The Fiji Times

Adopt stronger laws

WHENEVER national cybersecurity policy is discussed, the same stories come up again and again. Whether the examples are called acts of cyberwar, cyberespionage, hacktivism, or cyberterrorism, they all affect national interest, and there is a corresponding call for some sort of national cyberdefence.

Unfortunately, it is very difficult to identify attackers and their motivations in cyberspace. As a result, nations are classifying all serious cyberattacks as cyberwar.

This perturbs national policy and fuels a cyberwar arms race, resulting in more instability and less security for everyone. We need to dampen our cyberwar rhetoric, even as we adopt stronger law enforcement policies towards cybersecurity, and work to demilitarise cyberspace.

Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street in most parts of the world, you knew the military was involved because only the military could afford tanks. Cyberspace is different.

In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even cyberterrorists.

They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind.

They all eavesdrop or steal data or personal IDs. They all engage in denial-of-service attacks. They all probe cyberdefences and do their best to cover their tracks.

Despite this, knowing the attacker is vitally important. As members of society, we have several different types of organisations that can defend us from an attack.

We can call the police or the military. We can call on our women’s rights or human rights organisation or even our lawyers. Or we can defend ourselves with a variety of commercial products and services. Depending on the situation, all of these are reasonable choices.

The legal framework in which any defence operates depends on two things: who is attacking you and why. Unfortunately, when you are being attacked in cyberspace, the two things you often do not know are who is attacking you and why.

It is not that everything can be defined as cyberwar; it is that we are increasingly seeing warlike tactics used in broader cyberconflicts. This makes defence, and national cybersecurity policy in particular, difficult to define.

The obvious tendency is to assume the worst. If every attack is potentially an act of war perpetrated by a foreign military, then the logical assumption is that the military needs to be in charge of national cyberdefence, and military problems generally require military solutions.

This is the rhetoric we hear from many of the world’s leaders: the problem is cyberwar and we are all fighting one right now. This is just not true; there is no war in cyberspace.

There is an enormous amount of criminal activity, some of it organised and much of it international. There is politically motivated hacking—hacktivism—against countries, companies, organisations and individuals.

There is espionage, sometimes by lone actors and sometimes by national spy agencies. There are also offensive actions by national organisations, ranging from probing each other’s cyberdefences to actual damage-causing cyberweapons like Stuxnet.

The word “war” really has two basic definitions: the literal definition of war which evokes guns and warplanes and advancing armies, and the rhetorical definition of war as in war on crime, war on poverty, war on drugs, and war on terror.

The term “cyberwar” has aspects of both literal and rhetorical war, making it a very loaded term to use when discussing cybersecurity and cyberattacks. Words matter. To the police, we are citizens to protect. To the military, we are a population to be managed during conflict.

Framing cybersecurity in terms of war reinforces the notion that we are helpless in the face of the threat, and we need government - and a military - to protect us.

The framing of the issue as a war impacts policy debates around the world.

From the notion of government control over the Internet, to wholesale surveillance and eavesdropping facilitation, to an Internet kill switch as shown by recent military actions in Myanmar, to calls to eliminate anonymity - many measures proposed by different countries might make sense in wartime but not in peacetime. (Except that like the war on drugs or terror, there is no winning condition, which means placing a population in a permanent state of emergency).

We are still in the early years of a cyberwar arms race but with AI implementation, I can see escalation in the near future.

Arms races stem from ignorance and fear: ignorance of the other side’s capabilities and fear that its capabilities are greater than one’s own.

Once cyberweapons exist, there will be an impetus to use them. Stuxnet damaged networks other than its intended targets – particularly civilian ones in Europe. Any ‘for national security’-inserted back doors in Internet systems will make us more vulnerable to criminals and hackers.

The cyberwar arms race is destabilising. It is only a matter of time before something big happens, perhaps by the reflex actions of a low-level military officer, an enthusiastic hacker who thinks he is working in his country’s best interest, or even by accident! If the target nation retaliates, we could find ourselves in a real cyberwar.

I am not proposing that cyberwar is complete fiction. However, war can expand to fill all available theatres, and any future war will definitely have a cyberspace component. It makes sense for countries to establish cyberspace commands within their militaries, and to prepare for cyberwar.

Similarly, cyberespionage is not going away anytime soon. Espionage is as old as civilisation, and there is simply too much good information easily available in cyberspace for countries not to avail themselves of hacking tools to get at it.

We need to dampen the war rhetoric and increase international cybersecurity co-operation. We need to continue talking about cyberwar treaties.

We need to establish rules of engagement in cyberspace, including ways to identify where attacks are coming from and clear definitions of what does or does not constitute an offensive action.

We need to understand the role of cybermercenaries (cyberwar-as-a-service!), and the role of non-state actors. Cyberterrorism is still mostly a media and political myth, but there will come a time when it will not be.

Lastly, we need to build resilience into our critical infrastructure. Many cyberattacks, regardless of origin, exploit fragilities in the Internet. The more we can reduce those, the safer we will be.

The interconnections and dependencies created by globalisation have also made it harder to recognise how the international environment has changed for the worse in the last decade and that relations among great powers no longer follow peacetime patterns or rules.

While we are not in full conflict today, we are also no longer at peace.

Wars no longer begin with formal declarations or dramatic kinetic actions. Conflict with major powers today is largely nonmilitary. These differences make it easy to fail to notice the deterioration in our security.

There is some debate about whether to call the new environment conflict or a competition, but in cyberspace, it is conflict where opponents routinely violate a nation’s sovereignty and use coercive actions for harm.

This makes an important first step for a new cyber strategy to admit that we are already in a conflict with powerful authoritarian state opponents. Simple metrics can guide an assessment of cyber strategy.

The nature of conflict has changed in ways that highlight the importance of cyber operations.

Stability is the wrong goal when opponents seek to change the status quo. The need to rethink global strategy helps explain why we are on the defensive in cyberspace, and constant appeals to deterrence seem to indicate a certain lack of innovation in strategic thought.

To do this, we will need a more assertive strategy that is based on how to achieve strategic effect using cyber actions, how to co-ordinate with allies, and how to manage risk.

Cyber strategy must be embedded in larger domestic and regional security policies. Domestically, a new cyber strategy must be accompanied by public messaging and by building both stronger defences and greater resilience for when defences fail.

There is increased risk in adopting a more assertive strategy, but a risk-averse strategy has failed.

There is risk in any new strategy, but risk is unavoidable if we seek change, and risk can be managed. Cyber conflict is messy, usually covert, and often ambiguous. Better cybersecurity requires persistence and boldness.

As military expert strategist and philosopher Sun Tzu advised in “The Art of War”, centuries before cyberspace was defined - “Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of your opponent’s fate”.

As always, wishing you all a blessed weekend, stay safe and well in both digital and physical worlds.

is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
