VIENNA MODEL UNITED NATIONS CLUB

Transcription

1 VIENNA MODEL UNITED NATIONS CLUB STUDY GUIDE APRIL SESSION 2013 CYBER SECURITYAND CYBER WARFARE 1

2 INTRODUCTION With anever-increasingnumber of technological improvements and the expansion of online services in the past two decades, the issue of cybersecurity has rapidly moved to the top of the agenda in national and international politics. Nowadays it is an issue not only relevant to the private sector and the individual consumer, but especially to all sorts of state actors. The term cyber security covers everything from cyber crime to cyber warfare; everything from the mischief an adolescent hacker can do to an individual s computer to the risk that skilled individuals could from cyber space critically disrupt or destruct a digital infrastructure. Cyber warfare, cyber terrorism, cyber espionage and cyber activism challenge the existing technological capabilities, the nature of the free internet and the modes of cooperation in the international system. Moreover, they cause huge losses for businesses and the economy as a whole and manage to steal sensitive data of government organisations. Some analysts have labelled cyber attacks as the war in the fifth dimension or fifth domain. Beyond land, sea, air and space the cyber world has become a new hot-spot for a variety of conflicts between companies and between governments. Simultaneously, others have called it the new cold war implying on the one hand the vast potential for serious confrontations between certain countries, most notably China and the U.S., and on the other hand the deliberate omissions to explicitly single out the states responsible for cyber attacks in order to avoid direct confrontations and a diplomatic impasse. Nonetheless, cyber security has certainly become a serious concern in international politics and was addressed at several conferences where lawmakers and key stakeholders from the private sector have become increasingly involved in the debates about how to tackle the threats stemming from malpractice in the digital world. The topic was also an integral part of the Douville G-8 summit agenda in Still the most important discussions have taken place on a bilateral basis so far. Thus there remains the need to find a solution on a multilateral basis in order to find international agreements that allow to deal with the issue appropriately and that provide the necessary legally binding provisions for state and non-state actors operating in the global cyberspace. The targets of cyber attacks From the government agencies to the International Olympic Committee and news media - nearly anything can or has already fallen prey to cyber attacks.even well protected security infrastructure such as the Pentagon seems to be vulnerable as has been revealed by a massive cyber attack in 2008 and in 2011 when approximately 24,000 files were abstracted. Apart from high profile breaches against industrial, financial and governmental targets, it is small companies, which have increasingly become the victims of targeted cyber attacks due to the fact that their security measures can often be considered rudimentary compared to those of large enterprises. The main goal of attacks against the private sector is to gain intellectual property (industrial espionage), whereas attacks against government agenciesaim for strategic intelligence, sensitive security data or in general the disruption or destruction of private and publicnetworks. Alternatively, cyber attacks in the form of so-called hacktivism (e.g. Anonymous)have also become a new way of protest and civil disobedience. An EU study conducted by the European Network and Information Security Agency analyzed more than 140 reports from the security industry and other organizations. It concluded that the top threats could be categorized in 6 areas: mobile computing, social technology, critical 2

3 infrastructure, trust infrastructure (defined as any information system that provides strong authentication and aims at establishing a trusted, secure connection between two end points. ), cloud computing and big data. Furthermore, it pointed out that particularly the threats to trust infrastructure and mobile computing are on the rise. Typical targets of cyber attacks include electrical grids, telecommunication systems, web servers, enterprise information systems, media corporations and newspapers (lately for instance France 24 and the NYT), banks, corporations in the technology sector but also in the construction sector or even agriculture, satellite systems, pipelines, air traffic control systems, water systems, ministries and other organizations affiliated with governments as well as non-governmental organizations. If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier (American computer security specialist) Prominent cyber attacks The Original Logic Bomb:in 1982 a computer control system stolen from a Canadian company by Soviet spies caused a Soviet gas pipeline to explode. The code for the control system had been previously modified by the CIA, which had been tipped off, to include a logic bomb, i.e. a piece of code that changes the workings of a system, which changed the pump speeds to cause the explosion. An air force secretary describe d it as the most monumental non-nuclear explosion and fire ever seen from space. Titan Rain: the name given by the FBI to a series of coordinated attacks on American computer systems since 2003ongoing for at least three years. It was discovered that several sensitive private and public computer networks were infiltrated by the hackers, such as those at Lockheed Martin and NASA. Not only was military intel and classified data stolen, but also thousands of zombified machines, i.e. computers infiltrated by malicious software that can be activated later, were left behind. Titan Rain is considered the largest state-sponsored cyberattacks in history, said to have been organized or supported by the Chinese government. Cyberattacks on Estonia: a series of well-planned cyber attacks began on 27 April 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries and broadcasters, amid the country s row with Russia about the relocation of a Soviet statue. Due to the sophistication of the attacks it was claimed that the Russian government had assisted in orchestrating the attacks. Among others Nashi, a nominally independent pro- Kremlin youth group, has taken responsibility for the incident. Some argue that it may have been the second-largest instance of state-sponsored cyber attack, following Titan Rain. Stuxnet: in 2010 the Stuxnet worm temporarily knocks out some 1000 centrifuges at Iran s Natanz nuclear facility, causing considerable delay to that country s uranium enrichment programme. Allegedly the highly sophisticated worm was plantedmanually by a flash driver into at least one computer connected to the network. In June 2012, The New York Times reports that the U.S. and Israel developed the worm. Flame: another complex malware responsible for data loss incidents at Iran s oil ministry in It was allegedly developed by the U.S. and Israeli governments to collect intelligence about Iran s computer networks that would facilitate future cyberattacks on computers used in that country s nuclear fuel enrichment program. It was also planted manually into the network. DDoS attacks on U.S. banks: the U.S. accuses Iran of staging a massive wave of denial-ofservice attacks against U.S. financial institutions in Defense Secretary Leon Panetta warns of cyber threats against critical infrastructure and calls for new protection standards. Korean cyber war: Already in 2009 and 2011 North Korea has been blamed for cyber raids against South Korean organizations. On 15 March, North Korea s KCNA news agency accused the US and its allies of large-scale hacking attacks on its internet servers. Later in 3

