Cyber Warfare – Real or Imagined?
Amethyst Director Steve Southern gives his thoughts on cyber warfare in the world today
I recently attended a lecture/presentation given by Dr Dave Sloggett when he visited RAF Linton on Ouse.
His talk was wide ranging as he gave updates on various conflicts around the world with a particular focus on international terrorism, but his central theme was the role that air power can play in changing the outcomes in any given conflict. His talk also included reference to a recent and widely reported cyber attack on the French TV network TV5Monde, when hackers claiming allegiance to ISIL succeeded in disrupting and denying the service.
The conclusion drawn by Dr Sloggett was that this attack can be viewed as an example of what happens when a terrorist group is on the defensive in its 'normal' sphere of operations, ISIL having recently suffered a series of setbacks in both Syria and Iraq. Dr Sloggett opined that this cyber attack was an attempt by ISIL to remain in the media spotlight by attacking a Western target on a new front, e.g cyber, which seems an entirely credible hypothesis.
Among many of his other fascinating insights, Dr Sloggett also talked about the current situation in Ukraine and the motives of President Putin. In essence, Dr Sloggett made what may seem a surprising claim; namely that Putin's activities in Ukraine and his wider muscle flexing via increased military activity including around the UK and Japan are all diversionary, while his real objective is to claim and secure gas and oil reserves in the Arctic region.
Siberian oil production is expected to peak in 2020 and diminish thereafter, however Russia has recently signed a 30-year deal with China estimated to be worth some $400 billion to supply gas, as well as a $20 billion dollar deal to co-operate with Iran in bringing oil to the global market. Hence Putin's determination to take ownership of the gas and oil reserves in the Arctic, otherwise these contractual obligations cannot be met. As far back as 2007, Russia planted its flag on the seabed under the Arctic ice sheet, and Dr Sloggett explained that more recently it is claiming that an undersea ridge known as the Lomonosov Ridge, which runs between Siberia and Canada, somehow gives Russia the right to claim ownership of Arctic territory.
All of which got me thinking about state sponsored cyber attacks; surely as the Russians are projecting their conventional forces in the land, sea and air domains, albeit stopping short of actual attacks (except in Ukraine of course), then they may consider doing likewise in the cyber domain? Could Putin somehow further his Arctic land grab ambitions by deploying carefully targeted cyber attacks, perhaps on the assets and operations of other nations and corporations that are engaged in oil and gas exploration activities in the region for example? SCADA systems that remain widely used in the oil and gas sector have well known vulnerabilities – look no further than the aptly named scadahacker website (https://scadahacker.com/library/) – and present potential hackers with plenty of opportunity for denial of service attacks.
The same week I also attended the AFCEA (UK) London Chapter and the Information Security Group Royal Holloway University of London Cyber Dinner, where the guest of honour was Professor Thomas Rid from the Department of War Studies at King’s College London.
Unfortunately I am not able to report or comment upon the substance of speeches made by Professor Rid or by the other speakers (Captain Mike Hawthorne RN, Dr Alasdair Pinkerton, and Group Captain Andy Gudgeon). What I can record is the central idea and theme of the dinner, which was cyber warfare; Professor Rid was challenged by the aforementioned speakers on key aspects of his book ‘Cyber War Will Not Take Place’ and thereafter invited to give his considered response. All speakers were excellent and thought provoking, and suffice to say I am now well into reading Professor Rid’s book.
Coincidentally, on returning to my hotel after the dinner I turned on the TV to see the BBC Hardtalk programme where Pippa Malmgren was being interviewed. Pippa is an economist and part-owner of a company, H Robotics (now part of DRPM Group), that manufactures ‘non-weaponized’ drones. Pippa was questioned on some of the many issues around the use of drone technology including the extent to which they are truly autonomous or ‘aware’, and whether they should ever be allowed to have a capability to make life or death decisions. It was a fascinating interview and if you missed it you can watch it at http://goo.gl/xGJC0x.
Of course drones now play a key role in modern warfare, but we should perhaps consider whether they themselves are vulnerable to cyber attack. Loitering unseen and unheard at extremely high altitudes, some drones are well beyond the reach of all but the most sophisticated conventional weapons, but what about their control systems, data and communication links, and on-board sensors? How secure are all of these?
In their paper ‘The Vulnerability of UAVs to Cyber Attacks – An Approach to the Risk Assessment’ Kim Hartmann and Christoph Steup from the Otto-von-Guericke-University in Magdeburg, Germany, state “reviewing UAVs from a technical point of view, UAVs must be classified as highly exposed….with high strategic and economic value.” Rather worryingly perhaps they also observe that “there is more research done regarding the security of modern cars incorporating car-to-car and car-to-infrastructure communication than research regarding the security of UAVs.” These issues caused me to recall the final and forcefully made conclusion at the end of Dr Sloggett’s talk, namely that while drones will undoubtedly continue to play an important role in modern warfare, they cannot and should not, fully replace manned aircraft as there will always be scenarios where a person in a cockpit is needed.
Overall, a lot to ponder, and much new reading to be getting on with. In one sense, Amethyst’s services seem very far removed from cyber warfare and state sponsored cyber attacks, but actually the fundamental principles at the core of our knowledge and expertise are highly relevant. Whether the objective is to protect a drone over Syria or an oil well in the Arctic, it is necessary to identify and value the asset(s), understand the threats, and calculate the risks and vulnerabilities. Only then is it possible to design and implement appropriate and proportionate security measures.