One of the most fundamental yet critical tasks facing a country struggling to bolster its cybersecurity is to understand its own information systems and those of its adversaries, said Martin Libicki, a senior researcher at the U.S. think tank RAND Corporation.
During a recent email interview with The Korea Herald, the scholar also pointed out that a country’s cybercapabilities were “people capabilities,” emphasizing the need to nurture quality specialists to counter the evolving threats in the new security domain.
Libicki said cyberthreats were “real” to military organizations and argued that cybersecurity must be taken seriously by militaries and intelligence agencies.
The following is the interview with Dr. Martin Libicki.
Korea Herald: Can you talk about the importance of cybersecurity? Although we all use the Internet and computer networks, people at large do not seem to be serious about cybersecurity.
Martin Libicki: The importance of cybersecurity is directly related to the threat that a person, organization or nation faces. Do you have something of value to them? Do you do something that someone else wants to interrupt? How badly do they want to get into your system? How likely will you be attacked? What happens if you are?
So, cybersecurity is like a lot of risks that arise from other people (it is similar to crime and war in that regard). Cybersecurity has to be taken seriously by militaries (and their associated intelligence components), by financial institutions and critical infrastructures because the consequences of their failure are severe. Organizations with intellectual property also have to be alert to the threat that someone will want to see and copy it (and then use it in their own designs). Otherwise, cyber is a risk like any other.
KH: How real are cyberthreats facing the world? It seems that Sino-U.S. cyberwarfare is already ongoing.
Libicki: The threats are real, particularly to military organizations, but they are not enormous. Cyber-espionage is a source of irritation between the U.S. and China. We do not like their stealing our intellectual property and business proprietary information (e.g., negotiation strategies). The Chinese don’t like how deeply our intelligence agencies are into their networks. But people have been doing espionage since biblical times.
In cyberspace, there is a lot more espionage than there ever has been in physical space. Many collectors have passed the point where they can collect a lot more than they can process. But it would be an exaggeration to say that the U.S. and China are (in) a war (China and Vietnam are closer to war in their South China Sea dispute).
KH: What is your assessment of South Korea’s cybersecurity? Do you think it is weak? If so, why is it weak?
Libicki: I don’t know that South Korea’s cybersecurity is particularly weak (for a country of its size and affluence). But the aggression level of North Korea towards South Korea has no parallel elsewhere in the world (I think it even exceeds mutual Israeli-Iranian aggression). The attack on South Korean banks that wiped out desktop computers did not arise from the usual cybercrime motives (taking money) but from spite and vandalism. The lesson is that cybersecurity cannot be understood out of its context ― and in South Korea, it’s less how good cybersecurity is and more how good it is relative to the threat from the North (I have not heard many reports of Chinese hacking into South Korea to steal the latter’s intellectual property, but that doesn’t mean it isn’t happening).
KH: When we talk about a country’s cyberwarfare or security capabilities, what would comprise those capabilities?
Libicki: A country’s cybercapabilities are people capabilities. It depends on how much money there is for hiring people, the talents of the manpower base and the quality of their direction. These people do not necessarily have to work for you if you can hire the services of cybersecurity corporations. But the first task is understanding what problem you need to solve.
KH: Can you talk about what South Korea can do to improve its cybersecurity and warfare capabilities and reduce vulnerability to cyberterrorism or attacks?
Libicki: Cyberwar, both offensive and defensive, is a matter of understanding information systems and their relationship to warfare systems. To do well at cyberwar requires understanding your adversary’s systems, the role they play (e.g., how automated are weapons systems, what command-and-control infrastructure do they have), and what potential exists to interfere with these systems to your benefit. Defense requires a similar understanding of your own dependence. A great deal of improvement in cybersecurity is possible if one disconnects systems from access to the Internet (tunneling encrypted traffic through the Internet prevents fewer cyberrisks), but one loses the benefits of connectivity. Again, I cannot overemphasize the role of self-understanding.
KH: Do you think South Korea should put cybersecurity high on its security agenda?
Libicki: From a defensive angle, South Korea needs to spend as much on cybersecurity as it takes to make sure that (military and critical infrastructure) systems will be available and work as intended when needed. As for offense, that depends on North Korea’s dependence on networked IT, which used to be quite low but may have increased to where cyberspace operations might be a useful military tool.
