Mark cybersecurity consists in, issues faced by governments
Mark Smith, Microsoft (Brussels), Cybersecurity Policy EMEA
Cyber: relating to or characteristic of the culture of computer information technology, and virtual reality
– Top Secret
– Restricted – National Security/Commercially sensitive
– Regulated – government official / personal / health / financial / telecoms
– Data embassy a likely target
On date of event, we were given the opportunity to hear about cybersecurity from Mark Smith, a Cybersecurity Policy EMEA at Microsoft’s office in Brussels. The talk was enlightening as we covered what cybersecurity consists in, issues faced by governments in this fast expanding area, and which kind of policy in managing these issues were implemented or being considered. The novel nature of the threats involved in cyber attacks has prompted much discussion on the specific ways in which they can be countered, as such this paper will define some of the unique problems associated with cybersecurity, and assess possible reaction measures in case of attacks. More precisely, according to Smith, the word cyber is defined as “relating to or characteristic of the culture of computer information technology, and virtual reality”. The
In the spring of 2007, due to the Estonians regard of symbols that remind them of the Soviet occupation and the annexation of the Baltic states, a Soviet military statue from the center of Tallinn was removed and relocated to a nearby graveyard. This seemingly unnoticed event was the cause of a deflagration of anger on part of the native Russians in the country, and resulted soon after in riots occurring in the capital. It was subsequently followed by massive amounts of Internet activity which exponentially grew into one of the first official and publicly described cyber wars (Heickerö, 39).
2. Case Study: Estonia
The attack, according to Estonia’s permanent undersecretary of defense Lauri Allman, was carried out over two phases. The first wave, which began on April 28, was limited to relatively primitive and simple attack tools which furthermore lacked the quantity of people required to seriously weaken Estonian infrastructure (Heickerö, 40). In fact, it was mostly backed by individuals frequenting hacktivists web pages and Internet forums, who were encouraged to download attack tools and target Estonian websites such as the Estonian Government Briefing Room or the Estonian Ministry of Defense (Heickerö, 40). That first wave of attacks lasted until May 3 when it peaked and then slowly lost its participants (Heickerö, 40).
The second wave peaked around May 8-9 and, in contrast with the previous wave, used much more sophisticated attack tools. This attack notably used large nets of compromised computers to conduct DDOS attacks to overwhelm critical targets, such as two of Estonia’s largest banks, which resulted in losses of about $1 million (Schmidt, 10), most of the government’s ministries and three to six of the biggest news organizations in the country (Heickerö, 40). Consequently, after a few days of relentless information overloading, Estonian servers and networks were severely incapacitated, which led to the forceful shut downs of several websites (Heickerö, 40). Finally, the cyber attack quickly ended as the attackers themselves stopped their operation (Heickerö, 40).
The Estonian response to the cyber attack was quick, and initially involved the cooperation of the Estonian CERT and private entities, who in order to successfully solve the problems, had an informal agreement to openly share information and not compete on security (Heickerö, 41). Furthermore, the small size of Estonia was a beneficial factor to the resolution of the problem, since it leads to a more streamlined coordination of resources (Heickerö, 41).
3. Case study: Georgia
The use of cyber warfare against Georgia was incremental, and finally peaked when Russia began its military offensive on August 8, 2008. More precisely, almost two months before the military conflict began, a first small span DDOS attack was carried out by zombie computers infected with malware (Heickerö, 43). On July 20, Shadowserver Foundation, an Internet watchdog group, registered multiple DDoS attacks directed towards the website of the Georgian president, and consequently had to be shut down for 24 hours (Heickerö, 44). Interestingly, that last attack was shown to have originated from a control server based in the USA, which had been set up just weeks before the actual Russo Georgian War (Heickerö, 44).
On August 8, at the same time Russian forces were crossing the Georgian border, Georgia also suffered from a cyber attack that crippled its government’s communications infrastructure and effectively paralyzed the National Bank of Georgia (Kello, 25). Furthermore, website defacement was also conducted to discredit Georgian President Mikheil Saakashvili, which involved, among other things, digitally manipulated images of the Georgian President on his personal website with those of Adolph Hitler (Heickerö, 44).
Trust – Difficult cause how do I know I can trust you
• Information sharing
How should information be shared
• Government security program
• Digital Crimes Unit
• Microsoft Active Protection Program
Some have argued that the reason why cyber terrorism has yet to occur, despite the substantial incentives for such groups to initiate a cyber attack, is due to the lack of necessary infrastructure in the countries in which they are most often based (Brenner, 46). However, this claim was disproven by the fact that, even though Afghanistan might not have the required technological sophistication, countries such as Pakistan or Sri Lanka possess high degrees of computer expertise (Brenner, 46), and even Osama Ben Laden had equipped his headquarters in the mountains of Afghanistan with computers and access to the Internet (Brenner, 47). This example points out one of the crucial issues to cyber deterrence, and for which it needs adaptation is in that cyber weapons, in contrast with nuclear weapons, have a vastly lower cost of entry (Kugler, . This allows poorer and less developed states to have the ability to cyber engage richer and more established states for a cost substantially lower than a nuclear program. This low barrier to entry has two effects on the successful implementation of a cyber deterrence policy, especially regarding the identification of the source of a cyber attack.
