Cyberwarfare seen evolving ahead of rules of engagement

Strict definitions of warfare are elusive when actors include nation-states, criminals and rogue actors

As the rhetoric heats up over cyberwar -- including warnings that attacks on the U.S. are imminent and alarms that the U.S. has escalated the risk via malware attacks on Iran's nuclear program -- the rules of engagement are missing in action.

The current framework of international law and treaties doesn't adequately address cyberconflict, Jody Westby, CEO of Global Cyber Risk, said Monday at the Techonomy 12 conference.

Westby said that customary international law should be extended into the cyber domain and define a certain amount of a nation's critical infrastructure that should be "declared sacred and off limits for attack." She also argued that there should be an agreement outlawing "irregular forces," which in this context would include botnets.

But other members of a panel at the conference, being held in Tucson, Arizona, argued that the virtual and covert nature of cyberattacks make it difficult to trace them and hold actors responsible.

"Defining what's legitimate and what's not legitimate is easier said than done," said RSA executive chairman Art Coviello. And defining actions as war is problematic, especially given that nations have spied on each other "forever."

"When does spying end and economic warfare begin? And when does spying end and actual warfare begin?" Coviello asked.

And the players differ as well, Coviello added. "We're used to having wars between and among nation-states. Where does criminal behavior end and warlike behavior begin?"

Cybercriminals have a big-data problem, Coviello said: They possess more credentials than they can monetize. And they can make more money selling credentials from an executive at a defense contractor than they would by attacking that individual's bank account.

Among nation-states there is an emerging de facto understanding of the tit-for-tat rules of warfare: "You take out my power grid, and I take out your dam." But when malicious actors are also criminals, "hacktivists" and terrorists, these groups won't abide by these rules, Coviello said.

Coviello's concern now is the evolution from intrusion to disruption, as with the recent distributed denial-of-service attacks on New York banks.

While the U.S. military has a cybercommand, it's currently constrained from protecting entities outside of the .mil domain, Westby said.

And in the midst of concern over cyberattacks taking the form of economic warfare, lack of cooperation between business and government is also a problem, said John Kao, chairman of the Institute for Large Scale Innovation.

"There's an issue of trust; if I'm a company and I get hacked or robbed, I may or may not be totally forthcoming about what happened. There's the question of how to create rules of engagement for collaboration that don't exist," Kao said. "There's been crescendoing attacks against U.S. financial institutions, and CyberCom monitors this, but the rules of engagement in terms of how it communicates with the commercial sector haven't been defined."

While the panelists decried fear-mongering by politicians and warnings of a "cyber Pearl Harbor," Coviello referred back to a famous quote by Nicholas Negroponte calling the Internet both overhyped and underestimated. Cyberwarfare may be overhyped relative to the risk posed by a bad actor with a nuclear or biological weapon, but he warned that we may underestimate the extent to which a cyberattack could disrupt confidence, and by extension the economy.

Join the CSO newsletter!

Error: Please check your email address.

Tags artsecurityCoviellogovernmentrsa

More about RSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Elizabeth Heichler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place