Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


The Cyber Fortress Mentality

Writing for the Foreign Policy Journal, EWI Associate Franz-Stefan Gady argues that traditional boundaries cannot protect cyberspace but international cooperation can.

Most people imagine that historical battles were fought between opposing armies charging and countercharging over open fields. On the North American continent, however, the fortress played the pivotal role in deciding the outcome of wars rather than traditional open battle—for example, in the siege of Quebec in 1759 or in the Battle of Vicksburg in 1863. As a result, the fortress has shaped the outlook of American foreign policy makers and its military brass ever since the creation of the United States. Even today, dealing with the 21st century challenge of cybersecurity, policy makers still think in 18th century terms.

In a recent article for Foreign Affairs Magazine, Deputy Secretary of Defense William J. Lynn III wrote: “In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls, or it will risk being overrun.” In other words, defense-centric strategies primarily aimed at blocking unauthorized access through filters such as application gateways or proxy servers are not enough to keep America safe. New strategies and new thinking are needed, which may finally end the United States’ two centuries-long romance with fortresses.

As the recent militarization of cyberspace illustrates, however, this romance is far from over. In 2009, President Barack Obama declared America’s digital infrastructure to be a “strategic national asset.” This promptly was followed by the integration of a new Cyber Command in May 2010 to defend American military networks and attack other countries’ systems.

Since then, the US military has been a dominating force in the discourse on cybersecurity in the United States. The Pentagon went on to call cyberspace a “domain,” reinforced by the description of cyber warfare as “the fifth domain of warfare after land, sea, air, and space.” This characterization implies that cyberspace as a “domain” can be protected from intrusion.

True to the fortress mentality, efforts are currently under way to strengthen the defenses of networks with the aims of keeping the “bad guys” out, strengthening secure network communications, and boosting information assurance. The Department of Defense has stepped up efforts to block malicious software and code from entering military networks. It is decreasing the number of gateways to be protected. Booz Allen Hamilton is building a USD 14-million bunker for the United States’ new US Cyber Command. Some senior military leaders even are musing about establishing a “secure zone,” an Internet within the Internet, aimed at protecting US military networks and essential industries.

The Department of Defense recently obtained additional powers through a memorandum of understanding (MOU) signed in October 2010 between the Department of Defense and the Department of Homeland Security, which aims to increase “interdepartmental collaboration in strategic planning for the Nation’s cybersecurity, [and] mutual support for cybersecurity capabilities development.” Despite the Department of Homeland Security still being the lead agency in cybersecurity, this MOU will significantly reduce its overall importance since the Department of Defense will take the lead domestically in any future computer network warfare scenario.

The striking thing about all of this is how inward-oriented most of these strategies still are. Even the Identity Ecosystem Framework, which was recently proposed by the White House Cybersecurity Coordinator to deal with the “attribution problem” in cyberspace for both the public and private sector, is primarily domestic-oriented and has no true provisions for international collaboration. This is not a critique of the very necessary efforts to strengthen network defenses, but rather of the overemphasis on them and the neglect of other fields.

It is true that the United States is reaching out to international partners in both the public and private sector, but the outreach is largely confined to NATO countries, Canada, Australia, and New Zealand—traditional US allies. It is an old, often repeated truism but nevertheless worth repeating: in cyberspace, there are no boundaries. Talking to these countries and forging partnerships with them is important, but it is only one step.

Data moving at the speed of light along channels owned by commercial carriers knows no national boundaries and no distinction between the West and the “rest.” It helps little to forge partnerships with France and Great Britain when most hardware is manufactured in Asia and enters the United States already compromised, with malicious code embedded in it. This so-called “supply chain vulnerability” already breaches any “Cyber Maginot Line” long before any hacker encroaches upon a US server and tries to disable it with a Distributed Denial of Service Attack. True to its fortress mentality, however, US military brass is considering establishing a cyber distant early warning line for cyber surveillance and better protection against intrusions. (The original distant early warning line was a chain of radar and sonar stations to detect Soviet bombers and submarines during the Cold War.)

Much more pressing is better cooperation between the major cyber nations such as Russia, the United States, China, India, the EU, and Brazil.

