2. PwC
Petr Špiřík, MSc.
Cyberwar: ®evolution?
Professional
PwC CEE CISO
29 countries, full scope of information security
portfolio
Former Cyber threat intelligence lead and
Security architect
I get paid for what I love. How cool is that?
Personal
Geek & security enthusiast
Fascinated by cyberspace, cyber security realm
and associated topics
Believer in the power of information and that
it wants to be free
Low tolerance for nonsense.
Rules of engagement
Respect each other
There are no stupid questions
3. PwC
Cyber war …
… or cyber operation?
Threat actors
Criminals
Hacktivists
Lone wolves
State actors
The term cyberwar will
be used throughout this
presentation for
simplicity
Treat with caution
War has a meaning from legal perspective
Defined especially in IHL, explained in Tallinn Manual
Not everyone “can” be at war
Organized crime is not war
Different rules apply in war
(Cyber) act of war can result in kinetic response
By abusing defined terms we risk misunderstanding – or worse
During this presentation we will focus on
operations in cyberspace where a state is either a target
or an attacker and where the objective is military or
political advantage.
4. PwC
History of notable incidents
Helicopter view
2003, Iraq war
Battlefield online, information supremacy
Harsh lessons
2007, Estonia
Russian “patriots” targeting banks, media and
state institutions. NATO wake-up call
2007, Israel, Operation Orchard
No nuclear plant, Korean workers, AA defense
and Israeli airstrike
2008, Georgia
Russian “patriots”, information blackouts
Well documented
2010, Stuxnet, Operation Olympic games
Targeting Iran’s nuclear program
Admitted by USA – or not?
2011, Georgia
Cyber espionage attack from Russia
2014, Ukraine
Election manipulation, “hybrid warfare”, joint
kinetic & cyber activities
5. PwC
Case study #1
Stuxnet family
Stuxnet
Targeting Iranian nuclear enrichment facilities
Objective is physical damage
Successful delay of nuclear program
Designed to pass the air gap
Discovered by accident
Attribution: United States (99%)
General James Cartwright
Project Olympic games
Considered “the first cyberweapon”
Flame, Duqu, Gauss
Same “family of cyber weapons” as Stuxnet
Responsibility and accountability
Flame (Discovered 2012)
Cyber espionage
Duqu (Discovered 2012, version 2.0 in 2015)
ICS targeting
Gauss (Discovered 2012)
Targeting banking sector
6. PwC
Case study #2
Case of Ukraine
Ukraine conflict
Election manipulation
Does not have to be effective
Support kinetic operations
Supremacy over the battlefield
CyberBerkut
Propaganda and disinformation
Hybrid war
Overused and abused term
Strong focus on information warfare
Combination of traditional warfare with
special forces & cyber operations
Focus on fear, uncertainty, doubt
Key concept is limiting opponent's options
Avoidance of hot conflict
Loophole exploitation (legal, policy &
decision making, strategic & tactical)
7. PwC
Key distinct features
Characteristic
Asymmetric
Offense is easier than defense
Fast
No time for reaction
Preventive measures
Attribution vs. deniability
Who to blame
Who to counter
Enablers
Attack surface of the victim
More advanced = more vulnerable
Reduction leads to degradation
Capability of the attacker
Talent can be trained
Technology is cheap
Brave new world
Interconnected
Fast development
8. PwC
Objectives of cyberwar
Mission support
When “cyber” is not the objective but delivery
Military concept of mission
“I want 200 soldiers at their doorstep
tomorrow morning, sergeant!”
Cyber capabilities
To achieve the mission objective
To prevent interruption of mission
Logistics & operations focused
Battlefield domination
Takedown of enemy information command
Contest the cyberspace environment
Drones hacking
Critical infrastructure disruption
When a military objective can be achieved
by cyber means in a more efficient, safer
and cheaper way – it will be.
9. PwC
Ways of war
Technology
Denial of service of key
technologies
Websites
Communication
Support system disruption
Medical
Logistic
Navigation
Infrastructure targeting
Information
Propaganda, political
influence
Hearts and minds of people
Information denial, disruption
or credibility loss
Targeting decision making
process
Digital only – single point of
failure
Cyber to physical
Demonstration of cyber
capabilities in physical world
Power plants do not have “self
destruct” button
Cross-domain knowledge
required
Security through obscurity
works (this time)
Marina Krotofil
10. PwC
Cyber fratricide
Competing interests
“We need to go deeper!”
Intelligence agencies
Researchers
Investigators
Get as much information
about the attacker as possible
during his operations.
“Leave me alone!”
Innocent bystanders
Private companies
Individuals
Don’t get harmed. Live the
good life. Mind your own business.
