We’ve been getting cyber wrong for years, new book claims
China has been accused of hacking into American critical infrastructure. The Five Eyes intelligence sharing alliance responded by urging companies to protect themselves.
But increasingly, simply raising cyber defences no longer suffices in the domain of cyber competition.
Not about coercion but persistence. Credit: Marija Ercegovac
If anything, the rules of engagement in cyberwars are proving fundamentally different to those of normal, physical wars.
Malware, one of the tools used for hacking, is simply computer code, which can be re-engineered and repurposed for positive or negative use. Network intrusions can be done for defensive reasons.
Now, a trio of researchers has proposed a new way to understand the real-world politics of hacking: they call it “cyber persistence theory”.
In “cyber persistence theory”, winners don’t dominate or coerce their enemies, as they would in the physical world of submarines, tanks and planes.
Instead, the winners effectively exploit their adversaries’ computer networks and determine the conditions those adversaries must compete in. Initiative, not force, is the key factor, the authors write. And for initiative to win, it must be applied persistently.
In 2021, a Chinese hacking group dubbed Hafnium was found installing backdoors on thousands of Microsoft Exchange servers.
Once Microsoft became aware of the vulnerability on its Exchange servers, the company issued a security patch. Yet before the day the patch was issued, and before it could go into effect, China enabled backdoor access. Initiative again.
The US cyber warriors then “seized back the initiative” by uninstalling the particular affected software on thousands of Microsoft Exchange servers.
In each move, the particular corner of cyberspace’s landscape that affected Microsoft’s Exchange servers was subtly restructured.
“Cyberspace is actually a human-made structure that is mutable”, said Michael Fischerkeller, one of the theory’s US-based authors. “Because it is mutable there are a few ways to alter its structure in ways that favour you or disfavour an adversary.”
This constant restructuring is the “on-going dynamic” in cyberspace, said Fischerkeller, who is an analyst at the US-based Institute for Defence Analyses in Virginia.
The winners in cyber persistence theory are those who can show “persistence” in hacking, in exploiting vulnerabilities of their adversaries, but also in anticipating future exploits and preventing them.
Hence Five Eyes, and large technology providers like Microsoft, are becoming increasingly vocal about the steps needed to block exploits.
In another example, in December 2021, US and Ukrainian network operators discovered “wiper” malware, which could disable an entire network, on Ukraine’s railway system. They preemptively removed it.
Those same railways would be used by 1 million Ukrainians to evacuate from cities under Russian bombardment in the first 10 days of the full-scale invasion in 2022.
Americans and Ukrainians removed “wiper” malware placed on the train system’s network months before Russia’s full-scale invasion in 2022. Credit: AP
“If the malware had remained undiscovered and was triggered, ‘it could have been catastrophic’,” a Ukrainian official told the Financial Times last year.
Rather than monitoring networks as if they were a perimeter of a fort, and waiting for a problem to emerge, the US and Ukrainian partners actively searched for and removed malware. They used “initiative”.
In another contrast with the physical domain of warfighting, in cyberspace moves and counter-moves are taken with little resistance or awareness.
A target is usually oblivious to a malicious act until it is discovered (just ask Optus or Medibank).
The building housing a People’s Liberation Army hacking unit on the outskirts of Shanghai, notorious for hacking and plundering Western trade secrets. Credit: AP
These acts are effectively what the authors call “cyber fait accompli” – forcing their opponents into a state of reaction to an act that has already happened.
(A “fait accompli” is defined as “a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept it.”)
This helps explain the news cycle in which a hack is revealed, then the scope of the hack is revealed, and then – and only then – does the target respond.
In this way, Fischerkeller, who along with Emily O. Goldman and Richard J. Harknett wrote the book Cyber Persistence Theory: Redefining National Security in Cyberspace, argues that the cyber domain functions differently than existing domains of war.
The “winner” in the cyber domain is the side that shapes the strategic environment.
Fischerkeller claims that China and Russia have taken the initiative to shape the cyber environment since around 2008.
That is the period when China began to embark on a sustained campaign of economic cyber espionage against open democracies, targeting the intellectual property of whole industries.
Hacked intellectual property (business plans, proprietary commercial information) has then been strategically fed back to China’s industry, allowing them to leapfrog ahead in research and development in strategic areas.
In that time, the US repeatedly pleaded with China to agree to so-called “rules of the road” for what was fair in cyber hacking, to no avail.
In reality, China was taking the initiative and shaping the strategic landscape the US and Australia had to contend with.
University of Adelaide Professor Debi Ashenden says ‘persistent engagement’ is a more accurate reflection of what happens in the cyber domain than the concepts of attack, defend and coercion seen in the physical world.
“The terms ‘offensive’ and ‘defensive’ are too binary and control of the cyber domain is not a zero-sum game where it’s ‘either/or’ … it’s ‘and’.”
“This is because of the complexity of the cyber domain – where statecraft and geopolitics become linked with technology, where the private sector and government have to act together, and events happen at speed.”
Evidence of a strategic re-think on cyber can be seen in the private sector.
Clyde & Co partner John Moran, who advises companies on cyber risk, said that in the past six to eight months clients have stopped spending money on network security alone.
“Now there is an assumption cyber intrusions will happen, so companies are investing in aspects that will make the breaches less severe,” he said.
Companies are becoming more strategic about the requirements around data use and storage.
The shift reflects the increase in frequency of cyber intrusions of corporate clients.
Sydney-based Moran’s team have managed 1500 cyber breaches in the last 12 months in Australia.
Companies are pivoting to the “longer tail aspects of incidence response – including how to mediate customers and how to minimise class action risk”, he said.
Fischerkeller says companies are being forced to adjust to the broader “cyber strategic environment”, and that can be seen in how they’re pivoting to tackle ransomware gangs and intellectual property theft.