“The United States considers the promotion of an open and secure internet to be a key component of our foreign policy,” said Secretary of State John Kerry on May 18, 2015, in South Korea.
Although the July 2011 Department of Defense Strategy for Operating in Cyberspace has already been replaced by The DoD Cyber Strategy, the May 2011 International Strategy for Cyberspace has not been superseded and is not expected to be anytime soon. Thus, Kerry’s speech is our most current and comprehensive summary of the U.S. State Department’s positions on cybersecurity. (A writer at justsecurity.org called for a new international strategy for cyberspace last fall.)
Little is new in the speech. State still supports multistakeholderism and opposes multilateralism. (More on that over at nextgov.com.) It still considers access to the Internet, privacy, and censorship in cyberspace to be human rights issues. Review Secretary Kerry’s speech for yourself; the official text is below.
An Open and Secure Internet: We Must Have Both
Secretary of State
Seoul, South Korea
May 18, 2015
SECRETARY KERRY: (Applause.) Well, good afternoon, President Yeom. Thank you very much for a generous introduction. Distinguished guests, all, I’m delighted to be here and I want to thank the university, and particularly Park No-young, the Director of the Cyber Law Center, for inviting me to be here today. Thank you very, very much.
“I’d say our [cyber] defense isn’t working” – Former Director of the National Security Agency Keith Alexander.
In a keynote address at the American Enterprise Institute, Alexander told the audience that “if everybody’s getting hacked … industry and government … the strategy that we’re working on is flawed.” Critical infrastructure is vulnerable to cyberattacks and several nation states have developed the necessary cyber arsenal to strike critical infrastructure. Yet, our cyber defense isn’t working. This is not the first time nations have developed weapons that break through defense systems. The nuclear terror of the Cold War presented a similar complication.
In cyber defense, can Cold War-style deterrence work? Relying primarily on the words of Keith Alexander, Eric Rosenbach (principal cyber advisor to the Secretary of Defense), and Scott Jasper (retired Navy captain and lecturer at the Naval Postgraduate School), Mark Pomerleau examines this question in an article for DefenseSystems.com.
Pomerleau first sets out Jasper’s definition for deterrence, breaking it down into potentially three components: deterrence by punishment (the threat of retaliation), deterrence by denial (the ability to prevent benefit), and deterrence by entanglement (mutual interests). According to Rosenbach, a cyber deterrence policy would require a “whole-of-government” approach, in which the Department of Defense would need to:
(1) develop the capabilities to deny a potential attack from achieving its desired effect
(2) increase the cost of executing a cyberattack . . . DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means,
(3) ensure that we are resilient, so if there is an attack that we can bounce back.
However, Pomerleau goes on to describe a number of issues in the cyber realm that differentiate the cyber defense situation from the Cold War nuclear defense situation. First, attribution is difficult in the cyber realm because adversaries can route attacks through other locations, giving them plausible deniability. Second, deterrence will not be as effective against the numerous criminal non-state actors involved in cyber attacks. Finally, traditional nuclear deterrence relies on an adversary knowing the destruction that will result if it makes a move, whereas in the cyber realm the effectiveness of a cyber threat depends in part on the secrecy of the weapons.
While Pomerleau also describes potential solutions, they are couched in vague terminology, providing little reassurance. For instance, Rosenbach addresses the attribution problem by suggesting that the government reduce anonymity in cyberspace, without providing any information as to how the government would be able to accomplish that objective. Pomerleau also stresses the importance of international frameworks, a view shared by most, but despite numerous international conferences the vulnerabilities in cyberspace are still on the rise.
After finishing Pomerleau’s article, I pulled out a book of essays on cyber deterrence compiled by the National Research Council of the National Academies*. In one of the essays** in the book, Stephen J. Lukasik compared the nuclear deterrence policy to deterrence issues in the cyber realm. While Lukasik described many of the same issues in Pomerleau’s article, he noted the three aspects of deterrence that remain invariant:
(1) A defender’s response must be seen as technically feasible. In the nuclear case, very visible weapon tests and well publicized images of nuclear detonations and measured global radioactive fallout provided convincing demonstrations of feasibility.
(2) [T]he defender must be seen as credible, willing as well as able to respond. U.S. nuclear weapon use in WWII established that, and equivalent Soviet nuclear capabilities left little doubt what its response to a nuclear attack would be.
(3) [D]efense through deterrence requires being able to respond, with in-being offensive capability. While response to a cyber attack need not be a cyber counter-attack, international principles of armed conflict speak to proportionality of response and escalation control favors responding in kind. Thus cyber offense is a component of cyber deterrence.
I agree with Lukasik that feasibility, credibility, and ability are the cornerstones to a successful deterrence policy, but can this work in cyber defense? It seems like all three of those objectives suggest some sort of a demonstration to the world that it is feasible, we are able to strike, and our threats should be taken seriously.
While Lukasik argues that the response to a cyber attack should be limited to cyber offense, Rosenbach is cited in Pomerleau’s article advocating for a response policy that uses all the tools of foreign policy and military options.
This is a global issue, and everyone will be watching what policy the United States ultimately follows to fix the flaws in their cyber defense. If we continue to limit offensive actions, we limit deterrence by punishment. On the other hand, if we are too aggressive, we could open the door to more attacks. I agree with Rosenbach:
“The U.S. is a glass house when it comes to cyber.”
To read the full DefenseSystems.com article by Mark Pomerleau, click here.
*Proceedings of a Workshop on Deterring Cyberattacks – Informing Strategies and Developing Options for U.S. Policy, compiled by the National Research Council of the National Academies
**A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains, by Stephen J. Lukasik
We’ll have lots of analysis and commentary over time, no doubt, but we just want to make sure you all have a copy of the actual [U.S.] Department of Defense Cyber Strategy of April 2015 by posting it here:
Of course, it is always better to read the actual source document for yourself before reading what the reporters, pundits, analysts and experts have to say about it.
- Russian Hackers Used Two Unknown Flaws (Reuters Reports): A recent report by security firm FireEye determined that Russian hackers had been using flaws in Adobe’s Flash and Microsoft’s Windows operating system to try to get information about diplomatic targets in the United States and elsewhere. Adobe issued a fix for its flaw on Tuesday, and while Microsoft is still working on a fix, Reuters reports that the Microsoft problem by itself is less dangerous. Read the full article here. To read the FireEye report, click here: FireEye – Russia’s Cyber Espionage Report
- Army and DEA Buying Remote Access Hacking Tools (Arstechnica.com Reports): An Italian company called Hacking Team sells a piece of malware remotely installed on a target’s computer or smartphone which collects data, and then transmits that data to an encrypted and untraceable server. According to Arstechnica.com, both the DEA and the US Army have been buying what the article calls a “questionable” remote access hacking tool for years. The article also notes that according to experts, it’s only a matter of time before these surveillance tools turn up in the hands of local law enforcement, if they haven’t already. Read the full article here.
- Pentagon’s “Blunt Force Trauma” Cyber Weapons (Politico Reports): Military services are looking to move beyond developing defensive cyber capabilities to pursuing offensive “cyber weapons they could wield the way they now deploy fighter squadrons or infantry battalions.” The goal is to create weapons that have the same large-scale effect as conventional weapons. An example: turning an enemy surface-to-surface missile around and sending it home. To read more about these plans, read the full article here.
- Hackers Could Kill You With Your Oven (TheRegister.com Reports): As technology continues to improve, consumers are expecting more consumer goods to take advantage of technological innovations. TheRegister.com uses the example of the simple iron to explain the ramifications of this trend. An iron has many settings for steam, so how would you as a consumer feel about an iPhone application that keeps track of each item of clothing you own and the setting required for each item, and then automatically applies that setting to your clothes? How about an oven you can set with your iPhone? According to TheRegister.com, “if something uses electricity, it will be connected.” If it is connected, a hacker can access it. What started as a neat way to set your oven from your living room could end with a hacker turning on your gas, then your pilot, and leaving you breathing deadly fumes in your sleep. According to the article, we need to find a solution that secures these connected devices before we begin integrating this type of technology into our consumer goods. Read the full article here.
- Wi-Fi Increases Hacking Risks on Airplanes (Wired.com Reports): A new government report suggests that hackers could take advantage of Wi-Fi on planes in order to hijack the navigation system or commandeer the plane through the in-plane network. In order for a hacker to gain access, a passenger need only visit a website with a virus or malware embedded. For the full article, click here. For a summary of which changes the report recommends for the Federal Aviation Administration, read an article by Threatpost.com, here. Read the full report here: GAO: Air Traffic Control Report
In 2010, the United States and Israel reportedly attacked Iran’s nuclear enrichment center using a computer worm that caused about 1,000 centrifuges to self-destruct. From recent reports by cybersecurity firms Norse and Cylance*, it appears that Iranians have begun a cycle of cyber retaliation. Unlike nuclear technology, cyber tools provide Iran with a usable weapon with the added bonus of plausible deniability.
The New York Times examined the Norse and Cylance* reports, as well as information gathered from American intelligence officials, and detailed their findings in an article on Iran’s recent cyber developments. According to the article, despite international sanctions, Iran has greatly increased the frequency and skill of its cyberattacks.
