Cyber-warfare is coming
by Ilmar Tamm
11 November 2011
Cyberspace is the new 'wild west' with horses replaced by computers and guns replaced with web knowledge
Almost every aspect of modern life is now dependent upon computer networks – our bank accounts, our social network profiles and our health records - not to mention our businesses, our governments and our militaries. Access to the internet has become a defining condition of the way we work, entertain ourselves and learn about the world. But while computer networks have brought unprecedented convenience to our lives, there are dangers that they bring as well – a host of insidious, amorphous challenges to our collective security. It is, upon reflection, a self-evident parallel. We are able to check our bank balances from smartphones, while militaries can remotely control drones without leaving the base. Is it any surprise that criminals, hostile governments and terrorist groups should use this same wondrous technology to disrupt our lives with equal ease?
There are many ways we can be attacked in cyberspace, but there are some types of attacks that we see continually: the appropriation of all kinds of data, the hijacking of computers and networks and the defacement of websites – especially, those of governments or political parties by ideological opponents. While hackers have been around for as long as computers have, it is only in the last few years that the dangers of cyber-warfare have become more evident. The 2007 cyber-attacks in Estonia – where hackers disrupted and defaced the websites of Estonian banks, newspapers, public ministries and a political party – was one of the first major incidents that was directed against a country as a whole. And it was politically motivated.
However, a new kind of attack is on the horizon. At the recent International Conference on Cyber Conflict in Tallinn, Ralph Langner analysed the Stuxnet malware - which seriously disturbed Iranian nuclear enrichment facilities. Langner argued that this is the type of cyber-weapon we are going to see in the future. The effect are not limited and targeted to the cyber-world, but seek to take over control of critical systems in the real world. This is the reality that corporations and nation states will be facing, and attacks that have effects like this are sure to gain public attention. It seems like a long shot to many, but even the possibility of a cyber-attack that, for example, turns off a city's electrical power, is alarming. The question naturally, and fearfully perhaps, arises: how do we defend our systems against attacks like these? In addition to the enormous technical challenges to which there are many technical solutions, the legal aspects of cyber-conflict are a realm unto themselves - where definitions, precedents and doctrines are urgently needed. Moreover, the practice and implementation of existing norms are a key challenge to gain optimum balance between security and privacy.
What is cyber-warfare? What is the definition of cyber-terrorism? What constitutes a proportionate response in cyberspace? And, perhaps the most fascinating, though not necessarily the most pressing question is - when is it appropriate to respond to a cyber-attack with armed forces? These are questions that a few years ago would have seemed farfetched and unnecessary, but today they are looking increasingly relevant from the perspective of ensuring state or national security. Various states have managed to agree on laws that govern borders, international sea and air space, even outer space – but now we are faced with the task of adapting or creating laws and precedents for cyberspace. As in outer space, there are no borders in cyberspace – but unlike in outer space, it does not take many resources to enter cyberspace. Any individual with computer skills and an internet connection can act in cyberspace. It's like the American wild west, where anyone with a horse and a gun could be an outlaw. The horses have been replaced with computers, and gun skills with knowledge of the web.
So how can we tame the wild west of today? There is no denying that one of the overarching problems is a lack of experience and precedent. To help address this issue, the North Atlantic Treaty Organisation cooperative cyber defence centre of excellence – or NATO CCD COE - is sponsoring and actively participating in the writing of the manual on international law applicable to cyber-warfare – or MILCW. This is expected to be published by the end of 2012. The manual is meant to address all the legal issues under a framework of both international use-of-force law and international humanitarian law. In addition, it examines related problems such as sovereignty, state responsibility and neutrality. We are confident that this manual will help the international community answer many unanswered questions, especially those regarding retaliation.
But every legal issue in cyberspace is connected to others. Retaliation is impossible if one does not know the attacker and identifying actors in cyberspace is extremely difficult. An attacker can be in Europe, but route his attack through servers in Australia, Asia and America, making it nearly impossible to trace the originator. In fact, it becomes very easy to misattribute attacks by attaching responsibility for an attack on a possibly hijacked computer and its owner. Attribution, in short, is an enormous difficulty. This is one of the reasons why cooperation is crucial for cyber-defence - international cooperation and cooperation between the public and private sectors. Because so many critical infrastructures are run by private businesses rather than the government, it is critical that incident information is shared. Cyber-malefactors share information and tactics to their enormous benefit. It is important that, on our side, we do the same for defence and early warning dissemination.
Because governments do not have the financial resources to hire the top IT minds, strategies must be developed for how to utilise their expertise. The Estonian Cyber Defence League provides a useful model in which cyber-experts volunteer in their free time to work on cyber-defence issues, and are willing to contribute to the defence effort when governmental institutions are attacked. Raoul Chiesa, at our annual conference in June 2011, provided another innovative suggestion: maybe governments and the private sector should try to lure hackers to our side? It seems unwise not to try to win their expertise and experience.
In the words of Alan Turing – the English mathematician who has often been called the father of computer science and artificial intelligence –"we can only see a short distance ahead, but we can see plenty there that needs to be done". Every day brings news about developments in cyberspace, from the adaption of new technologies, to the rise of new hacker groups, to the latest attacks. We do not know what is waiting for us in the realm of cyberspace, but we do know that the most crucial capabilities will be those of adaptability, of preparation and of innovation.
