Information and Cyber security: options for the international community and NATO
63. The challenges of the Information Age for national and international security are complex and require the combined efforts of international, regional and national authorities and the private sector, as well as sub- and trans-national groupings of active individuals. NATO is not in a position to address all aspects of this challenge, but it does have a significant role to play, not least because it unites nations with the most developed information and communication infrastructure (infrastructure, hardware and software which collectively make up the Internet are still overwhelmingly Western designed and produced; more than 50% of the world's Internet traffic transits the United States).83
64. On the global level, NATO should support initiatives to negotiate at least some norms of acceptable behaviour for the cyber domain. This framework must discourage the cyber arms race and clearly prohibit the use of cyber attacks against civilian infrastructures. The principles of international law should also recognise indirect responsibility of a state to ensure that its territory is not used by non-state actors to launch attacks against a third country. If a country systematically fails to ensure that or provides sanctuary for perpetrators, it should be considered as breaching international law and should face sanctions.84 When addressing our Committee at the Assembly session in Varna, Kenneth Geers of the NATO CCD COE suggested that the universal cyber treaty could follow the path of the Chemical Weapons Convention, i.e. focus on promoting best practices, helping find data points quickly, and sending teams to collect forensics, and eventually securing networks.
65. Achieving this agreement will not be easy, since some critical players – such as China – view cyber security from an “information security” perspective. This perspective is based on their desire to limit dissent and access to information deemed threatening to their regimes. These nations have proposed in-built tracking devices on all Internet packets that would allow all actions on the Internet to be traced. Western analysts argue this would be cumbersome, costly and easily negated by criminal groups, intelligence agencies and militaries. Therefore, the real target of such proposals is the average Internet user and their ability to access information and engage in political dialogue anonymously.85 Such a surveillance approach is prohibited by many NATO member states’ own laws governing surveillance, propaganda and counter-terrorism.
66. Other approaches to policing the cyber domain focus on developing technical solutions within Internet infrastructure itself to help maintain security. The Internet was originally designed to be interoperable and has therefore paid little attention to security aspects. The 2003 US National Strategy to Secure Cyberspace identified vulnerabilities within three “key Internet protocols”: the Internet Protocol, which guides data from source to destination across the Internet; the Domain Name System, which translates Internet Protocol numbers into recognisable Web addresses; and the Border Gateway Protocol, which provides the connection between networks to create the “network of networks”86. None of these protocols has in-built mechanisms to verify the origin or authenticity of information sent to it, leaving them vulnerable to manipulation by malicious actors. Therefore, funding and developing technical solutions for a new set of secure protocols that will address many of the vulnerabilities in the current Internet infrastructure whilst falling short of surveillance of member states’ populations could be useful to NATO.
67. In addition, NATO member states should support wide ratification of binding international treaties, like the Council of Europe’s Convention on Cybercrime, because banning cyber criminal activities would also help negate cyber terrorists as well as state-sponsored cyber attacks that often use the same techniques as cyber criminals. The verifiability of these conventions is a serious issue, however.
68. In terms of public-private co-operation, relevant authorities of NATO nations should engage private IT companies more proactively when it comes to setting stricter rules on the use of cyber space. Dialogue is essential because software companies like Microsoft and Google remain able, by developing various software options, to exercise influence beyond what any nation state could aspire to do using their legislative powers. Incentives must be put in place to encourage private companies, particularly those running critical national infrastructures and designing cyber hardware and software, to upgrade their security systems beyond simple profit vs. loss calculations. It is also important for our nations to co-operate closely with Internet Service Providers in order to identify and quarantine the compromised computers (botnets) residing on their soil.
69. The Alliance should also establish closer co-operation with the EU based on already existing agreements. Although NATO is developing cyber defence capabilities, it still needs the EU because it issues laws on comprehensive standards for cyberspace and NATO does not. It would be useful, however, if the EU established the position of an EU “Cyber Czar” in order to have a clear contact point for NATO.
70. With respect to its own contribution, the most immediate objective for the Alliance is to ensure swift and efficient implementation of the newly adopted Cyber Security Policy and Action Plan. NATO should incorporate its cyber policies (and encourage its member states to do likewise) into a broader framework for adapting the military to the realities of the Information Age. Cyber security is not a value per se, it must be seen within the context of the developing concept of network-enabled capabilities. In other words, we need to find the right balance between the advantages offered to our armed forces by the new information and communication technologies, and the introduction of stricter protective measures against cyber threats, measures that could result in reduced efficiency of the military.
71. It also goes without saying that NATO must clarify its response mechanisms for itself in case of a cyber attack against one or more of its members, although these mechanisms do not necessarily need to be announced publicly in order not to let the adversaries know what they could get away with. Some argue that Article 5 should not be applied with respect to cyber attacks because their effect so far has been limited to creating inconvenience rather than causing the loss of human lives and because it is hard to determine the attacker. So far, there is no evidence that cyber attacks took human lives. However, the Rapporteur believes that the application of Article 5 should not be ruled out, given that new developments in cyber weapons such as Stuxnet might eventually cause damage comparable to that of a conventional military attack.
