Is All Fair in Love and Cyber War?
Recent hacks of organizations and individuals in the United States show marks of Russian involvement, according to U.S. intelligence agencies. In remarks last week on NBC’s Meet the Press, Vice President Joe Biden said that some form of retaliation for those hacks could be on the way. But what exactly are the rules of engagement for cyber attacks? Jason Healey, a senior research scholar at Columbia University’s School of International and Public Affairs, says that while the rules of international cyber conflict are less defined than those for traditional warfare, some norms do exist, setting expectations for what constitutes a “fair fight.”
Jason Healey is a Senior Research Scholar at Columbia University’s School of International and Public Affairs in New York, New York.
IRA FLATOW: This is Science Friday. I’m Ira Flatow. When we planned our next segment on cyber warfare, we had no idea that we’d be going on the air right in the middle of a cyber attack that is now taking place across the United States. We’re in the middle of an attack that has taken out Netflix and Twitter and all kinds of other play– all kinds of other services.
In fact, we can’t even give you our Twitter site, @scifri because we can’t log on to that account. So it comes at a time when the US intelligence community is confident that Russia has played a role in the recent hacking incidents in the US. We don’t know if this attack is connected to anything like that. But those attacks, the US intelligence community communities have said, you know, DNC, John Podesta’s email. Vice President Joe Biden said last week on NBC’s Meet the Press that some form of retaliation was being considered for those attacks and that the Russians would know it when they saw it.
But are there any rules defining what constitutes an acceptable response? And when an attack comes from a soldier with a machine gun on the front lines, well, we know what to do then. But what happens with a coder at a keyboard in an office park? What makes for a fair fight in this situation?
Joining me now to talk about it is Jason Healey. He’s a Senior Research Scholar at Columbia University’s School of International and Public Affairs in New York, and he joins me from the studios of WYPR in Baltimore. Welcome to Science Friday.
JASON HEALEY: Thank you so much. Excited to be here. I even gave my mustache the extra wax. I’ve got some really good curl. I thought the listeners would appreciate it.
IRA FLATOW: Are you aware of the attack going on now? The denial of service going on now?
JASON HEALEY: Absolutely. Now, it’s likely to be criminals rather than nation states because it normally is a known criminal thing. I’d be very surprised if this were the Russians, for example, trying to escalate by doing such an attack.
IRA FLATOW: But when we talk about a cyber attack and we talk about the rules of engagement here, would you not– I’m not saying, again, that this is that, as you say, is occurring. Would you not sort of do a shot over the bow like this? It’s not really taking out any vital hospitals or government of, you know, agencies.
JASON HEALEY: It’s certainly the kind of thing that a nation might try and do. So much on this is trying to say what are the rules of the road. And I’d be very surprised if the US would try and do this as a shot across the bow to someone else because we care too much about free speech to try and drown it out for a simple military purpose. But Russia, others, you know, they wouldn’t feel so uptight about that.
IRA FLATOW: So we don’t have any rules like the Geneva Conventions for a regular kind of warfare? There are no rules for what’s fair game or how to do this correctly in a cyber war?
JASON HEALEY: There are. Well, the nations are still trying to figure this out. So in general, the major countries have said that existing international law applies. Now, to the United States and other Western democracies this means the Geneva Convention. That you can’t, just like you can’t drop a bomb on a hospital, you can’t attack a hospital with cyber capabilities either.
And so this has been the US position and one of the rules of the road that we want to push. We didn’t talk about rules of the road about releasing information to affect an election, attacking a motion picture company because you don’t like the movie it’s going to release.
IRA FLATOW: But back in 2015 didn’t the US and China sign an agreement covering what we felt was fair in cyber warfare?
JASON HEALEY: 2015 was an incredible year. We went into 2015 with almost no international agreement on these rules of the road, and we ended up with not just President Obama of China and President Xi of the United States but the entire G20 saying that you shouldn’t attack a nation’s infrastructure during peace time. That you shouldn’t conduct commercial espionage for your own company’s profits. And it looks like China has, in fact, been living up to their side of the agreement.
IRA FLATOW: Did Russia sign on to that agreement?
JASON HEALEY: They did not. But we’ve been– our issues with Russia have been a little bit different. Well, they would have signed up as part of the G20 agreement. But really what they’re doing now has been subtly different. It hasn’t been any of the things that US specifically laid out as norms, the way that we think the world ought to work. And they’ve been doing other things like releasing information.
IRA FLATOW: If our Twitter account is not working, let’s see if we can get the phone lines working. Our number 844-724-8255, 844-724-8255. Talking about the warfare with Jay Healey from Columbia University School of International and Public Affairs. In traditional war, you’ve got clearly defined combatants and targets. Is it harder with computer attacks to trace responsibility back to where it started?
JASON HEALEY: Absolutely. And this has been one of the reasons it’s been so hard to try and come up with rules of the road. Because if a nation wanted to, it can plausibly deny and say, we don’t have anything here. And, you know, if you’ve been paying attention to the debates, that is coming up, right? How do you prove that someone is doing this when they’re denying it?
