WannaCry, NotPetya : Larger issues and the growing need for a National Cyber – Electronic Warfare Doctrine

Anurag Dwivedi Writes: Repeated cyber attacks cannot be looked at merely from a technical perspective and they have multiple dimensions straddling geo-politics, warfare, economy and national security. Larger underlying narratives are at play globally and we need to start working on a “Cyber – Electronic Warfare Doctrine” on similar lines as our nuclear doctrine.

Just as the world had recovered from the WannaCry ransomware, the next wave of cyber attacks has hit critical infrastructure worldwide in the form of NotPetya (the “Not” is to distinguish it from older version of Petya ransomware which is of 2016 vintage).

 

The NotPetya infection reportedly originated in Ukraine when a financial software firm called MeDoc inadvertently pushed an infected file to its clients. India was the worst hit country in Asia and the seventh worst hit globally¹ behind Ukraine, US, Russia, France, UK and Germany as per reports. Operations of a container shipping terminal operated by AP Moller-Maersk at India’s Jawaharlal Nehru Port Trust (JNPT) were disrupted prompting the National Cyber Security Coordinator Dr Gulshan Rai to visit JNPT and assess impact². Maersk apparently uses MeDoc services and its IT infrastructure at their HQ in Hague was infected, thereafter spreading to its subsidiaries worldwide including JNPT.

 

Technically, NotPetya is similar to WannaCry in that it also encrypts files on the infected computer. It also uses the same Eternal Blue exploit to propagate as WannaCry, which was stolen from the US National Security Agency (NSA). The full details about this attack can be read in the article here³.

 

It is however important to focus on larger issues involved here because this is neither the first nor the last such cyber attack we are witnessing. Some of these issues are outlined below:-

 

• The US National Security Agency (NSA) has yet again come under severe criticism⁴ for not only hoarding cyber weapons but also the extremely lax security which has allowed these weapons to be stolen. After the WannaCry attack Microsoft in a scathing blogpost⁵ had opined that “an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today – nation-state action and organized criminal action”. It begs asking whether other sovereign nations are expected to remain mute spectators when the Americans are developing cyber weapons at such alarming scale.

 

• Secondly, Russia, China and North Korea have become the cyber whipping boys of English news media. The WannaCry attack was for instance linked to China on the flimsy evidence⁶ that Chinese version of the ransomware note which appeared on user screens was written by someone familiar with Chinese language. WannaCry was similarly  linked to North Korea on equally flimsy grounds⁷ that the code had resemblance to ransomware attributed to the notorious Lazarus hacker group which is alleged to have the backing of North Korea. NotPetya has been linked to Russia on similar flimsy evidence⁸ that the attack first struck in Ukraine just a day prior to their constitution day on 28^th June and Russia has targeted Ukraine in the past as well, particularly their power grid. There were also articles like this one⁹ in The Washington Post which stated that Russia has developed Cyber Weapons to disrupt energy grids. It is however peculiar to note that Russians have themselves been hit hard both by WannaCry as well as NotPetya. Russians see the infections as revenge by the United States¹⁰. A larger underlying narrative seems to be at play which includes the alleged Russian hacking of US elections¹¹. Prospects of a global cyber arms race are looming and we are most likely already in the midst of a cyber “Cold War”. Achieving any consensus on global cyber norms becomes increasingly difficult under such circumstances.

 

• With so many attacks crippling critical infrastructure worldwide, another parallel narrative which seems to be unfolding is about “Cyber Insurance”. The cyber insurance market is still in its infancy but is expected to grow to several billion dollars. Few days ago two of the largest tech players Apple and Cisco launched a joint Cyber Insurance venture¹². Cybersecurity insurance was also amongst one of the possible areas of a wider Indo-US cyber security cooperation¹³ proposed by the Heritage Foundation – an American think tank. This needs to be analysed in much greater depth.

