Cyber attacks are inevitable, but can we fight back? (Part 2 of 2)

“Cyber warfare is as much about psychological strategy as technical prowess.” 
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

However, what if the attack is against a Northern country’s power grid in the dead of winter? This kind of attack would have military consequences if it were extensive. Most militaries, first responders, and many large organizations have backup power generation capability as well as stocks of fuel reserves, but these stores are not infinite. However, a cyber attack on a country’s infrastructure would likely have military consequences, and would definitely make the case for a cyber retaliation, or even a cruise missile strike, or even invasion.

Even if the country’s power grid were severely affected by a cyber attack and the government knew with a high degree of confidence who the guilty party was, there would be reasons for caution, primarily if the attack was an isolated incident and there were no other signs of hostility or harmful intent, because cyber attacks can have unanticipated consequences. With any military strike, collateral damage is always possible, but with most conventional attacks, methods of assessing and avoiding collateral damage are well-developed and based on well-established physics principles and observational experience. However, cyber weapons do not operate like missiles or tanks. They attack the underlying network or computer systems. The possibility of unexpected effects in cyberspace is much higher.

For example, a cyberattack on an electrical grid might be intended to knock out the lights in a specific location, but end up affecting a whole region’s energy supply. The world saw this potential with the Stuxnet worm, which was intended for a very specific, isolated Iranian control system; the worm was discovered precisely because it spread beyond its intended target into other related networked systems. Stuxnet did not attack other control systems, but only because the designers programmed in a self-destruct date. If the designers had been less cautious, its effects would have been much more widespread.

Therefore, before targeting a cruise missile at some cyber hub in a country, a country’s leadership would want to have at least some knowledge of both the intentions of the attacker and the consequences (including secondary effects) of the response; otherwise, the country might be starting a war by accident. However, a desperate foreign leader might miscalculate that he can get away with a surreptitious cyber attack on an enemy’s infrastructure for exactly these reasons, and that in and of itself is cause for concern.

Context can make a huge difference. It is relatively easy to assess the damage done by a cyber attack on a country’s infrastructure, but less easy to assess the intent of that attack. If a cyber attack seriously disrupts a country’s power grid during an ongoing war with a known aggressor, it is easier to strike back, with military force or with cyber weapons, because it is easy to assume the attack was intentional.

Alternatively, given that cyberwarfare is a great field leveller, a fearful foreign leader might lash out at a superpower if she or he fears one is on the verge of conducting a devastating cyberattack. The hostility might come in the form of a massive, pre-emptive cyber attack, a conventional attack, or in the extreme, even a nuclear salvo.

Since the ability to mount cyber attacks depends on keeping targeted vulnerabilities secret, both sides may fear that their adversaries possess capabilities that have far-reaching destructive potential, even when they do not. This fear in turn could increase the tendency toward pre-emptive action in cyberspace, followed by devastating escalation.

Cyber adds new and significant uncertainty to warfare and justice, making it difficult both to deter effectively and respond adequately. To this effect, an International Attribution Consortium consisting of a “broad team of international experts would provide independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academia and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017.

“International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider,” UK National Crime Agency