This paper was presented at the Friedrich Ebert Stiftung international conference: “Current Security Challenges for the Western Balkan region - addressed by means of joint responsibility and cooperation”, Nov. 19–21 2014, in Prishtina, Kosovo.
Cyber conflicts are merely a reflection of traditional conflicts. Cyber security is an international problem that requires an international solution. To make tangible progress on strategic cyber security in the Balkans, the creation of a regional center of expertise can help – both at a tactical/technical level, and in a strategic sense by investing in future technologies and modernizing local economies.
1. Introduction: cyber security and national security
Just as Vietnam was the world’s first “TV War”, the Kosovo war in 1999 was the world’s first “Internet War”. A pro-Serbian hacker group called the “Black Hand” subjected the North Atlantic Treaty Organization (NATO), the United States, and the United Kingdom to Denial-of-Service (DoS) attacks and over twenty-five different strains of virus-infected email. They took the NATO Public Affairs website (where NATO sought to portray its side of the conflict) offline for days. NATO spokesman Jamie Shea cited “line saturation” caused by “hackers in Belgrade.” As NATO tried to upgrade nearly all of its computer servers, the location of the attacking computers shifted from Belgrade to other countries around the world. In the U.S., the Secret Service investigated a White House website defacement; in the UK, the government admitted the loss of “some” database information.
The World Wide Web was only created in 1991, but by the turn of the century, it was clear that warfare – like everything else – would find a new home in this new cyber “domain”. In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nation’s borders and its institutions, but today, national institutions have been connected to the Internet – to include everything from elections to electricity. A cyber attack is best understood not as an end in itself, but as a means to a wide variety of ends, some of which can have serious political and/or military consequences. And on this new battlefield, anyone with an Internet-connected computer – regardless of his or her physical proximity to a conflict – can join the fight.
Following the war over Kosovo, the use of cyber attacks in international conflicts has evolved. In Israel, pro-Palestine hackers have hit economic targets such as the Bank of Israel and the Tel Aviv Stock Exchange. In Estonia, in retaliation for moving a Soviet World War II memorial from the center of Tallinn, pro-Russia hackers downed a wide range of Internet domains. In Syria, analysts believe the Israeli military used a cyber attack to cripple the Syrian air defense system during an Israeli air force strike on an alleged nuclear reactor. In Georgia, Russia is said to have employed cyber attacks to facilitate a military invasion. In Kyrgyzstan, a DoS attack knocked the entire nation offline during a domestic political crisis. In Iran, the Stuxnet computer worm reportedly destroyed nuclear centrifuges.
In this geopolitical-cyber context, it is unsurprising that the U.S. – whose example is now being followed by many other nations – has already created a military command devoted exclusively to cyber warfare.
Most recently, Kosovo has again appeared on Planet Earth’s short but growing list of international cyber incidents. In October 2014, during a football match between Serbia and Albania, a small drone trailing a nationalist Albanian flag (which included Kosovo on a map of “Greater Albania”) was flown through the stadium, sparking ethnic tensions in the region and a diplomatic row between the two countries. Serbian President Tomislav Nikolic said “the only thing missing … was an explosive device in the craft.” Cyber attacks by both pro-Serbia and pro-Albania hackers followed the drone incident.
2. In cyberspace, traditional security approaches fall short
In the future, cyber security will grow increasingly synonymous with national security. Today, national security decision makers are already responsible for the security of not one computer or even thousands, but millions, including the cyberspace around them.
How will nations prepare for the cyber wars to come? First, by investing in new technologies such as Internet Protocol version 6 (IPv6), which ends the world’s current shortage of computer addresses and offers improved security features such as mandatory support for Internet Protocol Security (IPSec). This is a logical approach – the best way to fix a technical problem is with a technical solution. However, the dynamic nature of the Internet marketplace, and political tension between data privacy, law enforcement, and human rights, will ensure that there is no silver bullet, at least in a purely technical sense.
Second, nations will incorporate cyber attack and defense into everything they do. In terms of military doctrine, the dream of winning international conflicts without fighting is as old as Sun Tzu’s Art of War. However, no one currently knows whether cyber tactics and strategies will be a positive or negative development for warfare. If cyber attacks play a lead role in future wars, and a sizable portion of the fight is over IT infrastructure, future wars could be shorter and cost fewer lives, with quicker economic recovery and post-war diplomacy – but only time will tell.
