STRATEGIC TRENDS 2012 Key Developments in Global Affairs

Center for Security Studies

Editor: Daniel Möckli

Series Editor: Andreas Wenger Authors: Myriam Dunn Cavelty, Jonas Grätz, An Jacobs, Prem Mahadevan, Daniel Möckli

CSS ETH Zurich STRATEGIC TRENDS 2012 is also available electronically on the Strategic Trends Analysis website at: www.sta.ethz.ch

Editor STRATEGIC TRENDS 2012: Daniel Möckli Series Editor STRATEGIC TRENDS: Andreas Wenger

Contact: Center for Security Studies ETH Zurich Haldeneggsteig 4, IFW CH-8092 Zurich Switzerland

This publication covers events up to 12 March 2012.

All images © by Reuters (except Chapter 5, © by CSS)

ISSN 1664-0667 ISBN 978-3-905696-36-3 CHAPTER 5 The militarisation of cyber security as a source of global tension Myriam Dunn Cavelty

Cyber security is seen as one of the most pressing national security issues of our time. Due to sophisticated and highly publicised cyber attacks such as Stuxnet, it is increasingly framed as a strategic issue. The diffuse nature of the threat, coupled with a heightened sense of vulnerability, has brought about a growing militarisation of cyber security. This has resulted in too much attention on the low probability of a large scale cyber attack, a focus on the wrong policy solutions, and a detrimental atmosphere of insecurity and tension in the international system. Though cyber operations will be a significant component of future conflicts, the role of the military in cyber security will be limited and needs to be carefully defined.

Emblem of the United States Cyber Command, an armed forces command that became fully operational in 2011 and is subordinate to the United States Strategic Command

103 STRATEGIC TRENDS 2012

Over the last few years, cyber The debate on ‘cyber security’ origi- security has been catapulted from nated in the US in the 1970s, built the confined realm of technical momentum in the late 1980s, and experts into the political lime- spread to other countries in the late light. The discovery of the industry- 1990s. Early on, US policy-makers sabotaging Stuxnet computer worm, politicised the issue. They presented numerous tales of (Chinese) cyber cyber security as a matter that requires espionage, the growing sophistication the attention of state actors because it of cyber criminals, and the well-pub- cannot be solved by market forces. As licised activities of hacker collectives concern increased, they securitised the have combined to give the impression issue: They represented it as a challenge that cyber attacks are becoming more requiring the urgent attention of the frequent, more organised, more costly, national security apparatus. In 2010, and altogether more dangerous. As a against the background of the Stuxnet result, a growing number of countries incident, the tone and intensity of the consider cyber security to be one of debate changed even further: The lat- the top security issues of the future. est trend is to frame cyber security as a strategic-military issue and to focus on This is just the latest ‘surge’ of atten- countermeasures such as cyber offence tion in the three- to four-decade-long and defence, or cyber deterrence. history of cyber issues. The impor- tance attached to cyber security in Though this trend can easily be under- politics grew steadily in response to stood when considering the political a continual parade of incidents such (and psychological) effects of Stuxnet, as computer viruses, data theft, and it nonetheless invokes images of a sup- other penetrations of networked com- posed adversary even though there is puter systems, which, combined with no identifiable enemy, is too strongly heightening media attention, created focused on national security measures the feeling that the level of cyber inse- instead of economic and business solu- curity was on the rise. As a result, the tions, and wrongly suggests that states debate spread in two directions: up- can establish control over cyberspace. wards, from the expert level to execu- Not only does this create an unneces- tive decision-makers and politicians; sary atmosphere of insecurity and ten- and horizontally, advancing from sion in the international system, it is mainly being an issue of relevance to also based on a severe misperception of the US to the top of the threat list of the nature and level of cyber risk and more and more countries. on the feasibility of different protection

104 CYBER SECURITY measures. While it is undisputed that The backdrop of the cyber dimension will play a sub- the cyber security debate stantial role in future conflicts of all The combination of telecommunica- grades and shades, threat-representa- tions with computers in the late 1970s tions must remain well informed and and the 1980s – the basis of the cur- well balanced at all times in order to rent information revolution – marks rule out policy reactions with exces- the beginning of the cyber threat sively high costs and uncertain benefits. debate. The launch and subsequent spread of the personal computer cre- This chapter first describes the core ated a rise in tech-savvy individuals, elements of the cyber security debate some of whom started to use the novel that emerged over the past decades. networked environment for various These elements provide the stage and sorts of misdeeds. In the 1990s, the scenery for the more recent trend information domain became a force- of increasing militarisation of cyber multiplier by combining the risks to security. Five factors responsible for cyberspace (widespread vulnerabili- this trend are described in section two. ties in the information infrastructure) The effects of the discovery of Stuxnet with the possibility of risks through as the culmination point of the cyber cyberspace (actors exploiting these threat story are the focus of section vulnerabilities). The two core elements three: Though the actual (physical) of the cyber security debate that pro- damage of Stuxnet remains limited, vide the stable backdrop for the curit had very real and irreversible politi- rent trend of militarisation emerged: cal effects. The fourth section critically A main focus on highly vulnerable assesses the assumptions underlying critical infrastructures as ‘referent the trend of militarisation and their object’ (that which is seen in need of negative effects. The chapter con- protection) and the threat representa- cludes by arguing that military coun- tion based on the inherent insecurity termeasures will not be able to play a of the information infrastructure and significant role in cyber security due the way it could be manipulated by to the nature of the information envi- technologically skilful individuals. ronment and the nature of the threat. Finally, it sketches the specific, though From government networks to limited role that military apparatuses critical infrastructures can and should play in reducing the Initially, the overarching concern overall level of cyber insecurity nation- of the US was with the classified in- ally and internationally. formation residing in government

105 STRATEGIC TRENDS 2012 information systems. As computer the smooth functioning of all sorts of networks grew and spread into more computer-related applications, such as and more aspects of everyday life, this software-based control systems. focus changed. A link was established in the strategic community between The basic nature of the cyber threat cyber threats and so-called ‘critical The networked information environ- infrastructures’, which is the name ment – or cyberspace – is pervasively given to assets whose incapacitation or insecure, because it was never built destruction could have a debilitating with security in mind. The dynamic impact on the national security and/ globalisation of information services or economic and social welfare of the in connection with technological entire nation. innovation led to a steady increase of connectivity and complexity. The This threat perception was influenced more complex an IT system is, the by the larger strategic context that more problems it contains and the emerged for the US after the Cold War. harder it is to control or manage its It was characterised by more dynamic security. The commercialisation of the geostrategic conditions, more numer- Internet led to an even further security ous areas and issues of concern, and deficit, as there are significant market- smaller, more agile, and more diverse driven obstacles to IT security. adversaries. As a result of the difficulties to locate and identify enemies, the These increasingly complex and glob- focus of security policies partly shifted al information networks seemed to away from actors, capabilities, and make it much easier to attack the US motivations to general vulnerabili- asymmetrically: Potentially devastat- ties of the entire society. In addition, ing attacks now only required a com- the influence of globalisation on the puter with an Internet connection complex interdependence of societies and a handful of ‘hackers’, members around the world and their growing of a distinct social group (or sub- technological sophistication led to a culture) who are particularly skilled focus on security problems of a trans- programmers or technical experts. In national and/or technological nature. the borderless environment of cyber- The combination of vulnerabilities, space, hackers can exploit computer technology, and transnational issues insecurities in various ways. In par- brought critical infrastructures to cen- ticular, digitally stored information tre stage, particularly because they were can be delayed, disrupted, corrupt- becoming increasingly dependent on ed, destroyed, stolen, or modified.

106 CYBER SECURITY

Intruders can also leave ‘backdoors’ expert level to the diplomatic and for- to come back at a later time, or use eign policy realm. the hijacked machine for attacks on other machines. Though most indi- First, computer security profession- viduals would be expected to lack the als are increasingly concerned with motivation to cause violence or severe the rising level of professionalisation economic or social harm, large sums coupled with the obvious criminal of money might sway them to place (or even strategic) intent behind at- their specialised knowledge at the tacks. Tech-savvy individuals (often disposal of actors with hostile intent juveniles) aiming to create mischief or like terrorists or foreign states. In ad- personally enrich themselves shaped dition, attackers have little to fear in the early history of computer-related terms of retribution. Sophisticated crime. Today, professionals dominate cyber attacks cannot be attributed to the field. Actors in the ‘cyber crime a particular perpetrator, particularly black market’ are highly organised in not within a short timespan. The main terms of their strategic and operation- reasons are the often hidden nature of al vision, logistics, and deployment. exploits and the general architecture of Like many legitimate companies, they cyberspace, which allows online iden- operate across the globe. As a conse- tities to be hidden. quence, the nature of malware has changed. Advanced malware is target- Five developments that speed ed: A hacker picks a victim, examines up militarisation the defences, and then designs spe- The basics as described above provided cific malware to get around them. The a stable setting for the cyber security most prominent example for this kind debate at least since the mid-1990s, if of malware is Stuxnet (see below). not before. Five developments as described below have solidified the im- Second, the main cyber ‘enemy’ in pression that cyber disturbances are the form of a state has been singled- increasingly dangerous and fall under out: There is an increase in allegations the purview of national security. The that China is responsible for cyber es- discovery of Stuxnet is the culmina- pionage in the form of high-level pen- tion point in this evolution. It has etrations of government and business brought about a qualitative and ir- computer systems, in Europe, North reversible change in how the issue is America, and Asia. Because Chinese handled politically: Its discovery has authorities have stated repeatedly that catapulted the cyber issue from the they consider cyberspace a strategic

107 STRATEGIC TRENDS 2012

Timeline: Major known cyber incidents

Malware 1 2 3

Cyber crime/espionage 14 15 16 17 18

‘Cyber war’ 27 2011 1991 1987 1997 1995 1993 1992 2010 2001 1988 1994 1986 1998 1989 1996 1999 1990 2007 2005 2003 2002 2004 2008 2006 2009 2000

Malware 1 Morris Worm: Slowed down machines in the Cyber ARPANET until they became unusable. Huge impact on the general awareness of insecurity. 2 Michelangelo: Overwrote the first hundred sectors of the hard disk with nulls. Caused first digital mass hysteria. 3 Back Orifice: Tool for remote system administration (Trojan horse). 4 Melissa: Shut down Internet mail, clogged systems with infected e-mails. 5 I Love You: Overwrote files with copy of itself, sent itself to the first fifty people in the Windows Address Book. 6 Code Red: Defaced websites, used machines for DDoS-attacks. 7 Nimda: Allowed external control over infected computers. 8 Blaster: DDos-attacks against ‘windowsupdate.com’. System crash as a side effect. Was suspected to have caused black-out in US (could not be confirmed). 9 Slammer: DDoS-attacks, slowed down Internet traffic worldwide. 10 Sasser: Internet traffic slow down, system crash. 11 Conficker: Forms botnets. 12 Stuxnet: Spies on and subverts industrial systems (see also incident 35). 13 Duqu: Looks for information useful in attacking industrial control systems. Code almost identical to Stuxnet (copy-cat software).

Cyber crime/espionage 14 Hanover Hackers (Cuckoo’s Egg): Break-ins into high-profile computer systems in the US. 15 Rome Lab incident: Break-ins into high-profile computer systems in the US. 16 Citibank incident: US$ 10 m siphoned from Citibank and transferred the money to bank accounts around the world. 17 Solar Sunrise: Series of attacks on DoD computer networks. 18 Moonlight Maze: Pattern of probing of high-profile computer systems. 19 Titan Rain: Access to high-profile computer systems in the US. 20 Zeus Botnet: Trojan horse ‘Zeus’, controlled millions of machines in 196 countries.

108 CYBER SECURITY

4 5 6 7 8 9 10 11 12 13

19 20 21 22 23 24 25 26

28 29 30 31 32 33 34 35 2011 1991 1987 1997 1995 1993 1992 2010 2001 1988 1994 1986 1998 1989 1996 1999 1990 2007 2005 2003 2002 2004 2008 2006 2009 2000

21 GhostNet: Cyber-spying operation, infiltration of high-value political, economic, and media locations in 103 countries. 22 Operation Aurora: Attacks against Google and other companies to gain access to and potentially modify source code repositories at these high-tech, security, and defence contractor companies. 23 Wikileaks Cablegate: 251,287 leaked confidential diplomatic cables from 274 US embassies around the world, dated from 28 December 1966 to 28 February 2010. 24 Operations Payback and Avenge Assange: Coordinated, decentralised attacks on opponents of Internet piracy and companies with perceived anti-WikiLeaks behaviour. 25 Sony and other attacks: Highly publicised hacktivist operations.

26 Theft of Co2-Emmission Papers: Theft of 475,000 carbon dioxide emissions allowances worth € 6.9 m, or US$ 9.3 m.

Main incidents dubbed as ‘cyber war’ 27 Dutch hacker incident: Intrusions into Pentagon computers during Gulf War. Access to unclassified, sensitive information. 28 Operation ‘Allied Force’: ‘The first Internet War’. Sustained use of the full-spectrum of information warfare components in combat. Numerous hacktivism incidents. 29 ‘Cyber-Intifada’: Email flooding and Denial-of-Service (DoS) attacks against government and partisan websites during the second Intifada. 30 ‘Cyber World-War I’: Defacement of Chinese and US websites and waves of DDoS-attacks after US reconnaissance and surveillance plane was forced to land on Chinese territory. 31 Iraq: Cyber-attack on cell phones, computers, and other communication devices that terrorists were using to plan and carry out roadside bombs. 32 Estonia DDoS-attacks: DDoS-attacks against web sites of the Estonian parliament, banks, ministries, newspapers, and broadcasters. 33 Georgia DDoS-attacks: DDoS-attacks against numerous Georgian websites. 34 GhostNet infiltrations: GhostNet related infiltrations of computers belonging to Tibetan exile groups. 35 Stuxnet: Computer worm that might have been deliberately released to slow down Iranian nuclear program.

109 STRATEGIC TRENDS 2012 domain and that they hope that mas- engage in related activities of a mul- tering it will equalise the existing mili- tifaceted nature. They creatively play tary imbalance between China and the with anonymity in an age obsessed US more quickly (see Chapter 1 in this with control and surveillance and publication), many US officials read- humiliate high-visibility targets by ily accuse the Chinese government so-called DDoS attacks, which satu- of perpetrating deliberate and tar- rate the target machine with external geted attacks or intelligence-gathering communications requests so that it operations. However, because of the cannot respond to legitimate traffic, attribution problem, these allegations or by break-ins and release of sensi- almost exclusively rely on anecdotal tive information. These events are and circumstantial evidence. Not only perceived as pressing cyber security can attackers hide, it is also impos issues in government because data is sible to know an attacker’s motivation stolen in digital form and/or made or to know a person’s affiliation or available to the whole world through sponsorship, even if the individuals multiple Internet sites. In addition, were known. Therefore, attacks and media attention has been and will exploits that seemingly benefit states likely remain great; the reputational might well be the work of third-party damage has been high. The more actors operating under a variety of obsessed governments become with motivations. At the same time, the cyber security, the more embarrassing attribution challenge also conveniently it is when they become the public tar- allows state actors to distance them- get of break-ins. selves officially from attacks. Fourth, the term ‘cyber war’ is used Third, there has been an increase in more and more frequently in the me- ‘hacktivism’ – a portmanteau word dia but also in policy circles. Original- that combines ‘hacking’ and ‘activism’. ly, the term was coined together with WikiLeaks, for example, has added yet its twin concept ‘netwar’ in the early another twist to the cyber debate. Act- 1990s to signify a set of new opera- ing under the hacker maxim that ‘all tional techniques and a new mode of information should be free’, this type warfare in the information age. Both of activism deliberately challenges have since become part of official the self-proclaimed power of states to (US) military information operations keep information considered vital for doctrine in modified form. But ‘cyber national security secret. Hacker collec- war’ also leads a colourful life outside tives such as Anonymous or LulzSec the military discourse: The popular

110 CYBER SECURITY usage of the word has come to refer to Even though it was not possible to basically any phenomenon involving a provide sufficient evidence for who deliberate disruptive or destructive use was behind the attacks, various offi- of computers, which has prompted US cials readily and publicly blamed the President Barack Obama’s cyber secu- Russian government. Also, despite rity czar Howard Schmidt to repeat- the fact that the attacks had no tru- edly call it a ‘terrible metaphor’. For ly serious consequences for Estonia example, the media proclaimed the other than (minor) economic losses, first cyber World War in 2001. The some officials even openly toyed with cause was an incident in which a US the idea of a counter-attack in the reconnaissance and surveillance plane spirit of Article 5 of the North Atlan- was forced to land on Chinese territory tic Treaty, which states that ‘an armed after a mid-air collision with a Chinese attack’ against one or more NATO jet fighter. Soon after, defacements of countries ‘shall be considered an Chinese and US websites and waves attack against them all’. The Estonian of DDoS attacks began. Individuals example is one of the cases most often from many other nations joined in on referred to in government circles to both sides. TheUS government and prove that there is a need for action military stated that they had sharply and the age of ‘cyber war’ has begun. stepped up network security. Other Similar claims were made in the con- sources reported that the Navy was frontation between Russia and Geor- at INFOCON ALPHA, a cyber ver- gia of 2008. sion of real-world military Defense Readiness Level (DEFCON). Beyond Fifth, the discovery of the computer the hype factor, the true effect of these worm Stuxnet in 2010 changed the online activities is close to zero. overall tone and intensity of the debate even further. Stuxnet is a very Another, even more prominent exam- complex programme. It is likely that ple is the case of the Estonian ‘cyber writing it took a substantial amount war’. When the Estonian authorities of time, advanced-level program- removed a bronze statue of a World ming skills, and insider knowledge War II-era Soviet soldier from a park, of industrial processes. Therefore, a three-plus-week wave of DDoS at- Stuxnet is probably the most expen- tacks started. It downed various web- sive malware ever found. In addition, sites, among them the websites of the it behaves differently from the nor- Estonian parliament, banks, minis- mal criminal-type malware: It does tries, newspapers, and broadcasters. not steal information and it does not

111 STRATEGIC TRENDS 2012 herd infected computers into so-called emerged as a realm in which states see botnets from which to launch further their control and power challenged attacks. Rather, it looks for a very spe- from all sides, but in which they are cific target: Stuxnet was written to at- forced to position themselves as force- tack Siemens’ Supervisory Control And fully as possible, too. Data Acquisition (SCADA) systems that are used to control and monitor Unravelling the Stuxnet effect industrial processes. In August 2010, Whatever the ‘truth’ may be: The the security company Symantec noted Stuxnet incident is a manifestation of that 60 per cent of the infected com- longstanding fears. It is a targeted at- puters worldwide were in Iran. It was tack affecting the control system of a also reported that the Iranian nuclear super-critical infrastructure, invisible programme had been delayed as some and untraceable until it hits. Since so centrifuges had been damaged. little about the worm is known for certain, however, the actual effects The picture that emerges from the in form of damage are impossible to pieces of the puzzle seems to suggest uncover, as is shown in the first sub- that only one or several nation states section below. Other effects, though – the cui bono (‘to whose benefit’) logic also partially speculative, have mani- pointing either to the US or Israel – fested themselves more clearly. One would have the capability and inter- of these fears, covered in the second est to produce and release Stuxnet in subsection, is the fear of proliferation order to sabotage the Iranian nuclear and copycat attacks. Another more programme. However, the one big salient one is psychological and has problem with the Stuxnet story is, once real political consequences: Many again, that it is entirely based on specu- security experts and decision-makers lation: The evidence for Stuxnet being do believe that one or several state ac- a government-sponsored cyber weapon tors created the computer worm. For directed at Iran, though convincing those people, the digital first strike has and plausible, is entirely circumstan- been delivered, and this marks the be- tial. Due to the attribution problem, ginning of the unchecked use of cyber it is impossible to know who gave weapons in military-like aggressions. the order, who actually programmed Cyber security now clearly comes un- Stuxnet, and the real intent behind it. der the purview of diplomats, foreign Rather than making the problem less policy analysts, the intelligence com- serious, however, this fact is at the heart munity, and the military. These reac- of current fears. The cyber domain has tions and their severe consequences

112 CYBER SECURITY for international relations and security systems at the Bushehr plant, but later are the focus of the third subsection. said that Stuxnet had affected a limited number of centrifuges. There also Damage/cost seemed to have been some problems Putting a number to the cost of any at Natanz: A decline in the number of specific malware is a very tricky thing. operating centrifuges from mid-2009 Attempts to collect significant data or to mid-2010 may have been due to the combine them into statistics have failed Stuxnet attack, some experts speculate. due to insurmountable difficulties in All in all, knowing the extent of the establishing what to measure and how effect Stuxnet had on the Iranian nuc to measure it. Numbers that are float- lear programme is impossible; it seems ing around are usually plausible, however, more or less educated Stuxnet is a manifestation that is has delayed ‘guesstimates’, calculated of longstanding fears it, though only for a by somehow adding downtime of ma- short amount of time. The psychologi- chines and the cost for making them cal effect on the Iranian government, malware-free. The same problem applies though also not easily fathomable, is to Stuxnet. Shortly after the worm was likely to have been very high. discovered, Symantec estimated that between 15,000 and 20,000 systems Proliferation effect were infected. These numbers increased The discovery of Stuxnet and subse- the longer the worm was known. Sie- quent rumours that its source code mens on the other hand reported that was for sale led some experts to fear the worm had infected 15 plants with a rapid proliferation of this type of their SCADA software installed, both in programming and many so-called and out of Iran. In the end, Symantec piggyback attacks. This would make set both the damage and the distribu- SCADA systems – computer systems tion level of the malware to medium. that monitor and control industrial, infrastructure, or facility-based pro- In the mainstream representation of cesses – the target of choice in the the Stuxnet story, the Bushehr nuclear near to mid-term future for all types plant is the intended target of the attack. of hacks, with potentially grave conse- Indeed, the operational start of Bushehr quences, also due to unintended side was delayed by several months: Iranian effects. Other analysts have described officials blamed the hot weather and these fears as groundless, because even later a leak for it. Officially, Tehran at if somebody had acquired the source first denied the worm infected critical code, they would have to be just as

113 STRATEGIC TRENDS 2012 capable as the initial programmers for Though consolidated numbers are the variant to be as successful. Once a hard to come by, the amount of mon- piece of malware has been discovered, ey spent on defence-related aspects of even if it is a sophisticated specimen, cyber security seems to be rising stead- merely copying it will be of little use if ily. The new cyber military-industrial the computer vulnerability it exploit- complex that has emerged is estimated ed has been patched in the meantime. to deliver returns of US$ 80 to 150 bil- lion a year, and big defence companies So far, no proliferation effect has like Boeing and Northrop Grumman materialised; however, in September are repositioning themselves to service 2011, another worm (Duqu) was dis- the cyber security market. In addition, covered that is reportedly very similar some states, particularly those not to Stuxnet, and was probably written allied with the US, have ramped up by the same authors. It mainly looks their rhetoric. For example, Iranian for information that could be useful officials have gone on the record as in attacking industrial control systems condoning hackers who work in the and does not sabotage any parts of the state’s interest. As a result, the first infrastructure. signs of a cyber security dilemma are discernible: Although most states still Political and psychological effect predominantly focus on cyber de- The greatest effect the worm has had is fence issues, measures taken by some clearly psychological: It has left many nations are seen by others as covert state officials deeply frightened. This signs of aggression. That leads to more fear has political consequences. First, insecurity for everyone – specifically on the national level, governments because it is impossible to assess an- are currently releasing or updating other state’s cyber capabilities. cyber security strategies and are setting up new organisational units for Flawed assumptions and cyber defence. Second, internationally, detrimental effects increased attention is being devoted The militarisation of cyber security to the strategic-military aspects of the is first and foremost based on the be- problem. The focus is on attacks that lief in a massive threat of a large-scale could cause catastrophic incidents cyber attack. There are two aspects to involving critical infrastructures. More this perception: In the first subsection, and more states report that they have it is shown how and why the past and opened ‘cyber-commands’, which are current level of the threat is overrat- military units for cyber war activities. ed. The second subsection places the

114 CYBER SECURITY future likelihood of cyber war into per- security costs. Beyond the direct im- spective. It shows that now and in the pact, badly handled cyber attacks have future, the probability of a large-scale also damaged corporate (and govern- attack is very low. The third subsection ment) reputations and have, theoreti- looks at an additional reason for how cally at least, the potential to reduce widespread the fear of cyber war has public confidence in the security of become: Most countries simply follow Internet transactions and e-commerce the threat perception and reasoning of if they become more frequent. the US, even though the strategic context and disparity in power positions However, in the entire history of warrant a different threat assessment. computer networks, there are no ex- The fourth subsection finally criticises amples of cyber attacks that resulted the widespread use of vocabulary that in actual physical violence against is full of military analogies. Such vo- persons (nobody has ever died from cabulary insinuates a reality governed a cyber incident), and only very few by the traditional logic of offense and had a substantial effect on property defence – a reality that does not exist. (Stuxnet being the most prominent). Even worse, it is decoupled from the So far, cyber attacks have not caused reality of the threat and the possibility serious long-term disruptions. They for meaningful countermeasures and are risks that can be dealt with by is complicit in solidifying the militari- individual entities using standard sation of cyber security. information security measures, and their overall costs remain low in com- An overrated threat parison to other risk categories such There is no denying that different po- as financial risks. litical, economic, and military conflicts have had cyber(ed) components These facts tend to be almost com- for a number of years now. Further- pletely disregarded in policy circles. more, criminal and espionage activities There are several reasons why the involving the use of computers hap- threat is overrated. First, as combat- pen every day. It is a fact that cyber ing cyber threats has become a highly incidents are continually causing politicised issue, official statements minor and only occasionally major about the level of threat must also be inconveniences: These may be in the seen in the context of competition for form of lost intellectual property or resources and influence between vari- other proprietary data, maintenance ous bureaucratic entities. This is usu- and repair, lost revenue, and increased ally done by stating an urgent need

115 STRATEGIC TRENDS 2012 for action and describing the overall of so-called ‘dread risks’, which are threat as big and rising. perceived as catastrophic, fatal, un- known, and basically uncontrollable. Second, psychological research has There is a propensity to be dispropor- shown that risk perception, includ- tionally afraid of these risks despite ing the perception of experts, is highly their low probability, which translates dependent on intuition and emo- into pressure for regulatory action of tions. Cyber risks, especially in their all sorts and the willingness to bear more extreme form, fit the risk profile high costs of uncertain benefit.

Types of cyber conflict

Cyber war: The use of computers to disrupt the activities of an enemy country, especially deliberate attacks on communication systems. The term is also used loosely for Cyber war cyber incidents of a political nature.

Cyber terror: Unlawful attacks against Cyber terror computers, networks, and the information stored therein, to intimidate or coerce a government or its people in furtherance of political or social objectives. Such an attack Cyber sabotage should result in violence against persons or property, or at least cause enough harm to generate the requisite fear level to be considered ‘cyber terrorism’. The term is also used loosely for cyber incidents of a Cyber espionage political nature.

Cyber sabotage: The deliberate disturbance of an economic or military process for achieving a particular (often political) goal Cyber crime with cyber means.

Cyber espionage: The unauthorised probing to test a target computer’s configuration or evaluate its system defenses, or the unauthorised viewing and copying of data files.

Hacktivism Cyber crime: A criminal activity done using computers and the Internet.

Hacktivism: The combination of hacking and Higher damage – Lower probability activism, including operations that use hacking techniques against a target’s Internet site with the intention of disrupting normal operations.

116 CYBER SECURITY

Third, the media distorts the threat effective for military purposes: It is perception even further. There is no exceptionally difficult to take down hard data for the assumption that the multiple, specific targets and keep level of cyber risks is actually rising them down over time. The key dif- – beyond the perception of impact ficulty is proper reconnaissance and and fear. Some IT security companies targeting, as well as the need to deal have recently warned against overem- with a variety of diverse systems and phasising sophisticated attacks just be ready for countermoves from your because we hear more about them. adversary. In 2010, only about 3 per cent of all incidents were considered so sophis- Furthermore, nobody can be truly ticated that they were impossible to interested in allowing the unfettered stop. The vast majority of attackers proliferation and use of cyber war go after low-hanging fruit, which are tools, least of all the countries with small to medium sized enterprises the offensive lead in this domain. with bad defences. These types of Quite to the contrary, strong argu- incidents tend to remain under the ments can be made that the world’s radar of the media and even law en- big powers have an overall strategic forcement. interest in developing and accept- ing internationally agreed norms on Cyber war remains unlikely cyber war, and in creating agree- Since the potentially devastating ments that might pertain to the effects of cyber attacks are so scary, the development, distribution, and de- temptation is very high not only to ployment of cyber weapons or to think about worst-case scenarios, but their use (though the effectiveness of also to give them a lot of (often too such norms must remain doubtful). much) weight despite their very low The most obvious reason is that the probability. However, most experts countries that are currently openly agree that strategic cyber war remains discussing the use of cyber war tools highly unlikely in the foreseeable are precisely the ones that are the future, mainly due to the uncertain most vulnerable to cyber warfare at- results such a war would bring, the tacks due to their high dependency lack of motivation on the part of the on information infrastructure. The possible combatants, and their shared features of the emerging informa- inability to defend against counterat- tion environment make it extremely tacks. Indeed, it is hard to see how unlikely that any but the most lim- cyber attacks could ever become truly ited and tactically oriented instances

117 STRATEGIC TRENDS 2012 of computer attacks could be con- Europe is not the US tained. More likely, computer at- The cyber security discourse is Ameri- tacks could ‘blow back’ through the can in origin and American in the interdependencies that are such an making: At all times, the US govern- essential feature of the environment. ment shaped both the threat percep- Even relatively harmless viruses and tion and the envisaged countermeas- worms would cause considerable ures. Interestingly enough, there are random disruption to businesses, almost no variations to be found in governments, and consumers. This other countries’ cyber threat discus- risk would most likely weigh much sions – even though the strategic heavier than the uncertain benefits to contexts differ fundamentally. Many be gained from cyber war activities. of the assumptions at the heart of the cyber security debate are shaped Certainly, thinking about (and plan- by the fears of a military and politi- ning for) worst-case scenarios is a cal superpower. The US eyes the cyber legitimate task of the national secu- capabilities of its traditional rivals, the rity apparatus. Also, it seems almost rising power of China and the declin- inevitable that until cyber war is ing power of Russia, with particular proven to be ineffective suspicion. This follows or forbidden, states and Cyber crime and cyber a conventional stra- non-state actors who espionage will remain tegic logic: The main the biggest cyber risks have the ability to de- question is whether velop cyber weapons will try to do the cyber dimension could suddenly so, because they appear cost-effective, tip the scales of power against the US more stealthy, and less risky than oth- or have a negative effect on its ability er forms of armed conflict. However, to project power anywhere and any- cyber war should not receive too much time. In addition, due to its exposure attention at the expense of more plau- in world politics and its military en- sible and possible cyber problems. gagements, the US is a prime target Using too many resources for high- for asymmetric attack. impact, low-probability events – and therefore having less resources for the The surely correct assumption that low to middle impact and high prob- modern societies and their armed forc- ability events – does not make sense, es depend on the smooth functioning neither politically, nor strategically of information and communication and certainly not when applying a technology does not automatically cost-benefit logic. mean that this dependence will be

118 CYBER SECURITY exploited – particularly not for the ma- offence’, ‘cyber defence’, and ‘cyber jority of states in Europe. The existence deterrence’ suggest that cyberspace of the cyber realm seems to lead peo- can and should be handled as an op- ple to assume that because they have erational domain of warfare like land, vulnerabilities, they will be exploited. sea, air, and outer space (cyberspace But in security and defence matters, has in fact been officially recognised careful threat assessments need to be as a new domain in US military doc- made. Such assessments require that trine). Again, this assumption clashes the following question be carefully with the reality of the threat and the deliberated: ‘Who has an interest in possibilities for countermeasures. attacking us and the capability to do so, and why would they?’ For many demo- First, calling offensive measures cyber cratic states, particularly in Europe, the weapons does not change the fact that risk of outright war has moved far to hacker tools are not really like physical the background and the tasks of their weapons. They are opportunistic and armies have been adapted to this. Fears aimed at outsmarting the technical of asymmetric attacks also rank low. defences. As a result, their effect is usu- The same logic applies to the cyber do- ally not controllable in a military sense main. The risk of a warlike cyber attack – they might deliver something useful of severe proportions is minimal; there or they might not. Also, even though is no plausible scenario for it. Cyber code can be copied, the knowledge crime and cyber espionage, both politi- and preparation behind it cannot be cal and economic, are a different story: easily proliferated. Each new weapon They are here now and will remain the needs to be tailored to the system it biggest cyber risks in the future. is supposed to attack. Cyber weapons cannot be kept in a ‘silo’ for a long The limits of analogies time, because at any time, the vulner- Even if the cyber threat were to be ability in the system that it is targeted considered very high, the current at could be patched and the weapon trend conjures up wrong images. would be rendered useless. Analogies are very useful for relating non-familiar concepts or complex ide- Second, thinking in terms of attacks as with more simple and familiar ones. and defence creates a wrong image of But when taken too far, or even taken immediacy of cause and effect. How- for real, they begin to have detrimen- ever, high-level cyber attacks against tal effects. Military terms like ‘cyber infrastructure targets will likely be weapons’, ‘cyber capabilities’, ‘cyber the culmination of long-term, subtle,

119 STRATEGIC TRENDS 2012 systematic intrusions. The prepara- other that it is both capable and tory phase could take place over sev- willing to use a set of available (of- eral years. When – or rather if – an ten military) instruments against the intrusion is detected, it is often im- other side if the latter steps over the possible to determine whether it was line. This requires an opponent that an act of vandalism, computer crime, is clearly identifiable as an attacker terrorism, foreign intelligence activ- and has to fear retaliation – which ity, or some form of strategic military is not the case in cyber security be- attack. The only way to determine cause of the attribution problem. the source, nature, and scope of the Attribution of blame on the basis incident is to investigate it. This again of the cui bono logic is not suf- might take years, with highly uncer- ficient proof for political action. tain results. The military notion of Therefore, deterrence and retribu- striking back is therefore useless in tion do not work in cyberspace and most cases. will not, unless its rules are changed in substantial ways, with highly Third, deterrence works if one party uncertain benefits. Much of what is is able to successfully convey to an- said in China and in the US about

Types of cyber malware and attack modes Malware: A collective term for all types of malicious code and software Exploit Taking advantage of computer vulnerability to cause unintended or unanticipated behaviour. This includes gaining control of a computer system. Virus/worm Computer programmes that replicate functional copies of themselves with varying effects ranging from mere annoyance and inconvenience to compromise of the confidentiality or integrity of information. Viruses need to attach themselves to an existing program, worms do not. Spyware Malware that collects information about users without their knowledge. Trojan horse Malicious program that acts in an automatic manner. Trojan horses can make copies of themselves, steal information, or harm their host computer systems, or allow a hacker remote access to a target computer system. DDoS-attack Attempt to make a computer or network resource unavailable to its intended users, mostly by saturating the target machine with external communications requests so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Advanced A cyber-attack category, which connotes an attack with a high degree of persistent sophistication and stealthiness over a prolonged duration of time. The attack threats objectives typically extend beyond immediate financial gain. Botnets A collection of compromised computers connected to the Internet. They run (or bots) hidden and can be exploited for further use by the person controlling them remotely.

120 CYBER SECURITY their own and the other’s cyber The role of the military in capabilities is (old) deterrence rheto- cyber security ric – and must be understood as such. Future conflicts between nations The White House’s new International will most certainly have a cyberspace Strategy for Cyberspace of 2011 component, but this will just be an states that the US reserves the right to accompanying element of the bat- retaliate to hostile acts in cyberspace tle. Regardless of how high we judge with military force. This ‘hack us and the risk of a large-scale cyber attack, we might bomb you’ statement is an military-type countermeasures will old-fashioned declaratory policy that not be able to play a substantial role preserves the option of asymmetrical in cyber security because of the nature response as a means of deterrence, of the attacker and the nature of the even though both sides actually know attacked. Investing too much time that following up on it is next to talking about them or spending in- impossible. creasing amounts of money on them will not make cyberspace more secure Fourth, cyberspace is only in parts – quite the contrary. These findings controlled or controllable by state are not particularly new: Most experts actors. At least in the case of democ- had come to the same conclusion in racies, power in this domain is in the the late 1990s, when the debate was hands of private actors, especially the not yet as securitised. At the time, the business sector. Much of the expertise issue was discussed under the head- and many of the resources required ing of critical infrastructure protec- for taking better protective measures tion rather than cyber security, but are located outside governments. The the basic premises were the same. The military – or any other state entity for role for the military as conceptualised that matter – does not own critical (in- then hardly differs from the role the formation) infrastructures and has no military should take on today. direct access to them. Protecting them as a military mandate is impossible, Undoubtedly, attacks on information and conceiving of cyberspace as an technology, manipulation of informa- occupation zone is an illusion. Mili- tion, or espionage can have serious taries cannot defend the cyberspace of effects on the present and/or future their country – it is not a space where of defensive or offensive effectiveness troops and tanks can be deployed, be- of one’s own armed forces. First and cause the logic of national boundaries foremost, militaries should therefore does not apply. focus on the protection and resilience

121 STRATEGIC TRENDS 2012 of their information infrastructure and to be a major centre of gravity, i.e., networks, particularly the critical parts a source of strength and power that of it, at all times. All the successful at- needs to be weakened in order to pre- tacks on military and military-affiliated vail. However, intelligence-gathering networks over the last few years are less by means of cyber espionage must a sign of impending cyber-doom than a be treated with utmost care: In an at- sign of low information security prow- mosphere fraught with tension, such ess in the military. In case the unfortu- activities, even if or especially because nate label ‘cyber defence’ should stick, they are non-attributable, will be read it will be crucial to make sure that eve- as signs of aggression and will add rybody – including top-level decision- further twists to the spiral of insecu- makers – understand that cyber defence rity, with detrimental effects for eve- is not much more than a fancy word for rybody. The implication of this is that standard information assurance and risk military staff involved in operative management practices. Furthermore, and military strategic planning and information assurance is not provided the intelligence community will have by obscure ‘cyber commands’, but by to be aware of cyber issues too. How- computer security specialists, whether ever, in the future, decisive strikes they wear uniforms or not. against critical (information) infrastructure will most likely still consist The cyber dimension is also relevant in of kinetic attacks or traditional forms military operations insofar as an adver- of sabotage rather than the intrusion sary’s critical infrastructure is deemed of computer systems.

Recent national strategies for cyber security

United States Department of Defense, ‘Strategy for Operating in Cyberspace’ (2011) The White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011) Department of Homeland Security, ‘Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise’ (2011) UK ‘The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World’ (2011) France Premier ministre, ‘Défense et sécurité des systèmes d’information: Stratégie de la France’ (2011) Germany Federal Ministry of the Interior, ‘Cyber Security Strategy for Germany’ (2011) The Netherlands ‘The National Cyber Security Strategy (NCSS): Success through cooperation’ (2011) India Department of Information Technology, ‘Cyber Security Strategy’ (2011)

122 CYBER SECURITY

As for the things the military should are usually not part of the military not do when it comes to the realm of or intelligence establishment. This is cyberspace, two major points come complemented by measures taken to to mind. First, particularly as long as ensure that the damage potential of a the ability to withstand cyber intru- successful attack is constantly decreas- sions of military networks or civilian ing, for example by augmenting the networks remains low, it is unwise to resilience of information networks declare the development or possession and critical infrastructures. of offensive measures. It does not have a credible deterring effect, the actual In conclusion, governments and mili- use would bring unclear benefits and tary actors should acknowledge that high risks, and again, it adds to the their role in cyber security can only cyber security dilemma. be a limited one, even if they consider cyber threats to be a major national Second, the military cannot take security threat. Cyber security is and on a substantial role in ensuring the will remain a shared responsibility be- cyber security of a whole country. tween public and private actors. Gov- Due to privatisation and deregulation ernments should maintain their role of many parts of the public sector in in protecting critical infrastructure most of the developed world, between where necessary while determining 85 and 95 per cent of the critical how best to encourage market forces infrastructure are owned and operated to improve the security and resilience by the private sector. Given that overly of company-owned networks. Threat- intrusive market interventions are not representation must remain well deemed a valid option, states have but informed and well balanced in order one option: to try to get the private to prevent overreactions. Despite the sector to help in the task of protect- increasing attention cyber security is ing these assets. What emerged from getting in security politics, computer this in the late 1990s already was a network vulnerabilities are mainly a focus on critical infrastructure pro- business and espionage problem. Fur- tection, with one particularly strong ther militarising cyberspace based on pillar: public-private partnerships. A the fear of other states’ cyber capabili- large number of them were (and still ties or trying to solve the attribution are) geared towards facilitating infor- problem will have detrimental ef- mation exchange between companies fects on the way humankind uses the themselves, but also between compa- Internet; and the overall cost of these nies and government entities, which measures will most likely outweigh

123 STRATEGIC TRENDS 2012 the benefits. What is most needed and a move towards more level-head- in the current debate is a move away ed threat assessments that take into from fear-based doomsday thinking account the strategic context.

124