Contents

Foreword p. 5

Suspected Iranian Cyber Attacks Show No Sign of Slowing By Patrick Tucker p. 6

New Tech Aims to Tell Pilots When Their Plane Has Been Hacked By Marcus Weisgerber p. 8

The US Must Prepare for a Cyber ‘Day After’ By Samantha Ravich p. 10

Russian Hackers Used Stolen Iranian Malware to Attack 35 Countries, NSA Says By Jack Corrigan p. 13

States Must Explain When a Cyber Attack Might Draw a Violent Reprisal By Jonathan Reiber p. 15

Should Cyber Arms Be Treated Like Bioweapons? By David Fidler p. 18

The Cybersecurity Challenge Page 4

Foreword

It’s enough to make you long for the days when the proliferation of dangerous weapons required more than an email. Late last month, officials with the U.S. National Security Agency and the U.K.’s National Cyber Security Centre announced a joint finding that Russian hackers had used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries.

“The disclosure paints a picture of Russian hackers piggy-backing off the work of Iranian rivals to advance their own agenda,” Nextgov’s Jack Corrigan writes in “Russian Hackers Used Stolen Iranian Malware to Attack 35 Countries, NSA Says.” “Authorities said the Nautilus and Neuron tools had ‘very likely’ originated in Iran, but Turla had acquired both tools by early 2018. The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly.”

But wait. Are these kinds of cyber capabilities actually regarded as weapons under international law? It’s not yet clear. In “Should Cyber Arms Be Treated Like Bioweapons?” the Council on Foreign Relations’ David Fidler examines one potential analogue — biological weapons — and comes away unconvinced.

Even more urgently needed than a strict classification of cyber capabilities are some international norms for using them. “Without clear explanations that affirm rules of the road, countries make it easier for conflicts to spiral out of control,” writes Jonathan Reiber in “States Must Explain When a Cyber Attack Might Draw a Violent Reprisal.” Formerly Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense, Reiber writes in the wake of Israel’s May attack on a Hamas hacking center, “the first time that a military has conducted a kinetic operation directly in response to a cyberattack in real time.” Read on.

Bradley Peniston
Deputy Editor
Defense One

Suspected Iranian Cyber Attacks Show No Sign of Slowing

By Patrick Tucker

In this photo released by official website of the office of the Iranian Presidency, President Hassan Rouhani addresses the nation in a televised speech in Tehran, Iran, Monday Aug. 6, 2018. IRANIAN PRESIDENCY OFFICE VIA AP

As Iran and the U.S. trade cyber blows, a new warning shows that the online fight is likely to go on.

Tensions between the United States and Iran in the Strait of Hormuz may be cooling but, online, it appears Iranian actors are continuing their activity against targets in the United States and elsewhere.

On Wednesday morning, U.S. Cyber Command tweeted that they discovered “active malicious use” of a known bug in Microsoft Outlook, “CVE-2017-11774.”

In their tweet, Cyber Command doesn’t say who is using the bug to launch attacks. But cybersecurity company FireEye has reported that a variety of Iranian hackers have been busy using that very vulnerability.

“Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals,” the company wrote in a statement sent to reporters on Wednesday. “If Outlook launches something malicious, a common assumption is that the impacted user has been phished — which is not what is occurring here. The organization may waste valuable time without focus on the root cause.”

In a December blog post, FireEye traces the activity to a threat group dubbed APT33, which, they say, is working “at the behest of the Iranian government.” In a June update to that post, the company said that they saw those same APT33 tactics playing a role in a new coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.”

That update coincides with a June 22 notice from the Cybersecurity and Infrastructure Security Agency, or CISA, warning of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” The agency notes that the new attacks are highly destructive “wiper” attacks and that the perpetrators are “looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

At last week’s Defense One Tech Summit, Ed Wilson, the deputy assistant secretary of defense for cyber policy, described the recent escalation in Iranian offensive cyber activity as a “horizontal escalation” meaning an increase in the volume of activity, rather than a sudden change in the types of tactics used. “I think a lot of times we think of escalation is vertical in nature,” he said.

