Public officials are becoming better informed about the threats posed by cyber-attacks and creating policies that better reflect the technological realities of online conflicts, a defense expert tells DW.
Officials around the world are looking at cybersecurity
The International Conference on Cyber Conflict kicked off in the Estonian capital, Tallinn, on Wednesday. The Baltic state sustained a cyber-attack in May 2007, which Estonian government officials pin on having come with at least implicit support from the Russian government - a charge Russian officials deny.
Kenneth Geers, an American computer security expert with the Naval Criminal Investigative Service, tells Deutsche Welle about current state of cyberconflicts. He has been the American representative to the NATO Cooperative Cyber Defence Centre of Excellence for the last four years, and is one of the main organizers of the conference.
Deutsche Welle: Within the last couple of months we've had the United Kingdom saying that they have an offensive strategy. Stuxnet attacking nuclear facilities in Iran, China saying that it has a 'Blue Team' designed to attack foreign powers. What changes to the landscape have you noticed recently?
Nations no longer question the importance of cyberdefense, Geers said
Kenneth Geers: I think that nation-states are coming to terms with this, finally. We see the articulation of deterrence, strategies, "If you attack us in cyberspace, don't think we might not hit you in the real world with a kinetic attack." We see defenses overall raised. I talked to an official at the Pentagon who said, "Look, the defenses at the beginning of the cyber-era were low, and even high school kids, if they were smart, could get in." But today the defenses have been raised high enough that if you get in, you probably have some kind of professional organization behind you. It's more difficult to get in to the hard targets today.
Has public policy been able to catch up to the technical reality of cyberwarfare? Are there strategies that you'd like to employ but laws prevent you from doing so?
This is a challenge even for the most advanced intelligence agencies on the planet. It's impossible to know that you're on top of the technology. It's simply moving too quickly. You cannot be sure that your rival or your adversary does not have tools that are more powerful than what you possess. It's an exciting time, but also a scary time for national security planning purposes.
I think the lawyers are starting to figure this out. Just this morning we heard a great talk on cyberlaw, which talked about "clear and compelling evidence." It's not 50 percent, which is "beyond a preponderance of evidence," and it's not 99 percent, which is "beyond a reasonable doubt." In cyberspace it's starting to become 75 percent of knowing who the bad guy is, say, in terms of cybersecurity, or prosecution or deterrence for an international cyber-attack.
Can a 75 percent threshold be attained? It seems like a really high bar? What about if you're dealing with non-state actors, or antagonistic nation-states?
Governments are developing policies for reacting to cyber-attacks
It is such a challenge, because the nature of cyberspace is an international entity. If you attack across borders, your law enforcement is beholden to the law enforcement of the aggressor and the political will of that government. Even if you can do appropriate action, or even if you have clear and compelling evidence that it was a party that came from a rival state, you still need the cooperation of that government in order to prosecution or extradition, or anything else.
Do you see any larger themes emerging when it comes to cybersecurity?
I think one of the biggest changes is that even a couple of years ago it was still a major question as to whether cyber-attacks were really important and whether they could have a strategic or a national impact. And I think that question has largely been answered.
In the wake of Stuxnet?
In the wake of Stuxnet, in the wake of the Google attacks, in the wake of Estonia, the Georgia attacks, the Kyrgyzstan attacks. I think it's understood by most policymakers that cyber-attacks could cross the threshold and become a national security incident, when there is enough reconnaissance, enough preparation and enough expertise on the part of the attacking party. It's just a fact today. I think people understand it.
Interview: Cyrus Farivar
Editor: Sean Sinico