.
World War IV, Cyber War, digital Pearl Harbor or cyber 9/11—people talk about catastrophic scenarios in cyberspace, whereas academics and other experts point out that there is a danger in the overuse of the cyberwar rhetoric. But is the overuse premise still valid? What if recent events in cyberspace make it no longer correct? Should states brace themselves for the age of cyber warfare? Especially in the media, everything potentially related to cyberspace and state-actor violent behavior is being named cyber war. For example, we can find since the 90´s plenty of books on cyber warfare, cyber war, information war, etc., but no real act of cyber war to justify them. Not long ago, I would agree with the premise that this phenomenon is shifting the focus from real dangers like cybercrime, espionage or critical information infrastructure disruption. But for how long will cyber warfare will still stand for just a future concept of warfare? Bearing these questions in mind, I have identified some clues in the past few months, which can predict the change. The first is the recent hack on Sony, perhaps the biggest known corporate cyber attack in history. The hack itself is not interesting, nor the fact that it appeared to be an operation possibly conducted by a state actor, North Korea. The most interesting fact represents what happened after—the U.S. publicly imposed sanctions on North Korea in revenge for the Sony hack. This public attribution of the attack to North Korea is a watershed moment for how states handle cyber attacks. And another breakthrough could represent events that followed—9.5 hours of internet outage in North Korea. Whether it was conducted by the U.S. or not, the U.S. officially called the hacking of Sony a "serious national security matter” and considered “proportional response” to North Korea. In these cases, the U.S. may legally step up its active cyber defense posture—to destroy, nullify, or reduce the effectiveness of cyber threats and its approach can be also supported by e.g. the new NATO cyber defense policy which clarifies that a major digital attack on a member state could be covered by Article 5, the collective defense clause. It means that nowadays there is a shift in perceiving the significance of cyber attacks even if the cyber attack did not produce physical harm. The hack on Sony appears to have violated U.S. sovereignty and it may have also violated the customary international norm in the eyes of U.S. The second clue represents increased involvement of terrorists in cyberspace. Even if no devastating cyberterrorist attack has ever occurred it does not mean that cyberterrorism is not a significant threat. These days the jihadists and their supporters are investing a lot in development of encryption technologies—their own software to cover communication—and they have started experimenting with hacking (e.g. “Cyber Caliphate” and its cyber attack on TV5 Monde). It is a noteworthy change in the use of cyberspace by terrorists that shifts their limited activities from propaganda, communication and recruitment to more sophisticated usage of the cyberspace. Besides that, states have to be aware that the threat of a catastrophic cyber attack include emotional and psychological effects on populations. It is a matter of grave concern for states around the world because as we have already seen (e.g. Stuxnet or the case involving a German Steel Mill discovered in December 2014) cyber attacks could have a great material impact too. The last clue symbolizes the change the way states conduct military operations these days and the fact that almost each state builds its own capacities to conduct cyber operations. Anyone could have noticed an elevated activity in the cyber domain following the events in the Russia-Ukraine conflict, where there were several cyber attacks carried out. This could be perceived as a warning that cyber attacks will be more and more frequent during any kind of conventional conflict. An increasing number of states have recently included cyber defense in their defense planning and budgets, containing the development of offensive cyber capabilities, but taken with defensive purposes in mind. According to some states, we have already experienced the real acts of cyber warfare and it is very likely that more acts will follow. Now there is a change in how states perceive cyber attacks and how they handle cyber security and defense policy. In addition, states cannot underestimate the threat of cyberterrorism. While capabilities of terrorists to conduct cyber attacks are still in an early stage, they are evolving now more than ever. No country wants to be at a disadvantage, so more and more states are officially developing cyber defense capacities. Roman Packa works as a Cyber security/Policy specialist at the National Cyber Security Centre, National Security Authority (Czech Republic). He is primarily responsible for updating national cyber security strategy and holds the positions of National Liaison Officer in ENISA and OSCE national point of contact on on cyber security issues.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.

