
Lennart Maschmeyer | Cybersecurity, Cyber Power and Threat Intelligence | Intelligence & Interview N.32 | Roman Kolodii

Approved by the Author



With the current expansion of digital practices to mitigate the effects of Covid-19, well-calibrated cybersecurity strategies have become more relevant than ever. Recent attempts to steal data on Covid vaccines through cyber-intrusions, for instance, demonstrate how dangerous and malicious cyber-threats can be during healthcare emergencies, especially if orchestrated by foreign governments. Indeed, in recent years, many experts have begun to view cyberspace not so much as a no-man’s land but rather as a battlefield where individual states can engage in confrontation for the sake of asymmetrical gains. Such scholarship, however, often focuses on government-centric perceptions of cyberspace-related events and presumes a disruptive potential of cyber-technologies in situations where, in fact, it is not that pronounced. These habits of thought often preclude a more accurate and better-informed appreciation of the role of cyber-threats, especially in terms of their effectiveness, as well as their mitigation through non-government efforts. For this interview, we have invited Dr Lennart Maschmeyer, an expert in cybersecurity, whose work examines existing blind spots and biases regarding cyber-operations and promotes more inclusive cyber-threat reporting among non-state actors. He is a senior researcher at the Center for Security Studies (ETH Zurich), a university-affiliated think tank in Switzerland offering security policy expertise in research, teaching, and consulting activities. Apart from his academic research, Lennart has also been involved in coordinating better cyber-threat reporting between commercial cyber-threat intelligence firms and civil society actors.
In our interview, we discuss the character of modern cybersecurity threats, the role of digital technologies, including social media, in Russian influence operations, the importance of cyber-threat reporting, and dominant trends that would shape the near future of cybersecurity and strategy worldwide. On behalf of the Scuola Filosofica Team, our readers, and myself, Roman Kolodii, Lennart: thank you!


#1 Lennart, how would you like to present yourself to the international readers of Scuola Filosofica?

I am a senior researcher at the Center for Security Studies at ETH Zurich where I examine the opportunities information technology provides for actors to project power in world politics. Specifically, I focus on how technological change has altered the quality of covert operations as an instrument in strategy. Cyber operations are often perceived as a novel instrument, yet my research shows close similarities to subversive intelligence operations both concerning strategic role and operational constraints. What is probably new about cyber conflict is the outsize role played by non-state actors, especially commercial cyber threat intelligence firms whose reporting often constitutes the main, sometimes the only source of data on ‘cyber attacks’. Because these firms are profit-driven, so is their reporting—and this produces selection bias in what is, and what is not reported. This bias distorts how policy makers, academics and the public perceive cyber conflict, and my secondary topic of interest is studying these biases.


#2 What factors contributed the most to your interest in cybersecurity, cyber conflict and threat intelligence?

There is a persistent and broadly shared perception that digital technologies revolutionize conflict and competition in world politics, making this an important topic in world politics. Yet the mechanisms of change remain ill-understood and there is an overall lack of data, which is often filled by speculation. Hence, my research is driven by a curiosity to better understand these mechanisms, and focus on empirical evidence rather than speculation. There is no doubt technological change is having a significant impact on power politics, yet there remains a fundamental uncertainty about what exactly this impact is, and its consequences for world politics.


#3 In your doctoral dissertation at Toronto University, as well as in your recent project on Russia’s digital disinformation at the Center for Security Studies, you have focused largely on the relevant developments in Ukraine. In what ways, do you think, can the Ukrainian case study facilitate our understanding of the growing role of cyber power and digital technologies in international politics?

The conflict in Ukraine offers the longest and most varied case of cyber-enhanced conflict to date. It involves multiple disruptive cyber operations by one of the world’s leading cyber powers, Russia, and in the context of an ongoing conflict. In fact, many see this conflict as the first of a new kind of ‘hybrid warfare’ marked by a mix of conventional and covert instruments—and particularly cyber operations. Many scholars and defense planners expect digital technology to increase both efficiency and effectiveness of such forms of conflict below the threshold of conventional war. In short, if digital technology has the revolutionary impact on conflict and competition that many continue to expect, the Ukraine conflict is where one would most expect this impact to be observable. Apart from its overall significance, the Ukrainian case allows studying the use of cyber operations over multiple years by the same actor, namely the GRU-linked threat group ‘Sandworm’. This extended duration and internal variation make it the best available case to track how operational constraints limit the strategic utility of cyber operations—and whether the actor is able to overcome these constraints by evolving its tradecraft. This case thus allows studying the strategic utility of cyber operations in a practical setting.


