weapons can be both produced and concealed.

The first nuclear arms control agreement – the Limited Test Ban Treaty of 1963 – did not emerge until 18 years after Hiroshima, and it was a further five years before the Nuclear Non-Proliferation Treaty of 1968 was signed. Neither solved all the problems and any similar accords on cyber arms control could be equally as slow and piecemeal, even if consensus on their development is achieved.

A CIVILIAN’S GUIDE
Preventing state-sponsored cyber attacks

State-sponsored hackers do not always use state of the art, custom-made techniques. In many cases, familiar forms of malware and hacking tools are employed.

Five approaches to beefing up data security can limit the chances of being breached.

Educate employees – human error is responsible for a high proportion of data breaches. Encourage a culture that inspires staff not to click on suspicious web links or attachments.

Two-factor authentication – many attacks compromise user details and harness genuine user login and password credentials to insert malware and steal data. Strengthening the authentication process can help.

End-point protection – perimeter protection (firewalls, IDS/IPS) is not a comprehensive form of defence in the world of multiple fixed and wireless cloud-connected PCs, smartphones and tablets. Additional end-point protection puts security on every device attached to the network.

Data encryption – encrypting all sensitive data at rest and in transit can make it more difficult for hackers to intercept and decipher, especially on mobile devices.

Shared intelligence –swapping experience on discovered threats and methods of neutralising them with security vendors and industry peers can assist in both prevention and cure.

No comments: