CYBER SECURITY – the challenge of the nearest future
Article written for course EU after the Cold War taught by George Hays II, 3rd semester IRES, Metropolitan University Prague
– 1 | 16 –
CYBER SECURITY the challenge of the nearest future
Nikola Schmidt
1. Introduction
Cyber security is a discipline that the broad public finds hard to understand, even though it
covers problems we face daily when using our personal computers. On the one hand, we know
that some worms are stopped by our antivirus shields every day, and a small window on the
monitor informs us of the incident. We do not worry about the possible consequences of an
infection; if it comes to that, we take the computer to an IT "hospital" and expect the
"geeks" to cure it. On the other hand, there are highly dangerous worms capable of
shutting down electrical networks or taking control of devices at gas pressure stations, and
those can cause immediate injuries, consequential damage, or a chain of incidents such as
the shutdown of the critical infrastructure of modern society.
2. The origin of cyber security discipline
2.1. Background of the networks and its security
In 2002 the Hungarian physicist Albert-László Barabási wrote a book about networks: not only
about computer networks, but about network science itself as a discipline. This work began the
effort to uncover how everything in the world is connected (social relations, computer networks,
biological systems, etc.), how these networks behave, what rules apply to them and what
characteristics they have on a physical basis (Barabási, 2002). The most important outcome is
that everything that looks decentralized or chaotic tends to organize itself, and computer
networks are no exception: nodes in a seemingly chaotic network tend to form centers (hubs),
which then influence the rest. Barabási calls this the "rich get richer" effect. Hence, when
scientists were assigned to create the first communication network as a US government task,
the Arpanet created in 1969, the original goal could not be fully achieved, because these
principles apply. The task was to
create a decentralized communication network that could withstand a nuclear attack on a major
part of it. The network had to survive an attack on most of its nodes and still be able to
carry communication between two arbitrary surviving nodes. The problem is that networks tend
to form centers, and those are more vulnerable than the rest. The task could not be achieved
in the sense of a perfectly decentralized network, and the Internet that grew out of this
experiment inherited the same sensitive attribute: its hub-based character.
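The hub effect described above can be made concrete with a small simulation. The following is an added example, not code from the article or from Barabási: it grows a preferential-attachment (scale-free) graph and a random graph with the same number of nodes and edges in plain Python, then removes 15% of the nodes either at random or hubs-first and measures how much of the remaining network still hangs together. The graph sizes, the removal fraction and the seed are assumptions chosen for a quick run.

```python
"""Hubs make a network fragile: an added example, not from the article.

Two graphs of equal size and edge count are built in plain Python:
  * a Barabási-Albert graph, where each new node prefers to attach to
    nodes that already have many links, so a few hubs emerge;
  * a random graph with the same number of edges, where degrees stay
    roughly uniform.
Then a fixed fraction of nodes is removed, either at random (failure)
or highest-degree first (targeted attack), and the share of surviving
nodes that still sit in the largest connected component is measured.
Sizes, fraction and seed are assumptions chosen for a quick run.
"""
import random
from collections import deque


def barabasi_albert(n, m, rng):
    """Preferential attachment: start from a clique of m+1 nodes, then
    each new node adds m edges to existing nodes picked with probability
    proportional to their current degree (the 'rich get richer' rule)."""
    adj = {i: set() for i in range(n)}
    for i in range(m + 1):
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    # every node appears in the pool once per edge endpoint it owns,
    # so a uniform draw from the pool is a degree-weighted draw
    pool = [v for v in range(m + 1) for _ in range(m)]
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            pool.append(u)
        pool.extend([v] * m)
    return adj


def random_graph(n, n_edges, rng):
    """Uniformly random simple graph with exactly n_edges edges."""
    adj = {i: set() for i in range(n)}
    count = 0
    while count < n_edges:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v)
            adj[v].add(u)
            count += 1
    return adj


def edge_count(adj):
    return sum(len(nbrs) for nbrs in adj.values()) // 2


def largest_component(adj):
    """Size of the largest connected component (breadth-first search)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            x = queue.popleft()
            size += 1
            for y in adj[x]:
                if y not in seen:
                    seen.add(y)
                    queue.append(y)
        best = max(best, size)
    return best


def without(adj, victims):
    """Copy of the graph with the victim nodes and their edges removed."""
    victims = set(victims)
    return {v: {u for u in nbrs if u not in victims}
            for v, nbrs in adj.items() if v not in victims}


def survival(adj, fraction, targeted, rng):
    """Share of the remaining nodes still in the giant component after
    removing `fraction` of all nodes, hubs-first or uniformly at random."""
    k = int(len(adj) * fraction)
    if targeted:
        victims = sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]
    else:
        victims = rng.sample(list(adj), k)
    rest = without(adj, victims)
    return largest_component(rest) / len(rest)


def compare(n=2000, m=2, fraction=0.15, seed=7):
    rng = random.Random(seed)
    scale_free = barabasi_albert(n, m, rng)
    uniform = random_graph(n, edge_count(scale_free), rng)
    return {
        "scale_free_random_failure": survival(scale_free, fraction, False, rng),
        "scale_free_targeted_attack": survival(scale_free, fraction, True, rng),
        "random_graph_random_failure": survival(uniform, fraction, False, rng),
        "random_graph_targeted_attack": survival(uniform, fraction, True, rng),
    }


if __name__ == "__main__":
    for name, share in compare().items():
        print(f"{name:30s} {share:.2f}")
```

Run stand-alone it prints the four survival fractions. The random graph barely notices either kind of removal, and the scale-free graph survives random failure just as well, but hubs-first removal fragments it. That asymmetry is exactly the "centers are more vulnerable" property the Arpanet designers could not engineer away, and it also tells a defender where the monitoring budget should go.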
Cyber security is a very young discipline, and it does not enjoy the popularity of some other
security-related disciplines. At the very outset, the most important problem of cyber security
is its opacity to the broad public. Apple has been winning on the market in recent years
because of its philosophy of device design: a focus on simplicity and an easy-to-use approach.
This approach complicates broad acceptance of cyber security issues, because it does not push
people to think about the security settings of their own computer (or any other settings);
consumers are satisfied when everything comes prepared and set by default. Steve Jobs said
that a good application is one that works well without any settings being needed (Kahney,
2009). Because this approach appears to be successful, the world will not become more secure
but more vulnerable.
2.2. The origin of a problem on the side of the public
Cyber threats are hard to understand for anyone who has never faced a virus destroying their
data and the subsequent rebuilding of a hard drive. In the first years of personal computers,
viruses moved from computer to computer on diskettes, the first medium used for data transfer.
As data moved very slowly, because everybody had to copy it personally, antivirus software was
distributed very slowly as well. We could say that this world was highly separated, as the
people using computers and sharing data on diskettes were separated. Hence the networks and
their centers reflected social relations more than the relations between nodes on today's
Internet. The idea of releasing into the world a virus that could threaten world peace was
unimaginable just a decade and a half ago. It is not today.
Almost all computers are connected to the Internet, and most of them use centralized services
such as Facebook or Gmail. Those centers represent the most vulnerable parts of the Internet.
More and more people want more standardized systems, a minimum of settings and easy-to-use
operating systems, which is entirely understandable: they want to create something of value
with their computers, and a well-configured computer full of tweaks and nice icons is not the
value they seek. Hence the computer must be as simple as possible and provide a maximum of
easily accessible services. But the world that is approaching will be more vulnerable than
before, and all those go-easy people will be part of it. The more computers are connected, the
more other devices are synchronized and connected to whole local networks, and the better new
kids are educated in hacking those networks, the more vulnerable the world becomes. At this
point governments matter.
2.3. The origin of the problem on the side of governments
Governments are responsible not only for public health but will in the near future also be
responsible for the security of personal computers, which can disrupt a whole country for hours
or days simply by connecting to an infected Facebook. Governments are also responsible for a
wide variety of public services such as the water or electricity supply. Those services are
taken for granted today, but the computers running the chains of machines that provide them
are vulnerable as well. Disrupting those machines could have a strategic or symbolic motive.
Contemporary attacks against states are rare, but they target computers within the state that
could harm state interests (Nazario, 2010).
Taking down air defenses with cyber weapons during Israel's 2007 air attack on Syria was a
strategic approach per se (Fulghum, Wall, & Butler, 2007). In this case both the target and
the attacker, i.e. the source of the attack, were clear: Israel attacked Syria's systems to
support its own air strike and to prevent collateral damage. This type of cyber-attack can be
classified as a military one without any confusion.
A worm called Stuxnet, which was found more than a year after its launch, was probably
intended to take down centrifuges in Iran, since more than half of the affected computers were
in Iran (Geers, 2011). The most problematic issues with Stuxnet are, firstly, its unknown origin; secondly,
that it affected thousands of computers around the world, because it was designed to
maliciously manipulate common commercial software; and thirdly, that for a whole year nobody
knew it existed and was operating on the Internet (Falkenrath, 2011). The question that arises
at this point is whether commercial companies will cooperate, or be forced to cooperate, with
governments when they are not the origin of the threat but only a pathway between adversaries.
This is not the only question that raises a dilemma to be resolved in the future. Stuxnet is
simply evidence that half a megabyte of malicious code of unknown origin can harm highly
sensitive systems such as nuclear ones. This fact must interest governments.
2.4. The origin of cyber-security discipline
The US Department of Defense named the cyber dimension a military domain alongside land, sea,
air and space in the Quadrennial Defense Review Report (DoD, 2010). Before that, cyberspace
had been understood more as a tool than as a whole domain. Politicians and the public had to
be convinced that the threat is serious and that the attacker could be a clever individual
rather than a strong state (Geers, 2011). This has been proven several times. For instance, we
can recall the attack by Mafiaboy (Barabási, 2002; Geers, 2011), a fifteen-year-old who
knocked out the networks of the most important commercial giants, such as eBay and Yahoo, for
hours or days and caused damage counted in millions of dollars. He did it from his home
computer. The mentioned Israeli cyber-attack on Syria and Stuxnet are well-chosen examples
demonstrating that attacks by one state to harm another exist and can be evaluated at the
military level. Mafiaboy taught us that there is no age limit for hackers who could harm world
security.
We should fairly say that this discipline has only found its place at the political level in
recent years. The first dedicated cyber threat analysis center was established in Tallinn,
Estonia in 2008: the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE). It is
neither under NATO command nor funded by NATO, but provides a wide range of analytic products
to NATO nations on an independent basis and is funded by the nations directly. CCD COE was
established "to enhance the capability, cooperation and information sharing among NATO, NATO
nations and partners in cyber defence by virtue of education, research and development,
lessons learned and consultation" (CCDCOE, 2011). At the level of IT specialists, the
beginning can be placed in 1995, when the first standards of computer
security were written (Bosworth & Kabay, 2002). Those standards are the first widely accepted
standardized methods to be followed in order to defend computers against external threats.
On the other hand, in 2010 we find eight governmental agencies analyzing and facing
cyber-attacks on the United States (Joubert, 2010). The US administration has been searching
for a way to tackle cyber threats. The Clinton administration put emphasis on the cyber threat
in Presidential Decision Directive/NSC-63 of 1998, which focused on securing the critical
infrastructure of the nation state. This directive was superseded by Homeland Security
Presidential Directive-7 on 17 December 2003 (DHS, 2008). In the same year the US
administration created The National Strategy to Secure Cyberspace (TheWhiteHouse, 2003).
This strategy was created to establish a communication and organizational framework for the
agencies concerned with cyber security and to raise capabilities in this domain. Under this
National Strategy several exercises, such as Cyber Storm I and II, were conducted to prepare
all related capabilities for a possible cyber-attack (Geers, 2011; Joubert, 2010).
3. Environment prepared for cyber attack
3.1. Events involved in cyber security related situations
I mentioned that according to Barabási's theory of networks, all nodes within a chaotic
organization tend to organize themselves. A more detailed explanation, using a better example,
is the fact that not all websites are equally important and not all people are equally
important, so, for instance, not all people are under the same surveillance. People around the
world connect to different web servers, or look for partners, according to their preferences.
This behavior creates more-visited and less-visited sites. The number of visitors makes a site
important, and a rising number of visitors raises the site's position in search engines.
Consider Facebook: 800 million users is a high number, but the most important number is that
400 million connect every day (Facebook, 2011). This makes Facebook the best place for
distributing any malicious software; it is the center of a social network between people,
provided by the Internet and the Facebook service. If users were not permitted to use Facebook
at work on sensitive computers connected to sensitive local networks, they would be infected
differently. For example, in 2008 a military computer in the Middle East was infected by a
virus carried on a USB flash drive rather than by a direct attack over the Internet (Lemos,
2010). According to the same article, almost 50% of US companies have been infected via USB
flash drives, simply because home computers are not under the supervision of experienced
administrators, as company computers are, yet the same USB sticks are used on both, on the
same day, by inexperienced users.
Firstly, people tend to make their lives comfortable. Most of them do not want to be computer
geeks, so they choose the simplest, most attractive, functioning and accessible solutions, and
those are not solutions that require participation in security matters. Secondly, employers
cannot forbid their employees to use their home computers merely as a precaution. Thirdly,
there will always be equipment such as USB sticks capable of carrying malicious software past
firewalls through human error, or there will always be security holes in firewalls on direct
connections. Hence the human factor, and the performance that determines human reliability,
cannot be changed significantly, and it will remain the most used method of attacking
computers, because reliability only changes the probability of error. As in Zeno's paradox of
Achilles and the tortoise, there will always remain some portion of possible error. For an
attacker using zombie computers or botnets (see chapter 3.2 below), a small portion of error
is a huge hole. Facebook with almost one billion users must be an incredible bait for any
hacker trainee, and the data of 100 million users harvested last year is the evidence (BBC,
2010). The fact that the data were probably not abused but only collected by an unknown
hacker and published via torrent¹ is evidence of his or her exhibitionism or a demonstration
of power: the power of the individual, and this power matters.
3.2. Cyber-attack targets and weapons
There are three basic forms of cyber-attack, according to what the hacker wants to achieve.
The first targets the confidentiality of data, the second the integrity of information, and
the third the availability of computers, the DoS (Denial of Service) attack (Geers, 2011). An
attack on confidentiality means stealing sensitive information and using it for purposes its
owners never intended. Through such attacks hackers are able to build whole ghost networks, also called
¹ BitTorrent is a peer-to-peer technology for downloading files that are, in practice, impossible to remove from the
Internet, because they are held on thousands of computers in dozens of copies. A torrent tracker only tracks which parts of
the file are available and lets downloaders obtain each part from other downloaders who already have it.
botnets, which are capable of carrying out the final attack on any target without the attacker
being traceable back (Nazario, 2010). Integrity of information is less known but also highly
problematic: hackers change data to suit their own intentions. This can consist of altering
data on a website for a certain time, or redirecting domains to malicious websites. It also
includes the theft of key data for criminal or military purposes such as sabotage. The third
form of attack affects the availability of computers, or of the services they usually provide,
and includes the well-known DoS attack. A DoS attack consists mainly of a huge number of
requests sent from botnets to one particular server, taking the server down by exhausting its
capacity. Conducted in a chain, it could harm whole server farms and take down key services,
such as Syria's air defense before the Israeli air strike (Geers, 2011). It is important to
emphasize that a DoS attack cannot simply be shut out preventively by firewalls, because
closing a port with a firewall is still a response of the server: even restricted access
produces a response, and every response costs processing time.
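The distributed DoS described above is what makes per-source blocking insufficient, and the point can be shown with a few lines of detection logic. This is an added example, not from the article: it runs over constructed access-log lines in an assumed format (`<epoch_seconds> <src_ip> <method> <path> <status>`) and keeps two counters per one-second bucket, requests per source and requests per target path. A single noisy client trips the per-source limit, while a botnet that spreads the same load over many addresses stays under it and is caught only by the aggregate counter. The thresholds are assumptions.

```python
"""Spotting a denial-of-service flood in access logs: an added example,
not from the article. The log format and thresholds are assumptions and
the log lines are constructed for the demo."""
from collections import defaultdict

PER_SOURCE_LIMIT = 20    # requests per second tolerated from one address
AGGREGATE_LIMIT = 100    # requests per second tolerated on one target path
MIN_SOURCES = 10         # "distributed" means at least this many sources


def parse(line):
    """Constructed format: '<epoch_seconds> <src_ip> <method> <path> <status>'."""
    ts, src, _method, path, _status = line.split()
    return int(ts), src, path


def analyse(lines):
    """Return a list of (kind, second, path, detail) alerts, one per
    one-second bucket in which either limit is exceeded."""
    buckets = defaultdict(lambda: {"total": 0, "by_src": defaultdict(int)})
    for line in lines:
        ts, src, path = parse(line)
        bucket = buckets[(ts, path)]
        bucket["total"] += 1
        bucket["by_src"][src] += 1

    alerts = []
    for (ts, path), bucket in sorted(buckets.items()):
        noisy = sorted(s for s, c in bucket["by_src"].items() if c > PER_SOURCE_LIMIT)
        if noisy:
            # one address alone exceeds the per-source limit: block-able
            alerts.append(("single-source flood", ts, path, noisy))
        elif bucket["total"] > AGGREGATE_LIMIT and len(bucket["by_src"]) >= MIN_SOURCES:
            # every source stays under its limit, yet the target is swamped
            alerts.append(("distributed flood", ts, path, len(bucket["by_src"])))
    return alerts


def sample_log():
    """Constructed traffic: one quiet second, one single-source burst,
    one botnet burst in which no bot exceeds the per-source limit."""
    lines = []
    for i in range(8):                       # t=1000: ordinary browsing
        lines += [f"1000 198.51.100.{i + 1} GET /index.html 200"] * 3
    lines += ["1001 203.0.113.9 POST /login 200"] * 50   # t=1001: one client
    for i in range(50):                      # t=1002: 50 bots, 3 requests each
        lines += [f"1002 192.0.2.{i + 1} GET /search 200"] * 3
    return lines


if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```

The detector flags rather than blocks: as the text notes, even dropping packets at the edge costs processing time, and the practical response to a distributed flood is upstream capacity and filtering rather than one rule per bot address.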
I wrote earlier about the self-indulgence of ordinary computer users. They are the most
powerful weapon of all. It is not about taking down a huge firewall on a huge system in one
sophisticated attempt, with the administrator receiving a log of what happened. It is all about
invisible penetration of security through human error (a USB stick with family photos, or one
successful chain on Facebook). If a hacker targets a sufficient number of people who are
willing to open malicious emails, or to copy infected photos to a USB stick they also use for
work, the networks will be vulnerable forever. There is no countable set of security holes that
could be covered. There will always be one particular hole for one particular attack, for a
particular span of time, for one pivotal attack on a particular date. Cyberspace is under
constant development by millions of developers. Security matters, but so far it is up against
kids who are still in training mode. "If the attacker is careless and leaves a large digital
footprint (e.g., his home IP address), law enforcement may be able to take quick action. If the
cyber attacker is smart and covers his digital tracks, then deterrence, evidence collection,
and prosecution become major challenges." (Geers, 2011, p. 36)
4. Answering to cyber threats and attacks
4.1. IPv6 protocol
The first problem is the technical character of the Internet. The communication protocol
IPv4 is almost as old as the Internet itself and offers a wide range of possibilities for
hiding one's identity. The new protocol IPv6 has been under development for years; it is
already implemented, but not widely used. In my own opinion it will be adopted in democratic
countries only with obstacles, because sooner or later it damages a core principle of the
Internet, anonymity. The only compelling technical argument is the limit on the number of IPv4
addresses, but this can be solved by NAT and local networks. Do we really need a fridge
connected to the Internet on its own IP address? We can solve it by forwarding specific ports
through the NAT in our router; hence we do not need it, and will not any time soon. But when
humankind is covering the whole solar system with technical devices, we will need it
immediately. It is a question of the perspective from which we look at the present day. The
discussion will be about technical issues, but its background will first of all be political
or security-related. It will be governments that are forced to make a decision, but the
transition will be slow and complicated (Geers & Eisen, 2007).
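The NAT stop-gap mentioned above, a fridge or any other home device reachable only through a forwarded port, can be illustrated with a small translation table. This is an added example, not from the article or from any router's firmware: it models restricted-cone port address translation for one public address, rewriting every outbound flow from an RFC 1918 host to the router's single public address and a fresh port, matching replies back through the table, and dropping unsolicited inbound packets unless a static port-forwarding entry exists. All addresses and ports are constructed.

```python
"""NAT as the IPv4 stop-gap: an added example, not from the article or
from any router firmware. Addresses and ports are constructed.

Models restricted-cone port address translation (PAT) for a router with
a single public address: every outbound flow from a private host is
rewritten to the public address and a fresh public port, replies are
matched back through the table, and unsolicited inbound packets are
dropped unless a static port-forwarding entry exists."""
import ipaddress


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(ipaddress.ip_address(public_ip))
        self.next_port = first_port
        self.flows = {}      # public_port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.by_flow = {}    # reverse of flows, so a repeated flow reuses its port
        self.forwards = {}   # public_port -> (priv_ip, priv_port): static forwards

    def forward_port(self, public_port, private_ip, private_port):
        """Expose one inside service deliberately (the 'bridging over NAT')."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside-to-Internet packet; returns the translated header."""
        if not ipaddress.ip_address(src_ip).is_private:
            raise ValueError("only private (RFC 1918) hosts sit behind this NAT")
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self.by_flow.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[key] = port
            self.flows[port] = key
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet from the Internet to public_ip:dst_port. Returns the inside
        (ip, port) it is delivered to, or None if it is dropped."""
        flow = self.flows.get(dst_port)
        if flow is not None and flow[2:] == (src_ip, src_port):
            return flow[:2]                    # reply to a flow we opened
        if dst_port in self.forwards:
            return self.forwards[dst_port]     # deliberately exposed service
        return None                            # unsolicited: dropped


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    laptop = nat.outbound("192.168.1.10", 51000, "198.51.100.5", 443)
    fridge = nat.outbound("192.168.1.11", 51000, "198.51.100.5", 443)
    print("both flows leave as", laptop[0], "on ports", laptop[1], "and", fridge[1])
    print("reply to the laptop is delivered to", nat.inbound("198.51.100.5", 443, laptop[1]))
    print("an unsolicited probe gets", nat.inbound("198.51.100.77", 12345, 8080))
    nat.forward_port(8080, "192.168.1.11", 80)
    print("after forwarding, the same probe reaches", nat.inbound("198.51.100.77", 12345, 8080))
```

Two observations follow from running it. Every inside host appears to the outside world as the same public address, which is the identity-hiding property the text values, and nothing on the inside is reachable until someone deliberately forwards a port, which is both why NAT stretches IPv4 and why it is often mistaken for a firewall.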
4.2. Cyber space characteristics
The strategy of deterrence was invented when the USA and the Soviet Union had developed
weapons powerful enough to destroy the whole world, the absolute weapon (Brodie et al., 1946).
At that point destroying an enemy loses its meaning, as it endangers the attacker itself. This
gave rise to the MAD concept, Mutual Assured Destruction (Burchill, 1996). Cyberspace has a
specific character that can be illuminated by Stanley Milgram's psychological theory of
obedience to authority (Milgram, 1974). Imagine the situation on a scale between two extremes.
One extreme is a hacker sitting in front of a computer, exploring what is possible in
cyberspace, who cannot evaluate the real results of his or her behavior because he or she
never meets the witnesses of those results. For example, shutting down the electricity over
half of Europe will not confront the hacker with the resulting car accidents involving
pedestrians in the cities; he or she will not take the chain of accidents into consideration.
At the other extreme, pressing the Enter key to launch a huge cyber-attack under
the command of a high authority will never be felt by the attacker the way a knife in the hand
is felt in a face-to-face fight. Remember the advertisement about software piracy: you would
not steal a car, so how can you steal a movie? Thus the two extremes are very different
situations, but the psychology works the same way. Today this is a commonly known
psychological concept, and cyberspace amplifies its power. However, how should we deter a
possible attack when the circumstances are unknown to the attacker? And who is the attacker?
On the one hand the attacker is highly isolated from the victims, especially when the victims
are the result of a chain of causes. On the other hand a state is an identifiable subject when
it fires a rocket, but not so simply when it fires a DoS attack (Geers, 2011). A hacker can
hide behind highly sophisticated identity firewalls and proxies. That hiding is possible is a
fact, as the example of the 2007 cyber-attack on Estonia showed (Geers, 2011; Kaminski, 2010;
Nazario, 2010). The sources of the attack were botnets in the USA, but its trigger was the
relocation of a statue of a Russian soldier from the center of Tallinn to the city's edge.
The investigation never uncovered who stood behind the attack, and the idea of a
state-supported or state-conducted attack remains speculation (Nazario, 2010). At the end of
the investigation Estonia's Foreign Minister Urmas Paet accused Russia, but no evidence was
collected to support the claim (Wickramarathna, 2009, August 27).
4.3. Deterrence as a possible defense strategy
It is not so simple to deter a state from a cyber-attack, as the probability of uncovering the
attacker after a well-conducted attack is close to zero. It is possible to deter a hacker who
is training his or her teenage hacking skills (Geers, 2011), but, as argued in the previous
paragraph, it is not possible to deter somebody who is obeying an authority and knows that the
curtain of anonymity is reliable. Obedience to authority prevails over a person's moral values
(Milgram, 1974). Nevertheless, approaches to defense against cyber-attack focus mainly on
deterrence, or on defensive attacks with a deterrent effect (Gable, 2010; Geers, 2011;
Kaminski, 2010; Libicki & Force, 2009).
Gable (2010) supposes that deterrence through universal international law is the best way to
avoid cyber-attacks where prevention is not feasible. Other authors argue that the rise
and speed of development of hacking tools is astonishing (Geers, 2011), and on that basis
that deterrence is the only way to avoid cyber-attacks. I argue that we should distinguish
between war conducted by a state and patriotic war conducted by private persons driven by
their own passion. This was the pivotal question when Russia was accused after the attack on
Estonia.
However, international organizations have taken important steps too. Since 2004 the OSCE has
treated cyber terrorism as one of its focal points. NATO has taken several steps, the most
important being the agreement on a common policy on cyber defence in Bucharest in 2008, which
preceded the creation of the CCD COE mentioned above (Gable, 2010). NATO has not recognized a
cyber-attack as clearly a military attack, which means that Article 5 cannot be invoked. A new
institution, the Critical Information Infrastructure Protection initiative, was established
within the European institutional framework. The UN Security Council has adopted several
resolutions since 2001 that address cyber terrorism or the use of cyberspace for terrorist
attacks and call for international cooperation to tackle it (resolutions 1373, 1566 and 1624).
According to Gable the most important step is the Council of Europe's Convention on
Cybercrime, in force since 2004. He holds that "The Convention is significant because it is
the first multilateral treaty to address the issues of computer crime and electronic gathering
of evidence related to such crimes. As of July 17, 2009, twenty-six states had ratified the
Convention, and an additional twenty had signed but not ratified it." (Gable, 2010, p. 94) The
OSCE and Interpol reacted positively to the Convention as "providing an important
international legal and procedural standard for fighting cyber-crime" (Ibid). These are
important steps toward possible deterrence, since international jurisdiction is needed. The
general designation of cyber-attack as an internationally recognized threat and crime is also
highly important for deterrence, especially against highly intelligent kids who surpass
previous generations in computer skills.
Technology matters too. If a state is prepared for a cyber-attack, cyber terrorists or
adversary states will be less likely to fulfil their intentions. Technological deterrence does
not rest only on highly capable firewalls, as argued above, but also on the capability of
powerful retaliation. With such a method of defense the question of escalation is very much in
place (Libicki & Force, 2009). If the reaction is not targeted, but based on an unorganized spread
of distributed DoS attacks, one has to take into consideration that domestic systems can be
harmed as well. At this point a cyber war could grow to a level where the MAD concept becomes
realistic. Today the power of cyber weapons is perhaps not so high, but we can predict it
simply by following the growth of human dependency on cyber infrastructure.
However, a distinction needs to be made between non-dangerous crime and highly dangerous
threats. Regarding crime, Europe has already established an agency called ENISA, the European
Network and Information Security Agency, but its mandate focuses strictly on cyber-crime and
the related jurisdiction (ENISA, 2012).
We have to take into consideration that the recent "successes" in closing down
megaupload.com on 19 January 2012 and library.nu on 15 February are reactions to so-called
cyber-crime against intellectual property. Those cases will primarily open a public
discussion. Physical libraries do not infringe the law when they lend books, so why is it
necessary to close down a functioning digital distribution system that merely needs to start
sharing its revenues with the authors? This is an act of the distributors rather than the
authors, and such criminal prosecution is highly questionable, because it raises the question
whether the law needs to be reconsidered in light of the possibilities of new technology. The
second part of cyber-related crime is the cyber threat, whose activity threatens society's
security and ultimately puts people's lives at risk. There are no questions when human
security is in danger. In this case Europe has undoubtedly been sleeping.
4.4. The European approach
On 23 November 2001, in the shadow of the 9/11 attacks and their consequences, a conference
on cyber security and the European approach took place in Budapest. Its outcome was to
motivate states to develop policy on new cyber-related threats such as computer-related fraud,
copyright infringement, child pornography and violations of network security. The treaty
entered into force on 1 July 2004 (Council-of-Europe, 2012). It is important to note that at
the conference the distinction between cyber-crime and cyber-threat was vague. According to
its web pages (www.ccdcoe.org), the CCD COE was finally established in 2008. As mentioned
above, the consequences of a cyber-attack had been