First, this means that a state who desires to implement a cyber deterrence policy must deal with a much greater number of capable actors than in the case of nuclear weapons. Indeed, while it may be easier to determine who is a culprit in the case of a nuclear attack, due to the greatly decreased number of actors capable of carrying out such action, however cyber warfare, is available to a much greater number of states, but also non-state actors and even individuals. The great number of potential sources for an attack makes the identification of the culprit a much more difficult process to achieve.
Furthermore, cyber attacks are often secretive and difficult to track, which adds an additional complexity to the identification process. Indeed, cyber attacks can be initiated behind Internet proxies, which hide the original location of the attacker behind the internet signature of another city or even country, or by using entire armies of computers that were previously compromised and subsequently “zombified” for the purposes of the attacker. Finally, the identification process is made even more difficult by the fact that states, or any other actor for this matter, can engage in a cyber attack under the guise of another country (Vatis, 13). As such, even if we were to successfully determine the attacker’s computer and its location, there remains the uncertainty that it still might not be the real culprit. However, this issue can be resolved if we are to understand cyber warfare as a consequence of broader international issues, and not as an end in itself.
Another difficulty that arises with implementing a cyber deterrence policy is that cyber weapons do not have the same capabilities and scope that made nuclear weapons such feared threats, and therefore increased the chances that nuclear deterrence became a success. Especially regarding their differences in the domains of “sheer destructiveness, assuredness of destruction and lack of international understanding” (Cirenza, 1), cyber weapons, compared with nukes, probably do not have as strong a fear factor and has the motivation and intellectual development, which probably reduce the overall effectiveness of cyber deterrence.
More precisely, it is generally accepted that no one has ever died from a cyberattack (Cirenza, 2), and even though Stuxnet, one of the most successful cyber attacks implemented yet, damaged 1,000 uranium enrichment centrifuges, cyber attacks have had a much smaller destructive effect than some might have argued. Even though the chief of general staff of the People’s Liberation Army of China, Gen. Fang Fenghui, argued in 2013 that “If Internet security cannot be controlled, it’s not an exaggeration to say the effects could be no less than a nuclear bomb” (Cirenza, 1), the facts have hardly followed. Indeed, nuclear attacks are so taboo because they can inflict unacceptable costs on a nation, while cyber attacks are still far from the unacceptable level of damage that makes deterrence more likely to succeed (Cirenza, 2).
However, undermining the potential of cyber warfare for destruction because it hasn’t happened yet is a very risky approach to the threat. As the Defense Science Board stated in a report that “At some future time, the United States will be attacked, not by hackers, but by a sophisticated adversary using an effective array of information warfare tools and techniques” (Vatis, 12-13), the potential of cyber weapons is far from having been fully explored, and we might still have to expect increasingly spectacular results from cyber attacks.
Furthermore, the decision to implement a nuclear strike is final once it has been decided, and will most likely result in severe damages for the adversary. In fact, nuclear weapons most often do not depend on the adversary’s vulnerability, and your ability to make use of a vulnerability in order to successfully reach its target, however, once a cyber attack has been decided, its success nearly always depends on the success of its delivery (Cirenza, 2). Some cyber-attacks, if they need to reach air-gapped systems, depend for example, on a covert agent’s ability to successfully introduce malware in the machine, passwords that might have been modified, or even zero-day exploits that might have been patched. Furthermore, even if one manages to infiltrate malware, depending on the quality of the software, one cannot fully predict its effect, which could extend from doing nothing, to unintentionally wreaking an entire infrastructure. Therefore, because the decision to carry a cyber attack might or might not even lead to consequences, the impact of deterrence on cyber warfare is lessened due to the reduced importance of decision making to the result (Cirenza, 2).
However, not all cyber warfare is conducted through the use of malware. Distributed Denial of Service attacks, also called DDOS, use many machines in order to saturate a server’s processing capabilities in order to make it unusable. Those attacks are straightforward, do not require particular conditions in order to be implemented, and are inherently surgical in application. As such, even though not all cyber warfare is conducted through DDOS style operations, not every attack is due to malware. Therefore, cyber warfare offers many different tools in order to implement an objective, and thus, decision makers are still at the root of whether or not consequences occur from a cyberattack in that they are still responsible for its implementation or lack thereof.
