Living in the Age of Cyber Attacks and Cyber Warfare


If you asked the average person on the street about cybersecurity and cyber warfare, they would probably say they don’t know much about it other than the fact that it involves computers. In fact, for anyone outside of the cybersecurity industry, the closest thing to cyber warfare that they may have experienced is watching the movie War Games or the fourth installment of the Die Hard series, Live Free or Die Hard. While those movies had a profound impact on the lives of the characters in the script, the audience probably thought it was merely fiction, not fully based on fact. In Live Free or Die Hard, John McClane (played by the indefatigable Bruce Willis) attempts to stop a domestic cyber-terrorist who is acting out a vendetta against the United States. The cyber-terrorist succeeds in launching an online attack that overloads and destroys a power grid, leaving much of America’s East Coast in darkness. When I first saw this movie, I was curious if an attack like that was really possible; however, most people around me just labeled the movie as “Hollywood’s overactive imagination”. With cyber attacks literally having the ability to affect lives in a nanosecond, it is vital that everyone understand what cyber attacks entail, the impact of these cyber attacks on a domestic and international scale, and what to expect in the future while living in a world dominated by virtual experiences.
The scary thing is that attacks like that are very real and pose an imminent threat to the U.S. and its allies. In fact, after viewing the movie War Games in 1983, President Ronald Reagan tasked his advisors with finding out if hacking into national security systems was a legitimate threat. He wondered this after seeing Matthew Broderick’s character in War Games accidentally hack into NORAD’s computer and play a deadly game of chicken with the computer that controlled America’s nuclear arsenal. Surprisingly, President Reagan’s advisors told him that it was definitely possible and that America’s adversaries already had a head start. However, from 1983 through 2008, policymakers shied away from making significant strides in the creation of cyber war doctrine, leading to an open playing field where anyone can play. It wasn’t until the release of the White House’s International Strategy for Cyberspace in 2009 that the United States realized it needed to have an obvious presence in cyberspace to maintain a balance of world order within the virtual world. With cyber warfare literally having the ability to affect lives in a nanosecond, it is vital that everyone understand what cyber attacks entail, the impact of cyber warfare on a domestic and international scale, and what to expect in the future while living in a world dominated by virtual experiences.
So what exactly does a cyber attack look like? Well, Hollywood wasn’t that far off when they made War Games and Live Free or Die Hard. Anyone who knows what a hacker is will probably tell you that they envision a cyber attack coming from some geeky kid who doubles as a computer genius, hacking into the servers of the Pentagon so that he can somehow manage to give himself an ‘A’ in high school English. While all this may sound implausible, it is most definitely a scenario that can happen.
As I began my research, I knew that I needed to start with the basics and identify what exactly a cyber attack is. The only problem with that is that there are different definitions. The National Research Council, commissioned by the U.S. to study cyber attacks, defined the term as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.” (Singer & Friedman 2014, pg. 68) Cyber attacks come in all different forms from a variety of sources, also known as actors in the cyber realm. The majority of cyber attacks can be categorized into five types of tactics: espionage (secretly and illegally copying vast quantities of computer data or network communications); propaganda (digital information that may or may not be true, whose simple purpose is to influence); denial-of-service (denying the use of computer resources to legitimate users); data modification (legitimate users may make important decisions based on maliciously altered information); and infrastructure manipulation (infrastructure hardware is connected to the Internet and therefore susceptible to change). (Geers 2008, pg. 3)
However, these cyber attacks are not limited to nation-states committing these crimes with government entities being the only target. These attacks come from a wide range of actors who have malicious purposes. Cyber actors range from hacktivist groups (hackers that initiate cyber attacks to further their own causes or beliefs) to the more serious state-sponsored hacking teams that conduct very serious cyber attacks, usually against other nations, in order to further the interests of their sponsoring country.
Through my research, I began to understand what constitutes a cyber attack but still did not understand why cyber attacks were not always considered acts of cyber warfare. The problem with cyber warfare lies within the definition and intent. Many acts of cyber warfare go unchallenged because countries differ in their definitions of what constitutes a cyber attack. The majority consider cyber attacks to be attacks against their government systems and infrastructure. However, with different country definitions and without an established definition from the United Nations, cyber attacks can continue without being regarded as cyber warfare. Many countries believe that cyber warfare constitutes the use of force or an armed attack, with the use of force being considered as any approach that may be met with an act of self-defense. (McGavran 2009, pg. 271) Additionally, the intent of a cyber attack plays a factor. Many cyber attacks, such as the OPM breach, are only used to obtain information that may play a role in a bigger scheme. Attacks that have malicious intent and are intended to destroy data or cause physical damage are within the realm of being labeled acts of war.
