At a glance.
- India's Defense Staff Chief talks about offensive cyber capabilities he'd rather not talk about.
- Cyber conflict as the new normal.
- Deterrence, patience, and the range of responses to cyberespionage.
- Leaked versions of a pending US cybersecurity Executive Order draw ho-hum reviews.
India prepares offensive cyber capabilities (but would rather not talk about them too much).
The Times of India reports that General Bipin Rawat, Chief of India’s Defence Staff, said yesterday that the country was working to counter the cyber threat from China, and that India was itself developing offensive capabilities in response to that threat. “What we are trying to do is to ensure cyber-defence. We have, therefore, created a tri-service Cyber Defense Agency, to ensure that even if we come under a cyber attack, the downtime and effect doesn’t last long,” the general said. He was disinclined to discuss projected offensive capabilities, but he did say that India “was somewhere there.” He hopes to be able to turn India’s strong private sector IT capabilities to use in developing a full-spectrum defense against multidomain attacks.
The routinization of cyber conflict.
Bromium’s study “Nation States, Cyberconflict, and the Web of Profit,” written by University of Surrey lecturer Mike McGuire and sponsored by HP, says nation state attacks are growing in variety, frequency, and boldness. A one-hundred-percent increase in “significant” incidents over the past four years has brought the world closer than ever “to a point of ‘advanced cyberconflict.’” Leading targets are enterprise, cyber defense, and media/communications, closely followed by government agencies and critical infrastructure. Supply chain attacks are on the rise, and almost half of targeted assets have a physical element.
Industry experts draw attention to the “increasingly complex structures that intersect with the underground cybercrime economy.” Coronavirus research was attacked with tools likely developed by criminal networks, an example of how states both benefit from and fuel the cybercrime market. Roughly ten percent of black market purchases are made by middlemen, and countries are apparently stockpiling zero-days. Nation state tools also wind up on the dark web. Most experts think countries are profiting from cybercrime, and a smaller majority believes countries are recruiting more criminals.
On the bright side, nation states appear to be more interested in “listening than stealing”: half of all the tools studied were intended for spying, fifteen percent facilitated staging, fourteen percent were designed to cause harm, and eight percent enabled data exfiltration. Twenty percent of attacks used specialized tools, while fifty percent used ordinary dark web wares.
McGuire warns of the coming of second generation weapons, such as Boomerang malware, deepfakes, and evil chatbots, that leverage advanced computing and AI technologies. “Cybercrime economies are shaping the character of nation state conflicts,” he cautions.
The scope of cyberespionage and the range of possible responses.
The attacks by Chinese operators on vulnerable Microsoft Exchange Server instances appear, the Wall Street Journal says, to have been long under preparation. In particular, investigators are leaning toward a theory that holds Hafnium’s operation was prepared by mining “troves of personal information acquired beforehand.” That would explain the surprising speed with which the compromise progressed. It also revives concerns about the effects of past Chinese collection of personal data in such breaches as those at the US Office of Personnel Management, Marriott, and Equifax.
“We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks,” the Journal quotes US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger as saying. “Their potential ability to operationalize that information at scale is a significant concern,” she adds.
Another point worth considering in relation to Hafnium’s operation is the value that even older personal data can have, especially when it’s in the hands of a patient and well-resourced intelligence service.
In any case, the incident points out that cyberespionage is now a well-established fixture of competition among nation-states. Meg King, Director of the Science and Technology Innovation Program at The Wilson Center in Washington, DC, commented that a contrasting look at Holiday Bear and Hafnium suggests that the former may have been inhibited by deterrence. The latter, not so much:
"Cyber espionage is here to stay. In the absence of international norms in cyberspace, establishing consequences for cyber operations like SolarWinds and Microsoft Exchange will be critical if we want adversaries to recalibrate both the scale and scope of their attacks on our networks and achieve even the slightest deterrence for future intrusions.
"The limited scope of Russia’s attack in comparison with China’s - which left major software vulnerabilities available to be exploited extensively by criminal actors - may suggest some previously limited deterrence measures have worked."
Leaked versions of US Executive Order on cybersecurity draw tepid reviews.
CSO Online says industry experts are doubtful that President Biden’s cybersecurity Executive Order will address the nation’s most pressing cyber needs. Some worry that reporting and build requirements will be overly burdensome, especially given the high rate of false positives, and will draw focus from designing for security and coding securely.
Others argue that while incident disclosure and security policies are important, they need to build off prior work, taking into account past failures. The focus on routine measures also risks overlooking emerging technologies like cloud infrastructures and neglecting innovative approaches. Some see detecting adversary incursion, for example, as more important than cataloguing vulnerabilities. Regulating for historical breaches might not address novel threats.
Prevailion CEO Karim Hijazi says the Cybersecurity and Infrastructure Security Agency’s handling of Holiday Bear didn’t inspire a lot of confidence, and, “At this stage of the game, you’re asking the same people to dust off the same playbook over and over again,” when “fresh blood” is needed.