Governments across the globe continue to invest in cyber warfare operations. Over 60 countries, a number that is rising, currently have some mechanism to play in the digital warfare and intelligence gathering game. This posturing has a very real consequence to everyday individuals and businesses.
The global arms race has begun and it is not limited to just world powers. For countries with less resources, cyber warfare holds the lure of being a great equalizer, where they can compete on a larger stage where factors such as size or geographical location are less important. Most countries see it as a necessity for continuing intelligence-gathering activities. Knowing what other countries are up to, both friend and foe alike, reduces the chance of unpleasant surprises. For an elite few, who seek to operationalize and integrate the military capabilities, it is a natural extension of national policy, complementing options like weapon sales, economic influence, or deployment of military forces around the globe as part of force projection. No matter the reason, the world is in a cyber-arms race. But this race is far different than the escalation of traditional weapons. Unlike conventional arsenals, software and code are ethereal. Once released to the Internet or deployed against a target, they can be easily captured, transferred, reverse engineered, and duplicated. The tools may very well fall into the hands of criminals or other attackers, to be mass-produced and then used against everyday people and businesses.
The Wall Street Journal published a pair of great articles, which highlight the rapid proliferation of worldwide government cyber-warfare capabilities. The first, Cataloging the World’s Cyberforces (may require subscription), outlines the more than 60 countries which are developing such weapons. The second, Cyberwar Ignites a New Arms Race (may require subscription) speaks to the technology escalation, which is emerging to dominate the cyber battlefield. With the intensity and investment growing, it is inevitable to spill over into the normal world where we all digitally exist.
The Journal’s research shows:
29 countries have formal cyber offensive military or intelligence teams
49 countries purchase offensive cyber tools
63 countries leverage tools for either foreign or domestic surveillance
These articles highlight the professional military side of cybersecurity. More and more the gap is growing between government and civilian capabilities in the world of cyber. With the tremendous financial, intellectual, and human-resource investments, military organizations will have a solid set of combined capabilities. Structures are maturing quickly with budgets now in the billions of dollars and entire career paths defined to ensure sustainable operational stability. Cyber is now the fifth operational domain, joining land, air, sea, and space warfare.
The major difference in this arms race is the cascade effects of weapons which leads to unintended consequences. Once a cyber-weapon is unleashed, the world can grab it and reverse-engineer it to use exploit code, identify previously unknown vulnerabilities, and mimic innovative ways to remain stealthy and persistent. If it is made widely available, which is a normal occurrence, then everyone, even down to the lowly script-kiddie, can use the pieces for their twisted purposes. We have seen this in the past, where parts of professional grade code were harvested and reused in other malware. So the risk is great that at the very least, elements of military grade cyberweapons will eventually filter down to criminals and other malicious parties and turned against businesses, civilians, and other targets. This is the unintentional consequence to digital warfare.
The question remains, will governments deploy them, knowing their creations might eventually be used to the detriment of innocent targets and critical infrastructures? That decision, just like any offensive maneuver, is made based upon the evaluation of value, risks, and consequences for any given situation. I would argue these investments are being made for a number of reasons with the overall intent of being used to gain an advantage. As John Paul Jones famously said, “It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win.” For governments, it is their job to protect an entire nation, its people, interests, and allies. No easy task. Many are investing in cyber as a means of conducting surveillance, to deface or persuade others, and cause directed damage. This is just the beginning of the digital arms race, where the rules of engagement are not yet codified.
The last time I spoke to the government types, I made one recommendation abundantly clear. “Anytime you choose to make a cyberweapon, you better make the antidote at the same time. For it will be captured, reverse-engineered, and turned against its creators, their allies, and other bystanders. Be prepared. Predict it will happen and know how to detect, prevent, and respond when it come back to haunt you and the rest of the world.” The message continues to hold true. It is a brave new world where cybersecurity professionals defending civilian organizations will find the challenges to grow quickly as nation-states become more advanced. It is just the nature of things.
Offensive cyber is changing the security industry. As security professionals, tasked to protect individuals, businesses, and infrastructures, we must all be cognizant of the actions of these nation-states. What they develop today, may trickle down and find its way as a problem in our cybersecurity world tomorrow. It is tough enough to maintain parity with everyday hackers and organized criminals. Superweapons, created or funded with obscene resources by governments, would challenge even the most elite security operations team on their best day. As professionals, we must understand and be ready as the cyber arms race continues to escalate, as it will significantly change the equilibrium of computer security.