In June 2019, The New York Times published an article claiming that the U.S. intelligence services had carried out a cyberattack against Russia. Specifically, according to anonymous sources, Russia’s electric power grid had been the target of cyber incursions. The article caused quite a stir among experts and government officials in Russia, the United States and other countries. For example, President of the United States Donald Trump accused the journalists responsible for the article of treason, although the same article alleges that National Security Council representatives “had no national security concerns about the details of The New York Times’ reporting.” At the 10th International Meeting of High Representatives for Security Issues, Director of the Foreign Intelligence Service of the Russian Federation Sergei Naryshkin said that the Russian security services were aware of planned cyberattacks and informed the relevant authorities in a timely manner. The question of the likelihood of cyberattacks being carried out on critical infrastructure was even put to President of the Russian Federation Vladimir Putin during a live Q&A on Russian television, to which he responded: “As to the operation of our critical infrastructure, including power and other areas, we must certainly think about how to protect ourselves from any cyberattacks, from any negative impact. We are not only contemplating this, but also addressing it.”
It is still unclear whether or not the New York Times article is even telling the truth. Does it disclose sensitive information? Or is it merely “fake” news? Nevertheless, it would be useful to consider the situation from the point of view of the security of critical infrastructure, the possibility of carrying out cyberattacks and the rules of conduct in ICT.
The Informational Security of Critical Infrastructure
Protecting critical infrastructure from malicious attacks in the ICT environment is a crucial national security task, one that all developed countries are attempting to solve in one way or another. Each country draws up their own list of facility categories and prioritizes them as they see fit. However, these lists typically include energy and water supply systems, high-risk facilities and the information infrastructure. A number of factors determine the national features of critical infrastructure protection, chief among which is the issue of ownership – that is, who owns the facilities? In Western countries, a significant part of the infrastructure belongs to, and is managed by, the private sector (up to 85 per cent in the United States, according to estimates). In some cases, this leads to the appearance of a model of interaction in which the state establishes reasonably soft rules for businesses that have to ensure their own cybersecurity. Such mechanisms do not always meet national security requirements, since, in the absence of strong government regulation, businesses may use more widespread and cost-effective – yet untested and uncertified – information security solutions. And this is simply unacceptable for critical infrastructure. At the same time, special attention should be paid to issues of improving the social responsibility of entrepreneurs while ensuring the information security of new hi-tech products. And it is not just the positions of states that are needed here, as the counter initiatives of private business and the development of public private partnership mechanisms are also important.
Critical infrastructure protection is particularly important now, at a time when the ICT environment continues to develop on a massive scale, human activities are becoming increasingly digitized and the digital economy is starting to gain a foothold. ICT forms the foundation of such technologies and phenomena as big data processing, quantum computing, augmented and virtual reality, blockchain and the Internet of Things. In 2017, the global production of ICT goods and services totaled approximately 6.5 percent of gross domestic product (GDP), with around 100 million people being employed in the ICT sector. According to some estimates, the Internet of Things will consist of 50 billion devices by 2020.
Russia has adopted a number of normative, regulatory and strategic planning documents that regulate the protection of critical infrastructure facilities, in particular: Main Areas of the State Policy on the Security of Automated Control Systems for Production and Technological Process of Critical Infrastructure Facilities in the Russian Federation (approved by the President of the Russian Federation on February 3, 2012 under No. 803); Presidential Decree No. 620 “On Improving the State System for Detecting, Preventing and Mitigating the Consequences of Computer Attacks on the Information Resources of the Russian Federation,” dated December 22, 2017; and Federal Law No. 187-FZ “On Information Security Protection in the Russian Federation” dated July 26, 2017.
The legislation that has been adopted formed the basis for the establishment of the State System for the Detection, Prevention and Mitigation of the Consequences of Computer Attacks (GosSOPKA). The system is comprehensive in terms of its functionality. In accordance with the Concept of the State System for the Detection, Prevention and Mitigation of the Consequences of Computer Attacks, its mandate is not only to forecast information security issues in the Russian Federation and identify signs of compute attacks, but also to organize and conduct scientific research into the development and application of tools and methods for the detection, prevention and mitigation of the consequences of computer attacks and implement measures to ensure that the personnel required for the establishment and operation of the System receive the proper training and subsequent professional development opportunities. The forces and means of detecting, preventing and mitigating the consequences of computer attacks that make up the System include the authorized units of the Federal Security Service of the Russian Federation, the National Coordination Centre for Computer Incidents (which, among other things, coordinates the activities of the Russian Federation’s Critical Information Infrastructure [CII]), and subdivisions and officials of CII facilities that are involved in activities to detect, prevent and mitigate the consequences of computer attacks and respond to computer incidents. At the same time, GosSOPKA centers that have been set up at CII facilities (including those that are privately owned) are combined into a single hierarchical structure by department and territory.
We can judge the effectiveness of GosSOPKA’s work by the data presented at regular briefings of the National Coordination Centre for Computer Incidents. Thus, in 2017, a total of 2.4 billion attacks on critical information infrastructure were recorded in 2017, with that number rising to 4 billion in 2018. During the latest briefing on June 27, 2019, that is, after The New York Times article had been published, Deputy Director of the National Coordination Centre for Computer Incidents Nikolai Murashov noted: “An analysis of the information received by GosSOPKA shows that the majority of attacks aim to steal information. Criminals primarily target information about Russian defense, nuclear, energy and missile engineering technologies, as well as information from public administration systems. At the same time, “attacks on Russian information resources typically go through control centers [botnets] that are located in the European Union or the United States.”
