A copy of the full analysis can be downloaded by clicking on the link at the bottom of this blog entry.
As I mentioned in the previous part of the analysis, cyberattacks represent a new form of attack, and attempting to frame cyberattacks in terms analogous to those of traditional, real-world attacks has proven to be problematic. Part of the difficulty stems from the unique properties of cyberwar compared with those of real-world war. This section discusses some of the more significant properties that distinguish cyberwar from traditional war.
Cyberwar is Doubly Dangerous
In cyberwar, offensive weapons cannot be distinguished from defensive weapons, and cyberwar tends to favor offense. Together, these two properties make cyberwar “doubly dangerous” as per Jervis’s characterization depicted in Figure 2.
In cyberwar, offensive weapons cannot be distinguished from defensive weapons, because the same technology that is used for offense is also used for defense. As Randall R. Dipert describes it,
… [T]here are no exotic components to cyberweapons, again very unlike nuclear and other advanced technology weapons, and even unlike chemical or biological weapons. Any computer is a potential cyberweapon and anyone with advanced knowledge of information systems is a potential cybercombatant. This makes treaties that would ban cyberweapons virtually impossible from the outset.
Nicholas C. Rueter in “The Cybersecurity Dilemma” furthers the idea that offensive weapons (and perpetrators) cannot be distinguished from defensive weapons:
Even if a cyber weapon can be identified, it remains exceedingly difficult to distinguish between offensive and defensive capabilities. Many military organizations tasked with conducting cyberwarfare have both offensive and defensive capabilities, both of which are conducted through the same mechanisms and machines…
The most important weapons of cyberwar are the “cyber warriors” that conduct it. But it can be equally difficult to identify a cyber warrior. Many militaries have officially-designated cyberwarfare units, yet responsibility for both cyber offense and cyber defense can easily be spread throughout various security and intelligence agencies, and even into the private sector. Even when cyber warriors are recognizable, it is nearly impossible to distinguish between their offensive and defensive intentions and abilities. This is because the same knowledge and tools that cyber warriors use to defend against attacks, such as firewalls and intrusion detection programs, can be used to circumvent those same protections.
Several characteristics support the proposition that cyberwar favors offense, including the instantaneous nature of attacks and the low costs of perpetrating cyberwar. Again, from Nicholas C. Rueter:
… [C]yber attacks can be carried out almost instantaneously. Under traditional military doctrine, mobility is considered to favor the offense. This is because greater mobility leaves targets with less opportunity to prepare a decent defense. Mobility is closely related to two factors that have historically played a significant role in kinetic warfare: terrain and surprise. As Jervis observes, “anything that increases the amount of ground an attacker has to cross...increases the advantage accruing to the defense.” While in kinetic warfare terrain may serve as an impediment to an attack, there is no such buffer in cyberspace. The lack of terrain also allows for surprise attacks on previously unrecognized network vulnerabilities. As Jervis notes, “weapons and strategies that depend for their effectiveness on surprise are almost always offensive.” In short, the speed with which cyber attacks can be executed makes defending against them very difficult, and thus greatly advantages the offense.
Cyberwarfare has extremely low costs of entry with potentially high returns on investment. As a report by the U.S. Air Force Research Laboratory notes, “anyone with a computer and an Internet connection can launch attacks...”
… [C]yber attacks are an attractive tool for waging asymmetric war … I use the term “asymmetric war” or “asymmetric warfare” to mean: “conflicts between actors with wide disparities in power”... Weaker actors can engage in cyberwarfare with relatively low costs… At the same time, if the weaker actor does not have a similarly sophisticated digital infrastructure or economy, a reciprocal attack may not be as effective…
All of these reasons suggest that cyberwarfare favors the offense. Many analysts and scholars agree. A report by the National Research Council states that “[c]yber-attack is easier, faster, and cheaper than cyber-defense,” because “effective defense must be successful against all attacks, whereas an attacker need succeed only once.” Kenneth Geers, the U.S. Representative to the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, claims that “the asymmetric nature of cyber attacks strongly favors the attacker.” Ned Moran, a Professor of Information Privacy and Security at Georgetown University, concludes that “the development and deployment of cyber warfare strategies, tactics, and weapons favors the offense and exacerbates the security dilemma.” Matthew Crosston argues that “the most basic axiom of the cyber realm” is that “offense will always trump defense.”
Cyberwar Actions and Actors Are Difficult to Identify
Another unique aspect of cyberwar that distinguishes it from traditional war is the fact that cyber actions and actors are difficult to identify. This problem is noted frequently in the literature. For example, Randall R. Dipert indicates,
… [I]t is very difficult to determine the source of cyberattacks: this is the ‘attribution problem.’ This fact would give many cyberattacks credible deniability especially since in many cases nations can plausibly claim that the attacks may have originated from within their territory but their governments did not initiate them.
