For the first two decades of the internet era, cyberattacks did not endanger the established social order. Motivated by money and limited by personal resources, hackers mainly chose to attack relatively defenceless individuals, rather than incur the wrath of a state. The threat posed to national security was minimal.

The decision of governments around the world to enter the cyber-battleground has since destroyed that dynamic. Using vast national resources to pursue political agendas, states are capable of carrying out sophisticated intelligence operations, economic espionage, and of destabilising rival nations by attacking critical infrastructure such as electricity networks and water supplies.

Top-secret documents leaked by the former NSA contractor Edward Snowden have revealed the extent of US involvement in cyber warfare. According to The Washington Post, a classified budget showed American intelligence services performed 231 "offensive cyber-operations" in 2011. The newspaper goes on to summarise the 2013 budget, detailing the CIA and NSA’s efforts to "hack into foreign computer networks to steal information or sabotage enemy systems".

While other world powers are yet to suffer such a major intelligence leak, few doubt they are engaging in similar cyber-activities. Obama’s budget proposal for the 2014 fiscal year embodies the growing fear of attack; despite cutting overall Pentagon spending by $3.9 billion, he wants to increase Defense Department outlay on cyber-efforts by $800 million. And with cyber-assaults causing minimal collateral damage to aggressors and costing little in comparison to conventional military strikes, it is likely this situation will only escalate over the years to come.

In the face of such threats, national and cybersecurity become two sides of the same coin. But while the need for new defences is widely accepted, questions abound over content and implementation. A significant part of the confusion stems from the new type of risk posed by cyberwarfare – when the aftermath is often far deadlier than the strike.
"The Israelis see terrorist attacks as two things. First as an attack, then all the crazy shit people do afterwards," says Jan Kallberg, assistant professor of homeland security at Arkansas Tech University. "The way I see it, we’re going to use cyber offensively to rock other societies so they disintegrate."

Panic on the streets

Kallberg has close to two decades experience in cybersecurity and is the co-author of numerous papers on the subject. In 1996, when there were only four references to cyber-defence on the internet (today there are over 954,000), he had the foresight to register the www.cyberdefense.com domain.

He believes the technical side of a cyber-strike is only a catalyst; the real damage is caused by the ensuing panic among the civilian population.

"Some US companies, frustrated by cyber attacks, have used strike-back technology to retaliate against hackers."

"Let’s say the credit card system gets shaken up and people start to distrust it," he says. "Okay, that has a financial impact. But the real impact for me is when I go down to the guy in the petrol store and he won’t give me my bread. Then from there, you’ll be angry."

His theory implies that any effective cyber-defence strategy must allow the state to maintain control of its citizens in a time of crisis, preventing any descent into Lord of the Flies-type scenarios that could result in significant harm being done. Kallberg believes trust is at the root of such a relationship and, despite many UK citizens’ outrage at the government’s recently uncovered surveillance tactics, cites the country as a model example of such a bond.

"I think the United Kingdom is a tremendously cyber-resilient country because it has institutional stability," he says. "People trust the government. Of course they question, they blog. But the bottom line is it’s not like adversarial countries, such as Iran or China; half of their military is just doing crowd control."

Kallberg does, however, acknowledge the threat caused by surveillance software – albeit not necessarily that of the government. The public’s ever increasing stock of gadgets, subject to advanced persistent threats, can be used to collect data on a populace and monitor collective reactions to different events. Using this detailed information, relatively small but well timed and placed cyberattacks can wreak havoc among civilians, potentially destabilising a nation.

At the sector level, defending against cyber-threats will require a much closer working relationship between states and private firms. Vast swathes of national infrastructure are run by business, and governments must ensure adequate protection is provided and that security breaches are dealt with, rather than swept under the rug for the sake of a company’s image. It is not all one-way traffic however; Kallberg believes the private sphere will also work to offer governments practical solutions to cyberattacks.

"I think,in the future, what we would call cyber-defence would be 90% private," he comments. "Instead of training some enlisted men to become programmers, why don’t you [the government] just go to a private company and buy the programmer direct?"

But while involving the commercial sector in state-level cybersecurity is necessary and often advantageous, it is equally vital to maintain a degree of distinction. Some US companies, frustrated by cyberattacks, have used strike-back technology to retaliate against hackers – a minority are even reported to have violated American laws in doing so. For Kallberg, this is a step too far.

"The demarcation in cyber between the government and private spheres is important to uphold… one reason we have a nation state is, in a uniform and structured way, under the guidance of a representative democracy, to deal with foreign hostility and malicious activity," he wrote in an article for Defense News.

"Abandoning the clear demarcation between government and private spheres leads to entropy, loss of control, and is counterproductive for the national cyber-defence and the national interest."

Team effort

Closer collaboration between academia, the military and the state will also be central to successful future cyber-defences. Universities must pursue the technological developments deemed necessary by government, as well as ensuring future civilian and military-contractor workforces are well educated. Maintaining the closeness of these ties is essential, and not only because universities must stay on target; if gaps open up between academic work and a state’s cyber-defences, they could be exploited by hostile parties. A country could fall prey to its own ingenuity.

"I think the military will also bring a sense of geopolitical realism to academia," says Kallberg. "We have to see them [academics] as the blacksmiths in the armouries of the dark ages. They’re going to hammer out the tools that governments need to deal with adversarial nations in cyber. And if they’re not interested in doing that, if they think they’re too good to do things for the government, they shouldn’t have money."

International co-operation on cyber-defence issues can also help, though it is unlikely to take place beyond close-knit diplomatic circles; there is a thin line between sharing vulnerabilities and giving away attack opportunities. Governments can work together to vet hardware and exchange information that makes it easier to trace the origins of certain security concerns. The Council of Europe’s Budapest Convention on Cybercrime, established in 2001 and acting, among other things, as a framework for international co-operation, is also gaining ground. Last year six new states, including Australia and Japan, became parties, bringing the total to 41.

For his part, Kallberg is determined to adopt a "more positive outlook" on cyber, despite the "doom and gloom" he sees hanging over the field. But while he is confident China will not succeed in dominating the world "from a barracks somewhere" anytime soon, he believes the greatest threat to cyber-security will remain unsolved for a while yet:

"We’re an engineering society. We love fancy-shmancy graphs and powerpoint presentations, and stuff. But the bottom line is: humans matter," he says.

"All secure systems end up with a person. So, as long as we can control greed, jealousy, sex and addiction, we’re good!"