Cyber Cease-Fire: US v. China

100615-640x400

As published on Norse on October 6th, 2015

Interesting times indeed, now that the outcome of Chinese president Xi Jinping’s two-day visit to the White House last week has been made public. According to the White House press release, this is what was agreed:

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigation to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.  The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace.  The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.  China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue.  The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States.  This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.  As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.  Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

 

Second-guessing

At first glance this sounds wonderful, but it didn’t take long before the second-guessing started. With Barack Obama making statements such as “What I’ve said to President Xi, and what I say to the American people, [is] the question now is: ‘Are words followed by actions?’”.

It’s important to look at this meeting in the context in which it was held. As most people are aware, the US has been experiencing cyber-attacks almost non-stop for years now, on multiple fronts. The US criticizes China for attacking not only US government infrastructure, but commercial enterprises are suffering massive theft of intellectual property in almost every industry as well. The widely publicized OPM hackwas only the most recent event that made the American cup ‘runneth over’.

But the US is hardly the innocent victim that it portraits itself to be. Well-known whistleblower Edward Snowden revealed that the US has actively been attacking Chinese infrastructure as well, in order to ‘prepare the battlefield’ for any potential physical conflict. They have admitted doing so, but claim that no intelligence from the large cyber intelligence gathering ‘driftnet’ known mostly by its moniker PRISM is fed to American enterprises for their commercial benefit. Whether that is true, of course, remains to be seen. After all, accusations of unfair commercial advantages through government espionage have been shown to contain some substance in the past.

 

Limiting cyber-attacks

In this regard, it is not surprising that it is the US calling for an agreement on limiting the cyber-attacks between the two nations. When taking the theft of intellectual property into account, the US simply has more to lose. It should also not be forgotten that not long ago China signed a treaty with Russia that, among other things, contained a pledge that they would not hack each other. This same treaty also further solidified their efforts to influence global internet governance, about which I commented in an earlier article, giving the US all the more reason to try to calm the waters with China.

 

So what does this treaty mean?

Of the four points covered under Cybersecurity, only the first two are points with some meat to it. As also mentioned in my previous article, the Chinese are very unlikely to sign any treaty on internet norms of behavior that include a reference to the UN’s definition on human rights. The entire bullet point might as well not have been there. It is window dressing and was probably only agreed upon because it shows a willingness to ‘get along’, whether real or imagined. The last point about the ‘cyber hotline’ doesn’t actually say a whole lot at all, so let’s move on to the more salient points.

It should be noted that the US is trying to stop the attacks against American businesses while trying to keep the option of ‘battlefield preparation’ on the table. This isn’t guesswork, its public record; just look atwhat American politicians are saying on the subject. In other words, both countries now seemingly agree that attacks on government networks are more-or-less allowed, but commercial enterprises are considered off-limits. In the unlikely event that both parties actually honor the agreement, this would be a clear win for the US.

 

An unlikely agreement

And that the agreement will be honored does seem very unlikely. For one, the Chinese government has never acknowledged that it has any involvement in cyber-attacks against commercial enterprises, and it is highly unlikely that they ever will. If those attacks would now suddenly cease, it would be a tacit admission that it had such control in the first place and put the lie to every official statement the Chinese government has ever issued on this topic. Another important factor is the simple question of “Cui Bono?”. Who benefits? The Chinese would lose a very effective method for national advancement in many areas, and the only cost thus far has been (relatively light) international criticism. They would gain nothing, whereas the US would gain a stopgap in the massive IP drain.

In short: The agreement seems a bit one-sided and that does not bode well. It may well be that China agreed only to stave off the sanctions that the US has been casually dropping to the press recently. Whether China takes these sanctions seriously is debatable, because China still remains the greatest holder of US debt, which means it can give a considerable pushback. Then again, China not honoring the agreement is probably expected. Despite what some critics may say, the people involved in drafting this treaty are not fools. With this agreement on the table it makes the American case much stronger if Chinadoes violate it, as Jason Healey points out.

As always, time will tell.

 

Missing in Action: Cyber Dictionary?

092215-640x400

As published on Norse on September 22nd, 2015.

