25
Cyber-security
Myriam Dunn Cavelty
Chapter Contents
• Introduction
• Information security 101
• Three interlocking cyber-security discourses
• Reducing cyber-in-security
• The level of cyber-risk
• Conclusion
Reader’s Guide
This chapter looks at why cyber-security is considered one of the key national security issues of
our times. The first section provides the necessary technical background information. The second
unravels three different, but interrelated ways to look at cyber-security: the first discourse has a
technical focus and is about viruses and worms. The second looks at the interrelationship between
the phenomenon of cyber-crime and cyber-espionage. The third turns to a military and civil defence-driven discourse about the double-edged sword of fighting wars in the information domain and the
need for critical infrastructure protection. Based on this, the third section looks at selected protection
concepts from each of the three discourses. The final section sets the threat into perspective: despite
heightened media attention and a general feeling of impending cyber-doom in some government
circles, the level of cyber-risk is generally overstated.
Introduction
Information has been considered a significant aspect of
power, diplomacy, and armed conflict for a very long
time. Since the 1990s, however, information’s role
in international relations and security has diversified
and its importance for political matters has increased,
mostly due to the proliferation of information and
communication technology (ICT) into all aspects
of life in post-industrialized societies. The ability to
master the generation, management, use but also manipulation of information has become a desired power
resource since the control over knowledge, beliefs,
and ideas is increasingly regarded as a complement
to control over tangible resources such as military
forces, raw materials, and economic productive capability. Consequently, matters of cyber-(in)-security—
though not always under this name—have become a
security issue.
In this chapter, the cyber-(in)-security logic is unpacked in four sections as described in the Reader’s
Guide, with the first providing the necessary technical background information on why the information
infrastructure is inherently insecure, how computer
vulnerabilities are conceptualized, who can exploit
them and in what ways.
Information security 101
Cyberspace connotes the fusion of all communication networks, databases, and sources of information
into a vast, tangled, and diverse blanket of electronic
interchange. A ‘network ecosystem’ is created; it is
virtual and it ‘exists everywhere there are telephone
wires, coaxial cables, fiber-optic lines or electromagnetic waves’ (Dyson et al. 1996). Cyberspace, however, is not only virtual since it is also made up of
servers, cables, computers, satellites, etc. In popular
usage we tend to use the terms cyberspace and Internet almost interchangeably, even though the Internet, albeit the most important one, is just one part of
cyberspace.
Cyber-security is both about the insecurity created
by and through this new place/space and about the
practices or processes to make it (more) secure. It refers to a set of activities and measures, both technical
and non-technical, intended to protect the bioelectrical environment and the data it contains and transports from all possible threats.
The inherent insecurity of computers and networks
Today’s version of the Internet is a dynamic evolution
of the Advanced Research Projects Agency Network
(ARPANET), which was funded by the Defense Advanced Research Projects Agency (DARPA) of the
United States Department of Defense (DoD) from
1962 onwards, mainly for optimized information
exchange between the universities and research laboratories involved in DoD research. From the very beginning the network designers emphasized robustness
and survivability over security. At the time there was
no apparent need for a specific focus on security, because information systems were being hosted on large
proprietary machines that were connected to very few
other computers.
Due to the dynamic evolution of ARPANET this
turned into a legacy problem. What makes systems
so vulnerable today is the confluence of three factors:
the same basic network technology (not built with
security in mind), the shift to smaller and far more
open systems (not built with security in mind), and
the rise of extensive networking at the same time. In
addition to this, the commercialization of the Internet in the 1990s led to a further security deficit. There
are significant market-driven obstacles to IT-security:
there is no direct return on investment, time-to-market impedes extensive security measures, and security
mechanisms have a negative impact on usability so
that security is often sacrificed for functionality. Also,
an ongoing dynamic globalization of information
services in connection with technological innovation
has led to an increase of connectivity and complexity,
leading to ill-understood behaviour of systems, as well
as barely understood vulnerabilities. Quite simply, the
more complex an IT system is, the more bugs it contains, and the more complex it is, the harder it is to
control or manage its security.
Computer vulnerabilities and threat agents
The terminology in information security is often
seemingly congruent with the terminology in national
security discourses: it is about threats, agents, vulnerabilities, etc. However, the terms have very specific
meanings so that seemingly clear analogies must be
used with care. One (of several possible) ways to categorize threats is to differentiate between ‘failures’,
‘accidents’, and ‘attacks’. Failures are potentially damaging events caused by deficiencies in the system or
in an external element on which the system depends.
Failures may be due to software design errors, hardware degradation, human errors, or corrupted data.
Accidents include the entire range of randomly occurring and potentially damaging events such as natural
disasters. Usually, accidents are externally generated
events (i.e. from outside the system), whereas failures
are internally generated events. Attacks (both passive
and active) are potentially damaging events orchestrated by a human adversary. They are the main focus
of the cyber-security discourse.
Human attackers are usually called ‘threat agents’.
The most common label bestowed upon them is
hacker. This catchphrase is used in two main ways,
one positive and one pejorative (Erickson 2003). For
members of the computing community it describes
a member of a distinct social group (or sub-culture);
a particularly skilled programmer or technical expert
who knows a programming interface well enough to
write novel software. A particular ethic is ascribed to
this subculture: a belief in sharing, openness, and free
access to computers and information; decentralization
of government; and in improvement of the quality of
life (Levy 1984). In popular usage and in the media,
however, the term hacker generally describes computer intruders or criminals. In the cyber-security debate,
hacking is considered a modus operandi that can be
used not only by technologically skilled individuals for
minor misdemeanours, but also by organized actor
groups with truly bad intent, such as terrorists or foreign states. Some hackers may have the skills to attack
those parts of the information infrastructure considered ‘critical’ for the functioning of society. Though
most hackers would be expected to lack the motivation to cause violence or severe economic or social
harm because of their ethics (Denning 2001), government officials fear that individuals who have the capability to cause serious damage, but little motivation,
could be corrupted by a group of malicious actors.