Colonel Ilmar Tamm is director of the North Atlantic Treaty Organisation cooperative cyber defence centre of excellence. This article was first published in PublicServiceEurope.com's sister title Public Service Review: European Union Cyber-warfare - the next frontier
Almost every aspect of modern life is now dependent upon computer networks – our bank accounts, our social network profiles and our health records - not to mention our businesses, our governments and our militaries. Access to the internet has become a defining condition of the way we work, entertain ourselves and learn about the world. But while computer networks have brought unprecedented convenience to our lives, there are dangers that they bring as well – a host of insidious, amorphous challenges to our collective security. It is, upon reflection, a self-evident parallel. We are able to check our bank balances from smartphones, while militaries can remotely control drones without leaving the base. Is it any surprise that criminals, hostile governments and terrorist groups should use this same wondrous technology to disrupt our lives with equal ease?
There are many ways we can be attacked in cyberspace, but there are some types of attacks that we see continually: the appropriation of all kinds of data, the hijacking of computers and networks and the defacement of websites – especially, those of governments or political parties by ideological opponents. While hackers have been around for as long as computers have, it is only in the last few years that the dangers of cyber-warfare have become more evident. The 2007 cyber-attacks in Estonia – where hackers disrupted and defaced the websites of Estonian banks, newspapers, public ministries and a political party – was one of the first major incidents that was directed against a country as a whole. And it was politically motivated.
However, a new kind of attack is on the horizon. At the recent International Conference on Cyber Conflict in Tallinn, Ralph Langner analysed the Stuxnet malware - which seriously disturbed Iranian nuclear enrichment facilities. Langner argued that this is the type of cyber-weapon we are going to see in the future. The effect are not limited and targeted to the cyber-world, but seek to take over control of critical systems in the real world. This is the reality that corporations and nation states will be facing, and attacks that have effects like this are sure to gain public attention. It seems like a long shot to many, but even the possibility of a cyber-attack that, for example, turns off a city's electrical power, is alarming. The question naturally, and fearfully perhaps, arises: how do we defend our systems against attacks like these? In addition to the enormous technical challenges to which there are many technical solutions, the legal aspects of cyber-conflict are a realm unto themselves - where definitions, precedents and doctrines are urgently needed. Moreover, the practice and implementation of existing norms are a key challenge to gain optimum balance between security and privacy.
What is cyber-warfare? What is the definition of cyber-terrorism? What constitutes a proportionate response in cyberspace? And, perhaps the most fascinating, though not necessarily the most pressing question is - when is it appropriate to respond to a cyber-attack with armed forces? These are questions that a few years ago would have seemed farfetched and unnecessary, but today they are looking increasingly relevant from the perspective of ensuring state or national security. Various states have managed to agree on laws that govern borders, international sea and air space, even outer space – but now we are faced with the task of adapting or creating laws and precedents for cyberspace. As in outer space, there are no borders in cyberspace – but unlike in outer space, it does not take many resources to enter cyberspace. Any individual with computer skills and an internet connection can act in cyberspace. It's like the American wild west, where anyone with a horse and a gun could be an outlaw. The horses have been replaced with computers, and gun skills with knowledge of the web.
So how can we tame the wild west of today? There is no denying that one of the overarching problems is a lack of experience and precedent. To help address this issue, the North Atlantic Treaty Organisation cooperative cyber defence centre of excellence – or NATO CCD COE - is sponsoring and actively participating in the writing of the manual on international law applicable to cyber-warfare – or MILCW. This is expected to be published by the end of 2012. The manual is meant to address all the legal issues under a framework of both international use-of-force law and international humanitarian law. In addition, it examines related problems such as sovereignty, state responsibility and neutrality. We are confident that this manual will help the international community answer many unanswered questions, especially those regarding retaliation.
But every legal issue in cyberspace is connected to others. Retaliation is impossible if one does not know the attacker and identifying actors in cyberspace is extremely difficult. An attacker can be in Europe, but route his attack through servers in Australia, Asia and America, making it nearly impossible to trace the originator. In fact, it becomes very easy to misattribute attacks by attaching responsibility for an attack on a possibly hijacked computer and its owner. Attribution, in short, is an enormous difficulty. This is one of the reasons why cooperation is crucial for cyber-defence - international cooperation and cooperation between the public and private sectors. Because so many critical infrastructures are run by private businesses rather than the government, it is critical that incident information is shared. Cyber-malefactors share information and tactics to their enormous benefit. It is important that, on our side, we do the same for defence and early warning dissemination.
Because governments do not have the financial resources to hire the top IT minds, strategies must be developed for how to utilise their expertise. The Estonian Cyber Defence League provides a useful model in which cyber-experts volunteer in their free time to work on cyber-defence issues, and are willing to contribute to the defence effort when governmental institutions are attacked. Raoul Chiesa, at our annual conference in June 2011, provided another innovative suggestion: maybe governments and the private sector should try to lure hackers to our side? It seems unwise not to try to win their expertise and experience.
In the words of Alan Turing – the English mathematician who has often been called the father of computer science and artificial intelligence –"we can only see a short distance ahead, but we can see plenty there that needs to be done". Every day brings news about developments in cyberspace, from the adaption of new technologies, to the rise of new hacker groups, to the latest attacks. We do not know what is waiting for us in the realm of cyberspace, but we do know that the most crucial capabilities will be those of adaptability, of preparation and of innovation.
Colonel Ilmar Tamm is director of the North Atlantic Treaty Organisation cooperative cyber defence centre of excellence. This article was first published in PublicServiceEurope.com's sister title Public Service Review: European Union Cyber-warfare - the next frontier
COMMENTS
RELATED CONTENT
Is cyber warfare leading to a new type of arms race?
There are a surprising number of parallels between cyber warfare and nuclear warfare, reports Justin Stares from the Security and Defence Agenda conference in Brussels
There are a surprising number of parallels between cyber warfare and nuclear warfare, reports Justin Stares from the Security and Defence Agenda conference in Brussels
