IDEAS-2022: Exclusive Interview with Mr. Lars Hilse, Global Thought Leader & Political Advisor on Cyber Security

Lars Hilse: Having spoken to numerous military top brass, industry leaders, law-enforcement officials, representatives of the intelligence community, and even heads of state, I have come to the conclusion that there is no universal definition of cyber warfare.

Every stakeholder defines cyber warfare differently because they have something different to gain or respectively lose.

With the ever-increasing reliance on digital infrastructure, we will inevitably see an exponential growth of exploitation; obviously also by state actors in times of conflict through their military forces, and intelligence services.

Given the terrible current state of the Internet, and Network connected infrastructure,  cyber warfare, as opposed to conventional warfare, in which the ultimate escalation may be mutual annihilation through a nuclear exchange, is capable of crippling any nation by rendering multiple aspects of their critical infrastructure useless… without the obvious drawbacks.

Not only therefore, is it safe to assume, that cyber warfare should play a major role in any nation’s arsenal; not only being prepared to use cyber weapons to strike but more importantly, keeping their own critical infrastructure safe against adversaries.

Lars Hilse: I have worked with many stakeholders across the globe to answer this question. It basically starts out by defining watch your own critical infrastructure is.

Every nation has its own, main GDP contributors. Obviously, these should receive the maximum attention for if they are subject to an attack from an adversary, the impact would be most dire.

However, it goes without saying that there are those industry verticals, which are important to the people of any nation equally; these are, for instance, banking, communication, energy, water, etc., and the military of course.

Through this initial assessment, a list will emerge, which has to be prioritized individually for the aforementioned reasons.

The next step would obviously be to harden/secure the infrastructure against attack. You have to keep in mind, that even today, the most successful means of infiltration remains social engineering, and not cyber payload delivery through a network breach.

Lars Hilse: Both nations are heavily reliant on their network infrastructure.

Without it, without the Internet, without any means of communication, it’s only a minuscule amount of time until the civilian population will fall into chaos.

Over a decade ago, there was a case in Germany, in which the German top-level domains were unavailable for a few hours due to a technical mishap. Because the population was unable to access news websites, and obviously neither the websites of their banks, a small bank run started. Keep in mind, that this was over 10 years ago when reliance on the Internet was much less omnipresent.

Fast forward to today, and an event, like this would have disastrous consequences because of the exponentially increased network reliance. So the more reliant a country is on the Internet, the worse the impact of an Internet outage… True, that is the worst possible outcome, and therefore one of the primary targets in a cyber conflict.

The economies of both nations would take significant hits. Civilian life would fall into almost immediate chaos because people have become so accustomed to using digital devices to communicate with each other. The push towards a cashless society would also immediately backfire because the connected terminals also require the Internet to execute monetary transactions.

However, the military implications would be insanely important to mention because, like the rest of the population, service members, who are not at their post, and would need to be mobilized, can’t be reached because the communication infrastructure has also fallen victim to the cyber attack. Even outdated methods of reaching reservists, and military personnel, not on base, like through the FM radio wouldn’t work, because the news anchors are going to be cut off from the outside world as well.

The ripple effect on other nations would take effect almost immediately.

Now, I don’t want to paint a picture of doom and gloom but this is an actual risk I wrote about in a paper published in 2014.

Lars Hilse: I think most readers are going to have that picture of a hacker, infiltrating a military network, and launching ballistic missiles at the enemy. And while this is probably not entirely impossible, the reality is, that security risks start with a deployed, platoon, which was not ordered to leave their cell phones behind.

This example may seem benign but actually gave the Ukrainian forces a significant advantage, particularly during the first phase of the Russian invasion by pinpointing gatherings of foreign GSM devices logged into their GSM infrastructure.

It also goes without saying that personal communication devices, which are often easily accessible by the adversary should be banned from the battlefield to prevent information from falling into the hands of the enemy. Even seemingly benign communication between a commander, and their subordinates can give the enemy a strategic advantage. Particularly if this communication is being conducted through private services like WhatsApp, and personal email accounts, both of which are definitely not up to industry standards in terms of encryption, and so on.

Another very important aspect is, of course, the spreading of fake news to demoralize the troops of an adversary. Any successful cyber attack on the infrastructure of a nation under attack can have a significant demoralizing impact on this nations troops as well.

Obviously, this list goes on and on, and I would be happy to speak in detail with anyone interested in reducing cyber risks to their military.

