Op-ed: Has cyber warfare reached the age of limitation?
Why we cannot continue to live in a digital wild west
A senior executive arrived for work at Sony pictures and found her desktop computer had a random and slightly strange picture on her front page as she tried to log in. She sighed to herself and then reached for the phone to call the IT desk. But this was not a Ctrl-Alt-Del day, this was a hack.
The “Guardians of Peace” left skulls on her desktop as the final piece of a jigsaw they started building a year before hand. This was the culminating point of a well planned operation with a clear purpose in mind. As we all know now, Sony was knee deep in a cyber conflict and what she didn’t know was that this would outgrow Sony pictures. This cyber-salvo was fired because Sony was intending to release a film on someone assassinating the North Korean leader. The anonymous hackers had broken in to Sony’s system and had erased terabytes of information including actual (unreleased) commercial footage. Sony was given an ultimatum; stop the film release or the digital attack would be followed by a physical attack in cinemas. Sony conceded. The US’s first amendment was in trouble and the instigators, aka The Guardians of Peace, had won.
"Whilst there is an economic benefit to the use of the internet, this also presents an unrivalled opportunity for states, groups and individuals to attack each other"
While this is now a global problem, the West is uniquely vulnerable. According to Cisco, the annual fixed internet traffic in 2016 was 65,942 Petabytes (a single PB is 1,024 TB) and growing fast. The reliance on being connected is growing globally and countries understand the economic growth that accompanies a connected economy, look at Estonia. But whilst there is an economic benefit to the use of the internet, this also presents an unrivalled opportunity for states, groups and individuals to attack each other. Not only to attack but also to carry out large scale, widespread physical, monetary and computer damage, sometimes well beyond their previous ability and sometimes without meaning to do so.
Every part of our national infrastructure is connected (meaning, the facility has an intranet – albeit isolated – and uses commercial software), the National Grid, Water, nuclear, transport, et cetera, and all of them can be attacked. Whilst there are many lines of defence and preventative measures in place, every gap can be breached. The Iranians purposely built their centrifugal plant entirely isolated from the rest of the net. If you have an ‘air gap’ you can’t be attacked? Wrong. The Israelis left a series of thumb drives around the offices and cafes which someone picked up and used. That’s all it took. The beauty of an e-weapon is that the victim is not always aware that they have been attacked. This sleeping Dracula syndrome even struck the mighty US; the US DoD took 14 months to realise that there was a worm sitting in a server, feeding information back. So the scale of the attacks is rising as the anonymity and the frugal nature of e-weapons makes them increasingly appealing. According to Symantec, it blocked 229,000 web attacks per day in 2016. That’s a staggering 83 million per year.
The other major difference between physical and cyber attacks is that military confrontation, of the sort that we are familiar with, was traditionally a government on government activity, or at least with a nation state’s resources. That is no longer true in the cyber world when the target for the attacks can be civilian organisations and the private sector. This has relegated the Government to a parental, advisory - and sometimes legislative- framework but it is no longer the first line of defence as it was historically.
How secure is our software? Ask a coder forum and they will quote that there is a small defect in every 2500 lines of code and then consider that a Windows application has 40 million lines of code which would give approximately 16,000 weak points (and from weak points, attacks are made).
Imagine a scenario where a hostile near-peer country which feels threatened by sanctions or having troops on its borders, decides to start attacking the west’s key weakness’s (fickle public opinion, IPR, FinTech, et cetera) by cyber. It begins with influencing decision makers and commentators (2014), exposing a politician’s extra-curricular activity (2013) and then a run on a bank but it does this all behind a veil of anonymity. These strikes are seen by western NATO defensive systems and retaliatory action is taken in a reciprocal fashion.
"The impact of an attack on the national power grid would be "very severe” and would require a ‘Black Start’ as the system was rebooted"
The antagonist objects to having its social media sites turned off and launches a retaliatory attack on a piece of the UK’s infrastructure - civil airspace control. The attack was supposed to be non-lethal and an inconvenience but when a pilot misheard his instructions two ‘planes collided with the death of 500 people. A private web security company spots the attackers that caused the disaster and publishes their findings. Public opinion turns sour and HMG retaliates by striking a proxy’s militia HQ in Syria with a salvo of cruise missiles in a physical escalation.
