In the long Cold War between NATO and the Warsaw Pact, espionage was rife. Security services placed secret agents in sensitive positions, spy planes photographed strategic locations and information was smuggled through borders.
The reasons were simple: each side believed that they would eventually end up at war with the other – and when conflict began, knowing your enemy’s secrets could make a crucial difference to the outcome. There was only one rule: don’t get caught. Getting caught could spark an international incident and bring the world one step closer to war.
Is something similar happening online?
Attacks are everywhere
In August, it emerged that a group called APT1 – aka Comment Crew – had infiltrated the control systems for a US city’s water supply. The systems were fake, a honeytrap designed to catch hackers, but the infiltration was real. According to security firm Mandiant, "APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors" and may be Unit 61398 of the Chinese People’s Liberation Army.
As MIT Technology Review reports, other hacking groups also target municipal control systems: "Between March and June this year, 12 honeypots deployed across eight different countries attracted 74 intentional attacks, 10 of which were sophisticated enough to wrest complete control of the dummy control system." Around half of the critical attacks originated in China.
Why are they targeting control systems? The answer’s simple: by shutting down key infrastructure, you can cause chaos. According to US director of national intelligence James Clapper, cyber attacks and electronic espionage have supplanted terrorism as the most severe security threat to the US.
In May, a report claimed that the US electricity grid is under near constant attack from malware and cyber-criminals – and earlier this month, industry leaders claimed that a massive attack on the US power grid was "inevitable."
In the UK, GCHQ has announced twin schemes to protect against electronic attacks: it is working with the Council of Registered Ethical Security Testers (CREST) to promote "appropriate standards for incident response" across the public and private sectors, and it is working with the Centre for the Protection of National Infrastructure (CPNI) to help organisations under attack "source an appropriate incident response service… and allow GCHQ and CPNI to focus on the most challenging attacks."
State-sponsored cyber-attacks
It’s unclear whether APT1 and similar groups are controlled by the Chinese authorities – security analyst Jeffrey Carr told MIT Technology Review that he doubts that "the Chinese military or their intelligence services would use such obvious methods and be so frequently found out" – but there’s no doubt that many electronic attacks and espionage are state sponsored.
China isn’t doing this in isolation – Iranian hackers have been targeting US companies, with one attack on oil pipeline systems that went "far enough to worry people" – but it’s a little more brazen than others.
In March, General Keith Alexander told the US Congress that he was creating 13 teams to carry out offensive cyber-attacks. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he said. "This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace."
And of course, there’s PRISM. According to claims by US whistleblower Edward Snowden, PRISM extends to Hong Kong and China, giving the US "access to the communications of hundreds of thousands of computers without having to hack every single one."
Hacks of war
Is hacking an act of war? That depends on what you hack. The go-to guide on electronic aggression comes from the NATO Co-operative Cyber Defence Center of Excellence, whose Tallinn Manual attempts to explain how international law applies to cyber operations. By the group’s legal analysis, an electronic attack isn’t an act of war unless it violates sovereignty and is a "use of force" that causes damage. So far, the antics of Chinese (and other) hackers don’t meet that definition.
Where things get scary is when they do. A Stuxnet-style attack on a power station or a successful and deadly shutdown of the power grid would fall into the category of "use of force" – and that means the nations are in an armed conflict.
Once that happens anything goes: while the Tallinn manual emphasises the need for diplomatic responses to acts of force, the response depends very much on the scale and severity of the attack. An attack with real-world consequences is likely to be met with real-world weapons.
Under the Tallinn Manual, the perpetrators would be legitimate targets even if they were civilians. Rule 29 says that civilians "forfeit their protection from attacks for such time as they do so participate." As Mother Jones reports, that doesn’t mean NATO can send drones "to take out Anonymous hackers who they find annoying" – but it does mean that in a conflict hackers who might not consider themselves soldiers would be targeted as such.
That’s assuming you can identify the perpetrators, of course. In most cases, attacks’ origins are carefully disguised – so for example the Stuxnet worm that attacked Iranian nuclear facilities was discovered in early 2010, but it wasn’t until mid-2011 that believable reports of its origins began to circulate.
The Chinese authorities claim that the US is the aggressor and that claims of Chinese cyber-attacks are being exaggerated or invented for political gain. Hu Xijin, editor-in-chief of Beijing’s Global Times, says that "we feel that you are shouting about [us] as an excuse for establishing an internet army." Some conspiracy theorists go further, alleging that recent attacks such as Iranian hacks on US energy providers are false flag operations – that is, faked by the US.
Time to talk
The parade of claims, counter-claims, vehement denials and heated allegations is horribly familiar. As security expert Bruce Schneier writes, "we’re in the early years of a cyberwar arms race. It’s expensive, it’s destablising, and it threatens the very fabric of the internet we use every day."
Schneier – and many others – argue that the best way to solve the problem is to have international treaties that "stipulate a no-first-use policy… we could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits".
Such treaties wouldn’t be perfect. Enforcement would be a problem: it’s hard enough to find weapons of mass destruction, let alone trace electronic weapons. But there’s an even larger problem, and that’s getting the major powers to agree on them in the first place. While the US has accepted the Tallinn Manual, Russia has rejected it: it wants cyber-weapons banned altogether.
Meanwhile, China’s official response to US requests for international agreement is that the US is having a laugh. According to China Daily, which often speaks on behalf of the Chinese authorities, "it is bizarre that Washington can continue to pose as the biggest cyberespionage victim and demand others behave well" in the light of Edward Snowden’s revelations: "Washington is trying to dictate the rules for global cyberdomain, which is a public space".
US president Obama and his Chinese counterpart Xi Jingping met in July to discuss the issues, but failed to reach any agreement. International cyberwar treaties appear to be a long way off.
Technology can be used against the state, but is it also making us less human?
TechRadar: World of tech
Share