The New Art of War – Cyber Conflict

Steve Jurvetson: Cyber War Matrix - cyber-offense may be very different than cyber-defense

Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle and much more dangerous.

Wandering the pretty, medieval streets of Tallinn's old town, it is hard to believe that the tiny country of Estonia has anything at all to do with cyberwarfare. But first as victim of an attack and now as home to some of the leading thinkers on how the digital battlefield will develop, the country has played a key role in its emergence and evolution.

Estonia is a country of around 1.3 million people. Facing the Baltic Sea and the Gulf of Finland, it borders Latvia to the south and Russia to the east. After decades as part of the Soviet Union, it regained independence in 1991.

Even today reminders of the Soviet times still abound in the capital Tallinn. There's a museum in one of the big downtown hotels showing how the KGB would bug the rooms of foreign guests.

But Estonia does not intend to be defined by its past; it is instead intent on creating the most advanced digital state on the planet. Since independence, Estonia has invested heavily in digital services. It leads the way with Internet voting—in the 2011 election nearly a quarter of voters cast their ballots that way—and electronic tax filing, all underpinned by a nationwide digital signature infrastructure.

Today, you can even become an Estonian e-resident regardless of where you live in the world so you can use that same infrastructure to electronically sign contracts or set up your own company in the country.
But being so reliant on the Internet carries a risk, as the country found out in 2007.

Plans by Estonian authorities to move a Soviet war memorial sparked a wave of website defacements and denial of service attacks in the country over a three-week period, throwing Estonia's government services, newspapers, and businesses offline. The attacks temporarily disabled the websites of banks, ministries and political parties. Many pointed the finger at Russian hackers (Russia denied any involvement in the incident), but the events demonstrated how a purely digital attack on a state could have real-world consequences.

The Tallinn Manual

While the impact of the attacks can be overstated—"inconvenient, not cyberwar" is how one local described it—it accelerated plans, already in place, to set up a NATO cyber defence think-tank in the country.
The Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established the year after the attacks took place as an institution created to figure out how to improve the digital defences of NATO members and what cyberwarfare would actually look like.

As well as the cyber defence exercises it conducts annually, probably the centre's most important work so far appeared in 2013: the Tallinn Manual on the International Law Applicable to Cyber Warfare, known simply as the Tallinn Manual.

While there is no international law that directly refers to the ultra-modern concept of cyber warfare, there is plenty that applies. So CCDCOE assembled a panel of international legal experts to go through this existing law and show how it applies to cyber warfare. This formed the basis of the Tallinn Manual and the 95 so-called 'black letter rules' it contains (so named because that's how they appear in the text).

Through these rules the manual attempts to define some of the basics of cyber warfare. At the most fundamental level, the rules state that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. The manual also lays out that such an attack is against international law, and that a state attacked in such a way has the right to hit back.

Other rules the manual spells out: don't target civilians or launch indiscriminate attacks that could cripple civilian infrastructure. While many of these sorts of rules are well understood when it comes to standard warfare, setting them out in the context of digital warfare was groundbreaking.

While the manual argues that a cyber attack can be considered to be the equivalent of an armed attack if it causes physical harm to people or property, other attacks can also be considered a use of force depending on their severity or impact. For example, breaking into a military system would be more likely to be seen as serious, as opposed to hacking into a small business. In contrast, cyber attacks that generate "mere inconvenience or irritation" would never be considered to be a use of force.

The manual also delves into some of the trickier questions of cyber war: would Country A be justified in launching a pre-emptive military strike against Country B if it knew Country B planned to blow up Country A's main oil pipeline by hacking the microcontrollers managing its pipeline pressure? (Answer: probably yes.)

The manual even considers the legality of some scenarios verging on the science-fictional.

If an army hacked into and took control of enemy drones, would those drones have to be grounded and marked with the capturer's insignia before being allowed to carry out reconnaissance flights? (Answer: maybe.)

But what's striking is that the Tallinn Manual sets the rules for a war that hasn't been fought yet.

No Digital Pearl Harbour

Although nearly every state around the globe has been developing a cyber warfare strategy, and some have been building up skills and perhaps even stockpiles of digital weapons, there haven't been any digital attacks that have crossed the thresholds of armed attack as defined by the Tallinn Manual. No massed bot armies, no hackers blowing up power stations from their bedrooms.

Perhaps the closest was the use of the Stuxnet worm (most likely by the US) as part of a bid to derail the Iranian nuclear programme. By contrast, the attacks on Estonia itself would, for all the excitement around them, be towards the inconvenience and irritation end of the spectrum.

The Tallinn Manual doesn't say much about the reality of the cut-and-thrust of the modern Internet, where state-sponsored hackers, spies, and more are constantly probing the systems of other nations. This is a shadowy world where it is often unclear who the attackers are and what their intentions are (and just what the motivations of their backers are, too). It's a world filled with misleading evidence, ambiguity and deniability.
Throughout history, states have used third parties and proxies to get their dirty work done. The difference is that by hacking into systems in countries across the world, these groups can have an impact far from their home territories.

On the subject of such attacks—which can be extremely serious but never quite reach the level of an actual attack by force—the manual has little to say. However, these kinds of attacks are the ones that take place every single day. Cyberwar has become the continuation of politics by digital means.

"The scope of cyber attacks is very, very wide, so that's why with the first Tallinn Manual we took the most severe case of armed attack and the use of force," explains Colonel Artur Suzik, the director of CCDCOE until August 2015. "But the majority of cyber incidents nation states face occur outside of the conflict law, so there was a clear need to expand the legal analysis to this area."

