Opinion: No hackbacks – but offensive cyber operations

Jürgen Schmidt long argued against offensive cyber operations. Russia's sabotage attack on Poland's energy supply has changed his mind.

[Image: Mast of an overhead power line with a stylized background and the visible words "Cyber Attack". Credit: vectorfusionart / Shutterstock.com, edited by heise medien]


Germany must develop and also deploy offensive capabilities in cyberspace. We can no longer refuse to engage in this ongoing conflict.

I abhor the word “hackbacks.” It's an inflated political marketing term that evokes false associations. As if there were some kind of “cyber-retaliation” directly in response to any hacks. But that's not how it works. It's not about counter-strikes but about whether one actively participates in a conflict in cyberspace. So let's talk about “offensive cyber capabilities” instead.

By this, I mean the ability to obtain information about the adversary through targeted cyber attacks in a conflict, to influence them, and also to disable their IT infrastructure. The conflict already exists. A war has been raging right on our doorstep for years, in which we have clearly taken sides with the attacked Ukraine and thus against the aggressor Russia, for good reasons. So we are already part of it.

An opinion by Jürgen Schmidt

Jürgen Schmidt—aka ju—is head of heise Security and senior fellow security at Heise Verlag. A physicist by training, he has been working at Heise for over 25 years and is also interested in networking, Linux, and open source. His current project is heise Security Pro for security managers in companies and organizations.

And we are already seeing the effects in cyberspace: Russia is attacking Europe and NATO with all its cyber forces. The Kremlin-affiliated group NoName057(16) is openly coordinating DDoS attacks against European authorities and companies. It even maintains public hit lists of current targets. heise online also appeared there after Russia-critical statements. Furthermore, Russia's secret services are conducting large-scale disinformation campaigns aimed at unsettling the population and destabilizing our democracy.

And at the turn of the year, Russia crossed another red line. As the Polish CERT meticulously documented, attackers – almost certainly Russian – attacked our neighbor's energy supply with a destructive sabotage attack. Poland, like us, is a member of the EU and NATO. The fact that there has been no reaction from the West so far will have one consequence above all: Russia will continue to escalate in cyberspace. The next cyberattack could hit energy suppliers here in Germany.

Since then, I've been asking myself: Can we really afford to entirely refuse to engage in this conflict in cyberspace, or more precisely, to always just take the hits? Should we offer Russia, the cyber bully, the other cyber cheek, in the hope – but what hope? They won't just stop. Why should they if it works and has no negative consequences for them? We need ways to put this aggressor in his place.

One can now lament the unreliability of information about perpetratorship. However, attribution has developed to such an extent that it can provide useful information about perpetrator groups and their origins. Of course, assigning responsibility for cyber attacks remains a difficult craft, and there is always some residual uncertainty. That is precisely why direct 1:1 actions make no sense. Because there would indeed be a risk of accusing the wrong party and placing oneself in the wrong with a hasty, direct response. But the general trend is clear and undisputed: Russia has massively expanded its cyber attacks against Europe and NATO in recent years. There is no denying that. And we – Germany, the EU, and NATO – have so far not responded adequately.

Of course, this could also occur in other areas. But we have already gone through all of that – without it deterring Russia from escalating its cyber activities. Does anyone seriously believe that a threat of further sanctions or the expulsion of diplomats could stop Putin from approving a cyber strike against German critical infrastructure? However, with offensive cyber capabilities, new possibilities arise.


What would speak against penetrating NoName*'s IT infrastructure and sabotaging it sustainably? That would be a clear blow against Russia's offensive cyber activities and demonstrate that we are capable and willing to react to escalation in this area. One could also identify important individuals in Russia's war machine, monitor their communications, and infect their phones with espionage software. The information obtained from this would certainly be extremely useful for coordinating further actions – even outside of cyberspace.

Especially with sabotage actions, one can never completely rule out unintended side effects. However, one should not overstate this danger either. Thousands of ransomware attacks, despite their ruthless nature, have so far primarily caused financial damage. If cyber strikes are carried out with caution, unlike, for example, with missile attacks, the risk to human life can be kept very low.

Of course, this does not mean that defensive efforts in cyberspace can be neglected. Better IT security and more resilience are indispensable and have the highest priority. The attack on Poland's energy supplier, in particular, shows that much is still amiss despite NIS-2. But Germany, the EU, and NATO now also need offensive capabilities in cyberspace so as not to be permanently disadvantaged in the conflict with Russia.

This commentary was originally written by Jürgen Schmidt for the exclusive newsletter of heise security PRO, where he analyzes the IT security world for corporate security managers every week:

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.