An essay on the future of cyber warfare, with predictions on what it may look like and a brief look at Australia’s policy response to these threats.
Science fiction novelist William Gibson once said, “The future is already here. It’s just not evenly distributed.” The same is true of the future of cyberwarfare. The technology and techniques to wage cyberwarfare already exist, but we have yet to see widespread use by governments. By investigating the forefront of technology and developments in geopolitical cyberconflict, we may be able to predict what the future of cyberwarfare might look like. Cyberspace is often called the fifth domain of warfare. The fifth domain is a virtual realm, unlike the traditional domains of land, sea, air and space. The digital revolution has seen “software eat the world”, meaning that computer systems in virtual space can be manipulated to cause consequences in the traditional realms. States such as China and Russia lead the way in Advanced Persistent Threat (APT) groups and cyberwarfare. Unlike traditional warfare, cyberwarfare often occurs in what is called “the gr[e]y zone… where coercion is used to achieve national objectives below the threshold of war” (Cohen et al., 2020, p. 21). Russia is a brazen grey zone combatant with Ukraine and can offer insights into what the future of cyberwarfare might look like for western nations. There are three areas of cyberwarfare that are predicted to be important focus areas in future cyber operations. They are cyber-sabotage, information operations and cyber-espionage (Cohen et al., 2020). This essay will review current trends in these areas, offer predictions based on these trends, and look at how these focus areas may exploit future technologies. It will critically evaluate Rid’s (2012) fictional cyberwarfare scenario in his seminal paper Cyber War Will Not Take Place to show that cyberwar is, in fact, taking place, and use this exposition as a way of discussing future cyberwarfare trends.
Kinetic cyber warfare and cyber-sabotage
In Rid’s (2012) paper, the cyberwarfare doomsday scenario was meant to be an example of cyber-kinetic warfare and cyber-sabotage so obscene it was called science fiction. Its purpose was to convince the reader that such a scenario would be impossible and that even if such attacks could take place they could not exceed the harm of a “small physical attack”. But is it impossible? Rid describes a scenario where China launches coordinated cyber-attacks against the United States (US) in response to a political crisis, leading to widespread panic, death and economic collapse. The attacks described were:
- Hacking into Industrial Control Systems (ICS) to cause electrical grid blackouts, crash trains and trigger nuclear power plant meltdowns.
- Sabotaging financial institutions’ information systems on a massive scale, causing data loss.
- Destroying air traffic control systems, leaving hundreds of planes mid-air without communication.
- Rendering military units defenceless.
What was considered fiction less than ten years ago is today a reality. Almost all of the events described in Rid’s scenario have occurred in some shape or form as a cyberattack, most of which have been attributed to state-based actors. However, there has been no single incident in which all of these attacks occurred concurrently, nor any attack with confirmed human casualties. The single event that comes close to the scenario was the 2017 NotPetya ransomware attack by Russia against Ukraine in their ongoing grey-zone war. On the 27th of June 2017, Russia assassinated the Ukrainian Chief Directorate of Intelligence in a car bomb attack and released the NotPetya ransomware. The ransomware came via a backdoor in a Ukrainian accounting software package (MEDoc), a suspected supply-chain attack. It hit four hospitals, six power companies, twenty-two banks, government departments, railways, two airports including their traffic control systems, Chernobyl’s radiation monitoring system, and at least 1500 businesses. It quickly spread beyond Ukraine to cause global havoc. NotPetya has since been attributed to Russia, although Russia vehemently denies it. The global cost of NotPetya was estimated at US$10 billion, far beyond the financial damage a small physical attack could have caused.
1. Hacking Industrial Control Systems (ICS)
There were no reported deaths in the Russian NotPetya attack, which infected critical infrastructure in Ukraine, including six power companies. There were also no reported blackouts. However, there have been other Russian cyberattacks against Ukraine, causing blackouts in 2015 and 2016.
In December 2015, two days before Christmas, Russia carried out a cyberattack against three separate electrical distribution companies in Ukraine, leaving approximately 250,000 people without power for up to 6 hours. Multiple US agencies, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), helped with the investigation into the attack and were quoted as saying that in many instances the security of the Ukrainian power grid operators was better than that of operators in the US.
In December 2016, 11 days before Christmas, Russia struck again in what has been described as a much more sophisticated attack, whereby malware targeting Honeywell and Siemens ICSes set off automated sequences to cut off power. Security researchers said the malware payloads had programmed capabilities that could have gone further, such as permanently destroying diesel generators or overriding surge controls to permanently damage grid hardware. Russia’s restraint in the attack shows that they were toying with Ukraine and possibly using it as a testbed to discover what might be possible in attacks against other nations.
