Cyber Warfare (9 page)

But that’s no reason to be complacent about ISIS’ capabilities and its intent. The cyber domain provides a group like ISIS with a low-cost means of harassing their adversaries and promoting their cause. They’ve demonstrated an ability to utilize modern technology and unleash effective propaganda, and they’ve proven attractive to
tech-savvy
youngsters. With their 2015 successes, confidence will have increased, and the next attack will be planned with greater ambition. There’s no reason that ISIS won’t work to mature what has so far been a successful strategy and capability. In many ways this reflects what we see in the broader cyber threat environment: the cyber domain is becoming an essential part of offensive operations for any group, be it a government, criminal organization or terrorist group. Over the last five months, ISIS has shown us that they are pushing to close the knowledge and capability gap when it comes to offensive cyber operations.

We’d be wise to keep a close watch.

PART FOUR
United States Policy, Problem of Attribution, Defense Department Preparations

Chapter Seven
United States Policy Stance; The Five Pillars

The United States, like many of its Western counterparts, has lost control of the technology upon which the power, as well as the threats to national security within our respective governments, rest. The cyber arena, and the technology upon which it is based, includes the science of cyber engineering. The safety aspects of this science have been evolved into the weapons that will be used as the primary offensive assets in the upcoming new age of cyber warfare.

The next major war will not be fought with tanks, vessels, and cruise missiles. The world will experience a cyber war with the potential for more damage and loss of human life than could be achieved by our combined nuclear arsenals. Some even say that when conventional weapons are used during this conflict, they are likely to be our own turned against ourselves.

Via complex cyber intrusions, hacktivists have demonstrated their ability, from halfway around the world, to hack into an automobile’s onboard computer, take control of the steering, brakes and acceleration, and run the car into a ditch, while the driver tried desperately to regain control in vain.

The same technological discoveries that created the framework of an automobile’s control system pervade every aspect of our military hardware. To expect our military to have some magic that the auto manufacturers do not have, especially in the light of the recent Office of Personnel Management cyber intrusion referenced earlier in which tens of millions of private, and sometimes classified, personnel files were easily stolen by the Chinese and Russians, is absurd.

The world, and America in particular is on the edge of a steep cliff, about to be pushed over by any number of bad actors who would do us harm. Many believe our government is naïve—largely in denial at the greatest threat to America that has ever existed. The ostrich theory clearly applies, and the nation is at significant risk.

Advanced nations of the world have placed a great emphasis on cyber technologies and have left Americans behind. This same illiteracy does not exist in Russia, India, China, and Japan where advanced sciences take a priority during a student’s formative years. Our lack of knowledge is also found in our nation’s political leadership. In America, the threat of cyber warfare takes a back seat to social issues. In countries like China, Japan, and Russia, it’s difficult to reach any level of political power without a vast knowledge of computer related technology.

To these countries, the concept of a government official who was not highly competent in the cyber sciences would be the equivalent of us having a president who could not read or write. This must drastically change and an increasing number of policy analysts believe we must accept cyber attacks from adversarial nation-states for what they are—acts of war—and respond accordingly.

Strides within the political hierarchy of this nation are being made in recent years. In November of 2011, the US government declared that it has the right to meet cyber attacks with military force. Although this is just a broad declaration, it’s significant because it takes the first step towards a declaratory policy for cyber war. The policy statement provided, in essence:
We reserve our right to defend ourselves with bullets, missiles, and bombs in the event that you hack us
. The statement was vague and didn’t mean much but fell short of drawing the line in the sand.

The Five Pillars

In 2010, United States Deputy Defense Secretary William Lynn introduced to the North Atlantic Treaty Organization (NATO) the framework for the United States military strategy for cyber warfare. Known as
The Five Pillars
, this cyber shield would extend a blanket of security over NATO member’s networks similar to the nuclear defense shield.

Article 5 of the NATO charter states
an armed attacked on one of its members should be considered as an attack on all the members
. After the September 11 attacks, this article was invoked in dealing with global terrorism. With the rise in cyber terrorism and crimes, there might be a need to accommodate the cyber attacks in the enforcement of Article 5.

The first pillar is to recognize that the new domain for warfare is cyberspace similar to the other elements of the traditional battlefield.

The second pillar is the implementation of proactive defenses as opposed to relying on passive defenses. Two examples of passive defense are computer hygiene and firewalls. The balance of the attacks requires active defense using sensors to provide a rapid response in detecting and stopping a cyber attack on a computer network. This would provide military tactics to backtrace, hunt down and attack an offending enemy intruder.

The third pillar is critical infrastructure protection to ensure the security of power grids, transportation, communications, and financial sectors.

