We live in interesting times. In addition to the many boots-on-the-ground conflicts going on, cyberspace is a theatre of war with hardly any distinction between military and civilian targets. Nothing is off-limits and combatants can be anything from creative individuals to well-funded state level actors like governments and multi-national corporations.
There’s no way to be perfectly out-of-the-way. Any significant cluster of data, storage, computing power, or bandwidth can become a strategic resource to be sought after. When it comes to hacks, many cybersecurity professionals will say that it’s a matter of when, not if. This means that the goal of the technocratic empires to centrally control data on everyone… everything… everywhere, backfires when resilience starts to become critically important.
What makes you a target?
You may not be interested in cyberwar, but it has ways of being interested in you. For many governments, dissenting narratives are themselves considered a threat. The infodemic narrative allows funding intended for protecting critical infrastructure from hacks to be used to classify citizens or censor your speech. If only it stopped there: law-enforcement and intelligence agencies often make use of malware themselves to invade people’s devices with dubious oversight.
This is where your participation really matters. Propping up systems of control only raises the risk for yourself and others around you. It may not be a big deal when yet another company has a massive data breach, but it’s a whole other matter when it’s a treasure-trove of data the state has been collecting on everyone.
I hope that this would encourage democracies worldwide to shift from control and domination to education and innovation. By treating citizens as just another target you give up the most important strategic advantage: resilience.
You cannot invade mainland United States. There would be a rifle behind each blade of grass.
The best way to properly mitigate risk is to properly diffuse it. Avoiding systems that unnecessarily introduce risk would go a long way too. We don’t just need people to have computer skills, but we need to implement better tools and methods for many aspects of cyberspace. Allowing tyrants to seize power over cyberspace for your safety merely replaces small solvable problems with a single massive one.
With all this in mind, even as a non-combatant, it’s important to understand the battlefield and what you can do. There is a lot to understand even if you have no desire to ever hack anyone. Taking your own privacy, security and systems seriously can go a long way.
Cyberwarfare
Keeping digital systems safe from intrusion requires active vigilance. Whether it’s your social media accounts, company software, or critical infrastructure, a great deal of proactive work is required to prevent or mitigate problems. The challenge is that the defense has to get lucky every time, whereas the attackers only need to get lucky once.
A serious problem is that various exploits can be chained together allowing for more sophisticated attacks to take place. To complicate matters, the internet never forgets. Data that has been seized or leaked can be weaponized forever. This is why the top-down strategy of the state and corporations data-mining and manipulating the public is a terribly poor strategy for cyber resilience.
Social Engineering
We are all human after all. Ignorance is a problem, but so is the occasional act of carelessness. The point isn’t to beat yourself up over every mistake, but to take incidents seriously enough to learn from them before they become a bigger problem.
It has often been said that people are the weakest link. If such an individual is known, it can sometimes be much easier to manipulate a person with access than the system directly. This gets much worse when everyone is under constant surveillance by a variety of different entities. Suddenly, a one-off cloud account hack can be a springboard for other intrusions.
Phishing
Phishing is worth its own post.
There are many different ways it can be carried out:
E-mail: one kind of attack is an urgent email that requires you to immediately click a certain link. That link will then present a fake log-in form disguised as a legitimate site. This could be used to steal your credentials. If the site itself has a vulnerability, merely clicking the link itself could be enough to compromise your account.
Attachments: any file sent your way may be more than meets the eye. There are a variety of methods that allow a file that’s opened to either run as a virus or send your data elsewhere.
None of this is exclusive to e-mail.
Messaging apps and online communities can enable the same problems.
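As an added illustration of the e-mail lure described above (example code written for this post, not part of the original), the script below scans an HTML message body for the two tells the text names: a link whose visible text shows one site while the href points elsewhere, and a host that buries a trusted brand name inside an untrusted domain, alongside urgency language. The sample message, the placeholder brand examplebank.com and the trusted-domain set are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real email); examplebank.com is a placeholder brand.
SAMPLE_EMAIL = """<p>Your account will be suspended in 24 hours. Verify now:</p>
<a href="http://examplebank.com.account-verify.net/login">https://examplebank.com/login</a>
<p>Or visit <a href="https://examplebank.com/help">our help page</a>.</p>"""
TRUSTED_DOMAINS = {"examplebank.com"}  # assumed: domains the reader really has accounts with
URGENCY_WORDS = ("immediately", "suspended", "verify now", "24 hours", "urgent")

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels approximation; a real tool would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def analyze_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = nothing found)."""
    reasons, host = [], urlparse(href).hostname or ""
    domain = registrable_domain(host)
    if re.match(r"https?://", text):  # visible text shows a URL: does it match the real target?
        shown = registrable_domain(urlparse(text).hostname or "")
        if shown != domain:
            reasons.append(f"displays {shown} but goes to {domain}")
    if domain not in TRUSTED_DOMAINS and any(t in host for t in TRUSTED_DOMAINS):
        reasons.append(f"lookalike host {host}")  # brand name buried in an untrusted domain
    return reasons

def scan_email(html):
    """Return ({href: reasons} for suspicious links, urgency-language flag)."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = {h: r for h, t in parser.links if (r := analyze_link(h, t))}
    return flagged, any(w in html.lower() for w in URGENCY_WORDS)
```

Running scan_email(SAMPLE_EMAIL) flags only the first link, for both reasons, and reports the urgency language; the genuine help link passes.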
Impersonation
Thanks to a variety of voice cloning tools, impersonation is a significant risk. There are already many scams where someone receives a call from someone who sounds like their loved one asking for urgent financial assistance. The biggest risk from impersonation is not just manipulation of your loved ones, but it also makes the risk of identity theft more potent.
Malware
Malware is software that allows an attacker to either infiltrate or take control of particular systems. Sometimes it’s for mining cryptocurrency, stealing data, or more nefarious ends. Not only are cybercriminals making use of malware, but governments too.
Remote execution
Usually the first thing a sophisticated attacker wants over their target is the ability to execute a payload on the target’s system. The payload is additional instructions or programs such as more malware.
Privilege escalation
It’s bad enough to have a computer virus on your system, but often these programs will have techniques to give themselves more access over the system. This can include things like acting as your computer’s administrator, or gaining access to control over services hosted on a server.
Botnets
When an attacker has control over many systems, they can be used as a botnet. A massive swarm of infected systems can be used for DDoS attacks or merely act as remote storage and proxies for attackers. By proxying their attacks, attackers can quite effectively disguise their origin.
Vulnerabilities
Believe it or not, machines aren’t perfect either! Software development is complicated and computer engineering is even more so. Through simple mistakes or a lack of forethought, problems pile up over the course of development. With time and resource constraints, hardly any product is perfect. Many large software projects will routinely release updates to fix vulnerabilities, so updating is important.
0 days
“0 days” is a term for very valuable exploits that are presumed to be unknown to the developer/manufacturer at a given moment in time. This means that there’s likely not a security fix coming for some time. 0 days can be minor or quite critical. A major bug in a browser could potentially be part of a 0day that gives a malicious website access to your system. The most important take-away about 0days is that while software may be secure when working as intended, there can be circumstances where it isn’t.
Supply-chain attacks
These are the cases where a vulnerability is introduced during production. Software is often built on other software called libraries, and hardware is generally built with components from other suppliers. This creates an opportunity for malicious actors to introduce problems in the creation of particular software or systems. Because many projects will often use the same components or libraries, this kind of attack can impact a wide variety of targets.
Backdoors
More and more governments around the world are working to undermine end-to-end encryption. Intrusions do not end at demanding access to everyone’s intimate conversations. Often governments and law-enforcement will ask for a vulnerability to be introduced to the product itself. This is the worst-case scenario because it’s a guarantee that such a valuable key would be discovered, stolen or abused.
Ransomware
A particularly nasty kind of malware is ransomware. The gambit is that the virus encrypts all the infected system’s files and demands a payment in cryptocurrency. Not only is everything inaccessible, but often the software will overwrite everything the system has access to, potentially taking out entire enterprises. The only protection from ransomware is regular offline backups. This may be a good reason to start sharing copies of your critical backups with trusted friends or family. Otherwise, you may end up with a particularly painful, or expensive, lesson.
Consequences
As geopolitical conflicts continue, and attackers gain more ground, I would say there has never been a time where it has been more important to take control of your information. Demanding analogue or offline ways of interacting with important institutions is a must.
There is a significant push to digitize national currencies, and identity documents. One has to wonder if the escalation of state-funded cyber threats has less to do with strategic objectives, or rather creating a pretext to force citizens to surrender more information and control to less-and-less accountable institutions.
Governments and institutions are quickly rushing to orchestrate a top-down solution and handing over more influence to public-private partnerships. The “stakeholders” for these partnerships won’t be representing your needs or your interests, but rather the influences over those entities.
It’s very concerning to see soft-power projection taking control over people’s lives. In
, discusses how these public-private partnerships respond to these threats, and opens the door to discussing the implications. It is becoming hard to see where state power ends and corporate interests begin, and where they overlap. If the last few years are any indication, we can be sure that any additional power granted to these institutions inevitably leads to politicization, abuse, and weaponization. We are all responsible for how we enable governments, civil society organizations, and corporations to undermine our freedom, rights, and security.
There will never be any guarantee that centrally managed services can be safeguarded properly. The only way to protect information, and the people whose safety depends on it, is not to record it at all. If it must be recorded, then measures need to be taken to ensure it is not widely shared. Sovereign computing needs to be less of a buzzword and more of a foundation for how we build, maintain, and interact with digital systems.
Yes, the mind boggles about how the UK government thinks it can do CBDC and digital IDs... it is infamous for its ability to do big [or even little] IT projects. Capita has recently had a major hack which meant that those in pension schemes have had their personal information released, including dates of birth and social security numbers... yet the UK government has just renewed half a billion pounds worth of contracts with them!
Wow. Excellent post Gabriel. Very informative and useful!