A recent US ransomware attack saw the major east coast oil pipeline shut down for eleven days, causing fuel shortages and widespread consumer panic. Although the attack was not directly state-sponsored, the hacking group responsible (Darkside) provides a ransomware-as-a-service toolkit and operates in Russia under the “benign neglect of Russian authorities”. The Darkside ransomware is designed to avoid attacking computers in the twelve Commonwealth of Independent States (CIS Charter States) such as Russia, Armenia, Belarus, and Syria by checking the installed operating system languages.
To date, there have been no confirmed reports of ICS hacking directly causing deaths, apart from the 1982 Russian pipeline explosion, although, according to Rid (2012), there is little evidence it ever occurred. The “first verified human casualties of a[n] [industrial] control system” were said to have occurred in Washington State (US) in 1999, where a mixture of poor system design and possibly human error caused a water pipeline to rupture, flooding local creeks, causing two deaths and injuring eight others. Surprisingly, the writer was unable to find any reports of deaths during the 2015 or 2016 Ukraine blackouts, which is astonishing considering the attacks were carried out in the middle of winter in December, when Kiev’s maximum temperature is 0°C.
There have been no cyber-initiated nuclear meltdowns, although in the 2017 NotPetya attacks the system which monitors radiation at Chernobyl went offline and had to be monitored manually for several days. Considering the capabilities displayed in the Stuxnet incident, and given that the US has 56 nuclear power plants with an average age of 39 years, a sophisticated cyberattack is well within the realm of possibility.
2. Attacking financial institutions on a massive scale causing data loss.
The idea that financial institutions losing their data on a massive scale could cause economic disruption is explored in the Chuck Palahniuk novel (and later film) Fight Club. The theory is that if financial institutions lose the data that holds credit information, everyone’s debt would be reset to zero, plunging the country into economic chaos. The successful disruption of financial institutions on a large scale is yet to be seen outside of Ukraine’s NotPetya incident. Although no permanent data loss was reported in the Ukrainian incident, many of the banks were offline for weeks. Outside of Ukraine, there are many examples of Distributed Denial of Service (DDoS) attacks against financial institutions. There was a week-long attack in 2012 against six major US banks leading to customer frustration with intermittent failures of services, and the New Zealand Stock Exchange DDoS attacks which took trading offline for five hours over two days in August 2020. In Australia, hedge fund Levitas Capital was forced to shut down last year after losing $8.7 million in a business email compromise (BEC) fraud; the loss made other investors nervous, they withdrew their funds, and the fund collapsed.
In the future, if the adoption of virtual currencies using blockchain (such as cryptocurrencies) becomes an accepted norm for use in everyday transactions, it may become a target for state-based actors attempting to cause economic disruption. There have been multiple so-called 51% attacks carried out against cryptocurrencies such as Bitcoin Gold and Ethereum Classic. State-based actors in the future may also develop quantum computing able to crack private keys of cryptocurrency wallets to steal funds and disrupt the economy.
3. Destroying air-traffic control systems
The idea of hackers breaking into air traffic control systems and directing aeroplanes into buildings in a cyber 9/11 attack is a common fictional scenario in television and film. No such events have taken place in reality. During the 2017 NotPetya attacks, two airports in Ukraine shut down, including their air traffic control systems, although no deaths were reported. The reason for this may have to do with the types of systems used by civil aviation, which rely on non-digital equipment such as radar and radio communications. Humans still make direct contact with pilots over the radio, and although “hackers” have broken into air traffic control radio systems and attempted to give pilots bogus instructions, none have been successful. With existing systems being old, the US Federal Aviation Administration (FAA) embarked on a modernisation program in 2007 called NextGen, with all components to be in place by 2025. Research by Weiland and Wei (2018) into the security of NextGen shows that it introduces many new risks, mainly to do with going from a radar-based system to a network-based GPS system. With NextGen there is a real possibility that planes could be hijacked by jamming, spoofing or authentication attacks. A Canadian security researcher also claims that NextGen ADS-B signals are susceptible to spoofing and that fake ghost planes could be created on an air traffic controller’s screens to confuse them. Although not contemplated by Rid in his fictional scenario, researchers have successfully hijacked consumer drones using A-GPS spoofing. With the increased commercial adoption of Unmanned Aerial Vehicles (UAVs) in transport, agriculture, construction and mining, there is plenty of scope for abuse of UAVs to create kinetic cyberwarfare. The recent Australian Department of Defence report described a scenario of adversaries “hacking into autonomous vehicles or drones to cause road crashes or ignite bushfires”.
4. Attacks against military units
At present, the best example of an attack against military units was Operation Orchard by the Israeli Air Force (IAF). They used a combination of cyber-sabotage with traditional kinetic force. On 6 September 2007, the IAF bombed a suspected nuclear reactor site in Northern Syria. The Russian-made Syrian air defence system failed to detect an entire squadron of warplanes during the attack because of an Israeli “kill switch” planted in the system.