What would better international cooperation look like?

First, international cooperation needs to be truly international, i.e., it encompasses both Russia and China despite their reputation as being “rogue cyber nations” in the United States. The United States, Russia, and China have much to gain from cooperation in protecting undersea cables, the Achilles heel of our digital world. One carefully planned attack on one of the three cable chokepoints (spots in the Luzon Strait, the Suez Canal-Red Sea-Mandab Strait passage, and the Strait of Malacca where undersea cables converge) in the world would cost the world economy billions of USD due to the loss of connectivity, which might last from a few days to a few weeks depending on how well the cable system owner, the operator of the repair vessel, and the national government involved can coordinate their efforts. In this volatile economic climate, an outage for more than 24 hours would be disastrous.

An additional initiative could be to gather experts from the United States, China, and Russia and compose clear, mutually agreed upon definitions of key terms that facilitate collaboration among states. For example, what exactly do we mean by terms such as “cyber war,” “information security,” and “probing”? Every nation will have a different answer to that question. A common understanding of key terms is pivotal in a truly collaborative international environment.

Cyber crime could be another potential field of better collaboration, if not the most important one. All industrial nations agree that cyber criminals pose the biggest threat to their respective critical infrastructures. The methods used by cyber warriors are not different from those of cyber criminals or cyber terrorists. Private-public partnerships, i.e., partnerships that share sensitive information across sectors (e.g., type of cyber attacks, level of damage, number and sophistication of attempted intrusions, etc.), play a key role in that respect. So far, they have focused primarily on domestic markets with often limited success due to too many ineffective initiatives and too little trust between the government and the private sector. Instead, these partnerships need to expand across borders.

To build trust, major cyber nations (US, EU, Russia, India, and China) could also compose a “Code of Conduct for Cyberspace” focusing on each other’s vulnerabilities rather than threats. This code would contain provisions on whom to hold responsible for cyber crimes originating from nation states. Following the code of conduct, governments would decide upon “Cyber Risk Reduction Centers” set up in the various defense ministries, notably in Russia, China, India, the United States, and major European countries. These centers, permanently staffed and linked with each other, should reduce misunderstanding and tensions in times of crises.

Any fortress wall is vulnerable; they will all, sooner or later, be taken. No matter how good its defenses, every network can and will be breached. The trick is avoiding a siege altogether! In the hard world of power politics, this might not always be possible, but through an increasing emphasis on international cooperation and focus on common security interests, nations will be less vulnerable in the long term.


International Cyber Diplomacy Needs Unmet

"We haven't seen in the international community much appreciation for what multilateral diplomacy in cybersecurity means," EWI Vice President Greg Austin says in an interview for Homeland Security Today. "Neither the United States nor the United Kingdom have come to terms fully what is needed globally in conversations with countries like Russia, China, and India to provide for their own national cybersecurity."

Source: Homeland Security Today
Source Author: Mickey McCarter

Stuxnet -- A Cyber "Cold Start"?

Writing for The News, EWI Director Ikram Sehgal discusses Stuxnet, the recent cyber attack on Iran’s nuclear power plant. Stuxnet is “malware” that spies on and reprograms industrial systems – the first form of malware to successfully attack critical industrial infrastructure.

“Designed as a kind of guided missile to target facilities, this virus is not the work of some odd hacker sitting at a computer,” Sehgal explains. The complexity of the attack is such that it appears to be the work of a government or a government-level organization. Sehgal warns, “A virus of this type can effectively destroy an entire factory or power plant causing them to fail in ways virtually undetectable, the results could be as spectacular as the detonation of a bomb. There would be no trace of the bomber, or any way to find out who it is.”

Citing EWI’s 2010 Cybersecurity conference in Dallas and Lieutenant General (USAF Ret) Harry D. Raduege, Jr., Sehgal introduces Raduege’s concept of the “cyber triad.” The “cyber triad” is a play on the concept of the “strategic triad” from the Cold War. Sehgal writes that the strategic triad would be comprised of “resilience,” “attribution” and “offensive capabilities.” Resilience would help discourage an attack, while at the next level attribution would help identify the attacker, and finally, offensive capabilities would allow for a response to an attack.

“Our strategic planners must put in place (and soon) a potent and credible defense mechanism against of cyber ‘COLD START’ from malware of the Stuxnet-kind,” concludes Sehgal.


Power Hackers: The National Smart Grid is Shaping Up to be Dangerously Insecure

President Barack Obama’s talk about the need for a “smart grid” sounds, well, smart. What’s not to like about the idea of an electricity grid that can work at top efficiency? By wrapping power transmission lines in advanced information technologies and the Internet, a smart grid would enable us to integrate alternative energy sources such as rooftop solar panels and local wind turbines into the power supply, balance supply with demand and optimize the flow of power to each consumer—even down to the level of individual appliances. It would vastly improve the reliability, availability and efficiency of the electric system. As currently envisaged, however, it’s a dangerously dumb idea.

The problem is cybersecurity. Achieving greater efficiency and control requires hooking almost every aspect of the electricity grid up to the Internet—from the smart meter that will go into each home to the power transmission lines themselves. Connecting what are now isolated systems to the Internet will make it possible to gain access to remote sites through the use of modems, wireless networks, and both private and public networks. And yet little is being done to make it all secure.

The grid is already more open to cyberattacks than it was just a few years ago. The federal government has catalogued tens of thousands of reported vulnerabilities in the 200,000-plus miles of high-voltage transmission lines, thousands of generation plants and millions of digital controls. Utilities and private power firms have failed to install patches in security software against malware threats. Information about vendors, user names and passwords has gone unsecured. Logon information is sometimes unencrypted. Some crucial systems allow unlimited entry attempts from outside.

As the power industry continues to invest in information technology, these vulnerabilities will only get worse. Smart meters with designated public IP addresses may be susceptible to denial of service attacks, in which the devices are overwhelmed with spurious requests—the same kind of attacks now made on Web sites. Such an attack could result in loss of communication between the utility and meters—and the subsequent denial of power to your home or business.

The smart grid would also provide hackers with a potential source of private information to steal. Just as they use phishing attacks to elicit passwords, credit-card numbers and other data stored on home computers, hackers could find ways of intercepting customer data from smart meters. A sophisticated burglar might use these data to figure out when you’re away on vacation, the better to rob your house.

Customer data could also give hackers a way to bring down the grid. Smart meters injected with malware, for instance, could disrupt the grid just as networks of PC botnets—home computers hijacked by viruses—now disrupt the Internet. A network of drone smart meters could cause a swath of the grid to power down, throwing off the grid’s electrical load. The imbalance would send large flows of electricity back to generators, severely damaging them or even blowing them up.

A smart grid isn’t a bad idea if we build cybersecurity into it from the start. But we’re not doing that. Under the smart grid funding programs, part of the fiscal stimulus package, the government has released $3.4 billion for a nationwide smart grid and plans to spend more than $4 billion more, but the Department of Energy has only recently begun to address the security requirements. So far utilities have been so focused on tamping down costs that they haven’t been willing to pay for robust across-the-board security measures. Regulation alone won’t be enough.

What we need is a partnership among the standards setters, the regulators and industry to build security into the system from the ground up. These measures would include procedures for assessing the security of smart grid devices and other systems, for certifying personnel and business processes, and for compensating power companies for their security investment. We also need more research into improving the security of computer chips and other hardware that gets installed in the grid. We need a plan to deal with grid failures. We need international cooperation and research into forensic technology to deal with attacks from abroad. The energy sector could take a page from financial firms, which do a good job of ensuring that Internet-based transactions are secure. We do not need to abandon the idea of a smart grid. But we need to be much smarter in planning it—with cybersecurity as a key element, not an afterthought.

This piece was published in Scientific American.

Maritime Diplomacy Necessary for Cybersecurity

Writing for the Huffington Post, Fred Teng, CEO of NewsChina magazine, discusses EWI’s emphasis on cybersecurity and maritime security. Referring to EWI’s Worldwide Cybersecurity Summit in Dallas as well as its study of undersea communications cables, Teng analyzes the intrinsic connections between cybersecurity and maritime security, and how that impacts overall security around the globe.

Source: The Huffington Post
Source Author: Fred Teng

Cyber War is Hell

Andrew Nagorski wrote this piece for Newsweek.

We’ve been focused on the wrong spies. When 11 Russian sleeper agents were discovered living in the United States—and then sent home in exchange for their counterparts—it was hard to resist the sexy espionage tale with echoes of the Cold War. But while we’ve fixated on Anna Chapman and her cohorts, top diplomats were working on a wonkier but more important advance in spycraft. This month, experts from 15 countries agreed to begin serious negotiations on establishing international norms on cybersecurity. This story is far more significant in the long run because, without basic agreements about cyberspace, cyber attacks, and even cyber wars, could become a daily danger.

Sure, spy stories are irresistible—particularly when a sexy redhead like Chapman is involved and there are plenty of racy photos to titillate readers. It’s also true that the press may have been too quick to write off the Russian sleeper agents as a bunch of bunglers who accomplished nothing. We don’t know what support roles they may have had for more serious operations; human intelligence can still trump electronic spying in many situations, and spying will always be with us.

But, increasingly, international relations will be shaped by new challenges that require new tactics—and new assumptions about where we can and should cooperate, even with former enemies. Look at the United Nations group of experts that overcame at least some of their mutual suspicions to take a first step toward international cooperation on cybersecurity last week. After years of talks that went nowhere, they—United States, Russia, China, India, and several others—agreed to begin discussing ways to exchange information about national cyber strategies, strengthen protection of computer systems around the world, including in less-developed countries, and even set some ground rules on cyber warfare. Other nations in attendance may not be G7 economies, but online they are powerhouses: Israel, Brazil, South Korea, and Estonia.

The idea that Russian and Estonian experts, in particular, could join forces to issue cybersecurity recommendations would have sounded absurd until recently. Just three years ago, Estonia was the target of a massive cyber attack, which now is held up as Exhibit A when it comes to cyber warfare. The Estonians, and much of the rest of the world, were convinced that this was an attack orchestrated by the Kremlin in retaliation for Tallinn’s decision to remove a World War II memorial honoring Red Army troops. Moscow and local Russians were furious about this “desecration,” and there were violent clashes in the streets. Although the Russian authorities denied any involvement, the concerted cyber attacks on Estonia’s government and private-sector Web sites, designed to cripple the country’s digital infrastructure, certainly looked like angry and organized retaliation.

What’s changed? Those hard feelings haven’t disappeared, but there’s a growing realization that no country can protect itself from cyber attacks on its own. One key problem is attribution—the inability to definitely pinpoint the source of an assault. Terrorists, criminals, and political groups can now launch sophisticated salvos using “botnets”—armies of computers around the world that they have commandeered without the knowledge of the people who own those machines. That makes it hard to prove—and easy to deny—any state’s role in a specific cyber attack. And it makes everyone and everything, including critical infrastructure such as transportation and electricity grids, vulnerable.

That’s why not just Estonia but also the United States is increasingly interested in finding a way to work with Russia and the other key players. It won’t be easy. For more than a decade, Russia has pushed for a broad international cybersecurity treaty to establish norms on these issues. As in the case of China, Washington and many human-rights organizations have opposed anything that looked like an excuse to limit political freedoms on the Internet—and to track dissidents. The latest compromise language suggests that the Obama administration wants to find a formula to address common security concerns while skirting such disagreements. Some experts argue that countries, like individuals, could join protected Internet networks, where all communications are sourced. That would go a long way toward instituting a system of deterrence, since cyber aggressors inside these networks would be instantly identifiable. There could still be a larger, more Wild West-style Internet, but anyone operating there would be doing so at their own risk.

It’s hard enough for each country to come up with its own coherent national cyber strategy. President Obama has called this a high priority, but The Washington Post’s “Top Secret America” series last week vividly demonstrated how unwieldy the U.S. national-security apparatus has become, especially since the terrorist attacks on September 11, 2001. According to the report, some 1,271 government organizations and 1,931 private companies are involved in counterterrorism and other national-security programs; an estimated 854,000 people hold “Top Secret” security clearances. That whole world is dependent, of course, on the most modern, complex computer communications. Yet top intelligence officials openly admit that they haven’t been able to produce a coherent set of policies, including a way to organize responses to cyber warfare. “Frankly, it hasn’t been brought together in a unified approach,” CIA Director Leon Panetta declared in the Washington Post series.

