Analysis

As US Loses its Edge, Game of Cyber Chicken Could Have Deadly Consequences

Prabir Purkayastha

Two major hacks—SolarWind and Microsoft Exchange Server—have affected a whole range of computers systems. Both are supply-chain hacks, meaning what appeared to be a routine software upgrade to a particular component in the system, instead inserted malicious code. In the SolarWind hack a backdoor in one such component was downloaded to systems of 18,000 organisations, including even the US Treasury, Commerce, Homeland Security and State Department.

In the Microsoft Exchange Servers hack, an estimated 250,000 machines might have been affected by a vulnerability which allowed hackers to control the machines and even infect other systems in the internal network of the targeted companies. Four vulnerabilities in Microsoft Exchange Servers were reported to Microsoft in early January. Unfortunately, Microsoft plugged these vulnerabilities only in early March. These vulnerabilities were used by the hackers during the period that Microsoft had either not released the patches, or in the time companies had not upgraded their systems and installed the patches.

In the SolarWind hack, the US authorities and security companies that work closely with the US government have blamed Russian intelligence agencies for the hack. In the Microsoft Exchange Server hack, the Chinese have been blamed. It is unlikely that either the Russians or Chinese spy agencies would execute such a widespread attack on systems. Their interests are better served by targeting a few critical systems and compromising them rather than infecting systems on such a wide scale.

The scale of the attacks multiplied exponentially, particularly after Microsoft announced the four vulnerabilities and released their patches. As email servers of a large number of organisations use Microsoft Exchange servers, a number of them, particularly small companies, were slow to apply the patches. This allowed a huge number of rogue hackers to get into the act, setting off a feeding frenzy of hacking such unprotected systems.

There have been calls for retaliating against Russia and China, even declaring these hacks to be acts of war. What such claims forget are that all countries have offensive and defensive capabilities and 'stealing" data and knowledge from other countries are time-honoured tasks of spook agencies. It becomes an act of war only if it leads to physical damage to critical equipment or infrastructure.

Any identification of the kind that it is either Russian or Chinese is based on the evidence of supposed Russian or Chinese "signatures" in the software. The NSA tools dumped by Shadow Brokers on the internet in 2017 show that NSA can spoof signatures of other countries in their software. This problem is further compounded by NSA's hacking tools being dumped on the Internet in 2017 by Shadow Brokers and now accessible to all hackers. This means that identifying the origin of software from such code "signatures" is conjecture, at best.

Why does the US expect Russia or China not to hack other country's systems, when we all know that the NSA and CIA have been routinely hacking systems from all over the world? The Snowden revelations showed that the US and its Five Eyes partners did everything and more than it today is accusing Russia and China of doing. XkeyScore and Prism, two of the largest NSA programs, showed how systems across the world had been hacked or compromised. The NSA's Tailored Access Operations hacked hardware that went to different countries, providing the NSA with physical backdoors into equipment in foreign networks. Not only did the US hack the rest of the world, including India, but it also did not spare even its close NATO allies like Belgium and Germany! In Belgium, NSA hacked its largest telecom company, then called Belgacom, which operates a large number of data links internationally. It serves millions of people, including top officials from the European Commission, the European Parliament, and the European Council. In Germany, the NSA had even bugged Angela Merkel's communications.

The US has mounted a worldwide campaign against Huawei being a security risk for global networks and how a clean network means no Chinese equipment. On March 22, 2014, The New York Times and Der Spiegelin a joint publication reported on an NSA program Shotgiant that hacked into Huawei systems and its network to find a link between Huawei and the Peoples Liberation Army. The NYT report says: "But the plans went further: to exploit Huawei's technology so that when the company sold equipment to other countries—including both allies and nations that avoid buying American products—the N.S.A. could roam through their computer and telephone networks to conduct surveillance and if ordered by the president, offensive cyber operations...Many of our targets communicate over Huawei-produced products. We want to make sure that we know how to exploit these products… to gain access to networks of interest" around the world.

The NSA document above shows that it not only conducted surveillance operations in other countries networks, but also carried out offensive cyber operations. So if NSA or CIA compromises computers, routers or other equipment of a country, they not only exfiltrate data out of these networks, but also have offensive capabilities of inserting logic bombs in the target network or equipment to bring these down.

In a re-enactment of Obama's campaign in 2013-14 against China and Russia on cyberwar and cyber espionage, the Biden administration is attributing all the major cyber hacks in the world to 'evil' Russian and Chinese actors. Obama's campaign had to be aborted with the damaging Snowden revelations. The US appears to believe that the world by now has forgotten about Snowden. The time is ripe again for a renewed offensive on hacking against the Russia and China, and the Biden administration's continuing Trump's confrontationist policies with China and Russia.

The question is with growing offensive capabilities, can we continue to play this path of confrontation? Can we play this reckless game of cyber chicken without suffering devastating consequences? Can cyber offensive capabilities lead inadvertently to an attack that has physical consequences and therefore, a physical war?

With the Stuxnet attack on Iran's centrifuges, a line of not causing physical damage using cyberweapons—the cyber Rubicon—was crossed. Dress it up any way we want, an attack on equipment processing radioactive material that could lead to possible radioactive leakage was the first use of a cyber weapon.

In a repeat of the atom bomb era, where the US thought that it had a long-term monopoly of nuclear weapons, the US considers its cyber dominance to be long term. Commenting on the US rejection of any proposal to ban cyber weapons, Mary Ellen O'Connell and Louise Arimatsu explained that the US's resistance to proposals for a treaty may have been related to "US plans to use the Internet for offensive purposes […] U.S. officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true U.S. position."

The US and its NATO allies have turned down every attempt within the UN framework for banning cyber weapons. Russia, China and many other countries tried for a UN process to discuss such a cyber peace treaty. In 2009, Russia proposed a treaty modelled on the Chemical Weapons Convention that would ban cyber weapons, a call it has repeated in the UN. The US has turned it down every time, arguing instead that every country should accept the Tallinn Manual. Tallinn Manual is a non-binding academic study sponsored by a group of NATO countries on how international law should be interpreted for cyberspace. It does not call for a ban on cyber weapons, only defines what it is and where its use would violate international law. Clearly, a far cry from a treaty on maintaining cyber peace and banning cyber weapons.

Cybersecurity threats are emerging as one of the most serious challenges of the 21st century. The Russians and the Chinese are not the only ones promoting a cyber peace treaty; or at least negotiations of do's and don'ts in the cyber era. With the leak of the NSA's tools and in the wake of Wannacry ransomware attacks, even tech giants like Microsoft started talking about nation-states—read the NSA in this case—not stockpiling and exploiting vulnerabilities in systems.

The reality that the US refuses to accept is that it is no longer the sole cyber hegemon. The Belfer Center of Harvard Kennedy School, Cambridge Massachusetts ranks cyber power of countries by both offensive and defensive capabilities. While the US is still the leading player in both, China is in second place and catching up fast. Russia, UK and others are still some distance behind, while India is way behind in the 21st place.

With computer systems and networks underpinning the global infrastructure, the risks of cyber weapons to the world are greater than ever before. We either work for cyber peace or we will inevitably tip over to a ruinous cyber exchange and possibly the splintering of the global internet with hard borders. If we do not enter the even more dangerous territory of a hot war that initially starts as a cyberwar.

This article was first published by Newsclick.