Cyberwarfare escalation just took a new and dangerous turn
The rhetoric surrounding cyberwarfare has ratcheted up again, potentially creating an unwelcome development in an area where misunderstanding and confusion could easily lead to escalation.
The New York Times has reported that the US has escalated its plans to place malware in Russia power networks, in response to similar and ongoing online incursions by Russia-backed hackers.
This is the latest development in online hostilities involving power grids; energy companies have long been the targets of cyber-espionage, but in recent years the intent has switched from spying to creating outages.
SEE: 10 tips for new cybersecurity pros (free PDF)
Government hackers like to target energy companies because power outages can cause immediate chaos across wide areas.
There are plenty of reasons to be worried about the security of power grids, too. In 2016 -- the last year for which data is available -- the energy sector topped the table in terms of vulnerabilities dealt with by the US Industrial Control Systems Cyber Emergency Readiness Team, now part of the National Cybersecurity and Communications Integration Center (NCCIC).
Such attacks aren't just theoretical. Most notably, over Christmas 2015 Ukrainian households were hit by power cuts after a series of hacking attacks on three local power companies. Russia was blamed for the sophisticated attacks, which started with phishing emails.
Once the hackers gained access to the company network, they found their way to the operational systems that controlled the grid itself. A coordinated denial-of-service attack on the companies' call centres made it harder for customers to report the outages.
In January, Dan Coats, US director of national security, warned that Russia had the capability to execute cyberattacks against the US that could disrupt an electrical distribution network for at least a few hours -- similar to those demonstrated in Ukraine in 2015 and 2016.
"Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage," Coats warned.
A day before The New York Times published its story, security company Dragos warned that it had seen hackers probing US power utility networks, doing reconnaissance for potential future attacks, and trying to gain access to systems by trying out stolen passwords.
It warned that the hackers were the same group that had tried to interfere with the safety systems at a petrochemical plant in Saudi Arabia a few years back. Analysis of the malware by security company FireEye linked it to a Russian state-owned research lab.
"The most dangerous threat to [Industrial Control Systems] has new targets in its sights," said Dragos.
A wilderness of mirrors
In the murky world of espionage and cyberwarfare, it's never entirely clear what's going on. Does the US really have the capabilities to install malware in Russian energy systems? If so, why would the intelligence agencies be comfortable (as they seem to be) with the story being reported? Is this an attempt to warn Russia and make its government worry about malware that might not even exist?
But beyond the details of this particular story, there are at a number of major concerns here -- particularly around unexpected consequences and the escalation of cyberwarfare risks.
It's very hard for a company (or a government) to tell the difference between hackers probing a network as part of general reconnaissance and the early stages of an attack itself. So even probing critical infrastructure networks could raise tensions.
There's significant risk in planting malware inside another country's infrastructure with the aim of using it in future.
The code can be discovered, which is at the very least embarrassing and, worse, could be seen as a provocation. It could even be reverse-engineered and used against the country that planted it (or used against a third country with the aim of causing even more chaos -- such false-flag cyber operations are far from unknown).
SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | Download the PDF version
Also, energy companies -- like every other company -- have systems that have grown up over decades into unique shapes. Many of those systems are rock solid, but some are teetering towers. Hackers introducing their own malware code, with the aim of using it to launch an attack at a later date, could be enough to topple those systems and cause immediate outages. Alternatively, innocent updates to those systems by the companies themselves could dislodge one of these implants and trigger an outage at an unexpected time.
For the company that finds its systems down, and the angry government trying to decide how to respond, it's very hard to tell the difference between a scouting expedition gone wrong, an accidental triggering, and a deliberate attack.
The biggest problem is that there are no set rules here: what one side thinks is legitimate behaviour is regularly seen by the other as antagonistic and even aggressive.
Escalating tensions
Here's a closely-related example: some experts think that Hillary Clinton's public support for democracy protests in Russia back in 2011 were at least part of the reason for the Russian disinformation and hacking campaign in the run-up to the 2016 presidential election. Russia's leadership saw her stance as meddling in its affairs, which (to their minds) made its meddling in the US election an acceptable response.
Few in the West would agree with that justification, which is why Russia's election meddling wasn't something the US had considered a possibility. It's a classic example of how misunderstanding leads to an unexpected and dangerous escalation. And those misunderstandings and confusions are not going away.
One expert described the US malware plan as the gunboat diplomacy of the twenty-first century. But it's not really the same as parking a battleship off the coast of a rival. It's entirely possible that a country on the receiving end would consider this sort of malware intrusion to be more like mining their bridges. It's a step beyond, which hasn't previously been part of the military or diplomatic playbook, and one with apparently limited civilian oversight. The US may be attempting to create a cyber-deterrence strategy to stop Russian attacks. But the risk is that it will simply escalate tensions on both sides.
It's often mentioned that squirrels (and lightning strikes) are much more of a risk to power grids than government malware will ever be. That's true for now: the risk is that, with hot rhetoric about cyberwarfare, even commonplace grid failures like these will be seen as the product of aggressive actions by rival states.
Adding malware into the systems of a rival nation, at a time when cyberwarfare escalation could easily result, is a dangerous step to take.