KENNETH GEERS
PANDEMONIUM: NATION STATES, NATIONAL SECURITY, AND THE INTERNET
Tallinn Paper No. 1. 2014
Disclaimer
This publication is a product of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre).
It does not necessarily reflect the policy or the opinion of the Centre or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
Digital or hard copies of this publication may be produced for internal use within NATO and for personal or educational use when for non-profit and non-commercial purpose, provided that copies bear a full citation.
Please contact email@example.com with any further queries.
Roles and Responsibilities in Cyberspace
The theme of the 2014 Tallinn Papers is ‘Roles and Responsibilities in Cyberspace’.
Strategic developments in cyber security have often been frustrated by role assignment, whether in a domestic or international setting. The difficulty extends well beyond the formal distribution of roles and responsibilities between organisations and agencies.
Ascertaining appropriate roles and responsibilities is also a matter of creating an architecture that is responsive to the peculiar challenges of cyberspace and that best effectuates strategies that have been devised to address them.
The 2014 Tallinn Papers address the issue from a variety of perspectives. Some of the articles tackle broad strategic questions like deliberating on the stance NATO should adopt in cyberspace matters, or exploring the role small states can play in this domain.
Others touch upon narrower topics, such as the right to privacy in the growingly intrusive national security context and whether software manufacturers should be compelled to bear their burden of cyber security by making them liable for faulty software. The thread running through all the papers, however, is their future-looking approach, one designed to inspire discussion and undergird strategic development.
Submissions
The Tallinn Papers is a peer reviewed publication of the NATO Cooperative Cyber Defence Centre of Excellence. Although submissions are primarily commissioned by invitation, proposals consistent with the annual theme and dealing with issues of strategic importance will be considered on an exceptional basis. Since the Tallinn Papers are meant for a wide audience, such proposals should assume no prior specialised knowledge on the part of the readership. Authors wishing to submit a proposal may contact the Editor-in-Chief at firstname.lastname@example.org.
THE TALLINN PAPERS
Pandemonium: Nation States, National Security, and the Internet
Kenneth Geers[1]
A long time ago, the author of Ecclesiastes wrote: “There is nothing new under the sun.” What about the internet? The network of networks should help us to have a more peaceful future, but too often it seems that the internet today is merely a reflection of what came before – including crime, espionage, and warfare – and that the international security environment is still closer to Pandemonium[2] than Paradise. To make matters worse, all of our vices have seemingly been teleported into the realm of science fiction. Cyber security threats are both technological and philosophical wonders: a computer program that destroys nuclear centrifuges thousands of miles away, malware that secretly records everything we do, encrypted code that decrypts only on one target device, and so on.
The internet now plays an important role in national security affairs. Consider just a few recent examples from Europe. Cyber spies have targeted the European Union[3] and member states such as France[4] in a drive for competitive advantage in politics and diplomacy. In the business world, Norway’s National Security Authority (NSM) has confirmed at least ten separate network penetrations of Norwegian corporations, while noting that the true figure is undoubtedly much higher.[5] In law enforcement, German police discovered that its servers were compromised.[6] In the military domain, French Navy planes were grounded by malicious code in the form of the Conficker worm.[7] In the United Kingdom, hackers gained access to the Ministry of Defence’s classified networks.[8] All of this takes place in an environment where cyber investigation, prosecution, and retaliation are difficult, and sometimes not even desirable.[9]
The purpose of this essay is modest. It spans the globe once, stopping long enough in numerous countries to record some of the most famous examples of international cyber attack and cyber conflict to date, and attempts to place them within a broader geopolitical context. Hopefully, this short composition will accomplish two things: remind the reader that traditional international conflicts have, as a rule, now drifted into cyberspace; and help set the stage for follow-on papers in this research series by the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), which will examine the challenge of securing cyberspace from many new angles in the future.
[1] Senior Global Threat Analyst, FireEye; Ambassador, NATO Cooperative Cyber Defence Centre of Excellence.
[2] Pandæmonium, which now means ‘wild and noisy disorder’, was the capital of Hell in John Milton’s epic poem Paradise Lost.
[3] ‘“Serious” cyber attack on EU bodies before summit,’ BBC (23 March 2011).
