Most definitions of cyber warfare include elements such as politically motivated acts, cyber espionage and cyber sabotage. Typically, cyber warfare actions include those intended to disrupt or take down critical infrastructure such as the power grid, water supply, transportation system, financial system, communications system, military capability, or the internet. There do not need to be any human casualties for activities to be regarded as cyber warfare.
The theft of commercial intellectual property, or industrial espionage, can also be regarded as cyber warfare if the intent is to achieve political rather than economic aims.
Cyber warfare actions can be either offensive or defensive. It is no secret that many states (including most NATO countries) have developed offensive cyber capabilities, as a tactic to be used to disrupt an enemy in a larger conventional warfare effort.
Cyber attacks can be performed with limited resources, and the attacker is often difficult to identify (what is known as the attribution problem). The cyber field offers the first time in history that an individual or small group with limited resources has the power to cause significant infrastructure damage to another country regarded as an enemy, power previously only available to nation-states. Defenders need to protect all parts of all infrastructure systems at all times, whereas attackers only need to find one weak point. Cyber warfare is asymmetric in this regard – resources required for defence far outweigh those needed to attack.
A cyber offensive with corresponding conventional warfare actions can be commenced by one country against the infrastructure of another country, such as during the 2008 South Ossetia war between Russia and Georgia. Within the Middle East, cyber actions are likely to be an element of all major conventional initiatives going forward. Country-against-country cyber actions require the offensive nation to seriously consider the repercussions. This may restrain countries such as China, Iran and North Korea from going much beyond exploratory cyber espionage levels of penetration testing and eavesdropping.
The relative ease with which skilled individuals can undertake cyber actions means that cyber offensives, on their own and without a corresponding conventional warfare element, can be undertaken by relatively small groups of motivated individuals. There are a large number of small groups in various parts of the world with sufficient motivation and cyber capabilities. Hacktivist groups, or rogue elements within these groups, could also be motivated to undertake more drastic disruptive cyber offensives targeting infrastructure systems. There are certainly sufficient numbers of skilled individuals, bright enough and adequately motivated, to attempt major cyber disruption against a country they regard as their enemy.
Many cyber attacks occur every single day. The weapons of the cyber warrior include, inter alia, malware, hacking, spear phishing, botnets, and DDoS. The introduction of mobile devices and BYOD to the electronic system expands the attack surface and makes some attack vectors far more vulnerable. Stuxnet and its related variants Duqu and Flame are examples of malware recently deployed. Generally they include elements of keylogging and command-and-control capabilities. Stuxnet is widely believed to have been a joint US-Israeli effort to set back the Iranian nuclear programme. One challenge of cyber weapons such as these is to bridge the gap that often exists between the computer system that has been successfully infected and the system that controls the infrastructure. It appears Stuxnet accomplished this successfully. The Shamoon virus is understood to have attacked and disabled 30,000 PCs in the Saudi Arabian state oil company, Aramco.
We are certainly in a new era of warfare, with the potential for mass disruption from cyber actions. What are the probabilities of a successful cyber attack having a major impact on critical infrastructure and the economy during the next year or two?
US Defence Secretary Leon Panetta warns of a cyber Pearl Harbour. However, a major cyber event is only likely to lead to conventional military actions against a nation-state if it involves countries with existing tensions, such as in the Middle East. The most likely successful cyber attack against the West which causes major disruption to some infrastructure system will come not from a country, but from a small group of activists, perhaps operating out of several countries including the one attacked. Its effect will also be limited to the particular infrastructure disrupted. Perhaps a better term for this type of initiative is cyber terrorism rather than cyber warfare.
Cyber commando raids
Certainly, with the current number of attacks aimed at disrupting critical infrastructure attempted by politically motivated groups, it is simply a matter of time until one is successful in a major Western country. To use the military analogy, these attacks are more like cyber commando raids than conventional actions – a small group of crack troops disrupting a high-value target. All relevant parties – central government, military, enterprise, local government, the IT security industry – need to work more closely together in developing and deploying defensive mechanisms, such as engineering security into systems from the ground up to make them more difficult to attack. However, as we in the security industry know, it is difficult to build systems that are 100% safe, so the relevant parties also need to develop contingency plans for the crisis that will follow the inevitable success of one of these commando raids.