Hack-backs: Options and limitations of cyber deterrence
The continuing rise of cyberattacks has been one of the crucial security developments of the last decade. While the U.S. Cyber Command has adopted an offensive cybersecurity doctrine, European critics have questioned the use of “hack-backs” due to escalation risks.
In a nutshell
- State-supported cyberattacks are on the rise
- The American and British cybersecurity policies are pivoting toward offensive deterrence
- The EU’s hesitation to use "hack-backs" could have costly consequences
Lockdowns and remote work have created numerous new cybersecurity challenges for companies and governments. The pandemic has accelerated digitalization across industries and services. But it has also created numerous new vectors for attacks on critical infrastructure.
Recent cyberattacks have included public sector institutions and facilities. Among others, hospitals were targeted in Germany, the Czech Republic and Spain. They were forced to suspend scheduled operations, shut down their IT networks and move intensive care patients to other locations. In September, a seriously injured woman died in Germany after a cyberattack on the University Hospital of Dusseldorf because she could not be transported to another hospital in time.
The WannaCry malware attack in May 2017, which paralyzed a third of British hospitals, had already highlighted the numerous vulnerabilities of the United Kingdom’s National Health Service. Several organizations, research institutes and governments have called for better protection of healthcare organizations against hackers, as well as international norms prohibiting attacks on critical infrastructure. The European Commission even directly asked China to stop all cyberattacks on hospitals.
Vaccines and viruses
Even more alarming is the continuous rise of state-supported cyberattacks in recent years. A new report by the British signals intelligence agency concluded that more than a quarter of all cyber incidents detected by the UK in the past year exploited vulnerabilities created by the Covid-19 pandemic. New cybersecurity reports have highlighted that vaccine development at Western companies has become a prime target for industrial cyber espionage and for potential disruption of vaccine supply chains.
According to governmental and private cybersecurity companies (like Microsoft, IBM and others), Russian, Chinese, Iranian and North Korean hacker groups have targeted half a dozen organizations and companies involved in Covid-19 treatment and vaccine research. The Russian hacking groups Fancy Bear (APT28 or Strontium) and Cozy Bear (APT29), the North Korean Zinc and Cerium and the Chinese Cicada were identified as the perpetrators of attacks on pharmaceutical companies and research organizations.
Although most of the attempted cyber strikes failed, some succeeded. Industrial cyber espionage by state-supported hacker groups could be the mere tip of a large campaign against Western companies and governments running mass vaccination programs. Institutions and companies indirectly involved in the vaccine supply chain (such as the European Commission’s Taxation and Customs Union, as well as energy, manufacturing, and technology firms) could also be affected.
Cyberattacks have targeted the cold supply chains needed to deliver Western vaccines, which could disrupt supply amid increased competition from the Russian and Chinese producers. The cold chain platform of Gavi, the Vaccine Alliance, a public-private partnership organization that provides inoculation in poorer countries, was attacked. Such disruptions can also be used to steal commercial information about the delivery process through which vaccines are kept at temperatures between -20°C and -80°C.
An effective vaccine entails not only significant profit, but also geopolitical influence. China and Russia have a lot to gain by hindering the development of Western vaccines and stealing industrial secrets.
Despite Washington’s decade-long dialogue with Russia and China, hostile cyber operations have never declined, and have even risen recently. Contrary to the European Union, the U.S. believes that solely relying on strengthening its cyber defense and enhancing the resilience of critical infrastructure is insufficient to cope with attacks, especially Advanced Persistent Threats (APTs) and other sophisticated state-supported strikes. The American cybersecurity policy already involves offensive cyber counterattacks, also known as hack-backs, as part of its broader deterrence strategy.
Offensive cyber operations provide an additional military tool for disrupting other countries’ military capabilities, like Iran’s uranium enrichment and ballistic missile programs. Despite the risk of escalation, such strategies can reduce collateral damage when compared to conventional air strikes. But while state-supported cyberattacks have hitherto had a limited impact, they may increasingly and deliberately threaten nonmilitary targets in the future, which would put unprecedented pressure on cybersecurity.
Experts hold varying opinions on the benefits and downsides of hack-backs, but they mostly agree that cyberthreats have blurred the lines between defense and offense, civilian and military, as well as peace and war. Critics argue that deterrence is a Cold War strategy that cannot address the cyberthreats of the 21st century, since highly industrialized countries have much more to lose than less developed countries or private hacker groups. Furthermore, it is often impossible to know whether deterrence has been successful or whether other factors have played a role.
Moreover, properly identifying cyberattackers is essential for conducting any deterrence counterattack. But despite the progress in digital forensics, attributing sophisticated cyberattacks can often take months or even years. Any mistake in the process can lead to a strike against an innocent third party. The Turla cyberattacks of 2018 were carried out by a Russian hacker group using the tools of an Iranian organization (known as APT34), which highlighted the risks and challenges of such situations.
