Sixth Plenary Session - Q&A

6th Plenary Session: Prof François Heisbourg, Chairman, IISS

 

The 8th IISS Global Strategic Review  

'Global security governance and the emerging distribution of power'

 

Geneva  

Sunday 12 September 2010 

 
Sixth Plenary Session
Cyberpower and Strategy
Q&A
 

Martin Libicki
Senior Management Scientist,
RAND Corporation
 

Heli Tiirmaa-Klaar
Senior Advisor to the Undersecretary,
Ministry of Defence, Estonia 

 

  

Dr Lee Chung Min, Adjunct Senior Fellow for Asian Security Affairs, IISS


My two small questions are to Dr Libicki.  Firstly, data mining is becoming humanly impossible in the sense that if you look at all the data that is coming from the drones in Afghanistan and elsewhere, with every port and open source literature, the information is so steep that it is becoming difficult for ground commanders to really understand exactly what is and what is not critical.  From your perspective, does this impinge upon data security?

My second question is more specific.  As we rely on a new generation of unmanned vehicles - land, air or sea - are these systems vulnerable to any cyber attacks by nation states, cyber warriors or others?  Are there built‑in firewalls to these unmanned systems that, in your opinion, give the US or other militaries a built‑in advantage?  Thank you.

Nigel Inkster, Director of Transnational Threats and Political Risk
Thank you very much.  This question is, I think, primarily to Martin Libicki, but probably to both speakers, who have concurred around the proposition that deterrence in cyberspace is not a realistic option.  It is however the case that, for quite some while now, Russia and the United States have been in, to date, unproductive discussions about the possibility of what might be termed an ‘arms control’ approach to cyberpower and cybersecurity.  The essential elements of which would seem to be - at least in terms of the Russian proposals - a formal agreement to seek to limit cyber espionage and cyber exploitation in its various forms.  The United States has been, understandably, not very enthusiastic about this.

One is starting to hear discourse from the United States to suggest that there may in fact be scope for international negotiation to try to define certain categories of behaviour in cyberspace which might be agreed internationally to be unacceptable, even if they cannot actually be stopped.  I wonder if I could get your comments on this option, please.

Major General Golam Mohammad, Director-General, Bangladesh Institute of International and Strategic Studies
I am from Bangladesh.  Thank you very much for mentioning Bangladesh.  Although it is a developing country, the use of IT is already proliferated in our country.  I have a concern, to some extent, about our dependence on software and the software part of the hardware, about which we do not have complete knowledge.  I will clarify this a little.

When Windows 95 came onto the market, a few months later we were told that there were ‘Easter eggs’ inside Windows 95.  This means that if you execute certain definite keystrokes it shows an altogether different programme.  We also found ‘Easter eggs’ in Microsoft Excel.  My concern is that the codes of these programmes - Microsoft Windows or Oracle Solaris, for example - with the possible exception of Linux which is an open source, they have their code copyrighted and secret and we do not know whether there is some sort of malicious programming code incorporated there.  There is no system involved to check the code to ensure that there is no such malicious thing.

This is possibly, as I understand it, a matter of great ponderous for us, and a global security concern also.  It could be a time‑bound instruction that could be executed at a point of time.  In terms of this concern, could we have a policy in future - or something similar - so that all products can be checked, scrutinised rigorously, and that safety is ensured?

Brigadier Benjamin Barry, Senior Fellow for Land Warfare - Designate, IISS
My question is from the point of view of a regime or near‑state actor who was confrontational, anti‑Western and hostile.  If it wished to engage in some aggression or repression, a possible significant target could be the news media, both that of the state concerned or the international news media networks.  You can see scenarios, for example, where the shutting down of CNN, Sky and the BBC for 48 hours would be a great advantage.  Do you know if these news media organisations are as well organised on cybersecurity as they should be?

Benjamin Bilski, Faculty of Law, University of Leiden
I have a question about the military uses and also the laws of armed conflict and deterrence.  I remember reading an interesting paper written in the late 1990s concerning to what extent the laws of armed conflict apply to cyber attacks, and to what extent the interpretations of Article 2(4) or Article 51 of the UN Charter apply to cyber attacks or not.  The scholar argued that you should not look at the nature of the attack, but you should look at the nature of the consequences, to determine whether or not it is an act of war.  But of course NATO lawyers could not determine that it was a breach of Article 5 when the Estonian attacks happened.

On the question of deterrence, in 1994 or 1995 NATO members considered launching a cyber attack in the Bosnian war, but eventually did not for two reasons.  Firstly, it may shut down hospitals, which would violate international humanitarian laws.  Secondly, more importantly, they thought that it could also happen to them in response.  There was something of a balance of mutually‑assured annoyance.  When they thought about it for the first time, they in fact were both vulnerable and there was in fact some kind of deterrence in place.  I would like to know if you could say anything about that or the military role of it, and whether the offensive capabilities that are being developed - that nations do not really talk about - whether these are going to be used as leverage in a certain fashion that does include the same reasoning or logic of deterrence.

