7 December 2016

MAD Concept of Deterrence Doesn't Apply in World of Cyber War

By Wayne Rash

NEWS ANALYSIS: The rules of traditional warfare don't apply in the world of cyber war, even to the point where it's hard to tell if the war has actually started or with whom you're fighting. 

PITTSBURGH, Pa. – The next world war may have already started, but the chances are that you may not have noticed it. That's because the new world of cyber warfare is taking place out of sight in places that only the initiated can see. Even then, it's not always clear who the participants are.

Nor is the damage that regularly occurs in the war clearly visible and the only way you would see it is when the war spills over into networks you use. But the only thing you would notice is that your internet connection is running slower that normal.

That was a major conclusion by a panel of experts at the Carnegie Colloquium here on Dec. 2. The topic at the Future of the Internet: Governance and Conflict conference was "cyber deterrence by denial and the vulnerabilities debate." Despite the lengthy title, the panelists were discussing the manner in which a cyber war might be conducted.

The question the experts were dealing with was whether the idea of deterrence will actually work in the conduct of a cyber war as it did with preventing nuclear war in the years after World War II. The general consensus is that it does not, mainly because it's difficult if not impossible to hold a specific person or entity accountable for a cyber-attack.

The Threats From Within

The reason that the analogy with the Mutually Assured Destruction (MAD) concept falls down is that cyber warfare doesn't lead to the type of destruction that nuclear weapons do, making it hard to convince an enemy that he has a lot to lose.

"The only destruction is just a nuisance," explained Ariel Levite, now a nonresident senior fellow on the nuclear policy program for the Carnegie Endowment for International Peace. "A bigger challenge is fake or distorted data," he said.

Levite, who is the former head of the Bureau of International Security and Arms Control for the Israeli Ministry of Defense, said that there are a number of problems in dealing with a cyber war, among them, delineating what actually constitutes a cyber war.

"Can we delineate what activity we want to deter?" he asked. He then posed three more questions that must be answered before you can know there's a cyber war on. "Will you know when the attack occurs?" he said that it's frequently impossible to know the full nature of an attack, not to mention who carried it out. "Do you possess the means to retaliate?" he asked, and then he asked whether the attacker was vulnerable to retaliation.

Then there's the issue of what any retaliation might accomplish. In the case of well-prepared adversary, you might not be able to inflict significant damage, meaning retaliation would not be effective.

Retired Lieutenant General Robert Schmidle suggested that retaliation with the idea of causing damage is probably pointless. Schmidle, who is the former deputy commander of the U.S. Cyber Command, said that the real goal should be to change the behavior of your adversary, rather than to destroy him.

"You have to convince your adversary that you really are willing to use cyber weapons," Schmidle explained. He said that you also need to convince your adversary that you have the capability for retaliation, even though you don't necessarily want to carry out an attack.

Schmidle said that the Stuxnet malware attack on the Iranian nuclear facilities was intended to convince the Iranian government that the U.S. and its allies could eliminate the Iranian nuclear program at will.

Another challenge to conducting a cyber war is that it's so easy to get a cyber attack capability that any nation can do it. Nicole Periroth, cyber-security reporter for the New York Times, pointed out that the barrier to entry on to the cyber-warfare stage is quite low, and that cyber weapons can be repurposed to attack others. She pointed out that Iran is using reengineered variants of Stuxnet to attack Saudi Arabia.

The Threats From Within

All of this is compounded by the fact that simply knowing who your adversary is can be difficult. According to Chris Valasek, security lead for the Uber Advanced Technology Center, an experienced cyber warrior can enter an adversary's IT systems and leave no trace that they were ever there. Valasek, who rose to fame for hacking into and taking over the electronic controls of a Jeep recently, said that he has long experience breaking into systems as a part of his job.

The reality of a cyber conflict is clearly quite different from what many have believed. Except for the potential for collateral damage, such a war could go on between several adversaries with little certainty as to whether damage was being inflicted, whether one side or another was successful, or even whether your attacks made any difference. The only outcome could be that your adversary changes his behavior. But you may never know for sure whether that behavior change was due to your attack, or something else.

Ultimately the purpose for a cyber war is about information. The goal may be to obtain information from your adversary, or it may be to prevent the adversary from getting access to information he needs. If that's done properly, then your adversary may change the behavior you find objectionable, but the chances are you'll never know that your attack was the reason for the change.
Next » 

No comments: