Security Experts:

Rise in State-sponsored Cyber Espionage: The Tipping Point of Cyber Warfare?

News emerged last week that a hacking group known as The Equation Group had itself been hacked by a separate group known as the Shadow Brokers. The release by Shadow Brokers of what now seems almost certainly NSA hacking tools is significant not because it happened, but why it happened. If the hacked Equation Group is in fact connected to the US government; the Shadow Brokers group relate to the Russian government; and the hacked cyber weapons were acquired by Russia in 2013, then the most important question is not what are these cyber weapons, but why has Russia released them now?

If you follow Edward Snowden's argument, this is a warning shot from Russia. With the tools now in public hands, any hack that can be shown to have used them can be traced directly back to the US government. If nothing turns up, no international harm has been done. If it emerges that these tools have been used for cyber espionage, then there is embarrassment, but little overall damage - espionage is what all governments do, and the only concern would be if it were done for US commercial advantage.

The primary concern would be if the NSA tools were used to interfere with foreign nations. Snowden says, "Particularly if any of those operations targeted [foreign] elections."

Following U.S. accusations that Russia was attempting to influence American opinion prior to the U.S. presidential election (see the DNC and DCCC hacks), then this could be nothing more than a 'back off' warning.

It is certainly true that the U.S. itself is engaged in foreign hacking, although we hear less of this than we do of Russian and Chinese state-sponsored activity. In September 2015, Director of National Intelligence James Clapper was very clear that the OPM breach, generally attributed to China, was not an 'attack': it was only "a passive intelligence collection activity, as we do."

The 'as we do' is a clear admission. "We can be confident," suggests F-Secure's Sean Sullivan, "that there have been incursions in China. That we haven’t heard much about it is undoubtedly due to how China does press." Until recently, the same could be said of western cyber incursions in Russia. Shortly before Kaspersky Labs all but named the NSA (and/or other members of the Five Eyes) as the actor behind ProjectSauron (the actor "commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication"), Russia's FSB admitted that the Russian government had been hacked - and all but named the NSA as the aggressor. 

Sullivan believes the Russian government was hacked by ProjectSauron -- but he describes none of this as cyber war.

"This is all still within the realm of cyber espionage. I wouldn’t worry about warfare just yet." Nevertheless, he does suggest, "this short PR statement from the FSB is an interesting development." And that is the problem: new developments. Cyber espionage is escalating in both quantity and quality.

Can you really define (alleged) attempts to influence national elections to be within the realm of traditional espionage? It's a stretch -- but if it cannot be described as espionage, what is it? It's getting perilously close to being warfare.

Knocking on the doors of cyber warfare

Defining and Debating Cyber Warfare

One of the difficulties is that there is no generally accepted definition of cyber war. We can infer something from Clapper's statement on the OPM breach. He said it wasn't an attack "since it was entirely passive and it didn't result in destruction or any of those kinds of effects. There was no destruction of data or manipulation of data. It was simply stolen." The implication is that destruction and manipulation is the tipping point between espionage and warfare.

With such a definition, the DNC breach comes right to the edge. Wanting intelligence on a potential future president could be called normal espionage. But in this case emails obtained by the hackers were publicly leaked via WikiLeaks. If this were done to embarrass the Democrats then it could be seen as manipulating the stolen data in order to manipulate public opinion in order to manipulate the US election -- which in Clapper's terminology could be seen as something more than 'a passive intelligence collection activity'.

In strategic terms, however, the Equation Group/ Shadow Brokers episode is probably best described as an act of reflexive control -- a strategy in which you direct and control the opponent's perception of events. By releasing only half of the stolen NSA documents and files, Russia is indicating that it may have even more damning evidence that it could release. Whether it has or not is a separate issue.

Is it time to define an act of cyber war?

There is an undoubted reluctance on the part of governments to define cyber war. Some claim that a definition would limit the government's flexibility in response -- but that is dubious. Governments have never been required to respond to an act of war by going to war. The same would apply in cyber. A cyber war attack could be responded to in kind, economically or militarily; just as if it were a physical attack.

It is tempting to suggest that if this is the case, why inflame the situation by creating warfare through defining warfare? But there is another body of opinion that sees positive merit in defining cyber warfare: it would paint a red line that must not be crossed without fear of serious reprisal from the world's most powerful nation. In this sense, the definition of cyber war has a deterrent effect against its use.

One supporter of this point of view is Dr. Andrea Limbago, a former Senior Technical Lead at the Joint Warfare Analysis Center, and now Chief Social Scientist with Endgame. Her view is that we are not yet asking ourselves where the escalation in state-sponsored cyber conflict is going.

