Threat actors: Nation states
As insurers, our focus is normally on the commercial sector, but there are some important points to make about cyber conflict between nation states. First, war in the information arena is not new and existed even before nation states did. Stealing information from the enemy through espionage was eloquently outlined in Sun Tzu’s Art of War in the 5th century BC. What is new is how the objectives of cyber conflict between nation states have recently changed. The focus of espionage was simply gathering information. Other objectives are now emerging, such as the disruption of infrastructure (e.g. the Stuxnet attack in 2010) or influence over society as a whole (e.g. suspected Russian interference in the US elections in 2016), which represent an escalation of cyber conflict to new strategic theatres.


Offence vs defence
A second point to highlight is the distinction between cyber warfare and traditional armed conflict, sometimes referred to as ‘kinetic’ warfare. Cyber conflict is seen as a constant low-level background occurrence until it reaches such an egregious level that it crosses a tipping point into kinetic warfare. This critical point is known in military circles as LOAC (the level above which armed conflict begins). At this point, the relative advantage between offence and defence changes dramatically.
A rough rule of thumb in military circles is that in kinetic warfare an attacker needs a three to one advantage in manpower and firepower in order to defeat a defender. Defenders typically have an advantage because it is normally easier to protect and hold than it is to move forwards, to destroy and to take. However, in cyber warfare the opposite is true. Attackers have an enormous advantage, maybe by a factor of as much as 10 to one. Large institutions must defend against many thousands of attacks every day. Only one needs to get through for an attacker to succeed. Generally speaking, offensive cyber-attacks are low cost with a high payoff, whereas defensive operations are expensive, overstretched and often ineffective.
Cyber warfare is asymmetric. Both the attacker and the defender are in a race to find vulnerabilities. But the number of vulnerabilities grows exponentially with the size and complexity of the system. The defender has little chance of finding every single vulnerability and patching it before the attacker finds one to exploit.
Response options
How should a nation state respond to a cyber incident? The diagram to the right shows the range of options, from a passive defensive strategy, which can be expensive and time-consuming, to a more aggressive retaliatory stance inflicting proportionate damage backed up by evidence. The USA’s stated strategy in cyber warfare is one of persistent engagement, delivering proportionate counterattacks and ‘forward defence’ in neutral zones. As in the Cold War, the end point will probably be a tacit bargain: an informal understanding that evolves over time as to what is or is not acceptable before LOAC.