Cyber-Aggression and Its Discontents
All of the ‘four horsemen’ of cyber-aggression – cyber-war, cyber-terrorism, cyber-crime and cyber-espionage – are serious. Not all are urgent
The age of cyber-warfare is upon us. So say the soothsayers. Their voices are many, varied and urgent. They range from presidents and security chiefs, to principals of private sector security firms. US President Obama, writing in the Wall Street Journal on July 19th, 2012, called the cyber-threat “one of the most serious economic and national security challenges we face.” Also in July 2012, Keith Alexander, the Director of the US National Security Agency (NSA), labelled cyber-espionage the cause of the “greatest transfer of wealth in history,” citing data on cyber-attacks against US companies that have siphoned off vast quantities of intellectual property and industrial information. General Alexander also mused about the militarization of cyber-attacks, which he regards as an inevitable development that poses challenges greater than those that Cold War nuclear deterrence strategies were designed to meet.
Jonathan Evans, the Director General of the British Security Service (MI5), has also lent his voice to the chorus, noting that cyber-security rivalled terrorism as a key security challenge facing the UK. According to him, “the extent of what is going on is astonishing – with industrial scale processes involving many thousands of people lying behind both state-sponsored cyber-espionage and organized cyber-crime.”
A multiplicity of studies from private sector IT security firms documents the firms’ own struggles with cyber-attacks. Recently, for example, a Dell security unit reported on a year-long study of the cyber-espionage threat, calling its findings “disturbing.” The Dell SecureWorks Counter Threat Unit found more than 200 unique “families” of custom malware used in cyber-espionage campaigns, and more than 1,100 Internet domain names registered and used by cyber-espionage actors for hosting malware or for spearphishing. The industry acronym for this activity is telling: APT, or Advanced Persistent Threat.
Of course, our demonstrated instinct is to rush collectively to the trenches and the cyber-shelters, beef up resources, promulgate cyber-security strategies, harden systems, pump vast amounts of hard currency into the effort to stem the threat, and finger alleged perpetrators in an escalating war of words. The NSA has estimated that, in 2011 alone, one trillion dollars was spent globally on dealing with cyber-espionage and cyber-crime. And in a sign of where all of this might be heading, a report prepared for the US Congress by the Office of the National Counterintelligence Executive, issued in October 2011, openly named China as the world’s most active and persistent perpetrator of economic spying against the US. However, before we decide that the sky is falling, and that we have seen the enemy, some clarity ought to be brought to the definitional morass in which the debate on what we may call ‘cyber-aggression’ finds itself. In other words, in order to understand the nature and scale of the threat – present and future – we first need to be a lot plainer about what it is that we are talking about.
Cyber-aggression can take various shapes – each determined by the actors involved, the methodologies used, the intended target and the anticipated outcome. Four types of cyber-aggression – the four ‘cyber horsemen,’ as it were – grab our attention: cyber-warfare, cyber-terrorism, cyber-espionage and cyber-crime. Though they are often depicted, Dürer-like, as riding in a tight pack, it is important to distinguish between these in order to decide on priorities, and to outline appropriate policy options. Apocalyptic language and, worse still, linguistic drift from discussions of one type of cyber-aggression to another are unhelpful in the extreme.
Of the four cyber horsemen, two constitute, at best, future threats: cyber-war and cyber-terrorism. Both are hyped, but they are both over-the-horizon dangers. Cyber-war means the deliberate use by state or non-state entities of cyber instruments as a military weapon in order to advance a campaign of military aggression in the international system. Proponents of the cyber-war threat might argue that it has already arrived, and point to cyber-attacks that coincided with Russian aggression against Estonia in 2007 and Georgia in 2008. Still, even these examples, for which we lack compelling evidence, do not quite meet the definition.
There is good reason to think that cyber-war might remain a futuristic threat. We have Clausewitz’s famous dictum – war as the continuation of politics by other means – to thank for this. Short of all-out war designed to cripple and destroy an adversary at all costs, it is hard to see cyber-warfare as securing any lasting political or grand strategic objective. It also remains hard to see cyber-warfare as likely to succeed in completely crippling the electronic nervous system of a target.
