Cyberspace: The New Frontier in Warfare


Opinion By Espen Barth Eide & Anja Kaspersen, WEF

Since time immemorial, the principal domains of warfare were land and sea. Kings and rulers built armies and navies, fortresses and castles, and sent scouts and spies to find out what their potential adversaries were up to. If properly organized, one would normally have some kind of early warning that an attack was in the making before it actually took place, so that countermeasures could be taken. The fortress gave a sense of security, at least until the advent of modern artillery.

As the technology of flight developed, air evolved as a new domain. There was simply no opting out; if your adversary developed an air force, you needed air defences, or your armies and navies would prove of little avail. Military strategy evolved: why spend resources on attacking a well-protected border when you could strike deep behind enemy lines, at population centres or even at the very centre of decision-making? The combination of technology and military strategy led to the shift from World War I trench warfare to World War II blitzkrieg.

Today, cyberspace has emerged as a domain of its own, in many ways like land, sea and air. Indeed, it might be the domain of choice: we can safely postulate that any future conflict between reasonably advanced actors will be a cyber-conflict. No modern attacker would resist the temptation to destroy, disrupt or confuse enemy sensors, communications and decision-making loops. What will vary is whether the conflict will take place in the physical domains as well. This insight will change the nature of conflict in fundamental ways, and possibly lower the threshold of war and confuse the very distinction between war and peace.

And just as with the advent of human flight, opting out is not an option. Modern societies have become existentially dependent on cyberspace. In the words of Rod Beckstrom, the former head of ICANN: anything networked can be hacked, everything is being networked so everything is vulnerable.

Cyber-conflict shares certain characteristics with conflicts in the physical domains, but differs in many others. To start with, technologies tend to be typically dual-use: if a nation acquires a fighter aircraft, it clearly has a military purpose in mind; the same cannot be deduced if it acquires a new IT system.

Since anything networked can be hacked, that does not solely mean military bases communication systems, but any kind of infrastructural installations, energy sources, electricity grids, health systems, traffic control systems, or water supplies, as well as communications and sensors. The task of securing a country’s strategically important cyberspace is further complicated by the fact that much of it is owned and controlled by the private sector.

A second major difference lies in the potential universe of “adversaries”. For the medieval king, this would typically be neighboring peers, the number of which he more or less knew. Proximity mattered. Today, the number of entities with the capacity to mount a potentially devastating attack is infinitely greater: not just states, but also hackers, terrorists, businesses, social groups, criminals, and even unsuspecting computer users. Proximity has become totally irrelevant, which takes away a fundamental premise in traditional military theory. Thirdly, the potential for “early warning” is low or non-existent. You need to be protected, here and now. There is no corollary to the call for “mobilizing forces” of old; you need to be resilient, and you need to factor in that attacks might actually happen and probably even will.

In cyber-wars, you no longer necessarily know who may attack you – or even who already has attacked you. Attributing blame for cyber-attacks is difficult, as attackers can use proxies to implicate innocents. Much of the emphasis today is therefore on improving the technology of attribution. Without attribution, no retaliation, and no deterrence. Even with the right technology in place, the issue of attribution is tricky: stating all that you know might be politically sensitive and it could risk revealing critical intelligence capacities, which in turn could compromise the ability to attribute sources in the future.

Thirdly, in cyberspace, early warning is rendered largely irrelevant. Traditional defence logic assumes that there would always be some signs of a coming attack, whether in months or minutes ahead: armies marching to the border, or radar systems detecting incoming missiles. Not so with a cyber-attack. At best, you know that you are under attack as it is happening; more likely, you discover you have been attacked only after the fact. This renders obsolete any concepts of “mobilization”, “regrouping” or point-specific defence measures.

All these factors add up to one conclusion: in cyberspace, offence is significantly easier than defence. In traditional warfare, the defender tended to have the advantage, and the attacker needed a certain supremacy in numbers, technology or strategy to succeed. Indeed, cyber-defence must be omnipresent throughout one’s critical infrastructure, everywhere, all the time, and combined with effective redundancy.

