When Do Malware and Cyber Attacks Become a Weapon or Act of War That Warrant a Real-World Response?
From hackers targeting the U.S. power grid to the emergence of Stuxnet, the evolution of cyber-attacks in the wild has challenged the way military and intelligence professionals define the rules of war. Deciding when malware becomes a weapon of war that warrants a response in the physical world – for example, a missile – has become a necessary part of the discussion of military doctrine.
Along those lines, officials at the Pentagon outlined earlier this month their working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as a result.
“Without question, some activities conducted in cyberspace could constitute a use of force, and may as well invoke a state’s inherent right to lawful self-defense,” the 12-page report reads. “In this context, determining defensive response to even presumptively illegal acts rests with the Commander-in-Chief.”
“As in the physical world,” the document notes, “a determination of what is a ‘threat or use of force’ in cyberspace must be made in the context in which the activity occurs, and it involves an analysis by the affected states of the effect and purpose of the actions in question.”
A key element of the country’s strategy is one of deterrence, which the Pentagon says relies on denying enemy objectives – via improving cyber-defenses – as well as developing offensive capabilities. This doctrine is an “all options are on the table” approach to deter an attack, said Anup Ghosh, CEO of Invincea.
“A proportional response is not necessarily a deterrent,” he said. “By declaring kinetic options are on the table for a response, the U.S. is hoping to deter would-be hackers and nation states from launching a crippling attack with the threat of violence. Given the difficulty in attributing attacks in cyber space, the US must exercise great caution in launching retaliatory strikes — both kinetic and cyber — or else risk escalating conflict wrongfully.”
“Again, these odds are significantly in favor of the cyber adversary here as anonymity in launching attacks is relatively easy,” he added.
Attribution is naturally a vital ingredient in any cyber-security strategy, and the Department of Defense (DoD) said it is working with researchers within the DoD and the private sector to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. The DoD also said in the report that it is building out its cyber-forensic capabilities and expanding on international partnerships to increase situational awareness.
Pointing the finger at other countries brings a number of difficulties to the table. In their follow-up analysis of a series of targeted attacks known as LURID, Trend Micro senior threat researchers David Sancho and Nart Villeneuve noted that determining who is behind targeted attacks requires a “combination of technical and contextual analysis as well as the ability to connect disparate pieces of information together over a period of time.”
“Moreover, any one researcher typically does not necessarily have all of these pieces of information and must interpret the available evidence,” they wrote in a joint blog post on LURID in September. “Too often, attribution is solely based on easily spoofed evidence such as IP addresses and domain name registrations.”
But if a country is going to fire a missile at someone, it better be sure it has the right target, opined Chester Wisniewski, senior security advisor at Sophos.
“Attribution in cyber attacks will always be an issue,” he said. “I would expect that the threat of kinetic force would only be in extreme cases and is a strong message to dictators in hostile governments not to sabotage the US through electronic means.”
The issue is further complicated by the prospect of an attacker located in one country using servers located in another to launch attacks on the U.S.
“The interconnected nature of cyberspace poses significant challenges for applying some of the legal frameworks developed for specific physical domains,” according to the report. “The law of armed conflict and customary international law, however, provide a strong basis to apply such norms to cyberspace governing responsible state behavior. Significant multinational work remains to clarify the application of norms and principles of customary international law to cyberspace.”
Because attacks cannot easily be traced to their origin, the offensive capabilities of the United States provide no real deterrent to would-be attackers, Ghosh said. The government, he argued, needs to re-tool its defenses and change its approach from reacting to attacks to architecting networks and employing tools that prevent attackers from gaining a foothold on government networks.
“The reality is our networks are open to attack because the methods we use to defend against attack require foreknowledge of the attack signatures,” he said. “A widely held misconception in the U.S. government is our offensive capabilities provide defensive advantage by identifying attacker toolkits and methods in foreign networks prior to them hitting our networks. Unfortunately, the signatures of the attack tools and methods change with each incident, making foreknowledge of the methods ineffective as well as even sharing signatures after an attack.”
“The technologies and approaches to move from reactive to proactive defenses exist, it’s a matter of leadership, vision, and will to make this happen,” he said. “Pouring resources into offensive capabilities does little to nothing to defending our government or critical infrastructures against attack.”
The problem with mandating types of responses – a cyber-attack in response to a cyber-attack, for example – is that it limits the nation’s ability to respond to threats as needed, said John Burnham, vice president of corporate marketing for Q1Labs.
“Unfortunately, these aren’t black-and-white scenarios, and…the US should work with cyber experts to develop appropriate responses,” he said.