But we’ve gotten much, much better, both within the government and within the private sector, of coming in and having multiple lines of evidence. So there’s some lines of evidence that say, look at these technical characteristics. This was written with a Cyrillic keyboard. And that’s important to us. Another line of evidence says, well, after we’ve seen a particular group work dozens or even hundreds of times, we can figure out their style.
I love the Ocean’s Eleven movies and you know if you– if you know anything about crime, if you’ve been stolen from by the Ocean’s Eleven gang or the Night Fox, right? They’re so different. And we can use that same kind of thinking to figure out which group is behind which attack. And then there’s the context, the third element, where so often you can tell that if say the North Koreans are walking away from the peace tables, that you’re very likely to be getting a cyber attack coming from them. And different lines of evidence like that help so much in trying to figure out who did an attack.
IRA FLATOW: So what do we need? Do we need an international agreement for all the countries or are we covered enough, do you think?
JASON HEALEY: We’re still figuring that out. Certainly, the United States is at the position of we don’t need to try and come up with another Geneva Convention. We have a Geneva Convention. I think that’s right because trying to negotiate a new treaty would be incredibly difficult and would never happen. What the Russians and Chinese care about is information sovereignty. They want to stop any information that they think is a counter to their countries, counter to their regimes and keep the information out. Obviously, that’s anathema to the United States, and we want the free flow of information.
So any treaty that we would try and start going down is going to be very difficult. So it turned out with China that the threat of sanctions, that indicting their officers actually made a difference. They were very sensitive to those moves by the United States, and they backed down significantly. Putin, we can see that with Crimea with Ukraine that he’s much more resistant and the United States’ reply to this election hacking and release of the emails is going to have to, I think, be probably quite a bit more muscular as the vice president hinted at.
IRA FLATOW: Why do you say that? The vice president said, “They will know we’re retaliating.” How do you strike that balance between not going over the line somewhere that’s going to escalate stuff?
JASON HEALEY: You hear a lot from the cyber warriors, and they’re coming out and they’ll talk about cyber deterrence and things like that and it’s really less about things like cyber deterrence. I mean, we do want to make sure that we don’t escalate. And I think there’s a range of things that we can look at.
For example, we can talk to our French and German allies maybe even through NATO because they have elections coming up too. And boy, wouldn’t Putin like to get Angela Merkel out of office? Wouldn’t he maybe like to get Marine Le Pen into office in France? So I think we can publicly work with our allies and that will certainly be a signal that Putin recognizes.
At US cyber command, the milit– this is really the US military cyber warriors at Fort Meade. They’ve got people that are looking out into cyberspace and seeing and looking what the Russian groups are doing waiting for that order from the president to disrupt them. And I would certainly expect that the president is going to give them the go order, not so that they can attack Russia but that they can disrupt what the Russians are trying to get done to us.
IRA FLATOW: 1-844-724-8255 is our number and lots of people would like to talk. Let’s go to the phones. Let’s go to Richard in Arlington, Virginia. Hi, Richard.
RICHARD: Hi, how you doing?
IRA FLATOW: Hi, there.
RICHARD: Yeah, I’m concerned about the US government itself working through surrogates or offshore companies to get cyber things done that it can’t do as a government such as the Equation Group and want to know if your guest knows about that, and also its acquiescence of back doors into major router systems by major router manufacturers.
IRA FLATOW: I will ask him. Thanks for calling. Can you translate that for us a bit Jay?
JASON HEALEY: Yeah, sure thing, Richard. Ira. And so what Richard is talking about here with this Equation Group is it’s not only those bad Chinese and those evil Russians that are doing things online. Of course, the United States has been active in this for a very, very long time. That’s the community that I come out of.
And the Equation Group was the nickname given by a computer security company to a set of computer intrusions that they said, this is almost certainly going to be the NSA. The US Signals Intelligence Agency out conducting computer espionage out there in the world. And so the US has said, yes, we absolutely do those– we absolutely do those things. The US says, well, we’re different because we might– we’ll spy on you on these things, but we won’t for example, take that information and give it to Boeing or Google or one of our other.
So that’s the way that we see the rules of the road. But, of course, not everyone else sees it the same way. And as far as the backdoor issue, so this is a technical issue of saying, if there is a US especially a US company that is selling software or hardware, that the NSA or other parts of US government like CIA would love to be able to get access to that to find out what messages are being passed or to try and be able to more easily defeat any encryption that the Russians or Iranians or North Koreans might be using on that.
And here it’s really difficult because this is the kind of thing that the intelligence community has been doing for decades. But it was always on– it was always on things that just the Soviet Union was doing. Nowadays– because then the Soviet Union was using different technology than we used in Arlington, Virginia or in Peoria. Now, it’s all the same technology is being used for military purposes for espionage purposes and we’re all carrying it around in our pockets for phones or having it at our desktop. And so now, those back doors are much more personal because it’s affecting you and I.