Even if we grant cyber-warfare a possible status as the nuclear weapon of the future – capable of doing existential damage – this begs the question of whether, like nuclear weapons systems, it will eventually become an unusable instrument of war – too destructive in its unleashing to match any war-related goal, and subject to a strong deterrence calculation along the lines of the Cold War logic of mutually assured destruction.
If all-out cyber-warfare looks unlikely, it is less hard to see a role for ‘limited’ cyber-warfare. And yet even this presumes state-on-state conflict, and raises inevitable concerns about climbing undesirable escalatory ladders once the cyber weapon is deployed. For now, we should consider cyber-warfare not as a current threat, but as a form of military R&D that has run ahead of the laws of war and floats free of military doctrine. As military R&D, it is relatively harmless, but it needs to be brought back to Earth in terms of efforts to figure out how it fits into the laws of war, and how it advances military doctrine – especially with regard to political/strategic objectives. Some hard thinking also needs to be done on costs and the relative advantage of pushing cash into cyber-warfare capabilities, as opposed to other military instruments.
Like cyber-war, cyber-terrorism is very much on the national security agenda, as well as on the minds of the global community of ‘securicrats.’ And like cyber-war, it is a future threat – if a threat at all. The question of what we mean by cyber-terrorism is pertinent, as the definitional envelope is sometimes stretched to cover the ways in which terrorist organizations use the Internet and electronic communications in order to build up their capacity and image through propaganda, recruitment, fundraising, cell formation and even virtual training. This use of the cyber realm is distinguishable from its deployment as a weapon of direct attack to damage the capacities of an enemy, and to create ‘terror.’ Cyber-terrorism should be used only to refer to the use of cyber-weapons for terrorist strikes, not capacity building. For now, there has been surprisingly little indication of any such offensive activity. This may reflect a lack of terrorist capacity, knowledge of the enemy, or will, or some combination of all of these. It may just be that the cyber-attack ill suits the intended psychological shock effects of terrorism. It may be that a cyber-attack is harder than it looks for non-state actors. Of course, we cannot rule out the possibility that cyber-terrorism will become a reality in the future – not least because terrorist groups are not hindered by some of the constraining calculations that should deter state actors from any massive, doctrinal use of the cyber weapon. But capacities to deal with any future cyber-terrorist attacks will arrive as a by-product of efforts targeted at more clear and present dangers.
Unlike cyber-war and cyber-terrorism, cyber-espionage and cyber-crime are just such clear and present dangers. They are easily conflated as threats. Cyber-crime is driven by the profit motive, largely targets the private sector – to wit, intellectual property, commercial secrets and useful private data – and, as best as we can tell, is rarely a state enterprise. There is no denying the damage that it can do. The first question is: who is the sheriff? Is it the state, in an expanded version of its ‘night watchman’ role? Or is it really the private sector itself, with its huge stake in securing proprietary information, and its obligations to protect the privacy of customers with whom it interacts? Many commentators would like to see the state strap on its star and gun belt in order to clean up the town. But there may well be more wisdom in seeing efforts at preventing cyber-crime left predominantly in the hands of the private sector, with a modicum of state regulation of standards of protection in critical sectors (banking, health care, critical infrastructure) and some partnership arrangements between state intelligence, security and law enforcement agencies in order to assist the private sector in keeping up with the latest global trends in technology and cyber-attacks. Not only should the private sector bear the brunt of protecting its own data and its networked proliferation, but the private sector may actually be better than the state at doing the job. At the very least, the private sector needs to understand that if it is currently not good at data protection, then it had better get up to speed fast, because there will be no other real sheriff in town.
If cyber-crime prevention, under this model, seems to leave the state at the margins, then there remain two distinct and important functions that states can play. One is to maintain in their intelligence systems a collection and analytical capacity in order to give themselves strategic-level knowledge of trends in cyber-crime, and to keep tabs on the development of any worrying ‘cyber-crime’ states – that is, states that might be contributing to the advent of cyber-crime either through lax internal controls, poor law enforcement, or deliberate collaboration with criminal elements. The other role for states is to work with the international community in order to monitor trends in cyber-crime, help create norms, and explore the prospects for the development of an international law on the worst forms of cyber-crime.
What of cyber-espionage? Here the role of the state is different, and indeed much larger. Cyber-espionage involves both the realms of state offensive and defensive action. On the defensive end – or cyber-counter-espionage – the state is confronted with the age-old problem of protecting secrets in the face of a new version of the espionage threat. This version posits a virtual and often very stealthy agent nosing its way into sensitive data, and capable of siphoning off vast quantities of material – well beyond the dreams of Minox-toting agents from the Cold War era. But if the cyber version of the threat is new and potent, it remains the case that the traditional security requirements are still operable. In other words, there remains a need for adequate security vetting of personnel with access to sensitive data, for robust measures to protect physical and virtual data from unauthorized access and usage, for a culture of security consciousness, and for proactive capabilities to anticipate threats and to detect and follow intrusions – if possible, to trace them to their point of origin. This may be a tall order in a world of cyber-communications and ‘big data’ storage, but there is something reassuring about the fact that cyber-counter-espionage is merely a variant on past practices, for which many national intelligence and law enforcement systems have plenty of stored experience.
If cyber-counter-espionage is a variant of the past, then the same can surely be said of the offensive use of cyber-espionage against foreign targets. Cyber ‘Int’ (CYBERINT) has entered the pantheon of other, long-established intelligence collection methodologies, taking its place alongside HUMINT (human intelligence), SIGINT (signals intelligence), IMINT (imagery intelligence) and OSINT (open source intelligence). CYBERINT bears closest resemblance to SIGINT, and for many intelligence systems, established SIGINT agencies will find themselves extending their work into the cyber-espionage field with an attendant shift in operational focus from identifying and penetrating communications networks, to identifying and penetrating key command-and-control computer arrays, key computer work stations hosting valuable data, and critical data storage sites. Cyber-espionage, for all the hype, is really just an extension and adaptation of an intelligence methodology that has been around since WW1.
The key difference between traditional SIGINT operations and the new world of CYBERINT is that there now exists the prospect – and maybe the reality – of the outsourcing of cyber-espionage to private sector actors and patriotic hacker groups. This might have been a feature of the conduct of the aforementioned cyber-operations by Russia in 2007 and 2008, and seems to be part of the modus operandi of Chinese cyber-espionage, where we appear to see the emergence of a Chinese military-cyber complex involving a murky partnership between the Chinese military, the Chinese academic sector and organized private groups. If true in either or both the Russian and Chinese cases, then it manifestly extends the reach of cyber-espionage, adds to the potency of states that have the capacity to construct such public-private ‘complexes,’ and deepens the problem of attributing cyber-espionage attacks to their source. Still, it does not fundamentally affect cyber-counter-espionage.
As noted, one of the principal characteristics of successful cyber-espionage operations is the ability to acquire – potentially invisibly – quantities of sensitive data on an unprecedented scale – what Jonathan Evans, the MI5 director, referred to as “industrial-scale” processes. Of course, the siphoning off of ‘big data’ also requires an ability to sort, search, filter and make sense of vast data pools. Search engines will be of some assistance, but the question that ‘industrial scale’ cyber-espionage raises is whether the state or other actors involved will have the capacity to sort wheat from chaff, or find the needle not in an information haystack, but in an information mountain. Cyber-espionage therefore brings to the fore a key challenge for intelligence systems – noted long ago by the late Roberta Wohlstetter in her pioneering study of the Pearl Harbor intelligence failure: the need to identify true signals against the background noise of false, misleading and irrelevant information.
