BY SERENA DAI
The nightmare cyberattack scenarios: Hackers shut down electricity for millions of people. Hackers cause the banking system to collapse. Hackers manipulate the military’s global positioning system, disrupting communications in combat.
Even worse, it might be impossible for the U.S. to know who’s really behind the attacks—or how to respond.
Right now, cyberwarfare has no rules of engagement. Countries shroud their cyberweapons in secrecy, and cyber-strategy differs from nation to nation. In the absence of a uniform policy, NATO is focusing on boosting defenses of member countries, not retaliation strategy. The result: A nebulous cyber-environment where few boundaries exist.
The cyberattacks in Estonia showed the first signs of what cyberwarfare might look like—and the difficulties of fighting back. For several weeks in 2007, hackers shut down government and business websites in Estonia. Estonia went to NATO and accused Russia, which denied it.
Thus, the first problem of deterrence in cyberwarfare: attribution. In traditional combat, tankers and airplanes bear the flags of their countries. But cyberattacks are anonymous, clouding victims’ ability to trace them to their source. The Estonia hackers were indeed Russian, but it was impossible to prove that they were acting for the Russian government. Estonia couldn’t retaliate against Moscow.
“In the cyber world, individuals can launch attacks that can cause significant damage,” says Susan Brenner, professor of law and technology at University of Dayton. “Cyberweapons are much more democratic.”
Had Estonia been able to conclusively point a finger at Russia, how would it have retaliated? One view says an attack must be kinetic to be considered an act of war, Brenner says. In other words, something must “blow up.” The Estonian conflict doesn’t qualify. Therein lies cyberwarfare problem number two: the issue of proportionality.
“What did Estonia expect NATO to do?” Brenner says. “Bomb Russia?”
These questions become more important as attacks rise. In the U.S. alone, a recent report by the Government Accountability Office found that cybersecurity incidents in federal agencies, including malware and unauthorized access increased by 680 percent in the past six years.
Since the Estonia attack, NATO has added more cybersecurity capabilities and a rapid-response team to boost reaction time and defensive infrastructure. But the “fortress model”— shielding computer systems behind a virtual brick wall—doesn’t work, Brenner says. Experts say that the best a country can do is to try to limit the damage. Retaliation requires rules of the road, and while academics are talking about the issues, international politicians and diplomats are not.
Jamie Shea, NATO’s deputy assistant secretary general for emerging security challenges, says the idea of a cyberwarfare treaty is far off. The discussion process has not yet matured. Until then, he thinks nations should be more transparent about cyber policy, much like the transparency regarding nuclear weapons use or military doctrines more generally.
“You can’t have every international organization having its own separate and uncoordinated approach,” Shea says. “Like climate change, these things are not perfect. But you need one recognized global initiative around which we can organize these discussions.”
