Worse will be the invisible manipulation of public opinion and election outcomes using digital tools such as targeted advertising and deep fakes—recordings and videos that can realistically be made via artificial intelligence to sound like any world leader. The great challenge for military and cybersecurity professionals is that incoming attacks are not predictable, and current strategies for prevention tend to share the flawed assumption that the rules of conventional war extend to cyberspace as well.
Moreover, these rules are not intuitive to generals versed in fighting conventional wars. Defense Department and at Microsoft over office software contracts with U. Immigration and Customs Enforcement demonstrate. That leaves only governments and properly incentivized multinational corporations to set the rules. Neither has yet provided a workable and operational definition of what constitutes a globally recognized act of war—a vital first step in seeking to prevent such transgressions.
The closest that the U. But given how quickly a cyberattack could disable critical infrastructure, expecting Congress to react in time to answer effectively is unrealistic.
In a world where partisan politics have been weaponized, a smart misinformation campaign by a foreign state that targeted only one political party might even be welcomed by other parties so long as there was plausible deniability—and with cyberattacks, attribution is rarely certain. There is also a serious risk of collateral damage in cyberoperations. Most militaries understand that they are responsible not only for targeting strikes so that they hit valid targets but also for civilian casualties caused by their actions.
Though significant collateral damage assessment occurs prior to the United States authorizing cyberoperations, there is no international agreement requiring other powers to take the same care. A major cyberattack against the United States in was a clear example of how civilians can bear the brunt of such operations. A hostile country hit a U. The conventional warfare equivalent might look like the physical destruction of a Texas oil field or an Appalachian coal mine. If such a valuable civilian resource had been intentionally destroyed by a foreign adversary, it would be considered an act of war.
In the near future, attacks like the Sony hack will not be exceptional. There are countless vulnerabilities that could result in mass casualties, and there are no agreed norms or rules to define or punish such crimes. Consider the following examples. But we can still prevent our household appliances from becoming an army of malicious computer zombies out to destroy the web. Once a week, a European aircraft manufacturer cleans all plane cockpits of Android malware.
Pilots can pass malware to the plane from their smartphones when they plug them in, which the plane while theoretically unaffected by phone-only malware then passes it on to the next pilot with a smartphone. Planes are already covered in viruses, both virtual and microbial.
In such a vulnerable environment, even an unsophisticated hack could wreak havoc. A text message sent to the phone of every in-air pilot giving them a national security warning or rerouting their planes could lead to emergency landings and widespread confusion, with more sophisticated attacks potentially leading to far more serious consequences.
Please review our terms of service to complete your newsletter subscription.
Aviation is not the only vulnerable sector. The U. Small hospitals often cannot afford to replace their medical equipment on a regular schedule, and device providers may deprioritize or block security patches or upgrades in order to sell updated devices in the next round of production. The medical device industry focuses more on performance and patient health outcomes than on keeping a cyberadversary at bay. A cyberattack on hospitals using robotic surgical devices could cause them to malfunction while in use, resulting in fatal injuries.
If a country or terrorist group decided to take out a sitting U. Nor do there appear to be clear protocols for retaliation. There are less direct potential vectors of attack, too. Recently, a cold storage facility for embryos in Cleveland failed to notice that a remotely accessible alarm on its holding tanks had been turned off, leading to the loss of more than 4, frozen eggs and embryos. Many operators of industrial control systems never bother to change all their default passwords or security credentials, which can leave them vulnerable to ransomware attacks, and even fewer health care officials are likely to assume that someone might deliberately shut off sensors that monitor the viability of future human life.
It is difficult to determine whether the Cleveland eggs and embryos were lost due to a simple maintenance failure or deliberate tampering—but as techniques such as the freezing of eggs become more common in wealthy nations, such a simple attack could wipe out thousands of future citizens. The two acts are equally heinous on a moral level.
The uncertainty in attribution and the lack of an easily identified villain may make the latter seem the province of science fiction.
