The threat from the internet
Cyberwar
It is time for countries to start talking about arms control on the
internet
July 3rd 2010
THROUGHOUT history new technologies have revolutionised warfare,
sometimes abruptly, sometimes only gradually: think of the chariot,
gunpowder, aircraft, radar and nuclear fission. So it has been with
information technology. Computers and the internet have transformed
economies and given Western armies great advantages, such as the
ability to send remotely piloted aircraft across the world to gather
intelligence and attack targets. But the spread of digital technology comes
at a cost: it exposes armies and societies to digital attack.
The threat is complex, multifaceted (having many different parts) and
potentially very dangerous. Modern societies are ever more reliant (to
need a particular thing or the help and support of someone or something
in order to continue, to work correctly, or to succeed OR to trust someone
or something or to expect them to behave in a particular way) on
computer systems linked to the internet, giving enemies more avenues of
attack. If power stations, refineries, banks and air-traffic-control systems
were brought down, people would lose their lives. Yet there are few, if
any, rules in cyberspace of the kind that govern (to have a controlling
influence on something) behaviour, even warfare, in other domains. As
with nuclear- and conventional-arms control, big countries should start
talking about how to reduce the threat from cyberwar, the aim being to
restrict attacks before it is too late.
The army reboots
Cyberspace has become the fifth domain of warfare, after land, sea, air
and space (see article). Some scenarios imagine the almost instantaneous
failure of the systems that keep the modern world turning. As computer
networks collapse, factories and chemical plants explode, satellites spin
out of control and the financial and power grids fail.
That seems alarmist (DISAPPROVING - intentionally showing only the bad
and dangerous things in a situation, and so worrying people OR someone
who makes people worried by telling them about bad or dangerous things
when it is not necessary or helpful) to many experts. Yet most agree that
infiltrating (to move slowly into a substance, place, system or
organization OR to secretly become part of a group in order to get
information or to influence the way that group thinks or behaves)
networks is pretty easy for those who have the will (mental power),
means and the time to spare. Governments know this because they are
such enthusiastic hackers themselves. Spies frequently break into
computer systems to steal information by the warehouse load, whether it
is from Google or defence contractors. Penetrating networks to damage
them is not much harder. And, if you take enough care, nobody can prove
you did it.
The cyber-attacks on Estonia in 2007 and on Georgia in 2008, the latter
strangely happened to coincide (to happen at or near the same time) with
the advance of Russian troops across the Caucasus, are widely assumed
to have been directed by the Kremlin, but they could be traced only to
Russian cyber-criminals. Many of the computers used in the attack
belonged to innocent Americans whose PCs had been hijacked.
Companies suspect China of organising mini-raids to ransack (to search a
place or container in a violent and careless way) Western know-how
(practical knowledge and ability): but it could just have easily been
Western criminals, computer-hackers showing off or disillusioned
(disappointed and unhappy because of discovering the truth about
something or someone that you liked or respected) former employees.
One reason why Western governments have until recently been reticent
(FORMAL - unwilling to speak about your thoughts or feelings) about cyber-
espionage is surely because they are dab hands (INFORMAL - someone who
is very good at a particular activity) at it, too.
As with nuclear bombs, the existence of cyber-weapons does not in itself
mean they are about to be used. Moreover, an attacker cannot be sure
what effect an assault will have on another country, making their
deployment highly risky. That is a drawback (a disadvantage or the
negative part of a situation) for sophisticated military machines, but not
necessarily for terrorists or the armies of rogue states. And it leaves the
dangers of online crime and espionage.
All this makes for dangerous instability. Cyber-weapons are being
developed secretly, without discussion of how and when they might be
used. Nobody knows their true power, so countries must prepare for the
worst. Anonymity adds to the risk that mistakes, misattribution (when
something is mistakenly attributed to a particular person or thing, for
example when it is said to be the work of someone else or the result of
something else) and miscalculation will lead to military escalation—with
conventional weapons or cyberarms. The speed with which electronic
attacks could be launched gives little time for cool-headed reflection and
favours early, even pre-emptive, attack. Even as computerised weapons
systems and wired infantry have blown away (INFORMAL - to defeat
someone or something completely, especially in a sports competition)
some of the fog of war from the battlefield, they have covered cyberspace
in a thick, menacing (making you think that someone is going to do
something bad) blanket of uncertainty.
