Playing with fire: Global offensive cyber operations
In late September, and in unison with the United Nations General Assembly’s General Debate, 27 countries signed an agreement on Advancing Responsible State Behavior in Cyberspace. A joint statement on the agreement states that offensive cyber measures are being used by malicious actors to “target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them.”
This long-overdue document attempts to outline what is acceptable — and what is not — in cyberspace, and mentions that there will be consequences for behavior deemed unacceptable. However, specifics regarding what these repercussions might look like are absent.
Russia and China, who are frequently accused of “bad behavior” — like influencing political elections and stealing valuable intellectual property — did not sign the agreement.
Hopefully this agreement serves as a much-needed wakeup call. Cyber warfare is already here, and a few organizations have unfortunately suffered the crippling consequences.
While these attacks are happening on a small scale, they could quickly rise to a widespread problem if a nation-state so chooses. Just as individuals often fail to consider the consequences of their behavior online, nation-states — including the U.S. — are operating in cyberspace without any serious deliberation regarding potential outcomes.
Escalating maneuvers between adversaries are part of a growing trend of state-backed offensive cyber operations. Joint Chiefs chairman nominee Gen. Mark Milley emphasized this point when addressing the Senate Armed Services Committee, saying, “good offense is critical, and that is the best defense.” However, these once seldom-deployed strategies need to be de-escalated before it’s too late, because the possible catastrophic outcomes of a retaliation are not being considered.
Offensive efforts are designed to demonstrate a strong presence on the global stage, showing adversaries that there are consequences for unfavorable geopolitical decisions. It is a warning shot that the offensive government is capable of exploiting other countries’ systems.
But cyber attacks take place in a lawless battlefield. With cyber warfare, the rules of the road are less defined. Further, there is a lack of appreciation for the power of offensive cyber tools and their ability to have cataclysmic ramifications.
The current state of offensive cyber operations across the globe continues to escalate to new and dangerous points every day as attacks become more sophisticated and as nations race to keep pace with their peers. Unrestricted, governments will continue building their cyber arsenals and increasing the severity of their attacks — igniting a cyber-arms race akin to the Cuban Missile Crisis.
For the U.S., going on the offensive might deter some attacks, but the outcome of these operations could have unintended consequences. For example, hacking into a power plant in Russia so it can be shut off if conflict arises between the two countries may appear to be an effective deterrent, but deployment may cause collateral damage and impact blameless civilians. Further, infiltrating another country’s critical infrastructure would go against the newly signed agreement, or worse, prompt our adversaries to infiltrate our critical infrastructure.
Alternatively, what happens when Russia responds? Are U.S. organizations — private entities — caught in the crossfire and losing their valuable data because of their government’s actions? The U.S. needs to consider the potential blowback from its offensive decisions in cyberspace, something it is currently failing to do.
Attacks against companies or individuals often target sensitive data for monetary gain, but offensive cyber measures by nation-states are designed for disruption, damage and sometimes destruction. Retaliation could target civilian systems, sending a strong message with a significant impact, and put the attacking nation at risk of facing penalties for its actions based on the new agreement. These tactics also increase the risks of offline retaliation using military weapons.
Tests of strength during the Cold War era hinged on the development of weapons of mass destruction. But today, countries like North Korea and Iran can conduct offensive cyber operations with few obstacles — and sanctions have done little to stop them. The ideal response to an offensive cyber attack must mitigate the risk of escalation. What this looks like has yet to be determined — but it should underpin any strategic countermeasures adopted by the U.S. in cyberwarfare.
Arms control agreements between nuclear superpowers have helped stymie escalation. However, monitoring something physical, like nuclear weapons or even the materials required to make them, is much simpler than knowing what cyber weapons a nation possesses, recognizing who is responsible for the attack, or confirming that additional offensive cyber capabilities are not being developed.
The Cuban Missile Crisis thankfully ended without any nuclear weapons being launched, and a global disaster was avoided. However, at any moment we could face a nationwide cyber attack with unprecedented — and many unintended — consequences.
Anthony J. Ferrante is the Global Head of Cybersecurity at FTI Consulting. He previously served as Director for Cyber Incident Response at the U.S. National Security Council at the White House. The views expressed here are his own and not necessarily those of FTI Consulting, its management, subsidiaries, affiliates or any of its other professionals.