I recently stumbled over an old issue that has shown no signs of being resolved: the lack of a normalized lexicon on Cyber Security. We can’t seem to start agreeing on terminology, even though the cyber security industry is rapidly professionalizing globally and the need for a universally understood set of concepts is beginning to show. The best example of this problem is that there are at this moment roughly 28 definitions for the concept we know as “cyberspace”, with the most recent draft definition apparently being:

Cyberspace defined

Cyberspace is a global and dynamic domain (subject to constant change) characterized by the combined use of electrons and electromagnetic spectrum, whose purpose is to create, store, modify, exchange, share and extract, use, eliminate information and disrupt physical resources. Cyberspace includes: a) physical infrastructures and telecommunications devices that allow for the connection of technological and communication system networks, understood in the broadest sense (SCADA devices, smartphones/tablets, computers, servers, etc.); b) computer systems (see point a) and the related (sometimes embedded) software that guarantee the domain’s basic operational functioning and connectivity; c) networks between computer systems; d) networks of networks that connect computer systems (the distinction between networks and networks of networks is mainly organizational);e) the access nodes of users and intermediaries routing nodes; f) constituent data (or resident data).Often, in common parlance, and sometimes in commercial language, networks of networks are called Internet (with a lowercase i), while networks between computers are called intranet. Internet (with a capital I, in journalistic language sometimes called the Net) can be considered a part of the system a). A distinctive and constitutive feature of cyberspace is that no central entity exercises control over all the networks that make up this new domain. – Mayer, Martino, Mazurier & Tzvetkova (2014)

This is a considerable problem for the eventual advancement of the practice, because ‘cyberspace’ isthe root term from which the entire “cyber-everything!” craze stems, and we can’t even seem to agree on what that is, exactly. How can we properly define derivative terms from a core concept that we don’t universally agree on? What is Cyber Security if nobody agrees on what Cyber is?

Cyber-anything

The result is that cyber-anything is, essentially, a rough approximation of what we mean to say. Developments in the industry haven’t yet reached the point where this is a problem for real scientific advance because there is still so much to discover. But in the long run, if the profession is to mature and be advanced beyond the point of the initial growth spurt we are currently experiencing, people will have to perform research. Thanks to that same ill-defined cyberspace, desktop research is often largely based on searching for keywords in existing research (thank you Google Scholar!). And herein lies the rub.

As said, it’s not just cyberspace that we can’t conceptually agree on. We also can’t seem to agree on the use of other terms. For instance, the terms ‘cyber security’, ‘information security’ and ‘cyber defense’ are used liberally, and are generally used to define the same set of concepts, but not always. The term ‘defense’ (singular), ‘security measure’ and ‘security control’ are all used to describe roughly the same concept as well.

Cybersecurity strategy

Give yourself the challenge to figure out what cyber security strategy means. Some quick research will show that some authors used this term in describing “security one-liners”, such as the security principle‘Reduce Attack Surface’, whereas others use the term to describe entire frameworks. There were also authors who did not use the term “strategy” where it might have made good sense to do so.

To answer any research questions on the subject of cyber security strategies, it is necessary to first be clear on which interpretation is used. We need to know where we are now to determine where we want to go. As an industry, we have an obligation to the rest of the world to be clear in what we mean by the words that we use. Many people complain about the use of the term ‘cyber warfare’. The most common heard complaint was that talk about war incites war, and that the resultant ‘militarization’ of the internet is an undesirable state. Whether the lack of a universal lexicon is to be blamed for this, is almost certainly overstating it, but it doesn’t help either. The press loves ‘sexy’ language, and military lingo sounds very impressive. It sells. It makes for bad reporting, but when considering that we, as an industry haven’t provided them with anything better to use, maybe they are not the only ones to blame here.

The future

If the Internet has proven anything, it is that there can be cooperation on a global scale. Perhaps one of the custodian organizations of the Internet, such as the IETF, can be used as a vehicle for the development of a universal set of concepts, who knows? But it certainly is high time we get started, before the future catches up with us.

 

The Right to Strike Back

pic3-640x400As published on Norse on June 26, 2015.

Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today’s’ highly digitized society rife with cybercrime?

My position in this matter is that we should create a legal recognition of the fact that we are in a social gray area where it concerns the Internet, even if it is only a temporary recognition, and allow for somecapability to strike back at cyber criminals. As I’ve said before, humanity is only now scratching the surface of what it means, socially and culturally, to have (largely) unrestricted access to the collective knowledge of Man at our fingertips, (almost) everywhere and (almost) anytime we desire.

