How To Define Cyberwar

Uploaded on 2016-06-14 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW

One of the things that keeps intelligence and military leaders from sleeping soundly is the problem of cyberwar and its subsets, cyber-espionage, cyber-sabotage and what most people call “hacking,” which isn’t something that only teenagers do from their parents’ basements.

For years, there has been a continuous string of attempted penetrations of US military, intelligence, defense contractor and related networks. It now occurs literally thousands of times a day. The Chinese “Titan Rain” computer attacks began in about 2003 and continued for at least three years, penetrating networks and stealing valuable defense secrets.

This kind of attack has at least two purposes. The first is espionage. Cyber-attacks, let’s not use the term “hacks” because the term sounds innocent, have penetrated unclassified Pentagon email systems. One attack, probably by China, reportedly succeeded in stealing all or part of the design for the F-35 fighter. Knowing what our intelligence community knows, without being detected, would be a huge advantage to any opponent (and even some friends).

The second is to disable or even take control of anything the attackers can penetrate. The computers in most cars can be penetrated and controlled so that the brakes can be jammed on or the engine turned off. So can power companies and everything else that is computer-controlled.

Far scarier is the fact that we are being forced by the cyberwar capabilities of our adversaries to protect military and intelligence satellites that we rely on for everything from secure communications to navigation and reconnaissance (i.e., espionage). The F-35 itself is the target of cyberattacks because of the enormously complex software that runs the aircraft. If a cyberattack penetrated the F-35, the damage that could be done might range from crashing the aircraft to causing damage to every other aircraft or satellite. There is no limit to the damage that can be done.

In April 2015, Adm. Mike Rogers, commander of US Cyber Command and director of the National Security Agency, told Congress that the level of cyber-threats was growing and that whatever we were doing to deter cyber-attacks wasn’t working. He said, “We’re at a tipping point. We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?” Unsurprisingly, not much has been done since then to improve our deterrent and offensive capabilities and doctrines of operation.

One problem is that the intelligence and military agencies look to Congress to authorize and help define those efforts. Sens. Mike Rounds, South Dakota Republican, and Angus King, Maine Independent, have taken a step toward that by introducing S-2905, a bill to define what kind of a cyber- attack would amount to an act of war.

But the bill does nothing more than punt the question over to the executive branch, requiring it to come up with a definition of when a cyberattack would be regarded as an act of war. 

Congress has defined the term before. Title 18 US Code Section 2331 defines an act of war in the context of terrorism. It deals with attempts to influence or coerce the civilian population and to control or affect the conduct of government. In the context of cyberwar, a new definition needs to be created.

There are some fundamental concepts on which it should be based. We should be familiar with them from the “Stuxnet” computer worm used (by us? the Israelis? Together?) to attack the Iranian Natanz nuclear facility in about 2010. It caused many of its uranium enrichment centrifuges to run out of control, disabling or damaging hundreds of them. It was obviously justifiable in either nation’s national security interests, and doing so covertly was justifiable in preventing open war.

But the Stuxnet attack, whomever did it, was an act of war, and gives rise to applicable principles.

First, to qualify as an act of war the action must be undertaken by a “belligerent party” capable of fighting a war, be it a nation or a non-state actor such as a terrorist group.

Second, the action must cause either significant physical damage to people or property or it must disable, control or otherwise prevent the proper functioning of a computer system or systems essential to national security or public health and welfare.

Under this standard, any cyberattack that, for example, disabled or polluted a city’s water supply would be an act of war. So would attacks on our satellites or on our military or civilian aircraft that succeeded in disabling or controlling them.

There is clearly room for refining that standard to meet the nation’s defense and civilian needs. Congress needs to do more than the Rounds-King bill, and this is a good place to start.

Congress also needs to act to bolster both our cyber-deterrent and offensive cyber-forces. One veteran warrior I spoke to put it this way: If anyone attacks our defense or intelligence networks, or our vital civilian networks, we should immediately and automatically seek out the origin of the attack and counter-attack with a complex virus or Trojan horse that could disable the originating computer network.

It’s more than a year since Adm. Rogers’ warnings. It’s unlikely, to the point of impossibility, that anything will be done to remedy this situation before the November election. It doesn’t matter what happens to the Rounds-King bill. But it matters a great deal that our offensive and defensive cyberwar capabilities could easily fail for lack of presidential and congressional attention.

Ein News:  http://bit.ly/1toyBur

 

« Cyber Insurance Report 2016 (£)
Tor’s Developer Leaves After Lurid Sexual Allegations »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

Assured Data Protection

Assured Data Protection

Assured Data Protection specialises in data protection and disaster recovery services for large SME and enterprise organisations.

Stealthcare

Stealthcare

Stealthcare is a full service, global cyber security firm offering solutions that educate, empower and protect.

Cryptoloc

Cryptoloc

Cryptoloc's core business is developing solutions designed to protect businesses from all kinds of security threats using a unique patented cryptography.

Kasada

Kasada

Kasada has developed a radical approach to defeating automated cyberthreats based on its unmatched understanding of the human minds behind them.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

Avetta

Avetta

Avetta One is the industry’s largest Supply Chain Risk Management (SCRM) platform. It enables clients to manage supply chain risks and suppliers to prove the value of their business.

Tech Vedika

Tech Vedika

Tech Vedika has access to technical guidance, training and resources from AWS to successfully undertake solution architecture, application development, application migration, and managed services.

Protectt.ai Labs

Protectt.ai Labs

Protectt.ai Labs is India’s first mobile security start up building awareness & providing solutions for mobile app, device & transaction security.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Fletch

Fletch

Fletch’s AI tracks the evolving cybersecurity threat landscape by reading and interpreting every threat article every day and matching those threats to a company’s exposure.

Institute for Applied Network Security (IANS)

Institute for Applied Network Security (IANS)

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk.

Secure Halo

Secure Halo

Secure Halo has been protecting the intellectual assets and sensitive information of the federal government and private sector for 20+ years, through our proactive approach to risk and cybersecurity.

Revytech

Revytech

Revytech is a tech company providing services in a broad range of areas including IT operations, cyber security and network engineering.

AFINE

AFINE

AFINE is a trusted advisor in the field of cybersecurity and pentesting.