Opinion | The Cyber Apocalypse Never Came. Heres What We Got Instead. – POLITICO

What we got was neither the unbridled promise of digital cooperation nor a fiery cyber apocalypse. Instead, todays cyber reality seems simultaneously less scary and more of a hot messa series of more frequent, less consequential attacks that add up not to a massive Hollywood disaster but rather to a vaguer sense of vulnerability. This can make it hard to understand whats going on and how bad it really is. Are all these high-visibility cyber events more of the same, or are we living through a new era of cyber warfare?

In some ways, the events of the past few months arent that surprising given the trajectory of cyber activity over the last decade. Theyre the evolution of a steady, somewhat inevitable shift toward using digital tools as a means of international statecraft and political contestation. However, what we are seeing is also subtly different from the way experts had previously thought cyber would affect the international landscape. Over the last decade, authoritarian governments have embraced digital tools and leaned on shadowy gangs of cyber criminals to do some of their dirty work, while the pandemic has made the world reliant on the internet and created a rich world of targets for those seeking money and leverage. As a result, cyberspace may be less apocalyptic than predicted, and more like a termite infestation, eating at the very foundations of our increasingly digital societies. The good news, though, is that the long-sought international consensus on appropriate uses of cyber means within foreign policy may be finally coming togetherwhich means theres hope that todays cyber disorder may eventually abate.

Its true that Russian cyber espionage, cyber criminals, Chinese intellectual property theft and private actors in cyberspace have been with us for years. Hackers affiliated with the Russian government have long used Ukraine as a testbed for hacks on critical infrastructure and governance and military capabilities, all while the Kremlin looked aside at burgeoning cyber criminal activity. Over the past few years, Xi Jinpings China has also built up its cyber capabilities, embarking on large-scale espionage hacks (like the 2015 Office of Personnel Management data exfiltration) and courting widespread economic sanctions for its illicit efforts to steal intellectual property via cyberspace.

At the same time that Russia and China became more capable and more audacious in their cyber campaigns, non-state actorswho have always played an outsize role in cyberspacewere changing the balance of power in the cyber spyware competition. Companies like the Emirati-based DarkMatter recruited talent from across the globe (including former NSA employees) to develop cutting-edge software that can track targeted users phones, monitor their communications and even geolocate them. These commercially created spyware applications were then provided to governmentsmany authoritarianto track dissidents, journalists and international leaders. Most notably, claims have been made that the assassination of Jamal Khashoggi was linked to spyware that the Israel-based NSO group provided to Saudi security officials, who purportedly used it to monitor Khashoggis movements and influence the investigation after the murder (both the Saudi government and NSO deny their involvement).

So, to an extent, Russian-linked ransomware attacks, the collective callout of China for the Microsoft hack and the revelations about the NSO group are more of the same. But theres also something new going on.

First, the geopolitical context in which cyber battles are fought has changed fundamentally. The early Obama administration was relatively restrained in cyberspace, relying on deterrence, limited sanctions and efforts to establish cyber norms through the United Nations. This approach changed under Trump, whose foreign policy adopted a zero-sum view of the world, characterized by great power competition, trade wars and transactional relationships with allies. Accordingly, the Trump administrations cyber efforts put more focus on defending forwarda more aggressive strategy that emphasizes preemptively entering adversaries networks before they launch cyber attackswhile sidelining efforts to create international consensus on cyber warfare. Meanwhile, the simultaneous rise of personalist regimes across the world ushered in a golden age for digital authoritarianism, with dictators embracing artificial intelligence, disinformation, deep fakes and hack and reveal campaigns to cement their power both domestically and in the fracturing international order.

Add to this digital tinderbox a pandemic that not only drove countries apart (physically and ideologically), but also forced them to become more digitally dependent as they turned to automation, remote work and digital bubbles to protect from the physical threat of Covid-19. As court systems, physicians, classrooms and local governance all went virtual, societies struggling with the pandemic became rich targets for cyber criminals. Ransomware attacks increased exponentially, both in scope and in economic cost.

