Cybersecurity and cyberwarfare

CHERIAN SAMUEL


CYBERSECURITY and cyberwarfare are antithetical to each other; while cybersecurity is about securing a medium that is increasingly central to human existence and interaction, cyberwarfare is about state sponsored actors actively locating and exploiting the vulnerabilities in cyberspace for a variety of malicious purposes, in the process, destabilizing cyberspace as a whole. Given the importance of cyberspace, one would expect states to make haste and frame rules of the road and come to a broad understanding on legitimate and illegitimate uses of cyberspace. They have tried but without much success, for reasons to do with approaches and perception.

A path with possibly greater returns would be that of undertaking a narrower and more structured discussion on cyberwar, and more specifically, on defining hostile actions that would be treated as equivalent to an act of war in cyberspace. However, the current trend is in the other direction, that of broadening accepted norms and definitions of war to justify state sponsored malicious activities in cyberspace. As a responsible stakeholder, India will have to work towards stability and security in cyberspace while also developing the capabilities and capacities to face cyberwarfare activities and help other states that are similarly vulnerable but lack the wherewithal to secure cyberspace.

Most commentators are agreed about the lack of clarity over definitions of many of the words that are bandied about in the discussion about cybersecurity and cyberwarfare, beginning with these two words themselves. And much like the medium itself, definitions too have a tendency to change. Consider how the definitions for cyberspace have changed in the span of five years. The US Government’s National Strategy to Secure Cyberspace, released in 2003, defined it as follows: ‘Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fibre optic cables that allow our critical infrastructures to work.’1 In 2008, Gordon England, US Deputy Secretary of Defence defined it thus: ‘Cyberspace is the interdependent network of information, technology infrastructures that includes the internet, telecommunications networks, computers, information or communication systems, networks, and embedded processors and controllers.’2 The crucial point is the shift of the medium, from an enabler of critical infrastructure to being one itself.

 

Cybersecurity is another term that is yet to be comprehensively defined. One of the most succinct ones can be found on the Techtarget website and it states: ‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.’ Cybersecurity policies have been seen as a way of combining all these together so that the sum of the parts can better make up the whole. However, the complex nature of cybersecurity has seen even developed countries of the West, where much of the technologies, processes and practices were developed, falter when it came to developing holistic cyber security policies. Those countries that succeeded in piecing together a policy had difficulties in implementing them, and thus had to come up with successive iterations as new threats surfaced. Such policies were of limited use in preventing cyber attacks or pre-empting the formation of new threats.

One of the main reasons for the failure of cybersecurity policies is that cyberspace was largely designed to function on trust. Its relative simplicity enabled its seamless scaling up over the years to support the millions who have migrated into cyberspace and now use it on a daily basis for virtually every aspect of human conduct.

 

Given the current state of play in cybersecurity, it is not surprising that most discussions on cyber security sooner or later end as a confusing mix of viewpoints on fundamental rights, privacy, law enforcement, human rights, globalization and national security, thus leading to gridlock. With the progress of time, differing perspectives and approaches are getting more and more entrenched, thus making the job of arriving at a consensus on contentious issues even more difficult. The resultant anarchy has emboldened a variety of malicious actors to take advantage of the situation and further threaten the security of cyberspace.

The confusion at the domestic level is reflected and magnified at the international level with various countries having different approaches and cyber security priorities. At the same time, the threats and perceived threats have led to many countries going beyond a defensive architecture and advocating more pro-active and offensive approaches to be prosecuted by agencies with expertise from across the civilian, military and intelligence domains.

Coming to cyberwar, the debate is literally split down the middle between those who are convinced about the inevitability of cyberwar3 and those who are of the opinion that the dangers are unnecessarily magnified.4 Much of this debate revolves around the definition of war and the laws and norms governing warfare. Those in the latter camp note that war is characterized by three elements: it is violent, there are instrumentalities (the threat of force), and it is a means to an end, which is usually a political objective of forcing the opponent to submit to your will. Cyberattacks do not meet any of these conventional criteria in terms of violence, instrumentalities and end objectives. Moreover, cyberwar does not fit into the traditional framework governing the use of force that has developed over the years, as also the laws and norms of war. Redlines defined in terms of territorial aggression, as well as principles for response such as distinction, proportionality and necessity are difficult to apply in cyberattacks. The task of fashioning new laws for cyberspace is thus even more problematic given its rapidly changing characteristics and broad international consensus on sticking with the current laws.

