Cyber Warfare: From Attribution to Deterrence
The number of cyber-attacks continues to increase such as the offensives conducted by nation-state hackers against governments worldwide.
Often, security experts use the term information warfare referring cyber disputes among states. A cyber-attack could cause physical damage such as a convention military attack, nation-state actors according specific strategies target critical infrastructure of their enemies.
Cyber disputes are stealthy and asymmetry, in the majority of cases nation-state actors launch non-lethal attacks against the information systems of adversaries for both sabotage and cyber espionage, it is the evidence of the rise of information warfare.
Cyber warfare is becoming the most progressive warfare domain after the Second World War.
Which are the global actors that benefit the most from this capability?
The development of offensive cyber warfare capabilities of the minor states against so-called "superpower states," which have greater kinetic warfare capabilities, grants them a strategic advantage and it is rapidly changing the balance of power to their advantage.
Information warfare is attractive for almost any government due to its low cost of development and deployment, its minimum visibility during development and mobilization of a weapon, the difficulties of the attribution, the possibility to attack also in "peacetime," the great dependency of so-called super powers from their critical infrastructure.
What is the definition of Information Warfare?
There are many definitions for a term that is even more abused by media, Dan Kuehl of the National Defense University defined information warfare as the "conflict or struggle between two or more groups in the information environment."
This means that the term could be used to refer any action to deny, exploit, corrupt, or destroy the enemy's information environment and its operations;
The core concept behind the information warfare is the so-called "cyber capability," the ability of a cyber army to protect its systems from cyber-attacks, or dually, to be able to launch cyber-attacks against a target reaching the desired results.
Almost any government worldwide is investing billions in developing such kind of capabilities, US, United Kingdom, Israel, China, and Russia, are considered the most advanced countries, but recently governments like Iran and North Koras are entering powerfully into the cyber arena.
Going deep into the analysis of the term Information Warfare, we can observe that the cyber capabilities mentioned by military experts are a combination of hacking techniques, electronic warfare, cyber warfare and psyops (psychological operations).
Is our infrastructure resilient to cyber-attacks? Which are the countries with the greatest resilience against cyber-attacks?
We are all vulnerable to cyber-attacks, the increase of our attack surface makes our system exposed to a wide range of cyber threats, and nation-state actors know it.
The Word Economic Forum shared interesting data on Governments and their resilience to cyber-attacks. It is the Global Cybersecurity Index (GCI), a multi-stakeholder initiative to measure the commitment of countries to cyber security. The level of development for each country is analyzed within five categories: Legal Measures, Technical Measures, Organizational Measures, Capacity Building and Cooperation.
"The project is a result of intensive primary and secondary research by both ITU and ABI Research. Country level surveys, complemented by in-depth qualitative research, were sent out to all ITU Member States. Information was collected on laws, regulations, CERTs and CIRTs, policies, national strategies, standards, certifications, professional training, awareness raising, and cooperative partnerships. The aim of the GCI is to provide a snapshot of where countries stand in their cybersecurity engagement at the national level." Reads the report titled "Global Cybersecurity Index & Cyber Wellness Profiles."
Figure 1 - Data WEF from Global CYBERSECURITY INDEX & CYBERWELLNESS PROFILES Report (ITU)
The US reserved a significant effort to cyber security because the country is a privileged target of threat actors, for this reason, it is investing in the adoption of innovative technical measures, as well as, legal measures. The surprise in the above chart is the rank of countries like Israel and UK that are considered by the experts among the most advanced states in the cyberspace. Positive is the judgment on the cyber strategy implemented by countries like Oman and Malaysia and Norway.
The anatomy of information warfare
We live in a highly connected world; the data communications are essential for the execution of vital operations of each country, but we have to consider that they are one of the main targets for an electronic warfare attack. The stock exchange, air traffic control systems, bank systems, defense systems are a few examples of components that could be damaged by a cyber-attack bringing the target country in the chaos.
Information warfare doesn't mean only hacking attacks; the psyops are crucial components of any military strategy. Spreading specifically crafted information it is possible to destabilize a country or degrading the morale of the population, the prelude to a military action.
Information warfare today is the results of electronic warfare, cyber warfare, and psychological operations, all these disciplines are applied by Government for both attack and defense purposes.