This act crosses a further red line and an all out cyber wave is launched and all of the UK’s major infrastructure assets are attacked in a coordinated and sophisticated fashion; there are the obvious hits on nuclear plants which do not cause a meltdown but prevent any electricity from being generated. This is a widespread attack on the population at large. For instance, all government payments are hacked preventing payment and the original data on tax and NI are wiped clean. No policeman, soldier or nurse is paid. No interest payments are made (the UK spends £54 bn on these alone) and the UK creditors freeze the UK’s assets. Nobody can pay a mortgage putting the entire home-owing population at default and the power is cut for days on end. Someone calls for military strikes and the UN calls for talk…
Admittedly, this hypothetical doomsday scenario is predicated on the UK’s defences failing and a worst case scenario but cyber is now an unlikely part of the domino of confrontation in the 21st century. A wise maxim may be “don’t let the unfamiliar be confused with the unlikely”. Just analyse one tiny aspect of this vignette: how long would the UK last without power? The UK’s civil contingency plan of 2017 assesses the impact of “widespread electric failure” as a Level 4 (5 being the worst) and a cyber attack on infrastructure as a medium plausible scenario. According to the report, the “impacts would be very severe” and such an attack would require a ‘Black Start’ as the system was rebooted. The estimates are five days for a reboot and there would be fatalities and “emerging public disorder”. It is not beyond the bounds of reason to suggest that the government would be forced to invoke the Civil Contingencies Act 2004 and use the emergency suspension powers, such as Habeas Corpus (many have cited internment in Norther Ireland 1971 as an example of the suspension of Habeas Corpus). The ultimate attack on western democracies? Could attacks of such magnitude be considered to be an act of war? This is a new style of war and the repercussions are just as likely to be new. Blitzkrieg was once a novel approach and so is cyber.
These scenarios may sound apocalyptic but they are familiar to those who lived through the Cold war and, in the preceding global conflicts, a ‘total war’ – an attack on every part of society. In this ‘digital wild west’, we are fighting wars in a pre-convention world. There are no rules on the use of e-weapons, other than the self-control imposed by the perpetrator and yet the impact of such mass e-weapons could be felt by an entire country such as we have not seen since the nuclear age. Cyber weapons can be manipulated so that there would at least be doubt as to who the originator was, making retaliation difficult and prone to error. No sane country would launch a military first-strike bombing campaign against a civilian populace, but e-weapons can be un-controllable. For instance, OLYMPIC GAMES (the operational name for StuxNEt virus) was supposed to remain isolated to the Iranian enrichment plant - but it got out. Apocalyptic, uncontrollable, large scale, nation-impacting, anonymous, cheap - these are some of the tenets of this new warfare.
So, in a short space of time and in a simple scenario, all parties to this notional conflict have suffered major upheaval, civilian deaths and direct threats to their national security. The toll of civilian fatalities could be high. The ability to damage each other to a point beyond recognition is real; how long and how much would it cost for every tax payer in the country to re-submit their PAYE returns for 10 years? Whilst the post-attack photographs would not look like the harrowing pictures of Hiroshima, they would feel like an attack as nuclear stations hit meltdown, major flooding made people homeless, there was no food at supermarkets, no medical services, no money in your account and the rule of law broke down. These doomsday scenarios work both ways. So whilst we now recognise that we can do this to each other, why would we want to?
Weapons of mass destruction (WMD) are not new to us. With WW2 still raw in the social memory and millions of Europeans still displaced by war, the US and the USSR had built and deployed sufficient strategic weapons to administer destruction on a previously unimaginable scale. The policy of Mutually Assured Destruction (the wonderfully ironic acronym of MAD was the result) was in force. Deterrence was the key, each side had to know that those weapons existed and that they could initiate a first strike. It is not enough to own weapons without the ability to deliver them for deterrence to work. Each side worked hard in an arms’ race to get one over the other side. The risk of accidental wars was enormous and there are infamous examples; we should all thank Lt Col Stanislav Petrov a Soviet Air Force officer who ignored the warnings that the US had launched a pre-emptive strike and did not retaliate.
