Is cyber warfare leading to a new type of arms race?
by Justin Stares
There are a surprising number of parallels between cyber warfare and nuclear warfare, reports PublicServiceEurope.com from the Security and Defence Agenda conference in Brussels
If countries go to war over the internet, doomsayers predict a "cyber-geddon" in which planes are brought down, vital electricity supplies switched off and hospital blood test records falsified. Optimists on the other hand say cyber "patches" would soon be devised that could bring an end to any attack within days, if not hours. "The thing is that we just don't know how much cyber-paralysis there would be," said Jamie Shea, the North Atlantic Treaty Organisation's deputy assistant secretary general for emerging security challenges. Whereas the effects of nuclear and chemical warfare are well documented - there have until now only been cyber-skirmishes, not cyber warfare. "Cyber-attacks have been a weapon of mass disruption, not mass destruction," added Shea.
How many countries have the ability to launch a cyber-attack? Talking on the sidelines of a debate in Brussels on Improving global cyber-governance, Shea referred to an estimated 100 states. He was, however, keen to point out that this figure came from the world of academia, not NATO. No country has officially admitted to possessing a cyber-arsenal, Shea told PublicServiceEurope.com. A suspected attack by Russia on Estonia, in 2007, has not been proven to an extent that would be required in a court of law. The attacks could have been the work of "patriot hackers", rather than the Russian government. A separate report that the United States military considered launching a cyber-attack on Libyan defence forces - before discarding the idea in favour of cruise missiles - remains just that: a report in an American newspaper.
Increasing state cyber capabilities nevertheless raises questions that in certain ways parallel the nuclear war debate, according to Shea. There is talk within multi-lateral forums of "confidence-building measures" between governments. First would come the issue of capability: will governments admit to their cyber-arsenal? This could lead to a type of cyber arms control. "Could the same models be applied to the cyber field as apply in the nuclear field," Shea stated. Would states make public just how much they are spending on their cyber defences? Would they accept inspectors with similar powers to those deployed by the International Atomic Energy Agency?
There are favourable precedents. The US and Russia have recently, and for the first time, made public the number of nuclear warheads they possess; both those deployed and those in storage. This kind of confidence-building measure has the benefit of preventing the adoption of "worst case scenario" policies that could lead to an arms race. Confidence building is also easier to implement than a fully-fledged international treaty. But what level of cyber activity would be deemed to be an attack? In a cyber war, would certain targets - such as hospitals - be considered off limits? Definitions and the rules of cyber warfare are still very much undefined, as are methods of cooperation. There is a need, Shea said, for a "harmonisation" of laws. "One country could go to another and say 'look, I'm not accusing you of anything, but the attacker is using your internet service providers'. The government concerned could help by freezing data, by shutting down rogue systems and botnets," he added.
Not only is there no common ground on preventing cyber warfare, there is still as yet no widely accepted definition of what constitutes cyber-crime. Neither is there agreement on how prevalent cyber-crime is, according to the panelists in Brussels. Some estimated that cyber-crime could be as big as the narcotics business. According to others, it has been "over-hyped". Panelists at the debate were, though, in agreement on one thing: there was a need for greater "real-time" information-sharing on cyber threats. "The bad guys share - as an industry we generally do not," said Raj Samani, vice president and chief technical officer for McAfee, a virus protection specialist. It was, he said, "imperative that we come together".
While industry and public authorities were generally considered insufficiently prepared in terms of their business-continuity plans, there was one reassuring message: whatever the motivation of a cyber-attacker, he or she was unlikely to take down the internet itself. According to Jeff Moss, vice president and chief security officer at the Internet Corporation for Assigned Names and Numbers, there were four types of hacker. Governments used the internet to search for secrets; organised crime was in search of money; protestors used the internet to draw attention to themselves; while researchers were after knowledge. "All need the internet to function," Moss said. "Is it possible to have a fifth group whose interest is not to have a functioning internet?" He had pondered this question for many years and had not yet identified such a group, he told the Brussels gathering, which was organised by the Security and Defence Agenda think-tank.
Cyber warfare advancing at a rapid rate
From state-sponsored malware attacks to credit card fraud, the online security landscape has altered dramatically in a very short space of time – writes Paul Davis