[4] Robert Charette, ‘“Spectacular” Cyber Attack Gains Access to France's G20 Files,’ IEEE Spectrum (8 March 2011).
[5] Chloe Albanesius, ‘Norway Cyber Attack Targets Country's Oil, Gas Systems,’ PCMag (18 November 2011).
[6] ‘Hackers infiltrate German police and customs service computers,’ Infosecurity Magazine (18 July 2011).
Russia
Winston Churchill called Russia “a riddle wrapped in a mystery inside an enigma.” Today, cyber defence researchers often make a similar claim: Russia has the world’s best hackers, so they can operate quietly and without being caught.
There is likely some truth in that, but it seems equally true that Russia has been at least tangentially involved in some of the best-known cases of international cyber conflict to date.
Chechnya is an autonomous republic of the Russian Federation, but Moscow has nonetheless engaged in armed conflict with it since the dissolution of the Soviet Union. From the Chechen Wars, the primary lesson for future cyber war planners is that, in the age of the World Wide Web, the propaganda battle for hearts, minds, and wallets will be fought website by website.[10]
In 1998, when Russian ally Serbia was under attack by NATO, anonymous pro-Serbian hackers jumped into the fray, flooding NATO networks with denial-of-service (DoS) attacks and at least twenty-five strains of virus-infected email.[11] In 2007, Russia was the prime suspect in the most famous international cyber attack to date – the punitive digital assault on Estonia for having moved a Soviet-era statue.[12] In 2008, there was evidence that computer network operations played a supporting role in Russian military advances during its invasion of Georgia,[13] and Russia was the prime suspect in what U.S. Deputy Secretary of Defense William Lynn called the “most significant breach of U.S. military computers ever”, a USB-vector attack on Central Command (CENTCOM).[14] In 2009, Russian hackers were blamed in “Climategate”, a breach of university research intended to undermine international negotiations on climate change mitigation.[15] In 2010, the FBI arrested and deported suspected Russian intelligence agent Alexey Karetnikov, who had been working as a software tester at Microsoft.[16]
In response to the spectre of future cyber wars, Russia, like the U.S., China, and Israel, is creating cyber warfare-specific military units[17] and, in an effort to improve its digital defences, is buying old-fashioned typewriters.[18]
[7] Kim Willsher, ‘French fighter planes grounded by computer virus,’ The Telegraph (7 February 2009).
[8] Nick Hopkins, ‘Hackers have breached top secret MoD systems, cyber-security chief admits,’ The Guardian (3 May 2012).
[9] John Leyden, ‘Relax hackers! NATO has no cyber-attack plans—top brass,’ The Register (6 June 2012).
[10] Kenneth Geers, ‘Cyberspace and the Changing Nature of Warfare,’ Hakin9 E-Book, 19(3) No. 6; SC Magazine (27 August 08) 1-12.
China
China’s enormous population and rapidly expanding economy have combined to create a voracious appetite for information, which is sometimes most easily acquired through cyber espionage. Much of this espionage appears to have national security implications, which could, over time, alter the balance of power in the Pacific.
As early as 1999, the U.S. Department of Energy believed that Chinese cyber espionage posed an “acute” threat to U.S. nuclear security.[19] In 2001, following the mid-air collision between a U.S. Navy EP-3 signals intelligence (SIGINT) aircraft and a People’s Liberation Army Navy (PLAN) J-8II fighter, and the prolonged detention of the U.S. crew in China, pro-U.S. and pro-China “patriotic” hackers threatened to take the conflict into their own hands.[20] More recently, China apparently stole the plans for the most advanced U.S. fighter jet, the F-35,[21] and hacked Google, Intel, Adobe, RSA, Lockheed Martin, Northrop Grumman,[22] the New York Times, the Wall Street Journal, and the Washington Post.[23] In a turn toward critical infrastructure, U.S. intelligence agencies believe that Chinese hackers targeted two dozen gas pipeline companies, possibly for sabotage,[24] as well as the U.S. Army Corps of Engineers’ National Inventory of Dams.[25]
Outside the U.S., the story is little different. Chinese hackers are believed to have compromised the British House of Commons in 2006,[26] the German Chancellery in 2007,[27] Japanese classified documents in 2011,[28] an air-gapped Indian Navy headquarters in 2012,[29] and in 2013 both the South Korean government[30] and the Australian Security Intelligence Organization.[31]
In response, Chinese officials contend that their country is also a victim of cyber attacks. In 2006, the China Aerospace Science & Industry Corporation (CASIC) found spyware on its classified network.[32] In 2007, the Chinese Ministry of State Security stated that foreign hackers were stealing Chinese information, “42%” by Taiwan and “25%” by the United States.[33] In 2009, Chinese Prime Minister Wen Jiabao announced that a hacker from Taiwan had stolen his upcoming report to the National People’s Congress.[34] In 2013, Edward Snowden, a former system administrator at the National Security Agency (NSA), published documents suggesting that the U.S. conducted cyber espionage against China;[35] and the Chinese computer emergency response team (CERT) stated that it possessed “mountains of data” on cyber attacks by the U.S.[36]
[12] Joshua Davis, ‘Hackers Take Down the Most Wired Country in Europe,’ WIRED (21 August 07).
