Countries are beginning to develop cyberwarfare policies to protect their national interests, but defending oneself in the borderless Internet will prove problematic.
There is speculation among some politicians and pundits that the fog of war will soon extend to the Internet, if it has not done so already, given a recent report that the U.S. Department of Defense will introduce its first cyberwarfare doctrine this month, combined with similar announcements from the governments of Australia, China and the U.K. (not to mention Google’s ongoing cyber spat with China). Less clear, however, are the rules of engagement—such as what constitutes an act of cyberwar as opposed to the cyberattacks that take place on government computers every day and who, if anyone, should mediate such disputes.
Wars have traditionally been waged between nations or clearly defined groups that officially declare themselves in conflict. This has yet to happen openly on the Internet, although such accusations have been leveled against China, Russia and other nations, says Chris Bronk, an information technology policy research fellow at Rice University’s James A. Baker III Institute for Public Policy in Houston and a former U.S. State Department diplomat.
Cyberwarfare is more likely to reflect the wars fought against shadowy terrorist networks such as al-Qaeda as opposed to conflicts between uniformed national military forces. “One thing about war is that, historically, the lines have been drawn and there is an understanding of who the enemy is,” says David M. Nicol, director of the Information Trust Institute at the University of Illinois at Urbana-Champaign. “When a cyberattack occurs against a sovereign state, who do you declare war on?”
The Defense Department is expected to clarify at least some of these gray areas when it releases its cyberwarfare doctrine, the Wall Street Journal reported last month. This would not be the Pentagon’s first foray into managing cyberwar. The U.S. Strategic Command’s U.S. Cyber Command (USCYBERCOM) division has been operational since October and is designed to centralize the administration of cyberspace operations, organize existing cyber resources and synchronize defense of U.S. military networks. What is missing is a clear set of publicly declared rules under which USCYBERCOM will operate, Bronk says, adding, “We can’t say there is a cyber command and then not have rules of the road like you do for other areas of military conduct.”
Other countries seem to be following suit. The U.K. is developing a cyberweapons program that will give ministers an attacking capability to help counter growing threats to national security from cyberspace, the Guardian reported last month. Australia is also on record as saying it will create the country’s first national cybersecurity strategy to confront the growing threat posed by electronic espionage, theft and state-sponsored cyberattack, the Sydney Morning Herald recently reported. Not to be left out, China has also set up a specialized online “Blue Army” unit that it claims will protect the People’s Liberation Army from outside attacks, according to News Track India.
The inability of governments, or any other cybersecurity experts for that matter, to pinpoint the origin of cyberattacks is problematic and boils down to an intelligence problem, Nicol says. “Right now, with the infrastructure that we have it’s very difficult using purely technological means to trace the source of some kind of attack,” he adds. “You can’t just look at the connection between one computer and another because cyberattackers use multiple levels of cutout servers that make it difficult to determine where data is being sent. These computers that do the cutoffs are in foreign countries so there’s little recourse in terms of requesting log files from those computers.”
This lack of clarity is troubling. “We’re nowhere near where our policy makers believe we are or want us to think we are,” says Anup Ghosh, a research professor and chief scientist at George Mason University’s Center for Secure Information Systems in Fairfax, Va. “Internet Protocol (IP) was never designed with strong attribution properties. There’s no connection between an IP address and an individual.”
In cyberspace, it is easy to masquerade as someone else. “As naked as we are in security, so is China,” says Ghosh, also co-founder and CEO of cybersecurity technology maker Invincea. “Their security might even be worse than ours, which is pretty sad. It wouldn’t be hard to use China as a jumping-off point if you’re in organized crime or another nation state looking to cause some saber rattling between China and the U.S.”
Much of the U.S.’s current tension with China comes from Google’s claims that recent hacker attempts to steal Gmail user passwords appeared to have originated from China. “Google is a very secure company, so when they are attacked we should stand up and take notice,” says O. Sami Saydjari, a former Pentagon cyber expert who now runs a consultancy called Cyber Defense Agency. At the national level, however, “clearly you want to be able to attribute an attack with a degree of certainty before you respond with military action,” he adds.
Internet agencies such as the Internet Corporation for Assigned Names and Numbers (ICANN) might be a reasonable place to start when trying to improve cybersecurity and avoid international cyberconflicts, but essentially this is a problem requiring input from the U.S. State Department and international policy makers and perhaps even something along the lines of an Internet Geneva Convention, Saydjari says. “One option is to make countries [that are] unwilling to trace the source of cyberattacks coming from within their borders accountable for the results of those attacks,” he adds. “We also need more think tanks in this space such [as] we had during the cold war, where analysts discussed the consequences of nuclear weapons and mutually assured destruction.”
If the U.S. chooses to enter a new war with another country within the next decade, there will be cyberweapons deployed under the guidance of cyberdoctrine to scramble communications and otherwise disrupt the enemy, Bronk says. “I would assume that the cyberattacks that we would consider as acts of warfare would be clandestine in nature, with Stuxnet being an example of how this might happen,” he adds, referring to the highly sophisticated Microsoft Windows computer worm that made headlines last year when it attacked targets in Iran, leading to speculation that it was developed by the U.S. or Israel.
The threat of cyberwar “is like any great security problem; the key is not to either overreact or underreact but [to] have a calibrated response based on the knowledge we hold,” Bronk says. “The problem is our knowledge is very, very limited. This is the infancy of this issue.”