François Heisbourg
As I return to the panel, I would like to ask my own question.  It is related to the previous question, but not identical to it.  To what extent, notably Martin, do you believe that counteroffensive cyberpower should be a part of your doctrine and your organisation in this sphere?  Even if you have attribution problems, there are still a number of systems that you can and might want to use.

As I was listening to Chung Min Lee’s question, I was reminded of a story which I read recently about incidents of insurgents in Iraq being able to download real‑time imagery from American UAVs, and therefore being able to see themselves what the Americans were seeing.  This opens all sorts of interesting horizons as to what could then follow.

Heli Tiirmaa‑Klaar

I will try to go quickly.  There were many questions, and many of them were too technical for me so perhaps Martin should have more time.  As for the data mining and non‑manned vehicles, as far as I understand it, the military systems should not be connected to the internet.  But of course it might happen that, in the mission area, for operational reasons, there might be some mixed capabilities in the public networks.  It therefore might happen that the non‑manned machinery could be attacked by some kind of virus code.

In terms of terrorism and norms in cyberspace, we talked earlier about the UN process.  There was a process, at the United Nations level, where a group of intergovernmental experts put together a report looking at the issues of a need for arms control mechanisms in cyberspace.  The report concludes that what we need is actually a general norm that the countries refrain from attacking each other’s civilian critical infrastructure.  We need to endorse moral behaviour in cyberspace because this is the global good for all mankind.  There is a moral argument that no responsible international actor is going to have a devastating cyber attack on another international actor.  That is the norm‑building behaviour that is desirable at the international behaviour, but not a binding treaty.

We talked about the dependence on software and policy on safety.  There are interesting proposals currently in the policy‑making circles from the European countries that compared cyber viruses.  One of the proposals is to actually have the governance model as we have it with the World Health Organisation, when a doctor detects a deadly virus and must block the spread of that virus.  Some kind of authority can then deal with the spread of that virus.  All of these ideas are around; people in the policy‑making circles are currently discussing these ideas in Europe.

The news media is of course a target. I hope they are well defended. I think they have been targeted and they will have learned from that.

In terms of the UN Charter and Article 5, there is currently a consensus that we do not put cyber issues on Article 5 tickets because Article 5 needs to stay Article 5.

The question of counteroffensive cyberpower is a very technical issue so I turn to Martin for that.

Martin Libicki

Data mining is really a different subject.  I will skip it, unless I hear a re‑bid on that one.

I will first go to the question raised about real‑time imagery.  It was noted that insurgents in Iraq had intercepted real‑time imagery from UAVs.  Pretty much if you have anything that radiates energy and you have not encrypted the signal, somebody else is going to pick it up.   I have been told that there were plans to encrypt it, but they had not done it yet.  Do not take me as an authority on that particular story though.

To have an unmanned vehicle you are subject to two sorts of risks.  The first risk is that you may not be able to communicate with it because of electronic warfare reasons or other reasons such as the ambience or the environment.  The other risk is the possibility that someone will get on that channel and interrupt your instructions going to that item.  By and large, if you were really worried about this, there are many things that you can do, which are to do with encryption, digital signatures, hardwiring, and so on.  I do not want to sound too snide about this, but if you really have enough money to use these instruments, spend a little more to make sure that the equipment is encrypted, because otherwise you are not doing yourself any favours.  There are many ‘hard to solve’ problems in cyber war, and this is not one of those ‘hard to solve’ problems; this is actually technically relatively easy.

I now turn to the discussions about limiting computer network exploitation and norms.  I am aware of efforts.  There are a lot of people who are sceptical about signing treaties that are completely unenforceable.  Some people say that we should sign treaties to have norms; others say there is no point.  At that point, you are really getting into International Relations writ large.  On this, I sort of have two points of view.  One view is that it cannot hurt.  The other one is that whenever you forbid behaviour by two parties, the people who are more transparent will be much more constricted than the people who are less transparent.  You have to take that into account when you enter into negotiations.

If we are going to have norms we have to be very specific.  We are not going to stop espionage.  We might be able to curtail espionage against non‑national security targets.  I have a much longer list of what I think is the art of the possible and the art of the not‑possible. 

There is an interesting question that has yet to come up.  Let me give you an example.  I am making a product.  I take advantage of information stolen on another product through computer network espionage.  I introduce the product to the market.  Do countries have the right to ban that product from their markets?  We do ban products from our markets if they violate patents.  Should the violation of intellectual property rights be considered equivalent to that?  I am only going to raise the question.  I am certainly not a trade lawyer, but I think it is worth a certain amount of consideration.