In virtually every aspect of the human experience, it has made its’ impact felt. The number of human lives that remain completely unchanged through some kind of information technology is rapidly dwindling to zero as technology advances, and our adoption of them continues to rise.

Under the umbrella-term “Cyber”, that is similarly revered and reviled, we are inching our way through the various aspects of our daily lives to adapt our old notions of how we ‘did things’ to incorporate the new realities we face in the Information Age. Crime, international politics and armed conflicts are among the most hotly debated topics in this regard. What I am getting at, is that in a social and cultural sense, Cyberspace can (and in my opinion should) be considered terrain in the early stages of colonization. Think of it as the New Frontier or the Wild West, if you will.

We recognize that there is this huge new area that can be explored, colonized and exploited, but exactlybecause it is new and untamed, there should be only a limited expectation of Law and Order. Certainly, in most countries the national laws have been revised to incorporate the new realities of Cyberspace. But often these amendments or new laws are only rough first drafts because very few (if any) people understand exactly what Cyberspace means (culturally and socially).

What doesn’t help is the fact that as our technology continues to advance, our uses –and in turn the consequences- are changing with it. In other words: even if we manage to define proper laws for the circumstances right now, there is a good chance that they will be outdated due to technological advances in short order. But that is not really the core issue. Having properly defined, applicable and reasonable laws is only the first step. You have to be able to enforce a law if you expect people to follow it, otherwise it just becomes little more than an advisory note. A cute bauble that the criminally inclined can have a chuckle over while they continue making money off of these exact crimes you’re trying to prevent. And that, unfortunately, is largely where we are now.

Despite being a horrible analogy in every other sense, Cyberspace is the Wild West. Law and Order is reasonably established in some areas, but for the most part you can only depend on the occasional sheriff or Ranger. As was the case in the early years of the Wild West, there –on the whole- isn’t a whole lot of coordination between law enforcement, the government and the citizenry. This can be easily verified by looking at the figures. The number of successfully prosecuted cybercrime cases is very small indeed, when compared to the number of reported incidents. Also consider that we don’t see every incident, and even when incidentsare discovered, they are not always reported. Please don’t misunderstand what I am trying to say: This is not intended as a snipe against law enforcement or the government. They are trying to get a handle on these cases. But the fact of the matter is that we have a serious lack of expertise and experience across the board. There just aren’t enough people skilled and experienced enough to make a serious dent in the numbers. Or, for that matter, to faster develop an underlying framework that makes law enforcement of cybercrime any easier.

Frameworks containing (and hinging on) effective international agreements, laws and political policy to address cybercrime are also still being developed. The often-heard argument to forbid people from striking back at cyber criminals is that to do so is anoffensive act, and not a defensive one. In other words, striking back should be considered a weapon and not a shield. In the strictest sense of the definition this is indeed correct. However, just looking at the success rate of cyber-attacks alone will dissuade anyone from the notion that a “good defense” is enough to stave off a cyber-attacker.

Even the US military, with the highest defense budget in the world, can’t prevent some attacks from being successful. In very practical terms this tells us that we cannot count on being secure when we are only allowed to defend ourselves; something is clearly missing. Perhaps that missing element is the right to strike back. To stick to the earlier analogy of the Wild West, we are unarmed and criminals are not. Essentially we are telling people not to act when they are being attacked. To trust the Police to protect us against predators. To sit still and pray that the criminals don’t find the valuables we’ve buried in the proverbial shed. But clearly the Police are not capable of doing so right now, as can be easily deduced from the figures mentioned earlier.

In my opinion this is untenable, and quite frankly I find it unconscionable to leave the average citizen as such an easy prey. During the debate I therefore argued for at least a temporary recognition that allows for striking back at our assailants, with the express goal of halting an attack. It will be interesting to see how the other panelists view it, and I look forward to hearing if perhaps there is another solution to the problems we face today.

The Problem with the Universal Right to Online Privacy

privacy(As published on Norse on April 15, 2015)

A landmark decision by the UN Human Rights Council was made on March 26th to cover privacy issues arising from the pervasive monitoring by the UK and the US, in an attempt to establish that freedom from excessive (online) surveillance is a basic human right.

The resolution was spearheaded by Germany and Brazil, where public debate about online surveillance has been most intense. Naturally, German PM Angela Merkel has not yet forgotten the fact that her mobile phone was tapped, and event went as far as kicking out the CIA station chief in Berlin.

