Keyboard warriors: the ground rules for online warfare
15 December 2016
The recent cyberattack on the Democratic National Committee, if premeditated, represents the first time that hacking has been used as a tool of political manipulation. Rod James looks at the significance of the incident, what constitutes best practice in security and why it is so hard to establish ground rules for online warfare.
On 25 July it became apparent that the Democratic National Committee (DNC), the group responsible for organising the campaigns of Democratic Party candidates throughout the US, was in serious trouble. That day – the first of the party’s convention at which Hillary Clinton was to be nominated candidate for the 2016 presidential election – WikiLeaks published 20,000 emails stolen by hackers from the DNC’s computer network.
Some of these exposed an apparent bias on the part of the DNC towards Hillary Clinton in her leadership battle with Bernie Sanders, causing an outpouring of anger among his supporters at a time when a show of unity, superficial or otherwise, was what the party most needed.
These emails also shed light on a dark political underbelly that many knew existed, but would rather not see. For example, one from chief financial officer Brad Marshall suggested the Committee try to highlight Sanders’ Jewish heritage and rumoured atheism in order to reduce his appeal to Southern Baptist Democrats.
By 26 July, the US Government confirmed it had “high confidence” that the theft was carried out by hackers linked to the Russian Government.
While they could not confirm whether it was part of a concerted effort to manipulate the 2016 presidential election, or just the by-product of standard espionage, there’s no doubt the leaks had the effect of associating Hillary Clinton’s name with skulduggery and dishonesty in the eyes of some voters, a theme Donald Trump continued to play upon throughout the presidential election process, as more emails continued to emerge. If it were a premeditated strike, the event marks a significant milestone in the evolution of cyberwarfare.
Espionage has been carried out by all the major powers for centuries. Politicians and members of the diplomatic service have long been aware that their correspondence could land on the desk of a devious third party, even one from a supposedly friendly nation, and this “spies will be spies” philosophy has carried through to the cyberage.
However, the use of cyberattacks as a tool of electoral manipulation is a step beyond, turning hacking from an intelligence gathering tool into an offensive weapon.
Low-tech may be best
Although the DNC computer system was a relatively easy target, defence workers still need to be alert to this escalation. Classified information tends to be kept on systems isolated from the rest of the web, making its theft and manipulation a real challenge for hackers.
But non-isolated, unclassified systems, which in the US encompass strategically important things like logistics systems, force the defender to react constantly to the attacker’s next move, and, at the moment, the attacker is one step ahead.
The aim of the defender is to wear the hacker down with multifactor authentication, firewalls, malware detection and anomaly detection software, though, in truth, anyone with the technology, skill and inclination can hack a computer system.
“It’s not even clear that sophisticated cyberdefences can keep up on systems that are exposed to the internet,” says Martin Libicki, a cybersecurity specialist with RAND Corporation, visiting professor at the US Naval Academy in Annapolis and author of the recently released Cyberspace in Peace and War.
The fact is that greater digitisation, for all its benefits in terms of speed and productivity, has opened up new avenues for hackers and, in this respect, countries with less sophisticated security apparatus are actually at an advantage. Use of analogue walkie talkies, still common among many of the world’s militaries, and line-of-sight communications certainly have their downsides, but they require far less protection and, in many cases, recover more quickly in case of attack.
“Hackers took down the electric power system in Ukraine, but it was able to be quickly restored because it was barely out of the manual phase,” explains Libicki.
“They were able to do a manual override and restore conditions within about five hours. They didn’t have very sophisticated cybersecurity installed, but didn’t have a very deep dependence on digital systems, either.
“When you look at advanced countries, particularly the US, you see they are becoming increasingly digitised. To keep the same level of safety, you have to have appropriately sophisticated defences.”
Earlier this year, the faculty at the Naval Academy took these low-tech lessons on board. They began teaching their charges how to use a sextant, a 285-year-old device that helps sailors navigate by the stars, just in case GPS experiences technical failure, or is compromised by hackers. “I think, in general, it’s a good idea that people are familiar with the paper backup to electronic systems, so that they realise there are alternatives if the unexpected occurs,” says Libicki.
