Dr. Alexander Klimburg, KuppingerCole Analysts, cyberevolution 2023, Dr. Alexander Klimburg, The Hague Center for Strategic Studies

93% of the so-called cyber leaders had a strong or slightly strong opinion that in the next two years there would be a significant, or actually catastrophic, cyber incident due to geopolitics. This is a reflection of the world we're living in right now.
And this is also something that is reflected in general business sentiment. Allianz also put out a recent poll not too long ago saying that of all the business risks that chief executives are worried about, cyber was still number one, tied with supply chain disruption sometimes, but still number one. And that is even though many of these chief executives probably don't really understand that much about cyber.
So one of the things I want to communicate with you right now is how you can use geopolitics and your history of what's been happening in the cyber domain over the last 10, 15 years, and what role cyber crime plays, to communicate with your C-level. And basically show that geopolitics is effectively at the moment run very often by cyber-crime-related trends. So first of all, a disclaimer. We can't even agree on how to spell the word cybersecurity, so we shouldn't be surprised that we're not exactly clear what it means. So you can write cybersecurity as a single word.
You can write it as two separate words. If you're not sure, you can put a hyphen in between. I've actually seen government documents that use two different spellings. Why is this relevant? Because it shows how ambiguous everything is in cyberspace. Everyone knows how difficult it is to do attribution. We sometimes don't know whether we're dealing with state actors or non-state actors or something in between. And sometimes we also don't know what the purpose of an attack was. Was it espionage? Was it preparation for war? Was it information warfare?
Everything is ambiguous in cyberspace, and therefore we should always approach every statement and every tautology that we're dealing with with a bit of caution. That also leads me to a reminder. Cyberspace used to be a concept of science fiction. It didn't really exist. When I started in this business, it didn't exist officially at all. It has only existed since 2008, when the U.S. Department of Defense effectively classified cyberspace as a real domain of action equal to air, land, sea, and space.
Beforehand, if you wanted to talk about cyberspace, you had to talk about information networks or the internet, both of which, of course, don't really capture it. And the most important thing that came out of this discussion in the Department of Defense was how they saw the geography of cyberspace. And that geography, of course, starts with the basic physical layer of cyberspace, which is the routes, the routers, the cables, and where it exists. The level above it is the logic layer, which, of course, is the code.
The data layer is supported by the logic layer. And finally, it all supports the social layer, what we all depend upon, the reason why all of this exists.
Now, as a self-taught hacker from the 90s, and many of you as well, you really know that all of this is about effecting change in the social layer. The best hack, for me, is simply to tell you what I want you to do, and you do it. If I have to tap a cable on the physical layer, or if I have to use a zero-day on the logic layer, or if I have to get you to divulge your password on the data layer, it's all a detour. The most effective hacks are always the ones that hit the social layer. And that is something that we sometimes, as technical people, tend to forget about.
Now, for some good news. The question is also, is your board ready?
Now, most of you will probably be aware that there are some really big pieces of legislation that have been enacted and are coming down the pipeline, which is also going to make our job hopefully a lot easier. The first, of course, is in the US, where the Securities and Exchange Commission has demanded that boards now effectively take responsibility for being aware not only of how cybersecurity risks are managed in their company, but also show that they have expertise in understanding the data that's provided to them.
Now, that's going to be interesting, right? For those of you who have dealt with larger companies and those boards, they have a lot to do. And being able to understand cybersecurity is not a job you can basically do on the side. But effectively, this is what's now going to be expected from them: they have to prove, effectively in a disclosure form, that they've been adequately briefed at a regular level. And this is on top of all the other good stuff that was in this update of the SEC rule, which includes disclosures and other things which we've had in Europe for a while now.
The most important thing is they have to really prove that they have adequate cyber expertise. Now, in the Network Information Security Directive Version 2 that we are now also starting on, Article 20 does something similar. It directly refers to the need for boards to show that they, first of all, oversee the implementation of adequate cybersecurity risk. They are responsible. They cannot outsource it to three levels down the stack. They are personally responsible.
And furthermore, they have to also show that they have sufficient knowledge to be able to understand what they're being told about. These are both breakthrough concepts in what is known in English as duty of care, which effectively are going to change the equation in a big way. Because two of the biggest problems I have experienced in the last 15 years are the outsourcing, downsourcing, and ignoring of cybersecurity risk. It was too complicated. It was pushed out of the business in terms of insurance or contractors, or it was buried at the technical level.
And now that's not going to be an option anymore, theoretically. Speaking about boards, there are a lot of great comments out there. For instance: "I told them to back up everything." That's great. Have you ever tried to recover from your backup at speed? Because that can be the real challenge. "There's no reason for anyone to attack us."
Sure, but there's no reason not to attack you. The whole idea of a spray-and-pray attack is that it costs them nothing, so why shouldn't they? "If it's not broken, don't fix it." Cybersecurity is not a run-to-fail proposition. If you fail, you're probably dead. So it's not necessarily a good way to operate, and you need to update this. "My guys have this great war game map. It has a pew-pew, and you can see the cyber attacks incoming and outgoing." That's really helpful for dealing with senior management. Sometimes the question is, what do you do with that data?
"And that is what insurance is for," and "We are compliant." Insurance has gone through a lot of different stages in the last 14 years I've been observing it, and right now we're at a very interesting stage. But I can tell you one thing: cyber insurance doesn't cover everything, and it still won't. Just being compliant does not necessarily mean you're going to be able to cover all the necessary risks out there, even though I actually think it's a very good development. But most importantly, I think the statement is, "We are not at war."
And when I hear that statement, especially in the last couple of years, I think, right, this is where we have to start talking about geopolitics, to understand why cyber is not necessarily just another business risk, as I've been hearing for a long time, but something very specific, and it plays a very specific role in the geopolitical landscape. When we talk about war, what is your definition of war? Do you think war is a continuation of politics by other means?
This, of course, is Clausewitz. It's the foundation of international law. We have war and not war, and there's nothing in between. So effectively, when we're at peace, we have peaceful rules, and when we're at war, we have international humanitarian law. We have the laws of armed conflict. There's nothing in between. But there is, however, a different definition, and that is politics as the continuation of war by other means. And this is very often ascribed to Lenin, and it's actually coming up to 100 years since he supposedly said this.
What is not an assumption is that this is a core part of doctrine in Marxist-Leninist thought, and in particular in military doctrine, as well as security policy and international relations. Multiple generations of people in Russia and China have been taught to think of war as being a continuous state, that everything else is a distraction, and all means are effectively plausible means or useful means for this.
This is why, when you hear of concepts from China such as lawfare or similar, that is actually very much in line with a long-term idea that war is eternal, and any kind of idea that we have a peacetime and wartime situation just isn't accurate. What is an act of war? What do you think? In the United Nations and international legal system that we basically live under, it's kind of clear. It's usually an armed assault and use of force. That basically allows you to engage in self-defense.
So, in our case, I spent 10 years effectively in UN international cybersecurity discussions, and we are always talking about, of course, cyber war scenarios. The worst possible scenario is a blackout, or really bad blackouts, in which we either go back to the 1920s or the Iron Age, depending on how gloomy you are.
So, this is what the obsession of the West has been for about 15 years now, trying to make sure international law can deal with the consequences of cyber, and they treat it a little bit like it's a nuke. But that is not necessarily the only discussion there. There is a whole bunch of people, a part of the world, that really sees the threat as being information warfare, and that the absolute worst outcome is regime change. This very much relates to the previous comment that you saw, which is the one that war is eternal.
And in that context, they see that this type of regime change operation is the number one threat that they need to ward against. And, for instance, if you talk to a Russian and Chinese cyber specialist, they will point back to, for instance, the picture on the right, which is Belgrade 2000, the democracy movement that got rid of Slobodan Milosevic. That was the original sin from their point of view. From that point onwards, they contend, the West has been engaged in a process to overthrow their governments.
The term color revolutions, even just recently, is constantly used as a bad word in Russia and China, because they are convinced that rather than it being effectively a phenomenon related to democracy or an internal uprising, these are operations planned by foreign intelligence services to undermine them. And don't forget, if they get undermined, it's very personal. They can end up being shot.
So, for them, regime change is something very personal indeed. And even though one can argue about how likely their interpretation is that any of these movements are directly coordinated or even influenced by intelligence agencies, that's their stated fear, and they do plan accordingly. What does it look like operationally? If you are trained as a traditional infosec person, or especially in the military intelligence environment, you're going to be well familiar with the document on the left. That's JP 3-13, information operations, which is effectively how... You can't really read it, can you?
Which effectively is how information operations have been defined in the military since 1999. That's computer network operations. It has computer network attack, computer network exploitation, computer network defense. It's all nice and tidy, and it sits in an environment that effectively was defined by the US military in the 90s. And all of us have learned in our ISO 27000 box that it's always about the data, always about protecting the confidentiality, the integrity, the availability of the data.
Therefore, when we see an attack, we're like, ooh, what do they want to do with this data? Which of the three attributes do they want to violate?
However, there's a different way of viewing this, and that's to view the entire paradigm through that of effectively psychological warfare. If you look on the right side of the map, you see a rendition of a philosophy called reflexive control, which is a military doctrine that has existed in Russia since the 1970s. And in this model, psychological operations are effectively the all-defining parameter. In the West, psychological operations are something that happens at the operational level in militaries.
In Marxist-Leninist systems, it is traditionally the most important parameter. Not a single operation, especially at the top, is planned without the psychological dimension having primacy. And this is something that carries on at every level. And the concept of reflexive control means that it's all about information. All activities, physical activities or otherwise, are captured as information packets. And the idea of an information packet is to get you, as the adversary, to effectively do what they want, preferably without you knowing it.
In an ideal world, a reflexive control attack will lead you to lose a war without even knowing that a war has been declared. This is just an example of what effectively many people in China and Russia, especially those who were trained in the military and the government, will have learned in their service. But it's something that we consistently forget about, because when we think about cyber attacks, we're always thinking about the data. Very often, it's not the data.
There are many cyber attacks that we've had, specifically significant ones against critical infrastructure, that have nothing to do with data. They're always about the political narrative. If you want to have cheap, deniable cyber power, you need to have cyber crime. A NATO analyst told me this in 2008. And to this day, I think it's probably the most succinct interpretation of why you would want to have cyber crime as an important component of your national cyber power. It does a lot of really good things for you. It effectively inflicts real economic pain on your adversary.
We've now reached incredible numbers, which we'll talk about later on. But even in 2008, it was already pretty high. But it also distracts defenders. And that's great because it allows you effectively to use your state intrusion sets and go after the really important targets. It provides you with plausible, deniable cover. That's always been the main statement.
It allows you to engage in intelligence for sabotage, or preparation for war, all while pretending that someone else is doing it, and especially to reject any type of mutual legal assistance treaty attempt to cooperate to take these people down. It obviously provides logistic support for state operations. We all know how much of cyber crime is used by state actors in many different contexts. And finally, it can cause domestic political pressure, basically loss of confidence. In the U.S.,
we've had a number of different instances where data leaks have been traumatic enough that the political landscape was dominated by them for a couple of days. In the U.K., for instance, the same thing is happening again. This might not change politics itself overnight, but what it does is it slowly shifts the argument. And this is not something new. There's a good report that I've referenced here. There are many others about the history of how Russia and the intelligence services work together with criminal actors.
But this has really been going on for quite a long time, and we'll talk about that in a second. And most importantly, what it really is about is very often creating political pressure, or narratives, pressure points, whatever you want to call it, for Western governments to do something in cyberspace. They sometimes have very specific objectives that they want to accomplish by these attacks going public.
Again, they don't care about the data. That's why ransomware exists. They want to be destructive, however, and they want to get a lot of attention, and they want things to happen as a result. One of the things they want to change is how the Internet is managed, specifically. So two of the big discussions on the international level that I've been following are in the field of Internet governance, which is the management of Internet resources, and international security, which is the war and peace component.
Both of these are connected to a push by Russia since 1999, which is basically since the existence of ICANN, to effectively establish an international code of conduct for information security. They, with a lot of other allies that are now basically collected in the BRICS group, want to change the Internet from its present multi-stakeholder organized system, where the government, the private sector, and civil society basically work together, to one that is run by governments.
And they do that particularly so they can ward against, in their mind, the threat of foreign information operations posing a threat to their rule. This has been a very, very obvious and sometimes clearly declared goal on the part of these governments for a long time, and it is actually, if you want to put it ethically, a legitimate goal. It just doesn't happen to be the goal that I personally share or want to see happen. But what it also means is that very often any type of crisis, destruction, and unrest that is caused by cyber attacks feeds this narrative.
It feeds a narrative of what our government is doing to keep us safe. Why does the Internet run the way it does? The Internet, in fact, is mostly run by the civil society groups at the center, which run the DNS and the BGP, the protocols that make the whole thing work, and the companies which own 90% of the Internet, and government can only listen in and blow things up. It doesn't really do very much there. Effectively, this is a model that they want to have changed, and they are spending a lot of time on it. How does this relate to ransomware?
I refer to ransomware simply because this is a continuation of something that has been going on for a very long time. I want to have a show of hands here from the group. Who remembers RBN? Only one person. I will try again. Russian Business Network?
2, 3, 4, 5? Okay. GameOver Zeus? I thought it would be a bit more popular. Russian Business Network in 2006 to 2007 was the first or the largest cybercrime syndicate. They effectively invented the crime-as-a-service model. At one point, they were responsible for 40 to 60% of all cybercrime worldwide. They were the guys who effectively provided logistics and maybe executed the famous 2007 attack against Estonia, as well as the 2008 attack against Georgia. This was always clearly part of a Russian intelligence operation or Russian government operation. There is plenty of evidence for that.
Building off the spectacular results of effectively DDoS gangs and crime as a service, the journey continues. It went off into e-banking, GameOver Zeus and Slavik, and the people who are associated with creating this malware and malware as a service. It continues to this present day. The objective is, as I showed before, not only about simply encouraging a lot of people to be active in cybersecurity, but the objective is to effectively cause unrest. That is one thing that we have a responsibility in consistently calling out.
WannaCry and NotPetya are two perfect examples of the third or fourth version of this. Let's remind ourselves how this all started. The first thing that happened was EternalBlue. EternalBlue, which of course is an SMB exploit. It was sometimes sold as an NSA exploit. It was stolen and then released by Shadow Brokers, which is now very clearly associated with Russian military intelligence, GRU. They put it out there, saying, hey, you know, guys, this is something that's out there. You can use it. Nothing happened, actually, for the first couple of months, unfortunately.
Actually, it took about two or three years. It was quite clear. They put this out there. They hoped something was gonna happen. Not much happened.
Actually, it was even worse. These graphics are terrible.
Oh, there you go. You can't really see it. But what actually happened is that the first intrusion sets that started to use the EternalBlue exploit were actually North Korean gangs operating in China. And they were basically using it, in part, to steal crypto cycles. So they were basically trying to mine cryptocurrency. They were using it in a way that was definitely not intended by the Shadow Broker release. Which is why, after observing this in the InfoSec community for about two or three months, thinking, that's kind of interesting. Why is this happening in China?
So North Korean-attributed groups working against China is not normally what's supposed to happen. They're supposed to be working out of China against the rest of the world, not against Chinese interests. That's a big no-no. So then you had, very suddenly, when probably somebody realized this was going on, you suddenly had WannaCry.
WannaCry, obviously, was quite destructive. Everybody's familiar with the damage that the National Health Service in the UK supposedly suffered. I think it's probably even worse than what was publicly reported.
And, of course, even in Germany, Deutsche Bahn was significantly affected as well. But that still was kind of limited because, effectively, there was a kill switch associated with WannaCry, and it was called out.
So, moving on, something else happened afterwards. And that was NotPetya. And NotPetya now is also very clearly attributed to a government actor. And that was also very clearly no attempt whatsoever to make money from it. WannaCry kind of attempted to make money, but there was not a real way to get any of the money.
I mean, it was quite clearly for nothing. It was really just there to show, hey, criminal, I'm the syndicate. Check this out. Isn't this a cool thing? Don't you want to pick it up? Because nobody was biting. Everybody was making money doing something else. Why should they?
So, NotPetya tried to do the same thing again. Really, again, had no real interest in trying to make money, but, again, tried to show that it was something that was possible. Moving forward, after NotPetya, we basically moved to the next big stage.
So, NotPetya led to, obviously, a whole bunch of cybercrime gangs figuring out, hey, there's something here. Most of them were, funnily enough, Russian. And then the next big stage was, like, attacking critical infrastructure. The Colonial Pipeline attack. 50% plus of the entire U.S. Eastern Seaboard fuel supply depended on Colonial Pipeline. The attack was so effective that DarkSide, the Russian gang behind it, had to apologize.
Say, oops, sorry. Didn't really want to do that that bad. But they set the general tone, right? Critical infrastructure is tasty. People will pay to get their stuff back. Colonial Pipeline paid $4.5 million to get their data back.
Oh, and just ask to invest fine in IT. And no one invests fine right now.
I mean, they're having a serious ransomware incident that they have to resolve, right? So, critical infrastructure became, again, sold as, like, hey, this is maybe the target you really want to go after.
And, yeah, they did go after it. So, what happened? After the start of the Ukraine conflict, Europe gets hammered by ransomware. It's the number one target. Phishing attacks, which are still one of the most popular vectors for ransomware, are up 800% in one year only, right? And 26% of the attacks that effectively hit, for instance, the German Internet space are probably ransomware attacks.
Now, that is actually the highest rate overall of InfoSec incidents worldwide. So, this, again, shows you that there is a particular interest in targeting Europe with ransomware. Ransomware is only part of the total cybercrime costs, but those costs are really kind of ridiculous. We're reaching now numbers of $15 trillion to the global economy.
I mean, $15 trillion is just a staggering sum, right? And that is something which effectively we have to deal with.
So, I'm running out of time, so I'm going to effectively come to the conclusion of my piece, which is, effectively, that ransomware has one great advantage going forward. It's easy to communicate to decision makers. Everybody has heard about ransomware. It might not be the most costly of all cyberattacks we're dealing with, but everyone's dealing with it. US Cybercom was literally attacking ransomware gangs, REvil, for instance. The White House issued statements, again, a couple of days ago; when Hive gets taken down, it's in the national news.
So, this is a great, great narrative device to help you communicate with boards about how geopolitical the cybercrime space is, because they've heard of ransomware, and they know it's destructive. Why? Because people want them to.
So, this is my final slide. Is it possible to stay safe between the cyber front lines? No, not really. All you can do is try your best on the battlefield, because everyone here is basically on the battlefield. There is no in-between the front lines here.
So, these are a couple of my favorite, simple "famous five", to steal from Microsoft. I believe in zero trust. It's the easiest thing to do, obviously, but try to be agile and use defense in depth. Small and medium enterprises are the main target for ransomware; very large companies usually can deal with it quite well, they have defense in depth. Small enterprises are going to be limited to zero trust models, which obviously use least privilege and similar principles to defend themselves. You need to be agile.
You need to basically tell your board you're going to have to change the rules. You're going to have to change them, especially privilege rules, to deal with certain scenarios. You should prepare against becoming collateral damage. In this conflict, cloud service providers, managed service providers, third-party tools, in particular software, are all going to be targets, and they always are targets. Putting everything in the cloud doesn't help you, especially if that cloud is going to be the target for a different cyber war attack.
Of course, you still want to use the cloud, but you need to know how to use it properly. Sometimes you can set zones. Sometimes you're able to do other kinds of contingency. But be aware that there are a lot of different ways to become collateral damage in this space. Revisit your business continuity management and disaster recovery posture. In a nutshell, I'm a complete believer in the 3-2-1 rule. You should always have three different copies of your data, two of them should be on different types of media, and at least one of them should be off-site.
If you keep it all off-site, you're asking for trouble. You should create digital slack in your organization and have pre-agreed authorities ready. Digital slack: slack is a term in resilience, and for the German climbers among you, it's Durchhang. It's effectively something that allows you to deal with too much tension in the system. So it means you have redundancy built in, and you also have pre-ready authorities ready to go in a crisis. Creating digital slack is going to be one of the biggest challenges for larger companies concentrating on resilience.
And finally, incorporating cyber expertise on the board. This is really something that is now practically mandated in the United States and in Europe, but it still needs to happen. And that means not only having effectively a guest speaker come by, but it also means that CISOs really need to live up to the name. And as we've heard already a couple of times today, CISOs are very often buried quite far down the stack. And that can only change. It means either CISOs are a guest on the board at regular intervals, or you have regular exercises on the board.
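The 3-2-1 rule above, together with the earlier question "have you ever tried to recover from your backup at speed?", can be turned into a mechanical check. The following is an added example, not code from the talk or from any project it mentions: a small Python checker over a constructed backup inventory that flags too few copies, too few media types, no off-site copy, the "everything off-site" case the speaker warns about, and any copy whose measured restore time was never rehearsed or exceeds an assumed recovery time objective (the `rto_minutes` parameter and the sample inventories are assumptions made for this example).

```python
"""Check a backup inventory against the 3-2-1 rule and a restore-time objective.

Added example; the inventories below are constructed, not real systems.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                       # e.g. "disk", "tape", "object-storage"
    offsite: bool
    restore_minutes: Optional[int] = None  # measured full-restore time; None = never rehearsed


def check_321(copies: Sequence[BackupCopy], rto_minutes: int = 240) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes.

    rto_minutes is an assumed recovery time objective for this example.
    """
    findings: List[str] = []

    # "3": at least three copies of the data.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 wants at least 3")

    # "2": at least two different media types, so one media failure does not take all copies.
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        listed = ", ".join(sorted(media_types)) or "none"
        findings.append(f"all copies on one media type ({listed}); want at least 2")

    # "1": at least one copy off-site, but not every copy, or recovery at speed suffers.
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy; want at least 1")
    elif len(offsite) == len(copies):
        findings.append("every copy is off-site; keep at least one local copy for fast recovery")

    # Recovery at speed: a backup that has never been restored, or restores too slowly, is a finding.
    for c in copies:
        if c.restore_minutes is None:
            findings.append(f"{c.name}: restore never rehearsed")
        elif c.restore_minutes > rto_minutes:
            findings.append(
                f"{c.name}: measured restore {c.restore_minutes} min exceeds RTO {rto_minutes} min"
            )
    return findings


# Constructed sample inventories (assumptions for this example).
GOOD_INVENTORY = (
    BackupCopy("nas-snapshot", "disk", offsite=False, restore_minutes=45),
    BackupCopy("lto-tape", "tape", offsite=False, restore_minutes=180),
    BackupCopy("cloud-object", "object-storage", offsite=True, restore_minutes=200),
)

ALL_OFFSITE_INVENTORY = (
    BackupCopy("cloud-a", "object-storage", offsite=True, restore_minutes=300),
    BackupCopy("cloud-b", "object-storage", offsite=True, restore_minutes=None),
    BackupCopy("colo-tape", "tape", offsite=True, restore_minutes=600),
)


if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("all-offsite", ALL_OFFSITE_INVENTORY)):
        result = check_321(inventory)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

The second inventory satisfies the counts (three copies, two media types, an off-site copy) yet still fails, because every copy is remote and two of the three restores would blow the objective: the point is that the rule is about recoverability, not about the number of copies.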
There are many different ways to do this, but you have to have cyber expertise on the board so the board feels comfortable in calling up this expertise. And trust me, if that happens, the discussion will change because most of the cyber leaders out there, companies that have a lot of experience in cybersecurity, are aware that this is not just a normal risk. And we need all the help we can get in dealing with it because one of the great comments I heard today from Mayor Carroll beforehand was that this is really about free societies.
And fundamentally, the political component of all this is immutable. And we need all the help we can get. So good luck to us all. And unfortunately, we're out of time for questions as far as I can tell. Thank you.