AUSTIN – Data security has never been more front and center than it is now. The recent hacking of the Democratic National Committee; the implications that Russia – a sovereign country – may have been deeply involved; the potential implication it had on a national election; and the accusations, difficulty in establishing proof, and what can be done about it, all form a perfect backdrop for a look at cyber attacks, cyber war, cyber espionage, and general cyber-malfeasance. At South by Southwest, Sean Kanuck laid out a framework for thinking about cyber attacks, the sometimes similar but mostly different form of warfare it can be, and some ways where escalation of this new form of attack can be limited going forward.

Kanuck is a lawyer, ex-CIA officer, the US's first National Intelligence Officer for Cyber Issues from 2011 to 2016, and is currently affiliated with Stanford's Center for International Security and Cooperation. He framed cyber conflict by defining terms, and comparing and contrasting cyber conflict with traditional armed conflict. To start, he refutes that we should consider cyber war as another domain of war, like land, sea, or air. Cyber is a means to an end, a way to disrupt data flow or processes that depend on it, or to corrupt that information and make it unreliable. Cyber attacks are another form of obtaining a strategic result, not a form of war in and of itself.

Cyber war vs. traditional war

There are many ways in which cyber conflict differs from typical conflicts. An attack can come from anywhere, and it is difficult to tell from where it originated. It's possible and not immediately obvious, for example, that it could come from a 400-pound hacker in his pajamas in an apartment – but it's not likely in the case of the best orchestrated attacks. Because of the worldwide, distributed nature of the Internet, it could come from literally anywhere.

The tools used are perishable, designed specifically for the target, and unpredictable. While a bullet is designed to do the same damage to any human anywhere, and it's predictable what it can do, the tools used to attack an electric grid or steal classified data are different than what may be used to hack a router or internet-connected camera and make them do nefarious things. Using a war analogy, under the Geneva Convention rules of war there are definitions as to what constitutes a legitimate military target. Communications networks (and the internet that runs on it) carry both military and civilian information flow, so there is no separation of target – everything is essentially fair game.

The newest trends in cyber attacks have gone beyond disruptive denial of service attacks on internet sites. Industry and infrastructure like power grids and ATM networks are targets, which could cause large social disruptions. Indirection is heavily used, making it difficult to prove who is behind an attack. Perhaps the most dangerous class is the integrity of information attack – where the network or service is not disrupted, but information is modified, and the target doesn't know it's been attacked, as there is no stoppage or sign of disruption. One could see how this, used on financial services or healthcare for example, could be highly dangerous.


Cyber war's unique challenges

Kanuck details how cyber conflict presents other unique challenges, particularly for thinking about how to respond to an attack. First, there is really no deterrence today to refrain from doing it – there is no universal mode of behavior or conduct in this sphere like the Geneva Convention. It is relatively easy for any actor – state or otherwise – to test a target's tolerance threshold, resolve, and technical capabilities. A cyber attack may do a lot of economic harm, but if people don't die as a direct result, it's not likely to provoke an armed response – assuming we are talking about provable state actors here.

Even admitting there's been an attack exposes a vulnerability. Once exposed, the attacker knows the method could be detected, so it will use a different form of attack next. This is perhaps analogous to when the Allies broke the German cryptographic codes in World War II, but didn't reveal it so they could secretly monitor German communications. If you know how you've been hacked, it might be better to keep that quiet and use that knowledge for future protection and potential countermeasures. This aspect provides a disincentive for governments or organizations to come forward, especially when it's difficult to prove who is really behind an attack.

Despite the clandestine nature of cyber attacks, Kanuck doesn't see a high likelihood of some kind of cyber Armageddon, as in an attack where whole power grids and water supply systems stop working. In that case, where there's a high likelihood of large numbers of people dying, a real armed conflict will ensue. When 9/11 occurred, about 3,000 people died, and the response was a large-scale military invasion. One could expect that if an infrastructure attack resulted in that scale of human loss, the response would also be similar against whichever actor is thought to have carried it out. But given the indirect nature of attacks, it is often very difficult to prove who was really behind them. And the more likely scenarios are likely to be attacks below the threshold of triggering armed conflicts. They will be attacks that could target a key corporation (like the Sony attack), an attempt to potentially influence an election (the DNC hack), or a limited infrastructure attack (the Ukraine power grid).

Deterring escalation of cyber arms

While there are mutually declared concerns between China, the U.S., and Russia about cyber warfare, few mechanisms exist today to draw lines which shouldn't be crossed. It will require further cooperation on definitions of what constitutes an attack, what are legitimate targets, and what are undesired effects of cyber attacks. For example, under the Geneva Convention, poison gas is outlawed in war. Some rules about prohibiting attacks on infrastructure (for example, disrupting water supplies by attacks on treatment systems) would be the analogy in cyber. But the Geneva Convention has been violated by a number of countries in different conflicts, so rules are just rules unless there is some incentive to follow them.

In the Cold War, the U.S. and Russia escalated the nuclear arms race to the point of MAD – mutually assured destruction. Perhaps the same will happen in cyber until that kind of shaky equilibrium is reached. Kanuck postulated that much better defenses, or resilience, are necessary to deter attacks as well. Right now, it appears there are vulnerabilities across too many vital systems that present many attack surfaces. Even if it's hard to identify an attacker conclusively and respond, making attacks much more difficult to mount will be a deterrence. Because of the above issues with correctly identifying perpetrators and exposing vulnerabilities, offensive moves have the advantage. A better defense to limit potential damage is one way to affect deterrence.

Beyond that, Kanuck proposes the basic elements of a security architecture to make cyber Armageddon much less likely. First, transparent, articulated rules need to be agreed upon for use of cyber aggression, likely around permissible targets and methods, similar to the Geneva Convention. The rules need to apply universally, although as in nuclear proliferation limitation clearly some countries will have capabilities that others don't. Stability can be reached by getting to the kind of cold war equilibrium that would make any party think hard about launching an offensive move.

Unfortunately, these kinds of agreements take years to come to pass. And in that time frame, technology will move forward quickly, creating more challenges. Across industry, infrastructure, government, and the military, vigilance and defenses against cyber attacks will need to keep up.