The history of warfare has been an interesting one. For millennia humans have confronted humans over disputes of land, religion, sovereignty, and more. As technology has evolved, so has our ability to create new and increasingly more devastating weaponry. From the spear to nuclear weapons, humans have invested heavily in both their offense and defense all in the name of “security.” The modern era is no different, however now that billions of people in every country are instantly connected thanks to the Internet, the rules of warfare have once again changed. With the rise of cyberwarfare, conflicts are conducted thousands of miles apart – critical sectors of a nation can be crippled with some deft code.
Last week, President Biden met with Russian President Vladimir Putin in Geneva, Switzerland for the G7 Summit. During this less than four-hour meeting, President Biden warned President Putin that the sixteen critical infrastructure sectors of the United States are officially off-limits to state-sponsored cyber-attacks. If Russia meddled in these crucial sectors, Biden warned, the United States would respond in kind. While the sentiment was appropriate and the message clear, this communication will essentially amount to the “same as it ever was” and offer no real change.
Despite Biden’s warning, the reality remains that Russia is fighting an asymmetrical cyberwar. The United States, with its large population and vast internet infrastructure, is a target-rich environment for all kinds of criminal and state-sponsored attackers to hit. Despite Russia’s geographical size, Russia has less than half the population and much less technical infrastructure to attack. Their primary economic driver is petroleum, and by all accounts, the technology running their largest companies is outdated compared to larger petroleum players in the world.
However, this last point is a double-edged sword in that while Russia has a much smaller surface area to attack it also means that Russia could be affected more deeply by a cyber-attack on its oil infrastructure. Any attack by the U.S. on said infrastructure may require escalation and retaliation on their part. This puts the United States in a tough position when picking significant but also less damaging targets to hit as a response to a cyber-attack.
The issue of nation-states hacking each other is years old at this point. Virtually every country with cyber capabilities is participating in at least the surveillance side of this equation. In other words, they’re not disrupting the critical operations of another country, but they are eavesdropping on state officials and even presidents and prime ministers.
The United States was famously caught surveilling German Chancellor Angela Merkel’s phones. The United Arab Emirates using a cyber-tool known as Karma to break into the iPhones of the Emir of Qatar, senior Turkish officials, and even a Nobel Peace laureate. In the world of cyber-attacks, Israel and the United States hit Iran’s secret nuclear weapons production facility with a virus known as Stuxnet that brought down the entire weapons project. Russia hit a power plant in Ukraine and knocked out power to 80,000 Ukrainians. They then hit the local phone infrastructure effectively making that population deaf and blind in what many analysts considered a test of their cyberwar tactics and capability.
In 2019, twenty-seven countries signed a U.N.-backed joint agreement on what is considered legal and illegal when it comes to attacks and surveillance in cyberspace. The two countries that conspicuously didn’t sign this treaty were Russia and China. Are the words of President Biden really going to ring true to President Putin?
Another concerning point is cyber warfare can be waged on multiple fronts. Outside of the cyber-attacks against critical infrastructure and the surveillance of government officials, is the online information warfare campaigns that continue to leverage open internet platforms like Facebook. The world saw in 2016 a massive disinformation advertising campaign hit the United States on Facebook from Russia’s Internet Research Agency that helped to drive a deep wedge into the electorate. President Putin has reportedly had a direct hand in overseeing this disinformation campaign. This isn’t in doubt either, anyone can download and read the ads here. President Biden’s remarks about cyber-attacks failed to cover this topic in any real way. Disinformation campaigns can be devastating to society as its intentions, in this case, seem to be to pit Americans against each other.
While President Biden drew a line in the sand on the sixteen critical infrastructure sectors of the United States that should be exempted from cyber-attack, the statement itself was rather vague in scope and carried an unquantifiable amount of weight to it.
