Ronald Deibert: Tracking the emerging arms race in cyberspace

OPEN IN VIEWER

Photo: Glenn Lowson.

For governments around the world, 2010 brought new evidence of the growing cyber threat to national security. The year began with Google announcing that it and other companies had been the target of a China-based cyberattack, known as Operation Aurora, though a direct connection to a government cannot be proved. In the spring the United States named General Keith Alexander, who also heads the National Security Agency (NSA), as the first head of a newly established Cyber Command meant to “fight and win wars in cyberspace.” And late in the year, security experts said a sophisticated computer worm called Stuxnet may have corrupted or damaged industrial control systems around the world, including at Iran’s Bushehr nuclear reactor and Natanz uranium enrichment facility.

Ronald Deibert—who directs the Canada Center for Global Security Studies and the Citizen Lab at the University of Toronto’s Munk School of Global Affairs—has co-authored key reports on cyber-espionage, including “Tracking Ghostnet,” which documented an alleged cyber-espionage network, orchestrated from Chinese soil, that affected more than 103 countries and 1,295 computers including ones in the headquarters of the Dalai Lama; and “Shadows in the Cloud,” which analyzed how a different China-based espionage network operated in part by using cloud computing services. He is also a co-founder of the Information Warfare Monitor project, which, together with the Ottawa-based think tank SecDev Group, tracks the militarization of cyberspace. He spoke with BAS about how cyberthreats affect the global order, and how they relate to existing threats to global security.

BAS: President Barack Obama’s recent Cyberspace Policy Review declared that “cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century.” And there has been much talk in policy-making circles of the “militarization of cyberspace.” To what does the term refer?

DEIBERT: Militarization of cyberspace refers to the growing pressures on governments and their armed forces to develop the capacity to fight and win wars in this domain. The clearest and most potent example of militarization in the United States is the setup of the Cyber Command, which unifies all of the existing military cyber activities under a single command headed by General Keith Alexander of the NSA.

This one development will have a ripple effect around the world. Not to put it too bluntly, but other countries—beginning with the countries closely allied to the United States—have to fall in step as a function of being closely engaged on an operational level with the US military. Outside the Western allied community, there will be a different, negative reaction. Adversaries will feel that they must adapt or be left behind. If you look at China or Russia, they probably realize they can’t compete financially and organizationally on the same level as the US Cyber Command, and so they will look at asymmetric techniques, including potentially cultivating criminal networks, or encouraging so-called patriotic hacking in which citizens themselves wage cyberattacks. We’ve seen all of those techniques crop up with greater frequency. The Internet is being rapidly degraded by militarization, censorship, and surveillance. This unique artificial communication medium that human beings have created, and that should be central to global democratic governance, is being rapidly degraded.

BAS: It’s always been important to use information technology to gather intelligence on your opponents—whether to assist in fighting wars, or to learn who is developing weapons of mass destruction, for example. What’s changed?

DEIBERT: It is important to recognize that cyberspace is essentially a new environment, a new ecosystem, or domain—equal in importance to land, sea, air, and space—within which states and other actors seek competitive advantage. That recognition has seeped into US strategic doctrine, which now speaks of the need to dominate and maintain freedom of maneuverability in cyberspace as much as in the other domains.

This doctrinal shift is not something that happened overnight; it has been a gradual transformation that started in the middle of the twentieth century. By the 1980s and 1990s new, more systematic, studies and ways of thinking emerged about the so-called “Revolution in Military Affairs,” which recognized the role of information technology in the conduct of US armed forces. But then, in the early 2000s, you had a fundamental reconceptualization in various national security circles that cyberspace itself had become something more than a tool, but an actual environment. This is a transformation on the order of something like what the great British theorist Halford Mackinder—considered by many to be one of the founding fathers of geopolitics—spoke of with respect to the “Heartland Theory” and the changes wrought by the Industrial Revolution. We now have an appreciation by the world’s armed forces that a global technological environment we have created—an artificial environment, in other words—is a space within which states and non-state actors will compete for strategic advantage and try to engineer to suit their strategic interests.

BAS: How did this evolve?

DEIBERT: Right through the dot-com era, governments were either ignorant of—or took a hands-off approach to—cyberspace. But with the use of these technologies by civil society such as NGOs, opposition groups, and advocacy organizations—and by some uncivil society groups such as militants, criminals, and terrorists—governments became aware of its potential negative implications. You’d have to look at each government’s threat perspective to untangle this carefully from each national point of view, but you begin to see a growing recognition among governments that this domain has to be policed and controlled. Governments began to intervene, first through the erection of digital firewalls to block citizen access to information, and then through the development of military capabilities. If you look at authoritarian regimes, their perception of what constitutes a threat includes opposition groups or human rights activities and dissidents. For them, techniques like network exploitation and denial of service have become a convenient way to limit and contain what these groups do, in addition or as a complement to Internet content filtering practices.

