April 25, 2024

The mountain of shit theory

Uriel Fanelli's blog in English

And here we go again.

The experts minimize, and in some ways they are right, but what happened yesterday with the ransomware attack was nothing to be proud of. In practice, only minor infrastructures were affected, several thousand worldwide, and no infrastructure defined as "critical". Well.

After all, we are at war with Russia, whether we like it or not, and since these hackers (like almost everyone by now) are under the umbrella of Putin, who offers them a passport and freedom to attack, we need to do some propaganda. For real.

But now we need to open the box and figure out what happened. I'm not referring to the fact that this attack exploited a vulnerability VMware had already patched. It is well known that many don't care about best practices.

But the problem lies in the general structure of the Net.


In case anyone hasn't noticed, the world is changing. From a globalized world where people and goods moved around without problems, everyone trusted everyone, and Europe saw no problem in depending on Russia for gas, we have ended up in a different era in which Russia is the enemy, China is becoming one, the Indians are retreating into a ferocious nationalism, and the giants who made the history of the Net are weakening.

But if the external situation changes, and the map of trade and flows is distorted by the end of globalisation, what is the situation on the internet?

Apparently unchanged. The internet continues to function, and to be managed, as if nothing had happened: RIPE, in Amsterdam, continues to guarantee the functioning of the Russian network, as if Amsterdam were not a possible target of the first bombs which, hypothetically, would leave from Kaliningrad.

Think about this: Russia is excluded from the international credit card circuits. It is excluded from banking circuits such as SWIFT. It is under export restrictions.

The internet works as usual.

RIPE continues to happily propagate routes for Russian ASes, and continues to happily connect their exchange points.

And this despite the fact that we know very well that the Russians have an entire malicious government infrastructure dedicated to attacking infrastructure.

Does it seem normal to you?


What exactly does RIPE Amsterdam do? Let's say it actually inserts pieces of the Russian network into the internet's "map of maps", i.e. what BGP broadcasts, so that when you send data to a Russian computer, or a Russian sends data to us (good or bad), the network knows the route to use, both for the outward and the return journey.

If RIPE removed the Russian ASes from the "map of maps", Russia would be unreachable, at least from a European AS, or more probably the data would pass through ASes that still remember old routes and do not depend on RIPE.

Furthermore, it also takes care of the infrastructure side, "certifying" (in a certain sense) the exchange points, i.e. the large traffic nodes. If this were to fail, map or no map, it would be more complicated for the Russians to communicate with the outside world.

https://www.ripe.net/

Some might say that if RIPE took Russia off the "map of maps", or the "radio of maps" that is BGP multicast, the Russians could still use routes through other ASes, Asian or South American ones for example, and from there reach western servers.

This is true, but it would make a DDoS, for example, MUCH more problematic.

But the problem is not practical: if we wanted to segment the internet, there are many things we could do.

The point is that the management of the internet proceeds as if we were still in the super-globalized world of before, where the spice has to flow and both goods and people go where they want, when they want.


What should be done, in my opinion? First of all, we need to talk to the people at RIPE, who think like this when it comes to the internet:

In my opinion, RIPE should begin to understand that we are no longer in the 90s, that it could happen that the spice no longer flows, or that it needs to be channeled properly.

Once this is done, imagine that there are four "defence conditions", or DEFCONs, associated with the degree of danger. They are established on a national scale and are mapped as follows:

| State of readiness | Meaning | (Un)connected countries |
|---|---|---|
| DEFCON 4 | Business as usual, no particular risk. | All countries of the world are reachable. |
| DEFCON 3 | There are harassing cyber attacks, but the damage can be contained with good practices. Relations with other countries are no better or worse than usual. | All countries are reachable except the rogue states (North Korea, Russia, Iran, Afghanistan, etc.) and the countries on special black lists (e.g. Comacchio). |
| DEFCON 2 | DDoS and/or capable cyber attacks targeting strategic structures; there are signs of attack from organizations linked to governments. There are governments that are openly hostile and capable. | Only countries classified as friendly are connected (NATO, EU), where the level of cooperation with law enforcement guarantees that an attacker "on site" will be arrested. |
| DEFCON 1 | The country is under attack, it is not clear where the attack is coming from, the damage is huge or difficult to measure, and the outages are widespread. | Disconnected from the rest of the internet except for strategic governmental and military connections. |
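One way to make the table above concrete is to write it as a route-acceptance policy that a national border network could apply. The following is an added example, not code from this post; every ASN (taken from the 64496-64511 range reserved for documentation), prefix (RFC 5737 documentation addresses), country code, and list is constructed. It evaluates one announced route at a time in the four levels exactly as the table orders them, and also settles a case the table leaves open: an origin AS whose country is unknown is treated as untrusted at every level below DEFCON 4. Keep in mind that a real AS does not map cleanly to one country (multinational carriers, exchange points), which is one reason a filter like this is coarser than the table suggests.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Defcon(IntEnum):
    ONE = 1    # under attack: only strategic government/military links stay up
    TWO = 2    # capable, state-linked attacks: friendly countries only
    THREE = 3  # harassing attacks: everyone except rogue states and black lists
    FOUR = 4   # business as usual: everyone reachable


@dataclass(frozen=True)
class Route:
    prefix: str       # announced prefix
    origin_asn: int   # AS that originates it


@dataclass
class ConnectivityPolicy:
    asn_country: Dict[int, str]   # origin ASN -> country code (constructed here)
    rogue_states: Set[str]
    blacklist: Set[str]
    friendly: Set[str]
    strategic_asns: Set[int]

    def decide(self, level: Defcon, route: Route) -> Tuple[bool, str]:
        """Return (accept, reason) for one route at the given readiness level."""
        country: Optional[str] = self.asn_country.get(route.origin_asn)
        if level == Defcon.FOUR:
            return True, "defcon 4: all countries reachable"
        if level == Defcon.ONE:
            # Country no longer matters: only explicitly strategic links survive.
            if route.origin_asn in self.strategic_asns:
                return True, "defcon 1: strategic link"
            return False, "defcon 1: disconnected from the rest of the internet"
        if country is None:
            # Edge case not covered by the table: unknown origin is untrusted below DEFCON 4.
            return False, f"defcon {int(level)}: unknown origin country for AS{route.origin_asn}"
        if level == Defcon.TWO:
            if country in self.friendly:
                return True, "defcon 2: friendly country"
            return False, f"defcon 2: {country} not in the friendly set"
        # DEFCON 3: everyone except rogue states and the special black list.
        if country in self.rogue_states:
            return False, f"defcon 3: {country} is a rogue state"
        if country in self.blacklist:
            return False, f"defcon 3: {country} is on a special black list"
        return True, "defcon 3: reachable"

    def filter_routes(self, level: Defcon, routes: List[Route]) -> List[str]:
        """Prefixes that would be kept in the routing table at this level."""
        return [r.prefix for r in routes if self.decide(level, r)[0]]


# Constructed sample data: documentation ASNs and prefixes, illustrative country codes.
SAMPLE_ROUTES: List[Route] = [
    Route("192.0.2.0/26", 64496),     # IT: friendly and strategic
    Route("192.0.2.64/26", 64497),    # DE: friendly
    Route("192.0.2.128/26", 64498),   # RU: rogue state
    Route("192.0.2.192/26", 64499),   # BR: neither friendly nor rogue
    Route("198.51.100.0/25", 64500),  # ZZ: placeholder code for a black-listed entry
    Route("198.51.100.128/25", 64501) # no country mapping at all
]


def example_policy() -> ConnectivityPolicy:
    return ConnectivityPolicy(
        asn_country={64496: "IT", 64497: "DE", 64498: "RU", 64499: "BR", 64500: "ZZ"},
        rogue_states={"RU", "KP", "IR", "AF"},
        blacklist={"ZZ"},
        friendly={"IT", "DE"},
        strategic_asns={64496},
    )


if __name__ == "__main__":
    policy = example_policy()
    for level in (Defcon.FOUR, Defcon.THREE, Defcon.TWO, Defcon.ONE):
        print(f"DEFCON {int(level)}: kept {policy.filter_routes(level, SAMPLE_ROUTES)}")
        for route in SAMPLE_ROUTES:
            accept, reason = policy.decide(level, route)
            print(f"  {route.prefix:<18} AS{route.origin_asn} -> {'ACCEPT' if accept else 'REJECT'} ({reason})")
```

Running it shows the set of kept prefixes shrinking level by level: six at DEFCON 4, three at DEFCON 3 (the rogue, black-listed and unmapped origins drop out), two at DEFCON 2, and only the strategic AS at DEFCON 1. The decision function returns a reason string alongside the verdict so that a rejected announcement can be logged and audited rather than silently dropped.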

What advantages would a structure of this type bring? Critics will say that VPNs exist, and that it would be like closing the barn door after the horse has bolted.

This is because they have not understood that disinformation on the internet is a real cyber attack. Newspapers like Russia Today, already shut down in France and Germany, outlets of all kinds, etc.

Let us take the current situation, the Russia-Ukraine war, also sponsored by many NATO and EU countries. Knowing that Russia has Fancy Bear & co., we would therefore have been at DEFCON 2 for a year now.

This would hardly be an insurmountable obstacle for those who want to spread malware, but we are talking about disinformation. In the DEFCON 2 I imagine, we hit some weaknesses: to run a "Russia Today", you have two choices: the first is to be in Russia but visible from abroad, and the second is to create local companies to shorten the distance.

The trouble is that in the DEFCON 2 I imagine, the public is no longer able to read Russian newspapers, and if Russia wants to spread disinformation it has to open its outlet inside a network under EU or US/NATO control.

If we had organized the national networks to act as I describe, we would have been at DEFCON 2 for a year. In that year, the police and secret services would have swept away the Russian disinformation outlets: to work, they would have had to be located on national territory, or on politically very friendly territory, where the institutions cooperate.

The current defense system, in other words, is organized around the idea that cyber attacks are of the DoS/penetration type, aimed at sabotaging infrastructure and services, but it does not take into account that the hybrid nature of network warfare also includes disinformation.

DEFCON 1 would have the advantage of blocking DDoS, given that in the end there are too few devices in Italy to mount a real DDoS. If applied by all NATO countries, this kind of framework would obviously have far greater effects.

In a situation like last Sunday's, all of NATO and the EU would have gone to DEFCON 1 after the French alert, slowing down the spread of the malware (or at least they would have, if the relevant alert channels existed).


Why is nobody proposing it?

Because when we speak of cybersecurity we think of hackers who penetrate systems, DoS and DDoS, perhaps phishing, and other attacks that get into the computer one way or another, but propaganda, which even Gerasimov describes in his book as a hybrid attack tool, is not considered part of the defense landscape.

In fact, the system I'm talking about is mainly effective against disinformation attacks; it can mitigate DDoS and make it slightly harder to run large-scale scans or prepare a particular attack, but in the design of the defense against computer or hybrid attacks, disinformation is almost never mentioned as a danger.

It makes me wonder how many lessons need to be learned before understanding that yes, the spice must flow, but it would be better if the flows were under control.
