Tuesday, September 29, 2009

"Where Computer Security Meets National Security"

I read an interesting article by Helen Nissenbaum, on "Where Computer Security Meets National Security" (2005) [pdf, Springer link] .

She starts with a good point that the "traditional" computer security, developed in the technical community and focused on the protection of a computer (system) is difficult to port into national security terms, where damage to life, economy, morale and reputation is the core worry. She argues that the "technical computer security" focuses primarily on ensuring confidentiality, integrity and availability, even though there is a push to extend this to ensuring overall "trustworthiness" of a computer system (including resilience etc.).

She calls the competing national security conception cyber security (a term that has grown more popular since then). According to her, cyber security is most concerned with three problems:
  • using computer networks "as a medium or staging ground for antisocial, disruptive, or dangerous organizations and communications." In other words, propaganda, phishing and a host of other soft threats;
  • using computer networks to attack the critical societal (information) infrastructure, or the hard threats; and
  • using computer networks against computer networks. I may misunderstand her reasoning, but I think computer networks in the larger sense (Internet infrastructure, SCADA systems, public services on the internet) are also part of the critical information infrastructure, and I would combine the last two categories into one.
I found it interesting that she illustrates how computer security can be used in various moral (protect users from harm) and immoral ways (protect the interests of the company, while limiting the usefulness of the product to the end user).

She then reviews the concept of "securitization" by the Copenhagen School. Essentially, it means that unlike "realist" approaches, there are more threats than just military aggression and there are more targets as well (state + religion, economy, environment etc.). Furthermore, securitization is a process of making something into a security issue (especially in the eyes of the public). In her words: "In general, to securitize an activity or state-of-affairs is to present it as an urgent, imminent, extensive, and existential threat to a significant collective."
[Note: An interesting concept and something to be studied later.]

The next chapter shows some of the steps by which cyber security has been securitized, including a funny interlude about how the music and film industry is trying to securitize the P2P threat against their obsolete business model. She also covers some examples of cyber space shown as a potential battle space and its asymmetric nature.

Getting to the meat of the issue, she compares the two approaches:
  • Computer security recognizes a broad range of the degree and type of harm, while the cyber security assumes that the threats are dire or existential.
  • Computer security focuses on protecting the "individual nodes" (people, computers), while cyber security looks at "collective security."
  • Computer security rests on the moral foundation of protecting from harm, while the moral aspects of cyber security can vary depending on the securitization process.
An important question she brings up is when securitization is warranted. When is a threat dire enough to become a national security issue that is handled in secrecy, and potentially in ways not common to a democratic state? She argues that there is a lack of reliable data on the size of the threat from the computer security perspective, as research is focused on (potential) vulnerabilities, while reporting of actual incidents is haphazard at best. She also touches on the issue that the same attack can be viewed in many different contexts (criminal, national defence, activism etc.).

She concludes that in the end, the "technical computer security" approach might be better, as it provides security at the user level and thus still allows us to use the net for the core purpose of sharing information and ideas. The highly securitized state controlled approach, on the other hand, raises questions about privacy, freedom of speech etc.

To sum up, a very interesting article with much food for thought. I found several interesting insights here and I am sure that more will pop up later. If anything caught your eye, I recommend reading the article in full, as there are many details that I did not cover.

Thursday, September 17, 2009

Article in Akadeemia

One of my articles (Conflicts in the information age - cyber attacks and the citizen society) was published in the Estonian academic journal called Akadeemia (2009, nr 9, Special Edition on War and Peace) a few days ago.

In the article, I revisit the own forces/hired guns/volunteers categories and focus on the latter. I try to explain some interesting aspects of using volunteers, such as the parallel rise in crime and the need to "exercise" the volunteers regularly. I also try to look at why ordinary people from the street may become belligerents in cyber space, specifically addressing radicalization through the Internet and the formation of cyber tribes. I end the article on a positive note, that volunteers can be harnessed for good as well as evil. Consider, for example, defensive volunteer organizations, such as the WARP network in the UK. In addition, I touch upon the personal responsibility of today's netizens - we all have a part to play in developing a safer cyber society.

