How To Define Cyberwar

One of the things that keeps intelligence and military leaders from sleeping soundly is the problem of cyberwar and its subsets, cyber-espionage, cyber-sabotage and what most people call “hacking,” which isn’t something that only teenagers do from their parents’ basements.

For years, there has been a continuous string of attempted penetrations of US military, intelligence, defense contractor and related networks. It now occurs literally thousands of times a day. The Chinese “Titan Rain” computer attacks began in about 2003 and continued for at least three years, penetrating networks and stealing valuable defense secrets.

This kind of attack has at least two purposes. The first is espionage. Cyber-attacks, let’s not use the term “hacks” because the term sounds innocent, have penetrated unclassified Pentagon email systems. One attack, probably by China, reportedly succeeded in stealing all or part of the design for the F-35 fighter. Knowing what our intelligence community knows, without being detected, would be a huge advantage to any opponent (and even some friends).

The second is to disable or even take control of anything the attackers can penetrate. The computers in most cars can be penetrated and controlled so that the brakes can be jammed on or the engine turned off. So can power companies and everything else that is computer-controlled.

Far scarier is the fact that we are being forced by the cyberwar capabilities of our adversaries to protect military and intelligence satellites that we rely on for everything from secure communications to navigation and reconnaissance (i.e., espionage). The F-35 itself is the target of cyberattacks because of the enormously complex software that runs the aircraft. If a cyberattack penetrated the F-35, the damage that could be done might range from crashing the aircraft to causing damage to every other aircraft or satellite. There is no limit to the damage that can be done.

In April 2015, Adm. Mike Rogers, commander of US Cyber Command and director of the National Security Agency, told Congress that the level of cyber-threats was growing and that whatever we were doing to deter cyber-attacks wasn’t working. He said, “We’re at a tipping point. We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?” Unsurprisingly, not much has been done since then to improve our deterrent and offensive capabilities and doctrines of operation.

One problem is that the intelligence and military agencies look to Congress to authorize and help define those efforts. Sens. Mike Rounds, South Dakota Republican, and Angus King, Maine Independent, have taken a step toward that by introducing S-2905, a bill to define what kind of a cyber- attack would amount to an act of war.

But the bill does nothing more than punt the question over to the executive branch, requiring it to come up with a definition of when a cyberattack would be regarded as an act of war. 

Congress has defined the term before. Title 18 US Code Section 2331 defines an act of war in the context of terrorism. It deals with attempts to influence or coerce the civilian population and to control or affect the conduct of government. In the context of cyberwar, a new definition needs to be created.

There are some fundamental concepts on which it should be based. We should be familiar with them from the “Stuxnet” computer worm used (by us? the Israelis? Together?) to attack the Iranian Natanz nuclear facility in about 2010. It caused many of its uranium enrichment centrifuges to run out of control, disabling or damaging hundreds of them. It was obviously justifiable in either nation’s national security interests, and doing so covertly was justifiable in preventing open war.

But the Stuxnet attack, whomever did it, was an act of war, and gives rise to applicable principles.

First, to qualify as an act of war the action must be undertaken by a “belligerent party” capable of fighting a war, be it a nation or a non-state actor such as a terrorist group.

Second, the action must cause either significant physical damage to people or property or it must disable, control or otherwise prevent the proper functioning of a computer system or systems essential to national security or public health and welfare.

Under this standard, any cyberattack that, for example, disabled or polluted a city’s water supply would be an act of war. So would attacks on our satellites or on our military or civilian aircraft that succeeded in disabling or controlling them.

There is clearly room for refining that standard to meet the nation’s defense and civilian needs. Congress needs to do more than the Rounds-King bill, and this is a good place to start.

Congress also needs to act to bolster both our cyber-deterrent and offensive cyber-forces. One veteran warrior I spoke to put it this way: If anyone attacks our defense or intelligence networks, or our vital civilian networks, we should immediately and automatically seek out the origin of the attack and counter-attack with a complex virus or Trojan horse that could disable the originating computer network.

It’s more than a year since Adm. Rogers’ warnings. It’s unlikely, to the point of impossibility, that anything will be done to remedy this situation before the November election. It doesn’t matter what happens to the Rounds-King bill. But it matters a great deal that our offensive and defensive cyberwar capabilities could easily fail for lack of presidential and congressional attention.

Ein News:  http://bit.ly/1toyBur

 

« Cyber Insurance Report 2016 (£)
Tor’s Developer Leaves After Lurid Sexual Allegations »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DLA Piper

DLA Piper

DLA Piper is a global law firm with offices throughout the Americas, Asia Pacific, Europe and the Middle East. Practice areas include Cybersecurity.

CYBERPOL

CYBERPOL

CYBERPOL's mission is to facilitate the widest possible mutual assistance between all cyber crime law enforcement authorities to help mitigate global cyber threats.

Crossword Cybersecurity

Crossword Cybersecurity

We work with research intensive European university partners to identify promising cyber security intellectual property from research that meets emerging real-world challenges.

OneVisage

OneVisage

Our award-winning 3DAuth digital identity platform turns any consumer mobile device into a real-time 3D facial scanner that securely authenticates the user in seconds.

NetDiligence

NetDiligence

NetDiligence is a privately-held cyber risk assessment and data breach services company.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Eseye

Eseye

Eseye is a global specialist supplier of cellular internet connectivity for intelligent IoT (Internet of Things) devices.

New Zealand Internet Task Force (NZITF)

New Zealand Internet Task Force (NZITF)

The New Zealand Internet Task Force (NZITF) is a non-profit with the mission of improving the cyber security posture of New Zealand.

24By7Security

24By7Security

24By7Security are Cybersecurity & Compliance Specialists with extensive hands on experience helping businesses build a defensive IT Infrastructure against all cyber security threats.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

Cyber Skyline

Cyber Skyline

Cyber Skyline is a revolutionary cloud platform to practice, develop, and measure your team's technical cybersecurity skills.

Stripe OLT

Stripe OLT

At Stripe OLT, we provide complete business technology solutions - Our team has an unrivalled reputation as a Microsoft Gold Partner, specialising in secure, cloud-first technology.

Cymptom

Cymptom

At Cymptom our purpose is to enable security managers to see at a glance all urgently risky gaps  in their organizations’ security posture at any given moment.

Tozny

Tozny

Tozny offers products with security and privacy in mind that are built on the foundation of end-to-end encryption, and open-source verifiable software.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.