UPDATE, JULY 14: Marc Champion of Bloomberg shares my concern about what might happen when Vladimir Vladimirovich attends a big-time international sporting event.

Could one of the accelerants of the worsening crisis in Ukraine be Vladimir Putin’s unhappiness with the results of the Sochi Olympics?

Overall, the games appeared to represent a success for Russia. In addition to a nice haul of medals, the host country came away with its image burnished. The events and venues were all up to snuff, and the carping media coverage of shoddy hotels and brutal round-ups of stray dogs all disappeared after the opening ceremonies.

But, at least for Putin, these results were incomplete. Russia failed to achieve what he had set as his main goal at Sochi: winning the gold medal in men’s hockey. Not only did Team Russia fall short, it did so ignominiously, in a 3-1 quarter-final loss to Finland.

Just maybe, this disappointment helped shape Putin’s attitude and response when protesters ousted Ukrainian President Yanukovych in February. Angry and possibly humiliated at being let down by Alexei Ovechkin, Evgeni Malkin, & co., Putin may have been even more determined than usual to demonstrate some bare-chested resolve in response to the demise of the pro-Russian government in Kyiv. And if such action could wrong-foot the United States–whose hockey team beat the Russians in the first round at Sochi thanks in part to controversial officiating–then so much the better.

If there is indeed a link between Russia’s hockey melt-down in Sochi and its aggressive body-check of Ukrainian reformists, it would join a long history of sporting events that have driven politics. Moreover, it would put Putin in better company than he deserves–with the likes of the 6th-century Roman Emperor Justinian, whose reign was shaken by riots by fans of rival chariot teams, and Nelson Mandela, who embraced South Africa’s national rugby team to advance racial reconciliation.

As for the No. 8 of this posting’s title, Alexei Ovechkin suffered public castigation by Russia’s coach after the team’s inglorious exit from the Olympics, but I doubt he’ll face any more serious fall-out from his shortcomings on the ice. Ovechkin returned to his day job with the Washington Capitals, who did their usual season-ending belly-flop sooner than usual this year by failing to make the NHL playoffs. Luckily for Alexei, though, if there’s one thing that distinguishes us Washington sports fans from Vladimir Putin, it’s the ability to accept defeat, if not quite gracefully, then at least without invading our neighbors.

Even a History major knows memristors won’t look like this.

Scientific American–which I’m not smart enough to read on a regular basis–has run this article on the “memristor,” the coming replacement of the transistor, which has amplified and switched signals and power in electronic gadgets for more than 60 years. This will of course have a wide range of downstream implications, from the way gizmos function to demand for energy and subsequent emissions of greenhouse gasses.

From my own parochial perspective, it seems that the relegation of the transistor to the same museum shelf as the vacuum tube may have important security implications as well. Will the electronic signals of memristors be more or less secure than transistors to intrusions from criminals or government agencies? What might it mean, per the article, that “memristors, like analog devices, can occupy a range of in-between states?” Is this similar to the use of qubits–super-position of quantum particles–in quantum computation? Will this make it easier to encrypt or decrypt data?

As a liberal-arts graduate, I’m sure I’m not even asking the right questions about this development. I sure hope someone in the US Intelligence Community (but not, of course, the FSB or 3PLA), the corporate world, or the academy is thinking about this issue with a lot more brainpower than I can bring to bear.

Cybervigilantism might be a death wish.

I drafted but never published this posting about a year ago. I’m putting it out now in response to some of the comments on my posts (and RealClearDefense article!) about cyberwar, where some people speculated about the advisability of unilaterally responding in kind to a cyber attack or perceived threat of a cyber attack.

This item in The Economist discusses some good ideas and some not-so-good ones that were discussed at Black Hat in 2013.

Being a glass-half-full kind of guy, I’ll look at the good ideas first. These amount to an approach to cyber security based on threat awareness, on looking beyond the firewalls and other tech fixes, and on thinking about who is trying to subvert your networks as well as how and why the bad guys are doing so.

