When he addresses military audiences, Gary Brown often fields questions from soldiers who can’t see how cyber warfare is relevant to their lives.
They’ll tell Brown, a professor of cyber security at Marine Corps University in Quantico, Virginia, that they aren’t involved in cyber operations and can’t see why they should care about cyber warfare.
“You may not in fact be interested in it, but it’s very interested in you,” Brown, a retired US Air Force colonel, told the crowd Friday at Dalhousie University’s 12th International Humanitarian Law Conference.
“All the systems that we use now, every way that we communicate, that we move things, that we conduct command-and-control of our troops, our weapons … all those things are reliant on cyber systems. So it becomes a very big, fat target for your adversaries.”
That means people, whether they’re in the military or not, ought to be interested in cyber warfare, said Brown, who was the first senior legal counsel for US Cyber Command in Fort Meade, Maryland before leaving the military.
“Everything you do in your life is dependent on cyber now, almost,” he said.
We created those vulnerabilities almost unwittingly, according to Brown.
“It has always befuddled me that, as we’ve gone along since the mid ‘90s, we started connecting things to the Internet, and we started then, right away, suffering cyber attacks.”
Our response has been to connect even more devices to the web, he said.
“Is it OK that we sell all these things that have absolutely no protection built in?” Brown said.
“And in fact, some of them, many of them, are designed in such a way that you can’t protect them from cyber attack. Many of these systems come with hardwired passwords that can be found by Googling. And you can’t change them. So anyone can get into it.”
He pointed to the recent denial of service attack on the domain name system that took down significant parts of access to the Internet.
“Not for long. Everything wasn’t down. But it was the biggest hit we’ve ever had on the Internet and that botnet that was put together that carried that out, what was that botnet made of? Mostly programmable DVRs and webcams. Next it will be refrigerators. Everything that touches the Internet can be twisted around to use as a bot in an attack against the Internet.”
Forget about Internet privacy, said Brown, who served 24 years as a judge advocate with the air force, and deployed twice to the Middle East, the second time as senior legal advisor for combat air operations in Afghanistan and Iraq.
“We gave that up a long time ago,” Brown said of privacy. “In the ‘90s, when we were starting this stuff up … we were offered the option: hey public, here’s a system where you can pay a monthly fee and get email. All good. Here’s another one – it’s free. You just have to give us all the information about you so we can target you for ads.”
The companies that charged for email are all gone, he said. “Nobody wanted to pay. Everyone wanted free. But it wasn’t free. What we sold was our privacy.”
Tech companies including Apple are now indicating they no longer want to hold the encryption keys to their customers’ data, Brown said. They want to be able to say that, even with a court order, they can’t decrypt the information, he said. “That’s probably a good thing for the company because they don’t have to be the bad guy,” he said.
But is it a good thing for national security in the US or Canada? “I’m not sure that it is. And I think they’re finding this out in France and Germany where they’re unable to monitor some of the communications of people that have engaged in some of these attacks over there. So it’s at least a debate worth having.”
Brown posed the “sticky” question: How do we get to cyber war?
If cyber activity results in a dam bursting and thousands of people die, that’s an easy call to make, he said.
“Who cares whether it’s caused by a missile or a cyber attack?”
If a cyber attack drives a country to war, they aren’t limited to a cyber response, he said. “We can respond kinetically.”
But what if cyber activity is simply disruptive?
Politicians are concerned that the line hasn’t been drawn clearly enough, so people don’t know when they’ve crossed the threshold of war, he said.
“That’s important because you’d like to advertise, everything else being equal, to potential adversaries that, look, if you cross this line, we consider that to be an act of aggression and we will fight back,” Brown said.
“You’d like to advertise that so you don’t unintentionally escalate to warfare when you don’t need to. On the other hand, there’s some interest in not being too obvious about it because then you know your adversaries can creep right up to the line and just not quite cross it. So you don’t want to give them that kind of flexibility either.”
Sovereignty is an interesting concept in cyber space, he said, pointing to a map of Internet connections in the Middle East that looks akin to a massively complicated dried dandelion puffball.
