
3 November 2011

International Cyber Security Challenges

It is widely recognized in government, business, military and scientific circles that there is a growing interconnectedness of physical and virtual infrastructure through information and communication technology (ICT). Many refer to it as cyberspace: a domain, pervasive and ubiquitous, now considered strategically equal to land, air, sea, and space. Yet from a security perspective, cyberspace is different from the four other domains. It has emergent properties and eludes state control. Beyond its impact on leadership, management or institutions, there is a common fear that the growing interconnectedness offers more and more avenues for disruptions in the digital supply chain and thus increases the vulnerability of the information society, military power and the global economy to system failure.

The causes of disruptions to cyberspace and critical infrastructure (e.g. utilities, transport, telecoms, defense contractors, government institutions) can in general be divided into three categories: natural disasters, accidents and intentional attacks. Cyber threats are risks arising from cyberspace and its technologies (e.g. hacking, denial of service attacks, viruses, malware). The impact of malicious cyber activities can be without direct consequences (e.g. installing spyware) but may as well lead to physical consequences (e.g. loss of business or failure of control systems). Cybercrime is a common threat image in the business community, while cyber terrorism, cyber war and information warfare dominate the defense community's framing of the issue. The worst-case scenario, frequently mentioned but highly contested, is an "electronic Pearl Harbor" type disruption.

Images of threats typically involve a broad range of adversaries and targets, including both state and non-state actors, dissolving the boundaries between the domestic and the international. Along these lines, non-state actors may be a challenge to security as well as providers of it. Most observers focus on the transnational and network-based character of cyber threats. Adversaries are typically seen as operating in loosely organized networks consisting of relatively independent nodes of individuals. Research and media coverage of recent cyber attacks underline that, beyond the hype, concerns are real, as attempts to exploit or defeat existing cyber infrastructures are happening every second.

IT-security researchers showed that an unprotected computer connected to the Internet to collect intelligence on attack techniques and behaviors (a "honeypot") was hacked and utilized for a botnet within 15 minutes of connecting it to the Internet. The sophistication of attacks and their consequences have reached a new level since 2010. Unlike the distributed denial of service (DDoS) attacks that disrupted the Internet in Estonia or Georgia, the "Stuxnet Worm", likely developed by a state actor, targeted industrial control systems that use Siemens software and infected over 30,000 computers in Iran, including computers involved in running nuclear facilities in Iran. The latter raises even greater concerns about the threat not only to industrial control systems but to all components of our information and communications technologies generally. Early in 2011, RSA, a provider of SecurID two-factor authentication products, which can be considered one of the core Internet security technologies, experienced an APT breach of its infrastructure similar to the one Google experienced in 2010. Unlike most intrusions that go after financial and identity data, advanced persistent threat (APT) attacks tend to go after source code and other intellectual property. Intrusions may even persist in an organization's network, sometimes for years, even after it has taken corrective action.

Much has been written about the challenge of attribution in cyberspace. Who is intruding in a system and who is behind the malicious activity? If we are attacked, will we know who is behind it, so that we can respond, without incurring the wrath of the world community? All too often it remains difficult, if not impossible, to identify the involved parties who hide behind the anonymity and global orientation of the Internet and utilize a catacomb of enablers, consisting of both legitimate and illegitimate providers, to cover their tracks. Policy makers and military planners are only beginning to address these questions.

In fact, cyber security and risk are inherently difficult to comprehend and communicate, due to their socio-technical complexity and the relationships among stakeholders in the international community. There is, for example, little agreement as to what the security issue in cyberspace actually is, what is critical, and what the threat level is. From a European perspective, the cyber insecurity "hype" is much more prevalent in the U.S. than in Europe. Consequently, it is difficult for states such as the United States, United Kingdom, France, and Germany, which often lead the adoption of broad-based agendas, to come together around a common, collective vision in international bodies such as the UN or NATO. An additional challenge derives from the existing cyber security institutional ecosystem, which resembles a broad set of international, national, and private organizations with unclear and overlapping boundaries as well as differing capacities. Finally, the government resources available are tied up with national cyber security efforts such as critical infrastructure protection, where state and industry objectives are only partially convergent. Specifically, the private sector fears that sensitive information on past security incidents might not be treated with the necessary degree of confidentiality by state entities and might cause damage to its reputation. Furthermore, international approaches would be of much greater interest for transnational businesses. Many believe a comprehensive approach, one that provides for appropriate information sharing and mutual assistance obligations governed by international policies and treaties, is needed. Considering the struggles of the UN, EU or NATO in developing a common comprehensive approach for conflict and crisis management and the illustrated difficulties in the cyber security domain, this will pose a great challenge to the international community.

Nevertheless, it requires a public-private collaboration which identifies critical cyber priorities, sets goals and objectives for each, and identifies corresponding milestones and metrics for those objectives so that they can be resourced, tracked, and improved over time. It is also important to systematically collect and share statistically significant malicious cyber activity data on the national and global scale. Moreover, we need to build the capability to quickly connect the dots among disparate databases to get a true picture of which instances of criminality are connected to each other, to which malicious actors, and to which enablers. However, first and foremost, none of these and many other points is actively and openly debated among government or private industry organizations, nor is the fact that current means of law enforcement have proven insufficient, specifically because they tend to be reactive instead of proactive; they investigate after the fact instead of preventing the criminal attack. We must recognize that more of the same will not change this reality. The complexity of cyber risk must be addressed strategically and proactively by an alliance of business and government stakeholders, including, but not limited to, law enforcement, because no single effort or initiative will eliminate the cyber threat.


Posted by Alexander Schellong at November 3, 2011 10:00 PM