Hacking tools
There are various tools and modes of attack. The term
used for the totality of these tools is malware. Well-known examples are viruses and worms, computer programs that replicate functional copies of themselves
with varying effects ranging from mere annoyance
and inconvenience to compromise of the confidentiality or integrity of information, and Trojan horses,
destructive programs that masquerade as benign applications but set up a back door so that the hacker can
return later and enter the system. Often system intrusion is the main goal of more advanced attacks. If the
intruder gains full system control, or ‘root’ access, he
has unrestricted access to the inner workings of the
system (Anonymous 2003). Due to the characteristics
of digitally stored information an intruder can delay,
disrupt, corrupt, exploit, destroy, steal, and modify
information. Depending on the value of the information or the importance of the application for which this
information is required, such actions will have different impacts with varying degrees of gravity.
Key Points
• Cyberspace has both virtual and physical elements. We tend to use the terms cyberspace and Internet interchangeably, even though cyberspace encompasses far more than just the Internet.
• Cyber-security is both about the insecurity created through cyberspace and about the technical and non-technical practices of making it (more) secure.
• The Internet started as ARPANET in the 1960s and was never built with security in mind. This legacy, combined with the rapid growth of the network, its commercialization, and its increasing complexity made computer networks inherently insecure.
• Information security uses a vocabulary very similar to national security language, but its terms have specific meanings. Computer problems are caused by failures, accidents, or attacks. The latter are the main focus of the cyber-security discourse. Attackers are generally called hackers.
• The umbrella term for all hacker tools is malware. The main goal of more advanced attacks is full system control, which allows the intruder to delay, disrupt, corrupt, exploit, destroy, steal, or modify information.
Three interlocking cyber-security discourses
The cyber-security discourse originated in the USA
in the 1970s, built momentum in the late 1980s and
spread to other countries in the late 1990s. The US government shaped both the threat perception and the
envisaged countermeasures with only little variation
in other countries. On the one hand, the debate was
decisively influenced by the larger post-Cold War
strategic context in which the notion of asymmetric
vulnerabilities, epitomized by the multiplication of
malicious actors (both state and non-state) and their
increasing capabilities to do harm, started to play a
key role. On the other hand, discussions about cyber-security always were and still are influenced by the
ongoing information revolution, which the USA is
shaping both technologically and intellectually by discussing its implications for international relations and
security and acting on these assumptions.
The cyber-security discourse was never static because the technical aspects of the information infrastructure are constantly evolving. Most importantly,
changes in the technical sub-structure changed the
referent object. In the 1970s and 1980s, cyber-security
was about those parts of the private sector that were
becoming digitalized and also about government networks and the classified information residing in them. The
growth and spread of computer networks into more
and more aspects of life changed this limited referent
object in crucial ways. In the mid-1990s, it became
clear that key sectors of modern society, including
those vital to national security and to the essential
functioning of (post-)industrialized economies, had
come to rely on a spectrum of highly interdependent national and international software-based control
systems for their smooth, reliable, and continuous
operation. The referent object that emerged was the
totality of critical (information) infrastructures that
provide the way of life that characterizes our societies.
When telling the cyber-security-story we can distinguish between three different, but often closely interrelated and reinforcing discourses, with specific threat
imaginaries and security practices, referent objects,
and key actors. The first is a technical discourse concerned with malware (viruses, worms, etc.) and system
intrusions. The second is concerned with the phenomena cyber-crime and cyber-espionage. The third is a
discourse driven initially by the US military, focusing
on matters of cyber-war initially but increasingly also
on critical infrastructure protection (see Figure 25.1).
Viruses, worms, and other bugs (technical discourse)
The technical discourse is focused on computer and
network disruptions caused by different types of malware. One of the first papers on viruses and their risks
was Fred Cohen’s ‘Computer viruses—Theory and
Experiments’, initially presented in 1984 and published
in 1987 (Cohen 1987). His work demonstrated the
universality of risk and the limitations of protection in
computer networks and solidified the basic paradigm
that there can be no absolute security/no zero risk
in information systems. In 1988, the ARPANET had
its first major network incident: the ‘Morris Worm’.
The worm used so many system resources that the attacked computers could no longer function and large
parts of the early Internet went down.

Figure 25.1 Three discourses

| | Technical | Crime–Espionage | Military/civil defence |
|---|---|---|---|
| Main actors | Computer experts; anti-virus industry | Law enforcement; intelligence community | National security experts; military; civil defence establishment |
| Main referent object | Computers; computer networks | Business networks; classified information (government networks) | Military networks, networked armed forces; critical (information) infrastructures |

Its devastating technical effect prompted DARPA to
set up a centre to coordinate communication among
computer experts during IT emergencies and to help
prevent future incidents: a Computer Emergency Response Team (CERT). This centre, now called the
CERT Coordination Center, still plays a considerable
role in computer security today and served as a role
model for many similar centres all over the world.
Around the same time, the anti-virus industry emerged
and with it techniques and programs for virus recognition, destruction and prevention.
The worm also had a substantial psychological impact by making people aware just how insecure and
unreliable the Internet was. While it had been acceptable in the 1960s that pioneering computer professionals were hacking and investigating computer systems,
the situation had changed by the 1980s. Society had
become dependent on computing in general for business practices and other basic functions. Tampering
with computers suddenly meant potentially endangering people’s careers and property; and some even
said their lives (Spafford 1989). Ever since, malware as
‘visible’ proof of the persuasive insecurity of the information infrastructure has remained in the limelight of
the cyber-security discourse; and it also provides the
back-story for the other two discourses. Table 25.1
lists some of the most prominent examples.
Most obviously, the history of malware is a mirror
of technological development: the type of malware,
the type of targets and the attack vectors all changed
with the technology and the existing technical countermeasures (and continue to do so). This development
goes in sync with the development of the cyber-crime
market, which is driven by the huge sums of money
available to criminal enterprises at low risk of prosecution. While there was a tongue-in-cheek quality
to many of the viruses in the beginning, viruses have
long ago lost their innocence. While prank-like viruses
have not disappeared, computer security professionals
are increasingly concerned with the rising level of professionalization coupled with the obvious criminal (or
even strategic) intent behind attacks. Advanced malware is targeted: A hacker picks a victim, scopes the
defences and then designs malware to get around them
(Symantec 2010). The most prominent example for this
kind of malware is Stuxnet (see Case Study 25.2). However, some IT security companies have recently warned
against overemphasizing so-called advanced persistent
threat attacks just because we hear more about them
(Verizon 2010: 16). Only about 3 per cent of all incidents are considered so sophisticated that they were
impossible to stop. The vast majority of attackers go
after small to medium-sized enterprises with bad defences. These types of incidents tend to remain under
the radar of the media and even law-enforcement.
