Workshop Report: Crafting a democratic and responsible cyber power?

The Offensive Cyber Working Group hosted a workshop at CyCon 2022 in Tallinn, Estonia in May 2022.

This workshop explored what cyber power is, how it is understood, and applied in different contexts. Andrew Dwyer has now produced a report based on the workshop to share with the community, which can be accessed below:

An Offensive Future?

We are pleased to announce the publication of the Summer 2022 special issue of the Cyber Defense Review, edited and curated through the Offensive Cyber Working Group. This project brought together various scholars and practitioners from across disciplines and perspectives to explore the contours of offensive cyber.

This project began in July 2021, with an online, closed workshop where 13 authors presented a range of short papers. This productive and lively event resulted in a number of authors wishing to pursue their work in a longer, more formal forum, resulting in this special issue in the Cyber Defense Review.

As co-leads Andrew Dwyer and Amy Ertan state in the introduction, the special issue “is an open invitation to deepen and extend the conversation. The Offensive Cyber Working Group—which we co-lead and under which these papers were curated—will continue to promote conversations on these themes and welcomes engagement from research and policy communities to do so.”

It is hoped that this special issue will continue the conversation, and we would like to thank all authors, including those not within the special issue, who contributed and shared their work. You can find the links to all the papers below:

Summer Special Edition:

Dr. Andrew Dwyer and Dr. Amy Ertan (Durham University and Harvard’s Belfer Center) – “Introduction: An Offensive Future?”

Alicia Bates (King’s College London) – “Prepare and Prevent: Don’t Repair and Repent: The Role of Insurance in Offensive Cyber”

Matthias Dellago, Daniel Woods, and Andrew Simpson (University of Innsbruck and University of Oxford) – “Exploit Brokers and Offensive Cyber Operations”

Dr. Bryan Nakayama (Mount Holyoke College) – “Democracies and the Future of Offensive (Cyber-Enabled) Information Operations”

Ewan Lawson (UK Embassy, Vietnam) – “Between Two Stools: Military and Intelligence Organizations in the Conduct of Offensive Cyber Operations”

Dr. Nori Katagiri (Saint Louis University and Modern War Institute) – “Three Conditions for Cyber Countermeasures: Opportunities and Challenges of Active-Defense Operations”

Dr. Brandon Valeriano (Marine Corps University) – “The Failure of the Offense/Defense Balance in Cyber Security”

Dr. Joe Burton (University of St. Andrews) – “The Future of Cyber Conflict Studies: Cyber Subcultures and the Road to Interdisciplinarity”

Dr. Rod Thornton and Dr. Marina Miron (King’s College London) – “Winning Future Wars: Russian Offensive Cyber and Its Vital Importance in Moscow’s Strategic Thinking”

If you have ideas of how you would like to be involved with the OCWG – please do get in touch.

Cyber-Warfare: Stop Asking About the Revolution 

By Daniel Moore

We have been expecting cyberwar for decades. Researchers and commentators alike have awaited a revolution in military affairs delivered by non-violent digital coercion. In their view, cyber-warfare was expected to shake the great balance of power, plunge countries into nation-wide outages, and turn our deepest dependencies against us in the fight between nations. It all sounded quite compelling. After all, we have embraced the ascent of the internet with a passion, weaving networks into every facet of our existence. Yet the revolution in warfare never came. Far from non-violent digital coercion rendering war obsolete, we have seen that war remains a brutal, violent experience for soldiers and civilians alike. We observed cyber-warfare incorrectly; we have over-promised on what is likely and under-promised on what is possible. The result is wildly inappropriate expectations of what we may see in future conflicts.

It is not that we have not seen cyber-attacks. We have indeed, and ransomware has exacted a particularly heavy toll from governments, businesses, and individuals globally. Some ransomware operations were employed by governments as a form of crude, barely-deniable cyber-attack. We have also seen military-driven targeted attacks within conflict

I offer three points:

  1. Cyber-warfare is an incremental evolution of other forms of warfare that, when used correctly and jointly with other capabilities, can deliver meaningful effects and help achieve objectives.
  2. Cyber may deepen existing asymmetries rather than upset them. 
  3. Our visibility is deeply biased as a result of limited evidence and a narrow, desensitizing perspective. 

Evolution, not Revolution

The odds of winning a military campaign singularly through cyber are essentially zero. Disrupting networks gives you no dominion over territory, and the very nature of offensive cyber capabilities preempts them from meaningfully deterring an adversary from their intentions. This means that questions such as “Has Russia failed its cyberwar with Ukraine” are mostly unhelpful. Rather, we should ask: “Why have the Russians failed to control the narrative of war?” or “Have the Russians used offensive cyber to degrade the Ukrainian military’s capacity to execute against its objectives?” The sooner better questions permeate the public conversation, the faster we can focus on what offensive cyber can achieve rather than focusing on what it overpromises.