The not-so-good-ideas, sadly, outweigh the reasonable ones. CrowdStrike and other Black Hatters proposed that companies take the fight to the threat actors and engage, in effect, in a sort of cyber-vigilantism. A desire to do something seems to blind them to the fact that, in the cyber domain, fighting fire with fire could easily lead to a total conflagration.

Even relatively benign measures could create blowback. Planting false data in a honeypot could create legal liability if it somehow led to manufacture of defective products. Baiting honeypots with certain types of fake info could lead to the data leaking out as rumors that roiled financial markets, harming participants and, again, exposing the company to liability.

And hacking back at the hackers could have even more serious consequences. Per Mandiant‘s report of early 2013, some of the most aggressive intrusions against sensitive corporate data have been perpetrated by an element of China’s People’s Liberation Army. Retaliating against this type of intrusion would mean tangling with a powerful nation-state that could perceive an American company’s hack-back as a cover for American military cyber intrusions–thereby sparking a broader cyber skirmish or even cyber war. Would you want to be the Gavrilo Princip of such a conflict?

What is to be done, then? The best course of action in response to cyber intrusions and attacks, IMHO, is less sexy and provides less emotional satisfaction than a hacking-back solution, but it has the advantage of probably working better over the long term and sparing you liability and other headaches.

  • Implement the good ideas of the active defense crowd. Expand your concept of cyber security to include the way you look at your organization’s place in its corporate eco-system. Train your people–employees, suppliers, valued customers, indeed all key stakeholders–to be aware of the threat environment and, at least, make life a little harder for the bad guys.
  • Work with law enforcement and other national authorities. Report what has happened. To the extent possible, share concerns about what might happen. Be an active participant when law enforcement or national intelligence agencies share threat information. Yes, law enforcement and other government agencies are far from infallible and have agendas that often diverge from your own, but relationships with them are like any other–what you get out of it will depend on what you put into it.

This is the fifth part of a five-part consideration of cyberwar: what it is (and is not), how it could break out, and what (if anything) can be done to prepare for it. The opinions and conclusions in these posts are purely my own and do not in any way reflect the views of any organization that I have worked for in the past.

Part 1: Introduction and Definitions (posted July 7)
Part 2: Recent Cyber Skirmishes (posted July 10)
Part 3: How Cyberwar Could Happen
Part 4: Implications of Cyberwar
Part 5: What Is to Be Done?

What Are the Prospects for Cyberwar? And What Can You Do to Prepare?

Part 4: What Is to Be Done?

Like Lenin, we must ask, “What is to be done?”

A cyberwar—like any war—is an outcome no one wants. But, given the ready availability and growing power of cyberweapons, the plethora of potential military targets on IT networks, and the many points of friction between competing nation-states, this is an outcome we could all soon face with little or no warning. All organizations need to be able to protect key assets if cyberwar comes, or they will risk becoming collateral damage.

Contingency planning. There should be no doubt as to who is responsible for an organization’s response to a possible cyberwar or other security challenges.  Although cybersecurity programs are typically executed by a Chief Information Officer (CIO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the entire leadership team must be committed to cyber preparedness. Beyond enhancing resiliency, this type of preparation will build a mindset that is better able to recognize current and future security risks, navigate the threat landscape in pursuit of business opportunities, and allocate security resources more effectively.

Knowing what you need to know. Contingency planning for cyberwar should include knowing how a potential cyber combatant looks at an organization. The cyber threat landscape—the identity of adversaries, the type of operation they might conduct, and the tools they might use—changes daily, and it’s affected by where and how an organization does business, how it conducts business, and who it does business with.

Organizations need to be able to identify the most important assets to protect in the event of cyberwar. If they try to protect everything, in the end they will protect nothing. Understanding both the threat landscape and an organization’s critical assets is essential to crafting a strong and resilient contingency plan.  A major component of this is to be able to know what critical assets are and who is responsible for them.  Organizations also must understand the architecture of their IT networks and be able to identify applications that are not continuously monitored.