While it is important to know what cyber attacks are and the many forms that they come in, it is vital to understand the past impacts that these attacks have had on the United States and the rest of the world and the implications that future attacks hold. For the last few years, many countries have published various cybersecurity policies in response to the numerous cyber attacks that have been committed throughout the 21st century. Within those policies, nations have also included definition and intent statements on cyber warfare that addressed their ability to use cyber capabilities for information operations, cyber attacks, and electronic warfare. (Lewis & Timlin 2011, pg. 3) However, the majority of these cybersecurity policies only discuss the protection of government and critical infrastructure against possible cyber attacks. There are many instances where private companies are the target of cyber attacks, sometimes for political gain, and sometimes for gain of power in other spectrums. For example, Sony Entertainment Pictures was the target of an attack led by hackers sponsored by North Korea in retaliation for Sony’s release of a movie deemed unfavorable by North Korea. Among the information that was seized, the hackers released internal emails among executives, upcoming films, and employee health records. (Haggard & Lindsay 2015, pg. 2) While this attack was not directed at the U.S. government, it was intended to scare the American public. This attack was successful as what is known as psychological operations, or psyops. These psyops aim to degrade the morale and well-being of citizens and to spread false information and fear through social media and news outlets.
Attacks such as the one on Sony bring into question the ethics of cyber attacks on civilians. There are those who believe that cyber attacks have not taken lives or led to declarations of war and therefore any attacks that involve civilians are considered fair game. However, these attacks are not victimless. In 2015, the Office of Personnel Management (OPM) discovered that its systems were breached and the personal information of over 22 million people was reportedly accessed. That information included personal addresses, social security numbers, and background investigation records. Now, the virtual lives of 22 million people were in the control of unknown hackers. (Castelluccio 2015, pg. 1) However, these two incidents drew different responses out of the U.S. government. With sufficient evidence from the Sony hack that pointed to North Korea, President Obama issued new sanctions against the country. However, this was largely symbolic since there were already numerous sanctions against North Korea. In contrast, the OPM hack was allegedly conducted by Chinese-sponsored cyber actors. The problem with labeling China as the alleged mastermind behind the OPM hack lies with attribution. Within the cyber realm, attacks can travel through various source points and can be made to appear to originate from any country the attacker wants. Proving that a hostile act came from a certain country can be a fruitless effort. Furthermore, there is another attribution dilemma. Countries have to weigh the potential gains versus the potential losses of pointing the finger at the alleged attacker. (Singer & Friedman 2014, pg. 75) This is why the United States did not go so far as to force China to accept responsibility for the OPM attack. The U.S. deemed its relationship with China too important to upset the balance. The impacts from cyber attacks will be felt for many years to come.
Now that I fully understand the impact of these cyber attacks, it is time to focus on the most challenging part: determining what is next in this world of cyberspace. One of the biggest challenges facing the cyber realm is the lack of laws governing cyber attacks. The United Nations will need to determine various courses of action to meet the wide variety of cyber attacks that are committed. Cyberspace treaties can benefit many nations, most notably the United States. With the U.S. seen as a superpower and claiming superiority in many national defense and technological advances, it is often the target of relentless cyber attacks, including the theft of intellectual property. According to the Intellectual Property Commission Report sponsored by The Commission on the Theft of American Intellectual Property in 2013, approximately $300 billion is stolen each year through various means of cyber attacks and espionage (Blair & Huntsman, pg. 11). With increased international cyber policies, there is a greater chance to hold countries responsible when they commit a cyber crime.
Additionally, companies and individuals can reduce their chance of being susceptible to cyber attacks. One of the most important aspects of maintaining vigilance in the cyber realm is education about these cyber attacks. The individual consumer of information technology, that is, anyone with Internet access, can no longer live in a world of ignorant bliss when it comes to cybersecurity. With a shift in attitude and becoming educated, cybersecurity can help ensure the protection of companies and their personnel. Stricter security initiatives such as two-factor authentication and basic encryption of important documents can go a long way in maintaining cyber vigilance. (Singer & Friedman 2014, pg. 244) Another way to be more secure in this cyber world is to be mindful of your presence on social media. In this age of connectedness, sharing too much can possibly bring about your downfall. Methods such as social engineering are extremely effective in gathering information to later use for malicious purposes, and the victim doesn’t even realize that they have been exploited until it’s too late. Social engineering has been employed for decades to gather information on individuals for others to gain access to guarded information. While these steps cannot guarantee 100 percent safety while in cyberspace, they certainly will go a long way in aiding your protection while interacting in your virtual world.
Although it may be a lot of information, it is important to be educated about cyber attacks. Living in a world dominated by technology is our Achilles heel. It can be a powerful tool to improve our lives, yet it can cause the world to come crashing down if we don’t protect our information.


