Prabir Purkayastha
Two major cyberhacks—of SolarWinds and Microsoft Exchange Server—have affected a whole range of computer systems worldwide. Both are supply chain hacks, meaning that the inserted malicious code appeared to be a routine software upgrade for particular components in these systems rather than something malicious.
In the SolarWinds hack, a backdoor in one of the components was downloaded to the systems of 18,000 organizations, including the U.S. Treasury and Commerce departments, the Department of Homeland Security and the State Department.
In the Microsoft Exchange Server hack, an estimated 250,000 machines worldwide might have been affected by a vulnerability that allowed hackers to control the machines and even infect other systems in the internal network of the targeted companies. Four major vulnerabilities in Microsoft Exchange Server were reported to Microsoft in early January. Unfortunately, it wasn’t until early March that Microsoft released patches, according to ZDNet. These vulnerabilities were used by the hackers during the period that Microsoft had either not released the patches, or companies had not upgraded their systems and installed the patches.
In the SolarWinds hack, the U.S. authorities and security companies that work closely with the U.S. government have blamed Russian intelligence agencies for the hack, which was discovered in late 2020. In the case of the recent Microsoft Exchange Server hack, Microsoft blamed “a Chinese state-sponsored group dubbed ‘Hafnium,’” according to PC Magazine. It is unlikely that either the Russian or the Chinese spy agencies would execute such a widespread attack on systems. Their interests are better served by targeting a few critical systems and compromising them rather than infecting systems on such a wide scale.
The scale of the attacks multiplied exponentially, particularly after Microsoft announced the four vulnerabilities and released their patches. Many of the large number of organizations that use Microsoft Exchange for their email servers—including small companies and local governments—were slow to apply the patches. This allowed a huge number of rogue hackers to get into the act, setting off a feeding frenzy of hacking unprotected systems.
U.S. government agencies are looking at how to retaliate against Russia and China for the cyberattacks, with some lawmakers going as far as to wonder if “the [SolarWinds] cyber intrusion amounts to an ‘act of war,’” according to Breaking Defense. What these claims overlook is that all countries have offensive and defensive capabilities, and “stealing” data and knowledge from other countries is a time-honored tradition of spook agencies. It becomes an act of war only if it leads to physical damage to critical equipment or infrastructure.
Any identification of the cyberattacks as Russian or Chinese is based on the evidence of supposed Russian or Chinese “signatures” in the software. The CIA’s hacking tools, details of which are available in Vault 7 of WikiLeaks, show that such signatures can be faked by the agency. The NSA tools dumped by a group called the Shadow Brokers on the internet in 2017 show that the NSA can also spoof signatures of other countries or of hacker groups. A report from DarkOwl titled “Nation State Actors on the Darknet” says that NSA’s tools made public by the Shadow Brokers include UNITEDRAKE, which “provides the unique capability to disguise the origin of the attack, effectively projecting attribution onto another country or hacking group.” This problem is further compounded by the fact that these tools are now accessible to all hackers. This means that identifying the origin of software from code “signatures” is at best a conjecture.
Why does the United States expect Russia or China not to hack other countries’ systems, when we all know that the NSA and the CIA have been routinely hacking systems from all over the world? The Edward Snowden revelations showed that the United States and its Five Eyes partners did everything (and then some) that they are today accusing Russia and China of doing. XKeyscore and Prism, two of the largest NSA programs, showed how systems across the world had been hacked or compromised by the intelligence agency. The NSA’s Tailored Access Operations hacked hardware that went to different countries, providing the NSA with physical backdoors into equipment in foreign networks. The U.S. and its Five Eyes partners hacked systems across the rest of the world, not even sparing their close NATO allies like Belgium and Germany. The NSA’s UK counterpart, the GCHQ, hacked Belgium’s largest telecom company, Belgacom (now known as Proximus), which operates a large number of data links internationally. It serves millions of people, including top officials from the European Commission, the European Parliament, and the European Council. According to a February 2016 article in The Local, WikiLeaks documents revealed that the NSA even listened in on German “Chancellor Angela Merkel’s private conversations with world leaders.”
