Photos taken from the Norse Attack Map.   The map shows in realtime attacks that happen on the Norse honeypots.

Photos taken from the Norse Attack Map. The map shows in realtime attacks that happen on the Norse honeypots. Christiaan Colen via Flickr

Writing the Rules of Cyberwar

The line between offensive and defensive attacks is far from clear, a new book argues.

The Washington Post’s report last week on Russian cyber efforts to disrupt the 2016 election—and the Obama administration’s months-long debate over how to respond—ended on a foreboding note. Among the measures apparently adopted in response to the hack was “a cyber operation that was designed to be detected by Moscow but not cause significant damage,” involving “implanting computer code in sensitive computer systems,” according to anonymous officials who spoke to the paper. The code could be used to trigger a cyberattack on Russia in response to another Russian cyberattack on America, whether that targeted elections or infrastructure. The paper characterized the operation as currently being “in its early stages.”

From an American perspective, the operation as described could look defensive—if it was “designed to be detected,” it would serve as a warning and potential deterrent against further offensive actions by Russia. Or it could be used purely in retaliation for aggression of some kind. On the other hand, though, once the implants are operational, what’s to stop an American leader from using them for offensive purposes, simply to weaken, undermine, or otherwise mess with Russia? From the Russian perspective, this potential would make the implants look like an offensive cyberoperation—and prompt “defensive” measures on Russia’s part, that would in turn threaten the United States. The cycle could escalate from there.

This dynamic is an example of the “security dilemma”: When a state takes defensive measures, other states can perceive such behavior as threatening, and respond accordingly. Underlying this dilemma is the difficulty of distinguishing “offensive” from “defensive” moves when trying to evaluate another state’s intentions. Ben Buchanan, a postdoctoral fellow at the Cyber Security Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, argues in his recent book, The Cybersecurity Dilemma, that the line between offense and defense is even blurrier in cyberspace. “To assure their own cybersecurity, states will sometimes intrude into the strategically important networks of other states and will threaten—often unintentionally—the security of those other states, risking escalation and undermining stability,” Buchanan writes. Meanwhile, a ransomware attack believed to be using stolen NSA tools spread across the globe on Tuesday for the second time in as many months, showing another way cyber tools can undermine stability: The technologies states develop to protect themselves can be stolen by criminal hackers and turned against their inventors.

I recently caught up with Buchanan at the Belfer Center's Cyber Security Project, which supports my research as well, to better understand the cybersecurity dilemma and its risks. Our conversation, condensed and edited for clarity, follows.

Alyza Sebenius: Why is the line between offensive and defensive action blurry in cyber?                                                                   

Ben Buchanan: One of the striking things is that network intrusions—which is to say, hacking—is really useful for defense as well as for offense. One of the stories I relate at some length is how the United States, in order to improve its cyber defenses against Chinese hacking, hacked Chinese hackers themselves—to understand who they were and how they operated—and used this information to guide its own defenses [in the 2000s].

This, of course, was great from an American perspective. But if the Chinese uncovered this intrusion, one wonders what they would think about it. Would they know that it was done genuinely with defensive intent? Or would they fear it was something more offensive?

Another of the big issues here is that the mechanics of doing offense and defense in cyber are different from conventional or nuclear. So, for example, if you're doing offense in cyber operations, it requires a lot more prep work—reconnaissance and so forth in the adversary’s systems, [and] actually getting your malicious code into their networks—than in a Cold War context, where you would launch a missile but do a lot of prep work in your own territory before launching that missile.

For example, if you look at the Stuxnet operation [which consisted of cyberattacks reportedly by the U.S. and Israel on Iranian nuclear facilities], it was preceded by months if not years of reconnaissance, getting information on how the Iranian facilities worked and ultimately how they could be attacked. And that kind of reconnaissance took place in Iranian networks. One of the things that worries me is that if a nation uncovers this kind of reconnaissance under way, they have a very hard time interpreting it and knowing if it’s for offense or for deterrence or something else.

Sebenius: Why does this make the security dilemma more difficult for cyber?