BAS: What are the lessons from the sophisticated Internet attacks that struck Estonia in 2007 and Georgia in 2008—both during conflicts of different types with Russia—crippling government and media websites?

DEIBERT: The most salient lesson was that it was impossible to prove whether or not the Russian government itself was behind the attacks. We have entered an age where anyone can participate in a cyber conflict from any point on earth, masking their location and their identity, yet causing serious disruption. Attacks can be “crowd sourced” by governments—as some suspect might have been the case in Estonia and Georgia—or arise from acts of spontaneous participation, or both. In such an environment, it complicates the task of assigning blame to a state and forming an appropriate response. This is potentially destabilizing to the global order.

There’s evidence that governments are deliberating cultivating an ecosystem of cybercrime and privateering. In the case of the “Ghostnet” (Information Warfare Monitor, 2009) and “Shadows in the Cloud” (Information Warfare Monitor and Shadowserver Foundation, 2010) reports, for example, we could not pinpoint the attacks to the Chinese government itself, but they certainly would benefit by the information that was stolen from compromised victims. Similarly, it cannot be proven that Russian security services orchestrated the attacks on Estonia and Georgia, but the attacks clearly served Russian goals.

BAS: We’ve heard from former US counterterrorism czar Richard Clarke and others that cyberweapons can cause widespread infrastructure damage—like plane crashes, blackouts, and the crippling of financial markets and records.

DEIBERT: You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet. There is a lot of redundancy in the networks; it’s not a simple thing to turn off the power grid. Disruptions are more likely to happen because of de-regulation and a reduction in basic corporate accountability, than from a cyberattack, in my opinion—at least in present conditions.

The risks also have to be placed in context of social, political, and economic forces that militate against them. We live in a complex interdependent world in which most countries are intertwined and mutually dependent on huge financial flows. That will constrain governments against attacking each others’ critical infrastructures, a kind of mutual assured destruction in cyberspace. Of course, this dynamic will not have the same effect against small groups or terrorists bent on destruction, but those organizations, for the time being anyway, seemed more focused on spectacular forms of violent behavior that are less complicated to engineer.

The concerns around mass destruction—the “Electronic Pearl Harbor,” so to speak—can also be used to justify extreme regulatory measures that diminish privacy and other liberties, or justify major defense contracts for the private computer security sector. We have to be careful to check people’s credentials, and ask whether there is a commercial agenda behind their prognoses and warnings, especially in an environment where the cybersecurity commercial market is exploding.

BAS: How are these commercial interests driving the evolution of the relevant technologies?

DEIBERT: I have seen estimates that there is anywhere from a $50 billion to $80 billion annual US market for cybersecurity. Whatever the precise figure, the amount is huge. This not only creates a kind of feeding frenzy among defense contractors, but also propels the development of more refined techniques of monitoring, exploitation, and attack. This new cybersecurity market brings to mind Dwight Eisenhower’s warnings of a looming military-industrial complex. When you have a major defense budget served by the private sector, a constituency is created that has enormous influence over policy, perceptions of threats, and strategic interests.

You can look today at the cyber military-industrial complex, where you have major private sector actors offering network attack strategies and surveillance techniques that were never before imagined. Suddenly, companies like Northrop Grumman or SAIC or Booz Allen are not only servicing a market, but they can help create ones by marketing “solutions” to defense agencies, law enforcement, and intelligence services. And that can really begin to change the way in which cyberspace is constituted.

BAS: Recently, a computer worm called Stuxnet targeted industrial control systems, reportedly including Iran’s nuclear facilities. How are we to understand the cyberthreat posed to the nuclear complex in particular?

DEIBERT: Much as we need to be cautious about fear-mongering, we do have to be concerned about things like Stuxnet. There is a lot of speculation about where it came from, and who the targets were. And that’s part of the character of how cyberattacks can be destabilizing. These techniques can cause damage but be delivered in a way that we don’t know where they came from and what was the precise intent. They are also very difficult to control.

Stuxnet shows the ability of attackers, using very sophisticated techniques, to do damage to industrial control systems. This worm was able to overcome the so-called “air-gapping” of industrial control systems because it moved through USB sticks and other media. It targets very specific industrial control systems that tend to be arcane and very specialized—Siemens operating systems and specific Windows operating systems. It employed several separate “zero-day” attacks, meaning attacks that had yet to be registered by security companies. If present trends continue, forecasts about attacks on critical infrastructures will become more accurate and worrisome.

BAS: Despite all of these troubling trends, doesn’t the Internet still provide a powerful means for citizen empowerment, democratization, and free speech around the world?

DEIBERT: We assume these technologies support social mobilization in benign ways; that groups and individuals can use them to outflank authoritarian regimes. Some have even hypothesized the end of authoritarianism, assuming that slow, cumbersome government bureaucracies would not be able to keep up. But while activists may use fancy new gadgets to mobilize and raise awareness, governments can also use the same technologies with precision to monitor and control. In addition, there is also a growing impetus today to re-engineer the Internet to get rid of anonymity and make tracking of communications more efficient for law enforcement and intelligence agencies. This is one area where the NSA and the Chinese Public Security Bureau wholeheartedly agree. Insofar as such proposals gain traction—and I believe they will—some of the Internet’s defining features will be degraded.

