“The Coming Perfect Storm in Cyberspace”
Ron Deibert, Director of The Citizen Lab, gave a seminar on cyber security at King’s College London last night. Below are my notes from the seminar and comments:
- States all over the world want to implement rules on the “cyberspace commons” now, but these would be hard to enforce since 95% of internet is privately-owned.
- Elements of the coming “perfect storm” in cyberspace:
- Changing architecture of cyberspace commons
- Demographic changes—while internet developed in the West, more and more users coming from East and South.
- Global cyber-crime
- Blurring of lines between cyber-espionage and cyber-crime
- Two more that I didn’t catch
- 3.8 billion of the 5.3 billion mobile phones used globally are in the developing world.
- The western world makes up 40% of cyberspace.
- While Asia makes up about 44% of cyberspace, it is only sixth in user penetration.
- Two-thirds of internet users are under the age of 25.
- Center of gravity in cyberspace is moving east and south, so we can expect a change in the character of the cyberspace commons.
- One trillion incidents of cyber-crime per year in Canada alone.
- GhostNet, which targeted high-value political and economic organizations, spread in part through social engineering. For example, an email pretending to be from a “Free Tibet” organization sent to the Tibet government-in-exile.
- Indian defense and diplomatic establishments compromised by another botnet, discovered by Citizens Lab and traced back to China (but no solid proof that it was directed by Chinese government).
- Methods used for cyber-espionage are indistinguishable from methods used by cyber-criminals.
- More countries are becoming engaged in internet filtering over time.
- Despite the internet-aided revolutions in Tunisia and Egypt, most countries that try have successfully asserted control over the cyberspace commons.
- Governments with ill intentions have benefited from the internet as well: Iran crowdsourced identification of protesters during Green Revolution by setting up website with photos. [screenshot in slide looked almost like tagging Facebook photos]
Mr. Deibert made the point that crippling cyber-attacks against the US are not in China’s national interest, but states have the unfortunate tendency to act against their own interests quite a bit. The value to China of cyber-“warfare,” if we may use that term, lies in the fact that it provides coercive influence without the same negative effects or resource requirements as traditional, armed conflict. There is, however, a definite limit to how useful it can be outside of the realm of war.
We haven’t yet seen if the US or another country with advanced military capabilities is willing to respond to a major cyber-attack (and that alone) with conventional military action, but such a scenario is unlikely for several reasons. First, pinpointing the perpetrator of a cyber-attack is not a trivial task. Attacks can be traced to a geographical region easily enough, as many attacks from China have been, but identifying the sponsor of an attack requires hard intelligence from other sources. Deibert brought up an example of a botnet that was traced back to a specific university in China. Even that level of detailed tracing, however, doesn’t prove the Chinese government sponsored or ordered the activities. A military response would be a significant investment, and the severity of the effects of an attack would determine how solid the evidence against a country would have to be. Without a severe enough attack, public pressure will keep war out of the equation. Bullets and bombs are easy to understand, but the effects of a cyber-attack are not always so tangible. The public in general cannot conceptualize a cyber-attack unless it is causing widespread havoc, such as shutting down infrastructure or disrupting financial networks.
Second, the nature of cyber-warfare is very different from conventional military power, even if the effects are sometimes the same. Take the example of the alleged sabotage of the Trans-Siberian Pipeline by the CIA. Modifying software that was a likely target for theft by the KGB (allegedly) caused a massive, three kiloton explosion in a key piece of Soviet infrastructure. If the US had physically placed a three kiloton bomb (whether by aircraft or with commandos), the nature of the incident would have been quite different and a military crisis involving a direct confrontation between two superpowers would ensue. Cyber-warfare is cheap, but deploying a brigade combat team or flying sorties from an aircraft carrier are very, very expensive in terms of money and danger to lives. The threshold to respond to a cyber-attack with hard military power, with the associated risks and costs, is so high that a country willing to engage in such attacks would likely be at the point of open hostilities. A crippling cyber-attack would be the opening act of a traditional conflict—an appetizer rather than the main course.
That brings up the third point, which is that cyber-warfare is ancillary to traditional, bullets-and-bombs warfare. It acts as a force-multiplier by disrupting the enemy, but it alone cannot defeat the enemy. If the purpose of war is to make the enemy do your will, you need violence. Cyber-warfare alone is insufficient for that purpose, as violence can simply be used to stop you from conducting cyber-attacks. If a country is not willing to use military power, such escalation is not in its interest. Major, crippling cyber-attacks can do wonders in support of a war, but a country that is not willing to cross that threshold would have to satisfy itself with nuisance attacks and cyber-espionage instead. Stealing secrets from US defense contractors is certainly annoying as hell, but not quite enough to cause America to march to war. Something more drastic, like crippling a country’s internet service or disrupting its infrastructure networks, will not achieve anything on its own and likely incite a military response. That is obviously a huge problem if you’re only willing to commit cyber-resources to a conflict.
If the US does experience a major, crippling cyber-attack, we won’t even need to have the debate about whether or not to respond military. By design, the bombs and bullets will soon follow.