ISACA Journal
Volume 4, 2018

Features 

Cyberconflicts: Reflections and Implications for Today’s Enterprises 

Jeimy J. Cano M., Ph.D., CFE 

Cyberconflict, or the so-called cyberwar, is an issue that could be seen as falling into the category of being “a truth through plausible deniability.”1 That is, it is a reality that develops in the context of cyberspace, without any kind of rules or control, where nations, unknown destabilizing actors and other clandestine groups (generally state-sponsored) are capable of creating instabilities in the dynamics of nations, the operations of enterprises and the trust of citizens. Yet because cyberconflicts cannot be seen with any clarity or shown to be evident, they may be taken as paranoia on the part of people who see “conspiracies” everywhere.

The great triumph of cyberwar is its unobtrusiveness—the way in which it avoids any type of monitoring, evading the attention of the press or international analysts. While other kinds of news and scandal draw the attention of global media, events relating to cyberconflicts are camouflaged among generally everyday occurrences, thus remaining in the shadows of press headlines, creating a low-profile strategy that enables their operation without any significant issues and avoiding greater scrutiny.2

The reality of cyberconflicts straddles multiple points of view that attempt to explain the dynamics of this phenomenon. Although it could be explained through the technological context of cyberattacks as a visible expression of its action, it is necessary to review and explore more geopolitical and infopolitical variables.3 Infopolitical variables are the flow of strategic information from nations represented in intelligence information, intellectual property (IP) and strategic defense strategies, to create global values that promote positions of power and control based on the use of privileged information.

International uncertainties and global political instability establish new tensions that affect the dynamics of organizations due to the multinational forces in play in global geopolitics. While organizations have been strengthening themselves with security and control practices that create greater trust in their operations, there are new, uncertain actors, digital attack groups and mercenaries capable of creating operations and scenarios involving confusion, deceit and disinformation that affect the very essence of organizations’ promised value.4

In this context, to understand the dynamics of cyberwar, it is necessary to review some of the practices of regular war itself. This supports exploring new manifestations and knowledge that must be comprehended when the concept of confrontation arises in the cyber domain and which can then be translated into tactical and operational actions in cyberspace, that is, a place where technology, vulnerabilities and security failures in technological devices become tactical weapons that seek to compromise opponents’ defenses and achieve strategic superiority in a domain that traverses all the traditional theaters of war, as the cybertheater does.

This article presents a basic review of cyberconflict for the purposes of presenting the current dynamics of its actions, showing their effects and prompting an awakening in organizations so that they will understand that they are in a territory of “irregular and asymmetric war.”5 This war involves a variety of actors with differing interests who seek to carry out their acts in such a way as to manifest their capacity for destabilization, take advantage of limitations in information security management and, especially, compromise key information (the spoils of war) of organizations.

Visions of Cyberwar

A review of the literature on cyberwar or cyberconflict reveals at least three key positions that should be taken into account. Each of these is related to experience and research in the area, which is manifested in practice in governmental positions and the way in which academics observe and detail the aspects of this reality and its impacts.

The first position is that of Richard Clarke, an employee of the US government for more than 30 years in various positions of responsibility, who, in both his practice and multiple publications, clearly outlines the framework of cyberwar in terms of the dynamics of cyberattacks. Clarke establishes at least four types of cyberattacks: isolated, systematic, persistent and selective.6

Isolated cyberattacks refer to acts of provocation that lack any unique target and seek, in general, to create a distraction in order to implement other, more aggressive actions. Systematic attacks are characterized by a designed, focused escalation aimed at deteriorating and compromising specific objects belonging to the opponent. Persistent attacks are acts that continue unceasingly until they obtain the information from the target or lower its defenses. Selective attacks are operations whose purpose is to affect the integrity or image of a third party on the basis of deceit and dissuasion to create specific effects in a single sector.7

The second position is that taken by Thomas Rid, professor of strategic studies at the Johns Hopkins University School of Advanced International Studies (Baltimore, Maryland, USA), who insists that cyberwar cannot materialize as such, since the manifestations to date correspond to already known activities such as sabotage, espionage and subversion, or attempts to overthrow the established order. Added to this, Rid points out that if war is defined by the use of force, which involves violent, instrumental, political action, attacks in the cyber context do not fulfill these three criteria.8

The third position is based on the reflections offered by Julian Assange, founder of WikiLeaks, who, aside from any possible illegal acts he may have committed, clearly showed the tensions regarding control of information that exist in some governments, along with the decisions they have taken in order to coordinate action to establish political or strategic attitudes that situate them in privileged positions on the global political stage. With Assange’s revelations, it is clear that there are circles of international power that are using the cyber domain as a scenario of action to create diffused webs of information and influence away from the cameras filming official government meetings.9

These three tendencies reveal the social, economic and political tensions that arise when information flows are mobilized through the cyber domain—the scenario of interaction among different interest groups exchanging information, data, expectations, tastes and attitudes with the aim of sharing and discovering new frontiers in knowledge or simply documenting some particular issue.

