In Cyberwar, There Are Some (Unspoken) Rules
A recent article argues that the lack of legal norms invites cyberconflict. But governments know the price of overreach and are refraining from unleashing their full capabilities.
Tarah Wheeler’s recent Foreign Policy article “In Cyberwar, There Are No Rules” highlights the absence of norms governing aggressive actions in cyberspace as a potential cause of conflict within this domain. While the author is correct that the international community continues to struggle with the development of norms to regulate behavior in cyberspace, it doesn’t follow that the domain is completely anarchic. Over the past decade, publicly disclosed cyberoperations have appeared to surface a set of implicit rules that restrains state actors from employing cybercapabilities with the potential for widespread disruption. These rules are derived from the strategic realities that serve to temper how cyberoperations are deployed.
Cyberoperations do not occur in a vacuum; interactions take place within the context of preexisting strategic relationships and form part of any actor’s larger campaign in pursuit of its strategic objectives. The employment of cyberoperations is thus subject to long-standing political, economic, and military considerations—one of which is the need to minimize unintended and costly conflict among the parties involved.
A review of cyberoperations from 2000 to 2016 reveals an interesting pattern. Barring the large number of espionage-type operations, the remainder have been largely disruptive rather than devastating. Most involve website defacement or distributed denial-of-service attacks; these are quickly contained and remedied once discovered and don’t represent the sort of cyber-Pearl Harbor incident that remains pervasive in popular culture.
The few advanced and persistent operations that managed to inflict physical damage are, for the most part, inconsequential and, to an extent, counterproductive. The Stuxnet virus did not deter the Iranian regime from pursuing its nuclear program but instead led to increased investment in its offensive cybercapabilities. Similarly, the assault on the Ukrainian power grid did not result in a tangible shift in the nature of the conflict on the physical battlefield.
These examples are not intended to suggest that state cybercapabilities are ineffectual or to question the inherent vulnerability of cyberspace. In truth, states have become more skilled in employing these instruments over the past decade and have developed increasingly complex means with which to exploit vulnerabilities.
The point, rather, is that the need to manage the risk of escalation weighs heavily on any state actor’s decision to act in cyberspace. Moreover, as in the domain of conventional war, uncertainty abounds. And issues concerning attribution and intent become more salient within this virtual space.
Unlike conventional instruments, cyberoperations do not come with a return address. Technical evidence such as an IP address provides victims with a possible source but not necessarily the identity of the attacker. Furthermore, the presence of certain artifacts does not confirm the intent of the aggressor. Malicious code for use in espionage can just as well be employed as a first step for later, more damaging operations. Taken together, these factors would seem to encourage instability within cyberspace, as Wheeler argues. However, when viewed through the lens of preexisting strategic interactions and interests, the opposite may in fact be true.
Attribution becomes less of an obstacle when judgments are informed by tactical and strategic analysis. For instance, the appearance of individuals in unmarked uniforms carrying modern Russian weaponry in Ukraine were attributable to Russia, given the characteristics of these individuals as well as the surrounding context that preceded their appearance.
Different actors behave in a distinct manner that allows analysts—private threat assessment organizations and national intelligence services alike—to identify and classify individuals and groups. When analyzed alongside the prevailing political, economic, and military environment, both the identity and intent of the supposedly nonattributable actor usually become clearer.
The intent of those deploying Stuxnet limited the pool of suspects to those with both the intent and the capabilities to execute this operation. Without the benefit of anonymity, aggressors are less inclined to engage in activities that significantly alter the current military balance for fear of provoking the opposite party.
For example, the long-running series of defacements and denial-of-service operations between India and Pakistan reflects this dynamic. Given the stable nature of this rivalry, both sides have opted for a tit-for-tat approach with respect to disruptive behavior. The defacement of an Indian website is met with the defacement of a corresponding Pakistani website in a matter of days with neither side opting for a more vigorous response to the provocations of the other.
