Today’s global economic system, governments, militaries, and social organizations all rely on cyber networks, and leaders tend to think of access to cyberspace as a given. But the ability to connect to the internet can be blocked by hostile actors—as it was in Estonia in 2007 and in the country of Georgia in 2008.
Massive access shutdowns and area denial operations can occur at two layers of cyberspace. At the physical level, access shutdowns require damage to fiber optic cables, satellite systems, or other concrete infrastructure. At the logic level, they require an attack on root servers, border gateway protocols, and internet service providers.
The latter is what happened in October 2016 when Dyn, an internet infrastructure firm based in New Hampshire, was targeted by massive distributed denial of service attacks that overloaded its servers and knocked out access to sites such as Twitter, Netflix, and PayPal for much of the East Coast, as well as other parts of the United States and Europe.
The Dyn attacks, which the company resolved within the day, were perhaps the largest of their kind ever. But the effects of such attacks in the future could be even more extensive, ranging from economic shutdown because of markets’ inability to function, to degradation of military capabilities due to the interconnectedness of platforms and systems, to the halt of government and diplomatic measures.
Broad access to cyberspace is so central to the strength of most nations today that cyber-based systems are considered critical national infrastructure and therefore, massive access shutdown or area denial operations could be considered acts of war, depending on the circumstances.
To deter potential future attacks, governments must focus on the actors most capable and likely to conduct anti-access operations, and the context of those threats. Robust, redundant, and resilient defenses will diminish the likelihood of successful attacks. It is also necessary to demonstrate political will and technological capability to retaliate for serious attacks on cyberspace or other critical national infrastructure. For the long term, an international framework is necessary to establish norms and international laws governing acceptable behavior in cyberspace and delegitimize efforts to deny a country access to it.
Weaponizing Home Tech
Hackers brought down much of the internet in 2016 by seizing control of millions of home routers, webcams, and other online devices. Here are some security issues reported since.
Cybersecurity firm Checkmarx recently showed how hackers might force Amazon’s voice-activated Echos to eavesdrop on users, then deliver transcripts of conversations to third parties.
Although these hacks are rare—and quickly fixed—Chinese security researchers last summer tapped into a Tesla Model X, remotely opening its doors and activating its brakes.
Ben-Gurion University researchers showed they could hack into Wi-Fi thermostats and webcam feeds, as well as hijack a baby monitor to make it play loud music. They often found passwords within thirty minutes—sometimes by simply Googling the device’s brand name.
A Conference to Find New Solutions at the Fletcher School
What new laws or organizations are needed to protect civilians from state-sponsored cyberattacks? Fletcher international law professors Ian Johnstone and Joel Trachtman, working with Fletcher cybersecurity professor Susan Landau, have assembled a top-flight team of computer scientists and international lawyers to develop legal responses and voluntary arrangements to defend civilian establishments and infrastructure. These experts will present their ideas on September 14 and 15 at a conference at Fletcher organized by the new Center for International Law and Governance. Find registration information here.