The tensions present drive the actions of the various stakeholders. This leads to actions that can be targeted or random in this context, aimed at demonstrating their own capacity to mold values on the Internet and create scenarios of trust and credibility on the basis of uncertainty or falsity. It can also lead to war games that confirm the temporary supremacy of some of the actors to create a credible dissuasive halo around the participants in these games.

This relational dynamic establishes tactical and strategic exercises that materialize in the development of cyberweapons, which, using the weaknesses and risk inherent in infrastructures, establish new attack vectors whose motivations are far beyond the demonstration of technical capacity and that seek to weaken, compromise or dominate the opponent.

The New Cyber Arms Race

According to research, a conventional weapon is “a tool that is used, or designed to be used, for the purpose of threatening or causing physical, functional or mental damage to structures, systems or human beings.”10 Following this definition, a cyberweapon is defined as a:

Subset of arms in general: such as a computer code that is used, or is designed to be used, for the purposes of threatening or causing physical, functional or mental damage to structures, systems or human beings.11

Based on this definition, and considering the effects that these cyberweapons can have, it is possible to establish the following basic characteristics of this new type of weapon (figure 1):12

  • Propagation method—Defined strategy for delivery of malicious code to the target system
  • Payload—Malware, central executable code deploying functionality and materializing its adverse effects
  • Exploitation code—Software that takes advantage of vulnerabilities and defensive measures
  • Evasive capacities—Additional functionalities facilitating concealment of the payload, encryption of communications and data, and self-destruction when detected


Source: Adapted from Stevens, T.; “Cyberweapons: Power and the Governance of the Invisible,” International Politics, 1-21, 2017, Doi: 10.1057/s41311-017-0088-y. All rights reserved.

Some examples of the uses of these new computational weapons, in line with the features outlined in figure 1, are shown in figure 2. To increase the effectiveness and consolidate the dissuasive effect of this type of weapon, it is necessary to articulate a psychological strategy that consolidates a specific imaginary. Such a strategy may be based on two concepts:13

  1. The intent of the aggressor to threaten to cause damage or to cause damage to a target
  2. The weapon being used as a threat or, if its use is announced or anticipated, the perception of the target of the weapon’s potential to cause damage


Source: Adapted from Dreyer, P.; T. Jones; K. Klima; J. Oberholtzer; A. Strong; J. W. Welburn; Z. Winkelman; “Estimating the Global Cost of Cyber Risk. Methodology and Examples,” Rand Corporation, 2018, p. 14-15, https://www.rand.org/pubs/research_reports/RR2299.html

The effectiveness of the cyberweapon lies not only in its technical capacity to really cause the damage claimed, but in the prior details that can be generated around it to create a credible perception of threat that will make the opponent think twice before using any offensive actions against its adversary.

This arms race requires the various actors involved to capitalize on the capacities of the available malicious codes to design or create intelligent agents capable of stealthy deployment, penetrating isolated systems and taking actions autonomously to create destabilizations in the target facilities. The malicious code passes unnoticed, creating confusion and damage to the physical infrastructure without detection, or self-destructs upon detection.

It would seem there are glimpses of a new Cold War, in which global powers struggle for global supremacy, creating contexts with an air of superiority to establish contrasts in their visions based on technical attack mechanisms or the use of social networks and information flows to confirm and indoctrinate specific groups to act in favor of the causes of one or other of the sides or countries.

In this practice, the software becomes a military discipline aimed at creating made-to-measure developments that broaden the spectrum of damage, control or destruction that a piece of code can have in a particular context. With the advent of the Internet of Things (IoT) and the use of artificial intelligence (AI), the creation of specialized, militarily motivated codes establishes the new front in the war, which now not only takes place in the kinetic scenario known hitherto, but combines the forces of the military and the computational to make the difference in cyberspace, the theater of conflict.

If this is true, it gives notice of an advanced global digital intelligence network, one without any particular agenda, but that seeks new niches of conflict, or creates them, to create a fertile terrain of motivations and declarations of aggression designed to advance the criminal Internet industry, notwithstanding any actions carried out “without weapons or cyberweapons” created to extract information from specific targets, such as targeted phishing campaigns, which are natural points of reference for threats against the information security of organizations or governments.14

Given this, cyberattacks, as part of the logistics used by cyberweapons, establish the endpoint of effective action in cyberconflicts inasmuch as they are the evidence that reveals the use of offensive strategies articulated with malicious code to cause confusion or damage to the third party they are targeting. Recognizing some of the features of cyberattacks facilitates a greater understanding of their strategies and nuances in order to communicate, act and, as far as possible, anticipate their movements or prior actions.

