Cyber Cease-Fire: US v. China

100615-640x400

As published on Norse on October 6th, 2015

Interesting times indeed, now that the outcome of Chinese president Xi Jinping’s two-day visit to the White House last week has been made public. According to the White House press release, this is what was agreed:

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigation to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.  The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace.  The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.  China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue.  The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States.  This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.  As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.  Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

 

Second-guessing

At first glance this sounds wonderful, but it didn’t take long before the second-guessing started. With Barack Obama making statements such as “What I’ve said to President Xi, and what I say to the American people, [is] the question now is: ‘Are words followed by actions?’”.

It’s important to look at this meeting in the context in which it was held. As most people are aware, the US has been experiencing cyber-attacks almost non-stop for years now, on multiple fronts. The US criticizes China for attacking not only US government infrastructure, but commercial enterprises are suffering massive theft of intellectual property in almost every industry as well. The widely publicized OPM hackwas only the most recent event that made the American cup ‘runneth over’.

But the US is hardly the innocent victim that it portraits itself to be. Well-known whistleblower Edward Snowden revealed that the US has actively been attacking Chinese infrastructure as well, in order to ‘prepare the battlefield’ for any potential physical conflict. They have admitted doing so, but claim that no intelligence from the large cyber intelligence gathering ‘driftnet’ known mostly by its moniker PRISM is fed to American enterprises for their commercial benefit. Whether that is true, of course, remains to be seen. After all, accusations of unfair commercial advantages through government espionage have been shown to contain some substance in the past.

 

Limiting cyber-attacks

In this regard, it is not surprising that it is the US calling for an agreement on limiting the cyber-attacks between the two nations. When taking the theft of intellectual property into account, the US simply has more to lose. It should also not be forgotten that not long ago China signed a treaty with Russia that, among other things, contained a pledge that they would not hack each other. This same treaty also further solidified their efforts to influence global internet governance, about which I commented in an earlier article, giving the US all the more reason to try to calm the waters with China.

 

So what does this treaty mean?

Of the four points covered under Cybersecurity, only the first two are points with some meat to it. As also mentioned in my previous article, the Chinese are very unlikely to sign any treaty on internet norms of behavior that include a reference to the UN’s definition on human rights. The entire bullet point might as well not have been there. It is window dressing and was probably only agreed upon because it shows a willingness to ‘get along’, whether real or imagined. The last point about the ‘cyber hotline’ doesn’t actually say a whole lot at all, so let’s move on to the more salient points.

It should be noted that the US is trying to stop the attacks against American businesses while trying to keep the option of ‘battlefield preparation’ on the table. This isn’t guesswork, its public record; just look atwhat American politicians are saying on the subject. In other words, both countries now seemingly agree that attacks on government networks are more-or-less allowed, but commercial enterprises are considered off-limits. In the unlikely event that both parties actually honor the agreement, this would be a clear win for the US.

 

An unlikely agreement

And that the agreement will be honored does seem very unlikely. For one, the Chinese government has never acknowledged that it has any involvement in cyber-attacks against commercial enterprises, and it is highly unlikely that they ever will. If those attacks would now suddenly cease, it would be a tacit admission that it had such control in the first place and put the lie to every official statement the Chinese government has ever issued on this topic. Another important factor is the simple question of “Cui Bono?”. Who benefits? The Chinese would lose a very effective method for national advancement in many areas, and the only cost thus far has been (relatively light) international criticism. They would gain nothing, whereas the US would gain a stopgap in the massive IP drain.

In short: The agreement seems a bit one-sided and that does not bode well. It may well be that China agreed only to stave off the sanctions that the US has been casually dropping to the press recently. Whether China takes these sanctions seriously is debatable, because China still remains the greatest holder of US debt, which means it can give a considerable pushback. Then again, China not honoring the agreement is probably expected. Despite what some critics may say, the people involved in drafting this treaty are not fools. With this agreement on the table it makes the American case much stronger if Chinadoes violate it, as Jason Healey points out.

As always, time will tell.

 

Social Media as a Cyber Warfare Gamechanger

September of 2012 will live on in infamy for a large number of people. It was the month of the massive riots by Islamic extremists who, incited by the ever present radical imams, stormed several US embassies, allegedly over a months-old, poorly crafted Youtube video that ironically decried the violence of Islam. Most notable of which were the embassies of Egypt and Libya, where four Americans lost their lives; one of which was an American ambassador. Riots and demonstrations followed all over the globe for about a week. I say allegedly because a closer scrutiny of what happened will tell you an entirely different story.

Stoking an Insurgency
It´s not the first time that something seemingly innocuous gets blown out of proportion by religious extremists with their own agenda; some of you may recall the Mohammed cartoon riots or pick any of the incidents listed in the article by Michelle Malkin who goes into this a lot more eloquently than I ever could. Regardless, my point is that there is a lot more to this Innocence of Muslims riot than meets the eye, as the ever well-informed good people of Sofrep.com will tell you. They have a lot more information than what you are likely to have seen in the press.  The cliff notes are quite simple and a lot more easily explained than what the press is force-feeding us:

Trained soldiers executed a coordinated attack on multiple US embassies at the same time. These so-called ´rioters´ were carrying RPG´s with them. You know, as you do when out shopping on a summer day in Benghazi. Not only was this not a spontaneous event, but chatter about this meticulously planned attack was picked up by various intelligence agencies beforehand and people in Washington are now falling over each other on who to blame for this failure to act to the imminent threat. This did not, however, stop some deviously clever people from using the Innocence of Muslims video, which by that time had been on Youtube for 6+ months without anyone noticing, as a clever ruse to further fan the anti-American flames. Did I mention that all of this happened on the very significant anniversary of 9/11?

The Facebook Riots
On a much smaller scale, on Friday the 21st of September the small Dutch town of Haren came under siege by thousands of youths looking to party, who swarmed the town after one girl accidentally published an invitation to her Sweet Sixteen birthday party on Facebook to the entire world. Resulting in what is now referred to in the Netherlands as the “Facebook Riots”, a few ´friends´ of the girl decided it would be fun to relive the movie Project X and started spreading the word. Things escalated and swiftly got out of hand, requiring the riot police to act. When the smoke cleared the following morning it became clear that the rioting youths had caused damages of several million euro´s. Ever since this phenomenon took hold, attempts at recreating the carnage (Dutch link) have been springing up all over the country (Dutch link), keeping local government and police on their toes.

Tallinn´s Bronze Night
Let’s go back to Estonia in 2007: The local government in Tallinn relocates an elaborate Soviet-era grave marker of a Bronze Soldier, as well as some war graves, to a more out of the way location. What followed was two solid days of rioting (now referred to as Bronze Night or the April Unrest) and, better known in cyber security circles, the massive cyber-attacks against the Estonian parliament, banks, ministries, newspapers and broadcasters. While no real proof has been found to directly implicate the Kremlin in backing the riots or the cyber-attacks, it has since been believed to be true regardless and on March 10th 2009 a commissar of the Kremlin-backed youth group Nashi claimed responsibility.

The Innocence of Muslims riots, the Haren Facebook Riots and the April Unrest disconcertingly share a common factor: All three were incited and coordinated through the internet. The only real difference is the level of sophistication: Tallinn´s Bronze Night was more or less coordinated through various internet fora and both the Innocence of Muslims riots and the Haren Facebook riots were incited, spread and coordinated through Social Media sites Youtube, Facebook and Twitter.

The reason that I now write this piece is because I fear that this level of social manipulation can be readily adopted by foreign powers to foment troubles well outside of their own national borders. In the case of the April Unrest in Tallinn, the rioting and the cyber-attacks were all done through allegedly Kremlin-owned “assets” such as Nashi. Of course I can offer no empirical evidence to validate my fear, but I would argue that the other two cases prove you don´t need such assets to get the same results. Especially the Haren case shows that massive local damage can be done through exploiting the set of social phenomena that Social Media create and that we have barely begun to discover. It seems to me that it is only a matter of time before these social phenomena are actively exploited by those groups that are specifically suited and knowledgeable in these tactics such as Anonymous or 4Chan.

To me, indeed these phenomena feel like a weapon custom made for them. Think of it as a gross escalation of Swatting and you will understand why governments need to get a grip on this before it undermines their authority. If done right, I have no doubt that successfully re-creating the Haren case is almost as easy and almost as swiftly arranged. And these are just the groups that generally only have mischief on their mind. Can you imagine the damage that can be done this way by someone with truly malicious intentions and absolutely none of its own assets at risk? Some creative type with a long exposure to really unconventional warfare getting his cues from a government with a score to settle, and deep pockets to fund the whole thing? It’s a scary thought. If used properly, Social Media might very well be the most refined weapon for asymmetric warfare to date.

