Plaintext: Are Cyberattacks War Crimes?

Welcome to Dark Reading in Plaintext, brought to you this week by Deloitte. In this issue of Plaintext, we look at recent comments by Ukraine’s head of cybersecurity that Russian cyberattacks against Ukraine’s critical infrastructure should be classified as war crimes. What does it mean when cyberattacks become a component of a kinetic military operation?

Cyberattacks and the Rules of War. When Russia invaded Ukraine back in February 2022, security and intelligence officials warned of an increase in cyberattacks against Ukraine and its NATO allies. More than a year in, the question Ukraine wants the world to consider is: Are these cyberattacks war crimes?

By using cyberattacks to support kinetic military operations, Russia is treating cyberattacks as a method of disruption – not destruction. For example, when the military was attacking DTEK’s thermal power plant back in July, the company was also dealing with an attack against its corporate network. Digital operations include attempts to spread propaganda and disinformation, as well as stealing information to identify and target individuals.

There were more malicious activity against Ukrainian organizations than in the previous eight years, according to the annual M-Trends report from Google Cloud’s Mandiant. "The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations," Mandiant said in the report.

The kinetic operations are destroying IT infrastructure, power grids, telecommunications, and critical infrastructure, which directly impact civilians. The international community needs to consider the impact of cyberattacks and digital operations during war and determine how to respond, says Victor Zhora, deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection of Ukraine (SSSCIP). Ukraine is collecting evidence of cyberattacks tied to military operations and are sharing information with the International Criminal Court in the Hague.

"For too long, the world has been considering cyber terrorism as something unrealistic, too sci-fi-ish, and cyber weapons as not posing any serious threat. Russia's war against Ukraine has proven such thinking wrong.” (Victor Zhora, head of Ukraine’s cybersecurity)

Dark Reading in Plaintext is brought to you by Deloitte.

Deloitte Cybersecurity Threat Trends Report 2023

Deloitte Cyber Threat Intelligence (CTI) analysts analyzed trends impacting the cyberthreat landscape. Analysis of trends is useful for threat forecasting, improving processes to ensure we are equipped to provide indications and warnings of evolving tactics, conducting program reviews to ensure timeliness and accuracy, cataloging activity to track changes to analytic lines, and efficiently reviewing defensive posture measures (e.g., endpoint detection, alerting rules, operator analysis, security tools, and business processes. Download the Deloitte Cybersecurity Threat Trends Report 2023 to learn more.

Pro-Privacy Groups Ask Slack for E2EE. Nearly a hundred digital rights, pro-privacy, and civil liberties groups signed a letter asking Slack to implement end-to-end encryption on its platform. If Slack implemented end-to-end encryption (E2EE) on its platform, it would cut down on governments’ ability to access and surveil Slack messages. “Safety should be a built-in feature of all technology, so we are calling on you to protect your users by providing the option to enable end-to-end encryption for messages to protect our privacy, and to add blocking, muting and reporting features to help protect users from harassment,” the letter said. Signatories include Mozilla, the Tor Project, Fight for the Future, Derechos Digitales, and Abortion Access Front.

With more communications moving to online, platform providers are increasingly under pressure to offer E2EE as an option to protect users from surveillance and eavesdropping. Zoom began offering E2EE to all users in 2020 and Facebook added the option to encrypt video and voice chats on Messenger in 2021. The fact that Twitter doesn’t encrypt direct messages has long been a source of concern among privacy advocates. “Default end-to-end encrypted messaging [is] a first and best step companies can take to protect targeted communities,” the letter said.

What We Are Reading

• [From Deloitte] Earning digital trust: Where to invest today and tomorrow
• From smartwatches to biosensors, wearable devices are on the rise. How Safe Is Your Wearable Device?
• Our digital future depends on the choices we make today. 4 Scenarios for the Digital World of 2040
• Assess how much value the technology provides. 5 Questions to Ask When Evaluating a New Cybersecurity Technology
• Deciphering the infosec technology alphabet soup is not easy. What Do All Those Cloud Cybersecurity Acronyms Mean?

What We Heard On-Air

Tune in to our on-demand webinar “SBOMs and the Modern Enterprise Software Supply Chain” to hear how security teams have successfully implemented SBOMs into their overall security strategy.

"You can't just leverage an SBOM (software bill of materials) as a document or an artifact, instead it needs to be part of a process." Mike McGuire, senior software solutions manager, Synopsys

From Our Library

Check out some of the latest reports from our Dark Reading Library.

• [From Deloitte] Lead Through Disruption: A guide for taking on cyber and business risk with confidence
• Tech Insights (May 2023): Everything You Need to Know About DNS Attacks (But Were Afraid to Ask)
• Dark Reading Reports: How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment
• Tech Insights (May 2023): Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks

On That Note

We think Netflix’s decision to clamp down on password-sharing with people outside of the user’s household is a good example of how organizations can help their customers form better security habits.