A decade ago it was possible to say that cyber was a promising new topic, which had the potential to stay beyond the realm of politics. Today, not so much. Besides becoming highly contested political ground, cyber has the devastating capacity of widening the policy gap between public and private sectors. Let’s face it – even all the highly inspirational calls coming from government officials and private companies have not had anything like a tangible result. And they are not likely to. And this is just the backdrop of the story, because countries, especially big and powerful ones, are piling up cyber weapons and sharpening their already defensive national cyber strategies. They will develop and eventually sign a comprehensive and all-inclusive set of cyber treaties, but for that to happen it seems that the world may need a cyber war or at least a major regional cyber collapse. When will this happen and, if it does, how massive will the collateral damage be for international relations?
A la cyber arme
International relations are an intricate and yet cumbersome matter. Throughout history they have been challenged by innumerable large and minor factors, be it social changes, economic advancement or technological progress. Technology has always been at the heart of this contestation and simultaneously pushed humanity to become better versions of ourselves. Or worse. The cyber domain is a vast playground for states to flex their muscles until it hits something hard and solid. Even five years ago some of the most renowned experts[1] were adamant about the concrete improbability of a more or less global cyber war. Today, countries are waging low-key cyber wars and are immersed in a cyber weapons race, not to mention global paranoia about state abuse of big data. And the weapons are getting more and more sophisticated with each passing day.
Some 10 years ago, cyber weapons were used mainly to take down or suspend the proper functioning of critical infrastructure. In 2007, Estonia was the first loud public case of a country victimized, presumably by another country – Russia – amidst political turf wars. Over the course of one day some crucial governmental web services and online banking systems were taken down by an unprecedented DDoS attack on the servers. As a result, 10 years later Estonia (some even refer to the country now as E-stonia) is one of the European strongholds of cyber vision and R&D as well as the host of the NATO cyber excellence center in Tallinn. Georgia in 2008, Ukraine on numerous occasions, Israel, Turkey, Iran with the notorious Stuxnet case, Saudi Arabia and Aramco, the USA with the Sony attack presumably coming from the DPRK and many more – all these attacks were large and well-orchestrated, most probably state-funded. Still, their preparation required several years in some cases and they had to be manually injected into the targeted system. Experts are wary of giving a precise number for economic losses from cybercrime, but the most recent research shows that it is around $450 billion annually.
Cyber attacks have become increasingly political, especially with the 2016 US Presidential elections unfolding against the backdrop of loud allegations of Russia’s meddling in the election process. Whether it is true or not, the wider public has no official reference to rely on, but there is hardly any doubt that something happened between the two countries in that heated time of the election cycle. Especially with the recent news about Microsoft targeting the hacking group Fancy Bear, which is accused of hacking the Democratic National Committee and allegedly has links to the Kremlin. The legal reason Microsoft used to file a lawsuit against the group is the group’s compromising of Microsoft domain names, thus making the tech giant look like part of the cyber political assault. This is a real-life game on multiple levels – high political and low-key private – generating marshy and shady news flashes about “fake news” even today.
Today, the attacks vary greatly in their nature, but the most accessible, effective and unpredictable form of cyber offensive is blocking data for ransom (ransomware). If yesterday state-sponsored hackers just took down infrastructure or spied for data, today the matter has gone further – or, for some romantics of the field, acquired a more traditional touch – hackers simply block data through malware sent via emails (phishing is widespread) with rigorous deadlines for payment in bitcoin. Ransomware is heaven on Earth for criminals. Bitcoin guarantees complete anonymity and high profit thanks to its rising value (as of August 2017, 1 bitcoin equals $3,239). In May 2017, the largest private companies, public facilities and even some ministerial intranets were hit by the largest known ransomware attack, WannaCry (or Wanna Crypt), affecting more than 23,000 computers in 150 countries. British public authorities were lost and, as usual, late with an appropriate measure. The spreading of the virus was stopped by simple luck, thanks to an anonymous British IT employee. In late June 2017, WannaCry was followed by another ransomware attack, Petya, which had a better spreading and resisting mechanism than its predecessor. And the hackers have reached their goal – ransom has been paid in bitcoin. All these attacks were made possible by cyber criminals’ accurate and timely exploitation of “zero-day” possibilities and interception of exploit leakages from officials (EternalBlue in Microsoft, discovered by the NSA). It is evident that private sector companies suffer the most from these aggressions. At first, these attacks are seemingly distant from our everyday life, until it comes to the very facilities used on a daily basis. However, this was not the case for people using the U-Bahn in Hamburg in May 2017, when all ticket vending machines were blocked. And especially for patients in English and Scottish hospitals on the day of the attack.
