Last week, Endgame CEO Nate Fick and The New York Times reporter Nicole Perlroth discussed the future of cyberwar and its impact on national security at the Computer History Museum in Mountain View, CA. The conversation ranged from the asymmetric nature of today’s cyber attacks to the difficulty of attribution to how the US government can successfully deter its enemies in the digital domain. The entire conversation is available online, with the key topics summarized below.
The Decreasing Barrier to Entry
Nation states and criminal groups now have access to tools that were once reserved for the highest classified environments of great powers. For instance, recent global ransomware attacks such as WannaCry and NotPetya leveraged the leaked exploit EternalBlue. Although this is changing the game, attackers also continue to achieve great success from much less sophisticated attacks that take advantage of expanding connectivity. The most connected organizations may also be the most vulnerable due to the expanding attack surface, which is largely driven by the internet of things and the accessibility of social media information. Even organizations with robust defenses are now compromised thanks to the rise of social attack vectors, such as malware implanted in take-out menus or Word documents. The combination of accessible open source digital weapons and an expanding attack surface has dramatically lowered the barrier to entry for attackers.
The Cyber Domain Mimics Geopolitics
The escalation of digital offense mirrors the ebb and flow of geopolitical conflict and cooperation. Following World War II, the U.S. and democratic countries shaped a global order that helped deter great power war and limit the escalation of conflict at a global scale. The post-war deterrence system is no longer effective. Today, deterrence stops at the keyboard. Just as Russia has become more brazen in the physical world, such as the invasion of Crimea, its cyber activity likewise has a growing range of target sets and impact. Similarly, China seeks more global leadership across a range of issues, and is pushing forth its own narrative and objectives to foster cyber sovereignty and state control of digital information. In some ways, its behavior has changed following the 2015 Sino-American agreement, but these changes are more so in tactics and techniques. Alternatively, North Korea’s behavior in the digital domain mimics its increasingly brazen and unpredictable behavior in the physical realm. In short, a geopolitical lens is essential to understand the current and future range of attacks in the cyber domain.
A Major C-Suite Change in Addressing Cyber Attacks
Over the last five years, there has been a dramatic shift in the C-suite when it comes to cyber attacks. Five years ago, it was sufficient for executives to tell the board of directors that their defenses were good, and the CIO had information security covered. That is no longer the case, with executives fired, class action lawsuits filed, and growing reputational, financial, and even physical damage following cyber attacks. The C-suite can no longer view cyber risk as exogenous to a business risk framework. Increasingly, cyber risk is integrated into the larger business risk framework. In general, cyber risks can be categorized into those risks which must be accepted, those which can be transferred (such as to insurance), and those which must be mitigated via people, processes, and technology. Moreover, because of the feeling of helplessness following these attacks, there is a growing conversation about, and even implementation of, hacking back. Problems of attribution, limited success, and the lack of escalation dominance (among numerous reasons) render hacking back a dangerous, unsuccessful, and illegal course of action.
The Laws of Armed Conflict Must Extend into the Cyber Domain
The perspective that cyber attacks only warrant a cyber response has limited the development of doctrine and policy to deter these attacks. Cyber attacks are a tool of statecraft, the effects of which should fall under the law of armed conflict. By decoupling cyber attacks as something solely within the cyber domain, a broader and more coherent response framework can be employed through the laws of armed conflict. This doctrine must include proportionality and noncombatant immunity. Responses to cyber attacks should be proportional to the effects of the attack, similar to the law of armed conflict in the physical world. Importantly, proportionality of response is not limited to a cyber tit-for-tat framework, but opens up the range of potential responses such as military or economic retaliation. In addition to proportionality, noncombatant immunity is also an essential component of the laws of armed conflict. Attacking an energy grid may fall within the laws of armed conflict during wartime, but targeted cyber attacks on Ukrainian hospitals by Russia or the disruption of British hospitals due to WannaCry not only may violate laws of armed conflict during wartime, but also may violate norms of peacetime behavior. Until a declaratory and escalatory framework is formulated in adherence to the laws of armed conflict, escalation will continue. Importantly, the government should maintain the monopoly on the use of force, and global norms must help shape the appropriate rules of the road.
The discussion concluded by focusing on the cumulative effects of these trends, and whether any theorists may be the most applicable when contemplating the future of war. Nate drew upon St. Augustine and Thucydides, with the roots of just war theory and the steadfast nature of human conflict. Just because we have a new set of tools, it doesn’t mean these rules are no longer applicable. In fact, they are more necessary now than ever. Given how many ‘wake-up’ calls and watershed moments have occurred over the last few years, there is growing concern about the ongoing, creeping nature of these attacks on the erosion of confidence in the connected world and global institutions. From credit scores to bank balances to electoral outcomes, adversaries are increasingly finding ways to undermine confidence in those core institutions that have prompted global economic and democratic development for the last seventy years.