Responding to cyberattacks as allies: implications for the ANZUS alliance
James Mulvenon
Since 1952, the ANZUS Treaty has been a foundation for the military and national security relationships between the US and Australia. While the alliance has no integrated defence structure or dedicated forces, the two countries have ‘fought side-by-side in every major conflict since the First World War’ and continue to maintain extensive ministerial consultations, joint exercises and intelligence sharing. For most of this history, the parties to the ANZUS Treaty were concerned solely with kinetic military conflict, but the rise of cyberconflict necessitates an expansion of the scope of the alliance.
Why do we need cybercooperation?
Strategic cooperation in cyberspace between like-minded state actors such as the US and Australia is now absolutely critical to the national security of both countries. The main drivers are twofold: our collective reliance on cyberspace for an increasing percentage of global trade and commerce, and the corresponding rise of serious threats to what is universally acknowledged to be flawed technical architecture. Even as the world becomes more dependent on cyberspace in every facet of life, the threat environment has become more dire, exacerbated by a desire to prioritise connectivity over security.
The spectrum of cyberthreats ranges widely from lower level threats like defacements to intermediate threats like botnets and malware, and beyond to a new threshold of cyberattacks established by the Stuxnet worm. Not only is the spectrum wide, but the potential actors and adversaries are proliferating at the speed of the network. States and non-state actors, including state-sponsored organisations or proxies, have varying levels of capability and intent, but still comprise a significant level of threat in cyberspace. Increasing dependence on cyberspace across all dimensions of national power (political, economic, military, diplomatic, social) only increases our vulnerability and the potential negative consequences of not adequately understanding the threats.
While Stuxnet is considered the new pinnacle of cyberthreats, cyberespionage, not cyberattack or cyberwar, is currently the most pressing risk for the US and its allies in cyberspace. Strategic espionage against political, military and intelligence targets can change the outcome of interstate conflicts and even alter the balance of power, while economic espionage can result in substantial economic losses and can endanger future
competitive advantage. Within the espionage realm, ‘advanced persistent threat’ poses the most significant, sustained challenge to actors in cyberspace.
Another important class of threats against states includes activities designed to deny access to cyber-resources, such as the distributed denial of service (DDoS) attacks against Estonia in 2007, which took down the websites of many Estonian organisations, including the parliament, banks and media
following increased tensions with Russia.
The Estonian disruption also included defacements and other lower level methods, although the DDoS attacks caused the most significant, sustained damage. While some Russian hackers have taken responsibility for the attacks, no official connection with the Russian Government has been uncovered.
The Estonian experience was repeated during the 2008 cyberdisruptions before and during the brief war between Georgia and Russia, including defacement and DDoS attacks against Georgian Government and media websites, again presumably by Russian-backed actors. Taken together, these various classes of cyberthreat present a significant threat to the viability of cyberspace as a usable domain for states, groups or individuals, necessitating a systematic examination of the dynamics of cyberconflict.
In short, the advanced persistent threat problem is global, so the solutions can’t be isolated within an individual country. Instead, countries with similar values and institutional structures must band together in a ‘coalition of the willing’ to develop common strategies, policies, laws, standards and technical approaches. Given the long history of the relationship between Canberra and Washington, it’s natural to see the ANZUS Treaty as the foundation of strategic cooperation between Australia and the US.
What cooperation strategies should we pursue?
Before discussing specific strategies, it’s important to note a number of structural conditions and constraints that shape the cooperation environment. First, the governments of both countries are keenly aware that key resources for the effort, including time, bureaucratic energy and even travel dollars, are finite and must be optimised for the greatest potential gain. Second, we must recognise that the major ‘problem’ countries operating in cyberspace—China, Russia and Iran—are also the most difficult to talk to, and the cyber issue is inextricably intertwined with a wide array of other points of strategic tension and conflict with the three countries.
Given these factors, we should first align and normalise cybercooperation among ourselves before pursuing the more difficult challenge of cyberdialogue with adversary states. To this end, we can build upon over a decade of successful bilateral and multilateral exchanges, led in the US by the State Department, to synchronise cyber-related laws and regulations and establish formal points of contact at the working levels. The intent of these exchanges has been to improve information sharing, joint investigations and our common defence.
Strategically, we seek to create a cyber cordon sanitaire among Western, developed nations, while more starkly delineating the boundaries of the cyberthreat ‘sanctuary’. Operating as a common bloc also unquestionably strengthens our bilateral and multilateral negotiations with adversary states, preventing them from playing us off against one another.
Why does this cooperation work? The answer lies in our similar political, legal and economic systems, as well as our long history of fighting together as an alliance.
Our political systems share the same core values, including representative democracy, freedom of the press and governmental transparency. Our legal systems enshrine protections of privacy and civil liberties. And our economic systems are anchored in the encouragement of genuine private enterprise
as opposed to the state capitalist systems of our main cyberadversaries. While the symmetries between Western systems aren’t always exact, the similarities far outnumber the differences.
While these commonalities facilitate cooperation in peacetime, cooperation under conditions of cyberconflict is very different.