4 Marcharound 32,000 South Korean computers at banks and broadcasters were affected by a cyber attack. Even though the attack could be traced back to a Chinese IP address officials emphasized that this did not reveal who was behind the attack, as hackers can route their attacks through addresses in other countries to obscure their identities. North Korea is suspected to have staged the attack amid rising tensions on the Korean peninsula. International agreements International law regarding real warfare developed within a 150 years. This raises the question whether these regulations could be used in matters of online-warfare. A genuine legal framework, a jus ad bellum and jus in bello, is still missing for cyber warfare. The Working Group on Internet Governance, established by the United Nations based on a recommendation from the World Summit on the Information Society, was initiated to agree upon the future Internet Governance. Technical, policy, economic, institutional, as well as legal perspectives were taken into consideration. Two different approaches dominated the debates at the summit. Whereas one side argued for the development of genuine cyber-law since speed and volume of Internet cross-border communication hinders the enforcement of existing legal rules, the other side argued that the Internet is in fact not conceptually different from previous telecommunication technologies. Consequently, existing legal rules could be applied to the Internet and as far as global regulation is concerned, the most efficient option would be the harmonization of national laws, resulting in the establishment of one set of equivalent rules at the global level. The Working Group has fulfilled its duty to give recommendations for the next World Summit on the Information Society. But unfortunately a consensus regarding concrete measures could not be found. For the time being, bilateral agreements are the most common solution for cyber security regulations, like the new security pact of the UK with India. A group of international lawyers, working in conjunction with the International Committee of the Red Cross and the US Cyber Command, has now published a book on the subject. The group of experts was invited to draw up the handbook by NATO s Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, where the centre was established in 2008 following a wave of cyber-attacks on the Baltic state from inside Russia. The experts explained that existing laws broadly apply to cyberspace. The Tallinn manual contains 95 black letter rules. However, it is no official NATO document or policy but an advisory manual. Among other things it stipulates that cyber attacks led by governments must avoid sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations. The manual also states that hacktivists who participate in online attacks during a war can be legitimate targets even though they are civilians. The manual suggests proportionate countermeasures against cyber attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property. Rule seven of the manual also states that if an online operation originates from a government network, "it is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with the operation". Furthermore, it says that, in accordance with Geneva conventions, attacks on certain key civilian sites are outlawed, for instance hospitals and medical units, which are also protected under rules governing traditional warfare. International Involvement United Nations: At the UN level the International Telecommunication Union, is a specialized agency, is responsible for issues that concern information and communication technologies. Its main task include coordinating the shared global use of the radio spectrum, promoting international 4

