There is a legend about former U.S. President Dwight D. Eisenhower’s visit to a secret government laboratory to see the latest “super computer.” In those days, computers were large, and this particular computer filled a warehouse the size of a modern IKEA store. President Eisenhower asked it: “Is there a God?” Several minutes passed while lights flashed and the machine hummed and churned inside. Finally, it presented the president with the answer: “Now there is.”
Similarly, the dynamic interactions and synergies of new information and communications technologies have created a new domain called “cyberspace.” This domain of electromagnetic activity, digital data processing and data transmission is invisible to the naked eye, yet it is just as vital to the health of our economies and social well-being as the air we breathe. However, the great promise of these new technologies and our growing dependence on them has exposed serious vulnerabilities that need to be addressed. One of these is malicious state-sponsored cyber activities, including cyber espionage and the use of malware to disrupt or destroy critical processes that support life and economic activity.
The recent contribution by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, a book titled Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy, comes after several high-profile cyber incidents have contributed to an increasingly tense atmosphere among nations. This landmark 740-page volume features a collection of articles on technology, security policy and legal issues that could apply to state activities in cyberspace.
Policymakers, legal experts and information technology (IT) security professionals who are used to working in a Microsoft Windows, Intel, PC-based environment will find much to like. However, industrial control systems-oriented cyber security folks may be slightly disappointed. For example, searches in the book for terms that refer to the systems and devices used to remotely access and control critical infrastructure (CI) operations such as SCADA, PLC, DCS and RTU yielded no results. The cyber fragility of CI devices and systems, which provide the foundation for the safety and availability of electric distribution grids, transportation systems, and water and gas pipeline control, is not adequately understood and not properly addressed. The complexity of cyberspace requires cyber security professionals from multidisciplinary backgrounds. It is not enough to be an IT cyber security expert.
This selection suffers from an imbalance in contributors: 15 of 24 focus on legal aspects, four address international security policy, three are scientists/specialists and two examine military ramifications. The lack of a multidisciplinary approach is perhaps part of the reason malicious state-sponsored activities in cyberspace have not been adequately addressed in international forums. Diplomats who seek to develop confidence-building measures and draft cyberspace treaties through discussions and negotiations in international organizations need to work in partnership with the technical community, not in isolation. Diplomats and policymakers alone cannot manage this issue without an understanding of technology and its potential misuse.
Critical infrastructure is a vulnerable target for cyber attack, not just from cyber criminals and politically motivated hacktivists, but also from states. Part I of the book focuses on “technical features” (and most curiously, “sociological facets”). STUXNET is mentioned, but not one author made reference to Ralph Langner, the first to analyze and draw attention to the sinister non-Windows part of STUXNET. This is like writing about the theory of relativity without referencing the works of Albert Einstein. Our understanding of the serious technical and policy implications of STUXNET came not from IT professionals, or those working for anti-virus firms specializing in Windows-based software protection, but from industrial control experts who are aware of STUXNET’s second, non-Windows “warhead,” namely the Siemens program logic controllers and the specialized software used to monitor and control these devices. The book underestimates the impact of this new family of malware, handicapping policymakers who must ask two critical questions when developing national cyber security strategies: What needs protecting and what are the threats?
This compilation also fails to address the link between STUXNET and the “Edward Snowden affair,” revelations of massive government cyber spying and surveillance programs. To prepare hostile malware for a specific target requires a great deal of support not only from laboratory programmers but intelligence services. Snowden’s leaks of information from the U.S. National Security Agency show the enormous capacity of governments to actively and passively collect intelligence. If the book better integrated STUXNET and Snowden, it would have been possible to evaluate the threat of STUXNET type attacks in the future.
The book’s failure to recognize these two points leads to its third major weakness – the assumption that attribution is futile. The legal analysis gives the impression that current laws are sufficient if attribution were feasible, but failed to explore other ways of addressing the issue. For example, Jason Healey of the Atlantic Council wrote an excellent paper, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” offering an innovative proposal for dealing with attribution.
The authors could also have noted successes in assigning attribution to cyber crime. The main ingredients are a shared perception of the common threat, available technical means and, most importantly, the will and desire to cooperate. A good example is the arrest of Sven Olaf Kamphuis, alleged to have organized the biggest cyber attack in Internet history. He lived in the Netherlands but was arrested with the cooperation of Spanish law enforcement. The Snowden revelations, if true, support the argument that the technical means to investigate and assign attribution are available. When a state comes under suspicion for a cyber incident, the combination of ingredients used to defeat cyber crime is lacking. Attribution is not impossible, as many of the authors (Christian Czosseck, Mauno Pihelgas and Terry D. Gill) seem to think, but rather a political problem. However, governments do not want to apply the same methods, nor any legal caveats, that could constrain their own cyber activities.
Part II, “Rights and Obligations of States in Cyberspace,” is perhaps the most ground-breaking section. It provides approaches on how states’ current responsibilities in other domains could be applied to cyberspace. There is a fascinating and informative survey of current legal applications in the domains of aviation (Stefan A. Kaiser and Oliver Aretz), the environment (Thilo Marauhn), undersea cables (Wolf Heintschel von Heinegg), outer space (Martha Mejia-Kaiser), territorial sovereignty (Benedikt Pirker) and world trade (Joel P. Trachtman). Many have tried to use nuclear or chemical warfare policy as an analogy, but space law is worth reading. The section ends with a discussion of cyber espionage (Ziolkowski). Efforts should be made to avoid equating cyber spying with traditionally accepted spying. In cyberspace, the policy implications of the easy transition from cyber spying to cyber sabotage are not fully appreciated, especially relating to “preparation of the battlefield.”
In a 2011 per Concordiam article, I concluded that because of growing and largely unaddressed security issues, the Internet as we know it is at a crossroads. In Part III, Chris C. Demchak provides a very plausible, yet troubling, prediction on where one choice for the road ahead may lead. The remaining choices unfortunately will not save the Internet “utopia” that existed from 1992 to 2007. The best we can do, in this reviewer’s opinion, is to agree on some reasonable “rules of the road” that will save as much of that utopia as possible.
This collection of articles provides a strong case for putting the activities of states in cyberspace on the international agenda. It represents a significant contribution toward a wider understanding of the complex policy issues raised by our critical dependence on cyberspace. This is an ambitious, challenging, must-read volume for everyone seeking ways to manage clear and present cyberspace dangers threatening national security and economic and social well-being. This work can provide a common base from which to work together to ensure a “cyber safe” future for all. ο
A downloadable, free copy of the book is available at https://www.ccdcoe.org/427.html
This review represents the opinion of the author and should not be attributed to any organization with which he is affiliated.