Back in late April, with the world’s media distracted by the COVID-19 pandemic and businesses desperately trying to improve their remote desktop security, a number of cyberattacks in the Middle East showed us what the future of cyberwarfare might be.
Up until now, states have consistently denied responsibility for such cyberattacks, no matter how transparent it was that they were the culprits. In addition, there appears to be a new willingness for states to use their cyberweapons to go after private businesses, rather than military targets.
In this article, we’ll look at what these new attacks mean for cybersecurity, and why they were so surprising to those of us who have spent a lifetime in the business. We'll then share some tips on what you need to do to protect yourself against this new breed of attack, not just by preventing social engineering but also by securing your multi-OS environments against intrusion.
About the author
Sam Bocetta is a cybersecurity coordinator and a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.
The Good Old Days
In order to understand why the recent attacks are so surprising, it’s worth considering how cyberwarfare worked in “the good old days”. Twenty years ago (or even a decade ago), there was a widespread view that the value of state-sponsored cyberattacks was their deniability. Even where it was obvious to everyone that an attack had been sponsored by a state, and directed against another, such states remained staunchly opposed to accepting responsibility for them. This approach was seen, for instance, in the attacks that Russia launched against the Ukrainian power grid back in 2016.
This approach was informed by two interrelated factors. The first was that no one was sure whether the concept of “cyber-deterrence” was a safe one. While cyberattacks can be used to show the power and expertise of a state, and potentially dissuade other states from launching preemptive attacks, it was also feared that such “demonstrative” displays of power would quickly lead to other forms of retaliation, including orthodox military force.
The second consideration, linked to the first, was that there remain no international rules governing the legality of state-sponsored cyberattacks. This means that the cyber-theater is dangerously open to rogue states launching cyberattacks with no regard for the consequences. The fear of escalation meant that there was an unspoken agreement between states that attacks would be denied.
The Changing Face of Cyberwarfare
All of this appears to be changing. The attacks launched in April by Iran and Israel were surprising for a number of reasons, all of which indicate that the future of cyberwarfare will be different from the past.
The first is that responsibility for the attacks was (implicitly) claimed by the states involved. It seems, in other words, that we are now in a world where states no longer feel the need to hide their capabilities and intent when it comes to cyberwar.
Second, there is the fact that both attacks were directed at commercial targets. For many years, there has been an unspoken agreement that the targets of state-sponsored attacks should be limited to governmental or military installations. It appears that this is no longer the case; apparently, commercial targets are now “fair game”.
In some ways, this shift should not be surprising. When it comes to cyberwarfare, the line between “combatant” and “noncombatant” has been increasingly blurry for some time now. The most obvious example of this is the new techniques that have accompanied the rise of hacking in Asia. Instead of going for military targets, China appears to be taking advantage of citizens’ desire to use a VPN to hide their identity, turning this against them by forcing VPN companies to share personal details. For this reason, say some analysts, VPNs may undermine privacy instead of protecting it.
What It Means for You
It might seem that the world of international cyberwarfare is quite distant from your own, but that is no longer the case. In its 2020 Global Risks Report, for instance, the World Economic Forum ranked cyberattacks among the top 10 risks in terms of likelihood and impact for small businesses.
In addition to the increased likelihood of attacks, cyberattacks will also come through new channels. Tom Steinkopf, writing in Forbes, has pointed out that ransomware has risen sharply in the past year, as governments use for-hire hackers to steal IP. The continued rise of the IoT also offers an opportunity for hackers, because the 20 billion devices that are connected to the Internet now present a larger attack surface than human users.
For most companies, protecting systems against cyberwarfare will mean returning to the principles, techniques, and tools that have long been the keystones of cybersecurity. Given that 94% of malware is still delivered by email, though, one factor should take precedence: staff training. Employees, particularly in companies dealing with high-value IP, should be taught to hide their IP address whenever they are online and to spot the signs of a phishing attack as soon as they appear.
The Future
It might seem strange, in an article on international cyberwarfare, to end with a warning about phishing. But it is also worthwhile recognizing that not everything about the threat landscape has changed in the past few months. Governments seem more comfortable with admitting responsibility for attacks, and they seem more willing to target commercial businesses, but these attacks are still being deployed through the same methods they were back in “the good old days”: tricking employees into giving access to malicious actors.
For that reason, my advice for the coming year is not that different from the advice I’ve been dispensing for decades: educating your users is still the best defense you have against cyberattacks, whether these are state-sponsored or not.