Spies will be spies
Aggressive moves by Russia, such as that against the DNC, have amplified calls for the creation of a regulatory and legal framework for cyberwarfare: rules of engagement, if you will. The UN Group of Governmental Experts – a body formed to try to formulate a set of norms to govern electronic and cyberwarfare – reached a broad global consensus in 2013 that existing international law also applied to the cybersphere.
In the most severe scenario, this means that certain cyber attacks can be considered on par with physical use of force, and, under the UN charter, trigger the right to self-defence.
In addition, a number of bilateral political agreements have been forged in order to help deal with specific bones of contention. “In 2015, China and the US made a political agreement that included the point that they shouldn’t knowingly conduct cyber-enabled theft of intellectual property,” explains Henry Rõigas, law and policy analyst at the NATO Cooperative Cyber Defence Centre of Excellence, a NATO-affiliated but operationally independent think-tank based in Tallinn, Estonia.
“Industrial espionage is a huge problem in US-Chinese relations. This was a political agreement. It wasn’t international law or a treaty that states agreed to.
“Some say this has actually had an effect on levels of espionage, others say it hasn’t; attribution is a central problem when it comes to cyberattacks and there’s always plausible deniability… But it’s still progress on establishing these kinds of norms.”
Getting countries to adhere to cyberwarfare norms is a massive challenge. For a start, it’s very difficult to attribute the source of a cyberattack. Even if you are able to trace the country from which the attack emanated, a government can easily disassociate itself.
Ultimately, while countries want to ensure that ground rules are in place to prevent a cyberattack from escalating into something more serious, no country wants to curtail its espionage programme.
“Essentially, no one is interested in limiting those [espionage] activities,” says Rõigas. “The focus is now on limiting attacks against critical infrastructure. The UN [Group of Governmental Experts] in 2015 adopted this list of norms of responsible behaviour.
“This included the point that states during peacetime should not attack each other’s critical infrastructure, and they shouldn’t attack the computers of emergency response teams, which are civilian organisations dealing with severe incidents.
“States are trying to establish those ground rules of behaviour, and protecting critical infrastructure looks like the area in which they will find the most consensus.”
Are rules even necessary?
Another school of thought is that establishing norms would be counterproductive, and could push countries towards more drastic action.
While the Russian attacks on energy infrastructure and political bodies are an escalation of the cyberwar, nobody has died, or even been injured, as the result of a state-sponsored cyberattack. While such attacks can be hugely disruptive, surely they are preferable to the traditional, physically violent alternatives?
“You are faced with the argument, ‘why am I prohibiting a non-lethal form of attack when lethal forms of attack in the right circumstances are considered acceptable behaviour?’,” explains Libicki. “That’s a tough argument to refute. Then you say, ‘I figure that under the right circumstances a cyberattack on the military is fair game.
“That is to say, if you are in a situation where blowing it up is okay, then you can be in a situation in which a cyberattack is also okay’. This raises the discussion about dual facilities. ‘If I’m at war with your soldiers, does that give me the liberty to bring down your electric power supply?’ That is where the battle is being fought right now.”
Perhaps the most effective force preventing cyberattacks being used as a truly destructive weapon is what Rõigas refers to as ‘mutually assured doubt’. It’s very hard to guess the full extent of a country’s cybercapabilities and nobody really wants to find out.
This is partly intentional. While the hacking activities of the US Government (pre-Edward Snowden, at least) were virtually undetectable, countries such as Israel generally want people to know when they are responsible for an attack, as it sends out a warning to their neighbours. All countries show their hands to different extents and for different reasons, creating a kind of fragile balance.
“It’s very easy to hide your capabilities and the development of your capabilities,” says Rõigas. “So there’s a big discussion around how we can even define what a cyberweapon is.
“When you speak with technical cybersecurity experts and those who have tried to address the subject of disarmament, quite often you realise that the best way forward is just to develop good cybersecurity practices, rather than limit the development of offensive cybertools.”