Friday, December 16, 2016

The 5 Principles of Cyber Warfare

This week we got a partial glimpse into the types of action that the United States might consider to be acts of Cyber Warfare. I had written about this topic 2 weeks ago in regards to Voting Integrity in the face of Russian cyber attacks, but the story has escalated since then – culminating this week in direct accusations against the Russian government. The CIA and even President Obama have directly implicated Putin as being personally involved with the deliberate aim of swaying the 2016 election. In a year of big stories, this may have been the most far reaching in its implications. One of those implications, which has already been alluded to by many in Washington, is that this act may in fact represent a form of Cyber Warfare.

So, what exactly does Cyber Warfare mean and how does it differ – if at all – from Cyber Terrorism? That’s a tough question, one that I’ve not seen answered clearly before. Cyber Terrorism can come from nation states, such as China, North Korea, Iran and so forth, but one might expect that actions perpetrated by nation-states are less like terrorism per se and more like warfare. It is worthwhile at this point to step back into the not too distant past and bring up a similar question that also still applies here – what’s the difference between a “Cold” and a “Hot” war? The Cold War, as you might remember, involved a whole host of activities from espionage to proxy wars. The Hot or real war between the super-powers never occurred, and it didn’t happen primarily because of the concept of Mutual Assured Destruction through use of our nuclear arsenals. In that case, the distinction between the terms also involved both the nature of the participants and the types of activities involved, which is similar to the current question.
None of this really helps, though, to clear up the confusion regarding what is or what isn’t Cyber Warfare. Here are a few reasons why:
  • Cyber Warfare can be both covert and overt – depending on the nature and intent of the attacks as well as on the determination as to whether they should be publicized in any way.
  • Cyber Warfare could be conducted by both Nation States and Terrorist organizations. The key distinction here though would be that we wouldn’t necessarily classify acts committed by smaller unknown groups or even individuals as Cyber Warfare. In those instances, the term Cyber Terrorism might be more applicable. However, it is also clear that in Cyber Warfare, as in traditional warfare, non-nation state organizations can and have conducted offensive operations.
  • Cyber Warfare can be a standalone or blended activity (e.g. coordinated with other traditional war-fighting activities). It’s conceivable that an entire conflict could be fought solely within the Cyber Domain. Cyber “Domain” here refers to the notion that Cyber represents one of several potential war-fighting domains such as Land, Sea, Air and Space. The US military formally acknowledged Cyber as such a domain with its creation of US Cyber Command several years ago. Of course the reality of this statement is more complicated than it sounds, as Cyber also infiltrates all other warfare domains through the technology implied by it – it is a cross-cutting domain, and even if an attack were completely limited to Cyber actions it is highly likely that physical capabilities (such war-fighting assets as ships, planes, etc.) might be impacted.
  • Cyber Warfare can be directed at the Government or the Industrial Base or both. We can’t say, for example, that all attacks against businesses must be considered Terrorism per se – the intent is what’s important. If the intent of an attack is to cripple the country that’s been targeted, then a Cyber attack like that is no different in principle from the types of bombing raids we conducted against Germany in WW2 in order to cripple its industrial base. Today, though, the sectors that are perhaps more vulnerable might be Energy and Finance as opposed to Manufacturing. The results might be the same, though, if the goal is to hobble an economy or otherwise disrupt a nation state.
Now, we are ready to consider what the distinctions between Cyber Warfare and Cyber Terrorism really are. They would likely involve the following considerations:
  1. Cyber Warfare must necessarily consist of a sustained campaign of Cyber activities, designed to disrupt any mission critical functions of an enemy at a national level. This doesn’t mean the activities have to occur in many places to have a national impact; it merely has to be designed to impact an opponent that way (and would also likely encompass more than one attack or incident).
  2. Cyber warfare must necessarily occur between substantial Cyber combatants. The nature of what constitutes a ‘substantial’ combatant lies in what resources they have to bring to bear in any given conflict. A well-established terrorist or rebel group may have the money and personnel to manage sustained attacks. However, smaller groups with few resources may only be able to sustain limited operations or a single attack. While there is always the possibility that an individual or a small group might be able to do harm at the national level, it is unlikely that they could sustain this over months or years, and it would be more akin to one-off terrorism than warfare in the context of sustained operations and likely outcomes.
