Last week, it was reported that cyberattacks on U.S. hospitals and health systems have increased this year. Clinical trials for the COVID-19 vaccine have been disrupted and hospitals’ access to patient records have been blocked as a part of ransomware attacks.
These cyberattacks may signal a wider trend. In an interview with The News-Letter, Anton Dahbura, executive director of the Information Security Institute at Hopkins, stated that future conflicts between nations may be defined by cyberattacks, not by physical combat.
“I’ve watched the evolution of how nation states are using technology against their rivals,” Dahbura said. “Clearly there’s been a trend towards expanding the concept of conflict to include cyber conflict.”
Dahbura, along with Terry Thompson, a former lecturer at the institute, and former Hopkins undergraduate Divya Rangarajan, developed the Cyber Attack Predictive Index (CAPI), an index that can be used to predict the likelihood of a cyberattack between pairs of nation states.
Thompson explained in an interview with The News-Letter that cyberattacks verging on war can damage critical infrastructure, destroy sensitive information and inflict economic or physical losses. Cyberattacks may also be used alongside more conventional forms of warfare.
The criteria for CAPI were developed from an analysis of six case studies of cyberattacks from the past 15 years. The five criteria are: the strength of the attacker’s cyber force; the severity of the grievance that the attacker feels regarding its target; the attacker’s fear regarding repercussions; the consistency of an attack with the attacker’s national security strategy; and the degree of technological vulnerabilities within the target.
Of the five categories, Dahbura explained, the two that policymakers and leaders need to pay attention to in order to reduce the spread of cyber conflict are the attacker’s fear regarding repercussions and the attacker’s national security strategy. Fear of repercussions and a robust national security policy often act as safeguards against cyberattacks.
“Countries should think carefully and ethically before developing a national security policy that promotes or permits cyber aggression,” Dahbura said.
Pairs of nation states are assigned a score of one to five in each of the five categories. The sum of the scores is used to assess the likelihood of a cyberattack between each pair. Currently, India and China are in the “Low Likelihood” category while Russia and Ukraine are in the “Extremely High Likelihood” category.
According to Thompson, assigning scores is a mix of objective analysis of open-source data and subjective judgments based on what is generally known about each pair of nation states.
“Countries like the U.S., U.K., Russia are pretty open about cyber capabilities, so we can be quite sure that we are making judgments based on objective data,” he explained. “In countries like Iran or North Korea, they don’t publish anything. So, you have to infer what their cyber force capabilities are.”
To help with monitoring the nation state pairs listed on CAPI, Dahbura and Thompson enlisted the help of a team of Hopkins undergraduates. Dahbura likes to call them “watchdogs of the world” because the CAPI Advisory Board members discuss all manner of hotspots and whether cyber conflicts will be a part of those hotspots. Seven undergraduates on the board regularly update the scores of existing nation state pairs and make recommendations of new pairs to add to the index.
Senior Becca Badon joined the CAPI Advisory Board because she is interested in how developing countries navigate the process of bridging the gap between traditional military power and modern forms of cyber power.
“I got to apply the things I learned throughout my course studies and see how traditional questions like balance of power apply in the field of cyber conflict and cybersecurity,” she said in an interview with The News-Letter.
Two members of the board — Liv Brown, a senior International Studies and Computer Science major, and Alex Osborne, a junior majoring in Computer Science — developed the website that made CAPI available to the general public. Within the first two weeks of release, there were over 5,000 unique visitors.
Dahbura noted that the purpose of the website and the Heat Index in particular is to encourage discourse about cyber conflict.
“Our target audience is rather general. Policymakers, scholars will be interested in [the Heat Index] and will have thoughts,” he said. “It is subject to debate, but that is partly what we want to do — to promote thought and discussion.”
Bringing cyber conflict to the public consciousness has become increasingly important, he said, since more nations are likely to develop a strong cyber force. Dahbura also hopes that discussions spurred by the Heat Index may prompt the audience to reckon with questions about other forms of cyber conflict. For example, if a private corporation is the victim of a cyberattack and it can detect the server the attack originates from, is it acceptable for the corporation to disable the server?
Dahbura, Thompson and the CAPI Advisory Board plan to continue to update the index. They may even include non-nation states in the index.
“For the future, we have not excluded the possibility of including non-nation states — for example, terrorist organizations,” he said. “If it is well-organized, it could be included in the index.”
Chris H. Park, a member of the CAPI Advisory Board, is a News & Features Editor for The News-Letter. He did not contribute reporting, writing or editing to this article.