American intelligence officials are concerned about Iran’s cyber capabilities, but according to the article, the concern has nothing to do with sophistication. While Iran’s cyber capabilities are not as advanced as Russia or China, their attacks are the most concerning because they are aimed more at destruction. The destructive cyber attacks are the category of attacks that could escalate into attacks on critical infrastructure.
Norse and Cylance* report the same thing: Iran’s cyber attacks are politically motivated with a focus on retaliation. Iran is believed by many to have attacked American banks in retaliation for sanctions. Iran has also been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.
However, the reports also indicate a move away from ostentatious attacks toward quieter reconnaissance. As for the degree of escalation, the reports are mixed. Cylance* reports that in the recent months (potentially due to the recent nuclear negotiation talks) there has been a notable drop in cyber activity. On the other hand, Norse (“which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods”) detected more than 900 attacks, on average, every day in the first half of March, showing no signs of Iran slowing down.
There is also evidence in the reports supporting the fear that Iran will escalate cyber attacks by targeting critical infrastructure. From the NYTimes article:
In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks. . . . Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. . . . Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.
In 2010 the Stuxnet worm proved to be a cyber “win” for the United States, but just as in non-cyber warfare, winning the battle is not the same as winning the war. To read the full New York Times article, click here.
For the full Norse report, click here: Norse: The Growing Cyber Threat from Iran
*It is unclear which Cylance report NYTimes is referring to, as they do not link any report to their article. The most recent report concerning Iran is the Operation Cleaver report. The Crossroads Blog posted an in-depth discussion of this report, accessible here: For the report itself, click here: Cylance – Operation Cleaver Report
We noted in January of 2014 that Chatham House, the internationally famous UK think-tank, had assembled a Global Commission on Internet Governance. On April 14, 2015, the Commission released a statement entitled “Toward a Social Compact for Digital Privacy and Security.” From the Chatham House website:
On the occasion of the April 2015 Global Conference on Cyberspace meeting in The Hague, the Commission calls on the global community to build a new social compact between citizens and their elected representatives, the judiciary, law enforcement and intelligence agencies, business, civil society and the internet technical community, with the goal of restoring trust and enhancing confidence in the internet.
It is now essential that governments, collaborating with all other stakeholders, take steps to build confidence that the right to privacy of all people is respected on the internet. It is essential at the same time to ensure the rule of law is upheld. The two goals are not exclusive; indeed, they are mutually reinforcing. Individuals and businesses must be protected both from the misuse of the internet by terrorists, cyber criminal groups and the overreach of governments and businesses that collect and use private data.
A social compact must be built on a shared commitment by all stakeholders in developed and less developed countries to take concrete action in their own jurisdictions to build trust and confidence in the internet. A commitment to the concept of collaborative security and to privacy must replace lengthy and over-politicized negotiations and conferences.
The following are the core elements that the Commission advocates in building the new social compact:
China has been at the forefront of cybersecurity news the past few weeks, so to catch you up, this Cyber Round Up will focus on China.
China’s New Cyber Weapon (NYTimes Reports): In an apparent effort to take out services that allow China’s Internet users to view websites otherwise blocked in the country, China has turned to a new cyber weapon researchers call “the Great Cannon.” The new cyber weapon allows China to intercept web traffic as it flows to Chinese websites, inject malicious code and repurpose the traffic. (For a WSJ article crediting Snowden with providing China with this new weapon click here, or if you do not have access to online WSJ read a Business Insider summary of the article here). Recent targets include GitHub, a San Francisco-based code-sharing site, and Greatfire.org, a nonprofit that runs mirror images of sites that are blocked inside China. According to Fox News, many view this as an attack by a nation state against key United States Internet infrastructure, and are calling for a government response. Read the full story here: (NYTimes)(FoxNews).
Businesses Fear China’s New Cyber Regulations (Reuters Reports): China is now considering cybersecurity regulations that could limit opportunities for foreign technology companies. As a result, American CEOs are either avoiding the Chinese market or planning to reduce their exposure there, and according to U.S. Secretary of Commerce Penny Pritzker, “these fears are real . . . it’s a lose-lose situation.” According to Reuters, “[b]usiness groups fear the regulations would favor domestic products or require that companies disclose to the government sensitive intellectual property, encryption keys or install ‘backdoors’ in products.” While many view this as an attempt by China to eliminate foreign companies from the market, a NYTimes report quotes Zuo Xiaodong, vice president of the China Information Security Research Institute, who explains that is not a viable option for the Chinese banking industry because the banks purchase billions of dollars’ worth of hardware and software to manage transactions, and Chinese companies cannot yet produce some of the higher-end servers and mainframes they rely on. Read the full story here: (Reuters) (NYTimes). For an excellent in-depth opinion piece on the topic that draws in history and discusses potential ramifications of the regulations, click here: (Adam Segal: What to do about China’s New Cybersecurity Regulations).
