If the U.S. is already planning for a major war in cyberspace, as Edward Snowden suggests, the world should be bracing for the dangerous weaponization of cyberspace and even greater distrust between the U.S. and Russia in the cyber domain.
U.S. President Barack Obama arrives to speak at the National Cybersecurity and Communications Integration Center in Arlington, Va. on Jan. 13. Obama renewed his call for Congress to pass cybersecurity legislation, including a proposal that encourages companies to share threat information with the government and protects them from potential lawsuits if they do. Photo: AP
Last week prominent German media outlet Der Spiegel published the second part of former NSA agent Edward Snowden’s revelations. According to these documents, the U.S.-led global surveillance program was only the first round of a broader cyber strategy by the United Sates that aims at preparing for global cyber war with other countries.
As indicated from this second round of revelations, the U.S. National Security Agency (NSA) suggests in no uncertain terms that the next major conflict will take place in cyberspace. In addition, the documents outline the development and implantation of malware programs to disable the enemy’s key infrastructure objects - including banking systems, power plants and airports.
In the wake of Snowden’s first revelations in 2013 about the NSA’s dragnet electronic surveillance, there was hope by some that these revelations would lead to better oversight of state security activities and a significant makeover of the intelligence system. Now, it is more probable that the momentum for fundamental change will not be efficiently used. The way nations perceive cyber threats across the world might lead to the launch of an active and open cycle of “cyber weaponization,” most certainly at the expense of data privacy. However, more importantly, we might be already much deeper into an undeclared ‘hybrid’ war than it might seem.
Cybersecurity in the wake of North Korea’s alleged cyber attack
Since the cyber attack on Sony Pictures in December 2014 [allegedly spurred by the release of the Hollywood movie “The Interview” that mocks North Korea’s leader Kim Jong Un and depicts an attempt to assassinate him – Editor’s note], the cyber capacities of various states are more in the limelight than ever. Even though not the first one of its kind, the alleged North Korean attack pulled the trigger of cyber mobilization.
Cybersecurity issues were flagged ahead of U.S. President Barack Obama’s State of the Union speech on Jan. 20, highlighting their top-priority nature – especially against the backdrop of the Sony attack. This cyber attack helped start translating “concerns” into policy tools.
“We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism,” Obama said, urging the U.S. Congress to pass new legislation.
It would support these goals by enhancing data protection regulations and beefing up cybersecurity efforts of critical infrastructure objects, governmental computers and networks. The protection of individuals’ privacy and civil liberties would be shaped accordingly. Ironically, the legislative cyber agenda unveiled in advance of Obama’s speech coincided with the publication of a new batch of Snowden’s documents in Der Spiegel on Jan. 16. These documents revealed the rest of the iceberg, with mass surveillance being just the very tip.
Reportedly, the U.S. has been developing malware able to “paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.”
The reports suggesting that the NSA compromised the North Korean networks before the Sony attack fit neatly into this picture. By compromising the networks in advance, America could launch a swift retaliation taking the North Korean ‘intranet’ down for a few hours. Although experts say that neither attack can be 100 percent attributed, what the world has seen looks like a mock-up cyber war attack exchange, followed accordingly by a public pledge to protect citizens and step up national cybersecurity.
With Snowden’s files in mind, this leaves us with three major takeaways:
(1) The Internet as a platform for warfare is no longer fiction or theory;
(2) In the absence of a broadly recognized international legislative framework defining cyber war and precise attribution tools, it’s hard to localize it in space and time or even call it ‘a war’ even though apparently it has been under way for a while. (The term of choice, therefore, has been ‘hybrid war’ whereby cyber is an increasingly used element of otherwise conventional warfare);
(3) A cyber arms race at the national or alliance level is likely to reflect the current geopolitical standoff.
New regional cyber alliances to fight shadowy cyber attacks
While the world is digesting the potential scope of the NSA-sponsored malware initiative, the U.S. and the UK have already announced their intention to conduct joint ‘cyber war games’. The UK’s intelligence and securities bodies such as the Government Communications Headquarters (GCHQ) and MI-5, as well as their U.S. counterparts, the NSA and the Federal Bureau of Investigations (FBI), will stage cyber attacks on the City of London’s and Wall Street’s key financial infrastructure to test their resilience.
