Information Security, Post-Snowden

As published on Tripwire’s State of Security:

The revelations regarding the extensive digital intelligence gathering programs of the American National Security Agency by Edward Snowden won’t have escaped your notice. Since the first reports around June 5th of 2013, the hits have not stopped coming; each consecutive unveiling being of larger scale, depth and intensity than its predecessor.

It is interesting to note that Snowden was hardly the first whistleblower on the massive internet espionage operation by the US government. On January 20th 2006 an employee of AT&T approached the Electronic Frontier Foundation (EFF) with proof that AT&T was cooperating in an NSA intelligence program and on july 2nd 2012 three NSA employees shored up a lawsuit by that same organisation.

The facts are hard to ignore: wiretapping heads of state[1], allied or not[2], hacking telecom corporations[3], large scale internet wiretapping[4] and forcing American technology firms to provide access to customer information[5] or worse: building a backdoor into their products[6]. Summing matters up sometimes stretches the bounds of credibility.

As Jacob Appelbaum put it during his talk at the German CCC conference late last year, the NSA´s operations have really only been limited by Time. Had Snowden waited another year, chances are that we would have seen even bigger programs come to the surface. And perhaps we still might; if Snowden is to be believed we haven’t seen the last of his work.

The impact on our online privacy is consistently mentioned by the various news media. Organisations of all sizes and nationalities are asking themselves just how safe their data is. Do they have unwanted American visitors on their network? How are they going to keep out the NSA? Or other intelligence agencies? Cán you keep them out at all?

In my opinion, these questions aren´t simply valid, but due to the immensity and depth of these intelligence gathering programs and the long list of involved corporations, a considerable bit of research should be more than warranted.

Thanks to Snowden´s revelations we have enough material to make three assumptions:

  • Virtually all the internet traffic is tapped. Because it’s not just the NSA spying on internet traffic but –to varying degree- almost every national intelligence agency on the planet, there is a reasonable degree of certainty that all of our traffic is intercepted and looked at, regardless of where it´s going or where its´ coming from. In case you´re wondering, this certainly includes smartphone traffic.
  • American and British hardware (laptops, desktops, servers, USB devices, mice, keyboards, smartphones et cetera) are very likely all compromised by a backdoor through which remote access can be obtained. If it hasn´t been built in during fabrication, it could still be inserted during transportation, with the aid of transportation firms[7]. For safety sake it is reasonable to assume that Canadian, Australian and New Zealand firms are performing such tasks for their respective intelligence agencies as well, given that these countries are also part of the Five Eyes intelligence gathering pact between the US, UK, Canada, Australia and New Zealand.
  • We cannot trust American technology firms. It is unfortunate for those that haven´t been compromised, but due to American anti-terrorism laws you simply cannot trust them you’re your data. Whether they are paid or forced to cooperate is, in the end, unimportant for you; they willprovide the NSA with intelligence or build those backdoors into their products that are so prevalent and so desired. Your data simply isn´t safe with American online service providers, and thanks to the PATRIOT act it doesn´t even matter if the data itself is on US soil or not. It also doesn´t matter if you are not American. Or if you´re a citizen of an allied country. The American justice system pretty much completely ignores non-citizens and as such, virtually everything done to your data is considered legal. Your data can be reached and inspected regardless of where it resides, and they do it on a shockingly large scale. Here too, it would be wise to lump British, Australian, New Zealand and Canadian firms in on this.

And its not just US firms that have been exploited in such a fashion. Among the firms on the list below you will also see enterprises that have a lot to lose if banned from the American technology market, such as Samsung. Lets put some names to faces. Do you have products in your network or at home that are made by these companies?

Then you almost certainly have a backdoor into your network through which the NSA can enter your network unseen. Perhaps more than one. And now that it is public knowledge that these backdoors exist, it is highly likely that they are exploitable by other parties as well.

pic

The US is, thanks to strong representation in the Technology market, in a very comfortable position where gaining remote access is concerned. This doesn’t stop other nations from attempting the same level of access or intelligence, and quite successfully.

China, Russia and Iran also developed strong Cyber programs of which digital espionage is a substantial element. Closer to home the French DGSE was embarrassed by sudden publication of their own cyber espionage program, not a week after they publicly denounced such practices. Israel has also been known to have a very effective digital intelligence gathering program.

