Artículo Foreign Policy, 16.12.2020 Elisabeth Braw, académica del American Enterprise Institute
But as the Russian hack of the U.S. government shows, they are getting worse
APT29 has struck again. According to U.S. news sources, the Russian hacker collective known as Cozy Bear, believed to be affiliated to the country’s foreign intelligence service, the SVR, has successfully hacked the U.S. State, Treasury, Homeland Security, and Commerce departments, as well as other government agencies. The hack is just the latest scalp for the group, which has been linked to the 2016 hack on the Democratic National Committee and attacks on the Norwegian government, COVID-19 vaccine outfits, and the cybersecurity firm FireEye. For the United States and allied governments, the conclusion must be that their countries need not just better cybersecurity but, crucially, more innovative ways of retaliating. And they should be even more concerned about another aspect of cyber-aggression: cyber-weapon proliferation.
The four federal departments were just the last entries in a long list of ATP29’s victims this year. Others “have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East,” the Washington Post reported. Adding insult to injury, in the case of FireEye, APT29 stole the firm’s red-team tools, the tools with which a company or government agency impersonates attackers so as to improve its defense. When highly sophisticated hackers attacked COVID-19 vaccine research organizations in the United States, the United Kingdom, and Canada earlier this year, the British government’s National Cyber Security Agency not only identified APT29 but also noted that the group is “almost certainly part of the Russian intelligence services.”
APT29’s selection of targets this year demonstrates a clear trend: With businesses and institutions getting better at cybersecurity, garden-variety cyberattacks are decreasing while sophisticated and targeted intrusion is on the rise.
According to the annual Cyber Readiness Report compiled by Hiscox, an insurer, in the last 12 months, the share of companies affected by a cybersecurity event fell from 61 percent to 39 percent. At the same time, though, losses from successful attacks are skyrocketing.
The more targeted, large-scale aggression—sometimes used for disruption; sometimes (as in the case of the SVR-linked hackers) for espionage purposes—features people with the skills of APT29’s members and their colleagues in another Russian group, APT28 (also known as Fancy Bear), which is thought to be affiliated with Russia’s military intelligence agency, the GRU. In the past, GRU hackers have perpetrated catastrophic attacks such as NotPetya in 2017, which infamously crippled Ukrainian hospitals, banks, airports, government agencies, and much more. The group then went after global companies including Maersk, the world’s largest container-shipping company; the U.S. pharmaceutical giant Merck; snack giant Mondelez (think Oreo cookies); and others, causing some $1 billion in damages and leading to a lawsuit between Mondelez and its insurer. The insurer, Zurich American Insurance Company, rather logically argued that since Western governments had attributed NotPetya to the Russian government, the attack counted as an act of war and was thus exempt from insurance payout. In a separate development, this October, the U.S. Department of Justice indicted six hackers, all GRU officers, over NotPetya and cyberattacks on Georgia, France, and the 2018 Olympic Winter Games.
As it changes form, cyber-aggression is becoming an increasingly dangerous national security threat. A cyberattack can bring a country to its knees without a single soldier crossing a border. Targeted aggression means that defenders will have to work much harder to protect important firms and government services. Samu Konttinen, until last month CEO of Finnish cyber-security firm F-Secure and now chairman of the Finnish Information Security Cluster, said in a recent interview that “cyberattacks have become more sophisticated, and they’re being directed against specific targets. Opportunist attackers, the sort of attackers who used to dominate, don’t care who the target is. They just want the money.” But today’s top attackers don’t operate like that, Konttinen noted; instead, they go about their mission in a military-like way: “Armed forces are not opportunistic. They want to attack a particular country, not just any country … They’re becoming so sophisticated that you can’t stop them.” Indeed, you can’t even spot them. “Today it can take 100 days for a company to realize it has been attacked,” Konttinen said. That seems to be what happened to SolarWinds, the firm through which the U.S. government agencies were targeted. In a statement, the company said the virus may date back to May or June.
All this means that cyberdefense must include not just the better cybersecurity that businesses have for at least the past decade been told to focus on. Especially in the case of companies critical to the functioning of society—energy utilities, airports, water companies, grocery chains, internet providers—defense alone is clearly not enough. Some NATO member states already engage in offensive cyber, and last month the United States’ Cyber Command was joined by the United Kingdom’s new National Cyber Force. The question, as the U.S. Cyberspace Solarium Commission noted in its final report, is how to build cyber-deterrence that credible, agile, and fast.
Call it the defender’s dilemma: In cyberwarfare, eye-for-eye can’t be used as easily in the battle is between guns in a traditional war. The U.S. government would not deploy U.S. cyberattackers to steal Russian vaccine research in response to NPT29 incursions into Western pharma firms. The answer must instead be more asymmetry. If hostile state hackers were to, say, cripple Walmart or Britain’s Tesco supermarket chain, not to mention the tech, telecom, and oil and gas companies already attacked by NPT29 this year, the government or any of its allies should retaliate with a painful but legal surprise move (without violating any laws, of course). The British government’s response to the poisoning of Sergey and Yulia Skripal illustrates the options available: according to then-British National Security Advisor, the government responded by, among other things, “tackling some of the illicit money flows out of Russia.”
As if the changing nature of the threat weren’t enough to deal with, there’s a potentially even more dangerous trend: proliferation. Ever since nuclear weapons were invented, lots of countries have wanted them, and some been successful in obtaining them thanks to the shady world of proliferation. The same reality is taking hold in the realm of cyberweaponry. “Sometimes the technology leaks to criminals,” Konttinen noted. “It’s like nuclear weapons ending up in the hands of criminals. It’s very alarming.” In many ways, the prospect is even more dangerous because unlike nuclear weapons, digital mega-weapons are regularly handled by people outside a limited circle of government officials; indeed, the nature of cyber-aggression is for hostile governments to use proxies so attacks can’t be linked to them. What if someone got their hands on APT29’s formidable technology and deployed it against countries less able to defend their IT infrastructure than the United States?
By the 1960s, the majority of the world’s countries had become so concerned about nuclear proliferation that they agreed on a nuclear non-proliferation treaty. In total, 191 countries joined the NPT, which came into force in 1970. Today various groupings of countries are valiantly trying to agree on norms for cyberspace interaction. A much more urgent task is to stem cyberproliferation. To be sure, cyberweapons lose some of their power once they have been used, but they remain potent enough to inflict enormous damage. It’s in every country’s interest to limit cyber-weapons proliferation. The burning question is how to do it.