GCCS2015 Part II: Government Influence is the Key Issue

(As published on Norse: Feb 5th, 2015)

As we noted in Part I: GCCS2015: Battlefield for the Internet’s Multi-stakeholder Coup, the next iteration of the Global Conference on CyberSpace (GCCS2015) will be held on April 16th and 17th in The Hague, the Netherlands this year. It is the world’s premier political conference on Cyberspace.

The Internet was founded on, and has ever since been based on, the multi-stakeholder principle. That is to say: the Internet does not belong to any government, it belongs to everyone equally.

In fact, aside from lending material support, governments have had precious little to do with the development, implementation and administration of the Internet. The brunt of the work has been done by civilian institutions such as the IETF, ICANN, IANA and a whole slew of similar civilian non-profit organizations.

But as time progressed and the significance of the Internet grew, so too did the urge of the world’s governments to control it. This is signified most clearly by the continued attempts of the UN to move this piece of Internet governance away from US-based ICANN to the International Telecoms Union (ITU).

At first glance, the ITU seems innocuous enough. It has a membership of over 193 countries and over 700 commercial entities such as Apple and Cisco. However, the ITU is an agency of the UN and therein lies the rub.

The ITU is ultimately subject to the will of the UN charter members. It will face considerable pressure from many UN nations such as Russia, China and Iran, who are staunch supporters of ‘cyber sovereignty’.

The ‘cyber sovereignty’ camp considers the current state of affairs a direct threat to their national security, primarily because they have no easy way to censor content. They will no doubt push for measures stifling internal dissent and perhaps even for measures to censor content disagreeable to them.

In fact, they’ve pretty much said so.

Several blows have already been dealt to advance the power shift towards the ITU during the 2012 World Conference on International Telecommunications (WCIT), as excellently commented on by Alexander Klimburg in his article “The Internet Yalta”.

In his article he describes how China and Russia managed to sway most of the developing nations to supporting ‘cyber sovereignty’, and the whole issue devolved into essentially a two-sided issue in which the developing nations aim for governmental control of the Internet, and the Western nations prefer to keep the status quo.

There does not appear to be a middle ground. WCIT was, in this respect, a political cloak-and-dagger event of almost Machiavellian proportions.

It had it all: the polarization of the voters, sudden ‘midnight votes’ that most parties were left uninformed about, and attempts at tricking voters into voting on articles that were thought to contain something other than they did.

Both the ‘code of conduct’ and the battle for the internet’s multi-stakeholder principle shine through in the Seoul Framework for and Commitment to Open and Secure Cyberspace that was drafted for the 2013 conference in South Korea.

It is this framework that will be the key talking point in The Hague this year. The Netherlands has already stated that it would support further work on this framework, but given its democratic nature and strong culture of international trade, this is hardly surprising.

In an earlier published flyer the official statement was made that the ‘self-organization of the Internet should be supported and is preferred to regulation imposed by states’.

It can only be hoped that all sides remain cordial and that political sleight-of-hand doesn’t catch anyone off guard. The result of such an event could very well mean the end of the Internet as we know it.

The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations found that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect it to be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues as to what the point is of encrypting those files. It may simply have been a trial run to find out how well this technique works, but that is all conjecture at this point.

As an aside, it should be mentioned that the malware’s efforts in encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which abuses the standard Unicode “Right-to-left override” character (U+202E) supported by Windows and more commonly used in Arabic and Hebrew texts (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make filenames such as testU+202Ecod.scr appear in Windows Explorer as testrcs.doc, and effectively make a harmful executable look like a simple Word doc.
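As an added example that is not code from the original article, here is a small Python check a defender can run over a directory listing to surface names that carry such bidi override characters and to recover the extension the OS will actually use. The sample filenames are constructed, and the display simulation covers only the right-to-left override case described above, not the full Unicode Bidirectional Algorithm.

```python
# Added example (not from the original article): flag filenames that use Unicode
# bidirectional override characters, as in the Dorifel "testU+202Ecod.scr" trick.
# Only constructed sample names are used; nothing here touches the filesystem.

# Bidi control characters that can change how a filename is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows runs directly (assumption: a deliberately short list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def _ext(s: str) -> str:
    """Lowercased extension of s, or '' when there is no dot after the first character."""
    dot = s.rfind(".")
    return s[dot:].lower() if dot > 0 else ""


def find_bidi_controls(name: str) -> list:
    """Return (index, abbreviation) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi(name: str) -> str:
    """The name as the filesystem and the program loader see it, minus display-only controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS will use when the file is opened."""
    return _ext(strip_bidi(name))


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file listing shows: text after an RLO (U+202E) is
    rendered reversed until a PDF (U+202C) or the end of the string. This simplifies the
    Unicode Bidirectional Algorithm to the single case the Dorifel sample relies on."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible in the listing; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Classify one filename. 'disguised' means the visible extension differs from the real one."""
    shown = displayed_name(name)
    real_ext = true_extension(name)
    return {
        "name": name,
        "controls": find_bidi_controls(name),
        "displayed": shown,
        "true_ext": real_ext,
        "disguised": _ext(shown) != real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def scan(names) -> list:
    """Findings for every name carrying bidi controls, most dangerous first."""
    findings = [analyze(n) for n in names if find_bidi_controls(n)]
    return sorted(findings, key=lambda f: (f["executable"], f["disguised"]), reverse=True)


# Constructed sample listing: one Dorifel-style name, one benign name, and one RLO
# that changes the look of the name but not its extension.
SAMPLE_NAMES = ["test\u202ecod.scr", "report.docx", "notes\u202etxt.txt"]

if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES):
        print(f"{f['displayed']!r:18} real={f['true_ext']} disguised={f['disguised']} "
              f"executable={f['executable']} controls={f['controls']}")
```

On a real system the same check can be fed the output of a directory walk; any hit with a bidi control in a user-writable share is worth a closer look, whether or not the extension turns out to be executable.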

What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands (systems belonging mostly to ministries, local government and hospitals) already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place or the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?

US vs The World – The Cyber Monroe Doctrine

On December 2nd in 1823, the US introduced the Monroe Doctrine. This doctrine declared that the US would view further European interference in the Americas (the Western Hemisphere) as acts of aggression and reserved the right to an armed response. On March 10th, 2009 it was argued in front of a Homeland Security Subcommittee on “Emerging Threats, Cybersecurity and Science and Technology” by Mary Ann Davidson that this same piece of US doctrine would be a suitable candidate for application in cyberspace. You can find more information at Whitehouse.gov about this testimony, from where it has recently resurfaced on various discussion boards such as the Dutch Cyber Warfare Community group on LinkedIn (thank you Matthijs).

Not unlike other testimonies on the subject of Cyber Warfare and Cyber Doctrine coming from the US, we see a very ‘red-blooded American’ attitude seeping through, and quite frankly that’s not helping matters. I’m generally a big fan of ‘re-using’ existing laws and policies when they apply well enough to Cyber, but Davidson demonstrates a lack of true understanding of the situation. It is possible that her testimony was misunderstood or misquoted by the person who wrote the testimony excerpt, but nevertheless I would like to address a few key issues I have with the testimony.

“We are in a conflict – some would say a war. Let’s call it what it is.”
In the very first segment of the testimony, Davidson asserts a number of things that are simply incorrect. The title of the paragraph is a clear giveaway, and sets the tone for the rest of the testimony. Davidson observes that the US is under constant attack in cyberspace, and that this amounts to war. What she does here is lump together all the cyber attacks that are recorded, and make it seem like this is all part of one big cyber war. But this is not the case. I would argue that 80% (if not more) of these attacks are merely ill-advised script-kiddie attacks, maybe not even really aimed at government resources specifically. This is so common that many security people have come to call these attacks ‘internet white noise’. The remainder of the attacks might be more targeted, but their origins are at least as diverse as those of the earlier 80%. They are perpetrated by cyber criminals, stalkers, curious college students putting their class material into practice, security pentesters who overstep their bounds, bored high school drop-outs, disgruntled administrators and many more potential attackers. You just don’t know. You can’t know. There are just too many attacks from too many sources to make it feasible to chase every one of them to find out. To lump all these attacks together and paint them as a constant barrage by one enemy is not just incorrect, it’s also dangerous and foolish. If anything, you’re not in one conflict, you’re in thousands.

Even if you consider all these attacks by all these different enemies conflicts, which implies that there is some underlying plan or strategy to said attacks, it’s still a big leap in logic to call it a War. America’s habit of declaring war on abstract notions (the War on Drugs, War on Terror et cetera) may sometimes be necessary to get people to act, but in the case of Cyberspace it just doesn’t work. The Internet is everywhere and, considering the earlier clarification on the attacks, you’re attacked by thousands of enemies. What are they going to call it? “The War Against Everyone”? Actually, given the tone of the testimony I should probably refrain from giving Davidson any ideas. It is exactly this attitude that gives credence to people who claim that the war drums are being beaten unnecessarily to militarize the Internet and to reduce the rights and freedoms of netizens. Language matters. Talk of war incites thoughts of war, and it should be used sparingly.

“Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems including our defense systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you can’t win a “conflict” – or war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.”

Emphasis is mine. As previously stated, there are a multitude of conclusions you could draw from what is happening on your networks. The three points mentioned thereafter make even less sense, because she speaks about ‘winning’ the ‘war’. But what does that mean? The Monroe Doctrine referred to Military/Political consequences to Military/Political interference by foreign nations on US soil. Or rather the entire Western Hemisphere, but I digress. I mention this with emphasis because the Internet and/or Cyberspace is a different animal altogether. The majority of the cyber equivalent of ‘US soil’ isn’t actually ‘US soil’, but is owned and operated completely and totally by third parties. To further complicate matters, a large portion of that is owned and operated by third parties who are distinctly not American, such as foreign-owned corporations. Imposing a Cyber Monroe Doctrine would effectively militarize the entire US portion of cyberspace. That is, if they can ever decide on what parts of that cyberspace they could and could not call American. Davidson acknowledges this problem with the use of the term ‘turf’ but fails to grasp the severity of the problems it causes for her theory.

So that covers the underlying theory by Mary Ann Davidson, but the three ‘outgrowths’ don’t even make sense on their own. “You can’t win a war if you don’t admit that you’re in one.” Aside from the whole War statement…I mean…Really? This is a complete non-sequitur if you ask me. You could argue the exact reverse and it would be equally true (or untrue, of course). I might be piling on here, but someone should probably have told the US Senate this before the Vietnam war, which the US never formally admitted as being a War. Had they used Davidson’s logic, they would have known this was a war they could not win.

“The second is that nobody wins on defense.” This is another argument that doesn’t stand up to closer scrutiny. The Monroe Doctrine revolved mostly around defense. It was enacted to work as a deterrent to protect (not project) US interests in the Western Hemisphere. So what does Davidson envision with this statement? It seems to me that she’s calling for offensive cyber operations, which is something that isn’t covered by the Monroe Doctrine. Monroe wanted to defend his Home, while Davidson seems to want to cross the pond and kick some butt. She’s calling for a Sword to match the Shield, but doesn’t take into account that they are two entirely separate entities with entirely different properties, capabilities and logistics.

“And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.” So if I read this correctly, Davidson argues the US needs a doctrine because….well, because! This last argument isn’t actually an argument. It’s a possible answer to her first two statements and probably only included because she needed a third argument. Three arguments make it sound nice and official. And why would the US need one doctrine to cover everything? It has been my understanding that the US Government has published various doctrinal documents that cover a variety of issues, such as the International Strategy for Cyberspace. The US Department of Defense has also published a number of documents on Cyberspace over the last few years, and these map to a number of existing legal and societal principles in the offline world. These can be easily found online.

So is Mary Ann Davidson correct in her assertion that the Monroe Doctrine would be a handy fit in Cyberspace? To be honest, I don’t know. I’m not a politician and I’m not a military strategist. But her arguments are flawed and they didn’t sway me. I’m usually a big fan of a common-sense approach to Cyber-anything, and in most cases we can apply existing legal and societal frameworks just fine. But in this particular case we simply cannot forget that the US already has a potentially undue influence over the proper functioning of the Internet, and any kind of overly aggressive stance will foster more animosity between the US and the rest of the world. The Internet is, and should remain, an active demonstration of global cooperation. We would all be better off if we strived to make things safer for everyone.

Debating Cyber Warfare – Still more questions from .GOV (Part III)

In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:

In how far can international codes of conduct in using the digital domain contribute to increase Cyber Security? Can we learn from experiences with existing codes of conduct such as in the area of non-proliferation?

Fading national borders and de facto international routing of data traffic are a property of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when considering fighting cyber crime. This calls for Law Enforcement Agencies and Justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation amongst law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although not nearly as successful as we’d hope, it has had some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.

As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can provide some help with increasing security in Cyberspace. Consider the Law of Armed Conflict or the Universal Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.

Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional ‘weight’ associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict the development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the Internet and proliferation is both virtually immediate and unstoppable.

How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?

Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a better connection to NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding, and after looking at its Mission statement revolving around cooperation, I highly recommend our government does so. Aside from this centre, NATO’s own C3 agency has various endeavours with regards to Cyber Security that we here in the Netherlands might be able to benefit from.

All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.

Dutch Cyber Security Council Invested

As part of the Dutch National Cyber Security Strategy that was launched earlier this year, one of the two new entities has officially been stood up. On June 30th of this year, Dutch minister Ivo Opstelten (Ministry of Security and Justice) officially installed the Cyber Security Council. The council will be advising both government and private parties on relevant developments in the area of digital security.

The council will make a priority of IT threats, will look into the necessity for further research & development and will investigate how this knowledge is best shared between collaborating public and private parties. The council will also expressly look at basic values such as the importance of privacy and fundamental rights such as freedom of speech and the gathering of information. The foundation of the advice the Council will supply will lie in public-private risk assessments. The first threat analysis in the area of Cyber Security is expected in October this year.

According to this government publication (warning, Dutch) the Cyber Security Council has been assembled to balance the public, private and scientific communities, with a broad spectrum of relevant Cyber Security issues and angles. It will feature a dual chairmanship. The Council currently consists of the following members:

  • Eelco Blok, co-chairman of the Council, CEO KPN;
  • Erik Akerboom, co-chairman, National Coordinator for Counterterrorism;
  • Harry van Dorenmalen, on behalf of the IT suppliers, chairman IT~Office and Chairman IBM Europe;
  • René Steenvoorden, on behalf of the major IT end users, chairman CIO Platform and CIO Rabobank;
  • Frank Heemskerk, on behalf of the end users and SMEs, chairman of the ECP-EPN Supervisory Board and member of RVB Royal Haskoning;
  • Ben Voorhorst, on behalf of the vital infrastructure, operational director Tennet and member of RVB Tennet;
  • Professor Corien Prins, Tilburg University;
  • Mark Dierikx, DG Energie, Telecom and Competition, Ministry of Economic Affairs, Agriculture and Innovation;
  • Mark van Nimwegen, Board of Prosecutors General, cyber crime portfolio holder;
  • Professor Michel van Eeten, TU Delft;
  • Major General Koen Gijsbers, Chief Director Information Provision and Organisation, Ministry of Defence;
  • Professor Bart Jacobs, Radboud University Nijmegen;
  • Ruud Bik, KLPD Chief Constable;
  • Jan Kees Goet, deputy Head AIVD.

The installation of the Cyber Security Council acts as a prelude to the establishment of the National Cyber Security Centre, which is to be made operational on January 1st, 2012. The NCSC is to be the operational centre of knowledge and expertise brought together by a collaboration between the public and private sector. Though it is absolutely a positive development that the Cyber Security Council has been made operational so quickly, it is sad that the Dutch government did not provide a public course for other interested parties to participate. Obviously the first batch of members has been hand-picked and as such it could hardly be called a democratic process. Let us hope that this is changed rapidly so that more parties with experience in Cyber Security and Cyber Warfare can start assisting the Dutch government.


Security Awareness and Why Things Aren’t Improving

Earlier this week news broke of Google’s interruption of a large-scale phishing expedition, which alluded to some state involvement of China. This inspired a host of experts to write about it, and J Oquendo’s article on InfoSecIsland inspired me to write mine. In his article Mr. Oquendo asserts that it’s remarkable (read: stupid) that US officials still seem to be using commercial email services such as GMail for the exchange of security-sensitive and sometimes mission-critical information, instead of using the available high-security services offered by the US Government that they should be using. In this day and age, with a nearly constant barrage of security breaches in the news, people don’t seem to be getting any more aware of security issues.

In the area of User Security Awareness, things aren’t improving at the pace they should. The Internet (and related technology) is not New anymore. While the usage of Internet technology has grown exponentially over the last decade, its users have not grown much wiser in terms of security. Largely this is because the common online populace simply does not see the danger in having their online identities compromised; it’s too abstract a notion for most people. Until the very real and practical downside of getting compromised hits them on the nose, they won’t care. There is a whole industry revolving around protecting you from, and recovering you from, identity theft, and that is both a blessing and a warning. The many problems a person can experience from being a victim of Identity Fraud can take years to resolve. Years during which you are most likely to have bad credit (even when the bank knows you’ve been victimized!) or even be in debt for thousands of dollars for purchases you have never made. Living through such an experience is probably a real eye-opener, but we can hardly put everyone through such an ordeal just for security’s sake.

Provided all your friends would actually listen to sage advice, what would you even tell them?

Dutch National Cyber Security Strategy – Blessing or Curse?

Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well, this document has finally arrived, and can be found here (PDF alert – Dutch). It’s a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend the commercial interests, partake in the various international initiatives pertaining to Cyber and don’t rock the boat too much (cost-wise).

The document outlines the following starting points:

  • Connect and strengthen existing initiatives
  • Invest in public-private collaborations
  • Personal responsibility (referring to end users protecting their own systems)
  • Division of responsibilities among the various departments
  • Active international collaboration
  • All actions to be undertaken are proportional
  • Self-regulation if possible, legislate if not

The list obviously isn’t anything new or exciting and has the added value of being very low-cost or even free. It’s about what you’d expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:

Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centres: the National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its executing branch, and act as a place where information, knowledge and expertise is shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaboration model to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.

Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat and risk analyses so that they can chart weak spots and strengthen the segments that need fixing. The AIVD and MIVD (Dutch intelligence communities) will contribute their knowledge and, if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.

Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the ‘old days’ called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be updated in 2011 to accommodate various new factors. Through the following measures, the government hopes to create more Cyber Security momentum: