Who is Surprised by a Cyberattack?

Articles on cyber warfare have consistently seen cyberattacks as a first-strike weapon for attacking countries before or at least at the onset of a moving conflict.  The speed with which these attacks occur, and the difficulty of providing defenders with sufficient indications and warning to mitigate their intensity and volume successfully, have bolstered cyberattacks as a legitimate capability for degradation, disruption, and destruction.  Cyberattacks in a moving conflict are likened to an aerial bombardment in which an onslaught of surprise digital strikes would help prepare the battlefield for a swift invasion force, where timing, coordination, and maximum effectiveness would reap huge rewards for the attacker.  Many believed that cyber would be such a weapon, a game changer, something that the Chinese refer to as an “Assassin’s Mace,” an asymmetric capability that can be leveled against a technologically superior force and a weapon whose use benefitted from not being telegraphed ahead of deployment.[1]

The element of surprise has long been championed as a tremendous advantage for warring armies, a tactic that acclaimed war philosophers like Clausewitz and Sun Tzu have espoused.  History is rife with examples of battlefield commanders employing such tactics in concert with other actions, such as deceptions and feints, to break hardened perimeters or outflank an adversary in battle.  The element of surprise has also been an important enabler for smaller forces to beat larger, better-equipped opponents.  This can be seen in such examples as George Washington’s 1776 surprise attack against the Hessians in the Battle of Trenton and Germany’s invasion of France in 1940.  Aside from kinetic opportunity, successfully employing the element of surprise can also achieve a psychological advantage.  The shock of an unexpected assault can have a traumatic effect on a commander’s psyche, as well as on the minds of the boots-on-the-ground forces.  This is exceptionally important in the early stages of an armed conflict and can help an attacker achieve victory.

This philosophy has to be re-examined in the context of cyberattacks, which have evolved over the years.  With more state actors developing offensive and defensive capabilities, cyberattacks have not yielded the results many expected.  Looking at the evolution of state-influenced and state-driven cyberattacks, there has been interest in maximizing the effectiveness of a cyber strike.  With the continued integration of networks, it logically follows that exploiting systems could achieve an aggressor’s tactical objectives by impacting the very systems relied upon for command and control, logistics, supply, and general operations.  The more networks and endpoints, the more possible areas to attack.  Adding to that has been the perception that cyber weapons could be an awe-inspiring tool.  After all, these weapons can be executed quickly, delivered surreptitiously, and can spread malevolently like cancer or punch a hole in their intended target like a missile.

In recent years, the volume of cyberattacks by state and non-state actors has propelled these weapons into the mainstream.  Cyber is no longer a foreign concept, and thanks to a proficient cybercrime ecosystem, few people in the world have not been impacted in some way by theft, a breach, or other forms of cyber-enabled malfeasance.  Press outlets and cybersecurity vendors have prodigiously informed the public of suspected state actor cyber operations, the tools used, their varying degrees of sophistication, and their impacts on sectors and industries.  Such attacks have become so common they are now expected, with even the cybersecurity community resorting to a “zero trust” security framework that assumes networks are always at risk of external and internal threats.  As such, continuous attacks should be expected.

What has been learned over the past decade is that not only should cyberattacks be expected, but they can also be anticipated.  As Clausewitz presciently wrote, “War is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means.”  As with most wars that have been fought, geopolitical tensions between states can be a harbinger of future conflict and thus a good indicator of future cyberattacks, whether from patriotic and nationalistic hackers or, if tensions have escalated, from state actors seeking to demonstrate displeasure or cause disruption in advance of kinetic action.  Moreover, cyberattacks offer an opportunity that traditional weapons typically do not: they can be used as signaling agents, causing various degrees of damage without risking human life.  Such incidents can be seen in the Operation Ababil DDoS attacks, the attack against Sony Pictures Entertainment, or even the wiper attacks against Saudi Aramco, all cyberattacks catalyzed by geopolitics.

There is a big difference between waxing theoretical about how cyber weapons can be used as a precursor to kinetic conflict and operationalizing their deployment during such periods.  What works on paper does not always make an easy transition into the real world, especially in a domain where so much must be considered, including preparation of the digital battle space, target packaging, weapons development, and predicting battle damage assessments and collateral damage fallout.  While kinetic weapons have been known to go beyond the scope of the target, inflicting collateral damage over anticipated thresholds, their impact can still be quantified with reasonable confidence.  The same degree of fidelity cannot be applied to cyber weaponry, which has a way of escaping deep into the wild, as was seen with Stuxnet and NotPetya.

