One thread running through this year’s RSA Europe conference from start to finish was the topic of cyber-war. If you took the talks from Tom Heiser in Tuesday’s opening keynotes, Richard A Clarke on Wednesday, Ira Winkler and Michael Chertoff on Thursday, and generated a word-cloud, some of the biggest fonts would have to be reserved for words like “Stuxnet”, “SCADA” and “Nation State”.
Coincidentally (?), in the UK news headlines… on Wednesday, the government’s electronic intelligence agency warned of the nation’s vulnerability to cyber-attack, and on the following day, Prime Minister David Cameron announced £1bn of funding for cyber-defence.
Meanwhile, in the closing conference keynote, Michael Chertoff sketched out an argument along these lines: in the past, “security” was, in general, the government’s problem. Not only did the government have responsibility for borders, police and the military, it was also seen as an actively bad thing for those responsibilities to be delegated to commercial entities. Now, however, the reach of the internet into everyday social, commercial and economic affairs is such that much of the critical infrastructure is owned and operated by commercial companies.
Governments have neither the remit, the means nor – mostly – the inclination to ‘secure’ the internet in anything approaching the same way as they exercise their military, border-control and law enforcement powers.
Nevertheless, he argued, cyberwar is a real and credible threat, in the face of which governments cannot afford to remain idle. That threat, he said, “changes the customary roles of both government and commercial entities”. He went on to give the example of Eisenhower’s Cold War doctrine, under which the process of escalation up to and including a “nuclear exchange” was clearly and publicly stated; Chertoff attributed much of the stability of the Cold War period to the fact that actions and consequences had been thought through in advance and made explicit to the primary adversary. We need, he said, a doctrine for the cyber age which can give some similar measure of stability.
Seductively simple as that analogy is, I am not convinced. It may just be that Mr Chertoff didn’t have time to go into the details… but to my mind, any doctrine of cyber-defence (and indeed offence) needs to deal credibly with two issues which Eisenhower did not need to face: asymmetry, and attribution.
The issue of asymmetry is this: when it came to nuclear technology, it was clear that (at least in the days of Eisenhower’s Project Solarium) there were really only three or four credible sources of a nuclear threat. Just as today, the nuclear threat comes less from nation states than from rogue groups and ‘dirty’ bombs, so in the cyber domain it is not just nation states who can assemble the means to mount an attack. Admittedly, both Michael Chertoff and Richard A Clarke maintain that a credible cyber-attack on a national infrastructure could only realistically be mounted, currently, by half a dozen or so other nation states. So they currently discount the idea that such an attack could come from smaller, less capable and less well resourced groups. That may indeed be the case – I’m not qualified to say; but if you look at everything we know about how malware is created and propagated, you’d have to reckon that, once the components of a serious attack have been developed *by anyone*, the skill needed for someone else to re-use those tends to be much lower.
I would argue, then, that it is only a matter of time before non-nation-state actors either acquire viable cyber-attack assets from nation states, or gain the competence to develop their own credible threat; Dick Clarke himself pointed out that organised criminals are already ‘investing’ in assets like advanced research students, and the ability to infiltrate and subvert hardware manufacturing processes.
Whether that is the case or not, the problem of attribution still arises. Anyone who has followed the Stuxnet story will have been aware that there is still huge speculation over who was behind the attack. Did Israeli developers leave cryptic clues in the source code, pointing to the date of Habib Elghanian’s execution? Or was that itself a cunning piece of misdirection, planted by someone who wanted the finger of suspicion to be pointed in Israel’s direction? John le Carré has written worse.
Of course, when nation states get involved, they have whole agencies devoted to making this kind of puzzle to all intents unsolvable. But leaving the spooks aside, let’s look at the practicalities, borrowing the territorial labels from Orwell’s 1984: if Oceania wants to launch a cyber attack on Eastasia, there’s no need for it to do so from its own geographical territory. It could do so from a third party country, or even from inside Eastasia itself, or from a net of distributed bots. Anyone at RSA Europe this year will have heard enough about cloud computing to dispel the idea that computing resources and geographical location are in any way tightly coupled.
And that brings us right back to asymmetry. Eisenhower was able to set out a very predictable theory of escalation: if you launch a conventional attack, we may exercise the option of a conventional counter-attack, or escalate directly to a nuclear response. In the cyber world, things aren’t that simple.
Supposing Oceania pays an individual in Eurasia to deliver a cyber-attack on Eastasia; there’s no guarantee Eastasia will be able to identify Oceania as the origin of the attack – so what’s the appropriate response? Nuke the individual? Cripple the national infrastructure of Eurasia? And what if the attack was actually launched from inside Eastasia? It’s hardly rational to respond by zapping your own network as a punishment.
Nor is it any easier if you start from the assumption that the best response to a cyber attack is a conventional retaliation. And if you step back from that and go for, say, economic sanctions instead, then we’ve come full circle and find ourselves staring at the problem of attribution again. In 2008, the Russian invasion of Georgia was preceded by a sustained assault on the Georgian internet infrastructure, with attacks on government and commercial websites. Apparently elements of that assault were directed from Brooklyn, NY. I’d be fascinated to see what level of economic sanctions Georgia could persuade the international community to apply to the United States, as a third party country responsible for hosting elements of a cyber attack.
I’m delighted that the likes of Chertoff and Clarke are devoting serious thought to the risk of cyber-war and the practicalities of cyber-defence. I’m even relieved that they think there are viable ways for nation states to prepare their defences. But the issues of asymmetry and attribution make me pessimistic. Goodness knows, we’ve seen how hard it is for conventional armed forces to deal with asymmetric warfare in the midst of a civilian population. In the virtual world, those problems only intensify.
There’s already debate, following David Cameron’s announcement, over whether cyber-defence is the best way for policy-makers to allocate £1bn of state funding in these times of budget cuts and deficit reduction. I am fascinated to see how the boundaries will get drawn between what they try to fix through policy and governance measures, and what they will expect to see solved through the application of technical fixes.