Another key element is understanding whether an organization has a secure enterprise ecosystem. Organizational assets—and vulnerabilities—are part of a global network, and a given company or government agency exercises direct control over only a portion of it. Supply chains, service providers and strategic partners, employees, and customers are all interconnected—in fact are becoming more so with the spread of the IoT—and an attack on any one of these elements could affect an entire organization.

Flexible action plan. Contingency planning for cyberwar should be both threat-based and asset-based. That is, the choices should be predicated on informed risk assessments. Done right, an organization can continue to thrive, even in the aftermath of a cyberwar. Done wrong—or not at all—the organization may not survive.

A public-private partnership strategy should be another element of contingency planning for cyberwar. The Obama Administration, the United Kingdom, and the European Union have recently taken important steps to advance corporate cybersecurity. Developing a productive partnership between public authorities and private companies is a key element of US, UK, and EU strategies. Organizations should take advantage of the new opportunities that these and other governments’ initiatives represent and seek out the right opportunities to collaborate with the appropriate agencies. They should also recognize that information sharing is not a one-way street and be prepared to implement cyberwar contingency planning that encompasses enterprise ecosystems, industry peers, cross-industry groups, and government agencies.

Informed, adaptive, secure. In sum, the organizations that are best prepared for the contingency of cyberwar will focus on three key areas:

  • Prioritizing resources and protecting those items and processes that are valuable to both the organization and potential cyber combatants.
  • Carrying out cybersecurity practices that will not only protect a business in the event of cyberwar, but put it ahead of the pack in the global marketplace.
  • Engaging with policymakers and regulators to keep up-to-date on threat vectors and plans for responding to threats.

This is the fourth part of a five-part consideration of cyberwar: what it is (and is not), how it could break out, and what (if anything) can be done to prepare for it. The opinions and conclusions in these posts are purely my own and do not in any way reflect the views of any organization that I have worked for in the past.

Part 1: Introduction and Definitions (posted July 7)
Part 2: Recent Cyber Skirmishes (posted July 10)
Part 3: How Cyberwar Could Happen
Part 4: Implications of Cyberwar
Part 5: What Is to Be Done?

What Are the Prospects for Cyberwar? And What Can You Do to Prepare?

Part 4: Implications of Cyberwar

Apocalypse not yet …

Under current circumstances the effects of a cyberwar on most organizations are more likely to be disruptive than apocalyptic for two main reasons. First, although cyber exploits can immobilize functions that are critical to the operations of companies and regions for hours and maybe days, modern cyberarchitectures tend to have enough built-in redundancy and resiliency to preclude a cataclysmic crash of all critical systems simultaneously, on a national scale, and for an extended period.

Moreover, the actors who currently have the greatest capability to use cybertools to inflict broad, systemic damage on their adversaries are the well-resourced nation-states who are most likely to calibrate their targeting carefully and whose economies are intertwined by growing IT and other links. (See James Lewis’s article “In Defense of Stuxnet.”) For example, if China or the United States were to try to immobilize the entire economy of an adversary, they would open a serious risk of a cyber or kinetic counter-attack aimed at inflicting the same kind of damage — a situation loosely analogous to the ‘mutually assured destruction’ doctrine that helped restrain nuclear saber-rattling during the Cold War.

Hasta manana, maybe?

… but maybe tomorrow

This balance is likely to change over time, though. On the “demand” side, there is a growing gray market in hacking tools that is likely to make more powerful exploits—directed, for example, against industrial control systems—more available to governments of smaller nations and even non-state groups that would have less to lose in a cyber exchange than a major power. (Media reports) On the “supply” side, the number of potential targets of cyber weaponry is growing exponentially as the Internet of Things increases linkages and devices that cyberweapons can target; the consulting firm Gartner projects that 26 billion devices—not counting personal computers, tablets, and smartphones—will be connected to the IoT by 2020, representing a nearly 30-fold increase since 2009.

