Andria Gotsiridze, Cyber Security Consultant, Founder of Cyber Security Studies & Education Center
Cyber security became a major topic of discussion at the Geneva Summit, following a series of cyber-attacks directly or indirectly linked to the Kremlin. Having announced in advance that the US would respond in kind, Biden handed Putin a list of sectors, attacks on which would constitute a red line for Washington. As expected, the Russian President denied any Russian connection to the cyber-attacks, but expressed readiness for cooperation between the two countries’ cyber experts. The summit, which reinforced the sense that responsible Russian behavior in cyberspace is unlikely in the near future, was preceded by several major cyber-attacks.
At the end of 2020, the well-known American cybersecurity company FireEye announced that it had fallen victim to a cyber-attack. It turned out that APT29, a group affiliated with the Foreign Intelligence Service of the Russian Federation (SVR), had carried out a large-scale supply-chain attack against large US private companies and government agencies. The intrusion was delivered through a trojanized software update for SolarWinds Orion, a widely used network management platform: customers who installed the update received the malicious code along with it. The poisoned update reached thousands of organizations around the world, including multiple US federal agencies, although the attackers pursued follow-on intrusions at only a subset of them. The campaign was assessed to be cyber espionage.
On May 7, a ransomware attack on Colonial Pipeline, operator of one of the largest fuel pipelines in the United States, led the company to halt pipeline operations temporarily as a precaution. The attackers broke into the company’s corporate network, exfiltrated almost 100 GB of data, and received several million dollars’ worth of bitcoin in ransom in exchange for a decryption key for the encrypted data.
The US Department of Transportation issued a regional emergency declaration to ease the transport of fuel by road. The pipeline shutdown drove up fuel prices; after several days of disruption, they reached their highest level since October 2014.
The perpetrator, DarkSide, a Russia-based cybercrime group operating a ransomware-as-a-service model, became active in 2020 and has already caused losses of billions to the West. The group also publishes a kind of “code of ethics”, stating that it will never attack government agencies, the medical sector or educational institutions.
A little later, at the beginning of June, another ransomware attack, this time on JBS, one of the world’s largest meat producers, disrupted operations in the United States, Canada, and Australia and pushed up meat prices. According to the FBI, the Russian cybercriminal group REvil was behind the attack.
REvil, also known as Sodinokibi, is a well-known ransomware group that has been active since at least 2019. Its members are believed to be citizens of Russia and other post-Soviet countries.
So far there has been no evidence of direct Kremlin involvement in the last two attacks, but, as President Biden put it, the fact that these criminal groups operate from Russia places some responsibility on Moscow. Official Moscow’s tolerance of hacker groups operating from the territory under its control is well known. By not taking appropriate measures (arresting the actors and seizing decryption keys), the Kremlin at the very least encourages cybercrime, which serves as a means of weakening the West.
Whether the number of cyber-attacks will decrease as a result of the summit remains to be seen, although, judging by the post-summit announcements, it could be called a red-lines summit: the US drew certain red lines in order to reduce risk in the cyber domain.
We can highlight several main directions in the field of cyber security at the Geneva Summit:
- According to Biden, experts from the two countries will work on “a specific interpretation of what actions are to be prohibited in cyberspace”, and will monitor cyber-attacks originating from the territory of either state;
- Biden handed Putin a list of the 16 sectors designated as critical infrastructure by the 2013 Presidential Policy Directive (PPD-21); attacks on them, according to the President, would precipitate an appropriate response. These sectors include government facilities, financial services, healthcare and public health, communications and information technology, energy, transportation systems, food and agriculture, and other critical sectors.
- Prior to the summit, Putin offered the US administration a mutual handover of cybercriminals; the White House responded with a willingness to prosecute cybercriminals, but, naturally, without any exchange of extraditions. Washington’s position is that a responsible state must take action against cybercriminals operating from its territory. This runs directly counter to the Kremlin’s intention to exploit the gaps in international law and use cyberspace for its own geopolitical purposes in a way that stops short of triggering a collective defense mechanism or a retaliatory strike.
- Putin said at the press conference that Russia had received no appropriate response to 45 cases of cybercrime it had referred to the US, despite the Kremlin having complied with all relevant US requests. The Russian President also stressed that Washington had never provided adequate evidence to substantiate its claims of Russian cyber-attacks. These statements are clearly intended for a less informed audience and are false. In October 2020, the US Department of Justice unsealed an indictment against six GRU officers. Alongside other high-profile attacks, the indictment covers a 2018 spear-phishing campaign against Georgia’s leading media outlets and the 2019 defacement of thousands of Georgian websites, which disrupted the websites of the president’s administration, the courts and local governments. Earlier still, more than two dozen GRU officers and other Russian operatives had been charged with interfering in the 2016 US election.
- The development of offensive cyber capabilities is the most important topic, and one that may open a window of opportunity for Georgia. Clearly, open threats could not be made during the meeting, yet the prospect of a proportionate response was present throughout. That is probably what Biden’s question to Putin was aimed at: what would he do if Russian oil pipelines came under a massive cyber-attack? Biden stressed that the US has significant offensive cyber capability and that Putin knows what consequences to expect. It should be noted that the US has been actively developing offensive cyber capabilities in recent years. US Cyber Command has expanded its mission in Europe, the Middle East, and Asia to monitor Russian, Chinese, and Iranian cyber actors. The NSA has the ability to block overseas targets, destroy their databases, or shut down their networks. During the 2018 midterm elections, US Cyber Command took the Russian Internet Research Agency (IRA) offline as a preventive measure. Last year, the NSA and US Cyber Command launched a cyber operation against hackers of Iran’s Islamic Revolutionary Guard Corps after the group sent threatening emails to American voters.
After the SolarWinds incident, the White House intends to invite allies, namely the UK, Denmark, Estonia, and France, to CYBER FLAG 21-1, the annual exercise organized by the US Department of Defense. According to official information, the exercise is meant to build a community of cyber security operators and to enhance capabilities for detecting malicious activity against critical infrastructure, synchronizing countermeasures and mounting joint responses. In effect, it is a concept of collective defense in cyberspace, operating in accordance with the norms of responsible state behavior in cyberspace.
In general, in light of the ongoing confrontation in cyberspace, Washington will seek to intensify cooperation with allies against malicious cyber activity, and to harmonize positions on the applicable norms of international law and on attribution. Involvement in these efforts is very important for Georgia, whose cyberspace serves as a kind of testing ground for Russian cyber operations.
As early as September 2019, the US and 26 partner states signed a joint statement on responsible state behavior in cyberspace. The signatories note that, where necessary, they will act jointly against “irresponsible” states in accordance with the norms of international law. Naturally, Russia did not sign the document, and a Chinese Foreign Ministry spokesman said the statement “is an attempt to justify certain countries’ offensive military operations in cyberspace and to turn the cyber domain into a new theater of war”.
It is important for Georgia to sign on to this document and thereby gain the opportunity to take part in developing the framework of responsible behavior on the Internet, as well as in cyber capacity-building activities. At the same time, Georgia should not limit itself to statements of attribution; from the outset it should express its readiness to join the CYBER FLAG exercises. Such a development is feasible, given the degree of Georgia’s integration with the West in cyberspace.