A question was raised about open source software, and I hate to be in the anomalous position of trying to defend Microsoft, but let me actually try to do that.  There are ‘Easter eggs’ in Microsoft products.  They are usually there for the amusement of programmers who, goodness knows, need the amusement.  Microsoft has done a lot of work to show their source code - most of their source code - to a lot of governments, including the United States and China, and there may be some others, in terms of gaining trust.  That does not mean that the little piece they have not shown does not have an ‘Easter egg,’ but I just do not see any motive from Microsoft to do that sort of thing.  Most of the people who worry about Microsoft code worry about Microsoft getting into bed with Hollywood to enforce intellectual property rights on entertainment.  But that was a fear that was expressed five years ago.  Now everybody worries about Apple and iStore and things of that nature.  If you really are worried about it, there is always Linux.  But, as the Microsoft people say, then you have to maintain it on your own and ‘good luck.’  You pay your money; you take your chances.

There was a question about the news media.  There are two threats to the news media.  I am not worried about the threats to satellite except from electronic warfare.  If you have cyber threats from your satellite you have a really poorly run satellite system.  Distributed denial of service (DDOS) attacks against media are possible and there are a lot of people such as Google, Akamai, Tulip Services – I hope I have not slighted anybody – who will work on your DDOS problems for a small fee.  You basically want to make friends with people who have lots and lots of fibre[?] and stick your sites on their network.  The nice thing about cyber war is that you can not only outsource offence, as we have seen in the case of Estonia; you can outsource defence.  You can outsource the whole thing and sit back and take casualties, I guess.

Military use in the laws of war is a great idea in theory, but in practice I am a little sceptical about it because of the difficulty of predicting collateral damage.  We do not have the physical models that allow us to have that prediction of collateral damage that we have in cyberspace.  There was a man called John Deutch who in 1996 testified before Congress that the electron is the ultimate precision weapon.  I’m sorry John, but that is utter crap.  There is so much potential for collateral damage.  Not because the weapon is not precise, but because your knowledge of the target is highly imprecise.  If you get to issues such as the guy who makes his hospital look like a military base, in other words to make non-targets look like targets and vice versa, that is so much more difficult in cyber war.  All I can say is that if you are a nice, international lawyer I look forward to you trying to adjudicate any of those courses in law.  The first thing that you are going to have to do is find a judge who understands the technology in the first place, and good luck on that one.

The use of cyber in Kosovo was mooted and I think it was a good thing that it was rejected.  There are a lot of military folk who complain about lawyers, but then there are a lot of lawyers who complain about military folk; I do not feel sorry for either of them.  Here’s the problem: A lot of people in Serbia kept their accounts in foreign banks.  If you wanted to zero out their accounts you would end up attacking a foreign bank, and if some of those banks are in Greece will NATO start declaring war on Greek banks?  That did not seem to make a great deal of sense.  In deference to my host country I will not even start to talk about Swiss banks.  However, that is one thing that you really do not want to get started.

Regarding the counter-offensive on cyberpower, should capable countries develop cyber capabilities for use in military conflicts?  The answer is that there is no good reason why not.  If we think it is legitimate to bomb a surface-to-air missile and take it out, it is equally legitimate to try to take it out using what the military calls non-kinetic means.  Should the United States or any other country try to take out civilian infrastructure with offensive weapons?  Every time you hit someone over the head you engender two reactions, fear and anger, or maybe annoyance.  I think that if you go after somebody’s infrastructure you will engender a lot more annoyance and anger than you will fear, for a lot of technical reasons.  I do not think it is a particularly good weapon, and I think that it legitimises something that is not in the interests of the Western countries to legitimise. 

I will now answer a question that nobody has asked but it has come up in my answers, and that is that there is a lot of interest in cyber war.  You see magazine covers with cyber warfare on them all the time.  You do not see magazine covers with electronic warfare on them, even though electronic warfare to a military professional is in fact far more applicable and far more of a danger to US and similarly-equipped militaries because we are depending on over-the-air signals all the time.  If I worried about these things at all I would spend a lot less time worrying that someone can take over a UAV (Unmanned Aerial Vehicle) and much more time that they could jam it.  Electronic warfare does not get the respect that it deserves because it is just not sexy.  Cyber warfare gets a lot more attention than it deserves because it is extremely sexy.  In 1996 there were three movies that hit the summer blockbuster circuit: Independence Day, Eraser and Mission: Impossible.  All of these films had their plot pivot on the act of cyber warfare.  If you are writing Hollywood plot, how do you show that somebody is really bright?  You show that he is a hacker.  You have to be suspicious about a form of warfare that Hollywood embraces so greatly and nobody else does.  With that, I will conclude my remarks.


Prof François Heisbourg

Thanks to both of our panellists for this absolutely fantastic and too short session.  Along with many in this room I have been exposed to quite a lot of discussion on cyber warfare. I said that the last one I attended was the best, but that is no longer true because the best session was today’s.
