By Arul Louis *

NEW YORK (IDN) – The terrifying potential for cyberwar between nations and also asymmetrical cyberwar by non-state actors now looms over the world with the same intensity of the threat of a nuclear holocaust.

The danger was writ large in a recent cyber intrusion into a nuclear power plant in India and the planting of a virus in an Iranian nuclear facility.

United Nations Secretary-General António Guterres issued a warning last year, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare.”

Cyberwarfare at different levels of intensity is at the height of cybersecurity concerns, which also affect nations and socials at various levels.

It helps to start with a survey of the array of threats before going into the policy dimensions.

Cybersecurity threats can be classified for the purpose of this discussion into four levels with varying degrees of threats with some overlap.

The highest are threats that can be escalated to the level of cyberwarfare and these exponentially increase the risk of asymmetrical warfare – by both nations as well as non-state actors. In a conventional war, for example, bombers, missiles and artillery along with their support systems will be required to destroy industrial complexes, communications infrastructure, railway networks and power and water supply systems. But it can all be accomplished without the need for any weapon hardware by hacking into computer systems controlling them.

Within this category of cyberwarfare, the most dangerous threat would be a nuclear catastrophe engineered through hacking civilian or military nuclear facilities.

Although it was ostensibly meant to be a nuclear disarmament effort, the attempt to cripple Iran’s nuclear fuel generation using the infamous Stuxnet virus demonstrates the capabilities for nuclear sabotage that could annihilate cities.

These possibilities point to the enormous offensive capabilities nations as well as non-state actors can wield.

Former United States Defence Secretary Leon Panetta has summed up the risks at this level warning of a “cyber Pearl Harbour” – an allusion to the devastating Japanese attack on Hawaii that caught the US unawares and brought Japan into the Second World War.

Cyberwar waged on political systems

The level of cyber threats below that – which are political but have the potential to rise to the higher level – are those that can create a havoc in the political and civic systems. The higher level of this verging on cyberwarfare would be, for example, hacking into the voting system or the voter list because of the potential for regime change.

The hacking of government systems to issue fake orders, change or destroy records or to interfere in personnel matters is another aspect of the threat at this level.

Consider at this level also the use of social media to create civil disturbances or encourage activities that paralyse governments and cause huge losses of lives and property and destroy social order.

(The role of social media in Egypt and Ukraine are examples of this, although some would try to make the distinction between what they consider noble causes and those that they would disapprove of like the Russian use of social media to try to disrupt the 2016 election in the U.S. This could echo the “who is a terrorist” debate – making a distinction based on motives rather than actions.)

Major financial and economic crimes with no direct or identifiable political motive but would fall into the third tier. Theft of intellectual property from businesses or research institutions would be major subset of this (although sometimes they can also have military or political aspects when the targets have military use).

Then there are what appear to be crimes of opportunity like the cyber heist of about $1 billion from Bangladesh Bank in 2016 and the $13.5 million cyber theft from India’s Cosmo bank (by North Korea). At this level are the ransomware attacks that shut down local government operations in the U.S. and the British health system and demanded payments to restore them.

And then there are low level cybercrimes that affect individuals and businesses and institutions with small stakes.

The weaponised hardware threats can be noted, although outside the purview of this discussion. Four nations, China, India, Russia and the United States have the capability to take down communication satellites. International undersea cables that now carry the bulk of intercontinental digital traffic can be destroyed. Internet infrastructure within nations are also at risk of sabotage.

Developing cybersecurity policies

A comprehensive cybersecurity policy at the national level would have to have several approaches to the different types of threats. While social media is at centre stage in most of the discussions about cybersecurity and the impact on societies and politics, the norms for dealing with them inevitably collide with issues like freedom of expression and the control exerted by powerful multinational corporations. Therefore, leaving them aside here is a look at the policy perspectives for dealing with more pressing issues of cybersecurity.

The most urgent action needs to be at the political and diplomatic levels in promoting an international legal regime for cyber applications with military potential.

The United Nations has been trying to come up with a framework for this with an experts’ group but has not made any concrete moves, even though most major nations have expressed support for this.

The General Assembly has adopted resolutions on the Creation of a Global Culture of Cybersecurity in 2002 and 2004, the second one dealing specifically with protection of infrastructures. They are but seminal efforts.

While warning about the risk of cyberwarfare, Guterres wondered if the Geneva Conventions on international conduct in conventional war can be applied to cyberwar.

A suggestion by Microsoft president and chief legal officer Brad Smith for a Digital Geneva Convention on Cybersecurity could be a starting point. He proposes a treaty like the Fourth Geneva Convention that deals with the protection of civilians during times of war which has been signed by 196 countries.

His proposal goes beyond the protection of civilians, businesses and critical infrastructure to restraint in developing cyber weapons, a commitment to nonproliferation of cyberweapons and limiting any offensive action to avoid a “mass event.”

Some of the issues in developing international norms for cybersecurity reflect the dilemmas of nuclear weapons use and disarmament and complicate their development. For example, there is the question of no first-use, which the U.S. has ruled out.

Meeting the challenge

Cyber wars are a universal threat, which leaves smaller countries, especially those with a less developed cyber ecology but nevertheless interconnected to a global system, highly vulnerable as was seen in the looting of the Bank of Bangladesh.

All countries, especially those most vulnerable, should focus on consensus-building on key issues by disaggregating them from contentious East-West issues of freedom of information and human rights to focus on overarching issues of military use.

Alongside this, military doctrines on deployment and use of cyber capabilities is a new area that requires development intellectually keeping in mind the ethical issues.

The idea here is to establish the groundwork for an eventual international regime like the non-proliferation treaty, although realistically it should focus on setting a code for military applications and penalties for their use because a ban on possession and use may not be possible.

Side by side with this is pushing for international action against non-state actors getting and using cyber weapons – very difficult task because the infrastructure for developing them cost very little.

Those are the ideals, but at a practical level countries have to develop defensive cyber capabilities.

International organisations and countries with advanced cyber technology should be prevailed upon to set up a mechanism to help countries that are unable to build cyber defences.

At the domestic level cybersecurity policies have to first aim to develop a culture of cybersecurity and propagate them. And then comes enforcing cyber discipline.

It is essential to quarantine critical systems from the internet completely to protect against intrusions; this is supposed to be in place for the critical elements of the nuclear power plants.

Higher levels of security for important offices requiring use of special telecommunications equipment is essential when they have to communicate across phone and internet systems.

(In the U.S. officials at certain levels are required to use special phones – which President Donald Trump reportedly often does not to the consternation of security officials who have reported finding intrusion devices planted in the nation’s capitals believed to be by foreign countries. His predecessor Barack Obama had to accept limitations on using his favourite Blackberry.)

Officials and diplomats from many developing countries often use commercial mail like Gmail for official communications, which can be risky and should be avoided.

Where official equipment is used for social media as part of official business, norms should be set for security software.

It is also important to develop and enforce norms for cybersecurity for the private sector, especially for financial and other important sectors.

As with government sector, audits and rules for disclosure of risks must be developed and enforced.

Ultimately a lot of this comes down to personal responsibility and that is where the propagation of the culture of cybersecurity is important.

*Arul Louis, a New York-based journalist, is a non-resident Senior Fellow of the Society for Policy Studies and can be contacted at arullouis@spsindia.in and followed on Twitter @arulouis. He is a former news editor and columnist of the technology section of the New York Daily News. [IDN-InDepthNews – 23 November 2019]

Image: Cyber security. Source: Eurocontrol

IDN is flagship agency of the International Press Syndicate.

facebook.com/IDN.GoingDeeper – twitter.com/InDepthNews