SIGNAL, the official publication of AFCEA
January 1, 2015
Incoming: What Is a Cyber Attack?
By Adm. James G. Stavridis, USN (Ret.)
Unfortunately, cyberspace is an increasingly attractive venue for aggression these days. The digital domain facilitates operational maneuver in a manner that obfuscates an actor’s identity, affiliation and tactics. But unlike sea, air and land, much of cyberspace’s doctrine remains undefined, to include even the most fundamental of terms. We do not even have an agreed-upon definition of what constitutes an attack in cyberspace—and it is high time we did.
One prominent definition comes from the Tallinn Manual on the International Law Applicable to Cyber Warfare. The widely read but nonbinding document calls a cyber attack “a cyber operation … that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” The Tallinn Manual is an impressive body of work, but its definition of cyber attack is far too simplistic to account for the nuances of cyber warfare. It sets a dangerously high threshold for a domain with comparatively low barriers to entry.
Rather than defining cyber attack in a single sentence, it is useful to first briefly explore the use of force in cyberspace and then establish the point at which cyber force becomes an armed attack. This is more than theoretical, by the way. The NATO treaty states that an attack on one nation will be regarded as an attack on all, so we are bound to respond to a cyber attack, but again we lack an agreed-upon definition.
From the mildest action to the most destructive, the broad spectrum of cyber attack could include intrusion, surveillance, recording of data, espionage, extraction of data, theft of intellectual property, manipulation of data, destruction of data, control of devices and systems, kinetic effect through control of devices, destruction of devices and property, destruction of critical infrastructure, individual lethal effect and operations with national impact.
Today, three elements are key to cyber force, beginning with intelligence. Gaining access to a network and executing a cyber payload demands a nearly perfect understanding of the target environment. Therefore, network reconnaissance enables the use of cyber attacks, and evidence of such activity often indicates the potential for use of cyber force.
Next are cyber weapons. Unlike the physical domain, cyber weapons usually are target-specific with short shelf lives. The same string of code that threatens a Windows operating system may pose no threat to a Cisco router. Code is only weaponized when paired with a compatible target. Otherwise, as with a dummy bomb, the virtual payload is benign.
Finally, as in the physical domain, capability absent intent and will is insufficient to project cyber force. Behind every cyber attack is a calculated human decision. Efforts to deter aggression in cyberspace are aimed at this element of cyber force.
While these three elements combine to produce cyber force, the cyber weapon determines whether cyber force rises to the level of an armed attack. As with conventional weapons, every cyber weapon is developed with a precise outcome in mind. It is this desired outcome that converts seemingly random “ones and zeros” into weaponized code.
Cyberspace is most attractive because it affords opportunities to effect nonviolent but impactful consequences. A definition that limits cyber attacks to physical death and destruction, therefore, eliminates most manifestations of cyber force from consideration. In today’s digital society, the definition must account for the effects of manipulating data and altering network processes to produce virtual destruction or disruption.
For example, in 2010, the well-known Stuxnet virus infected Iran’s nuclear centrifuges, causing them to spin out of control and ultimately self-destruct. Because Stuxnet produced a destructive effect that we normally associate with attacks in other domains, there is no argument over whether it constituted a cyber attack.
Two years later, however, the less well-known Shamoon virus infected the network of Saudi Aramco, the world’s largest state-owned oil company. The cyber weapon erased data on most of the company’s computers and compelled Saudi Aramco to terminate employee email for an extended period of time and replace tens of thousands of corrupted hard drives.
Three aspects of Shamoon qualify it as a cyber attack. First, Saudi Aramco was unable to reconstitute data wiped from its computers’ memories. Equipment is easily reconstructed, but data lost without backup is lost in perpetuity. In addition, interrupting business services for extended periods of time affects corporate productivity and profits. Two weeks of downtime for the world’s largest oil-producing company yields adverse global economic consequences. And finally, the sheer cost of replacing more than 30,000 machines to rid a corporate network of malware is a far better measure of cyber force than simply concentrated personal injury or physical damage. Yet, according to the Tallinn Manual, Shamoon was not a cyber attack.
Both examples are attacks. One did physical damage, and the other had an effect in less visible ways, but both caused harm to an intended target after deliberate, willful launch. A good definition to use as a starting point would be: A cyber attack is the deliberate projection of cyber force resulting in kinetic or non-kinetic consequences that threaten or otherwise destabilize national security; harm economic interests; create political or cultural instability; or hurt individuals, devices or systems.
Within cyberspace, defining doctrinal terms is more than just an exercise in semantics. It is crucial to maturing our capabilities and overcoming the ambiguity that plagues collaboration and unity of effort. Gaining universal consensus on what constitutes a cyber attack is the first step to establishing international norms and curbing the malicious exploitation of the digital commons by state and non-state actors. The term cyber attack cannot be viewed in the context of other domains. Physical violence is not always a primary measure of cyber force, and limiting the definition to kinetic standards only encourages other activities that are far more costly to victims of cyber force.
Adm. James Stavridis, USN (Ret.), was the 16th Supreme Allied Commander for NATO from 2009-13. He is the 12th dean of the Fletcher School of Law and Diplomacy at Tufts University, from which he holds a Ph.D. in international relations.