The hacking-cyberwar continuum

97% of all organizations have been the victims of hacking from cyber criminals

In my last blog, I stated that over 90% of organizations have no protection against the kind of targeted attacks experienced by Sony in recent months. In fact, over 97% of all organizations have been the victims of hacking from cyber criminals and other actors, some of them directed by foreign governments.

A recent study by Symantec Norton Security found that financial losses associated with Cybercrime are at $390 billion a year, at the same level as the illegal drug trade.

Some necessary distinctions

There is a Hacking-Cyberwar Continuum comprised of varied, generally overlapping activities perpetrated by actors having distinctly different motives. At a macro level, entire nation states and regional entities are possible targets of a kind of hacking that escalates into cyberwar, potentially inflicting damage, including mass casualties–that could even exceed conventional war. Consider, for example, how a months-long power grid failure triggered by a cyber attack would cut off food and water supplies, etc. Even without significant damage to infrastructure, cyberwar could have devastating impact on the level of trust required in open, democratic societies.

Very concerning is the fact that “the costs for non-state entities (of launching attacks) in cyberspace compared to land, sea, and air, are nil (because) in cyberspace, every computer is a point on a border.” (Nye, 2011). –Fortunately, to date, there have been no known incidents of Cyberterrorism–in which individuals have experienced actual physical harm.

To help clarify the mind-numbing complexity of these related threats, Internet security gurus have proposed some definitions:
  • No Major Cyberwar has yet occurred. If/when it does happen the most likely cyber war scenario would be the initiation of a series of cyber attacks against a foreign state as a precursor/accompaniment to actual conventional military action. This is how the Russian-Georgian War of 2008 played out.
  • However, nation state sponsored Cyber Espionage has been going on for years, most notably the ongoing, long-standing Chinese cyber theft of U.S. private and public intellectual property.
  • Because of ongoing cyber espionage and the ever-present threat of cyberwar, we have entered into an era of Cyber Cold War in which nations are continually building up both defensive and offensive cyber systems.
  • At least one incident of Cybersabotage has occurred. By far the most significant publicized cyber attack thus far was the 2010 U.S.-Israeli Stuxnet worm attack that reportedly destroyed one fifth of Iran’s nuclear centrifuges, setting back that country’s nuclear program months, perhaps years.
  • What some have called Cyberterrorism is probably better described as Cybervandalism, e.g., the Syrian Electronic Army’s hijacking of Twitter accounts or the Izz ad-Din Qassam Cyber Brigades’ denial of service attacks on American bank websites. Such attacks hold little chance of physically injuring anyone.
  • Finally, Hacktivism is carried out by individuals and/or small networks of hackers motivated by social and political reform. It underscores the power that ordinary individuals have for good or bad, depending on your perspective. Examples are the events surrounding the WikiLeaks controversy and the use of social media in the Arab Spring. All such activities are the work of

In my next blog, I’ll present arguments pro and con from experts about the likelihood of Cyberwar and exponentially more damaging Cybersabotage in the future.

How likely is a major cyber war?

So far I distinguished between Cyberwar, Cyber Espionage, Cyber Cold War, Cyber Sabotage/Vandalism and Cyber Hacktivism. All are familiar to us by now, though fortunately we haven’t yet experienced a major Cyberwar.

That said, there’s no discounting the state-sponsored damage that can result from cyber vandalism as with the recent attacks on Sony, apparently spearheaded by North Korea and/or its proxies.

  • Not receiving as much attention, but more serious, have been subvert, aggressive Russian cyber incursions into U.S. public and private domains that increased dramatically before and after their annexation of Crimea and ensuing Western sanctions. Case in point: Russian hackers (with probable links to the Russian government) attacked JP Morgan late last year, compromising 83 million accounts (USA Today, October 7, 2014). Now, with oil prices continuing to fall and other, mounting domestic pressures, several experts are pointing to Putin as the most likely ‘cyber loose cannon’ of 2015.

How likely is a major cyber war?

The Big Picture

Major Cyberwar scenarios range from disruptive to devastating, the latter including mass casualties that would result from the disruption of food and water supplies. On the disruptive end of the continuum, the Russian-Georgian War invasion of 2008 underscored the inevitability of Distributed Denial of Service (DDoS) attacks of ANY future military action between nations. A more recent example: in 2014, Russian forces cut telephone and Internet links to the Ukrainian mainland as they seized control of the Crimean Peninsula.

  • While most likely future Cyberwar scenarios encompass that and other communications disruptions, they don’t include a complete destruction of an enemy’s information technology because of the assumed need to maintain critical intelligence on an enemy’s ongoing military decision-making process.
  • In reality, there’s no way to predict whether a full-fledged Cyberwar will occur in the future. The complexity of digital offensive and defensive capabilities of different nations are classified and simply too complex even for insiders to fully grasp.
  • Finally, there’s no way to know how a future Cyberwar would unfold sequentially, let alone its outcome.

