The cyberattack late last year on Sony Pictures, intended to deter the release of the movie “The Interview” — combined with threats of physical harm to civilians — threw once again into sharp relief the complexity and dangers of cyberspace. As the heated exchanges between Washington and Pyongyang continue, the weaknesses in cyber defense of private companies and states are again evident, not only in repelling the attack, but in identifying the hackers as well.
The Sony attack is far from a solitary occurrence. Beyond the already well-known cybercrime and cyber espionage phenomena, a dangerous and complex realm is emerging where the level of sophistication of terror groups and states is growing. Cyberterrorism and cyberwarfare have become a key national security threat.
By way of some examples, in September 2014, various news outlets reported that jihadists in the Middle East, including leaders from both the Islamic State (also known as ISIS) and al Qaeda, were actively planning cyberterror attacks against Western countries, specifically targeting government servers and critical infrastructure. It was further reported that ISIS was planning to establish a “cyber caliphate” “intending to mount catastrophic hacking and virus attacks on America and the West.” According to Fox News,
... the terror groups are trying to add to their numbers to boost their capabilities, using social media to reach a larger pool of potential recruits and calling on militant-minded specialists to join them. The targets are the websites of US government agencies, banks, energy companies and transport systems. Islamic State's efforts are spearheaded by a British hacker known as Abu Hussain al Britani, whose real name is Junaid Hussein. He fled his hometown of Birmingham for Syria a year ago to join the group and US intelligence sources say he is one of several key recruiters. Al Britani once led a group of teenage British hackers called Team Poison, and now actively calls for computer-literate jihadists to come to Syria and Iraq.
Iran and North Korea are heavily investing in cyberwarfare capabilities, building as part of their military establishment sophisticated cyber units with defensive and offensive capabilities. A 22-page analysis of Iranian cyberwarfare capabilities published in August by Israel's Institute for National Security Studies concludes that during the course of 2013, Iran became one of the key players in the international cyberwarfare theater, and points to the many major qualitative and quantitative investments by Iran in this field. The paper outlines cyberattacks conducted by Iran, including a relatively recent large-scale attack on the websites of key banks and financial institutions in the United States, stating that "information security experts described this attack as 'unprecedented in scope and effectiveness'." Israel has also attributed to Iran numerous cyberattack attempts.
A July 7, 2014 article in Security Affairs reports that North Korea doubled the number of units of its cyber army (now estimated to employ approximately 6,000 people), has established overseas bases for hacking attacks, and "is massive[ly] training its young prodigies to become professional hackers." According to the article, "the North Korean cyber army has already hit many times the infrastructure of South Korea, banks, military entities, media and TV broadcasters with malware and other sophisticated techniques."
Russia and China have also heavily invested in such capabilities, and it is reported that their specialized cyberwarfare units are behind several instances of network disruption, technology theft and other cyberattacks against governments and companies. On February 4, 2014, the website tripwire.com reported that “Russian government officials have announced they intend to create a designated military unit devoted to preventing cyber-based attacks from disrupting vital systems devoted to Russian military operations” and that the new unit is expected to be fully operational by 2017.
In March of 2014 it was reported that the Latvian army had hired the country’s first 13 cyber guards as part of a newly created cyber defense unit.
In a 2012 speech on cybersecurity, then-FBI Director Robert Mueller stated that: “Terrorism remains the FBI’s top priority. But in the not-too-distant future, we anticipate that the cyber threat will pose the number one threat to our country.” Former US Secretary of Defense Leon Panetta and former director of the NSA Keith Alexander have repeatedly warned against a future "cyber Pearl Harbor."
Similarly, the US Department of Defense's 2014 Quadrennial Defense Review declares:
The Joint Force must also be prepared to battle increasingly sophisticated adversaries who could employ advanced warfighting capabilities while simultaneously attempting to deny US forces the advantages they currently enjoy in space and cyberspace. We will sustain priority investments in science, technology, research, and development both within the defense sector and beyond. […] Innovation is paramount given the increasingly complex warfighting environment we expect to encounter.
