Dan Kaplan, SC Magazine:
In my eyes, this seems to be another step by U.S. officials, without exactly coming out and saying it, to label Anonymous as a cyber terrorist organization, bent on indiscriminate destruction of digital property and infrastructure.
The DHS in the “National Cybersecurity and Communications Integration Center Bulletin”, A-0020-NCCIC / ICS-CERT –120020110916:
“The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting industrial control systems (ICS). (…) Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future.”
Kaplan continues, on Duqu, the alleged Stuxnet offspring:
Which reminds me: I’m waiting for DHS to publish a warning based on a potential real critical infrastructure issue that popped up just yesterday — evidence that the Stuxnet authors are back with new malware. I’m sure the bulletin will arrive any minute now.
Even a year after, Langner sticks to his assessment:
Thinking about it for another minute, if it’s not aliens, it’s got to be the United States.
How could I miss that line in Michael J. Gross’ Stuxnet article in the April edition of Vanity Fair:
Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.
Nice alteration to the recently excavated rhetorical corpse of the Digital Pearl Harbour by the Washington Post. “Hiroshima of cyber-war” is an allegory conveying ideas and associations probably not intended by the author:
- The dawn of a new age of geopolitics defined by control over certain technological artefacts.
- The assumption by US security circles that unilateral and sole control over these artefacts equals incontestable geopolitical power, a truly “unipolar moment” (Charles Krauthammer) that should have lasted considerably longer than 1949 when the Soviets managed to assemble their “Fat Man” equivalent.
- The militarisation and secretisation of a potentially benevolent technology.
- The institution of a nuclear umbrella which served as a foreign policy instrument and “provided a cooperative structure, linking the United States in a mutually beneficial way to a wide range of friends, allies, and neutral nations.” (Nye/Owens 1996, p. 26)
A Hiroshima of cyberwar?
Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Protection. Its 1997 report “Critical Foundations – Protecting America’s Infrastructure” states (Appendix A, Section Summary Report, p. A-26):
Vulnerabilities facing the energy industries include:
* Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system architectures, centralized operations, increased communications over public telecommunications networks and remote maintenance
Earlier this week, Terry Zink quoted the following in a blog post:
Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems.
Eric Schmitt and Thom Shanker, NYT:
But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. …
“We don’t want to be the ones who break the glass on this new kind of warfare,” said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, where he specializes in technology and national security. …
“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions. …
Some officials also expressed concern about revealing American technological capabilities to potential enemies for what seemed like a relatively minor security threat to the United States.
Read: Cyber-attack capabilities are built up in the shadows, quantity and quality unknown, to be used only in conflicts on the ‘vital-interest’-level – or as yet another deterrence (the attribution problem aside).
Stewart Baker, former official at DHS and NSA, in an article called “Denial of Service” on Foreign Policy:
“We should not wait for our own Prince of Wales moment in cyberspace.”
Now, that’s disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn’t start reading articles at their very last paragraph. The second-to-last comes to the rescue.
In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors’ lives.
Besides that, the message is:
But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.
Therefore, cyber strategies are necessary:
The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.
How can attackers be identified with certainty without fundamentally altering the architecture of the internet or without the ability to enforce the collaboration of intermediaries such as ISPs worldwide? The latter could be accomplished in several ways: a) by foreign governments as a proxy, convinced by diplomatic influence ad hoc or by institutions such as international treaties; or b) by supportive worldwide technical communities.
While German LEAs apparently try to create backdoors themselves to wiretap computers, the FBI knocks on doors in Silicon Valley for some backdoors. Evgeny Morozov in his review of Susan Landau’s book “Surveillance or Security”:
To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build “backdoors” into their products.
From a foreign-policy perspective, the Western security-by-surveillance approach is rather shortsighted, Morozov argues:
Foreign-policy interests—a desire not to empower enemies and autocratic regimes—should shape this agenda as well. But most policymakers in Washington don’t incorporate global concerns into highly technical domestic debates about seemingly obscure issues of surveillance law.
Morozov was featured in a pretty interesting, visually innovative TV documentary in late September by Dutch channel vpro.nl. Includes some good rants.
Irrespective of David Eaves’ speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current status quo of the discussions on a cybersecurity treaty and on the Sino-Russian UN proposal for an “International Code of Conduct for Information Security”. Healey has an excerpt addressing Twitter revolutions (Russia’s and China’s noospheric soft belly) …
The Russian and Chinese proposal asks for nations to pledge to
… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security.
… and then points at the omission of paragraphs on patriotic hackers (a kind of unlawful cyber combatant posing asymmetric risks for the West):
Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).
(Annotation: In Germany, courts have ruled human-bot-driven DDoS attacks legal and likened them to likewise legal sit-ins, which block traffic from and to property in the physical world.)
Update: The Council on Foreign Relations has a blog entry – alas too short – on the Chinese perspective of the geopolitics in cyberspace.
But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace.
Interesting argument by David Eaves regarding the Open Government Partnership:
The OGP is part of a 21st century containment policy. And I’d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)
Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)
It’s no trivial coincidence that on the day of the OGP launch the President announced the United States’ first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)
This is America essentially signalling to African people and their leaders – do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.
More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.
It would be interesting to link strategic US foreign policy thinking to ‘openness’ in governance – I’m thinking of, e.g., Anne-Marie Slaughter’s recent Foreign Affairs article, in which she proposed for the U.S. to take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.
Joint request by May, Strickling, Beers:
The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.
DHS asks for contributions in three segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.
I’ve seen similar public requests for comments in other policy domains before in the political system of the US. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.
Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.
Update. Joel Harding with regard to Microsoft’s role in botnet response:
DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?
You never know with these Foreign Affairs articles, how significant they will be for actual policy making. But they reveal at least what is being discussed in US foreign policy circles. Google’s ties with the US administration and the Department of State became visible for a larger audience in the course of the China-Google showdown earlier this year. The publication of Eric Schmidt’s and Jared Cohen’s article “The Digital Disruption – Connectivity and the Diffusion of Power” in the forthcoming issue of Foreign Affairs only stresses this special relationship.
Foreign Affairs continues its tradition of articles on the strategic usage of information technology for US foreign policy. Back in 1996, Nye/Owens called for an “information umbrella” as a future means to allow the US to further lead an alliance of like-minded states in a post-“nuclear umbrella” world. Schmidt/Cohen discuss, in diplomatically sterile language, the effects of “connection technologies” on politics, governments, and the diffusion of power among different actors. They have retained some techno-optimism:
In an era when the power of the individual and the group grows daily, those governments that ride the technological wave will clearly be best positioned to assert their influence and bring others into their orbits. And those that do not will find themselves at odds with their citizens.
But also within Western states, the notion of governance will further flourish:
Instead, governments, individuals, nongovernmental organizations, and private companies will balance one another’s interests.
Looks like multi-stakeholderism gone ubiquitous.
—
If you don’t want to register with the foreignaffairs.com website, Stefaan Verhulst has the complete article.