16 December 2015

Offensive Cyber Operations

LUKE PENN-HALL
DECEMBER 13, 2015

Hollywood has a clear idea of what it would look like if someone used cyber-capabilities against us: a man in a room full of screens would be typing madly, planes would fall out of the sky, there would be explosions everywhere, and so forth. According to Director of National Intelligence James Clapper, that’s not likely to happen anytime soon. In a recent Congressional hearing, Clapper said “the likelihood of a catastrophic attack from any particular actor is remote at this time.” However, the reality is that cyber-weapons do exist, raising questions that have bearing on both defense and industry.


First among these questions is: for what purposes are offensive cyber-capabilities being used? Most of the time, offensive cyber-capabilities are used for espionage or theft. This is because cyber-capabilities make it significantly easier to locate, access, and extract information from companies and countries, as the Target and OPM hacks have demonstrated. There have also been distributed denial of service (DDoS) attacks against a variety of different organizations, from banks to non-governmental organizations (NGOs). This type of attack overwhelms computer systems so they can’t function, but while such attacks are disruptive, they are not particularly destructive in any permanent sense. This is in keeping with the government’s expectations. In his testimony, DNI Clapper said that he expects “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”

However, Clapper’s projections do not suggest that we can let down our cyber defenses. Offensive cyber-capabilities are absolutely being used to destroy things. Fortunately, most of the time only data is destroyed, but that is still very damaging to the victims of these cyber-attacks. The Sony hack is arguably the best-known example of this. During the Sony hack, North Korean hackers released a virus that actively destroyed data on Sony’s systems. Iran is believed to be responsible for two similar attacks using data-destroying viruses, one against Saudi Aramco – the Saudi Arabian national oil company – and another against the Sands Casinos. The Iran attacks are somewhat ironic since the best-known instance of physical damage caused by cyber-weapons took place in Iran, when the Stuxnet worm damaged Iranian nuclear centrifuges.

The increasing number of cyber-attacks also raises the question: can states maintain a monopoly on the use of force in the cyber-domain? The answer here is considerably less clear. On the one hand, cyber-capabilities are commonly seen as having a leveling effect – even a relatively weak actor can do a lot of damage if they have the right skills or access to someone who does. However, really complex and powerful cyber-capabilities are still the purview of governments, so the amount of damage that non-state actors can do with cyber weapons is still relatively small. Beyond cyber-enabled non-state actors, the tech sector also has a tremendous amount of cyber-related talent and a desire to use that talent to protect itself from threats. This is potentially troubling since there have been calls from the business community to allow its cyber talent to “hack back” against groups that hack industry. The desire to do so is somewhat understandable, since industry feels the government has essentially told them they are on their own in protecting themselves from cyber-attacks, but hacking back is illegal in the United States, and that is not likely to change.

The world is still adjusting to the emergence of offensive cyber-capabilities, and the extent of their effect on the international systems is still unclear. They have been used to great effect for operations related to espionage and sabotage, but they are still far from being able to pull off any of the stunts that the film industry finds so fascinating. That being said, these capabilities will continue to grow in sophistication and reach, so the government and industry will need to plan accordingly. 

Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.
