In late September, deep in bucolic Oxfordshire, an eclectic group of spooks, soldiers, civil servants, academics and geeks gathered in surroundings eerily reminiscent of Downton Abbey. They took tea on the veranda, looked out onto a herd of docile cows and obediently trooped in to dinner when an austere-looking butler banged the gong.
Their focus, however, could hardly have been further from the subtle class divisions that began to rend the fabric of British society in the early twentieth century. They were mulling over how governments should respond to the growing threats facing networked computer systems.
Most of those in attendance were well accustomed to the task of trying to stop bad stuff from overwhelming the Internet, but the tone of the discussions was somber. “You must work on the assumption that all your primary systems are compromised to some degree,” was a typical contribution. “Whatever you might think, they are inside your networks.”
One of the main purposes of the meeting at Ditchley Park was to work out how to protect what is known as the Critical National Infrastructure, or CNI. But just figuring out exactly what constitutes the CNI and who should be protecting it, under whose authority, has proved disarmingly tough. At Ditchley, participants soon established that defining the CNI is nigh on impossible: in this interconnected age, the CNI is everything. Disruption of something like the telecommunications infrastructure could lead to chaos in a very short time because so many other utilities depend on it.
Furthermore, so much of the CNI is in private hands that coordinating its defense with government is a tricky business, fraught with the potential for missteps and conflicts of interest. In the United States, the Department of Homeland Security is in theory responsible for protecting the CNI, but if the American securocrats and military officers at Ditchley were anything to go by, they do not possess anything like the capacity to deal with a major cyberattack. Like other agencies, DHS is too often in thrall to major security companies that have invested heavily in expensive cyberdefense technology.
Moreover, protecting the CNI without infringing on civil liberties requires striking a delicate balance. Those responsible for “bad stuff” in cyberspace are tough to pin down. Who “they” are is open to discussion because “they” might be infiltrating your computer for a variety of reasons. There is a danger that if the scale of the threat is exaggerated, it will prompt moves to step up the regulation and monitoring of the Internet and people’s private communications. In fact, this is already happening.
Bad stuff is out there
The very genius of the web—its interconnectedness—means that the “securitization” of cyberspace has an impact well beyond its stated goals of protecting against the menace of the three main pillars of malfeasance: cybercrime, cyberindustrial espionage and cyberwar.
Almost invariably, states justify imposing restrictions and rules by pointing to the extraordinary growth in such malfeasance. Bad stuff is indeed going down wherever you look in cyber. And you don’t have to be listening to illegal downloads or surfing porn sites to be victimized anymore. When fans of Italian actress Monica Bellucci visited her official website four years ago, not only would they learn of her latest movies and other activities; they would also unwittingly download a virus placed on the website by hackers.
Individuals, companies and governments are constantly under cyberattacks whose origins are uncertain at best and usually unknown. The great majority of these are opportunistic. Hackers send out viruses that report back to them when they have entered a computer whose owner has failed to install or update antivirus security systems. But just as it is hard to identify where the attack is coming from, it is also very difficult to know why it is happening.
The global figures on losses attributable to cybercrime, industrial sabotage and industrial espionage are astronomical. The latest total conjured up by cybersecurity giant McAfee and endorsed by the White House is $1 trillion. Keep in mind that these numbers are arbitrary—there is no accurate metric for ascertaining these losses, and security companies are likely to exaggerate the figures since they have products and services to sell.
We can, however, identify how much we are spending every year on cybersecurity. The latest figures from consultants Visiongain and Gartner put the global annual cost at just over $100 billion, which is expected to double by the end of the decade. The rapid development of cyberdivisions at companies like Lockheed, Northrop, Raytheon and BAE Systems testifies to the emergence of a new arm belonging to the military-industrial complex.
Preparing the cyberbattlefield
In the past two years, we have seen several key attempts to redefine the structure of the web. Most dramatic of all was the Defense Department’s creation of a fifth military domain, cyber, alongside land, sea, air and space. The US CyberCommand has responsibility for this first-ever man-made military area of operations. Its chief is a four-star general, Keith Alexander, who is also director of the National Security Agency.
The primary role of CyberCommand is to defend the .mil networks. Few domain names come under more sustained attack than the Defense Department’s own—hundreds of thousands of attempted hacks (many of them relatively harmless automated operations) rain down on it every day.
The defense of .mil is a fairly straightforward task. But the military has not taken a full inventory of its vulnerability to networked computer attacks. The F-35, Lockheed’s latest stealth fighter, is scheduled to roll out in 2015 at a rough cost ofâ¨$100 million per aircraft (costs that former Defense Secretary Robert Gates criticized for spiraling out of control—he even threatened to cancel part of the contract). However, according to a senior Pentagon source, the Air Force has not carried out a serious investigation of the vulnerability of the 20 million lines of code that will control the F-35. This code is likely to contain vulnerabilities (some of the code is unclassified and available on the web). A malicious hacker or spy with access to the code could wreak havoc on these systems.