Buchanan: The notion that, when offense and defense are blurred the security dilemma is more serious, long predates cyber. And it makes some intuitive sense. For example, if a nation builds walls and towers, its surrounding nations are not likely to be as threatened because those walls and towers can’t move. If they build bombers and tanks, that might be more threatening. It’s easy in that context to differentiate offense and defense and to know what’s threatening.

In cybersecurity, the harder it gets to differentiate an offensive intrusion from a defensive intrusion, the more real the cybersecurity dilemma is. A nation might break in for genuinely defensive reasons, but the side suffering the intrusion might say: We don’t know what the intentions are here. We are going to assume the worst. And that’s how misperception can happen.

Sebenius: How did the blurry line between offense and defense play out in the case of Nitro Zeus [an unexecuted cyberattack plan which reportedly would have been used against Iran if nuclear negotiations failed]?

Buchanan: Nitro Zeus is a follow on to Stuxnet—or a contingency plan, probably, is the best way to put it. It was a notion that if the United States did end up in a conflict with Iran it might want some cyber options to carry that conflict out, according to The New York Times. And as part of this contingency plan, the United States did, it seems, a fair amount of preparation in the environment, reportedly inside Iranian networks to build out those capabilities. Of course the question becomes: If the Iranians saw this preparation, saw this reconnaissance, saw this contingency planning, would they know it was just for a deterrent later on, or would they be immediately worried about the possibility for attack and potentially escalate the situation?

Sebenius: How does the margin for error in cyber complicate this picture?

Buchanan: One thing that’s interesting in cybersecurity is the capacity for accidents. And certainly there are accidents in other domains as well. But one case that stands out in the cyber domain is when the internet went out in Syria in September 2012. Edward Snowden tells us that this was not an intentional attack against the Syrian internet but this was a case of someone trying to do espionage and inadvertently making a mistake and causing an outage to the internet.

Whether or not the particulars of that case are true, it’s hard to know. It reveals something that’s concerning which is that a state might genuinely be trying to do espionage … but the possibility [exists] for an accident. And this makes any intrusion into a foreign network more threatening or seem more threatening, because even if the intentions of the intruder are not to cause damage, it might inadvertently do so.

Sebenius: Are there particular errors that worry you for the future?

Buchanan: One that gets attention is someone trying to build out a capability that would affect critical infrastructure—networks that control power, water, and so forth—but has no intention to use it, except in a very serious circumstance, and they inadvertently cause some damage. Now, I don’t know how likely that is, but anytime we’re talking about intrusions into critical infrastructure, it’s concerning.

Sebenius: While network intrusions may be for defense or espionage, you suggest that states tend to view any intrusion as highly threatening. Walk me through this.

Buchanan: We don't know a ton about how nations interpret intrusions, but we do have a couple data points to go on. Two that have entered the public domain are cases called “Solar Sunrise” and “Moonlight Maze,” from the 1990s.

Solar Sunrise emerged at a time of heightened tension between the United States and Iraq. American policy-makers worried greatly that this breach into American computer systems would inhibit their ability to fight in Iraq, [and] to do deployments. They thought that this might be Iraq using some kind of asymmetrical technique against the Americans, and they were very concerned. Eventually investigators concluded that Solar Sunrise was conducted by just three teenagers, so not nearly a geopolitical threat. But it was taken very seriously because it was thought that this was an Iraqi attempt to weaken the American military.

Moonlight Maze was probably a more significant illustration of how seriously network intrusions can be taken. Moonlight Maze was a series of Russian intrusions into a wide variety of American targets, none of which were classified networks but all of which, put together, attracted a great deal of attention in Washington. Richard Clarke, who was then a senior national security official, called this pre-war reconnaissance. Deputy Secretary of Defense John Hamre said to Congress: We're in the middle of a cyber war. And there was no attack in this case—it was just espionage, and just intelligence collection all from unclassified networks.

And the last point here that’s interesting is Ash Carter, who was President Obama’s secretary of defense, discussed a Russian intrusion into Pentagon networks. And a journalist asked him what he thought the intentions of the intruders were, and Carter essentially said that he didn’t know the intentions, but it was a priority to kick the Russians out as fast as possible. This shows how seriously nations these days take cybersecurity and the lengths that they'll go to defend their networks.

