AUSTIN – Information security has never been more front and center than it is now. The recent hacking of the Democratic National Committee; the implication that Russia, a sovereign state, may have been deeply involved; the potential effect it had on a national election; and the accusations, the difficulty of establishing proof, and the question of what can be done about it, all form a perfect backdrop for a look at cyber attacks, cyber war, cyber espionage, and cyber malfeasance in general. At South by Southwest, Sean Kanuck laid out a framework for thinking about cyber attacks, the ways in which they resemble and (more often) differ from warfare, and some ways the escalation of this new form of attack might be limited going forward.
Kanuck is a lawyer, a former CIA officer, the first U.S. National Intelligence Officer for Cyber Issues (2011 to 2016), and is currently affiliated with Stanford’s Center for International Security and Cooperation. He framed cyber conflict by defining terms and by comparing and contrasting it with traditional armed conflict. To start, he rejected the idea that cyber should be treated as another domain of war alongside land, sea, or air. Cyber is a means to an end: a way to disrupt information flows or the processes that depend on them, or to corrupt that information and make it unreliable. Cyber attacks are another means of obtaining a strategic result, not a form of war in and of themselves.
Cyber war vs. traditional war
There are many ways in which cyber conflict differs from typical conflicts. An attack can come from anywhere, and it is difficult to tell where it originated. It is possible, and not immediately obvious either way, that an attack came from a 400-pound hacker in his pajamas in an apartment, but that is not likely for the best-orchestrated attacks. Because of the worldwide, distributed nature of the Internet, it could come from literally anywhere.
The tools used are perishable, designed specifically for the target, and unpredictable. A bullet is designed to do the same damage to any human anywhere, and what it can do is predictable; the tools used to attack an electric grid or steal classified information are different from what may be used to hijack a router or internet-connected camera and make it do nefarious things. Using a war analogy, the Geneva Conventions define what constitutes a legitimate military target. Communications networks (and the internet that runs on them) carry both military and civilian information, so there is no separation of targets; everything is essentially fair game.
The newest trends in cyber attacks go beyond disruptive denial-of-service attacks on internet sites. Industry and infrastructure such as power grids and ATM networks are targets, and attacks on them could cause large social disruptions. Indirection is heavily used, making it difficult to prove who is behind an attack. Perhaps the most dangerous form is the integrity attack, in which the network or service is not disrupted but the information it carries is modified, and the target doesn’t know it has been attacked because there is no outage or other sign of disruption. One can see how this, used against financial services or healthcare for example, could be highly dangerous.
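The integrity attack described above is dangerous precisely because availability monitoring does not see it: the service keeps answering and the row counts stay the same. The following is an added example, not code from the article or from Kanuck, that shows the difference. It keeps a keyed tag (HMAC-SHA256) over each record so that silent modification or deletion is detected even though a simple "is the service up, are all the rows still there" check passes. The account records and the key are constructed for the example; in practice the key must live somewhere the attacker who can rewrite records cannot also reach (an HSM or a separate secrets store), otherwise they can simply re-sign what they changed.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for a financial data store (example only).
RECORDS = {
    "acct-1001": {"owner": "alice", "balance": 2500},
    "acct-1002": {"owner": "bob", "balance": 730},
    "acct-1003": {"owner": "carol", "balance": 18900},
}

# Hypothetical key for the example. Keep the real one separate from the data.
INTEGRITY_KEY = b"example-key-do-not-use"


def canonical(record):
    """Deterministic byte encoding so equal records always produce equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_for(record_id, record, key):
    # Bind the tag to the record id as well, so a valid record cannot be
    # copied into another id's slot without detection.
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_records(records, key=INTEGRITY_KEY):
    """Return {record_id: tag} for every record, computed at write time."""
    return {rid: tag_for(rid, rec, key) for rid, rec in records.items()}


def verify_records(records, tags, key=INTEGRITY_KEY):
    """Return the sorted ids of records that were modified, added, or deleted."""
    bad = set()
    for rid, rec in records.items():
        expected = tags.get(rid)
        if expected is None or not hmac.compare_digest(expected, tag_for(rid, rec, key)):
            bad.add(rid)          # modified content, or a record that was never signed
    bad.update(set(tags) - set(records))  # signed records that silently disappeared
    return sorted(bad)


def availability_check(records):
    """What a disruption-oriented monitor sees: the store answers and has N rows."""
    return len(records)


def silent_tamper(records):
    """Simulate an integrity attack: change one value, take nothing offline."""
    tampered = json.loads(json.dumps(records))  # deep copy
    tampered["acct-1002"]["balance"] = 730000
    return tampered


if __name__ == "__main__":
    tags = sign_records(RECORDS)
    tampered = silent_tamper(RECORDS)
    # The availability view is identical before and after the attack...
    print("rows before/after:", availability_check(RECORDS), availability_check(tampered))
    # ...but the integrity check names the altered record.
    print("tampered records:", verify_records(tampered, tags))
```

The tags should be computed by the component that writes the data and checked by a separate component that reads it, with a different trust boundary between them; an HMAC stored next to the data under a key the same process can read only protects against accidental corruption, not against the attacker the article describes.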
Cyber war’s unique challenges
Kanuck detailed how cyber conflict presents other unique challenges, particularly for thinking about how to respond to an attack. First, there is little today to deter it: there is no universal standard of conduct in this sphere comparable to the Geneva Conventions. It is relatively easy for any actor, state or otherwise, to test a target’s tolerance threshold, resolve, and technical capabilities. A cyber attack may do a lot of economic damage, but if people don’t die as a direct result, it is unlikely to provoke an armed response, assuming we are talking about provable state actors.
Even admitting there has been an attack exposes a vulnerability. Once the attack is exposed, the attacker knows the method can be detected and will use a different one next time. This is perhaps analogous to the Allies breaking German cryptographic codes in World War II and not revealing it, so they could keep secretly monitoring German communications. If you know how you have been hacked, it might be better to keep that quiet and use the knowledge for future protection and potential countermeasures. This gives governments and organizations a disincentive to come forward, especially when it is difficult to prove who is really behind an attack.
Despite the clandestine nature of cyber attacks, Kanuck doesn’t see a high likelihood of some kind of cyber Armageddon, an attack in which whole power grids and water supply systems stop working. In that case, with a high likelihood of large numbers of people dying, a real armed conflict would ensue. When 9/11 occurred, nearly 3,000 people died, and the response was a large-scale military invasion. One could expect that if an infrastructure attack resulted in that scale of human loss, the response would be similar against whichever actor is thought to have carried it out, although, given the indirect nature of attacks, it is often very difficult to prove who was really behind them. The more likely scenarios are attacks that stay below the threshold that triggers armed conflict: attacks on a key corporation (the Sony attack), attempts to influence an election (the DNC hack), or a limited infrastructure attack (the Ukraine power grid).
Deterring escalation of cyber arms
While China, the U.S., and Russia have all declared concerns about cyber warfare, few mechanisms exist today to draw lines that shouldn’t be crossed. It will require further cooperation on definitions of what constitutes an attack, what are legitimate targets, and what are undesired effects of cyber attacks. For example, the use of poison gas in war has been outlawed since the 1925 Geneva Protocol. Rules prohibiting attacks on infrastructure (for example, disrupting water supplies by attacking treatment systems) would be the cyber analogy. But the Geneva Conventions have been violated by a number of countries in different conflicts, so rules are just rules unless there is some incentive to follow them.
In the Cold War, the U.S. and the Soviet Union escalated the nuclear arms race to the point of MAD, mutually assured destruction. Perhaps the same will happen in cyber until that kind of shaky equilibrium is reached. Kanuck postulated that much better defenses, or resilience, are also necessary to deter attacks. Right now, too many vital systems have vulnerabilities that present attack surfaces. Even when it is difficult to identify an attacker conclusively and respond, making attacks much harder to mount is itself a deterrent. Because of the difficulties described above in correctly identifying perpetrators and the cost of exposing vulnerabilities, offense currently has the advantage over defense. A better defense that limits potential damage is one way to effect deterrence.
Beyond that, Kanuck proposed the basic elements of a security architecture to make cyber Armageddon much less likely. First, transparent, articulated rules need to be agreed upon for the use of cyber aggression, likely covering permissible targets and methods, similar to the Geneva Conventions. The rules need to apply universally, although, as with nuclear non-proliferation, some countries will clearly have capabilities that others don’t. Stability can be reached by arriving at the kind of Cold War equilibrium that would make any party think hard before launching an offensive move.
Unfortunately, these kinds of agreements take years to come to pass. And in that time frame, technology will move forward quickly, creating more challenges. Across industry, infrastructure, government, and the military, vigilance and defenses against cyber attacks will need to keep up.