What are the rules of engagement when attacks strike in the cyber realm? Teri Robinson investigates.
When Syrian warplanes dropped barrel bombs of gas on innocent victims, most of the world was stunned, angered, saddened and offended. It is the kind of atrocity that would send heads of state, diplomats and military leaders to the table to hammer out guidance à la the Geneva or Hague Conventions.
But what if the weapons hurl ones and zeroes instead? And what if the damage done can be just as devastating, spreading fallout when a nuclear power plant is destroyed or, perhaps, upending democratic processes by interfering in a presidential election? What are the guidelines then, the rules of engagement, the appropriate use of force, to deal with the provocateurs?
There are none.
In part that might be because cyberwarfare, still in its nascency, isn't as visibly rattling as physical attacks. “The visibility of impact of most cyberattacks we've seen hasn't been as visually or emotionally impactful,” says Steve Grobman, senior vice president and CTO at McAfee. “Cyber does not have the same level of emotional or potential loss of life.”
But as cyber armies rise and become more menacing – marshalling bots and malware and sneaking into government networks and infiltrating infrastructure – the stakes are higher. That's enough to make cyberprofessionals believe it's time to head back, at least metaphorically, to Geneva or The Hague.
“As inherently horrible as war is in uncontrolled warfare with nuclear, chemical or cyber weapons, and carries immense dangers – even warfare has rules and that must include cyber,” says Larry Clinton, president and CEO of the Internet Security Alliance (ISA).
At an RSA keynote in February, Microsoft CEO Brad Smith (left) suggested just that – creating a Digital Geneva Convention of sorts that lays out ground rules for defending civilians from cyberattacks.
“For over two-thirds of a century, the world's governments have been committed to protecting civilians in times of war, but when it comes to cyberattacks, nation-state hacking has evolved into attacks on civilians in times of peace,” Smith lamented, making a case for a digital/cyber equivalent. “We need a convention that will call on the world's governments to pledge that they will not engage in cyberattacks on the private sector. That they will not target civilian infrastructure, whether it's of the electrical or the economic or the political variety. We need governments to pledge that instead they will work with the private sector to respond to vulnerabilities. That they will not stockpile vulnerabilities and they will take additional measures.”
That's a tough sell. Clearly governments, including our own, are already stockpiling vulnerabilities (see pg. 18), and WikiLeaks' recent Vault 7 dumps show the breadth of hacking tools at the CIA's disposal, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.
In recent years, the U.S. has shown an appetite for cyber response, integrating cyber tools more fully into its menu of weaponry, mixed with diplomatic actions. The dossier of military programs and actions underway bequeathed to Donald Trump when President Obama left office included a three-year series of cyberattacks meant to disrupt North Korea's growing missile program.
Proponents of the campaign point to a number of missile launches that have failed – either missing their mark or exploding in midair. Skeptics say that incompetence and other factors are as likely responsible for the failures and note that the country has successfully launched three missiles recently.
Nick Bilogorskiy, senior director of threat operations, Cyphort
Shortly after North Korea conducted a successful, powerful nuclear test in 2013, the Pentagon took the wraps off of what it termed a “left of launch” program that Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff said, would use “cyberwarfare, directed energy and electronic attack” to foul the country›s missile launches.
Whether the Trump administration will ramp up the program or choose to rely on more conventional response to the North Korean threat – or a mix of both – is unclear.
Perhaps due to sensitivities that doubt would be cast on the election outcome, the administration has continued to be low key about Russia cyber meddling in the election. Former President Obama, however, pounced. When the U.S. intelligence community revealed that Russian operatives were behind hacks at the Democratic National Conference (DNC) and other sites affiliated with former Secretary of State Hillary Clinton, Obama in late December leveled a wide-ranging response to Russian interference with the 2016 U.S. presidential election.
American retaliation included ejecting nearly three dozen Russian diplomats from the country, naming two specific Russian nationals as cybercriminals, along with sanctioning the Russian GRU and FSB intelligence agencies and several companies. This action took place after Obama approved an amendment to Executive Order 13964, originally issued in April 2015, granting the U.S. government enhanced authority to respond to cyberthreats. That included the ability to freeze the assets of individuals or entities found to have used cybercapabilities to damage U.S. critical infrastructure.
“These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior,” President Obama said in a statement at the time.
The former president also pledged that today's sanctions would be followed by additional maneuvers to help hold Russia accountable for its actions. “These actions are not the sum total of our response to Russia's aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” Obama said.
Cyber experts expect to see more cyber and mixed responses. “As we move forward, cyber will be integrated into virtually all warfare,” says Clinton, while lamenting that “there are virtually no rules to manage this process.”
The path to building a set of rules to manage the process, though, is fraught with challenges, chief among them: knowing whether a cyberattack has actually taken place. While streaking missiles and the shrieks of warplanes – and the physical damage in the aftermath – are obvious indicators that a kinetic attack is underway, dormant bots or malware wending its way through a network might not set off alarms until the damage is done, maybe even years down the line.
Another challenge: while DIY nuclear weapons are unlikely, less developed countries, as well as criminals or terrorists, can amass quite an arsenal of cyber weapons and launch attacks from behind a keyboard, something that a treaty or set of treaties can't address.
“If an entity, like ISIS, doesn't have ownership of infrastructure it may not have a large base of cyber assets,” says Grobman. “That's part of the challenge with North Korea, which is not really a connected country. There's a lot less opportunity since they're a lot less connected.”
