Pipelines and politics – Critical infrastructure and governmental systems are increasingly under attack from hackers. Oftentimes the hackers are paid by governments. To withstand the attacks, agencies are relying on artificial intelligence, coordination – and concepts from other crises in history.
The attackers were patient. By autumn 2019 they had made initial inroads into the computer system of SolarWinds, a US company that develops software used by big companies and organizations to administer and coordinate their own IT systems. With each update, the malware got closer and closer to those customers. It remained undetected for quite a while. It wasn't until shortly before Christmas in 2020 that the hackers were uncovered. By that time they had long since infiltrated several US governmental agencies, including the National Nuclear Security Administration.
People were horrified. The US initially retaliated verbally. Then-secretary of state Mike Pompeo quickly blamed hackers with connections to the Russian government for the cyber attacks. His boss Donald Trump resisted, but the new administration under US President Joe Biden doubled down and reacted in April of this year – with conventional diplomacy. Ten Russian diplomats were expelled, and sanctions were imposed on six Russian citizens.
This example shows that the digital war is first and foremost a cold one – and usually a silent one. In secret, hackers first gain access to the computer systems of governments, agencies or core infrastructure. Then they have numerous options. Some are content to read and tap into information; others waste no time in encrypting essential data. But time and again, remote actors have been known to illicitly press the “off” button. When that happens, digital attacks result in concrete damage, like the Stuxnet malware that destroyed the Iranian nuclear processing plants in 2010. Or the BlackEnergy hacker consortium that brought down the Ukrainian electricity network in 2015 and 2016.
The borders of national defense are dissolving in the digital age
Countries know the potential danger of hacker attacks. According to the European Commission, “There is no longer a distinction between online and offline threats; digital and physical (risks) are now inextricably intertwined.” Governments and military authorities worldwide are faced with a challenge of creating and implementing an effective virtual defense strategy. “There are no physical borders in cyberspace, which makes it much more difficult to enforce existing rules of international law,” says Thomas Reinhold, research associate at the Chair of Science and Technology for Peace and Security at the Technical University of Darmstadt.
If an enemy aircraft penetrates just a few meters into a country’s airspace, governments send up interceptors. In the digital realm, it’s much more difficult even to identify the enemy in the first place. Most attackers function rather like guerrilla forces. Experts are convinced that national governments are financing, supporting and directing hackers. But all governments officially deny any connection. A study by criminologist Mike McGuire from the University of Surrey registered more than 200 cyber attacks since 2009 that directly or indirectly involved governments, most of them within the past three years.
For example, the Russian military intelligence agency is said to control a force known by such names as Sofacy Group, APT28 and Fancy Bear, which have been behind numerous attacks on US computer systems. North Korea has hundreds of state hackers at its disposal in the form of “Office 121,” which, among other things, allegedly tried to obtain vaccine data from the pharmaceutical company Pfizer in the spring. Also this spring, Amnesty International sharply criticized the Vietnamese government, accusing the “Ocean Lotus” group with connections to Hanoi of attacking the websites and social media profiles of human rights activists. Instead of billion-dollar arms programs, all it takes for targeted attacks are relatively small, digital troops. “Even smaller countries that can’t afford an effective army can get involved this way,” Reinhold says.
Complex coordination to counter cyber attacks
To be sure, countries are by no means powerless. But the strategies they are employing in the cyber wars differ greatly. The USA, for example, has for many years explicitly relied on the “defend forward” concept – in other words, proactive defense. In cyberspace, that means the military seeks out and independently creates access to relevant IT systems. On the one hand, this enables the US to take action against nations or groups of states. But it also allows the US to establish a threat in the virtual environment. “You can’t credibly assure others that you can turn the lights off on the attackers unless you’re already inside the systems yourself,” says Reinhold, who is critical of the American concept of deterrence.