Key Points
• Theoretical research on self-replicating programs in the early history of computer networks proved that there could be no absolute security in information systems. In 1988, the Morris Worm downed large parts of the early Internet, proving the theory right and making clear that the Internet was a very insecure technology.
• As a consequence, the CERT Coordination Center was founded. It is still very active today and has served as a model for similar computer emergency response teams in many countries.
• There is a long list of prominent malware, which often made headlines. Over the years, malware has become more sophisticated and more clearly linked to criminal intent.
• The most dangerous malware today is tailored to a specific target. However, the large majority of attacks remain fairly unsophisticated and go after small or medium-sized enterprises with little IT security awareness and/or investment.
Cyber-crooks and digital spies (crime-espionage discourse)
The cyber-crime discourse and the technical discourse
are very closely related. The development of IT law
(and, more specifically, Internet or cyber-law) in different countries plays a crucial role in the second discourse
because it allows the definition and prosecution of misdemeanour. Not surprisingly, the development of legal
tools to prosecute unauthorized entry into computer
systems coincided with the first serious network incidents described here (cf. Mungo and Clough 1993).
Cyber-crime has come to refer to any crime that
involves computers and networks, like a release of
malware or spam, fraud, and many other things. Until
today, notions of computer-related economic crimes
determine the discussion about computer misuse. However, a distinct national-security dimension was established when computer intrusions (a criminal act) were
clustered together with the more traditional and well-established espionage discourse. Prominent hacking
incidents—such as the intrusions into high-level computers perpetrated by the Milwaukee-based ‘414s’—led
to a feeling in policy circles that there was a need for
action (Ross 1991): if teenagers were able to penetrate
computer networks that easily, it was assumed that better organized entities such as states would be even better equipped to do so. Other events, like the Cuckoo’s
Egg incident, the Rome Lab incident, Solar Sunrise, or
Moonlight Maze made apparent that the threat was not
just one of criminals or juveniles, but that classified or
sensitive information could be acquired relatively easily
by foreign nationals through hackers (see Table 25.2).

Table 25.1 Prominent malware

| Name of malware | Year of discovery | Creator | Infected | Effect |
|---|---|---|---|---|
| Creeper virus | 1971 | Bob Thomas (IT professional), USA | Specific types of computer/operating systems | Displayed message on computer screen: ‘I’m the creeper, catch me if you can!’ |
| Elk Cloner | 1981 | Richard Skrenta (15-year-old high school student), USA | Apple DOS 3.3 operating system | Displayed poem, first line: ‘Elk Cloner: The program with a personality’ |
| Morris Worm | 1988 | Robert Morris (computer student), USA | UNIX systems | Slowed down machines in the ARPANET until they became unusable. Huge impact on the general awareness of insecurity |
| Michelangelo | 1992 | (unknown) | DOS systems | Overwrote the first hundred sectors of the hard disk with nulls. Caused first digital mass hysteria |
| Back Orifice | 1998 | Cult of the Dead Cow (hacker collective), USA | Windows 98 | Tool for remote system administration (Trojan horse) |
| Melissa | 1999 | David L. Smith (programmer), USA | Microsoft Word, Outlook | Shut down Internet mail, clogged systems with infected e-mails |
| I Love You | 2000 | Reomel Ramores and Onel de Guzman (computer students), Philippines | Windows | Overwrote files with copy of itself, sent itself to the first fifty people in the Windows Address Book |
| Code Red | 2001 | (unknown) | Microsoft web servers | Defaced websites, used machines for DDoS-attacks |
| Nimda | 2001 | (unknown) | Windows workstations and servers | Allowed external control over infected computers |
| Blaster | 2003 | Jeffrey Lee Parson (18-year-old student), USA | Windows XP and 2000 | DDoS-attacks against ‘windowsupdate.com’. Side effects: system crash. Was suspected to have caused black-out in US (could not be confirmed) |
| Slammer | 2003 | (unknown) | Windows 95–XP | DDoS-attacks, slowed down Internet traffic worldwide |
| Sasser | 2004 | Sven Jaschan (computer science student), Germany | Windows XP and Windows 2000 | Internet traffic slow down, system crash |
| Zeus | 2007 | (unknown), available to buy in underground computer forums | Windows | Steals banking and other information, forms botnets |
| Conficker (several versions) | 2008 | (unknown) | Windows | Forms botnets |
| Stuxnet | 2010 | US government (+ Israel) | SCADA system (Siemens industrial software and equipment) | Spies on and subverts industrial systems |
| Duqu | 2011 | (unknown) | Windows | Looks for information useful in attacking industrial control systems. Code almost identical to Stuxnet (copy-cat software) |

There are three trends worth mentioning. First,
tech-savvy individuals (often juveniles) with the goal
of mischief or personal enrichment shaped the early
history of cyber-crime. Today, professionals dominate
the field. The Internet is a near ideal playground for
semi- and organized crime in activities such as theft
(like looting online banks, intellectual property, or
identities) or for fraud, forgery, extortion, and money
laundering. Actors in the ‘cyber-crime black market’
are highly organized regarding strategic and operational vision, logistics and deployment. Like many
real companies, they operate across the globe.
Second, the cyber-espionage story has also changed.
There has been an increase in allegations that China is
responsible for high-level penetrations of government
and business computer systems in Europe, North
America, and Asia. Because Chinese authorities have
stated repeatedly that they consider cyberspace a strategic domain and that they hope that mastering it
will equalize the existing military imbalance between
China and the USA more quickly, many officials readily accuse the Chinese government of deliberate and
targeted attacks or intelligence gathering operations.
However, these allegations almost exclusively rely on
anecdotal and circumstantial evidence.
The so-called attribution problem—which refers
to the difficulty of clearly determining those initially
responsible for a cyber-attack plus identifying their
motivating factors—is the big challenge in the cyber-domain. Due to the architecture of cyberspace, online identities can be optimally hidden. Blame on the
basis of the ‘cui bono’-logic (which translates into ‘to
whose benefit?’) is not sufficient proof for political
action. Attacks and exploits that seemingly benefit
states might well be the work of third-party actors
operating under a variety of motivations. At the same
time, the challenges of clearly identifying perpetrators
also give state actors convenient ‘plausible deniability
and the ability to officially distance themselves from
attacks’ (Deibert and Rohozinski 2009: 12).
