Cyberattacks: Contests or War?

I think that one of the major unresolved issues in cyberspace is differentiating between competitive activities and cyberwarfare. In a March 17, 2021 post on Security Boulevard titled “Winning the Cybersecurity Contest,” Charles Kolodgy states that “Cybersecurity is a competitive endeavor.” Indeed, it is. But it is important to distinguish between contests and war. Contests are regularly performed by hackers looking for personal gain. Wars are invoked by terrorists, nation states and those working for nation states in order to disrupt and/or destroy another country’s critical infrastructure and/or political processes. It is a matter of calling out the differences between adversaries (or competitors) and enemies. And the difference is governed by who did what to whom for what purpose regardless of the intent.

A ransomware attack, supposedly facilitated by DarkSide, a Ransomware-as-a-Service (RaaS) setup, resulted in Colonial Pipeline shutting down its supply chain that provides some 45 percent of the energy (gasoline, diesel oil, aircraft fuel, natural gas) to the southeast and eastern side of the United States. This was despite Colonial having reportedly paid around $4.4 million in ransom. Colonial claimed that shutting down the pipelines was “proactive,” although it appears to be somewhat reactive to me. What was interesting to note was DarkSide’s disingenuous assertion that it did not intend to cause any disruptions or harm to society—merely to pick up the ransom money. There was still significant government and law enforcement intervention, regardless of the intent. Indeed, causing the pipelines to go offline might be construed as an act of war with serious consequences, whereas a mere greedy play for money is not usually so considered, even if the funds are used by terrorists or nation-state enemies.

The reactions of Colonial to the cyberattack and the subsequent denials by DarkSide of a desire to cause infrastructure damage both suggest a far more sinister situation—one that is of deep concern. And that is the possible inadvertent invoking of a cyberpandemic—an unintended, uncontrollable spreading of destructive software that could take down much, if not all, of the Internet or cause victims to react in ways that take down critical infrastructure.

Industrial espionage may be criminal but is not usually considered an act of war, whereas espionage to gain military secrets or disrupt democratic processes is, and should be dealt with as such.

Which brings us to the importance of how we describe these actors. If they are competitors or adversaries, then their actions might be legal if they are merely accessing open-source information or illegal if the means of accessing the data is unlawful. The response should follow legal processes if possible. Sanctions or similar methods might be applied. If they are enemies, then attempts to disrupt or destroy might be met with retaliatory and/or deterrent actions. As long as we have difficulty in categorizing particular activities, we will continue to be restrained from acting or responding appropriately. But first, we must call out the crime. And we should not understate the seriousness of the crime by calling it something less abrasive.

On March 16, 2021, the National Intelligence Council published a declassified report assessing “Foreign Threats to the 2020 US Federal Elections,” available at ICA-declass-16MAR21.pdf (dni.gov). The report describes hostile actions by Russia and Iran which may be construed to have been acts of war by enemies. That China contemplated such actions, but apparently did not invoke them, was adversarial thinking, bordering on acts of war but seemingly not crossing the line. This would make China an adversary, but not an enemy. Let’s hope that everyone keeps it that way.

Until and unless we have a realistic means to distinguish between cyber contests and warfare, we will continue to see devastating attacks against which there are few, if any, deterrents. That is no way to proceed.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2021/06/07/cyberattacks-contests-or-war/?utm_source=rss&utm_medium=rss&utm_campaign=cyberattacks-contests-or-war