Models of Escalation and De-escalation in Cyber Conflict

The cyber insecurity conundrum cuts across all things digital or networked. How can we prioritize defensive efforts across such a vast domain? This talk will describe a framework for engineering systems and policymaking based on the work factors for cyber attack and defense. After developing the work factor concept, it will be illustrated in several examples.

  1. Models of Escalation and De-escalation in Cyber Conflict
     John C. Mallery, Computer Science & Artificial Intelligence Laboratory, Massachusetts Institute of Technology
     Presentation at the 2011 Workshop on Cyber Security and Global Affairs, Budapest, Hungary, May 31 – June 2, 2011. Version: 3/29/2012 11:04 AM

  2. Escalation And De-escalation Models For State-state Cyber Conflict & Cooperation
     • A step towards a US-Russia-China workshop on escalatory models of cyber conflict
     • Intended to develop shared perspectives and analytical frameworks across countries
     • Appendices include a draft set of topics for consideration in a longer workshop
       - Dynamics of cyber-fueled conflict
       - Approaches to managing cyber-fueled conflict
       - Lessons from history or other conflictual domains
     • Today we will discuss a few selected topics
     • Background: Topic area selected as the top priority by the MSU IISI team from 10 workshop topics presented last year

  3. Possible International Workshops On Critical Cyber Policy Issues
     Workshop Topics | MSU IISI prioritization
     1. Cyber Definitions | 1. Escalation Models
     2. Cyber Crime | 2. Civil infrastructures
     3. Cyber Terrorism | 3. Cyber Definitions
     4. Escalatory Models | 4. Cyber Law
     5. Civilian Infrastructures | 5. Codes of Conduct
     6. Industrial Espionage | 6. Cyber Terrorism
     7. Technical Cooperation | 7. Cyber Crime
     8. Codes of Conduct | 8. Technical Cooperation
     9. Cyber Law | 9. Protection of the Commons
     10. Protection of the Commons (termed "Protection of World Community") | 10. Industrial Espionage

  4. Overview
     • Defining cyberspace
     • Threat actors and capabilities
     • Entropy-based model of conflict and cooperation
     • Global cyber conflict mess
     • Illustrative Conflictual Actions
     • Illustrative Cooperative Actions
     • Phase-structured Cyber Events Data
     • Utility of cyber actions
     • Managing Strategic Technology Competition
     • Cross Domain Responses
     • Proportionality Judgments
     • Institutions and Mechanisms for Cyber De-escalation
     • Cyber Conflict Characteristics

  5. What is cyberspace?
     • Interdependent network of information technology infrastructures (NSPD54/HSPD23)
       - Internet
       - Telecommunications networks
       - Computer systems
       - Embedded processors
       - Controllers in critical industries
     • Also virtual environment of information and interactions between people (NSPD54/HSPD23)
     • Activities riding on cyberspace
     • US Military
       - Electro-magnetic spectrum
       - Information operations
       - C4ISR, space
     • Supply chains for IT
       - Computers, networks, software, sensors, crypto, identity management, etc.
     • Knowledge, information, data
  6. Domains of Cyberspace (layered diagram; labels recovered from the figure)
     • Governance: Diplomacy, Treaties, Agreements, Norms, Alliances, IGOs, NGOs, Industry
     • Technological Level: Network, Computer, Crypto, ID Mgt. Standards
     • Universal Principles; Knowledge Formation; Value System Dynamics; Political Discourse; Information Processes, Social Networking
     • Cyberspace: Economic & Business Activity; International Dialogues; Military And Intelligence Systems
     • Physical Network Connectivity: Critical Infrastructures, Enterprise IT, Consumer IT
     • Network Infrastructure Administration; Application Software and Administration
     • Routers, Switches, Fiber, Wireless, Other; PCs, Servers, Laptops, Cell Phones, PDAs
     • Supply Chain: IC Fabrication, IC Design, Operating Systems, Information Assurance, Cryptography
     • Research Communities; IA, Certification, Accreditation; International Standards
  7. Threat Actors And Capabilities
     Threat Actors | Motive | Targets | Means | Resources
     Nation States During War Time | Political | Military, intelligence, infrastructure, broad private sector | Intelligence, military, espionage, reconnaissance, influence operations, world orders | Fully mobilized, multi-spectrum
     Nation States During Peace Time | Political | Intelligence, military | Espionage, reconnaissance, influence operations, world orders; leverages criminal enterprises or black markets | High, multi-spectrum, variable skill sets below major cyber powers
     Terrorists, Insurgents | Political | Infrastructure, extortion | Leverage black markets? | Limited, low expertise
     Political Activists or Parties | Political | Political outcomes | Outsourcing? | Limited, low expertise
     Black Markets For Cyber Crime | Financial | Tools, exploits, platforms, data, expertise, planning | Mobilizes cyber crime networks | Professional, low end
     Criminal Enterprises | Financial | Hijacked resources, fraud, theft, IP theft, illicit content, scams, for hire | Reconnaissance, crime planning, leverage of black markets | Multi-spectrum, diverse expertise
     Small Scale Criminals | Financial | | Leverages black markets | Low, mostly reliant on black markets
     Rogue Enterprises | Financial | IP theft, influence on sectoral issues | Outsourcing to criminal enterprises? | Sectoral expertise, funding, organization
  8. Conflict and Cooperation within Living Social Systems Framework
     • Goal: Continuous function from conflict to cooperation
     • Countries are autopoietic systems
       - Prigogine, non-equilibrium thermodynamics
       - Self-recreating living systems
       - Network of component-producing processes
       - Recreate the socio-economic and political system over time
     • Key functional areas:
       - Physical Security: Military, intelligence, terrorism
       - Economic Security: Business, technology, science, policy
       - Political Security: Ideation, legitimacy, diplomacy
     • State-state interactions
       - Conflictual action: Increases autopoietic entropy
       - Cooperative action: Decreases autopoietic entropy
     • Mesh of state-state interactions
       - Reciprocity dimensions: economic, political, military, cultural
       - Relationships: parasitic or mutualistic

  9. Global Cyber Conflict Mess*
     Cyber Capability Levels
     Cyber Power | No. | IW | Espionage | Attack | Integration
     Major | 3? | High | High | High | High
     Important | 10? | Moderate? | Significant | Significant | High
     Middle | 20? | Lower? | Crime ware | Crime ware | Lower
     Lesser | 70+ | Lower? | Crime ware | Crime ware | Lower
     • Over 100 states developing offensive cyber capabilities
       - * Various USG sources, 2008-2010
     • What are their targets?
       - Economic
       - Political
       - Military/intelligence
     • Who are their targets?
       - G20?
       - Major industries?
  10. Illustrative Conflictual Actions
     (Std. / Cyber marks are reproduced as printed; the Duration and Impact columns are blank on the slide.)
     Move Type | Action | Std. / Cyber | Intensity
     Political | Displeasure | x x | 1
     Political | Protest | x | 1
     Political | Withdraw Support | x | 2
     Political | Snub | x | 1
     Political | Threaten | x x | 1
     Political | Support opposition | x x | 4
     Political | Subversion | x | 5
     Economic | Industrial espionage | x x | 2
     Economic | Sabotage | x x | 2
     Economic | Sanctions | x ? | 3
     Economic | Quarantine | x ? | 4
     Military | Politico-military espionage | x x | ?
     Military | Unconventional warfare, terrorism | x x | 1
     Military | Skirmishes | x x | 2
     Military | Limited warfare | x x | 4
     Military | General warfare | x x | 5

  11. Illustrative Cooperative Actions
     (Std. / Cyber marks are reproduced as printed; the Duration and Impact columns are blank on the slide.)
     Move Type | Action | Std. / Cyber | Intensity
     Political | Diplomatic recognition | x | 1
     Political | Praise, hail, applaud | x x | 2
     Political | Endorse or support policy or position | x x | 3
     Political | Promise material support | x x | 3
     Political | Negotiate | x x | 1
     Political | Make substantive agreement | x x | 2
     Economic | Share data, intelligence | x | 4
     Economic | Joint ventures, technical sharing | x x | 5
     Economic | Support capacity building | x x | 3
     Economic | Suspend Sanctions | x ? | 1
     Economic | Extend economic aid | x ? | 3
     Military | Extend military assistance | x x | 4
     Military | Coordinate counter-terrorism | x x | 4
     Military | Coordinate defense | x x | 5
     Military | Cease hostilities | x x | 3
     Military | Settle dispute | x x | 3
  12. Phase-structured Cyber Events Data
     • Define cyber action vocabulary
       - Party actions
       - Referrals to conflict managers
       - Conflict management actions
     • Code state-state interaction sequences
       - Include partial order for level of conflict or cooperation
       - Phase structure is given by the movement up or down hostility/altruism
     • Enables learning to:
       - Predict escalation or de-escalation as a function of event sequences
       - Efficacy of conflict management actions
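The event-coding scheme of slides 10 to 12 (a signed action vocabulary, a coded interaction sequence, and phases read off the up-or-down movement of hostility) is sketched below as an added example; it is not code from the deck or its author. The intensity values are the ones printed in the two action tables, the summed signed intensity stands in for the slide's partial order, and the dyad sequence, the actor names and the `referral`/`mediation` manager moves are constructed for illustration.

```python
"""Phase-structured coding of a state-state cyber interaction sequence."""
from dataclasses import dataclass
from typing import List, Tuple

# Signed intensities: conflictual moves positive (slide 10 values),
# cooperative moves negative (slide 11 values). A subset of the vocabulary.
ACTION_INTENSITY = {
    "displeasure": 1, "protest": 1, "threaten": 1, "industrial espionage": 2,
    "sabotage": 2, "sanctions": 3, "subversion": 5, "limited warfare": 4,
    "negotiate": -1, "substantive agreement": -2, "suspend sanctions": -1,
    "share data": -4, "cease hostilities": -3,
}
# Conflict-manager moves (assumed names) carry no intensity of their own;
# their efficacy is read off the party moves that follow them.
MANAGER_ACTIONS = {"referral", "mediation"}


@dataclass
class Event:
    actor: str
    action: str
    cyber: bool = False  # True when the move was carried out by cyber means


def hostility_levels(events: List[Event]) -> List[int]:
    """Cumulative hostility level after each event (>0 means conflictual)."""
    level, out = 0, []
    for e in events:
        if e.action not in MANAGER_ACTIONS:
            level += ACTION_INTENSITY[e.action]
        out.append(level)
    return out


def phases(levels: List[int]) -> List[Tuple[str, int, int]]:
    """Maximal runs of same-direction movement: (direction, first, last)."""
    result, cur, prev = [], None, 0
    for i, lvl in enumerate(levels):
        step, prev = lvl - prev, lvl
        if step == 0:                      # manager moves do not break a phase
            if cur:
                cur[2] = i
            continue
        d = "escalation" if step > 0 else "de-escalation"
        if cur and cur[0] == d:
            cur[2] = i
        else:
            if cur:
                result.append(tuple(cur))
            cur = [d, i, i]
    if cur:
        result.append(tuple(cur))
    return result


def manager_efficacy(events: List[Event], levels: List[int], window: int = 3):
    """Net hostility change over the next `window` events after each
    conflict-manager move; negative values indicate a de-escalating effect."""
    out = []
    for i, e in enumerate(events):
        if e.action in MANAGER_ACTIONS:
            later = levels[min(i + window, len(levels) - 1)]
            out.append((i, e.action, later - levels[i]))
    return out


# Constructed sample dyad: states A and B, an IGO acting as conflict manager.
SAMPLE = [
    Event("A", "industrial espionage", cyber=True), Event("B", "protest"),
    Event("A", "sabotage", cyber=True), Event("B", "sanctions"),
    Event("IGO", "referral"), Event("A", "negotiate"), Event("IGO", "mediation"),
    Event("B", "suspend sanctions"), Event("A", "substantive agreement"),
    Event("B", "share data", cyber=True),
]
```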
  13. Utility of Cyber Actions
     Modality | Detection | Complexity | Reliability | Consequences
     IW | 3 | 2 | 2 | 1
     Intelligence | 1 | 3 | 2 | 1
     Degradation | 1 | 3 | 1 | 2
     Disrupt (precise) | 3 | 3 | 1 | 3
     Denial | 3 | 2 | 3 | 3

  14. Managing Strategic Technology Competition
     1. Engineering networking standards and computational frameworks for national advantage
     2. Developing universalizable norms for system engineering and design certification
     3. Managing industrial espionage when it is an integrated component of strategic economic competition
     4. Sanctions (diplomatic, economic) against predatory behaviors in open multilateral trading systems
     5. Standards for ICT intended to reduce opportunities for bad cyber behavior, enhance international stability and promote orderly international interactions

  15. Cross Domain Responses
     • State need not respond to cyber in kind
     • Cross domain responses cloud anticipation of responses to cyber actions
       - Judgment of proportionality by initiator
       - Judgment of perception by recipient
     • Example:
       - Industrial espionage by China
       - Possible response aiming at regime legitimacy
     • Example:
       - Russia and US declare potential nuclear response against cyber attacks on C2 systems
       - Penetration of the wrong system could provoke major response
     • Cross domain responses introduce potentially destabilizing feedback paths

  16. Proportionality Judgments
     • Shared understandings of proportionality are necessary for meaningful calibration of action
     • Different perspectives, approaches, traditions and cultural contexts can produce misunderstandings and unintended escalations
     • Errors or accidents involving cyber weapons may produce
       - Unintended consequences via cascading effects
       - Unforeseen escalatory responses

  17. Cyber Conflict Characteristics
     1. Offense dominated
     2. Strategic reach
     3. Poor attribution (low frequency)
     4. Poor warning with short detection times
     5. No strategic depth -> pre-emption strategies
     6. Readily usable techniques for espionage
     7. Strong reciprocity among major actors
     8. Low barriers to entry
     9. Over 100 state players
     10. Lack of shared perception of action seriousness
     • Limited history of cyber conflict
     • Cross cultural understanding challenges
     • Little guidance from international law
     • Many variations possible
     • Conclusion: Unstable, dangerous feedbacks

  18. Institutions and Mechanisms for Cyber De-escalation
     Domain | Activity | Conflict Manager
     Political | Hacktivism; Legitimacy IW | ?, UN
     Economic | Industrial espionage; Predatory trade; Supply chain subversion | ?, IMF, G*, WTO, regional IGOs
     Military | Prepositioning logic bombs; Critical infrastructure attacks | Conventional mediators (e.g., UN, regional IGOs)

  19. Research Questions
     1. What is the domain of cyber conflict and cooperation?
     2. Does the rise of cyber operations, whether attack, espionage or influence operations, change inter-state conflict dynamics?
     3. What are the stability characteristics of current and future international systems as cyber conflict capacity develops and diffuses?
     4. How can levels of cyber conflict and cooperation be measured and compared across technical change?
     5. How can strategic technical and economic competition be managed?
     6. How can different perceptions of hostility or cooperation and escalation phases be managed?
     7. Can legal or normative frameworks increase stability or protect non-combatants?
  20. Appendix A: Dynamics Of Cyber-fueled Conflict

  21. Dynamics Of Politico-military Escalation And De-escalation In State-state Cyber Conflict
     1. Analysis of factors contributing to instability or stability
     2. Cyber as a means for strategic reach with low barriers to entry (over 100 countries with some cyber offensive capabilities)
     3. Pre-emption strategies due to poor warning as a source of instability
     4. Problems of n-way games, including (mis-)attribution, bad reputations, provocations
     5. Clusters of state-level cyber conflict and cooperation
     6. Dangerous feedbacks, good feedbacks
     7. Unintended consequences (e.g., perceptions, cascading impact, spreading impact, collateral damage to civilians or 3rd parties)
     8. Precision and controllability of cyber techniques across target domains, including impact on neutral countries or global commons
     9. Usability of cyber techniques for attack or exploitation (low probability of attribution, low physical damage, low human casualties)
     10. Cross-domain responses to cyber as amplifiers or attenuators of conflict
     11. Differential perception of threat (e.g., economic, legitimacy, systemic)
     12. Special case of nuclear powers (cyber under cover of nuclear)
     13. Asymmetric vulnerability of lower ICT capacity states to cyber attack by stronger military powers
     14. Dynamics of collapse or rebuilding of trust across state-state transactions, with special attention to low-to-mid level cyber provocations
     15. Mechanisms for de-escalation, including termination of conflict or war
     16. Mechanisms for establishing ground truth (e.g., monitoring, data sharing, inspection, cross correlation)
     17. Institutions for international mediation and conflict management

  22. Conflict Triggers Or Escalators
     1. Misread of red lines
     2. Denial of service or attack on C2 or space assets
     3. Ambiguity of cyber actions between exploitation and attack
     4. Penetration of critical infrastructure, or "preparation of the battlefield"
     5. Accidental impact on 3rd parties via spread or cascading
     6. Excessive espionage provoking hostile responses, possibly cross-domain
     7. 3rd party provocations intended to incite major power conflict
     8. Information operations targeting political legitimacy
     9. Conventional conflict triggering cyber responses

  23. Cross-modality Or Cross-domain Responses To Cyber Exploitation Or Attack
     1. Signaling and problems of misperception in cyber conflict (or cyber cross-domain responses)
     2. Mismatches of cross cultural or doctrinal models of cyber conflict
     3. Hostility spirals due to volume of exploitation or development of bad reputation
  24. Appendix B: Approaches To Managing Cyber-fueled Conflict

  25. Challenges
     1. How can verification, monitoring and situational awareness be achieved and to what extent?
     2. How is cyber defense possible without understanding and anticipating incoming cyber attacks?
     3. How can proliferation of cyber weapons within or across countries be prevented or managed?

  26. Shared International Frameworks For Designating Actions In Cyber Space As Criminal, Hostile, Or Negligent
     1. Definitions of hostility levels
     2. Definition of when counter-force becomes counter-value targeting along supply chains or supporting infrastructure for an opposing military
     3. Red lines within the contexts of peace, crisis or war
     4. Impact of red lines on dynamics of escalation control and stability
     5. Instabilities arising from attacks on C5ISR systems, including nuclear systems, space assets and naval forces
     6. Large-scale espionage: quantity exceeds conventional hostility calibrations
     7. Ambiguity of cyber-physical systems (e.g., cyber attack on power grid causing physical damage)
     8. Information operations: anti-terrorism, threats to government stability
     9. How should international sharing of cyber data be organized and coordinated?
     10. Rebuilding trust in a low verification environment

  27. Responsibility Of National Leadership For Controlling Cyber Offense And Exploitation
     1. Government actors
     2. Surrogates, including state responsibility for cyber "patriots" or criminals operating within their territory under international law regardless of whether the state has direct, indirect or no control at the time
     3. Non-state actors using computing platforms within their territories
        - Hacktivists
        - Terrorists
     4. Leakage of advanced cyber capabilities to criminals or terrorists
     5. Managing different levels of conflict from strategic (e.g., nuclear weapons control and release) to theater or tactical
     6. Responsibility for cleaning up botnets, or other platforms within their territories used by 3rd parties to attack or exploit 2nd parties

  28. Managing Strategic Technology Competition
     1. Engineering networking standards and computational frameworks for national advantage
     2. Developing universalizable norms for system engineering and design certification
     3. Managing industrial espionage when it is an integrated component of strategic economic competition
     4. Sanctions (diplomatic, economic) against predatory behaviors in open multilateral trading systems
     5. Standards for ICT intended to reduce opportunities for bad cyber behavior, enhance international stability and promote orderly international interactions

  29. Legal Or Normative Frameworks Codifying Shared Interests
     1. How can cooperative activities in cyber defense or fighting cyber crime build reservoirs of trust that help prevent or attenuate cyber crises?
     2. Can a "public health" approach to cyber help reduce risk of conflict and enhance trust through cooperative contributions to the cyber commons?
     3. To what extent are states interpreting cyber within the framework of the Geneva Convention?
     4. Where are current international legal frameworks adequate or inadequate?
     5. How can they be extended to cover gaps?
     6. How do they serve the range of state or non-state actors in the international system?
     7. Can legal or normative frameworks actually help in a timely fashion when cyber capabilities are so widely diffused and technical change is rapid?
     8. What is their domain of relevance across a hostility range from peacetime to wartime?
     9. How can adverse impacts on international cyber infrastructures be prevented or managed?
     10. How can collateral damage to non-belligerents be managed?
     11. How can 3rd party provocations intended to initiate conflicts between major powers be prevented beforehand or managed afterwards?

  30. Legal Or Normative Frameworks Codifying Shared Interests (continued)
     12. What is the legal or pragmatic liability of states for consequences of cyber operations, whether intentional, collateral, or accidental (including cyber proliferation)?
     13. What should be the status of a cyber attack on one country that disrupts economic activity in 3rd countries (e.g., shared infrastructure, outsourcing, linked industrial verticals)? Rights of 3rd parties to respond? Non-state actor case?
     14. What is the responsibility of states to prevent private actors or 3rd parties from launching attacks from within their territory by controlling bad network traffic, taking down botnets, or requiring higher assurance standards?
     15. What legal recourses are available when cyber espionage exceeds standards of customary practice to reach extraordinarily high levels of hostility?
     16. What should be the responsibility of Internet service providers to report bad behavior to states (e.g., tracing attacks via proxies, cyber pollution, IW)?
     17. What should be the legal liability of ISPs if they act as agents of a state by providing the means to deliver cyber attacks, or engage in cyber exploitation or weaponization?
     18. To what extent are states and ISPs separate around the world? How does this affect the ability of states to act in cyberspace?
  31. Appendix C: Lessons From History Or Other Conflictual Domains

  32. Lessons From History Or Other Conflictual Domains
     1. How should the definition of "armed force" be extended to cyber attacks? (e.g., by consequences, by threat level)
     2. How do we measure the consequences of cyber weapons? Must they have physical manifestation?
     3. How can conventional counter proliferation approaches bear on cyber capabilities?
     4. How can conventional protections of neutral parties, international infrastructures or global commons (e.g., sea, space) be extended to cyber?
     Analogies:
     1. How is cyber not like nuclear deterrence? (Over-worked analogy with many analytical assumptions failing.)
     2. How are cyber weapons like non-nuclear kinetic weapons?
     3. How can biological weapons regimes inform cyber regimes? (Similarities and differences, for example in terms of proliferation, verification, usability)