5 cooperation in assigning satellite orbits, improving telecommunication infrastructure and assisting in the development and coordination of worldwide technical standards. Following an initiative by the Malaysian Prime Minister a comprehensive public-private partnership against cyber threat led to the creation of the International Multilateral Partnership Against Cyber Threats, the first United Nations-backed cybersecurity alliance. Since 2011, after signing a cooperation agreement at the World Summit on the Information Society, IMPACT serves as the cybersecurity executing arm of the International Telecommunication Union. IMPACT is tasked with the responsibility of providing cyber security assistance and support to ITU s 193 Member States and also to other organisations within the UN system. IMPACT was massively supported with resources coming from the industry giants such as Kaspersky Lab and Symantec Corporation. United States of America: The new United States military strategy makes explicit that a cyber attack is a casus belli for a traditional act of war. William J. Lynn, former U.S. Deputy Secretary of Defense, states that as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare which has become just as critical to military operations as land, sea, air, and space. In 2012 the then Secretary of Defense Leon E. Panetta warned of the possibility of a cyber- Pearl Harbor. Furthermore, he stressed that the US won t succeed in preventing a cyberattack through improved defenses alone. The new Secretary of Defense Chuck Hagel has promised to prioritise cyber security at the Pentagon. President Barack Obama declared America's digital infrastructure to be a strategic national asset. Therefore in May 2010 the Pentagon established the US Cyber Command (USCYBERCOM) to defend American military networks and built up capabilities for offensive moves against other networks. In June 2012 the New York Times reported that President Obama had ordered the cyber attack on Iranian nuclear enrichment facilities. President Obama last fall signed a classified directive that requires an imminent or ongoing threat of an attack that could result in death or damage to national security before a military cyber-action can be taken to thwart it. Senior administration officials stress that under the new Obama directive, they would use law enforcement or diplomatic means before turning to military cyber warfare. The order does not alter the rules for intelligence agencies covert use of cyber-operations. The United States has already used cyber attacks for tactical advantage in Afghanistan. There have also been lots of other cyber warfare activities regarding the US. For example in 1982, a computer control system stolen from a Canadian company by Soviet spies caused a Soviet gas pipeline to explode. The code for the control system had been modified by the CIA to include a logic bomb which changed the pump speeds to cause the explosion. According to the NYT the US was also involved in developing Stuxnet to attack Iran. Currently, the main opponent in cyber warfare are said to be Chinese state and non-state actors where most attacks on American systems originate from. An American computer security company reported in March 2009 that it had detected 128 acts of cyberagression per minute coming from Internet addresses in China. The Department of Defense was the main target of these attacks. United Kingdom: In February the UK signed a new security pact with India as a countermeasure against the Chinese cyber-threat. The United Kingdom has also set up a cyber-security and operations centre based in Government Communications Headquarters (GCHQ). The UK government's National Security Strategy of 2010 is titled A Strong Britain in an Age of Uncertainty. It outlines threats facing the United Kingdom, and defences against these threats. It also emphasizes the risks posed by cyber warfare. There are also lots of cyber 5

6 warfare activities regarding the UK. In the most famous one the MI6 repeatedly infiltrated an Al Qaeda website and replaced the recipe for a pipe bomb with the recipe for making cupcakes. People s Republic of China: Most reports about China s cyber warfare capabilities are not confirmed by the Chinese government. Nevertheless China continues to be held responsible for a string of cyber-attacks on a number of public and private institutions in the United States, India, Russia, Canada, France, Taiwan and Japan. US security experts claim a 12-story office building outside of Shanghai is the headquarters of a hacking unit in China established to attack international computer networks. Beijing has rejected the allegations, calling the reports unreliable. The Chinese government denies any involvement in cyber-spying campaigns. Instead the government maintains the position that China is not the threat but rather the victim of an increasing number of cyber-attacks. Official data showed that more than one million IP addresses were under control by overseas sources. A government report released in March 2011 indicates that more than 4600 Chinese government Web-sites had their content modified by hackers in 2010, an increase of 68 percent over the previous year. A list of the top 100 viruses infecting computers world-wide at the beginning of 2011also revealed that in every single case China was the most affected country. Yet, nearly all these viruses originated in China. The Chinese government has attempted to impose greater control over internal networks, both to suppress domestic opposition and to block penetration from outside the country. It has surrounded the country with a Great Firewall, also referred as the Golden Shield Project, which is an Internet censorship and surveillance project operated by the Ministry of Public Security. It is estimated that between 30,000 and 50,000 Internet police are employed in this project. Russian Federation: Cyber warfare in Russia includes allegations of denial of service attacks, hacker attacks, dissemination of disinformation over the internet, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, and persecution of cyberdissidents. It has been claimed that Russian security services organized a number of denial of service attacks as a part of their cyber-warfare against other countries as Estonia or Georgia. Russia has been accused of attacking Georgian government websites in 2008 to accompany their military bombardment. Russia is also believed to have rapidly advanced its IT sector. Still Russia is often overlooked as a significant player in the global software industry. Russia produces 200,000 scientific and technology graduates each year. This is as many as India, which has five times the population. However, since 2012 Russia has also stepped up its campaign for a globally binding treaty on cyber security. The rather controversial proposal for a U.N. convention to crack down on Internet crime and terrorism should define information warfare as a threat to international security and should urge countries to maintain a balance between fundamental human rights and the effective counteraction of terrorist use of the information space. France: In 2009 France created the French Network and Information Security Agency (FNISA) to provide a national watchdog on the government s sensitive networks that would detect and respond to cyber attacks. Since then, little has been exposed about the disposition of French cyber security until March 2011, when the French finance ministry announced that it had suffered a cyber attack during the Paris G20 summit. The attack targeted documents relating to the summit and other economic issues. In August 2011, France announced its intentions to 6

7 build network warfare capabilities. Cyber warfare specialists under the General Directorate of Armament (DGA) demonstrated their capabilities in September 2011 using a communications mini-drone to simulate an attack on a national communications satellite. Personnel dedicated to France s cyber warfare capabilities include 130 engineers and researchers with links to French universities, as well as US and UK cyber experts who provide advice to other French departments on improving their organic network securities. The DGA intends to grow these numbers by 30 per year for the next 30 years. A major focus of the DGA is currently to develop secure networks for the French Naval Forces, including Naval Aircraft, by implementing an intranet. Further reading [Al Jazeera World : Fighting in the Fifth Dimension] 7