The Cold War concept isn’t outdated. In the decades since the fall of the Soviet Union, the battleground has simply shifted from conflicts between ideological proxy governments to cyberspace. And the opponents have grown from a few primary nations into a broad range of sovereign threat actors.
The question is, when does a cyberattack cross the line from a criminal action or mere prank to an act of war? Is it the nature of the victim? The nature of the attacker? The nature of the damage? Or a combination of them all?
To be sure, this is not a determination for cybersecurity professionals to make. Our role is to defend IT assets for our organizations by reducing risk, mitigating threats, remediating the situation after an attack, and generally trying to keep everything running safely and smoothly. It doesn’t matter whether we are facing a script kiddie trying to deface a website, a political hacktivist trying to make a statement, a cybercriminal trying to steal or ransom our data, or a state actor trying to steal confidential information. Our goal is to keep them out, and minimize the damage when they do manage to get in. The only thing that changes is how well-resourced and tenacious our opponents are.
Defining an Act of War
Oxford’s Reference Dictionary defines an act of war as: “An act by one nation intended to initiate or provoke a war with another nation; an act considered sufficient cause for war.” That’s a good definition, but it leaves some ambiguity when applied to the realm of cybersecurity. It focuses on intent, with the reason for the act being of primary importance; and it defines the perpetrator and target as both being sovereign states.
The Oxford definition raises a couple of questions. How do you treat acts of espionage (political, industrial or otherwise) in this context? Does infecting a country’s industrial machinery with a custom-designed virus that caused it to fail destructively count? What about infecting a government supplier and then leveraging that breach to intrude into your rival government’s agencies? Both cases have a massive impact on the rival state, though the intent was not to provoke a shooting war.
What about cases where the antagonist isn’t a state-sponsored organization, but is rather a criminal or activist organization that has state support? Does plausible deniability protect a government from the repercussions of those acts? The reverse is also possible, of course: An independent criminal or activist organization perpetrating an incident that’s perceived as being state-sponsored.
Historical examples, such as the SolarWinds breach that was discovered in December or the Stuxnet worm of a decade ago, were both major incidents with serious political and diplomatic repercussions. But neither led to war. Which is good. So far, incidents in cyberspace have not translated into a shooting war in the real world. But that may not always be the case.
What Crosses the Line?
With so much of the world’s infrastructure network-enabled and vulnerable to attack, it stands to reason that some actor, somewhere, could cross the line. An adversary could destroy vital infrastructure or cause an incident that led directly to the loss of many lives. The power grid. Air traffic control. Numerous other systems that are potentially vulnerable to attack might be the trigger that pushes a sovereign state over the edge into war.
Perhaps it’s fortunate, then, that civilian organizations aren’t legally, or ethically, permitted to “return fire” in the case of a cyberattack. In turn, military and intelligence organizations have shown the common sense to keep their reactions clandestine, or covert, on those occasions when they’ve been directly involved.
There is no doubt there is a Cold War of sorts going on in cyberspace. The players may have changed. There may be some ambiguity over who works for whom. And the targets have expanded. But it’s happening. Fortunately, it’s yet to cross the line and manifest in the real world as a hot war.
As cybersecurity professionals, our part remains what it has always been: to secure our organizations against cyberattack. If we educate our users and keep our processes and tools up to date, it won’t matter whether we’re attacked by a script kiddie or a foreign power. Our defenses will hold and, if they don’t, we’ll be in a position to clean up the mess.
Figuring out whether it was an act of war will fall to the politicians and diplomats – where it belongs.
Saryu Nayyar is CEO at Gurucul.