That doesn't mean the manual is a failure, or irrelevant. Indeed, it may even be that by making clear that digital attacks are covered by an array of existing international law, the Tallinn Manual has forced countries to rethink their approaches to cyber warfare. That is, because the manual does a good job of defining just what kinds of attack might lead to a missile being lobbed in your direction, states launching hacking attacks have been careful to keep their operations (just) below that threshold, say experts.

An expanded Tallinn Manual 2.0 is due to be published next year looking at how international law addresses malicious cyber operations by state (and non-state) actors during peacetime.

The new manual will try to create the same 'black letter rules' around much trickier concepts, such as when countries are responsible for hostile cyber operations launched against other states from their territory, and when such operations violate the sovereignty of the state.

It will take the analysis into the much more complicated and murky environment of the day-to-day cyber attacks that don't ever reach the level of physical attacks, but are no less dangerous for it.

Few, for example, could have imagined a couple of years ago that a hacking attack against a film studio could lead to an international incident, or that the theft of HR records from the obscure Office of Personnel Management could create such consternation.

Politicians and diplomats are still struggling to work out how to deal with the near-constant stream of other data leaks from all sorts of government agencies that are blamed on state-sponsored hackers. And there is little in the way of consensus on how to deal with it or often even how to label it. When does hacking become espionage and when does that evolve into something that could escalate into the use of armed force?

And while many industry watchers saw the attacks on Estonia and built out of that lurid 'Digital Pearl Harbour' style scenarios where a country could be toppled by a digital attack launched by a dedicated few, this has not taken place. The reality has turned out to be far less dramatic, but much more complicated to tackle.

That's not to say that the apocalyptic scenario of state-backed hackers causing mayhem by breaking into industrial control systems (the technology that runs power stations or chemical plants) is utterly impossible - just extremely unlikely, and extremely hard and extremely expensive. Cyberwar, as it was envisaged, has not taken place.

But it's entirely possible that by watching and waiting for an explosive Hollywood-style catastrophe, we've missed the much more insidious and protracted cyberwar that has been going on for years already.

Hybrid information war

Earlier this year, the cyber think-tank held a conference in Tallinn called CyCon, bringing together some of the biggest thinkers on cyber warfare to discuss the most recent developments in cyber war theory ahead of the publication of the new Tallinn Manual.

For what was effectively a technology conference, there were a lot of people in uniform. In attendance was not only the head of the NSA, Admiral Mike Rogers, but also the Assistant Secretary General of NATO, Sorin Ducaru, reflecting the level of concern around cyber defence among the allies.

Despite the subject matter, it wasn't all serious. Speakers, including surveillance chief Admiral Rogers, were presented on-stage with a thank you present of a mug with an ear for a handle.

Both men reflected a cautious, slowly-developing approach when it comes to the use of the internet by the military. NATO itself, for example, only recently decided that a major digital attack on a member state could be covered by Article 5 of its collective defence clause (one of the most fundamental tenets of NATO, that an armed attack on one member should be considered an armed attack on them all). And, Ducaru insisted, "NATO doesn't have any interest [in militarising] cyberspace or to have an ungoverned space."

Rogers emphasised that the use of the Internet by the US military is still evolving, with defence the priority. "Our view is that cyber is another operational domain, much as the seas are, much as the land is, much as space is, and increasingly, it is an environment in which we will conduct a series of very traditional military evolutions from the defensive things to the application of capabilities to generate specific kinds of effects," he said. "We think cyber will evolve over time, much as we've seen the other domains, in the more traditional arenas."

To put it another way: cyberwarfare models are maturing in the same way that other technologies mature. To take a more prosaic example, the evolution of cyberwarfare is a lot like the cycle e-commerce went through.

There was a lot of initial excitement and investment from retailers in building separate e-commerce operations or businesses, but gradually these became not just a standard part of their operation but for many retailers the core of their business, just as cyberwarfare planning and strategy is gradually becoming a part of mainstream military planning.

However, that doesn't mean that all countries are taking the same approach to strategy or that they even agree on what should be included in the term cyberwarfare. Some countries have a very narrow model of what cyberwarfare should look like - that it should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum, which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.

Across the street from the hotel where the conference took place stands a building topped with a Soviet star, a reminder of Estonia's past. Unsurprisingly, given the location and the ongoing conflict in Ukraine, understanding the cyberwarfare strategy of Estonia's big neighbour was a recurring theme.

And while NATO is thinking of cyberwarfare in terms of defending (and attacking) networks, others—particularly Russia, according to speakers at the conference—have developed a wider perspective that folds classic hacker tools into the broader concept of information warfare, which can stretch all the way from propaganda and disinformation through to the more expected denial of service attacks and more.

In some respects this is harnessing the nature of the Internet, a space where free speech, doubt, and scepticism can run wild. Fighting an army of online trolls sharing half-truths or outright lies in order to confuse the public and make it harder for politicians to make decisions is hard, and certainly not something that any existing army can deal with.

Few democratic nations will want to limit the free flow of information to the public, but they also aren't set up to rebut, or capable of rebutting, every crazy rumour, which makes it a hard technique to combat. But if a nation can orchestrate a campaign of rumour and disinformation against another that changes public opinion in that country to the point that it alters the decisions made by its political leaders, then an army of trolls could be vastly more useful, and harder to fight, than a squadron of tanks.

Few democratic countries would want to wage war in such a way, but tackling it without undermining, for example, the freedom of speech which the public are used to is a challenge which they are currently ill-equipped to deal with. However, some are taking gradual steps in this direction. For example, the UK government recently started a Twitter account aimed at countering online propaganda from ISIL.

Perhaps the greatest success of cyberwarfare so far is to convince the world that it hasn't really started yet.

Ein News: http://bit.ly/1SeeszO
