<p>Cyberattacks – The Conversation. Feed updated 2024-03-27T14:37:30Z.</p>
<h1>China’s UK election hack – how and why the Electoral Commission was targeted</h1>
<p>Published 2024-03-27T14:37:30Z.</p>
<figure><img src="https://images.theconversation.com/files/584522/original/file-20240326-24-tyjinv.jpg?ixlib=rb-1.1.0&rect=95%2C36%2C4793%2C2763&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock/Gago design</span></span></figcaption></figure>
<p>The UK government has accused China of hacking the UK Electoral Commission, gaining access to information about millions of voters.</p>
<p>In the aftermath of the incident, the UK and US governments have <a href="https://www.bbc.co.uk/news/uk-politics-68654533">sanctioned</a> a company that is a front for the Chinese Ministry of State Security (MSS), Wuhan Xiaoruizhi Science and Technology, and affiliated individuals for their involvement in the breach and for placing malware in critical infrastructure.</p>
<p>The UK and many other countries have growing concerns over cyber operations that target national security, technological innovation and economic interests. China has been linked to state-sponsored cyber espionage activities for some time. Targets have included foreign governments, businesses and critical infrastructure. </p>
<p>While China is not inherently a threat to the UK, the two countries have a complex relationship that is characterised by both cooperation and competition. China has economic influence over the UK and the two compete on innovation. But China’s military ambitions, human rights record and reputation for covert influence campaigns require careful diplomatic and strategic management.</p>
<p>It’s not clear what precisely motivated the attack on the Electoral Commission but such attacks are generally linked to various strategic interests. States may target foreign electoral organisations with the aim of influencing election results or more generally to undermine democratic processes, including by damaging trust among voters. They may seek leverage with whatever information they gather, either economically or in terms of global positioning. </p>
<p>These activities are not unique to China. In a deeply connected and increasingly digitised world, many states are strategically motivated to engage in subterfuge of this kind.</p>
<h2>How this kind of attack works</h2>
<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a">already detailed</a> the methods deployed by affiliates of the MSS in their cyber espionage. They systematically exploit vulnerabilities in software and systems, penetrating federal government networks and commercial entities. </p>
<p>Their approach demonstrates a deep understanding of cyber warfare and intelligence gathering and a high level of expertise. It’s clear that significant resources have been put at their disposal.</p>
<p>Central to their strategy is the active exploitation of vulnerabilities. They meticulously search for and take advantage of weaknesses across target systems and software. By identifying these security gaps, they manage to bypass protective measures and infiltrate sensitive environments, aiming to access and extract valuable information.</p>
<p>In gathering intelligence, these operatives scour publicly available sources – including the media and public government reports – to accumulate critical data on their targets. This could range from specifics about an organisation’s IT infrastructure and employee details to potential security lapses. Such intelligence lays the groundwork for highly targeted and effective cyberattacks.</p>
<p>Meanwhile, they scan for vulnerabilities in the system itself, uncovering essential details like open ports and the services running on them. This will include any software that may be ripe for exploitation due to known vulnerabilities.</p>
<p>The operatives then leverage all this information to gain unauthorised access. They exploit system flaws to induce unexpected behaviours, allowing for the installation of malware, data theft and system control. </p>
<p>The ultimate aim of these operations is the exfiltration of data, such as the names and addresses of British voters in the case of the Electoral Commission. They illicitly copy, transfer, or retrieve data from compromised systems, targeting personal information, intellectual property and government or commercial secrets. </p>
<h2>The pencil is mightier than the keyboard</h2>
<p>It was known by August 2023 that the Electoral Commission had come under attack but the suspects have only now been named publicly.</p>
<p>Despite the breach, the Electoral Commission claims that the core elements of the UK’s electoral process remain secure and that there will be <a href="https://www.electoralcommission.org.uk/media-centre/electoral-commission-response-cyber-attack-attribution-0">“no impact”</a> on the security of elections. This is in part because so much of the British system is paper based. People are processed by hand when they go to a polling station on election day, they use pencil and a paper ballot to vote, and their votes are counted by hand.</p>
<p>These factors make it very difficult to influence the outcome of a British election via a cyberattack, unlike in countries that use electronic voting machines or automated vote counting. Paper ballots and records, being tangible and physically countable, provide a verifiable trail. So even in the event of a cyber intrusion, the fundamental act of casting and counting votes remains untainted by digital vulnerabilities. </p>
<h2>Stronger systems are still needed</h2>
<p>The attack nevertheless raises questions about the effectiveness of existing monitoring and logging systems for detecting data breaches. The attack accessed not only the electoral registers but also the commission’s email and control systems. The data potentially accessed included UK citizens’ full names, email addresses, home addresses and phone numbers.</p>
<p>Nor is the commission the only target in the British political system. The National Cyber Security Centre (NCSC) assesses with a high degree of certainty that APT31, an advanced persistent threat group affiliated with the Chinese state, has engaged in reconnaissance activities targeting <a href="https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians">UK parliamentarians</a>.</p>
<p>To secure its elections from cyber threats like those from APT31, the UK government is already improving the overall resilience of its elections cyberinfrastructure. It is working closely with the NCSC to identify threats and emerging trends. These efforts are likely to include regular security audits, penetration testing and the adoption of secure software development practices to ensure that systems are robust.</p>
<p>What’s perhaps most significant in the case of the Electoral Commission hack, however, is the fact that the UK government has called China out so explicitly. This is a strategy decided on with allies as a way of holding perpetrators more accountable. </p>
<p>Publicly attributing cyber attacks to specific state actors or groups sends a clear message that such activities are being monitored and will not go unchallenged. This strategy of transparency and accountability is pivotal in establishing international norms and expectations for state behaviour in cyberspace.</p>
<p class="fine-print"><em><span>Soraya Harding does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>British elections are pencil and paper affairs, which makes them difficult to hack. But the breach of millions of people’s details is still a deeply serious matter.</p>
<p>Soraya Harding, Senior lecturer in Cybersecurity Intelligence and Digital Forensics, University of Portsmouth</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>UK urged to get ready for disaster with new national crises plan – but our research reveals the dark side of prepping</h1>
<p>Published 2024-01-03T17:41:29Z.</p>
<p>What would you do if everyday life was suddenly turned upside down? Thanks to recent <a href="https://www.bbc.com/culture/article/20231122-leave-the-world-behind-review-julia-roberts-stars-in-a-timely-and-chilling-thriller">Hollywood blockbusters</a>, the increasing popularity of <a href="https://journals.sagepub.com/doi/full/10.1177/0038038521997763">everyday survivalism</a> and a climate of volatile, uncertain times (war, weather, accelerating technology), visions of the apocalypse seem to be having a moment.</p>
<p>Preppers – those who store food, water and supplies to survive impending disaster – have a bit of an image problem. Ridiculed for their delusional end-of-the world outlook, they are caricatured as “<a href="https://onlinelibrary.wiley.com/doi/10.1111/gwao.13086">tin foil hat-wearing loons</a>”. But is their approach to self-sufficiency so extreme? Recently, we’ve seen <a href="https://www.independent.co.uk/voices/rolling-blackouts-energy-crisis-life-death-disability-b2272741.html">energy companies</a> warn about blackouts, urging people to plan for when the lights go out.</p>
<p>In this context, looming (and actual) threats from climate disruption, extreme weather, global pandemics, cyberattacks and AI have led the UK government to launch its ambitious <a href="https://www.gov.uk/government/publications/the-uk-government-resilience-framework">resilience framework</a>.</p>
<p>This framework is based on three core principles: a shared understanding of risk, a greater emphasis on preparation and prevention, and establishing resilience as a “whole of society” endeavour. Everyone is encouraged to be prepared.</p>
<p>In the new guidance, households are urged to <a href="https://www.theguardian.com/politics/2023/dec/05/britons-should-stock-up-on-torches-and-candles-in-case-of-power-cuts-says-oliver-dowden">stockpile items</a> such as radios and candles, and have ample food in case disaster strikes. But this blanket whole of society call to preparedness rings hollow for many people who feel burned by past <a href="https://www.theguardian.com/politics/2019/jan/14/we-have-a-brexit-shelf-readers-prepping-for-the-no-deal-scenario">vague government directives</a>.</p>
<p>In the run up to Britain’s exit from the EU, for example, fears arose surrounding the collapse of supply chains. The ongoing availability of everyday consumer goods was questioned. Despite officials dismissing stockpiling as <a href="https://www.bbc.co.uk/news/business-55293595">unnecessary</a>, the fact is <a href="https://www.theguardian.com/politics/2019/jan/14/we-have-a-brexit-shelf-readers-prepping-for-the-no-deal-scenario">one-in-five Britons began prepping</a>.</p>
<p>Many consumers secretly stashed essential items – tinned food, toilet paper, batteries – driven by stigma surrounding “tin foil hat” preppers (more usually associated with <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151311/">bunker-culture</a>, calamity and doomsday scenarios). However, the government has seemingly reversed its stance, and is now sounding the alarm about imminent crises, and – more importantly – how we are all individually responsible for being prepared.</p>
<p>As a group of academics researching shifts in prepping, covering Brexit, COVID-19, and now the cost of living crisis, our collective work explores how consumers practise everyday resilience and preparedness. </p>
<h2>Women, responsibility and division</h2>
<p><a href="https://www.theguardian.com/politics/2019/jan/14/i-dont-trust-the-government-to-look-after-me-or-my-dog-meet-the-brexit-stockpilers">Newspaper articles</a> and our own <a href="https://journals.sagepub.com/doi/full/10.1177/0038038521997763">research</a> on UK Brexit preppers suggest that women disproportionately bear the weight of home-based preparedness.</p>
<p>Domestic and emotional issues fall squarely on mothers who are tasked with keeping households running, no matter the circumstances. Whether ensuring everyone eats during shortages or soothing worries when the lights go out, women carry an outsized caretaking burden pivotal to family survival. All while navigating their own stresses and anxieties.</p>
<p>Recommendations around resilience underestimate the invisible and emotional labour needed to implement contingency planning, scanning the horizon for the next crisis. Rather than empowering households, the push toward self-sufficient readiness fuels deeper anxiety around loved ones’ safety. And if disaster strikes, support beyond immediate family remains essential.</p>
<p>Despite the resilience framework promoting a whole of society approach, preparedness inevitably develops into a scenario of haves and have-nots (meaning those with the spare cash, space and time to prepare, and those without). This lays the foundations for inequality, resentment and the erosion of communal ties.</p>
<p>Our <a href="https://onlinelibrary.wiley.com/doi/10.1111/gwao.13086">research</a> on Brexit-prepping mothers highlights the stigma that they directed towards the unprepared (who they vilified as lazy and feckless for failing to shield children from risk). What resulted was families taking individual action to preserve their own resilience, which we believe has two implications for the resilience framework.</p>
<p>First, focus on individual resilience risks fuelling an “everyone for themselves” mentality. The prepared will put their own families’ needs above others. In our research with Brexit preppers, envisaged disruption led mothers to anticipate difficult decisions surrounding who they would and would not offer help should disaster strike.</p>
<p>In our research study, ordinary, upstanding community members (such as teachers and parish councillors) imagined allowing children of the unprepared to go hungry, or considered exploiting others’ unpreparedness on the black market (selling surplus food and supplies at extortionate prices).</p>
<p>Pushed to the edge, they fortified their homes and armed themselves to fend off potential looters who lacked the foresight to prep. Anna, for example, <a href="https://onlinelibrary.wiley.com/doi/10.1111/gwao.13086">discussed using her archery skills</a> to fend off possible looters: “I’m actually an archer, so I have a bow and arrow in the garage. And I’m a bloody good shot, I’m not kidding. I’d need to protect the family.”</p>
<p>Second, the ability to be “prepared” risks becoming tightly bound up with dominant norms of privilege and “good”, middle-class motherhood. These are the mothers most likely to possess the wealth, time, skills and physical space to prep.</p>
<h2>Those left out</h2>
<p>Conversely, the less privileged, such as those experiencing housing issues and precarious employment, who often live hand to mouth, will be less able to prepare. Their survival is likely focused on the everyday, rather than planning for a possible eventuality. Inevitably, they will need wider support from the community, which the resilience framework, given its individualised approach to risk, does not fully consider.</p>
<p>While secrecy around prepping aims to safeguard accumulated assets from prospective thieves, it also isolates at-risk groups who lack equal means to stockpile for themselves. What duty do neighbours have to share with others if catastrophe (or even a temporary glitch) occurs? The line between rational self interest and morality blurs when survival instincts kick in, yet interconnected resilience may suffer when social cohesion frays beyond repair.</p>
<p>The government may encourage readiness across the whole of society, but this rings hollow if resilience is pursued through the stigma and separation of haves versus have-nots. Promoting preparedness without addressing inequalities, communal ties, emotional resilience and the gendered nature of caretaking labour undermines social cohesion critical for weathering crises.</p>
<p>Real security arises not from isolated stockpiles and individual action, but the establishment of more community-wide plans for preparedness in the event of disaster.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Prepping is fast becoming mainstream, but new government advice fails to address inequality, and could cause division between the haves and have-nots.</p>
<p>Ben Kerrane, Professor of Marketing, School of Business, Manchester Metropolitan University</p>
<p>David Rowe, Lecturer in Marketing, University of York</p>
<p>Katy Kerrane, Lecturer in Marketing, University of Liverpool</p>
<p>Shona Bettany, Professor of Marketing, School of Business, Education and Law, University of Huddersfield</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Has the cyberattack on DP World put Australia’s trade at risk? Probably not … this time</h1>
<p>Published 2023-11-13T06:16:44Z.</p>
<p>Australians getting ready for Christmas this week had reason to believe even the best of preparations were not enough after a cyberattack hit all its major ports.</p>
<p>DP World, which operates container ports in Australia and the region, first detected problems last Friday, so it unplugged its systems to minimise the impact while it examined what had happened.</p>
<p>While operations <a href="https://www.abc.net.au/news/2023-11-13/dp-world-deals-with-impact-of-cyber-attack/103097658">resumed at the ports Monday</a>, the cause is still unclear and the incident continues to be investigated.</p>
<p>DP World is responsible for about 40% of freight movement at Australian ports, and for a significant 10% of global trade through its international operations, so the attack disrupted the flow of goods coming from the ports it operates.</p>
<p>Deliveries of <a href="https://www.dfat.gov.au/trade/resources/trade-at-a-glance/Documents/top-goods-services.html">import items</a> such as videogames, air-conditioners, furniture and pharmaceuticals were held up.</p>
<p>As well, Australian exports of goods including processed meat, dairy products and fruits, all with limited shelf life, were delayed.</p>
<h2>Why this cyber attack is significant</h2>
<p>While DP World seems to be recovering, the incident highlights the potential vulnerability of global networks. </p>
<p>Supply chains rely on fully integrated solutions, from sellers overseas to buyers in Australia, to work efficiently. Information technology is embedded into them through equipment automation and data processing. Product visibility, customs clearance and checks for <a href="https://www.agriculture.gov.au/biosecurity-trade/import/arrival">biosecurity risks</a> rely on cargo information detailing where goods come from, who is responsible for them and their trading value. </p>
<p>With sensitive data linked to the movement of containers, it is no wonder logistics professionals recognise cybersecurity as a major threat to operations – not to mention their obligations under the <a href="https://www.legislation.gov.au/Details/C2022C00160">Security of Critical Infrastructure Act</a>.</p>
<p>While there is still no certainty about the specific nature of the DP World incident, there are a few likely causes.</p>
<p>Ransomware has been on the rise, with incidents aligned to prolific cyber-criminal gangs including REvil and, more recently, LockBit.</p>
<p>In an attack, data is usually extracted from an organisation and then rendered inaccessible to users – typically using encryption. The organisation will usually receive a ransom demand to “unlock” the data, often payable using a crypto-currency.</p>
<p>In recent years the trend of double-extortion has become common, where the criminals incentivise their victims to pay by threatening to release the data publicly if they refuse.</p>
<p>While refusal is a possibility, the nature of the disruption could mean a loss of access to critical systems and information. If data is inaccessible, operations would need to be halted, leading to even greater losses.</p>
<p>Recovering systems would require restoration from backups and a thorough inspection for any traces of the original infection or compromise. Finally, checks would be needed to ensure no data had been lost and to identify any missing consignment data after the previous backup had taken place.</p>
<p>If the incident is a direct cyber-attack that infiltrated systems and stole or modified data, this would also require a complete system shutdown. Without the integrity of systems, consignment data cannot be trusted and the Australian Border Force would be unable to verify the content of shipments. There would also be issues with the collection of duties, taxes and fees.</p>
<p>Disconnecting DP World from networks allowed the investigating team to inspect for impacted systems and to evaluate the depth of any infection. This process also needs to identify the original infection mechanism – you don’t want the systems re-infected.</p>
<h2>The timing could have been worse</h2>
<p>The cyberattack caused the ports operated by DP World to start filling up with containers, but it had not yet become critical.</p>
<p>While Black Friday, Cyber Monday and Christmas are an extra busy time for retailers, there is usually a marginal increase in movement compared to other times of the year, typically less than 10%. With around <a href="https://www.bitre.gov.au/sites/default/files/documents/water_069_0.pdf">1.4 million containers</a> to be moved in the last three months of the year, the impact of losing a few days should be minimal.</p>
<p>Big retailers typically start making orders for Christmas in August, with deliveries starting as early as October. While they keep inventory in check, it is unlikely that operations work in just-in-time mode.</p>
<p>This is especially true in Australia, where distance from major global flows, the lack of alternatives such as rail imports, and lessons learned from COVID have bred risk-averse businesses that are extra cautious to avoid empty shelves.</p>
<p>Also, ports can quickly recover. When container volumes go up, extra labour and equipment can be organised to increase the output of a terminal. In the last three years the number of time slots used by trucks has seldom reached 90% of total availability.</p>
<p>DP World should quickly be able to resolve any backlogs arising from this incident. </p>
<h2>The hidden problem behind this attack</h2>
<p>A problem for Australia is the potential effect of the cyberattack on its reputation as a shipping destination. When port facilities fill up with containers to the point where ships are delayed, costs quickly escalate to millions of dollars.</p>
<p>And numbers haven’t been shiny lately.</p>
<p>The <a href="https://www.bitre.gov.au/sites/default/files/documents/water_069_0.pdf">Maritime Waterline 69 report</a> shows ship turnaround time increased from 35 hours early in 2020 to more than 50 hours in 2022. Port congestion went from a little over 10% of ships waiting for more than two hours to over 22%. And average waiting time at anchorage went up from 17.3 hours before COVID to 126.5 hours in mid-2022.</p>
<p>Add the risk of cyberattacks to this and Australian ports may lose their competitiveness, with fewer companies interested in sending their ships down here – or requiring a premium price to do so.</p>
<p>While the DP World cyberattack is unlikely to upset Christmas, the aggregated impact such attacks could have on Australia’s reputation as an important shipping hub must be taken seriously.</p>
<p class="fine-print"><em><span>Flavio Macau receives funding from the Planning and Transport Research Centre - PATREC. He is currently involved in the Last Mile Delivery (LMD) project which looks at parcel distribution to the end consumer. This article, and the ports impacted in this incident, are not connected with the LMD project or the funding provided by PATREC.</span></em></p>
<p class="fine-print"><em><span>Paul Haskell-Dowland receives funding from the Cyber Security Cooperative Research Centre. He is currently involved in the Augmenting Cyber Defence Capability (ACDC) project which looks at cyber security in Maritime Ports. This article, and the ports impacted in this incident, are not connected with the ACDC project or the funding provided by the Cyber Security Cooperative Research Centre.</span></em></p>
<p>A cyberattack on one of Australia’s biggest port operators has highlighted the potential vulnerability of the global economy.</p>
<p>Flavio Macau, Associate Dean - School of Business and Law, Edith Cowan University</p>
<p>Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Major cyberattack on Australian ports suggests sabotage by a ‘foreign state actor’</h1>
<p>Published 2023-11-13T02:19:18Z.</p>
<figure><img src="https://images.theconversation.com/files/558984/original/file-20231112-17-mgtyva.jpg?ixlib=rb-1.1.0&rect=98%2C44%2C5793%2C3574&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/aerial-shipping-containers-botany-bay-sydney-699787051">Janelle Lugge/Shutterstock</a></span></figcaption></figure>
<p>A serious cyberattack has disrupted operations at several of Australia’s largest ports, causing delays and congestion. Late on Friday, port operator <a href="https://www.dpworld.com/supply-chain-solutions/ports-and-terminals">DP World</a> detected an IT breach that affected critical systems used to coordinate shipping activity.</p>
<p>DP World is one of Australia’s largest port operators, handling approximately <a href="https://www.news.com.au/technology/online/hacking/cybersecurity-incident-major-aussie-ports-locked-down-after-breach-rocks-ports-operator-dp-world/news-story/5f9b85e0009f26d1027592d0634fff05">40% of the nation’s container trade</a> across terminals in Brisbane, Sydney, Melbourne and Fremantle.</p>
<p><a href="https://www.abc.net.au/news/2023-11-11/dp-world-australian-ports-cyber-security-incident/103094358">DP World reacted</a> quickly to contain the breach, including shutting down access to their port networks on land, to prevent further unauthorised access. This means they essentially “pulled the plug” on their internet connection to limit possible further harm.</p>
<p>DP World <a href="https://www.channelnewsasia.com/world/port-operator-dp-world-australia-cyber-incident-police-investigating-3915016">senior director Blake Tierney said</a> it is still possible to unload containers from ships, but the trucks that transport the containers cannot drive in or out of the terminals. This is a precaution when the full extent of a data breach is not known. </p>
<p>The latest media reports suggest cargo could be stranded at the ports <a href="https://www.theguardian.com/australia-news/2023/nov/13/australian-port-operator-hit-by-cyber-attack-says-cargo-may-be-stranded-for-days">for several days</a>.</p>
<p>Australian Federal Police and the Australian Cyber Security Centre <a href="https://www.msn.com/en-ae/news/world/dp-world-australia-makes-significant-progress-to-restore-operations-after-cyber-attack/ar-AA1jMEHJ">are investigating</a> the source and nature of the attack, <a href="https://www.msn.com/en-gb/news/world/australia-locks-down-ports-after-nationally-significant-cyberattack/ar-AA1jKAFg">deemed a</a> “nationally significant incident” by federal cybersecurity coordinator Darren Goldie.</p>
<h2>Is there evidence of this being a malicious attack?</h2>
<p>The timing, scale and impact of the disruption do suggest this was a targeted attack.</p>
<p>It occurred on a Friday night, when most staff were off duty and less likely to notice or respond to the incident. The target was a major port operator that handles a significant share of Australia’s trade and commerce. Such an attack can have serious consequences for Australia’s economy, security and sovereignty.</p>
<p>The identity and motive of the attackers are not yet known, but the skills needed to mount such an attack suggest a foreign state actor trying to undermine Australia’s national security or economic interests.</p>
<p>In recent years, cyberattacks on ports and shipping have become more common. For instance, in February 2022, several <a href="https://www.euronews.com/2022/02/03/oil-terminals-disrupted-after-european-ports-hit-by-cyberattack">European ports</a> were hit by a cyberattack that disrupted oil terminals. In another incident early this year, a <a href="https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships">ransomware attack</a> on maritime software impacted more than 1,000 ships. Also in January 2023, the <a href="https://maritime-executive.com/article/cyberattack-threatens-release-of-port-of-lisbon-data">Port of Lisbon</a> was targeted by a ransomware attack which threatened the release of port data. </p>
<p>These incidents <a href="https://www.navy.gov.au/media-room/publications/soundings-42">highlight the vulnerability</a> of the maritime industry to cyber threats and the need for increased cybersecurity measures. </p>
<h2>How might the attack have happened?</h2>
<p>So far, the details have not been disclosed. But based on what we know about similar cases, it is possible the attack took advantage of vulnerabilities in DP World’s system. These vulnerabilities are normally closed by applying a “patch” in the same way your browser needs updating every week or two to keep it safe from being hacked.</p>
<p>Once hackers gained access, the breach likely pivoted to infiltrate the operational systems that directly manage port activities. Failing to isolate and secure these control networks allowed the incident to impact operations. </p>
<p>It is also possible access was gained via a phishing email or a malicious link. Such an attack may have tricked an employee or a contractor into opening an attachment or clicking on a link that installed malware or ransomware on the network.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-click-that-link-how-criminals-access-your-digital-devices-and-what-happens-when-they-do-109802">Don't click that link! How criminals access your digital devices and what happens when they do</a>
</strong>
</em>
</p>
<hr>
<h2>Now what?</h2>
<p>DP World is working urgently to rebuild affected systems from backups. However, resetting port management networks is a complicated process that could take days or weeks. Until the operator’s core systems are securely restored, cargo flows may face ongoing delays.</p>
<p>The Australian government is <a href="https://australiancybersecuritymagazine.com.au/australian-government-monitors-significant-stevedore-cyber-attack/">closely involved in managing the situation</a>, providing support and advice to DP World and other affected parties through the <a href="https://www.cisc.gov.au/">Critical Infrastructure Centre</a> and the <a href="https://www.cisc.gov.au/engagement/trusted-information-sharing-network">Trusted Information Sharing Network</a>. These government agencies are equipped to provide timely support in times of crisis. </p>
<h2>How can we prevent future attacks?</h2>
<p>The DP World cyberattack is a clear warning of the risks to the essential transportation services that power Australia’s trade and commerce. </p>
<p>Ports are difficult targets. To cause such a disruption, the attackers would have to be highly skilled and plan ahead. The fact ports have been successfully hacked more than once in recent times suggests threats from cybercriminals are steadily increasing. </p>
<p>For companies such as DP World, it is important to continuously monitor networks in real time, promptly install security updates, and segment networks so that the operational systems that run the terminal are kept separate from corporate IT, with only tightly controlled connections between them. </p>
<p>Dedicated, well-resourced cybersecurity personnel, employee training and incident response plans are key to improving preparedness.</p>
<p>Ports should closely coordinate with government counterparts and industry partners on intelligence sharing and cybersecurity best practices. Cyberthreats evolve so quickly, always being prepared for the latest one is a significant challenge. </p>
<p>For a seamless flow of goods, we need to be constantly vigilant of potential threats to our supply chain infrastructure. This latest attack is an urgent reminder that cyber resilience must be a top priority.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-to-make-fragile-global-supply-chains-stronger-and-more-sustainable-169310">How to make fragile global supply chains stronger and more sustainable</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Port operator DP World handles roughly 40% of Australia’s sea freight. Over the weekend its ports were disrupted by what appears to be a malicious, targeted cyberattack.David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/2112332023-08-28T11:39:01Z2023-08-28T11:39:01ZInternational ransomware gangs are evolving their techniques. The next generation of hackers will target weaknesses in cryptocurrencies<figure><img src="https://images.theconversation.com/files/542594/original/file-20230814-24-9r3xkv.jpg?ixlib=rb-1.1.0&rect=233%2C155%2C5458%2C2967&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/ransomware-cyber-security-email-phishing-internet-2014441709">Shutterstock/JLStock</a></span></figcaption></figure><p>In May 2023, the <a href="https://www.govtech.com/security/dallas-officials-say-ransomware-recovery-could-take-months">Dallas City Government</a> was hugely disrupted by a ransomware attack. Ransomware attacks are so-called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted. </p>
<p>The attack in Dallas put a halt to hearings, trials and jury duty, and the eventual <a href="https://www.nbcdfw.com/news/local/dallas-municipal-court-building-closed-this-week-due%20to-ongoing-ransomware-attack/3262694/">closure</a> of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, <a href="https://www.nbcdfw.com/news/local/ransomware-attack-still-impacts-police%20as-dallas-plans-summer-youth-programs/3259229/">summer youth programmes</a>. The <a href="https://www.cbsnews.com/texas/news/royal-ransomware-group-threatens-release-sensitive-information-dallas/">criminals threatened</a> to publish sensitive data, including personal information, court cases, prisoner identities and government documents.</p>
<p>One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023 when hackers exploited a vulnerability in the <a href="https://theconversation.com/moveit-hack-attack-on-bbc-and-ba-offers-glimpse-into-the-future-of-cybercrime-207670">MOVEit file transfer app</a>, which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high-profile victims, reported to include British Airways, the BBC and the chemist chain Boots.</p>
<p>According <a href="https://www.theguardian.com/technology/2023/may/10/ransomware-payments-nearly-double-in-one-year">to one recent survey</a>, ransomware payments have nearly doubled to US$1.5 million (£1.2 million) over the past year, with the highest-earning organisations the most likely to pay attackers. Sophos, a British cybersecurity firm, found that the average ransomware payment rose from US$812,000 the previous year. The average payment by UK organisations in 2023 was even higher than the global average, at US$2.1 million.</p>
<p>Meanwhile, in 2022 <a href="https://www.bbc.co.uk/news/uk-60158874">The National Cyber Security Centre</a> (NCSC) issued new guidance urging organisations to bolster their defences amid fears of more state-sponsored cyber attacks linked to the conflict in Ukraine. It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.</p>
<hr>
<p><strong><em>This article is part of Conversation Insights</em></strong>
<br><em>The Insights team generates <a href="https://theconversation.com/uk/topics/insights-series-71218">long-form journalism</a> derived from interdisciplinary research. The team is working with academics from different backgrounds who have been engaged in projects aimed at tackling societal and scientific challenges.</em></p>
<hr>
<p>In reality, not a week goes by without attacks affecting governments, schools, hospitals, businesses and charities, all over the world. These attacks have significant financial and societal costs. They can affect small businesses, as well as huge corporations, and can be particularly devastating for those involved.</p>
<p>Ransomware is now <a href="https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/">widely acknowledged</a> as a major threat and challenge to modern society. </p>
<p>Yet ten years ago it was nothing more than a theoretical possibility and niche threat. The way in which it has quickly evolved, fuelling criminality and causing untold damage should be of major concern. The ransomware “business model” has become increasingly sophisticated with, for instance, advances in <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9895237">malware attack vectors</a>, <a href="https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/">negotiation strategies</a> and the structure of criminal enterprise itself.</p>
<p>There is every expectation that criminals will continue to adapt their strategies and cause widespread damage for many years to come. That’s why it is vital that we study the ransomware threat and preempt these tactics so as to mitigate the long-term threat – and that is exactly what our research team is doing.</p>
<p><strong>Prediction of global ransomware damage costs - source: Cybersecurity Ventures</strong></p>
<figure class="align-center ">
<img alt="A graph showing the damages related to ransomware" src="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=373&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=373&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=373&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=469&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=469&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=469&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>For many years <a href="https://ieeexplore.ieee.org/abstract/document/9854946">our research</a> has looked <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">to preempt this evolving threat</a> by exploring new strategies that ransomware criminals can use to extort victims. The aim is to forewarn, and be ahead of the game, without identifying specifics that could be used by criminals. In our <a href="https://arxiv.org/pdf/2308.00590.pdf">latest research</a>, which has been peer reviewed and will be published as part of the International Conference on Availability, Reliability and Security (<a href="https://www.ares-conference.eu/">ARES</a>), we have identified a novel threat that exploits vulnerabilities in cryptocurrencies.</p>
<h2>What is ransomware?</h2>
<p>Ransomware can mean subtly different things in different contexts. In 1996, Adam Young and Mordechai “Moti” Yung at Columbia University <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=502676">described</a> the basic form of a ransomware attack as follows: </p>
<p>Criminals breach the cybersecurity defences of the victim (through tactics such as phishing emails, or by using an insider or rogue employee). Once inside, they deploy the ransomware, whose main function is to encrypt the victim’s files so as to lock the victim out of them. In Young and Yung’s scheme the files are encrypted with a freshly generated key that is itself encrypted under the attacker’s public key, so only the attacker’s matching private key (which can be thought of as a long string of characters) can unlock the data. The third stage of the attack is the criminal demanding a ransom in exchange for releasing that key. </p>
<p>The simple reality is that many victims <a href="https://www.bbc.co.uk/news/business-60478725">pay the ransom</a>, with ransoms potentially into the millions of dollars.</p>
<p>Using this basic characterisation of ransomware it is possible to distinguish different types of attack. At one extreme there are the “low level” attacks where files are not encrypted or criminals do not attempt to extract ransoms. At the other extreme, attackers make considerable efforts to maximise disruption and extract a ransom.</p>
<p>The <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5461132/">WannaCry ransomware attack</a> in May 2017 is such an example. The attack, <a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and">linked to the North Korean government</a>, made no real attempt to extract ransoms from victims. Nevertheless, it led to widespread disruption across the world, <a href="https://www.bbc.co.uk/news/technology-41753022">including to the UK’s NHS</a>, with some cybersecurity risk-modelling organisations estimating the global economic losses in the billions of dollars.</p>
<p>It is difficult to discern motive in this case, but, generally speaking, political intent, or simple error on the part of the attackers may contribute to the lack of coherent value-extraction through extortion.</p>
<p>Our research focuses on the second extreme of ransomware attacks in which criminals look to coerce money from their victims. This does not preclude a political motive. Indeed, there is evidence of <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4507111">links between major ransomware groups and the Russian state</a>. We can distinguish the degree to which ransomware attacks are motivated by financial gain by observing the effort invested in negotiation, a willingness to support or facilitate payment of the ransom, and the presence of money laundering services. By investing in tools and services which facilitate payment of the ransom, and its conversion to fiat currency, the attackers signal their financial motives.</p>
<h2>The impact of attacks</h2>
<p>As the attack on the Dallas City Government shows, the financial and social impacts of ransomware attacks can be <a href="https://heimdalsecurity.com/blog/companies-affected-by-ransomware">diverse and severe</a>.</p>
<p>High-impact ransomware attacks, such as the one which targeted <a href="https://www.bbc.co.uk/news/business-57178503">Colonial Pipeline in May 2021</a> and took a major US fuel pipeline offline, are obviously dangerous to the continuity of vital services. </p>
<p>In January 2023, there was a ransomware <a href="https://talion.net/blog/royal-mail%20cyber-attack-wheres-my-mail-gone/">attack on the Royal Mail</a> in the UK that led to the suspension of international deliveries. It took over a month for service levels to <a href="https://www.bbc.co.uk/news/business-64718824">get back to normal</a>. This attack would have had a significant direct impact on the Royal Mail’s revenue and reputation. But, perhaps more importantly, it impacted all the small businesses and people who rely on it.</p>
<p>In May 2021, Ireland’s public health service, the Health Service Executive (HSE), was hit by a ransomware attack. This affected every aspect of patient care, with widespread cancellation of appointments. The <a href="https://www.bbc.co.uk/news/world-europe-57184977">Taoiseach Micheál Martin said</a>: “It’s a shocking attack on a health service, but fundamentally on the patients and the Irish public.” Sensitive data was also reportedly leaked. The financial impact of the attack could be as <a href="https://www.infosecurity-magazine.com/news/ransomware-attack-cost-irish">high as 100 million euros</a>. This, however, does not account for the health and psychological impact on patients and medics affected by the disruption.</p>
<p>As well as health services, education has also been a prime target. For instance, in January 2023 a school in Guildford, UK, suffered an attack with the criminals threatening to publish sensitive data including safeguarding reports and <a href="https://therecord.media/vice-society-ransomware-guildford-school-student-data-extortion">information about vulnerable children</a>.</p>
<p>Attacks are also timed to maximise disruption. For instance, an attack in June 2023 on <a href="https://www.bbc.co.uk/news/uk-england-dorset-65685607">a school in Dorchester, UK</a>, left the school unable to use email or access services during the main exam period. This can have a profound impact on children’s wellbeing and educational achievement.</p>
<p>These examples are by no means exhaustive. Many attacks, for instance, directly target businesses and charities that are too small to attract attention. The impact on a small business, in terms of business disruption, lost reputation and the psychological cost of facing the consequences of an attack <a href="https://academic.oup.com/cybersecurity/article/%206/1/tyaa023/6047253?login=false">can be devastating</a>. As an example, a survey in 2021 found that <a href="https://atlasvpn.com/blog/31-of-us-companies-close-down-after-falling-victim-to-ransomware">34% of UK businesses that suffered a ransomware attack</a> subsequently closed down. And, many of the businesses that continued operation still had to lay off staff.</p>
<h2>It began with floppy disks</h2>
<p>The origins of ransomware are usually traced back to the <a href="https://medium.com/@alinasimone/the-bizarre-pre-internet-history-of-ransomware-bb480a652b4b">AIDS or PC Cyborg Trojan</a> in the 1980s. In this case, victims who inserted a floppy disk into their computer would find their files subsequently encrypted and a payment requested. Disks were distributed to attendees of, and people interested in, specific conferences, who would then attempt to use the disk to complete a survey and instead become infected with the trojan. Files on affected computers were encrypted using a symmetric key embedded in the trojan’s own code, so the key was present on every infected machine. A victim could, in principle, have extracted that key and restored access to their files without paying. The victim, though, may not have known that this was possible, as even now technical knowledge of cryptography is not common among most PC users.</p>
<p>Eventually, law enforcement traced the floppy disks to a Harvard-taught <a href="https://edition.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html">evolutionary biologist named Joseph Popp</a>, who was conducting AIDS research at the time. He was arrested and charged with multiple counts of blackmail, and has been credited by some with being the inventor of ransomware. No one knows exactly what provoked Popp to do what he did.</p>
<figure class="align-center ">
<img alt="Early form of white computer text on red background" src="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=293&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=293&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=293&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The on-screen message after the AIDS Trojan Horse ransomware was activated.</span>
<span class="attribution"><a class="source" href="https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)">wikipedia</a></span>
</figcaption>
</figure>
<p>Many <a href="https://arxiv.org/pdf/2107.09470.pdf">early versions</a> of ransomware used weak or badly implemented cryptography, so the key the criminal was trying to hide from the victim could often be recovered from the malware itself or from the infected machine. This is one reason why ransomware really came of age with the <a href="https://www.bbc.co.uk/news/technology/28661463">CryptoLocker attack in 2013</a> and 2014.</p>
<p>CryptoLocker was the first technically sound ransomware to be distributed en masse. Thousands of victims saw their files encrypted in a way that could not be undone by analysing the malware: the private key needed for decryption was held only by the attackers, and victims could not restore access to their files without it. Ransoms of around US$300-600 were demanded and it is estimated the criminals <a href="https://www.bbc.co.uk/news/technology-28661463">got away with</a> around US$3 million. CryptoLocker was eventually shut down in 2014 following an operation involving multiple international law enforcement agencies.</p>
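<p>The difference between the AIDS Trojan’s recoverable design and the Young and Yung model that CryptoLocker followed comes down to where the file-encryption key ends up. The following Go program is an added example, not code from the article or from any malware family it names: it encrypts a constructed in-memory byte string under a fresh key and compares the two designs, leaving the key on the “machine” in one case and wrapping it with an RSA-OAEP public key in the other. The function names, the 2048-bit RSA key and AES-256-GCM are this example’s own choices; CryptoLocker’s actual parameters are not taken from the page.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what the malware leaves behind. Constructed for illustration: an in-memory byte slice, never files.
type Locked struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
	WrappedKey []byte // file key RSA-OAEP encrypted to the attacker's public key (Young and Yung model)
	LocalKey   []byte // file key left in the clear on the machine (AIDS Trojan model); nil otherwise
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key, prepending a fresh random nonce to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or a tampered blob fails authentication.
func openGCM(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// newAttackerKey stands in for the key pair the criminal generates once, offline, and never ships.
func newAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// lock encrypts plaintext under a fresh per-victim key. With pub == nil the key is simply left on
// the machine (the 1989 design). With an attacker public key the file key is RSA-OAEP wrapped and
// its plaintext copy wiped, so nothing left behind can undo the encryption.
func lock(pub *rsa.PublicKey, plaintext []byte) (Locked, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return Locked{}, err
	}
	ct, err := sealGCM(k, plaintext)
	if err != nil {
		return Locked{}, err
	}
	if pub == nil {
		return Locked{Ciphertext: ct, LocalKey: k}, nil
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
	copy(k, make([]byte, len(k))) // wipe the only plaintext copy of the file key
	return Locked{Ciphertext: ct, WrappedKey: wrapped}, err
}

// victimRecover is the most a victim can do with only what the malware left behind.
func victimRecover(l Locked) ([]byte, error) {
	if l.LocalKey != nil {
		return openGCM(l.LocalKey, l.Ciphertext)
	}
	return nil, fmt.Errorf("no usable key on the machine: the file key exists only inside an RSA ciphertext")
}

// attackerRelease is what a ransom payment buys: the attacker's private key unwraps the file key.
func attackerRelease(priv *rsa.PrivateKey, l Locked) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openGCM(k, l.Ciphertext)
}

func main() {
	priv, _ := newAttackerKey()
	local, _ := lock(nil, []byte("constructed sample record"))
	wrapped, _ := lock(&priv.PublicKey, []byte("constructed sample record"))
	_, eLocal := victimRecover(local)
	_, eWrapped := victimRecover(wrapped)
	_, eRelease := attackerRelease(priv, wrapped)
	fmt.Println(eLocal == nil, eWrapped == nil, eRelease == nil) // true false true
}
```

<p>Run with <code>go run</code>; the three booleans show that the victim can recover the data only in the local-key variant, while in the wrapped variant nothing on the machine suffices and only the holder of the private key can release it. That asymmetry is why memory and disk forensics occasionally recover keys for carelessly built families but not for ones built on this model.</p>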
<p>CryptoLocker was pivotal in showing proof of concept that criminals could earn large amounts of money from ransomware. Subsequently, there was an explosion of new variants and new types. There was also significant evolution in the strategies used by criminals.</p>
<h2>Off-the-shelf and double extortion</h2>
<p>One important development was the emergence of ransomware-as-a-service. This is a business model, run through markets on the dark web, in which criminals can obtain and use <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">“off-the-shelf” ransomware</a> without the need for advanced computing skills, while the ransomware providers take a cut of the profits. </p>
<p>Research has shown how the dark web is the “<a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">unregulated Wild West</a> of the internet” and a safe haven for criminals to communicate and exchange illegal goods and services. It is easily accessible and, with the help of anonymisation technology and digital currencies, a global black economy is thriving there. An <a href="https://www.europol.europa.eu/cms/sites/default/files/documents/iocta_2019.pdf">estimated US$1 billion</a> was spent there during the first nine months of 2019 alone, according to Europol, the European Union’s law enforcement agency.</p>
<p>With <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468?ref=pdf_download&fr=RR-2&rr=7f373d3fbf9b0722">ransomware as a service</a> (RaaS), the barrier to entry for aspiring cyber criminals, in terms of both cost and skill, was lowered. </p>
<p>Under the RaaS model, expertise is provided by vendors who develop the malware, while the attackers themselves may be relatively unskilled. This also has the effect of compartmentalising risk: the arrest of cyber criminals using ransomware no longer threatens the entire supply chain, allowing attacks launched by other groups to continue.</p>
<p>We have also seen a movement away from mass phishing attacks, like CryptoLocker, which reached more than 250,000 systems, to more targeted attacks. That has meant an increasing focus on organisations with the revenue to pay large ransoms. Multinational organisations, legal firms, <a href="https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector">schools, universities, hospitals and healthcare providers</a> have all become prime targets, as well as many small and micro businesses and charities.</p>
<p>A more recent development in ransomware, seen in families such as NetWalker and REvil/Sodinokibi, has been the threat of double extortion. This is where the criminals not only encrypt files but also exfiltrate data by copying the files. They then have the potential to leak or post potentially sensitive and important information.</p>
<p>An example of this occurred in 2020, when one of the largest software companies, Software AG, was hit with a <a href="https://www.computerweekly.com/news/252490395/Software-AG-caught-in-double-extortion-ransomware-hit">double extortion ransomware</a> called Clop. It was reported that the attackers had requested an exceptionally high ransom payment of US$20 million (about £15.7 million) which Software AG refused to pay. This led to attackers releasing confidential company data on the <a href="https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/">dark web</a>. This provides criminals with two sources of leverage: they can ransom for the private key to decrypt files and they can ransom to stop publication of sensitive data.</p>
<p>Double extortion changes the business model of ransomware in interesting ways. In particular, with standard ransomware, there is a relatively straightforward incentive for a victim to pay a ransom for access to the private key if that would allow decryption of the files, and they cannot access the files through any other means. The victim “only” needs to trust the cyber criminal will give them the key and that the key will work.</p>
<h2>‘Honour’ among thieves?</h2>
<p>But with data exfiltration, by contrast, it is not obvious what the victim gets in return for paying the ransom. The criminals still have the sensitive data and could still publish it any time they want. They could, indeed, ask for subsequent ransoms to not publish the files.</p>
<p>Therefore, for data exfiltration to be a viable business strategy the criminals need to build a <a href="https://www.mdpi.com/2073-4336/10/2/26">credible reputation</a> of “honouring” ransom payments. This has arguably led to a normalised <a href="https://www.pure.ed.ac.uk/ws/portalfiles/portal/257573307/How_Cyber_Insurance_WOODS_%20DOA27052021_VOR.pdf">ransomware ecosystem</a>.</p>
<p>For instance, ransom negotiators are private contractors and in some cases are required as part of a cyber insurance agreement to provide expertise in the managing of crisis situations involving ransomware. Where instructed, they will facilitate negotiated ransom payments. Within this ecosystem, some ransomware criminal gangs have developed a reputation for not publishing data (or at least delaying publication) if a ransom is paid.</p>
<p>More generally, the encryption, decryption or exfiltration of files is typically a difficult and costly task for criminals to pull off. It is far simpler to delete the files and then claim they have been encrypted or exfiltrated and demand a ransom. However, if the victims suspect that they won’t be getting the decryption key or encrypted data back then they won’t pay the ransom. And those that do pay a ransom and get nothing in return may disclose that fact. This is likely to impact the attacker’s “reputation” and the likelihood of future ransom payments. Simply put, it pays to play “fair” in the world of extortion and ransom attacks.</p>
<p>So in less than ten years we have seen the ransomware threat evolve enormously from the relatively low-scale CryptoLocker to a <a href="https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/">multi-million dollar business</a> involving organised criminal gangs and sophisticated strategies. From 2020 onwards the incidence of ransomware, and the consequent losses, has seemingly increased by another order of magnitude. Ransomware has become too big to ignore and is now a major concern for governments and law enforcement.</p>
<h2>Crypto extortion threats</h2>
<p>Devastating though ransomware has become, the threat will inevitably evolve further, as criminals develop new techniques for extortion. As mentioned already, a key theme in our collective research over the last ten years has been to try and preempt the likely strategies that criminals can employ so as to be ahead of the game. </p>
<p>Our research <a href="https://arxiv.org/pdf/2308.00590.pdf">is now focused on</a> the next generation of ransomware, which we believe will include variants focused on cryptocurrency, and the “consensus mechanisms” used within them.</p>
<p>A consensus mechanism is any method (usually algorithmic) used to achieve agreement, trust and security across a decentralised computer network.</p>
<figure class="align-center ">
<img alt="Financial business concept, bitcoin, etheruem, litecoin" src="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The next target could be crypto.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/financial-business-concept-bitcoin-etheruem-litecoin-1056178808">Shutterstock/sundaemorning</a></span>
</figcaption>
</figure>
<p>Specifically, cryptocurrencies are increasingly using a so called “<a href="https://theconversation.com/ethereum-second-biggest-cryptocurrency-to-cut-energy-use-by-over-99-but-the-industry-still-has-a-long-way-to-go-189907">proof-of-stake</a>” consensus mechanism, in which investors stake significant sums of currency, to validate crypto transactions. These stakes are vulnerable to extortion by ransomware criminals.</p>
<p>Cryptocurrencies rely on a decentralised blockchain that provides a transparent record of all the transactions that have taken place using that currency. The blockchain is maintained by a peer-to-peer network rather than a central authority (as with conventional currency). In principle, the transaction records included in the blockchain are immutable, verifiable and securely distributed across the network, giving users full ownership and visibility into the transaction data. These properties of blockchain rely on a secure and non-manipulable “consensus mechanism” in which the independent nodes in the network “approve” or “agree” which transactions to add to the blockchain.</p>
<p>Until now, cryptocurrencies like Bitcoin have relied on a so-called “proof-of-work” consensus mechanism in which the authorisation of transactions involves the solving of complex mathematical problems (the work). In the long term this approach is unsustainable because it results in duplication of effort and avoidable <a href="https://www.forbes.com/advisor/investing/cryptocurrency/bitcoins-energy%20usage-explained/">large scale energy use</a>.</p>
<p>The alternative, which is now becoming a reality, is a “proof-of-stake” consensus mechanism. Here, transactions are approved by validators who have staked money and are financially rewarded for validating transactions. The role of inefficient work is replaced by a financial stake. While this addresses the energy problem, it means that large amounts of staked money become involved in validating crypto-transactions.</p>
<h2>Ethereum</h2>
<p>The existence of this staked money provides a novel threat to some proof-of-stake cryptocurrencies. We have focussed our attention on <a href="https://ethereum.org/en/">Ethereum</a>, a decentralised cryptocurrency that establishes a peer-to-peer network to securely execute and verify application code, known as a smart contract.</p>
<p>Ethereum is powered by the Ether (ETH) token that allows users to transact with each other through the use of these smart contracts. The Ethereum project was co-founded by Vitalik Buterin in 2013 to overcome shortcomings with Bitcoin. On September 15 2022, <a href="https://ethereum.org/en/roadmap/merge/">The Merge</a> moved the Ethereum network from proof-of-work to proof-of-stake, making it one of the first prominent proof-of-stake cryptocurrencies.</p>
<p>The proof-of-stake consensus mechanism in Ethereum relies on “validators” to approve transactions. To set up a validator there needs to be a minimum stake of 32ETH, which is currently around US$60,000 (around £43,000). Validators can then earn a financial return on their stake from operating a validator in accordance with Ethereum rules. At the time of writing there are around <a href="https://beaconscan.com/statistics">850,000 validators</a>.</p>
<p>A lot of hope is being pinned on the “stake” solution of validation - but hackers are sure to be looking into how they can infiltrate the system.</p>
<p>In our project, which was funded by the Ethereum Foundation, we identified ways in which ransomware groups could exploit the new proof-of-stake mechanism for extortion. </p>
<h2>Slashing</h2>
<p>We found that attackers could exploit validators through a process called “slashing”. While validators receive rewards for obeying the rules, there are financial penalties for validators that are seen to act maliciously. The basic objective of penalties is to prevent exploitation of the decentralised blockchain.</p>
<p>There are two forms of penalties, the most severe of which is slashing. Slashing occurs for actions that should not happen by accident and could jeopardise the blockchain, such as proposing that conflicting blocks be added to the blockchain, or trying to change history. </p>
<p>Slashing penalties are relatively severe with the validator losing a significant share of their stake, at least 1ETH. Indeed, in the most extreme case the validator could lose all of their stake (32ETH). The validator will also be forced to exit and no longer act as a validator. In short, if a validator is slashed there are big financial consequences.</p>
<p>To perform actions, validators are assigned unique signing keys that, in essence, prove who they are to the network. Suppose that a criminal got hold of the signing key? Then they could blackmail the victim into paying a ransom.</p>
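<p>The slashable offences described above (a second, conflicting block for the same slot, or attestations that contradict or surround one another) are exactly the conditions a validator client checks against its local signing history before it signs anything. The Python model below is an added illustration, not code from the article or from any Ethereum client; block and attestation roots are constructed placeholders, and the class docstring records why this check is no substitute for protecting the signing key itself.</p>

```python
"""Model of the two slashable offences on Ethereum's consensus layer:
proposer slashing (two different blocks signed for one slot) and
attester slashing (a double vote or a surround vote), expressed as the
local signing-history check a validator client performs before signing.

Added illustration only; not code from the article or any Ethereum
client. Real clients persist this history (EIP-3076 interchange format)
and produce BLS signatures; here roots are constructed placeholders and
nothing is actually signed.
"""
from dataclasses import dataclass
from typing import Optional


class SlashableError(Exception):
    """Raised when signing a message would expose the validator to slashing."""


@dataclass(frozen=True)
class BlockProposal:
    slot: int
    block_root: str  # constructed placeholder for the block hash


@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    data_root: str  # constructed placeholder for the attestation data hash


def slashable_attestation_pair(new: Attestation, old: Attestation) -> Optional[str]:
    """Why `new` conflicts with an already-signed `old`, or None if it does not.

    Follows the consensus spec's is_slashable_attestation_data rule:
    - double vote: same target epoch but different attestation data
    - surround vote: one (source, target) span strictly contains the other
    Re-signing identical data is not slashable, so that returns None.
    """
    if new.target_epoch == old.target_epoch and new.data_root != old.data_root:
        return "double vote"
    if new.source_epoch < old.source_epoch and old.target_epoch < new.target_epoch:
        return "surround vote"  # new surrounds old
    if old.source_epoch < new.source_epoch and new.target_epoch < old.target_epoch:
        return "surround vote"  # new is surrounded by old
    return None


class SlashingProtection:
    """Signing history for one validator key.

    Limit of this defence, which is why the article stresses key protection:
    it only stops this client from double-signing. An attacker who has copied
    the signing key runs their own client with an empty history, so nothing
    here can stop them producing the slashable messages.
    """

    def __init__(self) -> None:
        self.blocks: dict[int, str] = {}          # slot -> signed block root
        self.attestations: list[Attestation] = []

    def block_conflict(self, proposal: BlockProposal) -> Optional[str]:
        prev_root = self.blocks.get(proposal.slot)
        if prev_root is not None and prev_root != proposal.block_root:
            return "proposer slashing: second block at slot %d" % proposal.slot
        return None  # unsigned slot, or an identical re-sign, is safe

    def sign_block(self, proposal: BlockProposal) -> None:
        reason = self.block_conflict(proposal)
        if reason:
            raise SlashableError(reason)
        self.blocks[proposal.slot] = proposal.block_root

    def attestation_conflict(self, att: Attestation) -> Optional[str]:
        if att.source_epoch >= att.target_epoch:
            return "invalid: source epoch must precede target epoch"
        for old in self.attestations:
            reason = slashable_attestation_pair(att, old)
            if reason:
                return "attester slashing: %s against target epoch %d" % (
                    reason, old.target_epoch)
        return None

    def sign_attestation(self, att: Attestation) -> None:
        reason = self.attestation_conflict(att)
        if reason:
            raise SlashableError(reason)
        self.attestations.append(att)


if __name__ == "__main__":
    sp = SlashingProtection()
    sp.sign_block(BlockProposal(slot=100, block_root="0xaaa"))
    sp.sign_attestation(Attestation(source_epoch=10, target_epoch=12, data_root="0x01"))
    print(sp.block_conflict(BlockProposal(100, "0xbbb")))        # conflicting block
    print(sp.attestation_conflict(Attestation(10, 12, "0x02")))  # double vote
    print(sp.attestation_conflict(Attestation(9, 13, "0x03")))   # surround vote
    print(sp.attestation_conflict(Attestation(12, 14, "0x04")))  # None: safe to sign
```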
<p><strong>Flow diagram showing just how complicated it gets when there is an extortion attack against proof-of-stake validators, such as Ethereum</strong></p>
<figure class="align-center ">
<img alt="Flow chart showing what happens when ransomware attacks infiltrate crypto." src="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=604&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=604&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=604&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=759&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=759&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=759&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>A ‘smart contract’</h2>
<p>The victim may be reluctant to pay the ransom unless there is a guarantee that the criminals will not take their money and fail to return/release the key. After all, what is to stop the criminals asking for another ransom? </p>
<p>One solution we have found – which harks back to the fact that ransomware has in fact become a kind of business operated by criminals who want to prove they have an “honest” reputation – is a smart contract.</p>
<p>This automated contract can be written so that the process only works if both sides “honour” their side of the bargain. So, the victim could pay the ransom and be confident that this will resolve the direct extortion threat. This is possible through Ethereum because all the steps required are publicly observable on the blockchain – the deposit, the signed exit, the absence of slashing, and the return of the stake. </p>
<p>Functionally, these smart contracts are an <a href="https://dictionary.cambridge.org/dictionary/english/escrow">escrow system</a> in which money may be held until pre-agreed conditions are met. For instance, if the criminals force slashing before the validator has fully exited, then the contract will ensure that the ransom amount is returned to the victim. Such contracts are, however, open to abuse, and there’s no guarantee that an attacker-authored contract can be trusted. There is potential for the contract to be automated in a fully trusted way, but we have yet to observe such behaviour and systems emerge.</p>
<h2>The staking pools threat</h2>
<p>This type of “pay and exit” strategy is an effective way for criminals to extort victims if they can obtain the validator signing keys. </p>
<p>So how much damage would a ransomware attack like this do to Ethereum? If a single validator is compromised then the slashing penalty – and so maximum ransom demand – would be in the region of 1ETH, which is around US$1,800 (about £1,400). To leverage larger amounts of money the criminals, therefore, need to target organisations or staking pools that are responsible for managing large numbers of validators.</p>
<p>Remember that, given the high entry costs for individual investors, most of the validating on Ethereum will be run under “staking pools” in which multiple investors can collectively stake money. </p>
<p>To put this in perspective, Lido is the largest staking pool in Ethereum with around 127,000 validators and 18% of the total stake; Coinbase is the second largest with 40,000 validators and 6% of the total stake. In total, there are 21 staking pools operating more than 1,000 validators. Any one of these staking pools is responsible for tens of millions of dollars of stake and so viable ransom demands could also be in the millions of dollars. </p>
<p>Proof-of-stake consensus mechanisms are too young for us to know whether extortion of staking pools will become an active reality. But the general lesson of ransomware’s evolution is that the criminals tend to gravitate towards strategies that incentivise payment and increase their illicit gains.</p>
<p>The most straightforward way that investors and staking pool operators can mitigate the extortion threat we have identified is by protecting their signing keys. If the criminals cannot access the signing keys then there is no threat. If the criminals can only access some of the keys (for operators with multiple validators) then the threat may fail to be lucrative. </p>
<p>So staking pools need to take measures to secure signing keys. This would involve a range of actions, including: partitioning validators so that a breach only affects a small subset; stepping up cyber security to prevent intrusion; and robust internal processes to limit the insider threat of an employee divulging signing keys.</p>
<figure class="align-center ">
<img alt="Concept using blocks with locks and keys printed on them to show encryption keys being compromised." src="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=405&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=405&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=405&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=509&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=509&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=509&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">What happens when hackers gain access to secret keys?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/intruder-gains-access-secrets-hacker-hacking-2249792687">Shutterstock/Andrii Yalanskyi</a></span>
</figcaption>
</figure>
<p>The staking pool market for cryptocurrencies like Ethereum is competitive. There are many staking pools, all offering relatively similar services, and competing on price to attract investors. These competitive forces, and the need to cut costs, may lead to relatively lax security measures. Some staking pools may, therefore, prove a relatively easy target for criminals.</p>
<p>Ultimately, this can only be solved with regulation, greater awareness and for investors in staking pools to demand high levels of security to protect their stake.</p>
<p>Unfortunately, the history of ransomware suggests that high profile attacks will need to be seen before the threat is taken seriously enough. It is interesting to contemplate the consequences of a significant breach of a staking pool. The reputation of the staking pool would presumably be badly affected and so the staking pool’s viability in a competitive market is questionable. An attack may also have implications for the reputation of the currency.</p>
<p>At the most serious, it could lead to a currency collapsing. When that happens - as it did with <a href="https://www.bbc.co.uk/news/business-64313624">FTX in 2022</a> following another hacking attack - there are knock-on effects to the global economy.</p>
<h2>Here to stay</h2>
<p>Ransomware will be a challenge for years, if not decades, to come. </p>
<p>One potential vision of the future is that ransomware just becomes part of normal economic life with organisations facing the constant threat of attack, with few consequences for the largely anonymous gangs of cyber criminals behind the scams.</p>
<p>To preempt such negative consequences we need greater awareness of the threat. Then investors can make more informed decisions over which staking pools and currencies to invest in. It also makes sense to have a <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">market with many staking pools</a>, rather than a market dominated by just a few large ones, as this could insulate the currency from possible attacks.</p>
<p>Beyond crypto, preemption involves investment in cyber security across a range of forms – from staff training to an organisational culture that supports reporting of incidents. It also involves investment in recovery options, such as effective back-ups, in-house expertise, insurance and tried and tested contingency plans. </p>
<p>Unfortunately, cyber security practices are not improving as one might hope in many organisations and this is leaving the door open for cyber criminals. Essentially, everyone needs to get better at hiding, and protecting, their digital keys and sensitive information if we are to stand a chance against the next generation of ransomware attackers.</p>
<p class="fine-print"><em><span>Alpesh Bhudia's research was funded by the Ethereum Foundation for the project “Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators” and “REVOKE: Consensus-layer mitigations for validator ransomware attacks”, from which this article derives some contributions.
The research team is scheduled to present their findings on August 30 at the ARES Conference. </span></em></p>
<p class="fine-print"><em><span>Anna Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p>
<p class="fine-print"><em><span>Darren Hurley-Smith received funding from The Ethereum Foundation, for the REVOKE project, from which this article derives some theoretical contributions. </span></em></p>
<p class="fine-print"><em><span>Edward Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p>
<p>What will ransomware attackers focus on next?</p>
<p>Alpesh Bhudia, Doctoral Researcher in Cyber Security, Royal Holloway University of London; Anna Cartwright, Principal Lecturer in Accounting, Finance and Economics, Oxford Brookes University; Darren Hurley-Smith, Senior Lecturer in Information Security, Royal Holloway University of London; Edward Cartwright, Professor of Economics, De Montfort University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/204749 2023-05-04T05:58:31Z 2023-05-04T05:58:31Z</p>
<p><strong>Deterring China isn’t all about submarines. Australia’s ‘cyber offence’ might be its most potent weapon</strong></p>
<figure><img src="https://images.theconversation.com/files/524258/original/file-20230504-14-7qzz0j.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6016%2C4016&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Australia doesn’t need to wait ten or 20 years for its new submarines, or for long-range missiles, to project effective military power against China.</p>
<p>It has the ability to use its cyber forces to strike strategic targets inside China now, or for the sake of deterrence, to hold out that threat.</p>
<p>Cyber attacks are aimed at breaking into enemy military networks to disrupt or disable their systems. They can be used against a variety of weapons and communications systems.</p>
<p>Cyber forces are now an integral part of a country’s strike capability in wartime. The United States is even now planning wartime cyber attacks against China, should they be needed. According to 2018 figures, the Americans have a force of <a href="https://misi.tech/docs/Nakasone_03-25-21.pdf">around 240,000 defence personnel and contractors</a> in place to contribute to cyber defence and cyber attack, with up to one-third likely available to support the latter.</p>
<p>In the event of war, these US cyber attacks could be sustained across the full range of Chinese war capacity. The aim would be to gain what’s called “decision dominance”. This is the “disintegration” of China’s systems and decision-making, “thereby defeating their offensive capabilities” – if we can interpret remarks of the former commander of US Indo-Pacific Command, <a href="https://www.pacom.mil/Media/Speeches-Testimony/Article/2101115/transforming-the-joint-force-a-warfighting-concept-for-great-power-competition/">Admiral Philip Davidson</a>, to be a reference to China.</p>
<p>Australia has been much more guarded in discussing cyber offence than the US, but the two allies are in step. Canberra is in the process of tripling the size of its offensive cyber forces under <a href="https://www.asd.gov.au/about/redspice">Project Redspice</a>, announced last year.</p>
<p>It could attack military command and control assets anywhere in China in the event of war. Softer targets might include critical national infrastructure, such as the energy grid supporting the war effort.</p>
<p>Australia’s cyber force will remain small compared with the US. But it can also call on private domestic or foreign corporations to design attack packages against China, as the US does. </p>
<p>Australia is aiming for world-class offensive options in cyberspace. The AUKUS allies coordinate closely together on cyber operations, and this area of activity is a prime focus for the new grouping.</p>
<p>In 2020, the United Kingdom set up a new organisation, its <a href="https://www.gov.uk/government/organisations/national-cyber-force">National Cyber Force</a>, dedicated to offensive strike operations.</p>
<p>As part of this “cyber three” alliance with the US and UK, Australia’s cyber force will likely remain the country’s most powerful strike capability against China for decades to come.</p>
<h2>China’s cyber security weakness</h2>
<p>Of course, success isn’t assured with cyber attacks. But causing disruption on a significant scale can be achieved with a highly focused effort across all phases of offensive cyber operations, especially in coordination with our allies.</p>
<p>The most important phase is the first one: ensuring up-to-date intelligence on the other side’s systems. The effort put into cyber intelligence against China’s armed forces is actually the foundation of cyber offensive teams, even if the intelligence people aren’t counted as having an “offensive” role.</p>
<p>China is adept at cyber offence. But contrary to popular belief, cyber security isn’t a strong point for China, and this makes it particularly vulnerable to attack in wartime. The International Institute for Strategic Studies <a href="https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---china.pdf">has assessed</a> that China has certain fundamental weaknesses that will take many years to overcome, including in its cyber security industry, education and policy.</p>
<p>Chinese leaders <a href="https://www.thechinastory.org/chinas-cyber-defence-weakness-military-consequences/">believe</a> they’re well behind the US and allies in terms of military cyber capability. This will likely <a href="https://www.iiss.org/sv/events/2020/06/chinas-weak-cyber-defences/">constrain their choices</a> about starting any war over Taiwan.</p>
<h2>Political sensitivities?</h2>
<p>There’s no need for Australia to be shy about this offensive capability against China on political grounds, because China is planning to do the same against us in the event of war.</p>
<p>China is already conducting cyber espionage on Australia and other countries in preparation for a major crisis. It’s almost certainly <a href="https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---china.pdf">developing capabilities</a> to disable enemy military systems and infrastructure if needed.</p>
<p>Defence Minister Richard Marles <a href="https://www.minister.defence.gov.au/media-releases/2023-03-14/aukus-nuclear-powered-submarine-pathway">recently restated</a> the long-held view that the more offensive capabilities we have, for example through submarines, the more the country can contribute to allied deterrence of potential aggressors.</p>
<p>Australian political leaders must prioritise the military’s ability to attack targets in China at scale, in the unlikely event of war. And leaders need to ensure cyber forces have more highly trained people dedicated to this task and a more powerful domestic cyber industry.</p>
<p>For military and political leaders to go down this path more robustly, the Australian Defence Force will also need to reassess the military balance of power in the Asia-Pacific to take account of the US and its allies’ cyber superiority over China.</p>
<p>This might also allow Australians to feel more secure about possible Chinese military threats. The choices Chinese leaders might make in provoking a crisis will be shaped by their view that their armed forces aren’t as competitive in this dimension of US and allied military power.</p>
<p class="fine-print"><em><span>Greg Austin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Contrary to popular belief, cyber security isn’t a strong point for China and this makes it particularly vulnerable to attack in wartime.</p>
<p>Greg Austin, Adjunct Professor, Australia-China Relations Institute, University of Technology Sydney. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/203146 2023-04-03T20:10:08Z 2023-04-03T20:10:08Z</p>
<p><strong>Russia’s shadow war: Vulkan files leak show how Putin’s regime weaponises cyberspace</strong></p>
<p>Recent revelations about the close partnership between the Kremlin and <a href="https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics">NTC Vulkan</a>, a Russian cybersecurity consultancy with links to the military, provide some rare insights into how the Putin regime weaponises cyberspace. </p>
<p>More than 5,000 documents have been leaked by an anonymous <a href="https://www.techtimes.com/articles/289822/20230331/vulkan-files-unmask-putin-russia-launched-shocking-cyberwarfare-world.htm">whistleblower</a>, angry at Russia’s conduct in the war in Ukraine. They purport to reveal details about hacking tools to seize control of vulnerable servers; domestic and international disinformation campaigns; and ways to digitally monitor potential threats to the regime. </p>
<p>Although caution is always necessary before accepting claims about cyber capabilities, it’s noteworthy several Western intelligence agencies have <a href="https://www.washingtonpost.com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/">confirmed</a> the documents appear genuine.</p>
<p>The leak also corroborates the view of many strategists: that the Russian government regards offensive cyber capabilities as part of a holistic effort to degrade its enemies. This includes the sowing of mistrust via social media, the gathering of <em><a href="https://www.washingtonpost.com/posteverything/wp/2017/01/13/how-russian-kompromat-destroys-political-opponents-no-facts-required/">kompromat</a></em> (compromising material), and the ability to target crucial infrastructure. </p>
<p>That list of enemies is a long one, and has grown since Putin’s full-scale invasion of Ukraine in February 2022. Naturally, the Kremlin’s just-released 2023 <a href="https://www.rbc.ru/rbcfreenews/6426ad869a79473fe8810ade">Foreign Policy Concept</a> identifies the United States as the “main source of threats” to Russian security.</p>
<p>But Ukraine, every NATO and European Union member, and several other states are identified as “<a href="https://www.1news.co.nz/2022/03/07/new-zealand-joins-russias-unfriendly-countries-list/">unfriendly countries</a>”, including Australia, Japan, Singapore and New Zealand.</p>
<h2>War in the shadows</h2>
<p>Russia utilises a range of methods to wage war in cyberspace.</p>
<p>On one end of the spectrum, it uses groups attached to official agencies, such as the GRU (military intelligence) and the FSB (ostensibly domestic intelligence, but it also carries out missions overseas).</p>
<p>The GRU’s groups include <a href="https://www.wired.com/story/russia-gru-sandworm-serebriakov/">Sandworm</a> and <a href="https://www.crowdstrike.com/blog/who-is-fancy-bear/">Fancy Bear</a>. Another group, <a href="https://www.crowdstrike.com/adversaries/cozy-bear/">Cozy Bear</a>, is associated with the FSB.</p>
<p>One or more of these groups have been responsible for a series of prominent cyber attacks on a range of targets, including:</p>
<ul>
<li><p>the <a href="https://www.reuters.com/article/usa-military-cyberattack-idINKCN0QB2CH20150806">Pentagon</a> in 2015</p></li>
<li><p>the Ukrainian <a href="https://cyberlaw.ccdcoe.org/wiki/Power_grid_cyberattack_in_Ukraine_(2015)">power grid</a> in 2015</p></li>
<li><p>the 2016 <a href="https://www.theguardian.com/technology/2016/jul/29/cozy-bear-fancy-bear-russia-hack-dnc">Democratic National Convention</a></p></li>
<li><p>the 2017 <a href="https://resources.infosecinstitute.com/topic/apt-sandworm-notpetya-technical-overview/">NotPetya</a> ransomware attacks, which targeted Ukraine but spread globally</p></li>
<li><p>German and French <a href="https://www.reuters.com/article/france-election-cyber-germany-idUSL1N1IB1SL">elections</a> in 2017 and 2018 </p></li>
<li><p>the <a href="https://securingdemocracy.gmfus.org/incident/russian-gru-connected-fancy-bear-hacking-group-targets-international-olympic-committee/">International Olympic Committee</a></p></li>
<li><p>US-based NGOs and <a href="https://www.gmfus.org/news/gmf-statement-2018-cyber-attacks">think tanks</a></p></li>
<li><p><a href="https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development">COVID-19 vaccine data</a></p></li>
<li><p>the 2021 <a href="https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee">Republican National Committee</a></p></li>
<li><p>and a 2022 attempt to cause a <a href="https://www.wired.com/story/sandworm-russia-ukraine-blackout-gru/">power blackout</a> in Ukraine.</p></li>
</ul>
<p>At the other end of the spectrum, Russian information operations regularly use armies of bots and trolls, as well as unsuspecting “<a href="https://academic.oup.com/ia/article/94/5/975/5092080">citizen curators</a>”, to spread false narratives. </p>
<p>Doing so is cheap and increases the distance between the attacker and its agents, allowing for plausible deniability.</p>
<p>Like biological warfare, it also weaponises the targets to do the job of spreading the narrative disease for it. </p>
<p>Russian information campaigns operate globally, among nations it considers its friends as well as its adversaries. Russian-weaponised media can be found in <a href="https://www.brookings.edu/blog/order-from-chaos/2022/02/08/russias-wagner-group-in-africa-influence-commercial-concessions-rights-violations-and-counterinsurgency-failure/">Africa</a>, where the Russian Wagner paramilitary organisation has been especially active, as well as in <a href="https://www.nytimes.com/2022/03/29/technology/twitter-russia-india.html">South Asia</a> and <a href="https://theconversation.com/russian-trolls-targeted-australian-voters-on-twitter-via-auspol-and-mh17-101386">Australia</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/russian-trolls-targeted-australian-voters-on-twitter-via-auspol-and-mh17-101386">Russian trolls targeted Australian voters on Twitter via #auspol and #MH17</a>
</strong>
</em>
</p>
<hr>
<p>In many respects, Russian information operations mimic Soviet geopolitical doctrine during the Cold War. This focused on courting areas of the world where the West was weakest.</p>
<p>But in the grey space between official agencies, useful idiots and unwitting proxies is an area of increasing emphasis in Russian cyberwar: outsourcing. Some of these contractors, such as Vulkan, retain an aura of respectability as consultancies that do government work as well as contracting to other firms.</p>
<p>They also include the Internet Research Agency in St Petersburg, which was used to coordinate social media attacks on the US Democratic Party during the 2018 mid-term elections, leading to an <a href="https://www.justice.gov/file/1035477/download">indictment</a> by the Department of Justice. </p>
<p>Others are <a href="https://www.state.gov/transnational-organized-crime-rewards-program-2/maksim-viktorovich-yakubets/">organised criminal gangs</a>, like the aptly named “EvilCorp”, that use malware to harvest people’s banking details or personal information.</p>
<p>The November 2022 breach of Australia’s private health insurer <a href="https://www.aljazeera.com/news/2022/11/11/australian-police-blame-russian-hackers-for-medical-records-leak">Medibank</a>, which exposed patients’ sensitive health details such as treatments for drug addiction or HIV, was one example.</p>
<h2>The Vulkan revelations</h2>
<p>The Vulkan leak adds more detail to what we know about Russian methods, tactics and targets in cyberspace. The GRU group Sandworm is identified as having authorised Vulkan to help build “<a href="https://www.lemonde.fr/en/pixels/article/2023/03/30/skan-the-cyberattack-tool-developed-by-vulkan_6021229_13.html">Skan-V</a>”, a piece of software that can monitor the internet to detect vulnerable servers to hack.</p>
<p>Another Vulkan project, known as “<a href="https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics">Fraction</a>”, was designed to monitor social media sites for key words to identify regime opponents, both at home and abroad.</p>
<p>An even larger project in which Vulkan seems to have been engaged was “<a href="https://www.lemonde.fr/en/pixels/article/2023/03/30/inside-vulkan-the-digital-weapons-factory-of-russian-intelligence-services_6021230_13.html">Amezit</a>”. This is a tool that would enable operators to seize control of the internet both inside Russia and in other nations, and hijack information flows.</p>
<p>To function, its users need to be able to control physical infrastructure such as mobile phone towers and wireless internet nodes. Amezit can then be used to mimic legitimate sites and social media profiles, scrub content that might be deemed hostile, and replace it with disinformation.</p>
<p>Given the requirement to possess physical infrastructure, it’s clear Amezit was designed not solely as a piece of software, but to operate in tandem with the coercive instruments of a state.</p>
<p>This has internal uses as well as external ones. Domestically, it could be used to silence dissent in restive Russian regions. In a war zone, such as Ukraine, it could be used alongside Russia’s armed forces to intercept government communications and swap genuine information sources for false ones.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/as-russia-wages-cyber-war-against-ukraine-heres-how-australia-and-the-rest-of-the-world-could-suffer-collateral-damage-177909">As Russia wages cyber war against Ukraine, here's how Australia (and the rest of the world) could suffer collateral damage</a>
</strong>
</em>
</p>
<hr>
<p>The Vulkan leak also included information on physical objects. Although not a concise target list, its software allowed users to map physical infrastructure. This included airports worldwide, the Swiss Ministry of Foreign Affairs, and the Mühleberg <a href="https://www.spiegel.de/international/world/the-vulkan-files-a-look-inside-putin-s-secret-plans-for-cyber-warfare-a-4324e76f-cb20-4312-96c8-1101c5655236">nuclear power plant</a> near Bern.</p>
<p>What’s more, the document drop featured mapped clusters of <a href="https://www.silicon.co.uk/e-regulation/governance/leaked-vulkan-files-reveal-kremlins-cyberwarfare-tactics-504543">internet servers</a> in the United States. And the Skan-V project identified a site in the US labelled “<a href="https://ctexaminer.com/2023/03/30/fairfield-named-as-site-for-cyber-attack-in-lealked-russian-documents/">Fairfield</a>” as a potentially vulnerable point of entry.</p>
<p>If the documents are accurate, Vulkan’s work for the Russian government shows how extensive the Kremlin’s attempts have been to monitor digital infrastructure, collect information about vulnerabilities, and develop the capacity to hijack it.</p>
<h2>Combating Russian cyber attacks</h2>
<p>Cyber threats are insidious because they can be used in multiple combinations and aimed at different targets. Hack-and-leak campaigns against influential figures can be mixed with attempts to sabotage vital infrastructure, perform corporate espionage, undermine social cohesion and trust, and push fringe narratives to the political centre.</p>
<p>They can be drip-fed into the digital ecosystem. Or, much like the campaign that accompanied Russia’s takeover of Crimea in 2014, they can be employed <a href="https://www.businessinsider.com/russia-cyberattack-ukraine-2014-3">all at once</a> in a cyber-blizzard.</p>
<p>This makes cyber attacks very hard to build resilience against, and even harder to deter. They are a weapon of potentially mass disruption that can result in real casualties. Turning off the power grid in a city, for example, can lead to deaths among people on life support in hospitals, traffic accidents, and exposure to extreme cold in certain regions.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-year-on-russias-war-on-ukraine-threatens-to-redraw-the-map-of-world-politics-and-2023-will-be-crucial-197682">A year on, Russia's war on Ukraine threatens to redraw the map of world politics – and 2023 will be crucial</a>
</strong>
</em>
</p>
<hr>
<p>But beyond infrastructure and industry, such attacks also target <a href="https://www.tandfonline.com/doi/full/10.1080/23738871.2020.1797136">social pressure points</a>: a state’s institutions, ideas and people. This makes them especially useful in attacking democracies, turning the open and free exchange of views into a potential vulnerability.</p>
<p>As the Vulkan leaks demonstrate, hostile governments have greater ambitions in cyberspace than being able to switch off the lights. They seek to be able to encourage us to question what we believe to be true, and pit us against one another. </p>
<p>Recognising that will be a crucial step in preventing the poisonous seeds of disinformation from taking root.</p>
<p class="fine-print"><em><span>Matthew Sussex has previously received funding from the Australian Research Council, the Carnegie Foundation, the Lowy Institute, and various Australian government agencies.</span></em></p>More than 5,000 documents were leaked by an anonymous whistleblower.Matthew Sussex, Fellow, Strategic and Defence Studies Centre, Australian National UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1943402022-11-10T04:10:09Z2022-11-10T04:10:09ZMedibank hackers are now releasing stolen data on the dark web. If you’re affected, here’s what you need to know<p>On October 13 one of Australia’s largest medical insurers, Medibank, announced it had suffered a cyberattack – one which has resulted in the breached personal details of 9.7 million <a href="https://www.abc.net.au/news/2022-11-09/medibank-data-release-dark-web-hackers/101632088">customers in Australia</a>. We now know the hackers, who are almost certainly Russian, demanded a ransom of US$9.7 million (about A$15 million) – or else they would leak the data on the dark web. </p>
<p>It’s believed the hackers are linked to the notorious <a href="https://www.sbs.com.au/news/article/who-is-revil-the-russia-backed-hacker-group-thought-to-be-behind-the-medibank-data-breach/b44xvb1ya">REvil cyber gang</a> which, according to Russian sources, was allegedly <a href="https://www.bbc.com/news/technology-59998925">dismantled and arrested</a> earlier this year.</p>
<p>The Medibank breach consists of an <a href="https://www.theguardian.com/australia-news/2022/oct/20/medibank-says-sample-of-stolen-customer-data-includes-details-of-medical-procedures">alleged 200GB of data</a> that contain personally identifiable information such as names, dates of birth, addresses, phone numbers, Medicare numbers, credit card details, and ID documents. Importantly, it also contains sensitive personal information about medical diagnoses and procedures covered by Medibank and <a href="https://ahm.com.au/about">ahm health insurance</a>.</p>
<p>Medibank did not have a <a href="https://www.theguardian.com/australia-news/2022/oct/28/medibank-cyber-attack-should-the-health-insurer-pay-a-ransom-for-its-customers-data">cyber insurance plan</a>, and so decided it would not pay the ransom. This choice is consistent with <a href="https://www.cyber.gov.au/ransomware">Australian government recommendations</a>.</p>
<p>The deadline to pay was around midnight on Tuesday. With no ransom received, the hackers kept their promise and the first batch of data was released in the early hours of Wednesday, November 9. </p>
<p>This breach comes with clear risks, and a lot of people will understandably be concerned. Here’s what to know if your data have been exposed, or are exposed in the coming days. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/medibank-wont-pay-hackers-ransom-is-it-the-right-choice-194162">Medibank won't pay hackers ransom. Is it the right choice?</a>
</strong>
</em>
</p>
<hr>
<h2>What has been leaked so far?</h2>
<p>Here’s what the hacker group divulged in the first batch of leaked data:</p>
<ul>
<li><p>screenshots of failed negotiations with Medibank</p></li>
<li><p>a list of Medibank employees, with their full names, work emails, details of the mobile phones and computers they use, as well as some home wifi names (which can be used to find a person’s home address)</p></li>
<li><p>the personally identifiable information (including what appear to be passport numbers) of more than 500,000 international students, either currently or formerly in Australia</p></li>
<li><p>the personally identifiable information (including what appear to be ID document numbers) of an additional 500,000 people</p></li>
<li><p>and the personal information (including addresses and phone numbers) of 200 people. Most concerningly, this includes details of medical diagnoses and procedures, and a <a href="https://www.abc.net.au/news/2022-11-09/medibank-yet-to-contact-customers-whose-data-has-been-leaked/101633598">“naughty list”</a> of 100 people singled out for having medical diagnoses of psychological disorders and drug addiction. </p></li>
</ul>
<p>On the following day, November 10, the hackers released an additional 300 records of personally identifying information on account holders who had abortions charged against their accounts. </p>
<h2>How might criminals use the stolen data?</h2>
<p>Blackmail, fraud, identity theft and targeted scams are the most obvious options for the hackers now in possession of Medibank customers’ data. </p>
<p>Personal information and information about medical treatments considered “controversial” – such as treatments related to sexual health, mental health, and addiction – could be used to blackmail victims, including high profile people and foreign nationals. </p>
<p>Foreign nationals may be particularly vulnerable if they have undergone procedures considered socially unacceptable – or even illegal – in their home country. This could even make it dangerous for them to return. </p>
<p>Personally identifying information, such as ID documents and contact details, may be used to impersonate victims in order to seize financial accounts, open lines of credit, or extort their friends and family for money.</p>
<p>Personal information can also be used to carry out targeted scams. For instance, cybercriminals may target data breach victims with highly personalised – and therefore highly believable – phishing attacks. </p>
<p>There are also data recovery scams, in which scammers contact victims and make the impossible claim that they can remove their data from the internet for a fee. </p>
<h2>What to do if you’re targeted</h2>
<p>We don’t yet know of every single individual who has been directly affected by this breach. Medibank will need to notify individual customers that have been affected, <a href="https://www.medibank.com.au/livebetter/newsroom/post/medibank-cybercrime-update8nov">and has said it will continue to do so</a>.</p>
<p>However, concerned customers can take some proactive steps, such as securing critical accounts and being aware of potential scams – as we describe above, and also as we described in relation to the <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus breach</a> previously. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide</a>
</strong>
</em>
</p>
<hr>
<p>While passports and driver’s licences <a href="https://www.abc.net.au/news/2022-09-30/how-do-i-replace-my-passport-drivers-licence-medicare-care-optus/101491414">can be replaced</a>, there’s no protection against your medical history being released to the public. Hackers may try to exploit this information in extortion scams. </p>
<p>If you are targeted for an extortion scam as a result of the leak, you should notify law enforcement immediately, either through <a href="https://www.cyber.gov.au/acsc/report">ReportCyber</a> or your local police office. Information that is already posted online cannot be hidden again, and these criminals cannot keep it secret for you, no matter what they promise. </p>
<p>If you receive a text or email from scammers related to your medical history, <em>do not reply</em> as it will only encourage them to harass you further.</p>
<h2>What do we expect to happen next?</h2>
<p>So far, the <a href="https://www.abc.net.au/news/2022-11-10/medibank-data-breach-latest/101637160">hackers have released</a> less than 1GB of the 200GB allegedly stolen, with already serious consequences for more than a million Australians. But this is just the tip of the iceberg. </p>
<p>The communications leaked by the hacking group suggest two things. First, they appear to still be trying to extort their US$9.7 million ransom from Medibank. This explains the trickling release of data, rather than all of it being leaked at once. </p>
<p>Second, they seem intent on releasing the data if Medibank does not pay. Their own stated reason for releasing the data is to market their “ransomware as a service” offerings to other cybercriminals. This is when an initial hacker first gains access to a company, and then hires a hacking group such as REvil to actually run the complicated ransomware scheme – a service made (in)famous by <a href="https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/">REvil</a>. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=233&fit=crop&dpr=1 600w, https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=233&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=233&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=293&fit=crop&dpr=1 754w, https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=293&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/494587/original/file-20221110-16841-ceobss.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=293&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Among the leaked data the hackers also posted screenshots of their ‘negotiations’ with Medibank.</span>
<span class="attribution"><span class="source">Screenshot</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>It seems unlikely Medibank will (or should) <a href="https://www.abc.net.au/news/2022-11-07/medibank-ceo-says-ransom-amount-irrelevant-10-million-hacked/101625012">pay the ransom</a>, and likely the unnamed ransomware gang will release the entire dataset to the public. </p>
<p>Should that happen, we may be facing an unprecedented exposure of personally identifiable information with potentially 9.7 million identity documents and credit card details stolen.</p>
<p>This possibility dwarfs even the worst case scenarios of the recent Optus breach, and will require an unprecedented effort to update and secure the identity documents and credit card details of those affected.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-are-there-so-many-data-breaches-a-growing-industry-of-criminals-is-brokering-in-stolen-data-193015">Why are there so many data breaches? A growing industry of criminals is brokering in stolen data</a>
</strong>
</em>
</p>
<hr>
<img src="https://counter.theconversation.com/content/194340/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>It’s reported the stolen data of more than one million Australians have already been leaked – and more is expected.Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie UniversityJennifer J. Williams, PhD Candidate, Macquarie UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1886772022-08-17T18:08:16Z2022-08-17T18:08:16ZBefore paying a ransom, hacked companies should consider their ethics and values<figure><img src="https://images.theconversation.com/files/479427/original/file-20220816-1877-maolbq.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C7360%2C4902&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Ransomware attacks are increasing in frequency.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure><iframe style="width: 100%; height: 100px; border: none; position: relative; z-index: 1;" allowtransparency="" allow="clipboard-read; clipboard-write" src="https://narrations.ad-auris.com/widget/the-conversation-canada/before-paying-a-ransom--hacked-companies-should-consider-their-ethics-and-values" width="100%" height="400"></iframe>
<p>The recent cyberattacks in August on <a href="https://www.itworldcanada.com/article/canadian-recreational-vehicle-maker-brp-ontario-cannabis-store-dealing-with-cyber-attacks/497252">Bombardier Recreational Products and the Ontario Cannabis Store</a> highlight the continuing scourge of cyber criminals and ransomware. </p>
<p>Ransomware is a piece of malware — malicious software — code that gets into an information system and blocks access to the computer or its files until the victim pays to obtain a key, or password. Ransomware was a term that did not enter the popular lexicon until about 10 years ago <a href="https://www.washingtontimes.com/news/2018/jan/31/ransomware-added-to-oxford-english-dictionary-in-l/">(and it was added to the Oxford English Dictionary in 2018)</a>. </p>
<p>It has now evolved, and in 2021, <a href="https://www.hsgac.senate.gov/imo/media/doc/HSGAC%20Majority%20Cryptocurrency%20Ransomware%20Report.pdf">there were 3,729 ransomware complaints registered, with losses of US$49.2 million in designated critical infrastructures alone</a>. The average ransomware payment climbed 82 per cent to hit a record US$570,000 in the first half of 2021.</p>
<p>And it’s only going to get worse. The FBI’s <a href="https://www.ic3.gov/">Internet Crime Complaint Centre</a> reported 2,084 ransomware complaints from January to July 31, 2021 – a 62% year-over-year increase.</p>
<p>For any organization, cyberattacks are not a matter of “if,” but “when”: A cyberattack is inevitable. This forces leaders to ask: Do we pay the ransom or not?</p>
<p>Roughly <a href="https://blog.knowbe4.com/ransomware-predicted-to-cost-20-billion-in-damages-globally-by-2021">half of all organizations opt to pay ransom</a>. But that also means that roughly half do not. What makes this an especially wicked problem is that there is no correct answer or clear structure. So the question becomes: Under what conditions should a ransom be paid? And what factors can help leaders make this decision?</p>
<h2>Blocking access</h2>
<p>There are four core actions that ransomware can execute, embodied in the acronym LEDS: Lock, Encrypt, Delete or Steal. Ransomware can lock, or prevent access to data or an information system, requiring a key to unlock. Similarly, it can allow access, but the data are gibberish as they have been encrypted in place, again requiring a decryption key to make legible. Data can be deleted in place (erased) or sold to the highest bidder. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="computer screen with the words SYSTEM HACKED displayed" src="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=413&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=413&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=413&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=519&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=519&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=519&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Ransomware removes or prevents access to companies’ data.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>What makes today’s ransomware attacks especially harmful and insidious is that they often deploy more than one of these effects.</p>
<p>Once malware is embedded in an organization’s system, <a href="https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/">the criminals contact the victim</a>, usually through an anonymous email, or through the malware itself (pop-up window) demanding immediate payment of a ransom in cryptocurrency, and typically threatening further harm. </p>
<p>Paying the ransom may lead to a decryption key being provided, which, when entered in the pop-up window, immediately unlocks the system and anything that has been encrypted.</p>
<h2>Considerations before payment</h2>
<p>There are two dimensions to be considered when deciding to pay a ransom: the business decision and the ethical one.</p>
<p>Law enforcement authorities, including <a href="https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware">the FBI</a> and <a href="https://www.rcmp-grc.gc.ca/en/prevent-ransomware">the RCMP</a>, adamantly advise against paying ransom, ever. They do so for two good reasons: first, it rewards and encourages criminal activity. Second, it may further endanger the organization when it becomes known in hacker circles that this is an organization willing to pay. </p>
<p>In other words, it may not make the crime go away and may make you even more of a target.</p>
<p>If the criminals are not a known terrorist organization, then payment of a ransom is not a crime. This might change, as some countries, notably the United States, are proposing enactment of Sanctions Compliance Laws criminalizing all cyber-ransom payments. It might be difficult to attribute the attack, which is why the hackers often identify themselves to their victims. </p>
<h2>An honest crime</h2>
<p>There is a compelling business case to be made for paying a ransom demand. The crime works because, if you will, it is an honest one. That is, <a href="https://www.proofpoint.com/us/resources/threat-reports/state-of-phish">70 per cent of the time</a>, paying a ransom will result in a valid decryption key being provided. </p>
<p>This makes sense. For criminals to profit from this endeavor, they must show good faith and deliver on their promise.</p>
<p>Criminals also know this. Targeted campaigns see attackers spending on average nearly six months inside a company’s network before deploying their ransomware. They do so to ensure that their malware has infected as many systems as possible, including backups; to identify and extract the items of greatest value; to ensure they do not leave traces; and to garner any business intelligence (such as incident response plans or insurance policies). This allows them to determine the maximum amount of ransom to demand.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="padlocks represented digitally, all are blue with the exception of a red one which is broken open" src="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For ransomware to be a lucrative endeavor for criminals, they have to release the data once they have received payment.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>This is the essence of the business case decision. Suppose, for example, that the cost of a ransom event is estimated to be $500,000 (based on the size of the database, time to recover, data validation upon recovery and other expenses). A ransom demand of $250,000 is clearly a better alternative because it is not only cheaper, but faster than the alternative. </p>
<p>Organizations can calculate the cost of various incidents and determine, in principle, their willingness to pay for each possible ransom scenario. This leads to the development of what is referred to as a ransomware payment matrix for the organization.</p>
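<p>As an added example (not the article’s own calculation), the following Python builds the kind of payment matrix described above from the article’s figures: a $500,000 recovery estimate, a $250,000 demand and the 70 per cent rate at which payment yields a working key. The expected-cost model, the policy-veto flag and the scenario names are assumptions.</p>

```python
"""Ransomware payment matrix: expected-cost view of pay vs. refuse per scenario.

Constructed example, not the article's own method. The numbers in the first
scenario are the article's ($500,000 recovery estimate, $250,000 demand,
70 per cent key-delivery rate); the expected-cost model is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of the matrix: an incident type the organisation has costed."""
    name: str
    recovery_cost: float       # cost to recover without a key (restore, validate, downtime)
    ransom_demand: float       # what the criminals ask for
    key_success: float = 0.70  # share of payments that return a working key (article's figure)
    policy_veto: bool = False  # True if the ethics / code-of-conduct review forbids paying


def expected_cost_if_paid(s: Scenario) -> float:
    """The ransom is always spent; with probability (1 - key_success) the key
    never arrives and the full recovery cost is incurred on top of it."""
    return round(s.ransom_demand + (1.0 - s.key_success) * s.recovery_cost, 2)


def expected_cost_if_refused(s: Scenario) -> float:
    """Refusing means bearing the estimated recovery cost in full."""
    return round(s.recovery_cost, 2)


def break_even_ransom(s: Scenario) -> float:
    """Largest demand at which paying is still cheaper in expectation:
    solve ransom + (1 - p) * R = R, giving ransom = p * R."""
    return round(s.key_success * s.recovery_cost, 2)


def decide(s: Scenario) -> str:
    """Business case first, then the moral dimension: a policy veto overrides
    a 'pay' result, mirroring the article's two separate decisions."""
    pay = expected_cost_if_paid(s)
    refuse = expected_cost_if_refused(s)
    if pay >= refuse:
        return "refuse (recovery is cheaper in expectation)"
    if s.policy_veto:
        return "refuse (policy veto despite business case)"
    return "pay (business case)"


def payment_matrix(scenarios):
    """Build the per-scenario table the article calls a ransomware payment matrix."""
    return [
        {
            "scenario": s.name,
            "pay": expected_cost_if_paid(s),
            "refuse": expected_cost_if_refused(s),
            "break_even_ransom": break_even_ransom(s),
            "decision": decide(s),
        }
        for s in scenarios
    ]


# Constructed scenarios; the first uses the article's numbers.
SCENARIOS = [
    Scenario("customer database encrypted", 500_000, 250_000),
    Scenario("small file server, cheap restore", 200_000, 180_000),
    Scenario("customer database encrypted, ethics veto", 500_000, 250_000, policy_veto=True),
]

if __name__ == "__main__":
    for row in payment_matrix(SCENARIOS):
        print(row)
```

Note that the article’s $250,000 demand only looks "clearly better" because it sits below the $350,000 break-even implied by the 70 per cent key-delivery rate; a higher demand or a lower success rate flips the business case.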
<h2>Moral dimensions</h2>
<p>However, there is also a moral, or ethical dimension to this decision. Payments to criminals might not be consistent with the organization’s core values, culture or code of ethics. Even if they are, this might not sit well with the company’s employees, clients and other stakeholders. </p>
<p>There are many frameworks and theories dealing with ethics in the workplace, and leaders need to avail themselves of one or more. This will help them make a decision regarding paying a ransom because, while it may make great business sense to pay a ransom, it may not be the right thing to do for the organization. </p>
<p>Instead, the organization may choose to invest funds that would otherwise go to ransom payments into training, cyber-protection and upgrading and patching systems.</p>
<p>Whatever the decision, it is critical to explore all options well before any cyberattacks occur. This includes holding discussions with employees, customers and other stakeholders. It also includes insurers (who are increasingly loath to insure against ransomware events) and law enforcement authorities.</p>
<p>Accepting the inevitability of a cyberattack and thoroughly exploring different scenarios will have the dual effect of not only preparing for the attack, but allowing for a more effective response when it occurs.</p>
<p class="fine-print"><em><span>Michael Parent does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Cyberattacks demanding ransoms for the release of information are on the rise. To determine if they should pay, businesses need to think about how they would react in such a scenario.Michael Parent, Professor, Management Information Systems, Simon Fraser UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1875892022-08-08T12:21:01Z2022-08-08T12:21:01ZRise of precision agriculture exposes food system to new threats<figure><img src="https://images.theconversation.com/files/477469/original/file-20220803-13-8yd7pe.jpg?ixlib=rb-1.1.0&rect=0%2C4%2C3224%2C2234&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Agriculture is becoming increasingly dependent on technology.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/usdagov/50238208213">U.S. Department of Agriculture Photo by Lance Cheung</a></span></figcaption></figure><p>Farmers are <a href="https://ag.purdue.edu/commercialag/home/sub-articles/2021/03/adoption-of-precision-agriculture-technologies/">adopting precision agriculture</a>, using data collected by GPS, satellite imagery, internet-connected sensors and other technologies to farm more efficiently. While these practices could help increase crop yields and reduce costs, the technology behind the practices is creating opportunities for extremists, terrorists and adversarial governments to attack farming machinery, with the aim of disrupting food production.</p>
<p>Food producers around the world have been under increasing pressure, a problem <a href="https://www.nbcnews.com/news/world/russia-ukraine-war-grain-blockade-global-food-crisis-rcna25910">exacerbated by the war in Ukraine</a> and rising fuel and fertilizer costs. Farmers are trying to produce more food but with fewer resources, pushing the food production system <a href="https://www.washingtonpost.com/world/2021/12/15/global-food-crisis-pandemic/">toward its breaking point</a>.</p>
<p>In this environment, it’s understandable that many U.S. farmers are <a href="https://doi.org/10.1016/j.gfs.2016.07.005">turning to modern information technologies</a> to support decision-making and operations in managing crop production. These precision agriculture practices lead to more efficient use of land, water, fuel, fertilizer and pesticides so that farmers can grow more, reduce costs and <a href="https://www.ars.usda.gov/oc/utm/benefits-and-evolution-of-precision-agriculture/">minimize their impact on the environment</a>. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="rows of plants growing out of black plastic bags, some with metal poles and wires holding white plastic devices attached to the plants" src="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=407&fit=crop&dpr=1 600w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=407&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=407&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=511&fit=crop&dpr=1 754w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=511&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=511&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Precision agriculture can include sensors that monitor crops, such as these avocado plants.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:Avocado_plant_monitoring_Precision_Agriculture.png">Simple loquat/Wikimedia</a></span>
</figcaption>
</figure>
<p>As researchers in <a href="https://scholar.google.com/citations?hl=en&user=_VNMFmgAAAAJ&view_op=list_works&sortby=pubdate">cybersecurity</a> and <a href="https://scholar.google.com/citations?hl=en&user=CH2XK2wAAAAJ&view_op=list_works&sortby=pubdate">national security</a> at the <a href="https://www.unomaha.edu/ncite/index.php">National Counterterrorism Innovation, Technology, and Education Center</a>, we see cause for concern. The advent of precision farming comes at a time of significant upheaval in the global supply chain and as the number of foreign and domestic hackers with the ability to <a href="https://www.govtech.com/security/agriculture-industry-on-alert-after-string-of-cyber-attacks">exploit this technology</a> continues to grow.</p>
<h2>New opportunities for exploitation</h2>
<p>Cyberattacks against agricultural targets are not some far-off threat; they are already happening. For example, in 2021 a ransomware attack forced a fifth of the beef processing plants in the U.S. to shut down, with one company paying nearly $11 million to cybercriminals. REvil, a Russia-based group, <a href="https://investigatemidwest.org/2021/10/13/fbi-says-ransomware-attacks-on-food-and-agriculture-industry-are-increasing/">claimed responsibility for the attack</a>. </p>
<p>Similarly, a grain storage cooperative in Iowa was targeted by a Russian-speaking group called BlackMatter, which claimed to have <a href="https://www.reuters.com/technology/iowa-farm-services-company-reports-cybersecurity-incident-2021-09-20/">stolen data from the cooperative</a>. While previous attacks have targeted larger companies and cooperatives and aimed to extort the victims for money, individual farms could be at risk, too.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="three squat cylindrical structures with conical tops connected by a pipe stand in a row perpendicular to a cluster of narrower, taller vertical cylindrical structures topped by a catwalk" src="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=392&fit=crop&dpr=1 600w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=392&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=392&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=493&fit=crop&dpr=1 754w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=493&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=493&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This grain storage facility is run by New Cooperative, a farm cooperative in Iowa that was hit by a ransomware attack in 2021.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:NEW_Cooperative_facility_Knierim_Iowa_20211104.jpg">Jstuby/Wikimedia</a></span>
</figcaption>
</figure>
<p>The integration of technologies into farm equipment, from GPS-guided tractors to artificial intelligence, potentially increases the ability of hackers to attack this equipment. And though farmers might not be ideal targets for ransomware attacks, farms could be tempting targets for hackers with other motives, including terrorists.</p>
<p>For example, an attacker could look to exploit vulnerabilities within fertilizer application technologies, which could result in a farmer unwittingly applying too much or too little nitrogen fertilizer to a particular crop. A farmer could then end up with either a below-expected harvest, or a field that has been over fertilized, resulting in waste and long-term environmental ramifications.</p>
<h2>Slow to appreciate the threat</h2>
<p>Disruption to sensitive industries and infrastructure gives attackers higher returns for their efforts. This means that the increasing stress on the global food supply raises the stakes and creates a stronger motivation to disrupt the U.S. agriculture sector.</p>
<p>Unlike other critical industries such as <a href="https://www.aba.com/banking-topics/technology/cybersecurity">finance</a> and <a href="https://doi.org/10.3233/THC-161263">health care</a>, the farming industry has been slow to recognize cybersecurity risks and take steps to mitigate them. There are several possible reasons for this sluggishness. </p>
<p>One is that many farmers and agricultural providers haven’t viewed cybersecurity as a significant enough problem compared with other risks they face such as floods, fires and hail. A 2018 Department of Homeland Security <a href="https://www.cisa.gov/uscert/ncas/current-activity/2018/10/03/Cybersecurity-Threats-Precision-Agriculture">report</a> that surveyed precision agriculture farmers throughout the U.S. found that many did not fully understand the cyberthreats introduced by precision agriculture, nor did they take these cyber-risks seriously enough.</p>
<p>A related reason is limited oversight and regulation from government. In 2010, the U.S. Department of Agriculture classified cybersecurity as a low priority. <a href="https://isalliance.org/sectors/agriculture/">While this classification was upgraded in 2015</a>, the farming sector is likely to be playing catch-up for years. Other critical infrastructure industries have developed and published numerous <a href="https://doi.org/10.1016/j.diin.2017.07.006">countermeasures</a> and <a href="https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss">best practices</a> for cybersecurity; the same cannot be said for the farming sector. </p>
<p>The Biden administration has indicated that it is willing to <a href="https://www.wsj.com/video/events/agriculture-secretary-tom-vilsack-on-food-farming-and-climate-change/3D9C4481-4197-4672-B263-D0483DC007E3.html">help farmers take steps to protect their cyber infrastructure</a>, but as of this writing it has not released public guidelines to assist with this effort. </p>
<h2>All-hands approach</h2>
<p>In addition to the pressing need for policy guidance and resources from federal, state and local governments to prevent this type of cyberattack, there is room for academia and industry to step up. </p>
<p>From an academic research perspective, multidisciplinary efforts that bring together researchers from precision agriculture, robotics, cybersecurity and political science can help identify potential solutions. To this end, we and researchers at the University of Nebraska-Lincoln have launched the <a href="https://www.unomaha.edu/news/2022/06/grispos-cybersecurity-testbed.php">Security Testbed for Agricultural Vehicles and Environments</a>. </p>
<p>Farming equipment manufacturers and other industry organizations can help by designing and engineering equipment to account for cybersecurity considerations. This would lead to the manufacture of farming equipment that not only maximizes food production yields but also minimizes exposure to cyberattacks.</p>
<p class="fine-print"><em><span>Austin C. Doctor receives funding from the Department of Homeland Security. </span></em></p><p class="fine-print"><em><span>George Grispos does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="summary">Bringing advanced technologies to the ancient practice of farming could help feed the world’s growing population, but it could also open the door for people looking to disrupt the global food system.</p>
<p class="byline">George Grispos, Assistant Professor of Cybersecurity, University of Nebraska Omaha; Austin C. Doctor, Assistant Professor of Political Science, University of Nebraska Omaha</p>
<p class="license">Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>South Africa needs stronger security in place to stop the sabotage of its power supply</h1>
<p class="meta">tag:theconversation.com,2011:article/187889 (published 2022-08-03T16:03:47Z, updated 2022-08-03T16:03:47Z)</p>
<figure><img src="https://images.theconversation.com/files/477200/original/file-20220802-14-80pssz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">EFE-EPA/Kim Ludbrook</span></span></figcaption></figure><p>South African president Cyril Ramaphosa recently <a href="https://www.thepresidency.gov.za/speeches/address-president-cyril-ramaphosa-actions-address-electricity-crisis%2C-union-buildings%2C-tshwane">outlined</a> plans to solve the country’s devastating electricity supply crisis. But he didn’t mention the country’s ability to protect its energy infrastructure as a prerequisite to any solution.</p>
<p>South Africa has had power cuts <a href="https://www.aljazeera.com/news/2022/7/1/power-cuts-in-south-africa-what-you-need-to-now">since 2007</a> when Eskom, the power utility, began failing to meet demand. This got worse every year. The power utility is struggling to keep its <a href="https://www.power-technology.com/news/eskom-coal-power/">aged coal-fired power stations</a> running after many years of poor maintenance. It is also <a href="https://www.esi-africa.com/industry-sectors/asset-maintenance/generating-capacity-woes-continues-to-bedevil-eskom/">struggling</a> to get its two new power stations to operate at full capacity.</p>
<p>Explaining some of the recent power cuts, Ramaphosa said that some of the energy infrastructure had been <a href="https://www.enca.com/news/sas-power-stations-ramaphosa-says-theres-deliberate-sabotage">sabotaged</a>. </p>
<p>We flagged this in an earlier <a href="https://theconversation.com/hybrid-warfare-is-on-the-rise-globally-might-south-africas-eskom-be-its-latest-victim-173166">article</a>. We argued that Eskom was the target of hybrid warfare operations aimed at destabilising South Africa’s national power generation capability. </p>
<p>The question is whether the country has the necessary security capabilities to protect its energy infrastructure from such threats and risks. An assessment of the security capabilities also has to include a fit for purpose test of the legislation for the <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">protection of critical infrastructure</a>.</p>
<p>Enhanced intelligence capacities are required to detect, deter and neutralise threats such as sabotage, or subversion caused by rioting. More – and appropriately equipped – security forces are also needed to physically secure critical infrastructure. These could be privately or publicly funded.</p>
<p>Our view is that the country does not have what is required where and when it is needed. A comprehensive approach is needed – including managing security threats – to address its energy crisis. This requires collaboration between the state and private sector to implement the president’s long-term energy security vision. </p>
<h2>Hybrid attacks now common</h2>
<p>South Africa is not the only country whose energy infrastructure is facing security threats. There are <a href="https://www2.deloitte.com/za/en/insights/industry/public-sector/cyberattack-critical-infrastructure-cybersecurity.html">numerous examples</a> of attacks on critical infrastructure. These are typically <a href="https://ec.europa.eu/research-and-innovation/en/horizon-magazine/critical-infrastructures-under-daily-attack-erncip-head-georg-peter">cyber-related</a>. But physical attacks such as <a href="https://www.da.org.za/2021/11/eskom-infrastructure-sabotage-is-consistent-with-the-july-insurrectionists-modus-operandi">sabotage</a> also occur.</p>
<p>The <a href="https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry">Institute for Security Studies</a> argues that attacks on the critical infrastructure of developing countries, such as South Africa, could be “<a href="https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry">potentially devastating</a>”. South Africa’s national security vulnerabilities, combined with the security risks to a monolithic state owned entity with no backup, could exacerbate the country’s power supply insecurities. </p>
<p>Cyber attacks on Eskom’s critical infrastructure could lead to severe damage. The result could be corresponding losses of generation capacity and damage to the economy. </p>
<p>National security vulnerabilities can be reduced by state security capabilities that are equal to the task. A <a href="https://www.thepresidency.gov.za/content/report-expert-panel-july-2021-civil-unrest">Report of the Expert Panel</a> into <a href="https://www.bbc.com/news/world-africa-57818215">civil unrest</a> in the country in July 2021 revealed serious capacity problems within the state security sector. The sector is mandated to forewarn government, and to protect critical infrastructure and the public against <a href="https://journals.sas.ac.uk/amicus/article/view/1671">hybrid threats</a>. These include terrorism, subversion, sabotage, espionage and organised crime. </p>
<p>This weakness was also highlighted in the 2018 <a href="https://www.gov.za/sites/default/files/gcis_document/201903/high-level-review-panel-state-security-agency.pdf">High-Level Review Panel on the State Security Agency</a>. It concluded that the country’s <a href="https://nationalgovernment.co.za/units/view/42/state-security-agency-ssa">State Security Agency</a> had been</p>
<blockquote>
<p>compromised by factionalism, mismanagement and inefficiency.</p>
</blockquote>
<p>The agency is South Africa’s primary authority tasked with protecting the country against such hybrid threats. Yet it is in a state of disrepair. This calls for the country to focus efforts on (at least) the capability to secure Eskom against obvious national security threats. </p>
<h2>The importance of critical infrastructure</h2>
<p>The protection of South Africa’s energy infrastructure falls within the remit of the new <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">Critical Infrastructure Protection Act 8 of 2019</a>. Such infrastructure is crucial for the effective functioning of the economy, <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">national security</a> and public safety. </p>
<p>Critical infrastructure consists of national assets that are viewed as having strategic importance. South Africa has plenty of critical infrastructure spread across a territory of <a href="https://www.worlddata.info/africa/south-africa/index.php#:%7E:text=South%20Africa%20is%20a%20country,25th%20biggest%20in%20the%20world">about 1.219 million km²</a>. It includes the Eskom energy grid – <a href="https://www.eskom.co.za/wp-content/uploads/2021/08/TDP-Report-2019-2029_Final.pdf">power stations, sub-stations and transmission networks</a> – as well as dams, the banking system and oil storage. The sheer scale requires extensive security capabilities for physical protection and threat monitoring. </p>
<p>Beyond physically securing this infrastructure, the state also needs to have the ability to detect, deter and neutralise threat actors. These are classical counterintelligence prerogatives. Failure on this front makes the country vulnerable to destabilisation. </p>
<p>The <a href="https://www.thepresidency.gov.za/download/file/fid/2442">stretched nature</a> of the country’s security agencies was laid bare during the <a href="https://www.bbc.com/news/world-africa-57818215">violent riots</a> in July 2021. It is thus reasonable to question the capacity of the police, and other security agencies, to secure Eskom’s critical infrastructure and that of private power producers.</p>
<h2>Planning for security</h2>
<p>In our view, all planning to develop and diversify the national power grid and energy supply should include enough resources to protect them. This requires cooperative planning between Eskom and the South African security sector (both state and private).</p>
<p>The exact role of the South African National Defence Force in providing security for critical infrastructure remains unclear. The <a href="https://www.gov.za/sites/default/files/gcis_document/201503/act-102-1980.pdf">National Key Points Act 1980</a>, the <a href="https://www.gov.za/sites/default/files/gcis_document/201409/a42-020.pdf">Defence Act 2002</a> and the <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">Critical Infrastructure Protection Act 8 of 2019</a> are not explicit on the issue. </p>
<p>The protection of critical infrastructure has been assigned to the South African Police Service, with the defence force <a href="https://static.pmg.org.za/170512review.pdf">supporting it</a>. Given that the defence budget has been shrinking annually, the military will probably not be able to sustain this.</p>
<p>With the private sector playing an increased role in the energy sector, South Africa needs to develop dedicated private security capacities to protect its critical infrastructure. At the very least, it should adopt a mixed public-private security model akin to the police service’s <a href="https://cvwa.org.za/community-police-forum/">community policing</a> concept. </p>
<p>The president’s energy vision envisages a much larger private industrial capacity. If left unsecured, such capacity would be just as vulnerable to sabotage as the current Eskom infrastructure is. It is time the country took stock of its security requirements in the same way it has started being serious about its energy vulnerabilities. </p>
<p>There’s also the question of whether the penalties prescribed by law are fit to deter sabotage. </p>
<h2>What needs to happen</h2>
<p>The hybrid nature of <a href="https://www.da.org.za/2021/11/eskom-infrastructure-sabotage-is-consistent-with-the-july-insurrectionists-modus-operandi">threats to the country’s infrastructure</a> can only be solved by an integrated solution. That requires, firstly, clarity about mandates as well as state security capabilities. </p>
<p>Secondly, security sector capacity needs to be developed alongside critical infrastructure. Thirdly, legislation needs to increase existing sanctions in terms of fines and imprisonment.</p>
<p>Lastly, public-private security partnerships must be established to bolster the security of the country’s electricity infrastructure.</p>
<p class="fine-print"><em><span>Sascha-Dominik (Dov) Bachmann has received funding from the Australian Department of Defence for research regarding grey zone and information operations targeting Australia. Sascha Dov is a Research Fellow with The Security Institute for Governance and Leadership in Africa, Faculty of Military Science, Stellenbosch University. Sascha would like to thank Dr. Sasha-Lee Afrika for her insightful comments and assistance, particularly regarding the law.</span></em></p><p class="fine-print"><em><span>Dries Putter does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="summary">The hybrid nature of threats to South Africa’s energy infrastructure can only be solved by an integrated solution, including severe sanctions that should include fines and imprisonment.</p>
<p class="byline">Sascha-Dominik (Dov) Bachmann, Professor in Law and Co-Convener National Security Hub (University of Canberra) and Research Fellow (adjunct) - The Security Institute for Governance and Leadership in Africa, Faculty of Military Science, Stellenbosch University - NATO Fellow Asia-Pacific, University of Canberra; Dries Putter, Lecturer at the Faculty of Military Science / Affiliate Member, National Security Hub, University of Canberra and Researcher for Security Institute for Governance and Leadership in Africa (SIGLA), Stellenbosch University</p>
<p class="license">Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Your digital footprints are more than a privacy risk – they could help hackers infiltrate computer networks</h1>
<p class="meta">tag:theconversation.com,2011:article/177123 (published 2022-04-08T12:32:21Z, updated 2022-04-08T12:32:21Z)</p>
<figure><img src="https://images.theconversation.com/files/456703/original/file-20220406-10870-70z4p3.jpg?ixlib=rb-1.1.0&rect=17%2C0%2C1920%2C1195&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Your digital footprints can give hackers clues about you that they can use to trick you.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/47476117@N04/50705422738/">Ivan/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>When you use the internet, you leave behind a trail of data, a set of digital footprints. These include your social media activities, web browsing behavior, health information, travel patterns, location maps, information about your mobile device use, photos, audio and video. This data is collected, collated, stored and analyzed by various organizations, from the big social media companies to app makers to data brokers. As you might imagine, your digital footprints put your privacy at risk, but they also affect cybersecurity.</p>
<p>As a <a href="https://scholar.google.com/citations?user=pvxc54kAAAAJ&hl=en">cybersecurity researcher</a>, I track the threat posed by digital footprints on cybersecurity. Hackers are able to use personal information gathered online to suss out answers to security challenge questions like “in what city did you meet your spouse?” or to hone phishing attacks by posing as a colleague or work associate. When phishing attacks are successful, they give the attackers access to networks and systems the victims are authorized to use.</p>
<h2>Following footprints to better bait</h2>
<p>Phishing attacks have <a href="https://apwg.org/trendsreports/">doubled from early 2020</a>. The success of phishing attacks depends on how authentic the contents of messages appear to the recipient. All phishing attacks require certain information about the targeted people, and this information can be obtained from their digital footprints.</p>
<p>Hackers can use freely available <a href="https://osintframework.com/">open source intelligence</a> gathering tools to discover the digital footprints of their targets. An attacker can mine a target’s digital footprints, which can include audio and video, to extract information such as contacts, relationships, profession, career, likes, dislikes, interests, hobbies, travel and frequented locations.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/RVX8ZSAR4OY?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Your online activities may feel fleeting, but they leave traces.</span></figcaption>
</figure>
<p>They can then use this information to <a href="https://www.knowbe4.com/spear-phishing/#RealWorld">craft phishing messages</a> that look like legitimate messages from a trusted source. The attacker can deliver these personalized messages, known as <a href="https://www.mitnicksecurity.com/blog/spear-phishing-targeted-email-scams-what-you-need-to-know-about-this-hacking-technique">spear phishing emails</a>, to the victim, or impersonate the victim and target the victim’s colleagues, friends and family. Spear phishing attacks can fool even those who are trained to recognize phishing.</p>
<p>One of the most successful forms of phishing attacks has been <a href="https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise">business email compromise</a> attacks. In these attacks, the attackers pose as people with legitimate business relationships – colleagues, vendors and customers – to initiate fraudulent financial transactions.</p>
<p>A good example is the 2015 attack on <a href="https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/">Ubiquiti Networks Inc.</a> The attackers sent employees emails that appeared to come from top executives, requesting wire transfers. The result was $46.7 million in fraudulent transfers.</p>
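<p>The impersonation pattern described above (an executive’s name on a message that does not come from the executive’s mailbox, a Reply-To that quietly redirects answers elsewhere, or a sender domain one character off from the real one) can be checked mechanically at the mail gateway before a human ever reads the wire request. The following is an added example, not code from the article or from any company it mentions; the executive directory, the <code>example.com</code> domain, the names and the two sample messages are all constructed for illustration, and each heuristic reports a verifiable fact about the headers rather than a verdict of fraud.</p>

```python
import email
from email.utils import parseaddr
from typing import Dict, List

# Constructed inputs for the example. The directory would normally come from
# the HR system or directory service; the domain is an assumed placeholder.
COMPANY_DOMAIN = "example.com"
EXECUTIVES: Dict[str, str] = {
    "Alex Rivera": "arivera@example.com",  # hypothetical CEO
    "Jane Doe": "jdoe@example.com",        # hypothetical CFO
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _normalise(name: str) -> str:
    """Collapse case, dots and repeated whitespace so 'A. Rivera' ~ 'a rivera'."""
    return " ".join(name.lower().replace(".", " ").split())


def _edit_distance_leq1(a: str, b: str) -> bool:
    """True if a turns into b with at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is one character shorter: skip the first mismatch in b and compare tails
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def bec_indicators(raw_message: str) -> List[str]:
    """Return indicators of executive impersonation found in a message's headers.

    Each indicator is a fact about the headers, not proof of fraud:
      1. the From display name matches an executive, but the address is not
         that executive's mailbox;
      2. Reply-To points at a different domain than From, so replies leave
         the conversation the recipient believes they are in;
      3. the From domain is one edit away from the company domain (lookalike).
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings: List[str] = []

    for exec_name, exec_addr in EXECUTIVES.items():
        if _normalise(exec_name) in _normalise(from_name) and from_addr.lower() != exec_addr:
            findings.append(
                f"display name '{from_name}' matches {exec_name} but address is {from_addr}"
            )

    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}"
        )

    if from_domain and from_domain != COMPANY_DOMAIN and _edit_distance_leq1(from_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Alex Rivera <alex.rivera@examp1e.com>
Reply-To: Alex Rivera <a.rivera.ceo@mail-relay.example.net>
To: payables@example.com
Subject: Urgent wire transfer

Please process the attached wire today and keep this confidential.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jdoe@example.com>
To: payables@example.com
Subject: Q3 invoice batch

Batch attached for your review.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

<p>Run as a script, the constructed fraudulent message trips all three heuristics and the legitimate one trips none. The display-name rule is the one that matters most for this class of attack, because it does not depend on the attacker making a mistake with the domain: a message from a free webmail account with the CEO’s name on it is exactly what the Ubiquiti employees saw. In production the executive list should come from the directory service, and a match should route the message to a quarantine or a banner rather than silently dropping it, since executives do occasionally send from personal accounts.</p>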
<p>Access to the computer of a phishing victim can give the attacker access to the networks and systems of the victim’s employer and clients. For instance, an employee at retailer Target’s HVAC vendor <a href="https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/">fell victim to a phishing attack</a>. The attackers used that foothold to gain access to Target’s internal network, and then to its payment network. They infected the point-of-sale systems used by Target and stole data on some 40 million payment cards along with the personal information of up to 70 million customers.</p>
<h2>A big problem and what to do about it</h2>
<p>Computer security company <a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf">Trend Micro</a> found that 91% of attacks in which the attackers <a href="https://csrc.nist.gov/glossary/term/advanced_persistent_threat">gained undetected access to networks</a> and used that access over time started with phishing messages. <a href="https://www.verizon.com/business/en-gb/resources/reports/dbir/">Verizon’s Data Breach Investigations Report</a> found that 25% of all data breach incidents involved phishing. </p>
<p>Given the significant role played by phishing in cyberattacks, I believe it’s important for organizations to educate their employees and members about managing their digital footprints. This training should cover how to <a href="https://www.techjunkie.com/track-identity-internet/">find the extent of your digital footprints</a>, how to <a href="https://www.howtogeek.com/228828/7-ways-to-secure-your-web-browser-against-attacks/nternet">browse securely</a> and how to <a href="https://www.digitalgrads.com/social-media-footprint/">use social media responsibly</a>.</p>
<p>[<em>Over 150,000 readers rely on The Conversation’s newsletters to understand the world.</em> <a href="https://memberservices.theconversation.com/newsletters/?source=inline-150ksignup">Sign up today</a>.]</p><img src="https://counter.theconversation.com/content/177123/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Ravi Sen receives funding from Texas A&M University. He is affiliated with the Association of Information Systems (<a href="https://aisnet.org">https://aisnet.org</a>). </span></em></p>
One of a hacker’s most valuable tools is the phishing attack, and you might be unwittingly making the hacker’s job easier by leaving useful information about you online.
Ravi Sen, Associate Professor of Information and Operations Management, Texas A&M University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/180085 2022-04-05T12:49:51Z 2022-04-05T12:49:51Z
How Ukraine has defended itself against cyberattacks – lessons for the US
<figure><img src="https://images.theconversation.com/files/455884/original/file-20220401-58985-uqp83w.jpg?ixlib=rb-1.1.0&rect=0%2C9%2C6048%2C4001&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">As missiles rain down on Ukraine's telecommunications infrastructure, including Kyiv's TV tower, hackers have been attacking in cyberspace.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/graphic-content-topshot-a-fireman-runs-after-russian-news-photo/1238853231">Sergei Supinsky/AFP via Getty Images</a></span></figcaption></figure>
<p>In 2014, as Russia launched a proxy war in Eastern Ukraine and annexed Crimea, and in the years that followed, Russian hackers hammered Ukraine. The cyberattacks went so far as to knock out the power grid in parts of the country in 2015. Russian hackers stepped up their efforts against Ukraine in the run-up to the 2022 invasion, but with notably different results. Those differences hold lessons for U.S. national cyber defense.</p>
<p>I’m a <a href="https://cyber.fiu.edu/people/profiles/robpeacock.html">cybersecurity researcher</a> with a background as a political officer in the U.S. Embassy in Kyiv and working as an analyst in countries of the former Soviet Union. Over the last year, I led a <a href="https://www-origin.usaid.gov/sites/default/files/documents/USAID_UkraineCybersecurityChallenge_CaseStudy_final.pdf">USAID-funded program</a> in which Florida International University and Purdue University instructors trained more than 125 Ukrainian university cybersecurity faculty and more than 700 cybersecurity students. Many of the faculty are leading advisors to the government or consult with critical infrastructure organizations on cybersecurity. The program emphasized practical skills in using leading cybersecurity tools to defend simulated enterprise networks against real malware and other cybersecurity threats.</p>
<p>The invasion took place just weeks before the national cybersecurity competition was to be held for students from the program’s 14 participating universities. I believe that the training that the faculty and students received in protecting critical infrastructure helped reduce the impact of Russian cyberattacks. The most obvious sign of this resilience is the success Ukraine has had in <a href="https://www.washingtonpost.com/technology/2022/03/29/ukraine-internet-faq/">keeping its internet on</a> despite Russian <a href="https://therecord.media/meet-the-frontline-workers-keeping-the-internet-online-in-ukraine/">bombs</a>, sabotage and <a href="https://netblocks.org/reports/internet-disruptions-registered-as-russia-moves-in-on-ukraine-W80p4k8K">cyberattacks</a>. </p>
<h2>What this means for the U.S.</h2>
<p>On March 21, 2022, U.S. <a href="https://www.politico.com/news/2022/03/21/biden-russia-cyberattacks-00018942">President Joe Biden warned</a> the American public that Russia’s capability to launch cyberattacks is “fairly consequential and it’s coming.” As Deputy National Security Adviser Anne Neuberger explained, Biden’s warning was a call to prepare U.S. cyber defenses. </p>
<p>The concern in the White House over cyberattacks is shared by <a href="https://finance.yahoo.com/video/cyberattack-threat-no-one-prepared-133939345.html">cybersecurity practitioners</a>. The Ukrainian experience with Russian cyberattacks provides lessons for how institutions ranging from electric power plants to public schools can contribute to strengthening a nation’s cyber defenses. </p>
<p>National cyber defense starts with governments and organizations <a href="https://acuityrm.com/resources/whitepaper/the-real-and-present-threat-of-a-cyber-breach-demands-real-time-risk-management-2/">evaluating risks</a> and increasing their capacity to meet the latest cybersecurity threats. After President Biden’s warning, Neuberger <a href="https://www.npr.org/2022/03/21/1087903332/us-companies-russia-cyberattacks-ukraine-infrastructure">recommended that organizations take five steps</a>: adopt multifactor password authentication, keep software patches up-to-date, back up data, run drills and cooperate with government cybersecurity agencies. </p>
<h2>Access control</h2>
<p>Cyber defense begins with the entryways into a nation’s information networks. In Ukraine in recent years, hackers entered poorly protected networks by techniques as simple as guessing passwords or intercepting them as they were entered on insecure computers. </p>
<p>More sophisticated cyberattacks in Ukraine used social engineering techniques, including <a href="https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams">phishing emails</a> that tricked network users into revealing IDs and passwords. Clicking an unknown link can also open the door to tracking malware that can learn password information. </p>
<p>Neuberger’s recommendation for adopting <a href="https://www.cr-t.com/blog/why-multi-factor-authentication-is-way-better-than-just-passwords/">multifactor password authentication</a> recognizes that users will never be perfect. Even cybersecurity experts have made mistakes in their decisions to provide passwords or personal information on insecure or deceptive sites. The simple step of <a href="https://doi.org/10.1109/MSP.2011.144">authenticating a login</a> on an approved device limits the access a hacker can obtain from just gaining personal information. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/STI6vtKtHpU?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Multifactor authentication provides a major boost in network security.</span></figcaption>
</figure>
<h2>Software vulnerabilities</h2>
<p>The programmers who develop apps and networks are rewarded for improving performance and functionality. The problem is that even the best developers often overlook vulnerabilities as they add new code. For this reason, users should permit software updates, because updates are how developers patch weaknesses once they have been identified.</p>
<p>Prior to the invasion of Ukraine, Russian hackers identified a <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-057a">vulnerability</a> in Microsoft’s leading data management software. This was similar to a weakness in network software that allowed Russian hackers to unleash the <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya</a> malware on Ukrainian networks in 2017. The attack caused an estimated $10 billion in damage worldwide. </p>
<p>Just days before Russian tanks began crossing into Ukraine in February 2022, Russian hackers used a vulnerability in the market-leading data management software SQL to place on Ukrainian servers <a href="https://www.computerforensicsworld.com/what-is-wiper-ransomware/">“wiper” malware</a> that erases stored data. However, over the last five years Ukrainian institutions have significantly strengthened their cybersecurity. Most notably, Ukrainian organizations have shifted away from pirated enterprise software, and they integrated their information systems into the global cybersecurity community of technology firms and data protection agencies.</p>
<p>As a result, the Microsoft Threat Intelligence Center <a href="https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/">identified the new malware</a> as it began appearing on Ukrainian networks. The early warning allowed Microsoft to distribute a patch around the world to prevent the servers from being erased by this malware. </p>
<h2>Backing up data</h2>
<p>Ransomware attacks already frequently target <a href="https://www.beckershospitalreview.com/cybersecurity/meet-the-ransomware-gang-behind-235-attacks-on-us-hospitals-7-things-to-know.html">public and private organizations</a> in the U.S. The hackers lock out users from an institution’s data networks and demand payment to return access to them.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="the top left corner of a computer screen displaying text against a blank background" src="https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/455879/original/file-20220401-11604-sm5ak0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">In ransomware attacks, hackers hold an organization’s data hostage.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/laptop-displays-a-message-after-being-infected-by-a-news-photo/802363994">Rob Engelaar/ANP/AFP via Getty Images</a></span>
</figcaption>
</figure>
<p>Wiper malware used in the Russian cyberattacks on Ukraine operates in a similar manner to ransomware. However, <a href="https://www.securitymagazine.com/articles/97176-wiperware-pseudo-ransomware-used-in-ukraine-cyberattacks">pseudo ransomware</a> attacks permanently destroy an institution’s access to its data. </p>
<p>Backing up critical data is an important step in reducing the impact of wiper or ransomware attacks. Some private organizations have even taken to <a href="https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-cloud-security-basics.pdf">storing data on two separate cloud-based systems</a>. This reduces the chances that attacks could deprive an organization of the data it needs to continue operating.</p>
<h2>Drills and cooperation</h2>
<p>The last set of Neuberger’s recommendations is to continually conduct cybersecurity drills while maintaining cooperative relationships with federal cyber defense agencies. In the months leading up to Russia’s invasion, Ukrainian organizations benefited from <a href="https://www.ft.com/content/1fb2f592-4806-42fd-a6d5-735578651471">working closely with U.S. agencies</a> to bolster the cybersecurity of critical infrastructure. The agencies helped scan Ukrainian networks for malware and supported penetration tests that use hacker tools to look for vulnerabilities that can give hackers access to their systems. </p>
<p>Small and large organizations in the U.S. concerned about cyberattacks should seek a strong relationship with the <a href="https://www.ciodive.com/news/5-federal-agencies-with-a-role-in-ensuring-enterprise-cybersecurity/424557/">wide range</a> of federal agencies responsible for cybersecurity. <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Recent regulations</a> require firms to disclose information about cyberattacks on their networks. But organizations should turn to cybersecurity authorities before experiencing a cyberattack. </p>
<p>U.S. government agencies offer <a href="https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses">best practices</a> for training staff, including the use of tabletop and simulated attack exercises. As Ukrainians have learned, tomorrow’s cyberattacks can only be countered by preparing today.</p>
<p class="fine-print"><em><span>Robert Peacock receives funding from USAID to support overseas cybersecurity higher education.</span></em></p>
Russian hackers have been attacking Ukraine for years, but with help from US government agencies, businesses and universities, Ukraine’s cyber defenses have grown stronger.
Robert Peacock, Assistant Professor of Criminology and Criminal Justice, Florida International University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/180321 2022-03-30T06:06:56Z 2022-03-30T06:06:56Z
Budget 2022: $9.9 billion towards cyber security aims to make Australia a key ‘offensive’ cyber player
<figure><img src="https://images.theconversation.com/files/455177/original/file-20220330-5678-1asypig.jpeg?ixlib=rb-1.1.0&rect=166%2C137%2C4670%2C3082&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">MICK TSIKAS/AAP</span></span></figcaption></figure>
<p>In the 2022 federal budget, Treasurer Josh Frydenberg launched a range of vote-winning initiatives – one of which included a breathtaking A$9.9 billion for cyber security over ten years.</p>
<p>Bundled under the acronym REDSPICE (which stands for resilience, effects, defence, space, intelligence, cyber and enablers), the program is expected to help build Australia’s intelligence and defensive (and offensive) capabilities. </p>
<p>But what does this mean, where is the money coming from and just how <em>offensive</em> are we planning to be?</p>
<h2>What’s REDSPICE?</h2>
<p><a href="https://www.asd.gov.au/about/redspice">REDSPICE</a> is a program to grow and enhance the intelligence and cyber capabilities of the <a href="https://www.asd.gov.au/">Australian Signals Directorate</a> (ASD) — the chief agency responsible for foreign signals intelligence, cyber warfare and information security.</p>
<p>Headline figures include 1,900 new recruits and delivering three times more offensive capability within the ASD.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=350&fit=crop&dpr=1 600w, https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=350&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=350&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=440&fit=crop&dpr=1 754w, https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=440&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/455135/original/file-20220330-15-f5gtaz.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=440&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The REDSPICE program aims to bolster cyber capabilities across a range of areas.</span>
<span class="attribution"><span class="source">ASD website</span></span>
</figcaption>
</figure>
<p>A key <a href="https://www.minister.defence.gov.au/minister/peter-dutton/media-releases/budget-2022-23-delivers-record-investment-defence-and">justification given for the program</a> is, according to Defence Minister Peter Dutton, the “deteriorating strategic circumstances in our region” and “rapid military expansion, growing coercive behaviour and increased cyber attacks” from Australia’s adversaries.</p>
<p>This was also reinforced in a <a href="https://www.abc.net.au/news/2022-03-29/multi-billion-dollar-cybersecurity-federal-budget-package/100947938">pre-budget comment</a> from Dutton, who warned of China’s cyber warfare capability to launch “an unprecedented digital onslaught” against Australia.</p>
<h2>Potential outcomes</h2>
<p>The plans for the program will have effects beyond Canberra. They could see more <a href="https://www.zdnet.com/article/australian-budget-2022-delivers-au9-9-billion-for-spicy-cyber/">Australian technologies</a> being made available to our intelligence and defence partners overseas, as well as opportunities for increased data sharing (which is key to fighting against cyber threats).</p>
<p>Further investment in advanced artificial intelligence and machine learning will likely be used to detect attacks earlier than currently possible – potentially allowing <a href="https://www.threatintelligence.com/blog/automated-incident-response">automated responses</a> to cyber incidents.</p>
<p>Identifying previously “unseen” attacks is another significant challenge, and using advanced technologies to detect such incidents is essential for a strong defence.</p>
<p>Similarly, a doubling of “cyber-hunt activities” will see an increase in the analysts and automated systems actively looking for vulnerabilities in critical infrastructure. This is essential in protecting the services we depend on day-to-day.</p>
<p>A <a href="https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html">major attack</a> against our water, electricity, communications, health care or finance services could have devastating consequences – first for the most vulnerable among us, and subsequently for everyone. </p>
<p>All of these technologies will be of value in reducing the large number of threats and incidents seen on a daily basis, and prioritising certain threats so they may be better handled by limited human resources in agencies.</p>
<p>The program will reportedly ensure a distribution of key functions both nationally and internationally, with a focus on building resilience in the “critical capabilities” of the ASD’s operations.</p>
<h2>Some new money, but mostly old money</h2>
<p>A$10 billion sounds like a significant windfall for our defence and intelligence agencies. However, a closer look indicates the “new” money is perhaps only worth around A$589 million in the first four years.</p>
<p>The majority of the balance comes from <a href="https://www.canberratimes.com.au/story/7677022/khaki-cyber-budget-pledge-boosts-australias-ability-to-strike-back/">redirecting existing defence funding to the ASD</a>.</p>
<p>Also, since the funding is spread over a ten-year period, it will only realise a proportion of the intended outcomes in the next government’s term. In fact, only A$4.2 billion falls within the next four years. </p>
<p>Future governments can always revisit these funding commitments and decide to make changes.</p>
<h2>Is Australia ready to be an offensive cyber player?</h2>
<p>Offensive cyber is perhaps the inevitable consequence of the increasing levels of <a href="https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/">cyber threats around the globe</a>.</p>
<p>Not only have we seen global cyber crime increasing, but there is growing evidence of nations being willing to engage in <a href="https://www.rand.org/topics/cyber-warfare.html">cyber warfare</a>. Recently this has been illustrated through Russia’s cyber attacks against Ukraine.</p>
<p>Australia has had a publicly acknowledged cyber offensive capability for some time. This was even outlined in the government’s April 2016 <a href="https://www.homeaffairs.gov.au/cyber-security-subsite/files/PMC-Cyber-Strategy.pdf">cyber security strategy</a> (and this was just the first official <a href="https://theconversation.com/the-cyber-security-strategy-is-only-a-small-step-in-the-right-direction-58208">acknowledgement</a>). It’s likely Australia has had this capability for even longer.</p>
<p>Offensive cyber represents a significantly different approach to a purely defensive or reactive approach. Initiating an attack (or retaliating) is a dangerous endeavour which can have unpredictable consequences.</p>
<p>Launching a highly targeted attack from Australia is certainly possible, but with such attacks we often see <a href="https://www.nyulawglobal.org/globalex/Cyberwarfare_Collateral_Damages.html">consequential damage</a> that affects individuals and systems beyond the target. For example, the NotPetya malware, first identified in 2017, <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">rapidly moved outside of the target country</a> (Ukraine) and had significant financial impact around the world. </p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/as-russia-wages-cyber-war-against-ukraine-heres-how-australia-and-the-rest-of-the-world-could-suffer-collateral-damage-177909">As Russia wages cyber war against Ukraine, here's how Australia (and the rest of the world) could suffer collateral damage</a></strong></em></p>
<hr>
<p>In the 2016 strategy there was specific reference to the importance of legislative compliance: </p>
<blockquote>
<p>Any measure used by Australia in deterring and responding to malicious cyber activities would be consistent with our support for the international rules-based order and our obligations under international law.</p>
</blockquote>
<p>But this is largely absent from the (brief) REDSPICE blueprint. Also, because of the covert nature of the operations conducted by the ASD, we are effectively being asked to accept that Australia operates ethically in the absence of any recorded or published data on operations to date.</p>
<p>Although there have been limited reports of <a href="https://www.aspi.org.au/report/australias-offensive-cyber-capability">legitimate cyber engagements</a>, a <a href="https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:%22media/pressrel/4951827%22">2016 Address to Parliament</a> by then Prime Minister Malcolm Turnbull referred to offensive attacks conducted by Australia in relation to operations against Islamic State (in partnership with UK and US allies):</p>
<blockquote>
<p>While I won’t go into the details of these operations […] they are being used […] they are making a real difference in the military conflict […] all offensive cyber activities in support of the ADF and our allies are subject to the same Rules of Engagement which govern the use of our other military capabilities in Iraq and Syria […]</p>
</blockquote>
<h2>Will it make a difference?</h2>
<p>We all want Australia to be a safe place, so any investment in intelligence and cyber security will be welcomed by most people. That said, it’s worth remembering this battle can never really be won. </p>
<p>Cyber defence is a constant game of cat-and-mouse. One side builds a better weapon, the other builds a better defence, and so it goes. As long as our adversaries are prepared to invest in technologies to infiltrate and damage our critical infrastructure, we will have a continued need to invest in our defences.</p>
<p>The increased focus on offensive initiatives may give us (and our allies) the upper hand for a while, but the cyber world doesn’t stand still. And the pockets of some of our cyber adversaries are also very deep.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The funds are allocated across a ten-year period, with most of the money redirected from defence spending.
Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/179073 2022-03-28T12:36:09Z 2022-03-28T12:36:09Z
Local governments are attractive targets for hackers and are ill-prepared
<figure><img src="https://images.theconversation.com/files/454246/original/file-20220324-15-10z04q0.jpg?ixlib=rb-1.1.0&rect=0%2C7%2C5267%2C3587&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Hackers can disrupt local government services, like this library in Willmar, Texas. The town suffered a cyberattack in August 2019.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/CyberAttacksCities/55163b1884304986b53bc189883efb6f/photo">AP Photo/Tony Gutierrez</a></span></figcaption></figure>
<p>President Joe Biden on March 21, 2022, warned that <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/">Russian cyberattacks on U.S. targets are likely</a>, though the government has not identified a specific threat. Biden urged the private sector: “Harden your cyber defenses immediately.” </p>
<p>It is a costly fact of modern life that organizations from <a href="https://www.energy.gov/ceser/colonial-pipeline-cyber-incident">pipelines</a> and <a href="https://www.zdnet.com/article/ransomware-the-key-lesson-maersk-learned-from-battling-the-notpetya-attack/">shipping companies</a> to hospitals and any number of private companies are vulnerable to cyberattacks, and the threat of cyberattacks from Russia and other nations makes a bad situation worse. Individuals, too, <a href="https://theconversation.com/ukraine-conflict-brings-cybersecurity-risks-to-us-homes-businesses-177893">are at risk</a> from the current threat.</p>
<p>Local governments, like schools and hospitals, are particularly <a href="https://www.recordedfuture.com/state-local-government-ransomware-attacks/">enticing “soft targets</a>” – organizations that lack the resources to defend themselves against routine cyberattacks, let alone a lengthy cyber conflict. For those attacking such targets, the goal is not necessarily financial reward but disrupting society at the local level. </p>
<p>From issuing business licenses and building permits and collecting taxes to providing emergency services, clean water and waste disposal, the services provided by local governments entail an intimate and ongoing daily relationship with citizens and businesses alike. Disrupting their operations disrupts the heart of U.S. society by shaking confidence in local government and potentially endangering citizens. </p>
<h2>In the crosshairs</h2>
<p>Local governments have suffered <a href="https://theconversation.com/hackers-seek-ransoms-from-baltimore-and-communities-across-the-us-118089">successful cyberattacks</a> in recent years. These include attacks on targets ranging from <a href="https://www.nbcnews.com/news/us-news/hackers-have-taken-down-dozens-911-centers-why-it-so-n862206">911 call centers</a> to <a href="https://apnews.com/article/coronavirus-pandemic-technology-health-business-hacking-aecb37a35f3677e4f2cc62362a23defa">public school systems</a>. The consequences of a successful cyberattack against local government can be <a href="https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbinhood-mayor-jack-young-hackers">devastating</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="an ornate 19th-century building topped with a dome in a big city downtown" src="https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=405&fit=crop&dpr=1 600w, https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=405&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=405&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=509&fit=crop&dpr=1 754w, https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=509&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/454250/original/file-20220324-19-19c6cza.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=509&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A cyberattack on the city of Baltimore disrupted municipal services for weeks in 2019.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/BaltimoreVirusAttack/14bfabf1b4aa444895f0e69a99cb48a4/photo">AP Photo/Patrick Semansky</a></span>
</figcaption>
</figure>
<p>I and other researchers at the University of Maryland, Baltimore County have studied the cybersecurity preparedness of the United States’ <a href="https://www.governing.com/archive/number-of-governments-by-state.html">over 90,000 local government entities</a>. As part of our analysis, working with the <a href="https://icma.org/">International City/County Management Association</a>, we polled local government chief security officers about their cybersecurity preparedness. The <a href="https://www.wiley.com/en-us/Cybersecurity+and+Local+Government-p-9781119788287">results</a> are both expected and alarming.</p>
<p>Among other things, the survey revealed that nearly one-third of U.S. local governments <a href="https://doi.org/10.1111/puar.13028">would be unable to tell</a> if they were under attack in cyberspace. This is unsettling; nearly one-third of local governments that did know whether they were under attack reported being attacked hourly, and nearly half at least daily. </p>
<h2>Ill-equipped</h2>
<p>Lack of sound IT practices, let alone effective cybersecurity measures, can make successful cyberattacks even more debilitating. Almost half of U.S. local governments reported that their IT policies and procedures were not in line with industry best practices. </p>
<p>In many ways, local governments are <a href="https://theconversation.com/equifax-breach-is-a-reminder-of-societys-larger-cybersecurity-problems-84034">no different</a> from private companies in terms of the cybersecurity threats, vulnerabilities and management problems they face. In addition to those shared cybersecurity challenges, where local governments particularly struggle is in hiring and retaining the necessary numbers of qualified IT and cybersecurity staff with wages and workplace cultures that can compare with those of the private sector or federal government.</p>
<p>Additionally, unlike private companies, local governments by their nature are limited by the need to comply with state policies, the political considerations of elected officials and the usual perils of government bureaucracy such as balancing public safety with the community’s needs and corporate interests. Challenges like these can hamper effective preparation for, and responses to, cybersecurity problems – especially when it comes to funding. In addition, much of the technology local communities rely on, such as power and water distribution, is subject to the dictates of the private sector, which has its own set of sometimes competing interests. </p>
<p>Large local governments are better positioned to address cybersecurity concerns than smaller local governments. Unfortunately, like other soft targets in cyberspace, small local governments are much more constrained. This places them at greater risk of successful cyberattacks, including attacks that <a href="https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office">otherwise might have been prevented</a>. But the necessary, best-practice cybersecurity improvements that smaller cities and towns need often compete with the many other demands on a local community’s limited funds and staff attention.</p>
<h2>Getting the basics right</h2>
<p>Whether they are victimized by a war on the other side of the world, a hacktivist group promoting its <a href="https://www.theguardian.com/technology/2012/nov/22/anonymous-cyber-attacks-paypal-court">message</a> or a criminal group trying to extort payment, local governments in the U.S. are enticing targets. Artificial intelligence hacking tools and vulnerabilities introduced by the spread of smart devices and the growing interest in creating “<a href="https://www.nationalgeographic.org/article/smart-cities/">smart cities</a>” put local governments even more at risk.</p>
<p>There’s no quick or foolproof fix to eliminate all cybersecurity problems, but one of the most important steps local governments can take is clear: Implement basic cybersecurity. Emulating the National Institute of Standards and Technology’s <a href="https://www.nist.gov/cyberframework">national cybersecurity framework</a> or other industry-accepted best practices is a good start. </p>
<p>I believe government officials, especially at the local level, should develop and apply the necessary resources and innovative technologies and practices to manage their cybersecurity risks effectively. Otherwise, they should be prepared to face the technical, financial and political consequences of failing to do so.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem. He is the co-author of Cybersecurity and Local Governments (2022, Wiley).</span></em></p>
With Russia poised to launch cyberattacks on US targets, many local governments find themselves without the staff or resources to even recognize when they’re under attack.
Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/178414
2022-03-07T00:42:44Z
2022-03-07T00:42:44Z
Ukraine is recruiting an ‘IT army’ of cyber warriors. Here’s how Australia could make it legal to join
<figure><img src="https://images.theconversation.com/files/449977/original/file-20220304-17-15re78i.jpeg?ixlib=rb-1.1.0&rect=87%2C149%2C5780%2C3756&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>In response to the Russian <a href="https://theconversation.com/russia-is-using-an-onslaught-of-cyber-attacks-to-undermine-ukraines-defence-capabilities-177638">cyber attacks</a> that have accompanied its invasion of Ukraine, the Ukrainian government has begun recruiting what it calls an “<a href="https://www.zdnet.com/article/ukraine-is-building-an-it-army-of-volunteers-something-thats-never-been-tried-before/?ftag=TRE-03-10aaa6b&bhid=%7B%24external_id%7D&mid=%7B%24MESSAGE_ID%7D&cid=%7B%24contact_id%7D&eh=%7B%24CF_emailHash%7D">IT army</a>”.</p>
<p>Perhaps a more accurate term would be a “cyber militia”, given it will consist of civilian volunteers. In any case, it aims to repel Russian hackers’ attacks and launch cyber counterstrikes of its own. </p>
<p>Ukrainian Vice Prime Minister Mykhailo Fedorov, who is also the country’s digital transformation minister, has <a href="https://twitter.com/fedorovmykhailo/status/1497642156076511233">called on</a> “digital talents” to join the resistance effort.</p>
<p><a href="https://ncfacanada.org/ways-you-can-help-support-ukraine/">Reports suggest</a> more than 275,000 volunteers from around the world have already answered the call, although verifying an exact figure is impossible at the moment. </p>
<h2>A will to help – but are we allowed?</h2>
<p>Russia’s war on Ukraine is half a world away from Australia. But many Australians recognise the importance of helping Ukraine, on both humanitarian grounds and because of the wider geopolitical ramifications. </p>
<p>While countries such as the <a href="https://www.theguardian.com/world/2022/feb/27/ukraine-appeals-for-foreign-volunteers-to-join-fight-against-russia">United Kingdom</a>, <a href="https://www.washingtonpost.com/world/2022/03/01/ukraine-visa-volunteer-fighters-russia/">Canada</a> and <a href="https://www.washingtonpost.com/world/2022/03/01/ukraine-visa-volunteer-fighters-russia/">Denmark</a> have opened the door for their citizens to enlist in Ukraine’s international territorial defence legion, the Canberra government has so far <a href="https://www.news.com.au/world/australians-wanting-to-fight-in-ukraine-warned-against-being-a-liability/news-story/e07afc03defc57bb4f203ca83d92254d">advised Australians not to do so</a>.</p>
<p>But in an interconnected world, volunteers who are unwilling or unable to physically help Ukraine could potentially join its cyber militia. </p>
<p>However, there’s one snag as far as Australians are concerned: Australia’s criminal law makes it illegal to engage in many of the activities that might be required of members of a foreign-organised cyber militia. Put simply, “hacking” is a crime.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/russia-is-using-an-onslaught-of-cyber-attacks-to-undermine-ukraines-defence-capabilities-177638">Russia is using an onslaught of cyber attacks to undermine Ukraine's defence capabilities</a>
</strong>
</em>
</p>
<hr>
<h2>A proposed ‘cyber militia bill’</h2>
<p>The Australian government has not publicly expressed a view on whether Australians should be barred outright from joining Ukraine’s cyber fight.</p>
<p>One way the government could address this would be to introduce specific legislation aimed at creating legal safeguards for genuine members of a foreign state-run cyber militia, within a narrowly defined set of circumstances. </p>
<p>Such people would need protection from being held to have violated the hacking-related provisions of Australia’s criminal law. And they would also need legal safeguards against civil liability and against being extradited. </p>
<p>This protection should apply unless the person has acted in violation of international law. </p>
<p>Of course, such legislation would need to be carefully designed, and its implications rigorously considered.</p>
<h2>Policing the cyber army</h2>
<p>One problem with cyber attacks is the issue of attribution. It can be hard to identify who is responsible for the attack with the level of confidence required under international law. This means cyber attackers often have a crucial advantage over those seeking to defend against them. </p>
<p>“Non-state actors” such as hacker groups might be willing to attack targets that are off-limits for state agents, such as hospitals or other civilian infrastructure. This can cause conflicts to escalate dangerously.</p>
<p>Consequently, it is vital that any proposed legal protection for cyber combatants would be conditional on governmental oversight. In my proposal, this is achieved by the involvement of both the Australian government and that of the foreign power in direct control over the cyber militia. </p>
<p>More specifically, this means the Australian government should have the discretion to designate a specific country’s cyber militia (and not those of other countries) as being governed by the new rules.</p>
<p>I suggest the government should consider exercising that discretion where:</p>
<ol>
<li> a foreign state has established the cyber militia;</li>
<li> that foreign state has invited foreigners to join its cyber militia; and</li>
<li> that foreign state is under armed attack by another state.</li>
</ol>
<p>Only members of such a designated cyber militia would be protected. That ensures Australia can prescribe the situations in which it deems it acceptable for Australian citizens to engage in cyber warfare as part of a foreign cyber militia.</p>
<p>Further to this, participants should only enjoy legal safeguards where they have acted on specific orders issued by the foreign state in control of the militia. This is the second method of ensuring state control, and in the current situation, that control would be exercised by Ukraine. </p>
<p>Another important question is how to strike a balance between offensive and defensive activities. To minimise the risk of Australia being seen to violate international law, I propose that only “defensive activities” – such as measures safeguarding vital computer systems in Ukraine – would be legalised for Australian members of a foreign cyber militia, and these “defensive activities” should be defined very carefully. </p>
<h2>A necessary step, but not the only one</h2>
<p>Clearly, this proposal is a response to the current invasion of Ukraine, and the Russian cyber aggression that has accompanied it. But given future wars are also likely to be fought in cyber space, this proposal will also be more broadly relevant.</p>
<p>Sooner or later, Australia will have to reckon with the prospect of significant numbers of citizens becoming involved in foreign cyber warfare. And there’s truly no time like the present.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/fake-viral-footage-is-spreading-alongside-the-real-horror-in-ukraine-here-are-5-ways-to-spot-it-177921">Fake viral footage is spreading alongside the real horror in Ukraine. Here are 5 ways to spot it</a>
</strong>
</em>
</p>
<hr>
<p>A version of my proposal could usefully be adopted by any nation that wants to support the defence of Ukraine. But in the meantime, there are still things concerned Australians can do to help the Ukrainians. </p>
<p>Donations to carefully selected organisations are one option, but social media abounds with other possibilities too. One creative option is to counter Russian disinformation by posting verified information about the atrocities on any Russian site that allows user posts – such as restaurant reviews, for example. Such posts are very likely to be removed, but if posted in sufficient numbers they may reach some of the Russian people.</p>
<p class="fine-print"><em><span>Dan Jerker B. Svantesson does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
It’s illegal for Australians to answer Ukraine’s call to join its global cyber militia and defend against online Russian aggression. But the government could (carefully) legalise it if it wants to.
Dan Jerker B. Svantesson, Professor, Bond University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/177899
2022-03-01T13:44:30Z
2022-03-01T13:44:30Z
Intelligence, information warfare, cyber warfare, electronic warfare – what they are and how Russia is using them in Ukraine
<figure><img src="https://images.theconversation.com/files/449004/original/file-20220228-25-46ugq6.jpg?ixlib=rb-1.1.0&rect=3%2C0%2C1990%2C1448&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Russian forces have the capability to jam signals from satellites, affecting communications and navigation.</span> <span class="attribution"><a class="source" href="https://en.wikipedia.org/wiki/File:MAKS2015part6-51.jpg">Vitaly V. Kuzmin/Wikimedia</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA</a></span></figcaption></figure><p>Russia has one of the most capable and <a href="https://www.c4isrnet.com/artificial-intelligence/2021/05/24/a-warning-to-dod-russia-advances-quicker-than-expected-on-ai-battlefield-tech/">technological militaries</a> on the planet. They have advanced intelligence, information warfare, cyber warfare and electronic warfare capabilities. </p>
<p>Russia has used these technologies in recent years in combat <a href="https://www.thedefensepost.com/2018/05/01/russia-syria-electronic-warfare/">in Syria</a> and <a href="https://www.uawire.org/russia-tests-orbital-jamming-system-in-donbas">the Donbas region</a> in eastern Ukraine, and is using them in its current invasion of Ukraine.</p>
<p>The terms “intelligence,” “information,” “cyber” and “electronic” denote distinct but overlapping fields. As a <a href="https://scholar.google.com/citations?user=nNlgxmMAAAAJ&hl=en">cybersecurity professor of practice</a>, I can explain what they are and how Russia is using them in Ukraine.</p>
<h2>Intelligence and counterintelligence in the information age</h2>
<p>The role of intelligence is to gain insight about the enemy’s activity. The role of counterintelligence is to blind the enemy or distort his view. Automation in intelligence surveillance and reconnaissance – key functions of intelligence in warfare – has become a <a href="https://autoisr.dsigroup.org/">common practice for modern militaries</a>. </p>
<p>Intelligence services collect vast amounts of data from <a href="https://theconversation.com/technology-is-revolutionizing-how-intelligence-is-gathered-and-analyzed-and-opening-a-window-onto-russian-military-activity-around-ukraine-176446">open-source intelligence</a> (OSINT) – information collected from news, social media and other publicly available sources – as well as secret sources, and <a href="https://www.afcea.org/content/battling-malign-influence-open">use artificial intelligence to analyze the information</a>.</p>
<p>Russia has reportedly progressed <a href="https://www.c4isrnet.com/artificial-intelligence/2021/05/24/a-warning-to-dod-russia-advances-quicker-than-expected-on-ai-battlefield-tech/">faster at integrating AI in intelligence systems than the U.S. expected</a> them to. It’s impossible to know what information Russia has collected, but its access to OSINT, spy satellites, operatives in Ukraine, powerful computers and experienced analysts makes it likely that Russia has extensive intelligence about Ukraine’s military and political situation.</p>
<h2>Information and disinformation</h2>
<p>Information warfare is the battle waged in the news media and on social media to bolster popular support; persuade and induce the sympathy of potential allies; and simultaneously spread confusion, uncertainty and distrust in the enemy’s population.</p>
<p>Russia has used and is likely to continue to use cyber operations to subvert the Ukrainian government. For example, in the weeks leading up to both the 2014 and 2022 invasions, Ukrainian soldiers were <a href="https://www.politico.com/news/magazine/2022/02/15/10-days-inside-putins-invisible-war-with-ukraine-00008529">targeted with disinformation</a> designed to sow confusion and disorder in the event of an attack. </p>
<p>Russian messaging about <a href="https://www.reuters.com/world/europe/russia-says-it-prevented-border-breach-ukraine-kyiv-calls-it-fake-news-2022-02-21/">“liberating” portions of Ukraine</a> is the disinformation most likely aimed at an international audience, and I expect attempts to legitimize Russia’s actions will continue. </p>
<p>There is an ongoing contest to control the narrative about what is happening in Ukraine. Russia is <a href="https://www.politico.com/news/2022/02/24/social-media-platforms-russia-ukraine-disinformation-00011559">running an active disinformation campaign</a> and I expect it is using AI to find and generate content at a rapid rate. </p>
<p>Some information circulating on social media, like this video <a href="https://gizmodo.com/10-photos-and-videos-from-russias-invasion-of-ukraine-t-1848586587">purporting to show Russian bombers over Ukraine</a>, has been <a href="https://www.wwltv.com/article/news/verify/world-verify/fact-checking-more-viral-videos-from-russia-air-invasion-of-ukraine/536-1c1239bc-a5f9-4d01-9973-f589ebaea63f">proven to be fake</a>. This underscores <a href="https://apnews.com/article/russia-ukraine-technology-europe-media-social-media-123c7975a879b89b85c06877f1f12908">how difficult it is to be certain of the truth</a> with a high volume of fast-changing information in an emotionally charged, high-stakes situation like warfare.</p>
<h2>Cyber warfare</h2>
<p>Cyber warfare entails infiltrating and disrupting the enemy’s computer systems. This includes generating denial of service attacks to block access to websites, breaking into computer systems to steal or destroy data, and taking control of computer systems to disrupt critical infrastructure like power grids.</p>
<p>U.S. and U.K. intelligence agencies reported on Feb. 23, 2022 that hackers based in Russia had <a href="https://www.theguardian.com/world/2022/feb/23/russia-hacking-malware-cyberattack-virus-ukraine">unleashed a powerful new type of malware</a> against targets in Ukraine. The attacks appear to have been <a href="https://www.bloomberg.com/news/articles/2022-02-26/hackers-destroyed-data-at-key-ukraine-agency-before-invasion">targeted at Ukrainian government and telecommunications facilities</a>, including the Ministry of Internal Affairs, and involve the theft and destruction of data.</p>
<p>Russia’s invasion of Ukraine was preceded by <a href="https://www.npr.org/2022/01/19/1074172805/more-than-70-ukrainian-government-websites-have-been-defaced-in-cyber-attacks">several weeks of cyberattacks</a>, including <a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">an attack that posted a fake ransomware note and then destroyed data</a>. These attacks were part of a multi-year <a href="https://theconversation.com/russia-has-been-at-war-with-ukraine-for-years-in-cyberspace-176221">campaign of cyber warfare against Ukraine</a>, which included attacks on <a href="https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/">portions of the country’s power grid</a>. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Bc5mxd4O1SI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency, discusses Russian cyberattacks against Ukraine.</span></figcaption>
</figure>
<p>A rapid response team of cybersecurity experts in the European Union has <a href="https://www.bbc.com/news/technology-60484979">mobilized to assist Ukraine</a> in defending against cyberattacks by detecting when attacks are occurring. The Ukrainian government has also <a href="https://www.usnews.com/news/world/articles/2022-02-24/exclusive-ukraine-calls-on-hacker-underground-to-defend-against-russia">called on the Ukrainian hacker community</a> to help defend the country, by protecting computer systems that control critical infrastructure like the power grid.</p>
<h2>Electronic warfare</h2>
<p>Electronic warfare describes efforts to disrupt or misdirect the enemy’s electronic systems like radar and communications networks. It can include blocking radio signals, <a href="https://theconversation.com/experts-suggest-us-embassies-were-hit-with-high-power-microwaves-heres-how-the-weapons-work-151730">remotely destroying computer circuits</a> and <a href="https://www.thedrive.com/the-war-zone/13549/russia-may-be-testing-its-gps-spoofing-capabilities-around-the-black-sea">spoofing GPS signals</a> to disrupt navigation.</p>
<p>Russia has a long history of controlling the electromagnetic spectrum. Because of Russia’s <a href="https://defensionem.com/russian-electronic-warfare-systems/">advanced electronic warfare capabilities</a>, its force may be able to take down the internet and cell towers using a range of techniques. </p>
<p>Russia has used systems that <a href="https://www.uawire.org/russia-tests-orbital-jamming-system-in-donbas">interfere with the signal reception from satellites</a> in eastern Ukraine. These systems can be used to block communications and disrupt control of drones.</p>
<h2>Mastering new technologies</h2>
<p>The old game of spycraft has taken on new technologies, but I think it is useful to remember that the ability to win wars during revolutions in military affairs is generally determined by the <a href="https://doi.org/10.1017/CBO9780511817335">ability to integrate new technologies</a> into a country’s military and intelligence operations. </p>
<p>Though the Russian military has shown some interesting technological innovations in recent years, it’s not clear whether it has mastered this new way of conducting warfare.</p>
<p class="fine-print"><em><span>I am a Reservist in the U.S. Army.</span></em></p>
From jamming satellite signals to spreading disinformation, Russia’s military has sophisticated technologies it’s bringing to the battlefield in Ukraine.
Justin Pelletier, Professor of Practice of Computing Security, Rochester Institute of Technology
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/177909
2022-02-25T05:02:03Z
2022-02-25T05:02:03Z
As Russia wages cyber war against Ukraine, here’s how Australia (and the rest of the world) could suffer collateral damage
<figure><img src="https://images.theconversation.com/files/448466/original/file-20220225-25-17yxd19.jpeg?ixlib=rb-1.1.0&rect=35%2C0%2C5955%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Getty Images</span></span></figcaption></figure><p>The <a href="https://www.cyber.gov.au/acsc/view-all-content/alerts/australian-organisations-encouraged-urgently-adopt-enhanced-cyber-security-posture">Australian Cyber Security Centre</a> is asking organisations and businesses to be on high alert amid Russia’s cyber attack <a href="https://theconversation.com/russia-is-using-an-onslaught-of-cyber-attacks-to-undermine-ukraines-defence-capabilities-177638">bombardment of Ukraine</a>. </p>
<p>The United Kingdom’s National Cyber Security Centre issued a similar <a href="https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences">warning</a>, as have <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/02/18/ncsc-nz-releases-advisory-cyber-threats-related-russia-ukraine">New Zealand</a> and the United States <a href="https://www.cisa.gov/shields-up">Department of Homeland Security</a>.</p>
<p>The Australian Cyber Security Centre has said it is not aware of any specific direct threat to Australia, but that the country could be affected by “unintended disruption or uncontained malicious cyber activities”. </p>
<p>It wouldn’t be the first time a Russian cyber attack has caused serious collateral damage to nations that aren’t its intended target. </p>
<h2>Attacks so far</h2>
<p>Ukraine has suffered through a sustained digital assault from Russia over the past few weeks. One of the most penetrative attacks came on Wednesday, <a href="https://apnews.com/article/russia-ukraine-technology-business-europe-russia-9e9f9e9b52eaf53cf9d8ade0588b661b">cutting off access</a> to several Ukrainian government and banking websites – followed by more on Thursday. </p>
<p>These were distributed denial of service attacks, in which the perpetrator knocks targeted websites offline by flooding them with bot traffic.</p>
<p>Meanwhile, experts at the internet security company ESET <a href="https://www.reuters.com/world/europe/ukrainian-government-foreign-ministry-parliament-websites-down-2022-02-23/">identified</a> a malicious data-wiping malware called “HermeticWiper” circulating on hundreds of computers in Ukraine, Latvia and Lithuania – which they said may have been months in the making.</p>
<p>According <a href="https://www.theguardian.com/world/2022/feb/24/russia-unleashed-data-wiper-virus-on-ukraine-say-cyber-experts">to reports</a>, experts from software company Symantec found the malware had affected Ukrainian government contractors in Latvia and Lithuania and a Ukrainian bank.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/russia-is-using-an-onslaught-of-cyber-attacks-to-undermine-ukraines-defence-capabilities-177638">Russia is using an onslaught of cyber attacks to undermine Ukraine's defence capabilities</a>
</strong>
</em>
</p>
<hr>
<h2>How the impact will be felt</h2>
<p>Australia’s risk in the face of ongoing cyber attacks from Russia would almost certainly come in the form of a “spill over” effect. </p>
<p>For example, if a Ukrainian bank is targeted and goes offline, this would still impact Australians who use that bank to receive or send money to Ukraine. Attacks on banks are particularly alarming when you consider Ukraine’s dire need for <a href="https://www.politico.eu/article/eu-to-provide-emergency-financial-aid-to-ukraine/">financial aid and economic support</a> right now.</p>
<p>All global business conducted with, or through, the bank will be affected – and the impact could reach virtually anywhere in the world. Similarly, distributed denial of service attacks on Ukrainian news media would also have global ramifications, by limiting the exchange of crucial information. </p>
<p>Another concern is the potential for Russia to cut off gas supplies flowing through Ukraine to Europe, either directly or through a cyber-enabled attack (the <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">Colonial Pipeline</a> attack being a recent example). This also introduces significant market instability, resulting in shortages and driving up prices (including for <a href="https://theconversation.com/what-russias-war-means-for-australian-petrol-prices-2-10-a-litre-177719">Australia</a>).</p>
<p>Australian companies are a part of global supply chains. Many will have interests in Russia and/or Ukraine. Thus they will also have digital, and potentially even direct, network connections with them through a virtual private network – which allows users to establish a private network over a public internet connection (and which can be used to spread malware between connected devices).</p>
<p>Once a “wiper” malware – the likes of that currently circulating in Ukraine – gets enough footing, it can spread across countries within minutes. If an office in Canberra with a virtual private network connection based in Ukraine becomes compromised, it can allow the malware to jump countries.</p>
<p>The NotPetya malware attack in 2017 is a pertinent example. This “self-propagating” malware spread globally and caused billions of dollars’ worth of damage. It, too, was attributed to a Russian source by investigators, and traced back to the update mechanism for a tax-accounting software application used widely <a href="https://arstechnica.com/information-technology/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/">in Ukraine</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/three-ways-the-notpetya-cyberattack-is-more-complex-than-wannacry-80266">Three ways the 'NotPetya' cyberattack is more complex than WannaCry</a>
</strong>
</em>
</p>
<hr>
<h2>Leveraging the chaos</h2>
<p>Apart from malicious Russian state-sponsored cyber crime, the current mayhem unfolding in Ukraine provides opportunity for cyber criminals more generally, too. </p>
<p>It’s very difficult to attribute cyber crime. While experts can analyse code taken from malware, this is usually a slow and costly process. Cyber criminals the world over may want to take advantage of the chaos, and try to carry out attacks they may not otherwise get away with.</p>
<p>Among all the noise, and with so many Ukrainians (including cyber security professionals) either displaced or fleeing, the chances of being caught may be lower. Also, it is likely any major cyber affliction will be blamed on Russia – at least initially.</p>
<p>At the same time, we might see an increase in phishing and scam attempts as a result of the crisis. Opportunistic criminals use global narratives to add credibility to their scams. For instance, they may send phishing emails posing as a Ukrainian citizen desperate for emergency funds. </p>
<h2>How can businesses protect themselves?</h2>
<p>A critical step in a defensive posture for companies and organisations in Australia is to determine their exposure level. This means being acutely aware of any direct or indirect connection with Ukraine and Russia, and the online systems and supply chains these countries partake in.</p>
<p>Employers also have a duty of care to employees who may have loved ones or other connections in Ukraine, and may be more vulnerable to various forms of cyber attacks exploiting the current situation. </p>
<p>And of course, the most basic cyber security advice is once more relevant. That is, individuals, businesses and organisations must take special care to ensure <em>all</em> devices are up-to-date and have software patches installed. </p>
<p>The 2017 NotPetya attacks were, in part, successful because the malware exploited a vulnerability in Microsoft Windows – even though a patch to fix it was available at the time. But the massive number of devices that hadn’t been patched meant NotPetya could spread without constraint. </p>
<p>In the case of Ukraine, where <a href="https://outsourcingreview.org/software-piracy-why-you-shouldnt-get-scared-of-outsourcing-to-ukraine/">pirated software is common</a>, this issue is particularly prevalent. Complications with (or a lack of) proper software licensing means updates may not be accessed or installed.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>These days sophisticated malware can spread like wildfire, thanks to transnational businesses and organisations providing bridges across countries.Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1776382022-02-24T05:29:47Z2022-02-24T05:29:47ZRussia is using an onslaught of cyber attacks to undermine Ukraine’s defence capabilities<figure><img src="https://images.theconversation.com/files/448180/original/file-20220223-12782-zpaozk.jpeg?ixlib=rb-1.1.0&rect=27%2C26%2C994%2C656&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Getty Images</span></span></figcaption></figure><p>As Ukrainian cities come under air attack from Russian forces, the country has also suffered the latest blows in an ongoing campaign of cyber attacks. Several of Ukraine’s bank and government department websites crashed on Wednesday, <a href="https://www.bbc.com/news/technology-60500618">the BBC</a> reports. </p>
<p>The incident follows a similar attack <a href="https://www.bbc.com/news/world-europe-59992531">just over a week ago</a>, in which some 70 Ukrainian government websites crashed. Ukraine and the United States squarely blamed Russia. </p>
<p>With a full-scale <a href="https://www.aljazeera.com/news/2022/2/23/ukraine-declares-state-of-emergency-amid-fears-of-invasion-liveblog">invasion now evident</a>, Ukraine can expect to contend soon with more cyber attacks. These have the potential to cripple infrastructure, affecting water, electricity and telecommunication services – further debilitating Ukraine as it attempts to contend with Russian military aggression. </p>
<h2>A critical part of Russia’s operations</h2>
<p>Cyber attacks fall under the traditional attack categories of sabotage, espionage and subversion. </p>
<p>They can be carried out more rapidly than standard weapon attacks, and largely remove barriers of time and distance. Launching them is relatively cheap and simple, but defending against them is increasingly costly and difficult. </p>
<p>After Russia’s withdrawal from Georgia in 2008, President Vladimir Putin led an effort to <a href="https://www.nytimes.com/2022/01/27/world/europe/russia-military-putin-ukraine.html">modernise the Russian military</a> and incorporate cyber strategies. State-sanctioned cyber attacks have since been at the forefront of Russia’s warfare strategy. </p>
<p>The Russian Main Intelligence Directorate (GRU) typically orchestrates these attacks. They often involve using customised malware (malicious software) to target the hardware and software underpinning a target nation’s systems and infrastructure. </p>
<p>Among the <a href="https://www.cnbc.com/2022/02/23/cyberattack-hits-ukrainian-banks-and-government-websites.html">latest attacks</a> on Ukraine was a distributed denial of service (DDoS) attack. </p>
<p>According to Ukraine’s minister of digital transformation, Mykhailo Fedorov, several Ukrainian government and banking websites went offline as a result. DDoS attacks use bots to flood an online service, overwhelming it until it crashes, preventing access for legitimate users.</p>
<p>A destructive “data-wiping” software has also been found circulating on hundreds of computers in Ukraine, according to <a href="https://www.reuters.com/world/europe/ukrainian-government-foreign-ministry-parliament-websites-down-2022-02-23/">reports</a>, with suspicion falling on Russia.</p>
<p>On February 15, Ukraine’s cyber police said citizens were receiving fake text messages claiming ATMs had gone offline (although this wasn’t confirmed). Many citizens scrambled to withdraw money, which <a href="https://spravdi.gov.ua/en/cyberattacks-instead-of-tanks-ukraine-suffers-another-attack-in-cyberspace/">caused panic</a> and uncertainty. </p>
<h2>Ongoing onslaught</h2>
<p>In December 2015, the GRU targeted Ukraine’s industrial control systems networks with destructive malware. This caused power outages in the western Ivano-Frankivsk region. About 700,000 homes were left without power for about six hours.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/cyberattack-on-ukraine-grid-heres-how-it-worked-and-perhaps-why-it-was-done-52802">Cyberattack on Ukraine grid: here's how it worked and perhaps why it was done</a>
</strong>
</em>
</p>
<hr>
<p>This happened again in December 2016. Russia developed a custom malware called <a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-163A">CrashOverride</a> to target Ukraine’s power grid. An estimated one-fifth of Kiev’s total power capacity <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">was cut</a> for about an hour.</p>
<p>More recently, <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">US officials charged six Russian GRU officers</a> in 2020 for deploying the NotPetya ransomware. This ransomware affected computer networks worldwide, targeting hospitals and medical facilities in the United States, and costing more than US$1 billion in losses. </p>
<p>NotPetya was also used against Ukrainian government ministries, banks and energy companies, among other victims. The US Department of Justice called it “some of the world’s most destructive malware to date”. </p>
<p>Another <a href="https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/">Russia-sponsored attack</a> that began as early as January 2021 targeted Microsoft Exchange servers. The attack provided hackers access to email accounts and associated networks all over the world, including in Ukraine, the US and Australia. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=374&fit=crop&dpr=1 600w, https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=374&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=374&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=470&fit=crop&dpr=1 754w, https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=470&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/448202/original/file-20220224-25-11lc59b.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=470&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Russia’s 2008 invasion of Georgia was accompanied by a well-coordinated cyber attack run by state-sponsored hackers. These were primarily DDoS attacks that forced a number of Georgian government and commercial websites offline.</span>
<span class="attribution"><span class="source">Getty Images</span></span>
</figcaption>
</figure>
<h2>International cyber aid</h2>
<p>Ukraine faces serious risks right now. A major cyber attack could disrupt essential services and further undermine national security and sovereignty. </p>
<p>The support of cyber infrastructure has been recognised as an important aspect of international aid. <a href="https://www.reuters.com/world/six-eu-countries-send-experts-help-ukraine-deal-with-cyber-threats-2022-02-22/">Six European Union countries</a> (Lithuania, Netherlands, Poland, Estonia, Romania and Croatia) are sending cyber security experts to help Ukraine deal with these threats. </p>
<p>Australia has also committed to providing cyber security assistance to the Ukrainian government, through a bilateral Cyber Policy Dialogue. This will allow for exchanges of cyber threat perceptions, policies and strategies. Australia has also said it will provide <a href="https://www.abc.net.au/news/2022-02-21/ukraine-australia-cyberattack-russia-war-cybersecurity/100846870">cyber security training</a> for Ukrainian officials.</p>
<p>The international implications of the Russia-Ukraine situation have been noted. Last week New Zealand’s National Cyber Security Centre <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/02/18/ncsc-nz-releases-advisory-cyber-threats-related-russia-ukraine">released a General Security Advisory</a> encouraging organisations to prepare for cyber attacks as a flow-on effect of the crisis.</p>
<p>The advisory provides a list of resources for protection and strongly recommends that organisations assess their security preparedness against potential threats. </p>
<p>The Australian Cyber Security Centre has since issued <a href="https://www.abc.net.au/news/2022-02-23/cyber-agencies-warn-ukraine-cyber-attacks-from-russia/100855164">similar warnings</a>.</p>
<h2>Evading responsibility</h2>
<p>Historically, Russia has managed to evade much of the responsibility for cyber attacks. In conventional warfare, attribution is usually straightforward. But in cyberspace it is very complex, and can be time-consuming and costly.</p>
<p>It’s easy for a country to deny its involvement in a cyber attack (both Russia and China routinely do so). The Russian embassy in Canberra has also <a href="https://www.abc.net.au/news/2022-02-21/ukraine-australia-cyberattack-russia-war-cybersecurity/100846870">denied involvement</a> in the latest attacks against Ukraine. </p>
<p>One reason plausible deniability can usually be maintained is because cyber attacks can be launched from an unwitting host. For example, a victim’s compromised device (called a “zombie” device) can be used to continue a chain of attacks. </p>
<p>So while the operation may be run by the perpetrator’s command and control servers, tracing it back to them becomes difficult.</p>
<p class="fine-print"><em><span>Mamoun Alazab does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Further cyber exploitation of Ukraine could cause citizens immense distress at this critical moment.
Mamoun Alazab, Associate Professor, Charles Darwin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/167017 2022-02-23T13:36:55Z 2022-02-23T13:36:55Z
How AI is shaping the cybersecurity arms race
<figure><img src="https://images.theconversation.com/files/447353/original/file-20220218-45245-1hgu9fk.jpg?ixlib=rb-1.1.0&rect=51%2C0%2C5700%2C3771&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Defending against cyberattacks increasingly means looking for patterns in large amounts of data – a task AI was made for.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/artificial-intelligence-robot-control-futuristic-royalty-free-image/1328784596">Yuichiro Chino/Moment via Getty Images</a></span></figcaption></figure>
<p>The average business receives <a href="https://www.fortinet.com/blog/industry-trends/overcoming-the-challenges-of-rapid-and-effective-incident-response">10,000 alerts every day</a> from the various software tools it uses to monitor for intruders, malware and other threats. Cybersecurity staff often find themselves inundated with data they need to sort through to manage their cyber defenses.</p>
<p>The stakes are high. Cyberattacks are increasing and affect <a href="https://www.verizon.com/about/news/verizon-2021-data-breach-investigations-report">thousands of organizations</a> and <a href="https://www.cisa.gov/be-cyber-smart/facts">millions of people</a> in the U.S. alone.</p>
<p>These challenges underscore the need for better ways to stem the tide of cyber-breaches. Artificial intelligence is particularly well suited to finding patterns in huge amounts of data. As a researcher who <a href="https://scholar.google.com/citations?user=jdFquF4AAAAJ&hl=en">studies AI and cybersecurity</a>, I find that AI is emerging as a much-needed tool in the cybersecurity toolkit.</p>
<h2>Helping humans</h2>
<p>There are two main ways AI is bolstering cybersecurity. First, AI can help automate many tasks that a human analyst would often handle manually. These include automatically detecting unknown workstations, servers, code repositories and other hardware and software on a network. It can also determine how best to allocate security defenses. These are data-intensive tasks, and AI has the potential to sift through terabytes of data much more efficiently and effectively than a human could ever do. </p>
<p>Second, AI can help detect patterns within large quantities of data that human analysts can’t see. For example, AI could detect the key linguistic patterns of hackers posting emerging threats in the <a href="https://theconversation.com/illuminating-the-dark-web-105542">dark web</a> and alert analysts.</p>
<p>More specifically, AI-enabled analytics can help discern the jargon and code words hackers develop to refer to their new tools, techniques and procedures. One example is using the name Mirai to mean botnet. Hackers developed the term to hide the botnet topic from law enforcement and cyberthreat intelligence professionals.</p>
<p>AI has already seen some early successes in cybersecurity. Increasingly, companies such as FireEye, Microsoft and Google are developing innovative AI approaches to detect malware, stymie phishing campaigns and monitor the spread of disinformation. One notable success is <a href="https://news.microsoft.com/cyber-signals/">Microsoft’s Cyber Signals</a> program that uses AI to analyze 24 trillion security signals, 40 nation-state groups and 140 hacker groups to produce cyberthreat intelligence for C-level executives. </p>
<p>Federal funding agencies such as the Department of Defense and the National Science Foundation recognize the potential of AI for cybersecurity and have invested tens of millions of dollars to develop advanced AI tools for extracting insights from data generated from the dark web and open-source software platforms such as <a href="https://github.com/">GitHub</a>, a global software development code repository where hackers, too, can share code.</p>
<h2>Downsides of AI</h2>
<p>Despite the significant benefits of AI for cybersecurity, cybersecurity professionals have questions and concerns about AI’s role. Companies might be thinking about replacing their human analysts with AI systems, but might be worried about how much they can trust automated systems. It’s also not clear whether and how the well-documented AI <a href="https://theconversation.com/ftc-warns-the-ai-industry-dont-discriminate-or-else-159622">problems of bias, fairness, transparency and ethics</a> will emerge in AI-based cybersecurity systems.</p>
<p>Also, AI is useful not only for cybersecurity professionals trying to turn the tide against cyberattacks, but also for malicious hackers. Attackers are using methods like reinforcement learning and <a href="https://developers.google.com/machine-learning/gan">generative adversarial networks</a>, which generate new content or software based on limited examples, to produce new types of cyberattacks that can evade cyber defenses.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/XOxxPcy5Gr4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Just as AI can generate realistic-looking fake faces from photos of real people, the software can be used to create new forms of malware based on existing code.</span></figcaption>
</figure>
<p>Researchers and cybersecurity professionals are still learning all the ways malicious hackers are using AI. </p>
<h2>The road ahead</h2>
<p>Looking forward, there is significant room for growth for AI in cybersecurity. In particular, the predictions AI systems make based on the patterns they identify will help analysts respond to emerging threats. AI is an intriguing tool that could help stem the tide of cyberattacks and, with careful cultivation, could become a required tool for the next generation of cybersecurity professionals.</p>
<p>The current pace of innovation in AI, however, indicates that fully automated cyber battles between AI attackers and AI defenders are likely years away.</p>
<p class="fine-print"><em><span>Sagar Samtani works for Indiana University. </span></em></p>
Artificial intelligence is emerging as a key cybersecurity tool for both attackers and defenders.
Sagar Samtani, Assistant Professor of Operations and Decision Technologies, Indiana University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/177508 2022-02-21T23:20:57Z 2022-02-21T23:20:57Z
Ukraine crisis: Putin recognizes breakaway regions, Biden orders limited sanctions – 5 essential reads
<figure><img src="https://images.theconversation.com/files/447664/original/file-20220221-15-uhvxi7.jpeg?ixlib=rb-1.1.0&rect=6%2C0%2C2304%2C1445&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Russia's President Vladimir Putin, right, signed decrees recognizing the independence of the Donetsk and Lugansk People's Republics on February 21, 2022. </span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/search/2/image?family=editorial&phrase=Putin">Alexei Nikolsky/Russian Presidential Press and Information Office/TASS via Getty Images</a></span></figcaption></figure>
<p>Russian President Vladimir Putin, in <a href="https://www.washingtonpost.com/world/2022/02/21/russia-ukraine-updates/">a provocative address that could be construed as a pretext to war</a>, claimed on Feb. 21, 2022, that all of Ukraine belongs to Russia and formally recognized the independence of two breakaway regions in Ukraine that are largely controlled by Moscow-backed separatists. His government then <a href="https://www.nytimes.com/live/2022/02/21/world/ukraine-russia-putin-biden/moscow-orders-troops-to-ukraines-breakaway-regions-for-peacekeeping-functions">ordered troops</a> to those regions.</p>
<p>The U.S. and European countries were quick to respond, with <a href="https://www.washingtonpost.com/world/2022/02/21/russia-ukraine-updates/#link-NSM6BHMVH5E2TOF7HE5XXONOBA">the Biden Administration announcing</a> that it “will prohibit new investment, trade, and financing by U.S. persons to, from, or in” the two regions, known since 2014 as the Donetsk People’s Republic and Luhansk People’s Republic. The European Union’s executive branch leader, Ursula von der Leyen, condemned Putin’s action as a “blatant violation of international law.” And NATO chief Jens Stoltenberg said, “I condemn Russia’s decision to extend recognition to the self-proclaimed ‘Donetsk People’s Republic’ and ‘Luhansk People’s Republic.’”</p>
<p>To help readers understand the background of these developments, here are five stories The Conversation has published about the centuries-long bad blood between Ukraine and Russia, manifested in everything from religion to political ideology.</p>
<h2>1. Why Putin struggles to accept Ukrainian sovereignty</h2>
<p>Putin’s announcement that Russia would recognize the independence of the two Ukrainian territories is a reflection of his view that Ukraine is part of Russia’s once-great empire, which at one time ranged from current-day Poland to the Russian Far East. </p>
<p>The Russian president is not alone in that view. Two scholars, <a href="https://theconversation.com/profiles/jacob-lassin-1300277">Jacob Lassin</a> of Arizona State University and <a href="https://theconversation.com/profiles/emily-channell-justice-1300279">Emily Channell-Justice</a> of Harvard University, <a href="https://theconversation.com/why-putin-has-such-a-hard-time-accepting-ukrainian-sovereignty-174029">write that “for centuries, within the Russian Empire, Ukraine was known as ‘Malorossiya’ or ‘Little Russia.’</a> The use of this term strengthened the idea that Ukraine was a junior member of the empire.” </p>
<p>Czarist policies from the 18th century forward, write Lassin and Channell-Justice, “suppressed the use of the Ukrainian language and culture. The intention of these policies was to establish a dominant Russia and later strip Ukraine of an identity as an independent, sovereign nation.”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-putin-has-such-a-hard-time-accepting-ukrainian-sovereignty-174029">Why Putin has such a hard time accepting Ukrainian sovereignty</a>
</strong>
</em>
</p>
<hr>
<h2>2. The Soviet era added to resentment toward Russia</h2>
<p>Lassin and Channell-Justice also write about how <a href="https://theconversation.com/famine-subjugation-and-nuclear-fallout-how-soviet-experience-helped-sow-resentment-among-ukrainians-toward-russia-175500">the shared history of Ukraine and Russia has bred ill will</a> among Ukrainians towards Russia. </p>
<p>Among the many historical grievances: The Soviet Union’s collectivist plans helped wreck the once-famed Ukrainian agricultural sector, leading to a widespread famine in 1932 and 1933, known as the Holodomor. </p>
<p>“Research estimates that some 3 million to 4 million Ukrainians died of the famine, around 13% of the population, though the true figure is impossible to establish because of Soviet efforts to hide the famine and its toll,” write Lassin and Channell-Justice. Soviet leader Josef Stalin prevented Ukrainian farmers from traveling in search of food, and severely punished anyone who took produce from collective farms, which made the famine much worse for Ukrainians. “As such, some scholars call the famine a genocide,” they write.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/famine-subjugation-and-nuclear-fallout-how-soviet-experience-helped-sow-resentment-among-ukrainians-toward-russia-175500">Famine, subjugation and nuclear fallout: How Soviet experience helped sow resentment among Ukrainians toward Russia</a>
</strong>
</em>
</p>
<hr>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A woman and children, dressed for the cold weather and during the night, leave a piece of fruit at a monument." src="https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/447666/original/file-20220221-13-v0vxnz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">People visit a monument to Holodomor victims in Kyiv, Ukraine, in November 2021.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/people-visit-a-monument-to-holodomor-victims-during-a-news-photo/1236857843?adppopup=true">Photo by Maxym Marusenko/NurPhoto via Getty Images)</a></span>
</figcaption>
</figure>
<h2>3. Putin’s strategic pipelines</h2>
<p>After Putin’s announcement, the Biden Administration said it would <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/02/21/statement-by-press-secretary-jen-psaki-on-russian-announcement-on-eastern-ukraine/">impose economic sanctions</a> on those doing business in the eastern Ukraine provinces declared independent by Russia. Biden has also declared that “severe economic consequences” would follow a Russian invasion of Ukraine.</p>
<p>But it may be hard to get allied countries in Europe to go along with such sanctions, writes <a href="https://theconversation.com/profiles/ryan-haddad-1313544">Ryan Haddad of the University of Maryland</a>. The reason: <a href="https://theconversation.com/how-russia-hooked-europe-on-its-oil-and-gas-and-overcame-us-efforts-to-prevent-energy-dependence-on-moscow-174518">the dependence of many European countries on Russian energy</a>. </p>
<p>Russia has a long history of using energy to divide the U.S. and Europe, and Haddad writes that “Russian [natural] gas exports to Europe reached a record level in 2021. … Europe got a glimpse of the potential consequences of this dependence in December 2021, when Russia reduced its gas exports to Europe as the crisis involving Ukraine was heating up.”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-russia-hooked-europe-on-its-oil-and-gas-and-overcame-us-efforts-to-prevent-energy-dependence-on-moscow-174518">How Russia hooked Europe on its oil and gas – and overcame US efforts to prevent energy dependence on Moscow</a>
</strong>
</em>
</p>
<hr>
<h2>4. Russia has been at war with Ukraine for years – in cyberspace</h2>
<p>As the world awaits the possible start of war between Russia and Ukraine, scholar <a href="https://theconversation.com/profiles/maggie-smith-1312550">Maggie Smith at the United States Military Academy at West Point</a> says that <a href="https://theconversation.com/russia-has-been-at-war-with-ukraine-for-years-in-cyberspace-176221">Russia has been attacking Ukrainian government operations and infrastructure for years</a> via cyberspace. </p>
<p>“Russia has interfered in Ukrainian elections, targeted its power grid, defaced its government websites and spread disinformation,” writes Smith. “Strategically, Russian cyber operations are designed to undermine the Ukrainian government and private sector organizations. Tactically, the operations aim to influence, scare and subdue the population.”</p>
<p>All of those actions, writes Smith, “destabilize Ukraine’s political environment.”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/russia-has-been-at-war-with-ukraine-for-years-in-cyberspace-176221">Russia has been at war with Ukraine for years – in cyberspace</a>
</strong>
</em>
</p>
<hr>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Priests in long ornate robes bend in worship." src="https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/447668/original/file-20220221-16-8o341t.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Ukrainian Orthodox Church priests during a 2019 prayer service in Kyiv.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/priests-the-ukrainian-orthodox-church-during-the-prayer-news-photo/1158264411?adppopup=true">Photo by Maxym Marusenko/NurPhoto via Getty Images</a></span>
</figcaption>
</figure>
<h2>5. The conflict is also religious</h2>
<p>To understand the present, it helps to understand the past. The tensions between Russia and Ukraine are not just political in nature. <a href="https://theconversation.com/why-church-conflict-in-ukraine-reflects-historic-russian-ukrainian-tensions-175818">They’re also religious</a>, writes Arizona State University scholar <a href="https://theconversation.com/profiles/j-eugene-clay-1311417">J. Eugene Clay</a>.</p>
<p>“Two different Orthodox churches claim to be the one true Ukrainian Orthodox Church for the Ukrainian people,” writes Clay. “The two churches offer strikingly different visions of the relationship between the Ukrainian and the Russian peoples.” </p>
<p>The Ukrainian Orthodox Church – Moscow Patriarchate stresses “the powerful bonds that link the peoples of Ukraine and Russia.” The Orthodox Church of Ukraine, on the other hand, was formally recognized in January 2019 and is “the culmination of decades of efforts by Ukrainian believers who wanted their own national church, free from any foreign religious authority.” </p>
<p>The two churches, writes Clay, reflect a fundamental question: Are Ukrainians and Russians one people or two separate nations?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-church-conflict-in-ukraine-reflects-historic-russian-ukrainian-tensions-175818">Why church conflict in Ukraine reflects historic Russian-Ukrainian tensions</a>
</strong>
</em>
</p>
<hr>
Russia sent troops to two Moscow-allied breakaway regions in Ukraine, after President Vladimir Putin recognized the regions’ independence. Five stories provide background to the growing conflict.
Naomi Schalit, Senior Editor, Politics + Democracy, The Conversation US
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/176221 2022-02-07T13:19:47Z 2022-02-07T13:19:47Z
Russia has been at war with Ukraine for years – in cyberspace
<figure><img src="https://images.theconversation.com/files/444578/original/file-20220204-27-1lb4f9n.jpg?ixlib=rb-1.1.0&rect=0%2C7%2C2649%2C2256&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Russian President Vladimir Putin walks through a hall in the building housing Russia's GRU military intelligence service.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/RussiaPoisonedSpyGRU/66d4b73d747e49d597e5a5c4aab14e2e/photo?Query=GRU%20Dmitry%20Astakhov&mediaType=photo&sortBy=arrivaldatetime:desc&dateRange=Anytime&totalCount=1&currentItemNo=0">Dmitry Astakhov, Sputnik, Government Pool Photo via AP</a></span></figcaption></figure>
<p>The buildup of Russian forces along Belarus’ <a href="https://www.nytimes.com/2022/01/29/world/europe/russia-troops-belarus-border-ukraine.html">665-mile border</a> with Ukraine is a physical manifestation of Russia’s intense interest in the region. Russia <a href="https://carnegieeurope.eu/2017/03/15/revisiting-2014-annexation-of-crimea-pub-68423">annexed Crimea</a> in 2014, and now Russian President Vladimir Putin appears intent on pulling Ukraine under Russia’s influence and denying it a close relationship with the West. </p>
<p>But even as Russia engages in brinksmanship from snow-covered fields in Belarus to meeting rooms in Geneva, <a href="https://www.foreignaffairs.com/articles/russia-fsu/2022-01-28/how-russia-has-turned-ukraine-cyber-battlefield">Moscow is already at war</a> with Kyiv – cyberwar. Russia has been waging this fight since at least 2014. </p>
<p>In cyberspace, Russia has interfered in <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/foreign-interference-in-ukraine-s-election/">Ukrainian elections</a>, targeted its <a href="https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/">power grid</a>, <a href="https://www.pcmag.com/news/ukrainian-government-websites-defaced-amid-threat-of-russian-invasion">defaced</a> its government websites and spread <a href="https://www.state.gov/fact-vs-fiction-russian-disinformation-on-ukraine/">disinformation</a>. Strategically, Russian cyber operations are designed to undermine the Ukrainian government and private sector organizations. Tactically, the operations aim to influence, scare and subdue the population. They are also <a href="https://www.newyorker.com/news/dispatch/a-moment-of-excruciating-anticipation-in-kyiv">harbingers of invasion</a>.</p>
<p>As a <a href="https://scholar.google.com/citations?hl=en&user=mMlCZbgAAAAJ">cybersecurity and public policy researcher</a>, I believe that Russian cyber operations are likely to continue. These operations are likely to further <a href="https://www.thecipherbrief.com/column_article/a-new-path-to-cyber-conflict-with-russia">destabilize Ukraine’s political environment</a> – namely, its government, its institutions and the people and organizations that depend on them. </p>
<h2>National power in cyberspace</h2>
<p>To date, Russia has been aggressive in its attempts to undermine Ukrainian sovereignty. <a href="https://foreignpolicy.com/2019/08/02/russian-disinformation-distorted-reality-in-ukraine-americans-should-take-note-putin-mueller-elections-antisemitism/">Russian propaganda</a> has painted a war with Ukraine as one of liberation. Many <a href="https://foreignpolicy.com/2021/12/02/russia-ukraine-liberated/">false narratives</a> paint the Ukrainians as submissive and eager for reunification. Russia’s intent is to sow confusion, shape the public perception of the conflict and influence the <a href="https://www.worldatlas.com/articles/major-ethnic-groups-of-the-ukraine.html">ethnic Russian population</a> within Ukraine. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A smart phone screen showing text in Ukrainian, Russian and Polish" src="https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=405&fit=crop&dpr=1 600w, https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=405&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=405&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=509&fit=crop&dpr=1 754w, https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=509&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/444587/original/file-20220204-17-1ikrjgz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=509&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">On Jan. 14, 2022, hackers that the Ukrainian government identified as Russian took over Ukrainian government websites and posted threatening messages.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/in-this-photo-illustration-a-warning-message-in-ukrainian-news-photo/1237728779">Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images</a></span>
</figcaption>
</figure>
<p>Russia has artfully employed cyber operations to project national power, particularly through its GRU military intelligence service. The phrase “<a href="https://www.thelightningpress.com/the-instruments-of-national-power/">instruments of national power</a>” defines power as diplomatic, information, military and economic – all are mechanisms for influencing other countries or international organizations. Cyberspace is unique as a <a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_0ch1.pdf?ver=2018-11-27-160457-910">domain of warfare</a> because cyber operations can be used in the service of all four instruments of national power. </p>
<p>Diplomatically, Russia has tried to shape international norms in cyberspace by influencing discussions on cyberspace norms and behaviors. In 2018, Russia introduced a <a href="https://undocs.org/A/C.1/73/L.27/Rev.1">resolution to the United Nations</a> creating a working group with like-minded states to revisit and reinterpret the U.N.’s rule for cyberspace, emphasizing that a state’s sovereignty should extend into cyberspace. Some analysts argue that Russia’s true goal is to <a href="https://ccdcoe.org/incyder-articles/a-surprising-turn-of-events-un-creates-two-working-groups-on-cyberspace/#footnote_5_3341">legitimize its surveillance-state internet tactics</a> in the guise of state sovereignty. </p>
<p>Economically, the Russian <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">“NotPetya”</a> attack crippled international ports, paralyzed corporations, disrupted supply chains and effectively stalled the global economy – all with a single piece of code.</p>
<p>In the information environment, Russia is especially adept at <a href="https://cissar.com/research-reports-the-military-and-diplomatic-significance-of-russian-cyber-attacks/">influencing and manipulating information</a> to suit its strategic interests. For example, Russian efforts against the U.K. have targeted its relationship with NATO by using bots to spread false stories about British troops in Estonia during a <a href="https://www.thetimes.co.uk/article/troops-face-new-enemy-kremlins-fake-news-q0dbnfq79">NATO military exercise</a> in 2017. </p>
<p>Notably, Russia has a pattern of pairing information with military operations as tools of national power. During previous military conflicts in <a href="https://www.ausa.org/articles/russia-gives-lessons-electronic-warfare">eastern Ukraine</a>, the Russian military employed cyber capabilities to jam Ukrainian satellite, cellular and radio communications. </p>
<p>Overall, <a href="https://www.researchgate.net/publication/313252767_Russian_Military_Thinking_-_A_New_Generation_of_Warfare">Russia sees warfare as a continuum</a> that is ongoing with varying intensity across multiple fronts. Simply put, for Russia, war never stops and cyberspace is a key domain of its persistent conflict with Ukraine and the West. </p>
<h2>Probing the US, hammering Ukraine</h2>
<p>Russia has aimed its cyber operations at other nations, including the U.S. and Western European countries. Russia has targeted <a href="https://www.cisa.gov/uscert/ncas/alerts/TA18-074A">U.S. critical infrastructure</a> and <a href="https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/">supply chains</a>, and conducted <a href="https://theconversation.com/how-the-russian-government-used-disinformation-and-cyber-warfare-in-2016-election-an-ethical-hacker-explains-99989">disinformation campaigns</a>. U.S. officials are still investigating the extent of the recent <a href="https://www.rpc.senate.gov/policy-papers/the-solarwinds-cyberattack">SolarWinds</a> cyberattack, for example, but they have determined that the attack compromised federal agencies, courts, numerous private companies and state and local governments. The Russian activities are aimed at undermining U.S. domestic and national security, democratic institutions and even <a href="https://www.nytimes.com/2021/08/05/us/politics/covid-vaccines-russian-disinformation.html">public health efforts</a>. </p>
<p>But Russia is more <a href="https://mwi.usma.edu/striking-the-right-balance-how-russian-information-operations-in-the-baltic-states-should-inform-us-strategy-in-great-power-competition/">destructive</a> in its own backyard. Attacks on <a href="https://stratcomcoe.org/cuploads/pfiles/cyber_attacks_estonia.pdf">Estonia</a> and <a href="https://osce.usmission.gov/u-s-condemnation-of-russian-cyber-attack-on-georgia/">Georgia</a> illustrate how Russia can disrupt government functions and sow confusion as it prepares for military operations. </p>
<p>Most recently, Microsoft detected <a href="https://www.bleepingcomputer.com/news/security/microsoft-fake-ransomware-targets-ukraine-in-data-wiping-attacks/">data wiping malware</a> in Ukrainian government computer systems. Ukraine publicly <a href="https://thedigital.gov.ua/news/rosiya-mae-namir-zniziti-doviru-do-vladi-feykami-pro-vrazlivist-kritichnoi-informatsiynoi-infrastrukturi-ta-zliv-danikh-ukraintsiv">named Moscow as the perpetrator</a> and attributed the software designed to destroy data to Russian hackers. The presence of the malware marks an escalation of Russia’s current behavior toward Ukraine in cyberspace. The malware, if triggered, <a href="https://www.siliconrepublic.com/enterprise/ukraine-cyberattack-microsoft-malware-russia">would have destroyed</a> Ukrainian government records, disrupted online services and prevented the government from communicating with its citizens.</p>
<p>The ongoing aggression against Ukraine follows <a href="https://www.npr.org/sections/alltechconsidered/2015/04/28/402678116/report-to-aid-combat-russia-wages-cyberwar-against-ukraine">Russia’s pattern</a> of waging cyberwar while publicly threatening and preparing for a military invasion. In many ways, for Ukrainians, the prospect of war and anticipating invasion have become <a href="https://www.newyorker.com/news/dispatch/a-moment-of-excruciating-anticipation-in-kyiv">normalized</a>.</p>
<h2>Deadly consequences</h2>
<p>Website defacement and data loss are not the only concerns for Ukraine as Russia continues to mass troops and equipment along its borders. In the winter of 2015-2016, Russia demonstrated its ability to <a href="https://theconversation.com/cyberattack-on-ukraine-grid-heres-how-it-worked-and-perhaps-why-it-was-done-52802">hack Ukraine’s power grid</a> in a first-of-its-kind attack that cut off power to thousands of Ukrainians. <a href="https://www.climatestotravel.com/climate/ukraine">Temperatures in Kyiv</a> in the winter hover around freezing during the day and become dangerously cold at night. Any loss of power could be deadly.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C2908%2C1958&q=45&auto=format&w=1000&fit=clip"><img alt="a view of earth from space at night with scattered clouds and city lights below them" src="https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C2908%2C1958&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=404&fit=crop&dpr=1 600w, https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=404&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=404&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=508&fit=crop&dpr=1 754w, https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=508&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/444435/original/file-20220203-27-17uf9j1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=508&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Kyiv, Ukraine’s capital, is the bright spot at the top center of this photo taken from the International Space Station. Russia demonstrated its ability to knock out parts of Ukraine’s power grid in 2015.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/nasamarshall/6289116940">NASA</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span>
</figcaption>
</figure>
<p>Similarly, cyberattacks could disrupt Ukraine’s economy and communications infrastructure. An attack on the financial sector could prevent Ukrainians from withdrawing money or accessing their bank accounts. An attack on the communications infrastructure could cripple the Ukrainian military and limit the country’s ability to defend itself. Civilians would also lose their means of communications and with it the ability to organize evacuations and coordinate resistance. </p>
<p>Ultimately, Russia is likely to continue to use cyber-enabled sabotage against Ukraine. Russian cyber operations over the past eight years hold three lessons to support this. First, cyberattacks that have costly physical effects, like knocking out the power grid, are destabilizing and can be used to erode the will of the Ukrainian people and counter their lean toward economic, military and political alliances with Europe and NATO. Second, cyberattacks that have a physical effect put Russian cyber capabilities on display and demonstrate their superiority over Ukrainian defenses. And third, Russia has done it before.</p>
<p class="fine-print"><em><span>The author is an officer in the United States Army. The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.</span></em></p>Troop buildups and diplomatic negotiations highlight the threat of a major land war in Europe. In cyberspace, Russia has been attacking Ukrainian infrastructure and government operations for years.Maggie Smith, Assistant Professor of Public Policy, United States Military Academy West PointLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1754552022-02-07T12:46:01Z2022-02-07T12:46:01ZTrying to cool the Earth by dimming sunlight could be worse than global warming<figure><img src="https://images.theconversation.com/files/444524/original/file-20220204-13-ix3pik.jpg?ixlib=rb-1.1.0&rect=2%2C0%2C1595%2C1065&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Geoengineering aims to intervene in Earth's climate to fight global warming.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/nasa2explore/24609284564">NASAJohnson/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure><p>A group of 60 scientists called for a <a href="https://www.solargeoeng.org/">moratorium</a> on <a href="https://theconversation.com/why-you-need-to-get-involved-in-the-geoengineering-debate-now-85619">solar geoengineering</a> last month, including technologies such as <a href="https://www.geoengineeringmonitor.org/2021/02/stratospheric_aerosol_injection/">stratospheric aerosol injection</a> (SAI). This involves a fleet of aeroplanes releasing aerosol particles – which reflect sunlight back to outer space – into the atmosphere, cooling down the Earth. </p>
<p>SAI might make the sky <a href="https://www.scientificamerican.com/article/geoengineering-could-turn-skies-white/">slightly whiter</a>. But this is the least of our concerns. SAI could pose grave dangers, potentially worse than the warming it seeks to remedy. To understand the risks, we’ve undertaken a <a href="https://www.frontiersin.org/articles/10.3389/fclim.2021.720312/full">risk assessment</a> of this controversial technology. </p>
<p>A cooler Earth means less water would be evaporating from its surfaces into the atmosphere, changing <a href="https://www.carbonbrief.org/unregulated-solar-geoengineering-could-spark-droughts-and-hurricanes-study-warns">rainfall patterns</a>. This could produce ripple effects across the world’s ecosystems – but the exact nature of these <a href="https://phys.org/news/2021-04-sun-reflector-earth-scientists-explore.html">effects</a> depends on how SAI is used. Poor coordination of aerosol release could lead to extreme rainfall in some places and blistering drought in others, further triggering the spread of <a href="https://phys.org/news/2018-09-climate-disease-impacts.html">diseases</a>.</p>
<p>SAI could also make natural catastrophes worse than they currently are. A volcanic eruption, like that of Iceland’s <a href="https://ncas.ac.uk/eyjafjallajokull-2010-how-an-icelandic-volcano-eruption-closed-european-skies/">Eyjafjallajökull</a> volcano in 2010, could naturally cool the Earth as plumes of ash <a href="https://www.science.org/content/article/massive-volcanoes-could-cool-earth-more-warming-world">block sunlight</a> from reaching the planet’s surface. If this happened while SAI was deployed, it would have to be urgently <a href="https://www.tandfonline.com/doi/abs/10.1080/14693062.2019.1668347?journalCode=tcpo20">adjusted</a> (not an easy feat) to avoid overcooling one hemisphere and producing extreme weather patterns as a result.</p>
<p>Similarly, although <a href="https://thebulletin.org/2020/12/nuclear-risks-are-growing-and-theres-only-one-real-solution/">nuclear war</a> may seem unlikely, global nuclear capabilities continue to grow, and bad political decision-makers are in no short supply. A “<a href="https://theconversation.com/even-a-minor-nuclear-war-would-be-an-ecological-disaster-felt-throughout-the-world-82288">nuclear winter</a>”, during which global temperatures drop for years due to soot clouds from nuclear-triggered fires, could be deepened by SAI.</p>
<h2>Termination shock</h2>
<p>SAI would likely rely on aerosols being consistently sprayed into the atmosphere by a fleet of aeroplanes, as the particles have a half life of approximately <a href="https://www.frontiersin.org/articles/10.3389/fclim.2021.720312/full">eight months</a>. Satellites would be needed to coordinate these efforts and help monitor any atmospheric changes.</p>
<p>Any disaster severe enough to permanently disable these systems could trigger a “<a href="https://keith.seas.harvard.edu/publications/risk-termination-shock-solar-geoengineering">termination shock</a>”. If an SAI system effectively “hiding” global warming were suddenly removed for an extended period, the Earth could heat up by multiple degrees in a matter of decades. If we’re already seeing fires, heatwaves, and flash floods <a href="https://theconversation.com/how-summer-2021-has-changed-our-understanding-of-extreme-weather-165268">across the world</a> with around <a href="https://theconversation.com/ipcc-says-earth-will-reach-temperature-rise-of-about-1-5-in-around-a-decade-but-limiting-any-global-warming-is-what-matters-most-165397">1.1°C of warming</a> since 1850, just imagine what warming of 3-4°C would do.</p>
<p>There are numerous ways in which an SAI system could be disrupted. An unprecedented explosion of solar matter, related to a <a href="https://theconversation.com/why-are-we-seeing-more-northern-lights-this-year-176309">solar flare</a>, could knock out the world’s <a href="https://astronomy.com/news/2021/06/extreme-space-weather-predicting-and-protecting-against-solar-storms">electrical systems</a> by smashing into the Earth’s magnetic field. This could <a href="https://www.cbsnews.com/news/geoengineering-treatment-stratospheric-aerosol-injection-climate-change-study-today-2018-11-23/">damage</a> the aviation and satellite systems needed for SAI. </p>
<p>Hoping that catastrophes will simply not occur in the coming century would also be a mistake. One model estimating the likelihood of nuclear war between Russia and the US puts that probability at <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3155983">0.9% per year</a>. Estimates of large-scale <a href="https://theconversation.com/space-weather-is-difficult-to-predict-with-only-an-hour-to-prevent-disasters-on-earth-159895">space weather</a> events <a href="https://www.researchgate.net/figure/Empirical-and-fitted-Weibull-distributions-for-the-time-between-consecutive-geomagnetic_fig2_331238716">range</a> from 0.46% to 20.3% per year.</p>
<figure class="align-center ">
<img alt="An image of the sun with a solar flare" src="https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/444542/original/file-20220204-15-10hp3yn.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Unexpected solar activity could knock out SAI systems.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/gsfc/16086588490">NASA_Goddard/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>SAI could also be an attractive target for cyberattacks. In 2019, a group of hackers named DarkSide took the US oil company Colonial Pipeline <a href="https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/">hostage</a> by launching a ransomware attack on their computer systems. Fearing widespread fuel shortages across the US, operators were forced to pay £3.7 million to DarkSide in exchange for reactivating their systems. </p>
<p>And in 2000, the automated sewage system in the small coastal Australian region of Maroochy released hundreds of thousands of gallons of sewage into the sea. These “leaks” were actually caused by a single disgruntled <a href="https://medium.com/curious-minds/what-the-maroochy-incident-taught-us-about-cyber-warfare-4a1abd6abcfc">ex-employee</a> of the company that installed the system. An international infrastructural system masking global warming would attract more reasons for controversy, have a larger workforce than a local sewage system, and could likely fetch an even higher payoff. </p>
<h2>Political mess?</h2>
<p>Of course, it’s possible that SAI will end up being used responsibly. But if one thing goes sufficiently wrong – such as one unpredictable solar storm taking place – the hidden risks of SAI could be unleashed. Predictions of SAI’s average or “most likely” outcomes are generally fine. But although far less likely, SAI’s worst case scenarios could be calamitous.</p>
<p>If SAI is used sparingly to offset a <a href="https://phys.org/news/2019-03-dose-solar-geoengineering.html">smaller amount</a> of warming, any negative impacts would be minimised. Most <a href="https://phys.org/news/2020-09-climate-oversimplify.html">SAI models</a> assume <a href="https://agupubs.onlinelibrary.wiley.com/doi/abs/10.1029/2020GL088337">ideal conditions</a>, where a cooperative group of countries rationally and carefully deploy SAI. Unfortunately, international politics is <a href="https://phys.org/news/2020-06-human-factor-limits-climate.html">messy</a>. </p>
<p>A small group of countries that prefer a cooler Earth could start to use SAI without international agreement. Yet there is little research on what the effects of this more disorganised use of SAI might be.</p>
<p>In an ideal world, those governing SAI would ensure that its infrastructure is resilient against catastrophes, operated cooperatively between countries, has extensive backups and is closely monitored for the duration of SAI deployment (likely decades and potentially over a century). And to ensure we don’t get trapped into relying on SAI indefinitely, we’ll still have to reduce greenhouse gas emissions to <a href="https://theconversation.com/net-zero-despite-the-greenwash-its-vital-for-tackling-climate-change-160329">net zero</a>, as well as <a href="https://theconversation.com/the-earth-needs-multiple-methods-for-removing-co2-from-the-air-to-avert-worst-of-climate-change-121479">removing excess emissions</a> from the atmosphere.</p>
<figure class="align-center ">
<img alt="A person wearing a medical facemask" src="https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/444543/original/file-20220204-15-5uktkq.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Poor governance during the pandemic may leave low hopes for SAI governance in the future.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:COVID-19_(Coronavirus)_Girl_in_mask.jpg">VP Eremen</a></span>
</figcaption>
</figure>
<p>But assuming this kind of governance would be naive. Just consider the pandemic. From <a href="https://voxeu.org/article/take-innovation-economists-covid-19-crisis">underinvesting</a> in COVID testing and vaccine development to placing misguided trust in <a href="https://theconversation.com/what-is-herd-immunity-a-public-health-expert-and-a-medical-laboratory-scientist-explain-170520">herd immunity</a>, policymakers have not proven reliable decision-makers. Imagine the conflict over placing a <a href="https://theconversation.com/video-how-did-mask-wearing-become-so-politicized-144268">chemical mask</a> over the Earth. </p>
<p>SAI could become a highly politicised issue, with changes in SAI use driven by political swings rather than sound science. And the fossil fuel industry and its <a href="https://www.technologyreview.com/2017/11/08/241719/gop-embraces-geoengineering-which-terrifies-geoengineering-researchers/">supporters</a> may well develop a vested interest in using SAI to delay the use of renewables. </p>
<p>Is SAI worse than climate change? We’re still uncertain. What we can say is this: in a world where things don’t go wrong, SAI is a prudent response to the climate crisis. But we live in a world of complexity and chaos, where relying on SAI would be deeply unwise. By tightly coupling the climate system to the global economic and political system, using SAI would be hoisting up a planetary <a href="https://www.thoughtco.com/what-is-the-sword-of-damocles-117738">Sword of Damocles</a>.</p>
<p class="fine-print"><em><span>Luke Kemp's work is funded by the Templeton Foundation. </span></em></p><p class="fine-print"><em><span>Aaron Tang has received funding from the Australian Government Research Training Program Scholarship. </span></em></p>The risks of using aerosols to reflect sunlight and cool the planet include creating extreme weather and worsening catastrophes.Luke Kemp, Postdoctoral Research Associate in Existential Risk, University of CambridgeAaron Tang, PhD Scholar in Climate Governance, Australian National UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1760512022-02-02T11:33:02Z2022-02-02T11:33:02ZUkraine-Russia: the first shots have already been fired – in cyberspace<figure><img src="https://images.theconversation.com/files/443807/original/file-20220201-25-y2k2nd.jpg?ixlib=rb-1.1.0&rect=6%2C0%2C4486%2C2991&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">NicoElNino via Shutterstock</span></span></figcaption></figure><p>Wars always used to begin with the softening up of an enemy with artillery fire. More recently, artillery has been replaced by strategic bombers or cruise missiles fired from naval vessels hundreds of miles away. This has made for eye-grabbing prime-time viewing in countries not being targeted by smart missiles and carpet bombing. </p>
<p>Of course, Ukraine has been fighting Russians in the east of the country <a href="https://www.cfr.org/global-conflict-tracker/conflict/conflict-ukraine">since 2014</a>. But the opening salvos in the latest chapter of hostilities – viewed by much of the rest of the world as a potential invasion of Ukraine by its mighty neighbour – are already being fired. </p>
<p>The artillery being used today, however, is not high explosives. It chiefly comprises clever use of computer code and the deliberate exploitation of computer networks. This new warfare makes for a poor television spectacle, but it is doing the same job.</p>
<p>In 2013, <a href="https://eng.mil.ru/en/management/info.htm?id=11113936@SD_Employee">Valery Gerasimov</a>, the Russian general who is now chief of the general staff of the Russian armed forces, gave a speech in which <a href="https://foreignpolicy.com/2018/03/05/im-sorry-for-creating-the-gerasimov-doctrine/">he assessed modern warfighting</a>. Gerasimov’s speech was widely misinterpreted as a description of the Russian way of war, but was actually a critique of Nato. Russia perceives itself – with some justification – to have faced <a href="https://andrewmonaghan.net/dealing-with-the-russians/">constant interference and aggressive attention</a> since the end of the cold war. </p>
<p>Russia has become expert at what has been described as the “Gerasimov doctrine” – <a href="https://www.nato.int/cps/en/natohq/news_183004.htm#:%7E:text=Hybrid%20threats%20combine%20military%20and,and%20use%20of%20regular%20forces.">hybrid or sub-threshold warfare</a> – including against Ukraine. The essence of this idea is that the attacking force uses techniques that fall below a threshold that would usually trigger an armed response by the victim or its allies. </p>
<p>It has been established that Russian hackers <a href="https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html">probed election systems in all 50 US states</a> around the 2016 presidential election. They have also been blamed for the <a href="https://www.theguardian.com/us-news/2018/jul/13/russians-hillary-clinton-email-server-trump-indictment">intrusion into Hillary Clinton’s campaign team emails</a> that helped Donald Trump to victory, and for the misinformation that has so divided the US ever since. But these were not acts of war that could justify an armed response. </p>
<p>Since 2015, disinformation campaigns mounted by or attributed to Russia through its proxies during various European elections, the Brexit referendum and <a href="https://edition.cnn.com/2021/03/07/politics/russian-disinformation-pfizer-vaccines/index.html">the pandemic</a> have similarly resulted in notable levels of public confusion and societal fractures. But these campaigns have not warranted an armed response, and occasionally – for diplomatic reasons – <a href="https://www.csis.org/blogs/brexit-bits-bobs-and-blogs/did-russia-influence-brexit">they have not been investigated at all</a>. They are tactics whose effects would make a useful contribution to a military campaign without being obviously military themselves.</p>
<h2>‘Wait for the worst’</h2>
<p>There has reportedly been a <a href="https://www.politico.eu/article/russia-ukraine-disinformation-nato-united-states-special-forces-winter-olympics-moscow-kremlin-kyiv/">marked increase</a> in disinformation being pushed through Ukrainian social media platforms in the past few weeks. On January 13, <a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/#:%7E:text=On%20January%2013%2C%20Microsoft%20identified,multiple%20victim%20organizations%20in%20Ukraine.">Microsoft’s Threat Intelligence Center</a> noted that malware had been placed on vulnerable Ukrainian computers. </p>
<p>It was a program built to look like ransomware, an attack that holds data hostage until a “ransom” is paid. But this malware had no recovery mechanism: when triggered it destroyed the data rather than encrypting it, wiping customer, payment or appointment records, for example, and leaving the victim organisations with nothing to buy back. </p>
<p>A day later a concerted attack on Ukrainian government and media sites saw their front pages replaced for several hours with the ominous message “<a href="https://fortune.com/2022/01/14/hackers-ukraine-government-websites-messages/">Be afraid and wait for the worst</a>”. Highly emotive propaganda and disinformation of this kind are aimed at weakening public morale, making invasion and occupation simpler to achieve.</p>
<p>Russia has a strong track record of intrusions into its neighbours’ cyberspace. In 2007 Russian hackers <a href="https://www.bbc.co.uk/news/39655415">overwhelmed many Estonian institutions</a>, including banks, media outlets, the parliament and various public services. It was a distributed denial of service attack, in which a global network of compromised computers (a botnet) is directed to flood the target servers with requests at the same time, exhausting their capacity and forcing them offline. </p>
<p>The Russian military physically disabled communications technology in Georgia prior to its invasion in 2008. It was, <a href="https://www.atlanticcouncil.org/blogs/ukrainealert/the-2008-russo-georgian-war-putins-green-light/">wrote Brian Whitmore</a>, a senior fellow of the Atlantic Council: </p>
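<p>The distributed denial of service pattern described above, as an added example that is not part of the original article and does not reproduce anything from the Estonian incident: a short Python script that parses web-server access logs in Common Log Format and flags time windows in which a high request rate is spread across many source addresses with no single client dominating, which is what separates a botnet flood from one noisy client. The log lines, the IP ranges and the thresholds are constructed assumptions for illustration.</p>

```python
"""Detecting a distributed flood in web-server access logs.

Added example, not from the original article. The log lines are constructed
and the thresholds are illustrative assumptions, not values from any real
incident: tune them to the site's normal traffic before using such a rule.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_by_window(events, width_s):
    """Group events into fixed windows keyed by the window's start epoch second."""
    buckets = defaultdict(list)
    for e in events:
        start = int(e["ts"].timestamp()) // width_s * width_s
        buckets[start].append(e)
    return buckets


def flag_floods(lines, width_s=10, min_rps=20.0, min_sources=50, max_top_share=0.05):
    """Return windows whose request rate is high AND whose traffic is spread across
    many sources with no single client dominating: the signature of a botnet flood
    rather than one misbehaving client. All thresholds are assumptions."""
    events = [e for e in map(parse_line, lines) if e is not None]
    flagged = []
    for start, evs in sorted(bucket_by_window(events, width_s).items()):
        rps = len(evs) / width_s
        sources = Counter(e["ip"] for e in evs)
        top_share = sources.most_common(1)[0][1] / len(evs)
        if rps >= min_rps and len(sources) >= min_sources and top_share <= max_top_share:
            flagged.append({"window_start": start, "rps": rps,
                            "sources": len(sources), "top_share": top_share})
    return flagged


def build_sample_log():
    """Constructed sample: 10 s of normal traffic, 10 s of a distributed flood,
    then 10 s of an equally large burst from a single client."""
    def fmt(ip, sec, path):
        return f'{ip} - - [14/Jan/2022:10:00:{sec:02d} +0200] "GET {path} HTTP/1.1" 200 512'
    lines = []
    clients = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for s in range(10):                 # roughly one request per second
        lines.append(fmt(clients[s % 3], s, "/"))
    for i in range(300):                # 300 requests from 300 distinct sources
        lines.append(fmt(f"10.0.{i // 256}.{i % 256}", 10 + i % 10, "/"))
    for i in range(300):                # same volume, one source: a rate-limit case, not a DDoS
        lines.append(fmt("192.0.2.7", 20 + i % 10, "/login"))
    return lines


if __name__ == "__main__":
    for w in flag_floods(build_sample_log()):
        print(f"flood window at {w['window_start']}: {w['rps']:.0f} req/s from "
              f"{w['sources']} sources, busiest source {w['top_share']:.1%} of traffic")
```

<p>Only the middle window is flagged: the single-client burst has the same volume but fails the spread test and is a job for a rate limiter, not a DDoS playbook. A rule like this only sees floods that reach the web server; network-layer floods that saturate the link upstream never produce a log line, so they need flow or provider telemetry instead.</p>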
<blockquote>
<p>a Beta test for future aggression against Russia’s neighbours and a dry run for the tactics and strategies that would later be deployed in the 2014 invasion of Ukraine … When Russian forces attacked Georgia on the night of August 7-8, 2008, it was preceded by a cyberattack, a disinformation campaign, and an all-out effort to meddle in that country’s domestic politics. These are all tactics that are now very familiar to the United States and its allies.</p>
</blockquote>
<p>On December 23 2015, Russian hackers – having gained a foothold months earlier through phishing emails – managed to <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">take over the control systems of Ukrainian electricity distribution companies</a>, cutting power to some 223,000 customers for up to six hours in the depths of winter. </p>
<h2>Global threat</h2>
<p>A similar deprivation of electronic communications in Ukraine, whether by physical or electronic attack, would have a much larger impact today. Ukraine is a modern society that makes extensive use of electronic communications and banking systems. We can judge the possible impact of switching these facilities off by simply thinking through how it would affect us if it were done here. </p>
<p>The stark reality is that Russia is a <a href="https://www.technologyreview.com/2022/01/21/1043980/how-a-russian-cyberwar-in-ukraine-could-ripple-out-globally/">highly capable cyberpower</a>. Russia uses cyberattacks strategically. It chooses opportune moments and targets to meet its strategic objectives, in this case undermining Ukrainian morale and the willingness of the public to follow government instructions. Ukraine has long experience of Russia’s non-military tactics. It is, in many respects, better prepared than Nato powers to withstand this type of warfare. </p>
<p>But while Ukraine is psychologically better prepared than the west, it will not be able to prevent Russia from shutting down vital infrastructure and communication services. Cyberattacks on businesses and hospitals create a potential spiral of economic disruption in Ukraine that will require direct financial support. </p>
<p>The west should worry about how Ukraine will fight a defensive conflict without this infrastructure and networks. And western governments need to worry about their lack of preparedness if Russia uses its cyber capabilities more broadly. Our societies are far less well prepared.</p>
<p class="fine-print"><em><span>Robert M. Dover does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Russia has been developing sophisticated hybrid warfare tactics for some years now.Robert M. Dover, Professor of Criminology, University of HullLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1754712022-01-26T19:55:02Z2022-01-26T19:55:02ZRussia could unleash disruptive cyberattacks against the US – but efforts to sow confusion and division are more likely<figure><img src="https://images.theconversation.com/files/442625/original/file-20220125-27-qyhl0p.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6000%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Department of Justice indicted six officers of Russia's GRU military intelligence service in October 2020 on charges of hacking and deploying malware.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/poster-showing-six-wanted-russian-military-intelligence-news-photo/1229171656">Andrew Harnik - Pool/Getty Images</a></span></figcaption></figure><p>As tensions mount between Russia and the West over Ukraine, the threat of Russian cyberattacks against the U.S. increases. The Department of Homeland Security issued an <a href="https://www.cnn.com/2022/01/24/politics/russia-cyberattack-warning-homeland-security/index.html">intelligence bulletin</a> on Jan. 23, 2022, warning that Russia has the capability to carry out a range of attacks, from <a href="https://www.cisa.gov/uscert/ncas/tips/ST04-015">denial-of-service</a> attacks on websites to disrupting critical infrastructure like power grids.</p>
<p>“We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” the DHS <a href="https://abcnews.go.com/Politics/dhs-warns-russian-cyberattack-us-responds-ukraine-invasion/story?id=82441727">stated in the bulletin</a>, which it sent to law enforcement agencies, state and local governments, and critical infrastructure operators.</p>
<p>Cybersecurity experts are concerned that in the wake of recent cyberattacks by hackers affiliated with Russia, the Russian government has the capability to carry out disruptive and destructive attacks against targets in the U.S. The <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">SolarWinds attack</a>, uncovered in December 2020, gave the perpetrators access to the computer systems of many U.S. government agencies and private businesses. The DHS and FBI accused Russian hackers in March 2018 of <a href="https://www.cisa.gov/uscert/ncas/alerts/TA18-074A">infiltrating U.S. energy and infrastructure networks</a>.</p>
<p>Russian cyberattacks could include continued attempts to diminish Americans’ confidence in <a href="https://www.nytimes.com/news-event/russian-election-hacking">elections</a>, undermine <a href="https://www.thecipherbrief.com/column_article/dont-underestimate-economic-side-russias-cyber-warfare">economic stability</a>, damage the <a href="https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants">energy grid</a>, and even disrupt <a href="https://www.cbsnews.com/news/cyberattacks-ransomware-hacking-hospitals-target-foreign-groups/">health care systems</a>. </p>
<p>While some components of these systems almost certainly remain vulnerable to Russian-aligned hackers, the Russian government is likely to think twice before unleashing highly disruptive attacks against the U.S., because the U.S. government could interpret such attacks, particularly those targeting critical infrastructure, as <a href="https://www.wsj.com/articles/SB10001424052702304563104576355623135782718">acts of war</a>. The DHS bulletin stated that Russia has a high threshold for initiating disruptive attacks. As a researcher who <a href="https://scholar.google.com/citations?user=nNlgxmMAAAAJ&hl=en">studies cyberwarfare</a>, I believe a more likely threat from Russian hackers is launching disinformation campaigns.</p>
<h2>Distract, distort and divide</h2>
<p>Americans can probably expect to see Russian-sponsored cyber activities working in tandem with propaganda campaigns. These activities are likely to be aimed at preventing a unified response to Russian aggression in Ukraine. </p>
<p>Russian military doctrine includes the well-evolved concept of <a href="https://www.ndc.nato.int/news/news.php?icode=995">information confrontation</a>, which uses cyber means to create doubt about what is true. Russia’s information warfare strategy seeks to manipulate information and relationships. </p>
<p>The <a href="https://apps.dtic.mil/sti/pdfs/AD1108494.pdf">specific maneuvers</a> aim to bolster narratives, people and groups that support Russian interests and undermine those that are counter to Russian interests. The maneuvers, which include dismissing and distorting information and undermining opinion leaders, are carried out in the press and on social media. </p>
<p>Russian intelligence operatives are skilled at using technology, including <a href="https://theconversation.com/how-fake-accounts-constantly-manipulate-what-you-see-on-social-media-and-what-you-can-do-about-it-139610">amplifying misinformation through fake accounts</a> on popular social media platforms. In effect, Russia uses social and other online media like a military-grade fog machine that confuses the U.S. population and encourages mistrust in the strength and validity of the U.S. government.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a seven-story office building with gray walls and blue windows" src="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This office building, dubbed the ‘troll factory,’ housed the Internet Research Agency, a Kremlin-backed disinformation organization.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Election2018RussianMeddling/91870df003cc492494b575682ef911c0/photo">AP Photo/Dmitri Lovetsky</a></span>
</figcaption>
</figure>
<p>Repressive governments like those in <a href="https://www.hrw.org/news/2020/06/18/russia-growing-internet-isolation-control-censorship">Russia</a> and <a href="https://gking.harvard.edu/50C">China</a> have perfected the manipulation of online information as a way to control their own populations. Democracies are especially vulnerable to these techniques, given the open exchange of ideas and lack of centralized control over sources of information. </p>
<p>In addition, U.S. society is <a href="https://www.pewresearch.org/politics/2014/06/12/political-polarization-in-the-american-public/">polarized</a>, and that polarization is <a href="https://www.brown.edu/news/2020-01-21/polarization">occurring at an increasing rate</a>. A study by researchers at the University of Oxford examined Russia’s computational propaganda against the U.S. <a href="https://int.nyt.com/data/documenthelper/534-oxford-russia-internet-research-agency/c6588b4a7b940c551c38/optimized/full.pdf">between 2013 and 2018</a> and found that it was designed to boost U.S. political polarization.</p>
<h2>Plausible deniability</h2>
<p>Though the Russian government commonly operates through its intelligence services, including the technical experts in the <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">GRU</a> military intelligence service and the spymasters in the <a href="https://crsreports.congress.gov/product/pdf/IF/IF11718">FSB</a> domestic intelligence service, it also uses <a href="https://www.defenseone.com/technology/2021/05/russias-latest-hack-shows-how-useful-criminal-groups-are-kremlin/174401/">criminal groups</a> to achieve its aims. </p>
<p>History shows that Russia is most likely to recruit proxies to carry out cyberattacks that <a href="https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20111231_art013.pdf">disrupt decision-making</a> so that the attacks don’t point directly back to the Kremlin. There is no foggier battlefield than cyberspace. That is one of the main benefits of cyberspace as an element of national power – a cyberattack almost always allows for plausible deniability. </p>
<p>On Jan. 14, 2022, Russia <a href="https://theconversation.com/how-the-biden-administration-is-making-gains-in-an-uphill-battle-against-russian-hackers-174199">arrested members of the Russian-based cyber gang REvil</a>, the group behind the 2021 ransomware attack against <a href="https://www.bbc.com/news/world-us-canada-57338896">meat supplier JBS Foods</a>, headquartered in Greeley, Colorado. U.S. officials said one of those arrested was also behind the attack on <a href="https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984">the Colonial Pipeline</a>, headquartered in Alpharetta, Georgia, which the FBI had attributed to DarkSide, a group closely tied to REvil. The unusual move caused cybersecurity analysts to wonder about Russia’s motive, including speculation about <a href="https://www.darkreading.com/threat-intelligence/russia-takes-down-revil-ransomware-operation-arrests-key-members">making it easier for the government to deny a connection</a> to the cyberattacks.</p>
<h2>US cyber defenses</h2>
<p>National cyber defense is <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">inherently challenging</a>, but the U.S. is far from defenseless. Several <a href="https://www.washingtonpost.com/politics/2021/06/28/cybersecurity-202-united-states-is-still-number-one-cyber-capabilities/">analysts</a> <a href="https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power">have noted</a> that the U.S. is the most capable cyber power in the world. The U.S. also has <a href="https://www.forbes.com/sites/jodywestby/2020/12/20/russia-has-carried-out-20-years-of-cyber-attacks-that-call-for-international-response/?sh=526ef3a96605">20 years</a> of experience dealing with Russian cyber aggression.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="people in military uniforms sit at desks with multiple computer monitors" src="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">U.S. Army intelligence personnel in the Cyber Operations Center at Fort Gordon in Georgia watch for network attacks.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/ftmeade/45028818622/">U.S. Army photo by Michael L. Lewis</a></span>
</figcaption>
</figure>
<p>The Biden administration’s <a href="https://theconversation.com/how-the-biden-administration-is-making-gains-in-an-uphill-battle-against-russian-hackers-174199">tough stance on Russian hacking</a> has made some progress. And though disinformation is among the murkiest of cyber strategies, cybersecurity experts are <a href="https://theconversation.com/the-battle-against-disinformation-is-global-129212">making headway</a> on that front, too.</p>
<h2>Cause for concern but no reason to fear</h2>
<p>Cyber activity that creates room for Russia to present the seizure of Ukraine as a fait accompli is much more likely than a crippling cyberattack. Though Russia might temporarily deter a U.S. response to Russian moves in Ukraine by disrupting U.S. critical infrastructure, Americans are likely to present a unified and powerful response to such an overt attack. I believe Russia is more likely to prefer a path of insidious political polarization to weaken U.S. geopolitical influence.</p>
<p>Even if Russia were to launch extensive cyberattacks against the U.S., the average American is unlikely to be harmed. The disruption of natural gas and food supplies would clearly have a significant economic impact, but it is <a href="https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/">extremely rare</a> for a cyberattack to lead to loss of life. </p>
<p>If you are worried about the situation in Ukraine and wondering what you can do to defend against Russian cyberattacks, I recommend tuning out divisive rhetoric and cultivating common ground with Americans whom you might not agree with. Though there are many issues U.S. society is working through, Americans can still try to find some general agreement in the principles of the American experiment.</p>
<p class="fine-print"><em><span>I am a reservist in the United States Army.</span></em></p>Russia probably has the means to attack US electrical grids and otherwise create havoc but probably won’t go that far. Instead, watch for disinformation aimed at undermining the US and NATO.Justin Pelletier, Professor of Practice of Computing Security, Rochester Institute of TechnologyLicensed as Creative Commons – attribution, no derivatives.