Attacking networks can be a force multiplier in warfare, if used well. A well-timed tactical attack against elements of local command and control can reduce enemy effectiveness. These capabilities – which are realized through what I call event-based operations – are becoming increasingly common as a natural extension of electronic warfare (EW) and can be repeatedly useful and robust.

Similarly, a strategic or theater attack against a deployed enemy can impact communications, adversely degrade telemetry, render critical networks inoperable, and even affect combat system availability. Though crudely executed, the February 2022 Russian attack against Viasat – supposedly intended to disrupt the Ukrainian military in the leadup to the Russian invasion of Ukraine – is a good example of pursuing more significant effects against enemy forces. 

I call these types of attacks presence-based operations as they frequently require extensive network intelligence campaigns to precede them. They are valuable but brittle assets. Such capabilities draw from a storied history of clandestine sabotage coupled with the communications expertise of signals intelligence (SIGINT) to create a potent, modern lovechild. 

In both circumstances, the capability alone is not enough. A tactical network attack will not win an engagement, and a strategic one will not determine a campaign. Even when used in relative isolation, such as in the Israeli example of “the campaign between wars”, attacking networks is not the revolutionary reinvention of modern warfare. Cyber-warfare presents opportunities and risks from the steeply increasing dependency on networks, feeding all aspects of armed conflict and modern life. War remains innately kinetic. 

Asymmetries Remain

It has been argued that network operations are easier to carry out than their kinetic counterparts. The barrier to entry is supposedly lower, the internet is easier to traverse than hostile airspace, there is some flimsy measure of deniability, the effects may be tailored or indiscriminate, and the tools of the craft are often easier to come by. This is true – to a limited degree. In reality, the complexities of creating effective offensive capabilities, reaching and breaching targets of interest, positioning your tools, and successfully getting the effect you want when you want it are immense. There is a reason why the vast majority of attacks we see are ransomware and wipers; they are crude, flexible, variably indiscriminate weapons. They are often the tools of the asymmetrically inferior.

Cyber often amplifies existing asymmetries in warfare. The best-resourced nations, the ones with immense investment in SIGINT, EW, technical research, and software development are best placed to leverage the full value of network attacks. The United States, despite its lawyer-laden sprawling bureaucracy, likely holds both impressive strategic and tactical capabilities and the know-how to use them. At the very least, it is arguably best positioned to fulfil this potential. 

That said, offensive cyber is asymmetrically a means of persistent harassment. For nations such as Iran or Ukraine, it provides a means to consistently exact some cost from their adversaries while presenting limited risk. In most respects, cyber operations amplify the existing operational characteristics of the nations who use them.

Gaps in Visibility

We are inundated with coverage on network attacks. Whether it is increasingly high-quality journalism, private-sector research, government agency publications, or academic analysis, it seems that attacks get surveyed and catalogued daily, with a global reach. This perception is highly misleading and creates a pervasive bias which results in unnecessary surprises and a diminished capacity for accurate threat assessment. Our visibility is principally centered on (a) the loudest, worst threat actors, (b) adversaries targeting Western or Western-neutral countries, and (c) leaks. Each of these provides unprecedented access to otherwise sensitive, compartmentalized capabilities. But it is still a sliver. 

When was the last time we saw a publicly and reputably reported strategic network attack against a major adversary by the United States, the United Kingdom, or even Israel? These threat actors are often the benchmark for operational and technical capacity, and yet they are consistently absent from view for years at a time. Considering what was possible with Stuxnet in the 2010s and various statements on network attacks expended against Iranian targets in the 2020s, we simply do not know what the state of the art is in offensive cyber. 

We have yet to publicly capture forensic details about an attack against military equipment. Considering vulnerabilities in military networks and hardware, the odds that these capabilities do not exist are minuscule. We have also yet to see network attacks leading to cascading failures of critical infrastructure within armed conflict. It does not mean they are impossible to execute, simply that they are hard, rare, and possibly saved for the rainiest of days.

Conclusion

It is crucial to acknowledge the limitations of what we see, and drive forward with cautious assessments. We know enough about warfare to understand that cyber will not fundamentally change it in the immediate future. We also know publicly enough about cyber to understand that there are likely threat actors about with capabilities meaningfully beyond what we have seen thus far. In this sense, the Russian invasion of Ukraine is both highly educational and a cautionary tale; we can learn from it, but must be careful not to over-extrapolate from it. 