Define new rules for the war of the futures implies to be able to analyze all the above aspects and define a set of regulations globally accepted by any country.
This is challenging if we consider that while cyber security experts, politician, and diplomats of any government are collaborating to the definition of the rules, nation-state actors in the wild are exploiting the lack of regulation to target organizations with a new generation of sophisticated cyber weapons.
It is a war all against all, where there are rules, and where new actors, such as cyber terrorists and cyber criminals, represent a significant element of disturbance.
What is the response of the governments?
Almost any government is increasing the number of units assigned to the "unconventional warfare."
In March 2015, federal officials announced that the US military received the green light to hire 3,000 cyber experts to assign to the US Cyber Command.
One year later, the United States Marine Corps has launched, on March 25th, a new hacker support unit called Marine Corps Cyberspace Warfare Group (MCCYWG). The group is already operative, and the assigned resources are expected to expand in the next year rapidly.
The newborn Marine Corps Cyberspace Warfare Group will support the US Marine Corps Forces Cyberspace (MARFORCYBER) established by the US Government in 2010.
The Marine Corps Cyberspace Warfare Group will protect the Marine Corps infrastructure from cyber-attacks, for this reason, in the announcement, it is described as a sort of virtual "firewall" against the cyber threats.
"Cyber operations as a whole are anything from ensuring your network is secure to home use like when you buy a router, set it up, set up passwords and encryptions," said Sargent Brian Mueller, a member of the unit.
"[Cyberspace operations] ensure that our systems are secure to stop hackers from getting into our systems where our personal identifiable information and everything else is stored," added Mueller.
"While the offensive side is what can we do to hinder an enemy."
Below the official description of the new hacker unit and its functions:
"Commander, MCCYWG organizes, trains, equips, provides administrative support, manages readiness, and recommends certification and presentation of Cyber Mission Force (CMF) Teams to U.S. Cyber Command. The MCCYWG plans and conducts full-spectrum cyberspace operations as directed by COMMARFORCYBER in support of service, combatant command, joint, and coalition requirements." states the website of the US Marine Corps.
A similar approach is adopted by the UK Government; the British Army established two new units, the 77th Battalion, a cyber unit composed of soldiers familiar with social media specialized in psychological operations, and the 1st Intelligence, Surveillance and Reconnaissance Brigade which includes electronic warfare and intelligence capabilities.
Cyber warfare, a dominant dimension for interstate conflicts
Ever country is even more exposed to the cyber threats, factors such as the exponential growth of Internet penetration and the dependence of critical infrastructure to cyberspace (i.e. power, emails, emergency systems, reconnaissance networks, military communication, weapons, etc.) make the information warfare the dominant dimension for interstate conflicts in the next future.
There are some states that benefit most from offensive cyber warfare capabilities, this is the case of the China that does not have the kinetic war (traditional weapons) capability that equates to the U.S. advanced military forces, anyway, offensive cyber warfare becomes a sound balancing factor against this asymmetrical relationship.
The development of a strong cyber warfare capability takes less economic, human and geopolitical resources respect conventional weapons, such as a nuclear capability. A growing number of experts are starting to compare nuclear capability and cyber war potential. Of course, nuclear capability is the maximum expression of military power.
Until today, states have sustained an intense dialogue to avoid the proliferation of mass destruction weapons, like nuclear weaponry, but clearly, the new generation of weapons imposes similar reflections.
The proliferation of cyber weapons is hard to control although similar malicious codes could have potentially the effects of a nuclear bomb. A cyber-attack against a critical infrastructure could cause the loss of many human lives and could have the same impact of a nuclear bomb on the environment. Let's think of the effects of a cyber-attack against the SCADA systems within a nuclear plant.
"If Internet security cannot be controlled, it's not an exaggeration to say the effects could be no less than a nuclear bomb," said General Fang Fenghui, Chief of General Staff of the People's Liberation Army of China, in April 2013. In the same year, the Secretary of State John Kerry responded to a cyber security question during his confirmation hearings in January 2013 by saying, "I guess I would call it the 21st-century nuclear weapons equivalent."
Other military leaders and politicians expressed their opinion on the analogy between the fundamentally different nuclear and cyber weapons systems. The Admiral Michael Rogers, director of the NSA, and Director of National Intelligence James Clapper have both stated that the threat posed by cyber weapons is comparable to, or greater than, that of nuclear weapons.
