Digital lines in digital sand in cyberspace – how does one define what “across the line” means? As governments around the world bring cyberwarfare into their wheelhouse, what does this mean for defense and cybersecurity? The US government is making moves to define policy around these topics in the face of known Russian government malicious activities and as fears mount over the consequences of the Ukraine conflict. What is our government doing and how worried should we be?
I think we should absolutely be concerned about what the government is getting up to in this arena. We are entering an era of a sort of “cyber arms race” where who has the best hackers, best defenses, etc. is in a constant state of flux. The sands are constantly in motion, which makes drawing lines all the more challenging.
First of all, how do you define cyberattacks and responses? A lot of people envision whole electric, sewage, and other utility grids going offline without warning. There are proposals to add digital attacks against any critical civilian infrastructure as a crime in the Geneva Conventions.
I spoke with an IT and Cybersecurity consultant and he stated,
“That stuff shouldn’t happen. Not to mean that it can’t, but it shouldn’t. Critical systems like that should be abstracted from the internet. What that means is that there should be no way from the internet to connect to those internal systems. They should be, oh, if not completely isolated, then have a few very, very secure layers in between, and should those be compromised or cut off, then the system should continue to run without issue.”
So what would a war-inciting cyber-attack entail exactly? Access to certain parts of the internet could be disrupted. You could theoretically attack news sites, government sites, or websites that provide the public with information. You could also hijack those, sending out your own messages, propaganda, whatever. However, this is fairly easy to disrupt.
Our consultant cited an instance from several years ago where a county website in Kentucky, frequented by lawyers, mortgage companies, builders, and landscapers to get property info, was compromised once, and it took them weeks to acknowledge the problem, much less fix it. It was ill-preparedness, pure and simple. How much spyware got onto law firm and construction company systems? We’ll never know.
This sort of incident could become a big problem when we consider compromised systems being used for information gathering and reconnaissance. If your target is critical infrastructure, infecting a construction company with spyware and stealing architectural drawings might be a big deal.
The most logical plan of attack is the financial sector. If you cut off people’s ability to purchase things online, transfer money reliably or securely, or do banking, you can cripple a lot of the economy of a country, if nobody trusts the internet anymore. Hit too hard, all at once, it could be devastating because people, simply, are not careful, and if too many of them lose faith in a system at the same time, it’s going to put a kink in everyone’s day-to-day life. If someone took out PayPal or Venmo, who declares war on whom?
However, most tensions around cybersecurity are founded in psychological manipulation, threats to financial security, and the disruption of services impacting day-to-day life. A big, permanent, catastrophic strike, comparable to the nuclear arms race, is difficult to imagine. The military approach of treating cybersecurity like a nuclear mutually assured destruction (MAD) scenario is inherently misleading and caricatures the wrong end of the crisis spectrum. The real threat is in more subtle ongoing interactions and targeted attacks compromising commercial systems.
Lastly, some food for thought lest we forget: this conversation is focused on government versus government conflict. Attacks against multi-national corporations, special interest groups, and cyber activity by known terrorist hotspots aren’t even on the table, but arguably compose a larger proportion of risk. The question “When does one country declare war on another?” has many layers. Can a corporation request a government response to an attack against them by a third party?
Let me know your thoughts in the comments.