Cybersecurity – Governments need to cooperate
Published 17:14, 08 April 10
As the Lords call for greater levels of co-operation amongst governments, the EU and Nato to prevent and detect cyber attacks, many people are wondering what level of attack we are under, when does cyber-attack become cyberwar and who is responsible for cyber defence of critical infrastructures owned by private companies.
It is clear that we are under varying levels of cyber attack, often severe and sustained. In the US, these attacks have ranged from attempts to break into the Pentagon, to attacks on commercial institutions, and some have even attributed power blackouts to cyber-attackers penetrating the power grids.
Two recent historical events in former Soviet republics demonstrate the scope of current attacks, how much they can be woven into the fabric of other kinds of conflict, and yet how elusive their definition and containment remain. In 2007 the cyber infrastructure of Estonia was heavily and repeatedly attacked in successive waves of activity, significantly impairing or shutting down many cyber-based services and communications.
Firm attribution was never made, and in fact a large number of attacking computers were in the United States. Although the incidents occurred as part of a serious dispute with Russia over a monument to the Soviet liberation of Estonia from the Germans--the context of a traditional diplomatic dispute--even the Minister of Defence, Dr. Jaak Aaviksoo, who was in charge of responding, said recently at a cyber security Forum at Stanford University that without clear attribution, one dare not leap to conclusions about the ultimate source of the attacks. He is clearly wary of saying that they passed the point at which a cyber attack had become an act of war.
More recently, in 2008, as a part of the South Ossetia War, sustained denial of service attacks and defacement of government web sites in Georgia, coincided with with a physical attack by Russian forces with all the hallmarks of a traditional military confrontation: tanks and troops across the border, destruction of Georgian military systems and infrastructure, etc.
In both cases, in the absence of firm attribution, the results more resembled an extended cyber-riot rather than a formal act of war. In neither case did NATO's commitment to collective response come into play. In the UK, there have been 300 significant attacks on the government's core computer networks in the last year, according to Lord West of Spithead, parliamentary under-secretary for security and counter-terrorism.
In many ways, until nations and international organizations like the UN work to define cyber war, it is unrewarding to try to determine the point at which a cyber attack can be called a cyber war. There is an enormous legal and policy infrastructure developed over centuries the determine when war has started in a non-cyber context. Even then, undeclared "wars" are fought between groups of combatants who may or not be officially linked to nation states; civil unrest blends into insurgency into open rebellion and into civil war, just as incidents or provocations across borders lead to shows of strength, to cross border raids and into full scale invasions.
Even with all the processes, definitions, conventions, etc., the boundaries of war are often blurred. We have clearly reached the threshold of the cyber war era, and the enormous effort to define the terms and conditions pertaining to war in cyberspace has yet to start. Moreover, many of the legal structures and processes that come into play around armed hostilities are also lacking or are at best embryonic in the case of cyber intrusions. The nations of the world need to begin the arduous task of developing these structures, and soon.
The problem of arriving at a definition or of identifying a clear-cut case of cyber warfare stems from the difficulty of determining where the hostile actions have originated or their intent. An attack on cyber infrastructure may target financial systems, for example. While nations engaged in war against one another might happily sabotage each other's ability to run an economy and find resources to sustain the conflict, many of the same affects on the financial cyber infrastructure would serve the needs of cyber criminals. And yet the all important elements of purpose and perpetrator are often impossible to discern.
This is because a cyber attack can be launched from computers other than those of the attacker, often with multiple levels of concealment. While we can clearly distinguish between warfare, espionage and crime (identity theft, fraud or other financial crimes, intellectual property theft, etc.) in non-cyber domains, without knowing the intent and defining the originator of the event it is very difficult to draw these clear distinctions in the cyber domain. The right kinds of broader cooperation between nations, and between the private sector owners and operators of most cyber infrastructure would make it more difficult to hide in cyber space.
It is clear that the risks of cyber attack are greatest for those with the most extensive cyber-related infrastructures, and the greatest dependency on those infrastructures that can be used against them to achieve the greatest impact. In this respect, leading nations like the US and the UK are in a precarious position, and they need to act first. The Digital Economy Bill currently going through parliament in the UK, is an indication of the recognition of how heavily invested in cyberspace the UK is already.
However, as the recent cases of Estonia and Georgia demonstrate, even nations with differing degrees of development and dependency on their cyber infrastructure can be the targets of well coordinated hostile actions. Estonia has one of the world's highest degrees of cyber development and integration, and the 2007 attacks there had serious impact on many kinds of basic infrastructure and services.
In contrast, Georgia is significantly less well developed in this regard, and most of the damage was to government web sites. And yet in both cases, the authority and sense of control of national governments was undermined. It is time for the nations of the world to start to come to terms with the cyber era by defining the terms, expectations and obligations of nations in this new environment.
The forms of cooperation that will be required will have to extend not only across the borders between nations, but also across the boundaries between governments and the private sector owners and operators of most of the worlds infrastructure. If the UK and other governments are to design effective definitions, policies, treaties and regulations for dealing with cyber attacks, they will have to do so in a way that allows much critical action to be taken by the private sector.
As noted earlier, the purposes of a cyber attack may be unclear, and the private sector--financial institutions, for example--may be the targets and principal losers in an attack. Yet the attacks often have an international cast of players and involved resources, jumping from computers to servers to computers across cyber space, ignoring the geopolitical boundaries that provide authority, structure and process to our laws and regulations.
Only with cooperation between government and the private sector can truly effective control regimes be implemented to identify perpetrators and intentions, and thus to provide the missing parts off a fabric of security to make cyber space safer. Perhaps the most positive aspect of this is the fact that the protective measures required of an enterprise or nation to secure its on-line assets are much the same, regardless of the source or intention of the attack.
This means that well-designed cooperation regimes and thorough implementation of protective measures by infrastructure owners and operators will pay big dividends against all types of attacks. This is good news, because it means we can secure critical assets once against most assaults. Key elements of this process must come from governments, who must learn to cooperate with both each other and with their private sector partners. It is time to come to terms with this new reality--fast.
Prior to ArcSight, Dr. Winter served as Associate Deputy Director of National Intelligence for Information Integration for the National Security Agency (NSA) from 2008 to 2009. Dr. Winter served more than 25 years at the NSA, including positions as CIO and CTO; Chief, NSA Commercial Solutions Center; Chief, Customer Response; and Deputy Chief, Defensive Information Operations.