If CYBERINT is but a new tool in an old intelligence tool box – rather than a revolutionary espionage instrument – there nevertheless remains a way in which cyber-aggression has fundamentally changed the global espionage equation. This has less to do with intelligence acquisition, and more with the use of cyber-intrusion tools by spy agencies in an action mode – what during the Cold War was called ‘covert operations.’ In the past, covert operations run by intelligence services were designed to disrupt and ultimately overturn the political regimes of vulnerable states deemed to be unfriendly or adversarial in a global contest for influence. Consider Iran, Guatemala, Cuba and Chile – to name only some of the US-inspired operations. (The Soviets had their share, as well.) Cyber-covert operations may share some of the characteristics of conventional Cold War efforts, including relative cheapness, quickness, bloodlessness and the all-important element of leadership plausible deniability. Yet the capacities of cyber-covert operations truly outstrip those of the past. The potential to cause vital damage to selected aspects of the economic or military-industrial capabilities of a foreign adversary, as demonstrated by first-generation efforts like the Stuxnet and Flame viruses targeting Iranian nuclear infrastructure, is out of scale with all past capacities for sabotage – while still retaining the veil of plausible deniability, and allowing for escalatory ceilings short of all-out war.
If the age of cyber-covert operations is now upon us – and it likely is – then we need to start devoting a lot more thought to the limits on its use, its impacts (recalling that nearly all Cold War era covert operations ended in long-term failure), its proliferation, as well as on playing defence. It would be one more terrible irony of history if, while recognizing the arrival of the new age of cyber-covert ops, we failed to appreciate the still relevant lessons of the Cold War past. The three main faults of the historical use of covert operations were its reliance on distorted assessments of the dangers posed by internal developments in foreign states, an exaggerated sense of the prospects for plausible deniability (the veil was always torn off relatively quickly), and a lack of care about long-term outcomes. To this list we should add the absence of any moral compass in the deployment of covert operations. It would behoove the global community to recognize and try to avoid these mistakes.
Hanging over all current debates on cyber-aggression and the threats posed by our four cyber horsemen is the assumption that the offence has, and will always have, the upper hand over the defence. To borrow from history, and in particular from the history of SIGINT operations, the more likely scenario is one of a constant cycle of change from offensive to defensive superiority, and then back again. Where any actor ends up in the cycle will depend on technological innovation and capacity. But it would be wrong to assume that the race has already been won.
For the present, the offence does seem to have the decided upper hand, and the defence has been slow to mobilize. We can also spot the current leaders in the world of cyber-espionage: Russia and China are on top. Both are frequently identified perpetrators – even if we know relatively little about their systems of cyber-spying. That Russia and China should, at present, top the list of cyber-superpowers is far from surprising. Both possess the technological know-how to engage in cyber-aggression. Both possess authoritarian political systems that remove some of the constraints on the untrammelled use of the cyber weapon. Perhaps most interestingly, both are adapting their traditional intelligence gathering techniques to the cyber age. Their traditional reliance on mass espionage activities using human agents to collect as much information as possible is easily transferable to the age of the cyber-spy. At the same time, what we know of their espionage history suggests that neither state was very capable of utilizing the information that their spy agencies collected. It is not far-fetched to presume that a historical inability on the part of authoritarian regimes to use intelligence well has also been transferred into the cyber age.
If Russia and China currently stand at the pinnacle of the league table of global cyber-spies, what about the league table for cyber-covert operations? Here the US and Israel appear to lead, driven by a combination of technological capacity, experience with covert operations, and indeed need – with particular focus on covert cyber-efforts to slow down the progress of the Iran nuclear programme.
Whither cyber-aggression in the next decade or two? Criminologists can place their bets on organized crime groups and their propensity for cyber-crime. The world’s leading militaries will do their R&D on cyber-war. Terrorist groups might start to explore cyber-terrorism. When it comes to cyber-espionage and cyber-covert operations, some of the building blocks for long-term success will include: long-term investments by the state in proportional, risk-based defence; a strong private sector capable of defending itself; superior education and knowledge-building sectors; pre-existing and strong intelligence systems and cultures; and maybe even democratic political structures.
The history of modern intelligence tells us that, broadly, democratic polities are much better placed to use intelligence well as compared to authoritarian polities. The same will probably hold true for the cyber age. Democracies will also have a much greater stake in the idea of keeping the global Internet alive, healthy and open. While this creates opportunities for adversarial cyber-spies and covert operators, it also creates the knowledge base and incentives for democratic societies to ultimately emerge as cyber age winners – better at defence, and selectively better at offence.
Wesley Wark is Professor at the Munk School of Global Affairs, University of Toronto, and also Visiting Research Professor at the Graduate School of Public and International Affairs, University of Ottawa.