Recent Cyber Events and Possible Implications for Armed Forces

Page created by Thomas Shelton
 
  A look at the trends from 2020 and towards the future

  #8 – January 2021

  About this paper
  This paper is the collaborative view of NATO CCDCOE researchers highlighting the potential effects
  on the military of current events and of developments in cyberspace during 2020, based on publicly
  available information. It does not set out to be exhaustive. While the authors have made every effort
  to describe events from a perspective relevant to NATO and partner nations, there may be national
  and regional differences which this paper does not address.
  The authors of this paper are independent researchers at the NATO CCDCOE; they do not represent
  NATO, nor does this paper reflect NATO’s position. The aim of the paper is not to replace information
  about vulnerabilities and incidents provided by CSIRTs and providers of CIS products and services.

1. 2020 ends with a massive supply chain attack

In December 2020, several US government agencies were breached by a software supply-chain attack. The operation, which was initially launched as early as March 2020, clearly shows how a breach of a trusted supply chain can affect a large number of targets and how an advanced adversary can operate undetected for a long time.

  'The US has suffered a massive cyber breach. It is hard to overstate how bad it is.' (Bruce Schneier in The Guardian)

The full scope of the breach is still unfolding, but it is clear that a backdoor dubbed SUNBURST had been installed in thousands of networks. Research from FireEye and Microsoft indicates that about 50 organisations had been targeted and seriously affected, including Microsoft and several US government agencies. The number of targets may exceed 250 organisations. The number severely affected remains low relative to the large number of infections, but this is most likely the result of the actor behind the attack selecting which targets to pursue further. A joint statement released on 5 January states that 'fewer than 10' US government agencies were compromised. The extent and method of the attack should be a cause for concern for military organisations given military dependence on civilian institutions for the operation and maintenance of their ICT infrastructure.

In some ways, the attack is reminiscent of the NotPetya attack in 2017, which used updates for a software package commonly used in Ukraine as the vehicle to get malware into the target systems. In the current case, the vehicle was the update chain of the network management software SolarWinds Orion. The objective seems to have been espionage rather than disruption of operations, although the backdoor could later have been used for disruptive operations as well.

Several sophisticated techniques, both to evade detection and to move laterally in compromised networks, have been found. These also allowed the adversary to maintain a persistent presence in the networks, which indicates that an advanced, probably state-backed actor is behind the compromise. The attack is widely thought to be tied to Russia, with the group APT29, also known as 'Cozy Bear', being named in some reports. Russia has denied responsibility for the attacks.

The security of the supplier's software update mechanisms seems to have been lacking. Reports suggest a weak password may have allowed access to the update servers. Better mechanisms to assess the security of the software supply chain are clearly needed. It is not feasible for every customer of a supplier to
independently audit the security measures put in place; this calls for interagency and international cooperation in realising some type of independent assessment and certification of software used in critical industries and government.

Microsoft also reported that source code in its network had been accessed as part of the breach, but no code was modified. Undetected manipulation of, for example, Windows or Microsoft Office source code would of course have provided an opportunity for an even wider supply chain attack, but there is no evidence of that. That the attackers were able to view Microsoft source code, while not good, does not have to be a major security concern: software should never be designed so that its security relies on keeping the code secret. Access to the code may, however, help an attacker understand the software and identify previously unknown vulnerabilities.

The knowledge of the attack we now have affords many opportunities to detect and remove backdoors, but the challenge is to ensure that the attacker does not retain a foothold in parts of a network when the initial backdoor is removed, and that cyber defenders can detect similar attacks. The attacker has likely tried to compromise other parts of the network after getting initial access, making cleaning the network more problematic. An even more difficult situation arises if there is suspicion that data in the network may have been manipulated and can no longer be trusted. A thorough investigation of all parts of the compromised network is needed, including audits of logs and integrity checks of installed software and data. This may require outside help if the organisation does not have sufficient competence or resources.

Both the relative ease with which the initial malware was able to beacon and connect to command-and-control servers undetected and the way the attackers could then move around the compromised networks highlight the need for a strategy of defence in depth. Strict restrictions on how even trusted equipment is allowed to communicate inside the enterprise network and with the internet are needed to make these operations more difficult to execute. Insecure application programming interfaces (APIs), too much trust in network equipment and reuse of credentials for machine-to-machine communication are examples of weaknesses that an attacker can use when moving laterally in the network. More advanced detection systems, such as machine learning techniques for detecting anomalies, may help prevent breaches like this going undetected for so long.

2. Developments in international law and cyber norms during 2020

While the COVID-19 pandemic has understandably obscured many other important events of 2020, it has also brought new food for thought to those working on how international law applies to cyberspace in peacetime and in armed conflict.

In the first place, the pandemic has shown the vulnerability of the healthcare sector and of those who depend on it. Cyber operations against hospitals, including those responsible for COVID-19 testing (for example in France, Spain, Thailand, the United States or the Czech Republic), cyber espionage activities attributed to state actors against vaccine research facilities, and the spreading of disinformation and fake news online (including by governments) have been unprecedented.

These developments have prompted several reactions from the international law community. In the same spirit as the July 2020 ICRC proposal for the adoption of a norm specifically protecting medical facilities from cyberattacks, renowned international law experts have called for better protection in the Oxford statements on international law protections against cyber operations targeting the healthcare sector and on safeguarding vaccine research. Universal condemnation by states of this wave of malicious cyber operations against the healthcare sector puts into perspective the refusal by some states to acknowledge the application of international humanitarian law (IHL) to cyberspace. If it is unlawful to target hospitals with cyberattacks, including during an armed conflict, under what body of law if not IHL?

While the applicability of IHL rules to cyber may not yet be accepted by all, the number of states explicitly recognising it grew in 2020. In December 2020, Israel published its national position on international law, following pronouncements by Finland, New Zealand and the Czech Republic. The Strategy and Governance section of CCDCOE's digital library offers a collection of primary sources including statements on international law.
States' positions on international law are continuously incorporated into and operationalised in the scenarios of the Cyber Law Toolkit and reflected in the Centre's country reports series, which was complemented by thematic webinars in 2020, beginning with Italy.

With NATO recognising space as an operational domain in December 2019, continued attention also needs to be given to the cybersecurity aspects of space operations, as highlighted by researchers including those from CCDCOE. Evolving technologies have been among the Centre's long-term interests. A new book on autonomous capabilities seen from a multidisciplinary perspective will enrich the existing research on autonomous capabilities and cyber means and methods of warfare in 2021.

With the growing incidence of malicious cyber activities in cyberspace, the willingness of states to denounce the attackers also increases. 2020 saw the first practical application of the 2017 EU Cyber Diplomacy Toolbox and targeted cyber sanctions. We can expect more to come in the future, considering the recurring attacks on important governmental institutions in Europe (e.g. Norway or Estonia).

  'Most noteworthy was that there seems to be an increasing readiness amongst states to come forward with their positions on international law' (Overview of the UN OEWG developments: continuation of discussions on how international law applies in cyberspace)

All these developments have been taking place against the backdrop of ongoing UN-sponsored processes on norms of responsible behaviour in cyberspace, the UN Group of Governmental Experts and the Open-Ended Working Group. Although the latter has had to postpone the presentation of its conclusions to the Secretary-General due to the COVID-19 pandemic, there have nonetheless been lively discussions on the application of international law in cyberspace. This shows that analogies of cyber to the Wild West, or references to wars fought without international norms, are misplaced. While a certain level of norms-scepticism may be understandable, the developments in 2020 only confirm that international law is ever more relevant in helping nations and their militaries face new challenges. Amongst other things, universally accepted norms of state behaviour in cyberspace and the certainty that comes with them are likely to provide greater deterrence against malicious state actions and offer additional tools to hold offenders accountable. The time is ripe for Tallinn Manual 3.0, a project that will revise and expand the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The updates will address the evolving nature of cyber operations and state responses, and add new topics of importance such as official statements on international law and the UN-level discussions on responsible state behaviour in cyberspace.

3. Supply chain risks a major concern for governments as 5G infrastructure is rolled out

The debate regarding 5G escalated in early 2019 along with growing concerns about the security of both commercial and military communications within national and Alliance networks. The conversation primarily focused on the risks posed by Huawei and other Chinese suppliers of 5G network technology. The importance of secure communications, including 5G, was stressed by NATO leaders at the meeting in London in December 2019. The meeting highlighted the need 'to rely on secure and resilient systems' to ensure national security as military communications begin to transition to 5G.

However, military operations do not take place in a vacuum; they are, to a large extent, reliant on civilian infrastructure to function. The boundaries between civilian and military use of the internet and telecommunications networks, including 5G, are difficult to determine. The roll-out of 5G networks will increase communication speed and bring a plethora of new possibilities, such as wider adoption of the internet of things (IoT), a network of devices which depend on internet connectivity to function. With many interconnected IoT devices, from self-driving cars to smart electrical grids and from remote surgery to consumer devices, we will begin to understand that the security of IoT and our networks, as well as of end-user devices, is becoming increasingly important.

  'It is rational to demand the highest possible security assurance from 5G technology used for critical communication.' (Huawei, 5G and China as a Security Threat)

The choice of supplier of 5G network technology is a national matter which traditionally has been made by telecommunications operators. These choices have consequences for both NATO and the EU. Both organisations have added 5G security considerations to their risk assessments and mitigation measures. However, stakeholders including national governments, telecommunications service providers, technology suppliers and government, business and individual end users have different risk perceptions and appetites. The underlying principle for legislators, operators and suppliers must be to provide customers with a 'secure by design' network.

Based on the EU coordinated risk assessment of 5G network security, the EU Toolbox for 5G security has laid out a range of security measures. These initiatives provide methodologies for risk mitigation to ensure secure 5G networks are deployed across Europe. For each of the identified risks the toolbox sets out comprehensive plans for mitigation and recommends a set of both key strategic and technical measures to be taken by member states and the Commission. The strategic measures include regulatory powers, third party suppliers, diversification of suppliers, and sustainability and diversity of the 5G supply and value chain. The technical measures include baseline and 5G-specific measures for network security, requirements related to suppliers' processes and equipment, and resilience and continuity.

The CCDCOE's report on Huawei, 5G and China as a security threat describes the legal and political environment in China and the possible security implications. As Chinese companies are under a legal obligation to cooperate with domestic intelligence services, more and more countries in North America, Europe and the Asia-Pacific region have either phased out, limited or, in some cases, excluded these companies. The most notable 5G technology supplier is Huawei, which has experienced delays in the roll-out of its 5G technology. Supported by the Chinese government, Huawei provides telecommunications networks and infrastructure in many emerging markets as part of China's Belt and Road Initiative (BRI).[1] With a keen eye for long-term strategy, China will continue to compete to dominate the market for future technologies such as 6G.

Today many European countries are in the process of updating their telecommunications legislation and enforcing new regulations in accordance with the recommendations of the EU 5G Toolbox and with EU and WTO trade rules. The EU regulations are not specifically directed against China or any other country or supplier, but are a necessary legislative follow-up to the technological developments.

As companies like Ericsson and Nokia have to adhere to EU rules regarding state aid, they may not be able to compete on price with Chinese companies. With the close of 2020 it seems that countries have increasingly realised the importance of secure and resilient telecommunications to national and Alliance security and are willing to pay the price for it. With the IoT connectivity rates facilitated by 5G technology, it will also be necessary to look at the devices, applications and software on the end-user side and implement supply chain risk management measures in these areas. Again, common standards must be applied.

In 2021 the CCDCOE will launch a project looking more closely at the supply chain and network security issues related to the 5G roll-out from technological, political and legal perspectives, to facilitate a common understanding among NATO Allies and close partners.

[1] Huawei built more than half of the wireless towers, 70% of the Long-Term Evolution (LTE) mobile broadband network, and more than 50,000 km of optical cable networks in over 50 African countries. K4D: The Impact of the Belt and Road Initiative Investment in Digital Connectivity and Information and Communication Technologies on Achieving the SDGs
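Section 1 above calls for integrity checks of installed software after a compromise and for supply-chain assessment that does not rest on the supplier alone, and section 3 asks for supply chain risk management of end-user software. The Python script below is an added example illustrating both points; it is not code from this report, the CCDCOE or any vendor. It compares an installed software tree against a reference manifest of SHA-256 digests. The reference manifest is assumed to come from a source independent of the vendor's own update channel (a reproducible build, or an assessment body of the kind section 1 proposes); the file names, contents and tampering scenario are constructed for the demonstration. Checking only the vendor's signature on an update package is not the same control: the Orion update that carried SUNBURST arrived through the vendor's normal update chain and bore the vendor's own code signature, so a customer who merely verified that the package was genuinely from the vendor would have accepted it.

```python
"""Integrity check of an installed software tree against a reference manifest.

Added example, not code from the report, the CCDCOE or any vendor.
Assumption: the reference manifest was obtained independently of the
vendor's update channel (for example from a reproducible build or an
independent assessment body), so it is not controlled by whoever controls
that channel. File names and contents below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (forward-slash relative path) to its SHA-256.
    Run once on the trusted reference to produce the manifest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(reference: dict, installed: dict) -> dict:
    """Compare two manifests. 'modified' and 'unexpected' both mean the install
    is not what the reference describes; 'missing' usually means a broken
    install, but removed logging or checking components show up here too."""
    return {
        "modified": sorted(p for p in reference if p in installed and installed[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in installed),
        "unexpected": sorted(p for p in installed if p not in reference),
    }


def compare_tree(reference: dict, root: str) -> dict:
    """Hash what is actually on disk under root and diff it against reference."""
    return diff_manifests(reference, build_manifest(root))


def write_tree(root: str, files: dict) -> None:
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Constructed scenario: a reference tree and an installed copy in which one
    library was altered, a config file removed and an unlisted module added."""
    files = {  # constructed sample files, hypothetical product name
        "bin/netmon-agent": b"agent binary 1.0\n",
        "lib/netmon-core.dll": b"core library 1.0\n",
        "etc/agent.conf": b"poll_interval=60\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        reference_root = os.path.join(tmp, "reference")
        installed_root = os.path.join(tmp, "installed")
        write_tree(reference_root, files)
        write_tree(installed_root, files)
        reference = build_manifest(reference_root)

        # Simulated tampering of the installed copy only.
        with open(os.path.join(installed_root, "lib", "netmon-core.dll"), "ab") as fh:
            fh.write(b"; appended code\n")
        with open(os.path.join(installed_root, "lib", "extra-module.dll"), "wb") as fh:
            fh.write(b"unlisted module\n")
        os.remove(os.path.join(installed_root, "etc", "agent.conf"))

        return compare_tree(reference, installed_root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the check from a trusted medium (a boot image or a separate host with the disk mounted), since an attacker who controls the host can alter the checker and its manifest as easily as the software; write the result to a log kept off the host so that the log audit the report recommends has something untampered to read. The same routine applied to data directories covers the report's harder case of data that may have been manipulated, provided a trusted earlier snapshot exists.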

4. The future of AI and security

AI-enabled technology[2] has the potential to transform modern warfare. Opportunities range across a wealth of military applications, from autonomous vehicles to data processing in intelligence, decision assistance, logistics and simulation technologies. Several states have announced considerable investment in AI for defence purposes, with US AI-related R&D funding extending into billions of dollars annually and the UK announcing funding for a new AI centre. Major emerging themes are summarised below.

Fake News

The development of deepfakes[3] and natural language processing models like OpenAI's GPT-3 could have a destabilising effect on international security. GPT-3, which has 175 billion parameters, was celebrated for its scale and the computing power behind it, but the technology has also been recognised as a threat in the hands of adversarial actors. Many fear that GPT-3 and other text generators could be used to generate large quantities of fake news, as studies have shown these models can produce fake news even more convincingly than humans. It is not far-fetched to imagine a scenario in which a hostile actor uses a text generator like GPT-3 to quickly generate large amounts of fake news which could lead to a military conflict by heightening ethnic tensions or convincing a country that an attack is underway. This kind of fake news could be especially dangerous when combined with deepfakes. For instance, imagine a situation in which a hostile actor releases a deepfake showing the US President announcing a nuclear attack on North Korea, along with many AI-generated false articles discussing the attack. North Korea, fearing a debilitating strike, may launch its own ICBMs. Or imagine a situation in which an adversary generates an army of social media bots, each of which has an AI-generated deepfake profile picture and publishes AI-generated status updates containing destabilising fake news. These AI-run social media accounts would be more difficult to detect and debunk than a deepfake of a public figure. AI-generated fake news is likely to remain a major concern well into the next decade, as any attempt to detect AI manipulation risks raising the bar for attackers, making detection tools swiftly outdated.

Cybersecurity

AI also has several implications within the cyber domain: for example, detecting and mitigating threats to a network by using machine learning to detect anomalous traffic, or using machine learning in email spam filters. In a security operations centre (SOC), this allows cyber defence analysts to spend less time monitoring and more time on value-adding tasks; a significant advantage in intelligence processing and a shift that offers opportunities to improve the efficiency of national security centres and military SOCs across the world. AI may also be used offensively (through deepfakes, as explored above) or to amplify, automate or evolve cyberattacks. While still infrequent in the wild, it is likely that sophisticated actors will experiment with cutting-edge approaches, including incorporating machine learning into attack tactics, techniques and procedures. The presentation of DeepLocker in 2018 showed how machine learning may be incorporated into malware. From the concerns of a 'machine vs machine' cyber defence landscape to the vulnerabilities of an AI system to cyberattack, the cyber domain will continue to evolve at pace.

Interoperability and Collaboration

  'We want to make sure our treaty allies, partners, people that—if we're forced to go to war, we'll go to war with—that they're taking safety and responsible AI very seriously.' (Stephanie Culberson, Joint Artificial Intelligence Center, US Department of Defense)

[2] AI may refer to a wide range of techniques covering 'knowledge based' or 'data based' systems. The AI referred to in this report is predominantly a subset of current 'data based' systems: machine learning capabilities. For an accessible overview of the distinctions between subsets of AI see AI vs. Machine Learning vs. Deep Learning vs. Neural Networks: What's the Difference? and A beginner's guide to artificial intelligence, machine learning, and cognitive computing.
[3] Deepfakes are 'AI-generated fake videos or audio recordings that look and sound like the real thing. They leverage powerful techniques from machine learning (ML) and artificial intelligence (AI) called deep learning to manipulate or create visual and audio content'. Tessian: Deepfakes: What are They and Why are They a Threat?

NATO is one potential platform through which Allies may choose to cooperate on military innovation, beyond a number of active collaborative projects between smaller groups of states; for example, France, Greece, Italy and Spain have worked together to develop the nEUROn demonstrator UAV, which has several autonomous capabilities.

  'There are considerable benefits of setting up a transatlantic digital community cooperating on Artificial Intelligence (AI) and emerging and disruptive technologies, where NATO can play a key role as a facilitator for innovation and exchange' (NATO Deputy Secretary General Mircea Geoană)

In September 2020, the US held a two-day dialogue termed the 'AI Partnership for Defense', inviting delegations from 12 other partner nations including the UK, Canada and Australia. Core to the Partnership was the theme of interoperability between Allies, particularly aspects such as data-sharing and development. Mark Beall, the Joint Artificial Intelligence Center's Head of Strategy, has stated that he expects the Partnership to grow as more states prove willing to collaborate with the US to 'shape what responsible AI looks like'. To date, the US is the only state with public Department of Defense Ethical Principles for Artificial Intelligence, in an area in which international norms and approaches have yet to reach any formal consensus.

5. Ransomware attacks in 2020

In recent years, ransomware attacks have become one of the most common threats. The number of ransomware attacks continued to rise during 2020, with a large number of incidents reported in open sources. The COVID-19 pandemic was the most significant event of 2020 and played a considerable role.

Spring 2020 saw a rise in COVID-19-themed attacker campaigns, with emails frequently referring to the pandemic – for example, pretending to offer important updates – to encourage recipients to open a link. Themed emails proved a lucrative way for attackers to deliver their ransomware 'product' to a large number of victims. As mentioned above, the COVID-19 pandemic made vaccine development and healthcare organisations common targets for ransomware attacks, whereas commercial targets (private users, organisations, industrial systems) had been more common in previous years.

There could be several reasons why attackers changed their focus toward healthcare providers and facilities. The first is financial: perpetrators may have assumed that hospitals would be more willing than usual to pay a ransom, as they were a basic element of the fight against the pandemic and the need to restore the functionality of their systems was extraordinary. Another motivation could be simply to paralyse hospitals, cause more harm and prolong the pandemic so as to inflict greater economic losses and a deeper crisis. With research organisations developing vaccines, one likely motivation was for the attacks to slow down research and disadvantage victims in the vaccine development race. The characteristics of the perpetrators thus correspond to both criminals and state-sponsored actors. Involvement of some states has already been reported.

The available analysis shows that a range of vulnerabilities was exploited to deploy ransomware during the attacks, including vulnerabilities in browsers, remote access tools and browser plugins. It is thus difficult to formulate one recommendation effective against all attacks. Since attackers increasingly do not just encrypt data but also steal files and threaten to disclose them, backups are not sufficient to protect against the threat. Perhaps only a responsible approach to patch management combined with advanced technical security solutions can help. Some governmental entities have also introduced another way to mitigate ransomware activities – a recommendation not to pay the ransom, and thus to reduce attackers' profit and discourage them from continuing other harmful activities. Throughout 2020, the attention of these attackers appears to have been focused heavily on the healthcare sector, but if the attacks were to be directed against military targets, the same problems can be expected, as the level of technology, personnel and finance is usually the same or similar across the public administration.

For guidance on how to prevent or mitigate ransomware attacks please refer to CCDCOE Library products including the Malware Reverse Engineering Handbook. This gives an overview of how to analyse malware executables that are targeting the Windows

                                                                                                    6
platform and presents the most common techniques used in malware investigation, including setting up a lab environment, network analysis, behavioural analysis and static and dynamic code analysis. The reader will become familiar with disassemblers, debuggers, sandboxes and system and network monitoring tools. Tips learned from the handbook do not protect before an attack but can provide useful information about malicious code, including what vulnerability was exploited, what kind of data the malicious code interacted with, and information about persistence and encryption.

A similar product, the Cyber Investigator’s Handbook, is scheduled for 2021. It will provide the cyber community with guidelines on managing and handling an incident. Topics from incident response, forensics, malware analysis and network monitoring will be covered. The handbook should support and speed up the analysis of and response to an incident and help prevent any reinvasion.

6. Critical infrastructure: a focal point for attacks in 2020

Last year was shaped by an increase in cyber events against critical infrastructure (CI). From the political to the tactical level, different organisations have stressed the importance of the protection of CI. The COVID-19 pandemic has opened possibilities for malicious actors to target critical infrastructure including, for example, the rise of ransomware attacks against German and US hospitals covered in previous issues. Teleworking, spear-phishing and defacement have presented opportunities for malicious actors to disrupt or to get control of IT, operational technology (OT)4 and industrial control systems (ICS). These examples underline the need for enforcing best practices to defend networks and improve cooperation between stakeholders.

‘There is no difference between civilian security and military strength, they’re one and the same.’ (Building transatlantic resilience: Why critical infrastructure is a matter of national security)

Attacks against CI may have political implications. Both NATO and EU leaders have stated that harming CI is unacceptable and that partners and allies will stand in unity against such malicious activities. The US National Security Agency (NSA) has warned of a perfect storm as a consequence of the remote management of systems, decentralised workforces, expanded outsourcing and outdated software. Cyberspace is not limited by geographical boundaries, and the resulting interconnectivity and interdependency between friendly and hostile networks and systems provide many vectors for CI attacks.

CI attacks need sophisticated planning and resources. Although the general orientation of the cybercriminal is that of financial enrichment through utility providers,5 the main threats against CI could be categorised as advanced persistent threats (APT),6 mercenaries and possibly state-backed proxies. According to Microsoft, state actors often target non-governmental organisations and there has been an increase in cyberattacks against IT service providers. A recent example of this, although not directly against CI, is the SolarWinds supply chain compromise discussed above, where a private company was attacked in order to breach the government’s protected IT systems. It can be assumed that APTs have some reservations about disclosing and using much of the information they have about state networks and critical infrastructure, as this may have its usefulness on a later and probably more serious occasion. In the meantime, the most attacked critical infrastructure sector is ICT infrastructure.7

4 Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Programmable Logic Controllers (PLC) etc.
5 For example, see Recent Cyber Events #6, October 2020.
6 Meanwhile the Microsoft Digital Defence Report from September 2020 states: ‘Interestingly, nation state activity is significantly more likely to target organisations outside of the critical infrastructure sectors. The most frequently targeted sector has been non-governmental organisations (NGOs), such as advocacy groups, human rights organisations, non-profit organisations and think tanks focused on public policy, international affairs, or security.’
7 ‘Within the critical infrastructure sectors, targeting of IT organisations represents over 60% of nation state activity, followed by commercial facilities, critical manufacturing, financial services, and the defense industrial base.’ Microsoft Digital Defence Report from September 2020 (p 46)
2020 highlighted how cyberattacks can take shape in a conflict situation. The Nagorno-Karabakh conflict showed that CI attacks can be used to inflict distress on governments and populations, a practice in line with the ideas of military theorists such as Douhet and Trenchard, who depicted a quick victory through inflicting damage on the morale of society as a whole. The situation also raises questions about the protection of society as a whole and what the military’s role should be in times of crisis and in the protection of national critical infrastructure.

2020 saw a fusion of criminal activity with the tactical use of cyber elements. Examples of this are high-profile attacks against water treatment plants in Israel, where reports state that attackers attempted to change the injection of treatment chemicals to unsafe levels. According to media sources, Iranian cyber actors were behind this attack. These types of incidents can lead to casualties within the population8 and, in a military context, may directly impact the execution of operations because of the fundamental reliance on civilian critical infrastructure, while also raising legal questions.

The Iranian port of Shahid Rajaee was the victim of a cyberattack in May. The attack caused significant disruption to port traffic that lasted at least several days. In this case, the media reported that Israel was behind the attack. Ports, railroads, airports, locks and bridges are critical to military mobility; all depend on cyber infrastructure in one way or another and all are vulnerable to cyberattack.

Although there may be no active disruptive attacks against NATO’s or allies’ critical infrastructure at the moment, compromises that are part of preparations for such attacks may be ongoing. German intelligence and security agencies have reportedly warned about the activities of the Russian-linked hacking group ‘Berserk Bear’ against companies in the energy, water and power sectors. Such attacks could include reconnaissance and getting and maintaining a foothold for future operations in the targeted infrastructure.9

Attacks against civilian infrastructure will potentially affect military operations. It is a national security interest to protect critical infrastructure, as this is a foundation for both civilian and military capabilities and will be targeted using cyber means in a hybrid conflict. Besides good business continuity and disaster recovery plans, it is necessary to invest in training, exercises and effective information sharing between military and civilian actors.10

In light of the distribution of the COVID-19 vaccine in 2021, it is becoming important to assure the cybersecurity of the full distribution network. In some countries, distribution has been entrusted to military authorities, which requires, besides setting up a sophisticated logistical system, consideration of supply chain security from a cyber perspective.

It is therefore important to think about the protection of mobility and lines of communication, as these will give access to the Joint Operations Area (JOA) and keep open timely support options when needed. It is specifically relevant in the context of Anti-Access/Area Denial (A2AD) situations where a new paradigm of multi-domain operations takes place.

Finally, the meaning of what can be categorised as critical infrastructure may have changed. Critical infrastructures have so far been defined primarily by their property of ensuring the maintenance of the functioning of society. Facilities not previously listed as critical infrastructure, such as research institutions and even grocery stores, could be added to the list because of their essential nature and the fact that they have become targets. Malicious actors not only intend to spy but also to sabotage research and development. The COVID-19 outbreak showed where societies are weakest and pointed to the crisis that could hit society and the military hardest.11 Collecting various types of infrastructure under the term critical infrastructure raises the question of whether there is a scientifically sound reason for this or whether it is just done for the sake of assuring a certain level of cybersecurity. It can always be argued, however, that even if all are not critical, the need for protection is essential.

An in-depth and practical perspective on the subject is provided in the Cyber Commanders’ Handbook published by the CCDCOE. In the future, an Incident Responders’ Handbook will also be available, which is particularly relevant for critical and essential infrastructures.

8 See the public discourse on the September 2020 ransomware attack on a German hospital and on whether the death was a casualty of a cyber-attack, for example AP News: German hospital hacked, patient taken to another city dies
9 Recent Cyber Events #3, June 2020 (p 5)
10 For more see Bigelow in 11th International Conference on Cyber Conflict: Silent Battle proceedings (p 191)
11 See also Recent Cyber Events #2, May 2020 (p 5)

7. 2020: Conclusions from the accelerated digitalisation and the digital workspace

NATO and nations have been talking about a digital transformation for years, and yet 2020 showed us that we were unprepared. Even though global digitalisation took a significant jump forward, it is safe to say that the majority of organisations, ranging from the NATO Command Structure to COEs, had not accounted for the extensive dependency on IT services needed for business continuity and the additional resources and training this would require.

When a crisis such as the COVID-19 pandemic hits, having contingency plans to ensure business continuity is essential. In a very short time, organisations all over the world had to make a swift transition from familiar face-to-face meetings and extensive travel to the home office and online meetings.

A vast range of challenges arises when a crisis forces a transition. There are budgetary concerns, questions of what tools, platforms and training are required, and every challenge needs to be met while time is of the essence. While trying to identify and meet the needs of the organisation, the change needs to be balanced against the need for a compatible solution that does not violate security protocol and leave the organisation open to new vulnerabilities.

Looking at the CCDCOE’s handling of the situation allows parallels to be drawn with other organisations and companies that faced similar challenges over the past year. In the following paragraphs, conclusions are drawn from the accumulated experience of the Centre’s lessons learned process and from observations about the change of format from a physical conference to an online conference, in order to put them in perspective with emerging cyber trends during the pandemic.

Travel had become an integral part of the way we conduct our daily business and had been taken for granted. As soon as the COVID-19 outbreak put an abrupt stop to business travel, many organisations searched for effective ways to substitute travelling and in-person meetings. Thus, connectivity became the number one priority. In 2020, the conduct of business changed significantly as the home office and online meetings overtook face-to-face meetings.

With a new way of working, new issues arise: new platforms and new collaboration tools, all introduced on the go with little or no training. Many organisations quickly acquired their own platforms or relied on third-party services, raising questions of trust and security. With a lack of training for the new working environment, we put ourselves at risk: the absence of an online mindset is followed by a deficiency of awareness of implicit vulnerabilities.

Key takeaways from the lessons learned these past months have been the importance of a well-established information management system at the workplace that covers all environments, and the importance of providing training and supporting the development of an ‘online mindset’. Crises require quick reaction, but security issues should not be neglected. In the best case, a flexible system is in place that allows for change in times of crisis, while in less optimal cases, course corrections must be made based on the problems identified.

Another central theme for 2020 was trial and error: for the Cyberspace Operations Discipline, which the CCDCOE is leading, organising a big yearly event such as the Annual Discipline Conference fully virtually was an excellent opportunity to learn how to cope in this reality. The lessons identified during the process also apply to online meetings and learning. Two central and sequential challenges that needed to be addressed were platform security issues, including whether a connection can be established at all, and how to bring the community together in the virtual space.

Moving online was shaped by the importance of re-designing the content for the medium, mainly keeping it short and simple. In the online environment, less is more. This means shorter sessions, fewer slides, and fewer participants if discussion is desired. There is no easier way to lose a virtual audience than to neglect the need to be extra engaging on your side of the screen. 2020 has not only made us acquire numerous new platforms but
has also made many of us learn new ways of presenting ourselves.

Looking into the future, it is important not to dismiss the security concerns emerging from the IT tools and processes we use, but to agree on a compromise between usability and security and to anticipate the next crisis with a readiness plan to remain operational and responsive. This means asking the hard questions upfront and learning from this crisis to avoid repeating issues and mistakes. Central questions that emerged during this pandemic were: ‘Does my video-teleconferencing tool work for communication with colleagues outside my organisation?’ and ‘Can I access necessary documents from outside networks?’ This calls for establishing clear security policies on whether and how third-party and off-premise technology and software may be used, and for building the capability to fall back on tools and services during a crisis by implementing dual-use possibilities for everyday equipment and services, factoring in usability outside the traditional office setting while remaining secure.

Previous issues
This paper is part of a series of monthly
reports. This issue as well as all previous
issues are available in the CCDCOE online
library.

Feedback
To continuously improve this regular report,
input from readers is essential. CCDCOE
encourages feedback on both how the reports
are of use to you and how you think they can
be made better.
Please send your comments and suggestions
to feedback@ccdcoe.org