The third trend is the increased attention that
hacktivism—the combination of hacking and activism—
has gained in recent years. WikiLeaks, for example,
has added yet another twist to the cyber-espionage discourse. Acting under the hacker-maxim ‘all information
should be free’, this type of activism deliberately challenges the self-proclaimed power of states to keep information, which they think could endanger or damage
national security, secret. It emerges as a cyber-security
issue in government discourse because of the way a lot
of the data has been stolen (in digital form) but also how
it is made available to the whole world through multiple
mirrors (Internet sites). Somewhat related are the multifaceted activities of hacker collectives such as Anonymous or LulzSec. They creatively play with anonymity
in a time obsessed with control and surveillance and humiliate high-visibility targets by DDoS-attacks, break-ins, and the release of sensitive information.
Key Points
• The notion of computer crime and the development of cyber law coincided with the first network attacks. Though this discourse is mainly driven by economic considerations until today, political cyber-espionage, as a specific type of criminal computer activity, started worrying officials around the same time.
• Over the years, cyber-criminals have become well-organized professionals, operating in a consolidated cyber-crime black market.
• China is often blamed for high-level cyber-espionage, both political and economic. However, there is only anecdotal and circumstantial evidence for this.
• As there is no way to clearly identify perpetrators that want to stay hidden in cyberspace (attribution problem), anyone could be behind actions that seemingly benefit certain states. States can also plausibly deny being involved.
• Politically motivated or activist break-ins by hacker collectives that go after high-level targets, with the aim to steal and publish sensitive information or just to ridicule them by targeting their websites, have recently added to the feeling of insecurity in government circles.
Table 25.2 Cyber-crime and cyber-espionage

| Name of incident | Year of occurrence | Description | Perpetrators |
|---|---|---|---|
| 414s break-ins | 1982 | Break-ins into high-profile computer systems in the United States | Six teenage hackers from Milwaukee |
| Hanover Hackers (Cuckoo’s Egg) | 1986–1988 | Break-ins into high-profile computer systems in the United States | German hacker recruited by the KGB |
| Rome Lab incident | 1994 | Break-ins into high-profile computer systems in the United States | British teenage hackers |
| Citibank incident | 1994 | $10 million siphoned from Citibank and transferred the money to bank accounts around the world | Russian hacker(s) |
| Solar Sunrise | 1998 | Series of attacks on DoD computer networks | Two teenage hackers from California plus one Israeli |
| Moonlight Maze | 1998 | Pattern of probing of high-profile computer systems | Attributed to Russia |
| Titan Rain | 2003– | Access to high-profile computer systems in the United States | Attributed to China |
| Zeus Botnet | 2007 | Trojan horse ‘Zeus’, controlled millions of machines in 196 countries | International cyber-crime network, over 90 people arrested in US alone |
| GhostNet | 2009 | Cyber-spying operation, infiltration of high-value political, economic, and media locations in 103 countries | Attributed to China |
| Operation Aurora | 2009 | Attacks against Google and other companies to gain access to and potentially modify source code repositories at these high tech, security, and defence contractor companies | Attributed to China |
| Wikileaks Cablegate | 2010 | 251,287 leaked confidential diplomatic cables from 274 US embassies around the world, dated from 28 December 1966 to 28 February 2010 | Wikileaks, not-for-profit activist organization |
| Operations Payback and Avenge Assange | 2010 | Coordinated, decentralized attacks on opponents of Internet piracy and companies with perceived anti-WikiLeaks behaviour | Anonymous, hacker collective |
| Sony and other corporate as well as government attacks | 2011 | Highly publicized hacktivist operations | LulzSec, hacker collective |
| Theft of CO2 Emission Papers | 2011 | Theft of 475,000 carbon dioxide emissions allowances worth €6.9 million, or $9.3 million | Attributed to organized cyber-crime (purpose probably money laundering) |

Cyber(ed) conflicts and vital system security (military–civil defence discourse)
The Gulf War of 1991 created a watershed in US military thinking about cyber-war. Military strategists
saw the conflict as the first of a new generation of
information age conflicts in which physical force
alone was not sufficient, but was complemented by
the ability to win the information war and to secure
‘information dominance’. As a result, American military thinkers began to publish scores of books on the
topic and developed doctrines that emphasized the
ability to degrade or even paralyse an opponent’s
communications systems (cf. Campen 1992; Arquilla
and Ronfeldt 1993).
In the mid-1990s, the advantages of the use and
dissemination of ICT that had fuelled the revolution in military affairs were no longer seen only as
a great opportunity providing the country with an
‘information edge’ (Nye and Owens 1996), but were
also perceived as constituting an over-proportional
vulnerability vis-à-vis a plethora of malicious actors. Global information networks seemed to make
it much easier to attack the US asymmetrically and
as such an attack no longer required big, specialized
weapons systems or an army: borders, already porous
in many ways in the real world, were nonexistent in
cyberspace. There was widespread fear that those
likely to fail against the American military would instead plan to bring the USA to its knees by striking
vital points fundamental to the national security and
the essential functioning of industrialized societies at
home. Apart from break-ins into computer networks
that contained sensitive information (see previous
section), exercises designed to assess the plausibility
of information warfare scenarios and to help define
key issues to be addressed in this area demonstrated
that US critical infrastructure presented a set of attractive strategic targets for opponents possessing information warfare capabilities, be it terrorist groups
or states.
At the same time, the development of military doctrine involving the information domain continued. For
a while, information warfare remained essentially limited to military measures in times of crisis or war. This
began to change around the mid-1990s, when the activities began to be understood as actions targeting the
entire information infrastructure of an adversary—
political, economic, and military, throughout the continuum of operations from peace to war. NATO’s 1999
intervention against Yugoslavia marked the first sustained use of the full-spectrum of information warfare components in combat. Much of this involved
the use of propaganda and disinformation via the
media (an important aspect of information warfare),
but there were also website defacements, a number
of DDoS-attacks, and (unsubstantiated) rumours that
Slobodan Milosevic’s bank accounts had been hacked
by the US armed forces.