"I don't really feel we're having that discussion yet," Limbago told SecurityWeek. "Take PPD-41. It is useful and addresses some of the issues, but it focuses on the bureaucratic aspects -- information sharing etc. It doesn't say anything at all about how we as a country will defend ourselves. It's individual incident response and clean-up rather than how the nation should respond to cyber attacks. It doesn't define the type of behavior that would constitute that red line that would provoke one or other of the various tools of statecraft -- military, economic and so on."

Limbago believes it is time for greater clarity. "There is too much of a nebulous nature to it now. There needs to be more clarity. You don't have to go all the way to the extremes, making it so concrete that it ties your hands, but there does need to be greater clarity. When you have some of the generals coming out and asking for something along those lines, you know they're unsure on how to respond." She's not alone in this view. In May 2016 Sen Mike Rounds (R) introduced a bill that would direct the president to develop a policy that would determine when "an action carried out in cyberspace constitutes an act of war against the United States."

Another reason for the reluctance to define an act of war is not that it could limit U.S. response, but that it could limit U.S. 'aggression'. Stuxnet is generally accepted to have been developed by the U.S. It is hard to imagine any definition of an act of cyberwar that would not define its use against Iran as an act of war.

The problem of attribution

Of course, if the purpose of a legal definition of cyber warfare is to facilitate a predefined, formal response, there is still the problem of attribution. Who did it?

Attribution -- that is, the naming of the perpetrator -- is difficult but not always impossible. It is, however, almost always denied by the perpetrator; and this makes any national and overt response to a cyber attack even more problematic. Not only must the responder have absolute confidence in the identity of the aggressor, he also needs to be able to convince the wider international community of the same. 

Microsoft's Scott Cheney recently published a paper on implementing 'norms' in international cyber behavior. It discusses the problem of attribution and proposes an international body of independent experts to provide that attribution. It is a neat solution to a tricky problem, but with one major difficulty -- it is unlikely to work. If the United States was convinced that a serious and damaging attack came from, say, North Korea, it is unlikely not to respond just because a body of experts isn't sufficiently in agreement.

Attribution is hard, but not impossible, commented Andrea Limbago. "You will always have to combine cyber data with other data, such as geopolitical intelligence and so on. But that's true for any form action you want to take -- you should never act on one stream of data on its own."

Where cyber espionage is concerned, the U.S. is not afraid to go public with attribution. It does this through legal means, by indicting the guilty parties even where there is little chance that the perpetrators can ever be brought before a court of law. It has done this with five members of the Chinese military. It has done this with members of the Syrian Electronic Army. This approach has the additional advantage of saying to the US public and to the wider world; we uphold the rule of law. 

But whether a similar approach is realistic following a declared act of cyber war is a moot point.

The effect of escalating cyber conflict on business

It is worth pausing for a second to question whether a political interest in the difference between cyber warfare and cyber espionage is anything more than an academic interest to business. Is business following this debate with any degree of interest? The answer is no; it is not.

"The reason," said Steve Lentz, chief security officer at Samsung Research America, "is that I have to protect my systems from all bad guys, whether internal or external, state-sponsored or criminal. A good security practitioner will do due diligence and provide the best in class security for his environment." In other words it doesn't matter whether the attacker is Russian intelligence or Russian mafia, or whether the motive is political or economic -- it is the same tools and methodology that are used against all attackers.

Martin Zinaich, information security officer for the City of Tampa, takes a similar view. In general, he told SecurityWeek, most CISOs don't really care who the attacker is, although they will be aware that the attack will probably be more sophisticated if it is state-sponsored. He does, however, suggest that different verticals will follow the situation with different degrees of interest. "Surprisingly," he added, "I believe you will be more concerned if you are a private corporation and you need to protect your IP. As for me, I'm concerned if anyone can access police or water systems."

Summary

This is a huge and complex issue. There are arguments in favor of defining an act of cyber warfare; and there are arguments against it. But one thing seems certain: if international cyber conflict continues to escalate, the red line that is currently undefined will inevitably be breached. Stuxnet was an act of war if perpetrated by the U.S. government (or the Israeli government). The Ukrainian blackouts of last year were the result of an act of warfare if perpetrated by the Russian government.

The status quo is unsustainable. It might not be necessary to define an act of cyber warfare; but it will become necessary to define responses to acts of aggression. This could have the same deterrent effect as a definition of warfare itself. But if this is the direction to be adopted, then President Obama has already missed one opportunity to include national rather than just bureaucratic responses to aggression within July's presidential policy directive (PPD) 41.

Related: Are Attacks Against SWIFT Acts of Cyberwar?

Related: Pentagon Boosts Cyber War Against IS Group

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.