Thursday, 4 August 2016

The curious case of the (lack of) cyber response

The central question following the alleged hacking of the Democratic National Convention (DNC) by Russian-backed cybercrime groups is whether the US should “fire back.”

In the murky world of cyber, maybe we don’t want to know the answer. If Russia did take the files from the servers, then what exactly would firing back mean? That sounds awfully…militaristic. Perhaps a retaliatory hack into the Kremlin inner circle? Or perhaps escalating to a physical target? Where does this start? More importantly, where does it stop?

At this point the hack appears to be meant to manipulate US politics in a specific direction. Why the Russians would act this way takes little imagination: any country of significant size and power wants its rivals or neighbours to align with it (or at least be neutral). Political manipulation is a bloodless way to achieve this. And it’s not like the US has never dabbled in the dark arts of foreign electioneering.

What countries do with intelligence to protect their national interests is not a concern here. All countries spy, and in 2016, all countries use the internet to spy. Most of this spying is understandably kept away from the public eye; neither the spy nor the spied-upon wants to admit when they are breached or when they breach. But everyone assumes it happens.

Why Russia left sufficient breadcrumbs for the media to trace is an interesting question. Russia is a sophisticated and careful espionage adversary; if it wanted to keep the action behind the curtain, it could have. But the most important question is what the hack exposes about how Washington thinks about cyber. It has no idea what the appropriate cyber response must be to a breach or attack.

By the way, it is crucial in this debate to get the nomenclature correct: not every breach is an “attack” and not every cyber action is offensive. Sometimes a breach is simply espionage, and no one wants to shoot back simply because users were snooping where they shouldn’t.

This question of response goes to the heart of the matter. In one sense, the cyber domain is well-understood. The internet is the medium over which most communications and business processes travel. It is as integral to the world system as ocean travel. Yet unlike the oceans, cyber is opaque about what it means to do something bad and what enforcement really looks like.

The greatest concentration of cyber firepower anywhere in the world is located midway between the cities of Baltimore, Annapolis and Washington, DC at Fort Meade. The National Security Agency (NSA) and Cyber Command work in tandem to produce cyber tools. The legal parameters governing each are strict: NSA is responsible for espionage while Cyber Command is a military branch.

Its tools are more than capable of reaching out and touching the enemy anywhere, at any time, in ways unprecedented in the history of warfare – provided the enemy is connected to a digital network.

One example is the suspected joint US-Israel operation to sabotage the Iranian nuclear centrifuge facility at Natanz in 2010. It was a small, very public taste of how focused, careful and effective NSA capabilities are. Although the destruction was an unarguable geopolitical good, consider that it was really the sabotage – during peacetime – of what Iran could at the time only call its national infrastructure.

That’s a big deal. Yet the attack still occurred, and no one in Washington or Jerusalem appears to have cared because the cyber domain is entirely unregulated. They did it because they could get away with it. And Russia would have felt the same when it broke into the DNC files. It certainly felt the same when it shut down infrastructure in Ukraine and Georgia using cyber during warfare.

So even though there is a clear danger to the digital world, countries are armed to the cyber teeth and limited cyber war has already occurred (arguably beginning with the Natanz sabotage), the US was at a loss this week for how to react to a clear cyber violation by a known adversary. That is incredibly frightening.

What will a modern, Western populace be comfortable with its government doing in the cyber world? More importantly, will that populace, which every year becomes more suspicious of government power and more possessive of its online privacy, allow its government to conduct accepted international practices such as espionage?

Washington’s hesitation last week shows they simply do not have an answer. Without that, the US republic is in a dangerous spot. Americans should know only four other countries are having this debate. All other nations have decided what their answer is, and it certainly isn’t “I don’t know.”
