The Militarisation of Cyber Security as a Source of Global Tension (page 2)

22 Oct 2012

Cyber-security has become a strategic issue. But while offensive cyber operations are becoming a significant component of modern conflicts, Myriam Dunn Cavelty argues that the role of the military in cyber security will be limited and still needs to be carefully defined.

Five developments that speed up militarisation

The basics as described above provided a stable setting for the cyber security debate at least since the mid-1990s, if not before. Five developments as described below have solidified the impression that cyber disturbances are increasingly dangerous and fall under the purview of national security. The discovery of Stuxnet is the culmination point in this evolution. It has brought about a qualitative and irreversible change in how the issue is handled politically: Its discovery has catapulted the cyber issue from the expert level to the diplomatic and foreign policy realm.

First, computer security professionals are increasingly concerned with the rising level of professionalisation coupled with the obvious criminal (or even strategic) intent behind attacks. Tech-savvy individuals (often juveniles) aiming to create mischief or personally enrich themselves shaped the early history of computer-related crime. Today, professionals dominate the field. Actors in the ‘cyber crime black market’ are highly organised in terms of their strategic and operational vision, logistics, and deployment. Like many legitimate companies, they operate across the globe. As a consequence, the nature of malware has changed. Advanced malware is targeted: A hacker picks a victim, examines the defences, and then designs specific malware to get around them. The most prominent example of this kind of malware is Stuxnet (see below).

Second, the main cyber ‘enemy’ in the form of a state has been singled out: There is an increase in allegations that China is responsible for cyber espionage in the form of high-level penetrations of government and business computer systems in Europe, North America, and Asia. Because Chinese authorities have stated repeatedly that they consider cyberspace a strategic domain and that they hope that mastering it will equalise the existing military imbalance between China and the US more quickly (see Chapter 1 in this publication), many US officials readily accuse the Chinese government of perpetrating deliberate and targeted attacks or intelligence-gathering operations. However, because of the attribution problem, these allegations almost exclusively rely on anecdotal and circumstantial evidence. Not only can attackers hide, it is also impossible to know an attacker’s motivation or to know a person’s affiliation or sponsorship, even if the individuals were known. Therefore, attacks and exploits that seemingly benefit states might well be the work of third-party actors operating under a variety of motivations. At the same time, the attribution challenge also conveniently allows state actors to distance themselves officially from attacks.

Third, there has been an increase in ‘hacktivism’ – a portmanteau word that combines ‘hacking’ and ‘activism’. WikiLeaks, for example, has added yet another twist to the cyber debate. Acting under the hacker maxim that ‘all information should be free’, this type of activism deliberately challenges the self-proclaimed power of states to keep information considered vital for national security secret. Hacker collectives such as Anonymous or LulzSec engage in related activities of a multifaceted nature. They creatively play with anonymity in an age obsessed with control and surveillance and humiliate high-visibility targets by so-called DDoS attacks, which saturate the target machine with external communications requests so that it cannot respond to legitimate traffic, or by break-ins and release of sensitive information. These events are perceived as pressing cyber security issues in government because data is stolen in digital form and/or made available to the whole world through multiple Internet sites. In addition, media attention has been and will likely remain great; the reputational damage has been high. The more obsessed governments become with cyber security, the more embarrassing it is when they become the public target of break-ins.

Fourth, the term ‘cyber war’ is used more and more frequently in the media but also in policy circles. Originally, the term was coined together with its twin concept ‘netwar’ in the early 1990s to signify a set of new operational techniques and a new mode of warfare in the information age. Both have since become part of official (US) military information operations doctrine in modified form. But ‘cyber war’ also leads a colourful life outside the military discourse: The popular usage of the word has come to refer to basically any phenomenon involving a deliberate disruptive or destructive use of computers, which has prompted US President Barack Obama’s cyber security czar Howard Schmidt to repeatedly call it a ‘terrible metaphor’. For example, the media proclaimed the first cyber World War in 2001. The cause was an incident in which a US reconnaissance and surveillance plane was forced to land on Chinese territory after a mid-air collision with a Chinese jet fighter. Soon after, defacements of Chinese and US websites and waves of DDoS attacks began. Individuals from many other nations joined in on both sides. The US government and military stated that they had sharply stepped up network security. Other sources reported that the Navy was at INFOCON ALPHA, a cyber version of real-world military Defense Readiness Level (DEFCON). Beyond the hype factor, the true effect of these online activities is close to zero.

Another, even more prominent example is the case of the Estonian ‘cyber war’. When the Estonian authorities removed a bronze statue of a World War II-era Soviet soldier from a park, a three-plus-week wave of DDoS attacks started. It downed various websites, among them the websites of the Estonian parliament, banks, ministries, newspapers, and broadcasters.

Even though it was not possible to provide sufficient evidence for who was behind the attacks, various officials readily and publicly blamed the Russian government. Also, despite the fact that the attacks had no truly serious consequences for Estonia other than (minor) economic losses, some officials even openly toyed with the idea of a counter-attack in the spirit of Article 5 of the North Atlantic Treaty, which states that ‘an armed attack’ against one or more NATO countries ‘shall be considered an attack against them all’. The Estonian example is one of the cases most often referred to in government circles to prove that there is a need for action and the age of ‘cyber war’ has begun. Similar claims were made in the confrontation between Russia and Georgia of 2008.