If you still have doubts about whether or not you might be compromised, the EFF has published an electronic file[8] containing exactly what vendors and their respective products give unwanted access to commercial networks. You will encounter the term “persistent backdoor” very often, which means that there is a built-in back door in the product through which unauthorised access to the network is easily attained.

They work virtually the same as the software companies install so that their employees can work from home, with the notable exception that your organisation doesn’t know, support or condone about this ‘feature’ of the products they installed and considered safe.

So why should companies care about this? You’ll often hear the argument that such programs revolve around national security, and is an affair between nation states, not commerce. And yet there have been several cases that show that this is certainly not always the case. Information obtained by national espionage programs can easily be used to great commercial advantage.

There are some prime examples in which national intelligence agencies provided firms with information that gave them a competitive advantage during critical moments while competing with foreign competitors, such as during the negotiations of lucrative contracts. On July 5th 2000 the European Parliament launched an investigation into contract negotiations taking place in Brasil in 1994.

In this case the French firm Thomson-CSF lost a contract to the American defence contractor Raytheon to a tune of $1.3 billion because Raytheon had received crucial information intercepted by an American intelligence agency. In 2000, aircraft manufacturer Airbus lost a Saudi contract worth $6 billion to American firms Boeing and McDonnell Douglas in equal fashion.

Both these incidents took place during the ECHELON program, an earlier iteration of the PRISM program that we have heard so much about in recent months. The amount of data that is being intercepted and monitored makes the ECHELON program pale in comparison.n

Whether you do business internationally or not, having intruders on your networks and mobile devices are almost certainly unwanted. There are ways to defend yourself, but depending on which hardware and software you are using, you may have to start looking for different vendors offering similar products.

This isn’t always practical. Imagine replacing Microsoft Windows with a Linux distribution on all of your systems. This may not be feasible due to lack of staff capable of supporting Linux. Replacing servers, desktops, laptops or networking equipment with equivalent products made by vendors of a different nationality can be difficult, but you could still take steps in the right direction.

For instance, if you are currently using remote access tokens by RSA[9], you may want to consider replacing them. By its very nature, remote access technology is an exceptionally critical service that can immediately defeat all of your network security measures. Whether you will be safe after a full overhaul of your network will likely always remain a mystery; Snowden or some other whistleblower might implicate yet more firms that are complicit with national intelligence agencies.

To have a realistic chance at securing your network, it must be capable of segmenting your various suppliers and vendors. Ideally your network architecture is designed in such a way that no single vendor or supplier can compromise the entire network by itself.

Outsourcing your data or network services to a cloud provider is equally a hazardous idea. You have to be absolutely assured that your provider does not store your data outside your nation’s borders, which would open up avenues for foreign entities to gain access. Most nations have laws in place for their intelligence and law enforcement agencies to obtaining access to systems within their sovereign territory with or without the consent of its owner.

If you have assured yourself that your cloud provider won’t suddenly change its policy. Be aware that most of the firms implicated by Snowden have kept -or have been forced to keep- silent about their assistance to the NSA. If your privacy has been violated, you may learn of it much too late or not at all.

Also, it is critical that you encrypt your data. This includes both data in transit and data at rest, so the smart move is to not leave any data unencrypted on online services such as Dropbox. Be sure to use encryption that is not commonly used on the Internet, or made by any of the implicated firms listed above.

The NSA, and more than likely many intelligence agencies with them, is especially capable of cracking the most used encryption methods such as SSL[10] (Secure HTTP, which ensures that well-known lock icon in front of a web address in your browser). Custom, strong and domestically made crypto technology is the best choice to protect both your network traffic as well as encrypting data storage devices[11].

Finally, it is important that you have a strong identity & access management program. None of the measures above amount to very much if an employee or supplier has access to your network and happily provides this access to a third party with bad intentions.

Protecting information today is more complex than before. To have a chance at keeping unwanted visitors off your network tomorrow, you must lay the foundation today. Although this can be a considerable undertaking, you can at least be assured that it will not get any easier. The time of leaning back casually without having to worry about security has certainly passed.

picAbout the Author:  Don Eijndhoven (@ArgentConsulting), Chief Executive Officer of Argent Consulting B.V, lead cyber security architect and guest lecturer Cyber Resillience at the Nyenrode Business University. Don can be reached at d.eijndhoven@argentconsulting.nl.