The accelerating globalization of many organizations’ operations will also leave them increasingly vulnerable to disruption from cyberwar, even if it does not involve their home government. Businesses rely on research-and-development and production processes that are based in third-world countries; these important sources of innovation and revenue could be cut off, at least temporarily, by the deployment of cyber weapons. Cyberwar operations could also disrupt supply chains and support services. Tensions between China and its neighbors, for example, could disrupt call center operations in the Philippines or the manufacture of specialty parts for global supply chains in Vietnam.

The most likely casualties

Even now, when cyberwar is less likely to have apocalyptic consequences, it could disrupt companies’ operations across much of the economy. Industries most closely tied to military capabilities probably would quickly become the front lines of such a conflict: the defense industrial base; commercial Internet service providers and telecommunications firms that provide communications architecture and services for commercial, military, and other government operations; airlines; energy companies; pharmaceutical manufacturers and healthcare providers; and utilities that supply power and water to government facilities.

Business, nonprofit, and government leaders should also anticipate significant indirect effects. Companies across the industry spectrum and across the globe would likely be at risk of damage from malware or a massive DDOS attack that a cybercombatant had introduced into their business eco-systems, via customers, suppliers, perhaps even employees’ personal contacts and electronic devices that had been connected to corporate networks.

This is the third part of a five-part consideration of cyberwar: what it is (and is not), how it could break out, and what (if anything) can be done to prepare for it. The opinions and conclusions in these posts are purely my own and do not in any way reflect the views of any organization that I have worked for in the past.

Part 1: Introduction and Definitions (posted July 7)
Part 2: Recent Cyber Skirmishes (posted July 10)
Part 3: How Cyberwar Could Happen
Part 4: Implications of Cyberwar
Part 5: What Is to Be Done?

What Are the Prospects for Cyberwar? And What Can You Do to Prepare?

Part 3: How Cyberwar Could Happen

The pace and stakes of cyber skirmishing are on the rise, reducing the margin of error and increasing the chance that misunderstanding or miscalculation by one or more nation-states could escalate these skirmishes into cyberwar. Below, I extrapolate existing trends to sketch out three possible scenarios for how this might happen.

Blowing up the Internet as well as the Houses of Parliament?

Scenario 1: Hackers Unbound. The likeliest scenario for an escalation to cyberwar starts with hackers, in my view. Because of the uncertain control that intelligence and military services often have over such groups, hackers could exceed the desires of the government they’re affiliated with—say, by destroying data rather than merely defacing a public-facing website or by introducing malware that spreads beyond the target’s IT system.

Even actions by independent hackers could set off escalation. Attribution for cyber exploits is hard in the best of circumstances, and nation-states’ use of proxy hacker groups could lead some targets to see a government hand behind an action lacking affiliation with an intelligence or military service. Assignment of attribution may get even more difficult as the hacking kits increasingly available online make it easier for private citizens, or for smaller and poorer states, to carry out fast and sophisticated attacks. In these conditions, for example, an attack on Chinese organizations’ IT systems by hackers protesting conditions in Tibet, or on Russian oil companies’ networks by a group concerned about pollution in Siberia, could be viewed as a proxy for hostile actions by a Western government—leading to a spiral of retaliation.

  • An escalation of cyber skirmishes caused by hacker exploits could occur with little warning. Companies and other third parties probably would have no visibility into hacker group operations or the likelihood that these would spark retaliation from the target.

There’s heavy damage when heavyweights brawl.

Scenario 2: Clash of the Titans. In this scenario, cyber skirmishes escalate into cyberwar as a complement to conventional military action, as apparently happened in the Russia-Georgia conflict in 2008; alternatively, cyber weapons could be used against military targets instead of kinetic strikes. A country facing the prospect of an adversary’s military deployment along a disputed border could use cyber tools to disrupt the IT systems that modern armed forces use for communications and logistical support—leading the targeted country to retaliate.

  • This type of scenario probably would be preceded by warning signs, such as media reports of military movements and increasingly heated rhetoric between the two states. However, the nature and extent of disrupted IT systems would be hard to anticipate, and a spread of military malware beyond its intended targets—or its capture and re-use by other parties—could compound damages.

