Cybersecurity and the dividing nature of global competing ideologies

July 6th, 2015

By Sarah De Geest – Research Assistant

Threats of cyberterrorism and cyberwar are appearing more and more in the media in one form or another. While some experts say these concepts are just hyped up by the media, others point to the fact that whilst as of now, no one has died at the hands of a cyber-terrorist act, the speed at which we develop our capabilities in cyberspace means these could very well become real in the near future. This article advocates the need for cooperation among common minded nations to address our growing vulnerability in cyberspace.

Scholars across the globe warn that cybersecurity concerns can be both overestimated[1] and underestimated. [2] Almost everyday there is a new threat, a new crisis, whether it relates to China spying on the United States, the United States spying on Germany, the United States using a proxy to spy on the EU and France, or news of intellectual property theft. One recent example: the United States realised its Office of Personnel Management (OPM) had been compromised, exposing millions of employees’ information to whomever had broken into the files (the state department is currently assessing the evidence as to who this way). A few days later another press report suggests that Chinese-based hackers gained access to classified information on millions of intelligence and military personnel (including the NSA, CIA and Pentagon). The files included detailed information on security clearance, as well as information on their family and friends.[3] So what concrete steps have countries and international institutions taken to counter serious future cyber threats, and specifically, how can or should they address them?

In a world ever more interconnected by the internet, what are the main problems that actors deal with? For the sake of a comprehensive oversight, the problems that arise from our dependency on computers and online networks can broadly be divided in three categories.

• Individuals: encounter problems like identity theft, which can translate to credit card theft – fraud – misrepresentation etc.
• Businesses: Two prominent issues are information theft in general – like client information, information with regards to the company finances, financial strategy etc. OR intellectual property theft more specifically.
• States: worry lies in the contested and rapidly evolving notion of cyberwar, which can include attacks that compromise infrastructure or system hacks that compromise information related to national security, such as: national strategies, information on government personnel, information regarding military capabilities etc.

These categories will be further explored in the article together with question of which organisations or entities would be best suited to regulate these issues. Generally, when it comes to internet and cybersecurity in Europe, a couple of overarching organisations come to mind: European Union (EU), Council of Europe (CoE) and North Atlantic Treaty Organisation (NATO). The CoE has identified cybercrime as a thread to Rule of Law and holds its cybercrime Octopus Conference 2015[4] on 17-19 June in Strasbourg to discuss common strategies and further define the rights of individuals in cyberspace. The EU has been pushing for a groundbreaking project on cyber security called the Network and Information Security (NIS) directive. Sadly, this directive has been transferred from one council presidency to the next over the past couple of years, with both Italy and Latvia have trying to get the member states to agree on the text, however Ireland and the UK stay sceptical and continue to have doubts. EU insiders suggest that the draft will be passed on to the Luxembourg presidency starting in July.[5]

As a catch all strategy against cyber attacks in general, Peter Singer and Allan Friedman propose “cyber resilience” by differentiating within the system (create intelligent defence systems all the while maintaining a workable system for the administrators).[6] These two academics argue it is absolutely impossible to defend against all incoming attacks – whether it is through the distribution of malware (like viruses, worms), a Distributed Denial of Service attack (DDoS – overwhelming systems and shutting them down) or Advanced Persistent Threads (APT – the Rolls Royce of the cyberattacks, a well-researched and tenacious attack meant for a specific target).

When we assess these categories we need to ask ourselves some additional questions: if cybersecurity relates to economic growth (which today is the currency of global power) and – how does it relate to national security? There appears to be an important overlap between the state category and the business category which makes these sectors interdependent. On a more practical note, what should any legislation attempt to regulate? If we take a look per sector it could be easier to create legislation based upon specific actors (who do we regulate) and consequences (how serious is the cyberthreat) that would need to be addressed in the fight against cybercrime as well as the introduction of incentives to strengthen cybersecurity. The biggest challenge may be how legislation and regulation can add something valuable without being outdated six months after being enacted: “We must re-evaluate our cybersecurity efforts to ensure that we can quickly exploit new technologies to deliver more effective mission results. Today, the call for speed and agility is nowhere more crucial than in our cybersecurity policies and practices.”[7]