The increasing use of the Internet during the conflict gave it the distinction of being the ‘first war fought
in cyberspace’ or the ‘first war on the Internet’. Thereafter, the term cyber-war came to be widely used to
refer to basically any phenomenon involving a deliberate disruptive or destructive use of computers. For
example, the cyber-confrontations between Chinese
and US hackers plus many other nationalities in 2001
have been labelled the ‘first Cyber World War’. The
cause was a US reconnaissance and surveillance plane
that was forced to land on Chinese territory after a collision with a Chinese jet fighter. In 2007, DDoS-attacks
on Estonian websites were readily attributed to the
Russian government, and various government officials claimed that this was the first known case of one
state targeting another using cyber-warfare (see Case
Study 25.1). Similar claims were made in the confrontation between Russia and Georgia of 2008. In other
cases, China is said to be the culprit (see previous section and Table 25.3).
The discovery of Stuxnet in 2010 changed the overall
tone and intensity of the debate (see Case Study 25.2).
CASE STUDY 25.1 Estonian ‘cyber-war’
When the Estonian authorities removed a bronze statue of a Second World War-era Soviet soldier from a park a cyberspace-‘battle’
ensued, lasting over three weeks, in which a wave of so-called
Distributed Denial of Service attacks (DDoS) swamped various
websites—among them the websites of the Estonian parliament,
banks, ministries, newspapers, and broadcasters—disabling them by
overcrowding the bandwidths for the servers running the sites.
Even though it will likely never be possible to provide sufficient
evidence for who was behind the attacks, various officials readily
and publicly blamed the Russian government. Also, despite the
fact that the attacks bore no truly serious consequences for
Estonia other than (minor) economic losses, some officials even
openly toyed with the idea of a counter-attack in the spirit of
Article 5 of the North Atlantic Treaty, which states that ‘an
armed attack’ against one or more NATO countries ‘shall be
considered an attack against them all’. The Estonian case is one
of the cases most often referred to in government circles to
prove that there is a rising level of urgency and need for action.
Table 25.3 Instances of cyber(ed)-conflict
| Name of incident | Year of occurrence | Description | Actors/perpetrators |
| --- | --- | --- | --- |
| Gulf War | 1991 | First of a new generation of conflicts where victory is no longer dependent only on physical force, but also on the ability to win the information war and to secure ‘information dominance’ | US military |
| Dutch hacker incident | 1991 | Intrusions into Pentagon computers during Gulf War. Access to unclassified, sensitive information | Dutch teenagers |
| Operation ‘Allied Force’ | 1999 | ‘The first Internet War’: sustained use of the full-spectrum of information warfare components in combat. Numerous hacktivism incidents | US military, hacktivists from many countries |
| ‘Cyber-Intifada’ | 2000–2005 | E-mail flooding and Denial-of-Service (DoS) attacks against government and partisan websites during second Intifada | Palestinian and Israeli hacktivists |
| ‘Cyber World-War I’ | 2001 | Defacement of Chinese and US websites and waves of DDoS-attacks after US reconnaissance and surveillance plane was forced to land on Chinese territory | Hacktivists from many nations (Saudi Arabia, Pakistan, India, Brazil, Argentina, Malaysia, Korea, Indonesia, Japan) |
| Iraq | 2007 | Cyber-attack on cell phones, computers, and other communication devices that terrorists were using to plan and carry out roadside bombs | US military |
| Estonia DDoS-attacks | 2007 | DDoS-attacks against websites of the Estonian parliament, banks, ministries, newspapers, and broadcasters | Attributed to Russian government |
| Georgia DDoS-attacks | 2008 | DDoS-attacks against numerous Georgian websites | Attributed to Russian government |
| GhostNet infiltrations | 2009 | GhostNet related infiltrations of computers belonging to Tibetan exile groups | Attributed to Chinese government |
| Stuxnet | 2010 | Computer worm that might have been deliberately released to slow down Iranian nuclear programme | US government (+ Israel) |
| Korean network intrusions | 2011 | Botnets and DDoS-attacks against government websites. Experts suspected North Korean ‘cyber-weapons’ test | Attributed to North Korean government |
CASE STUDY 25.2 Stuxnet
Stuxnet is a computer worm that was discovered in June 2010
and has been called ‘[O]ne of the great technical blockbusters in malware history’ (Gross 2011). It is a complex program.
It is likely that writing it took a substantial amount of time,
advanced-level programming skills and insider knowledge of
industrial processes. Therefore, Stuxnet is probably the most
expensive malware ever found. In addition, it behaves differently from malware released for criminal intent: it does not
steal information and it does not herd infected computers into
so-called botnets from which to launch further attacks. Rather,
it looks for a very specific target: Stuxnet was written to attack
Siemens’ Supervisory Control And Data Acquisition (SCADA) systems that are used to control and monitor industrial processes.
In August 2010, the security company Symantec noted that 60
per cent of the infected computers worldwide were in Iran.
It was also reported that Stuxnet damaged centrifuges in the
Iran nuclear programme. This evidence led several experts to
the conclusion that one or several nation states—most often
named are the USA and/or Israel—were behind the attack. The
involvement of the US government has since been confirmed.
On another note, Stuxnet provided a platform for an ever-growing host of cyber-war-experts to speculate about the
future of cyber-aggression. Internationally, Stuxnet has had two
main effects: first, governments all over the world are currently
releasing or updating cyber-security strategies and are setting
up new organizational units for cyber-defence (and -offence).
Second, Stuxnet can be considered a ‘wake-up’ call: ever since
its discovery, increasingly serious attempts to come to some
type of agreement on the non-aggressive use of cyberspace
between states are undertaken.
Due to the attribution problem, it was impossible to know for certain who was behind this piece
of code, though many suspected one or several state
actors (Farwell and Rohozinski 2011). In June 2012, it
was revealed that Stuxnet is part of a US and Israeli
intelligence operation and that it was indeed programmed and released to sabotage the Iranian nuclear
programme. For many observers, Stuxnet as a ‘digital
first strike’ marks the beginning of the unchecked use
of cyber-weapons in military-like aggressions (Gross
2011). However, other reports think this unlikely (cf.
Sommer and Brown 2011), mainly due to the uncertain
results a cyber-war would bring, the lack of motivation
on the part of the possible combatants and their shared
inability to defend against counterattacks.
