Is Cyber The Perfect Weapon?

Joseph S. Nye, Jr., a former US assistant secretary of defense and chairman of the US National Intelligence Council, and University Professor at Harvard University, has this to say…

‘For years, political leaders have warned of the danger of a “Cyber Pearl Harbor.” Thus far, however, cyber weapons seem to be oversold, more useful for signaling or sowing confusion than for physical destruction.

Leaders such as former US Secretary of Defense Leon Panetta have warned of the danger of a “Cyber Pearl Harbor.” We have known for some time that potential adversaries have installed malicious software in our electricity grid. 

Suddenly the power could go out in large regions, causing economic disruption, havoc, and death. Russia used such an attack in December 2015 in its hybrid warfare against Ukraine, though for only a few hours. Earlier, in 2008, Russia used cyber-attacks to disrupt the government of Georgia’s efforts to defend against Russian troops.

Thus far, however, cyber weapons seem to be more useful for signaling or sowing confusion than for physical destruction, more a support weapon than a means to clinch victory. 

Millions of intrusions into other countries’ networks occur each year, but only a half-dozen or so have done significant physical (as opposed to economic and political) damage. 

As Robert Schmidle, Michael Sulmeyer, and Ben Buchanan put it, “No one has ever been killed by a cyber capability.”

US doctrine is to respond to a cyber-attack with any weapon, in proportion to the physical damage caused, based on the insistence that international law – including the right to self-defense – applies to cyber conflicts. Given that the lights have not gone out, maybe this deterrent posture has worked.

Then again, maybe we are looking in the wrong place, and the real danger is not major physical damage but conflict in the gray zone of hostility below the threshold of conventional warfare. In 2013, Russian chief of the general staff Valery Gerasimov described a doctrine for hybrid warfare that blends conventional weapons, economic coercion, information operations, and cyber-attacks.

The use of information to confuse and divide an enemy was widely practiced during the Cold War. What is new is not the basic model, but the high speed and low cost of spreading disinformation. Electrons are faster, cheaper, safer, and more deniable than spies carrying around bags of money and secrets.

If Russian President Vladimir Putin sees his country as locked in a struggle with the United States but is deterred from using high levels of force by the risk of nuclear war, then perhaps cyber is the “perfect weapon.” 

That is the title of an important new book by New York Times reporter David Sanger, who argues that beyond being “used to undermine more than banks, databases, and electrical grids,” cyber-attacks “can be used to fray the civic threads that hold together democracy itself.”

Russia’s cyber interference in the 2016 American presidential election was innovative. Not only did Russian intelligence agencies hack into the email of the Democratic National Committee and dribble out the results through Wikileaks and other outlets to shape the American news agenda; they also used US-based social-media platforms to spread false news and galvanise opposing groups of Americans. 

Hacking is illegal, but using social media to sow confusion is not. The brilliance of the Russian innovation in information warfare was to combine existing technologies with a degree of deniability that remained just below the threshold of overt attack.

US intelligence agencies alerted President Barack Obama of the Russian tactics, and he warned Putin of adverse consequences when the two met in September 2016. But Obama was reluctant to call out Russia publicly or to take strong actions for fear that Russia would escalate by attacking election machinery or voting rolls and jeopardise the expected victory of Hillary Clinton. 

After the election, Obama went public and expelled Russian spies and closed some diplomatic facilities, but the weakness of the US response undercut any deterrent effect. And because President Donald Trump has treated the issue as a political challenge to the legitimacy of his victory, his administration also failed to take strong steps.

Countering this new weapon requires a strategy to organize a broad national response that includes all government agencies and emphasizes more effective deterrence. Punishment can be meted out within the cyber domain by tailored reprisals, and across domains by applying stronger economic and personal sanctions. We also need deterrence by denial, making the attacker’s work more costly than the value of the benefits to be reaped.

There are many ways to make the US a tougher and more resilient target. 

Steps include training state and local election officials; requiring a paper trail as a back-up to electronic voting machines; encouraging campaigns and parties to improve basic cyber hygiene such as encryption and two-factor authentication; working with companies to exclude social media bots; requiring identification of the sources of political advertisements (as now occurs on television); outlawing foreign political advertising; promoting independent fact-checking; and improving the public’s media literacy. Such measures helped to limit the success of Russian intervention in the 2017 French presidential election.

Diplomacy might also play a role. Even when the US and the Soviet Union were bitter ideological enemies during the Cold War, they were able to negotiate agreements. Given the authoritarian nature of the Russian political system, it could be meaningless to agree not to interfere in Russian elections. 

Nonetheless, it might be possible to establish rules that limit the intensity and frequency of information attacks. During the Cold War, the two sides did not kill each other’s spies, and the Incidents at Sea Agreement limited the level of harassment involved in close naval surveillance. Today, such agreements seem unlikely, but they are worth exploring in the future.

Above all, the US must demonstrate that cyber-attacks and manipulation of social media will incur costs and thus not remain the perfect weapon for warfare below the level of armed conflict.’

Project-Syndicate.org
