In recent years, the US and NATO have begun to incorporate some innovative new cyberwarfare games and exercises into their annual wargames.
But there is something missing.
If the US and NATO want to see what nation-state hacking is like in the chaotic multi-actor online world, they need to practice fending off some actual hackers.
In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1000 participants and observers from 33 states.
Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as the defence against a cyberattack on a NATO member state’s critical infrastructure.
NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.
This was a wonderful opportunity that NATO mostly seized.
Moving the games online meant that every connection, every network, every target machine could be tested at realistic and differing levels of vulnerability.
But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic.
The most recent US Treasury and Commerce Department hacks and the still developing US National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.
Wargames have been used for centuries as a way to train and improve on military strategy.
NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning.
However, retrofitting the two traditional wargaming models — either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns — into cyberspace simulations just does not work.
In cyberspace, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics with global focus.
Multiple battle fronts are possible and physical logistics is no longer a major issue.
The reality of the online world is much more chaotic than the NATO simulations presume.
There are independent actors, cybercriminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent (AI) tools that can automate overwhelming attacks based on leaked personal data and react in milliseconds.
Unfortunately, NATO does not include non-state actors in the annual cybergames.
This creates three problems.
First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country.
Savvy nation states will use whatever low-cost (read cheap and nasty) hacks they can find, make, borrow, buy, or steal, especially to distance themselves from conflicts.
Second – and crucially – defending cyberspace requires people who think differently.
Even the US Government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realising that traditional information technology education does not produce innovative offensive security researchers.
Limiting contributions to active military and public sector employees will result in a certain amount of groupthink.
It is critical for NATO to include non-state actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).
Third, we in the cybersecurity industry have been long aware that medical facilities and research stations have not only been fair game, but the primary targets of international cyber attacks for years.
After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry predicted repeatedly that vaccine production would be targeted by nation-state actors, and we are now seeing evidence in recently reported successful espionage attacks on Pfizer and BioNTech facilities that we were correct.
NATO should include in their cybergames the kinds of urgent current events we are already seeing play out in the news and adapt strategies accordingly.
In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers.
In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway.
NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all until real-world Russia actively began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.
Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons – and managing their air, water, fuel, targeting, and health – were not permissible targets in this engagement.
Russia’s behavior highlighted the absurdity of NATO excluding cyberspace from conflict simulations.
Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.
Recent attacks on vaccine production facilities show how failing to model cyberattacks appropriately will come back to bite you, and we predict that medical facilities will continue to be a popular target for cyberattackers in the future.
Therefore it is recommended that military and government cyberdefence forces should use hackers’ skills and non-institutional creativity to help predict attacker tactics and devise cyberdefense policies and procedures.
Cyberwar is relatively new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, laterally, strangely, and innovatively with the assistance of cybersecurity experts.
The international information security community is filled with smart people who are not in a military structure, many of whom may be interested to pose as independent actors in any upcoming wargames.
Including them would increase the reality of the game and the skills of the soldiers building and training on these networks.
Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.
I haven’t even considered the internet of things (IoT) devices which saturate these countries and leave major cybersecurity backdoors into the network.
Diversity of thought leads to better solutions.
Information security experts strongly support the involvement of fringe nonmilitary experts in the development and testing of future cyberwar scenarios.
We are hopeful that independent experts, many of whom may see sharing their skills as public service, would view participation in these cybergames as a challenge and agree to participate.
Ransomware gangs made at least $US350 million ($F715.58m) in 2020.
This represents a 300 per cent increase over ransomware payments recorded in 2019.
This was confirmed by blockchain global analysis firm Chainalysis, who tracked and recorded transactions to blockchain addresses linked to ransomware attacks.
However, this figure is on the low end as not all victims disclosed their ransomware attacks and subsequent payments last year, with the real total suspected of exceeding $US1 billion ($F2.04b).
A key finding of the report was that many cybercriminal operations, and not only ransomware, often reused the same intermediary money laundering services.
A group of only five cryptocurrency exchange portals received 80 per cent of all ransomware funds in 2020, and this is where law enforcement and central banks should concentrate their cybercrime investigations and AML/CFT efforts in future to disrupt or track the crucial cash flow of ransomware and other cybercriminal operations.
Hence heeding sage advice from Sun Tzu, “the supreme art of war is to subdue the enemy without fighting”.
As always, you all be blessed, stay safe and well in both digital and physical worlds.
- Ilaitia B Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com


