How to define cyber-enabled economic warfare
The U.S. and the international community have yet to agree to standard definitions of cyber attacks and cyber-enabled economic warfare, and that's hindering effective policy responses to attacks, according to a new report.
What: "Framework and Terminology for Understanding Cyber-Enabled Economic Warfare," a new report by Samantha F. Ravich and Annie Fixler for the Foundation for Defense of Democracies.
Why: The U.S. and its allies lack coherent doctrine and policy to defend against the growing range of cyber threats, and that is because of a failure to even agree on a common language to describe a "cyber attack," the authors contend.
Increasingly, nation states and other actors are engaging in cyberattacks designed to undermine the economy of the victim, and such attacks can now cause "economic harm disproportionate to the size or resources of the attacker."
The authors call this "cyber-enabled economic warfare." They argue that the U.S. has not embraced this terminology and therefore hasn't been able to build effective policies, and that the problem is even more complicated when dealing with U.S. allies.
The report contends that NATO's Cooperative Cyber Defence Centre of Excellence lists 15 different definitions for the term "cyber attack" and 11 definitions of "cyber terrorism." The authors argue that until the international community agrees to a common lexicon, policy coordination will continue to be stymied.
The report lays out a proposed set of definitions for various cyber acts.
Cyber-enabled economic warfare is a "hostile strategy involving attack(s) against a nation using cyber technology with the intent to weaken its economy and thereby reduce its political and military power." The authors state that for a cyber campaign to be defined as CEEW, it must meet four criteria: the attack(s) are cyber enabled, intended to cause economic harm, economic damage must be "significant enough to potentially degrade national security capabilities" and that must be the intent.
The report states that not all attacks will meet those four criteria and therefore may fit into other defined categories, such as cyber financial warfare, cyber crime, cyber espionage, cyber terrorism, cyber warfare or cyber-enabled information warfare -- each of which has a specific definition and criteria in the report.
The authors categorize some of the recent major cyber incidents according to this lexicon.
For example, China's economic theft of intellectual property from the U.S. is considered CEEW, along with Russia's cyberattack on Estonia and Iran's Saudi Aramco attack. The authors also contend that the U.S. sanctions on Iran using cyber means to cut off Society for Worldwide Interbank Financial Telecommunication access also falls under CEEW.
The Office of Personnel Management breach and Russia's hacks into U.S. government agencies such as the State Department and the White House constitute cyber espionage, which can be a tactic of CEEW, states the report.
Russia's effort to influence the U.S. election is a "classic case of cyber-enabled information warfare," according to the report, while the North Korean hack of Sony, and Iran's attack on the Las Vegas Sands Corporation are acts of cyber terrorism.
Verbatim: "The U.S. government should work with its allies and the private sector to create a unified understanding of the key concepts broadly related to cyber attacks and, more specifically, related to cyber-enabled economic warfare. Understanding not only the terminology but also the tactics, strategies, and intentions of nation states, non-state actors, and criminal organizations is critical for crafting effective counter-measures and proactive policies."
Read the full report.