The aftermath of Stuxnet prompted Iran to act more aggressively in cyberspace in the years following its discovery, but Tehran’s operations did not do much damage. Furthermore, with states reserving the right to respond with conventional military means to cyberthreats, the necessity for restraint becomes even greater.
Because decision-makers know the risks, cybercapable states routinely punch below their weight or decide to employ cyberoperations in a limited manner. A review of cyberoperations from 2006 to 2016 highlights that despite the advancements of numerous actors, operations capable of causing physical damage are limited. More recently, the announcement that the United States would deter Russia from interfering in its midterm elections by calling it out rather than using more aggressive means underlines this point.
This applies to the targeting of critical infrastructure, such as power grids and water treatment facilities, managed by industrial control systems that are demonstrated to be vulnerable to relatively simple exploits. When a state decides to target industrial controls, it does so with a specific intent that is informed by its strategic objectives. These objectives are discernible through its actions in other domains. These constraints even apply to perceived rogue states such as North Korea.
A review of North Korean cyberoperations from 2008 to 2014 illustrates that most of Pyongyang’s attacks caused low-level disruptions to private and nonmilitary systems of adversaries, which include the United States, Japan, and South Korea. In addition, these often coincided with significant historical, political, or military events. The same is true in the case of Iran. The nature and timing of these incidents is telling, as a similar pattern is observed with respect to the physical domain. North Korean behavior, barring its invasion of South Korea in 1950, has not been severe enough to invite a massive response. Provocations such as missile tests or the shelling of a South Korean-held island have invited international condemnation or a limited military response—but no more and with limited impact on North Korean behavior.
Although the 2014 Sony Pictures hack, which leaked confidential information and later involved physical threats against cinemas that screened The Interview, may appear to be a departure from this behavior, the operation did not disrupt the current strategic balance between North Korea and its adversary, in this case the United States. Nor did the U.S. government seem to think the hack merited a more vigorous response other than the recent complaint filed by the U.S. Justice Department. For the most part, the intent of the Sony hack appears to have been meant to signal the North Korean regime’s displeasure through a display of its prowess in cyberspace but no more. Even with the more recent WannaCry ransomware attack, its effects, while broad in scope, had no lasting strategic implications that might have resulted in escalation.
Countries that have invested significant resources in cyberspace don’t lack the ability to act more effectively within this domain. They are making a conscious decision to rely on less sophisticated operations based on their strategic calculus—the same calculus that leads a government such as North Korea’s to employ violent rhetoric and limited military operations to signal its displeasure without risking direct confrontation.
If critical industrial control systems are so easily compromised, one would expect governments to target these vulnerable systems more frequently rather than resort to mere disruption. While reports do suggest that North Korea has the capability to disrupt critical infrastructure such as power grids, acting on this is another matter altogether—much in the same way that having significant conventional military power does not merit its immediate use. There would be grave consequences.
Cybercriminals and script kiddies may see in these vulnerable systems an opportunity for profit or mischief. But attributional analysis that looks beyond technological features and includes tactical and strategic attributes can help distinguish between state-associated and independent criminal actors.
There is a vast body of experience in dealing with cases of cybercrime. While the corresponding institutions and legislation are far from perfect, they do offer a course of action if actors are classified under this category. Subjecting state-associated actors to this form of punishment, however, may not be as effective in deterring malicious behavior in this domain. Previous indictments against Chinese hackers appear to have had limited effect in deterring economic espionage. It is too early to tell if recent legal actions against North Korea, Russia, and China will have any noticeable effects in cyberspace.
Wheeler correctly presents cyberspace as a vulnerable domain that continues to lack a set of norms that regulates aggressive tendencies. But that doesn’t mean that state actors will immediately take the opportunity to fully exploit this situation to further their interests. They are acutely aware of the consequences of overly aggressive cyberoperations and therefore actively attempt to limit the impact of their activities by either narrowing the scope of their operations or resorting to techniques that do minimal damage and are easily contained.
Miguel Alberto N. Gomez is a senior researcher at the Center for Security Studies at ETH Zurich. Twitter: @mgomez85