In 2008 Iraqi insurgents were found to be tapping into Predator and Reaper drone feeds “using a piece of $26 software”. The drones were openly broadcasting video feeds without encryption. In 2011 there were reports that the US Predator and Reaper drones were hit with a computer virus that was “logging pilots every keystroke”. Although specific details were never released, the virus persisted for two weeks after it was detected and kept coming back. For these reasons, and the A-GPS attacks described in the previous section, a future cyber-attack may be a nation-state hijacking a military drone and using it for an attack, or stealing the drone and reverse engineering it to acquire the enemy’s technology.
In the future, military personnel will be “hyper-enabled”, wearing body armour with augmented reality (AR) or mixed reality (MR) headsets. Since 2013 the US Special Operations Command has been developing a robotic exoskeleton for troops called the Tactical Assault Light Operator Suit (TALOS). TALOS is designed to increase situational awareness and improve the speed of decision making. AR/MR features will highlight enemies and objectives. The AR/MR is powered by Artificial Intelligence (AI), and TALOS is cloud-connected. The system can even run over civilian networks if defence networks are unavailable. With TALOS having such a high dependence on cloud connectivity and the possibility of running over civilian networks, this introduces the possibility of hacking TALOS, or at least DDoSing it. Another weakness is its use of AI. AI, especially neural-network image recognition, is susceptible to adversarial AI techniques, which could be used to fool TALOS.
Other future attacks against military personnel, and possibly even civilians or high-profile politicians, could be hacking biomedical devices. Today, the most common biomedical devices are pacemakers and heart pumps or ventricular assist devices (VADs). These small electromechanical devices are implanted in patients to keep them alive. The devices are sophisticated enough to have firmware and wireless access for control settings and for firmware updates. Former US Vice President Dick Cheney, who had a pacemaker implanted in 2007, was so concerned about the wireless capabilities being hacked and used to assassinate him that he had the wireless access disabled. In 2013 security research firm MedSec discovered security vulnerabilities in six types of pacemakers that led to the recall of 465,000 devices that were implanted. Luckily the fix was a firmware update.
Other devices such as cochlear implants, retinal implants and neuroprosthetics are already on the market. In the future, these medical technologies could be used to give military personnel superhuman powers of hearing, vision and strength. Devices that do not exist yet could be used for brain-memory enhancement and computer-brain interfaces. These biomedical devices will require firmware or an operating system, which means additional attack vectors for hacking and misuse by state-based actors or terrorists.
In Australia, the government has passed the Security of Critical Infrastructure Act 2018 (Cth), putting positive obligations on critical infrastructure operators (such as power grids, gas and hospitals) to maintain asset registers, and obliging operators to collaborate with governments and notify them regarding security events and risks. There is currently an amendment to this Act, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), which adds further positive obligations on operators to have incident response plans, participate in “cyber exercises” and undergo compulsory vulnerability assessments. Interestingly, whilst water, gas, electricity and maritime port infrastructure are considered “critical infrastructure” under the Act, airports are not.
Cyber-subversion and Information Operations
Information operations are a form of psychological warfare. It is the art of spreading false or misleading information to gain a competitive advantage over an adversary. “Human minds are the targets, not machines” (Rid 2012). Rid classifies information operations as the offensive activity of subversion, which is the “deliberate attempt to undermine the authority [or] integrity …of a society’s established government.” Traditionally, subversion would mean dropping propaganda leaflets by air. Leaflet drops were used on a large scale in both World War I and II. Since then, the internet has replaced the printing press in distributing information and consequently has become the ideal vector for subversion. Russia is no stranger to information operations. The Soviet Union called them Active Measures, and the Communist Party was the master of it. During the 2016 US Presidential Elections, Russian troll farms were said to have created 80,000 Facebook posts, 131,000 tweets and 1,000 YouTube videos of divisive social and political content (Klimburg, 2018). The messages were intended to influence the outcome of the 2016 election. Estimates are that on Facebook alone, these messages reached 126 million Americans. In addition to the troll farms, in a cyber-espionage operation, Russian APT group Fancy Bear stole over 25,000 emails from the Democratic National Committee (DNC) and published them on Wikileaks shortly before the 2016 elections in an effort to prevent Hillary Clinton from being elected to office. In the first nine months of 2020, Facebook claims that it blocked 4.5 billion bot accounts, although manually created fakes still pose a problem. In an attempt to self-regulate (possibly in fear of government-imposed regulation) and to limit foreign political interference, Facebook banned political advertising and posts a week before polling day in the 2020 US election.