 

Even as the nit-picking over what constitutes cyberwar continues, one needs to contend with the sustained low intensity conflict afflicting cyberspace. This conflict is characterized by attacks on governmental networks and critical infrastructure. It has given rise to the more generic term of cyberwarfare, defined by Richard Clarke as ‘actions by a nation state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.’5 This definition distinguishes such actions from cyber espionage, though the same methods, vectors and vulnerabilities can also be used for cyberwarfare. Schmidt and Cohen feel that while peer competitors will utilize cyberspace for espionage, ‘stealing state secrets, accessing classified information, infiltrating government systems and disseminating misinformation’, cyber terrorists constitute a new genre of actors that try to use it to inflict damage. Nevertheless, they feel that the threat of retaliation will inhibit state-on-state destructive behaviour.6

This hope has been belied by recent events starting with the Stuxnet worm that destroyed Iranian nuclear centrifuges. Soon other malware was also discovered; in terms of intensity, the most significant was the Shamoon virus which wiped off all the data from 30,000 computers of the Saudi Arabian state oil company, Aramco. Iran has also shown how rapidly cyber capabilities can be acquired; with virtually no capabilities before 2009, it has now acquired significant expertise, and is using it. This is what the United States discovered to its cost as US banks were subjected to a sustained volley of DDoS attacks by a hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters, which was actually Iran retaliating for cyber attacks on its infrastructure.7

 

While countries have developed varying cyber capabilities, they have not thought about the role of cyber weapons in regular warfare. This is partly because responsibility for the development of cyber capabilities has in large part devolved to the signals and intelligence agencies and R&D organizations rather than the military. If in Britain it is the Government Communications Headquarters (GCHQ), its equivalent in Australia is the Cyber Security Operations Centre (CSOC). In the United States, according to the statement of Gen. Keith Alexander during the Senate confirmation hearings, the responsibility was initially with the US Military’s Joint Task Force Global Network Ops, which subsequently devolved to the National Security Agency by virtue of its technical proficiency in this domain.

The main drawback to this arrangement is that intelligence agencies are intrinsically secretive and contribute little to the debate, other than subverting the process to further their own limited agendas. This was evident in the Snowden revelations where the National Security Agency had gone to the extent of weakening encryption protocols and standards which are central to the reliability and integrity of cyberspace.

 

The blurring of intelligence collection and warfare has resulted in the development of two distinct strands in cyberwarfare – a high road which tries to maintain a distinction between cyberwar and cyberwarfare, and a low road which tries to blur the distinction. The latter is exemplified by the concept of ‘unrestricted warfare’, a term first used by two Chinese colonels in a treatise by the same name. The authors begin by observing: ‘Does a single "hacker" attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? ... Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: warfare which transcends all boundaries and limits, in short: unrestricted warfare.’

If this becomes established, this kind of war means that all means will be in readiness, that information will be omnipresent, and the battle-field will be everywhere. It also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.

 

This has been further fleshed out in subsequent iterations of the PLA’s thinking. According to analysts, PLA thinking on future wars is marked by the three ‘nons’ – non-contact, non-linear and non-symmetric.8 Non-contact would include computer network operations ‘that will effectively nullify an opponent’s forces without having to directly confront or engage them.’ Following on that, non-linear and non-symmetric war would take place in many dimensions, both physical and temporal, and not necessarily within a set battlefield or theatre. Given these characteristics, the armed forces would require inter-service cooperation and shared situational awareness through advanced communication facilities. For shared situational awareness, information would have to be integrated into all aspects from logistics, personnel, management and decision making. The challenge lies in successfully overcoming the vulnerabilities inherent in digitizing the warfare landscape.

Informationized warfare is, therefore, a competition between rival arrays of information systems, and the side that has the more hardened and secure systems will dominate. Thus, while the focus of western military planners is on accelerated decision making through the use of technologies and concepts such as the OODA loop, they remain constrained in their efforts to secure their networks because of the differing capabilities and capacities of the allies. Conversely, the Chinese emphasis is on degrading hostile capabilities to the extent possible while, at the same time, hardening and securing their networks.

For the PLA, non-symmetric war justifies the use of methods such as hacking and expropriating intellectual property – first as a tool for getting access to and parity with the advanced technologies of the West, and second, as part of psychological warfare, through visibly penetrating networks in other countries and raising the spectre of cyber instability.

 

The classified US Presidential Directive 20, issued in October 2012 and leaked by the Guardian in June 2013, seems to take pretty much the same approach, putting intelligence collection first and warfighting second in the uses of cyberspace.9 With regard to the first, cyber collection, this is described as ‘Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence... from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access.’

With regard to the second, actions are classified as DCEO (Defensive Cyber Effect Operations) and OCEO (Offensive Cyber Effect Operations) where Cyber Effect is the ‘manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.’

