More than 10 years ago I had the opportunity to discuss the topic of cyber in the context of Army leadership. During this discussion it was said from different sides that cyber would not decide a war. That was wrong then and is even more so today. An unnecessary mistake in thinking, which should be avoided in the information age.

We live in an era where our existence is held together, togetherness is orchestrated and quality of life is ensured by electronics, digitization and information processing. Cyber, however, is not just about bits and bytes. Security audits like to focus on tech-savvy hacking attacks, even though many companies have implemented their power supply lines and fuse boxes unprotected and freely accessible.

Electricity is just one of the elements that make up the critical infrastructure. If this fails, chaos can be expected after hours and looting after days. This is because the water supply, communications and transport will also collapse along with it.

In turn, the generation and distribution of electricity is enabled by modern computer and network technologies. Sooner or later, an electronic attack on central elements can severely affect a society. Scenarios that have gained relevance both below and above the threshold of war thanks to societal digital transformation.

Geopolitical interests

Computer attacks are commonplace in a globally interconnected world. Some of them are driven by cybercriminals who want to finance their lifestyle with theft and extortion. Others are orchestrated by state actors to advance their geopolitical interests. The difference in approach and figures involved is sometimes fluid, and the clear identification and association of actors all the more difficult.

However, opportunities exist to observe these activities, or at least the results of them. This makes it possible to “profile” both individual actors and groupings: ?labs.20201022: Which technologies are relevant and which products are selected as targets. Putting this in context with economic or geopolitical intentions, it is sometimes possible to make fairly accurate predictions in terms of planned, emerging or ongoing activities.

For example, it can be seen that China made a strategic decision about 2 years ago to also target attack scenarios that may require user interactivity. These include classic phishing and social engineering scenarios in which the target is pressured into a compromising action. This can typically be giving out passwords or installing a malware.

This thrust is in great contrast to the paradigms that can be observed, for example, among U.S., Russian, or Israeli actors. There, purely technical attack methods are primarily preferred, in which the fickle human factor plays no role. These methods are technically more complex to implement without errors, but they are just as difficult to detect early on and defend against in real time.

Such details, especially when they can be used to derive a solid forecast, are of enormous importance. They help to make strategic and tactical decisions oneself in order to be able to identify attacks at an early stage and successfully mitigate them. Ideally, you can take proactive action against the threatening dangers, or at least react confidently.

Offensive requirements

But professionalization and industrialization have also taken place on the offensive side. The implementation of technical attacks is automated with so-called exploits. Developing these has become increasingly difficult over the decades as computer systems have become more complex and defense mechanisms more sophisticated. So it is not surprising that a market for these exploits could establish itself: Attack tools are exchanged, sold and bought there.

Analyses of these markets reveal trends in terms of popular attack targets and price developments. As a rule of thumb, the more popular a product is from the attackers’ perspective, the higher the prices. Exploits for iPhones have been leading the ranking for years, regularly achieving prices above USD 1.5 million. On the one hand, this is due to the architecture of Apple’s operating system. On the other hand, it is due to the potential VIP targets that can be targeted with a good exploit.

In the end, the one with the best knowledge wins. By buying exploits, this doesn’t even have to be acquired to a large extent. It remains a question of money at this point. If you want to keep up in the international game in cyberspace, you have to be able to position yourself correctly not only defensively, but also offensively. Corresponding budgets are now being earmarked by the organizations responsible for this. And the mindset is slowly coming to terms with the digital transformation.

Conclusion

Our society is based on new technologies. They give us prosperity and quality of life. At the same time, however, they are also a faustian pact with the devil. In many areas, they tend to dominate us. This can only be countered with wise decisions and organic growth. Primitive-seeming basic values such as independence and simplicity are indispensable if we are not to be overrun by technology.

Digitalization has not stopped at military equipment. Drones, aircraft, tanks are the most obvious elements that can benefit from it. They all rely on electronic mechanisms that either highly optimize or even enable orchestration and use. Hacking attacks on these components are of enormous importance, can significantly weaken associations. They have thus become an elementary tool in warfare. Nowadays, a war can certainly be decided with cyber. This should neither be underestimated nor ignored.

About the Author

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)