Now, in addition to the types of fraud and phishing that emanated from email services, Craigslist and various secondary market websites, IT has given rise to malware, spyware, adware, and offensive cyberwarfare. Malware affects information security, and is promulgated through viruses, worms, and network intrusions by rogue users and botnets of so-called zombie computers whose security has been compromised. Spyware is spread through bundling with desirable software or by malicious code that is transferred from seemingly innocuous webpages. Once installed, these programs are increasingly difficult to detect, remove, and destroy. Recently, researchers at the University of Texas at Dallas created the Frankenstein virus, which can be generated from as little as three pieces of common code so as to avoid detection by anti-virus programs. Cyber weapons have been in development for at least a decade, and according to a study by CSIS, the 15 governments with the largest military investments have all gotten involved in developing offensive capabilities.
Cyber security experts are at odds on the appropriate level of freaking out deserved by the situation. Many argue that developing adequate firewalls and network protection mechanisms is impractical, thanks to the 99% success rate of infiltration confirmed by experts who test network vulnerability, and that the average hacker faces low profit margins as thousands of new entrants find increasingly less easy money in the leveled cyber playing field. In addition, that estimate of $144 billion in losses was computed using ‘absurdly’ poor statistical methods. Thus, burdensome regulation is an option that is highly contested by some who favor light legislation to preserve the openness of the Internet, while others raise concern that high information, infrastructure, and telecommunications network security must be mandated even if it means curtailing Internet freedom.
For the US government, there is a need to balance objectives. With the growing concern of policy-makers, law enforcement, and citizens, there is a temptation to devote more resources to R&D, regulation, and oversight, which, although clearly necessary, will encourage rent-seeking at the expense of taxpayers and firms as well as the diversion of labor and capital away from more productive uses. Legislation that mandates high security will be costly to implement for firms, making other initiatives preferable from an economic perspective. However, firms that deny security breaches to customers and shareholders, as Amazon and LinkedIn have done, should be prosecuted to the fullest extent of the law. Consumers need to be aware which firms have upgraded their systems to provide better security for investments, deposits, intellectual property, and communications, and rich countries with high capacity to combat cybercrime should form strategic alliances to build capacity in the developing countries with high levels of criminal activity.
The linkages created by tracking, apprehending, and prosecuting cyber criminals and terrorists will strengthen international cooperation on the issue and streamline the judicial process. Policy-makers in Washington need to put pressure on foreign governments that are soft on cybercrime. Because Russia fails to enforce its laws against cybercrime, the well-known Koobface gang works openly in a posh district in St. Petersburg, regularly checking in on Foursquare. Many other low- and middle-income countries, such as those in the former Soviet Union, have a low capacity for law enforcement and thus give criminals a base from which to launch destructive attacks and lucrative heists. Since law enforcement is likely to lag, it may be tempting to retaliate with skilled government hackers who can disable the computers used by criminals. However, two can play at this game, and one single successful attack can lay waste to several tens of thousands of computers. Another option is to treat cyber criminals as terrorists and engage in the practices that have heretofore been reserved for them, such as extraordinary rendition, enhanced interrogation, and unlimited detention. The legislative environment is being shaped, perhaps, for just this sort of scenario.
While trying to recruit talented hackers in order to participate in the construction of defensive innovations and offensive cyber weapons, one would be well-advised to avoid offending the entire community with initiatives like the Stop Online Piracy Act, which so angered Anonymous that the group declared war on the US government and successfully hacked into several very prestigious agencies’ networks, considerably damaging the image of the government at home and abroad. While DARPA and other cyber recruitment initiatives leverage a lot of talent for the USG, Anonymous and other hacktivist groups would be fertile soil for effective cyber operatives, coerced into service through entrapment or lured by the temptation of assailing more oppressive governments without fear of incarceration. This would require in-depth understanding of the culture of each group and how to appeal to their sensibilities, but there is no dearth of information and plenty of researchers have already done the legwork. With the diligent efforts of law enforcement, particularly the FBI and Interpol, some notable hackers of Anonymous and LulzSec have been apprehended, and doubtless a few will cooperate in exchange for commuted sentences or pardons.