Future conflicts between nations will most certainly have a cyberspace component but they will be
just a part of the battle. It is therefore more sensible
to speak about cyber(ed) conflicts, conflicts ‘in which
success or failure for major participants is critically dependent on computerized key activities along the path
of events’ (Demchak 2010). Dubbing occurrences as
‘cyber-war’ too carelessly bears the inherent danger of
creating an atmosphere of insecurity and tension and
fuelling a cyber-security dilemma: many countries are
currently said to have functional cyber-commands
or be in the process of building one. Because cyber-capabilities cannot be divulged by normal intelligence
gathering activities, uncertainty and mistrust are on
the rise.
KEY POINTS
• The Gulf War of 1991 is considered to be the first of a new
generation of conflicts in which mastering the information
domain becomes a deciding factor. Afterwards, the information warfare doctrine was developed in the US military.
• Increasing dependence of the military, but also of society
in general, on information infrastructures made clear
that information warfare was a double-edged sword.
Cyberspace seemed the perfect place to launch an
asymmetrical attack against civilian or military critical
infrastructures.
• The US military tested its information warfare doctrine
for the first time during a NATO operation ‘Allied Force’
in 1999. It was the first armed conflict in which all sides,
including actors not directly involved, had an active online
presence, and in which the Internet was actively used for
the exchange and publication of conflict-relevant information. Thereafter, the term ‘cyber-war’ came to be used
for almost any type of conflict with a cyber-component.
• The recent discovery of a computer worm that
sabotages industrial processes and was programmed
by order of a state actor has alarmed the international
community. Some experts believe that this marks the
beginning of unrestrained cyber-war among states.
• Others think that highly unlikely and warn against an
excessive use of the term cyber-war. Future conflicts
between states will also be fought in cyberspace, but
not exclusively. One useful term for them is cyber(ed)
conflicts.
KEY IDEAS 25.1 Presidential Commission on Critical Infrastructure Protection
Following the Oklahoma City Bombing, President Bill Clinton
set up the Presidential Commission on Critical Infrastructure
Protection (PCCIP) to look into the security of vital systems
such as gas, oil, transportation, water, telecommunications, etc.
The PCCIP presented its report in the fall of 1997 (Presidential
Commission on Critical Infrastructure Protection 1997). It
concluded that the security, economy, way of life, and perhaps
even the survival of the industrialized world were dependent
on the interrelated trio of electrical energy, communications,
and computers. Further, it stressed that advanced societies rely
heavily upon critical infrastructures, which are susceptible to
classical physical disruptions and new virtual threats. While the
study assessed a list of critical infrastructures or ‘sectors’—for
example the financial sector, energy supply, transportation, and
the emergency services—the main focus was on cyber-risks.
There were two reasons for this decision: first, these were the
least known because they were basically new, and second, many
of the other infrastructures were seen to depend on data and
communication networks. The PCCIP linked the cyber-security
discourse firmly to the topic of critical infrastructures. Thereafter, CIP became a key topic in many other countries.
Reducing cyber-in-security
The three different discourses have produced specific
types of concepts and countermeasures in accordance
with their focus and main referent objects (see Figure
25.2), some of which are discussed later.
Despite fancy concepts such as cyber-deterrence,
the common issue in all discourses is information assurance, which is the basic security of information
and information systems. It is common practice that
the entities that own a computer network are also responsible for protecting it (governments protect government networks, militaries only military ones, and
companies protect their own, etc.). However, there
are some assets considered so crucial to the functioning of society in the private sector that governments
take additional measures to ensure an adequate level
of protection. These efforts are usually subsumed
under the label of critical (information) infrastructure protection.
In the 1990s, critical infrastructures became the
main referent object in the cyber-security debate.
Whereas critical infrastructure protection (CIP)
encompasses more than just cyber-security, cyber-aspects have always been the main driver (see Key
Ideas 25.1).
The key challenge for CIP efforts arises from the
privatization and deregulation of large parts of the
public sector since the 1980s and the globalization
processes of the 1990s, which have put many critical
infrastructures in the hands of private (transnational)
enterprises. This creates a situation in which market
forces alone are not sufficient to provide the aspired
level of security in designated critical infrastructure
sectors,1 but state actors are also incapable of providing the necessary level of security on their own
(unless they heavily regulate, which they are usually
reluctant to do).
Public–Private Partnerships (PPP), a form of cooperation between the state and the private sector, are
widely seen as a panacea for this problem in the policy
community—and cooperation programmes that follow the PPP idea are part of all existing initiatives in the
field of CIP today, though with varying success. A large
number of them are geared towards facilitating information exchange between companies and between
companies and government on security, disruptions,
and best practices. Mutual win–win situations are to
be created by exchanging information that the other
party does not have: the government offers classified
information acquired by its intelligence services about
potentially hostile groups and nation states in exchange
for technological knowledge from the private sector
that the public sector does not have (President’s Commission on Critical Infrastructure Protection 1997: 20).
Information assurance is guided by the management of risk, which is essentially about accepting that
one is (or remains) insecure: the level of risk can never
be reduced to zero. This means that minor and probably also major cyber-incidents are bound to happen
because they simply cannot be avoided even with
perfect risk management. This is one of the main
reasons why the concept of resilience has gained so
much weight in recent debates (Perelman 2007). Resilience is commonly defined as the ability of a system to
recover from a shock, either returning back to its original state or to a new adjusted state. Resilience accepts
that disruptions are inevitable and can be considered a
‘Plan B’ in case something goes wrong.
1 The most frequently listed examples are banking and
finance, government services, telecommunication and information and communication technologies, emergency
and rescue services, energy and electricity, health services,
transportation, logistics and distribution, and water supply.
Figure 25.2 Countermeasures
| | Technical | Crime–Espionage | Military/civil defence |
| --- | --- | --- | --- |
| Main actors | Computer experts; Anti-virus industry | Law enforcement; Intelligence community | Security professionals, military, civil defence establishment |
| Main referent object | Computers; Computer networks | Business sector; Classified information | Military networks, networked forces; Critical infrastructures |
| Protection concept | Information assurance | Information assurance | Information assurance |
| National level | CERTs (specific for different domain, milCert, govCert etc.) | Computer law | Critical (information) infrastructure protection; Resilience; Cyber-offence; cyber-defence; cyber-deterrence |
| International level | International CERTs; International information security standards | Harmonization of law (Convention on Cybercrime); Mutual judicial assistance procedures | Arms control; International behavioural norms |
In the military discourse, the terms cyber-offence,
cyber-defence, and cyber-deterrence are often used
as countermeasures. Under closer scrutiny, cyber-defence (and to some degree -offence) are not much
more than fancy words for information assurance practices. Cyber-deterrence on the other hand deserves
some attention. Cyberspace clearly poses considerable
limitations for classical deterrence. Deterrence works
if one party is able to successfully convey to another
that it is both capable and willing to use a set of available (often military) instruments against him if the
other steps over the line. This requires an opponent
that is clearly identifiable as an attacker and has to fear
retaliation—which is not the case in cyber-security because of the attribution problem. However, this is not
stopping US government officials from threatening to
use kinetic response in case of a cyber-attack on their
critical infrastructures (Gorman and Barnes 2011).
