In the twenty-first century, everything significant that happens in the real world, including every political and military conflict, will also take place in cyberspace. For national security planners, this includes propaganda, espionage, terrorism, and even warfare itself. The nature of a national security threat has not changed, but the Internet has provided a new delivery mechanism that can increase the speed, diffusion, and power of an attack. Its ubiquitous and unpredictable characteristics mean that the battles fought in cyberspace can be just as important – if not more so – than events taking place on the ground.
The dynamic and constantly evolving nature of computing technology ensures that cyber defenses will never be easy to maintain. The intangible nature of cyberspace can make the calculation of victory, defeat, and battle damage a highly subjective undertaking. And amazingly, even knowing whether one is under attack can be a challenge. Much information lies outside the public domain, there have been no wars between two first-class militaries in the Internet era, and the ignorance of most organizations regarding the state of their own cyber security is alarming.
Growing dependency on information technology (IT) and the interdependence of related critical infrastructures have made a secure cyberspace vital to the functioning of the modern state. At the same time, advances in the IT sector have also presented terrorists and other criminals with new opportunities and attack vectors that they are increasingly exploiting. Notably, perpetrators of cyber-crimes share common methods even if their goals and motivations differ. They learn from each other and frequently work together.
This article will try to show how dependency on cyberspace is continuously increasing, and will outline recent developments as they pertain to threats emanating from cyberspace. It will point to related challenges for those tasked with keeping cyberspace safe and secure and argue how today’s threats to cyber security can best be tackled. It will conclude by offering a few policy options for contemporary decision makers.
Although nobody can accuse the Internet’s early developers of a lack of foresight, they could never have imagined that their invention would develop into the global communication infrastructure it is today. Still, much has changed since the Internet was first developed as a tool to share scientific and military information, and much of the challenge in keeping cyberspace safe, secure and functional derives from the fact that security was not a priority when the Internet was created. Instead, the focus was on redundancy, efficiency and interoperability. But, exactly how dependent on cyberspace are we really?
A cyber-attack is not an end in itself. Rather, it is an extraordinary means to a wide variety of ends. The goals of a cyber-attack are primarily limited by the imagination of the attacker and his or her access to a target network. Here are five examples that national security thinkers should keep in mind as they incorporate cyber security into their defense strategies.
Increasingly, world leaders publicly complain of the threat posed by cyber espionage (“Espionage Report…” and Cody, 2007). On a daily basis, anonymous computer hackers steal vast quantities of computer data and network communications. In fact, it is possible to conduct devastating intelligence gathering operations, even on highly sensitive political and military communications, remotely from anywhere in the world.
Cheap and effective, propaganda is often the easiest and the most powerful form of cyber-attack. Propaganda dissemination may not need to incorporate any computer hacking at all, but simply take advantage of the amplification power of the Internet. Digital information, in text or image format – and regardless of whether it is true – can be instantly copied and sent anywhere in the world, even deep behind enemy lines. And provocative information that is removed from the Web can reappear in seconds.
The simple strategy behind a DoS attack is to deny the use of data or a computer resource to legitimate users. The most common tactic is to flood the target with so much superfluous data that it cannot respond to real requests for services or information. Other DoS attacks include the physical destruction of computer hardware and the use of electromagnetic interference, designed to destroy unshielded electronics via current or voltage surges.
Data modification attacks target the integrity of data. They are insidious, because a successful attack can mean that legitimate users (human or machine) could make important decisions based on maliciously altered information. Such attacks range from website defacement (often referred to as “electronic graffiti,” but which can still carry propaganda or disinformation) to database attacks intended to corrupt weapons or command-and-control (C2) systems.
National critical infrastructures are, like everything else, increasingly connected to the Internet. However, because instant response is often required, and because associated hardware may have insufficient computing resources, security may not be robust. The management of electricity may be especially important for national security planners to evaluate, because electricity has no substitute, and all other infrastructures depend on it (Divis, 2005). Finally, it is important to note that almost all critical infrastructures are in private hands.
Critical infrastructures are those infrastructures, or parts thereof, which are of substantial relevance in maintaining important societal functions. Their disruption or destruction has serious effects on the health, security or the economic and social wellbeing of the population, or on the effective functioning of government. Plans for protecting such infrastructures should be cognizant of their importance and comprehensive in their approach. For example, on the basis of the European Program for Critical Infrastructure Protection, a national master plan was elaborated for Austria, called the Austrian Program for Critical Infrastructure Protection (APCIP). APCIP describes the principles of the program, including listings of priority sectors; definitions of criteria for rating critical infrastructures; identifying risk factors and relevant actors; listing measures for the protection of critical infrastructures; and developing an action plan with detailed sub-goals.
The Europe-wide program lists 11 sectors of critical infrastructures: energy, nuclear industry, ICT, water, food, health, finances, transport, chemical industry, space travel and research institutions. The centers, communication nodes and control systems of these critical infrastructures at the disposal of a modern society are based on information and communication technology, or are of considerable importance for ICT, and can only be operated in certain locations.
For Austria not all of these sectors have the same relevance as they do for the EU. For example, nuclear industry and space travel are of no specific national importance, but conversely, emphasis is placed on constitutional installations, the maintenance of the social and defense systems as well as first responder organizations. Austria’s transformation into the information age is relatively more advanced than that of Estonia, and therefore Austria depends even more upon the functioning of its critical infrastructures. This calls for great efforts in order to ensure and sustain their functioning by taking comprehensive security measures.
The fact that a computer network attack during an armed conflict is not kinetic, physical or violent in itself does not put it beyond the remit of International Humanitarian Law (IHL). Computer network attacks open up new questions since they can be used, for example, against the enemy’s production, distribution and banking systems, making the impact more difficult to judge. The IHL principle that civilians should be protected, and that their livelihoods and the environment in which they live should not be targeted, provides basic guidance when faced with these new methods of warfare. Some cyberattacks over the past decade have briefly affected state strategic plans, but none has resulted in death or lasting damage! Preparation in a wider sense can only consist of protecting critical (vital) infrastructure and of concrete cyber defence measures.
The state has to provide adequate resources in developing a national means of analyzing, assessing and predicting developments in strategic ICT — including risk assessment, a permanent situation center for observation, estimates of the threat environment and, if necessary, for early warning, alert, and the activation of reactions and emergency organizations (such as CERT/CSIRT, or Computer Emergency Response Team/ Computer Security Incident Response Team).
Thus, what any state with a high degree of dependence on IT today needs is a central body to collect, analyze, and assess all pertinent information from government agencies at all levels as well as from private parties. This organization should also have the authority to take the necessary reconnaissance, prevention, defense, and reaction measures, or at least obligate other assets to do so. This authority would also underpin the effective steering and coordination of national and international cooperation regarding cyber war. Clearly, however, the necessary legal preconditions for such a body would have to be established and tailored in each national context, and the manner in which this is accomplished may well affect the way in which individual states can defend themselves against cyber war threats in the future.
Ministry of Defence and Sports,
Head Military Strategy Division and Cyber Coordinator, Austria
This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.