Prof François Heisbourg, Chairman of the IISS
Ladies and gentlemen, I now open our concluding session of this Global Strategic Review. The topic is cyberpower and security. It is a particularly interesting topic in intellectual terms. It is difficult, complicated, fast‑moving and exciting. It is also a very important topic. We are heavily dependent on the cybersphere. I was having a discussion yesterday with Martin Libicki, and the figure arose that, in sub‑Saharan Africa, which has not yet entered its own decade to use Celso Amorim’s words, one person out of three has a cell phone. Most of those cell phones are already being used for practical applications like retail banking, with countries like Bangladesh, India, Nigeria and Senegal being in the lead as compared to North America or Europe. This is also an area where the traditional divides between the haves and the have‑nots are entirely different from what they are in other spheres. The entry barriers of IT are not those of traditional infrastructure, and this creates its own particular challenge in the way we think about the relationship between the cybersphere – ‘cyberpower’, as we have styled it here – and strategy.
To deal with these topics, we are very fortunate in having Martin Libicki, who is a mathematician. He has been to just about everywhere – the Massachusetts Institute of Technology, and the University of California at Berkeley. He has a PhD in economics, not just simply in mathematics. He has been working at the RAND Corporation for a number of years now, which has worked very hard on this topic, notably as part of its multi‑decade‑long Project AIR FORCE, with the specific objective of adapting the US Air Force to cyber warfare and cyber security. Martin has also worked for 12 years at the National Defense University. I simply demonstrate that he is not a prisoner of a single service.
He has also been working on the Navy staff. He is extremely well qualified to give us a broad spectrum view of how to think about these issues.
Heli Tiirmaa-Klaar is a pure post‑Soviet person, if I could put it that way. She did her university training very shortly after independence came back to the Baltic States and to Estonia in particular. She is also a multi‑faceted person in terms of her university background, since she has studied political economy, economics, international relations and security policy. That gives her the same sort of equipment as Martin Libicki. She has also worked over the years within the Estonian Ministry of Defence. When one thinks about powerhouses, one does not tend to think about Estonia automatically, and yet we also know that Estonia is a country that was most spectacularly subjected to an apparently well organised cyber attack in 2006. This was in a society that was more wired than most in those days, and obviously still is. She will also be speaking from direct experience.
Dr Martin Libicki, Senior Management Scientist, RAND Corporation
Thank you for inviting me to this conference and thank you for introducing the topic of cyberpower to these deliberations. People talk about cyberspace as the fifth medium of warfare. I want to take a minute to think about that. If you have a suitably equipped ground force, it could probably blow up my home. If you have a suitably equipped naval force, you could probably blow up my home. The same is true for an air force and, treaties notwithstanding, is probably for a space force. If you have a suitably equivalent cyber force, can you blow up my home? That sounds a little absurd. In that sense, we can already see how cyberpower is a lot different from power in other media. In fact, if you make a few assumptions, it is not entirely impossible.
Imagine, for instance, that the heating system of my house is digitally controlled. It in fact has errors in it that allows software to cause a hardware fault. Assume that the heating system of my house is connected to the internet, and in an insecure fashion. Then I suppose it is theoretically possible to imagine a chain of events under which a cyberpower can, like the other four media, blow up my house. Notice what a lot of assumptions we make about the nature of my house before I can conclude that that is possible.
I want to start with an observation: cyber crime, cyber war and cyber espionage are all possible because, but only because, systems that we rely on have faults in them and are connected in ways that are perhaps too promiscuous, so that unauthorised people can give instructions to our systems. That sets an essential difference between conflict or crime in cyberspace and in all other media. If you talk about the birth of the atomic age, it is not the same as the birth of atoms. In fact, it is the birth of the insight that you could use atoms to create a great deal of destructive power. If you talk about the age of cyberpower, you talk about the birth of networks, of targets and systems that allow this to happen to you. In that sense, cyberpower is different.
We have a tendency, whenever we look at political strategic affairs in the media, to take a look at what has come before. What are the old rules of warfare and politics, and how do they apply? We have a fifth medium, so we will take our old rules and walk them over. You cannot do that with cyberspace. You have to think about it from its principles. I want to define some of these principles.
I mentioned entering systems. What can you do when you are there? Basically, there are three or four things. Firstly, you can steal information. Espionage, which is sometimes called computer network exploitation, happens all the time. Secondly, you can disrupt these systems. You can feed information systems commands that cause them to go haywire and not work the way they are supposed to do. If you ever hear about the prospect of hackers disrupting our electricity supply, that is what they are talking about. The third effect is corruption, which is to say that, if hackers enter a bank, photocopy some accounts and transfer some money to themselves, you will wake up and nobody will be entirely sure what money they have in that bank. That is another form of disaster people talk about with cyberpower. There is a fourth form, which is a little complicated. That is that I attack other computers. I put millions of computers under my command and use them to attack websites around the world. This is the sort of attack our next speaker will be talking about. It is one of those hybrid attacks that does not affect certain systems but affects others. It does not affect power infrastructures, unless the planning has been done very badly. It does not affect militaries, unless the planning has been done very badly. It does affect well‑wired countries in particular ways.
I want to assert a few propositions about the use of cyber. The first is that the direct effects of a cyber attack are almost always temporary. The bad guys are giving instructions to computers they do not own. When you discover that these instructions have been given, you can basically be in a position to reinstruct the computers, so they do what you want. It is almost impossible for a cyber attack to actually break anything, although there was a demonstration three and a half years ago on CNN of a cyber attack breaking a diesel generator, which happened to be a model associated with the Alaskan Pipeline. There are limits to how far you would go to extrapolate from a one‑off laboratory demonstration.