The Presidential Directive has to be viewed in tandem with another document that made a recent appearance; the Tallinn Manual on the International Law Applicable to Cyber Warfare. The manual is important because it tries to adapt many of the legalities that are used to determine whether an act falls within the purview of the laws of war to cyberspace. These range from the online equivalent of the use of force, to acts against civilians, to legal thresholds on escalation, to the concept of imminent threat, and the right of self-defence. Going by the findings of the manual, the use of the Stuxnet worm was an act of war, but its use was justified as the Iranian nuclear programme constituted an imminent threat to world peace.

 

While India is an important actor in global cyber affairs based on a number of parameters – from internet population, to capabilities and capacities in information technology – thinking on cyberwarfare remains limited in both voice and deed. In India too, two distinct approaches can be discerned with regards to cyber space. First is the realist approach, which places the state at the centre of international politics and enjoins upon it to do whatever necessary to secure a place at the high table on international cyber policy making. This approach places priority on developing capabilities, placing little faith in the ability of states to come to a consensus on what is essentially an anarchic space.

Since states are the primary actors, it is their responsibility to develop defensive and offensive cyber capabilities to secure their survival. However, cyberwarfare is only gradually getting the attention it deserves for a number of reasons. As yet, much of the focus on cyberspace is through the second approach, with internal debate over cyberspace taking place at the liberal end of the spectrum and revolving around issues of open and equitable access, freedom of speech and expression, and privacy. The challenge lies in marrying the two approaches at the national and global level, i.e., strengthening cyber capabilities while articulating the need for responsible stewardship of cyberspace.

 

To do the first, many of the current constraints that come in the way of action have to be removed. In the first instance, offensive and defensive actions in cyberspace are still largely the preserve of intelligence agencies who zealously guard their turf. Though the armed forces have been messaged over and over again by the top political leadership about the need to defend against cyberattacks, they have only a limited role in the absence of an official policy on offensive actions. That notwithstanding, the armed forces have been mulling over the structures necessary to carry out operations in the new domain and, according to reports, the navy will lead the effort since it is the most technology savvy of the three wings.

The confusion over responsibilities in cyberspace, however, needs to end. Only then can subsequent actions, such as an understanding of our own strengths and weaknesses, as well as mapping out of the adversary’s vulnerabilities, be carried out effectively. A particularly difficult challenge involves working out the politico-military relationship and command and control structures given that actions in this domain take place literally at the speed of light. Another problem area relates to the training of ‘cyberwarriors’. This brings up the issue of quality over quantity. While our large population makes us predisposed towards ‘cyber battalions’, smaller and specialized force structures are the order of the day in the cyber battlefield.

One of the limitations of the armed forces is that their communications networks are still under the process of modernization and cyber capabilities can only develop concurrently with this process. Advanced research and development capabilities are also a sine qua non in this technology intensive and rapidly changing domain, but while defence research organizations like the DRDO are engaged in cutting edge research and have even announced intentions of developing cyber bombs, these are likely being developed less to a plan or in line with requirements, and more in terms of technology demonstrators. Also, given the emphasis on intelligence collection, more attention needs to be paid to advancing knowledge on encryption and other means of defeating attempts at intelligence collection.

Once these internal lacunae are addressed and there is a better understanding and discussion of the issues, we can positively and effectively contribute towards the global conversation on cyberwar. As a fundamentally peace-loving nation, it is in our interest to arrest the current slide towards cyber dystopia with the ongoing cycles of attack, retaliation and counter-retaliation by taking the high road on cyber war. That notwithstanding, we should also be able to respond to those who insist on taking the low road through effective development of cyber capabilities and a willingness to help our friends who lack these capabilities, but are at the receiving end of cyber attacks.

 

* The views expressed are personal.

Footnotes:

1. The White House, The National Strategy to Secure Cyberspace. Washington D.C., February 2003, p. vii.

2. Gordon England, Memorandum for Secretaries of the Military Departments. The Definition of ‘Cyberspace’. 12 May 2008.

3. Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to do About it. Harper Collins, 2010.

4. Thomas Rid, Cyber War Will Not Take Place. Oxford University Press, 2013.

5. Richard Clarke and Robert Knake, op cit., n. 3, p. 6.

6. Eric Schmidt and Jared Cohen (eds.), The New Digital Age: Reshaping the Future of People, Nations and Business. John Murray, 2013.

7. The New York Times, ‘Bank Hacking was the Work of Iranians, Officials Say’, 8 January 2013. Available online at http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html

8. Dean Cheng, China’s Space Program: A Growing Factor in U.S. Security Planning. The Heritage Foundation, 16 August 2011. Available online at http://www.heritage.org/research/reports/2011/08/chinas-space-program-a-growing-factor-in-us-security-planning

9. PPD 20, US Cyber Operations Policy, October 2012. Available online at http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text