Naturally, the military discourse falls back on well-known concepts such as deterrence, which means that
the concept of cyber-deterrence, including its limits, will remain a much discussed issue in the future.
In theory, effective cyber-deterrence would require
a wide-ranging scheme of offensive and defensive
cyber-capabilities supported by a robust international
legal framework as well as the ability to attribute an
attack to an attacker without any doubt. The design
of defensive cyber-capabilities and the design of better legal tools are relatively uncontested. Many international organizations and international bodies have
taken steps to raise awareness, establish international
partnerships, and agree on common rules and practices. One key issue is the harmonization of law to facilitate the prosecution of perpetrators of cyber-crime.
While there is wide agreement on what steps are
necessary to tackle international cyber-crime, states
are unwilling to completely forgo offensive and aggressive use of cyberspace. Due to this, and increasingly so since the discovery of Stuxnet, efforts are
underway to control the military use of computer
exploitation through arms control or multilateral behavioural norms, agreements that might pertain to
the development, distribution, and deployment of
cyber-weapons, or to their use. However, traditional
capability-based arms control will clearly not be of
much use, mainly due to the impossibility of verifying limitations on the technical capabilities of actors,
especially non-state ones. The avenues available for
arms control in this arena are primarily information
exchange and norm-building, whereas structural
approaches and attempts to prohibit the means of
cyber-war altogether or restricting their availability
are largely impossible due to the ubiquity and dual-use nature of information technology.
KEY POINTS
• There are a variety of approaches and concepts to secure information and critical information infrastructures.
The key concept is a risk management practice known as
information assurance, which aims to protect the confidentiality, integrity, and availability of information and the
systems and processes used for the storage, processing,
and transmission of information.
• Critical (information) infrastructure protection (C(I)IP)
has become a key concept in the 1990s. Because a
very large part of critical infrastructures are no longer
in the hands of government, CIP practices mainly build
on public–private partnerships. At the core of them lies
information sharing between the private and the public
sector.
• Because the information infrastructure is persuasively
insecure, risk management strategies are complemented
by the concept of resilience. Resilience is about having systems rebound from shocks in an optimal way.
The concept accepts that absolute security cannot be
obtained and that minor or even major disturbances are
bound to happen.
• The military concepts of cyber-defence and cyber-offence are militarized words for information assurance
practices. Cyber-deterrence, on the other hand, is a
concept that moves deterrence into the new domain of
cyberspace.
• If cyber-deterrence were to work, functioning offensive
and defensive cyber-capabilities, plus the fear of retaliation, both militarily and legally, would be needed. This
would also include the ability to clearly attribute attacks.
• Internationally, efforts are underway to further harmonize cyber-law. In addition, because future use of
cyberspace for strategic military purposes remains one
of the biggest fears in the debate, there are attempts to
curtail the military use of computer exploitation through
arms control or multilateral behavioural norms.
The level of cyber-risk
Different political, economic, and military conflicts
clearly have had cyber(ed)-components for a number of
years now. Furthermore, criminal and espionage activities with the help of computers happen every day. Cyber-incidents are causing minor and occasionally major
inconveniences. These may be in the form of lost intellectual property or other proprietary data, maintenance
and repair, lost revenue, and increased security costs. Beyond the direct impact, badly handled cyber-attacks have
also damaged corporate (and government) reputations
and have, theoretically at least, the potential to reduce
public confidence in the security of Internet transactions
and e-commerce if they become more frequent.
However, in the entire history of computer networks, there have been only very few examples of
attacks or other types of incidents that had the potential to rattle an entire nation or cause a global shock.
There are even fewer examples of cyber-attacks that
resulted in actual physical violence against persons
or property (Stuxnet being the most prominent). The
huge majority of cyber-incidents have caused inconveniences or minor losses rather than serious or long-term disruptions. They are risks that can be dealt with
by individual entities using standard information security measures and their overall costs remain low in
comparison to other risk categories like financial risks.
This fact tends to be disregarded in policy circles,
because the level of cyber-fears is high and the military
discourse has a strong mobilizing power. This has important political effects. A large part of the discourse
revolves around ‘cyber-doom’ (worst-case) scenarios
in the form of major, systemic, catastrophic incidents
involving critical infrastructures caused by attacks.
Since the potentially devastating effects of cyber-attacks are so scary, the temptation to not only think
about worst-case scenarios but also give them a lot of
(often too much) weight despite their very low probability is high.
There are additional reasons why the threat is overrated. First, as combating cyber-threats has become a
highly politicized issue, official statements about the
level of threat must also be seen in the context of different bureaucratic entities that compete against each
other for resources and influence. This is usually done
by stating an urgent need for action (which they should
take) and describing the overall threat as big and rising.
Second, psychological research has shown that risk perception is highly dependent on intuition and emotions,
as well as the perceptions of experts (Gregory and Mendelsohn 1993). Cyber-risks, especially in their more extreme form, fit the risk profile of so-called ‘dread risks’,
which appear uncontrollable, catastrophic, fatal, and
unknown. There is a propensity to be disproportionally
afraid of these risks despite their low probability, which
translates into pressure for regulatory action of all sorts
and a willingness to bear high costs of uncertain benefit.
The danger of overly dramatizing the threat manifests itself in reactions that call for military retaliation (as happened in the Estonian case and in other
instances) or other exceptional measures. Though the
last section has shown that there are many different
types of countermeasures in place, and that most of
them are in fact not exceptional, this kind of threat
rhetoric invokes enemy images even if there is no
identifiable enemy, favours national solutions instead
of international ones, and centres too strongly on
national-security measures instead of economic and
business solutions. Only computer attacks whose effects are sufficiently destructive or disruptive need the
attention of the traditional national security apparatus. Attacks that disrupt nonessential services, or that
are mainly a costly nuisance, should not.