What is cyberwar? Everything you need to know about the frightening future of digital conflict
But it is not. Cyberattacks—some egregious, some mundane—are happening now, quietly and unnoticed by the public. Much of the confusion and fear over cybersecurity comes from the distorted publicity surrounding a few outlying events. The risk of cyberattacks is knowable, probabilistically. Technology and cyberspace are changing faster than countries can legislate internally and negotiate externally. Part of the problem with defining and evaluating acts of cyberwarfare against the United States is that U. The legal status of most information security research in the United States therefore remains unclear, as it is governed by the poorly drafted and arbitrarily enforced Computer Fraud and Abuse Act CFAA —a piece of legislation that was roundly derided by tech experts on its inception and has only grown more unpopular since.
The law creates unnecessary fear that simple and useful information security research methods could be maliciously prosecuted. These methods include network scanning using tools such as Nmap a computer network discovery and mapping tool or Shodan a search engine for devices on the internet of things to find unsecured points of access to systems. One of the fastest fixes for the dismal state of federal cybersecurity expertise would be to overturn the CFAA and reward cybersecurity researchers engaged in preventive research instead of tying their hands with fears of breaking the law.
Yet at present the U. This dynamic has left the U.
The United States simply lacks a viable legislative plan for hardening its infrastructure against cyberattacks and developing much-needed cybertalent. Any strong defense against cyberattacks should follow the same principles used for basic U. For example, the interstate highway system in the United States, authorized in to enable rapid military transport of troops and supplies, also had much broader civilian benefits.
- 90s in the shade;
- Cyberwar and Information Warfare [Book]?
- Security Education and Critical Infrastructures: IFIP TC11 / WG11.8 Third Annual World Conference on Information Security Education (WISE3) June 26–28, 2003, Monterey, California, USA!
- Stay ahead with the world's most comprehensive technology and business learning platform.!
- Why the world desperately needs digital Geneva Conventions.?
- Navigation Bar.
- Why the world desperately needs digital Geneva Conventions..
Now, through neglect, roads in the United States are riddled with potholes, widening cracks, and crumbling asphalt; thousands of deaths on U. Yet potholes are the most boring problem imaginable for a policymaker. By contrast, whenever a bridge collapses, it grabs headlines—even though a comparatively small number of people per year die from bridge catastrophes.
Incident response is appealing; it lets policymakers show their leadership chops in front of cameras, smoke, and sirens. The drudgery of repairing underlying problems and preventing the disasters in the first place takes a back seat.
What do you think is the most blatant act of cyberwarfare to have occurred so far?
This is dull but essential policy work, and the same goes for technology infrastructure. Cybersecurity should be akin to a routine vaccine, a line item in the infrastructure budget like highway maintenance. Basic cybersecurity measures—such as upgrades to encryption, testing the capability of recovery in the event of data loss, and routine audits for appropriate user access—should be built into every organizational budget. When incidents happen—and they will happen as surely as bridges collapse—they should be examined by competent auditors and incident responders with regulatory authority, just as major incidents involving airlines are handled by the National Transportation Safety Board NTSB.
War Books: Cybersecurity and Information Warfare - Modern War Institute
If the U. Responding to major cyberattacks requires battalions of highly trained government analysts, not armies of accountants and attorneys. Yet the White House, under President Donald Trump, has failed to fill or has outright eliminated almost every major cybersecurity position.
There are a few brilliant holdouts bravely providing solid advice on information security and best practices. The government agency 18F and the United States Digital Service are both doing valuable work but receive far smaller budgets than they deserve. But cybertalent is draining faster than it is being replaced at the highest levels.
The challenge for policymakers is the same as it ever was: Improving lowest-common denominator infrastructure in cybersecurity makes for the most effective defense against ill-intentioned adversaries. Intelligence, the First Defense? Cyberconflict: Stakes of Power, Daniel Ventre. Special Territories, Daniel Ventre. He is the author of a number of articles and works, in France and abroad, on the themes of cyberwar, information warfare, cyberconflict, cybersecurity and cyberdefense.
Cyberwar and Information Warfare.