However, at present, many skeptics argue that strategic cyber weapons simply do not share main deterrent characteristics of nuclear weapons (sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons).
I totally disagree with this line of thought, and I sustain that states need to approach the proliferation of cyber weapons like the nuclear weapons.
Reflecting on the deterrent characteristics of a cyber weapon we can verify that:
- Sheer destructiveness. Despite until now, cyber weapons have inflicted very little physical destruction, malware like Stuxnet can potentially disrupt a critical infrastructure. It is my opinion that the destructive power of a nuclear weapon could be compared to the one of a cyber weapon. Cyber may be able to threaten our life, and recent studies demonstrate they are capable of inflicting severe damages to the target.
- Assuredness of destruction. This is likely the weakest aspects related to cyber weapons. When attackers deliver a nuclear bomb on the target, there is the certainty of damages. This is not applicable to cyber weapons, the delivery of cyber "payloads" also weaken strategic cyber weapons' credibility as a deterrent. The effects of a cyber weapons depend on the efficiency of the attack vector and the presence of vulnerabilities in the target systems. This aspect significantly undermines the feasibility of applying deterrence principles in cyberspace. Commenting about the assuredness of destruction for cyber weapon, the President Barack Obama said: "With nuclear weapons, there is a binary. Either there are no nuclear explosions or there are big ones, and it is a real problem. In cyberspace, there are all sorts of gradations."
- A common understanding. I believe the debate surrounding the use of strategic cyber weapons is rapidly reaching high level due to the escalation in cyber-attacks. It is crucial for the government to share a common understanding of strategic cyber weapons.
To better understand the effectiveness of information warfare, especially for states with a smaller conventional arsenal and less technologically advanced military, you should consider the fundamentals of the asymmetric warfare.
The cyber warfare capabilities represent a crucial advantage in asymmetric warfare, especially for the weaker party. Let's think for example of the threat represented by countries like the Iran and the North Korea; their cyber armies continue to target systems worldwide.
Similar attacks in conventional warfare would trigger a response against the smaller state by the hegemon, but in the cyber warfare context the things go in a different way due to various factors, including the problem of the "attribution."
In asymmetrical conflicts, the attackers have an advantage over the defenders; they can launch the offensive any time, and the attack may be discovered years after the threat actor completed its mission.
Another problem when dealing with the Information Warfare is responsibility for defending the national infrastructure against a cyber-attack. Many agencies and the private sector could be involved in the incident response, a circumstance that complicates the organization a coherent response to an attack.
Cyber warfare capability as a strategic weapon for weaker countries is the most viable option.
Computers, connection, the ability to hide online identity operate anonymously, the availability of zero-day exploits could transform any attacker in a dangerous enemy, also for super power like Russia, China, and the US. It is a sort of cyber democracy!
In a kinetic warfare scenario, deterrence has a crucial role, but in cyber warfare, deterrence seems to have a different meaning. Almost any government is working to improve cyber capabilities and to design effective cyber weapons for their arsenal. Anyway, no one is trying
to deter them. North Korea is probably the nation that most of all have ramped up its investment in the development of cyber warfare capabilities.
The principal problem when dealing with deterrence in the cyberspace is the different exposure of countries to the cyber threats. Usually weaker countries like Iran and North Korea have a limited exposure compared to the US or European nations; this implies that they are not equally vulnerable to cyber-attacks. With these premises, cyber retaliations will not be the same as equalization of nuclear warfare capabilities.
Cyber warfare incentives weaker countries to engage cyber disputes with other nations to maximize their profits while risking little, this makes deterrence very difficult to establish. Counties that are more technologically developed are more susceptible to cyber warfare.
The purpose of deterrence is to disincentive governments for launching cyber-attacks against other nations. Another problem when approaching the concept of "Deterrence" is the ability of countries to be able to distinguish the source of the attack (attribution) and motivation of the threat actors.
Both aspects are crucial in cyber warfare as explained by Patrick Cirenza on the bulletin.org.
"The raw calculus of deterrence is fairly straightforward: The lower the odds of getting caught, the higher the penalty required convincing potential attackers that what they might achieve is not worth the cost. Unfortunately, the higher the penalty for any one cyber-attack, the greater the odds that the punishment will be viewed as uneven, this by nature can be contributed to the attribution problem inherently embedded in the cyber warfare capability," explained Cirenza.
