Pages

4 March 2023

Nation-State Cyberattacks Have No Norms, And We Should Be Concerned

Marcus Fowler

As recently as a decade ago, the idea that a nation's ability to protect itself from cyberattacks was as, if not more, important than its missile defense systems would have seemed laughable.

Today, however, this is the reality nation-states confront as cyber operations play an ever-increasing role in critical geopolitical confrontations, from the cyber proxy war tied to global conflict to the seemingly state-aligned objectives of groups like Killnet.

While it's clear that cyber warfare is here to stay, what is less clear is how the international community should collectively engage with this new dynamic. The most pressing challenge is the lack of definition for an act of war in the cyber sphere and the potential risks stemming from that uncertainty. When will a cyber operation be the spark that lights an outright kinetic conflict?

Getting this right is critical. While several calls have been made for greater global governance with norms and regulations in cyber, efforts have thus far seen limited success. Delivering the sort of international collaboration that defined the Bretton Woods Agreement has proven elusive because of the complexity and variables involved. If countries strike too hard of a redline related to cyber flare-ups, a nation could quickly find itself headed to war over a phishing attack. Too loose of a standard could continue our current cyber free-for-all.

The problem: Is defining casus belli possible for cyber?

In the absence of clarity and consensus on what constitutes an act of cyber war, the discussion should start with separating acts of cyber espionage and those of cyber sabotage. This is difficult since prior to the actual command signal to cause destruction, most cyber operations have the attributes of an espionage campaign.

Intelligence gathering operations certainly attract outrage when discovered but seem to be an accepted part of the "great game" of geopolitical espionage, not an act of war. The are many recent examples of this, where the most likely goal of the operation has been assessed to be intelligence collection. More attention was focused on the failure of the U.S. defenses and the scale of the effort than on serious calls for war. While there is no doubt that data theft and intelligence collection cause real-world damage, those operations that are intended to cause physical destruction and even the potential loss of life must be judged and handled differently.

In September 2022, we saw Montenegro seek support from the U.S. and NATO following a persistent attack on its government websites and databases. The extent to which this kind of treaty-member cooperation should serve as a precedent for future compromises remains ambiguous. So, too, does the extent of Russian involvement in the cyberattack itself, mounting further concerns around the difficulties of attributing and governing state-level cyber response.

More broadly, the lack of clarity when it comes to cyber escalation is worsened by the ever-present potential for spillover and collateral damage in cyber, elucidated most powerfully by the NotPetya attack in 2018. A troubling question remains: When will cyber warrant a kinetic military reaction and how close have nation-states come without a mistake being made?

Who can be the world’s CISA?

There is currently no global or internationally recognized charter to take on cyber—and it's not difficult to see why. Cyber remains a Wild West, and setting out principles and norms for what has always been an arena of rapid change is a tricky pursuit—and not one that many nation-states may want to pursue, lest their cyber operating environment become more restrictive or require even more risk.

Since cyber dominance is defined today by defensive superiority rather than offensive capability, it is unsurprising that we might look to the U.S. as a potential candidate to fill the void of global cyber governance. The U.S. boasts some of the best intelligence powers, leadership in global cyberspace affairs, security and leading defense technologies born out of the private sector in the U.S. and U.K. In July, CISA announced the opening of its first Attaché Office in London, a clear effort to bolster international collaboration between CISA, U.K. government and other federal agency officials.

Ultimately, the U.S. cannot take on this mandate alone. Cyber by its very nature is fragmented and dispersed; our globalized economy has long relied on trading with many different nations and thrives on connectivity. Data is now fluid and global—the ship has sailed. Addressing this problem will necessitate collaboration across nation-states, the public and private sectors, and international convening organizations in ways we most likely have never seen previously.

Defining acts of cyber war and creating the right partnerships to govern them requires us to start small. For example, most of us can agree that a cyberattack on the part of a state that intentionally causes significant loss of life and/or irrevocable economic damage should be considered an act of war. However, cyberattacks, intentions and impacts are rarely so clear-cut. If we are to create bilateral agreements or a NATO-style international alliance, we cannot create hard red lines that we are not prepared to act on if crossed. These are rarely helpful or maintained in times of crisis and flux. We might consider using language with more nuance than "consider an act of war" and move toward something more concrete: "will consider kinetic response to cyber operations that cause physical destruction."

Private sector organizations and vendors should ask themselves, "How can I contribute?" CISA’s Critical Infrastructure Partnership Advisory Council is a good example of public-private sector collaboration on threat intelligence, risk mitigation tactics and resources for better testing environments. A similar approach can be taken when it comes to understanding and defining cyber norms, combining private sector expertise with national security goals to reach meaningful conclusions.

None of this will be easy, but it is critical. We must remember the goal of creating perceived norms—that is, deterrence as much as diplomacy. It's about causing a set of risk-gain calculations for adversaries that might prevent them from accidentally escalating a conflict.

No comments:

Post a Comment