Difficulty in attribution enables a worrying escalation
US President Barack Obama’s unprecedented decision to react publicly to intelligence agency assessments relating to Russian hacking appears to signal that we have entered uncharted waters in the murky world of cyber warfare, security experts told The Media Line.
Instead of responding to alleged interference in the US election covertly, as has been the normal response to cyber intrusions, the administration broadcast its displeasure and expelled a number of Russian officials. In the past, a response to an intrusion would normally be conducted in kind, in a tit-for-tat series of hacks. Instead the Obama administration escalated its spat with Russia into the public arena, ostensibly due to the level of persistent attacks it believed was emanating from Russian agents.
Previously, cyber attacks against a country were regarded as somewhat tolerable, similar to information gathering. The expulsion of 35 Russian diplomats suggests that cyber attacks have gone beyond information gathering to a level of interference that governments are no longer willing to tolerate. As the hawkish US Senator John McCain recently said while referring to allegations of Russian hacking, “When you attack a country, it’s an act of war.”
The problem with such language is that the US cannot 100 percent prove who carried out the attacks. Due to the nature of hacking, victims often do not realize their systems have been breached, and even if they do attribute blame, it is often extremely difficult to prove.
To illustrate how problematic it can be to verify the origins of a hack, Oliver Farnan, a security researcher at the University of Oxford, pointed to a report released last week by the US Department of Homeland Security and the FBI. The report firmly pointed to the Russian intelligence services as the sources of repeated hacks against US institutions – but from a technical standpoint there is little evidence in the report to show that this is the case, Farnan told The Media Line. “What they have released publicly is pretty wishy-washy and is probably not strong enough to uniquely identify Russia.”
This is not to say that the Kremlin didn’t orchestrate the hacks, just that through tracing IP addresses or demonstrating repeated patterns in the malware used to carry out an attack, an investigation cannot be certain of an intrusion’s origin.
“These are things that are very easy to fake,” the security expert explained.
Intelligence agencies have other non-cyber means of collecting information, be it human sources or phone interceptions, that can lead them to identify the perpetrator behind an attack, but generally this evidence cannot be released publicly without compromising sources.
This deniability is sufficient to allow states the anonymity to conduct operations against each other, and the pace and scale at which they are doing this are increasing.
Added to this problem is the fact that cyber offensive capabilities are outpacing the development and sophistication of defensive countermeasures, Dudu Mimran, an Israeli expert, told The Media Line. “From a technical view, in terms of the balance of power, if you want to be an attacker then you can have the tools to overcome many limitations,” the CTO of the Cyber Security Research Center at Beersheba’s Ben-Gurion University said.
This is leaving the world on a dangerous footing where not only do states have the capability to attack and breach the defenses of other states, but they can do so while maintaining a pretense of innocence. Such a scenario could lead to a dangerous escalation as countries are becoming increasingly vulnerable to innovative forms of attacks.
Currently, hacking attempts are generally against websites or information held by companies, but, increasingly, critical infrastructure is becoming vulnerable. How should a state react if its power stations or transport network were intentionally compromised? The success of the Stuxnet virus, allegedly the brainchild of US and Israeli collaboration to undermine Iranian nuclear weapons research, shows that such technological feats are already possible. If cyber forces in 2010 were able to destroy the centrifuge of a nuclear reactor in a hidden Iranian research facility just by spreading a virus, what else could hackers with the resources of a state behind them do?
Deterrence is one form of defense. If a state is known to have a powerful cyber offense, then other countries are less likely to try to hack its systems for fear of retaliation.
But this alone is not sufficient, Daniel Cohen, a researcher at the Yuval Ne’eman Workshop for Science, Technology and Security at Tel Aviv University, told The Media Line. “It’s not enough to protect your own governmental and critical infrastructure. You need to find a way to defend other digital assets in your own country,” Cohen said. A state can be damaged indirectly through attacks on major companies or hospitals that disrupt its economy or its citizens’ lives.
If defense or deterrence don’t curb the growing pace of cyber conflicts, then could an escalation go to a point where we see kinetic retaliation in response to a particularly severe hack?
Probably not, Cohen thinks. Due to the same problem of attribution that makes hacking effective, states are likely to remain cautious about responding militarily. “An attack on critical infrastructure that caused human casualties. This would be the only time that you could see kinetic escalation to a cyber attack,” Cohen argued.
But this risk aside, it is still a time of discovery and danger for the cyber world. The technology which enables hacking, and intelligence agencies’ understanding and coordination in exploiting it, are still developing.
Oxford’s Farnan noted similarities between hacking and espionage but pointed out that the norms and taboos which govern how countries operate their spies are not yet present in the still-emerging field of cyber warfare. “Countries are still working out what’s ok to do and what is not,” he suggested.
Apparently, interfering in an election falls into the latter category.