Both east and west recognised that this was an absurd state of affairs and sought to reduce their arsenals to something more moderate through a series of treaties. These treaties, such as Strategic Arms Limitation Treaty (SALT), sought to limit the number of weapons, their size and to audit each other’s arsenal (the so-called ‘Hotline’ between the parties had been established as early as 1963). For the limitation treaties to work, there had to be a sense of parity, both sides had to be deterred from further aggression because the destruction was intended to be reciprocal.
Is cyber a MAD scenario?
Is cyber a MAD scenario? Because of the relative ease of its use, at least in comparative terms to developing and launching a nuclear weapon, the e-weapon is available to all and is therefore mutual. Whilst the type of destruction is different, we have already established that it can be just as potent, in some respects more so because the effects of a cyber attack can be tailored and not as blunt as kiloton blast. So, yes a cyber MAD era could (does?) exist but whilst there are similarities between nuclear weapons and cyber weapons, there are also some major differences.
"The NSA has still not admitted any involvement with Olympic Games (STux Net) and non-state actors are just as likely to be culpable"
Firstly, during the cold war, each side broadly knew what the other side had in its arsenal (or at least within acceptable tolerances). Bizarrely, one of the sources of intelligence was the Soviet parade in red square every year. It is much harder to inspect 150 lines of Chinese hacking code and almost impossible to check that it has not been enhanced or changed.
Secondly, the east / west political conflict had obvious adversaries. NATO played against the USSR. That clear definition is clouded in the cyber world, states can hide behind rogue elements. Trying to attribute a cyber bomb to a player, be it nation-sponsored or terrorist, can be difficult. The NSA has still not admitted any involvement with Olympic Games (STux Net) and non-state actors are just as likely to be culpable. So an Arms Treaty that is only signed by some of your opponents, that is not verifiable and can easily be circumvented – is not an Arms Treaty.
Thirdly, physics played a large part in the agreements, the size of the weapon was identifiable (normally by the payload) but it is much harder to quantify the weapon effects in the cyber arena. So, whilst there are some obvious parallels with the nuclear age, this is a different problem and it requires a different solution.
If all manner of groups or nations can easily build and launch weapons of mass Disruption / Destruction, how can they be tempered? Can we set out ground rules for their use? A group of experts has attempted to tackle this problem and have set out some basic rules of the game in the Tallinn Manual (2nd edition; Feb 2017), in an attempt to apply International Law to cyber warfare. As Martin Libicki, professor, researcher and author with the Rand Corporation said in an interview with TechWorld: "As a general rule if you do something in cyberspace that looks like the sort of thing you could do with kinetic weapons, it will be treated as though you have done it with kinetic weapons”.
The problem is that those countries which would probably adopt the pragmatic steps, laid out in Tallinn, do not encompass all the protagonists (North Korea?). Most rational nations would expect “responsible state behaviour” which is not always easy to define. The Budapest Convention, which attempted to harmonise the policing of cybercrime across friendly nations, has proved hard to put into practice even amongst those that think alike.
There is a view that the five main superpowers in the cyber weapons business (US, UK, Russia, China and Israel) have reached some sort of ‘Digital Equilibrium’. In that, without any written agreement or because some of them are allies, a large scale attack is not worth it because of the threat of equal or more severe retaliation (a principle of MAD). Notable by its exception is Iran in which aggressive hackers (try Rocket Kitten) – closely linked to the Iranian National Guard – have been particularly virulent.
It is worth noting that this search for an international legal agreement has not, thankfully, restricted some countries from taking national level initiatives. In the US the Patriot Act (2001) led to the USA Freedom Act (2015). Whilst not strictly a convention on cyber weapons, it did concern the use of data collection and the NSA’s controversial policy that “in order to find a needle in a haystack, you need to collect the haystack in the first place”. A principle which was supported by Theresa May and GCHQ in 2014. This principle allowed domestic security agencies to trace back acts of terrorism once a crime had been committed (US domestic disagreement led to sunset clauses being inserted and the act ends in 2019 though ISPs can now store the data and the NSA can now secure a court order to examine the trove). Working to the left of the event. But the Acts passed by Western democracies have not outlawed the development of offensive or defensive capability, in fact there has been a manifold increase of such capability in the last 10 years. In 2016 the British government announced a £1.9 bn increase to the budget and states, as one its strategic aims, to “detect, investigate and counter the threat from the cyber activities of our adversaries”.