The fourth pillar is the use of collective defense involving both the public and private sectors, which would provide the ability of early detection and to incorporate them into the cyber warfare defense structure.

The fifth pillar is to actively maintain and enhance the advantage of technological change. This would include improved computer literacy and increasing artificial intelligence capabilities.

Are new Geneva conventions needed?

In 2015, members of the House Intelligence Committee urged fellow intelligence community leaders to help create international rules of engagement, similar to the Geneva Conventions, for cyber warfare.

“We don’t know what constitutes an act of war, what the appropriate response is, what the line is between crime and warfare,” said Connecticut Congressman Jim Himes at a committee hearing on global cyber threats. While Congressman Himes put the burden on Congress to push for such international norms, he suggested that the nation’s intelligence agencies have neglected to create a clear set of standards. Rep. Adam Schiff (Calif.), the ranking Democrat on the committee and Himes, have rung the clarion bell and argue some high-level policy questions about how the U.S. treats cyberspace are still unanswered.

Experts agree there are three distinct kinds of cyber intrusions:

·
        
economic spying in cyberspace which is intended to benefit foreign companies financially;

·
        
cyber attacks designed to do damage to critical infrastructure and utilities, and

·
        
traditional intelligence-gathering efforts performed by nation-states.

“For many of our adversaries in this realm, like the Chinese, there’s a benefit to blurring the distinctions here,” Congressman Schiff said in an interview with The Hill. “If they can blur the distinctions, they can justify anything they do. It seems to me it’s in our best interest to draw a line between economic espionage and intelligence gathering. Shouldn’t we make clear what the rules of the road are?”

But how should the United States, and perhaps its NATO allies, treat the various kinds of cyber activity? At what point would the theft of classified information constitute an act of war? At what point would a cyber attack result in a military or economic response beyond cyberspace?

Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers pushed back on placing too much responsibility on the intelligence community to create international standards, characterizing such rulemaking as high-level policy decisions.

“The application of cyber in an offensive way is an application of force,” Rogers said. “In the broad policy context we use as nations, it will be a decision is made at a broad policy level. That’s not a decision I unilaterally decide.”

On a policy level, the adaptation of a set of international standards is attainable as it provides other nation-states some understanding of how the U.S. will respond to cyber intrusions. It would, in theory, have a significant deterrent effect. The United States should take the lead in establishing a roadmap, recognized internationally, on how cyber warfare and cyber criminal activity will be dealt with between countries. Some suggest that such norms will evolve over time. The question has to be asked—cyber attacks can happen so quickly, will the standards come too late?

Chapter Eight
The Problem of Attribution

Attribution—or lack thereof—is another major obstacle that prevents nations from defining when a bad actor can start a war via cyber attack. If a government cannot determine who carried out the attack, it’s difficult to know who to blame and whether the attack warrants a response. Without definitive evidence leading to identification of the intruder, a state can’t formulate an appropriate response without knowing who was involved. This challenge is on clear display with the Sony attack. At various times, investigators have attributed the attacks to North Korea, China, and even Sony employees. The FBI, after initially saying there was no connection between North Korea and the attack, has since concluded that indeed North Korea did carry out the attack—a conclusion that led to U.S. sanctions against the secluded country. For a time, it was alleged a disgruntled employee was behind the cyber intrusion—or perhaps both working in concert.

Just like any criminal investigation, if law enforcement could somehow figure out the assailant, then a lot of issues go away. If you know who’s conducting the cyber activity, you also get an insight into their intent. If it’s the Russian government, you know they have the ability to take things a step further. If it’s some hacker in his mom’s basement, you know there’s no intent or ability to raise the level of force that’s going to be used. Ultimately, the issue of attribution is not a legal problem; it’s a technical problem.

Determining whether a non-state entity is acting under the direction of the state further complicates the attribution problem. If it turns out that the Sony attack can’t be tied directly to the North Korea government, but rather to a group of non-state-affiliated individuals—North Korea’s response would be these individuals were just
patriots
. What level of command-and-control or even sponsorship is required before a state is held accountable for the cyber activity?

The problem of attribution won’t soon be solved. Most of the cyber attacks undertaken will require patient waiting and watching to establish a pattern. One policy analyst summarized the approach as follows: “We watch what states do over time and it sort of settles. State takes an action, no one objects, or everyone objects. We have a lot of people who want answers right now, but we’re in for a period of uncertainty.”

Attribution, the process of detecting an adversaries fingerprints on a cyber attack, will always be a challenge. Establishing any degree of confidence in determining guilt may always stand in the way of a military response. Will the United States government require a
beyond all reasonable doubt standard
as it might in a criminal prosecution? Time will tell.