The insurance industry and offensive cyber operations: Slow and steady wins the race?


By Daniel Woods

The insurance industry is far from a “usual suspect” when it comes to offensive cyber operations. Insurers are neither belligerents, targets nor suppliers of offensive cyber capabilities. Yet they often find themselves footing the bill for the resulting damages. For example, the NotPetya attack—attributed to the Russian military—was estimated to have caused $3 billion of insured losses. Typically, insurers exclude coverage for losses caused by war. This raises the question of how insurers have excluded losses caused by offensive cyber operations.

The insurance industry has erred on the side of slow deliberation, especially with respect to cyber insurance products. This is not because insurance practitioners are inherently more restrained, but instead because the structure of the industry rewards conformity.

The same restraint adds to the importance of two recent developments. First, in November 2021 an industry working group published contractual language drafted to apply to offensive cyber operations. Second, a court ruled in January this year that traditional war exclusions do not apply to the NotPetya cyber attack; notably, this case concerned an all-risks policy, not a standalone cyber product.

Going forward, the insurance industry’s approach to offensive cyber may further shape discourses around offensive cyber by contesting the language of war clauses in a court of law and by adding information to the public record via the legal process of discovery. History has shown that exclusions can even undermine economic activities as businesses withdraw due to a lack of coverage.

War Exclusions in Cyber Insurance Policies

War clauses are included in insurance policies in order to invalidate coverage if the loss was caused by war and other external-conflict-related events (e.g. warlike actions, hostilities and acts of foreign enemies). Typically, these clauses also exclude events caused by internal conflict (e.g. civil war, coup, and revolution). In some cases, events related to civil unrest (e.g. riot, strike or labor action, and lockout) are also part of a war clause. This raises the question of whether war clauses are included in cyber insurance policies, and how they are worded.

An in-depth analysis of cyber insurance policies from 2008–2018 shows that since 2012, all specialized cyber insurance policies include a war clause. In the first half of our sample, these war clauses were typically imported word-for-word from non-cyber insurance policies. This means they were drafted without offensive cyber operations in mind, as they do not include language such as the prefix “cyber”, “electronic operations” or similar. This began to change from 2015 onward.

The majority of the resulting cyber-specific clauses introduce the term “cyber terrorism”. This was not because actuaries had somehow quantified a shift in the risk landscape in which cyber terrorists played a greater role. Instead, the US Treasury clarified that the Terrorism Risk Insurance Act (TRIA) applied to cyber insurance. This obligated insurance policies sold in the US to affirmatively state whether the policy covered acts of (now cyber) terrorism. This was typically done by including a “carve back” stating that the policy covers cases of cyber terrorism, but not any other losses that trigger the war clause. This potentially left courts with the task of adjudicating two questions, namely: was the cause of the insured loss an act of traditional war, and was it an act of cyber terrorism? Coverage would only be invalidated if the answer was “yes, no”.

To summarize, the analysis illustrates how cyber insurance policies were not updated to reflect a growing narrative around cyber war and potential offensive cyber operations until at least 2018. In fact, the main driver of change was the US Treasury’s regulatory guidance. While some changes are beginning to filter through the industry, it is worth asking why insurers are so conservative when it comes to contractual language.

A Slow-Moving Industry

War clauses are not the only examples in which the industry has been slow to change. A general study of cyber insurance policies (looking at the whole contract and not just war clauses as in ours) did not reveal “any substantial changes in policy length, style, or composition over time” in a sample from 2007 to 2017. Even beyond contracts, an industry survey that asked about the impact of “systemic events such as the Dyn DDoS or the WannaCry Ransomware event” on cyber insurance assessment and pricing revealed that just 15% of insurance practitioners reported a moderate or significant change, with 45% reporting that there was no impact whatsoever.

It is worth sketching how change happens within the industry, or more importantly what structural factors inhibit change. Selling cyber insurance to large companies requires an unusual form of risk sharing between peer firms known as tower insurance. One firm offers coverage for the first $10 million of losses, another firm covers the next $15 million, a third the next $25 million, and so on. If a loss exceeds $50 million, then all three insurers pay out. Tower insurance is virtually the only way large corporations can secure cyber insurance with a limit of $100 million or more.

Typically, all layers of coverage are written with the same policy terms. In practice this means an individual insurer cannot experiment with novel cyber war exclusions without all the other insurers in the tower being on board. An additional force is that brokers would read the cyber war exclusion and immediately set about finding another insurer without the novel clause. Together these two effects, insurance towers and brokers, strengthen market norms about how cyber insurance policies should be written. This helps explain why the market was so slow to define cyber war and argue it in a court of law. Notably this changed in recent years, which we now consider.