The statement follows a comment from Joint Chiefs Chairman Gen. Joe Dunford in May, describing the increase in Iranian activity in the region, including cyber activity, as “campaign-like.”

The U.S. has been ramping up cyber operations against Iranian intelligence groups involved in the planning of the attack on various foreign oil tankers, according to reports from Yahoo and The New York Times.

Wilson declined to comment on those reports.

New Tech Aims to Tell Pilots When Their Plane Has Been Hacked

By Marcus Weisgerber

The Cyber Anomaly Detection System tells pilots when their plane is being hacked. /RAYTHEON

Raytheon is pitching a product to detect cyber intrusions into aircraft, drones, and even missiles.

As the military helicopter lifts off the ground and heads skyward, the numbers on the altimeter suddenly stop ticking upward. The rumble of the helicopter’s engines fades and the chopper starts losing altitude. A second later, a dire warning flashes in red on a cockpit screen: “Cyber Anomaly.”

The helicopter is under attack, but not from missiles or guns. Seconds later, it smashes into the ground.

Luckily for the pilot, he’s not in a real helicopter — just a small simulator set up in a conference room of a high-rise office building in Arlington, Virginia. Greg Fry, the engineer at the controls of the choreographed crash, is part of a Raytheon team that is building a new warning system that tells pilots when their planes are being hacked, something the U.S. military expects to happen in the battles of the future.

“Basically, we’re trying to give the pilot the information about what’s happening internally on his aircraft in real time,” said Amanda Buchanan, the project’s engineering lead. “We’re telling him what’s going on and allowing him to make decisions about what he needs to do to correct the problems.”

Inside most aircraft, important electronics are plugged into a serial data bus. The bus used in many U.S. military planes was developed in the 1970s and “still have not been updated for security,” according to Fry, a cyber-resiliency product manager at Raytheon.

“Your GPS talks on it, your fuel valve switches are on it, your autopilot is on it and other avionics systems all communicate over this bus,” Fry said. “What we found is as technology has increased and more and more [commercial] products are put in aircraft, there’s more of an attack surface for cyber threats to go onto the platform.”

Raytheon began developing this Cyber Anomaly Detection System three years ago after receiving “customer feedback” about “vulnerabilities in aviation platforms,” Buchanan said. She declined to identify the customer. Raytheon self-funded the project, Fry said. Company officials won’t say if the system is deployed on U.S. military aircraft.

Pentagon officials have increasingly been talking about weapon cyber vulnerabilities and the need for companies to “harden” their products. In August, the Washington Post reported that Air Force-sponsored hackers had found cyber vulnerabilities in the F-15E Strike Eagle fighter jet.

Hackers can get into military and commercial aircraft, vehicles, and even missiles and bombs by infecting them with malware — say, by plugging an infected cell phone into one of the aircraft’s USB ports, or even wirelessly, Fry said.

Buchanan hacked Fry’s helicopter by injecting malicious code wirelessly from a tablet. The code caused the helicopter’s engines to shut down. While Fry was able to disable the helicopter’s wireless receiver before hitting the ground, he was not able to stop its fall.

SENIOR AIRMAN FRANKLIN R. RAMOS

Raytheon says the technology could be used to detect cyber intrusions on drones, vehicles or even missiles. And although its product can currently only detect attacks, new versions may be able to fight them off and repair the damage.

“In the future we’re looking more in that direction, but right now we’re starting with a passive system, so we won’t interfere with the bus,” Buchanan said. “We’re just going to leave the human in the loop [and] leave the pilot in control and make him aware of his surroundings so that he can take the actions.”

The US Must Prepare for a Cyber ‘Day After’

By Samantha Ravich

This Wednesday, May 20, 2015 photo shows server banks inside a data center at AEP headquarters in Columbus, Ohio. AP PHOTO/JOHN MINCHILLO

The government needs a continuity plan to ensure that critical data and technology remains available after a devastating network attack.

Stealing personal data is not the worst thing that can happen in cyberspace. For years, the U.S. government has warned that foreign nations have been hacking our critical infrastructure and inserting malware that could sabotage dams, pipelines, water supplies, or even transportation systems. Three years ago, an Iranian state-sponsored was indicted for hacking a dam in New York State.

