TNNI: You recently authored a book called Inside Cyber Warfare. Tell us a little about the book. What was your motivation for writing it?
Carr: What I tried to do with the book was take a more complex view of the scope of cyber warfare and really even the misnomer of cyber warfare, because there really isn’t any legal definition as such. There is a cyber component to an actual act of war, but in terms of a battle in cyberspace, we have not really seen that and there is no real definition to that. Instead, the book looks at the various ways that state and non-state actors interact in cyberspace, in order to exercise control or to commit crime or do espionage or any number of actions that network systems now enable actors to do.
TNNI: One of the areas you just touched on was defining cyber war. Do you think we will ever reach a point where there is a commonly accepted definition, particularly in the international realm?
Carr: Probably. I imagine in time such a thing will occur, it is going to take an awful long time. The biggest problem is that the existing models of what treaties do is something that might not work for cyberspace, and I touch on this in the book. In my view, it is more of a law-enforcement issue rather than an issue that can be prescribed through a treaty regime similar to way that weapons of mass destruction are controlled. I think those treaties will just not be effective for cyberspace. However, I do hope that one day the principal nations will agree on the principals of a collaborative law enforcement effort to crackdown on abuses that are committed in that plane.
TNNI: Do you find cyber attacks to be a predominately the work of nation-states, or do you also see this as a proliferation of nationalist hackers, and who do you think poses the greater threat?
Carr: I don’t think hackers are going to waste time with anything that does not yield some type of profit. So, then it really becomes the question of what was targeted. That is how Grey Logic looks at attribution when it comes to cyber espionage; what have we tied it to what was taken, who would have reason to have entered or accessed it; it has value to what party? Then you can start narrowing the field. I categorize it in three areas, you have state actors, and state-sponsored actors, which would typically be skilled hackers who have some type of handshake arrangement, or some other compensation with the state entity, but also at the same time create plausible deniability. Then, you just have non-state actors. The best example of that is in China, when Chinese activists respond to an action that negatively affects their country. There are multiple examples of that. There is also the distinction when what you look at what is referred to as hactivists between Russia and China. In the case of China, they are defensive. People act against their country, Chinese hackers react. In the case of Russia, it is not. It is much more offensive. And there are exceptions of course, for example, Estonia in 2007 can be interpreted as a defensive action. Because the Estonian authorities moved a Russian statue and the Russian hackers reacted.
TNNI: Do you see states concentrating more on offensive or defensive capabilities?
Carr: Most large countries are developing some type of capabilities, including the U.S., Russia, China, Germany, Israel, North Korea, South Korea, and then you can assume, I think you can safely assume that other members of the European Union are also developing there own capabilities. Turkey, for example, I think it is safe to assume that they are developing, although they have not officially announced it. They have done some things, which would indicate that they are creating that capability. India, I believe, is actively involved, because China has stated development, so I am sure that India must be developing a similar capability as well. I think everybody is going to wind up doing it just simply because it is necessary from a defensive point of view.
TNNI: How serious is the threat from cyber attacks, and is the U.S. government currently taking the necessary steps towards defending U.S. networks?
Carr: I think that it is very serious, potentially extremely serious. I think that the U.S. government is taking some measures but not nearly acting fast enough or at a scale equivalent to the severity of the matter. One big example that I frequently point to is that in a most recent report put out by Host Exploit; of the top 50 badware ISPs in the world, 20 are right here in the U.S. That is just an intolerable situation as far as I am concerned because you have the capability of non-state actors using servers in the U.S. to attack U.S. interests and U.S. networks. It is just silly to allow that to continue.
TNNI: What steps to you think the United States, both from a government side and from a business side and even down to individuals, should all be taking to enhance cybersecurity?
Carr: What I just described would be in my opinion the very first step. So you require that ISP do what they are supposed to do, which is every person who is purchasing a service from them, make sure they are providing accurate WHOIS information on their domain registration and hosting agreements; name, address and contact information. All of that has to be vetted effectively. In addition, ISPs should be held responsible for crawling their servers on a monthly basis to check for malware and other illegal activities, and then shut it down until the problem is corrected or the bad actor leaves that hosting service. In addition to that, we need to recognize that we cannot defend everything. Therefore I think you need to do a survey of your assets, identify what the most critical assets are, and that is what you need to protect.
TNNI: What are some of the greatest impediments to greater cooperation, both domestically and internationally, and what can be done to overcome them?
Carr: The biggest problem is exemplified by the Russian federation. Their preference is a treaty regime to control or help govern cyberspace. What they would not agree to do is cross-border law enforcement. That is a predicament because every instance, going back to even Chechnya in 2002, Russia has engaged or utilized non-state actors to run their cyber campaigns. They will only be discovered through cross border law enforcement arrangements. A treaty would have absolutely no effect on them whatsoever. China, on the other hand, is setting, in my opinion, a very good example. They are cracking down on their internal ISPs that are hosting malware. They are making an effort to arrests hackers that engage in illegal activities, they are doing all the right things. I am not sure, frankly, if China is willing to agree to cross border law enforcement, but at least they are making the effort to clean their own house.