If such drills are to become customary, as suggested, the next targets of potential attacks could be other elements of critical infrastructure in countries whose protection is vital for systemic integrity of national security elements – power grids, nuclear power sites, telecommunications and transport facilities.
What was called ‘fighting shadows’ at a specially dedicated session of the World Economic Forum in Davos is more than just a metaphor since the attribution of cyber warfare is highly challenging, according to Kaspersky Lab.
It’s also impunitive de jure but not de facto, as the decision of whether or not to counterattack is basically discretionary in the absence of a relevant and broadly adopted international code of conduct. The legislative gap is widely recognized but the room for a broad international cooperation in this area has significantly shrunk in the past couple of years due to the geopolitical escalation. Instead, one can observe the formation or reinforcement of regional strategic alliances through joint cyber defense agreements.
At a time when both Obama and UK’s Prime Minister David Cameron are experiencing difficulties in their respective political domains, both found a convenient populist tool in the cyber agenda by addressing the security concerns of the electorate, especially in the wake of the Charlie Hebdo attack.
For Cameron the task of striking the “security vs. privacy” balance at home is particularly tough, given the recent revelations about GCHQ tapping into journalists’ emails, reported by Snowden, and his controversial suggestions concerning encryption clampdown, urging the U.S. to put pressure on its Internet companies.
While the new round of security concerns provides a good reason for limiting civil liberties, including the revival of the notorious UK Communications Data Bill (also known as Snoopers’ Charter swept away in 2013 by Snowden’s first revelations) and attempts to introduce it into the proposed last year Counter Terrorist Bill, encryption is likely to remain the battlefield for a long-term tug of war with the private sector.
Russia looks to ramp up its cyber capabilities and find new cyber allies
While such a joint venture is no surprise as such – the U.S. and the UK have been cooperating on a range of defense and security issues in the “5 eyes” framework – it sends a clear signal to Russia in the context of current geopolitical tensions.
Russia’s first cyber drill in summer 2014 reportedly revealed systemic vulnerabilities and resulted, in particular, in calls for the creation of back-up DNS infrastructure and the stepping-up of cybersecurity measures at the national level. Russia's new Military Doctrine signed at the end of December 2014 qualifies a cyber hazard as a military hazard, which under certain conditions can prompt a ‘military threat,’ characterized by the direct possibility of a military conflict.
A cyber hazard can also be qualified immediately as a military threat if it targets objects of critical infrastructure in the nuclear, space, chemical or pharmaceutical industries. While according to experts the cyber elements of Russia’s Military Doctrine do not fit in smoothly and the terminology is not always clear-cut, it is obvious that a range of doctrinal documents will be reviewed to include the cyber dimension. Other countries are busy updating their cyber strategies accordingly.
Back in autumn 2014 Russia and China announced their resolve to sign an agreement on cooperation in cyberspace in 2015. While any agreement will not be easy for Russia, given that its wiggle room has diminished lately, this deal is expected to be more fundamental than the one Russia signed with the U.S. back in 2013.
This is no surprise since the Russian and Chinese stances are much closer on a range of governance issues in cyberspace. Joint cyber trainings could become part of this bilateral agreement in the future. Russia could also extend its cyber agenda in the framework of such alliances as BRICS (Brazil, Russia, India, China and South Africa), the Shanghai Cooperation Organization (SCO), the Collective Security Treaty Organization (CSTO), or the newly launched Eurasian Economic Union, in order to match the NATO pledge of collective cyber defense.
NATO’s new cybersecurity policy calling on all member to share expertise in cyberspace, which was approved at the summit in September 2014 and followed by a major cyber exercise in November to test systemic vulnerabilities, is very likely to be mirrored in a similar collective effort led by Russia and possibly joined by its allies.
The future threat of an escalating cyber arms race
As the sides reassess their strategic partnerships as well as defense capacities in the wake of the Ukraine crisis, further development of the cyber arms race raises many worries due to its unpredictability and lack of legal interoperability. On Jan. 9, the SCO members reportedly submitted an updated draft of an International Code of Conduct for Information Security to the United Nations, hoping to establish common rules under UN auspices.
However, national and newly launched regional initiatives are more likely to gain momentum to match immediate political and security goals than a holistic UN project, which most probably will fail to suit everyone. And it is probably too optimistic to try to devise common rules of fair play when the arms have already begun to be deployed.