UK “has cyber attack capability”…
Last week in England Lord West (Parliamentary Under-Secretary for Security and Counter-terrorism) indicated that the UK has the ability to launch cyber-attacks. Though his interview was very thin on facts and details, he made some interesting comments: that GCHQ (the British Government’s communications and information systems arm in Cheltenham, UK) has former “naughty boys” in its employ, and that:
“It would be silly to say that we don’t have any capability to do offensive work from Cheltenham, and I don’t think I should say any more than that”
Interesting indeed, but I’d have liked him to at least tell me something about what the government could do that the average hacker could not. Do they have more resources than the average botnet, for example?
The whole concept of cyber attack, when sponsored by a state entity against another nation, is a little grey at the moment. Dr Neil Rowe has written a series of interesting papers on the subject, notably on the concept of “War Crimes from Cyberweapons”, where he raises the idea that the nature of cyber war puts it on very shaky ground: cyber attacks typically affect civilian populations more than the military (as they are the soft target), and the international laws of the conduct of war (the Hague Conventions of 1899 and 1907, and the Geneva Conventions of 1949 and 1977) generally forbid disproportionate attacks against civilians.
If you think the concept of fighting a war ‘legally’ is obscure, consider the number of people prosecuted and imprisoned because of their behaviour related to The Holocaust, or the Serb leaders imprisoned because of their behaviour during the Estonia/Croatia hostilities.
There have been few, if any, events attributed to nation-based cyber attacks. The suspect list can be found on Wikipedia, but in short no nation has ever openly admitted attacking another through this means, though nations such as Estonia have been severely ‘cyber-attacked’. Most attacks have been attributed to organised hacking gangs or political groups, so though a nation was attacked, it was not directly by another (though the ‘attacking nation’ may not have cared too much to prevent it).
In John Arquilla’s paper, provocatively titled “Cyberwar Is Coming!”, he outlines possible scenarios that such an attack could follow, and how the increasing reliance on communications and technology in conventional warfare opens up more and more reasons to engage in cyber war as a primary objective. John also raises the interesting point – how do you establish coalition forces in cyberspace?
You can see the whole topic is interesting, yet ill-defined. One final jewel is that the USA and Russia are at this time negotiating the concepts of a “Treaty for Cyberspace”, according to John Markoff at the NY Times. The USA is pushing for simple cooperation between international law enforcement groups (a defense-based strategy), and argues that a treaty is unnecessary.
An “unidentified” USA state official went so far as to say:
“We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”
Russia, interestingly, favors something much more robust, along the lines of the treaties negotiated for chemical weapons: banning the use of cyber weapons on noncombatants, banning deception operations (preventing a nation state from performing cyber attacks in a way that is not clearly attributable to it), and banning nations from secretly embedding malicious code or circuitry in technology that could later be activated in times of war.
To defend, or to attack, isn’t that the ultimate decision?