
THE ARMS RACE IN CYBERSPACE
INDEX
1. - INTRODUCTION
2. - “SUPPOSED” SCENARIOS
3. - DRASTIC MEASURES “STILL” NOT VIABLE
4. - FACING THE PROBLEM
5. - EFFORTS TO INCREASE CYBERSECURITY
6. - CONCLUSION
1. - INTRODUCTION
Before starting a war, it is necessary to determine meticulously the strategic targets and the sequence in which they are to be knocked out.
In the past, eliminating these strategic targets always required a physical attack of sufficient proportions to guarantee their destruction; in other words, missiles, explosives, bombs, rockets, machine guns, etc., were used.
Nowadays, because many critical infrastructures depend on the Internet, it is possible to execute attacks typical of military engagements between powers without spilling a single drop of blood, while causing the same strategic effects as physical destruction.
This fact is alarming, yet although this possibility has been widely publicized, society is aware of neither the threats nor the vulnerabilities. Why? What is wrong?
Basically, two things are failing: legislation (national and international) and society’s technical education.
2. - “SUPPOSED” SCENARIOS
To illustrate the first part of that last statement, we first reproduce below Articles 5 and 6 of the North Atlantic Treaty. We then describe a hypothetical scenario and, finally, as an example of the message we intend to convey, we vary (only for the sake of argument) the text of Article 6 on the basis of that supposed scenario.
Article 5
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered
an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise
of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will
assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such
action as it deems necessary, including the use of armed force, to restore and maintain the security of the North
Atlantic area.
Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security
Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore
and maintain international peace and security.
Article 6
For the purpose of Article 5, an armed attack on one or more of the Parties is deemed to include an armed attack:
on the territory of any of the Parties in Europe or North America, on the Algerian Departments of France (2),
on the territory of or on the Islands under the jurisdiction of any of the Parties in the North Atlantic area
north of the Tropic of Cancer;
on the forces, vessels, or aircraft of any of the Parties, when in or over these territories or any other area in
Europe in which occupation forces of any of the Parties were stationed on the date when the Treaty entered
into force or the Mediterranean Sea or the North Atlantic area north of the Tropic of Cancer.
Text taken from www.nato.int
Let’s suppose now that a NATO country, called A, suffers a series of attacks from a country called B (not a NATO member) affecting the following targets:
- HV electric grid
- Military combat systems control
- Financial infrastructure
- Transportation
- Communications networks
And let’s suppose, too, that these attacks are carried out with weapons, in this case missiles. Surely there would be many human casualties (we are not going to calculate the number).
Let’s suppose again the previous situation, but without the casualties, with weapons still employed (again missiles). In both cases an armed attack physically occurs, rendering critical infrastructures unusable. Therefore, in both suppositions, we could legitimately appeal to Articles 5 and 6.
However, what happens if these attacks take place remotely, exploiting vulnerabilities of information systems, without using “traditional” weapons? If these attacks are not physically executed, do NATO members have the right to self-defense?
Today the answer is NO. They have no right to self-defense, and so face a problem of great magnitude with no easy short-term solution.
3. - DRASTIC MEASURES “STILL” NOT VIABLE
The situation would change notably if Article 6 read not only “on the forces, vessels, or aircraft” but also “on the forces, vessels, aircraft, their command and control systems or critical infrastructures (including their management, communication, information and control systems), military or civilian, considered strategic targets affecting National or International Security” (of course, we would have to define “strategic target”). This would imply that if country A received computer attacks from servers located in B, it could hold B responsible. In theory, A could demand that B control the activity of those servers, even shutting them down. Excuses would arise about the impossibility of accurately locating the origin of the attack, but with the “new” law in hand, the Government of B could be forced (under the threat of a physical engagement as a last resort, and of the other actions provided for in international regulation) to concentrate all its efforts on preventing the execution of those attacks coming from its own country, implementing the necessary precautionary measures within the nation.
Many could consider this measure disproportionate or even extreme, perhaps because they are not yet aware of the seriousness of the situation. Nevertheless, it is not their fault but that of the lack of legal elements classifying computer attacks on military or strategic targets as hostile acts, terrorist acts and punishable acts of war, against which one may defend and for which one may prosecute. That is to say, we not only have to make the population aware that threats exist in cyberspace and that we are vulnerable to them; a reform of international regulation is also needed, so that computer attacks are considered as harmful as physical attacks, because from a strategic viewpoint an experienced hacker is, in the computing world, what a missile is in the real world: able to destroy targets while causing no human casualties (at least not directly). They are the weapon for carrying out precise attacks against our infrastructures (those dependent on the Internet). If this technological weapon physically existed in military arsenals and were used indiscriminately, we dare to affirm that a physical attack of such characteristics would be questioned at the international level, denounced and answered by the affected country, with complete legitimacy.
Nonetheless, could a country A really respond with physical force to computer attacks launched FROM a country B? We do not think so, given the impossibility of immediately linking those attacks to specific governments. It would be as if the United States declared war on China or Russia because a high percentage of the attacks it receives come from servers located there. So, what can we do?
4. - FACING THE PROBLEM
As in any situation, and while there is no legal framework allowing other actions, we must face the problem according to a series of priorities that make it necessary to draw up traditional planning (something we know perfectly well how to do) for a modern problem; that is, we need to devise an emergency plan (explained later) and an immediate action plan, besides others for the short, medium and long term, adding, of course, periodic updates and a distinction between preventive and corrective measures (emergency and crisis management, risk mitigation, minimization of recovery time, etc.).
As with physical attacks, and trying to draw analogies between the real world and the computing world: if in the past we created armies to defend ourselves from our enemies, it will be necessary to do the same in cyberspace, because the walls of the castle (firewalls and antivirus) are not enough to keep unwanted visitors (hackers, malware, viruses, etc.) from entering. It is time to move to an active defense, “cyberdeterrence”, through the use and creation of every means within our reach, since passive measures are failing spectacularly. Nevertheless, a question arises: what are weapons for, if we are unable to find our attackers and if, besides, those weapons could destroy the very mechanisms by which our own environment operates?
To exert cyberdeterrence effectively, we must not only have weapons but, above all, know the environment, as well as the methodology and location of the enemy to which our troops are to be sent. It is essential to develop new techniques and tactics based on a strategy specifically designed against a phenomenon not yet precisely defined. Indeed, there are several phenomena intermingled and combined in a much more complex and diffuse way (terrorism, espionage, fraud, conspiracy, theft, etc.), which makes the problem harder to face, because it is indispensable to respect the principle of interconnectivity.
In terrorism, for example, we see day after day that conventional weapons are useless, that this kind of fight is very different from the classical engagement between countries, and that new and specific tactics are required for asymmetric conflicts. There are environments where the latest advances in technology are of no use against this phenomenon.
In cyberspace, the tactics employed by hackers are asymmetric and somewhat similar to those used in terrorism, but with the advantages of the digital world.
One alternative among others, which we propose as a suggestion, would be to shape Cybersecurity policy by learning from the experience of the fight against terrorism, put into practice and adapted to the computing environment. To tackle the problem, a technical focus and experience with computers are not enough; we have to bring together the best strategists from different disciplines to understand the problem and design strategies that reduce its consequences as much as possible, since we cannot eradicate them (although that is our intention). Some of these disciplines could be:
- Anti-terrorism and counter-terrorism
- Military strategy
- Intelligence
- Fight against organized crime
- Informatics, electronics and telecommunications
- Enterprise and banking
- International law
- Logistics and transport
- Energy
So we do not have to invent anything new, just adapt what exists and what we know in the tangible world to the computing one, bearing in mind that global interconnectivity must be preserved as a fundamental requirement, a direct consequence of the Internet’s very essence. It will be necessary to distinguish between military and civilian solutions for the various affected sectors, but there is no doubt that we will finally have to adapt ourselves to a new reality or field:
- Creating, or promoting if it already exists, a Cyber-Army, fostering its deterrence and defensive capacity (but without altering the basic principles of interconnectivity through an arms race). Just as many nations have Land, Air and Naval forces, each with its own functions and responsibilities, a cyber-army should exist, with its own responsibilities in cyberspace.
- Creating, or promoting if it already exists, a Cyber-Police focused exclusively on cyberspace. In Spain, for example, depending on the responsibilities involved, the National Police and the Guardia Civil are in charge, but there is no independent Cyber-Police (although there is a branch for technological crimes).
- Creating or promoting private security services in cyberspace. They already exist, but are far from what we are trying to suggest here.
It seems that everything we have just mentioned already exists, but it does not, at least not in the way we are suggesting. We will not achieve an acceptable percentage of effectiveness until those entities are set up in an autonomous and independent way (not as a branch, section or department). Although the border between them is narrow, they are two different worlds, mutually dependent, and exclusive dedication to cyberspace responsibilities is needed. Imagine if we employed a single army for the three environments (sea, air and land). It is very probable that at the partial level the efficacy would be inferior (and therefore the global level too), for lack of the specialization and dedication that each environment requires.
Solutions for cyberspace problems are neither immediate, nor cheap, nor easy to implement. Security is a constantly evolving discipline, and the efficacy of the measures increases progressively, but it will never be total. Regarding computing, we are very late from a technical viewpoint, since any hacker knows that once he or she has penetrated a system, that system is understood better by the hacker than by its own administrator, and it is very probable that he or she could re-enter in the future, even after the latest updates have been installed. This is because, during the surreptitious visit, the hacker usually gathers enough information about privileged users, such as their behavior patterns, which can be used to predict password changes, to plan social engineering, or to determine the password generation policy for new employees… These are only examples to show that the vulnerability problems we had yesterday could be used tomorrow to infiltrate systems that are theoretically armored, even though the vulnerability has been fixed, because during the penetration that vulnerability allowed enough information gathering to guarantee subsequent illegal access.
Hence an emergency plan is needed, conceived to prevent what we have just mentioned: future infiltration into information systems through the exploitation of information obtained previously. This emergency plan sometimes implies starting from scratch, and that is something not everybody can afford. But if we want to be professionals and raise our security efficacy percentage, we cannot overlook this fact. We must be clear that on many occasions it will be necessary to acquire new software and hardware, to check the system permanently, to completely reconfigure the network, and to follow the strictest management protocols. Hypothetically, an arrangement in independent rings could make this kind of maintenance easier, although it would imply a higher investment in software and hardware, so the first idea of the funds manager would be to ask for a forensic analysis to determine whether the investment is necessary. The problem is that in the world of bits it is a little easier to hide the evidence of a crime, and if there is no real-time surveillance (for example at 02:30 AM, when nobody is in front of the computers), it is hard to determine the presence of unauthorized users in the system. For that reason we would have to inform the funds manager of the advisability of the investment, adding that this forensic analysis and surveillance should be implemented permanently and by human guards (not only with software, which increases the cost). We can see that technically the issue is not exactly easy, and economically it is not viable under the present social and labor scheme, since an effective security assessment implies undertaking real vulnerability analysis, and nowadays this is not done as it should be […]
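As an added illustration of the two points above (an intruder who was once inside may return using what was learned then, and a privileged login at 02:30 AM goes unnoticed without round-the-clock surveillance), the following Python script is example code written for this page, not part of the original essay. It scans a constructed authentication log and flags privileged logins outside staffed hours, as well as privileged accounts whose credentials were last rotated before the last confirmed intrusion. The log format, account names, rotation dates, business hours and incident date are all assumptions made for the example.

```python
"""
Added example (not from the original essay): a small detector over a
constructed authentication log. It flags
  1. privileged logins outside staffed hours (nobody watching at 02:30 AM);
  2. privileged accounts whose credential was last rotated BEFORE the last
     confirmed intrusion, i.e. a secret the intruder may already know even
     though the entry vulnerability itself has since been patched.
All names, dates, hosts and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Constructed log format:
# "<ISO timestamp> <host> sshd: Accepted <method> for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed inventory of privileged accounts and their last credential rotation.
PRIVILEGED = {"root", "dbadmin", "backupsvc"}
LAST_ROTATED = {
    "root": datetime(2010, 3, 1),
    "dbadmin": datetime(2009, 11, 20),
    "backupsvc": datetime(2010, 4, 10),
}
# Assumed date of the last confirmed intrusion.
INCIDENT_DATE = datetime(2010, 1, 15)
# Assumed staffed window; anything outside it is "off hours".
BUSINESS_HOURS = (time(8, 0), time(20, 0))


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def stale_credential(user: str) -> bool:
    """True if the account's secret predates the last intrusion."""
    rotated = LAST_ROTATED.get(user)
    return rotated is not None and rotated < INCIDENT_DATE


def scan(log_text: str) -> list:
    """Walk the log and collect findings for privileged accounts only."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None or rec["user"] not in PRIVILEGED:
            continue
        if is_off_hours(rec["ts"]):
            findings.append(Finding(
                n, rec["user"],
                f"privileged login at {rec['ts'].time()} outside staffed hours"))
        if stale_credential(rec["user"]):
            findings.append(Finding(
                n, rec["user"],
                "credential not rotated since the last confirmed intrusion"))
    return findings


# Constructed sample log (alice is unprivileged; the last line is noise).
SAMPLE_LOG = """\
2010-04-20T09:12:03 web01 sshd: Accepted publickey for alice from 10.0.0.5
2010-04-20T14:40:11 db01 sshd: Accepted password for dbadmin from 10.0.0.9
2010-04-21T02:30:44 db01 sshd: Accepted password for root from 10.0.0.77
2010-04-21T10:05:00 bak01 sshd: Accepted publickey for backupsvc from 10.0.0.12
garbage line that does not parse
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

On the sample log the script reports two findings: the dbadmin login, because that credential predates the incident date, and the 02:30 AM root login, because it falls outside the staffed window. The two checks are deliberately independent, so an account can trip both; the point is that the second check is only useful if someone is alerted when it fires, which is the human-surveillance argument made above.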
From our viewpoint, cyberspace should not be understood only as a “new” channel through which crimes can be committed, but as an environment in itself, autonomous (but not independent), in constant omnidirectional expansion (conditioned by a myriad of factors). It is true that many crimes now perpetrated through the Internet existed in the past and that only the procedure has changed, but the facts seem to indicate that the global trend is for the space of “ones and zeros” gradually to become a parallel dimension whose fate is to set itself up as an interdependent sub-world. If we pay attention to the direction in which the Internet is moving, we can see beyond any doubt that there is a parallel with social customs in real life (consumption, networking, business, leisure…). There is a (growing) part of the population that consumes, mixes with people, does business and enjoys entertainment mainly through the Internet. Thanks to the ongoing crisis, virtual shops are proliferating in such a way that they do not exist in the real world, only in that recently born commercial sub-world. Many movements of funds are not made physically but electronically; we would therefore pass from “stealing THROUGH the net” to “stealing IN the net”, that is to say, inside the financial sub-world towards which we are traveling and where an important part of our values and interests as a Nation reside.
5. - EFFORTS TO INCREASE CYBERSECURITY
As a summary of what has already been set out, with a brief explanation added, we include below some of the efforts we humbly think could contribute positively to enforcing Cybersecurity, if considered jointly.
I. INTERNATIONAL LEGAL EFFORT
- International regulation does not permit self-defense in cyberspace to the NATO member nations (as a close example), to which Spain belongs. Besides, there is not yet any useful international coordination focused on defining computer crimes.
- Cyberspace must be understood as international, so national regulations cannot prevail; instead, a legal framework should be established by mutual agreement among all nations, preventing hackers from escaping the corresponding sentence thanks to differences among the various national regulations. The absence of common criteria means that users perceive impunity in their illegal actions committed in cyberspace, while society is unable to gauge the seriousness of the issue. As an example: if a country has decided to use the “Net” and to allow its citizens to use it, it should commit to authorizing extradition to the applicant nation of every criminal who has committed, in its territory, illegal acts through the Net or in the Net itself. If there were a legal framework allowing us to regulate access to the Internet in this manner (i.e., barring countries that do not collaborate in the pursuit of cybercriminals from the use of the Internet), we would expose many hackers who operate with impunity from countries with no extradition agreement. So, if the use of the Internet is understood as a right, international society likewise has the right not to support the perpetration of criminal acts with impunity.
- Continuing with regulatory suggestions, any attack against critical infrastructures, whether or not linked to a nation, should be categorized as an attack perpetrated with weapons (classified as a terrorist act or act of war, whichever applies) and punished as such, giving the sentences the necessary publicity in order to convey the seriousness of the attack and achieve better awareness of the serious consequences derived from the use of these new weapons, which allow precise attacks to be committed (cybermissiles).
- As happens with safety regulation, Governments should not allow any enterprise related to cyberspace to operate until it meets the minimum required security standards, certified by accredited third parties and supervised by official inspections. In Spain, the Government is partially fostering this idea through “Plan Avanza2”, with more and more enterprises being certified in the quality of their information security management (with the caveat that the focus is the consolidation of national IT enterprises in strategic sectors). But to increase Cybersecurity, it is indispensable that information security management systems be implemented in accordance with legally imposed international standards (at least those affecting cyberspace security) in all enterprises.
II. LABOR, ECONOMIC AND TECHNICAL EFFORT
- Technical emergency solutions are required, because we cannot ignore the deep knowledge that hackers have of the systems they have exploited, which allows them a subsequent entry even after updates have been installed. Besides, moving to cyberdeterrence also implies a considerable investment to develop tools, tactics and techniques, in which the private sector would play a fundamental role.
- Surveillance and forensic analysis of information and communication systems must be carried out continuously and under permanent human supervision. This implies continuous, increasingly technical training, besides the recruitment of new highly qualified personnel distributed in 24-hour shifts. Evidently this fosters employment, yes, but only after a long stage of investment in money and time.
- Reorganize the assignment of human resources to network administration tasks. Having only one security administrator for the information systems of an enterprise or organization brings as a direct consequence a decrease in the required security level. Saturation is immediate, due to the excess of technical responsibilities: among others, deterrence, surveillance, detection, alerting, reporting, preserving, analyzing, investigating, correcting, training… Impossible for just one person.
III. EDUCATIONAL EFFORT
- Society’s technical level is too low to grasp the complexity of the issue. The education system should integrate technical training in order to prepare our society for the future, so that it can understand and face it. A solid technical base in computing and communications would qualify tomorrow’s working population to hold posts located IN cyberspace.
IV. GOVERNMENTAL EFFORT
- Considering the costs of the measures suggested here, we must mention the basis of the United States’ strategy to secure cyberspace (published in 2003) as a good choice: close collaboration and a solid alliance between the private sector and Government are needed.
- Besides, at Government level, all Ministries must coordinate the joint actions needed to spread the effort (including crisis management during periodic simulations of cyberattacks), since the issue here is to organize and manage a new environment (medium and space at the same time), without ruling out the idea of creating a new Ministry within the Government’s General Management, whose responsibilities would include the management and coordination of every question related to cyberspace.
- Simultaneously, it is necessary to evaluate the global situation in other countries where security is notably inferior, and to develop a policy of homogenizing Cybersecurity levels, distributing expenses, responsibilities and functions internationally. The reason is obvious considering the usual modus operandi, since attacks are usually launched through other infected machines, used as digital infrastructure to carry out, from anonymity, all kinds of illegal acts in cyberspace. It will be impossible to determine the origin of attacks or to attribute responsibility while other nations’ security level is lower than the global one.
6. - CONCLUSION
A single, simple solution that eradicates the security problem in cyberspace while keeping its present functionality and global interconnectivity does not exist. The evolution of the Internet has been so fast that it is now difficult to control. Progressively it gains autonomy and entity as a parallel sub-world, and we do not know the final outcome.
If we really want to increase control and security over this “new” environment, we must be aware of the failure of defensive measures and are therefore obliged to think, from NOW on, in other ways, as long as ad hoc alternatives have not been developed. The essence of the new environment, whose base of work and evolution is interconnectivity, implies that an arms race would probably lead to alterations of the net that diminish its functionality, a direct consequence of permanent global interconnectivity.
It is necessary to go deeper into that sub-world and to found international regulatory bodies, besides introducing a series of professionals, belonging to the permanent population of cyberspace, as a sub-society distributed in accordance with network security needs.
Only in this way will we progressively raise the Cybersecurity percentage, aware that we were the last to start running after the starting signal and that it will take much time to balance the security efficacy levels.
April 29th, 2010
Eduardo J. Orenes Nicolás
Founder and CEO of SEGLOSER®