“Cyberwar” & Cybersecurity


On June 16, 2011, the Cyber-Abwehrzentrum – its official English designation is “National Cyber Response Center” – was officially inaugurated in Germany. In the media coverage on the occasion the term “cyberwar” played a prominent role. Indeed, “cyberwar” has become a media catchword – like “star wars” (aka SDI) in the 1980s or “war on terror” after Sept. 11, 2001. However, we should have learned that security – including security in cyberspace – is not exclusively, not even primarily a military matter.

Outside the IT expert community, even well-informed people – including most journalists, I would suspect – seem to be overwhelmed by the complexity of cyberspace. As indicated by the simplistic phrase “cyberwar”, basic concepts (and terminology) are missing or obscure in the public discourse. So let’s begin with a useful definition of cybersecurity, which was provided last year in an article by the German physicist and IT expert, Dr. Patrick Grete: “Ensuring the privacy, integrity and/or operational availability of information-processing systems.” Or, in other words, protecting the digital infrastructure of a country, on which the functioning of state structures, the economy and the well-being of its citizens depend.

 

The Many Layers of Skin of the “Onion” Cybersecurity

The next question is: Who is threatening cybersecurity? Who carries out cyber attacks, exploiting (design) vulnerabilities in computer systems and IT networks – including the exponentially rising number of smartphones? The main actors here are extraordinarily diverse – and they are not primarily “military”:

  • frustrated individuals
  • criminals and organized crime
  • “independent” hackers with manifold motivations
  • private businesses
  • governmental agencies, notably intelligence services

The purpose of the cyber attacks can be equally manifold, among them are:

  • personal revenge
  • theft by digitally intruding into private financial accounts (of businesses or individuals)
  • damaging business competitors (business espionage or even sabotage)
  • damaging political or ideological opponents
  • espionage by states against political, economic and scientific institutions of other states

 

Cyber Crime Is the Business of Police and Intelligence Agencies

By far the most frequent cyber attacks are digital theft, business espionage and espionage by (state) intelligence services. These cyber attacks represent cyber crime. Cyber criminality, including espionage, has nothing to do with quasi-military conflicts among states. Cyber crime is the predominant and most immediate threat to cybersecurity.

This point was acknowledged by President Obama in a May 2009 speech on “Securing our Nation’s Cyber Infrastructure”, in which he outlined his administration’s policy approach on cyber security: “We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm – spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.”

One may add for non-expert readers an explanation of the terminology used by Obama: spyware facilitates the spying out of computer data or turning smartphones into “listening devices”; malware disrupts the functioning of computers; spoofing means stealing/“recreating” digital identities; phishing means stealing private data; and botnets are used for overloading/paralyzing IT systems. And, one may add that Obama’s remarks on cyber crime apply to most other countries: more than 1.8 billion people around the world are already online and four billion mobile phones are in use.

As a modern and rapidly expanding variation of criminality, cyber crime is first of all a matter of criminal investigation and prosecution by police authorities, (counter) intelligence services and the judiciary. On a national level, most countries have established legal frameworks against cyber crime; and these national legal standards applying to private actors are – too slowly – synchronized in various multilateral formats, for example on the level of the European Union.

The investigation and prosecution of cyber crimes is a new and challenging task for police authorities and (counter) intelligence services. Cyber forensics is still in the early stages of development, but progress is being made. Thus, investigating, apprehending and prosecuting cyber criminals is a doable task for law enforcement and intelligence agencies.

Here we come back to the National Cyber Response Center in Germany. The NCRC is part of the Federal Office for Information Security (BSI), which in turn is under the authority of the Federal Ministry of the Interior. The BSI is “responsible for ensuring secure, functional electronic communication between public administrations, citizens and businesses”, in particular protecting the digital dimension of “public key infrastructure” (electricity grids, rail and air traffic control or electronic accounting systems). The NCRC’s task is the “bundling” or “fusion” of information on threats to cybersecurity coming from the various police and intelligence agencies on the national and laender level. Out of this information, the NCRC extracts comprehensive assessment reports on the state of cybersecurity, including recommendations for counter-measures by police, intelligence services and other state agencies. Thus, the NCRC is Germany’s cyber intelligence center – however without itself being an intelligence service. And it should be emphasized that the BSI/NCRC is a civilian organization.

One may ask: But isn’t there a terrorist threat to cyber security? Could not, for example, Islamist terror groups digitally sabotage electricity grids? The publicly available information indicates that terrorist groups use the internet for propaganda, recruitment and communication, but lack the human and technological resources to conduct quasi-military cyber attacks. To make sure that terrorists don’t gain such capabilities is the task of law enforcement and intelligence agencies – and not the military. However, in the United States a different view seems to prevail.

 

The Militarization of Cybersecurity

In the above quoted speech, President Obama also said that cyber attacks are “the future face of war.” One year later, on May 21, 2010, the “US Cyber Command” was activated at Fort Meade, Maryland. This military organization, headed by Gen. Keith Alexander, will coordinate and integrate the information networks of the Pentagon, all four (military) services, the CIA and NSA.

At his February 2011 confirmation hearings, the new Secretary of Defense (and former CIA chief), Leon Panetta said: “The potential for the next Pearl Harbor could very well be a cyber attack.” Then on May 31, 2011, the Wall Street Journal reported: “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” The WSJ summed up the new cyber strategy by quoting an unnamed military official: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

It seems the United States are clearly prioritizing the military dimension of cybersecurity. The primary threat scenario seems to be the crippling/destruction of vital physical and/or digital assets of a state by another state via a military cyber attack. Such a cyber aggression would be defined as an act of war in terms of international law to which the USA would retaliate by using “kinetic” military force.

What’s puzzling here is that publicly available reports about military cyber attacks do implicate the United States – for example, during the invasion of Iraq in Spring 2003. The same goes for Israel – during the bombardment of a suspected Syrian nuclear site in September 2007 – and Russia – in the Russian-Georgian War in August 2008. And then there is the “stuxnet affair”: In September 2010 it was reported that the computer malware “stuxnet” had targeted and crippled Siemens industrial control systems in Iranian nuclear (and other industrial) sites. The stuxnet worm, however, digitally spread to other countries where it was detected and identified.

What was not identified was the originator of the stuxnet malware, except that it was of such sophistication that it had to be the work of government agencies. What the Russian IT expert, Evgeny Kaspersky, told Der Spiegel, sums up the predominant view on the matter: “There was a lot of talk – on the Internet and in the media – that Stuxnet was a joint US-Israeli project. I think that’s probably the most likely scenario… It cost several million dollars and had to be orchestrated by a team of highly trained engineers over several months. These were no amateurs; these were total professionals who have to be taken very seriously. You don’t get in a fight with them.”

Here we come to the crucial problem of military cyber attacks: In cyberspace, there is no “hard proof” of the origin of a cyber aggression. One may ask: Who would have a motive to paralyze the Iranian nuclear program? Who would have the human and technical resources to do that? Who would be willing to take the risks of a quasi-military attack against Iran? But those questions merely lead to circumstantial evidence – not hard facts. So can circumstantial evidence justify launching a physical military attack against a state one suspects – without solid proof – to have carried out a cyber aggression? It should be evident that such a military approach means opening a Pandora’s box.

Moreover, cyberspace opens up unprecedented possibilities for “false flag” operations: A cyber aggressor may lay traces pointing towards another state. Theoretically, country A might launch a cyber aggression against country B by making it appear that country C is the aggressor. A nightmare scenario indeed.

Notwithstanding the talk of a “cyber Pearl Harbor” and the new (military) cyber doctrine, I’m not terribly worried that, in the foreseeable future, any state would launch a cyber aggression against the United States. Many states will continue to spy on the USA via cyber attacks, but the US won’t retaliate by using physical military force. Likewise, the USA will continue to spy on many (probably most) other states via cyber attacks. And, the USA will conduct covert action-type, “pin prick” cyber attacks against other states (stuxnet probably was one), but will disclaim its responsibility for such attacks. And, the USA would categorically deny that such covert actions represent an “act of war”.

So why is there such a hype about cyberwar in America, strongly radiating into NATO? The answer seems rather simple. The United States are so heavily indebted that they must cut their giant military spending. The traditional military services – Army, Air Force, Navy and Marine Corps – will inevitably shrink in the coming years. And that naturally worries the American “military-industrial complex”, which will be forced to regroup in the context of a fierce battle for scarcer funds. So the extended “military-industrial complex” is looking for “new threats”. And against these “new threats”, new sophisticated, yet (supposedly) “cost-effective” weapon systems and contract services are being offered. When you read the American magazine Aviation Week – required reading in the US aerospace industry – you quickly realize what the “new threat” is. The lead story in the May 23 edition of Aviation Week is “Cyberwar Takes Off”. Its message is: Within the military-industrial complex, those sectors dealing with “cyberwar” will not shrink, but expand.

The one-sided focus on the military dimension of cybersecurity is to the detriment of the vast majority of people (and businesses). The threat to their cybersecurity is clear and present, as indicated by the theft of more than 77 million user data of the Sony Playstation network. In the hypothetical case that just €10 would be siphoned off their bank accounts, the cyber criminals would have gained €770 million. Combating cyber crime, by strengthening the efforts of civilian security agencies – on the national and international level – is obviously the most urgent task in the field of cybersecurity.