Individuals and cybersecurity

Before getting to bigger point on how international or regional organisations can protect or regulate the primary problem areas of cybersecurity (important areas such as economic, financial market, infrastructure), it is helpful to say what we all know – but don’t all act on. We – as individuals – must be aware of the impact of cybersecurity on our own lives and the lives and computers of others. On a basic level we carry responsibility for our own cybersecurity, which is why we have to take more steps to seriously secure our every day cyber-life, meaning our email accounts, bank accounts and our computers and protect ourselves as well as the others on the internet.

Ironically[8], one of the major problems in China is the spread of malware among individuals computers. often times because illegally downloaded software[9] is vulnerable to viruses and malware while the programs do not automatically update security features. So basically they do not get the same service as paying costumers. Unsupported machines are at risk of being recruited to a major botnet army. [10] And per usual, those who control the  botnets control the damage it can do (like DDoS or other malicious attacks), making this group of unprotected computers both a risk and a source of power for China’s growing cyber army.[11]

Businesses and cybersecurity

In business we find two categories that are too often vulnerable to online invasions: the traditional private sector (banks and financial sector but also fortune 500 companies and multinationals) and the companies that constitute and support public infrastructure (such as energy providers, banks, transport companies, health sector).

The Public infrastructure sector in particular forms a problem as many of these companies expect the state to safeguard their workings because they provide public goods to individuals living in that state. Some have argued that hospitals should be included in a list of “off-limit” cyber targets and should be safe havens in a similar way in which they are protected sites during war. However this means we could leave our critical infrastructure vulnerable, if we disregard the need for its protection. Any regulation of this issue would at least be a double edged sword that creates both protection and enhances vulnerabilities. On a more practical note, the Network Information Security (NIS) directive proposes a much more useful set of requirements: ranging from mandatory security measures to reports on security incidents to national authorities. These measures are already in place in telecommunications sector.[12]

As an organisation that focuses on the European market and is mostly economically driven, the EU is primarily suited to tackle problems that businesses incur in cyberspace, as a matter of fact the EU has identified the internet as its new focus area. In May 2015 the European Commission (EC) introduced its “Digital Single Marketplace (DSM) Strategy”, aiming to create more growth through digitalisation and hopes to create a “vibrant knowledge based society”.[13] Obviously this plan and its incentives will incrementally expand the reach of the digital marketplace beyond its current boundaries. The problem that exists is that the EU has been incapable of creating a regulation that focuses on the cybersecurity aspects of this digital marketplace. Also, EU will need to implement large pieces of legislation to give substance to its DSM strategy. In conclusion, so far – the EU has caught on both on the potential of the internet for its economy and its businesses as well as the need to create a secure online environment with responsible actors. The proposal for a directive is in place, now it is up to politics to follow.

States add cybersecurity/cyberwar

Lastly there is the ever-growing tension between States in cyberspace. Is this an area that should or can be touched upon by laws on armed conflict?  Today we do not frequently see wars like we used to see in history, with armies confronting each other on a chosen battleground. These days the focus shifts more and more to insurgency, counterinsurgency and other forms of hybrid warfare, including cyberattacks. Experts have even gone as far as to suggest that UN Charter should apply to cyberwar. It remains a difficult subject, as there is no unanimity within these organisations (neither the UN, nor NATO have taken a unanimous stance). So far, cyberattacks have not yet been used in a way that constitutes an act of war. The attacks by Russian patriotic hackers in 2007 on Estonia (one of the most cyber savvy nations in the world, their government and infrastructure is the most digitalised in Europe) overwhelmed websites, of government organisations, banks, media etc. Strategically and most notably the episode existed of DDoS attacks. However, a year later DDoS attacks accompanied an actual invasion during the Russian-Georgia War that effectively prevented Georgia from communicating to the outside world while Russian tanks rolled across the border.[14]

