🧵 Last week I attended the Oxford Cyber Forum run by @cyber_conflict. Most of it was under the Chatham House rule, but a few bits & pieces that struck me as notable, all from very well-informed people. Bottom line is that cyber landscape reflects darkening mood in wider security
On the Russian cyber threat landscape: the number of actors is proliferating, with new threat actors 1/ within Russian intelligence services 2/ tied to other parts of the Russian government and 3/ semi-autonomous outside it.
In Israel I heard big concern about Russia passing advanced cyber tools & tradecraft to Iran. In Oxford one person noted that this would be surprising, as Russia has history of infecting Iranian infrastructure for fourth-party collection (i.e. piggybacking on Iranian spying)
Russia & China, despite their wider strategic co-operation, are still liberally hacking one another. One person also noted: "China probably has better insight into the Iranian government than the Iranian government does itself". This puts talk of an "axis" into some perspective!
On China: new threat actors constantly being discovered, but also a new ecosystem of 100+ commercial enablers, providing things like attack infrastructure, data brokerage, anonymisation tools, etc. Combo of enablers from different firms is making it harder to track APTs.
The network of private Chinese threat actors is interesting. The iSoon leaks are one example (). These firms often hack & then try and sell product to Chinese state; in other cases they are tasked by Chinese spies. PLA has officers embedded in some of them.therecord.media/china-commerci…
On the broader cyber landcape, one official noted: "our theories rest on the idea that zero-days are scarce, so countries are hesitant to use them." What, he/she asked, "could change that assumption?"
In Europe officials see "a lot of positioning on our critical infrastructure". Open sources suggest that since 2023 there were 67 cyber incidents involving Russian threat actors (23 targeting CNI). Six came from China (with five of those targeting CNI). And six from Iranians.
Official: "we cannot out-resilience our adversaries" on cyber. "Every kid in the schoolyard who's bullied knows if you want to make the bullies stop, you have to stop them. You have to find allies to help...You have to find long term strategies...to put them back in their box"
Official:" "the same is true in cyberspace. Fortunes in cyberspace favour the brave. Success will depend on whether you can manoeuvre the adversaries and impact will be determined by the quality of alliances you can muster."
"we have a key problem in that all our [European] cyber defenders at the mil level are still operating within an ancient system of peacetime-crisis-conflict. So we have a lot of shiny cyber commands in many allied countries" with "no mandate to operate during supposed peacetime"
Official: "the problem is that many of our military [cyber] operators are not mandated to do anything right now...we need to find ways of bringing them in now to what's happening now, so that we don't expect them to take over when there really is something escalating."
Official: "most of our infrastructure is operated by industry, private sector, most of our intelligence when it comes to cyber comes from industry. I would say even 90% of intelligence in terms of threat info. comes from industry these days." (see also: )economist.com/technology-qua…
One person argued the West was still better at offensive cyber. "some of the actors we count among the top of the line...a lot...don't even have that much operational experience. We talk a lot about the Chinese...but they have far less offensive operational experience than we do"
On defensive cooperation: "when we would go to a cybersecurity conference 10 years ago, Feds were not welcome. They would not step through the door without actually having the game in the room to spot them. Now it's become like a, like a running joke...the trajectory is positive"
"Ukraine is a country that up until a few years ago had vast swathes of its critical infra running on pirated copies of Windows XP. Look how quick the turnaround was, in defending that...collectively together through intel, the flow from the private sector, the public sector"
On cyber lessons from Ukraine. "there is a very strong security culture within the Russian security apparatus that is aggressive, that tests in production, that favours quantity over quality...they expended a lot of their capabilities early on and and truly sub optimal ways."
• • •
Missing some Tweet in this thread? You can try to
force a refresh
