When Do Cyber Campaigns Cross a Line?

Tom Uren
Friday, December 5, 2025, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Cybersecurity. (Tim Reckmann, https://ccnull.de/foto/cybersecurity/1105048, CC-BY 2.0)

A new paper from the Germany-based think tank Interface has attempted to define the threshold at which peacetime state cyber operations become irresponsible.

The author thinks that more concrete definitions of responsible behavior would help guide states and prevent dangerous conduct.

It's a commendable effort, but we don't think the architects of cyber operations really care about norms, and a German think tank writing down its preferred rules on a piece of paper won't make any difference to state behavior.

Governments do, however, care about potential political costs and the risk of retaliation. One of the paper's goals is to provide a framework that makes it easier for victim states to flag irresponsible operations and respond appropriately.

The paper defines seven principles-based "red flags" and gives examples of some real-world cyber operations that might have raised these flags.

The first red flag, "causing physical harm, injury or death," is pretty straightforward. It's a threshold that states have observed, and the paper does not list any cyber operations that it thinks have crossed the line.

The most interesting red flag is "lacking or losing operational control." The author argues that maintaining effective operational control "is essential," because risks increase when operations spiral out of control.

This can take two forms. One form is "technical loss of control," as in the cases of NotPetya, WannaCry, or even Stuxnet. At first glance, states seem to have learned their lesson, and there hasn't been another NotPetya-style disaster since the original was unleashed in 2017.

The paper points out that AI "vibe coding" could make loss of control a problem again. Loosey-goosey software development risks introducing unpredictable behaviors. If operators don't even understand how their malware works, things could go wrong.

The second form is what the paper calls "organizational loss of control." This part of the paper takes aim at China's loosely controlled contractor ecosystems, and the examples cited include i-Soon and other contractors, and the mass exploitation of Microsoft Exchange.

This is a part of the report that could get some traction with policymakers. Governments want to make hay with cyber operations, but they don't want to accidentally cause some sort of drastic escalation because a contractor got excited.

The other five red flags are less likely to move the needle. The internal logic of why they are red flags makes sense, but some are already fairly common or there are practical reasons they are difficult to deter.

For example, "intervening in domestic political processes" being listed as a red flag makes sense. Internal political processes are fundamental to how a state functions. But interference is actually relatively commonplace, and we've yet to see a strong response. The paper cites direct interference in Ukrainian election architecture and hack-and-leak operations to influence the U.S. and French presidential elections as examples of this type of interference.

The French response to election interference in 2017 was tactically very effective, in that Russian interference was neutered, but in general, responses have not been painful enough to deter adversaries.

At least in part, that is because it can be practically difficult to respond robustly. During the 2016 U.S. presidential election, for example, a domestic constituency benefited from interference and did not want to acknowledge that it had even occurred.

So although the underlying logic of labeling interference in domestic political processes as a red flag makes sense, there are practical reasons why it has historically been difficult to enforce. And we don't see these reasons disappearing anytime soon.

"Triggering physical disruption or destruction" is listed as another red flag, with the paper citing the interruption of Ukraine's electricity network, Stuxnet, and the disruption of a German steel mill as examples. If we were writing the report, we'd add the Predatory Sparrow incidents in Iran to the pile.

Most of the destructive incidents we mentioned above are examples of stronger, more capable states punching down on relative minnows. It's the kind of thing bigger states do when they think they can get away with it. An aggressor state might even argue that these destructive cyber operations are a good thing because they replace more destructive and escalatory kinetic attacks.

Two of the other red flags fall into the category of mostly-observed-but-we'll-do-it-when-we-can-get-away-with-it operations. These are "prepositioning for civilian disruption" and "preparing the military battleground."

The best example the paper cites here is Volt Typhoon, the Chinese government's effort to compromise U.S. critical infrastructure. That example highlights the problem, though. The U.S. absolutely does not want China's hackers rummaging around through its critical infrastructure getting up to no good. But what can it do? The U.S. is already engaged in an on-again, off-again trade war involving tariffs, critical minerals, and artificial intelligence (AI) technology transfer. Concerns about Volt Typhoon are lost in the noise.

The paper also briefly describes the "toolbox" of options that policymakers can use to respond. This isn't the paper's focus, but it suggests "military posturing or operations" as an option.

The paper presents a framework to decide when cyber operations cross important thresholds that are worth responding to. As U.S. policymakers are thinking about legislation aimed at deterring foreign cyber adversaries, this work could be useful.

Iranians Share Deadly Cyber Intelligence With Proxies

Last month, AWS reported that state actors were "bridging cyber and kinetic warfare." Color us totally unsurprised, although it is interesting that the two case studies AWS cites involve Iran.

