We are currently dealing with a new, unknown and unfortunately not sufficiently researched challenge: enemy actors, who are using new methods, techniques, and sophisticated cyber tools to gain an advantage over the victim. Today’s battles are fought with bits and bytes, not just with bombs and rifles.
The recent history of international conflicts has shown that with the increasing dependence of societies on computerisation, it was only a matter of time before cyberspace was used to achieve tactical, operational, and strategic superiority in combat. Humanity has therefore reached the point where cyberspace and cyberspace activities have become an essential part of hybrid activities. This has been achieved by making the acquisition and control of ICT networks, systems, and infrastructures more attractive. In modern civilisations, critical infrastructure for the functioning of the state (electricity, communications, water, transport, finance, etc.) is based on cyberspace. Military command and control support systems also depend on cyberspace, as do all the most advanced technologies in today’s battlefield.
The experience of modern conflicts shows how ingenious and dangerous actions can be when they use cyberspace to achieve their goals through anonymity. Even if the probability of attribution is high, a well-prepared cyber-attack will make it impossible to identify its author unambiguously, and even if an opponent should be identifiable, the international legal system knows no conditions for drawing consequences against him. Therefore, any country that has certain cyber security capabilities, but does not have the appropriate policy in this area, must expect to fail in the future.
Cyber operations can be planned as part of hybrid operations and include, in particular, the activities of specialised military units, intelligence services, organisations, hacker groups, or insiders.
Cyberspace as a Battlefield
Cyberspace as a battlefield has unique features that are attractive from the point of view of military operations. It allows you to interact with an enemy at a considerable distance (sometimes out of reach of conventional forces) in a short time, without risking the lives of soldiers. Conducting activities in physical domains, for example on land, sea, air, or space, depends on geographical conditions. However, activities using cyberspace are not geographically limited. Cyber actions, however, depend on distributed network infrastructures, for example the physical layer of cyberspace.
The physical network layer is created by ICT devices and infrastructure in other domains (land, sea, air, space). They provide storage, transmission and processing of information in cyberspace as well as databases and connections that transfer data between network components. Network components include equipment and infrastructure (e.g. computers, memory devices, network devices as well as wired and wireless connections). The components of the physical network layer require physical security measures to protect against physical damage or unauthorised physical access so that logical access can be achieved. The physical layer of the network during cyber activities is the first point of reference to determine the geographical location and appropriate legal framework.
Although geopolitical borders can be easily and quickly crossed in cyberspace, there are still sovereignty issues related to physical domains. Each material component of cyberspace is owned by a public or private entity that can control (sometimes restrict) access to its own resources. These unique features must be considered at all stages of the planning of activities.
From a cyber-security perspective, the ability to launch a quick cyber-attack forces you to have protection and defence systems that automatically respond to cyber-attacks in real or near real time. To be effective, these systems should have the best computing power possible.
The unique features of cyberspace make it attractive also in the breaks between activities of conventional forces. You can successfully perform cyber-attacks during such breaks.
Cyberspace also creates conditions for covert operations. Identification of cyber activities is mostly based on the method of accomplished facts. This means that analysed cyber-attacks are those that have already occurred. A well-prepared cyber-attack, even if it contains already known elements, is different and innovative (in techniques and tools) compared to the previous ones. In addition, the anonymisation of operations mentioned above is a strong attribute of the attacker. An attacker has the option of acting anonymously in cyberspace, without leaving any trace of identification. By using appropriate techniques and tools, the attacker can hide behind other entities, such as individual users of ICT networks and systems, hacker groups, criminal entities or even foreign agencies or countries. Cyberspace allows the attacker to minimise the risk of disclosure, prosecution and counterattack. This is evidenced by the fact that so far no state has been punished for conducting cyber-attacks. In conventional operations on the battlefield, it is usually known who attacked first and what space was acquired. During operations in cyberspace this is not so obvious, or is impossible to determine at all.
Cyberspace creates conditions for actions that have conflicting consequences. On the one hand, the possibility of a counterattack may be limited (the attacked entity will have no grounds or ability to respond). On the other hand, there is also the possibility of uncontrolled escalation. This is related to another feature of cyberspace operations. Contrary to the popular belief that activities using cyberspace are bloodless, cyber-attacks can cause the death of a large number of people. Destruction and deprivation of human life may occur as a result of damage to, disruption of, or destruction of objects critical to the functioning of the state (e.g. power plants, water dams, refineries or production plants) whose functioning is based on networks and ICT systems. Anonymisation of cyber activities can mean that even if cyber-attacks cause fatalities and serious damage to health, no adequate response or even accountability will be possible due to the lack of a solid identification of the attacker. Therefore, the possibility of causing great damage to the functioning of the state without destroying its physical infrastructure or killing people may be considered a desirable feature of cyberspace by those planning hostile activities.
Top Ten Cyber Threats
The attractiveness of cyberspace as an area of activity used during cyber-operations can be proved by the SANS Institute expert ranking. This classification indicates the top ten cyber threats:
- The increasing sophistication of attacks on websites that exploit browser vulnerabilities – especially on “trusted” sites;
- Increase of advancement and effectiveness of botnet attacks;
- Cyber-espionage activities carried out by organisations with appropriate resources that want to acquire large amounts of data – in particular through targeted phishing;
- Threats to mobile phones, especially iPhone phones, phones using the Android system, and those intended for VoIP (Voice over Internet Protocol) communication;
- Attacks of insiders;
- Advanced identity theft from permanent bots;
- Increase in malicious software from spyware;
- Exploiting vulnerabilities in web applications;
- Increased sophistication of social engineering, including combining phishing with the VoIP service and event phishing;
- Supply chain attacks infecting consumer devices (USB drives, GPS systems, photo frames, etc.) disseminated by trusted organisations (producers).
Standardisation is another feature that causes cyberspace to be used during conflicts. Cyberspace is mainly based on solutions of companies with global reach (e.g. Microsoft, Cisco, IBM, Hewlett-Packard, Intel, Lenovo, Check Point, 3Com, Juniper Networks, Fortinet, or even Huawei), whose products are located in countries around the world. The universal nature of the cyber-domain in question is also shaped by operating systems (for example, Windows, Unix, or the most popular Linux distributions). Standardisation involves a high risk for the attacked site. Hacking of commercial (non-dedicated) database security software can bring further successes to a successful attacker because of the source codes and software structures that are uncovered.
Cyberspace also creates conditions for hostile entities to obtain or change the values of a great deal of data from devices connected to the network and ICT systems. Geographical, thermal, mechanical or other data obtained from other domains using sensors in networks and ICT systems are converted into bits and vice versa. Based on this data, the effectors perform a specific action. The attacker, using cyberspace, can gain possession of this data and, by changing its parameters, can affect the actions of many devices. Thanks to this, the attacker can simultaneously create favourable conditions for conducting attacks in geographical domains.
LTC Robert Janczewski is Senior Specialist at the National Cyber Security Centre of the Polish Ministry of Defence.