Published by The Quint: https://www.thequint.com/voices/opinion/cyber-deterrence-kudankulam-nuclear-plant-cyber-attack-lessons-for-india
Hacktivist personas and hack-and-leak operations aren’t new — if anyone remembers CyberCaliphate, CyberBerkut & Guardians of Peace, etc. This is relevant as major leaks hit Iran, Russia and China in November. India’s cyber adversaries would rather target its soft political underbelly. Coercion and deterrence may have purely cognitive parameters. They simply do not exist in the “disrupt, deny & degrade” dimension, as recent Iran operations by US Cyber Command have shown.
On November 17, a data dump from the core banking servers of the Cayman National Bank and Trust (CNBT) was uploaded to Distributed Denial of Secrets, a whistleblowing portal with an explicit focus on Russia. CNBT is said to have stashed the slush funds of many Russian oligarchs.
Phineas Fisher, a self-described libertarian anarchist, had struck again. Fisher is a lone wolf persona which in the past has hacked and uploaded stolen data from the hardest of targets – spyware vendors like Hacking Team and Gamma Group. In the CNBT case, she offered her heist to Distributed Denial of Secrets.
Phineas Fisher’s daredevil acts are generally followed by rambling manifestoes and salacious technical details of her exploits.
But the public narrative could be a distraction.
In 2016, as the US was waking up to the threat of electoral interference, State Department’s Russia hawk Victoria Nuland was stung by an elaborate disinformation operation of Russian origin.
In his book The Perfect Weapon, journalist David Sanger pieces together Nuland’s plan for a reprisal. Along with other national security principals, she proposed punitive measures like exposing the money laundering operations and illegal holdings of Putin and his oligarchs using cyber operations. The playbook was thought to be too escalatory back then and shot down.
Did the inhibitions of the past give way to a deterrence strategy?
Veterans from the US Intelligence Community have come forward on social media and called the CNBT hack a warning shot before the 2020 elections. It would be foolhardy to ignore the grapevine.
Andrew Thompson – former Department of Defence intelligence officer, now working for cybersecurity firm FireEye – hints that growing “convincing personas” like Phineas Fisher takes years.
The operations of Phineas Fisher are too elaborate for a lone wolf to execute, and the rate of cracking hard targets is unusually high. Moreover, her propaganda leaflets are more confusing than clear – a tell-tale signature for information operations.
The plausible deniability and anonymity that are hardcoded into the Internet may ensure that the complete truth is never known. It really does not matter who did it. The only marker of attribution would be how Russia chooses to respond to the CNBT hack. And it may be decisive, whether covert or overt.
Judging by how the grousing oligarchs reacted to the passage of the Magnitsky Act, they are bound to take things personally. In fact, a previous unattributed whistleblowing operation, “Panama Leaks”, and the overbearing pressure of the oligarchs are said to have nudged Putin into escalating matters during the US elections.
The modicum of cause and effect in cyber conflict is a game of perception – an Angletonian “wilderness of mirrors.” The Russian generals believe that the US even had a hand in the Arab Spring, which ended up bolstering Russia’s hybrid war doctrine.
But there is a major lesson to be learnt as we carve out India’s own cyber deterrence strategy, post-Kudankulam. Former National Security Agency hacker Dave Aitel categorises cyber operations into two tuples: “deny, degrade, disrupt, deceive, or destroy”; and “access, analyse, remove or offer.”
International relations theorists and lawyers believe that the true potential of cyber conflict lies in the first tuple – by erroneously drawing an analogy to the above-threshold physical or kinetic conflicts of the past. They tend to equate “cyberweapons” with conventional munitions, expecting that effects like “data destruction” could be deemed as acts of aggression.
In fact, time and again it has been proven that cyber operations actually produce cascading effects across the second tuple – in the cognitive or perceptive spectrum. It is when cyber operations feed into the parameters of information operations that true power projection and deterrence take shape.
Some of the most successful examples of cyber skirmishes fall under that category. Wikileaks was nothing but the world’s most powerful “offer” cyberweapon launched by a non-state actor. It merely challenged government secrecy by making information available, fomenting global diplomatic turmoil.
The hack and upload of Democratic National Convention’s (DNC) emails, too, squarely fits into “offer.” It ended up influencing a national election and deterring the US from responding.
After the damning pilferage of the Office of Personnel Management’s database, the US had plans of disrupting the Chinese Internet censors like the “Great Firewall.” The deluge of hitherto forbidden information – another case of “offer” – could have triggered public unrest. Nothing unnerves Russia and China more than a regime upheaval.
It is a fallacy to derive a fitment of cyber operations into the conventional thresholds of war. Cyber deterrence is downright dirty and illegal.
Unlike the unfounded belief of lawyers, circumscribing cyber operations within international law may prove detrimental to our cyber capabilities. The underlying parameters simply do not exist.
Doxing the ruling political party of an adversarial nation state using cyber offence could be far more effective a coercive manoeuvre than neutralising its military command-and-control, as the recent US-Iran cyber escalation has shown.
The 2019 operations of the US Cyber Command in the Iranian cyberspace, while spectacular in their own right, produced mixed results. However, on the very same day that CNBT’s data was exposed, The New York Times and The Intercept also reported on leaked Iranian intelligence cables. That may certainly play a larger role in hampering the Iranian will.
Let us deconstruct the legal parameters of the CNBT hack.
The only redline of escalation would be the Kremlin’s response and nothing else. The operation not only potentially violated the sovereignty of a neutral party that is the Isle of Man but was orchestrated over a bank which is a civilian target barred by the Geneva Convention.
Not only that, unwitting “non-combatants” from many countries, including India, also got exposed. It could be deemed as needless collateral damage risking the lives and liberties of account holders who could be potential tax evaders – also causing them irreversible mental harm.
In fact, the legal ambiguity around information operations since US vs. Nicaragua offers a sweeping garb of impunity to cyber actors, even if the said operation was an overt action.
The Russian government went on to invoke the US Foreign Sovereign Immunities Act in a New York district court to defend its action against the DNC. Russia deemed it as a “quintessential sovereign act.”
The US Department of Justice’s indictment against Russian military operatives who hacked DNC cites pre-emptive signals intelligence intercepts captured from Russia’s military networks. That in itself could become the case of a pre-emptive war by the Americans – military command-and-control is a no-go as per international law. It is reasonable to interpret the Russian response as retaliation. In cyberspace, even covert action could come under legal scrutiny.
As James Lewis of Centre for Strategic and International Studies argues, “The strategic goal [of cyber operations] is to affect morale, cohesion, political stability, and, ultimately, diminish the opponent’s will to resist.”
That is how the game is being played – in a full-on and no-holds-barred way. A cyber deterrence framework must consider all the extraneous factors. And India seriously risks lagging in cyber power projection. To draw upon Shimon Peres’s exhortation after the Six-Day War, the stark option in front of us is either to innovate or to risk losing our sovereignty.