With national authorities in England failing to provide a coherent response, suppliers to these public facilities did not make any statements whatsoever, and the overall condition of cyber resilience in hospitals and other public infrastructure, whose failure can cause public chaos and social disarray, is not promising. And new weapons are being developed right this minute, as you are reading these lines.
Public cravings
Even the most optimistic among us, not so numerous but surprisingly stoic, say that in this algorithmic world one cyber terrorist has the mounting power to bring disruption and cause uncertainty for an indefinite period of time. The cyber weapons race is unfolding, low-key for now, but with each passing day it can erupt into full-fledged competition among states. Here two sides are divided by a river and the bridge is nowhere in sight – governments vs companies, power vs money. In order to gain the upper hand, governments strive to monopolize the cyber domain and make it more submissive, as was the case with the defense and nuclear areas. However, a defensive approach is always better than an offensive one. And this line of attitude can be traced through all UN resolutions dealing with cyber, cyber culture and norms of behavior. There are not so many resolutions, but they hold promise for the continuation of a more constructive and fruitful discussion among states and, who knows, it might even result in a treaty before it comes to a cyber conflict. Discussion among states is needed desperately, even if it does not have any tangible result. The reality is that cyber has become an irrevocably politicized topic, where almost any high-level political dialogue on establishing norms and finding common ground leads to a deadlock because the stakes are too high. Where the public sector finds some mutual understanding is the protection part – online child protection, cyber violence against women, etc. The UN GGE had a blast of mutual love in 2015, when they managed to settle on some soft norms for cyber behavior and vowed to continue the dialogue. The UN GGE is a behind-closed-doors process, so until it is made public there is no knowing what the 2016/2017 edition will venture.
These days the inspiration is not as booming as it used to be for the multilateral fora, since some countries, especially major cyber players such as the USA, Russia and China, have marred their bilateral relations with numerous cyber clashes and shady incidents. The USA is not spearheading the UN talks any longer, simply because public interest has lost its sharpness and the demand to be number one among international partners is not as high internally as it used to be some years ago. Russia and China are more nationally focused on adopting some restrictive cyber laws and initiatives. Of course, the expert knowledge and the national and regional demand remain the same if not greater – in more advanced cyber societies the focus is shifting to AI and R&D in new technologies – so regional hubs like Tallinn, Helsinki and Tel Aviv retain their status.
Separately, governments are issuing national cyber defense strategies, which are protective in their nature and underline cyber sovereignty more and more. This trend has led to a paradoxical convergence of Chinese, Russian and US attitudes to cyber, at least in the realm of data sovereignty, even though the US continues to claim that it is the beacon of internet freedom and democracy. The US and Russia are waging diplomatic turf wars, constantly poking each other from various sides, including cyber. With Trump’s administration and the never-ending joy ride in the White House, the debate on net neutrality has also been blurred out by the rest of the political gaffes and flash news. It may seem that such things as net neutrality and data protection are somewhat above the average defense range and lie in the internal digital politics of a given state, but in cyber, and in general in our world today, where connectivity rules, such changes cannot be disregarded, simply because they are part of some bigger trend.
Take, for example, China and its latest development in the area of the social credit system. Even reading about the mechanisms and how citizens of one of the biggest and most influential countries in the world will live in the coming years gives the reader chills. This is not just an average credit system where anyone with a clean criminal record can come and submit a request for credit. This is a digital totalitarian state where every citizen is openly watched and his/her steps in life are recorded. On the basis of each personal record a given person will be subject to examination before he/she is granted social privileges, i.e. social credit. The punishment scale for any misconduct is severe and rigid. This goes nicely along with the cybersecurity law, which was passed in China in 2016 and aims at storing all big data on Chinese soil. What kind of cyber defense will a state where the population lives under the big eye have? A question which will not remain unanswered for long. The backdrop to this story is China’s enormous bid on artificial intelligence research and development, with the ultimate goal of spearheading this intricate area by 2030.