Recent Developments

With enough time, even a slow-moving industry will get somewhere. Two processes culminated in the last year—the first was an industry push to craft a cyber-specific war clause, and the second was a court case asking whether the NotPetya attack could trigger a traditional war clause in an all-risks (not cyber) insurance policy.

First, the industry has been thinking about the problem of applying war exclusions to cyber incidents since at least 2016. In November 2021, an industry working group published the LMA Cyber War and Cyber Operation Exclusion Clauses, which exclude any claim due to a “cyber operation”. Interestingly, the primary factor in distinguishing a cyber operation from a generic cyber attack is whether the attack was attributed to “another state or those acting on its behalf” by the government in the location of the affected system. This is very similar to how insurance policies respond differently to “terrorism” but rely on governments to make the distinction. The Terrorism Risk Insurance Act (TRIA) in the US requires the US Treasury to certify whether an event was an act of terrorism, with a similar mechanism for the Government’s Pool Re scheme in the UK. The interpretation of the new concepts and definitions will no doubt generate scholarship and court cases.

But we need not wait for the decision to see whether traditional war exclusions might be triggered by a cyber incident. In January 2022, a New Jersey court ruled in a dispute over $1.4 billion in losses that the war exclusion in Merck’s all-risks (not cyber) policy was not triggered by the 2017 NotPetya attack. The decision noted that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts”. Further, the responsibility was on the insurer to communicate that offensive cyber operations would not be covered. This further motivates the relevance of the new LMA exclusions.

The Future of Insurance and Offensive Cyber Operations

Beyond analyzing the corpus of cyber insurance policies, our article identifies five ways in which the insurance industry impacts discourses on war.

1. Financial (F1) – Unavailability of risk transfer prompts risk withdrawal 

Although obvious, insurance indemnifying the costs of offensive cyber operations makes the status quo more tolerable for private firms. In doing so, Virginia Haufler argues insurers are enabling commerce and prosperity. Withdrawing such coverage can halt economic activity. For example, the introduction of terrorism exclusions in property policies halted construction projects in the wake of 9/11. This raises the question of whether the aforementioned war clauses (or similar) could lead to a shift in either the economic activity or political demands of private firms.

2. Discursive (F2) – Contractual language and disputes produce argumentation

Insurers introduce language in policy contracts to exclude offensive cyber operations. The meaning of such definitions can be clarified in court disputes over whether an exclusion applies. This shifts the discourse towards legalistic reasoning. For example, arguments presented will be probed and critiqued by opposing lawyers and the quality of evidence will be assessed according to established standards. Neither process is available when security vendors attribute offensive cyber operations in white papers without peer review—as we saw earlier the LMA exclusions turn on this exact issue.

3. Informational (F3) – Evidence is produced and made public

Beyond the mode of reasoning, legal disputes may lead new documents to enter the public domain. The most striking example of this occurred during Pan Am v. Aetna 1973, an insurance dispute that hinged on whether a plane hijacking could trigger a war clause. The legal process of discovery was used successfully to call government agencies (e.g. the State Department) to give evidence on the history of the Israeli–Palestinian conflict. Notably, the CIA refused to do so. In disputes over exclusions related to cyber incidents, novel documents could be unearthed by the discovery process.

4. Symbolic (F4) – Decisions inherit status and power from the legal system

A ruling in either direction confers the symbolism associated with the court in question. In Montoya v. United States, the Supreme Court ruled that property damage caused by indigenous tribes “acting in hostility to the United States” triggered a war clause. We saw this when New Jersey Superior Court Judge Thomas Walsh ruled that the NotPetya attack did not trigger the war clause found in Merck’s all-risks policy.

5. Active (F5) – Insurers actively shape security risks

Finally, insurers can re-structure the “strategic security environment”. This can be done either by publishing information like the Lloyd’s List, by requiring policyholders to implement security measures, or by influencing the political process. Ross Anderson predicted that insurers could lobby against offensive cyber operations way back in 1994. Notably, it is technology companies and not insurers who have set about doing so in recent years.

Conclusion

Offensive cyber operations have the potential to impact the insurance industry’s bottom line by causing many firms to make simultaneous claims. This was seen in the NotPetya attack in which the industry paid out billions of dollars to policyholders. Typically, insurers have controlled this existential risk via “war exclusions”. However, the New Jersey court ruling shows the need for insurers to draft exclusions crafted with offensive cyber operations in mind. The Exclusion Clauses released by the LMA in November 2021 do exactly this.