China Hacks Regional Rivals (FireEye Report): According to researchers at internet security company FireEye, hackers have been spying on governments and businesses in Southeast Asia and India uninterrupted for a decade, and those hackers are most likely from…China. While the exact damage is unclear due to the prolonged period of the attacks, FireEye researchers stressed that the impact could be massive. According to the company, “[t]heir targets possess information that most likely serves the Chinese government’s needs for intelligence about key Southeast Asian regional political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party.” Read the full story here: (Reuters) (Techcrunch). Click for the full FireEye Report.
Cyber Dialogue between China and U.S. (The Hill Reports): China and the U.S. have agreed to set a path to re-establishing a full government to government cyber dialogue. The two countries have a rocky history when it comes to cooperating over cyber issues. In May 2014, China quit a joint working group after the Obama administration indicted five members of the Chinese military for hacking the U.S. However, following DHS Secretary Jeh Johnson’s recent visit to Beijing, the DHS and China’s Ministry of Public Sector have agreed to focus on cross border cyber-enabled crimes like money laundering and online child sexual exploitation. Read the full story here: (The Hill) (Engadget) (USA Today).
Anonymous has begun another campaign to purge the internet of what it deems “pro-Islamic State” websites and social media accounts, according to the news outlet RT. The group responsible for carrying out the campaign, dubbed “#OpISIS”, is called GhostSec. According to the group’s post, targeted websites include those that are frequently used by the Islamic State to transmit propaganda for recruitment purposes, and those that are used as a means of communications and intelligence gathering. RT reported that the group claims to have “destroyed” 85 websites, “terminated” 25,000 Twitter accounts, and attacked 233 websites. SC Magazine also reported that the group is planning to launch attacks against hundreds of ISIS sites in the coming days, mainly using DDoS attacks.
In addition to revealing and shutting down thousands of these websites, the group has also published a list of web hosts that house these websites, reported the International Business Times (“IBT”). Google, Yahoo!, GoDaddy and CloudFlare were all included in the list, but the group claims that CloudFlare is “by far the largest offender,” IBT reported. Unlike the others, however, CloudFlare made the conscious decision to continue to allow these types of websites to operate, asserting that blocking the sites under the instruction of Anonymous would mean submitting to “mob rule,” the article continued. According to IBT, CloudFlare does not actually host websites; instead it provides services that protect websites from malicious attacks, making it more difficult, although not impossible, for groups like Anonymous to take down sites. Speaking with IBT, CloudFlare’s CEO, Matthew Prince, explained that if companies began censoring websites it would result in a system mirroring China’s internet control.
Mr. Prince’s argument is sound, especially because the identities and motives of those who make these determinations are unknown. Although the group announced that it targets websites that are used by the Islamic State to transmit propaganda, and those used for communications and intelligence gathering purposes, the actual standards used to make these determinations are largely unknown. GhostSec accused CloudFlare of failing to eliminate such sites, claiming that the company is protecting these sites for profit, according to SC Magazine. In addition to placing a financial burden on these companies, however, censorship in this manner may have a chilling effect on speech online.
CloudFlare is not alone in criticizing Anonymous’s latest anti-terror campaign. According to RT, security professionals have bashed the group, claiming that taking down these websites prevents them from gathering important intelligence on the Islamic State’s activities. Anonymous, on the other hand, believes these sites are being used merely for propaganda and recruitment purposes, added RT. The group asserts that the Islamic State does not use public websites to relay information concerning military and strategic activities, the article continued, so there really are no important intelligence uses for these sites.
The Islamic State and its followers are also not big fans of OpISIS. According to RT, Twitter’s co-founder has received death threats from IS sympathizers. Additionally, Jihadist groups linked to IS have threatened an attack similar to the 9/11 attacks against Twitter and the United States as a whole. The hashtag “#WeWillBurnUSAgain” was used on at least 15,000 Twitter accounts, reports RT.
In contrast, some companies, including Google, Facebook and Twitter, have chosen to act, deactivating websites and accounts that spread pro-Islamic State propaganda. For example, Twitter has taken down thousands of accounts found to have links to the Islamic State. In fact, according to RT, Twitter has taken down about 2,000 IS-linked accounts every week for the past several months. It looks like Twitter will have to continue patrolling its site, though, as thousands of new accounts are registered to replace those taken down.
