When someone is throwing nukes at you, you can probably tell where they’re coming from. There’s only a few nuclear nations and, over the decades of the Cold War, they have developed complex strategic intelligence and early warning networks.
But what about a cyber war? Particularly the kind of intense multi-vector cyber attack targeting critical infrastructure that’s been dubbed as cyber blitzkrieg?
Cyber attribution is hard. It’s not impossible, but it takes time. Time that doesn’t exist when your infrastructure is collapsing and you’re thinking about resorting to what is euphemistically called a “kinetic response”.
Retaliation against the wrong target could well result in disaster.
One possible solution, at least in part, could be installing direct “cyber hotlines” between national leaders.
The Moscow–Washington hotline of Cold War fame is the archetype.
During the high-stakes nuclear Cuban Missile Crisis of 1962, official diplomatic messages took up to six hours to deliver. Presidents John F Kennedy and Nikita Khrushchev had to resort to unofficial channels, including relaying messages via TV news correspondents.
The Moscow–Washington hotline was installed the following year.
This hotline was never the iconic red telephone of TV and movies. At first it was a teletype, then a fax machine, and now email. Initially, its terrestrial phone lines were backed up by a radio link via Tangier in northwestern Morocco. Today, a set of satellite links are backed up by optical fibre.
At least eight other pairs of nations have developed their own hotlines.
Cyber versions of these hotlines are a key recommendation of the Cyberspace Solarium Commission (CSC), a US government initiative to “develop a consensus on a strategic approach” to defending the nation against “cyber attacks of significant consequences”.
“The US government should develop a multi-tiered signaling [sic] strategy aimed at altering adversaries’ decision calculus and addressing risks of escalation. This signaling strategy should also effectively communicate to allies and partners US goals and intent,” says the CSC’s final report [PDF].
“The strategic level of signaling should involve overt, public diplomatic signaling through traditional mechanisms that have already been established for other domains, as well as private diplomatic communications through mechanisms such as hotlines and other nonpublic channels (including third party channels in instances in which the United States may lack robust diplomatic relationships).”
At the operational level, this should include “clandestine, protected, and covert signaling (including through non-cyber means) that is deliberately coupled with cyber operations,” the CSC wrote.
“An example of this type of signaling is tailored messaging preceding or running concurrently with defend forward cyber operations.”
The CSC also recommends developing a framework to guide “when and under what conditions the US government will voluntarily self-attribute cyber operations and campaigns for the purposes of signaling capability and intent to various audiences”.
Diplomatic tools like hotlines are examples of what diplomats call “confidence building measures”.
Confidence building is one of four pillars of cyber diplomacy
Your writer has previously reported on Australia’s part in developing the so-called 11 international norms for nation-state behaviour in cyberspace and last year’s restart of the UN’s stalled process for negotiating such rules.
Last month, the Department of Foreign Affairs and Trade (DFAT) reported that it was progressing work on the norms.
Norms of behaviour are only a quarter of the cyber diplomacy story, however.
“You have binding international law, you have voluntary non-binding norms, which complement and together set clear expectations of behaviour,” said Johanna Weaver, Australia’s cyber negotiator at the UN.
“You have capacity building, which is a really important part of it … to make sure that all countries have the ability to implement the recommendations and agreements,” she told ZDNet.
“Then you’ve got confidence building measures, which are designed to increase trust and transparency.”
While the building of hotlines has not yet become a priority at the UN, there has been modest progress at the regional level in the Association of South East Asian Nations (ASEAN).
Australia and Malaysia’s proposal for a regional cyber points of contact directory received in-principle endorsement at the ASEAN Regional Forum (ARF) Intersessional Meeting on Security of and in the use of ICTs in Singapore back in March 2019.
“The directory will provide a means of direct communication to prevent miscalculation and escalation, as well as manage potential responses in the event of cybersecurity incidents with the potential to impact regional security,” DFAT wrote.
A cyber equivalent to the International Atomic Energy Agency?
The UN’s Open-Ended Working Group (OEWG), one of the two UN bodies negotiating the rules for cyberspace, has stressed the importance of accurate attribution of cyber attacks.
“It was suggested that developing a common approach to attribution at the technical level could lead to greater accountability, transparency, and could help support legal recourse for those harmed by malicious acts,” OEWG wrote in the initial pre-draft [PDF] of its report.
Australia has noted that attribution comes in two flavours.
One is factual attribution, “the factual circumstances, including the technical indicators that allow you to make an assessment as to a technical assessment of attribution,” Weaver said during a briefing in April.
“Then there is a legal attribution assessment, which is taking into account the considerations of state responsibility. Can you take those technical or factual circumstances and say this is therefore attributable to a particular government?”
Separate from that is any political decision to act publicly or privately on both of those attribution assessments, she said.
To this end, the Geneva-based ICT4Peace Foundation has proposed what they’ve dubbed to be a Global Cyber Attribution Network.
“ICT4Peace proposes the setting up of an independent network of organisations engaging in attribution peer-review,” the organisation wrote in its policy brief Trust and Attribution in Cyberspace [PDF].
Currently, most attribution is done by private cyber threat intelligence organisations and national security agencies.
“For international legal provisions to be effective, and accountability for malicious cyber activities to take hold, high levels of confidence and publicly persuasive attribution of responsibility are required,” ICT4Peace wrote.
This new independent attribution agency should include “government representatives, private sector pundits as well as proponents from civil society and academia”.
Microsoft has also suggested, in 2017, an attribution organisation to strengthen trust online as part of its Digital Geneva Convention proposal.
Such an agency has been compared with the long-established International Atomic Energy Agency, but the cyber world is vastly different.
“Nuclear technology is industrial by design. It is difficult, if not impossible, to develop nuclear capabilities in hiding. Also, military use of nuclear technology is very different from civilian use,” ICT4Peace wrote.
“Cyber capabilities on the other hand are software based. In contrast to nuclear technology, cyber tools do not emit suspicious radiation and do not require factories for their development. A handful of dedicated individuals gathered in a room can launch a cyberattack of sizeable magnitude.”
While an independent agency wouldn’t be able to provide real-time attribution during a cyber attack, its existence and its ability to subsequently validate or refute a nation’s claims could provide a break on cyber escalation.
ZDNet understands that the idea of an IAEA-style cyber inspection agency is raised at the UN from time to time, including in the OEWG intersessional multi-stakeholder consultations, but for various reasons, it has yet to gain traction.