All states, however, are mutually dependent in cyberspace. In this lies some hope: This fact creates for state actors a game-theoretic rationale not to engage in all-out cyber warfare, not unlike the logic that has restricted nuclear warfare in the form of MAD – Mutually Assured Destruction. This may also create an incentive for governments to work together on sharing defensive technologies.

However, a cyberspace “terror balance” could be threatened by governments playing “tit-for-tat” in probing each other’s cyber defences. It is well known that advanced states, as well as advanced non-state actors, are placing sleeping “agents” in each other’s information systems. Such malware is frequently found everywhere from defence systems to various critical infrastructure systems. This, in turn, can lead to inadvertent escalation into full-scale conflict.

As pointed out in a previous article, extremist movements are increasingly using cyber tools as a force multiplier, including propaganda, scare-tactics, recruitment and fundraising, with such ease that policy makers, military leaders and intelligence agencies are struggling to keep pace. Efforts to respond have so far been reactive rather than forward-looking.

Cyber is also critical in states’ military strategies, which are typically supplemented by cyber operations (“cy ops”), often hand-in-hand with psychological operations (“psy ops”). This may, for instance, include disinformation campaigns or data integrity attacks that could set off false alarms, such as sensors at nuclear power plants or air raid warnings.

Thus, as everyday life becomes increasingly dependent on cyberspace, the potential grows for cyber warfare to cause physical, economic, and social havoc and damage. The world needs a policy framework to address issues ranging from pre-emption and deterrence to rules of modern conflict. The Geneva Conventions’ principles of proportionality and distinction seem as relevant as ever, but increasingly difficult to ensure and enforce or even to translate into a new reality.

For example, what constitutes an act of war in cyberspace? If a cyber-attack causes physical destruction, does it justify physical countermeasures? What level of confidence about the origin of a cyber-attack would be needed to justify retaliation? Where should the line be drawn between military and civilian actors and installations in a cyber-conflict?

Provisions exist in national and international law, and cyberspace should not be seen as a lawless room. International norms are gradually emerging, but technological change is outpacing progress towards cyber versions of arms treaties. Without stepping up efforts to elaborate a system of global norms and regulations, we are at risk of severe fragmentation of cyber-security policy.

Governments should do a better job of communicating their positions and actions to the public, responding to the deterioration of trust which has resulted from privacy and human rights concerns, but also ensuring that their ability to secure society through appropriate and legitimate measures is in place.

Private sector companies carry a responsibility to put systems and procedures in place to alert governments about, and in some instances help to counter, malevolent cyber activities that risk compromising international security. Unfortunately, this is not always happening, as companies often do not want to lay bare their proven vulnerabilities for public scrutiny and may not want to report a successful attack.

Enhanced and more consistent collaboration is needed between the public and private sector to ensure a common understanding both of where the lines should be drawn between them and of where collaboration is warranted in order to counter adversaries that will never play by the book. Without such collaboration, threats are outpacing our preparedness.

The current effort by President Barack Obama and President Xi Jinping to explore an agreement on a new set of principles to treat cyber as a military capability is a step in the right direction. Although there are still a number of outstanding questions on how to implement any form of agreement on how to regulate the international security threats in the cyber domain and how to deal with the politically sensitive issue of attribution, better cooperative measures are urgently needed.

As the public institution for public-private cooperation, the World Economic Forum provides a platform for a broad, multistakeholder dialogue around these issues. Without sufficient preparedness and greater public awareness, we may be up for a rather bumpy ride as we make ourselves not only more connected, but also more interdependent and vulnerable.

Authors: Espen Barth Eide, Member of the Managing Board, and Anja Kaspersen, Head of International Security and Member of the Executive Board, World Economic Forum
WEF: http://bit.ly/1KGBTey