 

Dutch MoD releases Defense Cyber Strategy

At long last, the Dutch Ministry of Defense has published a crucial piece of Cyber Doctrine by publishing its Cyber Strategy [PDF Alert – Dutch]. It was given quite a nice introduction by the Dutch Minister of Defense Hans Hillen, who introduced it during the MoD’s Cyber Symposium in Breda on the 27th of june. During this introduction it was also asserted that over 90% of all attacks to Dutch military systems and networks was of Chinese origin, which made me wonder why we haven’t heard any political outcry yet, but I digress as this is not the topic I had in mind of treating today. Let’s get to the document in question: It’s a total of 18 pages long and the introduction of the Dutch Cyber Defense Strategy is, as is often the case in such documents, very telling. The language used should be looked at as defining terms by which the rest of the document can be interpreted.

In the introduction the Dutch MoD acknowledges that they use the digital domain for (satellite-)communications, information-, sensor-, navigation-, logistical- and weapons systems, that are dependent on secure internal and external networks of digital technology and that  this makes them vulnerable to cyber attacks.

They also acknowledge that other countries are developing offensive cyber capabilities and that non-state actors are also capable of forming a threat to Defense forces by attacking digital systems and networks. What’s interesting is that this strategy also acknowledges the blur of the lines between the combatant and the non-combatant, and also the blurring of the borders of any operational areas. Both are key components of the “Fourth Generation Warfare” principle and it seems that the Dutch MoD has at least partially accepted this principle. What makes this so interesting is that they are declaring that non-combatants may also be actively targeted. In essence, they are putting the world on notice that walking around without a uniform is no longer an automatic safe haven, and that if you’re involved with any kind of cyber attack, part of a militia or a terrorist, you have a bull’s-eye on your head. No matter where you are. Plain and simple.

The last paragraph of the introduction specifically mentions that the Military Industrial complex is already a major and consistent target of cyber attacks because they develop and produce high-grade military technology. The strategic and economic value of their digital assets is high and as such these need to be very well guarded, also in the Cyber aspect. This ties in nicely with my earlier articlebased on the MIVD’s yearly report.

For those interested in what official Dutch political documents and official questions this document ties into, here’s the official answer:

The Defense Cyber Strategy was created in answer to:

  • The publication ‘Defensie na de kredietcrisis’ of April 8th, 2011 (“Kamerstuk 32 733, nr. 1”);
  • The piece to be covered by the MoD in the National Cyber Security Strategy as I covered earlier (“Kamerstuk 26643, nr. 174”);
  • The advice given on Digital Warfare by the Advisory Council on International Questions (AIV);
  • The Advice Commission’s (CAVV) answer to the questions posed in “Kamerstuk 33 000-X, nr. 79”;

 Right, so we have that covered. Now let’s get to the meat of the document. From the onset it looks pretty promising. The strategy has six driving points and they are very broad (but relevant): 

  1. Creating an integral and integrated approach;
  2. Increasing digital resillience of the entire MoD (Cyber Defense);
  3. Developing the capability to carry out cyber operations (Cyber Offense);
  4. Reinforcing intelligence gathering in the digital domain (Cyber Intelligence);
  5. Increasing knowledge and innovative power of the MoD in the digital domain, including recruiting and keeping qualified personnel (“adaptive and innovative”);
  6. Intensifying collaboration nationally and internationally. 

(more…)

Dutch Military Intelligence dives into Cyber

The Dutch Military Intelligence agency (MIVD) recently released its 2011 yearly report (in Dutch). As is usual, they covered the events of 2011, but also did some forecasting for 2012. Its especially this last bit I was interested in, and im writing this in the hope that you feel the same way.

One of the most interesting facts I extracted from the report is that the MIVD will be focusing the majority of its Cyber Warfare efforts in countering Cyber Espionage. Given that this is probably the most tangible and widely represented cyber activity currently employed, I think this is a wise choice. Add that to the fact that the Netherlands is, by far, the most connected country in Europe (highest internet penetration in Europe with 83%; highest broadband internet penetration in the world with 68% of its connections at 5mbs or faster) it would probably be a safe assumption to say that our economy is critically interwoven with the Internet. Now, I know that there’s a lot to be said about the military defending a mostly commercial and/or civil commodity, but personally I’m happy with this direction. If anything, it’s *a* direction and from what I’ve seen this has not always been the case in the past.