In one case study, a group controlled by the Islamic Revolutionary Guard Corps compromised the Automatic Identification System (AIS) maritime situational awareness systems of a number of ships. Access to those AISs was then used to locate a specific vessel, which was targeted by a missile strike from Houthi forces.

In another, a group operating on behalf of the Iranian Ministry of Intelligence and Security compromised Israeli IP security cameras to help target missiles and conduct battle damage assessments. This has become a workaday war hack. In early 2024, we wrote about Russia using essentially the same CCTV compromise technique to better target missiles in Ukraine.

It is interesting to see Iran integrating its cyber espionage intelligence with its own forces and its proxies, though.

Mr. Claude Goes to Washington

Anthropic has been called to testify to Congress about a Chinese group using Claude Code in an AI-powered cyber espionage campaign.

It is a positive that lawmakers are interested in understanding the implications of AI for cybersecurity. And they are interested in pretty sensible topics such as how other AI tools could be used in similar attacks and how AI could be used defensively, as reported by Axios.

We'd also be interested in how far behind Claude Code open-source and Chinese models are. Is it just a matter of time before adversary threat actors migrate away from places where U.S. AI companies have visibility?

So far, both OpenAI and Anthropic have released fairly regular threat reports despite there being no requirement for them to do so.

Of course, these platforms being abused by China's Ministry of State Security is hardly a good news story, so there will no doubt be pressure from some forces within these companies to pull back efforts to detect and counter their malicious use.

That'd be bad, so this hearing is a good opportunity to reinforce the expectation that AI companies devote effort to countering malicious users on their platforms.

Three Reasons to Be Cheerful This Week:

  1. Cryptomixer bust: This week Europol announced that a law enforcement operation had taken down the cryptocurrency mixing service Cryptomixer. It obfuscated currency flows by pooling deposits for a long time and then redistributing funds after a randomized time delay. The service was available on both the clear and dark web. Europol says it was the "platform of choice for cybercriminals." It claims that 1.3 billion euros have been mixed through the service since 2016.
  2. Browser opt-out is coming: A new California law set to come into effect in 2027 will require browsers to have a single setting for users to opt out of data sharing when visiting sites. The law applies only to California residents, but it effectively has a global impact because it covers them even when they are traveling or using a VPN. It's an idea whose time has come, and the European Union is moving in a similar direction.
  3. Myanmar scam site takedown: The Department of Justice announced it had taken down a website used by a Myanmar scam center that was spoofing the website of the legitimate foreign exchange and commodities trading platform TickMill. A single site is a small victory, but it is a good sign of increased U.S. government focus on Southeast Asian scam syndicates.

Shorts

Asian Scam Centers Are Still Growing

A few weeks back, we were optimistic that reports of the demolition of the KK Park scam compound were actually good news, but experts now believe that it was mostly a PR exercise by the Myanmar government. It's not all peaches in Cambodia, either. Cyber Scam Monitor notes that Cambodian government crackdowns appear to be short-lived and targeted mostly on smaller scam compounds. Larger sites appear to have been untouched, some are "massively" expanding, and new ones are still popping up.

Disappointing.

China: The World's Most Innocent and Fluffy Cyber Bunnies

Late last month, the Chinese government released a white paper on arms control, and we thought one of the cyber-related sections was a good laugh. A short excerpt:

China opposes attempts to "own the domain" from a position of strength and carry out large-scale, systemic and indiscriminate theft and cyberattacks around the globe. It condemns a certain country's wanton targeting of other nations' critical infrastructure in cyberattacks, which places global critical infrastructure at grave risk.

It is reassuring to know that the PRC condemns Salt Typhoon and Volt Typhoon!

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq wonder whether it is possible to deter states from cyber espionage with doxxing and other disruption measures.

From Risky Bulletin:

Evil twin hacker sentenced to 7 years: An Australian man was sentenced to 7 years in prison for setting up fake Wi-Fi networks to steal personal data. Michael Clapsis, 43, from Perth, ran fake free Wi-Fi access points at the Perth, Melbourne, and Adelaide airports, during multiple domestic flights, and at work. He used evil twin attacks to redirect users to phishing pages and capture credentials. He then accessed personal accounts and collected intimate photos and videos of women. Clapsis also hacked his employer and accessed emails between his boss and police after his arrest. [ABC]

CCTV hackers detained in South Korea: South Korean authorities have arrested four individuals who hacked more than 120,000 security cameras, downloaded footage, and sold the data on adult-sharing portals. [ChosunBiz]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.