Cyberwarfare. PHOTO: Cybercrime Magazine.

SolarWinds And Microsoft Exchange Attacks: Lay Down The Cyber Law

Small countries are causing major cyber damage, and it may be time to enforce boundaries

David Braue

Melbourne, Australia – Mar. 11, 2021

As reports of nation-state involvement with major cyber attacks accumulate — the Russia-attributed SolarWinds attack, for one, has been more recently followed with assertions that cybercrime-loving China was behind the major Microsoft Exchange compromise — many observers have argued that national governments need to lay down some basic rules for engagement before things quickly get out of hand.

Although nation-states have been engaging in a “global online war that’s been around for ages,” Jaya Baloo recently told Cybercrime Magazine, “the whole thing has been highly covert. And it’s incredibly digital, so we’re not always going to see it all the time or notice it right away.”

Yet while victory in conventional warfare often goes the larger, stronger combatant, in cybersecurity the spoils inevitably go to the bolder, craftier adversary.

“It’s asymmetric, which means a very small player can have a really big effect,” said Baloo — who as chief information security officer (CISO) of security giant Avast is at the coalface when it comes to nation-state attacks.

“Tiny nation-states can be super powerful when they’re conducting these types of attacks,” she said, “because it doesn’t require a lot more than some good hacking knowledge and a good internet connection to conduct the attack.”

North Korea, for example, has been linked to a number of cybersecurity campaigns that have netted the rogue nation-state more than $1 billion in criminal proceeds. Even Czech Republic-based Avast has had its share of nation-state intrigue, with Chinese hackers breaching its network in 2017 and again in 2019.

Cybercrime Radio: Jaya Baloo, CISO at Avast

Hostile nation-states don’t follow the rules

Cybercrime Radio

Such campaigns — which have often seen nation-states buying exploits and zero-days from security researchers and cybercriminals — are “completely not okay,” said Baloo.

“When you take a look at the offensive cyber actions between nation-states, they don’t follow the rules — and, pretty much, all bets are off.”

Yet despite their success, such campaigns have rarely drawn direct retaliation — apart from a growing consensus that if national governments are going to behave this way, there needs to be a binding agreement limiting the potential collateral impact of cybersecurity attacks on the countries and their populations.

From Geneva to cyberspace

For more than a century, the widely-supported Geneva Conventions have set limits to conventional warfare so that warring nations do not target civilians, medical workers or humanitarian support staff.

Those conventions do not apply online, where all targets are equally accessible and attacks can be as narrowly or as broadly focused as the instigator wants.

Yet limits are no less important: a cyberattack on a country’s critical infrastructure, for example, could easily create a humanitarian crisis by interrupting critical electricity or water supplies.

Such an interruption could, in turn, potentially cause real-world retaliation that would trigger a physical conflict — potentially escalating into a major regional war if provisions such as NATO Article 5 were invoked.

“Our responsibility is to make sure that no such action can take place,” Baloo said, “and that anyone who violates that will either be cut off from the safe ecosystem, or they will be identified and no longer have access to, for example, the internet to conduct these kinds of activities.”

The Geneva Convention’s closest analogue is currently contained in the Tallinn Manual — a guide, written by 19 international legal experts, that outlines the application of international law to cyber operations.

Originally published in 2013 to great support, the manual was updated in 2017 and is, its authors say, built “on the understanding that the pre-cyber era international law applies to cyber operations, both conducted by and directed against states.”

“This means that cyber events do not occur in a legal vacuum and states both have rights and bear obligations under international law.”

The complexity and enforceability of such a framework have been widely discussed online and off, with academics, thinktanks, journalists, and organizations like the United Nations exploring — but failing to ratify — clear rules.

In the meantime, said Baloo, nation-states should work towards a common understanding — potentially using the Tallinn Manual as a conceptual guide — to “come to a place where you actually could agree on how we go about making a secure and stable and free cyberspace, when it comes to these kinds of problems, and that we understand the roles of governments.”

“These are the benefits and responsibilities, if you’re on this planet with each other: we need to work under the aegis of the UN and other international organizations to… cooperate and work together.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.