A a panel of security experts at the RSA Conference on Wednesday said there is a lack of agreement on a definition of cyberwarfare and of the tools used to fight them.
“Words matter and it’s important to have definitions. But one of the challenges is the pace of innovation gets in front of doctrine and law. Only a few years ago the notion of warfare in cyberspace would be akin to if something blows up or a digital Pearl Harbor. But what we have seen over the years is that the future warfare between two enemies might be only the targeting of data, information or it might be financial based,” said panelist Oren Falkowitz, CEO and co-founder of Area 1 Security.
Gary Brown, professor of cyber security at Marine Corps University said this dynamic presents a different context for cyberwarfare.
“As we go forward and as the lawyers debate what the traditional outlines of what cyber weaponry are, we are moving beyond the type of incident we had with Stuxnet. Cyberwarfare involves the targeting of data or information,” Brown said.
Modern-day tactics when it comes to launching an attack, they say, are radically different than the grandfather of digital weapons Stuxnet used six years ago. Today attacks can be launched between two nations without concrete knowledge of a direct assault or attribution as to who is behind them. And the tactics used, by comparison to Stuxnet, are mundane, and could include something as rudimentary as an effective phishing attack, Falkowitz said.
“It’s important to define things in the field, not just for the many legal reasons, but because in this area we are still setting expectations between states. One of the things that is important when it comes to international relations is making sure states understand what the other nation is trying to do. We debate all the time did this act cross some threshold into an armed conflict. So it’s important we have some shared understanding,” Brown said.
The traditional definitions put forth by the Tallinn Manual on the International Law Applicable to Cyber Warfare written in 2012 have lost a bit relevancy when it comes to defining what cyberwarfare is today, Brown said. Espionage, theft of data and attacks on financial institutions by unknown adversaries are aren’t acts of war, but become part of a cyber operation as one state fights another, said Roy Katmor, co-founder and CEO of enSilo.
In Israel, cyber attacks against an adversary are considered part of the cyber operations, Katmor said. Instruments used in those cyber operations include what many considered tools of espionage, not strictly cyber weapons that attack physical assets, he said.
But identifying cyberwarfare and weapons is not just a game of semantics. Panelists agree common definitions of what cyberwarfare is helps define the tools needed to fight them.
“There is not a great need for people to have these elaborate (hacking) toolkits. Ninety-seven percent of all cyber incidents start with something as basic as a phishing attack,” Falkowitz said. So how does that shape how one nation state wages cyberwarfare against another?
Today cyberwarfare is less about targeting “things” with weapons, and more about affecting and undermining systems, Falkowitz said.
The bonus of keeping attacks simple and effective, it makes the arduous task of assigning attribution to cyber weapons or assaults even more difficult. An attack that uses a commodity malware with a generic power-shell command-and-control could be perpetrated by any number of criminal actors. That makes it almost impossible to understand the intent of the attack as opposed to having a digital fingerprint traceable to a nation state attacker, Katmor said.