On 17 November, a data dump from the core banking servers of the Cayman National Bank and Trust (CNBT) was uploaded to Distributed Denial of Secrets, a whistle-blowing portal with an explicit focus on Russia. CNBT is said to have stashed the slush funds of many Russian oligarchs.
Phineas Fisher, a self-described libertarian anarchist, had struck again.
Fisher is a lone wolf persona who, in the past, has hacked and uploaded stolen data from the hardest of targets – spyware vendors like Hacking Team and Gamma Group. In the CNBT case, she offered her heist to Distributed Denial of Secrets.
Phineas Fisher’s daredevil acts are generally followed by rambling manifestos and salacious technical details of her exploits.
But the public narrative could be a distraction.
In 2016, as the US was waking up to the threat of electoral interference, the State Department’s Russia hawk Victoria Nuland was stung by an elaborate disinformation operation of Russian origin.
CNBT Hack: A Warning Before 2020 US Elections?
In his book The Perfect Weapon, journalist David Sanger pieces together Nuland’s plan for a reprisal. Along with other national security principals, she proposed punitive measures like exposing the money laundering operations and illegal holdings of Putin and his oligarchs, using cyber operations. The playbook was thought to be too escalatory back then and shot down.
Did the inhibitions of the past give way to a deterrence strategy?
Veterans from the US Intelligence Community have come forward on social media and called the CNBT hack a warning shot before the 2020 elections. It would be foolhardy to ignore the grapevine.
Andrew Thompson – former Department of Defence intelligence officer now working for cybersecurity firm FireEye – hints that growing “convincing personas” like Phineas Fisher takes years.
The operations of Phineas Fisher are too elaborate for a lone wolf to execute, and the rate of cracking hard targets is unusually high. Moreover, her propaganda leaflets are more confusing than clear – a tell-tale strategy for information operations.
The plausible deniability and anonymity that are hard-coded into the Internet may ensure that the complete truth is never known.
It really does not matter who orchestrated the CNBT hack. The only marker of attribution would be how Russia chooses to respond. And it may be decisive, whether covert or overt.
Judging by how the grousing oligarchs reacted to the passage of the Magnitsky Act, they are bound to take things personally. In fact, a previous unattributed whistleblowing operation, ‘Panama Leaks’, and the overbearing pressure of the oligarchs are said to have nudged Putin into escalating matters during the US elections.
The modicum of cause and effect in cyber conflict is a game of perception – an Angletonian ‘wilderness of mirrors’. The Russian generals believe that the US even had a hand in the Arab Spring, a belief which ended up bolstering Russia’s hybrid war doctrine.
Kudankulam Attack Aftermath: Lessons for India
But there is a major lesson to be learnt as we carve out India’s own cyber deterrence strategy, post-Kudankulam. Former National Security Agency hacker Dave Aitel categorises cyber operations into two tuples: “deny, degrade, disrupt, deceive, or destroy”; and “access, analyse, remove or offer.”
International relations theorists and lawyers believe that the true potential of cyber conflict lies in the first tuple – by erroneously drawing an analogy to the above-threshold physical or kinetic conflicts of the past. They tend to equate “cyberweapons” with conventional munitions, expecting that effects like “data destruction” could be deemed as acts of aggression.
In fact, time and again it has been proven that cyber operations actually produce cascading effects across the second tuple – in the cognitive or perceptive spectrum. It is when cyber operations feed into the parameters of information operations that true power projection and deterrence take shape.
Some of the most successful examples of cyber skirmishes fall under that category. Wikileaks was nothing but the world’s most powerful “offer” cyberweapon launched by a non-state actor. It merely challenged government secrecy by making information available, fomenting global diplomatic turmoil.
The hack and upload of Democratic National Convention’s (DNC) emails, too, squarely fits into “offer.” It ended up influencing a national election and deterring the US from responding.
After the damning pilferage of the Office of Personnel Management’s security clearance database, the US had plans of disrupting Chinese Internet censors like the “Great Firewall.” The deluge of hitherto forbidden information – another case of “offer” – could have triggered public unrest. Nothing unnerves Russia and China more than a regime upheaval.
CNBT Hack: Legal Parameters
It is a fallacy to derive a fitment of cyber operations into the conventional thresholds of war. Cyber deterrence is downright dirty and illegal.
Unlike the unfounded belief of lawyers, circumscribing cyber operations within international law may prove detrimental to our cyber capabilities. The underlying parameters simply do not exist.
Doxing the ruling political party of an adversarial nation state using cyber offence could be far more effective a coercive manoeuvre than neutralising its military command-and-control, as the recent US-Iran cyber escalation has shown.
The 2019 operations of the US Cyber Command in the Iranian cyberspace, while spectacular, produced mixed outcomes. However, on the very same day that CNBT’s data was exposed, The New York Times and The Intercept also reported on leaked Iranian intelligence cables. That may certainly play a larger role in hampering the Iranian will.
Let us deconstruct the legal parameters of the CNBT hack.
The only redline of escalation would be the Kremlin’s response, and nothing else.
The operation not only potentially violated the sovereignty of a neutral party that is the Isle of Man, but was orchestrated over a bank which is a civilian target, barred by the Geneva Convention.
Not only that, unwitting ‘non-combatants’ from many countries, including India, also got exposed. It could be deemed as needless collateral damage risking the lives and liberties of account holders who could be potential tax evaders – also causing them irreversible mental harm.
Diminishing Opponent’s Will to Resist
The Russian government went on to invoke the US Foreign Sovereign Immunities Act in a New York district court to defend its action against the DNC. Russia deemed it as a “quintessential sovereign act.”
The US Department of Justice’s indictment against Russian military operatives who hacked the DNC cites pre-emptive signals intelligence intercepts captured from Russia’s military networks. That in itself could become the case of a pre-emptive war by the Americans – military command-and-control is a no-go as per international law. It is reasonable to interpret the Russian response as retaliation. In cyberspace, even covert action can come under legal scrutiny.
As James Lewis of Centre for Strategic and International Studies argues, “The strategic goal [of cyber operations] is to affect morale, cohesion, political stability, and, ultimately, diminish the opponent’s will to resist.”
That is how the game is being played – in a full-on and no holds barred way.
A cyber deterrence framework must consider all the extraneous factors. And India seriously risks lagging in cyber power projection.
To draw upon Shimon Peres’s exhortation after the Six-Day War, the stark choice in front of us is to either innovate or risk losing our sovereignty.
(Pukhraj Singh is a cyber intelligence analyst who has worked with the Indian government and response teams of global companies. He blogs at www.pukhraj.me and tweets at @RungRage. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)