We're entering 'a very dark and dangerous era' of offensive cyber, says BAM's Ian Hill

Will the next war start with a bang – or are we already living with it?

The Cold War was a time of international tension, when superpowers tried to increase their geopolitical influence without ever coming into direct contact. Now, the world faces a similar situation: this time, in the digital space.

The USA and Russia competed against each other in the 20th century, but other actors are involved in the so-called Cyber Cold War, including Iran, China and North Korea. Each is trying to expand its own power and influence while limiting others', and the virtual space is their new battleground.

A major advantage of cyber operations is that they are relatively cheap, and so accessible to states that don't classify as superpowers. Another is that, on a physical level, they are safe; attribution and retaliation are difficult. However, neither is impossible, and the physical threat rose last month when the UK revealed that it could respond to a cyber-attack using its nuclear capabilities.

Ian Hill, Global Director of Cyber Security at Royal BAM Group, warns that this marks the beginning of "a very dark and dangerous era, where this sort of state action - either through states directly or through their proxies - is escalating, and I don't think any of us know where it's going to end."

Hill admits he would be "highly surprised" if it came to the point of physical response, but it demonstrates the seriousness with which governments today are treating cyber. Russia and China are known to have military divisions dedicated to offensive cyber operations, and it's almost certain that the West boasts similar capabilities. However, state actors normally take care to disguise their actions.

"In traditional warfare, the enemy is relatively clear: who that is, who you're fighting against, who the threat actors are. In cyberspace it's difficult to see who the enemy actually is. Often, there have been accusations that Russian state actors have been enacting attacks, but making it look like they've come from North Korea. It's difficult to see who the enemy actually is and what their purpose is."

Then there's the grey area between 'state-sponsored' and 'state-sanctioned'. Governments may have their own divisions of offensive and defensive cyber experts, but there are also reports of countries employing independent groups to give themselves plausible deniability; the SolarWinds hack is one such example, as well as attacks on the pharmaceutical and healthcare sectors last year. And finally there are some groups who only target organisations outside their own country, out of a corrupt sense of patriotism.

"There are hacking groups in Russia who primarily do things for their own personal monetary gain, but have, if you like, an implicit sanction from the state, who sort of leave them alone, because while they're doing it for their own selfish reasons, it's against the enemy," said Hill.

High-value targets

While most 'private' cybercrime groups traditionally target organisations, governments are more likely to go after critical infrastructure: a key component in any war. While past wars have used bombs and other ordnance to take out railways and bridges, cyber-attacks can directly target supply lines by going after water, power and food suppliers.

As an example, look to the mass panic-buying a year ago; if a country could cause something similar in an enemy state, it would undermine confidence in the government, weaken the population's appetite for conflict and give the attacker an advantage before the first boots hit the ground: a cyber blitzkrieg.

But that might not happen. The more likely alternative is a long, drawn-out period of reconnaissance: of probing, testing and intelligence gathering, when threat actors evaluate what they can and can't do and look at where they need to go when the time comes to actually attack; more of a war of attrition than a blitz. Would that attack be difficult to spot? Hill thinks not:

"I think if there was an all-out type of cyberattack, we'd know about it. Not necessarily straight away, because it depends on how [the attackers] enact it. I think it would be a slow drip-drip effect: it would build up, there'd be attacks here, attacks there, distractions. They would just keep going, keep ramping up; they wouldn't just suddenly blitz it all in one go. I think they'd ramp it up, to whatever end; and of course, it depends on the purpose."

The Cold War has no solidly defined time period, but most historians agree that it covered several decades. In the same vein, we may already be living in the Cyber Cold War and simply not have acknowledged it yet. Hill, though, thinks we're still on the edge.

"It feels like we're almost on the verge of a Cold War: the ramping up of capability, probing, testing each other's weaknesses and strengths at the cyber level, ramping up the arsenal of offensive capability, and to a certain extent, ramping up the defensive capability.

"It feels like a bit of a sort of war game."

Ian Hill will speak at Computing's Cyber Security Festival in June - make sure to register now.