Fifth, the discovery of the computer worm Stuxnet in 2010 changed the overall tone and intensity of the debate even further. Stuxnet is a very complex programme. It is likely that writing it took a substantial amount of time, advanced-level programming skills, and insider knowledge of industrial processes. Therefore, Stuxnet is probably the most expensive malware ever found. In addition, it behaves differently from the normal criminal-type malware: It does not steal information and it does not herd infected computers into so-called botnets from which to launch further attacks. Rather, it looks for a very specific target: Stuxnet was written to attack Siemens’ Supervisory Control And Data Acquisition (SCADA) systems that are used to control and monitor industrial processes. In August 2010, the security company Symantec noted that 60 per cent of the infected computers worldwide were in Iran. It was also reported that the Iranian nuclear programme had been delayed as some centrifuges had been damaged.

The picture that emerges from the pieces of the puzzle seems to suggest that only one or several nation states – the cui bono (‘to whose benefit’) logic pointing either to the US or Israel – would have the capability and interest to produce and release Stuxnet in order to sabotage the Iranian nuclear programme. However, the one big problem with the Stuxnet story is, once again, that it is entirely based on speculation: The evidence for Stuxnet being a government-sponsored cyber weapon directed at Iran, though convincing and plausible, is entirely circumstantial. Due to the attribution problem, it is impossible to know who gave the order, who actually programmed Stuxnet, and the real intent behind it. Rather than making the problem less serious, however, this fact is at the heart of current fears. The cyber domain has emerged as a realm in which states see their control and power challenged from all sides, but in which they are forced to position themselves as forcefully as possible, too.

Unravelling the Stuxnet effect

Whatever the ‘truth’ may be: The Stuxnet incident is a manifestation of longstanding fears. It is a targeted attack affecting the control system of a supercritical infrastructure, invisible and untraceable until it hits. Since so little about the worm is known for certain, however, the actual effects in the form of damage are impossible to uncover, as is shown in the first subsection below. Other effects, though also partially speculative, have manifested themselves more clearly. One of these fears, covered in the second subsection, is the fear of proliferation and copycat attacks. Another, more salient one is psychological and has real political consequences: Many security experts and decision-makers do believe that one or several state actors created the computer worm. For those people, the digital first strike has been delivered, and this marks the beginning of the unchecked use of cyber weapons in military-like aggressions. Cyber security now clearly comes under the purview of diplomats, foreign policy analysts, the intelligence community, and the military. These reactions and their severe consequences for international relations and security are the focus of the third subsection.

Damage/cost

Putting a number to the cost of any specific malware is a very tricky thing. Attempts to collect significant data or combine them into statistics have failed due to insurmountable difficulties in establishing what to measure and how to measure it. Numbers that are floating around are usually more or less educated ‘guesstimates’, calculated by somehow adding downtime of machines and the cost for making them malware-free. The same problem applies to Stuxnet. Shortly after the worm was discovered, Symantec estimated that between 15,000 and 20,000 systems were infected. These numbers increased the longer the worm was known. Siemens on the other hand reported that the worm had infected 15 plants with their SCADA software installed, both in and out of Iran. In the end, Symantec set both the damage and the distribution level of the malware to medium.

In the mainstream representation of the Stuxnet story, the Bushehr nuclear plant is the intended target of the attack. Indeed, the operational start of Bushehr was delayed by several months: Iranian officials blamed the hot weather and later a leak for it. Officially, Tehran at first denied the worm infected critical systems at the Bushehr plant, but later said that Stuxnet had affected a limited number of centrifuges. There also seemed to have been some problems at Natanz: A decline in the number of operating centrifuges from mid-2009 to mid-2010 may have been due to the Stuxnet attack, some experts speculate. All in all, knowing the extent of the effect Stuxnet had on the Iranian nuclear programme is impossible; it seems plausible, however, that it has delayed it, though only for a short amount of time. The psychological effect on the Iranian government, though also not easily fathomable, is likely to have been very high.

Proliferation effect

The discovery of Stuxnet and subsequent rumours that its source code was for sale led some experts to fear a rapid proliferation of this type of programming and many so-called piggyback attacks. This would make SCADA systems – computer systems that monitor and control industrial, infrastructure, or facility-based processes – the target of choice in the near to mid-term future for all types of hacks, with potentially grave consequences, also due to unintended side effects. Other analysts have described these fears as groundless, because even if somebody had acquired the source code, they would have to be just as capable as the initial programmers for the variant to be as successful. Once a piece of malware has been discovered, even if it is a sophisticated specimen, merely copying it will be of little use if the computer vulnerability it exploited has been patched in the meantime.

So far, no proliferation effect has materialised; however, in September 2011, another worm (Duqu) was discovered that is reportedly very similar to Stuxnet, and was probably written by the same authors. It mainly looks for information that could be useful in attacking industrial control systems and does not sabotage any parts of the infrastructure.

Political and psychological effect

The greatest effect the worm has had is clearly psychological: It has left many state officials deeply frightened. This fear has political consequences. First, on the national level, governments are currently releasing or updating cyber security strategies and are setting up new organisational units for cyber defence. Second, internationally, increased attention is being devoted to the strategic-military aspects of the problem. The focus is on attacks that could cause catastrophic incidents involving critical infrastructures. More and more states report that they have opened ‘cyber commands’, which are military units for cyber war activities.

Though consolidated numbers are hard to come by, the amount of money spent on defence-related aspects of cyber security seems to be rising steadily. The new cyber military-industrial complex that has emerged is estimated to deliver returns of US$ 80 to 150 billion a year, and big defence companies like Boeing and Northrop Grumman are repositioning themselves to service the cyber security market. In addition, some states, particularly those not allied with the US, have ramped up their rhetoric. For example, Iranian officials have gone on the record as condoning hackers who work in the state’s interest. As a result, the first signs of a cyber security dilemma are discernible: Although most states still predominantly focus on cyber defence issues, measures taken by some nations are seen by others as covert signs of aggression. That leads to more insecurity for everyone – specifically because it is impossible to assess another state’s cyber capabilities.