In its 2019 Worldwide Threat Assessment, the Office of the Director of National Intelligence warned that China has the ability to cause “localized, temporarily disruptive effects” on corporate networks, while Russia “is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.” And recent news reports indicate that the U.S. has similarly embedded malware into the Russian power grid, pointing digital missiles back at Moscow.

During the height of the Cold War, the U.S. government had plans for the “day after” a massive nuclear strike: how to assure continuity of the government, how to get transportation and communications back online, even how to put hard currency back into circulation and begin regenerating the economy. We currently have no such reconstitution plans for a cataclysmic cyber event.

Part of the problem is the distraction of attention and resources by the daily drumbeat of data breaches and theft of personal data. Data breaches are notorious and widespread, and garner headlines. But they do not present the most dire cyber threat to nations’ economies. Rather, the attacks that could damage or destroy the very foundation of what makes our economy – and our lives – run must concentrate the minds of U.S. policymakers.

Such disruptive cyber incidents are growing in number and intensity. In summer 2017, the malware “NotPetya” disrupted operations across industry giants such as Maersk, FedEx, and Merck. In March, electrical grid operations across parts of Southern California and Utah were interrupted through a distributed-denial-of-service attack. That same month, hackers forced Norsk Hydro, one of the world’s largest manufacturers of aluminum, to halt production at some plants and switch others to manual operation.

Our nation must be able to rapidly reconstitute the infrastructure most important to sustaining the economy. During the Cold War, the United States developed Continuity of Operations/Continuity of Government plans to ensure that the government could reconstitute and perform a minimum set of essential public functions after a nuclear attack. But today’s risks extend beyond direct threats to the U.S. government, and the resources needed to mitigate them far exceed government capabilities. In fact, most capabilities to recover from a large cyber-enabled economic warfare attack reside in the private sector. Yet these capabilities are usually focused on helping specific sectors or, more specifically, individual corporations, rather than the national economic infrastructure as a whole.

The U.S. government should institute a Continuity of the Economy, or COTE, plan to ensure that the critical data and technology would be available, with priority for critical functions across corporations and industry sectors, to get the economy back up and running after a catastrophic cyberattack. Planners must figure out what “seed data” would need to be preserved in a protected and verified format, with a process to assure no corruption or manipulation.

This is different than the standard system backups many corporations use in case their data is lost or corrupted. This would go beyond any one company or industry. One helpful model is the financial sector’s Sheltered Harbor in which banks store a copy of their data in standard format in secure data vaults that can be quickly accessed to deny a attack from crippling a bank. But Sheltered Harbor addresses a very different problem than cold-starting a power grid, assuring safe insulin production and distribution, or rebooting telecommunications networks. COTE will require an approach beyond “stockpiling.” It must focus on functional interaction among specific infrastructure sectors – how electricity supports telecommunications, which supports transportation, which supports oil and gas, which feeds the electricity grid, etc. – and how these interactions directly support key functions of the economy.

For the government to take this approach, it needs to answer some first-order questions: what are the key functions of the U.S. economy that rely on an operational Internet? What are the industrial processes, sectors, and entities that directly support those functions? What data is central to those processes, sectors, and entities, and how long can that data be unavailable before it causes unacceptable and irreversible damage to the economy? What level of damage is unacceptable? And, finally, what scenarios would produce such devastating effects? Answering these questions would yield a more “whole-of-economy” approach than the current stove-piped method of resiliency planning, where risk analysis is still focused on industry sectors rather than cross-sector analysis.

Across the economy, critical entities rely on, in large part, the same set of cloud providers, hardware suppliers, and distribution methods. In a catastrophe, the government will need to prioritize which sectors, and perhaps which companies within those sectors, get limited services and resources first. This would require selectivity within sectors based on interconnectedness and substitutability, and some hard choices on which companies are included in the plan, and which are not. COTE must be created before the lights go out. Not the day after.

The views and opinions contained herein are solely those of the author, and do not reflect the policies of her affiliations, past or present.

Russian Hackers Used Stolen Iranian Malware to Attack 35 Countries, NSA Says

By Jack Corrigan

MEHANIQ / SHUTTERSTOCK

U.S. and British authorities said the Turla group is piggy-backing off the work of Iranian rivals to advance its own agenda.

