A cyber conundrum for Ukraine (and beyond)April 3, 2016
Knowing so little about the workings of the cyber world, during a discussion initiated by a boffin from Oxford University at the recent Odessa Security Forum gathering this blog was taken into a world it hardly comprehends – at least on a technical level.
The cyber threats however are not beyond recognition even for those without any particular technical knowledge of how things are actually achieved. Thus policy and strategy, despite no technical knowledge or ability, are not beyond the realms of pondering (even for the most technologically ignorant such as this blog).
Whether it be something approaching a temporary national convulsion as experienced by Estonia in 2007, with banks, the parliament, and broadcasters being downed, or the disruption of technical operations in conventional warfare experienced by Georgia in 2008, or the physical infrastructure damage such as that caused by the Stuxnet worm in 2011, or system wide computer malfunctions experienced by Sony in 2014, or the 2016 hack of the Ukrainian power grid, there would appear to be an empirical trend of escalation – or “pushing the envelope” to use the Tom Wolfe idiom. (It is perhaps a blessing that so old and ignored is Ukrainian infrastructure since independence that manual systems still exist to rectify matters swiftly.)
Directly or indirectly lives may have been lost through such acts, perhaps deliberately so on the battlefield, and perhaps as a consequence of downing power grid (or other) infrastructure.
The above incidents are employed to simply display a perception of escalation – there are numerous public domain incidents that could have been cited, and undoubtedly even more incidents remaining without the public domain that could have been used that may have already led to the loss of life.
All of which leads to the especially difficult question regarding what, exactly, will be the threshold for a cyber act that is deemed an act of war? Particularly so when such acts can be far more easily and deniably outsourced to non-State entities by the State?
Clearly those attacking any system have the advantage over those trying to defend it. There is no such thing as 100% security – on line or off line. Where there is a will there is a way with sufficient skill, determination, time, or money – or a combination thereof.
How do those on the receiving end recognise the difference between espionage (which all States engage in) and what is an attack (which perhaps not all States currently have the capability for) that will leave behind something nasty and that in the months ahead bring down critical defences and/or infrastructure?
Yet further, how easy would it be to misinterpret intent or miscalculate effects? How to judge the proportionate response – at least in a timely manner?
Despite the media and some officials (who should perhaps know better) having irrevocably dubbed The Kremlin war upon Ukraine a “hybrid war”, it is not a label this blog has, does, or will employ willingly or comfortably. It is a war on many fronts, hard and soft, diplomatic and military, economic and social etc – but none of that is new, nor historically are their simultaneous use.
That said, there is an empirical convergence of cyberspace and terrorism. There is an empirical convergence of cyberspace and organised crime – indeed with some States it is not always easy (if at all possible) to separate the State from organised crime, or organsised crime from the State. There is an empirical convergence of cyberspace and geopolitics. All of which leads to the empirical convergence of the space between war and peace – and ultimately what will be deemed and act of war – or not?
There will never be an international law that bans espionage – because every State engages in it. Domestic statute will predominantly deal with those caught engaging in espionage against the domestic interest, but will not ban the practice against others. Espionage, war and prostitution are probably the oldest recorded professions of the human race. All will continue to be engaged in.
Ukraine has no shortage of highly skilled IT professionals. It is the number one IT outsourcing nation for companies within the European continent. It has an incredibly high number of Microsoft and Apple certified programmers as well as programmers fluent in all those languages this blog simply does not care to understand (C++, Java and a dozen others no doubt). Ergo on the other side of that IT coin, there are hundreds of thousands of hacker, black net, black hat, malware, and adware capable individuals. If they are capable of that, they are capable of more strategic efforts too – either in the more difficult realm of defence, or in the easier realm offensive.
It is perhaps one of the few spheres where Ukraine can mitigate the Kremlin escalation dominance with equal potency.
Undoubtedly Ukraine has a policy for cyber issues. It will thus have a strategy (although implementation will probably be problematic as Ukraine seems unable to implement most of its policies effectively). Quite what the national definition of a cyber incident is that classifies a cyber act as an act of war, who knows – and perhaps ambiguity in the public realm is the best option anyway, for is it even possible to make strict definitions in a cyber environment where technology and complexity changes so swiftly?
With regards to Russia it perhaps matters not, for The Kremlin is already engaged in a war against Ukraine across all of the more traditional fronts. As the war The Kremlin is waging upon Ukraine, it is clearly a war of exhaustion. Thus as all fronts will therefore remain open for many years to come, cyber attacks will be a reoccurring theatre – yet it is a theatre that Ukraine has the ability to engage in with equal measure – putting to one side the issue of espionage. (On the subject of espionage, Ukraine would perhaps be better working on the basis that is has no secrets such is the level of infiltration.)
One may wonder therefore whether Ukraine is proactively recruiting (either overtly or covertly) its best and brightest IT techies, and if so whether that is enough to keep Kremlin cyber attacks to a minimum in the knowledge that it is perhaps one of the few areas that it would not hold clear dominance?