The European Commission is focusing primarily on defense. Last December it announced plans for a new cyber security strategy. New guidelines are intended to specify a higher level of protection for hospitals, energy networks, and government data centers. With the help of artificial intelligence, it also aims to establish a “cyber protection shield” capable of identifying deviating, suspicious activity at an earlier stage. A new competence center will soon be established in Bucharest.
One step down in the international hierarchy, individual countries are establishing their own lines of defense. This February, France announced its “1-billion-euro plan for cyber security.” The money is intended to help build up government structures as well as finance start-ups in the area of IT security. In Germany, the federal parliament passed the “IT Security Act 2.0” in early May. “Digitalization is permeating every area of life, and the pandemic has accelerated this process enormously,” said interior minister Horst Seehofer. “Our defense mechanisms and protective strategies have to keep pace – that’s precisely what the IT Security Act 2.0 is for.”
Beyond the grand strategies, however, it is clear that coordinating defenses against agile attackers presents a tremendous challenge. The New Responsibility Foundation (Stiftung Neue Verantwortung, SNV) has for many years been updating a document that lists all the relevant players in the German cybersecurity architecture. The current version has 105 pages – from the European Union Agency for Cybersecurity (ENISA) to the Hessian Cyber Competence Center (Hessen3C). In principle, this kind of complex structure is the right approach and a good basis, says Sven Herpig, head of international cyber security policy at the SNV. “However, it’s also important for agencies and companies to have a local contact person.” The levels above that can then focus on sharing experience in dealing with hackers and the gateways they use – as well as developing technical standards to seal potential attack points more securely.
Strengthen defenses instead of riding out attacks
Equally important, however, is that “the whole thing doesn't work unless the central players work effectively,” says Herpig. In the view of experts, this is not always the case in Germany. The governmental “Agency for Leap Innovations in Cybersecurity” was established just under three years ago. It has yet to launch any research projects – and in early May both the research director and the commercial director left the agency. The Cybersecurity Council advisory board also hasn’t reported any major findings. As an observer of the scene, Herpig would like to see the important bodies create an effective force, a “reasonable underpinning staffed with suitable professionals.” After all, the cyber defense center in Bonn – the cooperation hub for IT experts from the Federal Criminal Police Office, the Bundeswehr and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) – is slated to have fewer personnel in the future.
Just a few weeks ago the German Federal Intelligence Service kicked off a campaign to recruit junior staff with coding skills. They’re looking for new employees with a “License to hack.” On a fundamental level, however, the German and European plans are more strongly oriented toward defense than those of the USA, for example. “The most promising pathway is to make your own systems as secure as possible,” says computer scientist Reinhold. In an arms race to find the best ways to attack, one important resource is often missing, notwithstanding all the advertising campaigns – computer scientists and data specialists. This is because in addition to government agencies, business companies are also looking for these skilled workers – and they are not bound by the pay scales of the public sector.
For legal reasons, too, many experts tend to advocate a more defensive strategy. “Surveillance tools are not a good investment if your goal is to strengthen IT security,” Herpig warns. The Bundeswehr, for example, theoretically would have to get parliamentary approval for cyber attacks. That would be in line with the constitution – but it would also make it virtually impossible to carry out preventive digital strikes effectively. “In principle, the Bundeswehr would have to have actively infiltrated the systems and thus the soil of foreign countries even in peacetime,” Reinhold says. “This urgently requires clarification on the judicial level.” In his view, it is a fundamental problem that as soon as state actors start seeking access to foreign systems, their integrity has been compromised.
In the long term, states and organizations have not given up hope of a political solution. “The EU will further strengthen its instruments for cyber diplomacy,” the EU Commission’s draft states. However, it is not yet clear exactly how this will be implemented. One idealistic idea centers around a kind of global disarmament treaty for the digital space. “Of course, it’s difficult to capture non-state actors with this,” Reinhold admits, “but you can have hope that countries will then enforce it out of a certain self-interest.” As with other arms, this could be hedged by mutual insights into each other’s hacking arsenal – in time leading to a balance of cyber-attack capabilities.