Trojans for the Bundestag – German PD acquired Finfisher

FinfisherIn December of last year, the German public prosecutors’ office had declared that there was no legal basis for the use of the so-called “Bundestrojaner” spyware, which was used to spy on German citizens. On top of it being illegally used, it was also found to be of very poor quality by extensive research performed by the Chaos Computer Club. In a surprising turn of events, German political platform NetzPolitik.org has now uncovered secret documents belonging to the Ministry of Finance, that the Ministry of the Interior sent to the Bundestag (the political seat of Germany) that reveals the German Federal Police’s intention to use Gamma Group’s Finfisher spyware to do the exact same thing.

Finfisher is quite an elaborate suite that allows for remote take-over of both computer systems and mobile devices such as iPhones, Androids, Blackberries and Windows Mobile-phones by pretending to be a software update. Gamma Group sells this product to dictatorial regimes all over the world, and that says a lot. What is also quite interesting is the presence of the logo for the UK’s Home Office and a link to its’ premier Security & Policing Exhibition. Does this imply that the UK government also purchased this product? Wikileaks recently published a document that looks like Finfishers’ marketing brochure and it is certainly geared towards the more modern police forces, as it sports solid integration with LEMF, which stands for Law Enforcement Monitoring Facility.

In august of last year, Bloomberg published an article that reported Finfisher presence on 5 continents and analysis performed by Rapid7 indicated its presence in at least Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, Bahrain  and the United States.  Now, of course this is not concrete proof that these governments actually use Finfisher, but Gamma Group is based in the UK and they have placed this software in the category of goods requiring an export permit because of the restrictions on exporting such digital weapons. Combined with how Gamma specifically markets Finfisher as ‘Governmental IT intrusion‘, it is highly unlikely that the British government would allow legitimate export to be done to just anyone. In a similar story posted by the New York Times, Bloomberg spoke to Martin J. Muench, who is managing director of Gamma International, and he stated that they had not sold their product to Bahrain and the malware that was found must have either been a stolen demonstration copy, or reverse-engineered by criminals.

To be clear, the use of this software is highly questionable. A while back the Dutch Minister of Safety and Justice Ivo Opstelten revealed that a plan was in the works to change the law so that it became allowed for the Dutch police to hack systems belonging to suspects. This led to international resistance and an open emergency letter [PDF warning - Dutch] was sent to the Minister to have this plan terminated because it was a gross violation of privacy. Apparently Germany is already at least one step further than this, having purchased the software already. Is this the future for the Netherlands as well? Will Minister Opstelten dust off his ill-advised plan and follow Germany in purchasing this software? I hope not. Not only is the Dutch police severely understaffed as it is, it also has a serious history of bending (or outright breaking) the rules and violating people’s rights when it comes to (ab)using technology such as this. And just how long will it take before hacking a suspects’ computer will no longer require an approval from a court judge? Where is our oversight then?

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows for the US government to access information stored in the Cloud, by (ab)using the PATRIOT act. Multiple Dutch politicians have started asking questions from state secretary Teeven of the Justice department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer. Unsurprisingly, he confirms that the issue is real, but does not answer the question about whether he knew about this beforehand. He goes on to saying that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else.

What surprises me, is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT act have long been known, and its effects have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users –and data- are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia. This is (most often) invisible to the end user, and very often special effort is made to keep this invisible to the end user, and to make it one big system regardless of what server you are connecting to, or from where. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid – not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question as to what country’s laws this system –and more importantly the data on that system- is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia. You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated to either all the systems all over the globe, or replicated between central data storages all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory –this depends on what laws exist in said country- demand access to this data. The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you can not trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you –and only you- remain the only person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the internet.

US vs The World – The Cyber Monroe Doctrine

On December 2nd in 1823, the US introduced the Monroe Doctrine. This article declared that the US would view further European interference in the Americas (the Western Hemisphere) as acts of aggression and reserved the right to an armed response. On march 10th, 2009 it was argued in front of a Homeland Security Subcommittee on “Emerging Threats, Cybersecurity and Science and Technology” by Mary Ann Davidson that this same piece of US doctrine would be a suitable candidate for application in cyberspace. You can find more information at Whitehouse.gov about this testimony, from where it has recently resurfaced on various discussion boards such as the Dutch Cyber Warfare Community group on LinkedIn (thank you Matthijs).

