Ensuring peace in the age of cyber operations

Admiral Dennis Blair

Publications Ensuring peace in the age of cyber operations

Policymakers, business leaders and security researchers came together from November 7 to 8 to examine the realities of our hyper-connected world, including cyber issues and their implications for the future of the global economy.

Admiral Dennis Blair, Chairman and CEO of Sasakawa USA, guided that conversation at The “Cyber3 Conference Okinawa 2015 — Crafting Security in a Less Secure World” as chair of the Cyber Security track of the conference.

Here’s a look at his remarks:

Remarks by Admiral Dennis Blair

November 7, 2015

The subject of this panel is the major issue of cyber operations and national security. What is the effect of networks on the conduct of military operations, on the deterrence of war, and on the conduct of intelligence operations? These major areas of national security activity all have been profoundly affected by the increasing use of information networks in the economies, the governments, the armed forces and the intelligence services of nation states.

I would like to offer a few thoughts on the difficulty of these questions, to set a framework for our panel’s discussions.

One national security definition of cyber is that it is a domain of conflict in which nation states define national interests, protect assets, conduct espionage, and wage war.

However, this understanding does not get us very far, since we fortunately do not have experience of large-scale cyber operations in major conflicts, and analogies of other weapons systems for cyber are not good matches.

There are superficial similarities between weapons of mass destruction and cyber operations… However, large-scale cyber infrastructure attacks do not have the immediate direct, damaging and irreversible effect on humans and structures or equipment of nuclear and chemical weapons, and their long-term effects are very different.

Admiral Dennis Blair

For example, there are superficial similarities between weapons of mass destruction and cyber operations. In theory, large-scale cyber attacks against the computer-controlled key infrastructure of a country – electrical power grids, financial systems, air traffic control systems – could cause societal devastation and damage to military capabilities comparable to a nuclear, chemical or biological attack. By this rationale, large-scale cyber attacks by one nation-state against another can be deterred by the threat of cyber retaliation.

However, large-scale cyber infrastructure attacks do not have the immediate direct, damaging and irreversible effect on humans and structures or equipment of nuclear and chemical weapons, and their long-term effects are very different from nuclear radiation sickness or biological epidemics. Cyber attacks can damage or alter the control systems of infrastructure systems, and thereby cause power plants to shut down, electrical grids to malfunction, air traffic control pictures to degrade, or banking transactions to fail to be transmitted. At the scale of major attacks, however, the total effect is very uncertain. Not all control systems are the same in all power plants and banking systems. They are in various stages of updating and replacement, and various forms of viruses and other malware may be more or less effective in individual instances. Computer-controlled systems have fallback systems of various kinds. Even with a complete loss of an air traffic control system, aircraft pilots can find their ways to airports and land safely, for example. It is possible that a large-scale cyber attack might be much less effective than intended by an attacker; however, it is also possible that it might be much more effective.

In summary, large-scale infrastructure cyber attacks do not have the certainty of destruction of large-scale WMD attacks. Therefore, deterrence theories cannot be formed by strict analogy from WMD deterrence theory.

There is another very important distinction between weapons of mass destruction and cyber attacks.

Countries with nuclear weapons have chosen to terminate conflicts with defeat, or without victory, rather than using nuclear weapons of any size.

Admiral Dennis Blair

Since they were invented, smaller nuclear weapons – so-called tactical nuclear weapons – have never been used, even though countries that had these weapons have fought many wars. In fact, countries with nuclear weapons have chosen to terminate conflicts with defeat, or without victory, rather than using nuclear weapons of any size. The United States declined French requests to use nuclear weapons against North Vietnam to save it from defeat, and decided not to use them itself against North Vietnam, as it had chosen not to do in Korea. The Soviet Union did not use nuclear weapons before withdrawing from Afghanistan. Pakistan and India fought a small war in Kargil without using their weapons that had been tested the year before. In all these cases, the nuclear threshold for first use has proved to be very high – nation states generally believe that even a single nuclear attack is disproportionate or dangerous in a wide range of conflict situations.

In contrast, there already have been many cyber attacks – both small scale and larger – by nation states against important targets in other states. Russian hackers have attacked Georgia and Estonian networks, causing economic damage. North Korean government hackers have attacked Sony corporation. Hackers with the sophistication generally found only at the nation-state level have made an attack against Iranian uranium enrichment plants, and against Saudi oil production facilities. Apparently nation states believe they can make a limited cyber attack, either for demonstration purposes, or to cause limited damage, without fear of escalating retaliation. So the threshold between limited cyber attacks that are not estimated to risk escalation, and those that will trigger escalation is not established.