Brazil’s President Dilma Rousseff cancelled a trip to the US in protest of the surveillance on Brazil’s political leaders. Given that it is prime US policy to keep tabs (well, and taps) on all political leaders in the entire continent of South America, there is little doubt that the sentiment is shared amongst all South American nations.

It was expected that the resolution be blocked by the US and the UK, but it was adopted by consensus and the UN will be appointing a Rapporteur in June. This Rapporteur will have the authority to “remit to monitor, investigate and report on privacy issues and offer advice to governments about compliance. They will also look into alleged violations.”

The initiative, which contains the phrase, “the rapid pace of technological development enables individuals all over the world to use new information and communications technology and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights,” sounds very compelling and a worthy cause.

However, those who are skeptical of such an initiative have much reason to be.

To start, the UN has over the years steadily ignored both Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights (where the Right to Privacy is mentioned).

This is hardly surprising since quite a number of UN member states have a rather uncomfortable record with Human Rights as a whole, and there has yet been little appetite for a clash on this subject.

Another major reason to remain skeptical is the equally uncomfortable fact that virtually 100% of all the UN member states are involved with pervasive online surveillance programs in one way or another.

In that respect there is plenty of negative sentiment to go around when it comes to online surveillance, and rightly not all of it is directed towards the US and the UK.

Even Germany, who is taking the lead in setting up this initiative, has been caught with its’ proverbial pants down when it was discovered that their own national security service BND was sharing data on German citizens with the NSA.

They are hardly alone in this: The number of European countries that hasn’t been subject to news in that area can be counted on one hand. To put forth an act that limits their own intelligence gathering operations seem counterproductive at best.

Lastly, it can be argued that the “Universal Right to Privacy” does not translate equally to “Universal Right to Online Privacy.”

However foolish it may seem, we have had a number of examples where such a translation proved much more difficult than it appeared. And these were not small topics: The laws surrounding warfare, for instance, or cybercrime.

Taking all these facts into account, it seems reasonable that this new initiative has some credibility issues. It will be very interesting to see if it develops some teeth moving forward.

Correlating and Escalating Cyber

On September 20th, CNet reported on a new wave of malware called ´Mirage´, embedded in PDF´s that were distributed through spear-phishing attacks against a multitude of targets, such as a Philippine oil company, a Taiwanese military organization and a Canadian energy firm. The attackers´ target set also included firms in Brazil, Israel, Egypt and Nigeria. Their report was based on the findings of Silas Cutler, a security researcher at Dell CTU. The researchers declined to comment on the origins of this new malware, but as we´ve seen before the characteristics of this digital crimewave are a dead match to the likes we´ve encountered during Night Dragon, Operation Aurora and pretty much everything we´ve seen coming out of China the last decade. Call me old-fashioned, but when I read attack characteristics such as these, I feel confident that a talk with the PRC is warranted:

  • Widespread – broad targeting of an entire industry, aiming for commercially sensitive data;
  • Not extremely sophisticated, just adequate to get in;
  • Supporting command and control network is highly active;
  • Attacks seem well-prepared and highly organized;
  • Some of the malware is made by the Honker Union (a well-known Chinese hacker group);
  • Command and control IP address belonging to China, as did three others that have been used in the Sin Digoo affair earlier;

Looking at this pretty much confirms that those talks US Secretary of Defense Leon Panetta had with the Chinese recently about exactly these kinds of cyber-attacks, had little effect. Considering how much American debt is held by the Chinese, you would have to ask yourself just how hard a line the US can draw against such practices, but other countries would probably do well to start talking more sternly through the diplomatic channel with China. Make no mistake: the economic damages of these attacks are so high that involvement is definitely required at the state level.

Getting out of Dodge first
So here we have a rather clear-cut case of attacker correlation which, as ever, is done pretty much after the fact by an international firm who investigated the malware. My question is: How do you deal with this as a nation, as it happens?