As another example, David E. Sanger and Elisabeth Bumiller in “Pentagon to Consider Cyberattacks Acts of War” note:
In the case of a cyberattack, the origin of the attack is almost always unclear…
“One of the questions we have to ask is, How do we know we’re at war?” one former Pentagon official said. “How do we know when it’s a hacker and when it’s the People’s Liberation Army?”
In the TED talk “Guy-Philippe Goldstein: How cyberattacks threaten real-world peace”, Goldstein notes:
Your country could be under cyberattack with entire regions plunged into total darkness, and you may not even know who's attacking you. Cyber weapons have this peculiar feature: they can be used without leaving traces. This gives a tremendous advantage to the attacker, because the defender doesn't know who to fight back against. And if the defender retaliates against the wrong adversary, they risk making one more enemy and ending up diplomatically isolated. This issue isn't just theoretical.
Additionally, Peter W. Singer and Allan Friedman in “What about deterrence in an era of cyberwar?” indicate:
The same lack of clarity extends to the signals that the two sides send each other, so key to the game of deterrence. If you fire back with a missile, the other side knows you have retaliated. But fire back with malware, and the effect is not always so evident, especially as its impact can sometimes play out just like a normal systems failure.
Cyberwar Does Not Cause Death
Perhaps the most significant cost of traditional war, and the primary reason for eschewing it, is human injury and death. Yet, while cyberwar has the potential to create serious military and civilian havoc, its direct consequences generally avoid physical injury or death.
Olivia Solon makes these two points in “Do we need a Geneva convention for cyber warfare?”:
Traditional rules of warfare address inflicting injury or death on humans or the destruction of physical structures, but there are no rules on “soft” or “cyber” damage that might not destroy humans or physical structures.
However, intentional destruction or corruption of data or algorithms and denial-of-service attacks could cause “tremendous harm to humans, machines, artificial systems of the environment” that could render civilian systems necessary for people’s wellbeing redundant for long periods of time.
Nicholas C. Rueter reiterates these same points:
… [C]yber attacks need not be accompanied with excessive (or any) human costs. Cyber attacks tend to coerce by disrupting economies and communications, not by taking lives. Many states are hesitant to pursue their political ends through violent means. Similarly, states prefer to limit their own casualties during war. Cyberwarfare provides a means of enhancing security and coercing others without causing loss of life to either side
Finally, Randall R. Dipert also notes that the absence of loss of life distinguishes cyberwar from traditional war:
… [M]any cyberattacks will not be lethal and will not even result in permanent damage to physical objects. This is of course extremely dissimilar from nuclear weapons and from virtually all traditional weapons of war.
Certain Cyberweapons Are One-Time-Use
The last significant peculiarity of cyberwar as compared with traditional war is the fact that many cyberweapons can only be used once, after which defensive measures can be taken to make similar future attacks completely ineffective. Randall R. Dipert explains this one-time-use nature of cyberweapons in a bit more detail:
… [O]nce intrusive malware is detected, there will usually be countermeasures and damage repair that can be executed in minutes, hours, or days by a technologically advanced user or country.
From the point of view of the offensive use of the cyberweapon, this makes many of them ‘one-time use’ weapons whose effectiveness will likely rapidly diminish. Few traditional weapons have had this characteristic. As an attacker, one will thus not want to release one’s very best cyberweapon until there are occasions where risking the rapid development of enemy countermeasures might be worth it.
Allan Friedman, Tyler Moore, and Ariel D. Procaccia present a game-theoretic model based on the one-time-use nature of certain types of cyberattacks in “Cyber-sword v. cyber-shield: The Dynamics of US Cybersecurity Policy Priorities”. They describe the situation as follows:
The models presented in this paper explore the tension between attack and defense in a particular context. Specifically, what should a cybersecurity organization do upon discovery of a previously unknown software vulnerability? We argue that a civilian or uniformed manager faces two conflicting options: to use the knowledge as a weapon in a cyber arsenal, or to treat the knowledge as an opportunity to secure our own systems. The choice is to behave aggressively or defensively…
… [W]e assume that patching, or fixing, one’s own system not only defends against potential attack, but also precludes the defender from using knowledge of this vulnerability to attack in the future. That is, an actor must decide whether to use a vulnerability for defense or offense; it cannot do both. This is reasonable because the duty to patch normally falls on the responsible private vendor, who would release a patch publicly accessible to both sides.