Cyber Conflict: Will emerging norms keep pace with escalation?
At RSA there were a number of warnings about the coming increase in conflict in cyberspace. The term is mostly associated with Russia, but "hybrid warfare"—an amalgam of conventional combat, special warfare, deniable insurgencies, and cyber operations (involving hacking, interference, and information operations) is expected by many to become the normal form of warfare in this century.
Cyber operations are expected to include espionage, information and influence operations, destruction or disabling of systems and data, and more complete integration with kinetic military operations. Nation-states are also expected to become coyer about how they conduct such operations. The "pullback" some analysts think they've seen in the current Donbas cease-fire and in the apparent withdrawal of Russian state intelligence services from the relatively noisy activity they displayed during the 2016 US Presidential election probably amounts to a little in the way of a more peaceful future. It seems that states are increasingly turning to non-state actors (especially criminal groups) or front organizations in pursuit of plausible deniability. Some speakers have expressed cautious optimism about Western states' growing ability and resolution to act effectively against cyber challenges, but no one we encountered thinks it's going to be easy.
Threats in cyberspace
Representative Michael McCaul, chair of the House Homeland Security Committee and co-author of the US Cybersecurity Act 2015 delivered a keynote address that sounded familiar notes about the extent of cybercrime, the attackers' advantage, and the degree to which hacking endangered wealth. He went on, however, to deliver some alarming and alarmist conclusions about the conduct of Russian influence operations during the US elections. He argued that these had the potential to hold American democracy itself at risk. How such operations might be deterred remains unclear, but McCaul didn't hesitate to suggest that the existential threat nuclear weapons posed to the United States during the Cold War might bear some analogy to cyber threats.
Microsoft calls for a cyber Geneva Convention
Industry is particularly worried about the growing tempo of international conflict in cyberspace, and is urging governments to take seriously their operations in this new domain. Microsoft's Brad Smith called for the effective neutralization of the tech industry. "Even in an age of rising nationalism," he said, "we need to become a trusted and neutral digital Switzerland." He called upon the industry to focus on defense, protect its customers, and refrain from collaborating with governments in attacking cyber targets. (In this his plea is reminiscent of the case made early in the Twentieth Century in a widely influential book, The Grand Illusion, which argued that European nations were so interconnected, so mutually dependent on each other's economies, that the prospect of a general war was a fantasy, the grand illusion of the title. How that turned out may be seen in the history of the First World War and its sequela, the Second. But the aspiration is heartfelt and appealing.)
Smith also argued for establishment of international law similar to the Geneva Conventions that would protect non-combatants from the effects of conflict in cyberspace. Here he may have been on firmer, more realistic ground. If there are restraints, albeit imperfect restraints, on kinetic warfare that are designed to contain it, to limit its effects on noncombatants, and to induce combatants to fight in ways that don't make the restoration of peace impossible, shouldn't there be similar restraints placed on cyber conflict? The time for this would appear to have come. Cyber warfare is no longer in its infancy, but it hasn't yet left its adolescence, and this may be the last, best, opportunity to influence its development.
Smith also recommended putting some monitoring mechanisms and institutions in place, suggesting that a cyber analogue of the International Atomic Energy Agency might play a useful role in moderating conflict and building international confidence.
While certain bilateral undertakings appear to have had some positive effect, notably agreements between the United States and China to refrain from taking certain actions against one another's interests in cyberspace, the prospects for a general agreement mirroring the Geneva Conventions seemed to many in attendance to be as unlikely as they might be desirable.
Integration of cyber operations into conventional combat
Cyber operations have to a great extent begun to augment and supplant long-familiar forms of electronic warfare, from SIGINT collection to jamming. They also are beginning to appear in tactical targeting. US forces have used information collected from (and about) mobile device users to target ISIS leaders in the Middle East, and Russia is reliably reported to be doing the same in its own conflict with Ukraine.
The most well-known and controversial report of such use is CrowdStrike's account of how Russian forces were using a compromised Android app to target Ukrainian artillery units. The report has been criticized on several grounds, notably what many take to be questionable assessments of battle damage and an implausible account of how the malware was actually used.
We were able to catch up with CrowdStrike at RSA, and we received some useful clarification that lends detail to the report. In brief, CrowdStrike's research concentrated on an Android app, "Popr-D30," developed by a Ukrainian artillery officer. We confirmed with CrowdStrike that Popr-D30 is in fact a technical fire direction application: a gunnery program that computes the technical solution to be applied to the guns themselves, enabling them to deliver indirect fire against the targets they've been ordered to engage. It's the sort of replacement for older, slower, more cumbersome manual computations done with charts and slide rules. Most armies have adopted similar computational tools.
The malware did not, as had been widely reported (although not by CrowdStrike), extract GPS data from the devices of Popr-D30 users. It did, however, collect information that would be useful in deriving some order-of-battle intelligence. More interestingly, it collected coarse location information about the compromised device. Such information isn't precise enough to generate a target, but it does provide a very useful target indicator that could then be confirmed and refined by more precise methods of observation: drones, radar, forward observers, and so on. Pulling just coarse location data also offered the attackers a measure of stealth: extracting more precise geolocations would have drawn down device batteries more quickly, possibly arousing user suspicions.
How many Ukrainian units were engaged, how many guns were destroyed, is a matter of conjecture. The Ukrainian Army denies losing units at the very high rates reported in the press, and they may indeed be correct. But the case is an interesting one: cyberattack has taken its place in the target acquisition toolkit.