Take that problem and add the complexity of coordinating cybersecurity measures on the international level and you begin to see the magnitude of the problem. But in the virtual world where national boundaries are often meaningless, international cooperation on cybersecurity isn’t a choice; it’s a necessity. We’re especially vulnerable to this kind of attack: imagine 24 hours when your computers at work and at home would be out of service, when you can’t get money from your ATM, when electricity stops flowing, when planes stop flying—you get the picture. Everything depends on computers these days, and everything can be targeted.

Our near-total digital dependence underpins the governmental, financial, economic, energy and every other structure. If we can’t build the kind of safety measures that are so desperately needed into this virtual world that is no longer separable from our physical world, we are all in trouble. In that case, even spicy tales of female spies won’t be enough to distract us from the consequences.

Nagorski is vice president and director of public policy at the EastWest Institute and the author of The Greatest Battle: Stalin, Hitler, and the Desperate Struggle for Moscow That Changed the Course of World War II. He wrote this article for NEWSWEEK’s Polish edition, NEWSWEEK Polska.

Report Calls for International Coordination on Cybersecurity

The EastWest Institute and the Data Security Council of India released a report today laying out several recommendations to begin building the legal, technical and administrative foundations for an international system to secure cyberspace.

The study, The Cybersecurity Agenda: Mobilizing for International Action, calls for the collaborative use of defensive technology, information gathering, astute analysis and traditional diplomacy to defend global information and communications systems.

Above all, the study urges governments and businesses around the world to work not as competitors but as partners to ensure cybersecurity.

“No country or entity can achieve universal dominance in cyberspace,” said Kamlesh Bajaj, author of the report and CEO of the Data Security Council of India.

“All countries must work together to manage grave and growing cyber risks that can have a direct and devastating impact on the world’s people and economy.”

Among the report’s recommendations: creation of an international network of national nodal centers that engage both public and private sectors; establishment of emergency response teams and an international clearing house to serve as an early-watch-and-warning system; and development of legal norms to address issues of territorial jurisdiction, sovereign responsibility and the use of force.

“Cybersecurity lies at the nexus of policy, law, ethics and national security,” said Bajaj.

“We cannot manage the risks inherent in cyberspace without the active involvement of private and public sectors around the world.”

“Businesses and governments must act immediately to catch up with the rapidly proliferating threats to the communications networks and the world’s digital economy,” added Greg Austin, Vice President of Program Development at the EastWest Institute.

“This report provides an extremely useful starting point, and we will work to ensure it gets the attention it demands.”

Source: Security Watch
Source Author: Janet Harris

Technical and Policy Expertise Come Together for Cybersecurity

The EastWest Institute and the IEEE Communications Society, the world's premier professional society focusing on communications technology, have joined forces to develop new solutions and mobilize international action to ensure worldwide cybersecurity.

The two organizations signed a memorandum of understanding on May 4, 2010, at the first Worldwide Cybersecurity Summit in Dallas. The MOU commits both organizations "to work together to better promote the safety, stability and security of cyberspace."

Under the agreement, the IEEE Communications Society will bring essential technical expertise in hardware, software and networks to the Worldwide Cybersecurity Initiative and help build the technical foundation for international cybersecurity measures. Meanwhile, EWI will bring its reputation as a global policy change agent and help build trust and mobilize resources to develop and implement such measures.

The partnership between EWI and the IEEE Communications Society is an innovative combination of technical and policy expertise. Such a partnership is critical to understand threats and vulnerabilities in cyberspace, devise solutions to address them and build international consensus to implement these solutions.

The two organizations have already started working together, producing groundbreaking reports such as The Reliability of Global Undersea Communications Cable Infrastructure. In creating this formal partnership, they will intensify their efforts to ensure cybersecurity and work together to meet their joint goal "to improve the world by making it safer and better for humanity."

