Asked if they anticipated a cyber attack causing large-scale loss of life within the next 20 years, four of the five experts sitting on a cybersecurity panel at the Seoul Defense Dialogue on Friday raised their hands.
That show of hands, which took place as the three-day conference ended in the South Korean capital, provided mute evidence of the perils now embedded in the borderless, ubiquitous and hard-to-regulate world wide web.
With 5G networks enabling autonomous vehicles – both cars and drones – and fully empowering the Internet of Things (IoT), and at a time when digital devices and medical devices may soon become routinely embedded in human bodies, the risks are surging.
While awareness of the dangers exists among experts, the costs and scope required to ensure effective cybersecurity are troubling barriers, particularly for developing nations. And individuals, who are now reliant on cyberspace for both personal and professional activities, lack an awareness of the dangers as both non-state and state actors upgrade their malicious capabilities.
The problems of cyber insecurity have long been recognized, but are far from being resolved – if, indeed, they ever can be.
“In 1998, the director of the CIA said that we are basing our future on resources we have not learned to protect yet,” Tomas Zdzikot, the Polish Minister of Defense, said. “Things have changed but we have not learned to protect all our resources yet.”
The risk of surging digitization is double-edged – increasing dependency on connected devices creates both new vulnerabilities and avenues of attack. And with 5G networks now enabling connected cars, and with some 50 billion things expected to be connected via the Internet of Things (IoT) within 2-3 years, these vulnerabilities are expanding 360 degrees.
“Our dependency increases as we relinquish more and more control to devices – smart bridges, smart cars and now we are talking medical devices that are inside us,” said Rain Ottis, professor of Cyber Security Management at Estonia’s Tallinn University. “At the same time, the capabilities to attack also increase.”
These risks are being recognized by governments.
“The EU and our states are all concerned about malicious use of ICT both by non-state actors and increasingly by state actors,” said Pavel Maciej Herczynski, Managing Director of the EU’s Common Security and Defense Policy and Crisis Response body.
“Misusing ICT for malicious purposes affects the entire global community: governments, businesses, citizens and our armed forces. The scope and severity of such incidents appear to be increasing – as are associated costs.”
“Cyberspace enables statecraft, but when we think of cybersecurity and national strategy, we do it in an environment where there is much evidence of criminal and state-supported activity – IP disruptions, interventions in political processes and so on,” added Celia Perkins, the First Assistant Secretary for Strategic Policy at the Australian Ministry of Defense.
She noted that Canberra had plenty of experience with malicious attacks, including DoS assaults and attacks on parliament. “We are highly alert to cyber as a tool of statecraft.”
Attacks on all fronts
The scale of the assaults is staggering. In 2015, there were 77,000 cyberattacks on networks supporting the US government, Zdzikot stated, and it is getting worse.
In Australia at present, defense-related nets are “under constant attack – tens of thousands of incidents monthly,” Perkins said. “We need to build resilience from the inside out.”
“Cyberattacks on critical infrastructure started in the 1990s,” Zdzikot said. “That is why it is so important for every nation to create national rules and obligations that will guarantee that companies that operate the key infrastructure will be safe.”
And it is not just about defense and protection. Cyberspace is increasingly being seen as a theater of combat. In 2016, at the NATO Summit in Warsaw, cyberspace officially became a new operational domain, Zdzikot noted, demanding related planning and capability acquisitions by armed forces.
Still, even in the highly secure military space, there are multiple backdoors. “In NATO, the suppliers of logistics bases are 90% private companies, and critical infrastructure is run by private companies,” Zdzikot said.
A separate area from state-sponsored cyber warfare is cybercrime. Last year, in the 20 leading industrialized countries, more than one billion people suffered from cybercrimes such as ID theft or the theft of money, Zdzikot noted.
“The economic effects of cybercrime are devastating – breathtaking – and the figures are only growing and growing,” Herczynski added. “You don’t have borders … it is extremely difficult to track and prosecute.”
Yet the borderless aspect of the internet is most problematic beyond the criminal sphere. “Straight-up cybercrime – stealing money – is illegal everywhere. You can go to another country to prosecute, so it is a matter of cooperation,” said Ottis. “It is when national interest, politics and ideology come into play that trouble starts.”