#4 You are the founder co-chair of the FIRST Threat Intel Coalition SIG. Could you describe the mission of this organization, as well as the techniques and methods it uses to achieve its goals?

This SIG aims to improve the situation of civil society groups by providing them with assistance in detecting and mitigating cyber attacks, and building in-house capacity and expertise. In a wider sense, its mission is to alleviate some of the information asymmetry in cybersecurity that results from the selection bias I mentioned concerning threat intelligence reporting. As I have shown in a research article with Ron Deibert and Jon Lindsay, particularly cyber operations against vulnerable civil society actors tend to be neglected in these reports. Consequently, although civil society groups have some of the most urgent need for information, they often have the least information available. To improve on that situation, this SIG links civil society organizations in need of assistance to researchers at commercial threat intelligence firms who volunteer their services to help. We are also starting to host workshops on basic security and analysis skills to help civil society help itself.


#5 In your recent research, you have examined the role of non-state actors within the cybersecurity landscape. What are the challenges and opportunities for cyber threat reporting from the point of view of non-state actors? Are there any effective national or international strategies for engaging civil society and private individuals in cyber threat intelligence?

As I have already touched upon above, civil society faces a shortage of information since commercial reporting tends to neglect this sector. There are some dedicated research centers and non-profits that report on civil society threats, most importantly Citizen Lab at the University of Toronto, as well as Amnesty International, the Electronic Frontier Foundation and Human Rights Watch. Yet these institutions have limited budgets and thus limited coverage. Importantly, the neglect of civil society threats likely leads to under-prioritization of the issue by policy-makers. If the problem seems small, why would it be prioritized? This is why it is of central importance to increase reporting on such threats, and alert policy-makers and funders to the problem. Civil society is notoriously cash-strapped, hence many organizations lack resources and technical skills. Supporting capacity building with funding for skilled staff and providing security training should thus be a key priority of policy-makers and funders. Currently there is a severe lack of effective national or international strategies for engaging civil society.


#6 How does disinformation, especially through digital media, impact the state’s power in cyberspace? What are the costs and benefits of digital disinformation for those who design and spread it?

This is an important question that has haunted many scholars, policy-makers and members of the public especially since the interference in the 2016 US Presidential Elections, which involved the use of disinformation to influence voters. Although this topic has since received a lot of attention, there is still a lack of evidence on the actual impact of digital disinformation on audiences. Many expect digital media makes disinformation campaigns more efficient and effective, in a clear parallel to cyber operations in general. There is some evidence suggesting digital disinformation can change audience perception, yet there is still no systematic evidence indicating it can do so at scale. What is more, it is increasingly clear that mounting digital disinformation campaigns at scale involves significant challenges. Individual accounts at social media platforms must be maintained to grow a network of followers, which can take years. The advantage is that these accounts can be made to look like normal citizens, hiding the origins of the narratives spread through them. Yet it is not clear whether this form of covert propaganda is in fact more effective than overt propaganda through traditional media, such as television. As I have written in a recent CSS Analysis piece on Disinformation in Ukraine, survey data indicates traditional media is more effective both in spreading narratives to a large audience and in convincing audiences of these narratives through repeated exposure compared to social media. Moreover, evidence from focus group interviews we carried out in collaboration with the London School of Economics and Internews Ukraine indicates knowing the origins of a narrative (i.e. a television station owned by a pro-Russian oligarch) does not make people less likely to believe in it.

Therefore, it is premature to assess the impact of digital media on state power, but emerging evidence suggests traditional media remains at least as important. In general disinformation campaigns have shown decidedly mixed results in the past, fostering a conspirative mindset not only among audiences, but also among their creators. The KGB thus fell prey to its own conspiracy theories repeatedly during the Cold War, precluding clear analysis and resulting in intelligence failures.


