Where battlefields and crime scenes were once limited by physical geography, the world wide web has opened up a space for strife that is borderless and multidimensional, while being dangerously interconnected.
Such widely reported cyber operations as North Korea’s criminal hacks, the United States’ deployment of offensive worms to disable Iran’s nuclear programs and Russia’s use of sophisticated cyber strategies to influence Western elections are barely the tip of an expanding iceberg.
Despite being a borderless space, the web requires no passport or vessel to navigate, enabling both attacker deniability and/or proxy attacks, with non-military assets such as hackers and criminals being weaponized by states. Vulnerabilities are multidimensional and worrisome: Personal information linkages to national infrastructure put actual national security in peril.
On this vast, chaotic and often anonymous technological battleground, traditional concepts such as deterrence and arms control are restricted, and internationally recognized moral and proportional limitations on action – regulated in the physical space by treaties such as the Hague and Geneva conventions – are lacking.
In digitally advanced Asia, the vulnerabilities are particularly grave. But at the Seoul Defense Dialog conference, held at the Chosun Hotel last month, while global experts in the Cyber Security session pointed out the vulnerabilities societies face, solutions are far from obvious against a threat that is multilayered and multidimensional.
‘Fifth domain of warfare’
“We have seen a blurring of actors and the purposes they fulfill,” said Ewan Lawson, a senior research fellow at the UK’s Royal United Services Institute (RUSI), noting that “script kiddies” (individuals of small groups seeking to showcase their skills) “hacktivists,” (groups such as Anonymous who use cyberspace for political messaging), criminals, terrorists and states make up a vast spectrum of potential online threats.
“We see criminals acting on behalf of states and states engaging in criminal activity,” Lawson added. Identifying and proving that deniable actors or proxies are, indeed, state-sponsored, is problematic. “Using criminal actors is like the use of privateers – merchant sailors as pirates with the authority of the state,” Lawson said. “That can help us understand what we are seeing but like all analogies, you can only take it so far.”
Even so, he agreed on one analogy: After land, sea, air and space, cyberspace is emerging as “the fifth domain of warfare.”
If the number of threatening actors has expanded, so has the range of related targets and vulnerabilities.
“Many functions – such as commerce, healthcare and finance – that used to separated are now being combined in cyberpace,” said Kwon Hyuk-jin, Director General of the Information Planning Bureau at South Korea’s Ministry of National Defense. “Everything smart has a problem with it: All infrastructure is now interdependent, so one attack on a power grid can impact transport and communications – all layers can cascade,” added Professor My T. Thai, a professor of Computer and Information Science and Engineering at Florida University. “If you put human behavior into the picture you get more problems – you get panic.”
The convenient connections which link average citizens with national infrastructures provide handy infiltration routes for cyber attackers; smart grids make particularly accessible targets. “Many private sectors embed social networks on top of smart grids, just to share info,” Thai explained. “However, if you exploit this vulnerability of social networks you can create a problem on the smart grid itself. It is very simple.”
The multidimensional range of actors, vulnerabilities and targets raises the question of who should respond when an attack is discovered – local or corporate security solutions and assets? National intelligence bodies? The military?
“The fundamental role of the military is to protect the national cyber domain from state-sponsored or terrorist attack which may be beyond the response capacity of private entities,” said Jun Osawa, a senior research fellow at Nakasone Yasushiro Peace Institute.
But in reality, jurisdictions are not so simple. “I am comfortable that cyberspace represents a fifth domain of warfare,” said RUSI’s Lawson. “But if we overuse that phrase, the military becomes a response to all these problems. Many of these problems should be not be dealt with on a military basis.”
That is particularly the case in democracies, where the military is constitutionally firewalled from many areas of civil activity. “Can the military interfere? If so how and when?” asked Thai. “In cyberspace, it is hard to define what the scale of the attack is, and when the military should interfere or not.”
Even in cases where it is determined that an attack goes beyond criminal activity to become a national security threat, and the military is engaged, related international acts, standards and treaties are lacking.
“In physical war you can see it, and see when it begins and ends, so parties can discuss how to respond as they have common understanding, but when it comes to cyberspace it is not visible or tangible,” said Kwon. “There is a need for international law that governs how we act in cyberspace.”
The formulation of a cyber arms control acts presents huge problems. “How do we do arms control with a series of 1s and 0s?” asked Lawson. Indeed, the legal and ethical boundaries of cyber warfare are currently vague. “The ethics of cyber espionage are problematic,” the RUSI expert continued. “We do it and criticize others, it is about understanding where the boundaries of acceptability are.”
Different concepts of what constitutes an attack create further complications.
“There is a problem of language,” Lawson noted. “The phrase ‘cyber attacks’ used to cover everything from disruption of a power grid to election interference to provision of so-called fake news through bots and social media. We need a better, clearer shared understanding of cyberattacks.”
Upgraded alliances, international treaties, hybrid responses
As is the case with all military activity, early threat identification and response – or prevention – is key. This means local and national communication on cyber security needs to be upgraded.
Early response systems are critical and will require upgraded communications. “If we can identify cyber threats earlier rather than late we can move into the direction of prevention strategies rather than response strategies,” said Kwon. “For the past 10 years, the patterns of cyber threats have changed. Many are targeted and more sophisticated and more comprehensive, so require a national-level concreted response. To identify signs of cyber attack, it is important to share data and information.”
Given that corporate bodies are subject to attack, Lawson suggested a “re-conceptualization of national security” – one that moves onward from a top-down model: “Now, we need a much more joined-up approach – much more of a peer-to-peer relationship than a top-down one from the government,” he said.
But if national-level communications need to be upgraded, so do international-level communications. This means traditional alliances can extend their roles and jurisdictions from the physical battlespace to cyber warfare.
“We have to come up with a cyber warfare act as soon as possible,” said Kwon. “I understand the international community is working hard to establish cyber norms.”
He referenced the UN – which has a related working group – and NATO as bodies Seoul is seeking to work with. Meanwhile, Microsoft has proposed a “Digital Geneva Convention,” and such transnational bodies as the Organization for Security and Cooperation in Europe are studying the problem.
But any traditional treaties are going to face hurdles being translated into cyber war language. “Ultimately, arms control is going to be a way to go about it, but I am not sure technically what you can do in this model,” said Lawson. “It is about what is mutually acceptable behaviors, rather than counting ones and noughts.”
Finally: How should nations deter against or respond to cyber attacks? In both cases, these concepts should not be limited to the cyber battlespace, experts argued; hybrid strategies are required.
To begin with, in cyber war, “deterrence” is a problematic concept. “We are talking about moving from relatively straightforward concepts of nuclear and conventional deterrence to multi-domain deterrence,” said Lawson. “In the first instance, deterring bad activity in cyberspace does not require a response back through cyberspace.”
The latter issue points back to deterrence theory and where an enemy’s vulnerabilities may lie. “Deterrence is about raising the costs of an action so the aggressor thinks it no longer worthwhile to do,” Lawson continued. “The focus on deterrence by punishing is from nuclear deterrence, so now we need to think who or what we are trying to deter: What is the actor and action? What are the levers of national power?”
When it comes to retaliation, Osawa suggested responding assymetrically – albeit, without using conventional military weapons.
“Western allies have to employ new strategies on comprehensive cyber deterrence,” Osawa said – suggesting that financial sanctions are one proportional and workable tactic.