The events of recent weeks, with Russia’s war against Ukraine currently underway, place renewed focus on the issue of cyber threats to the critical infrastructure of states. However, the issue itself is not new.
The so-called “critical infrastructure” includes sectors such as energy, information technology and telecommunications, transportation, health, water, food, finance and insurance, government and administration, waste disposal, as well as media and culture.
In other words, critical infrastructures are essential to the smooth functioning of society, and their failure can ultimately threaten public safety. These sectors have been regulated since 2015 by the BSI Act, which was revised again in 2021 by the new IT Security Act. The law also sets out requirements that operators must meet to protect these critical infrastructures, and not without reason: the fact that critical infrastructure can be the target of attacks from cyberspace has not only been known for a long time, it is unfortunately also a bitter reality.
FINANCIAL SECTOR PROTECTION
On a different level, the European Union is currently consulting on the “Digital Resilience Operations Act” (DORA), a law that is intended to make financial service providers and their large IT service providers especially responsible for protecting themselves against cyber threats. This is because the financial sector, with its electronic payment systems, is of critical importance to a functioning public life in our increasingly digitalized societies.
INTERNATIONAL LAW – NOT AN ISSUE IN CYBERSPACE?
The United Nations is working to establish more general norms of behaviour in cyberspace. In 2018, through Resolution 73/27, the United Nations General Assembly established the “Open-ended Working Group on developments in the field of information and telecommunications in the context of international security”, which addresses issues such as cyber operations in the context of armed conflict. This is necessary because cyberspace has not yet been given any real consideration in international law.
WHO IS THREATENING WHOM?
But who actually poses the much-vaunted threat in cyberspace? The range of actors is very broad, extending from nation states, through state-supported or state-tolerated actors, to criminal organizations and individual criminals. The boundaries between them are fluid and sometimes hard to draw, which makes prosecuting the corresponding crimes and attributing attacks clearly – i.e., assigning an act precisely to an actor – all the more difficult. This mix of actors can also be observed in Russia’s war against Ukraine in recent weeks.
The possible attack scenarios in cyberspace are diverse. They range from the disruption of payment systems through so-called distributed denial-of-service attacks, to the sabotage of public administration through the encryption of data, to the modification of settings and controllers in water or gas supply.
EXAMPLE GERMANY
Recent examples in Germany alone include the attack on the Wismar public utility company, the Düsseldorf University Hospital, and the Bitterfeld district administration. The list could go on and on.
WIDE RANGE OF METHODS
The tactics used are similarly varied. Phishing emails are common, as are websites carrying content that is partly infected with malware and is downloaded automatically when the user visits the site. In addition, there is what is often called classic hacking, i.e. the targeted exploitation of software vulnerabilities – either flaws in the code of the software used, or security gaps caused by incorrect configuration settings or settings that were never made in the first place. The actions of attackers, and the combination of individual tactics in increasingly complex networks, are presenting operators with ever greater problems in defending their computers and networks.
PROTECTION AND DEFENCE
To defend against these threats, a multi-layered approach is used. On the management side, an information security management system is set up; this is not a technical system but a coordinated and interdependent set of processes, roles, responsibilities and controls to ensure the security of the organization’s own information. On the technical side, a number of applications are used to detect and defend against such attacks. Increasingly, artificial intelligence is used here, which in part learns independently by means of neural networks in order to recognize attack patterns.
So-called “Intrusion Detection Systems” (IDS) analyse network traffic looking either for already known attack patterns or for deviations from normal data traffic. Smart Intrusion Prevention Systems (IPS) go one step further and can automatically initiate countermeasures, such as closing certain network connections or revoking certain access authorizations, so that the attacker’s actions can no longer be carried out.
SECURITY OPERATION CENTER
Both aspects come together in a “Security Information & Event Management” (SIEM) system that reports events to security analysts, who perform further checks depending on the situation and, if necessary, alert other units in the “Security Operation Centre” (SOC), the command centre for cyber defence. The use of artificial intelligence in defence, as well as on the attacker side, will continue to increase in the coming years, further intensifying the arms race. A strategic and efficient build-up of defences is therefore needed.
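The IDS, IPS and SIEM stages described in the two preceding sections can be seen working together in the following small Python script. It is an added illustration written for this article, not code from any IDS product or from the author: the flow records, the baseline traffic, the blocklisted user-agent string and the IP addresses are all constructed placeholders, and the thresholds are arbitrary choices. One detector matches a known signature, one flags statistical deviations from the learned baseline (unusual outbound volume, or one host touching many ports on another), the IPS step turns certain alerts into a block decision, and the SIEM step correlates alerts per source and escalates to the SOC when several independent rules fire on the same host within a short window.

```python
"""Toy IDS -> IPS -> SIEM pipeline over constructed network flow records."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # timestamp in seconds (constructed)
    src: str         # source address (constructed placeholder)
    dst: str         # destination address (constructed placeholder)
    dport: int       # destination port
    bytes_out: int   # bytes sent by src in this flow
    payload: str     # short text excerpt of the request (constructed)


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    rule: str
    detail: str


# Constructed historical "normal" outbound volumes used to learn the baseline.
BASELINE_BYTES = [1200, 1400, 1100, 1300, 1250, 300, 900, 1500, 1000, 1150]

# Constructed signature list: a user-agent string we assume is known to be bad.
BAD_USER_AGENTS = {"EvilScanner/1.0"}

# Constructed sample traffic: a benign workstation (10.0.0.5) and a misbehaving host (10.0.0.9).
FLOWS = [
    Flow(100, "10.0.0.5", "10.0.1.20", 443, 1200, "GET /index.html UA=Firefox"),
    Flow(101, "10.0.0.5", "10.0.1.20", 443, 1400, "GET /app.js UA=Firefox"),
    Flow(102, "10.0.0.5", "10.0.1.21", 443, 1100, "GET /api/status UA=Firefox"),
    Flow(103, "10.0.0.5", "10.0.1.20", 443, 1300, "GET /logo.png UA=Firefox"),
    Flow(105, "10.0.0.9", "10.0.1.30", 22, 300, "SSH-2.0 probe"),
    Flow(105, "10.0.0.9", "10.0.1.30", 23, 300, ""),
    Flow(106, "10.0.0.9", "10.0.1.30", 135, 300, ""),
    Flow(106, "10.0.0.9", "10.0.1.30", 445, 300, ""),
    Flow(107, "10.0.0.9", "10.0.1.30", 3389, 300, ""),
    Flow(110, "10.0.0.9", "10.0.1.30", 80, 90000, "POST /upload UA=EvilScanner/1.0"),
]


def signature_detect(flows):
    """IDS, signature mode: match traffic against already known bad patterns."""
    return [Alert(f.ts, f.src, "sig-bad-user-agent", ua)
            for f in flows for ua in BAD_USER_AGENTS if ua in f.payload]


def anomaly_detect(flows, baseline_bytes, z_threshold=4.0, port_threshold=5, window=10):
    """IDS, anomaly mode: flag deviations from the learned baseline."""
    alerts = []
    mu, sigma = mean(baseline_bytes), pstdev(baseline_bytes)
    if sigma > 0:  # a flat baseline gives no usable z-score
        for f in flows:
            z = (f.bytes_out - mu) / sigma
            if z > z_threshold:
                alerts.append(Alert(f.ts, f.src, "anom-volume", f"z={z:.1f}"))
    # Port sweep: one source reaching many distinct ports on one host within `window` seconds.
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda x: x.ts)
        for i, first in enumerate(pair_flows):
            ports = {g.dport for g in pair_flows[i:] if g.ts - first.ts <= window}
            if len(ports) >= port_threshold:
                alerts.append(Alert(first.ts, src, "anom-port-sweep", f"{len(ports)} ports on {dst}"))
                break  # one alert per (src, dst) pair is enough
    return alerts


BLOCKING_RULES = {"sig-bad-user-agent", "anom-port-sweep"}  # rules an IPS may act on automatically


def ips_decide(alerts):
    """IPS step: return the set of source addresses whose connections would be closed."""
    return {a.src for a in alerts if a.rule in BLOCKING_RULES}


def siem_correlate(alerts, window=60, min_rules=2):
    """SIEM step: group alerts per source and escalate to the SOC when distinct rules coincide."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    incidents = {}
    for src, src_alerts in by_src.items():
        src_alerts.sort(key=lambda a: a.ts)
        rules = {a.rule for a in src_alerts if a.ts - src_alerts[0].ts <= window}
        severity = "escalate" if len(rules) >= min_rules else "review"
        incidents[src] = (severity, sorted(rules))
    return incidents


def run(flows=FLOWS, baseline=BASELINE_BYTES):
    """Run the whole pipeline and return (alerts, blocked sources, SIEM incidents)."""
    alerts = signature_detect(flows) + anomaly_detect(flows, baseline)
    return alerts, ips_decide(alerts), siem_correlate(alerts)


if __name__ == "__main__":
    found, blocked, incidents = run()
    for a in found:
        print(f"[{a.ts}] {a.src} {a.rule}: {a.detail}")
    print("IPS would block:", blocked)
    print("SIEM incidents:", incidents)
```

Running it prints one signature alert and two anomaly alerts for the constructed host 10.0.0.9, an IPS block decision for that host, and a SIEM incident marked "escalate" because three independent rules fired within the correlation window; the benign workstation produces no alert at all. The split between `ips_decide` and `siem_correlate` mirrors the division of labour in the text: the IPS acts automatically only on rules whose false-positive cost is acceptable, while the SIEM hands the combined picture to an analyst.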
Text Sebastian Troch