The world breathed a sigh of relief when Donald Trump de-escalated the tensions between the United States and Iran, which started when an American drone killed General Qasem Soleimani early in January and continued a few days later when Iran fired 15 missiles at several Iraqi military bases housing American and coalition forces.
Nevertheless, punitive sanctions remain in place and there has been an intense standoff since the United States withdrew from the Iran nuclear agreement. Iran knows it must pursue an asymmetric warfare strategy, which it is waging mainly through sponsorship of various allied militia in the Middle East, some of which are designated terrorist organizations by the United States and the European Union.
But there is another weapon that Iran has used in the past and may pick up again: cybercrime, in particular as a means of destabilizing the western banking system. It has form. Between 2012 and 2013 hackers brought down the internet sites of several American financial institutions, including global firms such as Bank of America, JPMorgan Chase, Citigroup and Wells Fargo. Seven Iranians, who worked for the IT company that serves the Revolutionary Guards, were subsequently arrested and sentenced.
As a form of warfare, cybercrime has the two distinct advantages of being much less expensive than traditional military warfare, and much harder to detect. Directly after the killing of Soleimani, Neil Walsh, who leads the UN’s cybercrime initiative from Vienna, warned both countries not to resort to cybercrime as a means of retaliation. Walsh cautioned that targeting computer systems can have as much impact as physical attacks – and that nation states should think twice before carrying them out. As reported in the New Scientist magazine, there is a rather bizarre etiquette evolving around cyberwarfare. “There is an ongoing cybersecurity diplomatic process, which is where countries sit together to discuss what they can and can’t do against each other in cyberspace, and try to agree norms,” Walsh said. He too emphasized the difficulty of detecting cyberattacks and identifying the people behind them, and the dangers of misattribution of cyberattacks. “If a country sends a missile up from one place to another, you see where it came from, you know where it went. In terms of attribution, that’s relatively easy to do,” he said. But attributing cyberattacks can be much more difficult, increasing the risk of escalation. “That gap between is it an individual, is it a criminal, is it a terrorist, versus an intelligence agency, a military body or an advanced persistent threat group, is so grey now that for one to say it was a criminal or state-based activity might be incredibly difficult to do.”
As Iran’s record already shows, it is not just the military-industrial complex that has a legitimate concern about cyber terrorism and state-sponsored cyberattacks. State-sponsored attacks on businesses have significantly increased over the past few years. In this form of warfare, financial services companies are in the front line, while healthcare and retail businesses are not far behind.
Iran is not the only culprit here. State-sponsored cybercrime is on the increase worldwide. The Centre for Strategic & International Studies has been tracking major incidents for some time. In December 2019 alone, it recorded the following:
- Microsoft won a legal battle to take control of 50 web domains used by a North Korean hacking group to target government employees, think tank experts, university staff, and others involved in nuclear proliferation issues.
- An alleged Chinese state-sponsored hacking group attacked government entities and managed service providers by bypassing the two-factor authentication used by their targets.
- Chinese hackers used custom malware to target a Cambodian government organization.
- Unknown hackers stole login credentials from government agencies in 22 nations across North America, Europe, and Asia.
- Iran announced that it had foiled a major cyber-attack by a foreign government targeting the country’s e-government infrastructure.
- A suspected Vietnamese state-sponsored hacking group attacked BMW and Hyundai networks.
- Russian government hackers targeted Ukrainian diplomats, government officials, military officers, law enforcement, journalists, and nongovernmental organizations in a spear phishing campaign.
Some businesses already take the threat seriously, which has resulted in massive growth in the cybersecurity industry, which Gartner Inc. values at $124 billion per annum. In a recent survey report into financial crime, cybercrime was identified as by far the biggest external threat, and 20% of the respondents said their organizations had been the victims of financial cybercrime in the previous 12 months. Among publicly listed companies, that figure rose to 26%. Refinitiv calculated the total losses from cybercrime by the 2,373 global companies surveyed at $241 billion. According to the insurance brokerage and risk management consulting firm Marsh, cybercrime cost half a trillion dollars in economic damage in 2018, far more than the $300 billion in economic losses from natural disasters. Yet spending on cybersecurity insurance premiums ($4 billion in the USA) is dwarfed by that spent on property insurance ($180 billion).
The threat of state-sponsored cybercrime was back in the news at the end of January, as the British government debated whether to award lucrative 5G network contracts to the Chinese firm Huawei. It decided not to ban the company outright, but to set clear limits that would exclude Huawei from any infrastructure that the UK government deems sensitive (what it calls “core” as opposed to “peripheral” infrastructure). At most only 35 percent of 5G or gigabit network traffic will be allowed to pass through equipment made by “high risk vendors”, and only 35 percent of cellular base stations can include equipment from those vendors. Without mentioning Huawei by name, the UK Culture Secretary said, “The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks.”
The European Union issued similar guidance. But the US government is less sanguine. It effectively bans carriers from using the company’s equipment in US networks; it has long warned that Huawei could build backdoors into its products that could be accessed by the Chinese government, something the company denies it has done or would do.
Warnings from experts in the field of cybersecurity suggest that setting percentage limits or distinguishing between “core” and “peripheral” could be ineffective. The demarcation lines between the two are blurring as all components become more software driven. As a result, even the simplest equipment can be vulnerable to hacking. As UC Berkeley security researcher Nicholas Weaver told Wired magazine, “5G antennas aren’t simply wires, but complex computers in their own right doing a lot of signal processing.”
The concerns in the United Kingdom, expressed by a number of prominent MPs in the House of Commons, have focused mainly on personal privacy and the security of defense and intelligence establishments such as GCHQ. As one MP put it, Huawei has more people employed in its research department (90,000) than the UK has servicemen and intelligence personnel. But the potential for cybercriminals, state sponsored or otherwise, to exploit vulnerabilities in new networks should not be underestimated. Even if the Chinese government is not directly involved in cybercrime, it is not entirely unreasonable to assume that Huawei will pay rather less attention to network security matters in the UK than it would in China itself. We know this because only last year the UK’s National Cyber Security Centre reported that Huawei has basic but deeply problematic flaws in its product code that create security risks, which it blamed on low standards of “basic engineering competence and cyber security hygiene”.
The bottom line is that the threats are there, and they come from an unknown number of invisible actors in many countries. And the attack could come at any time. It is certain that further attacks will come from “rogue” states such as Iran and North Korea, either directly from government intelligence and espionage agencies and departments or from proxies and freelancers. The institutions that are most vulnerable to cyberattacks include, perhaps most significantly, small to medium-sized banks and financial services companies that do not have strong cybersecurity processes and infrastructure in place. If they have not already done so, they should commission a security audit soon: antivirus and anti-malware apps are simply no match for today’s cyberterrorists and criminals.
Written by Paul Allen Hamilton and Volha Miniuk
To participate or join the AML Knowledge Centre go to https://www.linkedin.com/groups/8196279/