Monday, September 14, 2009

Cyber Conflict Law and Policy Conference

As mentioned earlier, I attended the Cyber Conflict Law and Policy Conference in Tallinn last week. The event was organized by the CCD COE and took place at the Swissotel from 9-11 September. About 150 attendees from about two dozen countries discussed issues like the applicability of the Law of Armed Conflict, legal frameworks etc. I will try to briefly summarize by session.

Setting the Stage

The conference opened with a keynote speech by the President of Estonia, Mr Toomas Hendrik Ilves. He stressed the need to adapt the defense thinking (including legal frameworks) to the changes in technology. He illustrated the point with medieval defensive structures in Tallinn, which were useless in fending off air raids during WWII. He also talked about the need for collective cyber defence. An important idea was that in NATO, as far as cyber defence is concerned, we should focus more on Article 4 (consultation among nations) today, so that if and when Article 5 (collective self-defence) is ever needed, there is already some consensus.

The next speaker was MG Glynne Hines, Director of NATO HQ C3 Staff. He pointed out the need for consistent legal advice and the usefulness of embedding lawyers in a cyber defence organization. He also briefly touched upon some changes in NATO that were initiated by the lessons learned from the 2007 cyber attacks against Estonia: adoption of the NATO cyber defence policy and concept, accelerated development of NCIRC and the NATO cyber defence exercise.

Ms Eneken Tikk of the CCD COE, the content organizer for the conference, introduced a draft Framework for International Cyber Security (FICS), which was developed in cooperation with George Mason University Center for Infrastructure Protection (GMU CIP). Basically, they are a collection of abstract models/slides that should be helpful in reaching a common understanding about the issue.

Country Reports on Cyber Security Strategy

Ms Heli Tiirmaa-Klaar from Estonian MoD gave a brief overview of the 2007 April-May events, as well as the pervasiveness of e-services in Estonia. She then proceeded to introduce the Estonian Cyber Security Strategy. Some more points from her talk: cyber attacks pose a new asymmetric threat against critical infrastructure and the development of cyber defence capabilities is very uneven across different states.

Dr Per Oscarson from the Swedish Civil Contingencies Agency gave an overview about his organisation and the Swedish approach to national cyber security. It seems the Swedes have at least in theory a model for planning cyber security, consisting of two main parts: the strategy (vision and strategic directions) and the action plan (explicit objectives and measures).

WCDR Adrian Frost from UK MoD proceeded by giving a quick overview of the British approach. Apparently, UK considers cyber as one of the five domains (air, land, sea, space and cyber), similar to some thoughts I have heard from USAF in recent years. He briefly introduced the UK Cyber Security Strategy (approved 23 June), which aims to secure UK advantage in cyberspace by reducing risk (public), exploiting opportunities (industry) and improving knowledge, capabilities and decision-making (international).

Autopsy of a Cyber Conflict

Professor Daniel Ryan from the US National Defense University gave an interesting talk about a lawyer's look at a cyber incident. Specifically, he addressed the issue that there are regular incidents (handled as per SOP or ignored) and then there are INCIDENTs that really matter. In the latter case, one needs to determine if it is an attack (or accident, technical failure etc.), who is behind the attack (attribution) and who can/should respond to the attack (law enforcement, intelligence, military, lawyers).

Next, Dr Bret Michael from the US Naval Postgraduate School addressed various cyber conflict issues from a more technical viewpoint. Among his points was the claim that cloud computing will change the way we work and will introduce new security challenges. An interesting thought was the martial arts analogy - in cyber defence we should not focus on rigid and forceful response (karate), but rely more on the flexibility and use of the opponent's strength (aikido).

Unfortunately I had to leave early that day and I didn't catch Mr Joe Weiss' (Industry Expert and Control Systems) talk on industrial control systems, but I heard that he gave an insightful presentation on the vulnerabilities associated with the systems that uphold modern society.

Cyber Security Institutionalized - Pieces of an Effective Defence Model

The second day started with Ms Eneken Tikk's talk on international organizations' legal and policy approaches to cyber incidents. She listed the numerous laws, regulations and directives that various IOs have produced to deal with cyber security matters. To limit the scope, she briefly examined the documents that focus on data protection and concluded that while there are a lot of regulations in place, they tend to be stovepiped and there is not enough practice in using the breadth of tools available. She also discussed the different approaches that have been taken in various EU countries on data protection.

Ms Yurie Ito from ICANN, formerly of JP-CERT, gave a presentation about recent developments in ICANN with regard to security. Unfortunately she did not have enough time to delve deeper into her slides on Conficker, as I am sure her insight would have been valuable.

Ms Maeve Dion from GMU CIP addressed public-private partnerships and national input to international cyber security. She touched on various points, including the many areas of law that deal with aspects of cyber, informal vs formal networks in cyber defence, developing strategy and risk analysis methodologies.

The day ended with three working groups that discussed FICS and cyber law/policy issues.

Enhanced FICS

The final day started with Professor Derek Jinks from US Naval War College. His talk was on the Law of Armed Conflict (LoAC) and the military perspective. He pointed out that LoAC is not there to minimize "war" as an official status of affairs, but to minimize organized violence. Another good point was that "armed" does not imply any physical properties or mechanics, but rather organized application of violence. He further explored the concept of armed attack, as it is often used in the definition of armed conflict. He noted that armed attack is subject to various conditions, such as severity (death or substantial destruction of property), status of the attacker (according to UN terms, attacker is state, but in practice it is often a non-state actor that may or may not have state sponsorship), status of the target (again, old rules dictate the state as target, whereas in practice, any entity that the state can claim sovereignty over, incl. citizens), necessity, proportionality, time-proximity etc. He also raised some interesting questions about new concepts like cyber occupation (displacing civil authority by means of cyber attacks). A very good talk indeed, even though he did not have enough time to go into all the details.

Next came Dr Thomas Ramsauer from the German Ministry of the Interior. His talk focused on the law enforcement perspective, but he also revisited some LoAC questions. He used a nice model of cyber conflicts, where you have the damage to the target on one axis and the organization of the attackers on the other. Then, as damage and level of organization increase, one progresses from cyber crime to cyber terrorism to cyber war. While I don't think it is that simple, it is a nice and visual way of presenting the idea. He also briefly touched on the Schmitt test and the concept of attributing "private attacks" to a state actor. An interesting thought was that in order to limit collateral damage to civilians, commanders in future wars may be obliged to prefer cyber attacks over traditional means of warfare.

Mr Lauri Almann from Aare Raig Attorneys-at-Law (former undersecretary of defence of Estonia) gave a talk on national defence law from the government perspective. He focused on factors of decision making, which consisted of four one-dimensional axes: secret-public, fast-slow, international-national and professional-emotional. He proposed that in cyber conflicts, the first of each of these pairs is the relevant (used) property. I am not sure I agree. Secrecy in international environments seems to exclude the fast property and often the professional property as well. He closed by noting that there is not much need to exercise the technical community (as they perform the cyber defence mission daily), but to educate and train the legal and political community, who only get involved when things get hot [and potentially profitable - author's note].

Professor Lilian Edwards from University of Sheffield provided a brief glimpse into the information society law and the user perspective. She noted that laws should always set a balance between security and privacy. The problems appear when the balance varies from law to law and over different jurisdictions.

The conference ended with comments from the observers as well as summaries of the working group results. A couple of points that stuck were the slide on the spectrum of state sponsorship by Jason Healey (US Cyber Conflict Studies Association) and the idea that some sort of International Cyber Tribunal may be needed [not sure how much success other international tribunals have had].

Finally, Mr John Bumgarner from the US Cyber Consequences Unit gave a short overview of their recent report on the lessons learned from the Georgia cyber attacks in 2008. Unfortunately, the report is not public, so his notes were fairly general and added little new insight to the events in Georgia. It's a shame, as he possesses a wealth of knowledge on the subject. I understand his position, but it is yet another example of classification issues diminishing the value of research.