#7 In your opinion, how does the Covid-19 reality, with its pervasive technological crisis-management measures and increased online consumption, affect the character and practice of cyber operations today?

The lockdowns ordered in many countries to manage the pandemic have certainly increased the attack surface for threat actors—meaning there are more opportunities for malicious actors to exploit technologies and people to steal data and disrupt systems, especially with users who are inexperienced with the technology. In the longer run, however, this is unlikely to be more than a blip in the ongoing trend towards more and more interactions taking place online. The more interactions are computerized, however, the more potential there is for exploitation. Moreover, the deeper computers reach into societies, the more potential there is for such exploitation to have significant effects. Computerization promises great efficiency gains, and overall technology firms promise to ‘make the world a better place’, which may be true in many cases. Yet the risks of exposing the processes and interactions involved to malicious actors from around the globe must be clearly understood, and should be included in cost-benefit calculations behind such decisions. If current trends continue, we are likely to see cyber operations affecting a growing proportion of social activity.


#8 What are the main trends that would shape the near future of cybersecurity and strategy worldwide? What are the key risks and ways to mitigate them for state and non-state stakeholders in cyberspace?

The ongoing trend towards increasing computerization and connectivity also increases the potential for exploitation by malicious actors, as I have already discussed. Especially since the 2016 Election Interference operation, governments have become more aware of the resulting broad threat, pivoting away from the previous focus on threats of ‘cyberwar’ couched in military language. In fact, the new United States cyber strategy emphasizes the pursuit of gains by cyber means in conflict short of war, and is being emulated by many of its Western allies. Whereas previous strategy prioritized deterrence, i.e. keeping adversaries from engaging the United States with cyber attacks through threat of punishment, the current strategy instead encourages ‘persistent engagement’ of adversaries.

We can therefore expect an increase in cyber competition, and likely also disruptive cyber operations. While this strategic shift rests on the assumption that actors share a ‘tacit agreement’ to keep intensity of conflict below a certain threshold, my research indicates that operational constraints have been the key limiting factor to intensity of effects. Creating disruptive effects through cyber means often involves significant efforts, and the greater the scale and intensity of effects, the more likely it becomes that actors lose control. Increasing competition in the way the current strategic shift does may thus encourage risk-taking behavior in adversaries, further increasing the disruptiveness of cyber attacks. Because cyber operations are typically deployed as an alternative to the use of force, escalation to military conflict is unlikely since it runs counter to the intentions of the actors involved.

Yet especially considering the secrecy of cyber operations, there is potential for misperception and misunderstanding that may end up triggering unintended escalation. The more sensitive the target and the more reckless the operation, the more likely this potential becomes. Nonetheless, rather than escalation and cyberwar, disruptions to daily lives will likely remain the more common threat—especially as criminal actors are continuing to experiment with new tools and techniques to extract financial gains from their victims. Fortunately, many of the latter threats can be thwarted by rather basic security measures—often as simple as not clicking on a link in an email that asks you to do so urgently. Even many high-profile cyber attacks start with simple phishing emails, and this human factor is often neglected in the prevailing focus on digital technology.

On the latter note, one trend I would expect as technical security measures improve is a further focus on human vulnerabilities, especially the use of undercover agents and insiders to gain access to sensitive facilities. Hence, operations that blend both human agents and cyber means are likely to become more important down the line.

These forms of compromise involve classic spy craft though, which will remain relevant on their own. The recent explosion at Iran’s Natanz nuclear enrichment plant is a key example, since it was initially described by journalists as a cyber attack, yet turned out to be almost certainly classic sabotage carried out by a Mossad agent in the field using explosives. Producing the same effect through cyber means would have been significantly more complex, if not impossible unless the targeted system had a built-in capability to explode…


#9 How can our readers follow you and your organization on social media or elsewhere?

The best way to follow me is via my website, www.lennartmaschmeyer.com, and my website at the Center for Security Studies. I also have a Twitter account @LenMaschmeyer, but rarely use it since the platform is designed in a way that promotes polarizing content—making it so attractive for disinformation campaigns!


#10 Could you list five words that characterize you?

There aren’t any words I would propose to characterize me; I am just a researcher driven by curiosity to understand the way technology impacts our society and the desire to contribute towards alleviating some of its negative impacts.