The Capabilities of the United States and the Reality of the Attacks
Unfortunately, the truth of the matter is that, instead of developing international cooperation on the safe use of the ICT environment, the United States significantly increased its potential for destructive cyber operations in recent years. This was reflected above all in the elevation of the United States Cyber Command and the adoption of the relevant directive in 2018, which simplified the process of greenlighting cyber operations significantly. One extremely important document is the current National Defense Authorization Act, [ ] which confirms the military’s authority to conduct so-called “clandestine” activities.
At the same time, such activities and operations are carried out in order to prepare the environment, conduct information operations, demonstrate the power, and as a deterrent. By “prepare the environment,” we clearly mean the search for vulnerabilities in the computer systems and networks of the alleged enemy and/or introduce resident malware.
It is common knowledge that the Vulnerabilities Equities Process, which started to take shape back in 2008 in accordance with National Security Presidential Directive 54 (NSPD-54), has been operating in the United States for quite a while now. The purpose of the Process is to examine new ICT vulnerabilities that are not known to the general public and make appropriate decisions regarding their use. Accordingly, the decision can be made to either inform all interested parties or conceal the information in the event that the vulnerability that has been detected could be used for surveillance, law enforcement or national security purposes. Another seminal document in this Process is the “Joint Plan for the Coordination and Application of Offensive Capabilities to Defend U.S. Information Systems.” We can conclude that, taken together, these documents aim to create mechanisms at the state level for searching, analyzing and selecting vulnerabilities, which are effectively the components of cyberweapons.
At critically important enterprises, ICT systems can be used that in one form or another harness commercially available mass-produced (so-called “off the shelf”) components. The vulnerabilities of such components have been studied in greater deal, which is why cyberattacks are more likely to target them. What is more, we cannot rule out the possibility that undocumented functions (so-called “bookmarks”) may be present in off the shelf components. Moreover, this may even occur without the consent of the manufacturer. The United States Intelligence Community, specifically the National Security Agency’s Office of Tailored Access Operations has developed an entire catalog of hardware and software back doors that the Office can use to access servers, work stations, telephone lines and industrial process control systems.
Taking all this into account, we can argue that right now not only does the United States have the power, means, normative and regulatory support, but also the political will to actively use destructive ICT capabilities. In this regard, we should note that all of the United States’ current strategic planning documents name Russia, China, Iran, and North Korea as its main opponents, and these countries are likely to be the targets of any cyberattacks. National Security Advisor of the United States John Bolton confirmed as much at a conference held by The Wall Street Journal this past June (just a few days before The New York Times published its article). Among other things, he noted that “The purpose [of carrying out cyber-offensives]… is to say to Russia, or anybody else that’s engaged in cyber operations against us, ‘you will pay the price.’” This is why President Trump decided not to respond with force when tensions between the United States and Iran escalated after the Islamic Republic of Iran Air Defense Force shot down a U.S. drone. Instead, according to media reports, the United States Cyber Command carried out a cyberattack against Iranian units that were allegedly involved in the attacks on oil tankers in the Gulf of Oman the previous week, even though the United States provided no evidence to support its claim.
Cyberattacks and International Law
The legitimacy of the attack, like many others, is questionable. Similarly, international legal proceedings have yet to be launched against the United States in connection with the cyberattacks on Iranian nuclear facilities in 2010, and it is unlikely that any action will ever be taken. Unfortunately, instead of carrying out the proper investigations into such incidents, the United States and its allies resort to the mechanism of publicly naming the culprit instead of any real evidence that a state has committed malicious actions. In accordance with the new U.S. strategies, it can apply all available levers of influence on these countries, from economic sanctions to cyberattacks.
At the same time, the international community already has a certain constructive basis for ensuring peaceful coexistence in the ICT environment, including the protection of critical infrastructure. We are talking primarily about the voluntary and non-binding norms, rules and principles of the responsible behavior of states that were developed in 2015 by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) and presented in the corresponding report. Representatives from the United States were involved in the work of this Group and endorsed the adoption of the report. Several standards proposed by the GGE directly address the problem of ensuring the safety of critical infrastructure facilities. Item f) says that “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Item g) calls upon states to take appropriate measures to protect their critical infrastructure from ICT threats. Finally, item h) says that “States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.” The latest U.S. strategies repeatedly stress the necessity of promoting and implementing the norms and principles put forward by the GGE in any way possible. The incursion into Russia’s electric power grid, if it did indeed take place, is a gross violation on the part of the United States of the rules that it helped develop in the first place. Moreover, the ICT4Peace Foundation stated in an open message that civilian power grids are not legitimate military targets, which indicates that this is a violation of the provisions of international humanitarian law.
The media frequently talks about cyber countermeasures, which are primarily used to send “signals” to potential adversaries and let them know that the United States is aware of malicious activity being carried out. The goal is to deter opponents and increase stability. It is clear that “signals” sent by way of an attack on civilian facilities can only lead to escalation. One of the ideas that forms the basis of the new cyber strategy of the United States is to achieve peace through power. But this peace, where the norms and rules apply to some countries but not others, will be neither stable nor free.
Critical structure protection is in many ways a national task. At the same time, there are a number of problems that can only be solved at the international level. It seems that right now the only productive way to tackle these problems is to develop mechanisms for introducing and implementing the relevant norms, rules, and principles of the responsible behavior of states – rules that will be common for all.
From our partner RIAC
