Walk with me through a thought exercise… let’s say that two nations are at a high level of international tension, just short of a full declaration of war. Let’s also say that one nation’s Internet access is tightly controlled and the other’s is widely available. What happens when the two nations engage in a dark war in cyberspace?
By “dark war”, I mean one in which each nation can be pretty sure who is sending the cyberattacks but cannot prove it. Attribution stays unproven either because proving it would mean revealing intelligence sources and methods, or because there is simply no permanent, tangible evidence to work with. So the attacks go forward, as do the responses, but with no public attribution of them they stay in the dark.
Back to the nations in the hypothetical: the one with tightly controlled Internet access is already set up for cyberdefense. Its commerce and government probably do not rely on Internet connectivity to run normally, or, if they do, it is only with internal address space and little or nothing extraterritorial. As such, it is not much of a target for the other nation: its networks are hard to reach from outside (isolation shrinks the attack surface, though it does not remove it), and wrecking them is little more than an inconvenience.
For the nation with widely available Internet access, commerce and government services depend upon the Internet as a lifeline. Without it, activity halts and few organizations are prepared for long-term offline activity. It is a target-rich environment in a dark war.
So let us say that attacks against the Internet-rich nation are increasing in frequency and cost. How can it protect itself?
First, it bans traffic from the attacking nation: nothing allowed to or from its address space. That leads the attacking nation to shift to another path, compromising systems in other countries, perhaps starting with the allies of the nation it is attacking. At that point the Internet-rich nation asks all its allies to cut off traffic to and from the attacking nation. Let us assume that they all comply. What next?
Next are neutral nations. Their PCs are compromised, the botnets made of their PCs then launch attacks. This is where things will get complicated, so I’ll start using fictional names for these nations. We’ll call the Internet-rich nation the United States of Shamerica, or Shamerica for short, and the nation with its local networks separated from the world Shiran. Shamerica has its allies Shanada, Shengland, Shermany, Shrance, and The Shetherlands all cut off traffic from Shiran.
But many of those nations have outsourced their IT needs to nations such as Shindia, Shungary, Shulgaria, Shalaysia, and The Shech Republic. If Shiran attacks through those nations, what does Shamerica do if only half of those agree to cut off traffic from Shiran? Companies with outsourced IT in nations that don’t cut that traffic, like Shindia and Shalaysia, will be ruined if their access to those outsourcers is suddenly terminated – and that will be a victory for Shiran.
But if the traffic isn’t blocked, then that will also be a victory for Shiran when it results in yet another major cyberattack successfully getting through.
Meanwhile, firms in Shamerica face an ever higher likelihood of cyberattack through Shiran’s indirect routes. At what point is the likelihood of attack high enough to justify their spending appropriately on security? And how much can appropriate security cost before those firms decide to disconnect entirely from the Internet and return to the days of paper ledgers and mail-order business? Would customers be receptive to that, given that it potentially promises less Big Data tracking of their lives and maybe even less identity theft?
Drastic, I know, to suggest people returning to physical mail and magazines and buying goods in stores, but we have to ask: at what point is the certainty of a successful attack high enough that being connected to the Internet is too great a risk relative to the cost of mitigation? Would the hypothetical nations of Shussia and Shina have to be involved as well, or can Shiran push things to that point on its own? How do we correctly calculate the risk of being connected to the Internet, or will connection always be a given until the Internet becomes so clogged with attack traffic that it is useless?
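One way to put numbers on that question, as an added illustration rather than anything from the original post: treat each posture a firm can take (stay connected with minimal controls, stay connected and harden, or unplug) as a fixed annual cost plus a residual chance that an attack still succeeds, and solve for the attack probability at which a costlier posture starts paying for itself. Every figure below is an invented placeholder (a five-million-unit impact, a hardened posture that stops three quarters of attacks, an unplugged posture whose cost is the online business it forgoes), and the model, class and function names are mine, not the author’s.

```python
"""Break-even model for the "when is it worth it" question above.

Added example, not from the original post. All money figures and
success rates are invented placeholders, not measured values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """One way a firm can stand relative to the Internet."""
    name: str
    fixed_cost: float         # annual cost of the posture itself (controls, or forgone online business)
    residual_fraction: float  # share of attacks that still succeed despite it (0.0 .. 1.0)


def expected_annual_cost(posture: Posture, p_attack: float, impact: float) -> float:
    """Expected yearly cost: what the posture costs plus what still gets through.

    p_attack is the probability of at least one serious attack in the year,
    impact is the loss when one succeeds.
    """
    return posture.fixed_cost + p_attack * posture.residual_fraction * impact


def breakeven_probability(cheap: Posture, expensive: Posture, impact: float):
    """Attack probability above which `expensive` beats `cheap` on expected cost.

    Solves cheap.fixed + p*cheap.residual*impact == expensive.fixed + p*expensive.residual*impact
    for p. Returns None when the costlier posture never catches up (it does not
    cut the residual), and a value above 1.0 when even a certain attack would
    not justify it.
    """
    delta_residual_cost = (cheap.residual_fraction - expensive.residual_fraction) * impact
    if delta_residual_cost <= 0:
        return None
    return (expensive.fixed_cost - cheap.fixed_cost) / delta_residual_cost


def cheapest_posture(postures, p_attack: float, impact: float) -> Posture:
    """The posture with the lowest expected annual cost at a given attack probability."""
    return min(postures, key=lambda s: expected_annual_cost(s, p_attack, impact))


# Constructed placeholder figures for a single mid-sized firm (assumptions, not data).
IMPACT = 5_000_000.0  # loss from one successful, serious attack
CONNECTED_BARE = Posture("connected, minimal controls", fixed_cost=50_000.0, residual_fraction=1.0)
CONNECTED_HARDENED = Posture("connected, hardened", fixed_cost=600_000.0, residual_fraction=0.25)
UNPLUGGED = Posture("unplugged (paper and mail)", fixed_cost=1_500_000.0, residual_fraction=0.0)
POSTURES = (CONNECTED_BARE, CONNECTED_HARDENED, UNPLUGGED)


def sweep(postures, impact: float, step: float = 0.1):
    """Cheapest posture at each attack probability from 0 to 1, as (p, name) rows."""
    steps = int(round(1.0 / step))
    rows = []
    for i in range(steps + 1):
        p = i * step
        rows.append((round(p, 2), cheapest_posture(postures, p, impact).name))
    return rows


if __name__ == "__main__":
    print(f"hardening pays off above p = "
          f"{breakeven_probability(CONNECTED_BARE, CONNECTED_HARDENED, IMPACT):.3f}")
    print(f"unplugging beats hardening above p = "
          f"{breakeven_probability(CONNECTED_HARDENED, UNPLUGGED, IMPACT):.3f}")
    for p, name in sweep(POSTURES, IMPACT):
        print(f"p={p:.1f}: {name}")
```

With these placeholder figures, hardening starts paying for itself once the yearly chance of a serious attack passes roughly 15%, and unplugging only beats hardening above about 72%. The model is the easy part; in a dark war the hard input is p itself, since the indirect routes described above make it depend on what other nations allow through, and the cost of cutting off an outsourcer belongs in the same fixed-cost column as the controls.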
Because, in a dark war, the only true equivalent of a bomb shelter is to unplug from the Internet. Any connectivity is making a bet that your defenses are better than the attacker’s weapons. Miscalculate, and you are damaged.