How do you deter cyber-attacks in an increasingly complex world?
9 May 2018
Dr Joe Burton has been in Estonia at the NATO Cooperative Cyber Defence Centre of Excellence, where he has been addressing that question. Funded by NATO nations, the Tallinn-based international military organisation focuses on cyber technology, law, strategy, and training and education, hence the invitation to Dr Burton from Waikato’s New Zealand Institute for Security and Crime Science to spend several months there at the end of 2017.
Estonia became a European version of Silicon Valley after being the victim of a series of debilitating cyber-attacks in 2007. The attacks swamped the website of the country’s parliament, banks, ministries, newspapers and broadcasters. In response, NATO assessed cyber security and infrastructure defences. That assessment gave rise to a new cyber policy and the creation of the NATO Centre of Excellence for Cyber Defence in 2008.
The Cambridge Analytica scandal and its role in the Trump administration and Brexit has dominated international headlines. Dr Burton says it shows how cyber security has become militarized, and data and social media weaponized. That is also part of his basic problem with current cyber deterrence trends. “Our response to deterring cyber-attacks is often caught up in a military mindset. You can’t just deter a cyber-attack by threatening to launch a missile at someone. You need to deter through international and domestic laws, norms and cyber resilience, which means having the ability to get computer systems and the societal services they provide back up and running in the event of an attack. You need to think about the civil and criminal responses rather than being caught up in a military way of thinking.”
While his focus is on action with norms, laws and resilience, Dr Burton says in order to respond to severe strategic cyber-attacks countries may have to use offensive cyber capabilities, but only under exceptional circumstances. Those would include attacks against critical infrastructure such as shutting down the US power grid, targeting of nuclear facilities, or causing the loss of life.
However, most cyber-attacks are occurring below that threshold. One of the biggest problems is deterring cybercrime, which according to some statistics could be an $6 trillion black-market by 2025.
The ‘hack-back’ or cyber retaliation is something Dr Burton is warning against. He says it can lead to escalations in cyber conflict, drag in other parties, and create collateral damage. “You have to move away from thinking you can have a militaristic response, or retaliate against a cyber-attack with another cyber-attack. That just opens a Pandora’s Box, and perpetuates the cycle of disruptive and damaging activity that no-one wants to see.”
Dr Burton says evidence suggests while there is already a degree of deterrence operating internationally, Russia is the most unrestrained power, including interference in the US election. There are also far more than state actors in play. “Look at Cambridge Analytica, and Mark Zuckerberg being called to testify in the US. It was the Facebook platform that was manipulated to spread Russian propaganda, so how are you going to deter that kind of activity? How are you going to deter countries from weaponizing information on Facebook? You’re not going to do that by having a military approach, you're going to do that by having Zuckerberg sitting in front of Congress and putting pressure on him to regulate the activity so that the Russian state can’t buy US election advertising.”
Dr Burton says his time at the NATO CCDCOE was very rewarding. “I saw a little bit of my role in doing this research as challenging some of the assumptions people have about cyber security. Militaries can be very closed bubbles, so that’s why I think having a centre for research excellence is a good thing, so they have academics come in to offer different perspectives on security.”
It was also a great opportunity for him to have some influence on policy and thinking in NATO as an organisation, especially as the report will be distributed to staff at NATO’s Brussels HQ. “It’s good for Waikato, and developing New Zealand’s links with a significant international organisation. It may also lead to further opportunities including for some of our students, and other academics to go over and work with them.”
To read more, go to Dr Burton’s paper Cyber Deterrence: A Comprehensive Approach?
Dr Burton’s new book, ‘NATO’s Durability in a Post Cold War World’ was published in March 2018 with SUNY Press, New York.