[13] U.S. Cyber Consequences Unit, ‘Overview by the US-CCU of the Cyber Campaign against Georgia in August of 2008’ (August 2009).
[14] William J. Lynn, ‘Defending a New Domain: The Pentagon’s Cyberstrategy,’ Foreign Affairs 89(5) 97-108 (2010).
[15] Will Stewart, Martin Delgado, ‘Were Russian security services behind the leak of ‘Climategate’ emails?’ Daily Mail (6 December 2009) & RT (23 November 2011) ‘Global warning: New Climategate leaks,’ RT.
[16] Anastasia Ustinova, ‘Microsoft Says 12th Alleged Russian Spy Was Employee,’ Bloomberg (14 Jul 2010).
[17] Vadim Gorshenin, ‘Russia to create cyber-warfare units,’ Pravda (29 August 2013).
[18] Geoffrey Ingersoll, ‘Russia Turns to Typewriters to Protect against Cyber Espionage,’ Business Insider (11 July 2013).
[19] Jeff Gerth, James Risen, ‘1998 Report Told of Lab Breaches and China Threat,’ The New York Times (2 May 1999).
[20] Jeremy Wagstaff, ‘The Internet Could Be the Site of the Next China-U.S. Standoff,’ The Wall Street Journal (30 April 2001).
[21] Siobhan Gorman, August Cole, Yochi Dreazen, ‘Computer Spies Breach Fighter-Jet Project,’ The Wall Street Journal (21 April 2009).
[22] Michael Joseph Gross, ‘Enter the Cyber-dragon,’ Vanity Fair (1 September 2011).
[23] Nicole Perlroth, ‘Washington Post Joins List of News Media Hacked by the Chinese,’ New York Times (1 February 2013) and Nicole Perlroth, ‘Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,’ The New York Times (31 January 2013).
[24] Mark Clayton, ‘Exclusive: Cyberattack leaves natural gas pipelines vulnerable to sabotage,’ The Christian Science Monitor (27 February 2013).
[25] Bill Gertz, ‘Dam! Sensitive Army database of U.S. dams compromised; Chinese hackers suspected,’ The Washington Times (1 May 2013).
[26] Peter Warren, ‘Smash and grab, the hi-tech way,’ The Guardian (18 January 2006).
[27] ‘Espionage Report: Merkel’s China Visit Marred by Hacking Allegations,’ Spiegel (27 August 2007).
[28] Justin McCurry, ‘Japan anxious over defence data as China denies hacking weapons maker,’ The Guardian (20 September 2011) and The Indian Express, ‘China-based servers in Japan cyber attacks,’ The Indian Express (28 October 2011).
[29] Manu Pubby, ‘China hackers enter Navy computers, plant bug to extract sensitive data,’ The Indian Express (01 July 2012).
[30] Neal Ungerleider, ‘South Korea’s Power Structure Hacked, Digital Trail Leads to China.’ Fast Company (19 October 2010).
[31] Associated Press, ‘Report: Plans for Australia spy HQ hacked by China,’ USA Today (28 May 2013).
United States
Ralph Langner, the most experienced researcher of Stuxnet, contends that there is “only one” cyber superpower in the world: the U.S.[37] In fact, if we narrow our definition of cyber attack to the digital destruction of physical infrastructure, Stuxnet may be the only true cyber attack the world has ever seen.