Disclaimer: I hope I did not do injustice to anyone by misunderstanding or missing key issues in their talk.

Overall, the conference was a success and I am looking forward to the next one. I had the chance to talk to many interesting people on the sidelines and I also met some old friends. The cyber scene is very small indeed.

Wednesday, September 9, 2009

Blog launch

In order to conserve my memory, I have decided to open my blog to the public today, on 09.09.09.

I hope this will result in good quality feedback and interesting new contacts, as well as facilitate discussion in the area of cyber conflicts.

Without further ramblings, here it is. I hope you enjoy it as much as I do.

Tuesday, September 8, 2009

Regaining strategic competence

And now for something different...

I happened across a study about Regaining Strategic Competence [pdf] in the US [thanks to The Best Defense blog for the link]. It consists of four parts: discussing the deterioration of US strategic competence, defining strategy, illustrating the importance of good strategy and finally debating the common mistakes.

The strategy chapter brings out a good point that strategy is applicable to many pursuits, not just military. I also like their definition of strategy:
"Strategy is fundamentally about identifying or creating asymmetric advantages that can be exploited to help achieve one’s ultimate objectives despite resource and other constraints, most importantly the opposing efforts of adversaries or competitors and the inherent unpredictability of strategic outcomes."
The only problem I see in it is that it does not explicitly state that strategy is usually a 'grand' affair, with long term and/or wide spread effects, versus the tactical gains of here and now.

As far as historical analysis is concerned, I am not sure I agree with some of their facts (Soviet soldiers happy to die en masse for the Rodina) and conclusions. The argument that in 1942 Western Allies could have launched a cross-channel invasion into occupied France, that is - before Germans had been overextended in the East and before Allies had enough troops, weapons and supplies for a full campaign in Europe - seems a bit far fetched. I would guess that the Torch landings would have produced a very different outcome for the Allies, had they been directed at France, instead of North Africa.

The final chapter addresses many typical mistakes that lead to bad strategic decisions.

Upcoming Conference

This week I will participate in the Cyber Conflict Legal and Policy Conference, in Tallinn. Organized by CCD COE, it aims to build some common ground in understanding the legal issues of cyber defence. More on the conference next week.

Friday, September 4, 2009

Paper on Cyber Society

I co-authored a paper with Peeter Lorents and Raul Rikk that was published in the 13th International Conference on Human-Computer Interaction, San Diego, in July. You can also find the paper in LNCS 5623, pp. 180-186.

The paper is titled Cyber Society and Cooperative Cyber Defence. In it, we explore the concept of cyber society, which we define as "a society where computerized information transfer and information processing is (near) ubiquitous and where the normal functioning of this society is severely degraded or altogether impossible if the computerized systems no longer function correctly."

We then examine Estonia as an early form of a cyber society and illustrate its potential vulnerabilities with the events of April-May 2007. We conclude the paper with the foundations behind the establishment of the Cooperative Cyber Defence Centre of Excellence.

This was my first co-authored paper and as such a new experience. One of the problems of having multiple authors is to write a consistent paper - something that could be improved in this case. However, I think it does convey the ideas that we wanted.

Wednesday, September 2, 2009

Asymmetry in Cyberspace

The other day I started to ponder about what constitutes a fight in cyberspace. I find that it is fundamentally different from what could be termed conventional fighting (in a military sense) - tank engagements, infantry ambushes etc.

The issue is really about the asymmetry between attackers and defenders. A cyber attacker needs to find just one opening, while the defender needs to cover every conceivable (and inconceivable) weakness. This is a critical mismatch in terms of resources.

Another asymmetric aspect is the fact that in a "cyber battle", attackers rarely present a target themselves, because they are difficult to identify. Even if the attack can be attributed, there is little that can be done with a cyber retaliation. An attacker does not "own" critical technical infrastructure, which could be taken out. They just use the public communication infrastructure as a service provider and a "human shield".

In a potential two-way cyber engagement this works both ways. A practical example would be to use red teams to knock out critical infrastructure targets on the other side, while "ignoring" the attackers from the other side and relying on the quality of one's defence.