Russia’s implementation of cyber has provided a better barometer by which to measure how states have evolved in using cyberattacks as part of the military toolbox.  One of the earliest instances of state-influenced cyberattacks occurred in 2007, when Russian patriotic and nationalistic hackers engaged in DDoS attacks against Estonia that lasted 22 days.  The catalyst for these politically motivated attacks was the relocation of a Soviet-era statue in Tallinn; however, the relationship between the two countries had not been the best before that incident.  And while patriotic hacker attacks had been seen before (the hacker wars between China and the United States, and between India and Pakistan, come to mind), they had not been leveraged to that effect.  These attacks were organized and mobilized to respond to a specific incident and for a specific purpose, demonstrating how geopolitics could quickly motivate hostile cyber activity and sustain it consistently.

The 2008 Georgia conflict showed an evolution in thinking about how cyberattacks could be used in concert with kinetic military operations.  Russia’s pretext that Georgia was committing genocide in South Ossetia led to DDoS attacks that bombarded the country before Russian forces moved over the border.  In the months leading up to the attacks, Georgia and Russia had tumultuous relations, dating back to the dissolution of the Soviet Union in the 1990s.  When the Georgian president cracked down on separatists in South Ossetia, tensions escalated, prompting a Russian response.  Again, when such tensions reached a breaking point, Russia committed to invading under the auspices of protecting Russian nationals, showing how geopolitics was a strong indicator of a cyber response.

Six years later, Russia’s 2014 annexation of Crimea was spurred by a revolution that ejected Ukraine’s former president, sparking a political crisis that prompted Russia to invade “to protect Russian people” in the region.  Similar to the previous incidents listed, sympathetic Russian actors conducted an eight-minute DDoS days before the Crimean referendum to disrupt Ukrainian communication networks and to filter and reroute traffic to occupied territories.  The intent may have been to divert attention away from Russian troops in Crimea.  One group of hackers even unsuccessfully attempted to change election results.  Again, geopolitics played a role in these operations.

Though political hostilities between Russia and Ukraine had been an ongoing occurrence, the Crimean annexation has been identified as the start of the current Ukraine conflict, with an ongoing barrage of cyberattacks victimizing Ukrainian networks and critical infrastructure in 2015.  Since Russia’s invasion of Ukraine in February 2022, cyberattacks meant to disrupt and destroy systems have continuously pummeled Ukrainian targets, though at this juncture these attacks – at least those conducted by Russian government assets and state-sponsored ones – have been used more as a means of gaining battlefield advantage than as a political tool or signaling agent.  They started before the official invasion and have continued since, bringing non-state actors into the cyber fray.  Before the invasion, governments and media sources anticipated Russia implementing cyberattacks, expecting a digital equivalent of “shock and awe” that never quite materialized.

The fact that damages have not been as bad as many had predicted or expected has raised questions about Russia’s capabilities, intent, and concern over potential global repercussions.  One of the simplest responses to these questions is that Ukraine was prepared.  Before the invasion, Ukraine requested cyber defense assistance, enlisting governments as well as commercial technology and cybersecurity companies.  In early February 2022, Microsoft alerted the Ukrainian government to malware targeting the Ukrainian government and other IT organizations, opening a 24/7 hotline to help Kyiv.  Such activities dovetailed with U.S. cyber hunt-forward teams deployed months before the assault.  Not only were Russian cyberattacks expected, but an infrastructure was also in place to immediately assist in mitigating them once they commenced.  Attacks have diversified, volumes have increased, and targets have shifted, but Ukraine has withstood the cyber part of the conflict.  Perhaps the biggest takeaway from the crisis so far is that a cyber playbook has emerged that could be replicated should another geopolitical hotspot blow up.

As countries continue to work out the best ways to integrate cyberattacks into their military operations, it is increasingly clear that executing a surprise cyberattack may not be feasible in today's environment.  Too many red flags will alert the global community, and these, when combined with geopolitics and the aggressor state’s history of offensive cyber measures, should provide ample heads-up for a state to enhance its cybersecurity alertness and defensive posture.  While there is an argument to be made that foreknowledge of attacks will not necessarily reveal which specific targets will be in the crosshairs, predicting which sectors should be prioritized for protection is not as much of a mystery.  Critical infrastructure will remain a high-value target, and understanding the adversary’s intent will better inform a state as to the purpose of the expected cyberattacks.  In this regard, cyberattacks may not be as deceptive and limitless as people expect.  Yes, there are potentially voluminous ways to cyberattack a target, but the target will remain the target.  Understanding what an adversary will attack works to the defender's advantage even if the specific means remain unknown.

Regardless of the perception of the role of cyberattacks in Ukraine, the conflict has set the bar for how the world can respond to them, particularly if other states are brought into the fray early as support elements.  This strategy gives credence to the value of regional blocs and multilateralism among like-minded countries, especially concerning cybersecurity cooperation.  More attentive eyes on the problem and a robust collaboration of shared assets should further reduce the ability of cyber offensives to surprise, further neutralizing what was once their biggest advantage.  This is not to say that this will work across the board, but the more focus placed on geopolitics with an eye toward cyberattacks, the better prepared and more resilient countries will be to them.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.oodaloop.com/archive/2023/08/23/is-there-any-surprise-left-in-a-cyber-attack/