Who’s ready to go over the top?

Scenario 3:  Corporate Guns of August. As corporate IT systems suffer accelerated intellectual property theft and disruptions from cyber intrusions, some companies could launch their own cyber counteroffensives. Tactics for retaliation could range from placing “honeypots” with deliberately falsified data on corporate networks to disrupting the networks of suspected attackers.

This type of freebooting retaliation could quickly escalate.  Acting against the perpetrators of the massive Chinese cyber espionage operation identified in Mandiant’s report, for example, would mean attacking a unit of Beijing’s military.  And targeting an apparently private corporation—much less a group of “patriotic hackers”—could be just as dangerous because of the close ties between companies and national governments in countries like China and Russia.

  • The country being targeted by a corporation’s private retaliation for cyber intrusions may also see such action as a proxy for the security or military services of the corporation’s home country, leading to a broader and more damaging spiral of escalation.

This is the second part of a five-part consideration of cyberwar: what it is (and is not), how it could break out, and what (if anything) can be done to prepare for it. The opinions and conclusions in these posts are purely my own and do not in any way reflect the views of any organization that I have worked for in the past.

Part 1: Introduction and Definitions (posted July 7)
Part 2: Recent Cyber Skirmishes
Part 3: How Cyberwar Could Happen
Part 4: Implications of Cyberwar
Part 5: What Is to Be Done?

What Are the Prospects for Cyberwar? And What Can You Do to Prepare?

Part 2: Recent Cyber Skirmishes

Academic experts have noted that nation-states’ intelligence and military services today use cyber exploits to conduct the sort of sensitive tasks that, until recently, were carried out by human spies, commandos, or missiles. Two examples indicate how such actions can disrupt military and economic infrastructure as effectively as kinetic strikes:

  • Hackers backed by nation-state resources—probably the United States and Israel, according to Kaspersky Labs—designed the Stuxnet computer worm and remotely introduced it into industrial control systems that were critical to Iran’s alleged program for developing nuclear weapons. This malware is thought to have destroyed about one-fifth of Iran’s nuclear centrifuges by causing them to spin out of control.
  • In the run-up to the Russia-Georgia border war in 2007, Russian-controlled or –affiliated hackers clandestinely penetrated Georgia’s Internet infrastructure to deploy an array of botnets, DDOS attacks, logic bombs, and other cyber exploits. Once the shooting war started, the cyber weapons disabled the Tbilisi government and paralyzed Georgia’s national banking system—leading to a de facto financial quarantine as international banks and other payments processors feared cyber infection.

Georgian government page defaced by pro-Russian hackers.

Cyber tools can make espionage appear so pervasive and efficient that it creates a climate of insecurity and public demands for a muscular response. A Chinese military unit since 2006 has allegedly carried out cyber espionage operations against at least 141 companies in the United States and elsewhere, making off with hundreds of terabytes (TB) of data, according to a study that the computer security firm Mandiant published in early 2013.[1] All members of this unit are located in Shanghai, and there apparently have been no direct, face-to-face meetings with human collaborators in the targeted companies. Extensive media coverage of this report and other allegations of rampant Chinese cyber espionage almost certainly played a role in US officials’ decision to indict Chinese military intelligence officers for cyber espionage and have also fueled calls for Washington to engage in offensive cyber operations and take other stiff measures.

Chinese intelligence officers indicted by the FBI as cyber spies.

Cyber privateers? Hacker groups with ambiguous relationships to national governments often play an important role in cyber skirmishes. They provide plausible deniability for a nation-state’s cyber operations, akin to the Soviet and US use of guerrilla groups as proxies during the Cold War.