Why is cyberspace dangerous?
Cyberspace as a domain has largely been created by commercial companies, rather than government infrastructure providers. More data is now being collected, analyzed and utilized by private firms than by accountable governments.
In terms of their influence and their numbers of users or inhabitants, popular social networks compare to large states.
Klon Kitchen, Senior Research Fellow at the US Heritage Foundation, compared states’ loss of their previous “monopoly on intelligence” to the way nations lost their “monopoly on violence” to terrorism.
“[Digital] companies are in the business of intelligence, they produce and consume and investigate as much data as possible to understand and shape human behavior. They call it marketing, governments call it intelligence,” he said. “These companies are not aligned with a geographical country but have the level of influence of a government.”
Adding further levels of risk to the cyber realm is its status as a relatively new and poorly understood frontier, where first movers are highly risk-tolerant.
“As any new domain emerges – and space is one – it’s not surprising that people will be adventurous and bold when it is hard for us to understand the nature of that domain,” Perkins said.
Policing this perilous terrain is problematic – especially for poorer or smaller states.
“The establishment of [South Korea’s] Cyber Command and related institutions has taken too many resources and attention,” said Min Byoung-won, a professor of Political Science and International Relations at Ewha Womans University in Seoul.
“I think this will cause a lot of problems for many developing countries. We have to find a fair paradigm for refining and regulating cybersecurity.”
First line of defense
In Poland, Zdzikot oversaw the creation of a dedicated police cybercrime unit. “I believe in building structures,” he said, but added that the first level of defense lies with the individual.
“We should not do in cyberspace and on our smartphones what we would not do in the physical world,” the minister said. “You generally don’t share your credit card number with friends and you don’t usually open anything that comes to you if you don’t know who sent it.”
The widespread take-up of digital technologies means the space is now no longer about entertainment or socializing – it is far more central to people’s lives.
“The time when cyberspace was only a place to play games and chat with friends is gone,” Zdzikot said. “It is a place where you do most of your operations and there are more and more things that you cannot do without technologies and networks. But it is not a safe place.”
“It is essential to work at the baseline using the crime analogy – we lock our houses and do not leave valuables lying around,” Perkins added.
She noted that Australia’s 2016 National Cyber Strategy promoted local responsibility, and included government initiatives to support businesses and organizations. A public information campaign has also been undertaken to inform the public about what the secretive Australian Signals Directorate does, in terms of its organization and mission.
“Nobody will do cybersecurity for you,” said Zdzikot. “In your organization or company or office, mostly it is said by employees that it is an ‘issue for the IT guys,’ but in fact, it is also your responsibility.”
Cooperation is the key to cybersecurity and a core area of that is public-private cooperation – especially given the power that corporate executives now wield through digital networks.
“A CEO can make the day or ruin the day of hundreds of millions of people,” said Ottis. “States don’t build this environment. Typically, it is the private sector that builds things.”
Yet states must assert regulatory control.
“States do not build this environment but it is up to states to regulate the environment in cooperation with the private sector and civil society,” Maciej Herczynski said. “Is cyberspace something entirely new that requires new rules and regulations that has not existed so far? Or is what we have developed over years and decades exactly as applicable to cyberspace as it is offline?”
In terms of the EU, the “commitment and conviction” is that cyberspace is “no different from any other offline reality,” he added. “All international law that has been developed over decades applies to cyber exactly in the same way it applies in normal life.”
“Nobody denies the huge role of the private sector, and the private sector should be part of the conversation,” Maciej Herczynski added. “But we should not forget the responsibility of governments. The private sector is driven by business, governments have the responsibility to protect.”
Following the migration of such vast quantities of intelligence into the private sector, nations are acting. “States, to reassert their sovereignty, are beginning to squeeze these companies to bring them into compliance,” said Kitchen. “In the US, this is why the CEOs of Google and Facebook were called into Congress.”
Given the borderless nature of the internet, cross-border cooperation is equally critical. Partly, this relates to hardware.
Addressing the issue of component security, which has been highlighted recently by US allegations of security backdoors built into products sold by 5G network equipment provider Huawei, Zdzikot said: “A safe supply chain is being discussed all over the world – especially in 5G. Of course, the best way is to have your own capability, but it is not always possible to develop by yourself, so the next step is to cooperate with allies and like-minded countries.”
