If you would like to share feedback on the new format of the IISS Cyber Report, please email John Drennan, Special Assistant to the Executive Director, IISS–Americas.
Doing the maths on bug bounties
Results from the Singaporean Ministry of Defence’s first bug bounty programme indicate that 35 vulnerabilities were uncovered, including two categorised as ‘high’ severity. Rewards totalling almost SGD20,000 (US$15,000) were paid out for the three-week event that finished in February. By comparison, Microsoft’s bounty programmes offer hackers up to US$250,000, depending on the nature of the discovery, and Google’s incentives range from US$100–20,000. Zerodium – one of the private firms that purchases zero-day exploits to serve ‘mainly government organisations’ in need of ‘specific and tailored’ capabilities – has an exploit acquisition programme with payouts from US$5,000–1,500,000 per submission. The maximum amount currently available is for a ‘remote jailbreak with persistence’ of the Apple iPhone.
The apparent disparity between what cyber defenders offer would-be ‘white-hat’ hackers and the real market value of zero-day exploits for criminals and governments may partially explain the advantages of offence in cyberspace and the ongoing insecurity of that ecosystem. [For information on the United States government’s policy regarding zero-day exploits, see the unclassified November 2017 White House memorandum on its vulnerabilities equity process.]
Is a compromise over access to customer data in sight?
Governments and technology companies around the world are increasingly coming into conflict with each other over a state’s right to access customer data. Apple this week acquiesced to Beijing’s demands to store cryptographic keys needed to unlock iCloud accounts in China. The US Supreme Court also began hearing a case pitting the US government against Microsoft, which seeks to clarify whether the company must comply with a court order to turn over customer data stored on a foreign server. The case could be pivotal for the interpretation of the Stored Communications Act of 1986.
Pending legislation entitled the Clarifying Lawful Overseas Use of Data Act, or ‘CLOUD Act’, could resolve such disputes by requiring companies to honour data requests from pre-approved governments, with sufficient laws to protect privacy and civil liberties. The White House, the UK government and some of the largest tech firms all support the bill, demonstrating that appetite for greater consensus between law enforcement and the private sector over access to data is growing.
Russians blamed for Winter Olympics hack
Consensus that Russian hackers were responsible for the cyber attack against the Pyeongchang Winter Olympics opening ceremony is building. US intelligence officials said Russia’s military intelligence agency had compromised up to 300 computers associated with the games and hacked countless routers in South Korea. The false flag operation made North Korea appear culpable by using North Korean IP addresses to launch the attack, as well as other unspecified tools, which could have included modified North Korean malware or malware developed on computers with Korean language settings.
The attack was likely in response to Russia’s official exclusion from the games. However, the fact that Moscow planned and executed this overt attack at a time when it is under international scrutiny for its interference in the 2016 US presidential elections raises serious doubts about the effectiveness of efforts to deter Russia from further cyber interventions.
Twitter announced it would no longer allow users to post ‘identical or substantially similar content’ to their multiple accounts, or to coordinate interactions such as ‘likes’ or retweets. These rule changes follow the social media company’s ongoing investigation into the use of Twitter by foreign actors to influence the 2016 US presidential election. Twitter contacted approximately 1.4 million users in the US to inform them of interactions with the more than 3,800 accounts associated with the Russian Internet Research Agency. In the 16 February indictment, Special Counsel Robert Mueller accused the agency, which is linked to the Russian government, of heavy social media use in an attempt to influence the election.
Disjointed approach to disinformation in Washington
Countering Russia’s disinformation campaign is currently a critical strategic concern and a matter of heated debate within the US government. The White House faced bipartisan Congressional criticism this week for not actively ordering the disruption of Russian meddling in US political affairs. In a hearing before the Senate Armed Services Committee, Admiral Michael Rogers, the departing head of the National Security Agency and US Cyber Command, said he had received no orders to counter Moscow’s disinformation efforts.
This comes at a time when the US State Department’s Global Engagement Center stated that it will receive an additional US$40m from the Defence Department’s budget for the purpose of exposing and countering propaganda by foreign states. Likewise, the US Justice Department is seeking to tackle the issue of foreign influence, announcing on 20 February the establishment of a Cyber-Digital Task Force, which will be responsible for investigating election interference, the cyber threat to critical national infrastructure, cybercrime and extremism online. [For in-depth analysis about the re-emergence of Russian information warfare tactics, read chapter three of the IISS Strategic Survey 2017.]
North Korea’s expanded cyber operations
A cyber espionage group linked to the North Korean government has been observed targeting government and commercial organisations in Vietnam, Japan and the Middle East, representing a significant expansion of the reclusive state’s intelligence-gathering activities. Separately, it was reported that Pyongyang’s cyber troops had compromised the corporate networks of Orascom Telecom Media and Technology Holding, an Egyptian-owned firm responsible for developing North Korea’s telecommunications networks. Prior to the launch of a state-run cellular network, Orascom was the only network provider in the country, leading to speculation that the operation was intended to gain business intelligence about the company’s activities.
These developments suggest that in addition to carrying out financially motivated cyber operations, state hackers in North Korea play an important role in gathering political and commercial intelligence to help shape government policy.
Cyber criminals: more of the same
Akamai’s latest State of the Internet report found that, over the past year, distributed denial-of-service (DDoS) attacks grew, botnets were increasingly used to abuse stolen credentials, and enterprise systems were exploited in order to turn them into bots. With 40% of login attempts being malicious (82% in the hospitality sector) and a 115% increase in application layer DDoS attacks from Q3 to Q4 in 2017, Akamai’s data reflects the ubiquitous threat of cybercrime.
Cyber security firm McAfee also released its own study this month, concluding that cybercrime costs businesses approximately US$600bn – or 0.8% of global GDP – which is up from the US$445bn estimate in 2014. Cyber criminals are rapidly adopting new technologies and focusing on lucrative targets, as illustrated by more fraudulent transmissions through the SWIFT messaging system used by banks and the Reserve Bank of India’s recent press release.
NATO improving Moldova’s cyber defence capabilities
NATO launched a multi-year initiative to help develop the Moldovan Armed Forces’ cyber defence capability. The announcement does not cite specific cyber threats to Moldova’s security institutions, but several former Soviet Union countries have been the target of Russian cyber and information operations. Diplomatic relations between Moldova and Russia remain strained following the expulsion last year of five Russian diplomats from Moldova, and the country’s signing of an association agreement with the European Union in 2014. Earlier this month a law that effectively bans the retransmission of TV and radio programmes produced by Russia came into effect. The partnership between NATO and Moldova may increase tensions between the West and Russia, which will likely view such efforts as further NATO encroachment.
Strategic cyber planning in Europe
NATO is reviewing how to achieve strategic cyber awareness and security for joint operations following a reform of the alliance’s command structure. As part of that effort, a new cyber operations centre has been created within Supreme Headquarters Allied Powers Europe in Belgium.
This month, France’s General Secretariat for Defence and National Security also published a strategic review of cyber defence, detailing efforts to protect government networks and critical infrastructure. The review also references the French diplomatic proposal at the United Nations Group of Governmental Experts to create normative constraints on ‘hack back’ cyber operations (see page 36 of the report). Last year the German government held initial discussions about developing a legal framework for computer network operations, ruminating on whether armed forces, intelligence agencies and the police ought to have ‘hacking back’ operations under their purview.
Managing supply chain threats in the UK
The UK’s National Cyber Security Centre (NCSC) confirmed it will continue to collaborate with Chinese telecom company Huawei, despite concerns raised by US intelligence officials about the threat it poses to national security. To manage this risk, the UK’s signals intelligence agency GCHQ oversees a team of Huawei researchers who check the company’s software and hardware for vulnerabilities.
The UK has also diverged from the US in its treatment of Kaspersky Lab, the Russian cyber security firm accused of providing the Kremlin with access to customer information. While the US has effected a ban of Kaspersky Lab products across the federal government, the NCSC advised that the same rule should only apply to UK government systems with a national security purpose. The NCSC will work with Kaspersky Lab to establish a review process for its products. [For strategic analysis of the threat posed by Kaspersky Lab and other vendors, see testimony by the IISS Director for Cyber, Space and Future Conflict before the US House of Representatives last October.]