Can the war in Ukraine move to cyberspace?
Spoiler: As you may have noticed, there are some international tensions these days, and some expert influencers are brandishing the threat of cyber attacks. As we’ll see, yes, there have been risks in cyberspace since its birth. But no, there is no cyber apocalypse in sight. Breathe calmly, it will do you good.
To quickly sum up, Russia is at war with Ukraine and is trying to invade it. To stop the invasion while avoiding triggering a third world war, the EU and NATO impose sanctions against Russia, which, angered, escalates further and puts its nuclear deterrence force on alert. The rest of the world is trying to stay away, but there is a strong smell of the Cold War.
If you wanted an example of an anxiety-inducing situation (“unpleasant waiting, more or less aware, of an upcoming danger”), this is a good one. And because fear, unlike anxiety, needs to crystallize around a concrete threat, your brain searches for reasons to be afraid… World War III? Too apocalyptic and risky for both sides! So what else?
How about cyberspace? This virtual world that exists through computer networks and that we visit daily… After all, it is so technological that it has become magical. And when it’s magic, we can fantasize about our fears! No need to understand how they would materialize, the bad hackers will inevitably find a way…
Especially since we can count on the white hats to lay out all the (very numerous) risks that could materialize, and to seize on any event to suggest that the cyber-apocalypse is imminent. All these anxiety-provoking communications produce fear. And fear makes them go viral. And above all, that would sell.
So the arsouyes took some time to reassure you about the risks of cyber-war. Because all this is not magic, it is just very complex.
Hacking is not so easy
To begin with, all these formidable attacks in cyberspace necessarily involve infiltrating the adversary’s network. With a little imagination, just like film and series screenwriters, there are plenty of ideas. Here is an example:
- We can find a machine or a service accessible from the internet,
- With luck, the username and its password are easy to guess,
- Otherwise, there is surely a published vulnerability that allows us to enter,
- At worst, we will find one ourselves and exploit it (because we are so great),
- We can then bounce from service to service and from machine to machine,
- And finally get domain admin access that can do anything!
We’re not going to lie to you, this kind of scenario is played out almost every day.
Not because it’s easy (it’s bloody complicated), nor because hackers are all-powerful magicians (most wave their wands without knowing how they work). Simply because, given the number of machines, services and networks, you always find something vulnerable when you search long enough.
To tell you the truth, this kind of attack is so rare that in almost all cases, the hackers got around the difficulty by sending lots of booby-trapped emails (with a link or a file). Here too, people aren’t so stupid as to click on anything. But given the numbers, there is always someone, somewhere, who will be taken in and will execute the Trojan horse that gives the hacker access.
Afterwards, we will say that the hackers had targeted such and such an organization, then developed and executed a crazy strategy to break through its defenses… but in reality, the opposite happened: the hacker cast his nets and waited for a fish to bite. Any fish: the first to pass, or the next. It is a classic case of intentionality bias, where we assign an intention to events after they have occurred.
For example, if so many hospitals in France fell victim to ransomware in 2020, it was not because a hostile state (randomly: Russia) wanted to make the COVID-19 health crisis worse. They were hacked because our hospitals run slower (they lack resources and had not devoted enough to their IT). And we’ve seen a lot of them because they can’t hide that their IT is down (unlike many companies).
Because a hacker, however skilled he is, cannot do much against a properly segmented, monitored and operated network. And if this network is redundant and backed up, and its teams run their exercises, the little that a hacker can do will not have a major impact on the organization.
Vital infrastructures are identified
If you are anxious, you tell yourself that if an important network is not properly secured, a hacker could break into it. You are right. And you have surely already thought about the catastrophic consequences if a hacker were to attack the computer systems on which our modern societies depend so much…
- The explosion of a nuclear power plant?
- Contaminated drinking water?
- A shortage of tartiflette supply?
Rest assured, 📣 you are not alone; people in very good positions have thought about it too. In France, they have defined the notion of Operator of Vital Importance (in French), which, as the name suggests, brings together organizations whose activity is of vital importance to our societies. These notions are defined in the Defense Code (we don’t joke about these things). You can reasonably think that EDF (power supply), Veolia (water supply) and the producers of reblochon (the cheese tartiflette is made from) are among them even if, for reasons of national security, it is completely unofficial.
Once an organization is admitted into this VIP area, it can no longer overlook IT security. The requirements are rather serious: they are predefined for the common base (e.g. the critical systems are not connected to the Internet), and they also impose specific risk analyses on each operator. And everything will be checked by experts in the field, with ANSSI (the French IT security agency) overseeing everything and intervening if necessary.
For hackers, attacking these operators is a real challenge, much more complicated than their usual targets. Barring a cosmic stroke of luck, it is impossible for these operators to get caught in the usual nets. Attacking them with a credible chance of success requires the power of a state. And not just by hacking through cyberspace: it takes the whole usual arsenal of classic sabotage operations, with plenty of real-world operations (e.g. physical intrusion on site). It’s complicated and it leaves a lot of evidence.
As a result, we are no longer talking about an anonymous hacker in cyberspace but about an act of war… against a member of NATO… I’m not saying that it can’t happen, but you have to accept having NATO against you if you attempt this kind of action.
The Internet is robust
The Internet as we know it today is built on technologies developed by academics in the 1980s with budgets from DARPA, a US military agency for new technologies. The official legend therefore has it that this network was designed in a military context.
