Internet security is a hot political topic at the moment. Governments are implementing changes to protect key infrastructure from both foreign and domestic network attacks.
During the UK Prime Minister’s visit to the US last week, both David Cameron and Barack Obama pledged a closer partnership on internet security issues. A joint fact sheet, released on March 14 last week, states:
"As the United States and the United Kingdom continue developing joint capabilities that support our national security interests in cyberspace, we are sharing more and more incident data to help us and our allies counter advanced persistent threats."
Against the backdrop of wider internet security discussions, concerns about cyberwarfare often arise. However, thanks to liberal use of the term, and a big dollop of hype, it is very difficult to work out what cyberwar actually encompasses.
In a fascinating Foreign Policy article called “Think Again: Cyberwar”, Dr Thomas Rid has provided some clarity by questioning many of the widely cited cyberwar aphorisms. Three in particular caught my attention:
“Cyberwar is already here”
This claim could be supported by key incidents often cited as definitive examples of cyberwar. Back in 2007, alleged Russian DDoS attacks hit Estonian infrastructure to protest the removal of a Russian war memorial in the capital, Tallinn.
In 2008, sustained DDoS attacks and defacement of government websites in conjunction with conventional kinetic attacks hit Georgia during the South Ossetia conflict with Russia.
Most famous, though, was the 2010 Stuxnet worm incident. The worm was known as the world’s “first real cyberweapon” and allegedly targeted industrial controls at a nuclear plant in Iran, with the intention of damaging its uranium-enriching centrifuges.
Naked Security writer Paul Ducklin did try to temper the hysteria at the time in his article, “Stuxnet? Let’s stop being scared of shadows”.
In “Think Again: Cyberwar”, Dr Rid says “cyberwar is still more hype than hazard”. He rejects these examples as “cyberwar attacks” because they don’t match up to the traditional definition of war:
"...an act of war has to be potentially violent, it has to be purposeful and it has to be political...there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it's not an act of war."
Clearly, a stricter application of this definition greatly raises the threshold an attack has to reach before it can sport the label “cyberwar attack”.
For me, it also highlights the complexity that comes with over-using the term war. Perhaps we need to create a broader typology of narrowly defined terms to describe these acts. These could be drawn from existing notions of terrorism, espionage and protest.
“A digital Pearl Harbour is only a matter of time”
Fellow Naked Security writer, Lisa Vaas, recently noted the distastefulness of this analogy and how “cooking up apocalyptic metaphors” diverts attention from the real risks for infrastructure management systems.
Past doomsday portrayals of the impact of cyber attacks have included exploding oil pipelines, disabling air traffic control systems, releasing poisonous gas and making trains collide.
Dr Rid argues the evidence simply doesn’t justify this kind of scaremongering and exaggeration. While attacks on critical infrastructure might theoretically give such results, this remains theory, and currently these tall claims are unjustified.
But a recent Wired article highlights another problem with this widespread rhetoric and exaggeration, noting “the alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.”
“We need a cyberarms control agreement”
Defining international controls on the use of internet weapons is not a bad idea, but Dr Rid does raise three issues blocking the way.
- Critically, differentiating between cybercrime and state-sponsored attacks, where both often use the same generic technologies, is a big issue.
- Controlling the manufacture of cyber weapons and relying on an international treaty to stop such activity would be impossible to enforce in practice.
- These would pose huge problems for getting any such agreement off the ground.
I think with some types of attack, it is difficult to draw distinctions based on the technology alone. Botnets and DDoS technologies used in the Estonian and Georgian state-sponsored cyberattacks also happen to be the weapon of choice for everyone from cybercriminal enterprises to hacktivist groups such as Anonymous and Lulzsec. Internationally controlling use of these tools by treaty is incredibly optimistic.
I would add that the issue of attribution of attacks is another big sticking point for effectively managing cyber-threats. When the ultimate perpetrator of attacks can hide their identity behind, for instance, botnets, it becomes very hard to determine the appropriate response.
This becomes particularly important if we continue to think of inter-state cyberattacks as acts of war. Applying international legal rules on use of force or self-defence becomes incredibly complex if the aggrieved state doesn’t know whether it is dealing with state-sponsored attacks, foreign cyber-espionage, domestic cyber-terrorists or hacktivist groups.
Without a doubt, there are threats from aggressive uses of computing, be they acts of cyberwar or otherwise. However, there needs to be a real discussion about the actual threats and how best to deal with them.
As long as the current frenzied circus of fear, uncertainty and doubt continues, this will be very difficult to do.