Cyber attacks have become an integral part of modern warfare and have significantly leveled the playing field, affording even 2nd and 3rd ranked powers the ability to inflict major, if not lethal, damage on any given adversary. In the past few years there have been some very high-profile instances of alleged cyber warfare, which in many ways reflect the growing tensions between the status quo powers of the West on the one hand, and the West’s principal adversaries, notably China, Russia, Iran and North Korea on the other. In this rapidly evolving threat landscape, Europe is particularly exposed, especially as the confrontation between the United States and Russia is heating up, making Europe once more a principal theatre in this conflict.
CYBER WARFARE ON THE RISE
There have been a growing number of cases of alleged cyber warfare in recent years, specifically between the United States and Russia. Most prominently, the US government has officially blamed Russia for the hack against the Democratic National Committee. In addition to the DNC hack, however, Russia has also been widely accused of being involved in the hacking of the World Anti-Doping Agency (WADA), resulting in the leak of confidential medical information of US athletes; or the leaked emails from Clinton’s campaign chair John Podesta, subsequently published by Wikileaks. Moreover, the Russian hacking group APT28 has been blamed for infiltrating the networks of several German federal ministries, including the Foreign Ministry and Defence Ministry; and the Russian government, as Edward Snowden among others suggested, might also be involved in the sensitive hack against the Equation Group, a highly sophisticated hacking group allegedly linked to the National Security Agency (NSA), which led to some of its offensive ‘cyber weapons’ being posted on the internet. In turn, Russia has accused US intelligence agencies of being responsible for code used in the ‘WannaCry’ virus, which hit Russia particularly hard.
While these are the more public and politically embarrassing cases of recent instances of cyber warfare, there have been much more alarming attacks that provide a disturbing glimpse into the future of warfare more generally, and the inherent dangers for whole nations and economies. Prominently, there has been the Stuxnet cyber attack against the Iranian nuclear programme, allegedly perpetrated by the US in partnership with Israel, which resulted in the destruction of numerous Iranian nuclear centrifuges; a cyber attack against western Ukraine directed against the region’s electrical infrastructure, plunging hundreds of thousands of homes into darkness; or an attack against Turkey’s electricity infrastructure that left most of the country without electricity for hours in 2015. More recently, the US government has accused Russia of installing malware on its energy networks, including nuclear power plants. According to a Technical Alert published by the United States Computer Emergency Readiness Team (US-CERT), based on joint research conducted by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), it was discovered that:
a multi-stage intrusion campaign [was conducted] by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
Less prominent, but equally alarming, is the Refahiye pipeline explosion in Turkey in 2008, which took the entire Baku-Tbilisi-Ceyhan pipeline out of commission for 20 days. While Turkey subsequently denied that a cyber attack was to blame for the explosion, in an article that appeared on Bloomberg in December 2014, the authors Jordan Robertson and Michael Riley claimed that “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident”.
THE RISING THREAT OF EMP WEAPONS
Perhaps even more disconcerting than the growing instances of cyber attacks is the rising possibility of future uses of so-called electromagnetic pulse or EMP weapons, which, while not generally associated with the realm of cyber warfare, could take down the electric infrastructure of an entire nation.
According to Dr Peter Vincent Pry, Executive Director of the Task Force on National and Homeland Security in the US and one of the foremost experts warning of the risks of an EMP fallout, speaking at the Defense Forum Foundation in 2017:
The electric grid, when it goes down, there’s no food and water immediately. The water immediately. The food supply will last about 3 days, then begin spoiling in 72 hours, because with emergency generated power we have to keep the big regional food warehouses operating. The air-conditioning systems, the temperature control systems that keeps the food palatable so that you can eat it. We’ve got a nation of 320 million people and a whole food supply about 30 days, which begin to spoil within 72 hours…And that’s why we estimated that 90% of the population could die in a year, from an EMP attack or EMP from the sun.
The rising fear of EMP weapons might also contribute to explaining the particular concerns US strategic and military planners, including the former Director of the CIA James Woolsey, have voiced over North Korea’s even low-yield nuclear weapons tests and its ambitions to develop intercontinental ballistic missiles (ICBM); and of course the Iranian nuclear programme. The fact is that even low-yielding nuclear warheads, but with enhanced gamma rays, if delivered via a satellite or ICBM to an altitude of between 30 and 60 kilometres above a target area, represent what is known as a Super-EMP, with effects that could throw advanced economies like those of the US and Europe back into the stone age. In 2017, Woolsey and Pry warned, for example, in The Hill that the two North Korean satellites that were at the time orbiting over the United States, KMS-3 and KMS-4, could very well be used for launching a surprise and devastating EMP attack on the United States.
