By Tanner Huggins, Transatlantic Security Analyst
Cyberattacks have the potential to utterly cripple an unprepared country, dealing vast and immediate damage to its communications, infrastructure, and economy, and most nations, including the United States and major players in the European Union, have little infrastructure available to combat such attacks.
The effects of a coordinated cyberattack, for anyone who relies on modern technology in even the most remote of ways, are crippling. As the 2007 attack against Estonia showed, even a basic attack can entirely cut off a country’s communication with the outside world. When the Estonian attack hit, major news outlets could not get any information to the outside world — effectively, the country became an island, severed from Europe and the rest of the international community.
Adding to the complications, it is notoriously difficult to determine the perpetrators of such attacks, be they “freelancers, organized crime, or foreign government agents.” Though initial indicators pointed towards Russian involvement, and even though the government may have helped ‘encourage’ the perpetrators, after the shakedown it seemed as if the attack actually came from a mercenary group of “hacktivists” and criminal botnets. This group, led by a few dedicated Russian criminal hackers, used a relatively small network of infected computers to bring down the network of an entire state. Multinational infrastructures have also been a target; €30 million of carbon credits were stolen from EU members’ emission-trading registers this January. What, then, would happen if a coordinated attack, supported by a state or an organized criminal or terrorist organization, struck several nations simultaneously?
Most networks, like those of the United States, remain woefully unprepared for an attack despite these preliminary preparations, and potential hackers have a wide range of options available in choosing when and where to strike. Sensitive networks are being probed on a daily basis — Northrop Grumman and other US defense contractors are under “constant” and “sophisticated” attack, according to that company’s CEO Wes Bush. Of course, governments are not unaware of the dangers they face: as US Army General Keith Alexander told attendees of a cyberdefense symposium this month, we know that a destructive cyberattack is coming, but not how or when.
NATO and the EU have taken initial steps to anticipate such attacks in the form of the NATO Policy on Cyber Defense and the European Network and Information Security Agency (ENISA), respectively, which aim to focus on coordinating member states’ cyberdefense policies to prevent and build resilience against cyberattacks. A program set up by the US Department of Defense, which shared classified information with defense contractors to assist in keeping their shared networks secure, met with a great deal of success, keeping out “hundreds of attacks” during its trial period. The Department of Defense is considering expanding the program into other sensitive industries in the civilian arena, such as power grids, financial services, and transportation systems.
And, as with many information security issues, therein lies the problem. Increased cyberdefense capabilities by necessity entail invasions into privacy. It is not clear, at least within the United States, if current laws allow such an expansion — or if private citizens will tolerate more incursions into online privacy. Adding to the confusion, it is likely that a coordinated national cyberdefense would necessitate acting through other nations’ online “territory”, and if this were to be handled in a haphazard fashion, it seems reasonable that diplomacy between such countries would suffer.
Given this litany of complications and concerns, how should countries and international organizations prepare for hostile cyberoffensives? As German MEPs Christian Ehler and Jorgo Chatzimarkakis recommend in an opinion piece for European Voice, it is vitally important that countries — especially those in NATO and the EU — standardize legislation regarding cyberdefense and create an organized forum in which they can pursue common objectives. Council of Foreign Affairs Fellow Robert K. Knake expands upon this idea, calling for a multilateral initiative that develops a stronger network to fight cyber crime, develops new norms of state behavior in cyberspace, and establishes mechanisms within governments to pursue that strategy.
To that end, countries with a common stake in cyberdefense — the United States, European Union and NATO members — should go above and beyond current policies to create an international structure with statutory powers that will settle issues of international law in regard to cyberdefense, integrate host countries’ networks to control access and limit points of weakness, and incorporate sensitive private networks to ensure that they remain protected against potential incursions. Though this would necessarily involve some sacrifices of both national sovereignty and civilian privacy, such steps are a necessary evil when dealing with the potential of a national or international electronic shutdown. Whatever form this cooperation takes, it must stand in stark contrast to the status-quo approach, in which states organize their defenses largely independently and can only act in a very limited manner once an attack has been launched. Opting for that response, as evidenced by Estonia in 2007, is inviting catastrophe.