LAS VEGAS — Uncertainty clouds the cyber domain. The ability to blur where attacks originated raises questions about how to strike back, while cyber weapons are changing the theory of deterrence.
Discussions swirl throughout the globe about whether cyberattacks constitute acts of war and whether they warrant a military response. In 2011, the Pentagon decided that they would.
“It’s very easy to say these things; it’s much more different to do these things,” Mikko Hypponen, chief research officer of Finnish cybersecurity and privacy company F-Secure, said at Black Hat USA, a hacker conference in Las Vegas running Aug. 3-8. “The reason why it’s so hard is basically one word: attribution.”
The origins of attacks in the cyber domain, particularly those of advanced persistent threats like nation-state actors, aren’t easy to pinpoint, making a decision to respond to a cyberattack with kinetic means, like missiles and bombs, more risky.
“How actually do you know who launched it? And if your enemy knows that you will respond with real-world attacks, the obvious tactic would then be that you mask your attacks to be coming from another enemy of yours,” Hypponen said. “Reroute your attacks through another country, make it look like it’s coming from someone else.”
As an example, Hypponen said that the Russians use the Mandarin Chinese version of Microsoft Word for malicious files in their APT attacks.
He also said that cyber weapons are “getting very close to the perfect weapon.”
“Cyber weapons are cheap, effective, and they are deniable,” Hypponen said
The lines may be shifting in nations’ response to cyberattacks. Hypponen used Israel’s airstrike on a building allegedly housing Hamas’ hackers in May as an example.
“The fact that attribution here wasn’t hindering the real-world response is important to think about; in this case, they knew perfectly well who they were fighting,” Hypponen said. “They had enough know-how, maybe insiders, who knew where these cyber operations were physically coming from ... For most cyberattacks, this is not the case.”
However, Hypponen concluded that because there are so many ways for hackers to avoid attribution, missiles should not be launched if the actor is only launching cyberattacks.
“The attackers ... can definitely figure out ways to bypass any mechanisms that we currently use for attribution,” Hypponen said.
“But when it’s part of a bigger conflict, then it’s pretty obvious what’s at play, who are the attackers and why they are doing what they’re doing,” he added.
No such thing as cyber deterrence
But bigger conflict comes with more significant challenges. Cyberwarfare differs significantly from traditional warfare, where adversaries know how many tanks, fighter jets or aircraft carriers an adversary has. Furthermore, nuclear powers have even stronger deterrence postures.
“The power in the tens of thousands active nuclear war heads on this planet right now is not in using them; it’s in having them,” Hypponen said.
It’s different in cyberspace, however, where 0-day vulnerabilities — weaknesses in programs or systems that only the hacker is aware of — aren’t visible. So countries don’t know the strength of adversaries’ capabilities.
“Cyber weapons ... haven’t had deterrence power so far because we have no idea who has what,” Hypponen said.
“There’s no deterrence power in weapons nobody knows about,” Hypponen said.
There is, however, one thing we know for certain, he said.
“We know that all developed nations are developing cyber defenses and cyber offenses," Hypponen said. “Everybody is doing this.”
Beyond that, in terms of the offense cyber capabilities of other countries, “we have no idea,” Hypponen said.
“So what kind of deterrence do these tools build? Nothing.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.