Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when “real-world” warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.
Intrusions initiated by nation states against companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has to engage in a systemic campaign to compromise IT assets of its adversaries. The logical goal of such offensive operations is the state of mutually-assured destruction that deters each party in the conflict from taking advantage of the IT assets it compromised.
Here’s why I believe this might be the case:
The idea of mutually-assured destruction in cyberspace isn’t novel. It was brought up at an RSA Conference panel in February 2012. According to the Threatpost’s article discussing that panel:
"Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia. The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities - ‘big stones, and plate glass windows,’ said Lewis. ‘We’re back to mutually assured destruction.’"
A June 2012 article in the New York Times discusses several cyber warfare initiatives that appear to have been conducted by the U.S. and highlights some of the challenges of achieving cyber warfare dominance and reaching the state of mutually-assured destruction.
Nations with the interest, expertise and budget to conduct offensive cyber activities are probably busy hacking each other to avoid being outpaced in this process by their adversaries. They are doing this to achieve the state of mutually-assured destruction as a way of deterring each other from launching a full-scale cyber war. Just a theory.
[The cyber] war can’t be won; it only has perpetrators and victims. Out there, all we can do is prevent everything from spinning out of control.
It’s easier to talk about mega breaches, such as the ones that ocured at Lockheed Martin and L-3, than pay attention of the thousands of small breaches that occur on hourly basis and affect smaller companies. The discussion regarding cyberwar might assist with very large and high-profile incidents, but is of little help for the small ones. This is problematic, because the smaller incidents could exceed the economic losses associated with mega breaches.
The Wall Street Journal recently described Pentagon’s report on its cyber warfare strategy, concluding that “computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” A cyber incident that might be classified as such an attack is likely to to be big enough to produce or intend to product “death, damage, destruction or a high level of disruption.”
A few days prior to the WSJ article, Gene Spafford published his perspective on cyberwar, pointing out that:
"We’re losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales."
Note that the incidents Gene describes are not the mega breaches that cyber warfare plans are likely to encompass. Gene characterizes the effects of the numerous threats were are failing to deal with as death by a thousand cuts. He points out that the U.S. military build up in cyber capabilities “does little to help civilian companies under attack within U.S. borders by unknown parties.”
Gene’s sentiment is reminiscent of Bruce Schneier’s concern with our fascination with the term cyberwar:
"If we frame the debate in terms of war, if we accept the military’s expansive cyberspace definition of ‘war,’ we feed our fears. We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us.
If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it’s done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.”
As we debate whether or not cyberwar exists and what role we might play in it, let’s remember that cyber warfare encompasses only some of the many information security issues that affect us. Don’t forget to consider how we’ll deal with the numerous smaller data breaches: Individually they may fall below the threshold of a warfare event, yet burden the economy in a way that has a tremendous negative impact on all its legitimate participants.