The Vulnerabilities of Developed States to Economic Cyber Warfare
Total Page:16
File Type:pdf, Size:1020Kb
Working Paper The Vulnerabilities of Developed States to Economic Cyber Warfare Paul Cornish Head, International Security Programme and Carrington Professor of International Security, Chatham House June 2011 The views expressed in this document are the sole responsibility of the author(s) and do not necessarily reflect the view of Chatham House, its staff, associates or Council. Chatham House is independent and owes no allegiance to any government or to any political body. It does not take institutional positions on policy issues. This document is issued on the understanding that if any extract is used, the author and Chatham House should be credited, preferably with the date of the publication. Working Paper: The Vulnerabilities of Developed States to Economic Cyber Warfare INTRODUCTION The central features of the ‘cybered’ world of the early 21st century are the interconnectedness of global communications, information and economic infrastructures and the dependence upon those infrastructures in order to govern, to do business or simply to live. There are a number of observations to be made of this world. First, it is still evolving. Economically developed societies are becoming ever more closely connected within themselves and with other, technologically advanced societies, and all are becoming increasingly dependent upon the rapid and reliable transmission of ideas, information and data. Second, where interconnectedness and dependency are not managed and mitigated by some form of security procedure, reversionary mode or redundancy system, then the result can only be a complex and vitally important communications system which is nevertheless vulnerable to information theft, financial electronic crime, malicious attack or infrastructure breakdown. Third, while ‘developed states’ and their occupants are generally assumed to be the target of so much of this nefarious activity, it does not necessarily follow that a political structure invented in 1648 – the sovereign state – will be the most appropriate means to deal with cyber- vulnerability. Yet it is not clear what alternatives to the sovereign state – if any – might be available. The more fundamental observation is that developed societies seem unwilling or unable to take counsel of their fears about cyber space. Perhaps because the world is so interconnected, and perhaps because societies depend so much on the complex of infrastructures for what is needed and desired, there is a reluctance to accept, and in some quarters an inability to understand that these highly developed societies have made themselves vulnerable to miscreants, criminals and aggressors. Technological strength and superiority has, unfairly though it might seem to its originators and beneficiaries, prompted what military analysts would describe as ‘asymmetric’ vulnerability, where a fleet-footed and sharp-witted adversary can manoeuvre so fast and so decisively that the strongest and most elaborate defences are turned into a cumbersome liability and a disadvantage. Since too little is known about who might wish to use cyber space against developed societies, and to what end, it is at least notionally possible that developed societies might be comprehensively, structurally vulnerable to a well organised and capable cyber aggressor of some sort, able to turn a society’s dependencies into vulnerabilities and strengths into weaknesses. If developed states could be vulnerable in this way, then this should be considered a strategic challenge of www.chathamhouse.org.uk 2 Working Paper: The Vulnerabilities of Developed States to Economic Cyber Warfare the highest order. The easiest, perhaps child-like response to such a possibility is to refuse to contemplate it at all and instead to believe fervently in a more positive and wholesome outcome. There can also be a more mature, if rather fatalist response which leads to a broadly similar position – that of the ostrich with its head buried firmly in the sand. During the Cold War, at the height of the doctrine of east-west mutual assured destruction (MAD), there appeared to be little preparation (at least in public) given to running the country after a massive nuclear onslaught. After all, why be concerned with such things when those who survive would be doomed to spend their remaining days in scenes similar to Cormac McCarthy’s The Road? Perhaps, therefore, the complete dependence on the cybered world is generating a complacency and fatalism similar to that caused by the complete vulnerability to MAD. This discussion paper is concerned with states and societies (rather than businesses or individuals) and their vulnerability, through interconnectedness and dependence, to aggressive economic action either from, or facilitated by cyber space. This paper is not, therefore, an analysis of the extent and gravity of financial cyber-crime; that subject has been discussed fully elsewhere.1 Neither does the paper examine child exploitation and other forms of computer-based crime, important though these are. Instead, I ask whether economic cyber warfare should indeed be considered a strategic problem. In the words of the 2010 UK National Security Strategy, national strategy must be ‘a combination of ends (what we are seeking to achieve), ways (the ways by which we seek to achieve those ends) and means (the resources we can devote to achieving the ends).’2 Reversing the trajectory, I ask whether the economy might be the way, and cyberspace the means with which to attack the organisation and coherence of a modern developed state; not for financial or criminal gain, and not in order to achieve a terrorist ‘spectacular’, but for maximal political or strategic ends? I take a stepwise approach to answering this question, beginning with a discussion of economic warfare and then of cyber warfare, before discussing the possibility of the composite idea of economic cyber warfare. What might be the incentives and disincentives to partake in economic cyber warfare, how seriously should it be taken and is the modern state the best organisation to deal with this security challenge? 1 See most recently UK Cabinet Office and Detica, The Cost of Cyber Crime: A Detica Report in Partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office (Guildford, Surrey: Detica Limited, 2011). 2 HM Government, A Strong Britain in an Age of Uncertainty: The National Security Strategy (London: TSO, Cm 7953, October 2010), p.10. www.chathamhouse.org.uk 3 Working Paper: The Vulnerabilities of Developed States to Economic Cyber Warfare ECONOMIC WARFARE Economic warfare has long been associated with military tactics and operations; a relatively low level of activity albeit with a very high potential for damage and destruction. Throughout history, the most able and successful military commanders have sought to identify their opponent’s critical strength or weakness (the ‘centre of gravity’, in Clausewitzian terms) and then to attack it in order to bring the conflict to a quick and decisive end. To the extent that the opponent might be dependent on aspects of a functioning economy for access to food, water, transport, ammunition and military equipment, then it can make sense militarily (if not in humanitarian terms) to attack and destroy the economic infrastructure which produces these commodities or provides these services. There have been many examples of this so-called ‘scorched earth’ policy in time of war. The Scythians famously destroyed food supplies and poisoned wells in order to defeat the invasion by Darius I of Persia in 512 BCE. In 1868 General William Sherman, the Union general observed that ‘Amerindian troubles’ would cease only with ‘the ringleaders … hung [sic], their ponies killed, and such destruction on their property as will make them very poor.’3 The Russians used scorched earth tactics against the invading armies of both Napoleon and Hitler, and there have been many other variations on the theme including the forcible resettlement of local populations and large scale defoliation using chemical agents. By the late twentieth century the deliberate infliction of damage on civilians and non-combatants had become so extensive that it was banned under international humanitarian law: It is prohibited to attack, destroy, remove or render useless objects indispensable to the survival of the civilian population, such as foodstuffs, agricultural areas for the production of foodstuffs, crops, livestock, drinking water installations and supplies and irrigation works, for the specific purpose of denying them for their sustenance value to the civilian population or to the adverse Party, whatever the motive, whether in order to starve out the civilians, to cause them to move away, or for any other motive.4 3 Douglas Porch, ‘Imperial Wars: from the Seven Years War to the First World War’, in Charles Townshend (ed.), The Oxford Illustrated History of Modern War (Oxford University Press, 1997), p.95, 4 Additional Protocol 1 (1977) to the Geneva Conventions 1949, Article 54.2. Adam Roberts and Richard Guelff, Documents on the Laws of War (Oxford University Press, Third Edition, 2000), p.450. www.chathamhouse.org.uk 4 Working Paper: The Vulnerabilities of Developed States to Economic Cyber Warfare For all the death and destruction they cause, these activities could nevertheless all be described as tactical or operational variants of economic warfare, ancillary to the main military effort. There is also the national strategic level to consider, where the goal is to use all available levers of national power in order to achieve the desired effect before, or even as an alternative to the threat or use of armed force.5 Strategic economic warfare is intended to limit an adversary’s capacity to make war in the first place, by destroying the economy that would sustain such an effort. Naval blockades, economic sanctions, commerce raiding and the use of strategic air power against cities and industrial centres would all come under the rubric of strategic economic warfare. More recently, Saddam Hussein’s decision to destroy oil fields as he withdrew from Kuwait in 1991 seemed intended to limit both the case for military action against Iraq and the capacity to do so.