Lars Hilse: (Can’t answer that because I don’t know the capabilities)

Lars Hilse: Freed of the geopolitical aspect any conflict between nations will most certainly involve cyber weapons given the circumstances in the condition of anything network connected/critical infrastructure. The effectiveness of cyber weapons versus conventional weapons is much higher and thus more economical.

Still, conventional warfare is going to be seen on the battlefield nonetheless. Yet, the smart deployment of cyber weapons to make it more difficult for the adversary to deploy their troops, resupply them, and keep up their morale, among other implementations, will provide a significant advantage.

Now, is it possible for a cyber-only event to take place? I doubt that because existing military strategy relies very heavily on kinetic warfare aspects.

This doesn’t mean that cyber weapons could be deployed alongside the more traditional military arsenal, and may very end up as a game changer in a conflict.

Lars Hilse: (You’d need to make this question more precise, please)

Lars Hilse: We have seen the temporary disabling of the GPS system after 9/11; with all its impact on shipping, air travel/air cargo, etc. Not to mention the implications on the civilian population, who are heavily relying on GPS for their daily, convenient commute and travel.

The consequences hereof were obviously quite impactful two decades ago. With the exponential adaptation in both civilian and military use, it would have drastic implications given that most pilots, captains, and civilians, have forfeited conventional means of navigation in favor of GPS-assisted navigation for convenience purposes.

Globally, the consequences wouldn’t be quite as impactful, as the European Union – for instance – has deployed its own GPS system in 2016 to avoid the reliance on a monopolistic system like the original GPS.

Lars Hilse: Most certainly! If you distance yourself from the idea that such thing as perfect cyber security exists at any given point in time then a thorough strategy to protect strategic organizations, and critical infrastructure can play out quite well.

However, this strategy needs to be constantly adapted and improved because of new threat vectors being introduced.

As I have proposed to many governments, it’s about finding out which pieces of the economy have the highest priority for the GDP of a nation.

This prioritized list, then requires tough legislation, in which regular stress tests of the infrastructure are as mandatory as a list of ideal protective measures, which needs to be constantly reiterated based on newly discovered threats.

Obviously, the requirement for a country to be able to defend itself at any time makes it nearly compulsory for a significant part of the national cyber security budget to be made available to the military.

Lars Hilse: Given the high cyber capabilities accredited to Russia time and again in the past, I was surprised that so many kinetic weapons were used to disable such things as communication, and energy infrastructure instead of the deployment of cyber attacks to achieve the same outcome.

I think that every nation, which hasn’t equipped its military with cyber weapons, and which hasn’t dedicated a decent budget towards hardening its critical infrastructure against any type of attack should start doing so immediately.

Due to the unfathomable amount of security flaws in software, outdated software, dormant hardware, convenience-caused risks, etc., etc. the scope in its entirety is unassessable in its totality.

As a result, cyber weapons, once wider adopted by militaries around the globe, will play a significant role in severely damaging an adversary in conflict.

The next escalation will be the deployment of AI-based cyber security instruments, with multiple neural networks for assessment, defense, and offense capabilities, as I spoke about on stage at this year’s IDEAS conference in Karachi.

Lars G. A. Hilse (*1979) is a political/corporate advisor, and expert/witness in information security with a focus on the risks of cyber terrorism, and cyber warfare, and their impact on the security of critical, national/global infrastructure.

He maintains close cooperation with law enforcement, and the intelligence community, and actively contributes to the most difficult, and notable cybercrime investigations.

He acts as a cyber-crisis-manager, and through his vast network is able to deploy highly specialized cyber-incident-response teams globally within hours.

In his capacity as an information security consultant, he performs state-of-the-art risk assessments & mitigation directives, and crisis response protocols, and establishes cyber security maturity models.

Among his other talents are intelligence gathering, accessing well-protected infrastructure/ networks, forensics with a focus on social engineering, and other unorthodox access methods.

Since his first exposure to the internet at age 13, Hilse has constantly broadened his skillset in cybersecurity, focussing on cybercrime, cyber terrorism, and cyber defense.

Due to his precise foresight of all developments in the digital realm for over 25 years, he is repeatedly referred to as a global thought leader in cyber security, and digital strategy.

Hilse has privately funded research in cybersecurity worth over USD $1.000.000 since 2011. Some of the results hereof were the Advanced Cybersecurity Risk Assessment Checklist (ACRAC), the advancement of several information security maturity models, and numerous papers and books).

He acts as a political advisor among others to the European Parliament, always proposing highly individualized, complex, multi-phase approaches in which a threat-landscape is established, risks identified therein are mitigated, after which a (legislative) framework will reduce the potential fallout of cyberattacks.