Cyberattacks and Their Characteristics

Following the reflections of researchers,15 it is possible to characterize cyberattacks by their nuances, that is, a range of values that a property (or set of properties) can have in the event of an attack. This comprises the inputs, outputs, restrictions, suppositions or environments in which an attack takes place. Some of the nuances that may be of interest to analysts are:

  • Measurement—Does the organization have the capacity to measure the impact, the vector, the motivations and the attribution of an attack (i.e., identification of persons, physical elements, hardware, software, financial matters, reputation)?
  • Influence—What influence, either direct or indirect, do the phases of the attack have on the system?
  • Duration—How long does it take to execute the attack, from both the perspective of the aggressor and that of the defender?
  • Transparency—How visible are the attack phases, to both the attackers and the defenders?
  • Repeatability—How repeatable is the attack and is it possible to measure its performance and effectiveness in a controlled environment in order to learn from it?

Studying each of these nuances involves entering into the details of what has occurred and going over the particular strategies that organizations or governments have used to confront these new digital aggressions to develop the key capacities that will enable them to defend and anticipate the attackers’ moves. This can also assist in correctly articulating and ensuring the set of technical and administrative practices that must exist in the development of protections for valuable organization or government information.

Cyberattacks operate in accordance with the motivations arising from the realities of cyberwar. These motivations may be known or unknown, but their effects have repercussions beyond physical, economic, social and technological implications. Some cyberattacks are vehicles for the social expression of the power of a community seeking to send messages to society in order to call attention to its demands and capacities for the purpose of achieving a privileged strategic position in a particular environment.

In this context, the study and analysis of cyberattacks comprise not only uncovering and analyzing the technical details of their deployment, but also a greater challenge: analysis of the motivations that hide behind them. This is where the essence of the interests at play is to be found, along with the geopolitical and infopolitical movements involved in such acts and the consequences these have for both governments and organizations.

When a cyberattack occurs and there is an information leak or data are extracted, it is not an everyday theft of information but, rather, the beginning of a campaign of confrontation of interests, which, using what has been extracted, configures a real view of the objectives to be reached through a cyberoperation. A cyberattack is an exercise in the construction of instabilities that reveals how much governments and organizations prepare to survive a collapse of their operations, with all the implications that this might have for each of their interest groups.

Responses From Nations and Organizations to Cyberconflicts

When it is recognized that cyberconflicts are not realities independent of the dynamics of the business and that cyberattacks are ongoing activities in cyberspace, fundamental to the tensions between nations jockeying for positions of dominance, power and control, it is possible to understand that cybersecurity is not an issue of technological controls and actions, but, rather, a business reality requiring deep reflection on how an organization affects its environment and the implications the environment has for the organization.

In view of this, nations have been developing cybersecurity strategies for the purpose of including in the agendas of governments and organizations new responsibilities involving activities that go beyond information security controls. These new responsibilities include developing new capacities based on data analysis, intelligence and cognitive elements that enable them to defend against and anticipate emerging risk and threats that might compromise either the stability or the governability of a nation or the value proposition of an organization.

Recent research in this area16 reviewed the experiences and recommendations of the International Telecommunication Union (ITU), the North Atlantic Treaty Organization (NATO) and the Organisation for Economic Co-operation and Development (OECD), as well as certain advances made in the United States. That research established that national cybersecurity strategies should contain, at a minimum, the following eight keys to take into account the complexity of the new country-level operational environment and the implications for organizations:

  1. Cybersecurity culture—How citizens and society as a whole address the challenges posed by cybersecurity
  2. Stakeholders—Identification of all those who should participate in the joint construction of a national strategy, taking care to establish an appropriate definition of roles and responsibilities
  3. Construction of capacities—A set of measures necessary to deal with emerging risk inherent in the social and business dynamics in the digital context
  4. International context—The international nature of cyberthreats implies relationships and joint action by the governments of other countries.
  5. Cybersecurity working framework—Establishment of available practices and standards aligned with the various stakeholders in harmony with the inherent challenges of other international jurisdictions. Among the known international frameworks are the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity, and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27032 Information technology—Security techniques—Guidelines for cybersecurity.
  6. Legal aspects—The need for countries to participate in the creation of regulations to deal with global cybercrime and develop capacities in both the private sector and the legislative and judicial branches of sovereign states
  7. Organizational architecture—Establishment, by nations, of mechanisms and roles for coordination of the national cybersecurity strategy to ensure correct implementation and follow-up among the various sectors and their administrators
  8. Defense—The participation of the armed forces and their level of preparedness to intervene in the context of the dynamics of the cyberwar as a guarantor of sovereignty and protector of the nation in cyberspace

Conclusion

While it may be clear that cyberattacks are unavoidable, both governments and organizations must undertake the task of joint construction to develop capacities that will enable them to reinforce their digital resilience in the face of these computationally aggressive phenomena.