KH: What is your assessment of North Korea’s cyberwarfare capabilities? Why do you think North Korea pushes to bolster its cyberwarfare power and personnel?
Libicki: The DPRK (North Korea) seems to be (at) Iran’s level. There are basically two categories of attackers: those whose best feats lead one to ask, “How did they do that?” and those (including the DPRK) whose best feats might be clever but not sophisticated. The folks in the top category are the USA, Russia, Israel and China (many other affluent countries might fall into that category but they either are not interested in penetrating networks very much or are very good at hiding their tracks for the few attacks they carry out).
KH: North Korea seems to be less vulnerable to cyberattacks given that it has poor Internet penetration and very small computer networks. What do you think about this?
Libicki: Generally true, although North Korea does have an Internet presence. However, since they use other people’s technology, they may be heir to supply-chain attacks.
KH: Can you be more specific about supply-chain attacks?
Libicki: In the early 1980s, when Russia was stealing Western electronics to build their systems, the U.S. (was believed to have) went into the gray market and managed to sell Russia a defective component for their natural gas pipelines. The component failed in such a way as to blow the pipeline up.
KH: What kinds or scenarios of cyberattacks from North Korea can we think about?
Libicki: There are two types of scenarios: those in war and those in peace. Cyberattacks in wartime would, one might expect, be used to help North Korean forces and might be calibrated according to battlefield conditions. Those in peacetime would be various forms of annoyance, perhaps substantial inconvenience.
Although North Korea can be quite irrational, it is difficult to see what they might gain from, for instance, trying to take down the South Korean power grid. The effects are likely to be temporary (days), while the effect of such attacks on public opinion would be highly negative unless they could generate a narrative that directed attention not to the attackers but to those who constructed and (were) operating their networks with weaknesses in them that others could exploit.
KH: Would there be deterrence measures South Korea could craft to counter North Korea’s cyberthreats?
Libicki: Any deterrence of North Korea is a difficult proposition whether in cyberspace (where they have little attached to the Internet) or in real space (their guns are trained on Seoul). The best leverage that South Korea might offer would have to work through China ― convincing China that the risks of a North Korean collapse are tolerable compared to all the other risks that might exist from not tamping down on North Korea. This argument has yet to be persuasive, but South Korea has yet to suffer greatly from North Korean cyberattacks (where “greatly” can be understood in comparison to the cost of a conventional war).
KH: What do you think about the prospect of cyberwarfare between South Korea and North Korea?
Libicki: It could (happen), but North Korea’s relatively isolated position and the fact that North Korean leaders tolerate a great deal of suffering among their people make the prospect of coercion through cyberspace very difficult ― unless South Korean intelligence has identified targets that are simultaneously vulnerable and meaningful to North Korean leadership. North Korea, for its part, seems determined to harass South Korea, even today, and their efforts are likely to grow, forcing South Korea to institute successively more expensive and intrusive cybersecurity measures.
KH: There seem to be various opinions about cyberspace. Some argue that a country’s sovereignty extends to cyberspace, while others argue that it is part of global commons where freedom should be preserved. Some are cautious about militarization of the domain. What is your opinion about this?
Libicki: The general principle is that countries have a right to do things within their borders to safeguard their citizens and pursue their national interests. The U.S. policy operates in terms of law enforcement. It wants to hold countries such as Russia responsible for apprehending cybercriminals within its borders, or at least cooperating with U.S. efforts to investigate cybercrimes.
China believes that it can censor Internet content going to its citizens. The U.S. disagrees, not because it believes that China has no role vis-a-vis the Internet but because we believe in the freedom to communicate. The U.S. is willing to enforce the law that governs Internet content (e.g., intellectual property, cyberbullying), but the U.S. Constitution mandates U.S. officials pursue crime after the fact, not censor content beforehand (in other words, it forbids “prior restraint”).
There have been cases where one country’s censorship behavior affects another country ― but that is for technical reasons. Pakistan denied their citizens access to certain YouTube videos a while back, but did so in such a way as to shut (down) YouTube service for everyone; Turkey did something similar a few months ago. In both cases, they backed off when the global implications of what they did were understood.
