Washington D.C.
Monday, December 9, 2024

Cyberattacks on Critical Infrastructure as the New WMD

An attack on one critical infrastructure sector may initiate a failure in another or cascade to the entire interconnected CI network.

Should the acronym WMD, which stands for “Weapons of Mass Destruction,” be updated to “Weapons of Mass Disruption”? I think it is a timely question in this Digital Age, as we connect and integrate billions of new digital devices into our lives and business processes, and as a cyberattack against a single supply-chain provider can produce cascading effects on entire communities across the globe. Cyberattacks on Critical Infrastructure (CI) can cause mass economic and societal impacts. Few strategies offer better plausible deniability, or cause greater anxiety and instability in our society, than cyberattacks targeting the systems and networks that enable our day-to-day activities. Consider that 20 years ago terrorists killed 3,000 Americans and disrupted the entire U.S. and global economies with only four planes. Given the growth and ubiquity of technology today, we must consider how the exponential growth of cyberattacks on CI might be similarly leveraged by adversaries and criminal actors as Weapons of Mass Disruption, the new WMD.[1]

Cyberattacks take many forms, often progressing through multiple phases as they escalate in severity. Malicious actors often initiate a network intrusion through phishing campaigns or the purchase of compromised user credentials on the dark web. What begins as the hijack of a single user profile expands in severity. Intruders move laterally across internal systems, conducting surveillance and gathering intelligence on network environments before escalating to data theft, service disruptions, and ransomware extortion.
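The progression described above, from a single hijacked account to lateral movement across internal systems, is also what a defender can look for. The following is an added example, not code from the original article: a small detection rule run over constructed authentication log lines (the log format, host names and user names are assumptions made for this example) that flags an account which successfully authenticates to many distinct hosts inside a short window, one of the simplest indicators of lateral movement.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). The line format
# is an assumption for this example: ISO timestamp, result, user, source, host.
SAMPLE_LOG = """\
2024-03-04T02:01:10 auth ok user=jdoe src=10.0.0.5 dst=ws-finance-01
2024-03-04T02:03:42 auth ok user=jdoe src=10.0.0.5 dst=ws-finance-01
2024-03-04T02:14:05 auth ok user=asmith src=10.0.0.9 dst=fileserver-02
2024-03-04T02:15:30 auth ok user=asmith src=10.0.0.9 dst=ws-hr-03
2024-03-04T02:16:02 auth ok user=asmith src=10.0.0.9 dst=scada-hist-01
2024-03-04T02:16:40 auth fail user=asmith src=10.0.0.9 dst=dc-01
2024-03-04T02:17:15 auth ok user=asmith src=10.0.0.9 dst=eng-ws-07
2024-03-04T09:00:00 auth ok user=asmith src=10.0.0.9 dst=ws-hr-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(log_text):
    """Parse log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events


def lateral_movement_alerts(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag each account that successfully authenticates to at least `min_hosts`
    distinct hosts within `window`. Events must be in chronological order.
    Returns a list of (user, time of the triggering event, sorted host list)."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, host) successes in window
    alerts = []
    alerted = set()  # one alert per account, so a noisy account is not reported repeatedly
    for e in events:
        if e["result"] != "ok":
            continue  # failed logons are ignored by this rule
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop successes that fell out of the sliding window
        hosts = {host for _, host in q}
        if len(hosts) >= min_hosts and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append((e["user"], e["ts"], sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for user, when, hosts in lateral_movement_alerts(parse(SAMPLE_LOG)):
        print(f"{when.isoformat()} possible lateral movement by {user}: {hosts}")
```

In the sample, `jdoe` repeatedly logs on to one workstation and is never flagged, while `asmith` reaches four different hosts in about three minutes and produces a single alert; the later logon at 09:00 falls outside the window and does not re-trigger. The window length and host threshold are tuning parameters that would be set from a baseline of normal administrative behaviour in the environment being monitored.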

The goals of these actors may be both strategic and economic in nature, and targets may be government and/or the private sector. Cyberattacks perpetrated on CI elements develop into the new WMD when the intended and unintended consequences cause widespread damage and societal impacts. A disruption of essential services, even if brief, can occupy significant civilian and military resources in a region or entire country.[2]

Russian military doctrine views the battle of the information space, to include cyber activities, as unending.[3] As such, the bar to initiate cyber-attacks appears low and the past two decades have witnessed numerous cyberattacks on CI around the world. The march toward a more interconnected and networked world increases the likelihood that cyberattacks against CI could be used as the new WMD. In this new threat environment, more than ever we need to increase and leverage government and private-sector partnerships to mitigate and neutralize these cyber threats.

Cyber Threat Technology

Cyber threats combine numerous attack vectors and strategies in a single attack. Common attacks include malware, denial-of-service attacks, phishing, structured query language (SQL) injection, and zero-day exploits. Some attacks specifically target critical nodes, software, or people, while others overwhelm internet websites with massive, automated volumes of data requests. Malware attacks install malicious code, transmit sensitive data, and corrupt, destroy, or deny access to data by overwriting or encrypting files; the encrypt-and-extort variant is commonly referred to as ransomware. Phishing attacks target users with false messages that request they open a file or access a link that secretly installs malware. SQL injection attacks insert malicious code into servers running SQL database software to reveal sensitive data not normally available; a common vector is entering malicious input in the search boxes of vulnerable web pages, where unsanitized input is passed into a database query. These attack opportunities persist because of inconsistent patch implementation and end users' failure to employ cyber best practices, often called cyber hygiene, both of which increase the risk of cyberattack on vulnerable systems. Zero-day exploits, alternatively, may be known vulnerabilities that lack immediate solutions. Even if a zero-day exploit is known, the threat continues until a patch is developed and the end user installs it. The combination of attack vectors with new and old malware options creates opportunities for both intelligence gathering and the development of mass-disruption strategies against CI operations by and against U.S. adversaries.[4]
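To make the SQL injection mechanism concrete, here is an added example (not code from the original article) of a search-box backend written two ways: one that concatenates the user's search term into the SQL text, and one that binds it as a query parameter. The table, its rows and the `visibility` column are constructed for this example; the database is an in-memory SQLite instance.

```python
import sqlite3

# Constructed sample data standing in for a web page's search backend:
# "restricted" rows are the sensitive data the page is not supposed to reveal.
ROWS = [
    (1, "pump controller", "public"),
    (2, "relay firmware", "public"),
    (3, "substation map", "restricted"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """The flaw: untrusted input is spliced into the SQL text, so a quote in
    the term ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM items WHERE visibility = 'public' AND name LIKE '%{term}%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_hardened(conn, term):
    """The fix: a parameterized query. The driver binds the term as a value,
    so quotes or comment markers inside it can never alter the statement."""
    sql = "SELECT name FROM items WHERE visibility = 'public' AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (f"%{term}%",)))


if __name__ == "__main__":
    db = make_db()
    for term in ("pump", "' OR 1=1 --"):
        print(repr(term), "vulnerable:", search_vulnerable(db, term),
              "hardened:", search_hardened(db, term))
```

For an ordinary term such as `pump` both functions return the same public row. For a term that closes the quoted string and comments out the rest of the statement, the concatenating version drops the `visibility = 'public'` restriction and returns the restricted row as well, while the parameterized version simply searches for a name containing that odd text and returns nothing. Parameterized queries (prepared statements) are the standard mitigation; input validation and least-privilege database accounts are defence in depth on top of them.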

Critical Infrastructure Sectors

Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience identified 16 sectors and designated the specific federal agencies charged with their security. PPD-21 addressed the reality that advances in technology have increased each sector’s interconnectivity and its reliance on online and networked resources to accomplish its fundamental mission.[5]

Figure 1 – PPD-21 16 Critical Infrastructure Sectors (Source: CISA.gov) [6]
CI elements do not stand alone, but rather are interconnected and interdependent. This interconnectivity makes them vulnerable to direct and indirect cyber threats. An attack on one may initiate a failure in another or cascade through the entire interconnected CI network. The mix of public, private, and non-governmental operations across each CI sector complicates both the remediation of identified vulnerabilities and information sharing on actual or potential attacks. The ubiquitous nature of these CI sectors and the distribution of their physical and networked assets across a wide geographical area, often spanning the entire country, make CI sectors attractive targets. State, non-state, and criminal actors continually seek victims of opportunity across all CI sectors for monetary and strategic gain.[7]
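The cascade described above can be reasoned about with a simple dependency model of the kind used in interdependency analysis. The following is an added example, not code from the original article or from PPD-21: the sector dependency map is constructed for illustration (it is not official dependency data), and the failure rule, that a sector fails once a given fraction of the sectors it relies on have failed, is an assumption of the model. The second function turns the model into a defender's question: the loss of which single sector produces the largest cascade, and therefore deserves hardening first.

```python
# Constructed illustrative dependency map (NOT official PPD-21 data):
# sector -> sectors it relies on to keep operating.
DEPENDS_ON = {
    "energy": ["communications", "transportation"],
    "water": ["energy", "chemical"],
    "communications": ["energy"],
    "transportation": ["energy", "communications"],
    "financial": ["energy", "communications", "it"],
    "it": ["energy", "communications"],
    "healthcare": ["energy", "water", "communications"],
    "chemical": ["energy", "transportation"],
    "emergency": ["communications", "transportation", "energy"],
    "food": ["water", "transportation", "energy"],
}


def cascade(depends_on, initial, threshold=0.5):
    """Propagate failures through the dependency graph.

    A sector fails once at least `threshold` of its dependencies have failed
    (assumed rule). Returns the set of failed sectors and the order in which
    they fell, starting with the initial failures.
    """
    failed = set(initial)
    order = list(initial)
    changed = True
    while changed:  # iterate until no further sector tips over
        changed = False
        for sector, deps in depends_on.items():
            if sector in failed or not deps:
                continue
            down = sum(1 for d in deps if d in failed)
            if down / len(deps) >= threshold:
                failed.add(sector)
                order.append(sector)
                changed = True
    return failed, order


def most_critical(depends_on, threshold=0.5):
    """Rank sectors by the size of the cascade caused by losing that sector
    alone: a resilience-planning view of where redundancy buys the most."""
    return sorted(
        ((len(cascade(depends_on, [s], threshold)[0]), s) for s in depends_on),
        reverse=True,
    )


if __name__ == "__main__":
    failed, order = cascade(DEPENDS_ON, ["energy"])
    print("loss of energy takes down", len(failed), "sectors, in order:", order)
    print("single-sector loss ranked by cascade size:", most_critical(DEPENDS_ON))
```

With this map and a 50% threshold, losing energy, communications or transportation takes down every sector, while losing chemical only drags water down with it, and losing a leaf sector such as financial services harms nobody else. Raising the threshold models redundancy (a sector that can run on any one of its suppliers), and comparing the rankings across thresholds shows which dependencies are worth duplicating.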

Past Attacks on Critical Infrastructure

The threat against CI elements is neither theoretical nor improbable. Cyberattacks have occurred independently and as part of multi-domain conflicts involving Russia, China, and others over the past two decades. Connell and Vogler described the Russian military view of cyber operations as part of the larger concept of information warfare, and not a distinct tactic. They assessed that in line with traditional Soviet military thinking, Russian decision-makers view the battle for the information space as unending. Such a doctrinal view of an information space in constant conflict stands in sharp contrast to the U.S. view. Furthermore, Russian decision-making informed by this view likely sets a low bar for the initiation of offensive cyber operations.[8]

In 2008, cyberattacks attributed to Russia disrupted Georgian government websites, financial institutions, private telecommunications companies, and other organizations in the opening stages of the military conflict between the two countries over breakaway regions. Given the limited extent of Georgian information technology at the time, the impact of the cyber operations was reduced. This application of cyberattack methodologies, however, stands as the first large-scale use of cyber operations in support of a military conflict. In this multi-domain example, a cyberattack designed to cause widespread disruption preceded a physical attack.[9]

In December 2015, the Ukrainian Energy Minister attributed the first known power outage caused by a cyberattack to Russian actors, when three power distribution companies were targeted. The timing and coordination among the attacks across central and regional facilities pointed to a high level of sophistication. The subsequent investigation revealed an initial intrusion occurring at least six months prior, allowing the actors to gather intelligence on company operations and likely remediation responses. This surveillance allowed the cyber actors to insert additional malware to wipe key recovery servers and computers to stymie restoration efforts. The attack left approximately 225,000 customers without power for six hours in the middle of a Ukrainian winter. The investigation also revealed the attack could have been larger, and the damage permanent, but the cyber actors chose to limit the scope. This points to the scalability of damage from the spectrum of cyberattack methodologies and their potential as a WMD.[10]

In the spring and summer of 2020, the People’s Liberation Army (PLA) of China and the Indian Army were involved in multiple skirmishes in the vicinity of the Line of Actual Control that defines their common border in the Himalayas. One such engagement resulted in the deaths of 20 Indian soldiers. Unwilling to back down, that August the Indian Army seized additional strategic locations. In an apparent tit-for-tat response, hostilities escalated and entered the cyber domain when a power outage struck the power utility in the Indian state of Maharashtra, which includes India’s financial capital, Mumbai. The attack was attributed to a group known as RED ECHO, potentially a state-sponsored group affiliated with China’s PLA Strategic Support Forces. In response to the cyberattack, India mobilized additional troops to the disputed region and expanded the hostilities into the economic domain: India banned Chinese mobile apps, limited Chinese investments in India, and joined an informal grouping of the U.S., Japan, and Australia dedicated to limiting Chinese advancement in the Indo-Pacific. In this multi-domain example, the cyberattack causing widespread disruption was a response to the physical attack, and it was in turn met with economic sanctions.[11] An attack against so large a power grid and a nation’s financial capital could be characterized as a WMD attack.

In their 2021 study, Izycki and Vianna defined a cyberattack as an operation conducted with a kinetic intent or result. Using this definition, they identified seven significant cyber-attacks between 2010 and 2019. Their results are illustrated in the table below.[12]

Table 1 – Campaigns Against CI with Physical Consequences/Intentions (Source: Izycki and Vianna)

The attributions noted by Izycki and Vianna, if accurate, highlight how various actors employed cyber weapons across a wide range of political conflicts and actors. The authors concluded that the small number of campaigns highlighted the rarity of what they termed “kinetic attacks” against CI assets. Cyberattacks on CI sectors like those noted by Izycki and Vianna have the potential to cause massive disruptions and societal displacement if the underlying interconnected computer systems were destroyed or disabled for extended periods.[13]

Discussion of the Threat

Cyberattacks on interdependent CI sectors have the potential for secondary and tertiary effects in addition to the cascade of physical disruption that follows.[14] Beyond impairing physical assets, cyber-attacks on the foundational services of a society also function as psychological and strategic weapons. CI disruptions may undermine confidence in the state to provide security or basic services. Such attacks may serve as existential threats to unstable regimes. As strategic weapons, cyberattacks on CI causing mass disruptions have the potential to tie up significant military and economic resources at the same time the nation faces a military threat. Such attacks have the potential to fully occupy the time and attention of decision-makers as well as field commanders, causing them to miss or ignore other pending threats. This exemplifies the multi-domain use of cyberattacks.[15] Recently, plans purportedly developed by units within Iran’s Islamic Revolutionary Guard Corps (IRGC) leaked to a British reporter described various cyberattack strategies for cargo ships, building HVAC systems, and fuel pumps manufactured in the U.S. and sold worldwide. If authentic, such plans highlight in detail how CI sectors might be attacked via the cyber domain.[16]

Based on the attacks studied, the threshold for initiating a cyberattack appears low, and not all attacks produce an immediate or identifiable impact. Attacks may occur unnoticed, with bad actors lying dormant within systems for an extended time period. The nature of an attack may change over time, in that an intrusion may progress to an intelligence-gathering operation and data theft, before escalating into a denial-of-service or ransomware attack. The progression of an attack may change depending on the nature of the actor. The goal of non-state or criminal actors in conducting cyberattacks may be profit-driven or center on causing economic damage, while state actors may favor intelligence gathering and the creation of strategic options or outcomes. In the case of North Korea, the goals may be both financial and intelligence gathering, as they gather technical knowledge and the financial means to purchase necessary materials and equipment. The ubiquity of networked systems and the wide availability of cyber intrusion tools leave no country or critical infrastructure sector immune.[17]

Determining attribution for an attack is difficult. The use by cyber actors of Virtual Private Networks (VPNs), leased server infrastructure, and the cross-border nature of the internet complicate attribution efforts. Intelligence services can be reluctant to publicly disclose sensitive techniques and classified information in order to explain attribution conclusions. Additionally, public prosecution of these malicious actors may risk disclosure of investigative techniques, particularly in national security investigations. Complicating the matter further, cybercriminal organizations frequently operate from countries unwilling to arrest and extradite malicious actors to the United States. As a result, there appear to be limited consequences levied on adversaries for intrusion or intelligence-gathering activities. For example, in July 2021, in the same week the U.S. and NATO allies publicly identified the Chinese Ministry of State Security (MSS) as the perpetrator of the hack of the Microsoft Exchange email server uncovered three months prior, the U.S. Department of Justice filed motions to dismiss visa fraud charges against five Chinese scientists accused of concealing their ties to the PLA. This public shaming of cyber aggression by the MSS did not include economic sanctions against China, whereas a similar public disclosure in April 2021 about Russia included economic sanctions for its cyber actions related to election interference.[18]

Conclusions and Judgments

Cyber intrusions rely on a volume attack scenario, leveraging automated software to continually probe endpoints and network connections for vulnerabilities. Hackers count on the incomplete implementation of software patches and poor cyber hygiene to provide illicit access. The assessment, based on this research, is that cyberattacks on CI will continue to grow in number and frequency and will continue to escalate in severity. As the world becomes more reliant on systems connected to the internet, the attack surface expands. CI sectors are no exception, and their interconnectivity creates the risk of a failure cascade. Furthermore, cyberattacks are becoming automated and more anonymized. Consequently, if we have not yet reached the threshold at which cyberattacks against CI with large-scale impacts may be characterized as WMD, we may reach it soon.

The interwoven nature of CI sectors crosses international boundaries. To address the disruptive threat of cyberattacks against CI, facilities and their control networks must be hardened and continuously monitored for intrusions and anomalous activity. PPD-21 specifically identifies what is to be protected and which agency is to lead efforts for each sector. The identification, analysis, and mitigation of malware, and of the illicit marketplaces where it is sold, remain of critical importance. Cyberattacks weaponize CI to cause widespread disruption, in addition to serving as an enabler for other adversarial intelligence activities.[19]

 

The opinions expressed in this article are those of the author. They do not reflect the opinions of the Federal Bureau of Investigation, the U.S. Department of Justice, or the United States Government.

 

Bibliography

“A Guide to a Critical Infrastructure Security and Resilience – November 2019.” Publications. Cybersecurity & Infrastructure Security Agency, 2019. https://www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf.

Bommakanti, Kartik. “Chinese Cyber Escalation Against India’s Electricity Grid Amidst the Boundary Crisis.” Expert Speak: Warfare. Observer Research Foundation, March 10, 2021. https://www.orfonline.org/expert-speak/chinese-cyber-escalatio-india-electricity-grid-boundary-crisis/.

Connell, Michael, and Sarah Vogler. “Russia’s Approach to Cyber Warfare.” CNA Analysis and Solutions, March 2017, 1–30. https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf.

“Cyber Attack – What Are Common Cyberthreats?” Products & Services: Security. Cisco Systems, Inc., February 19, 2021. https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html.

Haynes, Deborah. “Iran’s Secret Cyber Files on How Cargo Ships and Petrol Stations Could Be Attacked.” Sky News. Sky UK, July 27, 2021. https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871.

Holland, Steve, and Doina Chiacu. “U.S. and Allies Accuse China of Global Hacking Spree.” Reuters. Thomson Reuters, July 20, 2021. https://www.reuters.com/technology/us-allies-accuse-china-global-cyber-hacking-campaign-2021-07-19/.

“How to Break the Cyber Attack Lifecycle.” Cyberpedia. Palo Alto Networks, 2021. https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle.

Izycki, Eduardo, and Eduardo Wallier Vianna. “Critical Infrastructure: A Battlefield for Cyber Warfare?” International Conference on Cyber Warfare and Security (ICCWS), February 26, 2021. https://www.academia.edu/48210931/Critical_Infrastructure_A_Battlefield_for_Cyber_Warfare.

Lee, Jane. “U.S. Dials Back Probe of Chinese Scientists on Visa Fraud Charges.” Reuters. Thomson Reuters, July 24, 2021. https://www.reuters.com/world/us/us-seeks-dismiss-charges-visa-fraud-cases-chinese-researchers-2021-07-23/.

Polityuk, Pavel. “Ukraine Sees Russian Hand in Cyber Attacks on Power Grid.” Industrials. Thomson Reuters, February 12, 2016. https://www.reuters.com/article/us-ukraine-%20cybersecurity-idUSKCN0VL18E.

“Presidential Policy Directive (PPD-21) — Critical Infrastructure Security and Resilience.” Briefing Room: Statements & Releases. National Archives and Records Administration, February 12, 2013. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

Rinaldi, Steven M., James P. Peerenboom, and Terrence K. Kelly. “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies.” IEEE Control Systems 21, no. 6 (December 2001): 11–25. https://doi.org/10.1109/37.969131.

Tucker, Eric, and Aamer Madhani. “US Expels Russian Diplomats, Imposes Sanctions for Hacking.” AP NEWS. Associated Press, April 16, 2021. https://apnews.com/article/joe-biden-ap-top-news-moscow-coronavirus-pandemic-elections-4c368f4734d5d1c5938645aa09641c79.

Tucker, Eric. “Microsoft Exchange Hack Caused by China, US and Allies Say.” AP NEWS. Associated Press, July 19, 2021. https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35.

White, Edward, and Stephanie Findlay. “India Confirms Cyber Attack on Nuclear Power Plant.” Financial Times. FT Group, October 31, 2019. https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6.

[1] “A Guide to a Critical Infrastructure Security and Resilience – November 2019,” Publications (Cybersecurity & Infrastructure Security Agency, 2019), https://www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf.

[2] “How to Break the Cyber Attack Lifecycle,” Cyberpedia (Palo Alto Networks, 2021), https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle.

[3] “How to Break the Cyber Attack Lifecycle,” Cyberpedia (Palo Alto Networks, 2021), https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle; Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis and Solutions, March 2017, pp. 1-30, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf.

[4] “Cyber Attack – What Are Common Cyberthreats?” Products & Services: Security (Cisco Systems, Inc., February 19, 2021), https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html.

[5] “Presidential Policy Directive (PPD-21) — Critical Infrastructure Security and Resilience,” Briefing Room: Statements & Releases (National Archives and Records Administration, February 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

[6] Critical Infrastructure Threat Information Sharing Framework: A Reference Guide for the Critical Infrastructure Community, https://www.cisa.gov/sites/default/files/publications/ci-threat-information-sharing-framework-508.pdf

[7] Steven M. Rinaldi, James P. Peerenboom, and Terrence K. Kelly, “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies,” IEEE Control Systems 21, no. 6 (December 2001): pp. 11-25, https://doi.org/10.1109/37.969131.

[8] Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis and Solutions, March 2017, pp. 1-30, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf.

[9] Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis and Solutions, March 2017, pp. 1-30, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf.

[10] Pavel Polityuk, “Ukraine Sees Russian Hand in Cyber Attacks on Power Grid,” Industrials (Thomson Reuters, February 12, 2016), https://www.reuters.com/article/us-ukraine-%20cybersecurity-idUSKCN0VL18E.

[11] Kartik Bommakanti, “Chinese Cyber Escalation Against India’s Electricity Grid Amidst the Boundary Crisis,” Expert Speak: Warfare (Observer Research Foundation, March 10, 2021), https://www.orfonline.org/expert-speak/chinese-cyber-escalatio-india-electricity-grid-boundary-crisis/.

[12] Eduardo Izycki and Eduardo Wallier Vianna, “Critical Infrastructure: A Battlefield for Cyber Warfare?” International Conference on Cyber Warfare and Security (ICCWS), February 26, 2021, https://www.academia.edu/48210931/Critical_Infrastructure_A_Battlefield_for_Cyber_Warfare.

[13] Eduardo Izycki and Eduardo Wallier Vianna, “Critical Infrastructure: A Battlefield for Cyber Warfare?” International Conference on Cyber Warfare and Security (ICCWS), February 26, 2021, https://www.academia.edu/48210931/Critical_Infrastructure_A_Battlefield_for_Cyber_Warfare.

[14] Steven M. Rinaldi, James P. Peerenboom, and Terrence K. Kelly, “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies,” IEEE Control Systems 21, no. 6 (December 2001): pp. 11-25, https://doi.org/10.1109/37.969131.

[15] Steven M. Rinaldi, James P. Peerenboom, and Terrence K. Kelly, “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies,” IEEE Control Systems 21, no. 6 (December 2001): pp. 11-25, https://doi.org/10.1109/37.969131.

[16] Deborah Haynes, “Iran’s Secret Cyber Files on How Cargo Ships and Petrol Stations Could Be Attacked,” Sky News (Sky UK, July 27, 2021), https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871.

[17] Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis and Solutions, March 2017, pp. 1-30, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf; Edward White and Stephanie Findlay, “India Confirms Cyber Attack on Nuclear Power Plant,” Financial Times (FT Group, October 31, 2019), https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6.

[18] Steve Holland and Doina Chiacu, “U.S. and Allies Accuse China of Global Hacking Spree,” Reuters (Thomson Reuters, July 20, 2021), https://www.reuters.com/technology/us-allies-accuse-china-global-cyber-hacking-campaign-2021-07-19/; Jane Lee, “U.S. Dials Back Probe of Chinese Scientists on Visa Fraud Charges,” Reuters (Thomson Reuters, July 24, 2021), https://www.reuters.com/world/us/us-seeks-dismiss-charges-visa-fraud-cases-chinese-researchers-2021-07-23/; Eric Tucker, “Microsoft Exchange Hack Caused by China, US and Allies Say,” AP NEWS (Associated Press, July 19, 2021), https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35; Eric Tucker and Aamer Madhani, “US Expels Russian Diplomats, Imposes Sanctions for Hacking,” AP NEWS (Associated Press, April 16, 2021), https://apnews.com/article/joe-biden-ap-top-news-moscow-coronavirus-pandemic-elections-4c368f4734d5d1c5938645aa09641c79.

[19] Steven M. Rinaldi, James P. Peerenboom, and Terrence K. Kelly, “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies,” IEEE Control Systems 21, no. 6 (December 2001): pp. 11-25, https://doi.org/10.1109/37.969131; “Presidential Policy Directive (PPD-21) — Critical Infrastructure Security and Resilience,” Briefing Room: Statements & Releases (National Archives and Records Administration, February 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

Ted P. Delacourt
Supervisory Special Agent Ted P. Delacourt is a federal civilian working in the Mission Critical Engagement Unit, Cyber Division, Federal Bureau of Investigation. SSA Delacourt has over 17 years of experience in law enforcement, counterterrorism, and intelligence issues. He holds a Bachelor of Science of Business Administration with a concentration in Accounting from Georgetown University, McDonough School of Business; a Master of Business Administration with concentrations in Finance and Economics from the University of Chicago, Booth School of Business; and a Master of Science and Technology Intelligence from National Intelligence University, Oettinger School of Science & Technology Intelligence.
