China’s success at perpetrating massive cyber-attacks against the United States – including arguably the biggest hack in history, the Office of Personnel Management raid – without any repercussions means cyber espionage is here to stay. It’s too easy, too effective, and too deniable to be stopped.
It’s fairly easy for hacker operations to pull off significant attacks. Aggressors are always one step ahead of defenders in the security game, and experts have warned for several years that the gap is growing. Some of the biggest data raids, including the one at OPM, didn’t even rely on techniques that most people would consider “hacking” in the traditional sense – the thieves acquired valid passwords and logged right into the system.
Some methods of electronic attack are very difficult to stop. An article at the Daily Dot traces the beginning of the modern cyber-war era to a massive Distributed Denial of Service (DDoS) assault on the Estonian government by “pro-Russian activists” in 2007. A network of nearly a million computers worldwide was controlled with malware and fused into a digital artillery battery, bombarding government and newspaper websites in Estonia with enough garbage data to make them inaccessible to legitimate users.
There is no question such cyber-attacks and data raids are highly effective, and they can be conducted with relatively little risk or cost. Even the large, well-supplied, highly coordinated cyber-espionage units maintained by China cost less than the conventional People’s Liberation Army units based around them.
DDoS attacks are very difficult to block pre-emptively; system administrators must fight back, as the Estonian government did in 2007, by identifying many of the million IP addresses attacking them and enlisting expert assistance to take them offline. Even NATO got involved, although they came up short of invoking Article V of the NATO treaty and classifying the incident as an attack on a member state.
As for suspicions that some of those “pro-Russian activists” were pro-Russian enough to be working for Moscow, such a connection was never conclusively proven, and the Russians were not helpful to the investigation. The deniability of cyber-espionage is unparalleled in the history of asymmetrical warfare. There’s never really been a case of state-directed computer espionage that resulted in any sort of “conviction” before a world court, or significant repercussions for the instigators. Most of the consequences could be described as mild political turbulence, even when counter-espionage experts are quite certain of the culprit.
The Daily Dot article notes that it’s not even clear what legal status a state-directed cyberattack has. Even massive headline-grabbing capers like the North Korean hit on Sony Pictures Entertainment and the OPM raid fail to “rise to the level of cyber-war,” according to experts.
In other words, computer espionage can inflict staggering amounts of damage – up to $100 million in costs for Sony, according to some estimates, and $350 million to U.S. taxpayers for the OPM breach, plus incalculable damage to American human-intelligence efforts – but these actions have not yet been defined as “acts of war.” One State Department official quoted by the Daily Dot speculated that even an outright attack on the U.S. power grid could evade classification as an act of war, provided no one died.
The old wisdom that nearly any sort of attack could be conducted against private companies without a significant government response is challenged by the OPM hack, which rocked the U.S. federal government to its core… and has also produced no significant response, beyond a bit of testy verbiage from President Obama. Most forms of aggression are deterred by fear of reprisal, but that hasn’t been a major factor in the ongoing First Cyber War.
There is some hope that this shadowy war might be ending, as the previous refusal of aggressor governments to investigate hacking attacks launched from within their sphere of influence gives way to working agreements on multilateral cyber-crime prevention. That’s the theory, anyway, but for the moment it remains mostly a matter of reassuring rhetoric, plus a bit of movement toward developing a firm international legal framework for dealing with computer espionage.
There seems to be growing recognition in bodies such as NATO and the United Nations that governments are using hacker proxies and mercenary data thieves, and the practice must be stopped. There isn’t much of a deterrent factor against low-level mischief, but at least everyone seems to understand a certain level of Mutually Assured Destruction exists with regard to apocalyptic cyber-attacks on national infrastructure.
The possible exception to that principle is the OPM hack, which was far worse than anything our government previously decided to treat as international misdemeanor vandalism – but no one died (at least, not provably and directly) and the damage wasn’t huge and immediate, the way messing around with a power grid or air-traffic control system would be.
Life on the digital frontier is a bit like living on the old Wild West frontier: if the rustlers show up and raid your homestead, you can yell for help, and a sheriff will ride in to help eventually. Then he’ll sit on his horse for a while, scratching his head, as he tries to figure out exactly what crime was committed, and who was responsible.
If the First Cyber War ends, it will be because the aggressors think they’ve built up more online value themselves than they care to risk, and find cyber-espionage treaties in their best interest. They’ve also got some ideas about how a more heavily policed Internet could work to their advantage.
Meanwhile, the U.S. government has its Cyber War successes as well – notably the Stuxnet virus that sabotaged Iran’s nuclear program in 2010. Everyone talks about putting their cyber-weapons down, but nobody wants to go first. No one is confident that an international regime of electronic espionage laws couldn’t be twisted against them. And if the cyber-war ever went hot, with all bets off and everything up for grabs, no one is confident of their defensive abilities measured against the value in data, property, and lives that could be destroyed.