Melting Down Grids and Warping Minds: Cyberwarfare in Practice
Three expert panelists recently joined Recorded Future to dive deep into the topic of cyberwarfare. The speakers included industry expert Juan Andrés Guerrero-Saade, whose past experience includes working at Kaspersky Lab; Robert Lee, who previously worked for the National Security Agency and now leads Dragos, Inc., an industrial security firm; and Matt Tait, who teaches cybersecurity to law and public policy students at the University of Texas and previously worked at the Government Communications Headquarters.
Cyberwarfare: A Use of Force?
During the talk, the panelists chafed at any attempt to define cyberwarfare as a concept separate from warfare in a broader sense. The ambiguity of what counts as an act of war — because of the interconnectedness of the different technologies of warfare — was a running theme throughout the conversation.
In particular, the panelists often came back to article 2(4) in the United Nations Charter, which speaks on the use of force by states:
All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations.
Each panelist grappled with what sorts of attacks count as a use of force under these guidelines and whether an attack of one kind warranted only a response of equal measure. “[If] you’re going to cause explosions in my country, then I’m going to cause explosions in your country,” said Matt Tait. “You might have used hacking in order to cause those explosions, and I might use tanks and planes to cause the explosions, but we have to be quite careful when we’re using some of these words.”
Robert Lee agreed, saying the phrase “cyberwarfare” is not established on an international level in even cursory terms. “The discussion of cyberwarfare to me has always been lip service, because by associating it with the word ‘warfare,’ you’re talking about actually being able to do diplomatic, economic, or military actions back.” Because of that lack of clarity, recent cyberattacks like those in Ukraine in 2016 and in Saudi Arabia in 2017 were not condemned as uses of force by major government officials in any nation, despite having major effects on those countries’ economies and even having the potential to result in deaths.
The Role of Interconnected Systems
Juan Andrés Guerrero-Saade identified the growing automation of national infrastructure systems as one of the reasons for the discomfort around clearly defining cyberwarfare, saying that “the more we interconnect systems and step away from the manual systems that are still managed by human beings, [the more] we go, ‘Hey, if we just follow procedure, we’re going to break this thing for longer than if we did this the other way.’” Cyberattacks become more damaging and more closely resemble traditional warfare, not so much because the technologies of attack are becoming more threatening, but because the systems they target are more pervasive, more vulnerable, and have worse repercussions when they are disabled.
Cybersecurity experts often find it difficult to reach a universal consensus on whether even the most severe cyberattacks in recent history count as cyberwarfare. As an act of war, a bomb exploding in a crowded city is unequivocal; the infiltration of malware often leaves doubt about who the attackers were, let alone their intentions. Because determining those intentions and identities can take so much analysis and guesswork, the usefulness of dividing warfare into subcategories with qualifiers like “cyber” becomes questionable.
Lee put it in no uncertain terms: “There is war and conflict, and that’s it. If you look back at any conflict in the last decade, if you didn’t see a cyber component, it’s because you weren’t collecting [data] in the right places.” Matt Tait agreed, noting that whenever countries are “doing something in cyber that counts as warfare, [they’re] also bombing, right? There is no distinction there.”
Isolated vs. Sustained Attacks
Another reason that cyberwarfare cannot be named as something distinct from other acts of aggression is because warfare is a sustained conflict, and Tait argued that cyberattacks often do not scale sustainably. A military that has a certain amount of resources can, for example, buy however many tanks and planes and missiles as that money can afford them, and if they get more money, they can purchase a proportionally greater number. But cyber technology doesn’t work that way. “If I have a zero-day vulnerability that I can exploit, I might be able to keep on using it for a long time. But as soon as it gets discovered, that capability is gone. It’s evaporated,” Tait explained.
That leaves the tricky problem of naming isolated cyberattacks — what to call it when these incidents occur outside of a larger conflict. According to Guererro-Saade, there’s political discomfort with calling these attacks “cyber terrorism” when they’re undertaken by nation states and not terrorist groups, but otherwise there’s little distinction. But the boundaries of war itself — what counts as the start and end of a war, who is involved, and so on — have mostly disintegrated.
Facing the Consequences
The question, then, becomes how to treat cyberattackers who work on behalf of foreign governments in order to make future attacks less appealing. Tait noted that the United States government, usually through the Federal Bureau of Investigation, has begun indicting people who work for foreign governments, like Chinese hackers who stole industrial secrets from American companies.
Whether indictments actually do much isn’t clear. Tait argued that although it certainly doesn’t actually put those people behind bars — “obviously [they’re] not coming to the United States” — it does make travel to allied countries like South Korea and Japan much more difficult.
But Lee felt that these indictments do little to nothing. “I think the entire focus of the Department of Justice has been political wins on saying they’re being hard on cybercrime,” he said. “But it’s been completely ineffective and it’s been entirely lip service to all the operations we actually run.”
These sorts of attacks might only be deterred by treating them as inseparable from other uses of force, argued Guerrero-Saade. “From an organizational level, hackers are as expendable as every other warfighter; there is no privileged class, there is no notion that hacking is not as much an offense as any other act of warfare.” Preventing future attacks takes seeing these concepts of warfare and deterrence as fully inclusive of the digital realm. “It’s one word. It’s ‘cyberdeterrence’,” said Guerrero-Saade. “There’s no such thing as ‘cyber’ and ‘espionage,’ ‘cyber’ and ‘warfare’ … Honestly, I think we have witnessed the only case of genuine, effective cyberdeterrence.”
“What’s that?” asked Lee.
“Somebody throwing a Hellfire missile directly on the attackers.”