The problem of protecting Critical Information Infrastructure (CII)
has ceased to be a topic for discussion in IT circles and among
representatives of the secret services only. Information about
cyberattacks and cyber security initiatives is hitting the headlines of
leading socio-political media outlets with increasing frequency,
becoming a subject of discussion on public platforms at various levels.
Anastasia Tolstukhina has drawn up short explainers to the seven key
questions on existing threats to Russia’s CII.
1. What happened?
2. What types of facilities does the Critical Information Infrastructure (CII) comprise?
3. How frequent are cyberattacks against Russia’s CII?
4. What are the capabilities of the U.S. Cyberattack Forces?
5. How much does the United States spend on cyber weapons?
6. Are there any cases of cyberattacks being carried out against a country’s CII?
7. How is the problem handled globally?
1. What happened?
In June 2019, The New York Times published an article claiming that the United States carries out targeted cyberattacks against Russia’s critical information infrastructure. However, President of the United States Donald Trump denied these claims and accused the article’s authors of committing treason. Whether the article was true or not is still unclear. Meanwhile, the Director of the Foreign Intelligence Service of the Russian Federation said that the Russian secret services were aware of the West’s plans to carry out cyberattacks against Russia’s infrastructure.
2. What types of facilities does the Critical Information Infrastructure (CII) comprise?
Each country draws up its own list of the relevant types of facilities and prioritizes them as it sees fit. In Russia, the list includes public and private facilities working in healthcare, science, transportation, communications, power (including nuclear power), the financial markets, the fuel and energy complex, defence industry, the missile and space industry, mining, metallurgy, and the chemical industry. Protecting critical infrastructure is a matter of national security.
3. How frequent are cyberattacks against Russia’s CII?
According to the State System for the Detection, Prevention and Mitigation of the Consequences of Computer Attacks (GosSOPKA), a total of 2.4 billion attacks on critical information infrastructure were recorded in 2017, with that number rising to 4 billion in 2018. The frequency of cyberattacks is growing; in most cases, they target transportation, the banking system and power facilities.
4. What are the capabilities of the U.S. Cyberattack Forces?
The United States has the so-called Vulnerabilities Equities Process, which was launched back in 2008 under National Security Presidential Directive No. 54 (NSPD-54). The purpose of the process is to detect vulnerabilities in information and communication systems and make appropriate decisions regarding their use. For instance, a detected vulnerability may be used for surveillance, law enforcement or national security purposes. Searching for, analysing and selecting vulnerabilities are essentially the requisite components for creating cyber weapons, including weapons against CII. The U.S. Office of Tailored Access Operations has an entire catalogue of back doors that the Office can use to access servers, workstations, telephone lines, and industrial process control systems.
Currently, the Pentagon is finishing the development of the United Platform, a consolidated system for conducting secret online operations. Details of the platform have not been disclosed, but it is known that it will be used both to protect U.S. government agencies from hacker attacks and to conduct online offensives. The United Platform will integrate and analyse data from offensive and defensive operations in conjunction with the intelligence services and other partners.
5. How much does the United States spend on cyber weapons?
In 2019, the United States Cyber Command (an autonomous military command of the United States Armed Forces) plans to spend up to USD 75 million on tools and expanding the capabilities of U.S. cyber forces, which is 70 per cent more than in 2018. By 2025, its budget may have grown to USD 250 million. Such expenses are related, among other things, to the desire of the Cyber Command to be independent of the NSA in terms of the equipment it has at its disposal.
6. Are there any cases of cyberattacks being carried out against a country’s CII?
Yes, one of the most high-profile attacks took place in 2010 in Natanz (Iran), when around 1000 out of 5000 functioning IR-1 centrifuges for uranium enrichment broke down. The breakdown was caused by Stuxnet malware, which pushed Iran’s nuclear programme back a number of years. Many experts believe that the malware was designed and used at the order of the U.S. secret services.
7. How is the problem handled globally?
The matter of ensuring CII security is actively raised at the UN level. In 2018, the UN General Assembly adopted two resolutions (one put forward by the United States, the other by Russia) on the actions of states in the information space. Both resolutions in some way address the problem of cyberattacks against CII as well. In particular, Resolution A/RES/73/266 put forward by the United States emphasizes the productive work of the UN Group of Governmental Experts and the importance of recommendations in the Group’s 2015 report. That report directly addresses the problem of ensuring the security of critical infrastructure facilities. For instance, Sub-Paragraph (f) provides that “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Resolution A/RES/73/27 put forward by Russia directly sets forth this recommendation in Sub-Paragraph 1.6, while Sub-Paragraph 1.7 notes that “States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 of 23 December 2003 on the creation of a global culture of cybersecurity.” The majority of states concur with these statements, although the problem is implementing this mutual consent and translating it into practical action.