What if a malevolent group could hack into a country’s database and disrupt its media channels, its banking system, its citizen databases and its parliament?
What if they could silently enter an organisation’s networks, steal their intellectual property and release a comparative product to the market cheaper and earlier, ruining the company and weakening the country’s economy in the process?
What if they could infiltrate common, everyday devices like cameras, webcams and sensors to infect systems and bring down whole systems?
What if the above examples weren’t hypotheticals at all, but things that have occurred in recent history? Then you’d be concerned, right?
Cyberwarfare: Old concept, new reality
In the early 1990s when the internet was starting to gain traction, governments immediately grasped the potential — and the threats — of this revolutionary technology.
Even though the concept of cyberwarfare seems modern, the term according to the New York Times, has been used by governments for decades to describe the way a nation-state infiltrates the networks, communication systems or infrastructure of another country’s military, government or businesses in order to cause damage to it, or to learn their secrets.
Over time this definition has broadened to include transcontinental acts by cyber terrorists, hacktivists and cyber criminals, who seek to undermine a nation-state by way of cyber-attack or cyber espionage. Despite understanding the jeopardy of cyber-attacks, there hasn’t been a lot of international agreement about how to approach the significant challenge of creating a set of legal norms.
The international response to cyberwarfare
In 2011, the UN released a paper titled: Cyber Norm Emergence at the United Nations. In it, the author acknowledged that cyber warfare was no longer in the remit of science fiction. The technology had advanced to the point where nation-states now had the capability to infiltrate the military, government and business networks and that international cooperation was vital in stemming the tide.
Fast-forward 5 years and despite the urgent need for action, we are still no nearer to having a legislative framework, or even an international definition of what acts constitute cyberwarfare.
However, this lack of clarity isn’t to suggest that tackling the challenges of cyberwarfare isn’t a priority for nations. Just recently, US President Barack Obama announced that several heads of state, including Russian president Vladimir Putin, got together at the G-20 summit in China to discuss a set of standards for cyberware. He stated:
‘Look, we’re moving into a new era here where a number of countries have significant capacities. But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly.’
Having standards in place is vital because with the rise of the Internet of Things, we are seeing technology develop at an exponential rate. The scope and scale of advancement is occurring at a speed unprecedented in our history. While on one level this is incredibly exciting, because of the many opportunities it offers to business, government and citizens, these opportunities are also afforded to those who won’t use it so benignly. As Marc Goodman, author of Future Crimes says in his TED talk A Vision of crimes in the future: ‘The ability of one to affect many is scaling exponentially, and it's scaling for good and it's scaling for evil’.
And we’re seeing how this interconnectivity is creating vulnerability for organisations and for nation-states. One just has to look to a small, Baltic country to see the damage that can be done with a well-timed attack.
Communication Breakdown: Estonia
Estonia is one of the world’s most tech-savvy and connected countries. According to Wired UK: ‘what Estonia has achieved makes the Northern Californians look like laggards.’ They state:
- By 1997 97% of Estonian schools were online
- By 2000 Estonian parliamentary cabinet meetings were paperless
- By 2007 it had introduced e-voting and 98% of the country’s banking was done online
2007 was also the year in which tension with their neighbours Russia erupted. The cause: a statue. The statue was a Bronze soldier who symbolised the Russian war effort in the region. It had long been controversial, as it was seen a symbol of Russia’s occupation.
There was a movement to have it pulled down, countered by a small, but passionate Russian ethnic minority. There were protests. There was bloodshed. When the statue came down there was swift retaliation described by The Daily Dot as Web War One:
‘Estonians compare the day to their own 9/11. Imagine what would happen if Wall St financial institutions and every American bank was crushed under the weight of a cyberattack while Washington, D.C.'s institutions fell apart under the same withering offensive. Meanwhile, what if no one could read newspapers or call 911?’
A botnet attack (where multiple devices are used to infect a network with malware) overwhelmed Estonia’s main newspaper, the Postimees first. Over the next few days,the botnets struck the country’s whole infrastructure: Its banking system, its government, its emergency services and its police systems. For four days, a country that had prided itself on its digital maturity was unconnected — and the result was chaos. Money couldn’t move, injured citizens couldn’t access services and officials couldn’t get through to the outside world to get help.
After the attack, according to The Daily Dot, Estonia appealed to NATO for help in finding the responsible party and establishing rules but there was a big problem:
‘There had never been a cyber-attack like this; there was no playbook to study. They were unprepared on a technological and strategic level. As such, this moment also started fundamental debates that are still being sorted out.’
It wasn’t until NATO itself came under the same botnet attack a few years later that it was galvanised into creating a cyber defence plan. However, the Estonian watershed attack exposed several difficulties facing organisations like NATO and The UN:
- It’s almost impossible to prove who is behind the attack, so even if countries are signing agreements, there’s no guarantee that they will be faithful to that agreement
- Getting agreement from all countries in the first place (not a new issue for the UN)
- The difficulties of accounting for acts of cyber espionage. Once again, proving that they’ve occurred can be very difficult and often by the time that you’ve discovered that your network’s been infiltrated, it’s too late
- Not all countries have the same cyber security capabilities, so some are more vulnerable to breach than others
What the Estonian attack did achieve was to show how devastating an attack could be, even to a country with a comparatively good cyber security strategy.
What will cyber-attacks of the future look like?
In the years since the attack, both businesses and governments have been the targets of more sophisticated and devastating attacks.
In the last few months we’ve seen Bank of Bangladesh attack, where over USD 80 million was stolen. Then, an attack on cloud-based internet performance management company Dyn, infected everyday devices to bring down huge platforms like Spotify, AirBnB, Netflix, Etsy and Reddit. We’ve also seen the alleged attacks by Russia on the US which resulted in the leaks of the emails of the democratic candidate, Hillary Clinton. What these attacks show is that the scope and scale of the technology is also amplifying the scope and scale of the potential for damage. It doesn’t matter if you’re a major bank or running for office, no matter who you are, you are vulnerable.
By 2020 it is estimated for the number of connected devices to exceed 50 billion. And as this connectivity broadens to 3D printing, robotics and bio-tech, all these new technologies will make us more vulnerable for attacks. As Goodman mentions in his TED talk: ‘There has not yet been an operating system or a technology that hasn’t yet been hacked’. Estonia was just a mere glimpse of the potential for malignant behaviour. Even though the majority of users will enjoy the technology in the way it’s intended, there will always be those who aren’t so altruistic and the damage they can cause could be truly catastrophic. The only way to stem the tide is to ensure that business, government and tech communities are using their collective knowledge and making cybersecurity a top priority.
Would you like to know more about how technology will impact government? Then check our eGovernment 2017 @ CeBIT program today.