Surf security calls for cyber situation awareness

Cross-border cyber attacks have led to a need for strategies from both state and private organisations

Syrian president Bashar al-Assad: the Syrian Electronic Army attacked the BBC and Guardian

Syrian president Bashar al-Assad: the Syrian Electronic Army attacked the BBC and Guardian

 

As cyber concerns cross new technologies and territories it creates a need for a better understanding of the borders of “cyber-space”; a need for “cyber situation awareness”.

The ongoing saga of Edward Snowden underlines the fact that “knowledge is power and wisdom is control”.

However, the recent allegations about the bugging of EU offices by US intelligence demonstrates that, in its pursuit of knowledge, the US has compromised its earlier control over increasingly unfriendly trade relations – in this case with the European Union.

Should the EU choose to make judicious use of this situation, it can forgo internal divisions and forge a cohesive institutional-level response during the upcoming free-trade agreement discussions.

The US, having lost the chance of some principled posturing against China, has scored an own goal with Europe.

All this comes within weeks of the Chinese government somewhat isolating the county of Hongyuan, by curbing the ability of its ethnic Tibetan population from communicating beyond its boundaries.

Meanwhile the South Korea government issued a cyber alert at the end of last month, after a hacking attack on its government websites marking the anniversary of the start of the 1950-53 Korean War.

The latest incident comes on the heels of an earlier cyber attack in March, during which 32,000 South Korean computers were affected (in the state that has the world’s fastest internet connection).

The increasing use of cyber attacks as a means of inciting diplomatic tension has opened up a new area of concern for governments and the private sector alike.

On June 10th and 11th Chatham House (also known as the Royal Institute of International Affairs) hosted a meeting on cyber security called Balancing Risks, Returns and Responsibilities.

The congregation of cyber specialists was timely in light of recent tip-of-the-iceberg revelations regarding Prism, the code-name for the US government’s secret internet surveillance programme that collects customer data from internet and phone companies.

The Prism predicament involves issues of public information, privacy laws and patriotism.

Since its inception in 2007, Prism has become the US National Security Agency’s main source of raw intelligence, building “libraries of information” on citizens and competitors alike.

The legal ambiguity of Prism and cyber power is at the heart of the coordination problem for civil-liberty advocates, just as it is for governments.

As yet, there is no agreed legal framework for response to cyber attacks or cyber intrusions. The Prism revelations are all the more damaging since they increase demands for rule changes at a time when the capacity of states to implement legislative and regulatory change is limited.

At Chatham House a clique of the international cyber-security community contemplated how to combat the growing array of cyber threats.

All cyber attacks are not equal; even the most severe attacks are below the conventionally understood military threshold.

A cyber conflict between states, and non-state groups using cyber capabilities to attack each other for political or security purposes, is the priority for protagonists and policy makers alike.

Cyber crime encompasses any criminal act mediated through cyberspace, for example targeting critical infrastructure most vulnerable to direct “denial of service” (DoS) and cyber-attacks.

US-based banks – Bank of America, JP Morgan, PNC and Wells Fargo – were subjected to initial attacks in September 2012 and these were promptly followed by attacks on energy companies (Aramco in December 2012) and telecommunication firms, all mapping a discernible shift in the geographical activities of cyber warfare.

Attacks notwithstanding, the internet has proved remarkably resilient to cyber crime and, as a system of information sharing and commerce, it has thrived within the private sector rather than as a public-run and owned system.

Government bodies are behind the curve in their ability to either pre-empt or contain attacks.

Constrained by budgets and a limited capacity, governments are careful to avoid hastily agreeing to legislative measures.

Nevertheless, European cyber security agreed a legal framework that allows for a system of attribution and enforcement: an internet governance framework might prove promising.

The strategy acknowledges that, with rare state exceptions, advances in cyber security reside in the private domain.

The consensus reached is that what’s needed now is a non-state centric national and European regional security strategy.

Data access to gauge the size and scale of risks is hindered by incomparable data access globally.

In the Middle East, for example, data is not as accessible as it is in Europe or the US, though recent attacks on the BBC, the Guardian and the Associated Press (AP) by the Syrian Electronic Army (SEA), representing Syrian president Bashar al-Assad, illustrates the capacity to wield cyber power.

An associate, Rodrigo Bijou, observed recently, in the Harvard Law Review, that the attack on Saudi Aramco, which supplies a 10th of the world’s oil, “failed to disrupt production but was one of the most destructive hacker attacks against a single business site”.

Moreover, the Middle East North Africa region is “increasingly susceptible to threats and cyber-attacks, threatening to escalate risk and undermine economies already susceptible to capital flight”.

The Middle East region would benefit as readily as Europe from a non-state-centric national and, in time, regional cyber-security strategy.


Mark Dempsey, along with Dr Shelley Deane and Tristan Salmon, runs Brehon Advisory. The UK-based company provides strategic advisory and mediation services to governments, private companies and international donors. It’s currently examining cyber security in the Middle East North Africa region.