An effective deterrence in cyber warfare leverages on multiple factors such as:
- The availability of the cyber weapon that represents the offensive capability of the country.
- The credibility of the threat.
- The ability to convey the threatening message to the potential adversaries and the international community.
Intelligence and security experts speculate that both economic and military threats may be effective in deterring a nation-state actor using cyber warfare against another government.
The Attribution of cyber-attacks is very difficult in cyber warfare and involves many aspects, including technical, legal, and political.
Attribution is a multi-dimensional issue that needs the analysis of multiple sources of information, including forensic analysis, human intelligence reports, signals intelligence, history, and geopolitics.
In cyber warfare context, an initial cyber-attack must be attributed before triggering a counterattack with the permission of the international community. This means that the defenders need to implement effective active defense measures with the ability to identify the source of an attack.
When dealing with the problem of attribution, we have to distinguish actions conducted in the cyberspace by non-nation-state actors from the ones carried out by governments.
Non–state actors such as individuals, terrorist organizations, and organized groups, must be linked to a state to bear a responsibility under Article 2(4) of the UN Charter.
The reality demonstrates that the problem of attribution is exceedingly complex and is not always solvable, this means that in a cyber warfare scenario it is not possible to start retaliation against the attackers.
Let's consider as examples, the cases of the cyber-attacks against the US Pentagon and the recent string of attacks against organizations and individuals involved in the next US Presidential Election. Although evidence suggests the involvement of Chinese and Russian Nation-state actors respectively, the victim has not replied to the attack.
The worldwide web is composed of systems and networks that were not developed with attribution in mind, and so the attribution has become a major problem in the management of the cyber incident and their response.
Fortunately, the attribution capabilities are increasing due to the great interest of security experts in the subject. Things are changed with respect to a decade ago; today security experts have more instruments to monitor suspicious activities and conduct and investigation on the activity
of a specific threat actor in the cyber space. Governments are increasing their investments in threat intelligence trying to define new predictive models that allow them to profile activities of threat actors, including nation-state hackers.
On the other end, bad actors are adopting new sophisticated techniques that allow them to remain under the radar for long periods, introducing a further element of difficulty when dealing with the problem of attribution.
The growing number of connected platforms unavoidably offer new attack vectors that must be addressed within a national strategy; cyber security must be at the core of national and industrial technology strategies.
Attribution judgments will always have some degree of uncertainty that is a peculiarity of the cyber warfare; this uncertainty influences political and policy decisions when the government needs to evaluate a proportional response against the alleged attackers.
Cyber warfare represents a strategic opportunity for any government, especially countries considered weaker under the conventional military perspective.
We are just in the first phases of an urgent reflection on the cyber warfare matter that need to involve diplomatic, politicians and technical. It is imperative for the international community to consider cyber warfare as a new battlefield where rogue states and non-state actors are increasing their presence aiming at the dominance of the fifth domain of the warfare.
The dominance in the cyberspace is strategic for any government, for this reason, we see evidence of an arms race begun years ago with the intent to gain an economic and political advantage against the dominant political structure.
We have seen that is possible, under certain conditions, analyze cyber weapons with an analogy to nuclear weapons. With the technology exposure of our society, a massive cyber-attack could result in prohibitively high costs and losses of human lives being comparable to those of nuclear weapons. It could be not difficult to promote a not -proliferation act among a small subset of states. However, the number of cyber actors that could move a massive cyber-attack will continue to increase and governments need to work for the definition of a nuclear-style deterrence in cyberspace.
The unique plausible way to avoid catastrophic scenarios is the definition of norms of behavior in cyberspace that will be accepted by almost any government.
Governments will have to promote the 'due diligence' principle, to regulate state behavior in the cyberspace.
The discussion among government must focus on an effect-based approach that will carefully assess potential effects of cyber threats against critical infrastructure worldwide.
The analysis of these effects has to include aspects like the use of cyber capabilities as a coadjuvant in conflict situations. This implies the abilities of international organizations of conducting an effective threat intelligence that could work on the identification of the threats and their attribution to a certain threat actor.
On the legal perspective, it is essential the adoption of a shared framework of law and norms that will discourage the use of cyber weapons and will oblige States to improve the cyber security of their infrastructure.