Nigel's Eyes

20230404 The very real threat of war and the inadequacy of the Fourth Geneva Convention

There are increasing international security threats. While some are talking up the risk of a world war, others say that there are likely to be local, brutal, conflicts.

But the quiet and big money isn't on nuclear threats or chemical weapons. It's not even on attacks in overwhelming number. No, the big money is not on attacks on or by hardware or wetware: it's on software.

The United Nations was formed in 1945. In 1949, it agreed the Fourth Geneva Convention. It was widely regarded as a belated addition to the regime on international hostilities dealing with, as it did, the protection of civilians. Technically, it's the protection of civilians in armed conflict.

It's time to rethink the definition of "armed conflict."

I'm not going to get into the obvious discussion of the uses of various forms of weaponry from rockets, bombs, shells and smaller arms such as are in daily use in many conflict zones around the world daily.

The issue that I will address is the use of weapons which don't go bang or involve directly imposing physical harm but which can, and do, cause immense harm.

We tend to think of cybersecurity as relating to hacks to steal personal information such as passwords, for ransom attacks, phishing and the like. On another level, we think of cyber-protection in the sense of blocking inbound e-mails, blocking known high-risk sites, or sites exhibiting known indicators of high risk. We worry about those pesky (and entirely false) messages that say that someone has taken over our computer and grabbed images from our camera and threatening blackmail.

But while these problems may be large in scale, they are small in complexity in that in each case there is one target who suffers. There may be incomprehensibly large numbers involved such as the data breach at yahoo! which, over a three year period, put the data of an estimated 3,000 million users into the wild. Or there may be much smaller, and much more accurately targeted attacks such as that at Latitude recently.

But attack vectors are becoming more devious. Everyone knows that banks now treat data as they treat gold, locked in a high security vault. Or so they think. Actually, cybercriminals have learned, some of the data is not in the vault but in the hands of trusted third parties which are outside the bank's own security perimeter. Worse, some of those working on the bank's systems, and which have authorised access to the bank's systems, are potential gateways to the bank's systems.

It's the equivalent of giving the key to the cleaner, or even leaving one under the flower pot by the front door.

But annoying and financially - even psychologically - damaging as these things are, they are not the big threats that exist but are spoken about in the whispering tones of intelligence agencies and while not actually hidden from "the general public" do not get the attention they should.

So, let's go loud.

Let's look beyond so-called cybercrime and look at cyberwarfare and, even, cyberterrorism. Let's look at attacks on systemically and strategically important systems.

What does this have to do with protecting civilians?

Any attack on a systemically and strategically important systems puts people, not only their wealth or assets, at risk.

An example of a systemic attack was that attributed to The Lazarus Group against Cosmos Bank in India in 2016. The story of the investigation has rumbled on for years with The Lazarus Group, widely said to be an agency of North Korea, being named as a potential suspect within weeks and more information pointing to the Group being uncovered until, as recently as this month, the BBC has published a long article about the attack. I don't need to rehash their story: it's linked from further reading. The salient point here is that the attack used credentials of users and hundreds, perhaps even thousands, of runners to make maximum withdrawals from ATMs in 28 countries around the world. But the clever part of the hack was that none of those transactions actually cleared the systems at Cosmos. Nevertheless, the money, some USD14 million worth, had gone within two hours and Cosmos was on the hook to make good on the withdrawals. The attack vector was a phishing e-mail to Cosmos staff which, when clicked, installed malware on those users' desktop machines and that gave access to the software that controlled ATMs.

This was not the usual style of data breach (although, we have to assume that there was also typical data breach that acquired the data that was later put onto innumerable ATM cards. The scale of the enterprise boggles the mind: to produce that many cards, to write data to them, to distribute them, to organise the runners, to collect the cash... just sit back and close your eyes. Could you plan such an enterprise and where, if you were one of the world's most despised regimes, would you find that many sympathisers in countries where your own foreign labour is unwelcome?

Put in that context, the scale of effort needed for a state, directly or indirectly, to mount an attack on the infrastructure of a vital part of a nation's economy or social fabric seems almost trivial.

IT v OT

There is an entire industry devoted to what it calls "Operational Technology" or "OT" and its threats.

The origins of the distinction are that Information Technology is data while OT is the equipment. The distinction is that information would be kept in a filing cabinet while control systems would be manual, even where they were electrical and, later, electronic. The two did not mix and access to both was physical. Breaking or interfering with operational technology meant attacking equipment: think hammers and wire cutters. Not long ago, access to electronic filing systems required someone to break into, or con their way into, premises.

Today, however, the difference is more of a marketing distinction than an accurate description of the nature of the threat for the simple reason that both are connected to the internet and the internet, in one way or another, is the entry route.

Operational Technology protection is about protecting specific aspects of a corporation's systems.

But the attack vectors are similar: someone putting a hammer through a server, inserting a USB stick into a computer or gaining access remotely, as well as infiltration of the workforce.

The systems are those that are mission critical for infrastructure be it controlling trains, electricity grids, gas pipelines or water storage and distribution. The cross-over with IT systems is most critical in, for example, integrated hospital systems where data and the supply of critical services such as oxygen are centralised and controlled through a computer.

In each of these cases, it can be seen that the target is to put pressure on the general population. It's no different, in principle, to using armaments. And what happens if a drone control system is hacked and the weapons turned on its sender or its allies?

A non-nuclear bomb might kill hundreds; an 11-September style attack might kill thousands, but to kill the electrical grid, water and gas supplies and cripple transport control systems would, depending on the target, kill, maim or otherwise injure millions.

It's happened, albeit not on purpose, when in 1965 and 2003 the USA's north east suffered widespread power failures. It happened in Texas in 2021 and, reports say, was barely averted in late 2022, up and down the USA's East Coast. In that case, it was deliberate - Duke Energy instigated rolling power cuts because it had failed, it admitted, to accurately predict the demand for power in the days before Christmas. That proves that, with access to the control systems, huge disruption can be created at a time when power consumption demonstrates the greatest need.

That's why the United Nations needs to review its definitions in the Fourth Geneva Convention. By default, such activities as drone strikes are covered but attacks through the internet are not. But that is at least a significant part of future war. And yet their primary target is civilians.

Further Reading: Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours https://www.bbc.com/news/world-65130220