 

• Whereas cyber weapons have managed to repeatedly cripple critical infrastructure worldwide, these same attacks have not proved very effective against terrorist outfits like ISIS as this article¹⁴ in New York Times points out. Closer home we have faced similar issues in Kashmir where terrorist groups are increasingly circumventing Internet restrictions (read here¹⁵ and here¹⁶). In the latest weekly roundups of cyber activities by the International Institute for Strategic Studies (IISS), India finds mention alongside Republic of Congo, Bahrain¹⁷ and Ethiopia¹⁸ on account of Internet shutdowns; which is not very flattering. One reason why cyber warfare is ineffective against terrorist organisations is because it is not being used optimally. Using cyber warfare in isolation without synchronizing with the equally relevant Information Warfare capabilities of Psychological and Electronic Warfare is like firing only one weapon at a time. Cyber warfare also has to be coordinated with operations on ground, particularly civic-military action.

 

• There is also a school of thought that cyber attacks cause no lasting damage and therefore must be taken in the stride much like road accidents or natural calamities (hence the insurance). This is a flawed argument. Even kinetic weapons cause only temporary damage. Defences are refurbished and reorganised once the attack is contained. Cyber / Electronic attacks against critical infrastructure can be just as detrimental as a kinetic strike and it cannot be wished away that any future war will start with a massive cyber-electronic attack on critical infrastructure and information systems.

 

To conclude, repeated cyber attacks cannot be looked at merely from a technical perspective and they have multiple dimensions straddling geo-politics, warfare, economy and national security. As a nation we also face a stark choice as to whether we should focus only on defensive cyber capability or develop our own arsenal of cyber weapons (as everyone else seems to be doing).

 

Under the circumstances, a “Cyber – Electronic Warfare Doctrine” advocating a “no first use of cyber weapons” along the lines of our nuclear doctrine may not be entirely out of place. It will also set the required processes in motion.

 

Endnotes.

1. http://economictimes.indiatimes.com/tech/internet/india-worst-hit-by-petya-in-apac-7th-globally-symantec/articleshow/59367013.cms
2. http://pibmumbai.gov.in/scripts/detail.asp?releaseId=E2017PR1164
3. https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/?page=1
4. https://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-tools.html?utm_source=Sailthru&utm_medium=email&utm_campaign=EBB%206.29.17&utm_term=Editorial%20-%20Early%20Bird%20Brief
5. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.001c8i11317l0f3vs2f1cm2qoliu3
6. https://www.scmagazine.com/analysis-suggests-wannacry-ransom-note-is-native-chinese-speaker/article/664402/
7. https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group
8. http://dailysignal.com/2017/06/29/russias-hybrid-warfare-battlefield-ukraine-heats/
9. https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber-weapon-that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html?hpid=hp_rhp-top-table-main_russiascyber-810a:homepage/story&utm_term=.e978b9df1c8f&utm_source=Sailthru&utm_medium=email&utm_campaign=EBB%2006.13.2017
10. https://www.nytimes.com/2017/05/14/world/europe/russia-cyberattack-wannacry-ransomware.html
11. https://usiblog.in/2017/06/russian-hacking-of-us-elections-larger-issues-at-stake/
12. http://www.insurancebusinessmag.com/uk/news/breaking-news/apple-launches-into-cyber-insurance-with-cisco-71584.aspx
13. http://www.heritage.org/sites/default/files/2017-05/IB4697.pdf
14. https://www.nytimes.com/2017/06/12/world/middleeast/isis-cyber.html?action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news&mtrref=www.nytimes.com&_r=0&utm_source=Sailthru&utm_medium=email&utm_campaign=EBB%2006.13.2017&utm_term=Editorial%20-%20Early%20Bird%20Brief
15. http://kashmirreader.com/2017/05/01/firechat-gaining-currency-restrictions-social-media-grow/?fromNewsdog=1
16. http://www.thehindu.com/news/national/with-facebook-banned-kashmirs-youth-reach-out-via-kashbook/article19141768.ece
17. https://www.iiss.org/en/iiss voices/blogsections/iiss-voices-2017-adeb/june-f086/cyber-report-22-to-28-june-9b20
18. https://www.iiss.org/en/iiss voices/blogsections/iiss-voices-2017-adeb/june-f086/cyber-report-8-to-14-june-cea1