Cyber war: How close are we to the real thing?
There is little doubt that companies and agencies in the United States are under attack by adversaries, known and unknown, who are targeting IT systems and online resources. Some of the reported incidents, such as those against Google, RSA Security and Lockheed Martin, are sophisticated and targeted, while others, such as the recent denial-of-service attacks against the CIA website, are trivial and almost benign.
Does this barrage amount to a cyberwar? Probably not — at least, not yet.
“What we’re talking about is theft,” said Dmitri Alperovitch, vice president of research at McAfee. “The hyperbole of cyberwar is overused.”
The thefts are a real threat, said Alperovitch, who called them “a massive transfer of wealth in intellectual property unprecedented in history.” But he draws a clear distinction between criminal activity, espionage, hacktivism and acts of war.
Information warfare consultant Charles Dodd, who is chief technology officer of Nicor Global, does not see the distinction so clearly. He does not call recent attacks warfare, but he worries about the possibility of escalation, especially in light of recent reports that the Pentagon is prepared to consider online hacking the equivalent of an act of kinetic war.
The CIA denial-of-service attack, for which the hacker group LulzSec has claimed responsibility, worries him.
“It might be benign, but it shows they have no fear of anyone coming after them,” he said. “These guys are making a very powerful statement to the rest of the world.” Without a meaningful online deterrence capability, the United States could be subjected to an escalating series of cyberattacks that eventually could trigger a conventional kinetic response and lead to a shooting war.
The United States, and any responsible military power, is at a disadvantage in this online cat-and-mouse game. “It is still very much a defensive game,” Alperovitch said. If an adversary seriously targets an enterprise, “the likelihood that they will get in is near 100 percent,” he said.
So far, the United States has been unsuccessful in significantly increasing the risk and reducing the rewards for attackers, regardless of their motives. Despite some recent successes on the law enforcement front, detection and punishment for criminal behavior online are anything but swift or certain. The certain military retaliation that has kept foreign armies and air forces away from our shores is not yet possible in cyberspace because we do not know for sure where attacks are coming from.
“That is a huge problem,” Dodd said. “We do not have a trackback technology today to know who the perpetrator was.” If we respond, “how do we know we’re attacking the correct target?”
Attribution for online activity today is possible, but it relies to a great extent on traditional techniques such as human intelligence, and results are likely to come well after the fact, making a swift and accurate response unlikely.
The bottom line is that offensive tools are limited by the ability to accurately identify targets, and despite cyberwar policies and capabilities, the United States is likely to remain on the defensive in cyberspace for the foreseeable future.
Playing a defensive game is uncomfortable and leaves the country at a disadvantage, but that does not mean security leaders have to be passive. Good defenses can reduce the target area and increase the cost of a successful attack, and improved international cooperation and law enforcement can increase the risks for the bad guys.
Networks need robust cyber defenses in any event, and if they are good enough they can buy the time it takes to make progress on the attribution problem.