Our coverage of the RSA Conference continues. (If you'll be at San Francisco's Moscone Center this week, stop by and say hello to the CyberWire team. We'll be at the Akamai booth, #3625 in the North Hall. We hope to see you there, and we thank Akamai for their hospitality). Apart from the many studies and announcements linked below, the conference's formal opening was noteworthy for its discussions of cyber conflict.
US Secretary of Homeland Security Kirstjen Nielsen yesterday called for international norms for conduct in cyberspace (such norms have yet to emerge) and warned foreign bad actors that they shouldn't think they could strike at the US and it allies with impunity. The US has "a full spectrum of response options" available to it, and she suggested that some of those options might well be exercised.
Opting out of cyber war.
Microsoft's President Brad Smith led the announcement of an industry undertaking to refuse to conduct offensive cyber operations on behalf of any government. Thirty-four companies have signed the Cybersecurity Tech Accord. The companies' concern is commendably irenic, but one notes that the signatories are unlikely to have offensive cyber capabilities as part of their offerings. Microsoft has long pushed for adoption of a "cyber Geneva Convention." The Accord represents a private sector move in that direction.
Comments on conflict, deterrence, and why cyber isn't an isolated domain.
Last night we heard an interesting panel discussion at an event organized by Recorded Future. Three well-informed panelists, Matt Tait, Robert M. Lee, and Juan Andrés Guerrero-Saade, discussed cyber warfare in a session moderated by Recorded Future CEO Christopher Ahlberg. The panel agreed that cyber warfare was undoubtedly real, but also thought it made little sense to talk in terms of a "cyberwar" as a mode of conflict that could be confined and contained within that single, fifth operational domain. This doesn't reflect reality any more than "space war" or "sea war" do. Instead, nations use cyberattack tools in the course of larger conflicts.
We are, the panel thought, effectively in a state of continuing cyber conflict, which is to say, simply in a state of continuing conflict. This is a sharper version of Clausewitz's famous dictum that war is the continuation of policy by other means. Consider, panelist Lee said, speaking more-or-less hypothetically, a hellfire strike against an ISIS cyber operator in the Levant. That sort of (clearly kinetic, and lethal) action might itself be understood in the context of cyber warfare: ISIS operators could not be placed on notice more forcefully that their activities, even if conducted from a keyboard, makes them combatants. This observation clearly has implications for considerations of cyber deterrence.
The panel's other operations included thoughts on recognized false-flag operations (Russia's Olympic Destroyer that presented itself as a DPRK operation was the first such false flag recognized and unmasked), on officialdom's unrealistic squeamishness about attribution (Russia's two attacks on Ukraine's power grid were not only obvious, but were intended by the Russians to be seen and interpreted as their work), and a need for clarity when drawing red lines (if NATO intends to invoke Article 5 in response to a cyberattack, the Alliance might in the interest of deterrence say where an attack would rise to the level of an act of war). And there was much skepticism expressed concerning the effect of US indictments of foreign individuals carrying out attacks on behalf of their governments.