Author: Miguel Alberto Gomez, DLSU
Security experts at Kaspersky Lab — a Russian anti-virus firm — disclosed the existence of a large-scale cyber espionage operation in January 2013.
Dubbed Operation Red October, it targeted over 39 different countries across multiple regions and exfiltrated confidential information from both public and private organisations over a five-year timeframe. Diplomatic missions, government agencies and energy research centres are among the many groups affected.
The operation adds to a growing list of prominent cases in the last decade that have been labelled ‘cyber espionage’. But one question has not yet been addressed: do Operation Red October and other similar cases prove that cyber espionage has become the new platform from which to project national power? The answer? They do not.
While there is no doubt as to Red October’s complexity, cyber espionage cannot project a country’s power like other uses of cyberspace, such as the Stuxnet worm launched against Iran that was attributed to the United States and/or Israel, or the cyber attacks launched against the Philippines that were attributed to the People’s Republic of China (PRC). Unlike these examples, cyber espionage enshrouds the culprit in such a high level of uncertainty that it defeats the purpose of using cyberspace to visibly demonstrate national cyber capability and, in turn, power.
In most cases, this ambiguity helps to limit the possible escalation of conflict. But while the goal of conducting operations in cyberspace is to instil doubt in the mind of the target, a balance must be struck between hiding the source of the attack and providing enough information to intimidate and consequently discourage the victim from conducting retaliatory action.
Take, for example, the defacement of Filipino government websites at the height of the Philippines’ South China Sea dispute with the PRC in 2012. It was difficult for the Philippines to attribute the action to the PRC (whether conducted by the government directly or indirectly by elements of its citizenry) because the attack may have simply been routed through the PRC rather than originating in it. But, considering the same tactics were used by the PRC in previous conflicts and owing to the escalating situation in the South China Sea, the Philippines concluded that the attack was intentionally launched by the PRC. While this did not discourage Filipino nationals from retaliating, their response did not equal the PRC’s initial attacks. Hence, while this incident and those like it may not be as devastating as conventional strategies, they can still demonstrate a country’s relative strength, while also mitigating a possible escalation of conflict by intentionally limiting one’s actions.
In contrast, Operation Red October has employed techniques to make attribution difficult and cannot be pinned to a single on-going conflict. Researchers have suggested either Chinese or Russian origins because Cyrillic text is used, as well as techniques pioneered by the PRC. But these do not provide any conclusive link or connect the incident to an on-going conflict, particularly given the range of affected states. This raises the possibility that a non-state actor is behind the operation, possibly with the motive of selling the stolen information. Researchers involved with the investigation have also proposed this theory.
The low cost of entry into cyberspace, coupled with the broad range of targets, supports the idea that Red October was not necessarily instigated by a state. Yet the possibility that it was endorsed by a state or that information will be sold to various states is quite feasible. Studies have suggested a link between the cyber underground in the PRC and government activity, for example. Red October could well be a product of this arrangement. However, all these scenarios can at best be viewed as mere supposition; as yet there is no ‘smoking gun’ that would provide the necessary clarity.
Despite that fact that cyber espionage may not have the same power and appeal as other forms of cyber attack, its value in supporting other instruments of national power in a highly interconnected global society should not be underestimated. That is to say, while cyber espionage itself cannot visibly project national power, the information that can be obtained through such activities can be used to support other cyber operations or traditional forms of power projection.
The growing prominence of the ASEAN region as an economic hub for European and American firms will increase the likelihood of cyber espionage operations to obtain proprietary information. This vulnerability is already evident insofar as several ASEAN member states are on the list of countries affected by Red October and other operations. While there is no way to accurately predict the rate at which events such as these will occur, affected countries must take steps to proactively address these threats. Initiatives such as information sharing between different law enforcement organisations and robust legislation, while not perfect, should help to blunt the effects of activities like Operation Red October.
Miguel Alberto Gomez is an instructor and researcher with the College of Computer Studies at the De La Salle University, Manila, Philippines.