While the Congressional Research Service usually provides exceptional reports in the area of cybersecurity (see here, and here), the recent report titled Cyberwarfare and Cyberterrorism: In Brief falls short of the usual level of expertise. The report is full of factual information spanning various topics in cybersecurity, but the facts are thrown together in sections without any clear order or meaning. After reading the summary on the first page, readers are led to believe that the purpose of the report is to set out the legal obstacles standing in the way of clear definitions in cybersecurity. Instead, the report merely lists the various international treaties, processes, conventions and laws relating to cybersecurity. Despite these issues, I will do my best to recap the report below.
Threat Actors and Harms Caused
There are no generally accepted definitions for the various terms frequently used to discuss cybersecurity issues. The report provides some general definitions that have been used for the following terms: cyberterrorists, cyberspies, cyberthieves, cyberwarriors, cyberactivists. For each definition, the authors provide an explanation of the type of harm typically connected to that group of actors. However, the authors also note that the threats posed by these actors and the types of attacks they can pursue are not mutually exclusive.
According to the report, there are no clear criteria for determining whether a cyberattack is criminal, an act of hacktivism, terrorism, or a nation-state’s use of force equivalent to an armed attack. As a result, when it comes to defining “cyberwar,” experts are divided over whether to focus on the ends achieved or the means used. The United States recognizes that cyberattacks without kinetic effects are also an element of armed conflict under certain circumstances.
Rules of the Road and Norm-Building in Cyberspace
This section is where the report starts to become disorganized. It starts with a description of two major international processes geared toward developing international expert consensus among international cyber authorities: The Tallinn Manual and Article 5 of the North Atlantic Treaty. The authors then turn to the issues created by the lack of a clear definition of what constitutes an “armed conflict.” Next, the authors provide a brief description of the Council of Europe Convention on Cybercrime, the United Nations General Assembly Resolutions affecting cyber relations, the International Telecommunications Regulations affecting cyber relations, followed by a catch-all paragraph on other international law related to cybersecurity.
The report notes that, as with “cyberwarfare,” there is no consensus definition of what constitutes “cyberterrorism.” The authors describe two laws which provide some clarity on the definition: the USA PATRIOT ACT (18 U.S.C. 2332b) and the Computer Fraud and Abuse Act (18 U.S.C. 1030a-c). According to the report, the issue is that “these provisions are also criminal statutes and generally refer to individuals or organizations rather than state actors.”
Use of the Military: Offensive Cyberspace Operations
In this section, the authors list the various US laws which could potentially be used to authorize offensive cyberspace operations by the military. After listing and defining these laws, one would expect the authors to analyze the ways in which these laws could be applied to offensive cyberspace operations or at least to point out the gaps and ambiguities preventing reliance on these laws for offensive cyberspace operations. However, the authors fail to provide any such analysis and instead conclude this section with a paragraph describing press speculation on a Pentagon plan for Cyber Mission Forces under the Cyber Command.
After reading the final paragraph of the report, I flipped the page over multiple times expecting to find a conclusion section typical in most of the cyber reports from the Congressional Research Service. I was hoping that the conclusion section would provide clarity on the many disconnected facts provided throughout the report. There was no conclusion. Lacking any sort of conclusion, it appears that the authors themselves were unsure of how to tie together the grab bag of information they provided on this very important topic.
To read the full report, click here: Cyberwarfare and Cyberterrorism: In Brief.
President Obama issued an Executive Order (“EO”) to block property belonging to those who engage in malicious cyber-enabled activities. Citing to the threat posed by malicious cyber-enabled activities to the nation’s security, foreign policy, and economy, the President declared a national emergency to deal with the threat. The President’s authority is derived from the International Emergency Economic Powers Act (“IEEPA”), which authorizes the sanctioning of individuals located outside the United States.
The EO authorizes the freezing of the assets of any foreign individual deemed to be responsible for, or complicit in, malicious cyber-enabled activities that pose a significant threat to the nation’s security, foreign policy, economy, or financial stability. The Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, is responsible for determining whether an individual is responsible for, complicit in, or engaged in malicious cyber-enabled activities. The EO can be used against individuals who harm critical infrastructure, disrupt computer networks, or engage in the misappropriation of funds, trade secrets, and financial and personal identifiers for gain.
This EO is another tool that may be used against individuals who engage in malicious cyber-related activities. The Obama Administration is building an arsenal of weapons to expand the nation’s ability to counter cyber threats. In addition to this EO, the Administration also proposed several legislative changes to counter cyber threats.