A Cyber Geneva Convention

What are the rules of engagement when attacks strike in the cyber realm? Teri Robinson investigates.

When Syrian warplanes dropped barrel bombs of gas on innocent victims, most of the world was stunned, angered, saddened and offended. It is the kind of atrocity that would send heads of state, diplomats and military leaders to the table to hammer out guidance à la the Geneva or Hague Conventions. 

But what if the weapons hurl ones and zeroes instead? And what if the damage done can be just as devastating, spreading fallout when a nuclear power plant is destroyed or, perhaps, upending democratic processes by interfering in a presidential election? What are the guidelines then, the rules of engagement, the appropriate use of force, to deal with the provocateurs?

There are none.

In part that might be because cyberwarfare, still in its nascency, isn't as visibly rattling as physical attacks. “The visibility of impact of most cyberattacks we've seen hasn't been as visually or emotionally impactful,” says Steve Grobman, senior vice president and CTO at McAfee. “Cyber does not have the same level of emotional or potential loss of life.”

But as cyber armies rise and become more menacing – marshalling bots and malware and sneaking into government networks and infiltrating infrastructure – the stakes are higher. That's enough to make cyberprofessionals believe it's time to head back, at least metaphorically, to Geneva or The Hague.

“As inherently horrible as war is in uncontrolled warfare with nuclear, chemical or cyber weapons, and carries immense dangers – even warfare has rules and that must include cyber,” says Larry Clinton, president and CEO of the Internet Security Alliance (ISA). 

At an RSA keynote in February, Microsoft CEO Brad Smith suggested just that – creating a Digital Geneva Convention of sorts that lays out ground rules for defending civilians from cyberattacks.

“For over two-thirds of a century, the world's governments have been committed to protecting civilians in times of war, but when it comes to cyberattacks, nation-state hacking has evolved into attacks on civilians in times of peace,” Smith lamented, making a case for a digital/cyber equivalent. “We need a convention that will call on the world's governments to pledge that they will not engage in cyberattacks on the private sector. That they will not target civilian infrastructure, whether it's of the electrical or the economic or the political variety. We need governments to pledge that instead they will work with the private sector to respond to vulnerabilities. That they will not stockpile vulnerabilities and they will take additional measures.”

That's a tough sell. Clearly governments, including our own, are already stockpiling vulnerabilities (see pg. 18), and WikiLeaks' recent Vault 7 dumps show the breadth of hacking tools at the CIA's disposal, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

In recent years, the U.S. has shown an appetite for cyber response, integrating cyber tools more fully into its menu of weaponry, mixed with diplomatic actions. The dossier of military programs and actions underway bequeathed to Donald Trump when President Obama left office included a three-year series of cyberattacks meant to disrupt North Korea's growing missile program.

Proponents of the campaign point to a number of missile launches that have failed – either missing their mark or exploding in midair. Skeptics say that incompetence and other factors are as likely responsible for the failures and note that the country has successfully launched three missiles recently.


Nick Bilogorskiy, senior director of threat operations, Cyphort
Larry Clinton, president and CEO, Internet Security Alliance (ISA)
Steve Grobman, senior vice president and CTO, McAfee
Chris Roberts, chief security architect, Acalvio
Brad Smith, CEO, Microsoft
Nathan Wenzler, chief security strategist, AsTech Consulting

Shortly after North Korea conducted a successful, powerful nuclear test in 2013, the Pentagon took the wraps off of what it termed a “left of launch” program that Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, said would use “cyberwarfare, directed energy and electronic attack” to foul the country's missile launches.

Whether the Trump administration will ramp up the program or choose to rely on a more conventional response to the North Korean threat – or a mix of both – is unclear.

Perhaps due to sensitivities that doubt would be cast on the election outcome, the administration has continued to be low-key about Russian cyber meddling in the election. Former President Obama, however, pounced. When the U.S. intelligence community revealed that Russian operatives were behind hacks at the Democratic National Conference (DNC) and other sites affiliated with former Secretary of State Hillary Clinton, Obama in late December leveled a wide-ranging response to Russian interference with the 2016 U.S. presidential election.

American retaliation included ejecting nearly three dozen Russian diplomats from the country, naming two specific Russian nationals as cybercriminals, along with sanctioning the Russian GRU and FSB intelligence agencies and several companies. This action took place after Obama approved an amendment to Executive Order 13964, originally issued in April 2015, granting the U.S. government enhanced authority to respond to cyberthreats. That included the ability to freeze the assets of individuals or entities found to have used cybercapabilities to damage U.S. critical infrastructure.

“These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior,” President Obama said in a statement at the time.