“I think all of us believe in sovereign rights and the protection of sovereign territory,” Brown said.
“How do you lay that on top of cyber activity? How does that interact? Because when we think about sovereignty, we think about territory. That’s a fundamental part of the notion of sovereignty — protecting your sovereign territory. We know it’s a violation of sovereignty for somebody to march armed troops across the border.”
But how do you violate a country’s sovereign cyber space?
“We don’t even know what cyber sovereignty is.”
Would it violate Canada’s cyber sovereignty, he said, if another state fiddles with data on a commercial server here? “Is it a violation of Canadian sovereignty for someone to throw molecules across the border? Because that’s the kind of thing we’re talking about. I don’t know.”
Malicious firmware can be pre-implanted in electronic goods, he said. “Even if you build your own computer, when you order a hard drive in the mail, when you get your hard drive, it’s already got a little gift on it. Somebody has gone in and implanted some malware in the firmware of the hard drive so that, once a day, it takes everything that was written on the hard drive and mails it home, because we’re all connected to the Internet all the time.”
If a government procurement officer discovers someone put that on their hard drive before they bought it, he said, does that constitute an attack?
“Are we now in an armed conflict?” Brown said. “I don’t think so.”
The malware could easily have shut down a country’s entire logistics system in the event of a war, he said. “They were waiting, just like a platoon of Spetsnaz (special forces) troops going in. Waiting to take down our logistics systems as we go to war. What is that? I dunno. But I don’t think it’s an attack. But it’s more than espionage.”
Countries can expel foreign diplomats or shut down embassies of countries they believe to be engaging in cyber attacks against them, Brown said.
When a country has been the victim of an unlawful act, countermeasures can be taken, he said. “The theory would be in order to get somebody to stop engaging in that unlawful act, I can break the law, too, and go back after them as long as it doesn’t rise to the level of the use of force.”
When Sony’s servers were hacked and lots of hard drives destroyed, the Obama administration called it cyber vandalism, Brown said. “If something’s an act of war, if something’s an armed attack, you’re not going to call it vandalism.”
Countries could apply the functionality test and decide that a cyber attack is act of war when it causes something to stop working as it is intended to function, Brown said.
“You’re not attacking anybody. You’re moving a convoy of troops and you go across a bridge. And it’s a long convoy, so you’re driving across the bridge for a long time. While you’re driving across the bridge, guess what? It’s not functional for the purpose it was intended, which is to let civilians go from this side to that side.”
The law of armed conflict has little to say about what’s happening in cyberspace, he said.
“States aren’t admitting that they did things,” Brown said.
We’re not going to make progress in international law until countries are willing to put something on the table, he said.
“China is really, really good at espionage, commercial and otherwise. They’re really good at controlling information flow in their country,” Brown said. “Why would they put that on the table unless the US and Canada — the five eyes countries — are going to put on the table national security espionage, and Russia’s going to put on the table their influence operations. Everybody needs to put something of value to them on the table, then we can make progress. The chances of that are zero, I think.”
The alternative is politics and diplomacy, he said.
“We’ve already started doing that. The US and China had a cyber security agreement about 15 months ago and it looks like it’s had some effect on their commercial espionage,” Brown said.
“The reality is were probably going to have a big event that happens and everybody’s going to have their attention focused. The big event might be on purpose or it might be an accident. Maybe somebody was trying to do one thing and did another. Some people speculate that this German steel plant (that exploded in 2014) — that it was attempted espionage, but it ended up blowing up a boiler. Accidents happen. When you’re dealing with industrial systems accidents can happen pretty easily. So you never know.”
The focus on state-based cyber warfare is too limited. Ships and planes operate in areas that are outside of traditional territorial jurisdictions. These transportation means depend heavily on computers and data transmitted from all over the world. In a similar vein, there are criminal and terrorist organizations that also operate outside of traditional territorial constraints and some have economies that rival countries’ economies. By opting for low cost communications, computing and data facilities, we have opened Pandora’s box. This is a problem that needs a global solution. Multi-lateralism or single state vigilantism will not protect us.