IRA FLATOW: Let’s go to Irene in Chestnut Hill, Pennsylvania. Hi, Irene. Welcome to Science Friday.
IRENE: Hello. Thanks so much for taking my call and I’m just wondering you just talked about how technical this is. I’ve been surprised at the lack of outrage of people like not thinking this is important. And does that have something to do with us not policing it better or not being kind of astounded at what’s going on because it is too technical or because they think it’s something that’s always happening to somebody else?
IRA FLATOW: Good question.
JASON HEALEY: It is a really fascinating question. Thank you. I think part of it is because so few of us understand the technology that’s sitting in our pocket, that’s sitting on our desktop, right? For most of us, we just look at it and it is just magic. It’s very difficult for us to know what’s going on in the end of that, right? You click Send and it goes and it shows up somewhere else and very few of us understand what happens behind that curtain.
And so it’s easy for us to feel that disassociation from it because we don’t fully understand it. Now, fortunately, what is happening at a certain– once we get past a certain level, like for example, right now with the election hacks and the release of the information, we don’t have a cyber problem. We have a Russia problem. And so that starts to take it out of this weird ones and zeroes stuff that aren’t very natural, and it puts it into more natural international affairs.
IRA FLATOW: Yeah, we can understand. It relates to us. I’m Ira Flatow. This is Science Friday from PRI, Public Radio International. Talking about cyber warfare this hour with Jay Healey, and let’s go to the phones. Let’s go to another Jay in St. Petersburg, Florida. Hi, Jay.
JAY: He has excellent taste in names, Ira.
IRA FLATOW: Go ahead.
JAY: I want to address the topic that you guys were talking about right before you went to the phones which is how do you know where an attack is coming from? And what’s particularly well-timed given the attack this morning on a big DNS provider called Dyn, which affected among other things Twitter and probably everybody being able to get to your Twitter feed as you were talking about earlier.
The attack that normally kills you in that kind of sort of dance is called a distributed denial of service attack and the distributed part’s important. The way those attacks are usually conducted is by taking over a little piece of a whole bunch of computers either by malware or spear phishing attacks or what have you and originating just a few packets a second from tens of thousands or hundreds of thousands of computers and aiming them at a specific target.
IRA FLATOW: Jay, do you have– Jay, Jay, do you have a question? Because I’m running out of time.
JAY: Yeah, why is that even though there’s a defined protocol called BCP 38 for that to be blocked by people like cable modem providers, why don’t any of them implement it?
IRA FLATOW: OK.
JAY: Very few providers actually block forged packets.
IRA FLATOW: All right. Why is it so– why don’t they do that, this Jay, Jay Healey enlight–
JASON HEALEY: Yeah, and first it was how do you– how can we know? And it’s how do we know, for example, if it’s the Russians or how can we figure out who is behind this attack? And if it’s a single attack, it can be very difficult. But, fortunately, with the Russians, with the Chinese, with others, we see this over a decade, over years. And you can start to build up a pattern. That way when you see the activity happen again, you have a much better sense.
But I like what Jay was saying at was there is not just norms between nations. There are norms that happen amongst technologists. And many of these norms are incredibly strong. You know, right now the norms to keep up the network, it doesn’t matter what country it is, it doesn’t matter what school you went to, it doesn’t matter anything about you as an individual. Right now, we’ve got thousands of blessed nerds that are trying to get us past this denial of service attack because they have this common norm that you keep the network up.
Now, not all of these norms are so well policed. For example, the one that Jay mentioned that you don’t pass the trash essentially. And we haven’t built up those norms yet of what network providers should do so they’re not affecting others. They only worry about their own security, not what’s happening downstream.
That’s why I love ideas like a sustainable Internet. How can we make sure that our kids and grandkids are going to have an Internet that’s at least as safe, as clean, as awesome as the one that we have today? And ideas like sustainability will work towards the things that they brought up.
IRA FLATOW: And what does that mean, briefly, sustainable internet?
JASON HEALEY: It starts looking at what are the practices that we have that are most sustainable, right? We just heard about the new agreement on HFCs, right? We’re saying, we’re using this particular product, and it’s destroying the environment. That’s not sustainable, so we’ll make a substitute.
Jay brought up the BCP 38, the best community practice of what you’re supposed to do and it’s being ignored, and it’s affecting all of us. So if we take that same mindset of saying, the Internet’s not going to be around, we can start looking at these non-sustainable practices.
IRA FLATOW: Can you crack down on some of these people?
JASON HEALEY: Absolutely, but whom would do that? In the United States, theoretically, you might have the FCC do that. You might– it’s going to take some smart public policy to try and figure out the right way. Where is naming and shaming enough? Where is regulation enough? You could tax and you could cap and trade just like you do for the environment.
IRA FLATOW: All right, thanks for– wow, good day to have you on, Jay. Jay Healey, Senior Research scholar at Columbia University’s School of International and Public Affairs here in New York.