Cyber 9/12 Strategy Challenge 2022
By: Marine Pichon, Nikhita Nainwal, Albéric de Carrère, Colombe Douxami
This article was written as part of the 2022 Paris edition of the Cyber 9/12 Strategy Challenge. Organised by the Atlantic Council and GEODE, this is the only global cybersecurity competition for students, designed to address the shortage of skills in the digital field through interactive crisis simulation and strategy analysis. As both an interactive learning experience and competitive scenario exercise, Cyber 9/12 challenges teams of students from all university disciplines to respond to a realistic and evolving cyber crisis scenario. Teams analyze threats and develop responses to manage the crisis, accompanied by feedback from expert judges in the field at each stage.
The French competition for the Cyber 9/12 challenge 2022 was held from December 5th to 7th, 2022 in Paris.
Marine Pichon, Nikhita Nainwal, Albéric de Carrère and Colombe Douxami finished in 2nd place.
Over the last decade, cyber-related issues have become a new and rather dangerous component of every conflict, and governments, as well as individuals, have been struggling to keep up with the fast-paced and ever-changing aspects of the cyber realm. The globalization of the internet and the digitization of various services across all fields have opened up opportunities to use flaws in information systems for various reasons (economic, political, profit-related…). As such, we identify three major issues for international security related to cyber: the integration of cyber into states’ arsenal, the rise of financially motivated non-state threat actors, and fast-paced weapon proliferation.
Integration of cyber capabilities into states’ arsenal
One of the most visible challenges to international security is the increased integration of cyber capabilities into states’ arsenal and weapons. Not only has cyber opened a new avenue for warfare, but state operations within the existing physical domains (land, maritime, air, and space) have been largely enhanced with the use of cyber capabilities, resulting in the emergence of “hybrid warfare”. The recent war in Ukraine has highlighted this convergence. Even if few major direct cyberattacks have been observed since February (mostly wipers, spear phishing attempts and DDoS campaigns), the conflict has shown how cyber capabilities are integrated not only for offensive purposes but also for strategic goals deeply connected to physical operations, such as intelligence gathering, SIGINT or communication jamming (like the Viasat satellite attack). Ukrainian telecommunications, businesses, and financial sectors have suffered extensive losses as a result of cyberattacks attributed to Russia. In addition, states have also learnt how to weaponize their private tech sector as well as citizens to take part in this new form of warfare. The creation of Ukraine’s state-approved “IT Army” perfectly demonstrates this integration. All of these capabilities make it easier for states to attack countries in ways not possible before, targeting ordinary citizens, private businesses and critical infrastructures, increasing the scope of damage caused to a state without the need for launching a kinetic attack.
In addition, the Internet’s availability and massive reach have resulted in it being increasingly weaponized by governments worldwide to disturb, disinform and influence public opinion, but also to facilitate warfare. The war in Ukraine is also a good illustration of this trend, further challenging international security. Troll farms spreading fake news, deepfakes, and state propaganda have been used extensively to wage war on Russia’s behalf. Thus, cyber is changing the way states perceive and understand wars, opening up new offensive opportunities.
The rise of non-state threat actors
Outside of states, the rise of non-state threat actors in cyberspace in the last decade is also a major challenge for international security. Cybercrime can be a huge source of income and continues to attract individuals and gangs looking to make a profit while remaining anonymous, without having to be extremely skilled in computing. A good and recent example of this trend is the under-documented Nigerian cybercrime scene. Emerging since 2019, it has benefited from the lack of strong laws on cybercrime, coupled with a high unemployment rate and the seemingly easy money to be made. Cybercrime led to a loss of $800 million for the Nigerian economy in 2018 but also affected European or American targets. Just like the more ‘famous’ Russian cybercrime ecosystem, these threat actors often structure themselves in gangs or business-like organizations.
Interestingly enough, non-state actors can also work with or for states themselves. Indeed, to make a profit, cyber mercenaries working for front companies (such as Void Balaur or the Atlas Intelligence Group) have been selling their services to the highest bidder, whether it is zero-day vulnerability research, cyberespionage, extortion… Similarly, legitimate companies working in the surveillance industry (such as NSO, Candiru or Cytrox) now sell offensive spyware to governments, further challenging international security.
All these different types of non-state threat actors benefit from the lack of clear international (and national) regulation. In addition to anonymity and difficulty of attribution, they benefit from extra-territoriality since they mostly target foreign countries. Indeed, the absence of extradition agreements between some countries from which most cyberattacks originate and the most targeted countries makes it extremely complex to tackle cybercriminals.
Cyber weapon proliferation
Finally, international security is intrinsically challenged by the fast pace of cyber weapon proliferation. There is indeed an inherently complex tension between, on the one hand, the propagation and development of ever more sophisticated malware among threat actors and, on the other hand, the relatively slow and unequal rhythm of cybersecurity maturity among users across sectors and countries. Many information systems (especially among critical infrastructures, public administration, utilities, and healthcare facilities) remain highly vulnerable to cyberattacks, as highlighted by the recent attack targeting the Seine-Maritime department (France) this month or the Conti ransomware operation which crippled the entire country of Costa Rica in June. These examples reveal how cybersecurity isn’t always perceived as a priority in many companies’ budgets, or even in states’. In addition, cybersecurity isn’t always complete when new software, new devices, or new technologies are conceived by developers, enabling vulnerabilities to be exploited by threat actors, for instance, in supply chain attacks.
This decentralized, slow, and incomplete pace of securitization is all the more problematic as threat actors continuously upgrade their techniques and arsenal (TTPs). Malware strains are now better equipped to avoid detection by antivirus software and EDR; they can also abuse less-secured Internet-of-Things devices to create a botnet. Threat actors benefit from an increasingly wide range of offensive capabilities, which is reinforced by the availability of sophisticated malware that is either found in open source, leaked or sold on underground marketplaces. Thus, this third challenge to international security is deeply rooted in technological evolution, timing, and the cybersecurity awareness needed to outpace the cyber arms race.
To conclude, the development of cyber capabilities and technologies creates new challenges to international security, offering new means of conducting warfare to states, but also new opportunities to non-state actors attracted by the profit cybercrime can enable. A third challenge resulting from this increase in threat actors occupying cyberspace is weapon proliferation, which the development of cybersecurity across countries and verticals struggles to outpace.