Online Book Reader


Inside Cyber Warfare - Jeffrey Carr [117]

best addresses the interests of the state and its citizens, and the answer to that question is outside the scope of this submission.

This essay was written by an active duty member of an international law enforcement agency.

Whole-of-Nation Cyber Security


By Alexander Klimburg

The general public is often wholly unaware of how much of what we commonly call “security” depends on the work of informal groups and volunteer networks. For a while it seemed that Western governments had generally gotten the message: when most of your critical infrastructure is in private hands, it is natural that new forms of private-public partnerships need to be created to be able to work on critical infrastructure protection. Organizations such as the US ISAC (Information Sharing and Analysis Center) and the UK WARP (Warning, Advice, and Reporting Point) are examples of this thinking. Unfortunately, most governments have a hard time moving beyond the “two society” (government and business) model. In an age where even the “managing” bodies of the Internet (such as ICANN) do not belong to either of these groups but instead are really part of the “third society”—i.e., the civil society—this is a critical, and potentially fatal, omission. From groups of coders working on open source projects to the investigative journalism capability of blogs, the breadth of the involvement of the civil society and nonstate actors in cyber security is wide and growing. But what are these groups, exactly?

The variety of these groups is as wide as the Internet itself, and these groups also interact directly with the harder side of cyber security. Nongovernment forces of various descriptions have attacked countries on their own (e.g., Estonia, Lithuania) and defended them, helped wage a cyber war (e.g., Georgia), and sought to uncover government complicity in them. One can even argue that most of the cyber terror and cyber war activity seen over the last decade can be ascribed to various nonstate actors. A recent US Congressional inquiry heard that the great majority of the Chinese attacks against the United States were probably being done by young volunteer programmers whose connection with the security services was probably more accidental than anything else. Indeed, if one looks at the sum total of cyber security-relevant behavior, from software and patch development on the technical side to the freelance journalism and general activism on the political side (and with the “script kiddie patriot hackers” somewhere in between), it seems that most “cyber security” work is done by members of the third society, with business following close behind—and government bringing up the rear.

Do these groups really have anything in common? After all, it is questionable whether heavily instrumentalized civilian hacker groups in China and Russia really qualify as representatives of a “civil society.” Should they really be compared to, say, a Linux developers’ group or an INFOSEC blog network? Aren’t these “patriot hackers” just an update of the age-old paradigm of the citizen militia and the flag-burning rent-a-mob, but with broadband?

Although the militia model can to a limited extent be applied to some of the Russian and Chinese groups (indeed, the Russians actively talk of the need to maintain an “information society” for their national security, and the Chinese have recruited an “information operations militia”), the model just does not hold for the many groups rooted in liberal democratic societies. This is particularly evident when examining nontechnical (i.e., not “White” or “Grey” hacker) groups and their activities. They are increasingly able to provide critical input into one of the most difficult aspects of any wide-scale cyber attack, namely attacker attribution.

Identifying the true actors behind a cyber attack is a notoriously difficult task. Attributing attacks to individual actors is traditionally seen as being the acid test to determine whether an attack is rated as an act of cyber war or an act of cyber terrorism (or even “cyber hooliganism”).