The same goes for Russia, with several divisions of cyber warriors to monitor, defend and – who knows – even conduct covert operations, as many other governments do. Not much is known about what the Kremlin is planning to do in the coming years in terms of cyber law making, but there are such precedents as the Yarovaya law, the banning of several social media which are not storing databases on Russian soil, various – as of today – failed attempts to create a viable and secluded segment of the Russian internet, and most recently the banishing of all Tor and VPN anonymizers from RUnet (for that matter, the same goes for China, which will be blocking all anonymizers by 2018). The cyber weapons race and cyber defense do not have to be by default secret operations developed behind closed doors. Everything that concerns the wider public either reflects the greater trend of major state cyber policy or derives from it.
Governments are essentially seeking ways to secure themselves, and this applies to all segments of power. Should a major collision in cyber space come, they must be ready. But governments will still not be able to ignore the private sector – the greatest and sole supplier of services to public facilities. And in order to avoid nastier and uglier incidents like WannaCry, the public sector will be forced to go hand-in-hand with the private. But what are the private sector’s needs, and isn’t it just fed up with hearing about cyber defense from its public counterparts?
Private rulings
Private companies are seeking an adequate – yet somewhat unorthodox – defense complex to shield themselves from economic losses. Some refer to this as active cyber defense, or ACD. This is a complex set of measures aimed at preventive rather than restorative actions, involving working with the adversaries and engaging them to gather intelligence and to disrupt and halt ongoing attacks. In order to work more efficiently, many private companies, especially those based in Western countries, are working towards joint cyber expert groups (e.g. the recent Internet of Things cybersecurity group between Nokia, AT&T and others) which will be able to exploit existing vulnerabilities and prevent them falling into the wrong hands. The private sector is the profit-driven area where most of the research and development strategies and promising experts are gathered. ACD is not an ultimate answer to the security issues the private sector faces in cyber, because it is still quite new and provocative, balancing on the edge of escalating an ongoing cyber attack even more if the response involves hacking back. While the concept is more common and debated now in the USA, it has the potential to become more widespread among other countries in the coming years. The acceptance and development of ACD illustrates the cementing differences between the state, which wants to limit private capabilities for self-defense, and private companies’ growing potential to defend themselves. After the recent disruptive ransomware attacks ACD has become an even more acute and pressing issue, especially when thinking about how to legalize the practices and integrate them into a corporate framework of action on a global scale.
Yet the private sector is becoming more vocal on issues that previously concerned only state authorities. A vivid example of this is the Global Internet Forum to Counter Terrorism created by YouTube, Facebook, Twitter and Microsoft. Like any other discussion platform, it aims to build trust and raise awareness against terrorist activities online, but with one exception – the forum has not been created via any public channels; it has been brought to life by the internet giants of Silicon Valley. Even though this initiative will deal with countering terrorist activities online, such dialogue among private companies will attract governments’ attention and push for convergence between the two worlds.
Shaken not stirred
The question remains: how to bring public and private into harmony and tame the cyber beast? At the end of the day the answer still stands: yes, there is no other way to work constructively in cyber but together. Cyber is political, and this is difficult because the differences between the major public stakeholders are immense. Yet the overruling understanding of each other’s helplessness is also sobering. Russia and the US have been alienating each other since 2014. With Trump’s ascension to power last November, mass media have been bursting with speculation on his and President Putin’s potential for dialogue thanks to a seeming closeness in political views. The climax came at their first meeting, at the annual G20 rencontre, where the public witnessed a rather dry handshake and a tender suggestion coming from Trump about creating a joint “Cyber Security Unit”. The suggestion was bashed in the US, where some compared it to partnering with Assad on chemical weapons, so Trump’s initiative was a stillborn child, even though it was not fully devoid of sense.
Russia, the US and other major players need to partner to bring further incentives for the private sector to start a dialogue and take concrete actions. Alienation in the cyber domain will just lead the international community to the familiar patterns of cold war, nuclear deterrence and overall dissatisfaction in the longer historical perspective. Cyber defense has to be flexible and transparent, interconnected on all levels, involving active participation of experts from the private sector and policy makers from public entities. These are all lofty aspirations, which are hard to bring to life before some major cyber incident that leads to many third parties being involved, willingly or unwittingly. The public-private combination has to be an all-inclusive and comprehensive mechanism, created afresh and building on all the legal best practices and constructive experiences that we have today. All the ingredients have to be there, accurately added and mixed but not stirred.
[1] T. Rid, “Cyber War Will Not Take Place”, Oxford University Press, 2013.