Cyberwar and cybercrime – responding to the governance challenge

We caught up with Diplo’s Vladimir Radunovic who attended the 2nd Belgrade Security Forum at the end of September. The forum was convened to discuss the challenges to democracy and security in this time of global crisis. Vladimir was one of the panellists in Session 3: Cyberwar and cybercrime – responding to the governance challenge and was happy to answer some questions for us.

How do we define cyberwar? Is most cyberwar just espionage?

When it comes to defining cyberwar, we can look at it in two ways. First from a narrow perspective. Think of the cyberattacks in Estonia back in 2007 when websites were blocked and the country’s entire Internet services crippled – banks, government services, business communications… Or the 2008 attacks on Georgia when a  coordinated deluge of millions of requests overloaded the country’s servers and shut them down.  Or 2010 and the Stuxnet virus attack against Iran – a masterpiece of malware code which managed to take control over and then physically destroy large percentages of uranium-enrichment turbines in the Natanz facility. The cases are numerous (and yet it is likely many more are kept secret by the victims) and are likely to grow. More importantly, the effects go much beyond espionage and temporarily disabling some servers: as the critical infrastructure of modern society – such as power plants, electrical grid, water supplies, etc. – increasingly depends on networked computers, the effect of cyberattacks can possibly lead to war-like consequences including destruction and death.

We can also look at cyberwar from a broader understanding where strategic control of information and information security comes into play. Due to historical and economic circumstances, the online space is dominated by the US industry and content, and its global outreach enables greater influence of western culture, including (but not limited to) openness and freedom of expression. The confluence of the cultures in the cyberworld sometimes raises real-world consequences. Take a look at the real-world consequences (even lives lost) of the recent YouTube video mocking Prophet Muhammad – the full freedom of expression by anyone, respected in the USA, is not a shared global value.  Some countries, like Russia or China, fear that the Internet is being used for ideological aggression; in response, at the end of 2011, the countries of Shanghai Cooperation Organisation (SCO) proposed to the UN an International Code of Conduct for Information Security (note that the text of the code does not mention cybersecurity, but only information security). This proposal goes along with a trend in many countries to control online content, including filtering, as a way defending their own cultural or political systems. In this broader view, therefore, cyberwar is not only about cyber-attacks, but also about the information warfare in cyberspace.

So is the scenario of a cyberwar a reality or hype? And are the Geneva Conventions relevant to cyberwar if it occurs?

Let’s turn the issue upside-down and ask ourselves how do we define cyberpeace? Are we currently living in times of a cyberpeace? On one hand many would say that the information war is ongoing, which might be seen in the increasing control over communications by many (if not most of) governments. On the other hand, however, in spite of a growing number of state-driven cyber-attacks there have been no major ones that could be labelled as ‘armed attack’ according to classical definitions of war by von Clausewitz or the Law of Armed Conflict (not even the attacks on Estonia, according to NATO reports). But the time can come when a single cyber-attack will cause such consequences (including damage, destruction, injury, and death) that the attacked part would consider it as an armed attack, i.e. act of war, and possibly respond with either counter-attack in cyberspace, or even with a real-world attack, leading into the traditional war.

How should cyberwar be waged, and could the existing international treaties like the Geneva Convention be relevant? Comparing physical war with cyberwar is a little like comparing apples and oranges. They’re both fruit but so very different. These are both types of war, but so very different. The Geneva Convention, for instance, sets up ‘rules of war’, like protecting the civilians, causing damage proportional to objective of attacks, etc. Some of these principles can certainly be used in case of cyberwar as well, but there are challenges specific to cyberspace. For instance, it would not be so easy to limit the proportion of the cyber-attack, due to the very nature of the Internet as a global network (e.g. the spread of the virus can hardly be controlled). More importantly, attribution of the cyber-attack is one of the major problems: it is almost impossible to attribute the attack to any particular party (country), also because most of the attacks are implemented by globally distributed networks of hijacked zombie computers (botnets).