First, it is impossible for a nation-state to actively police cyber-criminals and stop them in real-time from launching attacks. Recently, the United States went through a national panic as Colonial Pipeline’s billing system was hit by the Russian-based DarkSide ransomware gang. During that crisis, President Biden publicly did not blame the Russian government for the attack but held them accountable for essentially giving safe harbor to cyber-criminal gangs like DarkSide. No country, including the United States, is immune from these gangs using their internet infrastructure to level attacks against virtually any target they wish. Virtually all policing for cyber-attacks is retroactive by default which lessens this new statement by the president.
Secondly, the sixteen critical infrastructure sectors compromise millions of private companies. The level of criticality of each company varies in its size and scope and service to the federal government. The Defense Industrial Base, for example, is over 100,000 companies (300,000 if you count subcontractors) and they do everything from manufacture battleships to treating the metal for the battleship to making common parts that the general public could also purchase at a local home improvement store. While there really wasn’t a way for President Biden to be granular in a blanket statement like that, those sectors encompass way too much of the U.S. economy to draw a line for. What happens when another Russian-based cyber-criminal gang attacks what the U.S. considered critical infrastructure but had almost zero impact on the functionality of the nation? That’s a serious question that needs answering by the administration.
Finally, cyberwarfare is Russia’s best bet to try and keep pace with nations like the United States because it’s cheap to do. Economists will argue that one of the core reasons that the Soviet Union fell was that they went bankrupt trying to keep up with the spending that the United States was doing during the Cold War. Russia today has a smaller GDP than Italy despite its size and a sagging infrastructure that is supporting its petroleum production. Outside of their aging nuclear arsenal, they’re trying to modernize, their military is no condition to fight an actual war against the most funded military on the planet. Cyberwarfare, though, puts them on essentially an equal playing field with larger nations. Without firing a shot, they can bring down critical infrastructure, sew discord within a population and shift the politics of countries all without having to leave their borders. They have been doing this for years to multiple countries as I outlined in an older article I wrote in 2018 entitled “Cutting Through The ‘Fake News:’ Proof That Russia Is Hacking Everyone.” For President Putin to give up what is essentially his best advantage on the world stage is laughable at best given the history of this situation.
So, what can a country like the United States do about this? Shutting down the free and open internet cannot be the answer as both commerce and the economy would be seriously harmed, not to mention the cries of censorship by the general population. In this case, the old axiom of the best defense being good offense is somewhat turned around. Critical sectors of the United States, for years, have had compliance standards for cybersecurity that they have essentially paid lip service to. Corporations could self-attest that they were indeed implementing good security controls to mitigate cyber-attacks. Studies have shown that many are essentially ignoring these standards and only held accountable after a data breach thanks to their poor choices.
Fortunately, one critical sector, Defense, has now created a standard for compliance for cybersecurity that requires certification. The Cybersecurity Maturity Model Certification (CMMC) is soon to be required by all companies that work in the Defense Industrial Base and handle sensitive materials. This new standard is starting to be adopted by other federal agencies but should be pushed out and required for all critical sectors of the United States. This requirement alone would vastly mitigate events like cyber-attacks and ransomware attacks by making it significantly harder to break into companies and organizations. Also, the U.S. government needs to come up with a quantifiable and public retaliatory standard for cyber-attacks that are confirmed to be sponsored by other nations. Specific targets don’t need to be listed, however a public understanding that knocking out something like the world’s largest meat supplier will be met with steep consequences on the world stage. That will help deter these attacks, providing those standards are enforced.
President Biden, or any U.S. president for that matter, faces an uphill battle when dealing with Russia’s best equalizing weapon. No longer does the world tremble at the sound of Russian rockets, we tremble at the sound of a keyboard.
Nick Espinosa
Nick is the founder and CEO of Security Fantatics, the Cybersecurity/Cyberwarfare division of BSSi2dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition and a board member of Bits N’ Bytes Cybersecurity Education as well as Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA certified curriculum that will help the Cybersecurity/Cyberwarfare community to keep defending our government, people and corporations from Cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles which are published on forbes.com as well as smerconish.com.