So is there space for a UN resolution that discriminates what can be legitimately targeted in the digital world and what cannot? Could nation states start the process by agreeing that some things are just off-limits (why is deleting every NHS hard drive any different from dropping a bomb on a hospital?)? Could they agree that critical infrastructure, such as dams and nuclear reactors, are also crimes against humanity? The Geneva Convention does not limit the spread of weapons nor monitor their use. What it does do is to try and establish some rules around the use of whatever weapon was being used and to “limit [their] effects”, for instance, avoiding targeting non-combatants.
The United Nations Office for Disarmament Affairs (UNODA) started the cyber process off when Russia (yes, Russia) initiated a draft resolution in 1998. It stated that it was “Expressing concern that these technologies…can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security”. By the time the Group of Governmental Experts published its 2015 assessment, they had agreed that “… a State should not conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure”.
But, as I have outlined before, attribution, accidental breaches and non-state actors are just some of the problems the UN faces. In its submission to the UN, Britain supports the stance that “[it has] unequivocal support for the multi-stakeholder model, whereby governments do not exercise exclusive control over a domain and infrastructure that is largely owned and operated by the private sector”. So any solution that is developed and agreed by national governments will impact in the non-nation / private sector. This poses policy makers with further challenges.
One of the difficulties facing of a multination approach is the complexity of the tools involved and who pays for them. Ben Buchananhas suggested that the delineation between offensive and defensive weapons is blurred in cyberspace much more so than in the physical space; the only people who operate a tank in the real world are those in the Armed Forces but that does not apply in an e-world. In addition, one might have to be ‘offensive’, just to be ‘defensive’. In addition, Ben Buchanan also alludes to the fact that the private sector is on the front line but “[there is an] inability to raise security standards in the private sector for domestic political reasons”.
Brad Smith’s Digital Geneva Convention. Image: Microsoft Corp.
Brad Smith, the Microsoft Chief Legal Officer, has proposed a Digital Geneva Convention and has set forth some founding principles. His start point is that the (privately owned) tech sector should be a ‘Digital Switzerland’, i.e. neutral in its stance: “We will assist and protect customers everywhere. We will not aid in attacking customers anywhere. We need to retain the world’s trust”. It is interesting to note that no nations declare that they want to replicate the Swiss model because they all want the ability to strike as well as defend.
The cyber scale: Kiloton Yield
If individuals and nations need to understand the consequence of their actions, a scale of severity is required. The world has already endorsed scales in the natural world for many years; earthquakes, wind speed etc. A scale of the impact delivered by a cyber attack would give the world a uniform understanding of the severity of e-weapons which would assist both national and international courts in prosecuting offenders or in setting international disputes. It would not – and should not – replace the maxim of ‘what you do in the cyber world equates to a real world impact’. The cyber scale advocated by Robert Lee in the SANS paper, proposes five categories of “Architecture, Passive Defense, Active Defense, Intelligence, and Offense”. Lee’s scale is aimed at facilitating the private sector on where the balance of investment lies.
This thesis suggests that a scale that allows both sender and recipient to understand the severity of the weapon they are using giving e-weapons their own Kiloton yield. A scale would assist War Crimes trials and the assessment of intent. Most armed forces are familiar with conducting Collateral Damage Assessments before using a physical weapons, this scale would give politicians and soldiers a clear definition of the impact of their weapon before such an e-munition was launched. The scale attempts to categorise the following:
- Integrates both criminal and military actions as the end effect on the recipient is similar in nature and would assist those assessing the severity of crimes (although intent may be hard to prove).
- The numbers of people effected.
- Cost of the damage / repair estimates. The economic impact of a cyber armament is a part of the attractive of cyber weapons.
- Direct causation of fatalities. Was the e-weapon designed to inflict casualties?
- Was National Infrastructure targeted? (Define…).
- It seeks to establish the red line between generalised cyber conflict and an overact of war.
Whatever option the international community opts for, the world needs some rules behind e-weapons, we cannot continue to live in a digital wild west.