If cyber attacks are not like nuclear attacks, neither are they just like conventional weapon attacks.

For example, much of the law of armed conflict has to do with the distinction between attacks on military targets and on civilian non-combatants. Although in the unlimited warfare of the Second World War, there were large-scale attacks against civilians by all major combatant nations. Both before and after that conflict, the concept of proportionality has been generally accepted by most nations. Under this concept, nations do not attack civilians as primary targets, and they are judicious and careful in the civilian deaths and damage done as a result of attacks on military targets. Conversely, combatants do not use civilians and civilian systems to shield military operations.

Communications systems in virtually all major countries carry both military and civilian information, and it is almost impossible to attack military communications without damaging the civilian communications on the same fiber optic cable or satellite.

Admiral Dennis Blair

Dual-use – military and civilian – networks and other digital systems make the concept of proportionality very difficult to apply in cyber warfare. For example, communications systems in virtually all major countries carry both military and civilian information, and it is almost impossible to attack military communications without damaging the civilian communications on the same fiber optic cable or satellite. Position, Navigation and Timing Systems like the Global Positioning System, or Galileo, or GLONASS or Beidou, are used by civilian and military systems, and interfering with or destroying them will affect civil and military users alike. Small nation states and even non-states can use civil commercial systems such as communications networks, reconnaissance systems, and even weapons delivery systems like drones or robots, in attacks on either military or civilian targets of more powerful nations. They can also conduct information warfare, or propaganda, using the worldwide web or social media.

So cyber systems and cyber attacks are not just like conventional weapons systems and attacks. They are dual use – military and civilian – to a far greater extent than are conventional military weapons and systems, and therefore resistant to the principle of proportionality in civilian damage from military attacks.

If cyber attacks are not like weapons of mass destruction, and are not like conventional weapons, how can we apply accepted laws of warfare such as deterrence, or proportionality to them?

Let us turn to cyber espionage, which further complicates the search for accepted practices or rules of the road.

Because national security organizations, other government organizations, businesses and other civilian organizations are storing and communicating their information on digital networks, they becoming the most important targets for espionage, both by nation states and by criminal organizations.

Intelligence organizations of all countries are developing capabilities to penetrate the networks to gather intelligence on the full range of subjects in which their governments are interested – military capabilities, leadership intentions, economic strength, identity of individuals of interest. Some countries classify economic development as a national security concern and support their own companies by conducting espionage against commercial companies in other countries.

Espionage is the second-oldest profession, and spying is nothing new. However, cyber espionage is different – penetration of adversary networks is the most difficult stage of the sequence of actions in cyber attacks. Once a hacker has gained a concealed position inside the network of a SCADA system, the rest of the steps of launching a cyber attack to disable or destroy that system are relatively straightforward.

So, cyber penetrations are made both for the purposes of gathering intelligence, and for the purposes of the military function of battlefield preparation.

Cyber espionage can be destabilizing – leading an adversary to think that a cyber attack is imminent, perhaps triggering a preemptive attack, and beginning a cyber conflict that neither side intended.

Admiral Dennis Blair

Therefore, cyber espionage can be destabilizing – leading an adversary to think that a cyber attack is imminent, perhaps triggering a preemptive attack, and beginning a cyber conflict that neither side intended.

***

With all this uncertainty in the relationship between cyber activities and armed aggression, is there any hope for reducing the chances of miscalculation, for ensuring that war does not break out between countries as the result of misinterpretation of the activities of an adversary?

Can we ensure that in the cyber age, countries only go to war because they intend to, not because they took actions that triggered an escalatory cycle that resulted in conflict that neither side intended?

In our panel, we will discuss these issues, and some of the ways in which more certainty can be introduced into cyber operations.

For nuclear weapons, the United States and the Soviet Union introduced what was called the chill certainty of deterrence through protracted and detailed arms control negotiations.

There are examples of less formal understandings that have been worked out between countries. For example, during the Cold War it was understood by both sides that attacks on the intelligence and reconnaissance systems used by both sides to detect nuclear attacks were destabilizing, even though there was never a formal treaty to that effect.

Are there any prospects, either formally negotiated, or informally understood, for creating common understandings of the use of cyber attacks for both espionage and attacks? If our panel this morning can provide some concepts that help us to grapple with this question, it will have made a major contribution.

For more information on the Cyber3 conference, read the Executive Summary of the discussion. In advance of the conference, Blair additionally spoke at the U.S. Embassy in Tokyo at a Cyber Security roundtable. Read those remarks here.

2024 Sasakawa USA | Privacy Policy | Sitemap

Custom WordPress Design, Development & Digital Marketing by time4design