No, It Wasn’t a Nation-State Actor. Really.
Think it was a nation state malicious actor? Think again. so many more likely causes for that outage you're concerned about. Honest.
Many years ago my sister’s car mysteriously broke down one day on her way to work. We towed it back home and began the process of troubleshooting - after all, we were a handy family with tools and knowhow. Her gas gauge said she had fuel. Her air filter wasn’t clogged. Her electrical system was working, good battery voltage, starter motor turning over, and spark was strong and regular. The fuel pump made its customary pumping noise. It clearly had to be some sort of ECU gremlin.
Then Dad pulled out the gas can for the lawnmower and put a gallon of gas in her car. It started immediately. Clearly the gas gauge was no longer trustworthy, and our worries over a control system gremlin were misplaced.
Conclusions are extremely easy to jump to, and for whatever reason the conclusions we often jump to are the worst-case scenarios, when the truth is often far less malicious. It is one thing to embrace the scientific method, data based conclusions, and empirical observations but it is another to overcome the bias and predispositions we all carry with us.
Why am I writing about this in a cybersecurity related blog? Because it is doubly true in our field. Recently AT&T had an outage impacting roughly 70,000 of their cellular customers, and impacting some customers of other cellular carriers due to shared infrastructure. As the event unfolded a notable portion of the general public was asking the question “is this the result of a cyberattack?” A worthwhile question to be sure, and an important one to have answered. Given the size and importance of systems like our national cellular providers, that question often quickly turns to speculation about “nation-state” actors.
However, having lived and worked in both the telecom and the cyber security industries, and having attempted to diagnose my sister’s car, I caution anyone about assuming there was a cyberattack at the heart of that (or any other) event without evidence.
Plenty of Other Explanations
One thing that gets glossed over as we turn our attention to cyberattacks is that there are plenty of possible causes of an outage like that AT&T one. Cyberattacks didn’t suddenly render mistakes, misconfigurations, or hardware failures extinct. Instead, they just became one more possible cause of failure. In fact in late 2023 Australian telecommunications company Optus had an outage that lasted more than 12 hours and impacted more than 10 million people that was the direct result of a Border Gateway Protocol (BGP) issue. Yes, an IP routing protocol that’s been around since roughly the time I could drink legally was at the heart of this massive outage.
There are lists of the “most impactful” Internet outages like this one from just a few years ago (so the Optus and AT&T outages aren’t included). Perusing the list of causes, we see a wide variety:
- Insufficient disk space, so the software crashed
- DDoS (oh look, this one WAS an attack - barely)
- Power failure
- Bad software update - multiple references
- Router configuration change (BGP or similar) - multiple references
- “Scaling problems” in cloud auto-scaling systems
I have a personal bingo card of “root cause guesses” in my head whenever an outage like this occurs. Here are my personal top 5:
- DNS (I know this one from painful personal experience)
- BGP
- Human error
- Poorly tested software rushed to production
- Supposedly fully redundant hardware that turns out not to be
None of this is to say, however, that it can’t be an attack, nor that the attack is from a “nation-state” actor, but the odds are generally against that.
Motive - Why Would They Do It?
There is a significant difference between different types of malicious cyber actors, and that difference is generally about their motives and goals. Cyber criminals, for example, are generally working to make money, hence the popularity of ransomware for them, and when they act they make sure you can contact them to pay them. (There are cybercriminal groups that certainly seem to be nation-state backed, but for our purposes that distinction isn't particularly important here as they are still financially based cyber criminals and their behavior is inline with this "role")
Then there are the political hackers, who are focused on either bringing people to their viewpoint, or punishing those who impede their activities. DDoS, data leaks, and vandalism are their most common calling cards, and they want you to know what they've done - they don't hide their involvement.
Finally we have the “Nation-State” actors. In general these actors are focused on three key goals:
- Data gathering/spying
- Preparation for conflict
- Support for ongoing conflict
We have ample recent experience with nation-state actors focus on conflict as we’ve watched the war in Ukraine over the past two plus years. Those actions did, indeed, focus on infrastructure such as communications, and have also turned to attempts to impact the efficacy of weapons systems directly.
It stands to reason that, during peacetime, a nation-state actor would be focused primarily on remaining undetected to gather data and spy, as well as working to infiltrate key systems and infrastructure to prepare disruptions should conflict occur. Indeed, we have ample evidence of these actions going on all the time, and to disappointing levels of success. A random destructive attack, especially one that potentially impacted critical infrastructure such as 911, would be counterproductive in peacetime, drawing both attention to and outrage at their actions. Think about the attention paid to cyber criminals of “DarkSide” when they ransomed Colonial Pipeline and then ask yourself if a hostile government really wants that kind of attention.
Sorting It All Out
So next time there’s an infrastructure outage that doesn’t have any accompanying signs of conflict with it I encourage you to recognize that the outage is far more likely a “bad patch” than the result of a sophisticated nation-state actor at the heart of the outage. I’ll never say never, but the odds are so skewed to a mistake, error, or just plain hardware failure that nation-state actors are just not likely to be the root cause. So rest easy knowing that it was a foul up, not the “bad guys” that are making you unable to place calls on your phone. (Don't you feel better knowing that?)
Originally published on LinkedIn on March 11, 2024