
War and Military

Attribution and the problem of retaliation in cyberspace

Alexandra Goman


If a country is hit with a computer program and there is destruction or death involved, there is usually retaliation, a counterattack and an appropriate response. An opposing side is given a chance to respond to the enemy by the means it deems necessary, especially if there is a lot of damage involved. In terms of conventional weapons it is clear who attacked the target, yet cyberspace is another niche with its own challenges.

Attribution in cyberspace has been a question for a long time. Although attributing terrorist attacks is somewhat difficult, cyberspace introduces a more complicated process. Anonymity is a challenge, as perpetrators may easily hide their identities. Moreover, an attack can be launched from a number of computers, operated by different people and placed in different locations across the world. According to Clark and Landau (2010), the challenge lies in several dimensions: 1) identifying the computer from which the attack was launched; 2) identifying the person who was operating the computer at the time of the attack; 3) identifying the main actor who gave the order and/or the actor behind the attack.

According to the technology consultant at the security company Sophos[1], perpetrators in cyberspace may use compromised computers that belong to unsuspecting innocent people to break into someone’s computer. A hack may be coming from China, but it may be under the control of someone who is situated in another country. This was the case with the DDoS cyberattacks that happened in Estonia in 2007 (they involved more than 80,000 hijacked computers from around 178 countries). Moreover, even if an attacker is supposedly found, it is easy to blame it on a third party, saying that a computer has been hacked. This, consequently, gives rise to plausible deniability.

Although technology is being developed in order to analyze and solve the problem of attribution, it is still a challenge because of the basic design of the Internet. In theory, nonetheless, it is possible to solve the problem. According to Feaver, in the future the language of computer networks will be replaced by the Internet Protocol version 6 (IPv6), which will raise the number of computer addresses from four billion to an infinite number. That means that everything and everyone could be associated with a unique number. IPv6 may additionally support Internet Protocol Security for authentication of Internet traffic (Ibid.).

However, at this point in time technological analysis should always be accompanied by intelligence and information analysis. This helps to identify attackers, to understand more about their capabilities and intentions, and to establish whether the attack was sanctioned by a government. Strategic and political considerations will be essential too.

A damaging cyberattack may easily lead to escalation of the situation, which is another implication for the balance in international relations. In the case of Stuxnet, a malware that affected a nuclear facility in Iran, if it had achieved its believed goal of disrupting nuclear infrastructure, it could have brought a high level of destruction with many people dead. In this case, Iran would have probably retaliated with kinetic means, rather than relying on unreliable cyberattacks (unless they had the technology). However, as attribution was still lacking, it is not clear whether they would have opted for this option.

Thus, attribution poses certain problems when it comes to the question of retaliation. When it is not clear who attacked, it is hard to prosecute or retaliate in response. Attribution also creates additional challenges in decision-making, considering the speed of a cyberattack. Even if attribution is positive, it is still hard to understand what procedures are to be followed. If there are no casualties and no physical destruction, it is easier to opt for sanctions rather than military retaliation. Moreover, if attribution is later established to be incorrect, there may be serious consequences.

On another note, the use of cyberattacks may have further complications if the countries involved are nuclear. In the case of major destructive consequences after a cyberattack, a country would be left with a choice whether to retaliate in kind or to employ conventional weapons, especially if it does not have a cyber capability.

What happens when an attacker is not identified but the consequences are drastic? More importantly, if the attacker is “believed” to be identified (yet without certainty), will a country retaliate? These questions are yet to be answered, as there has been no precedent on such a scale. What is clear is that cyberattacks present additional challenges in global security that should undoubtedly be addressed.

[1] Cluley, G. (2011). China denies hacking high-tech weapon maker. Naked security by Sophos, [online] Available at: https://nakedsecurity.sophos.com/2011/09/20/china-denies-hacking-high-tech-weapon-make/ [Accessed on 3.02.2018].


Specialist in global security and nuclear disarmament. Excited about international relations, curious about cognitive, psycho- & neuro-linguistics. A complete traveller.


War and Military

How Weaker Nations Are Taking Cyber Warfare Advantage

Alexandra Goman


Cyber offensive technology (a malware that is employed for military use) gives a clear asymmetric advantage which favours weaker states and non-state actors. They may pursue cyber technology in order to gain strength in pursuit of a broader goal. This asymmetry is not something new and proves to be an effective tool to level the imbalance of power.