a global affairs media network

www.diplomaticourier.com

The Real Dawn of the Age of Cyber Warfare

June 22, 2015

World War IV, Cyber War, digital Pearl Harbor or cyber 9/11—people talk about catastrophic scenarios in cyberspace, whereas academics and other experts point out that there is a danger in the overuse of the cyberwar rhetoric. But is the overuse premise still valid? What if recent events in cyberspace make it no longer correct? Should states brace themselves for the age of cyber warfare? Especially in the media, everything potentially related to cyberspace and state-actor violent behavior is being named cyber war. For example, we can find since the 90´s plenty of books on cyber warfare, cyber war, information war, etc., but no real act of cyber war to justify them. Not long ago, I would agree with the premise that this phenomenon is shifting the focus from real dangers like cybercrime, espionage or critical information infrastructure disruption. But for how long will cyber warfare will still stand for just a future concept of warfare? Bearing these questions in mind, I have identified some clues in the past few months, which can predict the change. The first is the recent hack on Sony, perhaps the biggest known corporate cyber attack in history. The hack itself is not interesting, nor the fact that it appeared to be an operation possibly conducted by a state actor, North Korea. The most interesting fact represents what happened after—the U.S. publicly imposed sanctions on North Korea in revenge for the Sony hack. This public attribution of the attack to North Korea is a watershed moment for how states handle cyber attacks. And another breakthrough could represent events that followed—9.5 hours of internet outage in North Korea. Whether it was conducted by the U.S. or not, the U.S. officially called the hacking of Sony a "serious national security matter” and considered “proportional response” to North Korea. In these cases, the U.S. may legally step up its active cyber defense posture—to destroy, nullify, or reduce the effectiveness of cyber threats and its approach can be also supported by e.g. the new NATO cyber defense policy which clarifies that a major digital attack on a member state could be covered by Article 5, the collective defense clause. It means that nowadays there is a shift in perceiving the significance of cyber attacks even if the cyber attack did not produce physical harm. The hack on Sony appears to have violated U.S. sovereignty and it may have also violated the customary international norm in the eyes of U.S. The second clue represents increased involvement of terrorists in cyberspace. Even if no devastating cyberterrorist attack has ever occurred it does not mean that cyberterrorism is not a significant threat. These days the jihadists and their supporters are investing a lot in development of encryption technologies—their own software to cover communication—and they have started experimenting with hacking (e.g. “Cyber Caliphate” and its cyber attack on TV5 Monde). It is a noteworthy change in the use of cyberspace by terrorists that shifts their limited activities from propaganda, communication and recruitment to more sophisticated usage of the cyberspace. Besides that, states have to be aware that the threat of a catastrophic cyber attack include emotional and psychological effects on populations. It is a matter of grave concern for states around the world because as we have already seen (e.g. Stuxnet or the case involving a German Steel Mill discovered in December 2014) cyber attacks could have a great material impact too. The last clue symbolizes the change the way states conduct military operations these days and the fact that almost each state builds its own capacities to conduct cyber operations. Anyone could have noticed an elevated activity in the cyber domain following the events in the Russia-Ukraine conflict, where there were several cyber attacks carried out. This could be perceived as a warning that cyber attacks will be more and more frequent during any kind of conventional conflict. An increasing number of states have recently included cyber defense in their defense planning and budgets, containing the development of offensive cyber capabilities, but taken with defensive purposes in mind. According to some states, we have already experienced the real acts of cyber warfare and it is very likely that more acts will follow. Now there is a change in how states perceive cyber attacks and how they handle cyber security and defense policy. In addition, states cannot underestimate the threat of cyberterrorism. While capabilities of terrorists to conduct cyber attacks are still in an early stage, they are evolving now more than ever. No country wants to be at a disadvantage, so more and more states are officially developing cyber defense capacities. Roman Packa works as a Cyber security/Policy specialist at the National Cyber Security Centre, National Security Authority (Czech Republic). He is primarily responsible for updating national cyber security strategy and holds the positions of National Liaison Officer in ENISA and OSCE national point of contact on on cyber security issues.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.