The New Art of War – Cyber Conflict

Steve Jurvetson: Cyber War Matrix - cyber-offense may be very different than cyber-defense

Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle and much more dangerous.

Wandering the pretty, medieval streets of Tallinn's old town, it is hard to believe that the tiny country of Estonia has anything at all to do with cyberwarfare. But first as victim of an attack and now as home to some of the leading thinkers on how the digital battlefield will develop, the country has played a key role in its emergence and evolution.

Estonia is a country of around 1.3 million people. Facing the Baltic Sea and the Gulf of Finland, it borders Latvia to the south and Russia to the east. After decades as part of the Soviet Union, it regained independence in 1991.

Even today reminders of the Soviet times still abound in the capital Tallinn. There's a museum in one of the big downtown hotels showing how the KGB would bug the rooms of foreign guests.

But Estonia does not intend to be defined by its past; it is instead intent on creating the most advanced digital state on the planet. Since independence, Estonia has invested heavily in digital services. It leads the way with Internet voting—in the 2011 election nearly a quarter of voters cast their ballots that way—and electronic tax filing, all underpinned by a nationwide digital signature infrastructure.

Today, you can even become an Estonian e-resident regardless of where you live in the world so you can use that same infrastructure to electronically sign contracts or set up your own company in the country.
But being so reliant on the Internet carries a risk, as the country found out in 2007.

Plans by Estonian authorities to move a Soviet war memorial sparked a wave of website defacements and denial of service attacks in the country over a three-week period, throwing Estonia's government services, newspapers, and businesses offline. The attacks temporarily disabled the websites of banks, ministries and political parties. Many pointed the finger at Russian hackers (Russia denied any involvement in the incident) but the events demonstrated how a purely digital attack on a state could have real-world consequences.

The Tallinn Manual

While the impact of the attacks can be overstated—"inconvenient, not cyberwar" is how one local described it—it accelerated plans, already in place, to set up a NATO cyber defence think-tank in the country.
The Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established the year after the attacks took place as an institution created to figure out how to improve the digital defences of NATO members and what cyberwarfare would actually look like.

As well as the cyber defence exercises it conducts annually, probably the centre's most important work so far appeared in 2013: the Tallinn Manual on the International Law Applicable to Cyber Warfare, known simply as the Tallinn Manual.

While there is no international law that directly refers to the ultra-modern concept of cyber warfare, there is plenty that applies. So CCDCOE assembled a panel of international legal experts to go through this existing law and show how it applies to cyber warfare. This formed the basis of the Tallinn Manual and the 95 so-called 'black letter rules' it contains (so named because that's how they appear in the text).

Through these rules the manual attempts to define some of the basics of cyber warfare. At the most fundamental level, the rules state that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. It also lays out that such an attack is against international law, and that a state attacked in such a way has the right to hit back.

Other rules the manual spells out: don't target civilians or launch indiscriminate attacks that could cripple civilian infrastructure. While many of these sorts of rules are well understood when it comes to standard warfare, setting them out in the context of digital warfare was groundbreaking.

While the manual argues that a cyber attack can be considered to be the equivalent of an armed attack if it causes physical harm to people or property, other attacks can also be considered a use of force depending on their severity or impact. For example, breaking into a military system would be more likely to be seen as serious, as opposed to hacking into a small business. In contrast, cyber attacks that generate "mere inconvenience or irritation" would never be considered to be a use of force.

The manual also delves into some of the trickier questions of cyber war: would Country A be justified in launching a pre-emptive military strike against Country B if it knew Country B planned to blow up Country A's main oil pipeline by hacking the microcontrollers managing its pipeline pressure? (Answer: probably yes.)

The manual even considers the legality of some scenarios verging on the science-fictional.

If an army hacked into and took control of enemy drones, would those drones have to be grounded and marked with the capturer's insignia before being allowed to carry out reconnaissance flights? (Answer: maybe.)

But what's striking is that the Tallinn Manual sets the rules for a war that hasn't been fought yet.

No Digital Pearl Harbour

Although nearly every state around the globe has been developing a cyber warfare strategy, and some have been building up skills and perhaps even stockpiles of digital weapons, there haven't been any digital attacks that have crossed the thresholds of armed attack as defined by the Tallinn Manual. No massed bot armies, no hackers blowing up power stations from their bedrooms.

Perhaps the closest was the use of the Stuxnet worm (most likely by the US) as part of a bid to derail the Iranian nuclear programme. By contrast, the attacks on Estonia itself would, for all the excitement around them, be towards the inconvenience and irritation end of the spectrum.

The Tallinn Manual doesn't say much about the reality of the cut-and-thrust of the modern Internet, where state-sponsored hackers, spies, and more are constantly probing the systems of other nations. This is a shadowy world where it is often unclear who the attackers are and what their intentions are (and just what the motivations of their backers are, too). It's a world filled with misleading evidence, ambiguity and deniability.
Throughout history, states have used third parties and proxies to get their dirty work done. The difference is that by hacking into systems in countries across the world, these groups can have an impact far from their home territories.

On the subject of such attacks—which can be extremely serious but never quite reach the level of an actual attack by force—the manual has little to say. However, these kinds of attacks are the ones that take place every single day. Cyberwar has become the continuation of politics by digital means.

"The scope of cyber attacks is very, very wide, so that's why with the first Tallinn Manual we took the most severe case of armed attack and the use of force," explains Colonel Artur Suzik, the director of CCDCOE until August 2015. "But the majority of cyber incidents nation states face occur outside of the conflict law, so there was a clear need to expand the legal analysis to this area."