The entry for weaker actors is easier, cheaper, and it does not require much effort. Presumably, one may need some computers and technical assistance. Offensive capability can also be procured through the online criminal market, so that even high-skilled IT personnel may not be required. Furthermore, the attribution problem is not yet solved, so it gives an advantage in staying anonymous and, therefore, escaping failure costs.

Asymmetric tactics are pursued by actors that do not have constraints on their own concept of morality and war-fighting. Terrorists or insurgents might not have the same reservations as states about killing civilians or bringing a high level of destruction in the event of a cyberattack. Similarly, those desperate enough but with a strong will to fight may employ cyber methods regardless of high costs.

Terrorists, for example, target innocents indiscriminately. Their goal is to inflict the threat of terror and violence in order to achieve a strategic goal. This consequently poses great challenges for deterrence. As weak actors are becoming stronger, others become more vulnerable.

Soldiers wrapped up day two of an integrated cyber exercise between 4th Battalion, 23rd Infantry, 14th Brigade Engineer Battalion, 201st Expeditionary Military Intelligence Brigade, from Joint Base Lewis-McChord, Wash., supported by cyber augmentees from the 780th Military Intelligence Brigade from Fort Meade, Md., Oct. 21. Cyber information collected during the exercise enabled the Soldiers to isolate and capture a simulated high-value target in a mock village. The training integrates infantry ground units with cyber, signal and human intelligence collection capabilities, which gives units on the modern battlefield a broader capacity to search out and isolate their enemies in real time. (Photo by Capt. Meredith Mathis)

Nevertheless, gaining cyber capability is not as easy as it may seem. The case of Stuxnet (a malware that attacked a nuclear facility in Iran) does not seem to prove asymmetric advantage, because the attack was apparently conducted by stronger parties with substantial funding and resources. Detailed intelligence on the target, access to the computer network of an opponent, finding vulnerabilities and then employment of cyber capability (all present in the Stuxnet case) further complicate the argument about asymmetry. Moreover, the development of the Stuxnet code required high-skilled expertise that may be difficult to obtain and inaccessible to non-state actors or weak states.

Additionally, it would take time and financial support to plan, manage, and monitor the development of the code. Therefore, it would require more personnel than just IT specialists. Moreover, considering the target of Stuxnet, nuclear expertise would be required as well. Similarly, knowledgeable experts in other areas would also come in handy: there should be people skilled in how these infrastructures work to cause actual damage. So in the case of a lone hacker with radical views, the use of cyber appears to be doubtful, as there are cheaper and easier ways to inflict damage.

At the same time, there are risks of failure and they are faced by weak actors too. If such a mission was compromised, and/or the code behaved differently than expected and/or backfired, it would only increase the costs without bringing actual benefits. In this sense, stronger states are more prepared to minimize them than weaker ones.

If a cyberattack fails to reach the end result, weaker actors may have spent a substantial amount of money in vain without reaching the desired effect. This, in turn, reduces the probability of using cyber in the first place. Weak states may want to invest in other ventures, rather than cyber, to be sure that they can reach the desired end result. So the true costs of such an attack have a high level of uncertainty for weak actors as well; however, they may not be prepared to bear the failure costs and may not have enough resources to mitigate them.

Another advantage of cyber technology is that the nature of cyberspace and cyberattacks favours an attacker. Offense is becoming easier than defense and guarantees anonymity. The Internet was designed to make connections easy and reliable, and security was not in the original thinking of its creators. Thus, an attacker has the upper hand in reaching its target, while staying anonymous and inflicting damage through cyber means.

Today cyber defense is not perfected and has vulnerabilities that can be exploited. Although it has been greatly improved over the last decade, vulnerabilities still remain, especially in the sector of industrial facilities, which has proved to be slow in adjusting to current cyber threats. For instance, the increased complexity of integrated information systems, hardware devices and component software only increases cyber risks. Moreover, security considerations are left aside because of the demand to design measures in accordance with CIA requirements and other specifications.

Meanwhile, the percentage of industrial computers targeted by cyber perpetrators grew by more than 7% between July and December 2016 (Kaspersky Lab ICS CERT, 2016). In the first half of 2017, Kaspersky Lab blocked 37.6% attempts on ICS computers. Fortunately, no dedicated malware that affected industrial processes was found (Kaspersky Lab ICS CERT, 2017). Moreover, the Internet remains the main source of infection for computers that are part of industrial infrastructure.