Pandemic-induced vulnerabilities werent just lucrative cyber targets for criminals. They also created new access points for states looking to add more vulnerabilities to their cyber arsenals. Many of the critical infrastructure companies that went fully digital in response to the pandemic are also potential targets for states like North Korea or Iran that want to coerce the more militarily capable United States. The concern is that these states may use cyber vulnerabilities to attack power supplies, data centers or health and human services as the first salvo in a broader geopolitical crisis. This idea of using cyber attacks against critical infrastructure as signals to deter further escalation has been a major concern for onlookers worried that the uptick in cyber intrusions could not only create economic costs, but inadvertently escalate into violent conflictthus creating exactly the situation these cyber attacks were meant to avoid.

A more competitive geopolitical landscape, the rise of digital authoritarians and Covid-induced vulnerability have helped create a final trend: the blurred line between state and non-state actions in cyberspace. Authoritarian governments have looked aside (sometimes purposefully) as groups of cyber criminals with loose or unclear ties to the state became cyber headliners. North Korea has always used cyber criminal campaigns to generate revenue for the regime. Russia has pursued strategic and willful ignorance about criminal cyber activity originating within its borders, and used cyber criminals as a patsy to avoid retribution for state-sanctioned hacking activities. Even China, which a few years ago made a concerted effort to clamp down on its cyber militia of patriotic hackers, seems to have rediscovered the value of state-sanctioned cyber side hustles. The White Houses recent statement on the Microsoft hack accuses China not just of ignoring cyber criminal activity, but actually contracting such criminals to pursue official foreign policy goals.

Governments are now using cyber criminals the way they use other non-state actorslike maritime militias or un-uniformed special operations forcesto achieve foreign policy objectives without engaging in outright conflict. This murky middle is what international relations scholars call the grey zone. Most directly, states can sanction cyber criminal activity to bring in revenue, use non-affiliated organizations to propagate disinformation, or lean on civilian companies and criminals to create technologies and exploits that states can then buy to use against adversaries. More indirectly, non-state actors can generate chaos, confusion and cost all while introducing enough uncertainty about whos really responsible to dissuade states from retaliating. Scholars have frequently viewed these more shadowy cyber actions as less dangerous than traditional war, but they come with the risk of accidentally pushing too far and escalating into conflict.

So the post-pandemic cyber world has more vulnerabilities, more opportunities for economic and political exploitation, and more actors that blur the line between state and non-state involvement. The convergence of these bad-news trends certainly helps explain the battery of recent cyber headlines. However, there is some reason for optimism. The Biden administrations announcement accusing China of the Microsoft hack noted that an unprecedented group of allies and partners including the European Union, the United Kingdom, and NATO are joining the United States in exposing and criticizing the PRCs malicious cyber activities. This is a remarkable achievement given the difficulty of creating international consensus on what states should and should not do in cyberspace. Outside observers might be surprised to learn just how tough it is for states to agree on something even as basic as what a cyber attack is.

The joint callout of China comes a few months after a UN report signed by 25 countries (including China, Russia, and the US) emphasized the need to prevent cyber attacks on critical infrastructure. While this might seem like an obscure report, it was a diplomatic coup, reflecting a hard-fought, multi-year effort to create consensus among countries about how responsible states should behave in cyberspace. This agreement (and the recent US-NATO-EU statement against Chinese hacking) would not have been possible had pandemic-induced cyber vulnerabilities not galvanized international action. The succession of high-visibility cyber events in recent months, paired with a U.S. administration that is prioritizing cyber threats within its foreign policy, may have provided the impetus for the international community to slowly start agreeing on ways to punish problematic cyber activity.

Cyber attacks on hot dog plants or virtual elementary school classrooms may not look like the dystopian end times Panetta and Clapper warned about. But they insidiously eat away at the foundations of digital economies, societies and, ultimately, state power. Today, with these foundations crumbling, we may not need cyber Pearl Harbor analogies to understand the danger of cyber attacks. But can the U.S. and its now-energized allies build on this momentum to reverse the shifts wrought by authoritarian governments, the pandemic and the rise of non-state cyber criminals? Fingers crossed.

CLARIFICATION: This story has been updated to include a more recent estimate for the number of companies hackers were able to access through the Solarwinds breach.

See the original post here:
Opinion | The Cyber Apocalypse Never Came. Heres What We Got Instead. - POLITICO

Related Posts

Comments are closed.