That doesn't mean the manual is a failure, or irrelevant. Indeed, it may even be that by making clear that digital attacks are covered by an array of existing international law, the Tallinn Manual has forced countries to rethink their approaches to cyber warfare. That is, because the manual does a good job of defining just what kinds of attack might lead to a missile being lobbed in your direction, states launching hacking attacks have been careful to keep their operations (just) below that threshold, say experts.

An expanded Tallinn Manual 2.0 is due to be published next year looking at how international law addresses malicious cyber operations by state (and non-state) actors during peacetime.

The new manual will try to create the same 'black letter rules' around much trickier concepts, such as when countries are responsible for hostile cyber operations launched against other states from their territory, and when such operations violate the sovereignty of the state.

It will take the analysis into the much more complicated and murky environment of the day-to-day cyber attacks that don't ever reach the level of physical attacks, but are no less dangerous for it.

Few, for example, could have imagined a couple of years ago that a hacking attack against a film studio could lead to an international incident, or that the theft of HR records from the obscure Office of Personnel Management could create such consternation.

Politicians and diplomats are still struggling to work out how to deal with the near-constant stream of other data leaks from all sorts of government agencies that are blamed on state-sponsored hackers. And there is little in the way of consensus on how to deal with it or often even how to label it. When does hacking become espionage and when does that evolve into something that could escalate into the use of armed force?

And while many industry watchers saw the attacks on Estonia and built out of that lurid 'Digital Pearl Harbour' style scenarios where a country could be toppled by a digital attack launched by a dedicated few, this has not taken place. The reality has turned out to be far less dramatic, but much more complicated to tackle.

That's not to say that the apocalyptic scenario of state-backed hackers causing mayhem by breaking into industrial control systems (the technology that runs power stations or chemical plants) is utterly impossible - just extremely unlikely, and extremely hard and extremely expensive. Cyberwar, as it was envisaged, has not taken place.

But it's entirely possible that by watching and waiting for an explosive Hollywood-style catastrophe, we've missed the much more insidious and protracted cyberwar that has been going on for years already.

Hybrid information war

Earlier this year, the cyber think-tank held a conference in Tallinn, called CyCon, to bring together some of the biggest thinkers on cyber warfare and discuss the most recent developments in cyber war theory ahead of the publication of the new Tallinn Manual.

For what was effectively a technology conference, there were a lot of people in uniform. In attendance was not only the head of the NSA, Admiral Mike Rogers, but also the Assistant Secretary General of NATO, Sorin Ducaru, reflecting the level of concern around cyber defence among the allies.

Despite the subject matter, it wasn't all serious. Speakers, including surveillance chief Admiral Rogers, were presented on-stage with a thank you present of a mug with an ear for a handle.

Both men reflected a cautious, slowly-developing approach when it comes to the use of the internet by the military. NATO itself, for example, only recently decided that a major digital attack on a member state could be covered by Article 5 of its collective defence clause (one of the most fundamental tenets of NATO, that an armed attack on one member should be considered an armed attack on them all). And, Ducaru insisted, "NATO doesn't have any interest [in militarising] cyberspace or to have an ungoverned space."

Rogers emphasised that the use of the Internet by the US military is still evolving, with defence the priority. "Our view is that cyber is another operational domain, much as the seas are, much as the land is, much as space is, and increasingly, it is an environment in which we will conduct a series of very traditional military evolutions from the defensive things to the application of capabilities to generate specific kinds of effects," he said. "We think cyber will evolve over time, much as we've seen the other domains, in the more traditional arenas."

To put it another way: cyberwarfare models are maturing in the same way that other technologies mature. To take a more prosaic example, the evolution of cyberwarfare is a lot like the cycle e-commerce went through.

There was a lot of initial excitement and investment from retailers in building separate e-commerce operations or businesses, but gradually these became not just a standard part of their operation but for many retailers the core of their business, just as cyberwarfare planning and strategy is gradually becoming a part of mainstream military planning.

However, that doesn't mean that all countries are taking the same approach to strategy or that they even agree on what should be included in the term cyberwarfare. Some countries have a very narrow model of what cyberwarfare should look like - that it should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum, which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.

Across the street from the hotel where the conference took place stands a building topped with a Soviet star, a reminder of Estonia's past. Unsurprisingly, given the location and the ongoing conflict in Ukraine, understanding the cyberwarfare strategy of Estonia's big neighbour was a recurring theme.

And while NATO is thinking of cyberwarfare in terms of defending (and attacking) networks, others—particularly Russia, according to speakers at the conference—have developed a wider perspective that folds classic hacker tools into the broader concept of information warfare, which can stretch all the way from propaganda and disinformation through to the more expected denial of service attacks and more.

In some respects this is harnessing the nature of the Internet, a space where free speech, doubt, and scepticism can run wild. Fighting an army of online trolls sharing half-truths or outright lies in order to confuse the public and make it harder for politicians to make decisions is hard, and certainly not a task that any existing army can deal with.

Few democratic nations will want to limit the free flow of information to the public, but they also aren't set up to rebut, or capable of rebutting, every crazy rumour, which makes it a hard technique to combat. But if a nation can orchestrate a campaign of rumour and disinformation against another that changes public opinion in that country to the point that it alters the decisions made by its political leaders, then an army of trolls could be vastly more useful, and harder to fight, than a squadron of tanks.

Few democratic countries would want to wage war in such a way, but tackling it without undermining, for example, the freedom of speech which the public are used to is a challenge which they are currently ill-equipped to deal with. However, some are taking gradual steps in this direction. For example, the UK government recently started a Twitter account aimed at countering online propaganda from ISIL.

Perhaps the greatest success of cyberwarfare so far is to convince the world that it hasn't really started yet.

Ein News: http://bit.ly/1SeeszO