Possible triggers for a major cyber war–

The overriding concern is that Cyberwarfare is easy to start, making them more likely than conventional wars.

Why so?
  • First, because cyberwarfare is asymmetric, i.e., cheap, it may encourage weaker states into conflict with bigger, stronger states.
  • Second, since the source of cyberattacks is difficult to identify, actors may believe they won’t experience retaliation, encouraging them to be more aggressive than in conventional war scenarios.
  • Third, because it’s so hard to defend against cyberattacks, many states may be encouraged to attack preemptively.
  • Finally, since cyber offensive and defensive capabilities are surrounded by secrecy and great uncertainty, cyber arms control agreements would be hard to implement.

Next, I’ll describe standard arguments against the eventuality of Cyberwar.

While a full-scale cyberwar is always possible, many experts argue that it seems unlikely

Full-scale cyberwar

So far, no act of cyber incursion/aggression has yet filled all of Carl von Clausewitz’s classic criteria for war as “violent, instrumental, and political.” While a full-scale cyberwar matching this definition is always possible, many experts argue that it seems unlikely–for reasons I’ll explore at the end of this blog post.

Cyberwar scenarios

    • Scenario 1: Coordinated cyberattacks shut down important websites of an enemy nation as part of a series of Denial of Service and other, coordinated incursions.This has already happened. In fact, the first incident of this kind was a Russian cyberattack on Estonia during a three-week period in 2007 following Estonian removal of the statue of a WW II Soviet soldier. Government, political, bank, and major newspaper websites were all shut down.
    • Scenario 2: Hackers access and degrade an enemy’s military systems, crippling its conventional combat and offensive cyber system capabilities. Military systems, including GPS, for example, are inevitable targets in this scenario. Such attacks, in most cases, would be precursors to full-scale conventional war, and most probably coordinated with the following–
    • Scenario 3: Most concerning to policy makers is the possibility of a series of concerted attacks in which hackers destroy or degrade a nation’s critical infrastructure, including its power grid, financial systems, and/or transportation networks (e.g., triggering trail derailments), knocking systems offline for weeks, perhaps many months.Such an attack would result in the deaths of thousands, perhaps millions, of civilians.

Factors making major cyberwar less likely

While the last two of these scenarios are ‘scary-apocalyptic,’ a number of experts argue that full scale Cyberwar is less likely than many of us have feared–

    • First, outcomes of such major cyberattacks are highly uncertain–with potential devastating blowback to the perpetrator(s)/aggressor(s), even for advanced, sophisticated hypothetical aggressors like the U.S. and China. Bottom line: any nation state, large or small, has precise agendas and vital interests—that would be seriously jeopardized after launching such attacks. This dynamic is loosely parallel to the ‘balance of terror’ that has helped prevent nuclear war since the late 1940s.
    • Second, political cyberattacks will most likely continue to be ‘Cyber Cold War’ activities like subversion, sabotage (e.g., Stuxnet) and espionage (e.g., the theft of intellectual property).”
    • Third, though cyberwarfare seems asymmetrical (with weaker nations able to inflict serious damage on stronger nations), advanced cyberweapons are, in fact, costly to develop and hard to obtain from third parties. To date, weak actors do NOT seem capable of mounting the kind of protracted cyberattacks that could cripple the infrastructure of well-defended systems.
    • Fourth, offensive cyberattacks by weaker states make sense only in the unlikely event that their digital capabilities are backed by significant conventional and/or nuclear weapons. Otherwise, they could easily be decimated by the conventional military response of the stronger state. North Korea is a possible exception. Bottom line: cyberwarfare is unlikely to provide any significant advantages to nations that are unwilling or unable to engage in a coordinated conventional war.
    • Fifth, even the most hostile, strident actors (e.g., North Korea) have too much at stake to engage in a costly cyberwar if they can find other, cheaper ways to resolve conflicts.
    • Sixth, wars are primarily about achieving concrete objectives—and it’s impossible to do that without claiming responsibility for the damage caused to an enemy’s property. At the same time, any government claiming responsibility for such attacks would then be highly vulnerable to devastating counterattack (if not already identified as the perpetrator).
    • Finally, no terrorist group has yet had success disrupting target civilian or military infrastructures. Why? For a group like al-Qaida, or even the state-like entity of ISIS, such capabilities are not only costly, but difficult to implement, making newsworthy damage unlikely. In addition, cyberattacks lack the necessary spectacle of public theater terror, such as detonating a bomb in a busy public square. —That said, I, for one, believe that this is a long-term threat that needs to be monitored carefully.