Trust But Verify

By Kevin Coleman
Defense Tech Cyber-War Analyst

Remember that old adage? It was a common catch-phrase used by Ronald Reagan when he was addressing Russia and the Intermediate Range Nuclear Forces Treaty (INF). Well, it has just returned and has new meaning since it would be applied to the cyber world.

A group of fifteen nations, including the United States, China, Russia Belarus, Brazil Britain, Estonia, France, Germany, India, Israel, Italy, Qatar, South Korea and South Africa have all expressed a willingness to engage in constructive discussions about reducing the threat of cyber attacks on each others’ computer networks and systems.

Unlike previous efforts that concentrated on efforts to address the dramatic growth of cyber crime, this effort will address cyber attacks and intrusions on these countries critical infrastructure and sensitive computer systems and networks.

The Obama administration has reportedly stated that there’s been an increased understanding of the international need to address the cyber risks. These risks have been driven by the rapid advancement and proliferation of cyber weapons, as well as the number of cyber attacks and clandestine activities used in cyber intelligence.

How do we verify when it comes to cyber arms and attacks? The House Subcommittee on Technology and Innovation recently held a hearing to look into the issue of cyber attribution and the significant challenge these problems pose. During the hearing Committee Chairman David Wu said, “History shows that one of the best deterrents to an attack is the ability to identify your attacker.”

Anyone who has ever investigated a cyber attack knows what a huge challenge this is. International cooperation and joint investigations are two of the cornerstones in the foundation that needs to be built to manage the growing risks associated with cyber attacks and cyber intelligence collection.

Foreign Policy recently ran an article titled Fifth Domain. In that article they asked the following four questions.

1. Can traditional arms control or diplomacy be useful in this situation?
2. Would nations sign a global pact to foreswear cyber war?
3. Could it be enforced, and would it be effective against the legions of hackers and cyber warriors who exist outside of state control, or are loosely allied with state security agencies?
4. Is this threat too big for arms control as we’ve known it?

Here are my answers.

1. No! It can start a dialog, but the proliferation of cyber aggression capabilities is too far along!
2. They might, but, what value would it have without verification measures and what about the hordes of non-state actors?
3. No! How would you ever verify cyber arms control or address the problem of attribution of cyber acts of aggression?
4. A RESOUNDING YES! Ask yourself this, what is the difference between a security testing tool and a cyber weapon? The answer is the intent of the person using it. You can’t control intent.

These are great discussion points for the hundreds of thousands of participants in this blog. Tell us what you think.

  • Marvel

    I think the fact that anyone has yet to comment says a lot.

  • William C.

    Well it is a monday, a lot about what?

  • Marvel

    Good point. I just meant it is hard to come up with definite answers to those questions.

  • Kevin

    I never said this was going to be easy! The questions are as difficult as the challenge of securing cyber space.

  • mark

    cyber space is not a concern.
    if follows newtons laws:
    Its full off equal and opposite forces of cybergeekdom that thusly cancel each other out.
    The only ‘prime’concern is that any ‘weaponised’ cyber weapon can be dulicated en mass if proven to work, breaking all laws of supply and cost chains:
    ergo - a functional ‘cyber weapon’ if it can ever exist, will replicate massivly, hugely and globaly,

  • Philo

    Reminds me of what my Grandpa told me as a boy, “Trust everyone, but ALWAYS cut the deck…”

  • Philo

    1. Can traditional arms control or diplomacy be useful in this situation?

    ~Probably not any more than arms control works in actually controlling arms, or diplomacy works in actually solving international problems.

    2. Would nations sign a global pact to foreswear cyber war?

    ~ Probably, but what would it matter? Cyber conflict thrives through the use of unidentifiable proxies.

    3. Could it be enforced, and would it be effective against the legions of hackers and cyber warriors who exist outside of state control, or are loosely allied with state security agencies?

    ~To some extent, some aspects may be enforceable. Maybe. But again, the unique aspects of cyber conflict, allowing for an attack across the globe in little time, with little resources and with plausible deniability makes enforcement nearly impossible.

    4. Is this threat too big for arms control as we’ve known it?

    ~ LOL The control of conventional arms is to big for arms control, I can’t see how wishy-washy global treaties will fair any better. Especially in dealing with this subject.

    I think we would fair much better here by making cyber attacks so “expensive” that they cease to be used as commonly as they are.

  • Oblat

    “Trust But Verify” - what a pity that almost nothing Kevin says can be verified. In the few cases where it wasn’t anonymous sources and vague references it turned out to be a marketing beat-up.

  • Mark

    Not sure I agree with the Chinese thinker here. If China, or one of its allies, lost a ship to a torpedo attack off the US Coast, they would have a right to have naval exercises off the American coast. The American people would not like it, but would understand why they were having them.

    The US is having naval exercises due to the attack, and subsequent sinking, of an allies’ navy ship. Sailors died and the attack appears to be unprovoked. Attacks like that have caused wars in the past.

    Lets keep this naval exercise in perspective - were showing restraint when many others would not.

  • PTSFP

    Excellent questions. I truly think that things are to far along to reign in now. Also, some nations may not want to reign this in. A recent report from Medius research said that the PLA’s war doctrine is “seizing control of an adversary’s information flow as a prerequisite to air and naval superiority.”

    Also, the nightmares of trying offenses may be insurmountable. What is legal in one country is illegal in the next. Individual agencies have a hard time getting along with agencies from their own nation, let alone one from a foreign country.

    Then factor in foreign agencies being bribed to look the other way, agencies willingly looking the other way, and agencies being involved, you get a mess.

    Lastly, I heard a seminar where a UK agent was prosecuting a Russian hacker in a Russian court. The jurors didn’t understand the technology involved, so the UK agent gave a Powerpoint presentation to bring everyone up to speed. The effect? The court battled for a week to decide if Powerpoint presentations were legal in Russia.

    What a mess!

  • USMC Guest

    If I may invoke poetic license…
    Traditional arms control nor diplomacy would be useful in this situation. Nations could and would probably sign a global pact to fore swear cyber war yet there really is no way to enforce it and it would in no way be effective against the legions of hackers and “cyber warriors”(snicker) who anyone with a PC knows exist outside of State Control.

    No treaties, no promises, no good intentions will work. The answer is blended into the armies of all nations and particularly the USA. Tactics, training and resolve will usually ferret out the bad guys then… Special and Black Ops, Point of the Spear, call it what you like. My experience in the cities, villages and jungles of Viet Nam reinforced and dictated the rules in combat, mess with my family, mess with my country, mess with my men, and now mess with my cyber space and you willingly enter the battleground and ALL remedies exist for resolution, ready “cyber warriors.” Talk about expensive!