News that Chinese hackers obtained personal details of 4 million US federal employees dating to 1985, following on the heels of similar attacks on the customer records of private insurance companies and retirement funds as well as the internal email networks of the US State Department and White House, demonstrate that a guerrilla cyber-war is underway. Although it will not replace traditional warfare any time soon, this is the new face of war for several reasons.
First, it does not involve physical conflict using kinetic weapons, which removes direct bloodletting from the equation. Second, it can target critical infrastructure (power grids, water supplies) as well as the command, control, communications, computing and intelligence (C4I) capabilities of adversaries. Third, it can be masked so that perpetrators can claim a measure of plausible deniability or at least intellectual distance from the action. Fourth, it can be used for tactical and strategic purposes and the pursuit of short or long-term objectives.
Much like military drones, cyberwar is here to stay.
The war is not one sided: Russian hackers have penetrated Pentagon email networks and the 5 Eyes signals intelligence alliance has dedicated hacking cells working 24/7 on targets of opportunity. Many other nations also indulge in the practice as far as their technological capabilities allow them. To these can be added a host of non-state actorsâ€”Wikileaks, Anonymous, ISIS, among othersâ€”who have also developed the capability to engage in electronic espionage, sabotage, data capture and theft.
With the most recent revelations about the hacks on the US Office of Personnel Management (OPM) archival records (which include personal details of active and retired federal employees as well as identities of those who have had or hold security clearances, perhaps including myself given my prior employment by the Department of Defense) an evolution in cyber warfare is now evident.
Previously, most state-sanctioned cyber attacks were so-called â€œfront doorâ€ attacks on government or corporate mainframes, servers and networks. The interest was in surreptitiously obtaining sensitive data or installing surveillance devices in order to engage in ongoing monitoring of targeted entities. â€œBack doorâ€ probes and attacks were the province of non-state actors, especially criminal organisations, seeking to obtain private information of individuals and groups for fraudulent use. However, the recent attacks have been of the â€œback doorâ€ variety yet purportedly state sanctioned, and the Snowden leaks have revealed that 5 Eyes targets the personal communications of government officials, diplomats, military officials and corporate managers as a matter of course.
The move to state-sponsored â€œback doorâ€ hacks is ominous. Accessing data about current and retired government employees can be used to blackmail those suffering personal liabilities (debt, infidelity) in order to obtain sensitive information about government processes, procedures, protocols and policy. It can target active and former intelligence and military officials and others with access to classified information. It can target former public officials that have moved to the private sector, particularly in fields of strategic or commercial importance. Likewise, obtaining sensitive personal data of employees working in private firms opens the door to similar exploitation for illicit commercial gain.
Advances in consumer telecommunications have made cyber hacking easier. Smart phones and their applications are considered to be the most vulnerable to hacking. Because many people store an enormous amount of personal data on these devices, and because they often mix work and personal business on them, they represent an enticing entry point when targeted. Yet even knowing this millions of consumers continue to pack their lives into electronic devices, treating them more as secure bank vaults rather than as windows on their deepest secrets. Not surprisingly, both state and non-state actors have embarked on concerted efforts to penetrate mobile networks and hand-held devices. Encryption, while a useful defense against less capable hackers, only slows down but does not stop the probes of technologically sophisticated hackers such as those in the employ of a number of states.
The bottom line is this: the smaller the telecommunications market, the easier it is for cyber hackers to successfully place backdoor “bugs” into the network and targets within it, especially if government and corporate resources are directed towards defending against “front door” attacks. On the bright side, it is easier to defend against attacks in a smaller market if governments, firms, service providers and consumers work to provide a common defense against both “front door” and “back door” hacking.
The implications for New Zealand are significant.
In this new battleground physical distance cannot insulate New Zealand from foreign attack because cyber-war knows no territorial boundaries. New Zealand provides an inviting target because not only is an integral and active member of Western espionage networks, it also has proprietary technologies and intellectual property in strategic sectors of its trade-dependent economy (including niche defense-related firms) that are of interest to others. Because New Zealandâ€™s corporate, academic and public service elites are relatively small and the overlap between them quite extensive, hacks on their personal data are a valuable tool of those who wish to use them for untoward purposes.
New Zealand public agencies and private firms have been relatively slow to react to the threat of cyber warfare. The data they hold on their employees, managers, policy elites and general population is an inviting â€œback doorâ€ for determined hackers seeking to exploit vulnerabilities in New Zealandâ€™s cyber networks. Since many Kiwis are lax about separating their work and private electronic correspondence and records, the potential to access sensitive personal information is high.
New Zealand has been the subject of numerous â€œfront doorâ€ cyber attacks and probes on public and private agencies, including an attack by Chinese-based hackers on the NIWA supercomputer carried out in concert with a similar attack by the same source on the supercomputer run by the US National Oceanographic and Atmospheric Administration (NIWAâ€™s US counterpart). New Zealanders have been the targets of numerous “back door” intrusions such as phishing and other scams perpetrated by fraudsters and conmen. Yet successive governments have been slow to recognize the new threat advancing towards it in the cyber-sphere, only recently creating dedicated cyber security cells within the intelligence community and just last year amending the GCSB Act to address vulnerabilities in domestic internet security. But it still may not be enough.
Until New Zealand resolves the problem of institutional lag (that is, the time gap between the emergence of a technologically-driven threat and an institutional response on the part of those agencies responsible for defending against it), there is reason to be concerned for the security of private data stored in it. After all, in the age of cyberwar there is no such thing as a benign strategic environment.