Cyber as Statecraft
As organizers prepared to kick off the 2018 Winter Olympics with an opening ceremony in Pyeongchang, South Korea, featuring performers and thousands of athletes from around the world, security personnel were also hard at work behind the scenes.
Specifically, the cybersecurity team, which was responding to a cyberattack that would ultimately cause the official Winter Olympics website to be taken offline and disrupt TV and Internet systems for 12 hours.
The cyber team was able to mitigate and eventually stop the attack, which Cisco's Talos Intelligence blog assessed was designed to disrupt one of the most globally anticipated events of the year. "During destructive attacks like these there often has to be a thought given to the nature of the attack," according to Talos' analysis. "Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony."
A post-incident investigation would later claim that Russia was behind the cyberattack, which was designed to appear to originate in North Korea. Some speculated that Russia targeted the Olympics because it was banned from participating in the 2018 games due to a major doping scandal involving its athletes and drug testing facilities.
The hack demonstrates a new threat era where world powers are increasingly using cyber means to further their goals or punish others for their actions. "The use of cyberattacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks," said U.S. Director of National Intelligence Daniel R. Coats in the annual Worldwide Threat Assessment of the U.S. Intelligence Community. "Russia, Iran, and North Korea, however, are testing more aggressive cyberattacks that pose growing threats to the United States and U.S. partners."
The assessment found that the "risk of interstate conflict" is now higher than at any time since the end of the Cold War, and that actors will use any means necessary—including cyber—to influence and shape outcomes.
"The risk is growing that some adversaries will conduct cyberattacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war," Coats wrote.
Adversaries that pose the greatest risk to the United States and its allies on the cyber front are Russia, China, Iran, and North Korea.
"These states are using cyber operations as a low-cost tool of statecraft, and we assess that they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations," according to Coats' analysis.
Russia. At the forefront of the intelligence community's list is Russia, which Coats said would likely conduct "bolder and more disruptive" cyber operations in 2018, using Ukraine as a testing ground.
The intelligence community has also expressed concern about Russia's efforts to influence or interfere with elections in the United States, France, Germany, and the United Kingdom. In a hearing before the U.S. Senate Intelligence Committee, all six U.S. intelligence agencies said they view Russia as a threat to the 2018 midterm elections.
"We have seen Russian activity and intentions to have an impact on the next election cycle," said CIA Director Mike Pompeo in his testimony, and Coats added that he has not seen a change in Russia's behavior since the 2016 election cycle when it engaged in a social media influence campaign (See Security Management "Cyber War Games," April 2017).
Following the U.S. presidential election in 2016, France and Germany saw Russia engage in similar social media efforts in an attempt to influence the outcomes of their elections.
Despite this threat, U.S. President Donald Trump has not directed National Security Agency (NSA) and Cyber Command Director Admiral Mike Rogers to prevent these kinds of attacks. However, some agencies have begun working in that direction. "Based on the authority that I have as a commander, I've directed the national mission force to begin some specific work…using the authorities I retain as a mission commander in this space," Rogers said, adding that he could only go into more detail in a classified setting.
In addition to its activity around elections, Coats also said Russia is likely to continue its activities in Ukraine, including disrupting its energy-distribution networks, hack-and-leak influence operations, distributed denial of service attacks, and false flag operations.
"In the next year, Russian intelligence and security services will continue to probe U.S. and allied critical infrastructures, as well as target the United States, NATO, and allies for insights into U.S. policy," Coats said in his assessment.
China. Along with the threat from Russia, Coats also said that China will likely use cyber espionage to support its national security priorities.
"Most detected Chinese cyber operations against U.S. private industry are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide," Coats wrote. "China since 2015 has been advancing its cyber attack capabilities by integrating its military cyberattack and espionage resources in the Strategic Support Force (SSF), which it established in 2015."
While many details about the SSF are unknown, research by the RAND Corporation found that it was designed to integrate China's space program and cyber and electronic warfare capabilities.
"…the creation of the SSF suggests that information warfare, including space warfare, long identified by [China's] analysts as a critical element of future military operations, appears to have entered a new phase of development…one in which an emphasis on space and information warfare, long-range precision strikes, and the requirements associated with conducting operations at greater distances from China has necessitated the establishment of a new and different type of organization," it said in its recent report, The Creation of the PLA Strategic Support Force and Its Implications for Chinese Military Space Operations.
Iran. While Iran has not been publicly linked to any major cyberattacks, the U.S. intelligence community predicts that it will continue to engage in cyber activity. Specifically, Coats' assessment said Iran will focus on penetrating U.S. and allied networks to position itself for future attacks.
"Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran's recent restraint from conducting cyberattacks on the United States or Western allies," Coats wrote. "Iran's cyberattacks against Saudi Arabia in late 2016 and 2017 involved data deletion on dozens of networks across government and the private sector."
Those attacks, for instance, were on Saudi Aramco and used malware to manipulate corporate safety systems and cause physical damage to company sites, according to analysis by cyber firm FireEye.
"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors," FireEye said in a blog post about the incident. "Intrusions of this nature do not necessarily indicate an immediate threat to disrupt targeted systems and may be preparation for a contingency."
North Korea. As of Security Management's press time, U.S. President Trump had agreed to meet with North Korean Leader Kim Jong-un to discuss denuclearization efforts. However, the intelligence community continues to view the North Korean regime as a threat.
In its analysis, it said that North Korea would likely use cyber means to raise funds and gather intelligence, or launch attacks on South Korea and the United States.
For instance, several nations—including the United States—have accused North Korea of developing and launching the WannaCry ransomware attack that spread across the globe, hitting scores of organizations and the healthcare sector.
"Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware," Coats said in his analysis.
Other actors. Along with nation-state actors, Coats also expressed concerns about terrorist groups using cyber means to organize, recruit, spread propaganda, raise money, and coordinate operations.
"Given their current capabilities, cyber operations by terrorist groups most likely would result in personally identifiable information disclosures, website defacements, and denial-of-service attacks against poorly protected networks," Coats said.
Additionally, Coats said that criminals will continue to provide services for hire to enable cybercrime. One recent example of this was Russia's tactic of hiring threat actors to act as trolls to spread propaganda on social media in an effort to influence Western elections.
"We expect the line between criminal and nation-state activity to become increasingly blurred as states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations," declared Coats in the threat assessment.