Russian hackers used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries, national security officials from the U.S. and the United Kingdom said Monday.

The Turla group, which is widely believed to be Russian in origin, used two Iranian hacking tools—Nautilus and Neuron—to target military, government, academic and scientific organizations in at least 35 different countries, according to a joint advisory released by the National Security Agency and the U.K.’s National Cyber Security Centre. So far, victims have largely been concentrated in the Middle East, officials said.

While authorities had previously flagged Turla’s use of the tools, this latest advisory offers new details on their origin and the extent of their damage. The disclosure paints a picture of Russian hackers piggy-backing off the work of Iranian rivals to advance their own agenda.

Authorities said the Nautilus and Neuron tools had “very likely” originated in Iran, but Turla had acquired both tools by early 2018. The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly. According to the release, Turla worked to gain further access to targets by scouring their networks for backdoors that had been inserted by Iranian hackers.

In some cases, authorities found that Turla-affiliated hackers tried to access the network using implants that had previously been exploited, and subsequently destroyed, by Iranian advanced persistent threat groups.

“The timeline of incidents, and the behavior of Turla in actively scanning for Iranian backdoors, indicates that while Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements,” officials said in the advisory. “Although [Turla] had a significant amount of insight into the Iranian [backdoor shells], they did not have full knowledge of where they were deployed.”

“Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants,” they added.

Authorities discovered that Turla also hacked into the command-and-control infrastructure of an Iranian APT group, known as OilRig or Crambus, and used the platform as a launchpad for their own attacks. Turla also reportedly stole troves of data—including key logs and directory lists and files—from an Iranian hacking organization, which helped the Russian group co-opt its previous work.

“This access gave Turla unprecedented insight into the tactics, techniques and procedures of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian [command-and-control] infrastructure,” authorities said.

States Must Explain When a Cyber Attack Might Draw a Violent Reprisal

By Jonathan Reiber

Smoke rises from an explosion caused by an Israeli airstrike in Gaza City, Saturday, May 4, 2019. AP PHOTO/HATEM MOUSSA

Without clear explanations that affirm rules of the road, countries make it easier for conflicts to spiral out of control.

When conducting a kinetic military response to a cyberattack, it’s better to explain why and how you are doing so.

A month ago, the Israeli Defense Forces, or IDF, responded to a Hamas cyberattack with an online counter-attack against the hackers followed by an airstrike that destroyed their building in Gaza. It remains unclear whether any Hamas cyberspace operators died in the operation.

This was the first time that a military has conducted a kinetic operation directly in response to a cyberattack in real time. It occurred in the context of decades-long hostilities between Israel and Hamas, and amid the worst fighting between the parties since 2014.

The operation may have been warranted. Unfortunately, the IDF didn’t explain much about it, so the world cannot tell. We don’t know what Hamas was trying to achieve, why the IDF felt that the strike was justified, or just what Israel’s policy is for countering cyberspace operations.

Here’s the problem: the internet, itself just 36 years old, is still a relatively new domain of warfare. As a historic first, this operation needed Israel to explain itself a little more than it did. What did Israel think Hamas was trying to achieve? Why was the response warranted?

All Israel needed to say was something like “Hamas was targeting our military/hospital/government infrastructure and we deemed their operations to be a threat to our national security. On that basis, after conducting a cyberspace operation against Hamas, we determined that the appropriate course was to neutralize the threat. This operation occurred within the law of armed conflict just like any other operation.” But Israel chose to say no such thing.

Absent clear explanations that affirm rules of the road, countries risk setting a dangerous escalatory course for themselves and others. In the future, if State A conducts mass online banking theft during the course of hostilities, would a military response to the hackers be warranted? The short answer is: maybe. The onus would fall on the escalating country to explain how and why it felt that an escalatory operation (of any kind) was warranted and just.

There is already policy precedent for kinetic operations against hackers. In 2011, for example, the Obama administration declared in its International Strategy for Cyberspace that “When warranted the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”

Smoke rises from an explosion after an Israeli airstrike in Gaza City, Sunday, May 5, 2019. AP PHOTO/HATEM MOUSSA

What are some possible scenarios for how states could respond kinetically to cyberspace operations in the future? We can map at least three hypothetical scenarios.

