    CO21001 | “Offensive Cyber” and Espionage: Dirty Secrets No One Talks About
    Shashi Jayakumar

    04 January 2021

    SYNOPSIS

    A combination of one of the oldest professions – espionage – with one of the newer ones – cyber hacking – has led to hyperbole and threats of kinetic escalation. But is all this talk really warranted? What will the real fallout be?

    COMMENTARY

    RECENT REVELATIONS concerning the compromise of SolarWinds’ Orion network management platform through the backdoor insertion of malicious code are noteworthy in part because of the soul-searching that followed within the United States’ political and security commentary. Many US government agencies were amongst its victims.

    The reactions stem from three factors. The first is sheer embarrassment. The hacking appears to have been done by the SVR – the Russian foreign intelligence service. Its exposure comes at a sensitive moment in US history – and with Russia in the security crosshairs due to earlier episodes such as electoral interference. Secondly, this was not a run-of-the-mill exploit. This was a sophisticated “supply chain” attack aimed at compromising a trusted tool which downstream clients would assume is safe.

    Distractions on Two Fronts?

    The third factor is a conceptual one, and has to do with the mistaken notion that what happened amounted to OPE (operational preparation of the environment), or preparation for destructive attacks. The line separating OPE from intelligence collection in the cyber domain can be fluid; there is also little evidence of any attempt to convert this espionage operation into a destructive attack.

    The somewhat bellicose talk of kinetic retaliation has proved something of a distraction from two issues. The first is a perceptual one. From the point of view of its adversaries – and even some allies – the US has been engaged in the same game for some considerable amount of time.

    The Snowden revelations have shown this, and there has also been more recently some light thrown on spying through technical means, sometimes in concert with select trusted partners, against other nations (including friendly ones), in the form of the Crypto AG scandal.

    The second distraction may be one with internal ramifications. What should not be forgotten from the SolarWinds episode is where the real remediation efforts lie. There should be a comprehensive breach notification law (which currently is only addressed at the state level) for the private sector in the US.

    And crucially, the incoming Biden administration needs to initiate a comprehensive cross-governmental effort (including Department of Defence vendors, and the Department of Homeland Security) to address vulnerabilities in the software and hardware supplied by vendors. These things are difficult to do, but necessary, and may in fact be the real lessons that should be heeded.

    Retaliation and Deterrence

    The US has the tools in its cyber arsenal to retaliate as well as the doctrinal blueprint to do so, having evolved offensive doctrine that provides a conceptual and operational framework to respond to cyber attacks. The culmination of this thinking came in the form of two seminal documents in 2018:

    The first is the White House’s National Cyber Strategy (NCS) which warns of developing “swift and transparent consequences” “to deter future bad behaviour”; the second is the DoD’s own Cyber Strategy which makes pointed mention of the concept “defending forward”, or halting malicious cyber activity at its source, which includes, it must be presumed, extraterritorial cyber operations.

    Imposing costs on the adversary, and resetting adversary expectations in cyberspace, have therefore now become essential parts of US offensive cyber doctrine. Core to this even in times of peace is activity in adversary networks.

    But activity and interdiction also take place in “grey zones” (as defined by the US), which might be networks of neutral states or even states allied with the party initiating action. This is a grey area in international law, with very little discussion on what happens when states seek to transit through nodes located elsewhere, or interdict others, when the adversary in question is another state.

    SolarWinds, Supply Chain Compromise & No Red Lines?

    A supply chain compromise is one matter. But nations engaging in persistent forward defence – and here one must assume that several nations think similarly to the US – may choose to up the ante, especially if engaging in retaliatory action.

    They might for example put in place assets that could compromise or even cause damage to critical infrastructure. The line between reconnoitring and the emplacing of these assets (as preparation for a cyber attack) is recognised to be a grey area by many experts; and for some nations, this may cross the “use of force threshold” justifying an armed response, although there is no international consensus on this.

    There is, in short, the risk of miscalculation in a realm where there is no accepted codification of red lines.

    As some respected commentators have observed, it is unclear what aspect of international law would have been contravened by the SolarWinds espionage incident. The norms agreed at the 2015 UN GGE (Group of Governmental Experts) also do not cover espionage activities.

    Officials from major cyber powers have spoken generally about international law in cyberspace but have not been precise when it comes to how international law interacts with their right to defend themselves.

    This criticism is not specific to the US: other major cyber powers, while agreeing in general terms that international law applies in cyberspace, are chary of contributing to discussions on enforcement mechanisms.

    Norms do matter, but not that much. The discussions themselves must and will of course continue, but it is extremely unlikely that, as they stand, they will prevent cycles of escalatory retaliation – or espionage when it serves the interest of the state. This is illustrated by the willingness of states (or hackers working at the behest of a state) to attempt cyber-enabled espionage to discern the extent of the COVID outbreak in other countries and the actions being taken against the virus.

    Southeast Asia: Friends in Need?

    Cyber discourse is not as well developed in Southeast Asia as it is in the West. Nations in the region have shown signs of participating more actively in discussions on advancing responsible state behaviour in cyberspace.

    But when it comes to thorny issues such as attribution of cyber attacks, and taking a stance on whether hostile cyber operations that are not physically destructive (but might affect critical infrastructure, or even undermine governments) can constitute a use of force, no firm positions are taken.

    Singapore and Southeast Asian nations should prepare for scenarios that might see intensified conflict within the cyber arena by the major powers — conflict that might test existing, ambiguous positions. Nations may come under pressure, for example, to attribute cyber attacks.

    Singapore has suffered major hacks before – with the most serious, the IHiS/SingHealth breach, almost certainly the work of state-linked actors, although following the usual practice, no specific official attribution was made.

    Separately, APT (Advanced Persistent Threat) groups thought to emanate from the region have targeted Singapore-based firms, a case in point being APT32, or Ocean Lotus. The identification of APT32 with Vietnam has recently been confirmed by Facebook in its own investigations.

    Besides calling out aggressors (or being pressured to do so), another possible scenario might see countries in the region facing situations where major powers seek grey zone cooperation on the denial of space for others to operate, perhaps in the context of an offensive cyber campaign.

    These would be difficult situations to be placed in, and they may, or may not, transpire. They may in fact already be happening. Their very possibility refreshes the seemingly tired adage that there are no permanent friends in statecraft.

    Especially not in cyber.

    About the Author

    Dr Shashi Jayakumar is Head of the Centre of Excellence for National Security and Executive Coordinator for Future Issues and Technology at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.

    Categories: RSIS Commentary Series / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security / Singapore and Homeland Security / Global / East Asia and Asia Pacific / Europe / South Asia / Southeast Asia and ASEAN