This one question breaks down into a number of smaller issues. First off, you´d have to establish at least somewhat formally who defends what network. And let’s be fair: if you´re a democracy, it’s unlikely to be just one entity. The second issue you have to tackle is detecting the actual attack as it happens. Some network administrators will be able to, others won´t. To be of any use on a national level, defenses on all networks should probably be somewhat similar. At least quality-wise, you´d need them to be similar otherwise you wouldn´t be able to determine the whole scope of each outbreak, even after the fact.  This begs the question as to how wise or desirable it would be to regulate information security measures in some way. In many companies, information security is still seen only as an expense and not as a requirement, even though we can cite countless examples of companies being severely damaged by successful cyber-attacks.

So let’s assume we know who defends every network, and assuming they can all detect a new wave of malware as they happen. Then what? This information is usually kept a secret (or ignored, but that’s another matter entirely) and no signals are exiting these defending parties. When is the last time you called your government after a major cyber-attack hit your company? If you can answer that question, you´re really in a minority and most likely operating in a heavily regulated industry such as Finance or Healthcare. The rest is pretty much left to fend for itself. Attacked entities need a local place to send information about these attacks. I would argue that for governments to be able to correlate various cyber-attacks, it must first have a central authority to which each entity can report attacks on their networks and systems. I haven´t heard of any country having this, but a while back a couple of my friends here in the Netherlands started talking about the lack of such an authority. This was thought up during a brainstorming session at the Dutch MoD and initially dubbed a Security Operation Center (SOC). Even though I feel this name is somewhat ambiguous, let’s keep it for now. Given its national scope, we should probably stick to the CERT naming convention and call it GOVSOC.

Alright, then what?
At the risk of becoming repetitive, let’s assume for now that such a GOVSOC is formed and operational. You´d then need to devise thresholds and escalation paths, along with policies to deal with all eventualities. You´d also need some pretty good agreements with law enforcement, the military and civil government. All three of these parties need some kind of mandate to be able to act on information. It would also need to be covered how each of these parties will act on given information. In case of an actual cyber-attack wave being detected, it would first need to be established on whether there is nation-state involvement or if it´s cybercrime. In case of nation-state involvement, what would you want your government to do? Even when you´re certain who did what, what are thresholds to acting on it? How big must the damage be before diplomatic relations deteriorate? Is this affected by how much you engage in these activities yourself?

Maybe I’m wrong, and I sure hope I am, but I haven´t heard of any country getting to this point yet. Many have been debating these and similar questions, but how about some action? For instance, in the Netherlands the National Cyber Security Center (NCSC) seems like a great candidate to embed that GOVSOC function in. Its government, but it’s a public-private collaboration. If you know of any such developments in your country, please share it with me.

Cyber – Boundless Nonsense

In the Cyber industry, there is much to gripe about. We have a lot of very vocal experts out there, and roughly the same amount of opinions as there are experts. Most of the times, the differences of opinion are really just people being pedantic (or clueless) and while this is a detriment to the entire industry, we have bigger fish to fry. Some notions out there are just plain wrong, and they lead to really poor laws or national policies. If you’ve read any of my previous articles, you may know that when I go off on a tangent, my rants usually involve people who claim cyber warfare doesn’t exist. But the pundits have been strangely quiet on this topic lately, and so it leaves my hands free to chase another topic that’s been bothering me lately. Quite frankly I’m a bit surprised that I haven’t seen more articles on this subject, but here we go anyway:

Cyberspace is NOT without borders. Cyberspace DOES have boundaries.

As any IT person with a basic education in networks & systems will tell you, networks are made by connecting physical networking devices. These devices obviously occupy a physical space somewhere, making them susceptible to the national (and possibly international) laws of the country they are in. You can even configure most networking devices to only service a subset of internet traffic or, and this is especially relevant in this context, deny service to internet traffic involving certain geographic regions. In other words: if you run a country that is geographically wedged in between two countries that are at war with each other, you CAN opt to cease routing their internet traffic. It may not be easy, and it may not be politically useful, but it is certainly not impossible. Back in 2007 during the cyber attacks on Estonia, the responders actually mitigated much of the barrage of DDOS attacks arrayed against them by dropping large portions of international internet traffic.

The question is: What is neutral behavior in the context of cyber warfare? Are you, as a neutral country in the scenario described above, obliged to drop all traffic between these two nations that crosses your national networks? And if you’re not, are you obliged to make sure none of the cyber attacks are originating from compromised systems within your borders? Given the stakes involved, you may want to do that anyway. Simply dropping traffic might be easier though.  But what if dropping traffic from either side gives offense or is considered a hostile act? This can quickly develop into a political conundrum either way.  There is no official “right answer” yet, so for now governments will have to decide this on their own.

