The CSS Blog Network

Why Cyberattacks Don’t Work as Weapons

Image courtesy of Pexels/Pixabay

This article was originally published by ETH Zurich in the Zukunftsblog on 18 January 2018.

Cyberattacks must also be understood as a phenomenon of political violence and combated as such, says Myriam Dunn Cavelty.

Digitalisation will fundamentally alter many aspects of our lives – in many cases for the better. However, our increasing dependence on computers and networks for data exchange and storage is creating new vulnerabilities for both individuals and society. The key word here is: cybersecurity. This encompasses more than just technical solutions: it involves not only security in cyberspace, but also security that is influenced by cyberspace.

Cyberattacks in political conflicts

It is only very recently that those of us conducting political science research have been in the position to systematically examine cyberattacks as a phenomenon of political violence – simply because the number of cases is increasing. We see that cyber operations are a “normal” side effect of political conflicts of all kinds. Both state and non-state actors use cyber activities to intervene in conflicts in various ways.

Attackers cannot be punished

Testing the technical and political effects of cyber operations in various contexts is attractive to both state and non-state actors, as the costs are relatively low and mostly indirect. The targets have exploitable technical vulnerabilities and insufficient security measures, while victims often find it difficult to assign a clear attribution (specifying the perpetrator) and thus punish the attacker. This is why we are seeing more, and particularly more spectacular, cyberattacks. However, these attacks are often restrained: as rational actors, states are not interested in uncontrollable escalation.

Are cyberattacks a justification for war?

At the same time, efforts to develop rules of behaviour have intensified in order to reduce the remaining danger of escalation. An international consensus has developed that only cyberattacks that cause a high level of destruction equivalent to a kinetic military attack should be viewed as a reason for war. We can also see that the US seeks to regulate the cyber activities of states such as Russia (electoral manipulation) and China (industrial espionage) using the classic instruments of international politics, such as diplomatic negotiations, bilateral agreements and sanctions.

Cyberattacks unsuitable as weapons

The most important point, however, is the awareness that cyberattacks only have a limited use as instruments of destruction – as weapons. Only a short while ago, strategic “cyberwar” was considered as the central threat; a virtual attack out of nowhere (e.g. against a power supply) that would bring a state to its knees.

The reality looks a little different: the difficulties of achieving controllable effects and causing actual violence by means of cyberattacks mean that cyber methods are above all suited to protest actions of various kinds. They aim to cause confusion and influence a population’s opinions. They are also well-suited for espionage, for (with a bit more effort) local sabotage and – much less frequently – as preparatory or disruptive measures in the course of “traditional” military operations.

What does this mean for the digital future?

Fears of a digital meltdown are unfounded. However, a wide range of actors are already using digital networks to achieve strategic goals against the will of other actors. This means that digitalised areas must guard against deliberate interference – because the more connected things become, the more potential targets there are.

In the future, an even better understanding of the motivations of political actors will be necessary. We must analyse how and on what basis they make their decisions and what role digitalisation plays. In this way, we can utilise technical solutions to influence political incentives through international norms, so that confidence in the technical opportunities of the future will be possible despite the strategic exploitation of cyberspace.


About the Author

Myriam Dunn Cavelty is a senior lecturer for security studies and deputy for research and teaching at the Center for Security Studies (CSS).

For more information on issues and events that shape our world, please visit the CSS website.

Game Changer – Cyber Security in the Naval Domain

Image courtesy of TheDigitalArtist/Pixabay

This article was originally published by the Institute for Strategic, Political, Security and Economic Consultancy (ISPSW) in January 2018.

Summary

The systems and networks naval forces must protect are complex and large in size. Ships are increasingly using systems that rely on digitization, integration, and automation. Offensive actors understand the naval reliance on communications, ISR, and visualization technologies, and perceive them as vulnerable to disruption and exploitation. Cyber has been moving from a supportive to a rather active role within an operational force. With today’s rapidly evolving threats, naval forces are well advised to develop a sense of urgency not only to develop cyber resilience capabilities that will enable them to “fight through”, but also cyber warfighting capabilities as these will be particularly valuable when they can be delivered reliably and in concert with other capabilities.
» More

Countering Russian Information Operations in the Age of Social Media

Image courtesy of Anton Fomkin/Flickr. (CC BY 2.0)

This article was originally published by the Council on Foreign Relations (CFR) on 21 November 2017.

As investigations into attempts to influence the 2016 U.S. presidential election continue, more aspects of Russia’s approach to information warfare are coming to light. A steady stream of new disclosures is revealing a complex blend of hacking, public disclosures of private emails, and use of bots, trolls, and targeted advertising on social media designed to interfere in political processes and heighten societal tensions.

» More

The UN GGE is Dead: Time to Fall Forward

Image courtesy of lost placees/Flickr. (CC BY 2.0)

This article was originally published by the European Council on Foreign Relations (ECFR).

The top down UN GGE process appears dead in the water. International norms and laws for responding to cyber attacks must now be built from the bottom up.

Rules must be binding, violations must be punished, and words must mean something. The UN GGE failed on all three accounts.

In 2004, the United Nations established a Group of Governmental Experts with the aim of strengthening the security of global information and telecommunications systems (UN GGE). To date the UN GGE has held five sessions, which are widely credited for successfully outlining the global cybersecurity agenda and introducing the applicability of international law to state behaviour in cyberspace.

However, during the UN GGE’s fifth session in June 2017, fundamental disagreements emerged between the Group’s 25 members, particularly on the right to self-defence and the applicability of international humanitarian law to cyber conflicts. In the end, the fifth and possibly last session concluded without the release of a consensus report. With no plans to pick up the pieces, the question now is, where do we go from here?

» More

The ARF Moves forward on Cybersecurity

Courtesy of Max Elman/Flickr. (CC BY-NC-ND 2.0)

This article was originally published by Pacific Forum CSIS on 16 May 2017.

The Wannacry virus that attacked computers around the world last week is one more reminder of the growing threat posed by vulnerabilities in cyberspace. Over 100,000 networks in over 150 countries were infected by the malware; the actual ransoms paid appear to have been limited, but the total cost of the attack – including, for example, the work hours lost – is not yet known. Experts believe that this is only the most recent in what will be a cascading series of attacks as information technologies burrow deeper into the fabric of daily life; security specialists already warn that the next malware attack is already insinuated into networks and is awaiting the signal to begin.

Cyber threats are climbing steadily up the list of Asia-Pacific security concerns. Experts reckon that cyber crime inflicted $81 billion in damage to the Asia Pacific region in 2015 and the number of such incidents is growing. Online radicalization and other content-related issues pose expanding threats to the region, challenging national narratives and in some cases undermining government legitimacy and credibility. The networks and technologies that are increasingly critical to the very functioning of societies are vulnerable and those vulnerabilities are being distributed as regional governments are more intimately connected and more deeply integrated in economic communities. One recent study concludes that an ASEAN digital revolution could propel the region into the top five digital economies in the world by 2025, adding as much as $1 trillion in regional GDP over a decade. This growth and prosperity are threatened by proliferating cyber threats.

» More

Page 1 of 8