The United States has, meanwhile, mounted a worldwide campaign against the Chinese multinational technology company Huawei for being a security risk for global networks and asserts that a clean network means no Chinese equipment. In March 2014, the New York Times and Der Spiegel reported on an NSA program code-named “Shotgiant” that hacked into Huawei systems and its network to find a link between Huawei and the People’s Liberation Army. As the New York Times report says, “But the plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries—including both allies and nations that avoid buying American products—the NSA could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.” The Times report adds, quoting an NSA document that it and Der Spiegel disclosed, “Many of our targets communicate over Huawei-produced products… We want to make sure that we know how to exploit these products… to ‘gain access to networks of interest’ around the world.”
The NSA document quoted above shows that the NSA not only conducted surveillance operations in the networks of other countries but also carried out offensive cyber operations. So if the NSA or the CIA compromises the computers, routers or other equipment of a country, they not only exfiltrate data from these networks but also have the offensive capability to insert logic bombs into the target network or equipment to bring them down.
In a reenactment of former President Obama’s campaign in 2013-14 against China and Russia on cyberwar and cyberespionage, the Biden administration is attributing all the major cyberhacks in the world to ‘evil’ Russian and Chinese actors. Obama’s campaign had to be aborted due to the damaging Snowden revelations. The United States appears to believe that the world by now has forgotten about Snowden. The time is ripe again for a renewed offensive on hacking against Russia and China, with the Biden administration continuing Trump’s confrontationist policies relating to both these countries.
The question is, with growing offensive capabilities, can we continue to play along this path of confrontation? Can we play this reckless game of cyber chicken without suffering devastating consequences? Can cyber offensive capabilities lead inadvertently to an attack that has physical consequences and, therefore, to a physical war?
With the Stuxnet attack on Iran’s centrifuges, a line of not causing physical damage using cyberweapons—the cyber Rubicon—was crossed. Dress it up any way we want, an attack on equipment processing radioactive material that could lead to possible radioactive leakage marked the first use of a cyberweapon.
In a repeat of the atom bomb era, where the United States thought that it had a long-term monopoly over nuclear weapons, the United States now considers its cyber dominance to be long-term. Commenting on the U.S.’s rejection of any proposal to ban cyberweapons—in a May 2012 report published by the international affairs think tank Chatham House, “Cyber Security and International Law”—Mary Ellen O’Connell from the University of Notre Dame Law School and Chatham House’s Louise Arimatsu explained that the United States’ resistance to proposals for a treaty may have been related to “U.S. plans to use the Internet for offensive purposes… U.S. officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true U.S. position.”
The United States and its NATO allies have turned down every attempt within the United Nations framework to ban cyberweapons. Russia, China and many other countries tried to have a UN process to discuss a cyber peace treaty. In 2009, Russia proposed a treaty modeled on the Chemical Weapons Convention that would ban cyberweapons, a call it has repeated in the UN. The United States has turned it down every time, arguing instead that every country should accept the Tallinn Manual. The Tallinn Manual is a nonbinding academic study sponsored by a group of NATO countries on how international law should be interpreted for cyberspace. It does not call for a ban on cyberweapons but only defines what a cyberweapon is and where its use would violate international law. Clearly, the Tallinn Manual is a far cry from a treaty on maintaining cyber peace and banning cyberweapons.
Cybersecurity threats are emerging as one of the most serious challenges of the 21st century. The Russians and Chinese are not the only ones promoting a cyber peace treaty—or at least negotiations of dos and don’ts in the cyber era. With the leak of the NSA’s tools on the internet and in the wake of WannaCry ransomware attacks, even tech giants like Microsoft started talking about nation-states (read: the NSA in this case) not stockpiling and exploiting vulnerabilities in systems.
The reality that the United States refuses to accept is that it is no longer the sole cyber hegemon. A report called the “National Cyber Power Index 2020” by the Harvard Kennedy School’s Belfer Center for Science and International Affairs ranked the cyber power of countries by both offensive and defensive capabilities. Although the United States is still the leading player, China is in second place and catching up fast. Russia, the UK and others are still some distance behind.
With computer systems and networks underpinning the global infrastructure, the risks of cyberweapons to the world are greater than ever before. If we do not work for cyber peace, we will inevitably tip over to a ruinous cyber exchange and possibly the splintering of the global internet with hard borders. It is critical that we do not enter the even more dangerous territory of a hot war that initially starts as a cyberwar.