KH: How can we define cyberwarfare or cyberwar? I think many countries have difficulty defining the beginning of cyberwarfare from which time they could begin taking offensive measures to counter cyberaggression.
Libicki: This is the most common question people ask about cyberwar, and I always tell them that it’s the wrong question. A cyberwar begins when you (as a country) think it is in your best interest to declare something a cyberwar (or act as if something was the opening shot of a cyberwar) in order to justify doing something about the incident (e.g., retaliating). It also helps, but is not absolutely necessary, that other countries believe that your response was justified. The international Law of Armed Conflict does not speak about something being an act of war. We are very far from a universal understanding that certain specified acts cross a red line and merit retaliation.
KH: Some scholars seem to work on crafting cyberdeterrence strategies, adopting some of the Cold War-era nuclear deterrence strategies. Is it right or appropriate to use nuclear deterrence strategies when creating cyberstrategies?
Libicki: Bad idea. Nuclear war deterrence was developed because no one had any way to counter a nuclear attack that did not nevertheless result in the killing of thousands or millions of their citizens. Thus, the only way to deal with the threat was to threaten back. In cyberspace there are many ways of defending systems ― which can only be attacked, incidentally, if you have created or left open a path between the attacker and your system. Furthermore, whereas in nuclear war there was never real doubt about where an attack came from (because, for example, until 1964 only the U.S., two of its NATO allies and the USSR had nuclear weapons), in cyberspace, as your earlier question pointed out, there may be a great deal of question about who is attacking whom. Ultimately, countries have to ask themselves whether retaliation (with the prospect of counter-retaliation and escalation) is the most cost-effective way of making themselves safe.
KH: What kind of international cooperation can South Korea engage in to improve its cybersecurity?
Libicki: The U.S. would help (e.g., with threat information). But cybersecurity is largely a matter of dedicating sufficient resources to the job and managing networks with sufficient diligence. Every day more companies form that are interested and eager to supply cybersecurity services. Some have gimmicks; others can offer valuable services. It will take study and money to determine which services are right for South Korea. But the bottom line is that money can buy help.
KH: The attribution issue is one of the vital issues, as it is difficult to pin down a culprit for cyberattacks. North Korea has already denied its responsibility for its past cyberattacks on South Korea, saying South Korea’s argument is a complete fabrication. Why is the attribution difficult?
Libicki: Attribution can be difficult because evidence is circumstantial and because cyberforensics is a new field and it keeps changing as attack methods change. But the question that has to be asked before worrying about attribution is: What is South Korea going to do with that information? If it is not prepared to act against North Korea (and there are many reasons not to), what does it gain by knowing that North Korea did it?
KH: What would be the prospect of the international community reaching a consensus over norms, laws and rules of engagement concerning cyberwarfare? Would they be necessary like those about conventional wars?
Libicki: There is an informal consensus among developed countries that the de facto norms of cyberwar can be derived from the laws of armed conflict in general. Beyond that, people have been looking for a real international consensus (one that would be agreed to and complied with not only (by) developed countries but by Russia and China) for at least 15 years and they haven’t gotten very far. I’m not optimistic.
● Martin Libicki has been a senior management scientist at RAND since 1998, focusing on the impacts of information technology on domestic and national security. He also serves as a professor at the Pardee RAND Graduate School.
● He has authored two books ― “Conquest in Cyberspace: National Security and Information Warfare” (Cambridge University Press, 2007) and “Information Technology Standards: Quest for the Common Byte” (Digital Press, 1995).
● He has also written numerous monographs, notably “Crisis and Escalation in Cyberspace,” “Global Demographic Change and its Implications for Military Power” and “Cyberdeterrence and Cyberwar.”
● Prior to joining RAND, he spent 12 years at the National Defense University, three years on the Navy staff as program sponsor for industrial preparedness, and three years as a policy analyst for the U.S. General Accounting Office’s Energy and Minerals Division.
● He received his Ph.D. in city and regional planning from the University of California, Berkeley, writing on industrial economics in 1978.
By Song Sang-ho