12 August 2019

What Are the Rules of Engagement in a Cyberwar?

By Neil J. Rubenking

"The lines between real and virtual worlds are blurring fast," Mikko Hypponen, Chief Research Officer for Finnish security company F-Secure, said here at Black Hat. "Several governments have publicly stated that they reserve the right to respond to cyber attacks with kinetic force. Now we are seeing that happening for real."

War and conflict exist in a new domain, Hypponen told a rapt Black Hat audience. "What are the rules of engagement in these new conflicts? And where is the cyber arms race taking us next?"

These are not new questions; Hypponen has been attending Black Hat and its partner conference, DEF CON, for years. But the "world is more and more virtual. We live 50 percent of our daily lives in a world where geography doesn't exist, doesn't matter, or matters differently."

The Problem of Attribution

Government officials have already established that computer sabotage could be an act of war, Hypponen pointed out. And "they reserve the right to respond with any means, including kinetic attacks."


The big problem is attribution. Who did it? Cyber weapons are cheap, effective, and deniable. "Regardless of what your policies say, how do you actually know who launched the attack?" queried Hypponen. "If your enemy knows you will respond, they can mask the attack as if coming from another of their enemies."

"False flag attacks in cyber are real," he continued. "We have seen cases where national agencies have tried to make it look like another country was behind the attack. Things like hosting your command and control servers in other countries. We've seen Russians generate bait files using Mandarin Chinese words. How can you respond when you're not sure who's behind the attack?"

The Domains of War

"Land, sea, air, space, and now cyberspace; these are the domains of war," said Hypponen. "Technology has always shaped the face of conflict, but the innovation of a new domain does not make the others go away, just as the introduction of sea war didn't make land war go away."

Hypponen went on to speculate about what new domains will emerge, noting that whatever they are, they will sound like science fiction, just as cyberwar once did. He touched on ideas like DNA warfare and nano-bot warfare.

"The tech revolution that's happening right now is artificial intelligence. This could be the next domain, or could become part of the cyber realm. AI is going to shape the face of conflict, but don't take it from me, take it from President Putin," he said, before playing a video clip in which the Russian president states, "Whoever becomes the leader in this sphere will become the ruler of the world."

Hypponen noted that truly effective AI will create more conflict, not less. "If an entity announces they are close to making the breakthrough," he said, "all other players including governments will realize it's game over. The one with AI will win everything, including every war. No matter what, that technology must be stolen or destroyed. The race to AI is a scary race."

The Players

In terms of those with the best cyber capabilities, the US "is best at this," Hypponen suggested, "with more money, more manpower, and more time than any other." After displaying a clip of President Obama saying that cyberattacks emanating from China are not acceptable, Hypponen commented, "Between the US and China, he doesn't want a fight, but knows the US would win."

Hypponen explained that other, smaller countries don't have as much to lose. North Korea, in particular, balances its budget with cryptocurrency-stealing cyberattacks on financial institutions. "No other government on this planet would resort to that kind of stealing," he said.

The Nuclear Option

"North Korea is not a problem at a world scale without weapons of mass destruction," said Hypponen. "Nuclear weapons changed the world. They ended the Second World War, a prime example of deterrence at play. They were built by people like us, the nerds and geeks of their generation. You could argue that nuclear physicists lost their innocence in 1945 when we first used that power to kill."

Similarly, "computer scientists lost their innocence in 2011 with Stuxnet, an attack that had the power to kill. We don't know that anyone died directly because of the Stuxnet code, but plenty of computer security people have been killed because of their skills. When computer experts are killed, it doesn't feel very nice."

He pointed to an event a few months ago, when Israel launched missiles to take down a Hamas hacker operations center. "Nobody would bat an eye if they launched missiles against a bomb factory," he said, "but this was a cyber center. It felt like we had crossed another line."

"The fact that attribution wasn't hindering the real-world response is important," he continued. "The Israelis knew who the attackers were. They may have had insiders, or people on the ground. They had confidence to believe their attribution. For most cyberattacks this isn't the case. In addition, Hamas was simultaneously sending physical attacks."

Cyberweapons Offer No Deterrence

"The power of traditional weapons very much lies in deterrence," said Hypponen. "You can show them in a military parade. You don't have to use them; it's enough to have them. Nukes have been used just two times. The power of the tens of thousands of nukes is in having them, not using them."

When it comes to cyberweapons, there's no deterrence power. "We don't know who has what," he said. "What's the cyber capability of New Zealand, or Vietnam? We don't know, and there's no deterrence in weapons nobody knows about."

Cyber weapons also have a short shelf life. "A typical zero-day exploit won't work forever. Maybe a new version of the target comes into play, or the vendor fixes the vulnerability."

"A general who invests millions in weapons like jets gets bang for the buck," he said. "They get deterrence. Invest millions in cyber that nobody knows about, you get no deterrence, and then they expire. You get no return on investment whatsoever. This could make use of cyberweapons more likely than traditional weapons.

"How do you get deterrence power in the cyber realm? How do you hold a parade for them? Could you do a public demo, have war games, scare the enemies by showing how good you are? We haven't seen any country do that. There's no cyber mutually assured destruction."

The Consequences of Cyberwar

"Cyber is the next domain we must defend," said Hypponen. "This is a lesson for both government and private companies. Most attacks against companies come from criminals. They just want money, and if you make the process too expensive they'll go attack someone else.

"When the attacker is from a government, the attacker is military, and the military follow orders," noted Hypponen. "They receive an order to go break this organization, get this information, and report back. The military will just keep trying. That's the P in Advanced Persistent Threat.

"When we look at the countries of the world, the US is the most exposed to cyberattack, the most reliant on tech," he said. "Other countries just aren't as reliant.

"So should we respond to cyberattack with missiles? Yes we should, but only if the attacker is doing more than cyber," he concluded. "If all domains are in play, there's no problem with attribution, and no reason not to respond with missiles."

As to whether we should respond to missile attacks with cyber strikes, Hypponen flipped the question. He answered with a quote from security pundit Thaddeus e. grugq: "Total cyberwar. Because the primary deterrent against most aggressive cyberattacks is fear of kinetic escalation. But once you're already kinetic, why hold back? Cyber simply becomes another domain of conflict." So, yes!

Hypponen closed by thanking the attendees, saying, "Rarely is anyone thanked for the work they did to prevent the disaster that did not happen. That's more true in our line than most others. What we do is like Tetris. When you're successful it disappears. When you screw up it piles up."
