RSA: Cyber conflict and cyber restraint.
Cyber conflict and cyber deterrence, and the direction of innovation.
US Secretary of Homeland Security Kirstjen Nielsen in her keynote called for international norms for conduct in cyberspace and warned foreign bad actors that they shouldn't think they could strike at the US and its allies with impunity. The US has "a full spectrum of response options" available to it, and she suggested that some of those options might well be exercised.
Another speaker with a sharp view of the realities of cyber conflict was European Commission Vice-President Andrus Ansip, who described the real and current threat of nation-state cyber attacks with the hard-won, disillusioned clarity an Estonian official usually brings to the matter. He called out numerous examples of Russian offensive operations in cyberspace (and it's noteworthy that he included descriptions of that country's recent information operations, especially the disinformation surrounding the Salisbury nerve agent attacks). He offered a warning near the end of his presentation concerning the necessity of preparing for a full spectrum of cyber conflict: "If we fail to do so, if the West fails to unify – we risk being exploited by those who would use cyberspace as a weapon to harm our free and open societies and economies. By not acting, we make ourselves an easy target."
Recorded Future organized an event off the main venue to discuss issues of cyber conflict. Recorded Future CEO Christopher Ahlberg moderated a panel composed of Matt Tait, Robert M. Lee, and Juan Andrés Guerrero-Saade. The panel agreed that cyber warfare was undoubtedly real, but also thought it made little sense to talk in terms of a "cyberwar" as a mode of conflict that could be confined and contained within that single, fifth operational domain. This doesn't reflect reality any more than "space war" or "sea war" do. Instead, nations use cyberattack tools in the course of larger conflicts.
We are, the panel thought, effectively in a state of continuing cyber conflict, which is to say, simply in a state of continuing conflict. This is a sharper version of Clausewitz's famous dictum that war is the continuation of policy by other means. Consider, panelist Lee said, speaking more-or-less hypothetically, a Hellfire missile strike against an ISIS cyber operator in the Levant. That sort of (clearly kinetic, and lethal) action might itself be understood in the context of cyber warfare: ISIS operators could not be placed on notice more forcefully that their activities, even if conducted from a keyboard, make them combatants. This observation clearly has implications for considerations of cyber deterrence.
The panel's other observations included thoughts on recognized false-flag operations (Russia's Olympic Destroyer, which presented itself as a DPRK operation, was the first such false flag recognized and unmasked), on officialdom's unrealistic squeamishness about attribution (Russia's two attacks on Ukraine's power grid were not only obvious, but were intended by the Russians to be seen and interpreted as their work), and on the need for clarity when drawing red lines (if NATO intends to invoke Article 5 in response to a cyberattack, the Alliance might in the interest of deterrence say where an attack would rise to the level of an act of war). And there was much skepticism expressed concerning the effect of US indictments of foreign individuals carrying out attacks on behalf of their governments.
The private sector counsels restraint.
Microsoft's President Brad Smith led the announcement of an industry undertaking to refuse to conduct offensive cyber operations on behalf of any government. Thirty-four companies have signed the Cybersecurity Tech Accord. The companies' concern is commendably irenic, but one notes that the signatories are unlikely to have offensive cyber capabilities as part of their offerings. Some of the companies on board with Redmond are Facebook, Cisco, Avast, Nokia, Dell, RSA, FireEye, LinkedIn, Symantec, and Juniper Networks. Microsoft has long pushed for adoption of a "cyber Geneva Convention." The Accord represents a private sector move in that direction.
The companies who signed committed themselves to four undertakings:
"Stronger defense. The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
"No offense. The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.
"Capacity building. The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.
"Collective action. The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace."
The Microsoft-led initiative in which thirty-four companies signed an undertaking not to engage in offensive cyber operations hasn't, for all of its good intentions, received uniformly positive reviews. The agreement was featured on the Conference's opening day. Some observers think it resembles other large-scale resolutions and legislation in that it fails to make necessary distinctions, and fails to do justice to the complexity of computer network operations.
One such complexity involves the familiar problem of dual use. Some security legislation and international cyber non-proliferation agreements (Wassenaar prominent among them) have come under criticism for the possibility that they might unintentionally criminalize legitimate vulnerability research, for example.
Other issues raised concern the undertaking's lack of teeth (it is after all a voluntary avowal of intentions) and the signatories' lack of involvement in delivering offensive cyber capabilities to governments.
(And nice seeing all of you.)
The CyberWire team was based this year at the Akamai booth (and we thank Akamai for their hospitality). It was as always a pleasure to meet readers and listeners, both at the booth and elsewhere at and around the Moscone Center.