CIVIL DIMENSION OF SECURITY
171 CDS 11 E rev. 1 final
Original: English
NATO Parliamentary Assembly
INFORMATIONS AND NATIONAL SECURITY
GENERAL REPORT
LORD JOPLING (UNITED KINGDOM)
GENERAL RAPPORTEUR
International Secretariat
Assembly documents are available on its website, http://www.nato-pa.int
October 2011
TABLE OF CONTENTS
I. INTRODUCTION 1
II. THE INFORMATION AGE AND THE NOTION OF SECRECY IN INTERNATIONAL RELATIONS 2
A. THE “CABLEGATE” 2
B. REACTION TO THE LEAKS 3
C. TRANSPARENCY VS. SECRECY 4
III. DIGITAL (H)ACTIVISM 5
A. THE PHENOMENON OF HACTIVISM 5
B. THE ROLE OF THE SOCIAL MEDIA 6
IV. CYBER ATTACKS AND CYBER DEFENCE 8
A. TYPES OF CYBER ATTACKS 10
1. DDoS attacks 10
2. Malware attacks 11
3. Stuxnet 11
B. NATO AND CYBER DEFENCE 12
1. NATO’s cyber agenda 12
2. National policies of member states 14
V. INFORMATION AND CYBER SECURITY: OPTIONS FOR THE INTERNATIONAL COMMUNITY AND NATO 16
I. INTRODUCTION
1. The ongoing information revolution poses a series of political, cultural, economic as well as
national security challenges. Changing communications, computing and information storage
patterns are challenging notions such as privacy, identity, national borders and societal structures.
The profound changes inherent in this revolution are also changing the way we look at security,
often in unanticipated ways, and demanding innovative responses. It is said that because of this
revolution, the time it takes to cross the Atlantic has shrunk to 30 milliseconds, compared with
30 minutes for Intercontinental Ballistic Missiles (ICBMs) and several months going by boat.1
Meanwhile, a whole new family of actors are emerging on the international stage, such as virtual
“hactivist” groups. These could potentially lead to a new class of international conflicts between
these groups and nation states, or even to conflicts between exclusively virtual entities.
2. One of the most fundamental characteristics of the Information Age is its ability to connect.
In this regard, the main tool is the Internet and the fact that bandwidth and storage capacity is
currently doubling every 12 months.2 Interconnectivity is now central to government offices, critical
infrastructures, telecommunications, finance, transportation, and emergency services.
Interconnectivity is also central to culture and education. Even where communication and data
exchanges are not routed through the Internet, they still, in many cases, use the same fibre optic
cables.3
3. Despite its inherent advantages, this dependence on information technology has also made
state and society much more vulnerable to attacks such as computer intrusions, scrambling
software programmes, undetected insiders within computer firewalls, or cyber terrorists. The
Internet is inherently insecure as it was designed as a benign enterprise of information exchange,
a decentralised patchwork of systems that ensures relative anonymity. It is ill-equipped to trace
perpetrators or to prevent them from abusing the intrinsic openness of the cyber domain. In this
context, the key national security dilemma of the Information Age is how to create an effective and
transparent government, which, at the same time, is also able to protect its citizens and vital
national interests. Furthermore, in this Information Age, the North Atlantic Alliance faces a
dilemma of how to maintain cohesion in the environment where sharing information with Allies
increases information security risks, but where withholding it undermines the relevance and
capabilities of the Alliance.
4. It is a critical time for the NATO Parliamentary Assembly (NATO PA) to discuss cyber
security, as the Alliance has recently adopted its new comprehensive Cyber Security Policy and
Action Plan. The details of this document are not publicly available for understandable reasons.
Since the cyber domain is extremely dynamic and increasingly complex, cyber security and
defence strategies of the Alliance as well as of individual Allies will be in a constant need of
updating and revisiting.
5. This report will focus on three facets of the linkage between Information Age and national
security. First, it will discuss the changing notion of secrecy in international relations. This issue
was brought to prominence by the so-called “Cablegate” scandal. While the publication of
classified diplomatic correspondence was not a result of a cyber attack, it is nevertheless directly
linked to the information revolution: remarkable advances in data storage technology allowed one
1 As pointed out by Craig Mundie, Chief Research and Strategy Officer, Microsoft. See in Cybersecurity:
Is Technology Moving Faster than Policy? Security & Defence Agenda report. 31 January 2011.
http://www.securitydefenceagenda.org/Portals/14/Documents/Publications/2011/Cybersecurity_Dinner_report_Final2.pdf
2 Reducing Systemic Cybersecurity Risk, OECD/IFP Project on “Future Global Shocks”. Peter Sommer
& Ian Brown. January 2011.
3 Cyber war and cyber power. Issues for NATO doctrine. By Jeffrey Hunker. NATO Defense College
Research Paper No. 62, November 2010.
person to easily download colossal volumes of data that has taken the print media months, and
possibly years, to digest and to publish.
6. Second, the explosion of Internet usage is creating the phenomenon we refer to as “digital
(h)activism”. Social media and other Internet-based communities are creating new, ad hoc and
cross-border allegiances that can manifest themselves in a variety of positive (reinforcing civil
societies in authoritarian countries) and negative (empowering hacker groups that act against
those who do not share their political worldview) ways.
7. Third, the report will discuss the challenge of direct cyber threats against states and, in
particular, NATO’s role in cyber defence as one of the principal topics for the Euro-Atlantic
community, particularly in the wake of the Lisbon Summit.
8. The report will not address the specific issue of cyber crime. While cyber theft and child
pornography are issues of grave concern for the international community4, they do not have direct
national security implications and are addressed by a number of other international organisations,
including the UN, EU, OSCE, OECD and G8. The Council of Europe Convention on Cybercrime –
which requires its parties to criminalise a number of activities in cyber space relating to
infringements of copyright, computer-related fraud and child pornography – is a particularly
noteworthy initiative that has yet to be ratified by several NATO member states.5
9. This report also represents the continuing effort by the Committee on the Civil Dimension of
Security to discuss the issue of critical infrastructure protection within the Alliance. Cyber
technologies are not only key enablers for systems such as energy generation or transport, but
can themselves be considered as critical national infrastructure.
10. The report also builds upon the contribution by other NATO PA Committees, particularly the
2009 Sub-Committee on Future Security and Defence Capabilities report NATO and Cyber
Defence [173 DSCFC 09 E bis] by Sverre Myrli (Norway) and the 2007 Science and Technology
Committee report Transforming the Future of Warfare: Network-Enabled Capabilities and
Unmanned Systems [175 STC 07 E bis] by Sen. Pierre Claude Nolin (Canada).
II. THE INFORMATION AGE AND THE NOTION OF SECRECY IN INTERNATIONAL RELATIONS
11. This chapter will discuss the challenges of protecting classified information in the age of
Internet. It will also outline the political and security implications of the “Cablegate” scandal that
highlighted the inter-agency and international co-operation versus sensitive information security
dilemma.
A. THE “CABLEGATE”
12. According to the 11 September attacks investigation, the US government failed to ensure
adequate information sharing, which could have prevented the attacks (FBI failed to share details
connected to an al-Qaeda operative, who later proved to be key in uncovering the plot). As a
result, representatives of the political elite, the military, and the financial world all pressed for wider
sharing of classified information in order to increase operational efficiency in protection of the
4 President Obama has said cyber criminals have caused around US$1 trillion damage worldwide in
one year.
5 All NATO nations (including CoE non-member states Canada and the United States) have signed the
Convention, but Belgium, Canada, the Czech Republic, Greece, Luxembourg, Poland, Spain and
Turkey have not ratified it. CoE member state Russia did not sign the Convention.
country. Therefore, the US government adopted a policy of information sharing, which it applied to
numerous US governmental institutions and agencies including the Department of Defense (DoD)
and the State Department (DoS).
13. This policy resulted in a dramatic increase in the number of people obtaining access to classified
information.6 Approximately 854,000 people now possess top-secret security clearances. For
almost 10 years now, embassy cables have been distributed through the SIPRNet (Secret Internet
Protocol Router Network operated by the DoD), which has made them accessible to DoS
employees all around the world, to all members of the US military and contractors with necessary
security clearance. Eventually, several millions of people ended up having access to materials
such as US diplomatic cables.7 According to information-security experts familiar with the
SIPRNet, the data-sharing system was not programmed to detect unauthorised downloading by
anyone who had access to this pool of data. Thus, those in charge of the network design relied on
those who had access to this sensitive data to protect it from abuse. These users were never
scrutinised by any state agency responsible for the data-sharing system.8
14. The US government’s post-9/11 policy on information-sharing received the most serious
blow when the “anti-secrecy” organisation WikiLeaks started publishing documents of different
levels of confidentiality. Its first major release (April 2010) was a video of a US helicopter shooting
into a crowd in Bagdad in 2007 which killed 18 people, including two Reuters journalists. Shortly
after, the release of 77,000 documents allegedly revealing the realities of the Afghan war were
made public, as well as almost 400,000 secret Pentagon documents on the Iraq war.9 In
November 2010, WikiLeaks started releasing about 250,000 US diplomatic cables, many of which
were classified. The cables provided US diplomats’ candid assessments of terrorist threats and the
behaviour of world leaders.10 Currently, the US authorities suspect that the material was leaked by
Private Bradley Manning stationed in the Persian Gulf, who had downloaded the information from
a computer in Kuwait. He then allegedly passed these files on to the “whistleblower” organisation,
which made them public.
B. REACTION TO THE LEAKS
15. WikiLeaks has spurred public debate with each of its releases. Nevertheless, the
November 2010 release of US diplomatic cables got the most aggressive reactions from politicians
world-wide. In anticipation of the leaks, Secretary of State Hillary Clinton and her diplomats
warned foreign officials about the upcoming leak days before the November 2010 release
happened. Following the release, the White House11 as well as the DoS were quick to denounce
the leak and, as Secretary of State Clinton put it, characterised the cable disclosure as an “attack
on both the United States and the entire international community”.12 Consequently, countries
including Turkey, Iraq, Afghanistan, China as well as NATO were quick to condemn the leak.13
6 A hidden world, growing beyond control. By Dana Priest and William M. Arkin. A Washington Post
Investigation. 19 July 2010.
7 WikiLeaks: the price of sharing data. IISS Strategic Comments. Volume 17, Comment 3. January 2011.
8 Cables leak reveals flaws of information-sharing tool. By Joby Warrick. The Washington Post.
31 December 2010.
9 WikiLeaks Founder on the Run, Chased by Turmoil. By John F. Burns and Ravi Somaiya.
The New York Times. 23 October 2010.
10 Leaked Cables Offer Raw Look at U.S. Diplomacy. By Scott Shane and Andrew W. Lehren.
The New York Times. 28 November 2010.
11 WikiLeaks: Saudi King Abdullah Encouraged U.S. to Attack Iran; Chinese Politburo Hacked Into
Google. New York News & Features. 28 November 2010.
12 Reaction to Leak of U.S. Diplomatic Cables, Day 2. By Robert Mackey. The New York Times.
29 November 2010.
13 Reaction to Leak of U.S. Diplomatic Cables, Day 2. By Robert Mackey. The New York Times.
29 November 2010.
16. On the day of the release, the White House ordered government agencies to review security
procedures and ensure that only the necessary users had access to their documents.14 Soon after,
the President’s Office also appointed an Interagency Policy Committee for WikiLeaks, which was
to assess the damage caused by the leaks, co-ordinate agencies’ reactions, and improve the
security of classified documents.15 The US DoD conducted an internal 60-day review of security
procedures. It also disabled the usage of different storage media and the capability to write or burn
removable media on DoD classified computers.16 The Defense Information Systems Agency has
also launched a new Host-Based Security System, which is meant to monitor software and policy
rules in order to spot suspicious behaviour and alert responsible authorities. For example, the
software should set off an alarm if large quantities of data are being downloaded. Today,
approximately 60% of SIPRNet is protected by the software. In order for it to be bullet-proof,
however, it will probably require additional compartmentalisation of information.17 A similar tracking
mechanism is being adopted by US intelligence agencies (referred to as “enhanced automated,
on-line audit capability”).18
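The volume-based alarm described above, as an added example that is not part of the report or of the Host-Based Security System itself: a Python check over constructed audit-log lines (the log format, user names and thresholds are all assumed) that flags a user-day whose download volume breaches an absolute cap or departs sharply from that user's own baseline, which is the kind of detection the SIPRNet sharing system was reported to lack.

```python
"""Bulk-download detection over a classified-network audit log.

Added example: flags accounts that pull large quantities of data in one day.
The log format, thresholds and sample data below are assumptions, not the
actual HBSS or SIPRNet format.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample audit lines (assumed format):
# "<ISO timestamp> <user> <action> <bytes> <document-id>"
SAMPLE_AUDIT_LOG = """\
2010-11-01T09:02:11Z alice READ 4096 cable-0001
2010-11-01T09:15:40Z alice READ 8192 cable-0002
2010-11-01T10:01:05Z bob READ 2048 cable-0003
2010-11-01T10:05:05Z bob READ 4096 cable-0004
2010-11-02T08:40:00Z alice READ 4096 cable-0005
2010-11-02T22:11:09Z bob READ 5242880 cable-0100
2010-11-02T22:11:10Z bob READ 5242880 cable-0101
2010-11-02T22:11:11Z bob READ 5242880 cable-0102
2010-11-02T22:11:12Z bob READ 5242880 cable-0103
2010-11-02T22:11:13Z bob READ 5242880 cable-0104
2010-11-03T09:00:00Z carol READ 1024 cable-0006
"""


def parse_audit_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes, doc_id = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "action": action,
                       "bytes": int(nbytes), "doc": doc_id})
    return events


def daily_totals(events):
    """Aggregate read volume and distinct documents per (user, calendar day)."""
    totals = defaultdict(lambda: {"bytes": 0, "docs": set()})
    for e in events:
        if e["action"] != "READ":
            continue
        key = (e["user"], e["time"].date())
        totals[key]["bytes"] += e["bytes"]
        totals[key]["docs"].add(e["doc"])
    return totals


def detect_bulk_downloads(events, max_bytes_per_day=1_000_000,
                          max_docs_per_day=100, baseline_ratio=10.0):
    """Return one alert per user-day that trips any of three checks:
    an absolute byte cap, an absolute document-count cap, or a volume more
    than baseline_ratio times the median of that user's *other* days.
    The baseline check is skipped for users with a single observed day."""
    totals = daily_totals(events)
    per_user = defaultdict(list)  # user -> [(day, bytes), ...]
    for (user, day), t in totals.items():
        per_user[user].append((day, t["bytes"]))

    alerts = []
    for (user, day), t in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        reasons = []
        if t["bytes"] > max_bytes_per_day:
            reasons.append("bytes_over_cap")
        if len(t["docs"]) > max_docs_per_day:
            reasons.append("docs_over_cap")
        others = [b for d, b in per_user[user] if d != day]
        if others:
            base = median(others)
            if base > 0 and t["bytes"] > baseline_ratio * base:
                reasons.append("deviation_from_baseline")
        if reasons:
            alerts.append({"user": user, "day": day.isoformat(), "bytes": t["bytes"],
                           "docs": len(t["docs"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_downloads(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {a['day']} user={a['user']} bytes={a['bytes']} "
              f"docs={a['docs']} reasons={','.join(a['reasons'])}")
```

A volume rule of this kind only sees what crosses the monitored host, which is why the report notes that compartmentalisation is still needed: an account that is entitled to read everything produces no anomaly until it reads a great deal of it.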
17. The DoS has limited the number of people with access to the Net Centric Diplomacy
database, which contains diplomatic reports,19 suspended access to SIPRNet and to two
classified sites, ClassNet and SharePoint, and prohibited the use of any removable data
storage devices.20 Following the leaks, the US Air Force has blocked its employees’ access to at
least 20 websites containing the leaked documents such as “The New York Times” and
“The Guardian”. The Pentagon prohibited its employees from accessing the WikiLeaks website on
government computers “because the information there is still considered classified”.21 Eventually,
the administration banned hundreds of thousands of federal employees of the Department of
Education, Commerce Department, and other government agencies from accessing the site. The
Library of Congress, one of the world’s biggest libraries, also issued a statement saying that it
would block WikiLeaks.22
18. As far as the WikiLeaks website was concerned, following the leak it suffered repeated
distributed denial of service attacks, which prompted it to move its server. Companies such as
Visa, Mastercard or Paypal suspended all their services to the organisation, which relies heavily on
online donations from its supporters worldwide.23
C. TRANSPARENCY VS. SECRECY
19. The relationship between transparency and secrecy remains a key dilemma in the
Information Age and has dominated worldwide media, especially since the outbreak of the
WikiLeaks phenomenon. On the one hand, there are pro-transparency advocates who argue that
the existence of WikiLeaks certifies that transparency of governments and other organisations is
publicly desired. According to them, it is precisely the current Internet age that is conducive to
14 Pentagon revamps security in wake of Wikileaks. Homeland Security Newswire. 29 December 2010.
15 White House memo outlines new anti-leak measures. Reuters. 2 December 2010.
16 Pentagon revamps security in wake of Wikileaks. Homeland Security Newswire. 29 December 2010.
17 U.S. Clamps Down on Info Sharing. Defense News. 6 December 2010.
18 WikiLeaks fallout leads to an info-sharing clampdown. By Sean Railey. FederalTimes.com.
5 December 2010. http://www.federaltimes.com/article/20101205/IT03/12050306/
19 U.S. Clamps Down on Info Sharing. Defense News. 6 December 2011.
20 WikiLeaks fallout leads to an info-sharing clampdown. By Sean Railey. FederalTimes.com.
5 December 2010. http://www.federaltimes.com/article/20101205/IT03/12050306/
21 U.S. Air Force blocks NYT, Guardian over WikiLeaks. Reuters. 14 December 2010.
22 US blocks access to WikiLeaks for federal workers. By Ewen MacAskill. The Guardian.
3 December 2010.
23 The arrest of Julian Assange: as it happened. The Guardian. December 2010.
institutional reform, increases public trust in government conduct, and enhances co-operation.24
And, as transparency proponents argue, we should not react to this development by limiting the
spread of technologies and information, but instead by focusing on adapting the conduct of
diplomacy, military affairs and intelligence to the new paradigm.25
20. That said, the Rapporteur believes that even if one is in favour of transparency, military and
intelligence operations simply cannot be planned in consultation with the public. Without some
secrecy, it would be impossible for governments, and especially security agencies, to perform their
functions and to protect citizens. Added to which, transparency can be misused on several levels –
by providing unprofessional or poor-quality interpretation of information or documents, by lack of
experience on the topic or by pursuing a political agenda. Thus, not everything carried out under
the “transparency label” is necessarily good for the government and its people. Moreover, the very
ideal of transparency can also force public figures to become more secretive. The Information Age
and its transparent nature may, for example, prevent diplomats from conducting “business as
usual” such as making off-the-record statements or engaging in frank discussions with their
colleagues.26 It also increases pressure on decision makers, who have to identify, assess, and
react to information, which is immediately and widely accessible to other governments,
organisations, as well as the public.27 This is an unnecessary and possibly dangerous pressure,
especially when it comes to the issues of security.
III. DIGITAL (H)ACTIVISM
21. This chapter will discuss the phenomenon of emerging borderless communities and
networks, most of which are welcome, but some of which are highly dangerous. Virtual
communities operating on-line provide new opportunities for civil society, but they have also
increased the potential for asymmetrical attacks.
A. THE PHENOMENON OF HACTIVISM
22. Apart from causing harm, destruction or conducting espionage, some of the most recent
cyber attacks have also been used as a means to reach a rather different goal. “Hactivism” is a
relatively recent form of social protest or expression of ideology by using hacking techniques.
Hactivists use different malware (or “malicious software”) and Distributed Denial of Service (DDoS)
attacks to publicise their cause rather than for crime. Such attacks first occurred in 1989 but have
gained more prominence over the last decade. In the past hactivists have attacked NASA, the
Indonesian and Israeli governments, Republican websites, as well as the University of East
Anglia.28
24 On his first day in office President Obama instructed US agencies to be more open and transparent.
Later on he launched a review of the classification procedures, ordered training for personnel in charge
of classifications, and obliged classifiers to provide their identification on each classified document (see
in Wikileaks’ War on Secrecy: Truth’s Consequences. By Massimo Calabresi. Time.
2 December 2010.).
25 Intelligence in the Information Age; Spy Data For Sale. By Kevin O’Connell. Commentary. RAND
Corporation. 8 April 2001. http://www.rand.org/commentary/2001/04/08/ND.html
26 Analysis: WikiLeaks will kill transparency. By C.M. Sennott. Globalpost.com. 29 November 2010.
http://www.globalpost.com/dispatch/worldview/101129/opinion-wikileaks-will-kill-transparency
27 Intelligence in the Information Age; Spy Data For Sale. By Kevin O’Connell. Commentary. RAND
Corporation. 8 April 2001. http://www.rand.org/commentary/2001/04/08/ND.html
28 Reducing Systemic Cybersecurity Risk, OECD/IFP Project on “Future Global Shocks”. By
Peter Sommer and Ian Brown. January 2011.
23. One of the most prominent groups of on-line hackers - Anonymous - has led campaigns against
Iran, Australia and the Church of Scientology.29 Their most prominent campaign, however, took off
in 2010 after WikiLeaks had released the US diplomatic cables. In its on-line seven-point
manifesto, Anonymous announced its engagement in “the first infowar ever fought” and named
PayPal as its enemy.30 What followed were DDoS attacks against Mastercard, Visa, PayPal, and
other companies that had decided to stop providing services for WikiLeaks (they used to
administer online donations for the site), against the Swiss bank PostFinance, that had earlier
closed Julian Assange’s bank account, and against the Swedish Prosecution Service.31 The group
also attacked Amazon.com, which was previously renting server space to WikiLeaks.32
24. Observers note that Anonymous is becoming more and more sophisticated and could
potentially hack into sensitive government, military, and corporate files. According to reports in
February 2011, Anonymous demonstrated its ability to do just that. After WikiLeaks announced its
plan of releasing information about a major bank, Anonymous hacked servers of the Internet
security company HBGary Federal’s sister company and hijacked the CEO’s Twitter account in
response to the CEO’s statement that he was about to uncover the identities of Anonymous
members. Today, the international group of hackers and activists is said to have thousands of
operatives and has no set rules or membership.33 It is certainly a challenge for law enforcement
agencies to develop effective countermeasures against such virtual cross-border communities
formed and disbanded on an ad hoc basis.
B. THE ROLE OF THE SOCIAL MEDIA
25. The discourse on the Information Age and new social media gained a new momentum in the
beginning of 2011, as numerous countries in North Africa and the Middle East began experiencing
popular anti-government uprisings. It was the Internet, in combination with other new and old
media such as cell phones and television that has enabled global resistance to authoritarian rule in
the region. The sight of protesters holding up signs “Thank you, Facebook!” has become common
in Egypt and Tunisia.34 Journalists, experts and politicians are increasingly using terms such as
“Facebook Revolution”, “Twitter Diplomacy”, or “Cyber-Activism”.35 Today, Facebook is a
community that unites more people than any other country in the world, save for China and India,
and if the growth trends keep going as they are, the social network site will soon have more users
than India has inhabitants.36
26. Social media, and most prominently Facebook, have helped activists in many of these
countries to organise anti-government protests, evade surveillance, discuss issues that have been
taboo for decades such as torture, police violence or media censorship, and provided a platform
for trading practical tips on how to stand up to rubber bullets and organise barricades.37
Recognising that new social media have had an important share in the success of public
29 Why Are Hactivists “Anonymous” Defending WikiLeaks? Interview by Debbie Randle. BBC Newsbeat.
9 December 2010.
30 Operation Avenge Assange, http://i.imgur.com/C35Ty.png
31 Reducing Systemic Cybersecurity Risk, OECD/IFP Project on “Future Global Shocks”. By
Peter Sommer and Ian Brown. January 2011; Hackers Rise for WikiLeaks. By Cassell Bryan-Low and
Sven Grundberg. Wall Street Journal. 8 December 2010.
32 Hundreds of WikiLeaks Mirror Sites Appear. By Ravi Somaiya. The New York Times.
5 December 2010.
33 Anonymous vows to take leaking to the next level. By Ashley Fantz. CNN. 24 February 2011.
34 Drop the Case Against Assange. By Tim Wu. Foreign Policy. 4 February 2011.
35 These Revolutions Are Not All Twitter. By Andrew K. Woods. The New York Times. 1 February 2011.
36 Yet another Facebook revolution: why are we so surprised? By John Naughton. The Guardian.
23 January 2011.
37 A Tunisian-Egyptian Link That Shook Arab History. By David D. Kirkpatrick and David E. Sanger.
The New York Times. 13 February 2011.
resistance, two days after demonstrations started in Egypt, Facebook, telephones, and Internet all
over the country were switched off. A few days later, when the Internet connection was restored
and Facebook users regained access to their accounts, they found that the regime attempted to
use this tool for disseminating pro-Mubarak propaganda. Most recently, Facebook pages, groups
and blogs attempting to mobilise protesters have appeared in Algeria, Bahrain, Morocco and Syria.
As a show of support for the protestors, the online group Anonymous attacked websites of the
Tunisian and Egyptian government, Mubarak’s National Democratic Party and the Tunisian stock
exchange, making them unavailable for certain periods of time.38
27. Proponents of social media argue that “merely knowing about social dynamics changes
social dynamics”. The authority of one’s peers has been proven to have substantial influence on
the decisions made and, thanks to these new social media, peer influence has evolved into multiple,
nation-wide protests. However, others argue that the influence of new social media in respect to
the 2011 revolutions has been overrated. Critics say that social media can only provide fast
co-ordination of masses but do not deliver the narrative or resolve that are essential for starting
and sustaining any popular movement.39 As an example, in Egypt the protests started growing
significantly after the government had shut down the Internet. The social media also do not
prevent popular protests from being contained by governments and security services. In other
words, they do not determine the outcome.
28. In the wake of popular uprisings in North Africa and the Middle East, social media
representatives have reacted very differently to the events. Facebook’s representatives declined to
discuss Facebook’s role in the uprisings and provided only a short statement: “We’ve witnessed
brave people of all ages coming together to effect a profound change in their country. Certainly,
technology was a vital tool in their efforts but we believe their bravery and determination mattered
most.” Twitter and YouTube (owned by Google), embraced their roles in the protests more openly.
As opposed to Facebook, they took a proactive approach after the Internet was shut down in
Egypt by assisting protesters in setting up a new service, "speak2tweet", that would allow people
to communicate and organise.40 WikiLeaks founder, Julian Assange, was even more eager to
attribute the success of these recent resistance movements to his site. According to him, it was
the US diplomatic cables leaked by WikiLeaks that gave the army ‘the confidence that they
needed to attack the ruling political elite’.41
29. Most recently, in June, Europe’s last dictatorship was also struck by a wave of
anti-government rallies. Due to severe shortage of dollar and euro reserves, the Belarusian
government devaluated its national currency, which resulted in overnight pressure on living
standards. As a consequence, opponents of these measures started anonymously organising
themselves through social networking sites such as Facebook and its Russian equivalent
vKontakte.42 After initial arrests, organisers opted for so-called “silent” forms of protest. By posting
instructions on-line, they called on people to fill up parks or squares without doing anything apart
from clapping their hands, having their phones buzz or play music at an agreed time, or simply
drive slowly through Belarusian towns playing the popular Soviet-era song called “We Are Waiting
for Change”.43 So far the state police have been unable to identify those posting instructions via
38 Hackers Shut Down Government Sites. By Ravi Somaiya. The New York Times. 2 February 2011.
39 These Revolutions Are Not All Twitter. By Andrew K. Woods. The New York Times. 1 February 2011.
40 Facebook Officials Keep Quiet on Its Role in Revolts. By Jennifer Preston. The New York Times.
14 February 2011.
41 Wikileaks' Julian Assange takes credit for Tunisian and Egyptian revolutions. Daily Mail online.
14 February 2011. http://www.dailymail.co.uk/news/article-1356754/Wikileaks-Julian-Assange-takescredit-Tunisian-Egyptian-revolutions.html
42 Belarusians organize flash mob protests. Global Post. July 2011.
http://www.globalpost.com/dispatch/news/regions/europe/110701/belarus-flash-mob-protests-facebook
43 ‘Belarus Cuts Social Media Access Amid Protests’. Office for a Democratic Belarus. July 2011,
http://democraticbelarus.eu/node/13105
social media. The new concept of “silent demonstrations” is making it difficult for the police to
know who is actually taking part in the protest. The demonstrations have not yet managed to
mobilise large numbers of supporters or pose any real threat to the ruling elites. They have,
however, managed to utilise social media to involve several thousand people of all professional
backgrounds as well as different age-groups.44
IV. CYBER ATTACKS AND CYBER DEFENCE
30. As mentioned above, the Information Age has created an environment in which the state and society are more vulnerable to digital attacks. They are vulnerable because we no longer keep our files and data on a shelf, but in a virtual world accessible from any corner of the globe. As in the case of WikiLeaks, these files can be physically removed from a computer, handed over to adversaries, or simply made public. Beyond that, however, one of the greatest strengths as well as weaknesses of the Information Age is that files can also be accessed, and on-line services disrupted, from afar through various “cyber attacks”. The term “cyber attack” covers a myriad of activities, ranging from stealing passwords and accessing accounts to disrupting a country's critical infrastructure or spying on an adversary.45 As cyber experts testified to the members of two NATO PA Sub-Committees during their visit to The Hague on 18-20 April 2011, there is still no agreement within the international community as to which of these cyber activities constitute a crime. NATO C3 Agency Principal Scientist Brian Christiansen suggested that the existing legislative “black holes” should be addressed multinationally, given the transnational nature of the threat, an argument that many cyber security specialists support.46
31. Thanks to its decentralised, packet-switched design, which routes traffic around failed nodes (it is often said to have been designed to withstand a nuclear war), the Internet as a whole is extremely robust and resilient. However, the separate parts of this network of networks are vulnerable to cyber threats. The most disquieting feature of the cyber domain is that the attacker has the advantage over the defender. Perpetrators need only one weak point to get inside a network, while defenders have to secure every vulnerability. Attacks also take place at network speed, which leaves little or no time to react. Furthermore, the Internet's design allows an attacker to forge the sender's address on the packets it sends, or to route an attack through botnets (hijacked “zombie” computers, often located in different countries), thereby disguising the attacker's true identity and leading to misattribution of the source of an attack.47 It is estimated that roughly 1,200 botnets reside on US soil alone.48
32. The problem of attribution is widely recognised as the biggest obstacle to effective cyber defence. Professional hackers can easily cover their tracks and thus avoid penalties. Deterrence, a critical element of the traditional defence paradigm, is therefore problematic in cyber space. Moreover, many cyber attacks are performed by civilian hacker groups, so it is very difficult to prove government involvement. For instance, experts suggest that the thriving Chinese hacker community is not directly supervised by the respective government authorities but merely encouraged, financially or through ‘patriotic’ education mechanisms such as the People's Liberation Army's militia and reserve system. This makes it difficult to blame Beijing for attacks such as the one in
44 Sound of Post-Soviet Protest: Claps and Beeps. The New York Times. 14 July 2011.
45 The Perpetrators of Cyber Attacks. By Mary Watkins. Financial Times. 17 February 2011.
46 “The Information Polity: Social and Legal Frameworks for Critical Cyber Infrastructure Protection”. By M. Losavio et al. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan (eds). Strategic Studies Institute, 2011.
47 Cyber War and Cyber Power: Issues for NATO Doctrine. By Jeffrey Hunker. NATO Defense College Research Paper No. 62. November 2010.
48 On Cyber Peace. By Les Bloom and John E. Savage. Issue Brief. Atlantic Council. August 2011.
2007, when some 25-27 terabytes of information (equivalent to roughly 5,000 DVDs) were illegally
copied from the Pentagon.49
33. According to Kenneth Geers of the NATO Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Estonia, who spoke on the issue at the CDS Committee's Spring Session in Varna, Bulgaria, 27-30 May 2011, the Internet and computer programmes are so complex that they are almost impossible to secure. It is not, however, entirely impossible to track down cyber attackers. Firstly, in order to attribute cyber attacks successfully, we need to develop a system of international co-operation among governments and experts, possess an effective network of human intelligence and conduct thorough police investigations. All these steps are essential because simply outlawing hacking, or relying only on technical means when tracing attacks, is insufficient. According to Kenneth Geers, NATO, being a powerful alliance of members with high-tech capabilities and great financial assets, is the right organisation to tackle the issue. Secondly, he suggested, the problem of attribution might be eased by the new Internet Protocol version 6 (IPv6), which carries built-in authentication extensions and makes it possible to limit connections to a network to confirmed, white-listed users. Such a regime restricts Internet connectivity but, on the other hand, provides a new level of protection. It should be noted, however, that the IPsec authentication that IPv6 carries is optional to deploy and is absent from most Internet traffic, and that a white-listed address can still be used from a compromised host; IPv6 therefore narrows, but does not by itself solve, the attribution problem.
34. At the moment, however, the sources of cyber attacks are almost impossible to trace. Nevertheless, when it comes to the involvement of states in cyber attacks, Russia and China are said to be the usual suspects.50 From what we know today, terrorist groups such as al-Qaeda do not yet have the capability to carry out such attacks. However, terrorists are increasingly acquainted with the possibilities offered by the Internet. Extremists have long used the Internet to spread their ideals as well as details of the tactics, techniques and procedures used in terror attacks. Since 2001, many Internet sites have been monitored and shut down in the United States.51 But sites are constantly changing and security officials need to be agile in locating them. Furthermore, chat-rooms and online publications are used not only to spread the violent message amongst supporters but also to radicalise and recruit new members. Of note is al-Qaeda's ‘Inspire’ web publication, which was reportedly itself recently hacked by British security officials.52
35. As noted, the cyber domain is extremely dynamic and rapidly developing, making it difficult for cyber security experts always to react adequately and speedily to novelties. For instance, one of the newest trends is the emergence of so-called ‘cloud computing’. Cloud computing is network-based computing in which software, data storage and other resources are provided over a shared network. It allows users to access their company's business applications securely through the ‘cloud’.53 Governments as well as the private sector benefit from cloud computing, which helps to increase productivity, cut costs (according to the Brookings Institution's estimates, the US government could save 25-50% of its IT costs), keep pace with technology innovation, and become more transparent with their citizens.54 Nevertheless, the process also raises some key data security concerns, which include: vendors using ineffective security practices, agencies not being able to examine the security controls of vendors, cybercriminals targeting data-rich ‘clouds’, and
49 Mobilising Cyber Power. By Alexander Klimburg. Survival, 28 January 2011.
50 Tackling the Cyber Threat. By Margaret Gilmore. RUSI Commentary. http://www.rusi.org/analysis/commentary/ref:C4CBD84EDE6ACB
51 T. Thomas, “Al Qaeda and the Internet: The Danger of ‘Cyberplanning’”. Foreign Military Studies Office, Fort Leavenworth, KS, 2003.
52 J. Wilson, “Operation Cupcake: British Spies Hack Al Qaeda's Magazine to Replace Bombs with Cupcakes”. Time Magazine Online. 4 June 2011. http://newsfeed.time.com/2011/06/04/operationcupcake-british-spies-hack-al-qaedas-magazine-to-replace-bombs-with-cupcakes/
53 PLDT, Microsoft team up for cloud computing. Malaya Business Insight. 2009. http://www.malaya.com.ph/apr11/busi7.html
54 Google Apps and Government. Official Google Enterprise Blog. September 2009. http://googleenterprise.blogspot.com/2009/09/google-apps-and-government.html
agencies losing access to their data if the relationship with a vendor ends.55 Thus, standards to govern this new cyber space need to be set and implemented.56 According to Gregory Wilshusen, Director of Information Security Issues at the US Government Accountability Office (GAO), however, US agencies are moving their data to the ‘cloud’ before a government-wide security strategy has been developed by the responsible agencies. As he continued, “these risks generally relate to dependence on the security assurances and practices of a service provider and the sharing of computing resources.”
36. There are, however, also voices that believe cloud computing will improve security.
According to Mike Bradshaw, Director of Google Federal, “Cloud computing vendors store data on
multiple servers in multiple locations, making it difficult for cybercriminals to target one location”.
Also, vulnerabilities can be managed more rapidly and uniformly.57
A. TYPES OF CYBER ATTACKS
37. Generally speaking, cyber attacks fall into two broad categories: Distributed Denial of Service (DDoS) attacks and malware attacks. The two are closely linked in practice, since the botnets used to launch DDoS attacks are themselves assembled by infecting computers with malware.
1. DDoS attacks
38. DDoS attacks aim to overwhelm a target by directing large quantities of network traffic at one machine. Attackers take over a number of other computers (a botnet) and use them without the knowledge of their owners; in the Estonia attack, for instance, roughly one million computers in 75 countries were hijacked.58 The goal of a DDoS attack is to prevent legitimate users from accessing information and services, such as the computer itself, e-mail, websites or online accounts (banking, etc.). DDoS attacks are extremely difficult to deal with because they do not exploit a vulnerability in the target system: a vulnerability can be patched, but a server flooded with more traffic than it can handle cannot be fixed in that way. Defenders can only absorb or filter the traffic, through spare capacity, upstream filtering by network providers or dedicated traffic-scrubbing services, rather than prevent the attack at its source.59
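The point that a botnet flood is hard to filter by source address can be made concrete with a small rate analysis over web-server access-log lines. The following is an added example written for this page, not code from the report or from any of the organisations it cites; the log lines, the window size and the two thresholds are all constructed for illustration. It buckets requests into fixed windows and reports, for each window, whether the load is normal, driven by a few addresses that exceed a per-address limit (and can therefore be blocked), or distributed across many addresses that each stay below that limit, which is the case where per-address blocking alone does nothing and the traffic has to be absorbed or filtered upstream.

```python
"""Per-source request-rate analysis over web-server access-log lines.

Added example, not code from the NATO PA report. It shows why a flood
from a botnet is hard to filter by source address: each bot stays under
the per-address threshold while the aggregate still exceeds what the
server can serve. Log lines, thresholds and window size are constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_seconds) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp())


def classify_windows(lines, window_s=10, per_ip_limit=5, total_limit=20):
    """Bucket requests into fixed windows and classify each window.

    Verdicts:
      normal         aggregate requests within total_limit
      single-source  flood in which individual sources exceed per_ip_limit,
                     so blocking those addresses is effective
      distributed    aggregate exceeds total_limit although no single source
                     exceeds per_ip_limit; per-address blocking alone will
                     not help, the traffic must be absorbed or filtered upstream
    """
    per_window = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the analysis
        ip, t = parsed
        per_window[t - t % window_s][ip] += 1

    report = {}
    for start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        if total <= total_limit:
            verdict = "normal"
        elif noisy:
            verdict = "single-source"
        else:
            verdict = "distributed"
        report[start] = {"total": total, "sources": len(counts),
                         "noisy": noisy, "verdict": verdict}
    return report


def make_sample_log():
    """Constructed access log (not a real capture) covering three 10-second windows."""
    fmt = ('{ip} - - [10/May/2007:12:00:{sec:02d} +0300] '
           '"GET /index.html HTTP/1.1" 200 512')
    lines = []
    # Window 1 (seconds 00-09): two legitimate clients plus thirty bots that
    # each send one request. No single address looks suspicious on its own.
    for sec in (1, 4, 7):
        lines.append(fmt.format(ip="192.0.2.10", sec=sec))
    for sec in (2, 5, 8):
        lines.append(fmt.format(ip="192.0.2.11", sec=sec))
    for i in range(1, 31):
        lines.append(fmt.format(ip=f"10.{i}.0.{i}", sec=i % 10))
    # Window 2 (seconds 10-19): one address hammering the server by itself.
    for k in range(25):
        lines.append(fmt.format(ip="198.51.100.7", sec=10 + k % 10))
    # Window 3 (seconds 20-29): ordinary traffic only.
    for ip, sec in (("192.0.2.10", 21), ("192.0.2.11", 22),
                    ("192.0.2.10", 24), ("192.0.2.11", 26)):
        lines.append(fmt.format(ip=ip, sec=sec))
    lines.append("not a log line")  # exercises the malformed-line branch
    return lines


if __name__ == "__main__":
    for start, info in classify_windows(make_sample_log()).items():
        print(start, info["verdict"], info["total"], "requests from",
              info["sources"], "sources; noisy:", info["noisy"])
```

On the constructed input the first window is classified as distributed (36 requests from 32 addresses, none above the limit), the second as single-source (25 requests from one address), the third as normal. The thresholds would be tuned per site in practice, and a real deployment would feed these verdicts to upstream filtering rather than to a local block list.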
39. One of the first major attacks aimed at crippling a country's critical infrastructure hit Estonia in May 2007. This highly digitised e-government country experienced co-ordinated DDoS attacks on the websites of the Estonian President and Parliament, almost all of its government ministries, political parties, major news organisations, two banks and several communications companies. The attacks came soon after the Estonian authorities had relocated a Soviet war memorial in Tallinn, a step which spurred protests by ethnic Russians living in Estonia. The series of cyber attacks, which occurred in the weeks after the event, were reported to have originated in Russia and to have been hosted on Russian state computer servers. Russia denied these allegations, but in March 2009 an activist with the pro-Kremlin youth group Nashi claimed responsibility for organising the cyber attacks on Estonia. It should be noted that Estonia is extremely dependent on the Internet: at the last parliamentary elections, a quarter of the voters cast their votes via the Internet.
40. Another significant DDoS attack was launched against Georgia in the summer of 2008. It is of note because it was coupled with the use of conventional military force, something that a number of experts predict will occur more often in the future. Georgia blamed Russia for the attack, only for Russia to deny any involvement.60 A year earlier, a combination of cyber and
55 Lawmakers question the security of cloud computing. Reuters. 1 July 2010.
56 Open Networking Foundation Pursues New Standards. By John Markoff. The New York Times. 22 March 2011.
57 Lawmakers question the security of cloud computing. Reuters. 1 July 2010.
58 A Treaty for Cyberspace. By Rex Hughes. International Affairs. March 2010.
59 Cyber War and Cyber Power: Issues for NATO Doctrine. By Jeffrey Hunker. NATO Defense College Research Paper No. 62. November 2010.
60 Before the Gunfire, Cyberattacks. By John Markoff. The New York Times. 12 August 2008.
conventional force was supposedly also employed in the case of the bombing of the Syrian
nuclear reactor, which was allegedly orchestrated by Israel.61
2. Malware attacks
41. Malware – or “malicious software” – attacks refer to techniques capable of infiltrating one’s
computer without the user’s knowledge and taking control of it, collecting information, or deleting
its files (see examples of malware in the Annex). Attack malware can reportedly be bought online
for several hundred dollars or even downloaded for free.62
42. Malware-based cyber attacks are increasingly being used for espionage. In 2008, the United States experienced a major attack on the classified networks of US Central Command, which oversees military operations in the Middle East and Central Asia. Based on available information, the attack was carried out by a foreign intelligence service, which used portable data storage devices to spread the malware. In 2009, the GhostNet cyber espionage study conducted by the Information Warfare Monitor concluded that 1,295 computers in 103 countries had been penetrated by GhostNet malware that allowed the surveillance, and possibly the control, of states' critical cyber infrastructures. Worryingly, 30% of GhostNet's targets were classified as high value.63
43. Espionage cyber attacks, however, can also be carried out against non-state actors such as private companies and think tanks. “Operation Aurora”, carried out in late 2009 and early 2010, is a case in point. Over several months, hackers based in China managed to penetrate the networks of at least 34 financial, technology and defence companies by exploiting flaws in e-mail attachments.64 One of the attack's targets, the search engine giant Google, admitted that hackers had penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe and China. A number of human rights organisations and Washington-based think tanks focusing on United States-China relations were also hit. According to experts, the attack reached a new level of sophistication: the hackers exploited multiple flaws in different software programmes, multiple types of malware were allegedly used against multiple targets, and the whole process was very precisely co-ordinated. This series of attacks was aimed at gaining information about the latest defence weapons systems, the source code of software applications of prominent technology companies, and background about Chinese dissidents.65
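The attachment-borne “sleeper” programme described in the footnote depends on the recipient trusting a file name and a declared document type. A mail gateway can refuse to take either at face value by comparing the leading bytes of each attachment with the well-known signatures of the formats the name claims. The following is an added example written for this page, not code from the report or from any vendor; the message is constructed, and the signature table is deliberately short (a real gateway would use a full signature library and also look inside ZIP/OOXML containers and scan with an anti-malware engine). It parses a message with the Python standard library, sniffs every attachment, and blocks anything that is executable or whose content does not match its extension.

```python
"""Content sniffing for e-mail attachments.

Added example, not code from the NATO PA report or any vendor. The sample
message below is constructed: one genuine PDF, one Windows executable
renamed and declared as a PDF, and one executable named honestly.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of a few common formats.
SIGNATURES = (
    (b"MZ", "pe-executable"),                        # Windows .exe/.dll
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),                # .zip, .docx, .xlsx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
)
# Content kinds each extension is allowed to carry.
EXPECTED = {"pdf": {"pdf"}, "zip": {"zip-container"}, "docx": {"zip-container"},
            "xlsx": {"zip-container"}, "doc": {"ole2"}, "xls": {"ole2"}}
ALWAYS_BLOCK = {"pe-executable"}


def sniff(data):
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_message(raw):
    """Inspect every attachment of an RFC 5322 message given as bytes.

    Returns one finding per attachment: file name, extension, sniffed
    content kind, and a verdict with the reasons for blocking.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        reasons = []
        if kind in ALWAYS_BLOCK:
            reasons.append("executable content")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            reasons.append(f"content is {kind}, not what .{ext} implies")
        findings.append({"name": name, "ext": ext, "kind": kind,
                         "verdict": "block" if reasons else "allow",
                         "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed message: a real PDF and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Please see the attached figures.")
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
    exe = b"MZ\x90\x00" + b"\x00" * 60  # PE header stub only, not runnable
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="figures.pdf")
    # Declared as PDF and named .pdf, but the bytes are a Windows executable.
    msg.add_attachment(exe, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(exe, maintype="application", subtype="octet-stream",
                       filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in check_message(build_sample_message()):
        print(f["name"], f["kind"], f["verdict"], "; ".join(f["reasons"]))
```

On the constructed message figures.pdf is allowed, invoice.pdf is blocked for both being executable and contradicting its extension, and update.exe is blocked as executable content. The check says nothing about a genuine PDF or Office document that carries an exploit for a reader bug, which is what Aurora-style attacks actually relied on; that is the job of patching and of a content-inspection engine, not of signature matching.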
3. Stuxnet
44. Stuxnet is technically malware, but its characteristics, originality and potential for disruption are so novel that it merits special attention. The Stuxnet worm has been described as “the most sophisticated cyber weapon ever deployed”66 and its widely reported role in damaging the uranium enrichment centrifuges at Iran's Natanz plant (it has also been linked to the Bushehr nuclear reactor) has put Stuxnet
61 Stuxnet and the Future of Cyber War. By James P. Farwell and Rafal Rohozinski. IISS, Survival, February-March 2011.
62 Cyber-war a growing threat warn experts. By Clark Boyd. BBC. 17 June 2010.
63 “The Information Polity: Social and Legal Frameworks for Critical Cyber Infrastructure Protection”. By M. Losavio et al. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan (eds). Strategic Studies Institute, 2011. p. 131.
64 A recipient opens an e-mail which appears to come from someone he or she knows, and opens an attachment containing a “sleeper” programme that embeds itself in the recipient's computer. The attacker can then control the programme remotely: read e-mail, send out confidential documents, or turn on a web camera or microphone and record.
65 Google China cyberattack part of vast espionage campaign, experts say. By Ariana Eunjung Cha and Ellen Nakashima. The Washington Post. 14 January 2010.
66 Israeli Test on Worm Called Crucial in Iran Nuclear Delay. By William J. Broad, John Markoff and David E. Sanger. The New York Times. 15 January 2011.
firmly in the spotlight recently.67 Essentially, the worm is a precisely targeted cyber attack: it examines the host it has infected and the industrial control software and equipment attached to it, and delivers its payload only if they match its hard-coded targeting criteria, which also makes it harder for defences on non-target systems to notice it. Once it has found its target, Stuxnet deploys two highly complex payloads. In the Iranian example, the first payload attacked the centrifuges in the enrichment plant by repeatedly driving their rotation speed outside safe limits, so that they damaged themselves over time. The second payload compromised the digital warning, display and shut-down systems controlling the centrifuges, feeding them normal-looking readings and thereby blinding operators to what was actually happening.
45. This characteristic makes Stuxnet unique in that it specifically attacks and compromises the Supervisory Control and Data Acquisition (SCADA) systems of critical national infrastructures. Thus, the real danger of Stuxnet is that, although the Iranian example was a specifically targeted attack, the same method could in principle be turned against the control systems of virtually any critical infrastructure around the world. Stuxnet has therefore been described as a “cyber weapon of mass destruction”.68 Of particular note is that the vast majority of the complex information technology systems controlling critical national infrastructures that are potentially vulnerable to Stuxnet-style attacks are located in NATO and NATO partner countries. Related to this, British Telecom has estimated that 65% of cyber attacks on critical infrastructures exploit pre-existing configuration errors in the controlling system's software, highlighting the need for configuration standards across the Alliance.69
B. NATO AND CYBER DEFENCE
1. NATO’s cyber agenda
46. The cyber domain is often described as the “fifth battlespace”, representing both opportunity and risk for the military. In the context of the revolution in information and communication technology, the military institutions of major powers have been working relentlessly to interconnect commanders, soldiers, sensors and platforms in order to improve agility and achieve better situational awareness. Today, more than a fifth of US defence and security acquisitions are in the cyber sector.70 “Network-centric capabilities” has become a buzzword in militaries, while new technologies enable commanders to make better-informed decisions and to reduce human losses by, for example, operating an unmanned aerial vehicle (UAV) over Afghanistan from a base in Nevada.
47. On the other hand, our armed forces are now faced with risks they have not experienced
before, such as the incident reported by The Wall Street Journal in December 2009, when Iraqi
insurgents managed to intercept feeds coming from American UAVs using inexpensive software
that is available on the Internet.71 The Pentagon computer systems are probed up to
six million times per day, according to US Cyber Command.
48. NATO’s increasing involvement in cyber security is therefore inevitable. As NATO
Secretary General Anders Fogh Rasmussen put it: “[t]here simply can be no true security without
cyber security”. The Alliance has included this issue on its agenda since 2002 when it approved a
Cyber Defence Programme – “a comprehensive plan to improve the Alliance’s capability to defend
67 Stuxnet and the Future of Cyber War. By James P. Farwell and Rafal Rohozinski. IISS, Survival, February-March 2011; and Israeli Test on Worm Called Crucial in Iran Nuclear Delay. By William J. Broad, John Markoff and David E. Sanger. The New York Times. 15 January 2011.
68 Cracking Stuxnet: A 21st-century cyber weapon. By Ralph Langner. TED talk. 29 March 2011. http://www.youtube.com/watch?v=CS01Hmjv1pQ
69 Toward Foolproof IP Network Configuration Assessments. By R. Talpade. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan (eds). Strategic Studies Institute, 2011. p. 265.
70 Cyber-security: the corporate gold rush. Jane’s Defence Weekly. 29 September 2010.
71 The Cyber-war. By Eleanor Keymer. Jane’s Defence Weekly. 29 September 2010.
against cyber attacks by improving NATO’s capabilities”. However, it was not until the 2007
attacks against Estonia that NATO embarked upon developing a comprehensive cyber defence
policy that would include not only the protection of the Alliance’s own networks but would also
augment the cyber security of individual member states. The Group of Experts’ Report (the
"Albright report") recommended that NATO must accelerate its efforts to respond to the dangers of
cyber attacks. It recommended focusing on protecting NATO’s communications and command
systems, helping Allies to improve their ability to prevent and recover from attacks, and developing
an array of cyber defence capabilities aimed at effective detection and deterrence.
49. At the Lisbon Summit, NATO member states committed the Organisation to developing a
revised NATO Policy on Cyber Defence that was adopted by NATO Defence Ministers in
June 2011, together with the Action Plan that sets out the details of implementing the Policy. The
contents of the Policy remain classified, but, according to the official NATO press release, the
Policy addresses all key aspects relating to the Alliance’s cyber security, including bringing all
NATO structures under centralised protection, clarifying NATO’s response mechanisms to cyber
attacks, integrating cyber defence into NATO’s Defence Planning Process, devising the framework
of assisting national efforts of individual Allies, facilitating better information sharing and setting up
principles of closer co-operation with non-NATO countries, international organisations and the
private sector. This Policy will most likely require regular revisions and updating as the
developments in the cyber domain are remarkably frequent.
50. At present, individual members continue to bear the principal responsibility for the security of their networks, while the relevant NATO structures, apart from protecting their own networks and providing support for NATO operations, are expected to assist member states by sharing best practices and dispatching Rapid Reinforcement Teams in case of emergency. NATO's cyber efforts are at present purely defensive in nature, with a particular focus on protecting member states' critical national infrastructures.
51. Key NATO institutions in the area of cyber security include:
• the NATO Cyber Defence Management Authority (CDMA), which is responsible for co-ordinating cyber defence systems within NATO and providing advice to member states on all the main aspects of cyber defence. NATO CDMA operates under the auspices of the new Emerging Security Challenges Division in NATO HQ;
• the Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, established in 2008, which is responsible for research and training on cyber warfare;
• the NATO Consultation, Command and Control (NC3) Board and the NATO Consultation, Command and Control Agency (NC3A), which control the technical aspects and operational requirements of NATO's cyber defence capabilities;
• the NATO Communication and Information Services Agency (NCSA), which, through its NCIRC (NATO Computer Incident Response Capability) Technical Centre, provides technical and operational cyber security services for NATO and its operations and is responsible for responding to any cyber aggression against Alliance networks.
52. NATO conducts annual exercises aimed at enhancing the understanding of NATO's cyber defence capabilities and identifying areas for improvement. This year's exercise, Cyber Endeavor, was scheduled to take place from 5 to 22 September 2011 in Grafenwöhr, Germany.
53. A lot remains to be done, however. NATO’s principal cyber unit – NCIRC – is only partially
operational and does not yet provide 24/7 security for all NATO networks. Full operational
capability is expected to be achieved in 2012. NCIRC is also only engaged in passive defence,
monitoring network activities and dealing with incidents.
54. With the NATO Policy on Cyber Defence being classified, discussion continues on how
NATO should react to cyber attacks against one of its member states. In particular, questions
arise as to the relevancy and practicality of invoking Article 5 of the Washington Treaty in
response to a cyber attack. The Washington Treaty refers specifically to “armed attacks”, but the
New Strategic Concept is vaguer and the word “armed” is dropped in reference to collective
defence. While this does not change the Washington Treaty, one can presume that the Alliance is
more open to the idea of applying Article 5 if a cyber attack on member states were to cause
significant casualties. However, questions still arise as to what response mechanisms the Alliance
should employ against attackers. Should the retaliation be limited to cyber means only, or should
conventional military strikes also be considered? Furthermore, the Alliance must decide to what
extent it can engage in co-operation on sensitive cyber issues with partner countries, such as
Russia.
2. National policies of member states
55. As noted above, member nations bear the principal share of responsibility for their cyber security. Before the 2007 attacks against Estonia, most European nations were developing national strategies to promote the information society that focused on the economic and cultural benefits offered by new communication and computing technologies, largely neglecting the possible risks. Since 2007, the need for a more balanced approach has been increasingly acknowledged.72
56. The 2010 UK House of Lords report on cyber security noted wide differences between European countries in terms of preparedness to meet cyber threats. Since in the cyber domain a system is only as strong as its weakest link, the report stated that the European countries “have an interest in bringing the defences of the lowest up to those of the highest”.73 The exact level of preparedness is difficult to measure, however, because the complexity of the cyber domain is not yet fully understood.
57. The highest level of preparedness in the Alliance is found in the United States and the United Kingdom. The United States feels more threatened by cyber attacks than any other nation, owing to its pervasive use of information and communication technology as well as to its status as a superpower. President Obama identified cyber security as a strategic priority. From 2010 to 2015, the US government is expected to spend over US$50 billion on its cyber defences.74 The Departments of Defense and Homeland Security share responsibility for the security of American government networks and implement this mandate through several agencies, such as the National Security Agency and US Cyber Command (inaugurated in 2010 and specifically tasked with protecting US military networks). In terms of legislation, three separate Acts streamlined executive responses to cyber warfare against critical national energy infrastructure, while another Act co-ordinated wider cyber security efforts, including those protecting financial institutions and industry.75 In July 2011, the Pentagon released its new Cyber Strategy (known as “Cyber 3.0”). The document treats cyberspace as an operational domain and focuses on “active defence”, i.e. strengthening traditional network protection measures with other capabilities such as signals intelligence. It is not clear, however, whether the document empowers cyber defence institutions to go after an attacker. The new Strategy also emphasises closer inter-institutional, international and public-private co-operation.76 By focusing on defensive measures, the Strategy has also countered the allegations that the United States was considering militarising cyberspace and prioritising the development of offensive cyber weapons.
72 Global Cybersecurity: Thinking About the Niche for NATO. By Eneken Tikk. SAIS Review, Vol. 30, No. 2, Summer-Fall 2010.
73 Protecting Europe Against Large-Scale Cyber-Attacks. European Union Committee, Fifth Report. UK House of Lords. March 2010.
74 On Cyber Warfare. By Paul Cornish, David Livingstone, Dave Clemente and Claire York. A Chatham House Report. November 2010.
75 Cyber Security Enhancement Act Redux. By Eric Chabrow. Government Information Security Articles. 10 February 2011. http://www.govinfosecurity.com/articles.php?art_id=3340
76 Pentagon’s New Cyber Strategy. By Jason Healey. Atlantic Council. 14 July 2011.
58. The UK's leading cyber agency is the Government Communications Headquarters (GCHQ). Cyber security occupies a central place in the National Security Strategy and the Strategic Defence and Security Review published in October 2010. Experts note that the “review contains all the early signs of a well-balanced and (now) better-funded approach to UK cyber security.”77 The UK Computer Misuse Act is also hailed as “a robust and flexible piece of legislation in terms of dealing with cybercrime”.78
59. That said, even in the United States and the UK there are still important questions that need to be addressed. In particular, experts note the insufficient degree of co-operation between government agencies and the private sector, which owns most of the information capabilities and infrastructure: more than 90% of American military and intelligence communications travel through privately-owned telecommunications networks.79 Private entities, however, are reluctant to allow greater government involvement and monitoring. The UK House of Lords report noted that representatives of the commercial United Kingdom Internet industry showed little interest in giving evidence for that report. Many experts stress that private industry bases its decisions on cyber security measures on financial rather than national security calculations.
60. While the United States and the UK tend to lead on these matters, other NATO members
have also updated their existing legal frameworks and made cyber security increasingly prominent
in their security strategies. In particular, significant progress has been achieved in establishing
Computer Emergency Response Teams (CERTs). A CERT is an organisation that studies
computer and network security in order to provide incident response services to victims of attacks,
publish alerts concerning vulnerabilities and threats, and to offer other information to help improve
computer and network security. The 2010 House of Lords report identified the lack of CERTs in
some European countries as a major concern. However, in 2011 the situation seems much better.
According to the register of the European Network and Information Security Agency (ENISA),
CERTs were established in all European NATO countries. Furthermore, the establishment of more
advanced Computer Security and Incident Response Teams (CSIRTs) is being promoted. CSIRTs
are CERTs that have extended their services from being a mere reaction force to a more complete
security service provider, including preventive services like alerting and security management
services.80
61. However, there is no basis for complacency. The establishment of new institutions must be followed by a more intensive schedule of joint exercises. The legislative basis must also be further reviewed and updated to take into account the new realities of the cyber domain. According to NATO Deputy Assistant Secretary General Jamie Shea, legislative frameworks in many NATO countries are lagging behind cyber realities.81 At the meeting with NATO Parliamentarians in The Hague on 19 April 2011, NATO C3 Agency General Manager Georges D'hollander said that not all NATO member states have adopted legislation that would make it mandatory for the private sector to protect their data and their networks. For instance, it should be mandatory to install safeguards that would prevent computers or networks being hijacked and used as ‘botnets’. NATO C3 Agency Principal Scientist Brian Christiansen also suggested that all NATO nations
77 Evaluating the 2010 Strategy Review. By Dave Clemente. Chatham House. http://www.chathamhouse.org.uk/files/17631_1010sdsr_clemente.pdf
78 IISS Global Perspectives – Power in Cyberspace. Q&A with Nigel Inkster, Director, Transnational Threats and Political Risk, IISS. 18 January 2011.
79 The New Vulnerability. By Jack Goldsmith. The New Republic. 7 June 2010.
80 Taken from “Inventory of CERT Activities in Europe”. ENISA publication. March 2011.
81 Cybersecurity: Is Technology Moving Faster than Policy? Security & Defence Agenda report. 31 January 2011. http://www.securitydefenceagenda.org/Portals/14/Documents/Publications/2011/Cybersecurity_Dinner_report_Final2.pdf
should employ the so-called “red teams” that use hackers’ methods to probe security levels of
various national networks (without malign intentions, of course).
62. The less advanced NATO nations must realise that in the cyber domain there cannot be a
free ride. One study notes that nations that do not have adequate legislative and institutional
framework to protect their cyber assets are less likely to receive assistance from the international
community because “in a rapid reaction situation, existing procedures better support effective
interaction (…) because there is a certain amount of ‘homework’ that can only be performed by the
victim.”82
V. INFORMATION AND CYBER SECURITY: OPTIONS FOR THE INTERNATIONAL COMMUNITY AND NATO
63. The challenges of the Information Age for national and international security are complex
and require the combined efforts of international, regional and national authorities and the private
sector, as well as sub- and trans-national groupings of active individuals. NATO is not in a position
to address all aspects of this challenge, but it does have a significant role to play, not least
because it unites nations with the most developed information and communication infrastructure
(infrastructure, hardware and software which collectively make up the Internet are still
overwhelmingly Western designed and produced; more than 50% of the world's Internet traffic
transits the United States).83
64. On the global level, NATO should support initiatives to negotiate at least some norms of
acceptable behaviour for the cyber domain. This framework must discourage the cyber arms race
and clearly prohibit the use of cyber attacks against civilian infrastructures. The principles of
international law should also recognise indirect responsibility of a state to ensure that its territory is
not used by non-state actors to launch attacks against a third country. If a country systematically
fails to ensure that or provides sanctuary for perpetrators, it should be considered as breaching
international law and should face sanctions.84 When addressing our Committee at the Assembly
session in Varna, Kenneth Geers of the NATO CCD COE suggested that the universal cyber
treaty could follow the path of the Chemical Weapons Convention, i.e. focus on promoting best
practices, helping find data points quickly, and sending teams to collect forensics, and eventually
securing networks.
65. Achieving this agreement will not be easy, since some critical players – such as China – view
cyber security from an “information security” perspective. This perspective is based on their desire
to limit dissent and access to information deemed threatening to their regimes. These nations
have proposed in-built tracking devices on all Internet packets that would allow all actions on the
Internet to be traced. Western analysts argue this would be cumbersome, costly and easily
negated by criminal groups, intelligence agencies and militaries. Therefore, the real target of such
proposals is the average Internet user and their ability to access information and engage in
political dialogue anonymously.85 Such a surveillance approach is prohibited by many NATO
member states’ own laws governing surveillance, propaganda and counter-terrorism.
82 Global Cybersecurity – Thinking About the Niche for NATO. By Eneken Tikk. SAIS Review, Vol. 30,
No. 2, Summer-Fall 2010.
83 Power in Cyberspace. Speech by Nigel Inkster, Director of Transnational Threats and Political Risk,
IISS. 18 January 2011.
http://www.iiss.org/middle-east/global-perspectives-series/power-incyberspace/read-the-speech/
84 Cyber war and cyber power. Issues for NATO doctrine. By Jeffrey Hunker. NATO Defense College
research paper No. 62. November 2010.
85 Internet Governance in an Age of Cyber Insecurity. By Robert Knake. Council on Foreign Relations
Special Report no.56, September 2010.
66. Other approaches to policing the cyber domain focus on developing technical solutions
within Internet infrastructure itself to help maintain security. The Internet was originally designed to
be interoperable and has therefore paid little attention to security aspects. The 2003 US National
Strategy to Secure Cyberspace identified vulnerabilities within three “key Internet protocols”: the
Internet Protocol, which guides data from source to destination across the Internet; the Domain
Name System, which translates Internet Protocol numbers into recognisable Web addresses; and
the Border Gateway Protocol, which provides the connection between networks to create the
“network of networks”86. None of these protocols has an in-built mechanism to verify the origin or
authenticity of information sent to it, leaving them vulnerable to manipulation by malicious
actors. Therefore, funding and developing technical solutions for a new set of secure protocols
that address many of the vulnerabilities in the current Internet infrastructure, whilst falling short
of surveillance of member states’ populations, could be useful to NATO.
67. In addition, NATO member states should support wide ratification of binding international
treaties, like the Council of Europe’s Convention on Cybercrime, because banning cyber criminal
activities would also help negate cyber terrorists as well as state-sponsored cyber attacks that
often use the same techniques as cyber criminals. The verifiability of these conventions is a
serious issue, however.
68. In terms of public-private co-operation, relevant authorities of NATO nations should engage
private IT companies more pro-actively when it comes to setting stricter rules on the use of
cyber space. Dialogue is essential because software companies like Microsoft and Google remain
able, by developing various software options, to exercise influence beyond what any nation state
could aspire to do using their legislative powers. Incentives must be put in place to encourage
private companies, particularly those running critical national infrastructures and designing cyber
hardware and software, to upgrade their security systems beyond simple profit vs. loss
calculations. It is also important for our nations to co-operate closely with Internet Service
Providers in order to identify and quarantine the compromised computers (botnets) residing on
their soil.
69. The Alliance should also establish closer co-operation with the EU based on already existing
agreements. Although NATO is developing cyber defence capabilities, it still needs the EU
because it issues laws on comprehensive standards for cyberspace and NATO does not. It would
be useful, however, if the EU established the position of an EU “Cyber Czar” in order to have a
clear contact point for NATO.
70. With respect to its own contribution, the most immediate objective for the Alliance is to
ensure swift and efficient implementation of the newly adopted Cyber Security Policy and Action
Plan. NATO should incorporate its cyber policies (and encourage its member states to do likewise)
into a broader framework for adapting the military to the realities of the Information Age. Cyber
security is not a value per se; it must be seen within the context of the developing concept of
network-enabled capabilities. In other words, we need to find the right balance between the
advantages offered to our armed forces by the new information and communication technologies,
and the introduction of stricter protective measures against cyber threats, measures that could
result in reduced efficiency of the military.
71. It also goes without saying that NATO must clarify its response mechanisms for itself in case
of a cyber attack against one or more of its members, although these mechanisms do not
necessarily need to be announced publicly in order not to let the adversaries know what they could
get away with. Some argue that Article 5 should not be applied with respect to cyber attacks
because their effect so far has been limited to creating inconvenience rather than causing the loss
of human lives and because it is hard to determine the attacker. So far, there is no evidence that
cyber attacks took human lives. However, the Rapporteur believes that the application of Article 5
should not be ruled out, given that new developments in cyber weapons such as Stuxnet might
eventually cause damage comparable to that of a conventional military attack.
86 The National Strategy to Secure Cyberspace. The White House. February 2003.
72. In more practical terms, NATO should consider its role in protecting physical infrastructure
associated with the cyber domain. The physical vulnerability of fibre-optic cables and information
hubs represents a serious challenge within the cyber domain. Most long-haul fibre-optic cables
reach land at obvious choke points, which makes them susceptible to attack or damage. Of note is
the choke point for transatlantic cables, Widemouth Bay, Cornwall, in the UK, where four major
EU-US cables reach land.87 This area has reportedly been designated “vital to US security”
because of these cables.88 Meanwhile, the vast majority of the physical cables that connect the
United States and Asia run through the Luzon Strait choke point between Taiwan and the
Philippines.89 Cables in the Malacca Strait are also congested, and island NATO members and
partners, like Iceland, Japan and Australia, are particularly vulnerable.90 To date, the best form of
protection for these sub-surface cables has been their anonymity. However, sometimes this is not
enough, as highlighted by the fact that 75% of Internet capacity between Europe and a large part
of Asia was temporarily lost when, in 2008, ships off the Egyptian coast severed two intercontinental
fibre-optic cables by dragging their anchors.91 A Georgian woman denied 90% of Armenians access
to the Internet for 5 hours when she inadvertently cut through a cable with her spade.92 There have
also been other large Internet disruptions caused by cable incidents in Malta, Sicily, the United
States and Asia.93 These highlight the possibility of sabotage by state or non-state actors. In terms
of bandwidth capacity, NATO member states are heavily dependent on infrastructure in the United
Kingdom for their transatlantic communications. Many of these key Internet peering points are
based in and around London and have previously been threatened by flooding.94 Any disruption
to these infrastructures could have far-reaching economic and military effects.
73. Other elements of NATO’s better preparedness against cyber attacks include further
strengthening of national cyber incident response teams, achieving full operational capability of
NCIRC, intensification of joint exercises, promoting more efficient sharing of best practices among
the Allies and a wider use of “red teams”. Before investing in highly elaborate cyber defence
systems, however, the Allies should first ensure that proper levels of basic “computer hygiene” are
routinely maintained.
74. Security of networks in critical national infrastructure objects should remain a key priority.
Technical solutions being examined in this regard include the introduction of high fidelity sensors
to monitor intrusion activity on networks, and the strengthening of fault tolerance techniques.95
However, for a truly comprehensive cyber approach to infrastructure resilience, technological
solutions alone will not suffice. A collaborative approach between citizens/systems users,
businesses, law enforcement agencies and civil institutions will provide the best cyber security for
these objects.96
87 ‘Internet’s undersea world’
http://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/alcatel_large.gif
88 Devon and Cornwall locations “vital to US security”. BBC, 6 December 2010.
89 Points of weakness in Internet cable network. By Adam Wolfe. Asiaone Digital. 17 January 2007.
http://digital.asiaone.com/Digital/Features/Story/A1Story20070523-7003.html
90 Points of weakness in Internet cable network. By Adam Wolfe. Asiaone Digital. 17 January 2007.
http://digital.asiaone.com/Digital/Features/Story/A1Story20070523-7003.html
91 Protecting Europe Against Large-Scale Cyber-Attacks. European Union Committee – Fifth report.
UK House of Lords. March 2010.
92 Georgian pensioner facing jail for cutting off Armenia’s Internet by snipping cable. EU Times,
8 April 2011.
93 Severed Cables in Mediterranean Disrupt Communication. Bloomberg. 19 December 2008; and
Physical protection for the Internet. AlphaGalileo Institute. 14 December 2010.
94 Floods threaten UK Internet infrastructure. By Robert Jaques. V3.co.uk. 31 July 2007.
http://www.v3.co.uk/v3-uk/news/1942516/floods-threaten-uk-Internet-infrastructure
95 Developing High Fidelity Sensors for Intrusion Activity on Enterprise Networks. By E. Wagner and
A. Ghosh. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan (eds). Strategic Studies
Institute, 2011.
75. The Rapporteur also suggests that NATO considers applying common funding procedures
for procurement of some critical cyber defence capabilities for its member states. The Alliance and
its nations should also redouble their efforts to invest in human capital, because currently the
Western nations are widely believed to be losing their advantage in cyberspace in terms of
numbers of cyber experts and qualified personnel.
76. Other practical measures should include reviewing our policies in terms of critical information
that is to be stored online. The “Cablegate” revealed some documents that date back to 1966.
Nigel Inkster, a prominent British expert, says that this “suggests an excess of zeal among those
tasked to place State Department data on SIPRNet, since these cannot be relevant to today's
operational requirements.” It is also necessary to review the operating systems of critical national
infrastructure with a view to limiting their unnecessary exposure to online connections.
Furthermore, new safeguard mechanisms must be put in place to prevent unauthorised
downloading of sensitive data to digital storage devices. Procedures for vetting relevant personnel
should also be revisited.
77. That said, the Rapporteur wishes to emphasise that all necessary security measures should
not cross the line where they would violate the fundamental principles and values cherished by the
nations of the Euro-Atlantic community. It is also important for our national security interests: since
the cyber domain is to a large extent governed by the people, it is important to win the moral
support of the majority of the virtual community. In order to prevent abuse by the governments,
stricter security rules should be accompanied by measures ensuring democratic oversight. For
instance, the United States announced recently the establishment of the Privacy and Civil Liberties
Oversight Board (PCLOB) to ensure that privacy and civil liberties are protected.97
78. Last but not least, the Rapporteur would like to underline the role of parliamentarians not
only in terms of issuing relevant legislation, but also in communicating with a public that is often
insufficiently informed about the scope of opportunities and risks posed by the Information Age.
96 “The Information Polity: Social and Legal Frameworks for Critical Cyber Infrastructure Protection”. By
M. Losavio et al. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan (eds). Strategic Studies
Institute, 2011.
97 Cybersecurity Two Years Later. A Report of the CSIS Commission on Cybersecurity for the
44th Presidency. January 2011.
Annex
Types of Malware98

Logic Bomb
The earliest and simplest form of malware. It is not a virus but computer code which needs to be
secretly inserted into the computer software. It is set off either by a positive trigger (a set time or
date, or an event such as the removal of an employee’s name from the salary list) or by a negative
trigger (the failure to insert certain data or code by a specific time). When triggered, the bomb can
cause system shutdown, delete files, send secret information to the wrong people, etc.

Trojan Horse
Creates a “back door” into a computer, which can be accessed via the Internet from anywhere
around the world. It can delete, steal or monitor data on someone else’s computer. It can also turn
the computer into a “zombie” and use it to hide the real perpetrator’s identity and cause further
damage to other systems.

Key-logger
Monitors and keeps track of keystrokes on a computer, usually without the user being aware of it.
The information can be saved to a file and sent to another computer. Acquiring private data such
as usernames and passwords is usually the key target of the programme.

Virus
Infects files when they are opened or run and is capable of self-replication. It often manifests
itself as a logic bomb or a Trojan. Viruses are difficult to track and can spread very quickly. In
2000 the ILOVEYOU virus caused damage of approximately US$10 million.

Embedded Malware
Malicious software inserted into the operational systems of machines ranging from phones to
weapons systems, which accepts additional covert commands. According to General Wesley
Clark and Peter Levin, an example of such an operation was Israel’s alleged attack on Syrian
nuclear sites in 2007, which was supposedly made easier because embedded malware turned off
Syrian defence radar.

98 How does a logic bomb work? By Julia Layton. http://computer.howstuffworks.com/logic-bomb.htm;
also in Reducing Systemic Cybersecurity Risk, OECD/IFP Project on “Future Global Shocks”. January
2011.