Are Cyber Attacks an Act of War?

A Huawei Phone Mast

As the New Year started the most prominent story was that of the Meltdown and Spectre vulnerabilities. The vulnerabilities are certainly huge as they may only be completely resolved by replacing the processor of a device. A story that wasn’t given as much prominence but is a huge development is the cancellation of a deal between AT&T and Huawei.

The deal between the two companies would have meant AT&T selling Huawei’s Mate 10 Pro phone within the US and the deal’s collapse is the most recent in scuppered Chinese buys including Ant Financial’s buyout of Moneygram; and a buyout of Lattice Semiconductor by an investment group with mostly Chinese finance behind it.

On initial inspection it may seem like the cancellation of these deals is due to a harsher foreign policy by the Trump administration, but it was under the Obama administration when the acquisition of AIXTRON by Fujian Grand Chip Investment Fund was called off, again due to national security issues.

A recent increase in frequency may well be due to a stance taken by the new administration but when viewed more broadly, these events are part of a trend that is occurring in nations around the world and not only with deals involving China.

Shortly before Christmas guidance was issued by the NCSC that recommended ceasing use of all antivirus software created by Russia-based companies, as it could not be certain that the companies making the software were not under the influence of the Russian state.

Concerns about foreign nations interfering in the infrastructure of another are not new. When BT proposed their 21CN (Twenty-First Century Network) project with the aim of updating their network to be an IP based system. One of the suppliers they chose as part of this was Huawei and this caused concern from a number of MPs and areas of government at the time. As Huawei increased its marketshare in telecoms infrastructure one way the UK Government responded was to create the Huawei Cyber Security Evaluation Centre (HCSEC) whose job was to examine, in detail, the hardware and software in Huawei products.

US-aligned governments are not the only ones that hold concerns regarding other nations products with the Russian government pressuring foreign companies for greater access to the details of their products and North Korea even going to the trouble to create a custom operating system for use in the country (Red Star OS).

These concerns are only likely to grow in future as technology is integrated with even more areas of daily life and the reliance on them increases. In my opinion it is right that these concerns be taken seriously. Major western nations have faced a significant length of time since our last major conflict and it can often feel as though the peace created will last forever. This may not however be the case.

In the event of conflict breaking out one adversary may take advantage a previously planted vulnerabilities to cause a major disruption. This could range from using vulnerabilities in surveillance devices to provide reconnaissance, taking control of a self driving car to bring harm to the passenger or even seizing control of a nuclear power station to shut it down or cause a catastrophic event.

Governments should think carefully about the long-term benefits of planting exploits in exported software and hardware as this could create a race-to-the-bottom where a foreign government will think they’re doing it, so why shouldn’t we, causing the issue to spiral to the point where no foreign hardware or software can be trusted.

After witnessing the aftermath of Battle of Solferino, Swiss businessman Henry Dunant proposed a treaty that would provide a universal standard for the protection of victims of armed conflict, the Geneva Convention. Perhaps it is time for the world’s powers to come together and develop a new convention for the digital age.

It is expected that the European Union will agree that a cyber attack can be considered an act of war; likely in response to recent events such as WannaCry, and so a response attack with conventional weapons can be authorised “in the gravest circumstances”. Who decides what constitutes the “gravest circumstances”; should WannaCry, which had no directly attributable deaths, require an air strike. Perhaps the recent US power plant breaches require a no-fly zone to increase deterrence.

Being able to say with a significant level of certainty who was responsible for an attack is far more difficult with a cyber attack than conventional one. Many attacks have been linked to different actors at different points in time, being able to state with one hundred percent certainty that a cyber attack was performed by a specific nation state is incredibly risky. The barrier to entry for carrying out a cyber attack is a lot lower than conventional attacks. It’s incredibly unlikely that a teenager has the capability to orchestrate the blowing up of a portion a nations rail network solely from his bedroom, but cyber attacks can be, and are, committed by individuals with a low amount of resources. Should an entire nation-state be held responsible for this possibility?

Questions like this can only be answered by governments; both allied and adversarial, working together and adapting to the new reality created by cyber attacks but I think it will be a number of years before this happens.