  • Russian cyber operations against Ukraine this year, Georgia in 2008, and Estonia in 2007 appear to have been carried out for the most part by criminal groups and other hackers with no overt links to the Russian Government—although Kiev, Tbilisi, Tallinn, and independent security researchers have charged that such links existed.
  • US officials claim that hackers acting at the Iranian Government’s behest in 2012 attacked the websites and communications networks of the energy giant Saudi ARAMCO, in the same way that Tehran has used purportedly independent hacker groups to infiltrate and disrupt political opposition groups’ websites.
  • China has reportedly tolerated, if not encouraged, “patriotic hackers” who have disrupted and defaced the websites of US, Japanese, and other organizations at times of diplomatic tension.

[1] Mandiant has since been acquired by FireEye.

This Data, at least, is always used well.

The misuse of numbers terrifies me. This fear turned–at least briefly–to happiness this week when I came across two short items that lay out the limits of what statistical analysis can do.

  • Amanda Glassman of the Center for Global Development explains the pitfalls of over-reliance on African economic statistics, which are too often opaque, inaccurate, or tailored to the priorities of aid donors.
  • In a somewhat different tone, the Washington Post’s Couch Slouch, aka Norman Chad, expresses his dismay at the “statistical flotsam and jetsam floating through the ever-congested stratosphere” of the sports world.

Glassman and Chad may not share my existential dread at statistical malpractice, but they and I do agree that mixing simple people and complex numbers can end badly. Too many people in our Moneyball world–especially the ones in authority–believe there’s always some data set that can be alchemically manipulated to yield a perfect understanding of past, present, and future. If done right, in this view, the pith of an issue can be reduced to a handful of simple statistics. (Of which the most critical is 42, as Douglas Adams fans know.) This may be possible in certain limited circumstances in the physical sciences, but the result is often a false wisdom, buttressed by the seeming infallibility of numbers, that is much more dangerous than self-aware ignorance. Wishful statistical thinking of this type played a key role in the 2008 financial crash: analysis of decades of data on the US housing sector appeared to show  that residential markets in different regions never all moved in tandem and thus that financial instruments bundling mortgage payments from various regional markets would be risk-free. (Oops.)

I’ve witnessed this numerology repeatedly over my career.

  • Government and private-sector bosses who insisted on assigning numerical values to the effects of espionage, even though the clandestine nature of spying inherently precludes any sort of accurate measurement.
  • A foreign intelligence official who wanted to couch all analyses and estimates in quantitative formats because “numbers don’t lie.”
  • US officials responsible for economic aid in war zones who pushed for a faster financial “burn rate” because spending money can be done–and measured–easier than anything else.

I know my concerns are those of a dwindling, Luddite-seeming minority. The temptation to torture the data until they confess is  too great, given today’s combination of high-speed computers and instantaneous access to quantities of information dwarfing Borges’s Library of Babel. But we need to remember that the answers to the most important questions–those touching on war and peace, poverty and prosperity–lie in the human soul, whose perversity and mystery will remain impenetrable to statistics, analytics, and heuristics.

 

This is the first part of a five-part consideration of cyberwar: what it is (and is not), how it could break out, and what (if anything) can be done to prepare for it. The opinions and conclusions in these posts are purely my own and do not in any way reflect the views of any organization that I have worked for in the past.

Part 1: Introduction and Definitions
Part 2: Recent Cyber Skirmishes
Part 3: How Cyberwar Could Happen
Part 4: Implications of Cyberwar
Part 5: What Is to Be Done?

What Are the Prospects for Cyberwar? And What Can You Do to Prepare?

Part 1: Introduction and Definitions

 

Military and national-security operations in cyberspace have grabbed almost as many headlines as the World Cup.

  • Security companies for several years have documented massive cyber-espionage by China’s People’s Liberation Army against the US private and public sectors, and the US Department of Justice recently responded by indicting five Chinese military officers for computer hacking, economic espionage, and other offenses directed at American nuclear power, metals and solar products companies.
  • Edward Snowden’s allegations of massive cyber spying by the National Security Agency and close American allies have raised worldwide fears about the security and privacy of the Internet.
  • Russia and Iran have been accused of launching covert cyber operations against political and economic targets in neighboring countries.