A more interesting question is: What constitutes our digital territory online? Our geographical borders are usually quite well defined, but 90% of the hardware on which the internet is built, is commercially owned and maintained. Would this mean that networks owned and operated by foreign companies are to be considered foreign territory? Does this automatically make them susceptible to the laws of the country that they originate from or registered at? But what about networks that aren’t owned by any official entity? And what about wireless networks? How would you treat areas that are covered by multiple wireless access points? If you look at the way territorial borders are handled by governments in physical space, I see no reason to treat cyberspace differently. In fact it’s probably a much easier approach to just declare the entire electromagnetic spectrum inside national borders as national territory than to figure out some new approach “just because it’s cyber”. You can even re-use the notion of Extraterritoriality or the special privileges as described in the Vienna Convention of Diplomatic Relations [PDF Alert].  Considering how international collaborations against cybercrime is currently being approached, we’re actually pretty much doing this anyway.

In conclusion, I would ask that experts and organizations such as RAND [PDF Alert],  Margaret Chon (Seattle University School of Law), NCCIC  and the Stanford Law Review (just a random grab) either develop a better understanding of cyberspace or be more clear about what they mean. In all fairness, I haven’t read the complete works of all these authors. They may actually understand what I just covered and if you read closely enough, they might not even be (technically) wrong. Nevertheless they give off the sense that cyberspace doesn’t have any borders and this is simply a poor representation of reality. The differences between Cyberspace and Physical space are not so big that we need to reinvent the wheel for every policy, law or process we have.  Let’s be sensible and re-use what we already have.

Debating Cyber Warfare – More Questions from .GOV (Part II)

In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three. This article will be the longest in the series due to the multi-parted nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.

Question                
In how far, and in what way, are existing international Legal frameworks relevant to behavior in the Cyber domain; specifically in relation to cyber violence? 

  • [Ad Bellum] Under what circumstances can a cyber threat be considered use of force or threatening use of force, in the sense of article 2, section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack  that justifies violence in self-defence based on article 51 of the UN Charter?
  • [In Bello] When does humanitarian law of war apply to behaviors in the Digital domain? Must these be linked to kinetic use of force? How would this, during such application, be given shape to the Law of War’s  principles of distinction and proportionality, and the requirement of taking precautions for safety?
  • How would Civil legal concepts such as Sovereignty and Neutrality be given shape in the Cyber Domain?

Relevant UN Charter articles:

  • Article 2, Section IV:
    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
  • Article 51:
    Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare. It is important that one should look to the effects of cyber attacks rather than the method or the individual components therein. In the end it is the damage dealt that bears relevance to those it is inflicted upon rather than the method. For this reason the thresholds that have bearing on the various articles in the UN Charter  we have set for conventional warfare do not necessarily change because of innovation in technology, nor do  international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack) and I feel this right remains relevant when discussing cyber warfare. I would like to point out though, that what is typical for Cyber Warfare, but uncommon in kinetic operations, is the problem of Attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes all action and reaction susceptible to a fair margin of error and so any response should be carefully considered before execution.

Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk area’s are those that affect Hospitals and Emergency Services such as Police and Ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with utmost care, and this advance in technology doesn’t change that. In this case a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. Principles of distinction between military and civilian targets, as well as proportionality should still apply when discussing the use of cyber attacks.

Civil-Legal principles
The debate surrounding legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are most likely susceptible to change as insight is gained over time. Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables, routers and maybe even airspace via satellites or Wi-Fi connections. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment in between points of departure and arrival. And what to say about being used as a proxy during a cyber attack? Without international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even using systems that are hosted on your soil. Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.

Dutch government to design Cyber Defence doctrine

Cyber WarfareIn the past I’ve always said that the Dutch government needs to do more in the area of Cyber Warfare / Cyber Security because there didn’t seem to be too much going on. Our Defence department didn’t post anything about starting up a Cyber Command, nor was there any government activity to be seen. However, though it wasn’t easy to find, there does finally appear to be some movement on the horizon.

During a meeting about the 2010 Defence budget, members Knops (CDA), Voordewind (CU) and Eijsink (PVDA) established that there was no mention of Cyber Warfare in the budget. They note that Cyber Warfare is an issue of great concern, and submitted motion 32 123x nr. 66 (in Dutch) to start interdepartemental development of a Cyber Security Strategy and urges The Netherlands to start actively participating in NATO initiatives on the subject.

