10/2/2018
12:30 PM
Dave Weinstein
Commentary
Stop Saying 'Digital Pearl Harbor'

Yes, there are serious dangers posed by malevolent nation-states. But the hype is distracting us from the reality of the threats.

Make no mistake: The global cyber-threat landscape is more active than ever. We're all aware of the US Department of Homeland Security's recent revelations about Russia's 2017 efforts to penetrate American electric utilities and other critical infrastructure sectors and the NotPetya worm that spread from Ukraine to over 130 countries, costing upward of $10 billion. Just this past July, multiple senior US officials said that "Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and healthcare and technology companies" in the US, Europe, and Middle East.

Indeed, many nation-states are free to maneuver in cyberspace in a way they can't at sea, in the air, or on land, where surveillance technologies, deterrence regimes, and international laws and norms keep actors and activities in check. This shouldn't be a surprise. Deterrence, laws, and norms are largely absent from cyberspace, and while humans have better tools to thwart incidents than ever before, technology is no cure-all. The result is a disruptive infusion of non-kinetic (that is, not physically manifested) asymmetry between governments, often leaving businesses and individuals in the crosshairs. In this new competition, those who embrace digital hyperconnectivity and openness find themselves more vulnerable and subject to greater consequences than their less-connected counterparts.

Despite the alarming analogies to a "digital Pearl Harbor" and "cyber 9/11," the raucous rhetoric often distracts us from the more likely consequences of cyber threats to our critical infrastructure.

The military has a term for what's playing out in civilian cyberspace: intelligence preparation of the operational environment (IPOE) or "the process to analyze the adversary and other relevant aspects of the [operating environment] in order to identify possible course of action." IPOE was conceived for the physical world in which humans, aircraft, and satellites carry out operations to support military contingency plans. IPOE perfectly describes how some nations are employing hackers against critical infrastructure. Short of attacking, they're gaining persistent access to high-value targets and positioning themselves to remotely deliver payloads in the event of escalated hostilities or geopolitical turmoil.

First, and perhaps most concerning about these cyber preparations, are the targets themselves, which are almost entirely civilian in nature and highly important to our daily lives and businesses. Russia's two-year campaign against critical infrastructure, for example, targeted companies in the energy, public utility, and nuclear sectors, as well as commercial vendors. Likewise, recently discovered malware known as VPNFilter primarily targets home and small-office routers. This revelation prompted the FBI to conscript the public into neutralizing the malware by urging citizens to reboot their devices.

Second, the time it takes to execute a pre-positioned cyber capability is measured in minutes and hours, compared with the days and weeks it takes to mobilize ground, naval, or aviation assets in the physical world. In industrial and critical infrastructure environments, once cyber actors gain persistent and credentialed access to the right equipment, they need not deploy sophisticated malware to affect a target. Instead, they can simply issue a few commands to change critical processes and logic. With the right understanding of the target environment, these changes can lead to physical damage and unsafe conditions.

Finally, there's the question of intent. Consider last year's operation that gained access to a safety system at a petrochemical plant in the Middle East. In this case, the hackers targeted a commercial asset specifically designed to prevent hazardous leaks or even explosions in industrial facilities. The malware was detected because of some faulty code that tripped the plant into safe mode, prompting the operators to shut down the facility. Upon investigating the incident, no payload was discovered.

Are we to assume that the perpetrators were just testing their tools, or did they intend to put lives at risk by disabling the petrochemical plant's safety equipment? In truth, intent is often impossible to assess with high confidence from technical forensics alone. As the former White House cyber coordinator Rob Joyce recently explained at Black Hat, this ambiguity is destabilizing and, under the right circumstances, could lead to an actual war between powers due to miscommunication and misunderstanding.

The frequency and volume of these operations will only increase if we don't start calling it like it is. Rhetorical representations of "cyber war" in the absence of either observable, kinetic effects or the political palatability to declare heightened conflict distort the nature of the digital domain and send mixed signals. Physical effects will not always be the minimum threshold for defining war, but they are the prevailing standard in most jurisdictions today.

Likewise, repeated analogies to historical acts of war are not just often ill-conceived; they also distract us from the more likely threats, such as subtle data manipulation and targeted anti-integrity attacks against industrial control systems, which have already cost companies millions of dollars to recover from and put people's safety at risk. And calling certain operations an "attack" when the actors intentionally refrained from pulling the trigger grants them domestic and international license to dismiss evidence as propaganda and continue to grow their access into our most critical networks.

Lastly, short of war, cyber activities almost always benefit the aggressor because their behavior is ungoverned by international law or diplomatic norms. Some technology executives representing the likes of Microsoft, Facebook, and Cisco recently called for a Cyber Geneva Convention to protect "innocent citizens and enterprises" from this gray area. We don't need a new charter, but we must adapt the existing one to account for sub-war activities in cyberspace that hold nonmilitary targets, and therefore civilians, at risk. In this regard, tech companies, not government appointees, must be our most vocal and active ambassadors.

We're not at cyber war, but a sub-war battle is raging. Industry, government, and civilization as a whole must work together to reverse this norm.


Dave Weinstein is the vice president of threat research at Claroty and a non-resident fellow at New America. Prior to joining Claroty, he was the chief technology officer of New Jersey, where he served in the governor's cabinet and was responsible for delivering and ...
Comments
MigoKedem,
User Rank: Author
10/8/2018 | 11:53:29 AM
Interesting piece
Although cyber risk can cause real harm (how many lives were impacted by WannaCry affecting the NHS for days?), there is a tendency to over-market the risks we are facing.