LONDON (Reuters) - Cyber warfare techniques might be leaping forward and nations ramping up spending on digital defenses and new electronic weapons, but the policy frameworks and philosophy for their use lag well behind.
The Stuxnet computer worm — widely believed to be an attack on Iran’s nuclear program through reprogramming industrial control systems to create damage — is seen as the latest sign of the increasing militarization of cyberspace.
The United States and Britain have openly increased focus in the area. Emerging nations such as China and Russia are believed to see it as an arena in which they can challenge conventional U.S. military dominance.
Nonstate actors such as militant groups are also seen keen to take advantage.
But the rules and conventions which govern how cyber weapons might be used, who they should be used by and how that might be authorized are still far from clear.
“In most areas, the relevant policies, roles and responsibilities have not kept pace with the technology — although this is changing,” said Prescott Winter, former chief information officer and chief technical officer at the U.S. National Security Agency (NSA) and now a senior official at computer security firm Arcsight Inc.
The United States has launched its own military cyber command in part to bring offensive capabilities under the preserve of the military rather than secretive intelligence agencies such as the NSA, which handles electronic surveillance. Senior officials in Britain, the US and elsewhere increasingly make speeches on the topic.
But the field still raises a host of moral, legal, ethical and practical questions so far largely unaddressed.
How could nations retaliate if it is not possible to trace the national origin of an attacker who is using only a laptop?
Who should pay to protect critical national systems such as power grids owned by the private sector?
Should nations acknowledge publicly they have an offensive cyber attack capability to deter aggressors, or keep it secret — particularly as they can never know for certain if it will work until they unleash it on a target?
“The pace of change can be so abrupt as to render the action/reaction cycle of traditional strategy out of date before it has begun,” wrote authors from British think tank Chatham House in a report this month, describing cyberspace as “currently beyond the reach of mature political discourse.”
Some compare the situation to that in the early years of nuclear weapons, when countries were still working out how they might use them and before the realization of mutually assured destruction between the Soviet Union and the United States bought some level of policy consensus.
“There was no real scope for ambiguity when it comes to nuclear weapons,” said Nigel Inkster, a former senior British Secret Intelligence Service (MI6) official now head of transnational threats and will political at London’s International Institute for Strategic Studies,
“With cyber, of course, there is. I don’t think anybody quite knows what the consequences of an extended exchange in the cyber domain would actually be. It’s an area where we probably don’t want to find out how bad it would be.”
Experts say major powers have long been developing systems to attack or hijack the software increasingly used to run essential industrial infrastructure, from traffic and supermarket supply control systems to nuclear power plants and telecommunications hubs.
Richard Clarke, former cyber security adviser to the White House under both Bill Clinton and George W. Bush, compares the situation to that before World War One where nations mechanized for war with railways, ironclads, gas, aircraft and airships.
“There may be parallels in the early years of the last century... a world similarly diverted from the realization its various militaries were preparing devastating forces without contemplating the horrific consequences of their use,” he wrote in his 2010 book “Cyber War.” “As in the period 100 years ago, these plans have received little public scrutiny.”
It is not quite a legal desert. Established sections of the law of armed conflict apply — so an unprovoked attack that killed civilians for example through triggering air or train crashes or turning off hospital systems would be illegal.
The key problem remains that of attribution. While some experts blame Russian authorities for 2007 cyber attacks on Estonia and 2008 attacks on Georgia, others point to “patriotic hackers” not directly linked to the government.
Similarly, while some blame Chinese state authorities for hacking into western firms to steal technology and corporate secrets, others suggest reality may be more complicated.
“NSA and (British equivalent) GCHQ by deploying their best resources might be able to make a case for the origin of a particular cyber attack in several months, but that would not be very useful,” said former MI6 official Inkster. “But what you can do is say “we think this came from you and if it didn’t, you need to investigate.””
The key question then would be whether to retaliate. Speaking to Reuters earlier this month, British Armed Forces Minister Nick Harvey said the UK needed an offensive cyber capability to act as a deterrent.
“I don’t think other countries who know anything about this are in any doubt that we have considerable capabilities in this field,” he said — a rare comment on the issue [ID:nLDE6A82ID].
Alastair Newton, a former policy lead on cyber warfare for Britain’s foreign office and now political analyst for Japanese bank Nomura, said genuine widespread international agreement on cyber weaponry would remain a distant dream.
“On a national level, there may well have been a lot of policy work done and there will have been discussion among allies — within NATO, for example,” he said “But in terms of an international legal framework along the lines of the... treaties for nuclear weapons, there’s really nothing at all. I wouldn’t expect to see one either (over the next 10 years). Passing international treaties is if anything getting more difficult, not easier.”
Editing by Ralph Boulton