While these hacktivist gangs may be annoying, the havoc they wreak pales in comparison to the potential threat of the cyber armies training in Iran, China, and other countries that intentionally or otherwise incubate anti-American sentiment. So, while there is a need to curb cybercrime and crack down (somehow) on offensive strikes, a strategic balance must be found whereby the fruits of openness on the Internet can be enjoyed and powerful adversaries are deterred from engaging in offensive warfare or retaliation. The problem of attribution greatly imperils this delicate balance, because the perpetrators of an attack can disguise themselves behind an army of proxies in a dozen different countries to make burning American flags appear on thirty thousand computers at a Saudi Arabian oil company, as happened last week.
Signals intelligence (SIGINT) is a powerful and controversial weapon in the hands of governments. Information sent via satellite can be intercepted by governments, after which the location of the sender can be bombed, as allegedly happened to the CNN war correspondent Marie Colvin just after she broadcast that Homs was being shelled by the Syrian Army. Experts on international law have been constructing the legal framework by which those who perpetrate these kinds of crimes against humanity with signals intelligence can be prosecuted in international tribunals. However, building a case for prosecution is complex due to the various provisions of the Rome Statute’s definition of crimes against humanity.
As such, cyber attacks may provide a handy proxy by which to conduct warfare without entering into a conventional armed conflict, which would allow for the ‘prohibited acts’ that usually constitute war crimes, like targeting hospitals and other civilian infrastructure, without reaching the threshold called for by the Law of Armed Conflict. Both state and non-state actors can take advantage of the intricacies of the laws of war and the asymmetries inherent in cyber conflict, but international human rights lawyers are not far behind, innovatively adapting the framework of international humanitarian law to the context of cyber warfare.
The financial, telecommunications, and civilian infrastructure of an enemy can be targeted with computer network operations (CNO) while avoiding the risk of accountability according to international law as long as military commanders can be assured that an enemy will not identify the origin of an attack. Although it may be convenient for the Chinese government to claim that an attack by its cyber corps was ‘unauthorized,’ or for the US military to blame rogue elements such as hacktivists, the existence of evidence is less important than that of a motive. It bears remembering that sophisticated cyber weapons, such as Stuxnet or the Frankenstein virus, are easily re-deployed against their creators. Nevertheless, in the cyber arms race, offensive and defensive CNO capacity presents a critical advantage by which a preemptive strike can disable command, control, communications, computer, intelligence, surveillance, and reconnaissance networks, on which modern military forces depend. This prospect may seem terrifying, especially when considering that this capacity is fundamental in Chinese military strategy. The result of CNO, however, is not annihilation but rather paralysis. Although there is the specter of psychological operations as a vector of CNO, which we see in the theatrical display of burning flags on computer screens, this new form of warfare is a penultimate alternative to nuclear war and may act as a deterrent to modern war.
If categorized in terms of costs, cyber warfare has a high financial cost and a low human cost relative to other forms of warfare. Just as with cybercrime, it is inconvenient and financially ruinous, but generally not life-threatening, except in the case of infrastructure attacks, which the US government has already designated as an act of war. Nevertheless, in view of the impracticality of adequate cyber defense, cyber diplomacy rather than legislative or security solutions may be more cost-efficient, although all three have merit. Cyber diplomacy would take the form of policy dialogue, mutual aid, such as information-sharing between national intelligence agencies, cyber armistices, and multilateral treaties containing effective enforcement mechanisms against aggressions in the cyber realm.
This is not to suggest that treaty obligations alone are an effective deterrent to engagement in cyber warfare, partially because, although there are potentially informative models in the nuclear disarmament treaties, cyber weapons are much easier than nuclear weapons to conceal. However, as an example, the US government has extremely detailed knowledge of the location, goals, and operating capacity of the cyber division of the Chinese armed forces. The likelihood of a cyber skirmish between the US and China escalating to a full military conflict is less than such a conflict developing between Israel and Iran, partially because there are fewer vital economic linkages to be protected. All the same, doomsday cyber scenarios should be greeted with suspicion. Interestingly, according to McAfee, the countries with the most aggressive cyber strategies are also the most vulnerable in terms of defenses: Iran and China.
Tim Tolka is an Analyst at 361Security