EU EFFORTS TO ENHANCE EUROPE’S CYBER SECURITY
In this new world of intensifying conflict in the domain of cyberspace, and while no nation is immune from this threat, the developed countries, with their advanced technological and digitalized economies, are far more exposed than others. Hence the emphasis of defence departments and national security doctrines over the last decade has been steadily shifting towards a greater appreciation of the rising risks of cyber warfare.
According to the widely cited Global Cyber Security Index, published annually by ABI Research and ITU, the countries with the highest national commitment in cyber security, measured in the areas of legal measures, technical measures, organisational measures, capacity building and international co-operation, are the United States, Canada and Australia followed by Malaysia, Oman, New Zealand, Norway and Brazil. The countries commonly considered leaders in cyber warfare on the other hand are the United States, China, Russia, Israel and the United Kingdom.
The EU, however, has also not been inactive in improving its cyber security posture. It established the European Network and Information Security Agency (ENISA) in 2004 to facilitate cooperation and best practice across the Union, adopted a Cybersecurity Strategy in 2013 and the Directive on security of network and information systems in 2016. Most recently, in September 2017 the EU also adopted a cybersecurity package that aims to build on previous initiatives as well as introduce a range of new ones to further enhance European cyber security. These include, among others, transforming ENISA into a fully fledged European cyber security agency, putting in place an EU certification scheme, a blueprint for an EU rapid emergency response strategy as well as a new “Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and measures to strengthen international cooperation on cybersecurity, including deepening of the cooperation between the EU and NATO”, among other efforts.
Since 2010, ENISA has also been organising the biannual Cyber Europe exercise, a major months-long cyber security war-game. The last such game took place from April 2016 and came to a head with a 2-day intensive exercise involving hundreds of cyber security experts from the private and public sectors to simulate and respond to major cyber security attacks against targets including the “Internet of Things, drones, cloud computing, innovative exfiltration vectors, mobile malware and ransomware”. The exercise is aimed at improving business continuity planning and helping to secure Europe’s Digital Single Market.
While efforts like these are extremely important and signify a move in the right direction, overall, a lot more needs to be done to equip Europe for one of the main security challenges it faces in the world today. The need for escalating preparations and especially for putting meaningful contingency plans in place in order to be able to respond to any massive coordinated cyber warfare by other states should be clear, especially in the context of escalating conflict between the United States and its main adversaries China, Russia, Iran and North Korea.
With the increasingly widespread application of internet of things devices and other technological advances, not least in artificial intelligence or quantum computing, the question that also poses itself is whether there has been too much emphasis on cyber security and insufficient emphasis on incident response, disaster recovery and business continuity planning.
As has been argued by Sandro Gaycken, Founding Director of the Digital Society Institute in Berlin and former member of the Chaos Computer Club, for example, in an interview with Deutsche Welle, “the idea of a protected network is nonsense”. When asked whether the only solution would be “to fully decouple government systems from the Internet”, Gaycken responded:
Yes. The government needs to realize that there’s no technology that will help. Other experts and I have been telling them this for years. But then big telecommunications and software companies come and tell them they have a solution to make everything secure and that they should buy it. There’s no intrinsic motivation in politics to solve this problem. Many of the solutions proposed are very time-consuming and expensive and conflict with existing government programs aimed at increasing digitalization and expanding networks. So they’re politically unpopular.
With cyber security products and solutions commonly being at least one step behind attackers, and especially given the increased sophistication of attackers and the rapid technological progress, the EU efforts in the realm of cyber defence and cyber warfare should concentrate increasingly on:
- Developing effective cyber warfare capabilities to contribute to maximising the EU’s deterrence;
- Placing far greater emphasis on adopting powerful network monitoring and analytics solutions so as to gain the greatest possible holistic awareness of all network activity, which is key both for prevention of and responses to cyber attacks;
- Ensuring that critical infrastructure networks are as ring-fenced as possible as well as updated and hardened against cyber warfare, and especially EMP attacks;
- Devising effective offline and off-the-grid solutions for the most critical national, government and military infrastructure and capabilities to achieve business continuity in the face of a possible large scale attack.
This article originally appeared in the April 2018 edition of Cyber World magazine.