Be sad.
“This ends here!”
Law enforcement
Incident responders
Operations
Stop the attack. Get back to
normal operations. Seek &
destroy.
11. PwC
Cyber Pearl Harbor
We need more resources to prevent atrocious
terrorist attack! No second Pearl Harbor!
Cyber security = money
Cyber security = more power to government
Cyber security = more power in government
Without the ever present terrorist
threat of new “Cyber Pearl Harbor”, the
flow of money & power will be
endangered
Is cyber terrorism even a thing? Give me one
example!
There are no cyber terrorists (theories!)
Subgroups of other categories
Skill barrier for dummies
Recruitment for talents by others
There might be cyber terrorists
Dormant capabilities
Cold war mode
Efficient MAD concept in play
12. PwC
Challenges of cyberwar
Attack
Aging weapons
If we don’t use it, it will expire
Speed is the factor
Mutual assured destruction (MAD)
from nuclear arms race reappears
Who will be the warrior?
Defense
Line of defense
What are my crown jewels?
Home ground – the only advantage
Seeking the high ground in
cyberspace
Who will be the guardian?
Ability to attack can often mean the vulnerability to the same tactic employed
by the adversary
13. PwC
Future threats
Technology
Internet of Things (IoT)
Self driving cars
Smart houses
Smart grid
Growing computational capabilities
Relying on legacy concepts from the 80s
New technologies (drones, quantum
computers)
Faster evolution of capabilities than
associated security concepts
Social
Balkanization of the Internet
Adoption of wrong legal concepts
Encryption damage
Governmental lawful interception
Growing gap of understanding
Reality vs. decision makers
Lack of “white hats” in cyber security
community
Pretending cyberspace is something
completely different will backfire
14. PwC
Is there no hope?
If you can’t beat them, join them!
When living in exciting times, make use of it!
Cyberspace is the last frontier. For now.
The cyberspace landscape is changing. Make
an impact!
Possibilities are endless. Offensive, defensive,
research, education, policy & decision making,
cross-domain questions, ethics…
There was never a better time to jump
into the cyber security industry
Power of informed decision making
Cyberspace is here to stay
“Cyberwar” is reality and its role will grow
Education is critical
Self education is the key
The power is just a few keystrokes away
Don’t panic, approach with caution
To make the right decisions, you need
to understand the world around you. It
is a skill that can be acquired
15. PwC
®evolution?
“War is not merely a political act,
but also a real political
instrument”
“Gain a preponderance of
physical forces and material
advantages at the decisive point”
Carl von Clausewitz
Cyberwar is not a
revolution. It is the
evolution of existing
concepts over a new
battlefield – the
cyberspace.
Gain information advantage
Limit your adversaries’ options
Know & control the battlefield
Assure your operations
Deny operations of the adversary
Exercise the minimum force
16. PwC
Reference
Petr Špiřík
@HidenatNet
petr.spirik@gmail.com
petr.spirik@cz.pwc.com
http://www.slideshare.net/zapp0/cyberwar-revolution
Clarke, R.A. & Knake, R., 2012, ‘Cyber War: The Next Threat to National Security and What to Do About It’, Ecco
Arquilla, J., 2011, ‘From blitzkrieg to bitskrieg: the military encounter with computers’, Communications of the ACM, vol. 54, no. 10, 2011
Mandiant, 2013, ‘Exposing One of China’s Cyber Espionage Units’ [online], Available from:
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
US-CCU, 2009, ‘Overview by the US-CCU of the Cyber Campaign Against Georgia in August 2008’ [online], Available from:
http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf
Leverett, E.P., 2011, ‘Quantitatively Assessing and Visualising Industrial System Attack Surfaces’ [online], Available from:
http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
DoD, 2011, ‘Department of Defense Cyberspace Policy Report’ [online], Available from:
http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
CCDCOE, 2013, ‘Tallinn manual’ [online], Available from: http://www.ccdcoe.org/249.html
Ministry of Justice of Georgia, 2012, ‘CYBER ESPIONAGE Against Georgian Government’ [online], Available from:
http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf
Maurer, T., 2015, ‘Cyber proxies and the crisis in Ukraine’ [online], Available from:
https://ccdcoe.org/sites/default/files/multimedia/pdf/CyberWarinPerspective_Maurer_09.pdf
Langner Group, 2013, ‘To kill a centrifuge’ [online], Available from:
http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
Deep, A., 2015, ‘Hybrid war: Old concept, new techniques’ [online], Available from:
http://smallwarsjournal.com/jrnl/art/hybrid-war-old-concept-new-techniques