Three other interesting tidbits that were published in the report involved the MIVD’s future collaborative efforts. One of these is a rather obvious and expected one, but it involves their supporting the Dutch Ministry of Defense with their Cyber Operations through involvement with Taskforce Cyber. A less obvious one is their intention to support in ‘cyber-aspects’ of the Dutch military industrial complex. They don’t really go into how they intend to assist, other than that it will involve working with Dutch domestic intelligence agency AIVD. This is too bad because it sounds interesting. Considering the major cyber security breaches in the past at American defense contractors such as Booz-Allen Hamilton, Lockheed Martin, L3 Communications or Northrop Grumman, it certainly sounds pertinent. They don’t mention it specifically, but odds are good that this (and only this) is what the MIVD has in mind when they mention countering cyber intelligence. Lastly, and to me this was the most interesting, they reveal their intentions to collaborate with the AIVD to set up a special SIGINT Cyber Unit (or command – this wasn’t mentioned) to generate shared cyber intelligence. Their goals for this unit are straightforward: Assisting in cyber operations in support of regular military operations, chart threats, provide excellent cyber intelligence at all times, and to assist in attributing cyber attacks.

The report also tickled my interest in ‘cyber semantics’ when the MIVD asserted that offensive cyber operations usually include the same activities as cyber intelligence and/or cyber espionage. They also mention that cyber is increasingly important in counterintelligence, and mentioned that they would be increasingly exploiting social media such as Facebook, Hyves, Twitter et cetera. An interesting side note here is that due to severe upcoming Defense budget cuts and related contract terminations, it’s been observed that everyone in the Dutch armed forces is now suddenly absolutely perfect in every way (article in Dutch), because apparently it’s gotten to the point that calling in sick is now a bad career move. Our troops should be warned that venting their frustrations through social media is probably a bad idea at this time, however much it may be valid criticism.

Taking the Crowbar to Cyber-Denying Eyes

I’ve been quiet with my blogposts lately. I know and I apologise. Between writing a lengthy article on Cyber Warfare for PenTest Magazine, writing papers for the MBA degree I am working on, and snowboarding the gorgeous slopes of Val Thorens (France), it’s been sort-of busy. I must say though, that when I sat down and went looking for a subject for a new article, the last thing I expected was that there are still actually people out there who flat-out deny the threat of Cyber Warfare. To be honest, I was dumbfounded. This next piece is, I’ll admit, a bit of a rant. Mostly because quite frankly I enjoy ranting occasionally. Consider it a brief post-holiday deviation from my usual style. Blame it on the cocktails if you must. I’ll give you a brief summary of Jerry Brito’s article. I’ll only do some minor paraphrasing, honest.

“Cyber Warfare doesn’t exist! Yes we’re being robbed blind through Cyber Espionage by nation states, but thats not Cyber Warfare. Cyber Warfare is kinetic cyber attacks! What do you mean Stuxnet? …DuQu? Yeah but those didn’t cost lives! The rest is just DDoS attacks! I can’t see any evidence to the contrary so it must be a hype. Did I mention im really comfortable here with my head resting in a hole in the ground? A bit sandy though.” 

Okay so that last sentence might have been a little less-than-true, but still. Whats worse is, is that this guy is the Technology Policy Program Director at George Mason University. When people wake up after he introduces himself (can someone please shorten that title?), people listen to this guy! Why do we let people like this represent our industry, or even anywhere near our young to educate them? It seems to me that making your own arbitrary (and apparently poor) definition of Cyber Warfare, and then discounting MOUNTAINS of evidence that undermine your point, isn’t very scholarly to say the least. It’s a bit like arguing against Darwin’s theory on Evolution by taping a bible to your forehead and plugging up your ears screaming “I CANT HEAR YOU” over and over.