A cyber event crosses a conflict-initiation threshold. If a State A, not otherwise at war, launches a cyberattack that cripples State B’s critical infrastructure, the latter could respond by launching a kinetic operation to decapitate State A’s cyber command-and-control structure. In this instance, it would be up to State B to determine whether State A’s activity warranted a military response. In the United States, as we said in the 2015 DoD cyber strategy, cyberattacks and potential responses to them “are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team.” Just as importantly, when the United States has responded to a cyber attack, the government has tried to explain its rationale for response, whether that response is indictments or sanctions or kinetic operations. Explanations can help to affirm the law of armed conflict, establish rules of the road, and set a course for the future.

A cyberattack amid a wider conflict draws an immediate kinetic retaliation. This is similar to the case of Israel and Hamas. There are a range of international disputes that could trigger conflict in cyberspace or kinetically. Imagine a crippling hack in India (or Pakistan) that leads the country’s military to bomb its adversary’s cyberspace command centers. The responding state would have to explain how and why it made the choice that it did.

An authoritarian government uses kinetic attacks to suppress domestic protestors. As we mark the 30th anniversary of the deadly crackdown in Tiananmen Square, imagine a group of dissident Chinese hackers who launch a cyberattack in a bid to weaken China’s state control of the internet — and the government’s likely response. This scenario is by no means unique to China; a narrative of online resistance and kinetic response could play out in a range of authoritarian states.

In some instances, states may be justified in deploying kinetic options against cyberattackers. In others, they may not. For any government that hopes to maintain political legitimacy during an internal or external conflict, it is up to its officials to explain their strategic choices to the public and to situate the operation within appropriate legal norms. Public statements will help countries to develop a language of restraint and proportionality in the evolving landscape of war.

Should Cyber Arms Be Treated Like Bioweapons?

By David Fidler

Real-time cyber attacks are displayed in 2017 on the 275th Cyberspace Squadron's operations floor, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md. AIR FORCE / J.M. EDDINS JR

A recent paper suggests that the two are more closely related under international law than previously thought. But the analogy, while useful, is not exact.

In an important contribution, Jeffrey T. Biller and Michael N. Schmitt argue that cyber capabilities are not “weapons” or “means of warfare,” but can be “methods of warfare” under international humanitarian law (IHL). These conclusions challenge the prevailing notion, contained in the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, that cyber capabilities can be weapons and means of warfare.

Biller’s and Schmitt’s claim is that, unlike other military technologies, cyber capabilities do not cause direct harm to people or property. “Having a damage mechanism with the ability to directly inflict the damaging or injurious terminal effect on a target is,” they write, “the litmus test for qualification as a means of warfare.” When computer code is deployed, “the harmful effects are … indirect; they are not terminal vis-à-vis the code.” Harmful effects directly arise from the operation of the target system infected with the code, rather than from the code itself. “Therefore,” they conclude, “computer code and associated systems cannot qualify as means of warfare.”

For much of the article, I nodded in agreement as the argument unfolded. With one exception, which produced a quizzical tilt of the head.

Biller and Schmitt observe that biological weapons are “beyond question” a means of warfare because the biological agent’s “damage mechanism is…terminal” as the agent “directly inflicts the harm.” However, they appear to conflate biological agents with toxins in stating that “[t]ypical biological toxins include bacteria, rickettsia, fungi, and viruses.” Not all biological agents are toxins or generate morbidity or mortality through toxins.

Some agents, such as anthrax, produce toxins that directly damage cells and organs. Other pathogens considered biological weapons trigger a cascade of adverse physiological reactions in the host that contribute to, or cause, illness or death. In addition, fears about biological weapons include how inadequate health systems can exacerbate pathogenic damage. Put another way, many harmful effects of biological agents directly arise from the operation of biological and social systems the pathogen affects, rather than from the pathogen itself.