Sebenius: You write that with cyber weapons—unlike conventional or nuclear ones—states have to make decisions without knowledge of other states’ capabilities. How does this complication play out?

Buchanan: The problem with cybersecurity—because cyber capabilities come out of the intelligence community, come out of the secret world, and indeed because they require secrecy in order to work—is that nations don’t have a great understanding of each other’s cyber capabilities. It’s a counterintelligence issue. And that makes interpretation of the other side’s plans more difficult. If you don’t know their intentions and you also don't know the means or some of the means with which they'll carry their intentions out, that definitely complicates the picture still further.

Sebenius: Why have measures taken by states to mitigate conventional security dilemmas failed to provide protection in the cyber realm?

Buchanan: Nations over time have developed different ways to mitigate the security dilemma, to make each side more confident in stability and less fearful. One of the ways they do this is to sharpen the distinction between offense and defense. For reasons I mentioned, it’s very hard to do that in cybersecurity.

Another way is to shift the offense-defense balance—to make it seem that defense has an advantage and that it’s better to receive an attack and then counterpunch, rather than to initiate an attack. The problem in cybersecurity is that there’s nearly universal acknowledgement that offense has the advantage. You can find people up to and including President Obama who will point to advantages that offense has in cyberspace. My concern is that the widespread notion of an offensive advantage could be a spur leading to this notion that: We have to strike first. We have to go fast at the beginning of a cyber conflict.

Sebenius: How do you see the Trump administration handling the cybersecurity dilemma?

Buchanan: President Obama was wary of escalation in cyberspace. Time and again when there was the risk of escalation, he chose not to pursue the path. An example of this is the 2016 DNC hack, in which reporting indicates he was worried about escalation if he pushed back too hard against Russian hacking. I’ve given up making predictions on Trump, but as a generalization, I think it’s fair to say that he is less cautious than Obama. So one question that does emerge is will he be less worried about escalation and blowback?

Sebenius: Are there ways that the cybersecurity dilemma can illuminate how non-state actors, like businesses, might be vulnerable?

Buchanan: A lot of times they are the targets of nation state activities. Ninety percent of the power grid in the United States is privately owned. So if China or Russia wants to hack American critical infrastructure, they’re often hacking a private-sector company. How we ask those companies to defend against essentially nation-state adversaries is still very uncertain: Do the companies want regulation? Do they want a U.S. government presence in their networks? The answer appears to be no. One concern that I have is that our inability to raise security standards in the private sector for domestic political reasons will have long-run effects on our cybersecurity and ultimately on our national security.

Sebenius: How do you envision the cybersecurity dilemma playing out in the next several decades? What is an optimistic case?

Buchanan: One of the optimistic cases is that cyber operations now have gotten more scrutiny now than ever before. So nations may recognize the dangers of this, and may try to think about what they could do to foster stability in the long run.

Another optimistic case is that we might get substantially better at doing technical defense, so that we don’t need to intrude into other nations to enhance our own security. If you can protect yourself without having to intrude in other networks, then this is actually an area in which we differentiate offense and defense very well. If firewalls could stop every intrusion—which they can’t right now—we wouldn’t need to break into the Chinese networks to enhance our defenses. We are a long way from that, but a technical optimist could go down that path.

Sebenius: And the pessimistic case?

Buchanan: One area of pessimism is that as more nations build out their cyber capabilities, this increases complexity, which increases the risk of misperception. We could have the cybersecurity dilemma play out, for example, between India and Pakistan, in a way that we didn’t anticipate—but it’s just a new engagement of the brinkmanship of those two countries.

Another pessimistic thing is that, as hacking becomes more integrated with military force, the potency of this situation might increase. It might be we don’t just fear that an intrusion might lead to a cyber attack, but intrusion may be integrated with conventional military attacks. One thing that I write about is that, maybe in 30 years, we no longer call the cybersecurity dilemma the cybersecurity dilemma and we just go back to calling it the security dilemma because it’s so integrated into statecraft and misperception.