How nations build and defend their cyberspace capabilities

In this Help Net Security interview, Dr. Bernhards Blumbergs, Lead Cyber Security Expert at CERT.LV, discusses how cyberspace has become an integral part of national and military operations. He explains how countries develop capabilities to act and defend in this domain, often in coordination with activities in other areas of conflict. Dr. Blumbergs also explains that, despite progress in forensics and AI, identifying who is responsible for cyberspace operations remains difficult and often uncertain.

Many experts say that cyberspace has become the “fifth domain” of warfare. How accurately does that reflect the operational reality?

Cyberspace operations, under various terms and doctrines, have already been executed for at least two decades to perform various activities, such as intelligence collection, defence, and offence. NATO defined cyberspace as the fifth domain for cyber operations in 2016. This was a necessary step to formalise and define such operations to project power within and through cyberspace for the Alliance members as they execute, coordinate, or offer such capabilities to allies.

In reality, every nation develops necessary capabilities to perform cyberspace operations, as well as to detect and prevent other entities from interfering with its cyberspace. Additionally, cyberwarfare does not happen on its own. Its effects are used in support of operations in other domains, such as shaping the battlefield or the execution of kinetic attacks.

Attribution remains one of the biggest challenges in cyber conflict. How have advances in forensics, AI, and deception tactics changed the attribution landscape?

Attribution has always been a challenging process, prompting nations to establish procedures to accelerate attribution at various levels, such as political, technical, and intelligence. Cyber conflict, beyond technical operations, is usually accompanied by other activities within the information space, physical engagements, and political narratives, which permit a certain level of attribution.

The adversarial use of the latest technological advances (such as anti-forensics, generative AI, and cyber deception), as well as the execution of false-flag operations, will inadvertently make the attribution process harder. This applies both to the cyberspace operations performed by allies and their adversaries.

How can organizations improve resilience when faced with hybrid or gray-zone cyber activities that fall short of open warfare?

Only as part of intense hybrid warfare could cyber operations approach the warfare threshold, with a conventional incursion escalating the conflict to open warfare. In such a case, active cyber defence could be used to execute an asymmetric response within controlled networks.

One such form of active defence is threat hunting, which entails an active and persistent search for adversarial presence within computer systems and interaction with it to perform actions such as intelligence collection, deception, delay, and eradication. These activities would not only facilitate the attribution process but also permit the takedown of adversarial infrastructure, the acquisition of tools used by threat actors, and the hampering of ongoing offensive cyber operations.

Conducting threat hunting requires core capabilities to be in place, such as comprehensive system and network monitoring, data aggregation and parsing, and skilled human analysts.

Do you foresee offensive cyber capabilities becoming democratized, and if so, what risks does that pose for global stability?

To a certain extent, the democratization of offensive cyber capabilities has already happened, as such capabilities are available online in the form of premade offensive software and services, legitimate security testing tools, easy-to-compile source code repositories, online databases and tutorials, and generative AI tools. This abstraction of complexity enables script-kiddies to use publicly available resources and affiliates to acquire crimeware-as-a-service.

As technological immersion becomes more prevalent and the availability of information and tools omnipresent, society’s capacity for both their use and abuse increases.

What trends or developments should cybersecurity professionals be watching closely over the next decade in the context of cyber warfare?

Ten years can cover a few generations of technological development, especially under the current warfare conditions, within which existing and emerging technologies will be used to advance, merge, and enable the creation of new ones.

A more reasonable prospect is a six- to twelve-month period in which cyber warfare will further expand its capabilities towards cyber-physical systems, increasing the targeting of system-on-a-chip and embedded system firmware, and using the advancements of machine learning and computer vision to guide kinetic attacks towards critical infrastructure systems.

A significant increase in attacks is expected to target machine learning models and algorithms to poison and sabotage those used for critical areas, such as decision-making, civilian defence, and military systems.
