Shades of Cyber Grey: Espionage and Attack in Cyberspace

by Alexander Klimburg

Like most activities in cyberspace, cyber espionage can be many things at once. One significant discussion is what constitutes legitimate versus illegitimate cyber espionage, particularly regarding economic cyber espionage. The costs of cybercrime and cyber espionage look drastic: one recent estimate even put the damage to the global economy at $445 billion. But at least as significant a concern is the overlap between intelligence gathering on one hand and covert action (ranging from sabotage to preparations for war) on the other. The shades of (cyber) grey that constitute operations in cyberspace mean that it is possible to mistake intelligence collection activities for something more serious—with dramatic consequences.

Cyber covert action (or Offensive Cyber Effects Operations, OCEO) can encompass a range of activities, from influencing opinion to preparations for all-out war. Most relevant here are acts that have kinetic equivalents—such as sabotaging a facility. This is known to have occurred in at least one instance—the 2010 to 2011 Stuxnet attack on the Iranian uranium enrichment facility at Natanz. The debate on the ethics or desirability of such cyber attacks is intense and ongoing. What receives less attention is the fact that—from the defender's perspective—it is not always possible to distinguish between cyber espionage, cyber covert action, and, most importantly, preparation for cyber sabotage or war. Serious misunderstandings, therefore, are pre-programmed.

Cyber-Intelligence (CYINT) comes in many shades. Leaving open-source intelligence aside, and only referring to mass (bulk) collection rather than targeted collection or tailored access, one (admittedly very simplified) way to view CYINT is by segmenting it into “intercept,” “access,” and “presence.”

“Intercept” is similar to traditional signal-intelligence (SIGINT) activity, where data is read from the carrier medium, usually a cable, in a largely passive activity. Many countries are known to engage in wide-scale “tapping” of Internet traffic in this manner, and while the Snowden leaks have concentrated on global U.S. and allied efforts in this regard, other countries, such as Sweden, are known to have similar programs.

“Access” means the ability to directly read information from the targeted network or database. According to some sources, this has also been referred to as “SIGINT-at-rest,” and, when doing bulk rather than targeted collection, this includes getting access, for instance, to email accounts, databases, or metadata collections (such as telephone records). The U.S. PRISM program is one possible candidate for an “access” program.

“Presence” refers to the ability to be literally “on” a targeted network or device, for instance by injecting code onto a computer directly. It is generally referred to as Computer Network Exploitation (CNE). This can occur in the context of an “access” attack, which can switch from “passive SIGINT” to “active SIGINT” using an approach called “tipping.” It is, however, most likely to occur with the help of a tool commonly referred to as a “Trojan” (for instance a manipulated email attachment, such as a PDF file), and can mean that the entire network or device is effectively subverted and taken over. These types of attacks are commonly executed by advanced cybercriminals as well as state-sponsored entities, and in their most advanced form are known as Advanced Persistent Threats (APTs). Such attacks can last for years before being detected. There are dozens of known cases of state-sponsored APTs, most often attributed to either Russia or China, but also (more rarely) to the United States.

While “intercept” or “access” will usually mean only that the confidentiality of the information in question is violated, “presence” (in particular an APT) can mean that the availability or integrity of the information is in question as well. Put otherwise, while in both “access” and “intercept” cases it is only possible to read someone’s email, “presence” gives you the option to interrupt that email, or even destroy or falsify it. Further, APTs often leave specific pieces of encrypted code behind on the target system. From the point of view of the defender, it is often impossible to know what the intention of the attacker is; it could be “just” espionage, or it could be preparations for a much more serious attack—one that aims to shut down or destroy a system entirely. The consequences of misidentifying the motive of the attacker could be, in diplomatic speak, “inadvertent escalation”—or accidental cyber war.

There are ways to limit such risks. Most important is to establish “rules of the road,” basic informal agreements between states on what is a legitimate target for espionage purposes. Some issues, such as the differences between commercial, industrial, economic, or national security espionage are not likely to be resolved soon. However, other issues are simpler to address and more immediately needed to help avoid “inadvertent escalation.” For instance, it is unlikely that a “presence” attack (say an APT) on a power grid would yield important espionage information, and instead such an action could easily be misconstrued as a preparation for war—particularly in times of heightened geopolitical tension. As a result, the defender might be prompted to take escalatory measures that are not warranted simply due to a misunderstanding or an accident. One vital “rule” would therefore be an agreement not to target super-critical infrastructure (particularly the power grid) with cyber espionage attacks.

As important as it is to address the risks and costs of economic espionage, the potential harm of misattributing cyber espionage in particularly sensitive environments could be drastic. It would be a grave mistake to consider this issue simply as another negotiation point in the ongoing dispute over economic cyber espionage. For in this case, there are no winners—only losers.


About the Author

Alexander Klimburg is an Associate of the Harvard Kennedy School Belfer Center and Senior Adviser at the Austrian Institute for International Affairs.