As 2018 commences, cyberspace remains in constant flux, a dynamic landscape that still favors hostile actors’ freedom of movement over the efforts of network defenders. Nation states continue to leverage the anonymity afforded to them in the digital sphere to conduct an array of offensive operations. Indeed, security vendors and news sites have focused much attention on nation-state cyber activity, tracking suspected government or government-sponsored actors as they steal information and money, conduct aggressive attacks on infrastructure, and influence national elections. Perhaps unsurprisingly, the increased international attention on these events has not served to deter these actors but, in some instances, has reaffirmed the need for all governments to be able to conduct similar operations to support their own national interests. According to a recent United Kingdom intelligence report, Russian security services demonstrated a “go and see what happens” attitude towards conducting offensive cyber activities. Such an assessment certainly suggests there is little cause to fear any serious repercussion for such actions.
The past few years have seen governments actively pursuing offensive cyber capabilities, despite efforts by leading governments and recognized cyber “powers” to rein in the development of such skills and tools. No-hack pacts have been established between countries and international organizations, agreeing that cyber espionage should not be conducted for commercial advantage. (Note: This intimates that cyber espionage for traditional espionage practices is acceptable.) In January 2017, U.S. intelligence officials testified that more than 30 governments were actively seeking to acquire offensive cyber capabilities, and in 2013, there was reporting that European countries were doing likewise.
While the progression toward this end-goal may seem logical for developed and well-connected states, there is evidence suggesting that developing countries want to get into the mix as well. According to recent statements made by a former top Israeli intelligence official, low costs and the ease of acquiring technologies have created an attractive opportunity for these governments to become an immediate offensive presence in cyberspace. According to the Surveillance Industry Index, as of late 2016, there were 525 companies supplying these technologies to governments around the world. Some of these technologies are reputed to be able to bypass protection systems, monitor and analyze communications in real time, and send fake software updates to targets. Several developing countries have been recipients of these technologies.
There are no set definitions or criteria as to what constitutes “offensive” capabilities in cyberspace. These may include some or any of the following capabilities: attack tools, network exploitation tools, surveillance, or activities to combat online propaganda and influence operations. Indeed, Vietnam has recently revealed its intent to recruit and train individuals to staff a cyber warfare unit to combat “wrong” views being spread online.
What’s potentially disconcerting about these events is that there seems to be an emphasis on offensive rather than defensive activities from developing countries, which are often a prime source and target of hostile cyber activities, and whose poor infrastructures serve as intermediaries to attack other countries. Compounding matters further is the fundamental lack of understanding with regard to bolstering a cyber security posture. Establishing organizations with cyber defense missions, enacting security policies, drafting and passing strong legislation, and aggressively arresting and prosecuting individuals involved in cyber criminal activities are areas where developing nations are grossly lacking.
Defense is hard, especially when trying to create a security apparatus from nothing. But there is evidence indicating that developed countries are leveraging the vulnerabilities in their cyberspace for authoritarian reasons, rather than trying to increase defense initiatives. One reason is the lack of incentive to do so. As developed nations look up to their more connected and cyber-capable siblings, there is little forward progress when it comes to finding consensus and framing common rules on cyber issues such as state behavior norms, Internet governance, or cyber deterrence. While governments continue to hash these out, suspected state cyber activity continues without significant consequence, a fact that has not been lost on developing countries. As long as this persists, there is more reason to adopt offensive capabilities than defensive ones, which doesn’t bode well for the global cyber security environment in 2018.
This is a guest post written by Emilio Iasiello