CyberWire Daily - Interview select: Kenneth Geers of NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine."

Episode Date: February 21, 2022

As we break to observe Washington's birthday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with Kenneth Geers from NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine." Like what you hear? Consider subscribing to CyberWire Pro for $99/year.

Transcript
Starting point is 00:00:00 With all eyes closely watching the developing hybrid war between Russia and Ukraine, it's worth looking at the recent history that brought us to this place and how it informs current activity in the region. My guest today has done just that. Kenneth Geers is Ambassador for the NATO Cooperative Cyber Center of Excellence and a senior fellow at the Atlantic Council. He's editor of the book Cyber War in Perspective, Russian Aggression Against Ukraine, published in 2015. So I moved to Estonia in the spring of 2007 during that nation's crisis with Russia over a Soviet statue that Estonia wanted to move. Moscow decided to use it for a propaganda war.
Starting point is 00:01:07 it being after the political fight, a weeks long distributed denial of service attack against banks in Estonia, the media, government. And so while it wasn't a national security crisis, it was a proof of concept or an experiment in that direction. And so many people wanted to know whether, you know, for a country like Estonia that invests in, you know, in electronic government and digital society, what would happen if you shut that down? So the center is not operational in the military sense. It's more like a think tank, but it does research on computer security topics as they relate to national security. And now even countries outside of NATO, including Finland and Sweden and Japan and New Zealand and Switzerland, have taken part in exercises. And some of them are not full members, but they participate on a daily basis in the center's activities.
Starting point is 00:02:09 So in 2015, the organization published a report titled Cyber War in Perspective, Russian Aggression Against Ukraine. And certainly, I think that report is drawing new attention given the situation between Russia and Ukraine today. What were the takeaways when you initially published that report back in 2015? So we published the report about a month before the Christmas attacks that turned out the lights, targeted the electrical grid in western Ukraine. Even so, I think in the introduction I wrote, based on the work of about 20 authors and 18 chapters, that there was no decisive cyber attack during the 2014 war between Russia and Ukraine in what's known as the Donbass, eastern Ukraine, and the takeover of Crimea. However, wherever one looked, there were examples to analyze of computer network operations of a novel variety, really. So in the diplomatic space, U.S. diplomats had their telephone communications captured via
Starting point is 00:03:28 traditional signals intelligence, uploaded to YouTube, and announced on Twitter. One of the authors we had for the book was the chief of Ukraine's CERT, the Computer Emergency Response Team. And he wrote that the attack on the summer presidential election, because in the spring, the president of Ukraine, Yanukovych, had to flee to Russia after the events in Maidan. So the Euromaidan uprising that winter of 2013-14 forced him out. And so they had an election in the summer of 2014 to find a new president. The head of the Ukraine CERT wrote that it was the most advanced attack that they had ever investigated. And sort of boiled down to this, the website that was meant to show and to publicize the winner of the election or the ongoing tally at the end of the day had been hacked. And rather than display the actual vote count up to that point, a far-right
Starting point is 00:04:39 candidate was announced the winner. And this was immediately announced on Russian television that evening, again, suggesting sort of a coordinated operation to embarrass Ukraine and to diminish the legitimacy of the election. So those are a couple of examples we could talk about some military, some business, even focused on civil society in social media, sort of developing accounts that had just been created in order to insert propaganda into the space. But basically in every domain in the book, we talked about examples of computer network operations. Nothing that might be decisive, let's say, in a war,
Starting point is 00:05:26 but what it did show was that you're not going to invade a country these days without also using, you know, digital tools and tactics and hackers to support your troops and to support your political goals. It just is not going to happen anymore. Because everywhere we looked, we saw examples of it. One of the chapters in the book that was written by Jason Healey and Michelle Cantos from Columbia University is titled, What's Next for Putin in Ukraine? Cyber Escalation. Again, you know, this was back in 2015. How have some of these predictions played out? Well, the NotPetya ransomware attack in Ukraine that emanated, sort of reverberated throughout the world, has been called the most costly and damaging cyber attack in history. In fact, there are still legal cases ongoing today after those events. And it's unknown whether the attackers intended to damage multinational corporations in Denmark and Switzerland and elsewhere, but that's in fact what happened to the tune of hundreds of millions of dollars in lost time and equipment and forcing the repurchase of software and hardware.
