The Burisma Hack … Cyberwar or Not?

by C. Warren Axelrod on February 24, 2020

Just
to complicate things further, we learned from a New York Times
article that Russian military cyber-forces hacked into Ukrainian gas company,
Burisma, apparently in an attempt to find incriminating evidence against prior
Board member, Hunter Biden, so as to discredit his father, Joe Biden, in the
latter’s run for U.S. president. The article, dated January 13, 2020 (and
updated on January 15), is by Nicole Perlroth and Matthew Rosenberg and has the
title “Russians Hacked Ukrainian Gas Company at Center of Impeachment.” It is
available at https://www.nytimes.com/2020/01/13/us/politics/russian-hackers-burisma-ukraine.html?searchResultPosition=1

Let’s
ignore for a moment whether or not the article is accurate and just focus on
how such an act, if true, might be categorized. We all are familiar with the somewhat
questionable (in my opinion) claim that “The enemy of my enemy is my friend.” But what if supposed friends commit acts
against you? And what if an enemy attacks a friend to get at you without any apparent
damage to the friend? I examine some of these issues in my article “When
Victims and Defenders Behave Like Cybercriminals” in the January-February 2020
issue of the ISACA Journal. You can read an excerpt of the
article at https://cybersecurity.isaca.org/articles-details?articleId=cybervictims-defenders-and-cybercriminals-how-to-tell-them-apart

As
an exercise, you might find it interesting to look at the following four situations
and try to come up with counterexamples—there are many:

An enemy of my enemy is my friend
A friend of my enemy is my enemy
A friend of my friend is my friend
An enemy of my friend is my enemy

You
might not agree with all of the above, but to the extent that you do agree, can
you name who fits into each category, and who does not?

It
gets more difficult when entities or countries are cooperative at one level and
competitive or adversarial in another area. Are these so-called “frenemies”?
Think of China, for example. China cooperates (to some degree) with the U.S. on
trade but competes for influence on the World stage. And now, with the
coronavirus epidemic, the rules change again. After all, by helping China
contain the virus, we are ultimately helping ourselves. And, despite some
claiming differently, the negative impact on supply chains could be far more
reaching that currently supposed.

Sponsorships Available

Now
back to cyberwar. To support the idea that we are still struggling with the
definition of cyberwar and the corresponding rules of engagement, you should
read the January 12, 2020 article “Congress struggles on rules for cyber
warfare with Iran” by Maggie Miller and Laura Kelly at https://thehill.com/policy/cybersecurity/477795-congress-struggles-on-rules-for-cyber-warfare-with-iran

In
the article, Senator Richard Blumenthal is quoted as saying: “I think that the
question of what is an act of war in the cyber domain is a serious policy
question that needs to be addressed, and Congress so far has failed to address
it.”

He’s
right, in my opinion. More than 18 years ago, I testified before a U.S. House
Subcommittee on cybersecurity and recommended that Congress address several
issues, among which was dealing with terrorism and attacks by nation states.
You can dig through the various testimonies that day and find mine at https://www.govinfo.gov/content/pkg/CHRG-107hhrg76310/html/CHRG-107hhrg76310.htm

You
should also see what the late Howard Schmidt and others had to say that day. We
put a number of cybersecurity issues before the Subcommittee, many of which appear
to have been ignored. The Subcommittee members seemed to be mostly focused on
identity theft and account hijacking, which were (and continue to be) leading concerns
of their constituents. In my opinion, it was a lost opportunity to address the
“serious policy question[s]” that prevailed at the time and still haunt us
today. Perhaps our testimonies weren’t convincing enough or the Subcommittee
members did not have the technological background to grasp what we were saying,
or they were not willing to take on so enormous and controversial an issue,
which has only exploded in size and intensity since. Whatever the reasons, we remain
confronted with old and new issues that are orders of magnitude greater than
they were 18 years ago.

We
see decades flying by, and still the world governments have not even come up
with a binding generally-accepted definition of cyberwarfare. Without such a
definition, and corresponding rules of engagement, it is well nigh impossible
to agree upon suitable responses to cyberattacks on our political systems,
critical infrastructure, and individuals’ privacy and security.

Senator
Blumenthal is correct. We need to come up with policy on cyberwar quickly and
not keep kicking the can down the road—or we’ll be dealing with even greater
consequences.