As each of the actors becomes able to identify the different elements of its digital and technological ecosystem, comprehend how the ecosystem impacts or is impacted, and understand its position in the international digital chess game implicit in being connected in cyberspace, it is possible to develop a network of knowledge, simulations and practices that increases the chances of surviving in today’s rough, competitive environment.

Organizations need to move reviews forward in tandem with governments to establish protocols for action in the face of these new digital threats, since any active defense strategies that could be developed can be mediated by activities and operation of cybernetic commands aimed at protecting nations, with an emphasis on critical infrastructure.

In this context, organizations in a variety of sectors should take joint action to share information, create incident management centers and foster joint response exercises to attend to the reality of unexpected digital aggressions, whose motivations may lie beyond the understanding of organizations, and to establish communication channels to ramp up actions when necessary for these government bodies.

Despite the fact that there is no global agreement regarding its existence or real operating conditions, cyberwar, or cyberconflict, is a subject that ought to be on the agendas of politicians, business leaders and citizens. In this way, a basis for reflection can be created, applied from the various scenarios of company and national reality with the aim of making cyberspace a place to enjoy different disruptive business opportunities and proposals, rather than a scenario of confrontation where the civil population and organizations find themselves at a crossroads of irregular operations as hidden interests compete for new control of the, as yet, unexplored territory that is the Internet.

Endnotes

1 Carlisle, R.; The Complete Idiot’s Guide to Spies and Espionage, Alpha, USA, 2003
2 Kello, L.; The Virtual Weapon and International Order, Yale University Press, USA, 2017
3 Cano, J.; “El riesgo geopolítico en clave de la seguridad y la ciberseguridad de las empresas modernas”, LinkedIn, 2017, https://www.linkedin.com/pulse/el-riesgo-geopol%C3%ADtico-en-clave-de-la-seguridad-ylas-cano-ph-d-cfe/
4 Choucri, N.; Cyberpolitics in International Relations, MIT Press, USA, 2012
5 Ballow, A.; “Why Irregulars Win: Asymmetry of Motivations and the Outcomes of Irregular Warfare,” Calhoun Institutional Archive of the Naval Postgraduate School, 2016, https://calhoun.nps.edu/bitstream/handle/10945/51628/16Dec_Ballow_Andrew.pdf
6 Domínguez, J.; “La ciberguerra como realidad posible contemplada desde la prospectiva”, Revista de Pensamiento Estratégico y Seguridad CISDE, vol. 1, iss. 1, 2016, p. 18-32
7 Clarke, R.; R. Knake; Cyberwar: The Next Threat to National Security and What To Do About It, Harper Collins, USA, 2010
8 Rid, T.; “Cyber War Will Not Take Place,” Journal of Strategic Studies, vol. 35, iss. 1, 2012, p. 5-32
9 Op cit Domínguez
10 Rid, T.; P. McBurney; “Cyber-weapons,” RUSI Journal, vol. 157, iss. 1, 2012, p. 6-13
11 Ibid.
12 Stevens, T.; “Cyberweapons: Power and the Governance of the Invisible,” International Politics, 1-21, 2017, Doi: 10.1057/s41311-017-0088-y
13 Op cit Rid and McBurney
14 Ibid.
15 Happa, J.; M. Goldsmith; “On Properties of Cyberattacks and Their Nuances,” PSU Research Review, vol. 1, iss. 2, 2017, p. 76-90
16 Sabillón, R.; V. Cavaller; J. Cano; “National Cyber Security Strategies: Global Trends in Cyberspace,” International Journal of Computer Science and Software Engineering (IJCSSE), vol. 5, iss. 5, 2016, http://ijcsse.org/published/volume5/issue5/p1-V5I5.pdf

Jeimy J. Cano M., Ph.D., CFE
Is associate professor at the School of Administration of the Universidad del Rosario (Bogotá, Colombia). He has more than 20 years’ executive and professional experience in information security, cybersecurity, forensic computing and cybercrime. In 2016, he was recognized as Cybersecurity Educator of the Year for Latin America by the Cybersecurity Excellence Awards and has published or presented more than 150 papers on his areas of interest in a variety of journals and at specialist events on an international level.

 


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.