We’re very early in the development of strategic and military understandings of the nature of cyberconflict. In many ways, it feels like 1946, when the US had detonated atomic weapons but there had been very little strategic thinking about their employment.
But what is cyberconflict? One definition describes it as: the conduct of large scale, politically motivated conflict based on the use of offensive and defensive capabilities to disrupt digital systems, networks, and infrastructures, including the use of cyber-based weapons or tools by non-
state/transnational actors in conjunction with other forces for political ends.
Cyberconflict includes activities conducted by both state and non-state actors against a variety of targets. It encompasses a number of activities that pose threats to individuals, organisations and nation-states, as well as traditional military and intelligence operations. An alternative definition
notes that cyberconflict is ‘broader than cyberwarfare, including all conflicts and coercion between nations and groups for strategic purposes utilising cyberspace where software, computers, and networks are both the means and the targets.’ At its most basic level, cyberconflict encompasses activities
conducted by many kinds of actors in order to achieve a strategic gain.
Given the huge stakes and potential damage to networked economies like those of the US and Australia, it’s natural to begin with an examination of the notion of cyberdeterrence.
While the US wisely retains the intention and capability to initiate cyberconflict at a time and place of its own choosing, it naturally seeks to deter other adversaries from the same goal, particularly given the asymmetric dependence of the US on cyberspace for economic, political and technological power. While it’s well known that US government, military, and corporate networks have been the target of sustained computer network exploitation activities over the past 10 years, the country hasn’t yet been the target of the type of large-scale computer network attack envisioned by Richard Clarke and others in their writings.
How can we explain this apparent gap? Why have adversaries not taken advantage of clear vulnerabilities to launch cyberattacks against the US? Is it because they haven’t developed sufficient capabilities to do so?
That’s hard to believe, given the sophistication of the intrusions and methods. Has there not yet been the right combination of strategic circumstance and perceived payoff, such as the China–Taiwan contingency involving US military intervention, to justify using known capabilities? Or, despite its strategic confusion, does the US currently benefit from a form of tacit cyberdeterrence from computer network attack, and if so, what is
the basis for this tacit deterrence?
When unpacking cyberdeterrence, the canon typologises deterrence into two categories: deterrence through denial and deterrence through punishment.
Cyberdeterrence through denial is also primarily based on computer network defence. One piece of good news is that the ‘attribution problem’, which occupies centre stage in the discussion of the dilemmas posed by cyberdeterrence by punishment, is not as significant an issue in cyberdeterrence by denial, because it isn’t critical to know who might attack, only whether you’re vulnerable to attack. Also, two primary methods for
protecting retaliatory forces are mobility and concealment. Cyberforces, by virtue of their form factor (a laptop is easier to conceal than a ballistic missile submarine), are already more mobile and more concealed than nuclear forces ever were. Finally, the inability to disarm an adversary’s cyberattack capability has three benefits: reduced incentives for pre-emption; more focused and proportional retaliation; and reduced demand for immediate retaliation (‘use it or lose it’). But the cyber offence–defence balance is a huge problem for cyberdeterrence by denial.
Fundamental security was not built into the architecture of cyberspace, and we have been gluing security onto the side of the network ever since. Without fundamental re-architecting of the network, which is unlikely in the short-term, is deterrence by denial even possible? In the short term, Rattray argues that these defensive dilemmas put a greater onus on risk management than impenetrable protection:
Diffuse vulnerabilities and limited resources also require defensive efforts
predicated on managing the risks of attacks rather than establishing
comprehensive defenses capable of assured protection.
But Owens et al. write that ‘the gap between the attacker’s capability to attack many vulnerable targets and the defender’s inability to defend all of them is growing rather than diminishing.’10 In addition, cyberoffensive
capabilities are dramatically cheaper than effective cyberdefensive capabilities. As is often pointed out, the cyberwarrior, armed perhaps with a minimal kit (computer, internet connection and publicly available tools) only needs to find one way in, but the cyberdefender, protecting perhaps a huge network of thousands of heterogeneous nodes with dozens of access points, needs to bar every possible avenue of approach.
Thus, cyberdeterrence by denial is also cost-prohibitive. For both of these reasons, it appears that cyberdeterrence by denial may be less credible than deterrence by punishment.
In the cyber-realm, deterrence by punishment theoretically offers better chances of success, especially against adversaries that have well-developed cyberinfrastructure. As Owens et al. argue:
Deterrence by punishment is more likely to be an effective strategy against nations that are highly dependent on information technology, because such nations have a much larger number of potential targets that can be attacked. Nevertheless, even nations with a less technologically sophisticated national infrastructure are probably vulnerable to cyberattack in selected niches.
Moreover, the will to retaliate is arguably less of a factor in cyberattack than in nuclear strategy, given its plausible deniability, potentially covert nature, and less physically destructive effects.
Yet cyberdeterrence through punishment is also highly problematic. The main challenges for cyberdeterrence through punishment are:
• the so-called ‘attribution problem’, which makes it difficult to identify the attacker in the first place
• a series of credibility problems, including automaticity of response, unavailability of retaliatory targets, demonstration of effect, uncertainty of cybereffects, repeatability of effect, survivability of retaliatory capability, thresholds, signalling, command and control, and extended deterrence.
