Rarely does a week go by these days without a ‘cyber attack’ making the headlines across the globe. It may be the massive WannaCry ransomware campaign that infected 300,000 systems in more than 150 countries, the hacking of Qatar News Agency which led to numerous fake postings on the nation’s official media platform, or Pyongyang’s targeted phishing campaign against members of the United Nations Security Council's North Korea Sanctions Committee. Typically, in the public discourse all these incidents are generically termed ‘cyber attacks’ with little to no distinction between them.
To put this into perspective, imagine a world in which every malicious action – no matter how insignificant – is classified as ‘murder.’ And now think about how this would affect your sense of security.
Indeed, one of the elemental challenges when it comes to cyber security and cyber defence is that, as the NATO Cooperative Cyber Defence Centre of Excellence eloquently describes it, “there are no common definitions for cyber terms — they are understood to mean different things by different nations/organisations.”
The most prominent example of this problem coming to the fore occurred in September 2015 when James Clapper, then the United States’ director of national intelligence, testified before the US House Intelligence Committee. Clapper told lawmakers that the intrusion into the US Office of Personnel Management (OPM) network – and the resulting theft of personal information belonging to 21.5 million current, former, and prospective government employees – was not a cyber attack, because “there was no destruction of data or manipulation of data. It was simply stolen. That’s a passive intelligence collection activity — just as we do.” Lawmakers could not believe their ears and vehemently argued that a refusal to call the OPM hack an attack would minimise the gravity of the event and leave the US open to similar incidents if there was no forceful response.
Yet, Clapper was right. The most adequate legal definition of what constitutes a cyber attack can be found in the Tallinn Manual on the International Law applicable to Cyberwarfare, which describes it as: “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
To date, only two cyber attacks have successfully cleared this physical threshold. The first is the infamous Stuxnet worm which was deployed against the Iranian uranium enrichment plant in Natanz back in 2007-2008. The second is a much lesser known cyber attack against an unnamed German steel mill in 2015 which resulted in “massive — though unspecified — damage.”
Several other cyber incidents have come very close to crossing this threshold. For example, the Shamoon breach at Saudi Aramco during Ramadan in 2012, “partially wiped or totally destroyed the hard drives of 35,000 Aramco computers.” The incident even forced then US secretary of defence Leon Panetta to note that Shamoon is “one of the first [pieces of malware] we’ve seen that can actually take down and destroy computers […] to the point that they had to be replaced.”
Equally disturbing were the intrusions into the Ukrainian power grid in late 2015, which cut off electricity for approximately 225,000 Ukrainians in the middle of December. According to E-ISAC, the breaches in Ukraine are “the first publicly acknowledged incidents to result in power outages.”
Getting terminology right is immensely important in the cyber domain, because calling everything by the same name (1) undermines the public’s sense of cyber security, (2) blurs the lines between acts of war and criminal activities, and (3) disguises the greater dangers of exploit proliferation, misattribution, and collateral damage.
Code and exploit proliferation is a growing issue. Roel Schouwenberg, former senior analyst at Kaspersky Lab, explains that, “regular cybercriminals look at something that Stuxnet is doing and say, that’s a great idea, let’s copy that.” But it is not only cybercriminals and ‘script kiddies’ that are in the business of repurposing chunks of code – nation states are too.
After 2007-2008, sophisticated Stuxnet-like trojans, such as Duqu, Flame, and Gauss, popped up in the wild, wreaking havoc across the Middle East and making their appearance in Europe as well. The fallout of Shamoon progressed similarly: after the malware had lain dormant for four years, researchers at Kaspersky Lab observed three waves of Shamoon 2.0 deployments against Saudi infrastructure, starting in November 2016. According to the Saudi Ministry of the Interior, Shamoon 2.0 wiped approximately 1,800 servers and some 9,000 computers in 11 organisations. Amid the new onslaught, Kaspersky Lab also discovered an elaborate new disc-wiper malware, now dubbed ‘StoneDrill’. To the surprise of many, given previous trojans’ propensity to remain in the Middle East, StoneDrill made its first foray outside that region by hitting a petroleum company in Europe.
What danger does this pose to Europe?
Despite the assertion of Thomas Rid, professor in security studies at King’s College London, that “Cyberwar will not happen”, nation states and cybercriminal groups are already waging a silent conflict in the dark across the web. Europe should be particularly concerned with Russian activities. In fact, all of the Russian Advanced Persistent Threat (APT) actors, that is, groups that are sponsored by a nation state or are nation state agencies, are primarily targeting European businesses and governments.
APTs like Fancy Bear and Cozy Bear (controlled by Russian security agencies the GRU and FSB respectively) – now well-known household names due to their central role in Russian interference in the 2016 US presidential election – have penetrated numerous European institutions, ranging from NATO and the Organization for Security and Co-operation in Europe to France’s TV5Monde and the German parliament. The Sandworm Team, another Russian APT actor, not only caused a power cut for 225,000 Ukrainians in late 2015, but also breached western European government agencies, Polish energy firms, and French telecommunication companies. It even targeted attendees at the 2014 GlobSec Forum in Bratislava. Equally, the Russian APT Waterbug predominantly compromised government and media websites in Europe. According to a 2016 assessment by security software company Symantec, the top four countries targeted by Waterbug are France (19 percent), Germany (17 percent), Romania (17 percent), and Spain (13 percent). The US accounted for only 4 percent of Waterbug activities worldwide.
The Democratic National Committee hack should have been a wake-up call for Europe. For far too long Europe has turned a blind eye to the persistent Russian threat in cyber space, and has left the US to deal with the issue alone on the international stage. Currently, there is little public discourse in Europe, nor is there even any foreign policy response in the making which takes into account the myriad Russia-linked APT intrusions that have breached European governments, companies, and individuals over the past five years. It is time for European policymakers, law enforcement agencies, and the intelligence community to step up to the plate, and defend the continent in cyber space.
In light of this, the one-and-a-half day Cyber WarGame, held in Brussels on 19-20 June by the European Council on Foreign Relations and Microsoft, was a first step towards sharpening this understanding. It brought together government officials from across the EU28 to explore escalation dynamics in cyberspace, define national red lines, map norms of acceptable state behaviour, and analyse possible responses across the threat spectrum in an environment of uncertainty.
The European Council on Foreign Relations does not take collective positions. This commentary, like all publications of the European Council on Foreign Relations, represents only the views of its authors.