Lucy is the editor of Verdict. You can reach her at lucy.ingham@pmgoperations.com

A lack of rules of engagement in cyber warfare is creating a “slippery path” towards more destructive cyberattacks and even physical attacks, according to a former Israeli Defense Forces cyber security expert.

Israel Barak, former Israeli Defense Forces red team founder and CISO at cyber security company Cybereason, told Verdict’s sister title Verdict Encrypt that while cyber warfare has become a standard part of nations’ defence capabilities, a lack of agreed rules is creating serious risks for both companies and nations.

“The interesting thing is that there are no rules of engagement right now,” said Barak.

“How you respond to a cyber attack? What is the sliding scale of launching military offensives in cyberspace? Is it legitimate to try to thwart an election? How do you respond to that? Do you send F-16s? Is that the proper response?”

He drew comparisons with physical attacks, where the rules of engagement are clear and well-established.

“In the physical realm, there’s a certain understanding of what the balances are in terms of what is that sliding scale,” he said.

“Armies or military organisations know that if they launch an operation of type one they can expect the retaliation of type two. In cyberspace, these rules haven’t been written yet.”

How far will governments go with cyber warfare?

Cyber attacks are becoming an increasingly common part of both diplomacy and warfare, providing governments with a new means of retaliation in response to real-world threats.

For example, in the wake of the US’ decision to pull out of the Iran nuclear deal, cybersecurity experts warned that the country is likely to engage in digital retaliation.

“President Trump’s actions have placed American businesses at increased risk for retaliatory and destructive cyberattacks by the Islamic Republic,” warned Priscilla Moriuchi, director of strategic threat development at Recorded Future, in the wake of the announcement.

“We assess that within months, if not sooner, American companies in the financial, critical infrastructure, oil and energy sectors will likely face aggressive and destructive cyberattacks by Iranian state-sponsored actors.”

However, what countries choose to do in response to such attacks is unclear, and this lack of rules, Barak argues, is leading governments to see how severe they can make cyberattacks before they provoke a response.

The State of Technology This Week Get the Verdict weekly email

“What you see around us are governments experimenting with how far they can go along with launching cyberattacks and what type of retaliation they can expect, and therefore how can they manage their risk,” he said.

This is leading to a creep in the severity of attacks, with governments assuming that there will not be a physical response.

“There’s no agreed-upon, even informally, understanding of what the common action and reaction would be in cyberspace, and I think that is a very slippery path and can lead governments to going very far with launching cyber warfare operations just based on the expectation that there’s not going to be any physical retaliation,” he said.

Who is behind a cyber attack?

As cyber warfare has developed, it has become convention for those responsible, known as threat actors, to disguise their attacks by making them appear to be from a different country.

“That’s a built-in part of any operational plan of an advanced attack; you choose who you want to resemble. A lot of threat actors, some of them are criminals, some of them are nation states, want to resemble the NSA, for example,” explained Barak.

“What they do is they build these tools with code characteristics, certain time signatures, that are indicative of the actor they want to resemble.”

Attackers take significant steps to mask their identity, from pop culture references in code to working on machines with software licenses from the location they want to resemble, which can make identifying an attacker extremely difficult, and in some cases impossible.

Often, said Barak, technology alone is not enough to accurately identify a threat actor, meaning governments have to rely on intelligence to infer who is responsible. And this makes retaliation fairly risky.

“This actually increases the likelihood that someone, I wouldn’t want to call it a bystander, but someone that’s not directly involved in an incident but was just used as a cover for an incident, is actually going to get hit with something like a hack back that an enterprise would be involved in.”