While information operations today are limited to text and images, future information operations will use AI-backed technology to create deep fake audio and video. Furthermore, deep fakes can be generated in real time, meaning they can be used to interact with people in live streams. The recent Australian Department of Defence report suggests a possible future scenario where “the prime minister is hit by a corruption scandal over payments into his or her bank account, while mass distrust and confusion are sewn by deep fake videos of leaders”. The possibilities for adversarial states, terrorists, or even political opponents creating deep fakes are limitless. Suggestions by Chesney & Citron include:
- Politicians taking bribes, being racist or adulterous, being in places they have never been, doing things they have never done.
- Soldiers murdering civilians.
- Officials announcing impending missile strikes or pandemics.
Furthermore, even if the subversion created by deep fakes is not believed, the effect of fake news lowering the signal-to-noise ratio of public information means that it will destroy public trust in government, as citizens no longer know what to believe.
Globally, regulators have been slow to respond to the threat of fake news. In Australia, amendments to the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (Cth) could apply to persons who weaponise fake news. However, it is difficult to see how such laws would be effective against internet trolls in Russia. With the impending torrent of deep fakes, it would be advisable for governments to fund research into deep fake detection so that fakes can be identified and removed from social media.
Cyber-espionage
Espionage is “penetrat[ing] an adversarial system for purposes of extracting sensitive or protected information” (Rid, 2012, p. 20). Cyber-espionage intelligence gathering can also be used to support cyber-sabotage and information operations. Since at least the turn of the century, China has embarked upon a massive cyber-espionage campaign against western democracies. China’s espionage does not distinguish between governmental or commercial interests. Its cyber-espionage program has been so successful in stealing western intellectual property (IP) that it has been called “the greatest transfer of wealth in human history.” In an effort to stem the flow of IP theft, the US entered into a bilateral agreement with China in 2015, stating that they would “not engage in or knowingly support online theft of intellectual properties.” Although there was a decline in commercial espionage by China in 2016, a study conducted three years later in 2018 by ASPI suggests that China is in violation of the agreement.
Research by Demchak and Shavitt (2018) found evidence that China Telecom regularly uses BGP hijacking to selectively route traffic through its Points of Presence (POPs) all over the world via China. This could be used to carry out man-in-the-middle surveillance or to decrypt traffic. But what about the traffic China is unable to decrypt? This can be stored until a time when it can be decrypted, either through discoveries of new cryptographic weaknesses or through better decryption technology, such as the use of quantum computing. The 2013 Snowden leaks reported that the NSA had a similar philosophy of “collect it all”. The Snowden leaks also described systematic tapping of international submarine cables.
So far in 2021 the hacking group Hafnium (which is either Chinese state or state-sponsored) has compromised at least 30,000 US Microsoft Exchange servers. From this incident alone, China has amassed petabytes of data. The question is, what is done with all the data acquired through cyber-espionage? The data is most likely being fed into big data analytics to extract intelligence and commercial data and to surveil foreign citizens. A 2018 data leak from Chinese firm Zhenhua Data was found to contain information such as “dates of birth, addresses, marital status, along with photographs, political associations, relatives and social media IDs” on 2.4 million people, including 35,000 prominent Australians such as entertainers, politicians, military officers and diplomats. Surveillance of foreign citizens can use big data analytics to assign a score of how friendly or hostile the citizen is toward the state, much like China’s social credit system used on its own citizens. This information can then be used for further espionage, such as recruiting spies, or for information operations to discredit people hostile toward the state.
The aforementioned Australian foreign interference laws are applicable to cyber-espionage too, although it is difficult to see successful prosecutions against state-based actors operating outside of Australia’s jurisdiction. A more pragmatic approach may be to create stronger legislation enforcing the cybersecurity of organisations that hold personal information, going beyond simply mandatory reporting of breaches.
The future of warfare will be fought in the cyberwarfare grey zones. The west’s globalisation of industry and open borders have put it at a cyberwarfare disadvantage compared to command and control economies. The internet has been the great enabler for innovation in communication and commerce but a nightmare for national security. The asymmetric nature of cyberwarfare means that adversaries can cause billions in economic damage with only a small investment. As adversaries push the limits of the grey zone, this could spill over into deaths. The Australia, New Zealand, United States Security Treaty (ANZUS) alliance means that cyberattacks on member nations resulting in property damage or loss of life allow military responses, including kinetic warfare (Tully, 2012). In the writer’s opinion, this does not go far enough. Notions of property damage in war are outdated, dating back to 19th Century Clausewitzian definitions. In the 21st Century, the value of IP far exceeds that of tangible property. Western democracies must equate theft of IP to theft of tangible and real property. By redefining what property is, we can narrow the scope of the grey zone and consider kinetic responses to the theft of a nation’s wealth.