Another example that caused heated discussion on “cyberwar” is the computer worm Stuxnet, not only did this ingenious piece of software cause actual physical damage[15], it defied commonly held beliefs on cybersecurity as it bridged the “air gap” (a physical separation between the network and critical systems believed one the only effective ways to secure a system). Stuxnet was a computer worm designed to slow down a specific nuclear reactor in Iran and is considered the very first cyber-weapon and some even go as far as to call it an act of war.[16] Its instructions were very specific, designed to cause slight disruptions in the nuclear centrifuges of a particular nuclear lab in Iran and ever so subtly slow down Iranian research on nuclear weapons.[17]

When it comes to the entities that could defend states against cybersecurity threads, international organisations like United Nations and NATO come to mind. Incidentally experts have suggested the UN charter applies to cyberspace in the Tallinn Manual, however several nations (among which the United States) object to governmental influence over internet governance.[18] The manual is an academic effort in reaction to the Estonia attacks of 2007, analysing how international law applies to cyberspace. However impressive, the manual does not have legal standing and is not internationally recognised. For example, one observer rightly noted that there is no treaty to address the issues of cyberwar and very little consent on how to address the problems such as the issue of definitive attribution (or lack thereof) to tie any attack to a specific country.[19] The best illustration of this is the Estonia attacks as these were carried out by patriotic hackers: even though the parliamentary leader Sergey Markov said this was done by his assistant, there was still no way to hold the Russian nation accountable for the actions of said individual.[20] Without international consensus, an international treaty and and body to enforce the treaty, any academic effort can only go that far. It should be noted that a 2.0 version of the Tallinn Manual will come out in 2016, the updated version expands the research scope as well as an expansion of the researchers in on the projects. The first Tallinn manual included researchers from Europe, the Commonwealth and United States while Tallinn 2.0 will include researchers or consultants from all over the world and therefore enjoy a much more global appeal.[21]

A controversial moment in internet governance history occurred in 2012 at the UN International Telegraph Union (ITU) convention in Dubai, where nations voted on a Global Telecommunications Treaty which interestingly was mostly supported by non-democratic countries, effectively putting to paper an opposite and restrictive government regulated (vs. decentralised, open, free internet) approach to cyberspace. For example, China has often suggested that internet is part of its national sovereignty. The ITU traditionally focuses on telegrams, wires, telephones and radio, it now adds a non-binding resolution on internet. While the ITU representatives state that no decisions where made on internet governance, the text does “instruct the [ITU] secretary-general to take the necessary steps for the ITU to play an active and constructive role in… the internet.”[22]

On the other side of the spectrum, democratic countries adhere to the Convention on Cybercrime introduced by the Council of Europe (which was joined by the United States, Canada, Japan and South Korea). On a similar note, a group of  autocratic countries (Russia, China, Sudan and others) proposed an expansion of International Telecommunication Union capabilities to cyberspace in 2012.  Oddly, the decision to expand ITU treaty was made by majority instead of consensus, and a new Global Telecoms Treaty was born.[23] By including the internet in the ITU responsibilities, governments would potentially get a say in how the internet is structured, paving the way for governments censorship.

The treaty was signed by 89 states total, despite United States objections (55 countries did not sign[24]).  Because of this divide, the treaty should have minor influence but remains an important, yet symbolic achievement. Interestingly, a UN report by governmental experts appears to show us a different side to the argument, in the 2013 report on developments in the Field of Information and Telecommunications in the Context of International Security the group (that included representatives from China and Russia) concluded: “…that international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”[25]  It may be interesting and cause for more in depth research in this report and the ITU treaty to see of there are (in)consistencies.

