Cyberwar or Cyberespionage? It’s Tricky
When you ask three individuals to delineate the concept of cyberwar, prepare to receive three divergent interpretations. However, as global geopolitical tensions escalate and audacious cyberattacks surge, this question transcends mere academic curiosity.
The conventional belief holds that cyberwar constitutes warfare in the digital realm. Yet, this assertion only paints part of the picture. It proves more insightful to regard traditional war and cyberwar as distinct entities, though they occasionally intersect.
A pertinent illustration of this disjunction arises in the context of the Merck insurance case. For individuals uninvolved in government or the military, the NotPetya assault against Ukraine appeared unmistakably as an act of cyberwar. It exhibited aggression, inflicted damage, and was orchestrated by a Russian agency (the GRU) as an unacknowledged offensive against Ukraine. If it amounted to an act of war within Ukraine, was it not equally an act of war beyond Ukraine’s borders?
The answer, surprisingly, is no. Technically speaking, NotPetya never constituted an act of cyberwar. Misconceptions surrounding this incident and the definition of cyberwar cost the insurance industry a staggering $1.4 billion. This article seeks to shed light on a layperson’s grasp of cyberwar and cybersecurity.
Let’s first consider the conventional notion of war. It typically entails kinetic military actions between two nations following a formal declaration of war. However, this view isn’t universally accepted. War, fundamentally, revolves around one party asserting dominance over another, a feat achievable through means beyond armed conflict. Economic strategies, psychological operations such as disinformation, and non-military approaches to effect regime change can be equally potent.
Kevin Tierney, VP of Global Cybersecurity at General Motors, advocates this broader perspective. He asserts that confrontations between countries are not limited to kinetic warfare. Economic disruptions, destabilizing financial systems, eroding trust in information, loss of government data, transportation halts, or damage to energy and water supplies can all serve as tools of war without the need for actual physical conflict.
This broader view on warfare is exemplified by the Cold War, an undeclared and primarily non-kinetic war between the USSR and the Western bloc. Economic means, rather than military force, played a pivotal role in the Western victory, ultimately leading to the dissolution of the USSR.
Nevertheless, a crucial distinction arises when contrasting physical warfare with cyber warfare. Physical wars predominantly transpire within the national boundaries of involved nations, constrained by geography. In stark contrast, cyber warfare knows no such confines and possesses the potential to swiftly escalate into a global conflict.
Due to these unique characteristics, cyber warfare is often categorically distinguished from traditional warfare. It follows distinct definitions and criteria that don’t necessarily align with conventional warfare concepts.
In most nations, a response to a cyberattack targeting critical industries by a foreign nation-state may include kinetic actions. Consequently, the definition of cyberwar sets a high bar to mitigate the potential for inadvertent escalation. Cyberwar is typically restricted to cyber activities that result in or can be expected to result in death or destruction.
This definition’s origins can be traced to the Tallinn Manual, crafted by international experts at NATO’s Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. It confines cyberwar to activities that cause, or can be expected to cause, casualties or destruction.
Anything falling short of this threshold is generally deemed cyberespionage rather than cyberwar. This dichotomy becomes particularly pronounced when examining the realm of critical infrastructure.
Tom Kellermann, Senior VP of Cyber Strategy at Contrast Security, subscribes to this perspective. He posits that cyberwarfare transpires when a nation-state launches a destructive cyberattack against critical infrastructure, relegating other activities to the realm of cyberespionage.
John Hultquist, VP of Intelligence Analysis at Mandiant, shares this view. He rejects the idea that economic suppression is a form of war, emphasizing that actual warfare hinges on the application of violence or the threat thereof. Anything falling below this threshold, even if coercive, is typically categorized as cyberespionage rather than cyberwar.
The argument for excluding cyberespionage from the ambit of cyberwar hinges on the premise that spying, including spying conducted in the digital domain, is a pervasive aspect of human society. It has existed throughout history, among individuals, corporations, and governments. Labeling espionage as an act of war would imply that the world has been embroiled in perpetual warfare since time immemorial. The modern twist lies in the increased ease, scalability, and deniability of cyber spying.
However, this interpretive definition introduces complexities. It hinges on notions of intent and expectation, both subjectively construed and readily deniable by aggressors. This becomes particularly evident when an adversary’s actions straddle the boundary between cyberespionage and cyberwar.
Vladimir Putin’s disavowal of government involvement in hacking, attributing it to patriotic Russian citizens, underscores this point. In his view, these actions didn’t represent the Russian state, didn’t result in death or destruction, and hence couldn’t be classified as acts of cyberwar.
The issue of deniability looms large. In a democratic society, legality relies on evidence that meets the stringent criteria of a civilian court. Intelligence agencies might possess knowledge they can’t disclose publicly due to source protection requirements.
Helder Figueira, founder at Incrypteon, brings an additional layer of complexity to the fore. He notes that sovereign states often outsource cyberattacks to independent contractors, further obfuscating attribution and increasing the prevalence of such activities.
Furthermore, envisioning future scenarios where AI-driven attackers engage in ‘cyberwar’ introduces a unique challenge. Legal remedies against subcontracted AI attackers remain nonexistent.
The definition of cyberwar ultimately hinges on a case-by-case, fact-specific assessment by the President, as articulated by the Senate Armed Services Committee. It underscores the critical role of political power and national defense in shaping this definition.
The Merck ruling reinforces the notion that the political and military definition of cyberwar significantly diverges from the layperson’s perception of the term. Decisions regarding responses to apparent cyberwar events must be rooted in observable effects of attacks by nation-states or their affiliates, rather than official government definitions.
Now, does this distinction between cyberwar and cyberespionage matter? The answer varies depending on one’s perspective.
Malcolm Harkins, Chief Security and Trust Officer at Epiphany Systems, emphasizes the importance of focusing on controlling exploitability, as it is the only aspect under a CISO’s purview. The nature of the perpetrator remains beyond their control, making it a variable of little utility.
John Hultquist presents an opposing view, asserting that understanding the identity and capabilities of adversaries is pivotal for conducting risk assessments and securing systems effectively. Neglecting to consider the adversaries’ profiles and intentions can leave systems vulnerable.
A more politically oriented stance is provided by Juan Andres Guerrero-Saade. He underscores the need for nuanced considerations, both as citizens of law-abiding nations and as individuals concerned with defense measures. In this context, the ultimate decision-making authority falls upon the President. Thus, understanding the arguments underpinning these decisions becomes essential for individuals affected by them.
In essence, the corporate cyber defender must remain resilient to all forms of attacks, regardless of their classification as cyberwar or cyberespionage. Yet, the distinction between these terms can influence the broader geopolitical landscape, thereby necessitating a nuanced understanding of their implications.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.