January 2011 saw a rush of activity around the concept, defence and rules for cyber warfare. There was a report by the OECD, various conferences across the globe (most noticeably the Annual Security Summit in Munich), and the publication of a report by the EastWest Institute on the rules of engagement concerning cyber warfare.
The key message in William Hague’s speech at the Munich Security Conference in February was the creation of cyber warfare rules. This concept – that cyber warfare can have some sort of Geneva Convention – is laudable, but is it practical? Let’s look at some of the issues.
To start with, what is cyber warfare? It seems a popular buzzword at the moment, and its use and misuse feeds the confusion. In reality, we can take this over-simplified term and categorise it further. We can talk of cyber espionage, cyber terrorism and cyber war. Even then we end up over-simplifying events and activities that blur significantly at the margins.
Ever since a single secret existed, people have tried to uncover it. Espionage is as old as mankind and unlikely to disappear soon. The only real difference between “normal” espionage and cyber espionage are the techniques. A modern Mata Hari is more likely to have a USB thumb drive down her garter than a spy camera. In fact, a modern Mata Hari is more likely to be a geek in a bunker than some sort of glamorous femme fatale.
Espionage has never really had rules; it’s always enjoyed the deniability and third-party agent of fiction and fact. So with cyber espionage, what changes? It’s easier to do, there is less risk, it’s more scatter gun than rifle shot, and ultimately impossible to codify. It’s also unlikely to replace traditional espionage, but rather just enhance the capability and make protection from it more complex.
By its very name, terrorism is not subject to rules. Terrorism intends to bring fear to a population though unacceptable acts, and the thought of terrorists obeying a voluntary code of conduct seems bizarre. We also enter one of the blurred areas in any discussion of terrorism – is it state-sponsored, is it rebellion, is it freedom fighting? Events in Libya and Egypt point to the difficulties here.
No matter where we go on these vectors, we are left with the unquestioning belief in the impossibility of defining rules that everyone would stick to. Yes, you can have rules about who can take who to court, but that is not a deterrent or defence, especially if the ‘enemy’ wins its ‘battles’.
Cyber war is possible. One nation-state can attack another nation-state's infrastructure, communication and wealth with a cyber attack. The Russia/Georgia conflict demonstrated this effectively. However, in the same way that you cannot subjugate a nation with just air power, cyber war is only effective as part of a multifaceted kinetic battle (where real things go bang) as well. Russia did significant cyber damage to Georgia’s infrastructure and morale, but in the end it was the troops on the ground that prevailed, albeit against a weakened enemy.
So will we see nation states exclusively waging cyber wars on other nation states in the future? I believe it is unlikely in any formalised manner. I can foresee state-on-state espionage and third-party terrorism – deniable, very difficult to attribute, and difficult to defend against.
Regardless, in the event of cyber war as part of a kinetic battle, there is great value in defining which rules of engagement apply. Is it acceptable to take down an air traffic control system when civilian transport relies on the same infrastructure? Is it acceptable to take out national water or electricity systems? In these areas, rules of engagement make sense. Many nation-states abide by the existing conventions, again perhaps with some blurred edges. Categorising what is legitimate and what is not would be a valuable step forward.
Is the concept of cyber war hype? Some suggestions have been made that cyber war is a creation of the military contractors as a way to generate revenues by creating panic in worried administrations. The OECD’s report poured cold water on the concept of cyber Armageddon, but the challenge is that the genie is out of the bottle here. Stuxnet proves it’s doable, and with all things scientific and military, once you prove it can be done, everyone’s doing it – so it’s real. Perhaps its not worthy of the hysteria displayed in some quarters – stories of infecting satnavs and causing cars to explode do veer on the ridiculous – but any intelligent state with secrets and enemies must develop a sense of paranoia and do its utmost to protect itself and its citizens.
What’s fair game in a cyber attack – not just the State itself? In cyber war we can see that rules might exist, but in terrorism and espionage where are the boundaries? Attacking the banking systems, water or electricity might seem fair game to terrorists, but where does state or state-sponsored espionage stop? Stealing commercial intellectual property, be it designs, financials or strategic plans, was one of the objectives of the Aurora attacks in 2010. Again, many would believe that these were state sponsored.
But so what? Against the utopian ideal of proportionality and a set of conventions in cyber space, what would you do differently if they existed? Would you say ‘great, I can switch off my firewalls’, ‘superb, I can remove that pesky encryption’, or would you say ‘actually, I need to focus as much on defence as I do now, maybe more because the game has changed ‘. Rules are great, but reality means that not everyone plays to them and as a responsible security professional would you last long if you said to your minister or CEO: ‘it’s not fair, I trusted they’d play by the rules, it’s not my fault we got hacked’. Well, would you?
As the OECD stated in their report, your defence is not the rules of engagement but practical things you do in protection. Putting enough emphasis on security when you design systems, putting effective procedures in place and reviewing them regularly, perhaps accepting that 100% protection is now a myth and you need to have the resources and skills in place to perform effective incident response when (not if) they get through.
The concept of cyber warfare, real or not, rules or not, just made your job harder.
Frank Coggrave is general manager EMEA at Guidance Software. Coggrave has more than 20 years of experience in the security industry, working with a number of high-tech companies, including Telelogic, Continuus Software, Jacada, Texas Instruments and Websense. He holds a BSc in computer science from Brunel University.