At the G20 Summit on Tuesday, President Obama said he had been talking to other heads of state about cybersecurity and avoiding a potential cyber arms race, but experts say it may be too late.
President Obama said nations should focus more on the dangers of non-state actors rather than repeating the mistakes of the Cold War in cyberspace. However, President Obama also began his comments by claiming the U.S. has more cyber "capacity than any other country, both offensively and defensively."
Experts said comments like this and the constant attribution of cyberattacks to countries like Russia and China are proof that the cyber arms race has already begun.
Michael Patterson, CEO at Plixer, said the cyber arms race is close to 10 years old at this point.
"The cyber arms race is on and has probably been accelerating since before the 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey that is thought to have been perpetrated by the Russians," Patterson told SearchSecurity, although the attribution of that attack to Russia has since come under question. "It was the United States and Israel that launched the Stuxnet attack in 2010 against Iran. Everyone better believe that the race is on and has been for a while."
Dwayne Melancon, vice president of products at Tripwire, said it is unlikely that a cyber arms race would develop into a cyber-Cold War simply because nations won't hesitate to use their cyberweapons.
"If this truly becomes a cyber arms race akin to the nuclear arms race that would mean nations would develop weapons, use them to threaten other nations, and almost never use them to attack. However, I don't think that is what will happen with cyber arms -- I think they'll be used anyway," Melancon told SearchSecurity. "After all, the perceived consequence and damage seems much less outrageous when you think of cyber arms, at least at face value. Of course, cyber security researchers know that cyber weapons could cause death, destruction and chaos if deployed against critical infrastructure, systems affecting public safety, and so forth."
From cyber arms race to cyber-Cold War
John Dickson, former U.S. Air Force CERT and principal of Denim Group Ltd., based in San Antonio, said he thinks we're already in a cyber-Cold War -- though he would like a better term for it -- and to the point where a cyberattack could prompt a physical response, which pushes the need for more accurate cyber attribution.
"I'm not sure we've seen a case to date where physical destruction caused by a cyberattack was serious enough where a nation state would seriously consider striking back with what the military calls a 'kinetic' attack, or via conventional warfare," Dickson told SearchSecurity. "I suspect that will likely happen at some point, which is when incorrect attribution will really be substantially more critical. If terrorists or nation states brought down an airliner or opened up a dam causing downstream death and destruction, there would likely be pressure to retaliate in the physical realm with military force. If we, or another nation state, misread attribution, the results could be potentially devastating and could escalate to a much larger military conflict."
Brian NeSmith, the CEO at Arctic Wolf Networks, Inc., said there is no such thing as a cyber-Cold War.
"In preparation for a cyberwar, nations would be penetrating an adversarial nation's critical infrastructure and planting cyber-nuclear bombs," NeSmith said. "In a cyberwar, the 'invasion' would occur way in advance of the actual attack, and there would likely be no time to mount a defense before critical infrastructure is destroyed and real lives lost."
Jonathan Sander, vice president of product strategy at Lieberman Software, said the steps toward a cyber-Cold War may have already begun.
"One could say that the separation likely to result from a cyber-Cold War has already begun in the form of the 'Great Firewall of China,'" Sander told SearchSecurity. "The Chinese attempt to sever its cyber ties has many analogs to the USSR's iron curtain -- complete with resistance fighters, defections (both information and people), and espionage bringing things through the wall now and then."
Sander added that it may be impossible to imagine the political aspects of a cyber-Cold War, but the social impacts are easier to imagine.
"During the first Cold War, we saw some of the greatest physicists in the world stuck on [the] opposing side of an iron curtain. Science thrives on collaboration, and separation can be devastating to overall progress," Sander said. "With some of the greatest minds in computer science spread throughout all of the major players, and bitter rivals, that would be on sides of this cyber-Cold War, the chilling effects on overall progress may be a predictable outcome."
John Bambenek, manager of threat systems at Fidelis Cybersecurity, said a cyber-Cold War could be advantageous because it would force people to prepare for cyberattacks.
"In a cyber-Cold War scenario we would be spending real time and effort in securing our systems and educating the public in the very simple things they can do to protect themselves -- patching systems, avoiding phishing," Bambenek told SearchSecurity. "The hacking of the Illinois State Board of Elections, for instance, could have been prevented by the most basic SQL injection prevention techniques. What we have now is open conflict and the time for preparation is over."
The risks of faulty cyber attribution
Cyber attribution methods recently came under fire after confusion as to who was responsible for the DNC hack, with some experts saying cyber attribution was an impossible task, while others said the key was in human intelligence gathering and not focusing too much on technical evidence, which can be spoofed.
Melancon said the cyber arms race "is a perilous path for nations to walk -- and the error-prone nature of attribution makes it even more perilous" because cyber attribution is "extremely hit or miss."
"It is unlikely you'll know exactly who the perpetrators are unless they are careless, not very good, or really want you to know they did it," Melancon said. "Often, security investigators arrive at conclusions like, 'I really think so-and-so did it,' but most of the time the evidence is insufficient to know for sure."
Patterson said being accurate with cyber attribution is currently difficult and may even be an "impossible task."
"Attackers often bounce from one country to the next before launching an attack. Hackers purposely put comments in their code to imply a different language other than their native tongue," Patterson said. "No one wants to get caught and cybercrime makes it relatively easy to cover your tracks."
Dickson said the only way to truly confirm cyber attribution as accurate would be to reveal "certain intelligence collection sources and methods to do so."
"Recall that during the Cuban Missile Crisis -- the U.S., at the United Nations Security Council, revealed compelling photo reconnaissance evidence that the Soviet Union had deployed certain ballistic missiles in Cuba. The downside of providing this evidence was that it provided certain adversaries insight into our national photographic intelligence collection capabilities," Dickson said. "If the United States were really interested in blaming the Russians or Chinese on a particular intrusion, they would risk revealing certain intelligence sharing relationships, national capabilities, and overall context that would provide more insight for subsequent attackers."
Sander said the Cold War shows a "perfect example" of what the cyber-Cold War could bring if there was an incorrect attribution.
"In 1979, NORAD nearly reacted with deadly force to a software glitch that, a bit too much like the movie War Games, mistook a simulation for a real attack," Sander said. "If an attribution makes the powers-that-be think it's an enemy attack and not some bad guys doing cybercrime, then they may go a step further than they did in 1979 and hit the big red button. One hopes that in a cyberwar the red button means letting loose cyber weapons and not nuclear devastation. But it's also good to remember that cyber systems control all our power, water, heating, and even nuclear facilities today."
Sander said even if cyber attribution could accurately identify who performed the attack, that doesn't necessarily translate to knowing if the attacker was hired by someone else.
"Pinning down the attribution of cyberattacks so you know exactly who is behind them is much more art than science right now. And often it's the art of politics," Sander said. "The trouble is that even if you get the technology parts of attribution perfectly, which is a massive challenge, you may still not know who was behind the attack. The bad guys often call in cyber contractors. If you can somehow manage to get past all the evasion and misdirection of professional cyber criminals, then you have only found the fingers on the keyboard not the mastermind."
NeSmith said, "Incorrect attribution is like pronouncing someone guilty when in fact they are innocent. It can only lead to ill will and get in the way of what's really needed, which is a productive dialogue, collaboration and a common set of rules everybody will follow."