Secondly, cyber attacks are not necessarily repeatable. One of the points I have been making about cyberpower for as long as I have been doing this, which is close to two decades, is there is no such thing as forced entry in cyberspace. If somebody gets into your system, it is because a path in already existed beforehand. They are only following a path that you have, but probably do not know you have. You do not know you have it because information systems are so complicated. What happens if somebody takes a path into your system like that? It causes you a great deal of disruption and wakes you up in the middle of the night so that you have to fix it. Generally speaking, it is possible to say, ‘They entered doing this and there are ways to fix it.’ If you do not put in the fix, sometimes the software manufacturing company can install a fix. Oftentimes a fix already exists, but you have not installed it yet. For one reason or another, the specific faults that allow a specific attack to enter your system generally do not last forever once they are discovered. That is a big ‘if’ – once they are discovered.
The other aspect of cyberpower is that my hunch is that, if you look at information systems worldwide, you will see a great number of vulnerabilities which, in theory, give you the potential for a great deal of mischief and disaster. One of the reasons there are a great number of vulnerabilities is because we have promiscuously connected our systems to one another because we find that advantageous. We worry about security – and some worry more than others – but by and large we have not seen an event that says, ‘Uh-oh, maybe we overdid this connectivity business.’ If there is a cyber attack, I believe that people will reassess their degree of connectivity and, in so doing, the chances are fairly good that their connectivity will go down and their vulnerability also, but we have not seen that yet. It is a case of not locking the barn before the horse bolted. We are not entirely certain the horse is going to bolt. In essence, we are placing a bet on the good behaviour of that horse.
Another characteristic of cyber war is that hackers do not have to be states. I mentioned cyber crimes; some of the most sophisticated hackers in the world work for criminal organisations. Some of the most sophisticated hackers are white or grey hats, who are in the business of preventing cyber attack. In order to prevent it, you have to know how to carry it out. You do not need specialised equipment or to operate from military bases. You do not even have to operate from your own country. In fact, if you are insisting on attacking another country, the last place you want to operate from is your own country. The very last place is your own networks. You want to be somewhere else entirely, in case somebody is thinking of hitting back.
How bad can cyber attacks be? If you hang around these conferences long enough, you hear a lot of scare stories. The most common is that somebody attacks the power infrastructure of a large country, breaks tonnes of stuff and sends the country back into the dark ages for months, until the electric power system can be regenerated. I am not saying that cannot happen; I am saying that is not one of the many things that keep me up at night. I am not saying it cannot happen, however.
Let us look at what has happened. Firstly, nobody has died as a deliberate result of a cyber attack – not one individual. Secondly, there has been a lot of cyber crime. I am not quite sure how much, but will give you a guess. This is only my guess, but worldwide it is between $1 billion and $10 billion, which is more than you want to lose but does not put it as number one or two among the various categories of crime.
On the other hand, if you have information on your network, and your network is connected to the internet, and a large state is interested in your information, the chances are high that that information has already gone out the door. General purpose internet systems tend to be relatively weak, and we tend to patch them up after the fact. That does not always work very well, particularly against very sophisticated opponents.
What can you do about this problem? There are three things you probably cannot do. The obvious one you can do is have better defence. Rethink your degree of connectivity, if you think that is a problem. The first thing you cannot do is have a deterrent. There are many reasons deterrents will not work. I wrote a book on it, so you can read all the reasons, but I will mention one, which is attribution. In order to have deterrents, you need a return address to hit somebody back. In fact, if I can carry out a cyber attack by sitting in a public library and using its Wi-Fi connection, or a Best Western or a nice small airport, to get my attack into Joe Smith’s computer in Vacaville, California – or even by using a rogue cell phone – how is somebody going to trace me reliably? Even if we knew what box the attack came from, we do not know who owns it. Even if we knew that, we do not know who is operating it. I am not saying people do not make mistakes but, for a deterrent policy to work, getting lucky is probably not a prerequisite.
The second issue is arms control. We would like to control cyber arms and there have been some proposals for that but, as one person remarked, you can outlaw the possession of offensive cyber weapons as easily as you can mathematics. They do not leave a visible trail. They can sit on any one of a billion different computers. By the way, if you are going to be good at defence, you need a series of weapons to test your defences against. In the conventional arms control sense, you will not be able to outlaw cyber weapons. There are other things we can do with international negotiations. If the questions come up, I can answer them, but traditional arms control is not generally one of them.
The third thing you probably cannot do is use your military to guard your country. The reason why is that, for the attacker to enter the system, they depend on its faults. Somebody asked the question whether there were generic things militaries could do but, largely, the military cannot know the faults of your system. That is for you to know. The military cannot contribute much.
The concluding idea I want to leave with you is that cyber can be a problem, but we are not entirely certain how big a problem. Based on what we see so far, it is not a problem, but that is like saying terrorism was not a problem on 10 September 2001. Perhaps we have not seen the incident. The best approach to the cyber problem will be robust defences. The other priorities we have from the nuclear era do not make sense, given the technology. Thank you.
Prof François Heisbourg
Thank you very much indeed. It is so refreshing not to have heard the words ‘Pearl Harbor’ in your presentation, because there is a cottage industry in certain quarters, which waxes on the theme of the cyber version of Pearl Harbor. Thank you for having kept our feet on the ground while our heads were in cyberspace.
