The attacks against the global banking system via SWIFT, which appear to be via a state-sponsored group, poses an important question: is such an act actually an act of cyberwar?
BAE Systems investigation into the Bangladeshi SWIFT theft of $81 million has unearthed ‘a wider campaign’. This led to the discovery of a second bank compromise in a commercial bank in Vietnam – but a reasonable inference from finding ‘multiple bespoke tools’ in ‘SWIFT based systems running in banks’ is that there is yet more to follow.
In a report posted today, BAE Systems warns of the difficulty in making positive attribution to cyber attacks. Nevertheless, it gives enough cluves for any reader to point the finger ultimately at North Korea. For example, BAE Systems first suggests a very strong likelihood that the same group is behind both the Bangladeshi and Vietnam breaches using malware based on msoutc.exe. This it then links to ‘a larger toolkit described in US-CERT Alert TA14-353A.’
“The US-CERT alert mentions ‘a major entertainment company’ and is widely believed to describe the toolkit used to conduct destructive cyber-attack which took place in late 2014. Further details of this same toolkit were disclosed in the ‘Op Blockbuster’ report in February 2016.”
This is a clear reference to the destructive Sony attack. And that attack was firmly blamed on North Korea by the US government.
Meanwhile, Rep James A Hines yesterday introduced Bill HR5220 to the 114th Congress. The purpose is “To direct the President to develop a policy on when an action in cyberspace constitutes a use of force against the United States, and for other purposes.”
This follows Sen Mike Rounds introduction of Bill S2905 on Monday to “require the President to develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States, and for other purposes.”
In both cases the text of the bills is yet to be published. Nevertheless they demonstrate a growing desire to formalize what is and what is not an act of cyberwar. This will not be easy, even if it is possible; and Jason Healey, a senior research scholar in cyber conflict studies at Columbia University, considers it unhelpful. “After all,” he says in the Daily Dot , “there is no definition of what an ‘act of war’ is for any kind of kinetic conflict either. An ‘act of war’ depends entirely on the circumstances as well as the decision of the head of government — it is not just a national security decision, but ultimately a political decision.”
Mike Rounds presented his reasoning behind S2905 in an opinion piece in the Wall Street Journal, Sunday 8 May.
Rounds concludes, “America needs a clear and concise definition of when an attack in cyber space constitutes an act of war. The executive branch needs such a definition so it can fully formulate policies governing, for example, when it might be appropriate for the U.S. to undertake offensive operations against a cyber adversary.”
Three days later, at the CentrifyConnect 2016, former head of the National Security Agency and director of the Central Intelligence Agency, U.S. Air Force General Michael Hayden described the issue very differently. He mentioned Sony and North Korea and noted that there was no legal form of words to define the attack. Rather than have government define acts in cyberspace, however, he believes that the users of cyberspace should do so. In this area, he suggested, government should follow industry – noting that FaceBook and Zuckerberg would shape the definition of privacy more effectively than could Congress.
Nevertheless, however unlikely, it is possible that the US President could be forced by law to define an act of cyberwar. If that were to happen, it becomes an open question whether a state-sponsored attack against the global banking system would fall within that definition. That will make security researchers even more reticent in attributing cyberattacks to specific actors.
In February it was announced that the US is already conducting a cyber war against Daesh (IS). A formal definition of a cyber act of war might force the Pentagon into a greater range of retaliatory cyber activity.