Not unlike other testimonies on the subject of Cyber Warfare and Cyber Doctrine coming from the US, we see a very ‘red-blooded American’ attitude seeping through, and quite frankly that’s not helping matters. Im generally a big fan of ‘re-using’ existing laws and policies when they apply well enough to Cyber, but Davidson demonstrates a lack of true understanding of the situation. It is possible that her testimony was misunderstood or misquoted by the person who wrote the testimony excerpt, but nevertheless I would like to address a few key issues I have with the testimony.

“We are in a conflict – some would say a war. Let’s call it what it is.”
In the very first segment of the testimony, Davidson asserts a number of things that are simply incorrect. The title of the paragraph is a clear giveaway, and sets the tone for the rest of the testimony. Davidson observes that the US is under constant attack in cyberspace, and that this amounts to war. What she does here is lump together all the cyber attacks that are recorded, and make it seem like this is all part of one big cyber war. But this is not the case. I would argue that 80% (if not more) of these attacks are merely ill-advised scriptkiddie attacks, maybe not even really aimed at government resources specifically. This is so common that many security people have come to call these attacks ‘internet white noise’. The remainder of the attacks might be more targetted, but their origins are at least as diverse as of the earlier 80%. They are perpetrated by cyber criminals, stalkers, curious college students putting their class material into practice, security pentesters who overstep their bounds, bored high school drop-outs, disgruntled administrators and many more potential attackers. You just don’t know. You can’t know. There are just too many attacks from too many sources to make it feasible to chase every one of them to find out. To lump all these attacks together and paint them as a constant barrage by one enemy is not just incorrect, its also dangerous and foolish. If anything, you’re not in one conflict, you’re in thousands.

Even if you consider all these attacks by all these different enemies conflicts, which implicates that there is some underlying plan or strategy to said attacks, its still a big leap in logic to call it a War. America’s habit of declaring war on abstract notions (the War on Drugs, War on Terror et cetera) may sometimes be necessary to get people to act, but in case of Cyberspace it just doesn’t work. Internet is everywhere and, considering the earlier clarification on the attacks, you’re attacked by thousands of enemies. What are they going to call it? “The War Against Everyone”? Actually, given the tone of the testimony I should probably refrain from giving Davidson any ideas. It is exactly this attitude that gives credence to people who claim that the war drums are being beaten unnecessarily to militarize the Internet and to reduce the rights and freedoms of netizens.  Language matters. Talk of war incites thoughts of war, and it should be used sparingly.

 Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems including our defense systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you do can’t win a “conflict” – or war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.

Emphasis is mine. As previously stated, there are a multitude of conclusions you could draw from what is happening on your networks. The three points mentioned thereafter make even less sense, because she speaks about ‘winning’  the ‘war’. But what does that mean? The Monroe Doctrine referred to Military/Political consequences to Military/Political interference by foreign nations on US soil. Or rather the entire Western Hemisphere but I digress. I mention this with emphasis because the Internet and/or Cyberspace is a different animal altogether. The majority of the cyber equivalent of ‘US soil’ isn’t actually ‘US soil’, but is actually owned and operated completely and totally by third parties. To further complicate matters, a large portion of that is owned and operated by third parties who are distinctly not American such as foreign-owned corporations. Imposing a Cyber Monroe Doctrine would effectively militarize the entire US portion of cyberspace. That is, if they can ever decide on what parts of that cyberspace they could and could not call American. Davidson acknowledges this problem with the use of the term ‘turf’ but fails to grasp the severity of the problems it causes with her theory.

So that covers the underlying theory by Mary Ann Davidson, but the three ‘outgrowths’ don’t even make sense on their own. “You can’t win a war if you don’t admit that you’re in one.” Aside from the whole War statement…I mean…Really? This is a complete non-sequitur if you ask me. You could argue the exact reverse and it would be equally true (or untrue, of course). I might be piling on here, but someone should probably have told the US Senate this before the Vietnam war, which the US never formally admitted as being a War. Had they used Davidson’s logic, they would have known this was a war they could not win.

