Towards an accurate description of cyber operations

The novelty of cyber operations has led to them being both under- and over-hyped. Life-threatening cyberattacks receive less attention, and therefore less decisive action from governments, while routine cyber intelligence operations are elevated to ‘attacks’ and treated as hostile actions.
Threat actors conduct operations with aims comparable to traditional terrorist or military attacks, but do not receive comparable responses. Cyber operations like Stuxnet, Trisis, and recent attacks on water treatment plants endanger health and life and disrupt access to essential services. On the other hand, less dangerous campaigns like Salt Typhoon or the SolarWinds supply chain ‘attack’ gained very high profiles, including calls to action from US policymakers. However, the likely aim of these campaigns was counterintelligence and intelligence collection, similar to operations conducted by intelligence agencies worldwide on a daily basis. Deploying cyber capabilities for espionage is a widely recognised practice and does not violate international law. It is analogous to human intelligence operations such as recruiting and developing sources for the clandestine collection of state secrets.
Despite drastically varying intent, these cyber operations tend to all be reported simply as ‘cyberattacks’. This abandons the distinction between computer network exploitation and computer network attack, despite the important differences between espionage operations and destructive attacks. When information about cyber activities is communicated to the public in this manner, it leads to incorrect understandings of the threats posed and to unnecessary fear and uncertainty.
One solution to these issues is to use plain language to describe cyber operations, stating what the perpetrators aimed to achieve. Was the goal to cause destruction or merely to collect intelligence? It is important to address the core intent behind intrusions instead of focusing on their cyber aspect.
A crucial mismatch
In terms of public policy and state response, plain language – calling military operations and incidents of sabotage ‘military operations’ and ‘sabotage’ rather than vague ‘cyberattacks’ – demands a more decisive response.
A notable example of the mismatch between the nature of an operation and its consequences was the deployment of the Prestige wiper by a Russia-based group, associated with the Sandworm threat actor, against transportation and logistics targets in Poland. Tasking the Sandworm group, known for its destructive operations in Ukraine, to attack targets in Poland indicated a willingness to cause damage not just outside of Ukraine but even in a NATO country.
However, while this was a Russia-based attack targeting critical infrastructure, it did not result in the diplomatic interventions provoked by, for example, Russian missiles crossing into Polish airspace. This is the case even though the intent to cause damage was more direct in the case of Prestige than the likely accidental airspace intrusions.
A similar case is that of the discussion around Volt Typhoon. The group, probably linked to Chinese military intelligence, breached critical infrastructure to lay the groundwork to conduct destructive operations in the future. Volt Typhoon targeted critical communications infrastructure between the United States and Asia, as well as utilities and telecommunication providers. The US government claims this is intended to slow down military mobilisation following a potential Chinese invasion of Taiwan. Despite the destructive potential of the campaign, the US response was confined to diplomatic channels rather than retaliatory disruptive operations or military exercises in the region.
One result of this mismatch between the characterisation of activity and policy goals can be seen in the use of criminal indictments by the US. The US government used indictments as a response to multiple campaigns by China-nexus actors aiming to steal intellectual property and confidential business information. While the activity was treated as criminal, there was no realistic chance of following up with criminal law measures such as sentencing. The indictments had little effect in terms of deterring adversaries, and campaigns continued.
In contrast, calling intelligence operations ‘cyberattacks’ contributes to fearmongering. It portrays routine espionage as much more disruptive and dangerous than it is.
One example is the hack of software provider SolarWinds by a Russia-affiliated actor. This threat actor compromised software supply chains and created backdoors to a number of government and private sector targets. While the operation was classic espionage, aimed at collecting political and strategic intelligence, US officials went as far as calling it ‘virtually a declaration of war’, stating that the ‘magnitude of this ongoing attack is hard to estimate’.
The price: loss of flexibility
One group might benefit from more abstract ways of discussing threats, such as using monikers and broadly describing incidents as ‘cyberattacks’: policymakers. Such framing leaves leeway for limited responses, avoiding potential escalation. For example, when US President Barack Obama called the North Korea-linked hack of Sony Pictures ‘cyber vandalism’ rather than an act of war, he used language that specifically allowed him to avoid having to conduct retaliatory operations.
No more flashy names
This situation is exacerbated by the naming conventions of threat intelligence vendors, which often use colourful language or anthropomorphised representations of threat actors. This approach includes presenting them as comic book characters or animal-like figures, or using monikers based on humorous wordplay referencing intrusion artefacts, with threat actor names like Fancy Bear or Mint Sandstorm, or the malware name Dadbod. It makes cyber operations seem abstract and disconnected from their reality as covert operations or criminal activities.
A plain-language approach can mitigate those drawbacks and improve public understanding of cyber threats and risks. Rather than using a catchy moniker like ‘Salt Typhoon’ and describing it as a ‘cyberattack’, government agencies should refer to it as ‘a foreign espionage effort designed to improve counterintelligence capabilities’. Using imaginative names does not help, and may even glamorise hostile activities.
Attribution of operations will further support such efforts, even if naming perpetrators is not always possible. Simply stating that an operation was conducted by a military, an intelligence service, or criminals provides context and informs the public about the nature of the activity. While indictments can fail as a means of imposing costs, they have succeeded in this respect: the evidential burden required to issue a criminal indictment and present it in a court of law makes it a reliable and robust method for publishing information about alleged perpetrators.
Normalising language and ensuring that cyber operations are accurately described in the media will limit fearmongering and ensure that the public can understand their scope and goals. When the public grasps these threats, it can better engage in informed debate and support necessary policy decisions. This clarity is essential not only for justifying policy responses but also for maintaining credibility on both the national and international stages.
Through clear communication, state officials can explain why a cyber incident requires diplomatic measures, targeted economic sanctions, or a coordinated cyber defence, and ensure that the public understands any cyber operations that might affect their lives.