Dr. Herbert Lin of the National Academies led a team to develop a study of cybersecurity and cyberattack for the MacArthur foundation. The report, “Cyberattack Capabilities“, is the first major unclassified look at cyberattack capabilities, Lin tells us.
Lin tells us that too little attention is being paid to offensive aspects of cybersecurity. We understand “passive defenses” like anti-virus software, intrusion detection software and law enforcement strategies. But we don’t know much about our policy on cyberattacks because most of that information is classified.
What could we – and “we” means US defense forces (I think) – do if we wished to launch cyberattacks? We could deploy a set of remote attacks – viruses, denial of service attacks, active penetration over the internet. We could also mount “close access” attacks based on compromising third-party suppliers of hardware or software – for instance, we could persuade a US anti-virus software manufacturer to eliminate a particular viral signature so we could attack using that virus. And we could engage in social operations, tricking or bribing network operators to gain access to systems.
Lin notes that “attack and exploitation are technically very similar” and, in fact, may be indistinguishable to the attacked party – in other words, it’s unclear whether someone’s trying to steal your credit card number or affect you for military or political reasons.
He quotes Admiral Mike McConnell as saying, “We’re losing the cyberwar”, and suggesting that we can win it by deploying an aggressive strategy to warn and assess when we’re being attacked. Lin points out that it’s hard to know when a cyberattack is in progress and very hard to attribute one. It’s unclear why an attack is taking place, and while we tend to think we know why an attack is going on, we’re often wrong. He quotes an unnamed DOJ official who says that we are “often wrong, but never in doubt” about why we’re under cyberattack.
If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress.
Conducting effective forensics might require multiple intrusions to determine what’s actually happened. We need to consider what’s possible or effective in terms of retaliation – rules of war suggest that we’re entitled to a response in self-defense to prevent similar attacks.
Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?
Cyberoperations might threaten the private sector. We could imagine an attacker going after civilian infrastructure and targeting major US corporations. The Geneva Convention allows the targeting of dual-purpose infrastructure as part of a military activity – 90-95% of military communications are carried over civilian links, and military bases are heavily dependent on civilian electrical infrastructure, so we could expect those networks to be attacked in the case of cyberwarfare.
Essential to this discussion is the question of “what’s a use of force?” Is it a distributed denial of service attack? The destruction of data? Just the repeated probing of networks? Could the simple insistence on free access to information be regarded as a threat to national sovereignty?
Dr. Lin asserts that there is “no legal way to stop an ongoing attack”. Relying on law enforcement to stop an attack isn’t a realistic strategy – the response will happen in months, not in minutes.
He closes by noting that a network environment conducive to warfighting “may not be an environment that we recognize as free and secure.” He invites us to participate in a series of research papers that discuss strategies for dissuading adversaries from launching cyberattacks, and the civil liberty implications thereof.
I came away from Dr. Lin’s presentation unsure of whether he was channeling the thinking he hears in defense department circles or whether he was advocating an understanding of cyberwarfare in this frame. I asked him a question about the VPSKeys attack on Vietnamese dissidents and got an unsatisfying answer: “that’s not cyberwar.” But I spent some time talking to Dr. Lin after his presentation and got a clearer picture – yes, he believes that cyberwar exists. But his definition is a very tight and precise one – cyberwar is a digital component to a broader attack in a conflict between states. Or, it’s a digital attack between states that causes real, serious physical or economic harm, directly or indirectly. Much of what gets discussed as cyberwar doesn’t rise to this standard, and Dr. Lin shares my concern that cyberwar is overhyped. However, he sees the importance of raising these issues in a defense context and thinking through the implications – if we’re going to assert a right of response to cyberattack, we need to be able to answer questions of what constitutes force and who’s exerting that force.