In a letter by the Minister of Defence (again in Dutch), Eimert van Middelkoop acknowledges that rapid developments in technology have also led to certain threats such as cyber crime and cyber warfare. He describes what is understood by the term Cyber Warfare and how it relates to his department, along with how various other ministries also have responsibilities regarding cyber security issues.

A brief overview:

  • Interdepartmental coordination of Cyber Security in general is handled by the Ministry of the Interior through the National Security Program;
  • Cyber Crime is handled by the Ministry of Justice;
  • Cyber Terrorism falls under the National Coordinator of Counter-Terrorism (NCTb);
  • Cyber Defence is a shared responsibility between the Ministry of Defence and the Ministry of the Interior;
  • National Critical Infrastructure is handled by the Ministry of Economics

Minister van Middelkoop asserts that commercial parties also have a role to fulfill in the development and implementation of a cyber security strategy, to which I can only wholeheartedly agree. The next paragraph of this most clarifying letter confirms the existance of the Defence departments’ own CERT (DEFCERT), and its responsibilities towards defending its networks. In a separate letter he mentions that DEFCERT is growing and is expected to be fully operational in 2012.

Probably the most important information that can be obtained from this letter is in the final paragraph. It contains The Netherlands’ intentions in this area, which resemble those of Great Britain:

  • Creation of a Cyber Defence doctrine and implementation of a strategy;
  • Development of a Cyber Incident Responce strategy;
  • Investigation of Cyber Intelligence Gathering and the legal ramifications thereof;
  • Establishment of bilateral communications and best practices with NATO and the CCDCOE in Tallinn, Estonia

Compared to what has been released by the Dutch government on this topic, its a lot of information that suddenly became available. As a concerned Dutch citizen, I am very happy to see that this threat is finally addressed. With the dependency on technology growing every day, cyber security will continue to grow in importance along with it. If we do not work towards creating a safer cyberspace now, the consequences could be dire.

“Threat of cyber war is overhyped” – Bruce Schneier

Bruce SchneierThis month’s Ostrich Award would have to go to Bruce Schneier for his opinion piece on CNN.com. In it, he states that he’s seeing  a power struggle in the US government about who’s in charge of Cyber Security. In a surprizingly anti-establishment departure from his normally so levelheaded approach, he surmises that there’s some kind of goldrush going on that the Military is winning. By continuously beating the war drums, says Schneier, the Internet may become militarized and we can infer by this rhetoric that “citizens lose” when that happens. However: what he’s really seeing is the various branches of the armed forces rushing to finally defend the networks they were already supposed to be defending.

His article quotes people like Richard Clarke, General Keith Alexander and NSA Director Mike McConnell whom, according to Schneier, have all been actively hyping the dangers of cyber war just to get a leg up for their respective agencies. In a dangerous demonstration of sticking one’s head firmly in the sand, he goes on to point out that what we’ve seen so far is nothing but a little cyber espionage and little kids playing ‘hackerz’ on the internet. Sadly, by doing so he is dismissing the overwhelming evidence out there of the state-level involvement by multiple countries with the planting of logic bombs in national power grids (not just in the US) to what is seen by the military as ‘preparing the battlefield’. He also essentially dismisses cyber espionage being an act of war because we can’t properly attribute it, even though we’re seeing a massive exfiltration of data in virtually all fields (military, commercial and political). No reasonable person would consider it a minor infraction if this had been done by spies in the field – attributed or not. Apparently, the fact that its ‘only digital’ espionage makes it harmless.

Schneier concludes that this whole beating of the war drums reinforces the notion that we’re vulnerable. Well Yes Bruce, have you considered that this might be that its because you are? Really, you should do a little more research about discovered breaches into armed forces networks (SIPRNET et al) and critical infrastructure networks before writing this stuff. There are tons of articles out there that would further discredit your opinion piece on CNN. You could also go ahead and pick up a few books like Richard Stiennon’s Surviving Cyber War or Jeffrey Carr’s Inside Cyber Warfare. Hell, even Richard Clarke’s Cyber War contains some interesting stuff that you can actually go out and validate yourself.

If nothing else, you could go by the notion that if something is possible, you can bet that someone is doing it.