Can we please stop giving a stage for these people who are obviously cherry-picking their way to an uninformed argument? I will grant you that there is still a lot of debate going on about the true definition of Cyber Warfare. There are many definitions and most are considered incomplete, too narrow or too broad. But we all agree that there is at least some element of Political Will involved, and computer systems and networks are the playground on which this assertion of said political will is taking place. Technically, Cyber Espionage often involves a pretty much equal amount of breaking-and-entering as it would be to shut down the targeted system. The difference is mostly in the intent, not the methodology. If this is committed by a nation state, or a non-state actor with political intent, then Yes: you could (and should) call it  Cyber Warfare. In this regard it is the same as a nation state sending a military airplane into enemy airspace. Whether its a spyplane, a fighter jet or a bomber, it is still politically motivated and thus could be called Air Warfare. You can’t run around yelling “DDoS don’t count!” or “It doesnt count ’till someone ends up dead!” because those aren’t relevant points in this debate. By the same token, not all traditional military operations require someone to die. You cannot discount entire swathes of activities and still expect your argument to hold water.

So that pretty much covers the faulty logic of his argument. But we’re not there yet. Even IF we would be foolish enough to accept his premise at face value, he is still factually incorrect, because he is basing his statement on two very critically wrong assumptions:

1. His own perceptions of reality and;
2. His limited understanding of the current situation.

First off, it is highly unlikely that every succesfull cyber attack is common knowledge. For a nation state to be severely compromised through cyber attacks is embarassing. These systems are supposed to be highly protected. So much embarassing, that it is unlikely that they would publicly come forward about it themselves. Iran didn’t publicly admit their Natanz site got hit with STUXNET until the attack code was discovered by (non-Iranian) security researchers. Aside from the embarassment, its also possible that admitting such weakness sends out an invitation to other would-be attackers. All things considered, I have more sympathy for governments staying quiet after a breach than I do for corporations, simply because the stakes are so much higher. In any case, Jerry’s “evidence” by which he measures his statement is almost certainly severely incomplete.

Secondly he is saying that Cyber Warfare is a hype based on his ‘evidence’ right now. But just because a cyber attack that fits his cherry-picked definitions hasnt happened yet, doesn’t automatically mean it never will! If there is one major certainty in Cyber Warfare, is that things change – and change FAST. Any information you receive is completely obsolete a second later. New attacks and even entirely new concepts of attack methodologies are developed daily. A few years ago, the US Air Force figured that there were roughly 120 countries developing Cyber Warfare capabilities. This was before major international debates on the subject started. I think its safe to assume that more countries have started a Cyber program since then, don’t you? Compared to the individual, these are all players with extremely deep pockets. Deep pockets capable of investing heavily into cyber attack research. Im sure that at least some of them managed to come up with an idea or two that hasn’t been field-tested yet, further eroding mr. Brito’s argument. Again I would ask that we stop giving airtime to these silly arguments and get back to the more important task of actually securing ourselves.

Real Bullets for Digital Attacks

In May of last year, the US Government published its International Strategy for Cyberspace. The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table. More specifically, the US government stated that it ‘encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate’ [emphasis mine]. This declaration of intent came after an ever increasing number of (detected) attacks on USG networks and systems. Development of cyber capabilities by governments worldwide are also likely to have influenced the situation.

Whatever the underlying political reasons of publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation’s Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF). In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if it you didn’t have to read it all to get to the end. One especially important aspect of this discussion is the much-debated problem of attribution. Since retalliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern. Libicki describes various scenario’s such as striking back to the wrong target or not striking at all, and how every scenario has its own consequences. Suffice to say that if you, as an attacker, hide your tracks well enough (don’t forget the cyber intelligence aspect!), you won’t have much problems with retalliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retalliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.  

You might be wondering what the point is of declaring retalliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution – No problem. So why make a public statement about how you’re going to strike back if everyone knows its highly unlikely? Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won’t copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides. Besides, and here is the succint point of it all, even though you declare that you may use kinetic military options as a retalliatory measure doesn’t mean you are immediately obliged to actually do so.

In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to declare a similar statement with regards to cyber attacks. If the Dutch government decides to take up the advice, The Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy. It doesn’t worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it. See the “Questions from .GOV” series. I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?