Finally, cyber warfare lacks the mature open debate that allowed the creation of nuclear strategies after the Second World War (Cirenza, 2). Without clearly determined explanations of the implications of using cyber weapons, might it be at the public or governmental level, there will not be a common understanding of cyber warfare, and therefore, won’t result in the establishment of international norms and accepted practices. This further weakens cyber deterrence in that the lack of established norms might result in states finding different thresholds for what constitutes acceptable uses of cyber warfare (Cirenza, 2).
However, as cyber attacks increase in volume and complexity, this issue might resolve itself with time. Estonia suffered from a severe DDOS cyber attack in 2007, which effectively disabled its financial and governmental infrastructures and subsequently required the help of NATO in order to contain its disruption (Hunker, 9). One of the results of this cyber attack was the development by NATO of mechanisms and guidelines through which it could help its allies deal with cyber warfare, and a revision of its policies regarding what may or may not constitute an Article 5 attack (Hunker, 9). Therefore, a lack of debate might be solved by increased awareness of cyber warfare as it becomes an increasingly common strategy.
GDPR (Government Security Program)
• Government Security Program
• Legal mechanism to talk to governments
• Online source authorization
• Transparency Center Authorization
• Information Sharing & Exchange authorization
• Technical Data Authorization
• Wassenaar Arrangement
• 41 participating states
• Revised in 2003 to include definition “intrusion software”
• EU dual use regulation
Digital Geneva Convention
• February 2017
• Cyberattacks getting worse
• 2020, cost of attacks up to 3 trillion $
• Now, 400 bn $
• (Alleged) Nation State Cyber attacks contribute to rising cyber insecurity
• Digital Geneva Convention needed to address short-of-conflict scenarios
• Binding government agreements
• Tech sector accords
• Attribution Organization
Global Tech Accord
• 0% offense – 100% defense
• Assist customers everywhere
• Collaborate to bolster first response efforts
• Support government response efforts
• Coordinate vulnerability handling and reporting
• Fight the proliferation of vulnerabilities
Cyber weapons are fundamentally different from conventional weapons and consequently, respond to different rules. More specifically, cyber weapons do not have a physical existence, and as such, are revolutionary since they are not constrained by space and therefore, do not require that a distinction is made between local and distant conflicts (Kello, 23). Effectively, cyber weapons are capable of attacking any country in the world without any regard for geography, and therefore, manage to flatten the world when it comes to conflict. Furthermore, due to their virtual nature, their payloads are not the actual source of any damage, but their contact with the remote object that it targets might lead to destructive consequences. As such, even though cyber weapons are unable to inflict harm by themselves, they do have the potential to take over an object that could lead to casualties (Kello, 23). Therefore, this divide between their virtual existence and physical capabilities is at the root of their offensive advantage, and because they do not have a physical effect until they reach their target, the ability to defend against them is a much harder struggle than to engage in a cyber attack.
The Olympic Games operation is a remarkable example of this strength, as it leads to the decommissioning of 1,000 centrifuges at Iran’s Natanz facility, simply because of a single USB drive (Kello, 23). In addition, cyber attacks extend beyond virtual and physical consequences as they also have a psychological effect, which initially lead Iranian officials to believe that the attack was carried out by an individual within their ranks (Kello, 23). In fact, cyber weapons did help win wars, like in the case of Russia’s cyber attacks on Georgia, which crippled the government’s communications infrastructure and paralyzed the National Bank of Georgia, and consequently resulted in a facilitated invasion by the Russians (Kello, 25).
While they are not nuclear weapons, cyber weapons do in fact carry a substantial amount of power, and as Chairman of the Joints Chiefs of Staff, Gen. Martin Dempsey stated, “the uncomfortable reality of our world is that bits and bytes can be as threatening as bullets and bombs” (Kello, 24).
Furthermore, some cyber weapons such as DDOS attacks do not even require that it takes control of an object, and are successful solely due to their ability to completely block networking capabilities. And indeed, the DDOS attack on Estonia in 2007 froze the country’s government and financial activities for about three weeks (Kello, 24). As such, cyber weapons are fundamentally capable as offensive weapons, which is compounded by the inherent costliness and ineffectiveness of cyber defense strategies.
1. Cyber warfare is offensive due to its inherent software advantage over cyber defense
Some have argued that cyber warfare is mostly defensive because of the high cost associated with staging a destructive cyber-attack, but the opposite is more likely to be the case. As we previously stated, the use of “zero-day” exploits by cyber weapons makes them considerably unpredictable and often undetectable to defenders. However, effective defense entails that the defender is aware of those vulnerabilities, but also understands how attackers may use them. Thus, defense requires inherently more of a though process and awareness regarding the network that needs protection than does a cyber attack.