Not the least, the parties (countries) should agree to apply existing international law like the Geneva Convention to the cyberspace as well. The US officials clarified again a month ago that international law does indeed apply to activities in cyberspace. Several countries, including the USA, Russia, and China, have been working since 2008 within a group of governmental experts on defining ‘international norms pertaining the state use of ICT’. It seems there is a general interest in at least making the rules of cyberwar clear, if not preventing it entirely.

What is the responsibility of states in preventing cyber-attacks? 

At the heart of the challenge of both cyberwar and cybercrime is the issue of the cross-border flow and transit of data. The Internet protocol is built in such a way that the data packages from country A to country B are each time routed through different routes around the world, depending on which route is the least crowded at that particular moment. That means that the data packages of the cyber-attack on Estonia, for instance, travelled through a number of countries in the region, and possibly beyond. Should the transit states be liable? And, if so, should they be allowed or obliged to check for the content of the data flowing through their sovereign territory, similarly to checking baggage at border crossings? Would that ruin the notion of a borderless Internet of today, and ultimately its openness and functionality?

What also comes into play is the ability to track and the ethics of tracking the data. The technology is already available and in use: the deep package inspection (DPI), a much disputed method due to implications to privacy, has also been used by the Qaddafi regime and the Libyan security forces to track nearly all of the online activities of the country’s 100 000 Internet users. Supplied by foreign firms, the technology allowed the regime to capture everything from chat messages to e-mails initiated by Libyan citizens. There are many more examples of such misuse of this and other technologies.

So let’s say the countries wish to prevent cyber threats, what is the way forward? 

No state can do anything on its own without risking cutting itself off the global Net. Instead, what is needed is a cross-border cooperation of responsible public authorities, but cooperation based on a clearly outlined set of judicial procedures with adherence to the fundamental human rights (especially freedom of expression and privacy) and openness of the Internet.

That implies that the legal environment should be harmonised. Is it possible and likely?

There exist many global and regional initiatives: the ITU Cybersecurity Agenda, the above-mentioned SCO proposal at the UN on an international code of conduct, the Council of Europe’s 2001 Budapest convention on cybercrime, the Commonwealth Cybercrime Initiative, the African Union Convention on Cybercrime… The list of proposals for Internet rights and principles is even longer. But, there is yet no widely accepted balanced and efficient approach that would encompass both security and human rights dimensions. The forthcoming meetings of the UN Internet Governance Forum in Baku in November and the  ITU World Conference on International Telecommunications in Dubai in December are currently the two international policy processes in focus that might move the discussions forward (or backward).

There is clearly a need for a governance model. Yet it seems that governments cannot do this alone – who are the other actors involved, and how?

Cyberwar and cybercrime can threaten any networked society on several levels: strategic (such as control of the information); economic (including the loss caused by the Internet downtime, which goes from dozens of thousands of dollars per hour of downtime for the media sector, up to several millions of dollars for large online brokerage companies); and infrastructure (especially critical ones like power and water supplies). The entire Internet ecosystem – if not our entire society – is involved in both the risks and possible prevention of cyber-attacks: from IT-related businesses (telecoms and ISPs, hardware and software vendors) and other corporations (especially small and medium ones which are common victims), via prosecuting and judicial authorities, to end-users (whose computers are commonly infected and used as bots). Governments and public authorities cannot prevent or respond to these threats without the cooperation with other stakeholders: a truly multistakeholder approach to both policy planning, education, and emergency responses is needed.

But this requires the full awareness and professional capacity of all the institutions involved (including the non-state actors) to understand the basic operating principles of the Internet, the legal and security aspects as well as the human rights aspects of the challenge. Governments and public authorities need to understand how the Internet works, and thus what is a real risk and what is hype. But also the engineers and tech community need to understand the governance models, the political and diplomatic aspects, and the needs for a comprehensive policy. Education, awareness building, and dialogue is key. This panel at the Belgrade Security Forum, initiated by Swiss DCAF, is a good example how to start.