US vs The World – The Cyber Monroe Doctrine

On December 2nd in 1823, the US introduced the Monroe Doctrine. This article declared that the US would view further European interference in the Americas (the Western Hemisphere) as acts of aggression and reserved the right to an armed response. On march 10th, 2009 it was argued in front of a Homeland Security Subcommittee on “Emerging Threats, Cybersecurity and Science and Technology” by Mary Ann Davidson that this same piece of US doctrine would be a suitable candidate for application in cyberspace. You can find more information at Whitehouse.gov about this testimony, from where it has recently resurfaced on various discussion boards such as the Dutch Cyber Warfare Community group on LinkedIn (thank you Matthijs).

Not unlike other testimonies on the subject of Cyber Warfare and Cyber Doctrine coming from the US, we see a very ‘red-blooded American’ attitude seeping through, and quite frankly that’s not helping matters. Im generally a big fan of ‘re-using’ existing laws and policies when they apply well enough to Cyber, but Davidson demonstrates a lack of true understanding of the situation. It is possible that her testimony was misunderstood or misquoted by the person who wrote the testimony excerpt, but nevertheless I would like to address a few key issues I have with the testimony.

“We are in a conflict – some would say a war. Let’s call it what it is.”
In the very first segment of the testimony, Davidson asserts a number of things that are simply incorrect. The title of the paragraph is a clear giveaway, and sets the tone for the rest of the testimony. Davidson observes that the US is under constant attack in cyberspace, and that this amounts to war. What she does here is lump together all the cyber attacks that are recorded, and make it seem like this is all part of one big cyber war. But this is not the case. I would argue that 80% (if not more) of these attacks are merely ill-advised scriptkiddie attacks, maybe not even really aimed at government resources specifically. This is so common that many security people have come to call these attacks ‘internet white noise’. The remainder of the attacks might be more targetted, but their origins are at least as diverse as of the earlier 80%. They are perpetrated by cyber criminals, stalkers, curious college students putting their class material into practice, security pentesters who overstep their bounds, bored high school drop-outs, disgruntled administrators and many more potential attackers. You just don’t know. You can’t know. There are just too many attacks from too many sources to make it feasible to chase every one of them to find out. To lump all these attacks together and paint them as a constant barrage by one enemy is not just incorrect, its also dangerous and foolish. If anything, you’re not in one conflict, you’re in thousands.

Even if you consider all these attacks by all these different enemies conflicts, which implicates that there is some underlying plan or strategy to said attacks, its still a big leap in logic to call it a War. America’s habit of declaring war on abstract notions (the War on Drugs, War on Terror et cetera) may sometimes be necessary to get people to act, but in case of Cyberspace it just doesn’t work. Internet is everywhere and, considering the earlier clarification on the attacks, you’re attacked by thousands of enemies. What are they going to call it? “The War Against Everyone”? Actually, given the tone of the testimony I should probably refrain from giving Davidson any ideas. It is exactly this attitude that gives credence to people who claim that the war drums are being beaten unnecessarily to militarize the Internet and to reduce the rights and freedoms of netizens.  Language matters. Talk of war incites thoughts of war, and it should be used sparingly.

 Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems including our defense systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you do can’t win a “conflict” – or war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.

Emphasis is mine. As previously stated, there are a multitude of conclusions you could draw from what is happening on your networks. The three points mentioned thereafter make even less sense, because she speaks about ‘winning’  the ‘war’. But what does that mean? The Monroe Doctrine referred to Military/Political consequences to Military/Political interference by foreign nations on US soil. Or rather the entire Western Hemisphere but I digress. I mention this with emphasis because the Internet and/or Cyberspace is a different animal altogether. The majority of the cyber equivalent of ‘US soil’ isn’t actually ‘US soil’, but is actually owned and operated completely and totally by third parties. To further complicate matters, a large portion of that is owned and operated by third parties who are distinctly not American such as foreign-owned corporations. Imposing a Cyber Monroe Doctrine would effectively militarize the entire US portion of cyberspace. That is, if they can ever decide on what parts of that cyberspace they could and could not call American. Davidson acknowledges this problem with the use of the term ‘turf’ but fails to grasp the severity of the problems it causes with her theory.

So that covers the underlying theory by Mary Ann Davidson, but the three ‘outgrowths’ don’t even make sense on their own. “You can’t win a war if you don’t admit that you’re in one.” Aside from the whole War statement…I mean…Really? This is a complete non-sequitur if you ask me. You could argue the exact reverse and it would be equally true (or untrue, of course). I might be piling on here, but someone should probably have told the US Senate this before the Vietnam war, which the US never formally admitted as being a War. Had they used Davidson’s logic, they would have known this was a war they could not win.