But less sophisticated entities might find it harder to be effective as cyberwar matures. “With anything, to do something is easy, to keep doing it is a lot harder,” says Chris Roberts, chief security architect at Acalvio. “Taking power out is actually simple. Keeping power out is harder. So the attack vector and end goals will dictate the level of effort and the number of bodies you need. The crafting of good tools these days takes a lot of people and a lot of time. The coding in the basement is good for some things, but weaponizing an exploit and building it into a framework that is going to be successful takes a decent-sized team of really good people.”
Attribution, too, is tricky. While false-flag operations can certainly mask physical attacks under certain circumstances, masking a cyberattack is much, much easier.
“Attribution based on digital forensics is difficult to trace back,” says Grobman. “Seeing the digital artifacts of attribution is not strong enough to draw a conclusion.” He suggests relying on traditional means as well, like law enforcement and government intelligence.
Roberts says cross-border forensics and, more than anything, identifying whose hands were clearly on the keyboard – and that they had intent – will continue to be a challenge, especially as we move into a less-well-defined set of environments that are rapidly approaching the boundary between humans and electronics.
Challenges aside, cybersecurity pros by and large don't want to see the world lag in creating a set of guidelines for cyber warfare.
Microsoft's Smith cited several strong building blocks for such a convention, including the United Nation's 2015 formation of a Group of Governmental Experts, which recommended a set of international norms for behavior in cyberspace, as well as the 2015 negotiations between the U.S. and China designed to curb the cybertheft of private intellectual property. He also noted that 2017 brings "an opportunity for a new president in the United States to sit across the table with the president from Russia and take another step forward to address the attacks that concern the world," alluding to Russia›s interference in the election. That relationship has grown decidedly contentious since Smith's talk after Putin's support of Assad has been questioned in the aftermath of April's gas attack.
Smith envisioned that a “Digital Geneva Convention” could work toward forming a new world organization – modeled after the International Atomic Energy Agency – that unites the greatest cyber minds in the public and private sectors to not only monitor global cyber activity but also identify and call out nation-state attackers.
There are a few elements that any Cyber Geneva/Hague Convention should include, pros say.
“This is complicated but there are pragmatic places to start,” says Clinton (left). “For example, the Geneva Convention requires that attackers be clearly identified via uniform. This ought to be adapted to the cyber world.”
He believes that nation-states should be required to identify themselves. “The rules of traditional war also require that governments restrict their attacks to other governments – this too ought to be applied to cyber attacks.”
Clinton says those requirements should be extended to agents of government action on contract as is often the case in cyberattacks. “Also, while espionage between governments is long understood and accepted, this should not be allowed for governments to use cyberattacks against private entities for domestic economic development purposes.”
That's a line that Grobman also believes should be sharply drawn. “There's a difference between nations trying to get information on technology advances and the military, and stealing from business to improve their economies.” The latter, he says, is an act of war.
Any Cyber Geneva Convention should require enforcement and monitoring.
“From an ideological standpoint, this sort of Digital Geneva Convention is a great concept and would be very valuable in today's global technology and security landscapes,” says Nathan Wenzler, chief security strategist at AsTech Consulting. But in practice?
Wenzler believes the logistics that would need to be involved to somehow accurately monitor and identify who is doing what to who is nearly impossible, especially considering the ease in which a malicious actor can hide, obfuscate, redirect, bluff and otherwise mislead where they're performing attacks from.
“For an organization like this to be successful, accurate proof – which all parties involved can agree is correct – would be the key,” he says. “But the very nature of technology today would make that difficult at best. And even if you can monitor all traffic accurately, there would still be difficulty in getting the political factions involved to agree with the findings.”
Wenzler says that unlike the existing Geneva Conventions, where photographic proof and firsthand human witnesses can demonstrate activity which violates the accords, digital evidence of such absolute nature is much harder to come by and is easier to discount or discredit. “If there is a way that this independent organization can collect evidence that all nations agree is legitimate and irrefutable, then yes, this concept would work and be a huge step toward a safer and more secure digital world for everyone on the planet to benefit from. But, without that level of agreed-upon credibility, this idea may simply not be feasibly effective to accomplish any meaningful goals.”
Deciding on what should be included in a Cyber Geneva Convention, though, is like putting the cart before the horse – who crafts the treaty is equally as important. Diplomats and leaders (as well as lawmakers) often lack the cyber knowledge and skills necessary to fully formulate guidance for cyberwarfare.
“Cyberspecialists are the proverbial dog that caught the car,” says Clinton. “We have convinced the mainstream, at long last, that there is a cybersecurity issue, but now everyone wants to be the cyber guy. We have reached cybersecurity awareness but not cybersecurity understanding.”
That's resulted in an avalanche of ill-considered cyber policies demonstrating a total misunderstanding of what we are dealing with, says Clinton. “A paradigm example of this is the EU's NIS directive that is focused on blaming the victims of cyberattacks by penalizing them up to four percent of gross global revenue for violaitons that are the result, often, of attacks by nation-states on private entities.”
Clinton suggests the model ought to be the collaborative effort initiated by NIST in the development of the NIST Cybersecurity Framework. In the coming months, he says, it will be industry, government and citizens against the rogue nations and criminals. “This will not be like historic conflict and, as a result, we need a more collaborative model to design our cyber defenses.”
Nick Bilogorskiy, senior director of threat operations at Cyphort, calls for an international coalition. “Cybersecurity experts from private sector and the governments should work together on drafting it,” he says. “Then governments of different countries would need to ratify the conventions.”
Governments will likely get behind such a movement as they realize increasingly the sound of incoming fire is not just the shriek of fighter planes but also the click, click, click of the keyboard.