Cyberattacks: The war of the machines

An attack has been launched on an American bank’s computer infrastructure – possibly by Russia. Is it an act of war? Simon Wilson investigates.

What’s happened?

The FBI is investigating a new wave of serious cyberattacks on JP Morgan Chase and several other big US banks, which are suspected to have originated from Russia.

Due to their timing, following the imposition of further sanctions against Russia, there has been speculation that these cyberattacks have been sponsored or sanctioned by Moscow – a scenario that (by most definitions) would mean that they amount to an act of cyberwarfare.

What is cyberwarfare?

The US government security expert Richard Clarke, in his book Cyber War, defines it as “actions by a nation state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”.

Many countries, notably China and America, have invested heavily in both defensive and offensive cyberwarfare capabilities. The term, however, is contested – even by those who are part of the US security establishment.

Howard Schmidt, Barack Obama’s former cybersecurity czar, argues that routine economic espionage conducted via the internet has frequently been mischaracterised as “cyberwar”. What’s more, the people who talk up the threat include defence industry figures who have lots to gain by doing so.

What counts as war?

In an influential journal article (“Cyber war will not take place”, published in the Journal of Strategic Studies and expanded into a book in 2013), Thomas Rid, professor of security studies at King’s College London, argues that politically motivated cyberattacks are merely sophisticated versions of three “vectors” that are as old as warfare itself – sabotage, espionage and subversion – but which do not necessarily constitute acts of war.

(The revelation that the National Security Agency was spying on Angela Merkel’s phone was an embarrassment for Washington, but didn’t mean the US was at war with Germany.) Rid also argues that to qualify as an act of cyberwar, an attack would have to lethally disrupt a country’s critical infrastructure in a way that hasn’t happened to date.

So we can stop worrying?

Not at all. Whether a cyberattack on a company constitutes state-sponsored “warfare”, political “hacktivism”, or simple criminal fraud, corporations (as well as individuals) must deal with all kinds of cyber threats that nevertheless fall short of lethal disruption.

According to a study by the Centre for Strategic Studies, the estimated global cost to business of cybercrime is at least $375bn a year.

Large firms face particular challenges due to the fact that military power in cyberspace is normally projected via computer networks that are provided by private enterprise. As a recent article in The Diplomat pointed out, both Chinese and US firms have become the targets of suspicion and retaliation from the (presumed) enemy state.

Revelations that the US was using private firms to help its espionage programme triggered Chinese reprisals against Microsoft this summer.

Who’s behind the latest attacks on banks?

No one knows, but investigators believe the attacks originated in Russia. According to some analysts, the sophistication of the attacks suggests considerable resources, implying state involvement. Moreover, the attackers successfully breached the defences of one of the most well-funded institutions on Wall Street: JP Morgan Chase.

The bank spends about $250m a year on cybersecurity and employs 1,000 staff in this area (compared to Google’s 400). Again, that implies a level of sophistication that suggests a state actor. On the other hand, it’s unclear how Russia benefits from attacking Western banks: Moscow would gain more by keeping them onside and encouraging them to lobby their governments for an easing of sanctions.

What does that imply?

All this suggests that the latest attacks on banks are more likely to be the work of “patriotic” criminal hackers than of the Russian state itself. According to Scott Borg, chief executive of the US Cyber Consequences Unit, Russia’s “patriot-hacker” cybercriminals are tolerated and even, to some degree, protected by Moscow.

“But they will often carry out cyberattacks that allow them to profit, while still falling in line with what they perceive to be Russia’s interests,” Borg told the Financial Times.

Earlier in the summer, security firm Symantec warned that one such group of organised Russian hackers – known as “Energetic Bear” – was targeting grid operators, fuel pipeline operators, electricity generation firms and other “strategically important” energy companies.

The biggest cyberattack yet

To date, the only successful instance of cyberwarfare being used to do lethal damage to another country’s infrastructure was the Stuxnet virus, widely presumed to have been created by US and Israeli intelligence.

Stuxnet destroyed perhaps a tenth of the Iranian centrifuges at the Natanz nuclear facility and delayed uranium enrichment for a few months, but the vulnerabilities it exposed were quickly repaired by Iranian scientists.

According to Martin Libicki of think tank the Rand Corporation, if that’s the best that two first-rate, lavishly funded state powers can do against a third-rate industrial power, then it puts into perspective the more alarmist predictions of what others might achieve when it comes to attacking the West.