The second is that nobody wins on defense.” This is another argument that doesn’t stand up to closer scrutiny. The Monroe Doctrine revolved mostly around defense. It was enacted to work as a deterrent to protect (not project) US interests in the Western Hemisphere. So what does Davidson envision with this statement? It seems to me that she’s calling for offensive cyber operations, which is something that isn’t covered by the Monroe Doctrine. Monroe wanted to defend his Home, while Davidson seems to want to cross the pond and kick some butt. She’s calling for a Sword to match the Shield, but doesn’t take into account that they are two entirely separate entities with entirely different properties, capabilities and logistics.

And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.” So if I read this correctly, Davidson argues the US needs a doctrine because….well, because! This last argument isn’t actually an argument. Its a possible answer to her first two statements and probably only included because she needed a third argument. Three arguments makes it sound nice and official. And why would the US need one doctrine to cover everything? It has been my understanding that the US Government has published various doctrinal documents that cover a variety of issues, such as the International Strategy for Cyberspace. The US Department of Defense has also published a number of documents on Cyberspace over the last few years, and these map to a number of existing legal and societal principles in the offline world. These can be easily found online.

So is Mary Ann Davidson correct in her assertion that the Monroe Doctrine would be a handy fit in Cyberspace? To be honest, I don’t know. Im not a politician and im not a military strategist. But her arguments are flawed and they didn’t sway me. Im usually a big fan of a common-sense approach to Cyber-anything, and in most cases we can apply existing legal and societal frameworks just fine. But in this particular case we simply cannot forget that the US already has an potentially undue influence over the proper functioning of the Internet, and any kind of overly agressive stance will foster more animosity between the US and the rest of the world. The Internet is, and should remain, an active demonstration of global cooperation. We would all be better off if we strived to make things safer for everyone.

Debating Cyber Warfare – Still more questions from .GOV (Part III)

In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:

In how far can international codes of conduct in using the digital domain contribute to increase Cyber Security? Can we learn from experiences with existing codes of conduct such as in the area of non-proliferation?

Fading national borders and defacto international routing of data traffic are a property of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when considering fighting cyber crime. This calls for Law Enforcement Agencies and Justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation amongst law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although not nearly as successful as we’d hope, they did have some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.

As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can provide some help with increasing security in Cyberspace. Consider the Law of Armed Conflict or the Universal Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.

Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional ‘weight’ associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the internet and proliferation is both virtually immediate and unstoppable.  

How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?

Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a better connection to the NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding and after looking at its Mission statement revolving around cooperation, I highly recommend our government does so. Aside from this centre, NATO’s own C3 agency has various endeavors with regards to Cyber Security that we here in the Netherlands might be able to get an advantage out of.

All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.

Debating Cyber Warfare – More Questions from .GOV (Part II)

In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three. This article will be the longest in the series due to the multi-parted nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.

Question                
In how far, and in what way, are existing international Legal frameworks relevant to behavior in the Cyber domain; specifically in relation to cyber violence? 

  • [Ad Bellum] Under what circumstances can a cyber threat be considered use of force or threatening use of force, in the sense of article 2, section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack  that justifies violence in self-defence based on article 51 of the UN Charter?
  • [In Bello] When does humanitarian law of war apply to behaviors in the Digital domain? Must these be linked to kinetic use of force? How would this, during such application, be given shape to the Law of War’s  principles of distinction and proportionality, and the requirement of taking precautions for safety?
  • How would Civil legal concepts such as Sovereignty and Neutrality be given shape in the Cyber Domain?

Relevant UN Charter articles:

  • Article 2, Section IV:
    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
  • Article 51:
    Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare. It is important that one should look to the effects of cyber attacks rather than the method or the individual components therein. In the end it is the damage dealt that bears relevance to those it is inflicted upon rather than the method. For this reason the thresholds that have bearing on the various articles in the UN Charter  we have set for conventional warfare do not necessarily change because of innovation in technology, nor do  international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack) and I feel this right remains relevant when discussing cyber warfare. I would like to point out though, that what is typical for Cyber Warfare, but uncommon in kinetic operations, is the problem of Attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes all action and reaction susceptible to a fair margin of error and so any response should be carefully considered before execution.

Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk area’s are those that affect Hospitals and Emergency Services such as Police and Ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with utmost care, and this advance in technology doesn’t change that. In this case a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. Principles of distinction between military and civilian targets, as well as proportionality should still apply when discussing the use of cyber attacks.

Civil-Legal principles
The debate surrounding legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are most likely susceptible to change as insight is gained over time. Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables, routers and maybe even airspace via satellites or Wi-Fi connections. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment in between points of departure and arrival. And what to say about being used as a proxy during a cyber attack? Without international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even using systems that are hosted on your soil. Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.

Debating Cyber Warfare – Questions from .GOV

The NCDI
A few months ago I was engaged by a friend who had desires of starting a new foundation in the Netherlands. He surmised that the Dutch Ministry of Defence could use some help in establishing proper Cyber Doctrine. Now, a scant 6 months later, we find our group is firmly set at 7 people and the foundation has officially been established. It is called the Dutch Institute for Cyber Doctrine (NCDI) and I sincerely hope you will hear more of us in the near future.

I mention the birth of this foundation because through some proper networking we’ve been asked for input by our government with relation to Cyber Warfare. The request for information contained such interesting questions that I felt I could almost dedicate an entire article on each question, and so I did. I hope to generate some really interesting debates with these questions. Without further ado, here is the first question:

“After Land, Air, Sea and Space, Cyberspace is generally considered to be the fifth warfighting domain. Based on what political and military objectives can operational cyber capabilities be developed and deployed? Please define the nature and role of operational cyber capabilities during military operations.”

An Answer
While you’ll find a plethora of discussions in which it is still hotly debated what it all means, it is very likely that future conflicts will not be ‘pure cyber wars’ in the same way we haven’t seen ‘pure nuclear wars’  or ‘pure air wars’. Instead it is much more likely that new conflicts will contain cyber attacks or cyber espionage as part of a larger strategic plan. In fact we’ve already seen it in conflicts as early as the war in the Persian Gulf in 1991, where the famous and recently deceased Robert Morris was said to have launched the first US cyber attack. Many people now ask the question what the political and military impact is of cyber warfare, and this is a very valid question. However, it should not be confused with political and/or military motive, because nothing has really changed in that regard. War is, as Clausewitz said, the continuation of Policy through other means, and that is exactly what cyber is: just another means.

With that in mind, I feel the first half of the question is somewhat flawed. Political objectives are not usually fundamentally changed by technology, though military objectives certainly can be, and with the advent of cyber warfare it is easy to confuse or even conflate the two. So for me, the question is really “What military objectives should be the focus of operational cyber capability development?”.

The answer to this question will probably always remain difficult to answer, because the technology surrounding cyberspace is continually changing. Furthermore we find that the application of said technology is ever changing as well, making it very hard to pin down exactly if and where there are any fixed strategic points or objectives to aim exploitation development to. What is a sensible and effective angle today may be completely obsolete tomorrow. Based on what we’ve seen so far (of what we’ve been allowed to see, that is), we can assume that in the foreseeable future, cyber attacks will not have a directly kinetic component. That is to say – cyber attacks don’t (and won’t) act like bullets, bombs or missiles. As we know and understand it now, it can be used as a strictly supporting function to ongoing operations. The key word here is Information – its discovery, manipulation or denial. Cyber attacks could be succesfully applied to disable a radar array preventing a strategic bombing or insertion, or more locally to disable alarm systems on a house that needs to be breached quietly. It could (and already is) be used highly effectively to break into the networks of defence contractors and steal the highly sensitive specs of enemy technology, and in turn use that information to render them harmless to your troops. Interestingly enough, you could also use it the other way around: To make your enemies see things that aren’t there, such as by flooding their radar screen with bogus information or by infiltrating and corrupting their chain of command’s methods of communication. Whatever the application, it is important to note that virtually all these attacks are of a temporary nature. They don’t really change things permanently. As such, you should not depend on cyber attacks to give you a lasting advantage. It is highly likely that the target will, at one point, discover the attack and take steps to undo it.

The bottom line is that before being able to develop operational cyber capabilities, it is important that you understand the nature of Cyber attacks. What it is, and what it isn’t. You won’t win any wars with Cyber alone, but you may be able to increase the success rate of your missions and give your opponents a very frustrating time during ongoing operations by applying this exciting new technology.