Over the past decade, facing the alarming growth of cyberattacks on industry, media, banks, infrastructure and state institutions, there has been an increasing focus of industry and states on building tools to enhance capabilities to combat cybercrime, cyber espionage, cyberterrorism and cyberwarfare, and there is a major shift of funds, efforts, and focus to these areas. Many countries are creating cyber defense institutions within their national security establishments and enhancing their cyber capabilities, including through the creation of dedicated cyberwarfare units within their defense forces. Others are beginning to be aware of the necessity. According to Director of National Intelligence James R. Clapper in a January 29, 2014 Statement for the Record before the Senate Select Committee on Intelligence, the United States estimates that several of the cyber defense institutions created by states will likely be responsible for offensive cyber operations as well.
The cyber arena is complex and continuously evolving. Recognizing the critical interlink between the various actors and the need for cooperation and innovation, states are increasingly trying to build cooperation between domestic state cyber institutions and industry and academia, and devise mechanisms for internal cooperation between different state units and agencies. While in the past states kept many of these efforts — including information on the formation of military cyber units — relatively secret, today they increasingly publicize their efforts both nationally and internationally.
“Be an Army hacker: This top secret cyber unit wants you” shouts the headline of an April 6, 2013 article in the Military Times, explaining that the US Army is looking for computer-savvy American troops to “turn into crack cyberwarriors” for both offensive and defensive purposes. The United States Cyber Command has already announced that over the next few years it intends to recruit 6,000 cyber experts and create teams of soldiers and civilians to assist the Pentagon in defending US national infrastructure.
The United Kingdom is also going public with its efforts. A new cyber unit called the Joint Cyber Reserve has been set up by the Ministry of Defence to help protect critical computer networks from attack, and former Defence Secretary Philip Hammond appealed to Britain’s top IT experts to join up and work as military reservists.
Israel has been at the forefront of building defenses from cyberattacks — and it too has gone public with its establishment of cyberwarfare units. According to a November 14, 2013 article in the Israeli newspaper Haaretz, the Israeli military has been "bullish" on the cyber front — not only creating sophisticated cyber units but actively involved in "raising the next generation of cyber geeks" through after-school programs and other initiatives geared at preparing today's youth to fight this new kind of war. This is in addition to the establishment of a new national cyber defense authority in conjunction with the Israeli National Cyber Bureau.
As early as 2011, a study on cybersecurity and cyberwarfare conducted by the Center for Strategic and International Studies (CSIS) had already identified 33 states that include cyberwarfare in their military planning and organization. According to the report, “Common elements in military doctrine include the use of cyber capabilities for reconnaissance, information operations, the disruption of critical networks and services, for 'cyberattacks,' and as a complement to electronic warfare and information operations. Some states include specific plans for informational and political operations. Others link cyberwarfare capabilities with existing electronic warfare planning.” The report also points out that in another 36 states, civilian agencies charged with internal security missions, computer security, or law enforcement are also responsible for cybersecurity.
The cutting edge for military organizations, the CSIS report explains, is the creation of specific commands dedicated to cyberwarfare, similar to the United States Cyber Command created in 2009. At the time of the 2011 study, CSIS found that 12 states — including North Korea, Denmark, Germany, India, Iran, and South Korea — had established or were planning to establish similar commands. It is likely that other states, such as Cuba and the Russian Federation, are developing or will develop such organizations as well.
So the cyber swords are sharpened and drawn and have indeed already struck. Western countries spend substantial funds to train and employ many personnel in military establishments, defense establishments, universities, industry, and elsewhere to defend against cybercrime, cyberterrorism, cyberwarfare, and industry attacks, as well as to build up their offensive capabilities.
Importantly, and as an additional challenge, these states will have to devise the correct balance between the need to confront these cyber phenomena and the privacy rights of citizens, as the United States has discovered in the wake of the Snowden affair. States that have until now taken a very strict view of privacy, particularly in the European Union, are now coping with difficult privacy questions in light of an increasing number of terrorist attacks and a new phenomenon where it has been estimated that 5,000 of their own young citizens have joined ISIS, which itself uses cyberspace and social media heavily to recruit as well as to make public its deadly activities. These European recruits may be operating against their home states, and may return to Europe and conduct terrorist attacks there, yet until recently they were undetected.
The threat is real and omnipresent. While some states are well into building up their capabilities, others are beginning, and there are those that have not even begun.