The second is that nobody wins on defense.” This is another argument that doesn’t stand up to closer scrutiny. The Monroe Doctrine revolved mostly around defense. It was enacted to work as a deterrent to protect (not project) US interests in the Western Hemisphere. So what does Davidson envision with this statement? It seems to me that she’s calling for offensive cyber operations, which is something that isn’t covered by the Monroe Doctrine. Monroe wanted to defend his Home, while Davidson seems to want to cross the pond and kick some butt. She’s calling for a Sword to match the Shield, but doesn’t take into account that they are two entirely separate entities with entirely different properties, capabilities and logistics.

And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world.” So if I read this correctly, Davidson argues the US needs a doctrine because….well, because! This last argument isn’t actually an argument. Its a possible answer to her first two statements and probably only included because she needed a third argument. Three arguments makes it sound nice and official. And why would the US need one doctrine to cover everything? It has been my understanding that the US Government has published various doctrinal documents that cover a variety of issues, such as the International Strategy for Cyberspace. The US Department of Defense has also published a number of documents on Cyberspace over the last few years, and these map to a number of existing legal and societal principles in the offline world. These can be easily found online.

So is Mary Ann Davidson correct in her assertion that the Monroe Doctrine would be a handy fit in Cyberspace? To be honest, I don’t know. Im not a politician and im not a military strategist. But her arguments are flawed and they didn’t sway me. Im usually a big fan of a common-sense approach to Cyber-anything, and in most cases we can apply existing legal and societal frameworks just fine. But in this particular case we simply cannot forget that the US already has an potentially undue influence over the proper functioning of the Internet, and any kind of overly agressive stance will foster more animosity between the US and the rest of the world. The Internet is, and should remain, an active demonstration of global cooperation. We would all be better off if we strived to make things safer for everyone.

Debating Cyber Warfare – Still more questions from .GOV (Part III)

In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:

In how far can international codes of conduct in using the digital domain contribute to increase Cyber Security? Can we learn from experiences with existing codes of conduct such as in the area of non-proliferation?

Fading national borders and defacto international routing of data traffic are a property of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when considering fighting cyber crime. This calls for Law Enforcement Agencies and Justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation amongst law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although not nearly as successful as we’d hope, they did have some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.

As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can provide some help with increasing security in Cyberspace. Consider the Law of Armed Conflict or the Universal Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.

Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional ‘weight’ associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the internet and proliferation is both virtually immediate and unstoppable.  

How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?

Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a better connection to the NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding and after looking at its Mission statement revolving around cooperation, I highly recommend our government does so. Aside from this centre, NATO’s own C3 agency has various endeavors with regards to Cyber Security that we here in the Netherlands might be able to get an advantage out of.

All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.

Debating Cyber Warfare – More Questions from .GOV (Part II)

In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three. This article will be the longest in the series due to the multi-parted nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.

Question                
In how far, and in what way, are existing international Legal frameworks relevant to behavior in the Cyber domain; specifically in relation to cyber violence? 

  • [Ad Bellum] Under what circumstances can a cyber threat be considered use of force or threatening use of force, in the sense of article 2, section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack  that justifies violence in self-defence based on article 51 of the UN Charter?
  • [In Bello] When does humanitarian law of war apply to behaviors in the Digital domain? Must these be linked to kinetic use of force? How would this, during such application, be given shape to the Law of War’s  principles of distinction and proportionality, and the requirement of taking precautions for safety?
  • How would Civil legal concepts such as Sovereignty and Neutrality be given shape in the Cyber Domain?

Relevant UN Charter articles:

  • Article 2, Section IV:
    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
  • Article 51:
    Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare. It is important that one should look to the effects of cyber attacks rather than the method or the individual components therein. In the end it is the damage dealt that bears relevance to those it is inflicted upon rather than the method. For this reason the thresholds that have bearing on the various articles in the UN Charter  we have set for conventional warfare do not necessarily change because of innovation in technology, nor do  international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack) and I feel this right remains relevant when discussing cyber warfare. I would like to point out though, that what is typical for Cyber Warfare, but uncommon in kinetic operations, is the problem of Attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes all action and reaction susceptible to a fair margin of error and so any response should be carefully considered before execution.

Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk area’s are those that affect Hospitals and Emergency Services such as Police and Ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with utmost care, and this advance in technology doesn’t change that. In this case a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. Principles of distinction between military and civilian targets, as well as proportionality should still apply when discussing the use of cyber attacks.

Civil-Legal principles
The debate surrounding legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are most likely susceptible to change as insight is gained over time. Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables, routers and maybe even airspace via satellites or Wi-Fi connections. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment in between points of departure and arrival. And what to say about being used as a proxy during a cyber attack? Without international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even using systems that are hosted on your soil. Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.

Debating Cyber Warfare – Questions from .GOV

The NCDI
A few months ago I was engaged by a friend who had desires of starting a new foundation in the Netherlands. He surmised that the Dutch Ministry of Defence could use some help in establishing proper Cyber Doctrine. Now, a scant 6 months later, we find our group is firmly set at 7 people and the foundation has officially been established. It is called the Dutch Institute for Cyber Doctrine (NCDI) and I sincerely hope you will hear more of us in the near future.

I mention the birth of this foundation because through some proper networking we’ve been asked for input by our government with relation to Cyber Warfare. The request for information contained such interesting questions that I felt I could almost dedicate an entire article on each question, and so I did. I hope to generate some really interesting debates with these questions. Without further ado, here is the first question:

“After Land, Air, Sea and Space, Cyberspace is generally considered to be the fifth warfighting domain. Based on what political and military objectives can operational cyber capabilities be developed and deployed? Please define the nature and role of operational cyber capabilities during military operations.”

An Answer
While you’ll find a plethora of discussions in which it is still hotly debated what it all means, it is very likely that future conflicts will not be ‘pure cyber wars’ in the same way we haven’t seen ‘pure nuclear wars’  or ‘pure air wars’. Instead it is much more likely that new conflicts will contain cyber attacks or cyber espionage as part of a larger strategic plan. In fact we’ve already seen it in conflicts as early as the war in the Persian Gulf in 1991, where the famous and recently deceased Robert Morris was said to have launched the first US cyber attack. Many people now ask the question what the political and military impact is of cyber warfare, and this is a very valid question. However, it should not be confused with political and/or military motive, because nothing has really changed in that regard. War is, as Clausewitz said, the continuation of Policy through other means, and that is exactly what cyber is: just another means.

With that in mind, I feel the first half of the question is somewhat flawed. Political objectives are not usually fundamentally changed by technology, though military objectives certainly can be, and with the advent of cyber warfare it is easy to confuse or even conflate the two. So for me, the question is really “What military objectives should be the focus of operational cyber capability development?”.

The answer to this question will probably always remain difficult to answer, because the technology surrounding cyberspace is continually changing. Furthermore we find that the application of said technology is ever changing as well, making it very hard to pin down exactly if and where there are any fixed strategic points or objectives to aim exploitation development to. What is a sensible and effective angle today may be completely obsolete tomorrow. Based on what we’ve seen so far (of what we’ve been allowed to see, that is), we can assume that in the foreseeable future, cyber attacks will not have a directly kinetic component. That is to say – cyber attacks don’t (and won’t) act like bullets, bombs or missiles. As we know and understand it now, it can be used as a strictly supporting function to ongoing operations. The key word here is Information – its discovery, manipulation or denial. Cyber attacks could be succesfully applied to disable a radar array preventing a strategic bombing or insertion, or more locally to disable alarm systems on a house that needs to be breached quietly. It could (and already is) be used highly effectively to break into the networks of defence contractors and steal the highly sensitive specs of enemy technology, and in turn use that information to render them harmless to your troops. Interestingly enough, you could also use it the other way around: To make your enemies see things that aren’t there, such as by flooding their radar screen with bogus information or by infiltrating and corrupting their chain of command’s methods of communication. Whatever the application, it is important to note that virtually all these attacks are of a temporary nature. They don’t really change things permanently. As such, you should not depend on cyber attacks to give you a lasting advantage. It is highly likely that the target will, at one point, discover the attack and take steps to undo it.

The bottom line is that before being able to develop operational cyber capabilities, it is important that you understand the nature of Cyber attacks. What it is, and what it isn’t. You won’t win any wars with Cyber alone, but you may be able to increase the success rate of your missions and give your opponents a very frustrating time during ongoing operations by applying this exciting new technology.