One response to this growing threat has been military. Iran claims to
have the world’s second-largest cyber-army. Russia, Israel and North
Korea boast efforts of their own. America has set up its new Cyber
Command both to defend its networks and devise attacks on its enemies.
NATO is debating the extent to which it should count cyberwar as a form
of “armed attack” that would oblige its members to come to the aid of an
ally.
But the world needs cyberarms-control as well as cyber- deterrence.
America has until recently resisted weapons treaties for cyberspace for
fear that they could lead to rigid (stiff or fixed; not able to be bent,
moved, changed or persuaded) global regulation of the internet,
undermining the dominance of American internet companies, stifling
(preventing something from happening) innovation and restricting the
openness that underpins (to give support, strength or a basic structure to
something) the net. Perhaps America also fears that its own cyberwar
effort has the most to lose if its well-regarded cyberspies and cyber-
warriors are reined in (to control an emotion, activity or situation to
prevent it from becoming too powerful).
Such thinking at last shows signs of changing and a good thing too.
America, as the country most reliant on computers, is probably most
vulnerable to cyber-attack. Its conventional military power means that
foes (LITERARY - an enemy) will look for asymmetric (when an enemy is
militarily weaker, it will try to take advantage of the other countries
weaknesses, not only military options) lines of attack. And the wholesale
(affecting almost everything or everyone) loss of secrets through
espionage risks eroding (to slowly reduce or destroy) its economic and
military lead.
Hardware and soft war
If cyberarms-control is to America’s advantage, it would be wise to shape
(to form) such accords (a formal agreement) while it still has the upper
hand (advantage) in cyberspace. General Keith Alexander, the four-star
general who heads Cyber Command, is therefore right to welcome
Russia’s longstanding calls for a treaty as a “starting point for
international debate”. That said, a START-style treaty may prove
impossible to negotiate. Nuclear warheads can be counted and missiles
tracked. Cyber-weapons are more like biological agents; they can be
made just about anywhere.
So in the meantime countries should agree on more modest accords, or
even just informal “rules of the road” that would raise the political cost of
cyber-attacks. Perhaps there could be a deal to prevent the crude “denial-
of-service” assaults that brought down Estonian and Georgian websites
with a mass of bogus (false, not real or not legal) requests for
information; NATO and the European Union could make it clear that
attacks in cyberspace, as in the real world, will provoke (to cause a
reaction, especially a negative one) a response; the UN or signatories of
the Geneva Conventions could declare that cyber-attacks on civilian
facilities are, like physical attacks with bomb and bullet, out of bounds (If
an area is out of bounds, people are not allowed to go there) in war; rich
countries could exert (to use something such as authority, power,
influence, etc. in order to make something happen) economic pressure on
states that do not adopt measures to fight online criminals. Countries
should be encouraged to spell out their military policies in cyberspace, as
America does for nuclear weapons, missile defence and space. And there
could be an international centre to monitor cyber-attacks, or an
international “duty to assist” countries under cyber-attack, regardless of
the nationality or motive of the attacker—akin (similar; having some of
the same qualities) to the duty of ships to help mariners in distress.
The internet is not a “commons”, but a network of networks that are
mostly privately owned. A lot could also be achieved by greater co-
operation between governments and the private sector. But in the end
more of the burden (a heavy load that you carry OR something difficult or
unpleasant that you have to deal with or worry about) for ensuring that
ordinary people’s computer systems are not co-opted (to include someone
in something, often against their will) by criminals or cyber-warriors will
end up with the latter (the second of two people, things or groups
previously mentioned) —especially the internet-service providers that run
the network. They could take more responsibility for identifying infected
computers and spotting (to see or notice someone or something, usually
because you are looking hard) attacks as they happen.
None of this will eradicate (to get rid of completely or destroy something
bad) crime, espionage or wars in cyberspace. But it could make the world
a little bit safer.