Needless to say that despite clear differences in ideology and strategy, it remains highly important to continuously look for common ground and to continue cyber talks (especially between US and China) about what construes boundaries of actors in cyberspace, in order to prevent misunderstandings.  With regards to cyberwar and the possibility to apply the collective defence principle of article 5 (Washington Treaty) on cyber attacks, NATO recently excused itself form the equation. Despite NATO’s initial reactions in the aftermath of the Estonia attacks, increasing its posture towards cyber attacks an including it in its 2010 strategic concept, it seems that for the time being NATO will take a backseat on cyberwar. The US Ambassador to NATO recently stated that “hybrid warfare is probably unsuitable for its deterrence posture and reliance on Very High Readiness Joint Task Force (VJTF)”[26], this stance could be inspired by the budgetary needs of the new high readiness task force and other budgetary reasons, or it could simply be a reflection of the political impasse. On the other hand, NATO clearly assumes the importance of cybersecurity within the organisation as it continuously sports a large list of cybersecurity related vacancies. One NATO expert has put it more bluntly: “The official response is yes, we want there to be rules of the road and to apply the law of armed conflict. But unofficially the answer is no— countries that have advanced capabilities want to preserve that.”[27]

Conclusion

As more areas in our lives are getting more interconnected[28] and more mobile, as communication between electronics are becoming the standard it is only logical that politicians and lawmakers try and find ways to smoothen out the cracks that form in this mostly ungoverned area. Looking forward it is not difficult to imagine times in which everything in ones life can be switched on or off with a button/app on your smartphone. If our lives get more and more controlled by these networks,  the question is how do we avoid becoming more and more vulnerable?

For some the answer should be found in “stronger government control” (like China) and for some it is found in the “rule of law”. On the most recent Global conference on cyberspace in the Hague, Dutch foreign affairs minister Koenders and Federica Mogherini called for “cyberspace needs stronger rule of law” and during the conference the vision of a “free, open and secure internet” was posited as the objective for the future of the internet. As we have seen, an EU directive strives to build a common framework in a critical area – public infrastructure[29]– while national security remains an area strictly controlled by the nation states (possibly supported by EU and NATO in the long run).

So, we now know some nations wish to approach the growing issues in cyberspace (more rule of law) and we know what they wish to accomplish (a free open and secure internet). From here on out, many more questions need answering – as we have seen policy makers in Europe are aware of the problem areas and even have done their utmost to secure these in the proposed NIS directive. When reading on cybersecurity incidents one comes across so many different actors, victims, attacks that saying “rule of law” in cyberspace is about as easy as saying “rule of law” in in the world. As discussed, once we broadly sketch the specific needs of individuals, economic sectors and states in cyberspace a whole range of different problems arise. Most importantly though, the very decentralised nature of the internet appears to make global governance impossible and even undesirable – not in the least because of differing ideologies on the matter. While governments can introduce educational standards (for example: target MBA programs and high school coursework), introduce incentives targeting the market  by introducing liabilities to nudge businesses investment in cyber security, we should not forget that the internet and the way in which it is governed will continue to change as future leaders will have grown up with these technologies. While the upcoming generation did grow up with it, most of us still lack technological awareness and fail to understand the most basic mechanisms that construe this vast tool. However, despite these inabilities – future leaders may be more capable to properly address the issues we struggle with today or – they may become more lacks – taking it for granted and underestimating the consequences of their actions. To end on a somewhat optimistic note, what we should remember and try to strive for is, in an ideal world it is not the internet that should be governed, its the people/actors that use it – and that does provide a viable way to approach cybersecurity legislation by governments and institutions.

^[1] T. Rid, “Cyberwar and peace: Hacking can reduce real life violence”, November/December 2013, http://www.foreignaffairs.com/articles/140160/thomas-rid/cyberwar-and-peace?cid=soc-linkedin-in-essays-cyberwar_and_peace-112013.; P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, p. 37.

^[2] G. Ingersoll, “U.S. Navy: Hackers “jumping the air gap would disrupt the world balance of power”, 19 November 2013, http://www.businessinsider.com/navy-acoustic-hackers-could-halt-fleets-2013-11. P.W. Singer and A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, p. 37.