The problem facing cybersecurity in the public sector is that it is difficult to distinguish between civilian and military institutions. Following the Chinese government’s successful hack attack at the beginning of this year on Google and Gmail (among many other companies), Secretary of State Hillary Clinton responded immediately as the news became public by demanding a full investigation by the Chinese government into the attack. This ramped up a commercial issue into one of international politics.
Another task for CyberCommand is the development of an offensive cybercapability, spearheaded by the hyperactive Defense Advanced Research Projects Agency (DARPA). These days, it’s hard to find an out-there project in the computer labs of the West and East Coast universities that is not co-funded by DARPA. Although the project is classified, the US military and intelligence communities acknowledge in private that America is ahead of the pack in its development of an offensive cybercapability—in its campaigns in Afghanistan and Iraq, the DoD has become openly dependent on cyberassisted weaponry, notably its use of drones steered by computer operators in the United States that can bomb targets anywhere in the world. Not far behind lies China’s cyberespionage and security strategy, directed almost exclusively by the army. Russia, home to some of the most competent cybercriminal networks in the world, is also a major player, assisted by its intelligence service’s terrifying monitoring system, which goes under the suitably totalitarian name SORM-2. This obliges all Internet service providers of runet (as the web is known in Russia) to send a copy of all data that run across the network to its vast servers for storage.
Close behind these three giants is Israel, which given its tiny population punches far above its weight, thanks in large part to the symbiosis between the high-tech software cluster around Tel Aviv and the IDF’s dedicated cyberunit, 8200. France, Britain, India and Germany are also among the leading members of some 120 countries around the world developing their own cyberoffensive capacity, over which there is no system of treaty control.
The Chinese government, in particular, conducts an indefatigable campaign of espionage that sucks up such a volume of data from foreign governments, companies and international institutions like the United Nations that many analysts doubt it has anything approaching the capacity to assess all the documentation it steals.
The greatest defense against a major cyberattack is the mutual economic and commercial interdependency that globalization (and, in part, the Internet itself) has created. Why would Russia, for example, attack the networked systems of Western Europe when it would be killing the most reliable and efficient market for its gas and oil? Why would China or the United States attack each other when if one of the two powers collapses, the other would follow very quickly?
The Pentagon, the White House and the private security industry make much of China’s predatory cyberstrategy. In doing so, they pass over the strategic advantages Washington and its allies enjoy. The National Security Agency, thanks to its digital reach, is the most powerful espionage organization in history. It receives valuable support from its Canadian, British, Australian and New Zealand counterparts. The United States also has the benefit of access to the incalculably large repositories of data in the servers of companies like Google and Facebook. If the FBI or the NSA wants to peek inside your Gmail or Facebook account, it takes less than twenty-four hours with the requisite court order. But if you are an officer from the closest ally, like Canada or Britain, it will take three to six months of legal procedures before you get access to the data (assuming permission is granted).
For the Chinese and Russian governments, the Americans’ privileged access to the behemoths of the digital world is an enormous disadvantage. This US edge is also an important component of another struggle now playing out: the United Arab Emirates, India and Saudi Arabia have locked horns with RIM, the manufacturer of BlackBerry, insisting that RIM place servers inside their territory that will allow their intelligence services to intercept and decode the encrypted messages of BlackBerry’s business network, Enterprise. Because RIM’s servers are located in Canada, Ottawa has access to those servers (with the requisite legal documentation). And if the Canadian government does, so does Washington, within the framework of the Anglophone intelligence network. To the Emiratis, Indians and Saudis, that means they are excluded from monitoring their political opponents or criminals while the Americans are not.
Stuxnet: Starting sun in a cyber arms race
The surfacing of the Stuxnet virus was probably the most disturbing development of the past year and a half in the cyber realm. IT security experts agree that the virus advanced the cyber arms race by two or three notches. It can attack the operating system of a plant—like the Bushehr nuclear facility in Iran, which many believe was the intended target. “This virus could only have been developed by a team of sophisticated security professionals with time and money at their disposal,” explained Mikko Hypponen, chief research officer for F-Secure, a Finnish antivirus company. “We have known about it for several months and still haven’t managed to decode it fully.” This means, he said, that “we now have proof that states are investing serious resources into the development of next-generation viruses. It is without question the most significant virus we have seen in a decade.”
There has been a ferocious debate as to the origins of Stuxnet. Most speculation lays responsibility at Israel’s door; some respected researchers have implicated the United States, and others China. But it is still impossible to identify with any certainty the origin of a virus, especially if it is let loose into the world by a competent spy agency, as likely was the case with Stuxnet.
In fact, this virus has acted as the starting gun for an arms race in cyberspace. Not only do all major powers feel compelled to develop threatening malware; many smaller countries, which could not possibly compete in a conventional arms race, are working feverishly to develop cyberweaponry. It may sound as though it’s an extension of a Bruce Willis movie, but Stuxnet provides proof that cannot be refuted: the global cybergame has begun.Bio: Misha Glenny's atest book is DarkMarket: Cyberthieves, Cybercops and You (Knopf). The opinions expressed in this commentary are solely those of the author.