Calls for cyber treaties as well as new UN norms for restraining and regulating state-sponsored cyber operations have grown louder. But in parallel, the global internet is becoming ever more fragmented because of China’s and Russia’s domestic cybersecurity isolation policies.
Managing cyberattacks poses a significant challenge because perpetrators are often non-state actors. Hacker groups and private companies producing dual-use software can become weaponized. Software and code can easily be copied almost anywhere. Enforcing cyber arms control agreements through verification is practically impossible. An entire arsenal can fit on a USB stick, much like the Israeli-American Stuxnet virus in 2010. As long as attribution is difficult and offensive tools widely available, sophisticated cyberattacks on Western critical infrastructure will continue as part of a “hybrid warfare.”
Disruptive attacks have already crossed red lines and exceeded past security forecasts. U.S. fears of a “Cyber Pearl Harbor” scenario have been confirmed by a well-coordinated and calibrated attack on Ukraine’s electricity grid in December 2015. The first wave of the strike had begun in 2014 with an undetected cyber reconnaissance operation to find vulnerabilities. It was the world’s first known digital intrusion operation that caused physical disruption in a country’s electricity sector. Widespread power outages lasted for about six hours.
Since then, the worldwide increase in complex cyberattacks on industrial control centers and supervisory control and data acquisition (SCADA) systems has alarmed companies, governments and experts. Purely defensive strategies are considered insufficient for deterring state-supported cyberattackers and shifting their cost-benefit assessment. It is now widely believed that deterrence strategies need to include retaliatory strikes.
Since 2010, the U.S. Cyber Command’s strategy has evolved from a reactive defensive posture to a more proactive stance called “persistent engagement,” which entails attacks on the disruptive capacities of adversaries as part of the “defend forward” concept in its new cyber strategy from 2018. If the U.S. has indeed targeted Russian, Chinese, or Iranian critical infrastructure, these states could reassess the costs of future strikes. Washington has reportedly attacked Russia’s electric grid with potentially crippling malware to achieve a “persistent presence” inside the Russian power network. This offensive strategy guarantees that Moscow would pay a high price for carrying out a devastating operation against the U.S.
During the last decade, cyberthreats have become more frequent, complex, destructive and coercive. But up to now, the EU has relied almost exclusively on traditional instruments of diplomacy. Its toolbox still comprises only preventive, cooperative, restrictive and stabilizing measures. It can also support member states’ lawful responses, but even these are limited to diplomatic responses and sanctions on identified individual hackers. However, in recent years the Union has recognized the limitations of international norms for prohibiting major cyberattacks on critical infrastructure. The European Commission is now seeking to enhance its capacity to “detect, trace and hold accountable those responsible.” Until recently, Brussels avoided “naming and shaming” countries supporting hacker groups. But Russia and China are beginning to be held officially responsible for their state-supported cyberattacks.
However, the EU has not reached a consensus regarding offensive cyber strikes as part of a broader deterrence strategy. This is due to the inherent constraints discussed above, its tradition of caution when it comes to security matters, and its relative lack of cyber capabilities compared to the U.S. – ranging from rapid reconnaissance to conducting various offensive cyber strikes at scale. There is little EU-wide political will to challenge Moscow’s and Beijing’s offensive cyber operations beyond its diplomatic toolbox because of its perceived bilateral energy and trade interdependencies. But this state of affairs means Russia’s and China’s attacks on Europe are likely to continue unless the EU develops the capacity to deter them more effectively.
The EU needs to wake up and adopt comprehensive “deterrence-of-punishment” strategies against state-supported cyberattacks from other countries, taking into account the special conditions and constraints of the cyber era highlighted by critics. For example, the UK has recently confirmed the existence of its new National Cyber Force, whose aim is to conduct legal offensive cyber operations against targets in hostile countries such as Russia and China. Its activities will be overseen by the parliament’s intelligence and security committee and follow the principles of restraint and proportionality, as well as escalation risk control procedures. The organization’s purpose will be to degrade, disrupt, and destroy the critical capabilities and infrastructure “of those who would do us harm.”
Adopting deterrence and the threat of retaliation as a cybersecurity strategy can entail more challenges than nuclear deterrence. While the EU and NATO will still focus on “deterrence-by-denial” and improving the resilience of critical infrastructure, they will also need to take into account the growing gap between offensive and defensive capacity. Reactive-only defense strategies may lead aggressors to further escalate the intensity of their attacks. Military history suggests that using cyber defense alone will make Europe the target of endless commercial and political blackmail with ever-rising costs. Forgoing cyber offense altogether is ultimately an invitation to surrender to the hybrid and asymmetric warfare of hostile countries.