^[3] New major hack hits spy agencies, impact “potentially devastating”, 12 June 2015,  http://thehill.com/policy/cybersecurity/244888-report-second-major-fed-hack-hit-military-intel-workers.

^[4] Info on http://www.coe.int/t/dghl/cooperation/economiccrime/Source/Cybercrime/Octopus2015/3021_30_octo15_outline_v3.pdf.

^[5] Article that points out parallel problems between NIS (EU) and GDPR (US) see Update on Cybersecurity directive – over to Luxembourg?, 15 June 2015, http://www.natlawreview.com/article/update-cybersecurity-directive-over-to-luxembourg

^[6] P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 41, 43, 44, 56.

^[7] David Wennergren, Valuing cybersecurity outcomes instead of oversight, 19 June 2015, http://fcw.com/articles/2015/06/15/comment-wennergren.aspx?utm_source=dlvr.it&utm_medium=twitter.

^[8] China is often portrayed as the country that uses cyberspace to get the information they need (be it financial records of a multinational company or the records of US security personnel).

^[9] Microsoft believes that 90% of Windows software in China is pirated, http://www.networkworld.com/article/2175675/windows/china-s-unsupported-xp-machines-hold-the-potential-to-become-a-massive-botnet-army.html.

^[10] http://www.networkworld.com/article/2175675/windows/china-s-unsupported-xp-machines-hold-the-potential-to-become-a-massive-botnet-army.html.

^[11] China’s cyber volunteers (organised by PLA) could have up to 200,000 members says P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 114.

^[12] Update on the Cybersecurity Directive – over to Luxembourg?, 15 June 2015, http://www.natlawreview.com/article/update-cybersecurity-directive-over-to-luxembourg.

^[13] http://www.natlawreview.com/article/eu-policy-update-june-2015-energy-economy-and-digital-marketplace.

^[14] P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 120.

^[15] It has been argued that cyberattacks do not belong in the category of warfare because they do cause immediate physical harm.

^[16] See article on both arguments (pro- and con- cyberwar) T. Rid, More attacks less violence, Journal of Strategic Studies, 6 February 2013 and Cyber war will take place by John Stone, Journal of Strategic Studies, 29 November 2012.

^[17] As explained in P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 114-119.

^[18] P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 123.

^[19] Is The Tallinn Manual On The International Law Applicable To International Cyber Warfare Attacks And Defence, 22 March 2013, http://perry4law.org/cecsrdi/?p=453.

^[20] Kremlin based group behind Estonia cyber attacks, 11 March 2009, http://amccright.blogspot.be/2009/03/kremlin-backed-group-behind-estonia.html.

^[21] Tallinn 2.0: Cyberspace and the law, 14 May 2015, http://www.aspistrategist.org.au/tallinn-2-0-cyberspace-and-the-law/

^[22] 89 nation sign controversial UN treaty, 14 December 2012, http://phys.org/news/2012-12-nations-controversial-telecom-treaty.html. ; Internet remains unregulated after UN treaty blocked, 14 December 2012, http://www.theguardian.com/technology/2012/dec/14/telecoms-treaty-internet-unregulated.

^[23] P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 184.

^[24] Among which the US, UK, Canada, Costa Rica, Czech Republic, Denmark, Egypt, Kenya, Netherlands, New Zealand, Poland, Qatar, Sweden.

^[25] UN Document, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 24 June 2013, http://www.un.org/ga/search/view_doc.asp?symbol=A/68/98.

^[26]Karl-Heinz Kamp, Sharpening of NATO’s “Spearhead”, March 2015, Europe’s World, http://europesworld.org/2015/03/02/sharpening-natos-spearhead/#.VV3jXWDQdUQ

^[27] P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 186.

^[28] If you need more convincing flip to the new issue of Foreign Affairs called “Hi Robot” the robots are coming. https://www.foreignaffairs.com.

^[29] Something that has already been done in the US, see transparency laws in P.W. Singer, A. Friedman, “Cybersecurity and Cyberwar: What everyone needs to know”, Oxford University Press, 2014, 228-229.