Katie Moussouris about cyberespionage: it is getting a lot muddier
Foes like Russia now use cyber tools not purely for cyber espionage but also exploit the access gained down the road for financial, law-enforcement, and any other advantage they have in mind. Defensive capabilities will not catch up with the offensive capabilities of our adversaries, and deterrence is the way forward to keep enemies at bay.
It is quite tricky to parse out whether a cyberattack, such as SolarWinds, is an act of espionage or cyberwar.
“The SolarWinds attack is different. It is probably not as clean-cut that it is just pure espionage. We have seen quite a few espionage exploitations. The most prominent one is the OPM hack by the Chinese. We saw the other side of the spectrum too relatively clearly when Russia attacked either the financial infrastructure in the Baltics or the grid in Ukraine. These are closer to cyberwarfare,” Lieutenant Colonel Alexander S. Vindman, a Pritzker Military Fellow at Lawfare, said during the Collision tech conference.
The potential damage of cyberattacks goes beyond the domain of purely acquiring information for espionage purposes.
“Oftentimes, there are stay-behind programs left in the system that are either for backdoors or for exploitation. It moves us away from standard espionage practices to something that potentially takes us into the cyberwar framework. It is becoming less and less clear as the size and scale of these attacks increase,” he said.
Katie Moussouris, hacker and founder of Luta Security, agreed that it is getting a lot muddier. She describes the current situation with a term borrowed from the American diplomat Chris Painter: cyber-rattling (derived from sabre-rattling, the display or threat of military force). She worries about “too extreme reactions” to cyber incidents.
“We are trying to come up with reasonable, appropriate responses that ideally would formulate some deterrence to our adversaries. We should shy away from overreacting, keeping in mind that some elements of cyber-rattling are potentially necessary for signaling to our adversaries. But we just cannot get carried away with it,” she said.
The unsettling thing is that neither the private nor the public sector was able to detect the SolarWinds attack for months. Even the best players in the private industry, such as FireEye, which reported being compromised, failed to notice the intrusion early.
“The adversary has been present in their network for months before they were able to detect it. And they are built to detect this kind of thing,” she said.
Vindman reckons that American defensive capabilities will not catch up with the offensive capabilities of our adversaries. Therefore, we need to employ the developed theories of deterrence.
“There is an element of concern over the fact that these exploits are increasing in scale and size, and we need to set the conditions for our own potentially offensive actions so that we can establish that deterrence framework. That is likely what needs to happen to deter these adversaries from pursuing these types of attacks,” he said.
When the US conducts its cyber operations, they tend to be more precise and have limited objectives and aims. Adversaries like Russia, on the contrary, are not so specific or limited in their aims.
“There were financial benefits, security services, law-enforcement benefits, there is a whole range of different things,” Vindman said.
Kim Zetter, the author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, argued that there is a temptation to use the information you gathered to influence the actions of adversaries.
“Even Stuxnet began as an espionage operation. The US wanted to gain intelligence about how Iran was enriching uranium, what kinds of equipment it was using, what computer systems could be attacked in that. It started absolutely with no intention of conducting sabotage. Then someone got the idea that if we have this information, let's see if we can retard the further enrichment of uranium,” she said.
Cyberspace, according to Vindman, should be viewed and valued in the global context, rather than disaggregated from everything else that is going on on the global stage.
“We should be considering leveraging our alliances, so multilateralism. Making sure that we are on the same page with our closest allies that have firmly robust capabilities to understand the threat environment, and set up clear guidelines on what constitutes an attack, and what is espionage,” Vindman said.
As for deterrence tactics, they could be applied symmetrically, within the cyber domain, or asymmetrically, for example through sanctions.
“That gets us closer to avoiding cyber-attacks because we know that it could be potentially catastrophic.”
Moussouris sees a need for international efforts, norms, and laws in cyberspace. She cited the Tallinn Manual as a good example of such efforts. The Tallinn Manual is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare.
“We are completely outgunned in the defense realm,” she concluded.