In military parlance, there are now considered five potential theatres for conflict – land, sea, air, outer space and now cyberspace. As with any area of Defence spending, investment and innovation in this fifth theatre are shrouded in secrecy.
However, according to the Washington Post, the Pentagon has ratified a list of ‘approved cyber weapons’ which the US has available and has been seeking to define how and when these could be deployed within a revised legal framework for conflict.
Whilst nation states assess their readiness for future conflicts in cyberspace, there remains a lot of discussion about what constitutes a cyber-attack; whether it is possible to create some kind of ‘Geneva Convention’ for online conflict and whether certain online targets should be protected in some way due to their non-martial nature.
During the East West Institute’s Cybersecurity Summit in London, I was invited to participate in a panel discussion about the ‘Rules of the Road’ in cyberspace which brought together policy makers, defence experts, lawyers and technology consultants to address some of these difficult areas.
At a basic level, defining an attack can be more complex than in other conflicts. Hidden IP addresses, ‘cloned’ computers and the ability to access the Internet from just about anywhere in the world make it very hard to determine where an attack is originating from and how to respond. In Cyberspace there is no certainty, only probability and the probability has to be immensely high if you intend to commit to some sort of retaliation which may well have unforeseen side effects.
Understanding whether you are reacting to another nation state, a terrorist organisation, organised criminals or simply a frustrated teenage hacker is often very blurred and unclear. Information is the currency of the online world. Cyber-attack will invariably take two forms: those that seek to influence decision making by disruption and manipulation of information; the ability to capture valuable intelligence without another nation or organisation knowing for the purposes of informative decision making on your own side or perhaps for the simple business of monetary gain.
Not knowing precisely and instantaneously makes cyber conflict frustratingly hard to retaliate against. Hence, as the Financial Times leader said on Saturday (4 Jun 11), defence becomes of utmost important when trying to go about one’s business with confidence in cyberspace.
A major area of discussion at the Cybersecurity Summit discussion was whether certain targets should be ‘protected’ in cyberspace. The first element of military strategy is to disrupt the enemy’s lines of communication but what if that communication infrastructure also happens powers a hospital’s patient database or telephony systems? Or if the disruption were to damage an air traffic control system and risk numerous civilian lives?
On the one hand, nation states could agree ways to identify these systems to avoid ‘collateral damage’ but would this make them more obvious targets for non-state actors such as terrorists? Would the suggestion of distinguishing some URLs with a non-combatant suffix (.med; .nsz (non-strike zone)) help? The DoD said last week that they feel they have the legal right now to undertake target “reconnaissance) in cyberspace during peacetime and mark “targets” that they feel might do potential harm in a state of conflict. Could not the same markers indicate targets that are not to be touched?
These questions don’t have straightforward answers but governments and international institutions are increasingly exploring these issues and creating agencies and frameworks to address them. The range of expertise and nationalities at the Summit was considerable (the Cyber 40+ nations) and will help bring about more collective solutions to these challenges. The UK is planning an inter-governmental conference to help define the ‘norms’ of cyber conflict in London on 1 and 2 Nov 11 at which a number of organisations including Unisys will be participating.
Just as the definitions and boundaries of cyber conflict are unclear for traditional approaches to Defence, there are similar challenges for businesses. During the Summit, a number of speakers highlighted that the estimated cost to the UK of cybercrime is £27 billion of which £21 billion affects business. In recent months we’ve seen groups of hackers coordinate ‘attacks’ on corporates and use online channels to organise physical action at retail outlets. Whilst less in the public eye, industrial espionage via online channels is also a reality.
So how can businesses respond?
As Sir Michael Rake, Chairman of BT Group highlighted in his keynote address at the Summit, “We need to be more open about discussing the threats and the issues around cybersecurity. I think that it’s an area that will require huge investment and government-business cooperation.” Many companies tend to under-report the incidence of cyber-attacks due to understandable concerns about reputation and confidence but the right forums could help identify threats more quickly and help the law and law enforcement respond more quickly.
Secondly there is no real boundary between on and offline security. All security is converged into one holistic approach within a properly formulated security framework. Companies should take a comprehensive view of risk which integrates on and offline channels, looking at areas such as access to information as a whole and how it will affect timely decision making. Two suggestions were made at the Summit for getting a better understanding of these uncertain threats and what to do.
The first is to do what IT businesses do and postulate “Use Cases” for new solutions and how they might benefit the client. In the policy world this has been done with considerable effect using Scenario Driven “games” but at the strategic level. I would suggest that such an approach, but now involving key CNI industries, would provide some clarity on how to handle “events”, be they state inspired or ordinary decent crime (as Rumpole of the Bailey might have described it).
The second is to recognise the uncertainty and, in the first instance, set up “hot lines” between key nations in order to deflate the rhetoric and certainly discuss the media powered storm that soon surround any ambiguous issue – Google attacks being a prime example. Industry has a major part to play in all this and I look forward to the follow on events and activities that have come out of this extremely worthwhile Summit.