What is the cyber equivalent of 'use of force'? When do we send in the tanks?
Former National Security advisor and CIA deputy head reflect on the online world
Cloudflare Internet Summit The United States needs to define a new set of international rules that decides what the cyber equivalent of a missile attack is.
So says Avril Haines, former deputy head of the CIA and deputy national security advisor to the Obama Administration.
Speaking at the Cloudflare Internet Summit in San Francisco Thursday, Haines reflected on the nature of cybersecurity when it comes to national security – an issue that has become increasingly important in recent years, especially with respect to Russian interference in the US political system.
The United States is more vulnerable than any other country in the world to a cyberattack, warns Haines, because so much of it is dependent on the internet. The problem is that while there is a long history and body of work on what represents an attack in the real world, there is still no agreement on what is acceptable and what is not in the online world.
"In the cyber realm, we are trying to figure out what constitutes 'use of force'," notes Haines, "but we are nowhere near that yet."
Part of the problem is that no one – particularly the sophisticated United States – wants to agree that something represents an attack when they could also be accused of the same thing.
"If we say something is 'use of force,' it can be used against us," Haines says. "We need a framework where we can go to other countries and say 'this is a problem, you should join us'."
Currently a big part of the problem is that cyberattacks are seen in some ways like intelligence, and espionage has traditionally been viewed as a kind of game that shouldn't invoke nation-state responses. Which leads to the question: what kind of cyberattack is sufficiently bad to send in the tanks?
Haines addresses the Cloudflare Internet Summit
In Haines' mind, the answer to that is when a cyberattack has the same impact as a bomb would have: taking out a critical piece of infrastructure. But she warns that while it is easy to see the cyberworld as a battlefield, in reality it is just part of a larger overall conflict.
"We need to make sure we don't imagine that the only responses to cyber are in cyber," she says. In other words, the cyberworld and real world interact and we should not view them separately.
Nevertheless, when pushed on the "send the tanks in" question, she flags what Russia did to Georgia – and currently what it's doing to Ukraine – as an example of where cyberattacks may cross the line as they are part of a larger strategy to pressure and damage a nation state.
Although the topic is complex and highly variant, Haines nevertheless remains optimistic that a set of rules covering the cyberworld that expand long-held norms over conflict into the virtual world can be broadly defined.
She points to the Law of the Sea – a very clear but complicated set of rules that define what guidelines and laws apply outside of normal national borders – as an example of how a seemingly impossible framework can be designed and made to work, as it is in everyone's interests not to end up in constant conflict all around the world.
It's just in the security and intelligence worlds that the internet is redrawing the way the world works, however.
Haines feels that the impact of virtual communities – where we all connect with and spend more time with people far outside of our own physical worlds – is going to bring with it "another evolution of our political institutions."
There will be an increasing reliance on non-state actors, she predicts. The question then becomes: are those non-state actors subject to the kind of rules that traditional systems are, in order to protect people and societies?
And by non-state actors she doesn't mean just terrorist groups, but also large companies (many of whom, she notes, have foundations that do similar work that governments used to do), and things like Bitcoin.
As for the impact of the internet on the intelligence community itself, Haines notes that it has become increasingly difficult for intelligence agencies to "bring something new to the table."
She told an anecdote about a former head of the CIA who, when he retired, thought he would miss the president's daily briefing. But then he started reading The New York Times, and found that he received almost the same quality of information and analysis.
In the internet world, information is much, much easier to find.
As to the biggest impact on intelligence in recent years – Edward Snowden's massive dump of information about what the security services are really up to – Haines notes: "I wish it hadn't taken Snowden to start the conversation."
She then provides some intelligence services and real-world perspectives: "One of the problems is that we always have the conversation in the light of an attack. There is this demand for perfection from the intelligence community – that there can never be an attack – and that makes it really difficult. They feel that pressure any time anything goes wrong."
The hard truth is that a difficult conversation needs to be had, says Haines. "There are some values such as privacy where we have to discuss whether we are willing to live with a certain amount of risk [in order to maintain a high level of privacy]. We have to get comfortable with that." ®