In the future, insurers will play a greater role in the narrative around offensive cyber operations. For example, the LMA’s choice of wording puts heavy emphasis on whether a government has attributed a cyber attack to a foreign state or its operatives. Notably, this does not include attributions made by cybersecurity vendors—an implicit value judgment. Although at present these decisions are just contractual language, insurance disputes are often argued in a court of law by opposing lawyers with million-dollar budgets. As such, scholars interested in offensive cyber operations should pay attention to the insurance industry, an actor beyond the “usual suspects”.

This blog post draws heavily on the article: Woods, D.W., Weinkle, J. Insurance definitions of cyber war. Geneva Pap Risk Insur Issues Pract 45, 639–656 (2020). https://doi.org/10.1057/s41288-020-00168-5.

Daniel W Woods is a Lecturer in Cybersecurity at the University of Edinburgh focusing on cyber risk measurement and management.

We Buy and Sell: The Public Advertisement of Zero-Day Exploits

By Max Smeets

Zero-day exploits expose a previously unknown vulnerability. They can be especially powerful for gaining access to computer systems or escalating privileges within the system.

Zero-day exploit brokers often publicly advertise what they pay out to developers for their new vulnerability discoveries. You can find detailed price lists online that tell you exactly how much money you can get for what type of exploit.

In recent years, these changes in advertised prices have been used by many commentators as a key source to understand the trends in the zero-day exploit market. For example, the media has written about the fact that you can get a reward of over a million dollars if you ensure access to an iPhone – finding a way to hack Android devices can be even more lucrative.

Yet, in reality, these publicly advertised payouts are bad indicators of market trends – and can be highly deceiving. There are often significant discrepancies between the advertised price and the actual bounty price. That is because the brokers play a signaling game involving multiple audiences.

Buying zero-days and the role of brokers

To aid their hacking activities, some government agencies (and other organisations) are frequent customers in the market for zero-day exploits.

A state can buy an exploit directly from the developers, often informally called ‘bug hunters’. But, as I explained in this Lawfare piece, it is more common that the sale goes through an exploit broker or platform that acquires original and previously unreported zero-day research from the bug hunters – and then sells it on to customers.

“Buying exploits through a broker reduces the number of parties a government organization has to engage with, allowing them to more easily vet the selling party and develop a long-term business relationship”, I previously noted. These exploit brokers and platforms exist across the world.

The role of brokers

A particularly well-known exploit acquisition platform based in Washington DC is Zerodium (its predecessor was Vupen). Zerodium resells zero-day exploits for a wide range of operating systems, web browsers, email servers, and other applications. It provides a detailed list on the website as to what it pays out to developers for a certain exploit.

The payouts for security researchers submitting fully functional exploits for mobile devices to the company are especially high. In 2015, Zerodium’s inaugural year, the platform would pay a bounty of up to $500,000 for a remote jailbreak of an iPhone (jailbreaking is a form of privilege escalation which removes software restrictions, permitting access to the operating system of the device). A year later, it doubled the maximum bounty to $1 million on iOS vulnerabilities. Soon after, Zerodium announced that it offers bounties of up to $1.5 million for this type of exploit. It also increased the payout for an Android exploit from $100,000 in 2015, to $200,000 in 2017, and ultimately to $2.5 million in the last year.

The payouts for zero-days offered by these platforms to bug hunters are often publicly advertised and seem to get fatter by the day. The media frequently reports on the spikes in the public price listings of exploits of Zerodium and academic studies have also started to build databases to analyse the market.

Yet, using these public listings to cover trends in the exploit market is highly problematic.

Signalling to multiple audiences

Exploit acquisition platforms use the listed prices to signal to multiple audiences.

First, an exploit acquisition platform wants to signal to the exploit sellers: ‘don’t sell them to another broker, sell them to us.’ This can lead to secondary effects in which the messages drive up the (public) prices for other brokers, in a space where exploit developers may try to sell their exploit to different brokers.

Similarly, the exploit acquisition platform also wants to signal to the exploit sellers: ‘don’t sell them to the vendor, sell them to us.’ Last, the exploit acquisition platform wants to signal to the exploit buyers: ‘look, we pay high prices for the exploits to developers, we have to charge you high prices if you want to buy them from us.’

Hacking can make you rich. However, the sums involved might not be as high as the ones you see in the news.

This essay is adapted from No Shortcuts: Why States Struggle to Develop a Military Cyber Force

Max Smeets is a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich, Director of the European Cyber Conflict Research Initiative, and author of ‘No Shortcuts: Why States Struggle to Develop a Military Cyber-Force’, published with Oxford University Press and Hurst in May 2022.