Starting point is 00:07:11 bottom line of a country with a ransomware attack, but you can scare off investors and you can frighten partnerships in the business space. And that's what many analysts believe. The result of NotPetya, whether it was entirely intended or not, it was an attack that took place in peacetime that was purportedly or on the surface, it was criminal in nature. But deeper investigation yields a different conclusion that it was in fact a geopolitical attack. And that's where we are in terms of analyzing what cyber war is or might be. There's a large gray area between hacktivism and cybercrime and cyber war, and the lines, if they exist, are hard to see. As you and I record this, and Russian troops are positioned on the border with Ukraine, and there's a lot of worry and speculation as to what's going to happen next, to what degree
Starting point is 00:08:16 have these cyber attacks that you and your colleagues have tracked over the past few years, was this a demonstration of potential capabilities, of putting it out to the rest of the world that these are some of the things we can do and you need to take that into account? I think so. In terms of computer network operations, I think there is still a lot of experimentation going on, both for determining thresholds, as well as trying to understand what other people could see, what they will countenance as well, because most governments are probably involved to some degree in cyber espionage. And so part of the challenge is that it's kind of hard to know sometimes if a hacker is on your network, are they there to, you know, to read your email or
Starting point is 00:09:11 deny you access to your email or change one of your emails, right? There's sort of this spectrum of cyber attacks in which the attacker could get more and more aggressive in behavior. And so there's a lot of experimentation going on, and there's a lot of wanting to know how far you can push the envelope, I think. And the 2015 Christmas attack on the electrical grid in Ukraine was duplicated a year later in Ukraine, right? And so it's almost like the attackers kind of wanted to send a message that we're still here and we still have capabilities that could be brought to bear. They also, they want to know the defender. What is the defender going to do? What can they see? Can they prevent this? But with, I think, an attack like that, the attacker probably knows that they are equally vulnerable to similar attacks. And that may slow down the use of super aggressive computer hacking to support even the invasion of Ukraine. In this case, if Moscow would fear that its own electrical grid or its own, you know, either infrastructure or sensitive documents, you know, that could be
Starting point is 00:10:47 stolen and leaked, are equally vulnerable. They have to imagine that in this day and age, because there's only one internet, and we're all sort of sharing it, and it has, you know, international kind of architecture for operating systems and applications and data, most countries are vulnerable as well. And so that's one of the reasons we might see a hesitation before firing certain cyber weapons that likely exist. I've also seen some folks speculating that they would be reticent to tip their hand in terms of their capabilities, that they don't want to reveal the tactics, techniques, and procedures that goals, perhaps they would use that first so as to not reveal what their cyber capabilities are. Do you think that's a reasonable line of thinking as well? I think so. I think that if the goal is to occupy, let's say, five more cities in Ukraine,
Starting point is 00:12:00 computer network attacks will be used with some discretion and in some proportion to achieve those objectives. But they will probably not stray or not exceed those parameters. In other words, if Russia wants to take Kharkov and Odessa, two more cities in Ukraine, they're probably not going to mess with the infrastructure in New York City. That said, if escalation gets out of control, then all bets are off, right? In other words, I think one of the problems, and this may be beyond the bounds of our current discussion, but in Moscow, I think we're dealing with more of a Putin problem than a Russia problem, right? So the leadership legitimacy in Moscow is driving, I think, events more than the true national security interests of Russia. So if Putin were like a cat, you know, trapped, then might grow unpredictable, right? And in other words, if Putin's place as the leader of Russia comes into question, then the ladder of escalation may get out of control, and a leader may at least think they are forced to