But whatever stage of preparation a state is in, given the realities of the age of globalization, it is unlikely the solution to national security cyber threats will be found by states trying to act on their own, no matter how sophisticated their internal mechanisms, protections, or armies may be. As states are grappling with their own internal organization, their legal questions (under both domestic and international law), and building their capabilities, they must also look — much sooner rather than later — to the international front and the challenges it poses to their national security interests.
Cyberterrorism, cyberwarfare and cybercrime are globalized phenomena cutting at light speed across borders, and are committed by attackers who are often difficult to locate and even sometimes impossible to identify. Combating the cyber criminals and terrorists, as well as cyber military units, will require not only strong domestic infrastructure and capabilities, but also similarly strong capabilities and infrastructure in other like-minded states and robust cooperation mechanisms between states and their various institutions, intelligence agencies, and militaries. Cybercrime, cyberwarfare and cyberterrorism can hit national security as well as other interests of a state from places where, without international cooperation, a state has little or no control and will not have sufficient ability to defend or protect itself.
Furthermore, globalization, and the link between countries and economies, creates many national security interests well beyond state borders. A major attack on the critical infrastructure or military operations of a NATO state in a way that falls under NATO Article 5 is one example. A major attack on offshore branches of US companies or banks in a way that will critically affect the US economy, or an electronic takeover of air command of airports in different areas of the world are others. The scenarios are almost unlimited.
It is not unlikely that the terrorists or states wanting to attack a particular state or business using cyberterrorism or cyberwarfare will look for the weakest links in the global chain, and hit wherever they can to harm their primary target.
The creation of a global strategic action plan in that regard must be a priority. International standards and norms — including enforcement mechanisms — to be applied across the board by states, and mechanisms for information sharing and cooperation, must be put in place sooner rather than later.
While there have been some efforts in different international forums to address the issue — for example, various UN groups of government experts have been convening over the last few years in an effort to achieve consensus and common understandings on the norms that apply with respect to cybersecurity — to date these efforts have had limited impact. Many times, debates on form supplant debates on substance, and progress, if made, is slow. NATO members are making some moves in a cooperative direction, whether in building some capabilities for cooperation between NATO members or examining the relevant international law with the assistance of the impressive Tallinn manual, and there are some efforts in assisting weaker states to strengthen their capabilities, but this too is only a first step.
In order to address the mounting cyber challenges ahead, weaker states, whether NATO members or not, will need assistance in building up their capabilities. Domestic standards, laws, and institutions for combating cybercrime, cyberterrorism and cyberwarfare will need to be put in place. International legal parameters will need to be defined and significant mechanisms for information sharing and cooperation will need to be created.
This will not be an easy venture. There is and will likely be much political and other opposition from states, as well as concerns over information sharing. The challenge is all the more daunting in light of the diametrically opposed views of the United States and other Western countries, on the one hand, and Russia and China on the other, regarding the manner in which cyberspace should be regulated. But while states are struggling with legal and other definitions, and debating their differences, terror organizations are forging right ahead as are unfriendly cyber armies. Time is not on the side of the Western nations, nor is it on the side of their private domestic industry and businesses that are many times the targets of the cyberattacks.
A concentrated effort is needed to try to close this serious gap in security. Lessons learnt from other international efforts — such as mechanisms and standards put in place to combat terrorism, money laundering, organized crime, trafficking in persons, or corruption — can be examined and, where applicable, could perhaps be followed and expanded and elaborated upon to meet the different needs arising from the serious and dangerous cyber challenge. Although devising international instruments and mechanisms for the cyber threat is likely much more complex, for a range of reasons, these examples interlinking trade interests, blacklists, sanctions, diplomatic pressure, and other measures with the creation of domestic and international standards and instruments have assisted to an extent in combating these cross-border phenomena.
These examples, which include also the creation of certain mechanisms for cooperation and information sharing, standards for industry, as well as other standards, show that in the age of globalization not only is it necessary to create the norms and infrastructure for states to work together to combat cross-border issues, but it may also be more possible to persuade states to do so if a strong lead is taken, whether by one powerful state or a group of states. Compelling measures must be put in place making it in the direct interests of states and industry to cooperate and adopt standards and cooperation methodologies.
Cyberterrorism, cybercrime and cyberwarfare pose a real and significant threat to national security. Together with increasing domestic efforts, it is time for strong operation on the international front.