Internet was designed by the military to work in the event of a nuclear attack.
The Genesis of the Internet, verse 13.37
This legend is false (too bad, because it was a great one), but the Internet can actually survive a failure of any of its components because everything is decentralized and redundant. For example, there are 13 IP addresses to reach the root DNS servers, and each corresponds to several physical machines spread all over the planet. Several very massive attacks were attempted in 2002, 2007 and 2015 without ever causing any noticeable disruption for users (they did not even realize it).
So of course, if a network connection (or service) isn’t redundant, it’s annoying to lose it, whether after a nuclear attack, a blow from a backhoe (e.g. April 30, 2021 in Loire Atlantique, May 21, 2021 in Hérault or June 14, 2021 in Maine-et-Loire) or even snowfall (e.g. November 2019 in Drôme-Ardèche, but this time it was the electricity grid).
Take the case of the KA-SAT satellite: it has stopped responding since the Russian attack on Ukraine and has disconnected many satellite subscribers in Europe (including Nordnet subscribers in France). We do not yet know how or why it no longer responds.
As of March 11, 2022, the leading hypothesis is that a hacker gained access to an administration console. This would have allowed him to remotely disable some of the modems.
For cyberspace as such, these failures or attacks are nothing more than temporary and localized failures. It’s a shame for the companies whose services are inaccessible or the subscribers who find themselves excluded from cyberspace, but if this connection is so important to them, they just need to make it redundant.
Attacks of the poor
So only the stuff accessible to anonymous hackers remains: independent patriots in their geek rooms, or mafia groups more or less supported by states that want to stay in the shadows.
- Ransomware: send lots of spam everywhere, and a distracted employee or individual could execute the Trojan horse. If the victim’s network is not well organized, the hacker can walk around, copy the files (to threaten to distribute them) and destroy the local version (to sell it back to the victim). It has existed for more than ten years and the current crisis is not going to change much on this subject.
- Denial of service: overwhelming a network service with so many requests that it doesn’t know where to turn. Like the CNED website (in French). It just needs a lot of people. But it will only be temporary (because network administrators can react) and will only work on services that are not critical enough to be redundant (read: you can live without it until it comes back).
- Defacing a site: by searching for a long time, we sometimes come across systems where the credentials are not serious. There are surveillance cameras, FM stations in companies, institutional communication websites, but a hacker never knows what he will come across (just that these things are considered unimportant and of no consequence by their operators). He will be able to show off on stage while the administrators fix things and close the accesses.
And against these attacks, nothing has really changed. The same methods of protection always work: check your access, back up and protect the files you care about, make the services you really need redundant and remain cautious on the internet (if you want to click, wait until the next day and call a friend).
This is the meaning of ANSSI’s announcement:
Current international tensions, particularly between Russia and Ukraine, can sometimes be accompanied by effects in cyberspace that must be anticipated. While no cyberthreat targeting French organizations in connection with recent events has yet been detected, ANSSI is nevertheless monitoring the situation closely. In this context, the implementation of cybersecurity measures and the strengthening of the level of vigilance are essential to guarantee the protection at the right level of organizations.
Basically: we are not immune to a patriotic guy or an idle government agent casting nets, and it would be a shame to be caught in them. Let’s just stay vigilant.
And after?
The real danger, in this crisis and in cyberspace, does not come from the mythical Russian Hackers who would blow up our nuclear power plants, contaminate our waters and wipe tartiflette off the surface of the Earth. But you will always find some cyber expert from some renowned consulting firm who will blow up the slightest computer event into a sign of an imminent cyber apocalypse. They play with our fears and fantasies to get attention. Take a breath, take a step back and you will see the balloon deflate.
If you really want to see danger in cyberspace, turn to social media, which serves as a sounding board for conflict-related (dis)information: we’re the good guys, they’re the bad guys; they are overtaken by our greatness; the apocalypse is coming soon, there is no more Reblochon in the fridge.
Because there is no need to be super gifted in computers, or to have crazy computer resources to want to manipulate public opinion. It’s all just marketing. Applied to war and the manipulation of public opinion in opposing countries, it remains classic design.
Our goal as a designer isn’t to communicate, it’s to incite an action.
Stefan Mumaw, LinkedIn Learning Training:
Designing Emotion: How to Use Design to Move People.
The problem with social networks is that behind their facade as content hosts and vectors of friendship between peoples, there are companies whose turnover depends directly on their advertising revenue. That revenue is proportional to their ability to capture us and show us the content that makes us react. So they are great working tools for advertisers, designers and other opinion manipulators.
- By manipulating our emotions, they generate and exploit our anxiety to make us react and amplify the exposure,
- By manipulating our perceptions, they influence our decision-making to make us act in the direction of their sponsor.
Who benefits from the crime? Whenever individuals are confronted with distressing communications, they push their opinions to extremes. This phenomenon is called mortality salience. At the scale of a country, the whole public debate is radicalized, which skews decision-making and weakens our democracies.
Good news: we can very easily counter all these effects and regain control of our emotions and our perceptions. When you are afraid of missing something and want to get informed, choose long-form media that employ professional journalists. When you feel an itch rising in you (to go on a network, to click on a link…), take a good deep breath (three if the urge is irresistible). It will reconnect you to your body and to the real world, breaking the influence of designers and manipulators.