Consequently, defenders need to protect their entire network even though an attacker might only need one vulnerability to conduct a cyber attack, which subsequently creates a defense imbalance. This imbalance further increases as hardware and software become more complex, which increases the relative cost for each party. However, defenders suffer from a substantial disadvantage in that they must replace many pieces of equipment, while attackers might only have to pay extra for a more advanced cyber weapon. Thus, factors inherent to cyber weapons make them much more appropriate for offensive purposes, which combined with the difficulty of effectively protecting infrastructure and the substantially more consequent costs of defense infrastructure, makes cyber weapons inherently destined for offensive attacks.
2. Cyber warfare is offensive due to its inherent hardware advantage over cyber defense
Furthermore, some of the most critical computer infrastructures are owned privately, which creates further problem for the authorities regarding how they can implement securitizing measures that the private sector will be willing to put in place. Finally, most computers parts are built today exterior the country where used and therefore there is always the risk that they might come preloaded with malware.
As such, cyber defense is an enormous endeavor, which is tied to the fact that the offense defense equation will most likely tip in favor of offense. The current high price for offensive cyber attacks may make them too expensive for traditionally small states, but as technology increasingly becomes cheaper and attack tactics constantly evolve, such capabilities are likely fall in the hands of many more people.
2) – How can a bargaining model that accounts for the inherent advantages of offense in cyber warfare help us predict responses to cyber-attacks.
Since we established that cyber weapons operate best from an offensive perspective, and are difficult to use defensively, we must therefore understand how they might be used in the context of the international system’s state of anarchy. Thus, we may use Fearon’s rationalist explanation for war as a model from which we can deduce the reasons for the practical use of offensive cyber weapons, but most importantly, determine what kind of response states might implement after an attack.
A rationalist explanation of war finds it theoretical roots within a paradox that assumes that since war is costly and risky, rational states should have incentives to cooperate and negotiate settlements, however, war still occurs even if cooperation might have yielded more benefits (Fearon, 380). This paradox is solved by following the logic of five particular arguments: the condition of anarchy, expected benefits that are greater than the expected costs, the value of rational preventive war, and the rational miscalculations due to lack of information or disagreement about relative power (Fearon, 381).
Anarchy is the natural state of the international system, and is the reason for why states enter into conflicts with each other (Fearon, 384). Indeed, the lack of an international government that may issue credible threats to settle disputes, is a reason for why war may appear as the best option for states with conflicting interests (Fearon, 384). Furthermore, the lack of enforceable rules effectively allows states to act forcefully in any way they want in order to obtain what they desire (Fearon, 384). While the anarchical nature of international relations and its consequences might be considered a given by now, it is essential to acknowledge to follow the logic of the next arguments.
Preventive war becomes a rational choice for a declining state if it believes that it might be attacked by a rising power (Fearon, 385). However, even though there might be incentives for both states to construct an agreement, and a general acceptance of war as an inefficient and wasteful process, the declining state might still rationally fear being attacked in the future (Fearon, 385).
This is explained by the element of positive expected utility that comes into play when states assess the rationality of going to war. It argues that war occurs if both states have a positive expected utility to fight (Fearon, 386), but this is only a partial explanation of the role of bargaining in war decision making. In fact, if both states are willing to go to war, then their positive expected utility overlap each other within a bargaining range (Fearon, 387). Thus, war is an expensive gamble that, even though it could be made cheaper through peaceful bargaining (Fearon, 388), still offers a great reward if it is won.
However, this issue is not helped by the fact that war can be, and is often the product of rational miscalculation (Fearon, 390), which can especially occur due to a lack of information, which can be intentional as well as unintentional (Fearon, 391).
However, even though the rationalist explanation we just described was mostly concerned with war, its conclusions can be adapted to cyber weapons. Via this model, we figure that a state has a lower threshold to use offensive cyber weapons because of the decreased chances of actually losing to an adversary’s defense, but also, like in any conflict, because rational miscalculation may occur due to a lack of information, which may itself result from deception.
Heickerö, Roland. Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI, Swedish Defence Research Agency, Division of Defence Analysis, 2010.
Fearon, James D. “Rationalist Explanations for War.” International Organization, vol. 49, no. 03, 1995, p. 379.
Kello, Lucas. “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft.” International Security, vol. 38, no. 2, 2013, pp. 7–40., doi:10.1162/isec_a_00138.
Cirenza, Patrick. “Officials Like to Compare Cyberweapons to Nuclear Weapons. They’Re Dangerously Wrong.” Slate Magazine, 15 Mar. 2016, www.slate.com/articles/technology/future_tense/2016/03/cyberweapons_are_not_like_nuclear_weapons.html.
Richard Kugler. “Deterrence of Cyber Attacks” Cyberpower and National Security.