The cyber Cold War: Russian and US security systems draw new lines on the map

29 August 2018 (Last Updated August 28th, 2018 13:46)

Building robust cybersecurity systems from scratch is expensive and laborious while off-the-shelf solutions tend to be Russian or American. If a country doesn't have the means to develop its own protocols and has to pick a side for its systems provider, could a new cyber Cold War emerge? Julian Turner reports.

In 2017, the US Defense Department spent at least $18.5bn on foiling cyber intruders, a nearly 30% increase compared with the previous year. Image: US Air Force / Raymond McCoy.

Splinternet. Cyber-balkanisation. Military digital complex. Unprecedented scenarios demand new language to describe them. So it is with the battle for control of the internet. At stake is not just the security of individual countries’ data, but the entire concept of the web as a ‘democratic’ platform.

Charl van der Walt, chief security strategy officer at SecureData, defines the idea as “an end to the idea of a globally united internet promoting collaboration, innovation and information sharing”.

It’s an idea encapsulated in China’s ‘Great Firewall’, whereby Beijing has effectively censored and portioned off web access for one billion of its citizens, eschewing online rights in favour of an internet run along geopolitical lines, a policy it calls ‘internet sovereignty’. Russia has followed suit.

How will the US and its allies respond? And how can smaller nations hope to protect the integrity of their data against asymmetrical attacks with the potential to disable critical national infrastructure?

Take the infamous US/Israeli Stuxnet attack on Iran’s nuclear enrichment programme at Natanz.

“By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation,” noted SecureData’s Sensepost blog in 2011. “It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $500,000 and $2m – apparently less than what the US airforce currently spends in a day.”

Size matters: can smaller nations defend themselves against cyber bullying?

Developing cybersecurity systems that are fit for purpose can be prohibitively expensive. According to recent analysis from Taxpayers for Common Sense, between 2007 and 2016, US federal spending on unclassified anti-cyberattack programmes skyrocketed nearly four-fold from $7.5bn to $28bn.

In 2017, the US Defense Department spent at least $18.5bn on foiling cyber intruders, a nearly 30% increase compared with the previous year. The Department of Homeland Security spent $1.7bn, a 9% increase, while the Department of Treasury spent $2.8bn, a 42.7% increase compared with 2015.

Given these numbers, how are smaller nation states and private businesses expected to protect themselves from malicious cyber attacks and stop becoming pawns in the struggle for global cyber supremacy, especially when the majority of off-the-shelf solutions originate in the US and Russia?

“Given the rapid escalation of security countermeasures by the big governments, smaller governments rapidly reach a point where it is unreasonable to expect them to be able to defend themselves anymore,” van der Walt told Army Technology earlier this year.

“If you’re a smaller developing country, you have a couple of choices. You can try and salvage your IT, but in doing that you have to make a platform choice, and whichever platform choice you make, effectively puts you under the control of that country. Or you just leave it as it is, and expect that larger nation states just have control over your IT, and let the strongest player win.”

The Kaspersky Lab controversy

In terms of anti-virus software, the issue is relatively simple. Manufacturers of anti-virus software have near total control over the machines it is installed on since such products send significant amounts of data back to central servers to allow staff to monitor malicious outbreaks in real time.

Trust is therefore crucial – and, in today’s cyber-balkanised world, in increasingly short supply.

In September 2017 the US Senate voted to ban Russian cyber security firm Kaspersky Lab’s products from use by the federal government after the Moscow-based company was blamed for the theft of confidential data from a machine belonging to a US National Security Agency (NSA) contractor.

The company’s antivirus tools apparently discovered hacking tools on the contractor’s machine. By correctly flagging them as malware, it “alerted Russian hackers to the presence” of the NSA tools, according to the Wall Street Journal.

The UK’s National Cyber Security Centre (NCSC) has effectively banned Russian anti-virus products from government departments in an effort to “prevent the transfer of UK data to the Russian state”.

Kaspersky has repeatedly denied the claims and has responded by spending around $12m on moving a number of its core processes from Russia to Switzerland as part of a “global transparency initiative”. According to The Register, by the end of 2019 the company plans to open a data centre in Zurich, which will store information on users in Europe, North America and Australia.

Such moves weren’t enough to convince the Dutch Cabinet, which feels there is a risk of espionage through the use of Kaspersky’s products and has recommended that the software not be used.

“Yet again, Kaspersky Lab is caught up in a geopolitical fight and still no credible evidence of wrongdoing has been publicly presented by anyone or any organisation to justify such decisions,” a company spokesperson said.

Stand-off in Helsinki: the US election and commercial cybersecurity

In March, the US accused Russia of a cyberassault on its energy grid, claiming malware had been found in the operating systems of organisations and companies in the US energy, nuclear, water and ‘critical manufacturing’ sectors, and that malware and other forms of cyberattack had been traced back to Moscow.

At the recent Helsinki summit, US President Donald Trump vacillated between conciliatory and combative on the subject of Russia’s alleged interference in the 2016 US presidential elections.

However, as van der Walt reminds us, cyber warfare is not just limited to nationalism and geopolitics.

“The bullying can even be commercial,” says van der Walt. “Say, if Microsoft ‘sponsored’ all the universities in Africa and provided all their computers, you’d have a situation where they establish themselves as the base platform everyone knows and uses; before you know it an entire state uses Microsoft ecosystems and other vendors get excluded.”

Foreign companies operating in China recently bemoaned the difficulty of conducting business there due to increased operating costs, a result of Beijing’s new cybersecurity law introduced in June.

“It created uncertainties within the investment community and it’s resulting in, at the minimum, postponement of some R&D investment,” said Harley Seyedin, president of the American Chamber of Commerce South China.

Collaboration across geopolitical lines is possible, however, if commercial interests are sufficiently strong. In February, the NCSC reaffirmed its commitment to working with Chinese smartphone giant Huawei, despite US government employees potentially being banned from using its smartphones due to security fears.

It remains to be seen whether such cooperation becomes the norm or a rarity in an increasingly cyber-balkanised world.