A portion of a city model glows red indicating a cyber threat to infrastructure at the DarkMatter booth during the Black Hat information security conference in Las Vegas, Nevada, July 26, 2017

commentary

(Inside Sources)

June 24, 2019

Fighting and Winning the Undeclared Cyber War


Photo by Steve Marcus/Reuters

by Isaac R. Porche III

“War is no longer declared,” says Austrian poet Ingeborg Bachmann: cyber warfare is transforming this line of poetry into reality.

American cities are battling cyber-criminals and nefarious foreign actors on a daily basis. The past month has witnessed a barrage of cyber-attacks against city government assets in Baltimore. The attacks were orchestrated by cyber-extortionists who took advantage of outdated software security mechanisms to freeze thousands of computers and basic communication functions, resulting in disruption of several key municipal operations.

While the hackers behind this operation remain unidentified, these same vulnerabilities represent an open door for nation-state cyber-attacks on state, federal and national infrastructure. In the current environment, the homeland is easy picking for even novice hackers, let alone nation-state actors.

In many ways, nation-state cyber-wars are already well underway. The lack of established international norms means that many cyber-attacks fall into a gray area below the threshold of total war. By exploiting this uncertainty, nation-state actors, such as Russia, Iran and China, continue to pose serious risks to U.S. national security, including threats to critical infrastructure (CI) assets that support transportation, food delivery, utilities and commerce in general.

Losing water or power for even a short while can cause a shock to people's sense of security. Furthermore, any real or perceived tampering with the nation's electoral process could be equally shattering to Americans' sense of freedom.

The U.S. government has been faced with the need to implement a sustainable cybersecurity strategy to ensure national security objectives amid the ever-changing landscape of cyberwarfare. Three questions remain at the focus of this discussion: Who are the primary threat actors in this arena? Why are CI assets increasingly susceptible to attack? What actions or policies can the U.S. execute to achieve more comprehensive security in this area?

Russian cyber-attacks would appear to represent the paramount threat to U.S. critical infrastructure. Russian hacking operations have included major components of cyberwarfare activities, including cyber espionage and influence operations. Some of these hacking units have operated as a function of Russia's Federal Security Service while others have been backed by the Russian military intelligence agency, the GRU.


As reported by DHS and the FBI, the Russian government has executed deliberate intrusions into U.S. CI since at least 2011. These systems have not only included government entities and energy infrastructure but also commercial facilities, water resource plants and aviation institutions.

Deep within Russia's cyberwarfare apparatus is an organization known as Unit 26165. The unit is a specialized group within the GRU's signals intelligence arm. The organization is dedicated to actively targeting military, political, governmental and non-governmental organizations with “spear-phishing” emails and other computer intrusion attacks. Agents in Unit 26165 have operated internationally, conducting hacking operations through methods such as onsite attacks against the Wi-Fi networks of target organizations.

As indicated by the Mueller Report, significant effects can be felt with even small-scale nefarious activity. In 2017, the Department of Homeland Security announced that 21 states had been targeted by Russian efforts to hack their election systems in 2016. In seven of these states, Russian hackers gained access to systems that granted the ability to change and delete voter registration data.

In July 2018, Mueller indicted 12 Russian military intelligence officers from the GRU for breaking into the Democratic National Committee's email servers, stealing information and leaking it through special online sites as well as through WikiLeaks. In April 2019, FBI Director Christopher Wray spoke to the “significant counterintelligence threat” posed by the potential Russian interference in the 2020 U.S. elections. These hacks, combined with social media influence operations of the Russian company Internet Research Agency, have posed a persistent threat to the American democratic process.

Russian hacking operations also have capitalized on vulnerabilities in U.S. cyber defenses in power plants. In many plants, physical and manual control systems have been upgraded to electronic operating systems and IT has been incorporated into all processes. Once IT is adopted in a system, it can be a struggle to stay current and maintain the latest IT with up-to-date security.

As seen in Baltimore, this deficiency is certainly found in municipal IT systems used to sustain governance. For the sake of efficiency, many infrastructure facilities, like water treatment plants, can now be operated remotely via the internet. As this Internet of Things continues to expand within industrial control sectors, the attack surface for nefarious actors has exponentially grown. While many CI organizations have leveraged new technology and connectivity solutions to increase operational efficiency, basic cybersecurity protections such as firewalls and intrusion detection systems have not been effectively prioritized and integrated in many cases.

The DHS Industrial Control Systems Cyber Emergency Response Team highlights three primary cybersecurity vulnerabilities that have been exploited in attacks against domestic CI.

The first vulnerability is found in the lack of effective software security. Many CI systems lack the necessary degree of secure software design and coding practices, resulting in “man-in-the-middle” attacks, unvalidated user inputs, and information leakage through vulnerable custom CI web services.

The second vulnerability is found in the improper configuration and maintenance of operating systems. When IT security personnel fail to deliver needed patches for operating systems or neglect the correct security options, systems become more vulnerable to malicious actors. Furthermore, the use of weak and default passwords as well as over-privileged users can result in compromised access and agent intrusion.

The third vulnerability is found within network security. By leaving network connections open or failing to effectively implement network segmentation within the expanding Internet of Things, CI information systems have built up larger attack surfaces and more easily fallen prey to hackers. Additionally, weak enforcement of remote login policies creates significant vulnerabilities that can be exploited by hackers who seek to gain access to a user connection over an unsecured network, such as an open Wi-Fi hotspot.

Recently, at the Georgetown University Cybersecurity Law Institute, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs spoke to the DHS priority of safeguarding industrial control systems against cyberthreats. He called domestic CI information technology infrastructure the “real frontier” in the cyber-threat environment. Gaining a stronger footing within CI cybersecurity could depend on an assessment and achieved understanding of the systemic risks and capability gaps. Given the substantial security, economic, and social implications of compromised CI, protecting from and responding to relevant cyber threats remain key priorities for both U.S. policymakers and intelligence agencies.

If the problems above seem overwhelming, that is because the outlook is indeed poor from a purely defensive standpoint. Offensive cyber operations maintain the advantage over (largely) defensive operations due to the element of surprise and the pace of technological refresh that continues to create new backdoors. However, as described in a recent New York Times article, the United States is now actively responding to Russia's incursion on U.S. CI with its own attacks on Russian power plants. As famed political scientist Robert Axelrod might argue, this is tit-for-tat, and could actually be effective in theory.

The DHS has offered sound guidance toward development of a more robust cybersecurity strategy for the homeland that focuses on better defenses. Specifically, DHS has proposed that the United States seek to build deeper partnerships with industry to foster an aligned cybersecurity ecosystem. This partnership could enable more effective collaboration and information sharing.

Additionally, DHS has encouraged the accelerated use of innovative and emerging technologies such as artificial intelligence and machine learning, with an eye toward protecting CI. Furthermore, DHS has determined that the effects of cyber-attacks against CI could be better mitigated through the creation of comprehensive playbooks to unify government actions across defense, homeland security, law enforcement, intelligence and state agencies. This could drive uniformity in action across the national security enterprise for defensive measures.

This is all good. But for today's undeclared (but hot) cyber war with Russia, assertive and active offensive operations (along with enhanced defensive actions) could be one way for the United States to fight back smartly and win.


Isaac Porche is a senior engineer at the nonprofit, nonpartisan RAND Corporation.

This commentary originally appeared on Inside Sources on June 23, 2019. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.