BAS: Your recent research has turned up extensive evidence of global cyber-espionage. How vulnerable are the national security secrets of the United States and other countries to such espionage?

DEIBERT: Whereas in the past, government agencies that were very secretive would have sensitive documents in locked filing cabinets behind locked doors, they are now migrating to cloud computing services and social networking services that have questionable security architectures and poor data handling practices. There is just a lot more information sharing going on—thumb-drives moving from offices to homes to cafes, disks uploading information to cloud services, mobile phones sending and receiving information while roaming over multiple networks in numerous jurisdictions. As a consequence, those agencies’ information has become more vulnerable.

What we have been able to find in our work—and keep in mind we are a relatively small university-based research team in cooperation with a small private-sector think tank—is that the China-based cyber-espionage included the theft of documents marked “secret” and “classified” from the Indian National Security Secretariat, including detailed discussions of troop movements, analysis of insurgencies that the Indian government was facing, and very detailed defense contracts. We’ve had other investigations, some of which we haven’t yet published, where sensitive information has been stolen from law-enforcement agencies and private sector actors in the United States. Anybody who networks today is vulnerable. And there is a massive ecosystem of crime and espionage that feeds parasitically off the hidden underbelly of social networking platforms.

BAS: The United States has been pushing for broader cooperation on the crime-fighting level, and Russia has been calling for “cyber arms control.” Is this achievable?

DEIBERT: Russia has been pushing for arms control in cyberspace, or information-weapons control. Most people dismiss this as disingenuous, and I tend to agree. Most observers see it as Russia’s attempt to constrain US superiority in the cyber domain. Russia is more concerned about color revolutions and mobilization on the Internet by dissident and human rights groups—and trying to eliminate the United States’ ability to support that type of social mobilization—than it is about protecting the Internet.

In spite of that, I think it’s worthwhile to push them on it. If I were working for a foreign affairs ministry, I’d use this as an opening to talk about mutual restraint, cooperation, and push them back on what should be the rules of cyberspace. Some people dismiss cyber arms control, and they are right on one level: We cannot control information weapons—something like Stuxnet—in the way we talk about eliminating certain classes of weapons like ballistic missiles. Information is too difficult to control, and verification would be impossible. So what’s left? There is some merit in controlling behavior and enforcing rules in cyberspace. Language similar to something like that found in arms control agreements could begin to make sense.

BAS: What would such an agreement or set of rules look like?

DEIBERT: If you look at the Outer Space Treaty, the Moon Treaty, the Antarctic Treaty—they might be useful models for a Cyberspace Treaty. With those agreements, the aim is less about controlling certain classes of weapons, than it is about controlling expectations and developing a set of principles, rules and procedures, and norms about how states behave with respect to an entire domain.

Of course there is a lot that will be difficult to accomplish, especially when it comes to controlling cyber-espionage. But there are mutual interests that relate more to controlling cybercrime, viruses, and denial of service attacks that could form the basis for practical, positive outcomes. For example, one area that could be improved is the networking and integrating of national computer emergency response teams (CERTs) in a more robust, global manner. That is something all countries should probably agree on and can be accomplished in a way that creates a globally distributed sensor net to monitor “bad behavior” in cyberspace.

If you look at some outcomes of our own research as an example—we said we had no evidence linking either of the espionage networks we uncovered to China’s government itself. Quietly, and without much public fuss, we sent the information we had on the command and control servers that were being used by the attackers to the Chinese CERT, and to our surprise they thanked us and took measures to shut them down. I thought that was very interesting. If we are looking at trying to control this activity, we are going to need to facilitate and support that type of information sharing. A global network of nationally-based sensor teams monitoring the Internet and sharing information about its health with each other reminds me of the type of organization envisioned for verification of the Comprehensive Nuclear Test Ban Treaty, if it ever comes into force.

BAS: Is there a direct connection between the militarization of cyberspace and threats to humanity, including climate change and nuclear war?

DEIBERT: Look at the type of information sharing that is necessary for things like communication among global scientists around issues like global warming or nuclear test ban verification. All of these global monitoring systems depend on a communications platform that is relatively open, secure, and highly efficient. To me it’s a no-brainer that in order to fulfill the desire to monitor the planet in a way that assures nuclear weapons tests aren’t taking place that are in violation of an agreement—and that tracks climatic conditions in real-time—you need a communications platform that spans the globe that looks pretty much like the Internet. I fear that decades from now people will look back at the 1990s and 2000s and see it as a small window when cyberspace was an open, public commons of global information that was eventually destroyed by short-sighted policies and mutual fear and insecurity.