The Most Effective Cyber Defense is Having an Agile Leadership Team that Prioritizes Risk Based Upon Relevant Threats
Booz Allen, a major management and infotech consultancy firm working for government agencies, the defense industry and major corporations, looks at the current state of cybersecurity, and foresees some major challenges to come. What makes these predictions more interesting than many others that appear at this time of the year is that there is no product being subtly marketed. Instead, the conclusions are drawn from the 2,400 intelligence reports published so far this year, 200,000 unique sources, and 2.4 million events each month.
Some of the coming challenges are obvious — like electoral interference and attacks against next year’s Olympic games. Others are less obvious, but based on rapidly evolving technology. All, however, are at least partially affected by, if not predicated on, the first prediction — the increasing global balkanization of the internet.
Balkanization is somewhat similar to standard network segmentation, but writ large. Segmentation is used to better protect high value assets from sections of the network that may have become compromised. For any country, one of its highest value assets is its own national internet, while one of the biggest threats comes from the global internet. Segmenting the national internet from the global internet is a natural solution — this is what is meant by balkanization.
Booz Allen notes in a new report that balkanization is not simply national balkanization, but what could be called bloc balkanization. While Russia’s Sovereign Internet Law came into effect on November 1, 2019, the report adds that “Moscow has also pressed to develop independent network infrastructure for BRICS nations (Brazil, Russia, India, China, South Africa) and create a separate Domain Name System.”
Similarly, China is cultivating internet policy relationships with countries in the Middle East and Asia. “Recent geopolitical upheaval like the persistent anti-extradition protests in Hong Kong would be easily quelled if China effectively controlled web traffic in and out of East Asia,” the report says.
One of the big knock-on effects of this balkanization is that it reinforces the pre-existing geopolitical tensions between the major global powers: the U.S., Europe, Russia and China. These tensions can have a major influence on many of the remaining predictions made by Booz Allen. Counterintuitively, however, there is one possible benefit. The balkanized nations are concerned about over-reliance on technology from outside their own region. Huawei is developing an alternative to Android, while the U.S. is doing as much as possible to limit the use of Huawei equipment in the West. The result of such efforts will confirm the hybrid nature of the global internet, making it in general more resilient than a homogeneous internet.
Balkanization coupled with globalization and massive component demand is generating a new scale of supply chain threat. At one end of the spectrum, this is limited to cloned, counterfeit and repurposed components — which can prove physically dangerous (for example, cloned phone chargers have caught fire). The wider danger is that actors with nation state resources, fueled by geopolitics and hidden behind balkanization, will gain access to hardware components being bought by other nations.
Although the concern is not new, there are as yet no proven occurrences — but Booz Allen warns that the likelihood is growing. Security defenders may have to consider a new threat from malicious hardware complementing the existing threat of malicious software.
The existing threat to connected cars will soon be supplemented by the new threat to autonomous vehicles (AVs). Both sets of vehicles will be extensively targeted, both directly and via the apps that control them. Apart from the vast amounts of personal data that such vehicles collect, and the potential for financial fraud as automatic payment facilities come online, AVs will introduce a new threat vector: driver kidnap and vehicle hijack.
Criminals are already known to monitor navigation and safety broadcasts. At sea, the International Maritime Organization advised operators to disable certain systems in high-risk areas. On land, one of the first major uses of AVs is likely to be cargo trucks. These trucks will continuously broadcast their location and condition — offering the opportunity for criminals to locate and hijack them in remote areas. The same principle could apply to AVs carrying high-value businessmen, putting them at risk of kidnap for ransom.
Drones are another new technology offering a new attack vector. Booz Allen expects drones to be used as an initial network infection vector. “Drones equipped with a Raspberry Pi and Kali Linux — a platform that includes hundreds of pentesting programs,” says Booz Allen, “can be purchased online, and freely available tutorials and attack drone design plans may significantly reduce the barriers to entry for drone-based network attacks.” Booz Allen sees IoT as a primary target. “Israeli security researchers demonstrated that a drone could be used to manipulate ZigBee-controlled lightbulbs… IoT devices often use ZigBee, and the attack is indicative of the potential impact that drone-based network attacks could have on all types of IoT devices, including those that are critical to the manufacturing, health, and energy sectors, among others.”
Flying higher than drones, satellites will also be increasingly targeted. There are currently more than 5,000 active satellites owned by multiple countries in orbit. The danger lies in the extent to which society depends upon satellites, which do not have to be attacked in orbit to be disrupted. “Satellites provide critical communications infrastructure, not only to space programs or the military but also to the civilian sector, including navigation, location, communication, and timekeeping. The modern world relies on satellite constellations, and satellite constellations rely on ground-based C2 facilities to function properly,” says the report.
Booz Allen gives the example of the April 2015 attack, initially and incorrectly attributed to ISIS, against satellite television network TV5Monde. “APT28 gained initial access through compromised virtual private network credentials and used a combination of Active Directory tools and Remote Access Tools to pivot around the network and eventually corrupt most of the victim’s network-connected systems. The result was that TV5Monde’s satellite television network went dark for months. The attacker never needed to communicate directly with any satellite.”
The firm has also detected a shift towards more advanced Linux malware as the Windows ecosystem becomes better hardened. Existing .NET malware is easily ported to Linux, and the firm expects both nation state APTs and advanced criminal groups to take existing malware from Windows and adapt it to Linux. This will make attribution increasingly difficult. “APTs could use these blurred lines of attribution to conduct ‘false flag operations’,” it warns. “Correct attribution could become nearly impossible and could lead to major geopolitical issues between governments because of false-flagging operations as governments or even as organizations try to determine who attacked them.” CISOs will increasingly need to adopt an attacker-agnostic approach to security. Law enforcement, however, will still need to know the attacker. Such confusion is also a clear threat to elections — both the UK’s in December 2019 and the U.S. presidential election in 2020. In both cases, right-wing groups and foreign nations have a vested interest in swinging the results in one particular direction.
But Booz Allen does not expect foreign nations to try to swing elections one way or another. It believes “the next evolution of election interference will focus primarily on generating a sense of chaos and attempt to undermine public confidence in the election system and infrastructure. Both state and non-state actors will copy and innovate upon previous nation state attack strategies, launching aggressive campaigns seeking to achieve specific political aims or the simple goal of creating discord.” It does warn, however, that such attacks will not just come from Russia, but from multiple nations.
Finally, but maintaining the geopolitical tension theme, Booz Allen warns that cyber operations carry an increasing risk of kinetic response. So far, there has been only one publicly admitted occurrence. In May 2019, comments Booz Allen, the Israel Defense Forces (IDF) “reportedly repelled [a Hamas cyber] operation, and in response, conducted an airstrike against the Gaza building that purportedly held Hamas’s cyber command center. Soon after, the IDF announced the strike over Twitter, the first publicly acknowledged use of conventional military force in response to an attempted cyber-attack.”
Notably, almost exactly one year earlier, the UK warned that it does not need to demonstrate attribution before engaging in cyber retaliation, and that if a cyber-attack leads to loss of life, the retaliation could be kinetic and come without warning.
If there are two clear themes to Booz Allen’s future expectations in cyber (PDF), they are that evolving technology will lead to evolving threats, and that geopolitical tensions will expand the operations of nation state activity and make the world an even more dangerous place.