The smallpox virus is one of the most feared biological weapon agents. How the virus causes disease and death is complicated and does not simply involve the virus killing cells. Responses of the immune system factor significantly in the morbidity and mortality associated with smallpox. The virus interferes with the normal functioning of the immune system, which over-reacts in ways that seriously harm the body. A review of smallpox in Clinical Infectious Diseases stated that “many features of severe illness…were the result of host inflammatory responses. In severe cases, the release of cytokines, chemokines, and other mediators into the bloodstream caused vascular dysfunction, coagulopathy, and multiorgan failure, resembling septic shock.” Smallpox also generates concern because most countries do not have adequate health capabilities to address re-emergence of the smallpox virus.

Whether biological agents are “means of warfare” or only “methods of warfare” based on direct or indirect effects has not been a major policy or legal question. Smallpox and other pathogens that cause adverse biological and societal cascades are considered “repugnant to the conscience of mankind” because of the totality of their direct and indirect effects. The indirect effects of pathogenic infection are proximate to the direct action of the pathogen on the host and sufficiently severe in the human body and the body politic to take into account.

This treatment of biological agents perhaps suggests that deciding whether cyber capabilities constitute a means of warfare should involve consideration of the nature and scale of indirect effects and not just the direct effects of code on target computer systems. The indirect effects of malware can be proximate to the direct impact of the code and, potentially, severe enough within the target system and beyond to warrant inclusion in the determination of a means of warfare.

However, reasoning from biological analogy is not persuasive. International law bans the development and use of biological agents for non-peaceful purposes. Indeed, biological agents are one of the few areas in which states have banned specific technologies as means of war. Many of these bans reflect heightened concerns about the direct and indirect effects these technologies can inflict on people and societies. So far, cyber capabilities and operations have not generated fears about such grave, gruesome, and repugnant threats to human life, health, and social order.

As a method of warfare, cyber operations that constitute attacks would, Biller and Schmitt note, “still have to comply with all [IHL] prohibitions and limitations that apply to attacks.” Thus, the likely indirect effects of cyber capabilities would not escape scrutiny. Further, the nature and complexity of military cyber operations, military-civilian interdependence in cyberspace, and civilian dependence on cyber technologies counsel early and comprehensive technical, policy, and legal consideration of the potential direct and indirect effects of such operations, regardless of how cyber capabilities slot into legal definitions of means or methods of warfare. Whether such prudential handling of cyber capabilities keeps indirect effects tolerable as military cyber operations expand remains to be seen.

This piece, first published by the Council on Foreign Relations, is used with permission.

About the Authors

Patrick Tucker

Patrick Tucker is technology editor for Defense One. He’s also the author of The Naked Future: What Happens in a World That Anticipates Your Every Move? (Current, 2014). Previously, Tucker was deputy editor for The Futurist for nine years. Tucker has written about emerging technology in Slate, The Sun, MIT Technology Review, Wilson Quarterly, The American Legion Magazine, BBC News Magazine, Utne Reader, and elsewhere.

Samantha Ravich

Samantha F. Ravich, Ph.D. is the Chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and a commissioner on the Congressional Cyberspace Solarium Commission.

Marcus Weisgerber

Marcus Weisgerber is the global business editor for Defense One, where he writes about the intersection of business and national security. He has been covering defense and national security issues for more than a decade, previously as Pentagon correspondent for Defense News and chief editor of Inside the Air Force. He has reported from Afghanistan, the Middle East, Europe, and Asia, and often travels with the defense secretary and other senior military officials.

Jack Corrigan

Jack Corrigan reports on cyber and national security issues. Before joining Nextgov in 2017, he wrote for multiple publications around his hometown of Chicago. Jack graduated from Northwestern University with degrees in journalism and economics.

Jonathan Reiber

Jonathan Reiber is head of cybersecurity strategy at Illumio, a cybersecurity firm based in Sunnyvale, California. He formerly served as Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense.

David Fidler

David P. Fidler is Adjunct Senior Fellow for Cybersecurity at the Council on Foreign Relations and is the James Louis Calamaras Professor of Law and a Senior Fellow at the Center for Applied Cybersecurity Research at Indiana University and an Associate Fellow with the Centre on Global Health Security at Chatham House. He is an expert in international law, cybersecurity, national security, counterinsurgency, biosecurity, and global health.