Fears are growing that, in an echo of the outbreak of World War I a century ago, some cyber event—the equivalent of the Serbian gunman’s assassination of the Austro-Hungarian Grand Duke in Sarajevo—could escalate into an outright cyber war, with dire consequences around the world. This paper assesses whether these fears are well grounded by looking at cyber skirmishing that has been reported to date, what these incidents mean, how they might escalate, and how private-sector, not-for-profit, and government organizations can prepare for this contingency.

Princip: assassin in 1914, hacker in 2014?

What does “cyberwar” mean?

Nineteenth-century military theorist Carl von Clausewitz noted, “War is a mere continuation of policy by other means.”  In the 21st century, nation-states and a host of private actors are using cyber exploits as a means of attaining policy goals, which often include stealing sensitive corporate data, disrupting information technology systems (IT) and other critical infrastructure, and reconnoitring the cyber networks of potential military adversaries.  In the same way that patrolling by gunboats in disputed waters or by foot soldiers along ill-defined borders risked sparking conflict in Clausewitz’s time, today’s aggressive use of cyber tools has led to diplomatic sparring, cyber skirmishes, and the threat of escalation.

When I say “cyberwar” in this paper, I do so with a Clausewitzian meaning: the use of computers by actors controlled by a nation state for a prolonged, cross-sector disruption of an adversary’s activities, especially deliberate attacks on IT systems. This definition excludes minor acts of cyber vandalism such as sporadic defacements of websites and distributed denial of service (DDOS) attacks, and also—since espionage per se is not traditionally considered an act of war—the clandestine collection of information from IT systems.

"When I use a word, it means just what I choose it to mean."

Trying to limit what I mean by cyberwar is important because of the lack of a broadly accepted definition, such as an international treaty or established set of norms that provides guidance. But at the same time it’s challenging because definitions can’t cover every contingency and are of limited use in gray areas. One example would be a cyberattack that causes a financial market crash but, because it does not directly harm people or the infrastructure necessary for preserving life and health, doesn’t meet criteria for a conventional act of war.

Reflecting these challenges, international organizations and nation-states have taken different and often ambiguous steps to try to define doctrine for their own approach to cyberwar:

  • A recently published National Atlantic Treaty Organization (NATO) manual on the applicability of international law to cyber warfare does not explicitly define the term, although it does distinguish between “cyber warfare” and “cyber operations,” and defines “cyber weapons” as those that can destroy objects and injure or kill people.[1] A NATO official has said that “a cyber attack {on one member} could be treated as the equivalent of an armed attack,” but the nature of the Alliance’s response “will be decided by allies on a case-by-case basis.”
  • President Obama in 2013 issued a classified Presidential Policy Directive that authorizes military and intelligence services to identify “potential systems, OCEO (Offensive Cyber Effects Operations) capabilities,” according to The Guardian. The document authorizes military commanders to launch cyberattacks to respond to the threat of an imminent attack or an emergency situation.
  • The Israeli Defense Forces say their doctrine is to handle “cyberspace … similarly to other battlefields on ground, at sea, in the air and in space,” and acknowledge that Israel engages “in cyber activity consistently and relentlessly, gathering intelligence and defending its own cyberspace” and is prepared to use cyberspace “if necessary … to execute attacks and intelligence operations.”
  • China’s military doctrine has been relatively explicit for more than a decade, according to an article in Military Review.  Recognizing “informationized arms … [as] as carrier of strategies” whose “basic purpose is to seize and maintain information dominance,” Chinese military theorists have advocated the use of cyber weapons for deceiving the enemy or applying psychological pressure on adversaries.
  • Russian operations in this area reflect a somewhat different doctrinal grounding. Russian definitions of “information warfare” or “information operations” avoid the term “cyber,” although some, like the Chinese, do use “informatization.” This may reflect a preference for establishing control of networks in order both to feed disinformation to adversaries and to provide “information support for the state policy of the Russian Federation”—i.e., control internal and external messaging on issues of importance to Moscow.

[1] The financial market attack cited above presumably would be characterized as an “operation” rather than “warfare.”