  3. Cyber warfare, in general, involves more specific objectives in contrast to Terrorism which is often random in nature and may only be focused on making a statement rather than effecting some desired outcome.
By these definitions, I’d have to say that the Russian hacking of the DNC computers and related activities designed to impact the 2016 election falls under the category of Cyber Warfare rather than Terrorism. And this raises the question: why does all of this matter, and why do we need more specific definitions? The bottom line is that if we don’t have a clear idea of what represents acts of Cyber warfare (either covert or overt), it’s highly likely we won’t be able to measure our response properly. Deciding how to respond is obviously a very big deal – as any such decisions could quickly escalate from the Cyber domain into all the others. Perhaps our government does have all of this worked out, and maybe it’s just too secret for any of us to know about. However, from our vantage point now it’s all a bit fuzzy. When the President says “we will retaliate in a manner and time of our own choosing” we basically don’t have a clue as to what that really means.
Rather than spend a lot of time speculating as to what our response might be, we can instead highlight some principles that may apply to any such situation. The following principles represent a potential framework that might be used to help deal with Cyber warfare as it continues to evolve.
  1. Proactive Awareness – In order to survive or win any Cyber conflict, the nation needs to know when in fact it is under attack. Some attacks are more obvious than others and, as the recent election shows, our response can be slow or too late to avoid impacts. Proactive Cyber Awareness is not about hacking into everyone’s cell phones, but rather it is about being able to identify unusual behavior in key systems and sectors across the country (or wherever our interests may be). This means we need more selective and actionable intelligence than we seem to be getting now.
  2. Measured Response – This has been mentioned in the news, but as I noted it’s not been explained by anyone (at least publicly) yet. For this to actually work, someone needs to define the measured responses up front rather than assessing each event as if it were the first time it had been considered. The landscape is fairly complicated, so this involves a lot of work and some automation. However, it shouldn’t be fully automatic any more than our current traditional war-fighting capabilities are – the human in the loop must always be present.
  3. Defined Escalation Approach – This is a process and it ought to be built atop the measured responses defined previously, the idea being that whenever or wherever Cyber activities begin crossing over to other areas there needs to be another level of safeguards built in to avoid any type of cascading escalation that could lead to something like a nuclear conflict.
  4. Maintain a Consistent Policy – In theory, our management of Cyber war shouldn’t be unique in each potential scenario – there ought to be a consistent expectation as to what will happen if enemies launch attacks against the US. This is a key point in the recent debate over Russia, as the situation has also become embroiled in US political differences, confusing the matter. While there will always need to be specific considerations given to certain situations, we should never give an indication to any opponent that Cyber attacks may be permitted without any response coming from the US. This would be an extremely dangerous precedent and helps to explain why the President and CIA made statements this week to the effect that election interference would not go unpunished. Better late than never, and like all of warfare, if we're in the game we should build policy around what's necessary to win – as opposed to settling for mere survival. There may be such a thing as a Cyber Maginot Line...
  5. Continuous Innovation – This may be the most important point, given the stark reality that it is easier and more cost effective to mount a Cyber attack than it is to defend against one. Despite the billions spent each year in the US across government and the private sectors, Cyber Security breaches and attacks have only become more prevalent and severe. More focus needs to be given to pushing the envelope on innovation to help reduce the current advantages enjoyed by our Cyber opponents. Today, much if not the majority of innovation has come from the attackers and we’ve been playing catch-up. As in every other realm of warfare, the side with the greatest technological advantage tends to win.
It’s anyone’s guess as to whether the current Russian hacking crisis will boil over into something more, but one thing is certain: the age of Cyber Warfare has most definitely dawned.

Copyright 2016, Stephen Lahanas