Wednesday, February 09, 2011

Setting the rules of engagement in a Cyberwar

The 47th Munich Security Conference has ended in Germany with many leaders calling for clear rules of engagement in the event of a cyberwar. But it may be many years before any real framework is finalised.

The international think tank met in Munich to work jointly in limiting the threat of cyber attacks and to determine appropriate courses of action in such events.

Proposals for adapting the Geneva and Hague conventions to provide "rules of engagement" for "cyber war" were delivered to the Munich Security Conference by American and Russian experts at the influential EastWest Institute, a New York-based think-tank.

Amongst those in attendance were UK prime minister David Cameron, US secretary of state Hillary Clinton, Germany's chancellor Angela Merkel and Russian Foreign Minister Sergey Lavrov. UN Secretary General Ban Ki Moon, EU president Herman Van Rompuy and NATO Secretary General Anders Fogh Rasmussen also attended the event.

While issues surrounding transatlantic security, NATO-Russia relations, non-proliferation of nuclear weapons, and conflicts in Afghanistan and the Middle East were on the agenda, it was cyberwarfare that was the main focus of the meeting.

Many leaders believe that current laws of war, as laid down in the Geneva and Hague accords, no longer suffice when so many organisations and governments rely so heavily on their online operations. As such many say that new rules will be needed to protect civilian facilities such as hospitals and schools from being hit in future online conflicts [Telegraph / BBC].

Identifying attackers presents major new challenges in the Internet era, and while strong suspicions may exist as to who may have launched an attack, hackers have become particularly sophisticated in hiding their actual location. Clues, however, do exist in the code employed, though this too could be a deliberate ruse to throw an enemy off the scent.

The UK foreign secretary William Hague speaking at the conference confirmed that Britain had come under sustained and targeted attack from malware in recent months.

The attacks ranged from a campaign to infect government computers with the Zeus Trojan, using an e-mail that appeared to originate with the White House, to an attack on a Trident nuclear submarine defense contractor. Another e-mail attack from a hostile intelligence agency contained a PDF that could have compromised PCs used by staff had it been allowed to execute.

"Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common," Hague told the conference.

Such attacks concerned the foreign secretary deeply. "It [the Internet] has opened up new channels for hostile governments to probe our defences and attempt to steal our confidential information or intellectual property. It has promoted fears of future 'cyber war'." [Speech in full]

The international response to cyber attacks was "fragmented and lacks focus", Hague said, adding that Britain was offering to host an international conference later this year aimed at establishing global standards. But he admitted there are difficulties. "Many countries do not share our view of the positive impact of the Internet, and others are actively working against us in a hostile manner."

"As liberal democracies we also have a compelling interest in supporting democratic ideals in cyberspace, and working to convince others of this vision."

Hague did not say who had initiated the recent attacks, but some have speculated that at least some came from China. According to the Guardian, intelligence sources familiar with the incidents said he was referring to China. However, the sources did not want to be identified because of the sensitive nature of the issue. It is not the first time such allegations have been levelled at China. In 2009 the Guardian, citing comments made by Director General of MI5 John Evans, reported that both Russia and China were targeting the UK [BBC / Guardian - MP3].

While China may well have been behind the attack on Google's servers in late 2009, as purported in Wikileaks cables released last year, the west too has been engaged in its own form of cyber attacks.

It was recently revealed that the US and Israel collaborated to create the "Stuxnet" worm in order to disable Iran's nuclear fuel facility, according to another leaked cable [Guardian].

Such revelations will put Britain in a difficult position as it calls for an agreement on how countries should behave in cyberspace, especially given some of the countries accused of perpetrating attacks are key allies or business partners. As previously stated, any attempt to impose rules on cyberspace may be thwarted since it is often impossible to confirm the source of hacking. Despite evidence of US, Israeli and Chinese involvement in previous attacks, they have never been decisively proved [Guardian].

But such problems have not deterred many nations from calling for rules to be set. India joined the effort on Saturday with National Security Advisor Shivshankar Menon asking for an international effort to examine whether the laws of armed conflict can cover organised cyber attacks as well. He was open to suggestions from some quarters to even look at the arms control approach that resulted in conventions and treaties to control the spread of nuclear weapons in the 1960s and 1970s.

Menon was among the key speakers at the Munich Security Conference on Saturday to call for a serious discussion on ways to discipline and regulate cyber space.

"In our view an effort by the international community is necessary because cyber security threats have reached the stage of undermining public confidence and of sowing distrust among nations. This could then become a recipe for disaster, leading to all kinds of troubles," Menon said.

He highlighted the manner in which the handlers facilitated the Mumbai attacks through Internet communication tools and also told the conference about how something as "apolitical and seemingly non-controversial and harmless as the Commonwealth Games was subject to 8,200 attacks on the ticketing, scoring and timing networks".

German Interior Minister Thomas de Maiziere shared the view as he revealed that Germany faces four to five cyber attacks of different degrees daily. He highlighted one case in which someone defrauded millions from carbon credits [Indian Express].

Meanwhile China has been quiet on the issue. While its foreign minister Yang Jiechi made a keynote speech last year, there was no prominent role at this year's event. Xinhua did report the event as it began but has failed to follow up with any further articles.

John Bumgarner, a research director for security technology at the US Cyber Consequences Unit, spoke to BBC's Newsnight about the kind of threats which exist. "There's things out there that right now that exist that the general public really doesn't know about - stealthy type technologies that can be embedded into systems that can run that you'll never see. Those things already exist."

And they pose a real risk, Bumgarner claims. He says such exploits could turn off power grids, disrupt water supplies and manufacturing systems. The malware could even be installed into satellite navigation devices to give incorrect directions or to start fires at a pre-set time. Some of his claims have been dismissed as hysteria, though the cyber threat is real enough [BBC].

Last year US security expert Bruce Schneier called for governments to establish 'hotlines' between their cyber commands, much like those between nuclear commands, to help counter cyber attacks. Writing in the Financial Times in December, he said that a hotline would "at least allow governments to talk to each other, rather than guess where an attack came from." [TechWorld]

There is evidently a clear need for rules of engagement to be set. At the Pentagon, General Keith Alexander, who heads the new US Cyber Command, conceded to Congress in November there were no clear rules of engagement clarifying what cyber activity might trigger an armed cyber response from the US. Itchy fingers on the trigger without clearly defined rules could lead to disastrous consequences.

Writing in The Atlantic, Ella Chou, a graduate student at Harvard who grew up in Hangzhou, China, says both sides need to be careful in a world with such growing threats. She refers to an article in the People's Daily which warns that a "cyber war" could be used as an excuse to launch a conventional war.

"Both United States and China should be cautious not to over-exaggerate the threat from the other, and the United States could benefit from trying to understand China's cyber strategy by analyzing Beijing's own political priorities," Chou writes.

Hamadoun Touré, secretary-general of the UN-affiliated International Telecommunications Union, says a cyber-arms treaty is his main priority. "We have crossed the boundary between cyberspace and the real world," he says. Touré, who wants a code of conduct banning behaviour opposed by all countries, such as disabling of networks and data theft, says that "[Stuxnet] should serve as a wake-up call for all nations regarding the threat we all face." But he concedes that a solution may be years away [Financial Times].

[Munich Security Conference / Speeches]

tvnewswatch, Beijing, China