None of these challenges can be solved through policy measures alone, such as stated declaratory policies. All of these challenges create strategic instability in cyberconflict and undermine the utility of deterrence through punishment.
This leads us to the stark conclusion that the current cyberspace domain is inherently unstable. The strategic cyber-environment is marked by an inability to establish credible deterrence and effectively prevent the emergence of adversaries and conflicts in cyberspace detrimental to US interests. The sources of this instability are manyfold. First, the technical architecture undergirding cyberspace is highly permissive of cyberintrusions and attacks, resulting in a system that’s extremely hard to defend and confers dominance on the offence. The defender can mitigate the asymmetry by reducing the degree of interconnectivity, or even disconnecting networks, but that’s very costly, given the growing reliance of the US and advanced nations on those networks for a wide range of economic activity and military operations. Second, the design of the architecture often provides the attacker with anonymity and plausible deniability, aided by the lack of effective
governance of the network focused on mitigating malicious activity. Third, the relatively low cost of technology and operations significantly lowers the barriers to entry for the attacker, enabling a wide range of actors to acquire capabilities.
Fourth, cyberoperations running at the rapid ‘speed of the network’ deny defenders and the political leadership sufficient time for assessment and decision-making. Automation may mitigate this problem, but the risks are
both high and unknown. Fifth, the pace of technological change and the breadth of network connectivity are outpacing both defensive approaches at the enterprise or engineering level and the policy and legal constructs promulgated to guide their operations. Moreover, these conditions are
only getting worse with the proliferation of social media and mobile communications, and the migration to cloud computing. An internet underground capable of exploiting these trends is alive and well, with pirates and mercenaries thriving in a swampy ecosystem that makes hiding and attacking too easy.
Last, while the issues are acknowledged, little progress is being made in improving security and resilience as a key aspect of internet governance.
Given this state of strategic instability in cyberspace, it’s more important than ever for allies such as the ANZUS Treaty countries to bolster their collective cyberdeterrent by coordinating information sharing and
technical cybercapabilities across all three realms of computer network operations (defence, exploitation and attack). This is a natural extension of the language in Article II of the treaty calling for all parties to ‘separately and jointly by means of continuous and effective self-help and mutual aid [to]
maintain and develop their individual and collective capacity to resist armed attack.’
A higher and more complicated goal would be to link the nations’ cyberdeterrence and declaratory policies such that cyberattacks would be covered under Article V’s language that ‘an armed attack on any of the Parties is deemed to include an armed attack’ on all. If deterrence fails, however, it’s equally important for the ANZUS Treaty partners to coordinate their kinetic and non-kinetic responses to a foreign cyberattack through
information sharing about defensive signatures and the synchronisation of exploit and attack operations.
Current and future cooperation challenges
One current arena for cooperation and conflict between states involves what might be called the ‘re-sovereigntisation’ of cyberspace.
During the early years of the internet, when cyberspace was not the technological foundation for global commerce, states had the luxury of permitting the architecture to grow organically and not being concerned
with its strategic value. Now that the situation has clearly changed, all states have come to an important realisation: every node of the network, every switch, router and computer, is either located within the sovereign boundaries of a nation-state and therefore governed by its laws, or travels on
submarine cables or satellite connections that are owned by companies incorporated in sovereign nations and therefore bound by their laws. In other words, there’s no ‘commons’ in cyberspace similar to air, sea and space, and there’s no part of the global architecture that is ‘sovereignty-less’. The implications of this realisation are profound, and explain why countries like China are keen on moving internet governance from non-governmental organisations like ICANN (the Internet Corporation for Assigned Names
and Numbers) and the Internet Governance Forum to state-based organisations like the United Nations International Telecommunications Union. The battlelines have been clearly drawn (compare the White
House’s recently published International Strategy for Cyberspace with China and Russia’s proposed International Code of Conduct in cyberspace), and Western nations need to develop policy responses that are properly aligned and mutually reinforcing.
Among the future cooperation challenges are the ‘long game’ issues in cyberspace, especially shaping the global information technology standards regimes. For many years, organisations such as the Internet Engineering Task Force and IEEE were dominated by knowledgeable technical personnel with little interference from governments, which had adopted a laissez faire approach to standards development.
China’s unwillingness to pay royalties for existing standards and protocols such as CDMA led Beijing to fund an aggressive, state-driven industrial policy to develop parallel, indigenous standards for nearly all of the existing protocols. While most of the Chinese standards have been rejected by the International Organization for Standardization and other governance
bodies as technically inferior to the existing standards, China, exploiting its status as ‘the world’s IT workshop’, has been able to force multinational companies assembling equipment in-country to integrate the rejected standards into their products, thus distorting the standards regime.
Western countries were late in recognising this strategy and its implications, and have been playing ‘catch-up’ ever since. Because the standards debates today will define the nature of the technical architecture and the corresponding cybersecurity challenges of 5, 10 and even 20 years from now, it’s important that the US and Australia develop a common approach on the standards issue and coordinate their efforts.