Friday, May 21, 2010

CFP: IEEE S&P - Cyber Conflict

Special Issue on Cyber Conflict
(Sept./Oct. 2011 issue)

Deadline for abstract submissions: 15 June 2010
Full papers due: 1 October 2010

Guest editors:
Thomas A. Berson (Anagram Laboratories)
Dorothy E. Denning (Naval Postgraduate School)

In 2007, Estonia was the target of massive denial-of-service attacks over the controversial relocation of a Soviet-era war memorial. Although the attacks leveraged botnets scattered all over the world, they were believed to originate in Russia or with persons of Russian descent. The following year, Georgia was the victim of similar attacks in conjunction with a ground confrontation with Russia. Meanwhile, large-scale cyber espionage operations into US military networks, computers belonging to the Dalai Lama and the government of India, critical infrastructures, major companies including Google, and various other targets have been traced back to China.

These incidents offer a glimpse into a future where cyberspace plays a key role in conflicts involving either or both nation-states and non-state actors. Over a hundred countries are reportedly developing capabilities for cyber espionage and cyber attack – capabilities that many individual hackers, criminals, and spies already possess and freely use.

These developments have raised numerous questions, including: What constitutes an act of war in cyberspace? How does the law of armed conflict apply to cyber attacks? Do we need international treaties governing cyber conflict? Can cyber attacks be deterred or pre-empted? Can we detect and analyze cyber attacks with sufficient speed and certainty as to limit their damages and determine attribution? Should states be responsible for attacks conducted by their citizens or using computers in their territory? What are the security implications of cyber conflict? What are the privacy implications?

IEEE Security & Privacy magazine seeks papers on all aspects of cyber conflict, including technology, policy, legal, ethical, operational, and strategic issues, especially as they relate to security and privacy. Papers can provide a broad overview or more in-depth coverage of a specific topic, country, or case study.

Authors should submit abstracts of 100-500 words as plain text or a .pdf file to by June 15. Authors whose abstracts fall within the scope of the issue will then be invited to submit full papers to the journal for peer-review. Papers will be due October 1 and should not exceed 6,000 words. The writing should be down-to-earth, practical, and original. Articles that are accepted for publication will be professionally copyedited according to the IEEE Computer Society style guide.

Visit /author.xml for information about the magazine, including article guidelines.

Friday, May 14, 2010

Hostage Deterrence

Today I happened to hear yet another discussion about the impossibility of deterrence in cyberspace, when I realized that it may not be entirely true.

While I agree that in the conventional sense, cyberspace does not support the concept of deterrence very well (lack of attribution), I think there is a special case where it might work. Consider a situation where Nation A develops a credible offensive cyber capability and announces a policy that, regardless of attribution, if a critical cyber attack were launched against it, it would automatically launch a critical cyber attack against Nation(s) B(,C,D, ...). In that highly controversial case, Nation A would actually have a deterrent against the other Nation(s) in question.

In other words, Nation B is effectively deterred from launching a critical cyber attack against Nation A.

Obviously, the weak point here is that any Nation X may carry out a false-flag or anonymous attack in order to make Nation A attack Nation B without cause. That is why it is not normal deterrence, but something you might call "hostage deterrence". Has anyone come across such a thing before, either in theory or in practice?

Baltic Cyber Shield 2010

I spent the first two days of this week engaged in a multinational distributed cyber defence exercise - Baltic Cyber Shield. It was a tech-centric exercise organized by CCD COE and various Swedish defence organizations, particularly the Swedish National Defence College and the Swedish Defence Research Agency. The Estonian Cyber Defence League, a volunteer cyber defence organization, also provided invaluable support. All in all, about 100 people from about 10 countries took part in the exercise.

According to the scenario, six blue teams (3 Swedish, a Latvian, a Lithuanian and a NATO team) of up to ten experts were deployed to take over compromised and poorly set up networks targeted by an extremist environmental group's "cyber warfare division" (multi-national red team). The exercise was distributed, so the participants performed the defence and attack missions remotely.

I must say it was a lot of fun. As expected, there were all kinds of issues, but in the end, everything went quite well. The attackers were able to maintain a steady push, compromising well over a hundred systems over the two days, while the defenders tried different strategies to maintain their services while locking the attackers out of their networks.

As a member of the referee team, I got another good experience, and learned some things that can contribute to my PhD research (the attackers were, after all, supposedly a non-government volunteer group who engaged in politically motivated cyber attacks). Congratulations are in order to the members of Blue 5, a Swedish expert team, who won the exercise.

Next week I will be at the SMi's Cyber Defence Conference in Tallinn.

Friday, May 7, 2010

Cyber Attacks and NATO Article 5

I gave a lecture about malicious uses of cyberspace to an international group in Germany yesterday, and one of the attendees asked me if a cyber attack could ever be a trigger for the collective self-defence clause of NATO, a.k.a. Article 5.

A very good question.

Allow me to answer via analogy:
1. A cyber attack is either malicious use of commonly available technology (computers, software, network infrastructure, ...) or the use of a cyber weapon (something specifically crafted for causing damage/disruption in cyberspace - such as a DoS tool) in order to create a cyber incident.
2. The ONLY time when Article 5 was actually invoked was in response to the malicious use of commonly available technology (passenger aircraft during 9/11).
3. Therefore, it follows that if the cyber attack causes serious enough harm, it can trigger Article 5 action.

The question that remains, then, is what level and type of harm will cross this threshold. In reality, this will never be set in stone. Likely there will be some cases that will automatically trigger it; however, in the end it will be decided case by case, as it is with "conventional" attacks.

Monday, May 3, 2010

The Law of Armed Conflict in Cyberspace

Last week I spent three days with a group of law experts, who are trying to figure out how to interpret the current laws of armed conflict (LOAC) for cyberspace. The group is headed by Mike Schmitt, and includes many other heavyweights like Derek Jinks, Ken Watkins, Tom Wingfield and Bill Boothby, just to name a few.

This work is very important, as there are no laws specifically drafted for conflicts in cyberspace or suitable court cases to analyze (to my knowledge). To bridge the gap between the laws written in the (arguably) pre-cyber era and the events that we witness and theorize about today, one needs to make good use of one's imagination. This was my role, I guess - I was one of the "cyber experts" who was tasked to come up with examples and analogies on the spot, while explaining some basic concepts from computer science, informatics, physics, etc. to a crowd who normally deal with the legal issues in the realm of things that kill people and blow stuff up.

I must say it was a wonderful learning experience and I look forward to the next meeting. It also clearly identified some issues that I have not seen discussed (recognized?) by us theoretical/conceptual researchers, who approach cyber conflict from the de-facto viewpoint (what the technology allows one to do and what is actually being done in cyberspace). While we may say that the de-jure viewpoint is outdated and not realistic, we cannot argue that it is not, in fact, the law.

Some issues that I personally found interesting (contrasted with the cyber-centric viewpoint) were:
  • the legal concepts of armed attack, use of (armed) force and armed conflict in cyberspace, and
  • the legal status of non-military personnel who perform cyber attacks during wartime.

While this work is still in its infancy, I hope the resulting manual will settle some of the speculative cyber warfare discussions of today.