Many will be familiar with the biblical adage “an eye for an eye, a tooth for a tooth”. Underpinning the Book of Exodus, this principle of even-handed justice formed the kernel of Old Testament law.
Yet contemporary followers of the book allowed it to transmute into a justification for personal vengeance. It wasn’t until Jesus proselytised on a mount overlooking the Sea of Galilee that the meaning was renewed. He re-established the law as punishment commensurate to the crime.
But this meaning has been distorted in the sands of time. A far cry from the proportional legal penalty borne out in the Christian Beatitudes, “an eye for an eye” has all-too-often been harnessed to justify tit-for-tat retaliation. Worryingly, it is this interpretation that has stubbornly endured: the Blitzes of London and Berlin; the Cuban Missile Crisis; the 1980 and 1984 Olympic boycotts. And now, unsurprisingly, this attitude has finally reached cyber.
In recent weeks, two examples highlight the dangerous precedent of the tit-for-tat mentality in the cyber domain. First, the widely publicised hack of the US Democratic National Committee’s (DNC) servers. Hackers exposed opposition research on Trump & co and stole a host of private emails, 20,000 of which WikiLeaks made public.
US intelligence have high confidence that the Russian government orchestrated the theft. The firm Crowdstrike was solicited to inspect the DNC’s servers and manage the fallout. They discovered two separate Russian intelligence-affiliated adversaries present in the DNC network, one group of which had access to the servers for almost a year. This comes against the backdrop of Russian hackers breaching the email servers of the White House and State Department and gleaning information from President Obama’s Blackberry. The Kremlin, with the usual shrug of ignorance, has denied involvement.
Five days later, Russia is hit by a cyber attack – wham! The Russian Federal Security Service (FSB) identified cyber espionage malware in the networks of approximately 20 Russian government organisations. The malware was delivered via a malicious email attachment, adapting to each system, intercepting network traffic, logging keystrokes and listening to phone calls. The hack was designed to target state organisations and the country’s critically important infrastructures. There is no evidence yet to indicate US involvement. Has the eagle swiped its talons back at the belligerent bear? Perhaps – who knows?
The second tit-for-tat example lies with China. In July, the Permanent Court of Arbitration ruled that China’s claim to South China Sea territory over the Philippines had no legal basis. In 2013, China had poached control of the Scarborough Shoal reef, among others, leading to the construction of military outposts in the disputed island territory. After years of legal deliberation, the international tribunal at The Hague concluded that, not only was China’s claim invalid, but the state had infringed Philippine sovereign rights inside the country’s 200-mile exclusive economic zone: unlawfully disrupting Philippine fishing activities and risking collisions with Philippine vessels.
On this occasion, no time was wasted. Retaliation against China’s detractors was already underway. As far back as January 2015, a Chinese network attack known as an Advanced Persistent Threat had been deploying malware identified as the NanHaiShu Remote Access Trojan to create a backdoor and gain administrative control over target computers to harvest sensitive data. Systems from the Philippine Department of Justice, the organisers of the Asia-Pacific Economic Cooperation Summit, and a major international law firm involved in the South China Sea arbitration process were all compromised.
All three targets were considered to be of strategic national interest to the Chinese government. Moreover, the attack code and infrastructure were traced to a developer in mainland China. Of course, this could be mere coincidence or, worse, the product of adversarial groups intending to stir up regional divisions to further their cause. Nonetheless, it’s worrying stuff that has the potential to morph into something more sinister.
Retaliation often engenders escalation: something that the cyber domain facilitates with unprecedented ease. As nation states all-too-willingly adopt this tit-for-tat mentality, the prospect of attacks spilling over the ether into the conventional domains of war becomes increasingly likely. As Russia’s revanchist activities in Ukraine show, asymmetric warfare has already begun to rear its head; its efficacy and desirability – a potent combination of cyber and tangible force – will make it the norm.
Nation states should make a concerted effort to curtail a spiraling cyber arms race and ensure cooler heads prevail. Cyber’s destructive capacity and ability to destabilise international relationships deserves constant policing and attention.
There is a Chinese proverb: he who seeks revenge should remember to dig two graves. The international community would do well not to forget this. When it comes to tit-for-tat, there are no winners, only pyrrhic victories.