Military strategists, academics, politicians, and government officials have debated the inevitability, ethics, and even the “how it will happen” of cyberwarfare for years. What, curiously, is not being discussed is what takes place when cyber hostilities stop or, more to the point, how “cyber-normal” is restored and maintained after a cyberwar. Both points are of interest with the world’s ever-increasing reliance on digital computing and the internet to augment or enable critical services.

Dr. Michael Robinson, Dr. Kevin Jones, and Dr. Helge Janicke in their research paper An Introduction to Cyber Peacekeeping (PDF) offer an especially poignant reason why looking at potential cyberwar aftermaths might be important:

“Just as the unregulated use of land mines led to indiscriminate and prolonged harm to civilians in previous wars (After the guns fall silent: the enduring legacy of landmines), the unregulated use of cyber warfare has the potential to have similar effects. This in itself could be used to argue that cyber peacekeeping is necessary.”

SEE: IT leader’s guide to the threat of cyberwarfare (Tech Pro Research)

What is cyber peacekeeping?

The first order of business was deciding what cyber peacekeeping entails. Rather than reinvent the wheel, the paper’s coauthors decided to alter the current United Nations (UN) definition of peacekeeping (Terry M. Mays), which is:

“Action undertaken to preserve peace, however fragile, where fighting has been halted, and to assist in implementing agreements achieved by the peacemakers.”

to read:

“The application of cyber capability to preserve peace, however fragile, where fighting has been halted, and to assist in implementing agreements achieved by the peacemakers.”

The researchers suggest that following the UN definition closely helps.

  • Adoption: If cyber peacekeeping can be demonstrated to work within the established framework, decision makers are more apt to adopt it.
  • Comprehension: By understanding existing doctrine, it is more likely proposed ideas will address issues significant to peacekeeping operations.
  • Integration: By sharing a common approach, cyber peacekeeping is flexible enough to either operate alone or as part of a “boots on the ground” peacekeeping operation.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic cover story)

Cyber peacekeeping activities

Besides adapting the UN definition of peacekeeping, Robinson, Jones, and Janicke adapted the following time-proven UN Department of Peacekeeping Operations activities to cyber peacekeeping.

Observation, monitoring, and reporting (OMR): OMR activities are geared to provide impartial reporting on adherence to cease-fire agreements, as well as ongoing verification of compliance. The coauthors suggest any agreement should include verbiage on the following:

  • Cessation of cyberattacks;
  • Cooperation on cybercrime/spoiler attacks;
  • Declaration of information stolen during the conflict;
  • Declaration of compromised systems, and assistance with returning control to the rightful owners;
  • Declaration of known vulnerabilities in opponent’s networks;
  • Dismantlement of botnets; and
  • Remote disablement of malware, if possible, or assistance in locating and removing malware.

The paper’s authors state that OMR is already employed in cyberspace and suggest books by Richard Bejtlich and Don Murdoch for best-practice information.

Creating a buffer zone: The coauthors once again adapted a UN definition, defining buffer zones as attack-free areas of cyberspace under the protection of cyber-peacekeeping forces. Similar to physical buffer zones implemented by UN troops, cyber buffer zones provide a deterrent by:

  • Announcing a particular site is under cyber-peacekeeping protection;
  • Placing cyber peacekeepers at backbone providers to identify and hold attackers accountable using trace-back technology; and
  • Improving cybersecurity of sites in the cyber buffer zone.

Robinson, Jones, and Janicke admit improving cybersecurity should have the highest priority–that and improving local skills to where cyber peacekeepers are no longer needed. To that end, the three researchers suggest the following already-proven methodology:

  • Drop packets suspected of being cyberattacks;
  • Block attacker IP ranges at network devices;
  • Install cyberdefenses (hardware and software);
  • Perform host hardening (patching and removal of unnecessary services);
  • Provide additional capacity to reduce impact from Denial-of-Service attacks; and
  • Provide training for local staff, enabling them to take over security.

Besides the above activities, Robinson, Jones, and Janicke suggest deploying a “cyber” version of the UN’s Disarmament, Demobilization, and Reintegration policy, where disarmament refers to disarming the software and hardware used in the cyber conflict. Demobilization and reintegration is the securing of cyber combatants and ultimately reintegrating them into peacetime activities and professions.

SEE: Cyberwar: A guide to the frightening future of online conflict (ZDNet)

Mine action v. malware action

The paper’s authors write that mine action (the exploding kind) is designed to reduce the threat and impact of mines and explosive ordinance on civilians. “Just as a field can be littered with mines during conflict, a computer system can be littered with malware,” explain the paper’s authors. “Both mines and malware remain hidden until activated or detected, and the harmful effects continue after a conflict has ended.” Figure A furthers the comparison.

Figure A

The researchers suggest that individuals and organizations may want to use the National Institute of Standards and Technology (NIST) guidelines as a template for malware action.

Looking toward the future

Robinson, Jones, and Janicke believe a logical solution is to alter current UN peacekeeping doctrines to apply to cyberwarfare. They also bring up an interesting point: “We conclude that while cyber peacekeeping is not necessarily needed today, it will be required in the near future as cyber warfare becomes more commonplace,” write the authors. “Organizations such as the UN will find it an increasing necessity to operate in cyberspace in order to maintain peace.”

Historically, being proactive has not been our strong suit; however, due to the nature of cyberspace and the seriousness of disrupting what currently exists, it might in the best interest of everyone–public and private organizations, as well as the world’s citizens–to get ahead of the curve on this one.