As for the anonymity factor, attribution remains a technical problem to date. In the case of Stuxnet, it is believed that it was initiated by the United States of America and Israel, both of which were interested in impairing Iran’s nuclear program. According to Sanger, one of the journalists who intensively covered the topic of Stuxnet as a US cyber weapon[1], Stuxnet was part of a highly covert US operation, code-named “Olympic Games”, which had already begun under the Bush administration. In any case, attribution is still lacking and Stuxnet was not attributed, so it is hard to speculate about the particular parties involved.

The asymmetric threat does not seem to be supported by the Stuxnet case, as there were substantial resources and financial capabilities involved in planning this operation. However, the possibility of cyberattacks being employed in the future by non-state actors and weaker states cannot be ruled out, as one case study is not sufficient to generalize. In the case of cyberattacks by non-state actors, the damage may be limited, but cyber could still be used to complement other weapons. In any case, this asymmetric threat does impede final deterrence on the world stage and should be taken into consideration in future security affairs.

After all, Stuxnet – the first use of an offensive computer program – might have been an imperfect test-run of cyber means, and more advanced ones are yet to come. One always fails before achieving success; this is what happened to pretty much any other weapon in history. More dangerous attacks may be mounted in the future, but for now these are all speculations.

[1] Sanger, D. (2012). Obama Ordered Wave of Cyberattacks Against Iran. The New York Times, [online] Available at: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html [Accessed on 17.02.2018].


War and Military

Food for Thought: A Cyber Pearl Harbour

Alexandra Goman


To begin with, the notion that a state can be vulnerable to a strategic surprise attack is one of the main discourses in the cyber debate. A former US Defense Secretary, Leon Panetta, warned¹ of the Cyber Pearl Harbour in 2012, highlighting the dangers of cyberattacks on critical infrastructure. However, this term appeared at the beginning of the 90s.

The Pearl Harbour analogy appeared to characterize a “bolt-from-the-blue” surprise attack and originated in America. Strategic surprise attacks can temporarily suspend an enemy, thus giving an advantage to the attacker to achieve its goal. It can also be employed by weaker actors to gain a strategic advantage.

Cyberattacks can be launched against critical infrastructures in order to stun and freeze the opponent. They can render an enemy unable to execute its normal operations, leaving it outnumbered and vulnerable to future offence. At the same time, a state can recover from this (depending on its capabilities), overcome the compromised systems and retaliate with even stronger force, preventing an attacker from reaching the desired result. Still, there are certain strategic and operational advantages.

The specifics of a cyber Pearl Harbour cannot be known in advance, as something like this has not yet happened; however, there is a lot of speculation regarding the disastrous consequences. Such an attack, coupled with conventional military support, can give obvious benefits to the attacker.

At the same time, more powerful states (like the United States of America, England, Japan) would be more vulnerable to such attacks, as they are heavily interconnected and reliant on network connections. Nonetheless, they should be resilient and ready to mitigate the costs of the attack, yet it is not clear how much time they might need to recover from a massive incident that affects critical infrastructure.

As president Obama once said², “It doesn’t take much to imagine the consequences of a successful cyberattack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”

That being said, today cyber defense is still not perfect and this Cyber Pearl Harbour scenario cannot be ruled out. Increased complexity of integrated information systems, hardware devices and component software comes with increased cyber risks. Although cyber defense has been greatly improved over the last decade, vulnerabilities still remain, especially in the sector of industrial facilities, which has proved to be slow in adjusting to current cyber threats.

¹ BBC News. (2012). Leon Panetta warns of ‘cyber Pearl Harbour’. [online] Available at: http://www.bbc.com/news/av/technology-19923046/leon-panetta-warns-of-cyber-pearl-harbour [Accessed on 20.02.2018].

² President Obama, B. (2012). Taking the Cyberattack Threat Seriously. The White House, [online] Available at: https://obamawhitehouse.archives.gov/blog/2012/07/23/taking-cyberattack-threat-seriously [Accessed on 20.02.2018].


Technology

Wars: From Weapons to Cyberattacks

Alexandra Goman


Historically, war focused on public contests which involve arms, e.g. Gentili’s concept of war. The main goal of such contests is to inflict damage on soldiers of an opposing side. Through this lens, cyberwar may be seen as a contest which perhaps involves certain arms. But it should be noted that these contests are very seldom public, mostly due to the attribution problem. Even more, cyberattacks do not kill or wound soldiers; instead they aim to disrupt property. It is, however, somewhat debatable, because such disruption of a system (like meddling with the nuclear facilities of Iran) may have an effect on both civilians and combatants in the longer run. However, these secondary consequences are not the primary goal of a cyberattack; thus, there should be a difference between a cyberwar and a war.

