NotPetya, WannaCry: The Privatisation of Nation-State Capabilities Threatens Us All
Former senior British intelligence officer Malcolm Taylor has swapped briefing the Prime Minister on terrorist attacks to giving businesses cybersecurity advice at ITC Secure. Robert Scammell caught up with the director of cyber advisory at ITC’s Cyber Summit to find out how the privatisation of nation-state capabilities poses one of the biggest cyber threats to businesses
Few people know more about the threat of cyber terrorism than Malcolm Taylor. The now director of cybersecurity at consultancy firm ITC Secure spent 20 years at GCHQ, working in London, Cheltenham, Pakistan, Iraq and Afghanistan.
As an operational officer collecting intelligence – mostly for counter-terrorism – much of his role was “about getting information from people who don’t want to give it to you”.
But while much media attention has been given to the cyber threat of nation states such as Russia, China and North Korea, Taylor is keen to stress that the threat that they pose to the individual and to businesses has been inflated.
“The biggest threat they face is volumetric and it's criminal,” he tells Encrypt. “It's quite low sophistication, low bar entry, criminal in nature, untargeted – it's broadcast. But that's not to say it's not incredibly damaging.”
A prime example of this is the 2015 TalkTalk hack, committed by a pair of teenagers but still costing the British telecommunications company at least £77m.
But while Taylor believes the nation-state threat is over estimated, the cross pollination of criminal hacking groups and the technological prowess of nation states is cause for concern.
In recent years, this has spawned crippling malwares such as WannaCry and NotPetya.
Step forward the privatisation of nation-state capabilities.
From Russia with love
The blurring of the public and private cyber capabilities takes two forms, says Taylor.
The first means of privatisation is when a country provides direct support to a private hacking group.
“Because the nation-state is good at this, right? They're technically capable,” explains Taylor. “What they don't have is lots of people, they don't have lots of money and they have regulation and law around them.”
One such example is Russia being heavily linked to hacking groups that were previously thought to be independent.
In October last year, a UK government report directly accused the Kremlin of “indiscriminate and reckless cyberattacks targeting political institutions, businesses, media and sport” and associated the GRU with groups including Fancy Bear, BlackEnergy Actors and Tsar Team.
All of this came to a head when the UK and Dutch governments accused APT 28 (another alias of Fancy Bear) of the failed hacking of the Organisation for the Prevention of Chemical Weapons in The Hague. The organisation had been investigating the poisoning of Russian ex-spy Sergei Skripal and his daughter in Salisbury, UK.
“So they are ostensibly private hacking groups – which are famously disorganised and a bit crap – with the backing of a state, the funding of a state,” says Taylor. “Who knows, maybe the training, maybe the tools, etcetera. So that I think is significant.”
“Private hacking groups are famously disorganised and a bit crap.”
Another way in which nation-state capabilities are being privatised takes a less direct form, when state-created tools are leaked into the wild – something Taylor describes as “inevitable”.
This happened in April 2017, when a mysterious hacker group known as the Shadow Brokers released a Microsoft zero-day exploit dubbed EternalBlue into the wild. The group claimed it was developed by the US National Security Agency (NSA).
Unsurprisingly, the NSA has never confirmed that it created EternalBlue or any of the tools claimed to be in the Shadow Broker’s arsenal. Microsoft, however, took the unusual step of publicly attributing EternalBlue’s existence to the NSA.
Regardless, a month after the Shadow Brokers released the exploit into the wild, it was unleashed as part of a worldwide WannaCry ransomware attack that crippled the UK’s National Health Service. Around 19,000 appointments were cancelled and the total cost to the UK government totalled £92m.
“The leaking of that capability puts it onto all of our radars,” says Taylor. “So that kind of, through two different means, that privatisation of state capabilities is probably the thing that I would describe as the biggest threat.”
Nation-state spying and asymmetrical attacks
While Taylor is quick to quash the sensationalism that tends to follow nation-state cyberattacks, he says countries that do not adhere to the same rules can pose a noteworthy threat.
“Nation states spy on each other – it's not news. And they spy on each other in any ethical way they can,” he says.
“There are some countries that spy in unethical ways.”
By that, Taylor means asymmetric actions in which a country uses methods that they know will not be reciprocated.
“The best example isn't cyber – but it makes the point – is the events in Salisbury. The Novichok [poisoning] is the Russian intelligence service launching an asymmetric attack on the UK, because it knows the UK isn't going to go and poison people in Russia – full stop.
“There are some countries that spy in unethical ways.”
“Not only is it illegal, but it's just not the way that we do things. That asymmetric attack extends into cyber too.
“I guess that's something that I worry about.”
By their very nature, most state-sponsored cyberattacks are asymmetric. That is partly because attribution is so difficult, made trickier still by cyberattackers impersonating other states to deflect blame.
It is made more difficult still by a lack of set international rules for cyber warfare. What is a proportionate and legal response to cutting off another state’s electricity? What if a cyberattack caused the death of a country’s leader?
Rules of cyber engagement
Not knowing what level of digital aggression meets the threshold for an act of war has prompted some to call for more robust laws of cyber engagement.
Last November, French President Emmanuel Macron released an international agreement that called for countries to agree on such international rules for cyberspace.
Although 51 countries and 130 companies signed up, the agreement was somewhat castrated by the absence of the US, Russia, China, Iran and North Korea.
“ The notion of allies has been thrown up in the air. ”
Similarly, more than 30 technology companies have signed up to another version of a ‘digital Geneva Convention’, in which they committed to never partake in cyber-attacks against individuals or businesses.
But some experts feel it should go further, such as Deputy National Security Advisor to the UK’s Cabinet Office Paddy McGuinness, who has called for a body like the OPCW – but for cyber.
All out cyber war
While Taylor thinks a full blown cyber war is unlikely – “It's mutually assured destruction, I suppose” – he would champion an international agreement and government intervention.
The current geo-political landscape, coupled with the privatisation of nation-state capability, has made this more pressing.
“I think politically we've moved into a place where the notion of consensus, the notion of allies, has all been thrown up in the air,” he explains.
“For all of my life, until that point, those were the natural ways the world worked. We did things by consensus, we had friends that we talked to. We worked with allies.
“ It's mutually assured destruction, I suppose. ”
“And that's changed a lot over the last two years, because of Brexit and because of Donald Trump I think.”
Taylor says that before the era of Trump and Brexit, things were more “comfortable” and that the same is “probably true in cyber”.
“I guess I'd like us to go back to the point where we started having consideration of whether the notion of having a cyber-war capability is something you want to do, just from a sort of being a decent human being kind of thing.
“But I guess I've lost that argument.”