Wednesday, July 1, 2009

Conflicts in cyberspace

At the risk of becoming a blog that does nothing but comment on New York Times stories, the NYT is reporting that the US and Russia are expected to continue discussions, during President Obama's visit to Russia this week, on Russia's proposal for an international treaty to limit offensive cyberwarfare capabilities. The US, which has so far opposed calls for such a treaty, instead favors a defensive approach which focuses on better security and increased cooperation between law enforcement agencies, which it hopes will reduce network vulnerability to attacks from both rogue operators and governments.

This discussion comes in the wake of an upsurge of interest in cybersecurity and online warfare; the Obama administration recently undertook a review of USG cybersecurity coordination, resulting in the creation of a White House coordinator for cybersecurity, while the US Military is in the process of creating Cybercom, a new command for offensive and defensive cyberwarfare. The UK and Russia, among other countries, have also stepped up their efforts. This is from President Obama's remarks on the review, in which he revealed, among other things, that his presidential campaign had been hacked:

"This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

The administration's interest in cybersecurity, while forward-thinking and reflective of Candidate Obama's commitment to addressing unconventional threats, also responds to a number of recent incidents. In 2007, in what has been described as the first war in cyberspace, hackers (believed to be Russians or Russian Estonians) shut down much of Estonia's online infrastructure for several days in response to the Estonian government's removal of a monument to Russian soldiers. This attack (the article is well worth reading) was a distributed denial-of-service (DDoS) campaign, launched from both dedicated and rented botnets, that flooded and knocked offline the sites of the offices of the president and prime minister, parliament, and Estonia's largest bank. In 2008, as Russian tanks rolled into Georgia, hackers took down Georgian government and military networks (see here for a list of suggested targets). In 2001, after a US Navy surveillance plane collided with a Chinese fighter, hackers launched coordinated attacks on USG networks; malware has reportedly been found on computers at the Pentagon and NASA. Israeli networks regularly block attacks believed to come from Palestinian groups, and Danish servers were targeted after the 2005 publication of cartoons of the Prophet Muhammad.

Like conventional terrorism, cyberwarfare gives states, and their sympathizers (known in this case as "hacktivists"), a way to advance their interests while maintaining plausible deniability. Although the Estonian government says that Russian government IP addresses appeared among the sources of the 2007 attack, and both Russia and China are believed to have developed offensive capabilities, the use of botnets makes responsibility hard to trace: the traffic arrives from thousands of compromised machines around the world, so the source addresses identify those machines' owners rather than whoever commands them, and following the chain back requires active cooperation from the countries in which the machines sit. Perpetrators of online attacks are rarely caught. Or, to quote the New Yorker cartoon in which two dogs are sitting at a computer, "On the internet, nobody knows you're a dog." This is from Global Dashboard's Peter Hodge:

"The Russians and the Chinese appear to run a decentralized model, outsourcing cyber-war to shadowy civilian groups. The advantages of this approach include deniability, flexibility, access to the latest tactics and weapons, and being able to draw on the best talent available (hackers, IT workers, online gamers)."

For example, security pundit John Robb blames the Russian Business Network (RBN), an online crime syndicate, for the attack on Estonia and foresees a growing strategic advantage for countries that are willing to operate cyberwarfare through third parties. Evgeny Morozov, writing in Slate, describes how easy it is to become one of those third parties, using readily downloadable applications to flood servers with information (click here for cool movies of malicious activity). Hodge's conclusion is that the best response to outsourced attacks may be an outsourced defense:

"So, rather than set up a hierarchical government unit, a better strategy for countering cyber-attack could be to form a flat network of experts, set a general operational framework, give people the resources they need, then let them go for it. And keep the managers and the HR people well away."

The implications of all this span defense, international relations, and trade. Interestingly, they also raise complex legal issues ranging from privacy to intellectual property to NATO's commitment to collective defense. The Berkman Center at HLS is doing interesting work in this area, especially (in the form of the OpenNet Initiative) in tracing government filtering of internet content. On that topic, Slate ran a piece on the Iranian government's success in controlling information, which has launched the logical equivalent of a DDoS attack on my previous post about how Twitter has facilitated the Tehran protests. Perhaps most interesting are the article's assertions that the Iranian government is using crowdsourcing to identify protesters and that Nokia and Siemens built the system the government is using to stifle dissent.

On the topic of corporate complicity with filtering, and last but not least in this international technology roundup, China has delayed the enforcement of its new rule, set to enter into effect today, that all computers sold in the country be equipped with "Green Dam" software, which allows the government to block "objectionable content," supposedly restricted to pornography but, according to leaked documents, also including numerous political buzzwords. According to the WSJ, China and Iran use different approaches to filter information:

"China's vaunted 'Great Firewall,' which is widely considered the most advanced and extensive Internet censoring in the world, is believed also to involve deep packet inspection. But China appears to be developing this capability in a more decentralized manner, at the level of its Internet service providers rather than through a single hub, according to experts. That suggests its implementation might not be as uniform as that in Iran, they said, as the arrangement depends on the cooperation of all the service providers."

The delay, which seems motivated partly by the logistical impossibility of implementing the rule on the government's timeline, also reflects US objections regarding possible violation of free trade agreements and concern from computer manufacturers that the software may compromise the security of the computers on which it is installed, which sort of brings us back to the beginning of this post. If you are keeping score, which someone should be, Sony, Lenovo, and Acer are reported to be making attempts to comply with the order; HP and Dell have been quiet about their plans.