The range of ferocious offensive cyber attacks by revisionist and rogue powers in recent years makes clear that the U.S. and its allies are fully enmeshed in the third generation of cyber conflict. Both the public and private sectors must elevate their responses accordingly.
The first generation of cyber conflict began in the mid-1980s, shortly after the ARPANET era gave way to the modern internet. The primary actors were the Cold War superpowers, sometimes assisted by their respective NATO and Warsaw Pact allies. This phase lasted through the late 1990s, with each side targeting the other's military and government networks for traditional state-on-state espionage.
The newly created cyber domain allowed them to augment decades-old signals-intelligence (SIGINT) collection – the passive interception of phone and radio communications – with active hacking operations that collected documents and data residing on sensitive systems, material that was never transmitted over the electromagnetic spectrum at all. This new capability ushered in what former NSA Director General Michael Hayden has described as the “Golden Age of SIGINT.”
The second phase emerged in the late 1990s and continued through the 2000s, producing an explosion of perpetrators. Criminals were now launching widespread, financially motivated operations against consumers and businesses. At the same time, nation-states such as China, North Korea and Iran began developing their own offensive cyber capabilities. These included traditional espionage against the government networks of their rivals and economic espionage for the benefit of their own “private” sectors, which meant targeting Western companies to steal intellectual property and trade secrets.
Today, we are fully in the midst of the third generation of cyber conflict. Revisionist and rogue powers have evolved their cyber doctrines well beyond the theft of data. They now incorporate the full range of coercive, disruptive and destructive offensive operations against critical public and private infrastructure, as well as influence operations that target the social fabric of Western societies.
In 2017, the U.S. and British governments publicly attributed the WannaCry ransomware worm to North Korea. That attack temporarily knocked out corporate and government networks in the U.S. and Europe and, ironically, spread using an exploit (EternalBlue) that had been stolen from the U.S. National Security Agency and publicly released, greatly increasing the disruptive power of the assault.
The Russians have launched wave upon wave of destructive cyberattacks against Ukrainian critical infrastructure since the start of their conflict over Crimea and Eastern Ukraine in 2014, including a cyber-induced outage of part of the electric grid in Western Ukraine for several hours in December 2015.
Famously, the U.S. and Israel have been publicly named as responsible for the Stuxnet attack on Iran's nuclear enrichment facility at Natanz, discovered in 2010. And in the last two years, we have seen significant influence operations, enabled by cyber intrusions, launched against Western elections.
What can be done to stop this out-of-control escalation? Effective solutions require action from both governments and the private sector.
Governments must begin to hold cyber adversaries to account. In the absence of effective deterrence, governments are, in effect, encouraging further innovation and boldness by our adversaries.
The good news is that attribution – identifying who is responsible – is now largely a solved problem. The capabilities of both governments and the private sector have improved to the point where the perpetrators of most intrusions can be identified swiftly, as evidenced by the fact that nearly every significant cyberattack in recent years has been publicly attributed.
Now we need to move to the second critical part of the solution: establishing reliable punitive measures against identified perpetrators, making clear that such behavior is unacceptable and will carry serious consequences. Punishment, however, should not be limited to cyber retaliation; in fact, cyber retaliation will often be the least productive response. Instead, every instrument of national power – law enforcement, diplomacy, economic sanctions and military options – should be on the table to pressure rogue regimes into compliance with acceptable norms of cyber behavior.
In the private sector, companies and individuals need to evolve their security strategies to match the threat they face. The first point to acknowledge is that it is impossible to stop every attacker from getting into a target network. Networks contain numerous exploitable vulnerabilities, and the risk is multiplied by users who will inevitably click on malicious links and attachments.
Instead of focusing solely on keeping attackers out at the perimeter, the security model must shift to speed and agility inside the network: hunting for attackers who are already present, then discovering and ejecting them before they can do harm. Technologies such as the cloud and artificial intelligence are central to making this approach efficient and effective at scale.
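To make the "hunt inside the network" model concrete, here is an added example (not code from the original article or its author) of a minimal assume-breach hunt. It runs over a constructed set of authentication events with hypothetical user and host names, flags an account that reaches an unusual number of distinct hosts within a short window (a classic lateral-movement pattern), reports how long the intruder has been active, and lists the ejection steps a responder would take first. The thresholds are illustrative and would be tuned to an environment's own baseline.

```python
"""
Added example, not from the original article: a minimal "assume breach" hunt
over constructed authentication events. Perimeter defences have already
failed in this scenario; the goal is to find the intruder's activity quickly
and decide what to cut off.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events with hypothetical users and hosts.
# Fields: timestamp,user,source_host,dest_host,result
SAMPLE_LOG = """\
2018-03-01T08:01:10,alice,WS-101,FS-01,success
2018-03-01T08:05:32,bob,WS-212,FS-01,success
2018-03-01T08:06:45,alice,WS-101,MAIL-01,success
2018-03-01T09:12:03,svc_backup,SRV-BK,FS-01,success
2018-03-01T22:14:07,bob,WS-212,WS-118,success
2018-03-01T22:14:09,bob,WS-212,WS-119,success
2018-03-01T22:14:12,bob,WS-212,WS-120,success
2018-03-01T22:14:20,bob,WS-212,WS-121,success
2018-03-01T22:14:31,bob,WS-212,DC-01,success
2018-03-01T22:15:02,bob,WS-212,DC-01,failure
2018-03-01T22:15:40,bob,WS-212,FS-02,success
2018-03-02T07:58:00,alice,WS-101,FS-01,success
"""


def parse_events(text):
    """Parse the CSV-style log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def hunt_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag each account whose successful logons reach more than max_hosts
    distinct destinations inside any window of the given length.

    An account touching many hosts in a few minutes is a common sign of an
    intruder moving laterally with stolen credentials. Returns one finding
    per user, covering the window with the widest host reach.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        best = None
        for i, first in enumerate(evs):          # slide the window start
            hosts, sources, last = set(), set(), first
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                hosts.add(e["dst"])
                sources.add(e["src"])
                last = e
            if len(hosts) > max_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"user": user, "first_seen": first["ts"], "last_seen": last["ts"],
                        "hosts": sorted(hosts), "source_hosts": sorted(sources)}
        if best:
            findings[user] = best
    return findings


def dwell_time(finding, now_iso):
    """Time the intruder has had on the network, from the first flagged logon
    to the moment of the hunt (given as an ISO-8601 timestamp)."""
    return datetime.fromisoformat(now_iso) - finding["first_seen"]


def containment_plan(finding):
    """Illustrative ejection steps: cut the credential and the foothold first,
    then sweep every host the account reached."""
    actions = [f"disable account {finding['user']}"]
    actions += [f"isolate host {h}" for h in finding["source_hosts"]]
    actions += [f"triage host {h}" for h in finding["hosts"]]
    return actions


if __name__ == "__main__":
    now = "2018-03-02T08:00:00"  # constructed time of the hunt
    for f in hunt_lateral_movement(parse_events(SAMPLE_LOG)).values():
        print(f"{f['user']}: {len(f['hosts'])} hosts in {f['last_seen'] - f['first_seen']}, "
              f"dwell {dwell_time(f, now)}")
        for a in containment_plan(f):
            print("  -", a)
```

Run stand-alone, the hunt flags `bob` for reaching six hosts in under two minutes late at night, including a domain controller, while `alice` and `svc_backup` stay under the threshold. Lowering `max_hosts` to 1 would also flag `alice`, which shows why thresholds must be baselined rather than guessed; the point of the model is to shorten dwell time without drowning responders in false positives.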
It is imperative that governments and companies take these actions before we find ourselves in a fourth generation of cyber conflict, which history suggests is unlikely to make the world any safer.