72. In more practical terms, NATO should consider its role in protecting physical infrastructure associated with the cyber domain. The physical vulnerability of fibre-optic cables and information hubs represents a serious challenge within the cyber domain. Most long-haul fibre-optic cables reach land at obvious choke points, which make them susceptible to attack or damage. Of note is the choke point for transatlantic cables, Widemouth Bay, Cornwall, in the UK, where four major EU‑US cables reach land.87 This area has reportedly been designated “vital to US security” because of these cables.88 Meanwhile, the vast majority of the physical cables that connect the United States and Asia run through the Luzon Strait choke point between Taiwan and the Philippines.89 Cables in the Malacca Strait are also congested, and island NATO members and partners, like Iceland, Japan and Australia, are particularly vulnerable.90 To date, the best form of protection for these sub-surface cables has been their anonymity. However, sometimes this is not enough, as highlighted by the fact that 75% of Internet capacity between Europe and a large part of Asia was temporarily lost when, in 2008, ships off the Egyptian coast severed two inter-continental fibre-optic cables by dragging their anchors.91 A Georgian woman denied 90% of Armenians access to the Internet for 5 hours when she inadvertently cut through a cable with her spade.92 There have also been other large Internet disruptions caused by cable incidents in Malta, Sicily, the United States and Asia.93 These highlight the possibility of sabotage by state or non-state actors. In terms of bandwidth capacity, NATO member states are heavily dependent on infrastructure in the United Kingdom for their transatlantic communications. Many of these key Internet peering points are based in and around London and have previously been threatened by flooding.94 Any disruption to these infrastructures could have far-reaching economic and military effects.
73. Other elements of NATO’s better preparedness against cyber attacks include further strengthening of national cyber incident response teams, achieving full operational capability of NCIRC, intensification of joint exercises, promoting more efficient sharing of best practices among the Allies and a wider use of “red teams”. Before investing in highly elaborate cyber defence systems, however, the Allies should first ensure that proper levels of basic “computer hygiene” are routinely maintained.
74. Security of networks in critical national infrastructure objects should remain a key priority. Technical solutions being examined in this regard include the introduction of high fidelity sensors to monitor intrusion activity on networks, and the strengthening of fault tolerance techniques.95 However, for a truly comprehensive cyber approach to infrastructure resilience, technological solutions alone will not suffice. A collaborative approach between citizens/systems users, businesses, law enforcement agencies and civil institutions will provide the best cyber security for these objects.96
75. The Rapporteur also suggests that NATO consider applying common funding procedures for procurement of some critical cyber defence capabilities for its member states. The Alliance and its nations should also redouble their efforts to invest in human capital, because currently the Western nations are widely believed to be losing their advantage in cyberspace in terms of numbers of cyber experts and qualified personnel.
76. Other practical measures should include reviewing our policies in terms of critical information that is to be stored online. The “Cablegate” revealed some documents that date back to 1966. Nigel Inkster, a prominent British expert, says that this “suggests an excess of zeal among those tasked to place State Department data on SIPRNet, since these cannot be relevant to today's operational requirements.” It is also necessary to review the operating systems of critical national infrastructure with a view to limiting their unnecessary exposure to online connections. Furthermore, new safeguard mechanisms must be put in place to prevent unauthorised downloading of sensitive data to digital storage devices. Procedures for vetting relevant personnel should also be revisited.
77. That said, the Rapporteur wishes to emphasise that all necessary security measures should not cross the line where they would violate the fundamental principles and values cherished by the nations of the Euro-Atlantic community. It is also important for our national security interests: since the cyber domain is to a large extent governed by the people, it is important to win the moral support of the majority of the virtual community. In order to prevent abuse by the governments, stricter security rules should be accompanied by measures ensuring democratic oversight. For instance, the United States announced recently the establishment of the Privacy and Civil Liberties Oversight Board (PCLOB) to ensure that privacy and civil liberties are protected.97
78. Last but not least, the Rapporteur would like to underline the role of parliamentarians not only in terms of issuing relevant legislation, but also in communicating with a public that is often insufficiently informed about the scope of opportunities and risks posed by the Information Age.
Annex
Types of Malware
| Type | Description |
| --- | --- |
| Logic Bomb | The earliest and simplest form of malware. It is not a virus but computer code, which needs to be secretly inserted into the computer software. When triggered (positive trigger: a set time or date of the bomb exploding, or a condition such as removing an employee's name from the salary list; negative trigger: failing to insert certain data or code by a specific time), the bomb can cause system shutdown, delete files, send secret information to the wrong people, etc. |
| Trojan Horse | Creates a “back door” into a computer, which can be accessed via the Internet from anywhere around the world. It can delete, steal or monitor data on someone else’s computer. It can also turn the computer into a “zombie” and use it to hide the real perpetrator’s identity and cause further damage to other systems.98 |
| Key-logger | Monitors and keeps track of keystrokes on a computer, usually without the user being aware of it. The information can be saved to a file and sent to another computer. Private data such as usernames and passwords are usually the key targets of the programme. |
| Virus | Infects files when they are opened or being run and is capable of self‑replication. It often manifests itself as a logic bomb or a Trojan. Viruses are difficult to track and can spread very quickly. In 2000 the ILOVEYOU virus caused damage of approximately US$10 million. |
| Embedded Malware | Malicious software inserted into the operational systems of machines, ranging from phones to weapons systems, that accepts additional covert commands. According to General Wesley Clark and Peter Levin, an example of such an operation was Israel’s alleged attack on Syrian nuclear sites in 2007, which was supposedly made easier because of embedded malware that turned off Syrian defence radar. |