Perspectives on the Department of Defense Cyber-Strategy
Cyberattacks and the appropriate response are new territories in national security. While most attacks do little damage and their perpetrators are often unclear, the risk is growing.
October 2015 | by David Delaney
Cyberattacks regularly make the headlines. There have been military cyberattacks, like those used by Russia during its invasion of Georgia, and political cyberespionage such as the NSA programs revealed by Edward Snowden. And there has been state-backed economic cyberespionage, which topped the agenda during Chinese President Xi Jinping’s visit to the United States in September.
Another form of attack frequently occurs, but sits outside these three categories: aggressive cyberattacks during peacetime. Consider some recent state practice: In 2012, it was revealed that the United States and likely Israel had been targeting Iran’s nuclear program with cyberattacks: the first time a cyberattack had turned hot, doing physical real-world damage. In retaliation, Iran launched a major cyberattack in August 2012 on Saudi Aramco, releasing a virus, dubbed “Shamoon,” which replicated itself across 30,000 Saudi Aramco computers and took almost two weeks to recover from.
North Korea has also been active in the cyber realm. In November 2014, it struck at Sony after the company proceeded with its movie, The Interview, a farce that portrayed the fictional assassination of the North Korean leader. The attackers used the threat of terrorism to persuade theater chains in the United States to pull out of screening the film. And in March 2015, South Korea formally accused the North of cyberattacks on its nuclear reactor operator that had occurred back in December 2014.
Other examples include China’s attacks on code-sharing site GitHub, targeting pages that monitor Chinese online censorship and a Chinese-language version of the New York Times, and the 2014 Iranian cyberattack on Las Vegas Sands casino in retribution for comments CEO and majority owner Sheldon Adelson made about Iran.
Complicating the picture, it is not always nation-states that perpetrate the cyberattacks. As U.S. Director of National Intelligence (DNI) James Clapper has observed, profit-motivated criminals and ideologically motivated hackers or extremists also conduct attacks, such as the attacks carried out by the hacking collective Anonymous or the Russian jihadist group accused of hacking U.K. phone company TalkTalk.
The targets available to all of these actors are similarly varied. As several examples above illustrate, a state need not always target another state directly. States also direct attacks towards state-related facilities and corporations, private companies, and individuals.
Rhetoric suggests a growing acceptance that cyberattacks launched in peacetime will continue. In 2012, the United Kingdom’s then-Minister of State for the Armed Forces, Nick Harvey, made the case to the Shangri-La Dialogue that cyberattacks were “quite a civilised option.”
DNI Clapper has also acknowledged a permissive environment for these short-of-war attacks. In his statement to the Senate Armed Services Committee, he observed:
Numerous actors remain undeterred from conducting economic cyber espionage or perpetrating cyber attacks. The absence of universally accepted and enforceable norms of behavior in cyberspace has contributed to this situation. The motivation to conduct cyber attacks and cyber espionage will probably remain strong because of the relative ease of these operations and the gains they bring to the perpetrators. The result is a cyber environment in which multiple actors continue to test their adversaries’ technical capabilities, political resolve, and thresholds. The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation. Additionally, even when a cyber attack can be attributed to a specific actor, the forensic attribution often requires a significant amount of time to complete. Long delays between the cyber attack and determination of attribution likewise reinforce a permissive environment.
The frequent use of cyberattacks in peacetime suggests an alluring assumption: they offer states a means of expressing displeasure that is more forceful than a diplomatic statement but is short of lobbing a cruise missile into a foreign capital.
Although tempting, this view is short-sighted. More than 100 countries now have military and intelligence cyberwarfare units, and most of this capability has only developed in the last few years. It is hard to imagine miscalculations won’t occur. For example, it is difficult to predict the outcome of an attack on a power plant that might cause indirect deaths or on industrial facilities, such as the attack on a German steel mill late last year. When an attack causes deaths, the public will demand a swift response and the situation could escalate. This could occur through a response perceived as disproportionate, prompting a counter-response, or, if the attacking state is incorrectly identified and targeted, through retaliation by the aggrieved innocent state.
Various factors increase this risk. These include rapidly improving capabilities and proliferation of capability. There is also uncertainty over whether the perpetrator was a state, a state-backed entity, criminal, or extremist group, increasing the chances that the wrong perpetrator could be targeted. The appropriate response is similarly unclear. A threshold question is whether these peacetime attacks constitute an armed attack under international law. Once the attacks hit a certain level, for example causing mass casualties, the answer seems almost certainly yes (as the Pentagon has argued), but for lower-scale attacks the answer is less clear-cut.