Starting point is 00:13:28 exceed the parameters of what they had intended. Nobody wants that, and I think there'll be efforts to contain the conflict. I certainly hope so, and hopefully we don't have a conflict at all. In the things that you've seen in the media and elsewhere when it comes to diplomatic efforts with this particular conflict in the cybersecurity realm, are you optimistic that there's good things happening here that we could see a de-escalation? I hope so. I have been fortunate to work with a few international organizations. I love the work I've done for NATO. I've done also some work for the OSCE, or the Organization for Security and Cooperation in Europe, and that is weaker, but it's bigger than NATO. So it encompasses the former Soviet Union. So I've gotten to do some work for them in Russia and Armenia and elsewhere. And one of the things that we worked on
Starting point is 00:14:32 over the past 10 years are confidence building measures or CBMs for cyberspace. And currently there are 16. Now each of them has the word voluntary somewhere in it, but it's really important to think about lessons from arms control or lessons from, let's say, the Chemical Weapons Convention of decades past and how they might help for cyber conflict in the future. And I can boil those 16 down in another way as well and say that communication, transparency, keeping phone numbers up to date, that sort of thing is really critical because if something bad happens, you want to know whom to call. And that's why, of course, we had the hotline in the Cold War and still do. You know, if something gets out of control, you really want to know who you can talk to, to defuse the crisis. And that's really key. And I think with cyber conflict or computer network operations at the national level, it's also important because of the anonymous nature of so many attacks,
Starting point is 00:15:56 the ability of nation states to steal each other's malware and repurpose them for a different operation in a different place. It may be hard to do attribution in a timely manner. And that's one of the things that's tough about, I think, cyber weapons and cyber attacks is that it really does take time to sort of untangle them and to do what's called attribution. And sometimes to do attribution, maybe all the time, you can't just rely on log files or indicators of compromise, but you actually may need to, you know, for a human spy or for a law enforcement officer to engage overseas with not only friendly powers, but with the, you know, the suspected culprit to try and figure out, you know, is this really you or might it be someone else playing you in cyberspace?
Starting point is 00:17:03 that perhaps it was something that had unintended consequences or whether its consequences were intentional. The ability for it to act so quickly, to spread so quickly, to worm its way around the globe, I think is particularly interesting as well to your point of being able to pick up the phone and have humans talk to humans and hopefully cooler heads prevail. When things happen at the speed of cyber, I think that's an important consideration. That's right. I think that the speed with which packets can move across the internet, a couple of things, it does belie the amount of work and time that would go into the operation
Starting point is 00:17:44 before pulling the trigger. That may take months and years. And that's one of the ironies. And one of the challenges of cyber conflict is that if I'm going to want to hack you in a time of conflict, I probably need to do most of the prep work in peacetime, which makes then the internet a chaotic place, right, for businesses and for peace and stability, right, in the good times.
Starting point is 00:18:14 And that's a real challenge, I think, that world leaders have to grapple with. And one of the things that I think about in terms of the EU and NATO, which I honestly, me personally, I believe that the world's only true cyber superpower is the EU and NATO because they comprise roughly 30, however you want to count them, between 20 and 40 affluent democracies that are working together for peace and security and stability within their space. And so it's whether it's law enforcement, intelligence and network security agencies that are working together. If you imagine yourself as a bad actor, when the EU and NATO and they do work together closely on cybersecurity, then it really creates a very impressive and intimidating group. Last year, I was living in Africa. And just before I moved to South America, we went on one final trip to Kruger Park in South Africa. followed this lion that was circling a giant group of zebra and kudu. And the lion was so intimidated, right? There were hundreds of them in a circle all staring down the lion. And then one of my takeaways from that is that we should make, you know, the alliance of democracies look similar to that in cyberspace, so that if we're working together proactively and reactively, then the bad actors who don't trust each other will really feel isolated.
Starting point is 00:19:57 Our thanks to Kenneth Geers for joining us. The book is titled Cyber War in Perspective, Russian Aggression Against Ukraine.
