In May 2016, details emerged about a significant cyber attack against the global banking system. Malicious actors used stolen login details for the SWIFT financial messaging system to request close to $1 billion in transfers of funds from banks throughout the world. Most of the requests were denied, but $81 million was transferred from the Federal Reserve Bank of New York after it received a fraudulent request from the National Bank of Bangladesh. Wells Fargo transferred $12 million after receiving a fraudulent request from a bank in Ecuador.
The SWIFT attack is the most recent reminder of the vulnerability of connected and global critical infrastructure industries such as finance and energy. Lack of robust security in some links in the industry chain – in conjunction with a general lack of vigilance and communication across the industry – creates vulnerabilities for all members of that industry, even those that have built more advanced cyber defences.
Attributing cyber attacks is always difficult, but recovered code established a strong link to the Sony hack of December 2014 and to North Korea’s burgeoning cyber army. If cash-strapped North Korea was responsible for the attack, it would be another in the ever-expanding list of ‘never seen before’ cyber security attacks: a state using a cyber attack to rob banks.
Regardless of attribution, the SWIFT attack also demonstrated the shifting and fluid nature of the cyber threat and underscored key attributes of this threat that will complicate the capacity of private sector, civil government and even military and security organisations to prevent, detect, attribute and respond to creative attacks in a timely manner. The intersection of these attributes ensures securing the information domain will not only be a persistent challenge, but also an increasingly urgent and affecting one.
The gap between ascendant offensive capability and frequently reactive defensive measures is perhaps the most notable feature of the cyber threat landscape.
The inability of commercial, civil government and military and security organisations to prevent or dissuade and, subsequently, to detect a cyber attack once it occurs – the average amount of time an advanced persistent threat goes undetected after compromising a target system is more than 200 days – magnifies the scale of a given attack’s deleterious effects.
Military and security communities are not immune to the effects of this imbalance, even those with the most sophisticated cyber defences. For example, in early 2013, a US Defense Science Board report determined that more than two dozen critical military programmes had been compromised by cyber activity originating in China, including some of the platforms and systems most critical to US efforts to counter China’s anti-access/area denial military modernisation.
Expanding and converging
This imbalance will endure in part because the cyber threat landscape is simultaneously expanding and converging. A growing range of actors – from states, to transnational networks and criminal groups, to ideologically imbued and technologically savvy individuals – are engaged in an increasingly creative range of attack modes to achieve an expanding range of commercial, financial, political, geopolitical, social and personal objectives. The very human instinct to prepare for and defend against the most recent attack will not be sufficient in an environment in which ‘never seen before’ attacks will be the norm.
Attack modes and objectives are also converging across threat actor categories, a trend highlighted by North Korea purportedly using methods and pursuing objectives most commonly associated with criminals.
Complicating efforts to curb the cyber security problem are growing concerns about the intersection of cyber threats with other advanced technologies (for example, 3D printing), strategic competition, and, most urgently, the physical world.
The Stuxnet attack against Iranian nuclear enrichment facilities established the capacity of a cyber attack against industrial control systems (ICSs) to generate physical effects. While attacks against ICSs of similar scale or effect have not occurred since, the threat remains real. Earlier this month, researchers at FireEye discovered malware (dubbed ‘Irongate’) on Siemens’ simulated ICS environment. While the malware posed no direct threat to a specific ICS, the code shared attributes with Stuxnet and had gone undetected for four years.
Military and security communities are also preoccupied with the intersection of cyber and the physical world. In a 2014 interview with IHS Jane’s, Lt General John Johnson, director of the US Joint Improvised-Threat Defeat Agency (JIDA), noted that his organisation “is very concerned about where cyber meets physical – where the use of cyber can create a physical effect… the next IED might not be an IED in the way we think of IEDs”.
Cyber is also intersecting with the taut and affecting strategic competitions unfolding on the Korean Peninsula, across the Western Pacific, and in the Middle East and Eastern Europe.
Cyber capabilities offer a relatively low-cost capability that is extremely difficult to attribute (and therefore to deter) and that can create competitive advantages without escalating intense competitions to conflicts.
For example, China’s purported penetration of key US military systems serves as a reminder of potential US vulnerabilities that could be exploited in a time of crisis. Similarly, China’s alleged use of cyber attacks to illicitly acquire advanced commercial, dual-use, and even military technologies could accelerate technological innovation across several strategically vital industries, including aerospace and defence.
Cyber threat actors are nearly constantly probing for new technical, cognitive and organisational vulnerabilities and innovating new ways to exploit these vulnerabilities. Complete security in this environment is not possible.
However, significantly enhanced resilience is possible through savvy and coordinated development and incorporation of enhanced capabilities and protocols, including new and reinforced: national, industry and global standards; legislation; data analytics methods; organisational models; personnel training, education and vetting processes; and technologies that seek to protect networks and systems from the core – the most valuable parts – out.
Information sharing is another component of building resilience, a lesson the banking industry learned after the SWIFT attacks.
According to the BBC, the SWIFT organisation’s primary recommendation in its five-point security response plan was to “drastically improve information sharing” in the banking industry.
Enhanced strategic, operational and tactical intelligence is also essential to cyber security.
Incorporating iterative collection and analysis methods that not only identify the likely ‘who’, ‘what’ and ‘how’ of the current threat, but also focus on the possible ‘what’s next’ will enable commercial, civil, and military and security organisations to develop solutions that drive the offence/defence competition in the cyber domain along new and more advantageous trajectories.