The element of war being public is very important, as war is always openly declared. Additionally, an opposing side is given a chance to respond to the enemy by whatever means it deems necessary. In the context of cyberwar, this is more complicated. In the case of cyberattacks, it is very difficult to determine the source and the initial attacker (more precisely, an attribution problem which is to be addressed further). Moreover, many attackers prefer to remain silent. This argument is further exacerbated by the lack of evidence. To date the best example of cyber warfare going somewhat public is Stuxnet, which has been neither attributed nor officially admitted.

In the end, the attack became public but it was hidden for a year before its discovery. The specialists did notice the Iranian centrifuges malfunctioning[1] but they failed to identify the source of the problems. This cyberattack was new because it did not hijack a computer or extort money; it was specifically designed to sabotage an industrial facility, the uranium enrichment plant in Natanz.

However, attribution still falls behind. The U.S. and Israel are believed to have launched Stuxnet; however, they denied their involvement. Moreover, no other country has officially admitted that. Based on the previous argument, for war to happen it has to be public. The case of Stuxnet or similar computer programs does not therefore prove the case of cyberwar.

Moreover, if war is seen as a repeated series of contests and battles, pursued for a common cause and reason (for example, to change the behavior of the adversary), then there should be more attacks than just one. Nothing seems to preclude one state from attempting to launch a series of cyberattacks against an enemy in the future, which may consequently be named a war. However, the adversary should be able to respond to the attacks.

Another view argues that the just war tradition[2] can accommodate cyberwar; however, there are also some questions to take into consideration. In cyberwar, a cyber tool is just a means which is used by the military or the government to achieve a certain goal. This fits the just war tradition very well, because the just war tradition does not say much about the means used in war. It is more focused on effects and intentions (See Stanford Encyclopedia of Philosophy Online).

The example of cyberweapons and the debate around them prove that they are discussed in the same way as any other evolving technology. If agents, effects, and intentions are identified, the just war tradition should supposedly apply to cyberwar similarly to any other type of war. However, cyber means have unique characteristics: ubiquity, the uncontrollability of cyberspace and its growing importance in everyday life. These characteristics make cyberwar more dangerous and therefore increase the threat in relation to cyberwar.

Another useful concept of war to which cyber is being applied is the concept of war by the Prussian general Carl von Clausewitz. It presents the trinity of war: violence, instrumental role, and political nature (Clausewitz, 1832). Any offensive action which is considered as an act of war has to meet all three elements.

Firstly, any war is violent, where the use of force compels the opponent to do the will of the attacker (Ibid., 1). It is lethal and has casualties. Secondly, an act of war has a goal which may be achieved at the end of the war (or not achieved in case the attacker is defeated). The end of war, in this sense, happens when the opponent surrenders or cannot sustain any more damage. The third element represents political character. As Clausewitz puts it, “war is a mere continuation of politics by other means” (Ibid., p. 29). A state has a will that it wants to enforce on another state (or other states) through the use of force. When applying this model to cyber, there are some complications.

Cyber activities may be effective without violence and do not need to be instrumental to work. According to Rid, even if they have any political motivation, they are likely to be interested in avoiding attribution for some period of time. That is why, he highlights, cybercrime has been thriving and was more successful than acts of war (Rid, 2012, p.16). However, in all three aspects, the use of force is essential.

In the case of war, the damage is inflicted through the use of force. It may be a bomb, dropped on the city; or a drone-strike that destroys its target. In any case, the use of force is followed by casualties: buildings destroyed, or people killed. However, in cyberspace the situation is different. The actual use of force in cyberspace is a more complicated notion.

[1] International Atomic Energy Agency (2010). IAEA statement on Iranian Enrichment Announcement. [online] Available at: https://www.iaea.org/newscenter/pressreleases/iaea-statement-iranian-enrichment-announcement [Accessed on 28.12.2017].

[2] Jus bellum iustum (Lat.) – sometimes referred to both as “just war tradition” and “just war theory”. Just war theory explains justifications for how and why wars are fought. The historical approach is concerned with historical rules or agreements applied to different wars (e.g. Hague convention). The theory deals with military ethics and describes the forms that a war may take. Ethics is divided into two groups: jus ad bellum (the right to go to war) and jus in bello (right conduct of war). (See Stanford Encyclopedia of Philosophy Online). In the text Cook applies cyberwar to the just war tradition, rather than theory. In his belief, “tradition” describes something which evolves as the product of culture (In Ohlin, Govern and Finkelstein, 2015, p. 16).