Global legislation is another area. “We are reviewing legislation so it supports the activities of our apparatus, foreign and domestic, and addresses these challenges,” said Perkins. “A core part is to address and consider traditional boundaries between offshore and onshore crimes – understanding these boundaries is a difficult conversation to have.”
Maciej Herczynski cited the work of the UN Working Group to advance peace and stability in cyberspace. “The framework is based on the application of existing international laws and the UN Charter, complemented by universal laws of responsible state behavior and regional confidence-building methods,” he said. “Cyberspace is not the Wild West, the rule of law fully applies.”
In terms of international conventions, the Convention on Cybercrime of the Council of Europe, also known as the Budapest Convention, serves as a guideline for countries developing national legislation against cybercrime and as a framework for international cooperation between states. About 70 nations have joined.
“The Budapest Convention is the only norm and standard that enables us to work closely in order to fight cybercrime,” he said. But agreements and treaties only go so far.
“The challenge for the international community is to create goal posts, to create rules and obligations that have to be obeyed,” warned Zdzikot. “We talk about ‘confidence-building’ and ‘cooperation,’ but there are a lot of states that simply do not care about rules – they act very aggressively in cyberspace.”
In areas where states aggressively prosecute cyberattacks, capitals need to act. Increasingly, this means naming names. “Australia attributes cyberattacks when they occur [for reasons of] transparency and resilience,” Perkins said.
And the EU now has official recourse to take political and/or economic action. “Now the EU is in a position to respond to a cyberattack by imposing sanctions,” Maciej Herczynski said. “This clearly shows that rules that apply offline should apply online.”
Beyond sanctions lies military action.
“Our task is to build capability within the armed forces to combat hybrid threats,” said Zdzikot. “We’re talking about confidence-building cooperation, but there are a lot of states that simply do not care about rules – they act very aggressively in cyberspace. We have to be prepared to defend the country against people who are not coming in the future – they are coming now, day by day.”
When it comes to assessing cyber strategies, companies, organizations and states need to take a leaf out of the military book and conduct war games.
“How do you know your strategy works? It is one thing to write it on paper or announce it to the press, but when push comes to shove, will it actually work?” asked Ottis. “Set up an exercise, throw some scenarios at people who execute your strategy and see where it fails.”
The aim is not to find where it works, but where it fails, in order to plug gaps and find out where vulnerabilities exist and where accountabilities are.
Perkins noted that Australia held a major, national-level exercise in 2018 and that this risk-based approach is expanding. “We are working on the cyber resilience of critical infrastructure,” she said. “By regularly exercising, we find where accountabilities lie and how capable we are in the event of a cyber event.”
What are the common failures uncovered by this kind of highly sophisticated war-gaming?
“This wish to have full control, which is not realistic as most information you need is not in your jurisdiction. It will not be easily accessible and then it may take months or years to analyze the data,” Ottis said. “From the centralized point of view, you are setting yourself up for failure.”
Through a screen, darkly
Overall, despite the increasing resources and interest in cyber security, the future looks dangerous. Pro-active campaigns are essential to start ameliorating risks, Ottis advised.
“Users should demand some basic things – if I have my phone in my bedroom, employees of the [service provider] should not be listening to what I am doing, and the company should not relinquish that information to the government,” he said. “We should push for a more transparent system where companies are more responsible and where government makes a commitment not to abuse these companies.”
However, he warned: “Currently, we do not have this.”
Meanwhile, traditional mechanisms of accountability and power are being eroded. The move of so many operations and activities from an offline sphere that took place within terrestrial boundaries to an online space that is borderless, and where so many players are non-governmental, is undercutting the power of the state in profound ways.
“The state is losing power and authority in this field,” said Min. “It is the beginning of the decline of the modern sovereign system that has defined the international system since the [17th century] treaty of Westphalia.”
These developments and the accelerating development of digital technologies point to frightening future scenarios.
Mankind is now heading for “a very dystopian environment where we will have hundreds of billions of devices around us and inside us and we won’t know what they do and who controls them,” Ottis warned. “I don’t think we want to go there, but we are moving steadily in that direction.”