KEY POINTS
• The majority of cyber-incidents so far have caused minor
inconveniences and their cost remains low in comparison to
other risk categories. Only very few attacks had the potential for grave consequences and even fewer actually had any
impact on property. None have ever caused loss of life.
• Despite this, the feeling persists in policy circles that a large-scale cyber attack is just around the corner. The potential
for catastrophic cyber attacks against critical infrastructures,
though very unlikely, remains the main concern and the main
reason for seeing cyber-security as a national security issue.
• The level of cyber-risk is overstated. Reasons are to be
found in bureaucratic turf battles due to scarce resources
and in the fact that cyber-risks are so-called ‘dread risks’, of
which human beings are disproportionally afraid. Overstating the risk comes with the danger of prioritising the wrong
answers.
Conclusion
Despite the increasing attention cyber-security is getting in security politics and despite the possibility of
a major, systemic, catastrophic incident involving
critical infrastructures, computer network vulnerabilities are mainly a business and espionage problem.
Depending on their (potential) severity, however,
disruptive incidents in the future will continue to fuel
the military discourse, and with it fears of strategic
cyber-war. Certainly, thinking about (and planning
for) worst-case scenarios is a legitimate task of the national security apparatus. However, they should not
receive too much attention at the expense of more plausible and more likely problems.
In seeking a prudent policy, the difficulty for decision makers is to navigate the rocky shoals between
hysterical doomsday scenarios and uninformed
complacency. Threat-representation must remain
well informed and well balanced not to allow overreactions with costs that are too high and benefits
that are uncertain. For example, an ‘arms race’ in
cyberspace, based on the fear of other states’ cyber-capabilities, would most likely have hugely detrimental effects on the way humankind uses the Internet.
Also, solving the attribution problem would come at
a very high cost for privacy. Even though we must
expect disturbances in the cyber-domain in the future,
we must not expect outright disasters. Some of the
cyber-disturbances may well turn into crises, but a
crisis can also be seen as a turning point rather than
an end state where the aversion of disaster or catastrophe is always possible. If societies become more
fault tolerant psychologically and more resilient
overall, the likelihood for catastrophe in general and
catastrophic system failure in particular can be substantially reduced.
Cyber-security issues are also challenging for students and academics more generally. Experts of all
sorts widely disagree how likely future cyber-doom
scenarios are—and all of their claims are based on
(educated) guesses. While there is at least proof and
experience of cyber-crime, cyber-espionage or other
lesser forms of cyber-incidents on a daily basis, cyber-incidents of bigger proportions (cyber-terror or
cyber-war) exist solely in the form of stories or narratives. The way we imagine them influences our
judgement of their likelihood; and there are an infinite number of ways in which we could imagine them.
Therefore, there is no way to study the ‘actual’ level
of cyber-risk in any sound way because it only exists
in and through the representations of various actors
in the political domain. As a consequence, the focus
of research necessarily shifts to contexts and conditions that determine the process by which key actors
subjectively arrive at a shared understanding of how
to conceptualize and ultimately respond to a security
threat.
QUESTIONS
1. Who benefits in what ways from calling malware cyber-weapons?
2. What are the pros and cons of abolishing anonymity (and therefore partially solving the attribution problem) on
the Internet in the name of security?
3. What side effects does the indiscriminate use of the terms cyber-terror and cyber-war have?
4. Are hacktivism activities a legitimate way to express political or economic grievances?
5. What are the limits of traditional arms control mechanisms applied to cyber-weapons?
6. Why does the intelligence community not have more information on the cyber-capabilities of other states?
7. What are the similarities and what the differences between information security and national security?
8. Which aspects of cyber-security should be considered a part of national security, and which aspects should not?
Why?
9. What might be the next referent object in the cyber-security discourse?
FURTHER READING
• Arquilla, J. and Ronfeldt, D. F. (eds) (1997), In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica:
RAND. This is one of the key texts about information warfare.
• Brown, K. A. (2006), Critical Path: A Brief History of Critical Infrastructure Protection in the United States, Arlington,
VA: George Mason University Press. Provides a comprehensive overview of the evolution of critical infrastructure
protection in the United States.
• Deibert, R. and Rohozinski, R. (2010) ‘Risking Security: Policies and Paradoxes of Cyberspace Security’, International
Political Sociology 4/1: 15–32. An intelligent account of the threat discourse that differentiates between risks to cyberspace and risks through cyberspace.
• Dunn Cavelty, M. (2008), Cyber-Security and Threat Politics: US Efforts to Secure the Information Age, London:
Routledge. Examines how, under what conditions, by whom, for what reasons, and with what impact cyber-threats
have been moved on to the political agenda in the USA.
• Libicki, M. (2009), Cyberdeterrence and Cyberwar, Santa Monica: RAND. Explores the specific laws of cyberspace
and uses the results to address the pros and cons of counterattack, the value of deterrence and vigilance, and other
defensive actions in the face of deliberate cyber-attack.
• National Research Council (2009), Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack
Capabilities, Washington, DC: The National Academies Press. Focuses on the use of cyber-attack as an instrument
of US policy and explores important characteristics of cyber-attack.
• Sommer, P. and Sommer, I. (2011), Reducing Systemic Cybersecurity Risk, OECD Research Report,
http://www.oecd.org/dataoecd/3/42/46894657.pdf. A down-to-earth report that concludes that it is extremely unlikely that
cyber-attacks could create problems like those caused by a global pandemic or the recent financial crisis, let alone
an actual war.
IMPORTANT WEBSITES
• http://cipp.gmu.edu George Mason University (GMU), Critical Infrastructure Protection (CIP) Program Website: The GMU CIP program is a valuable source of information for both US and international CIP-related issues
and developments.
• http://www.schneier.com Schneier on Security: Bruce Schneier is a refreshingly candid and lucid computer
security critic and commentator. In his blog, he covers computer security issues of all sorts.
• http://www.iwar.org.uk The Information Warfare Site: an online resource that aims to stimulate debate on a
variety of issues involving information security, information operations, computer network operations, homeland
security, and more.
• http://www.infowar.com Infowar Site: A site dedicated to tracking open source stories relating to the full-spectrum of information warfare, information security, and critical infrastructure protection.
Visit the Online Resource Centre that accompanies this book for lots of interesting additional material:
www.oxfordtextbooks.co.uk/orc/collins3e/