Many aspects of “cyber conflict”, however, are revolutionary, and may be hard to square with traditional law enforcement principles and military doctrine. First, the proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography. Second, the blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them – especially “zero-day” attacks, against which there is no defense (or knowledge on the part of the defender). Third, cyber attacks are flexible enough to be effective for propaganda, espionage, and even the destruction of critical infrastructure. And fourth, there are currently few moral inhibitions to cyber attacks because they relate primarily to the use and abuse of data and computer code – so far, there is little perceived human suffering.
What about traditional military deterrence? At least three factors diminish its credibility: acquisition, attribution, and asymmetry. First, cyber tools and tactics are relatively easy to acquire. There is no readily apparent difference between expertise in computer network defense and computer network offense – they are essentially one and the same discipline. Second, “attribution”, or the anonymous hacker problem (e.g. an attacker’s ability to operate quietly and to disguise his or her true location) decreases the chances of deterrence via retaliation for an attack. Finally, there is no better example of cyber asymmetry than “MafiaBoy”, who as a teenager in 2001 caused over $1 billion in corporate losses during a successful DoS attack.
At some point in the future, world leaders may decide to negotiate a cyber arms control treaty or a non-aggression pact for cyberspace. However, the nature of a “cyber weapon” poses a unique challenge to any such regime. How do you prohibit something that is inherently hard to define, such as “malicious” code? How do you inspect something as big as cyberspace, when a single USB Flash drive can hold trillions of data bits? In theory, cyber weapons inspectors could operate at the Internet Service Provider (ISP) level, but such regimes are already commonplace, such as China’s Golden Shield Project, the European Convention on Cybercrime, Russia’s SORM, and the USA PATRIOT Act. Each is unique in terms of guidelines and enforcement, but all face the same problem of overwhelming traffic volume – not to mention political disagreements over data privacy and human rights.
Despite all of this, cyber arms control may be in our future, because in cyberspace, we all live in glass houses. One possible model is the 1997 Chemical Weapons Convention (CWC), which compels signatories to destroy CW stockpiles, forbids them from producing any more, and gives practical aid to its members in the form of advocacy and the peaceful advancement of science. In a similar fashion, a cyber weapons convention could create an internationally staffed institution to help signatories improve cyber defenses, recover from attacks, and promote peaceful uses for computer science.
3. The need for international collaboration
Governments today are confronted with a paradox: to disconnect from the global Internet is folly – and yet network connectivity provides adversaries with a medium through which to commit cyber crime, cyber espionage, or even cyber war. And there is only so much they can do about it, because law enforcement jurisdiction ends every time a network cable crosses an international border. Over the past twenty years, cyber investigators have spent countless hours staring blankly at long lists of foreign Internet Protocol (IP) addresses, with virtually no clue about how to see behind them.
Cyberspace is bigger than any country. Therefore, cyber security is an international problem that requires an international solution. One of the most vexing characteristics of cyber attacks is that they are normally routed through unwitting third parties, in which “middle man” proxy computers are successfully attacked along the way in order to cover the trail of the attacker. Unfortunately, this dynamic not only facilitates short-term cyber attacks, but also has a corrosive effect on the long-term integrity of the Internet as a whole, and suggests that a cyber attack against anyone is a cyber attack against everyone. Progress in strategic cyber security will be difficult, however, due to legacies of conflict, poor technical skills, and the fear of losing national sovereignty. In the end, though, we have no choice. Nations will remain technically, legally, and morally responsible for their own network infrastructure, but will be forced to reach out to international partners for help on a regular basis.
At a technical level, international institutions already lie at the heart of Internet management. Since 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) has managed the communication protocols that once belonged to the U.S. Department of Defense. In theory, the U.S. government has the right to veto fundamental changes to the system, but in practice ICANN operates independently. That said, ICANN only makes sure that information – in the form of data “packets” – gets from point A to point B on the Internet; it does not control access, police Internet content, or stop cyber attacks.
The task of making sure that information sent across the Internet does not break national or international law falls to national-level law enforcement and counterintelligence organizations. Toward this end, the most important international legislation to date is the Council of Europe’s Convention on Cybercrime, issued in 2001 and now signed by 51 nations (acceded by 44) from around the world. This treaty, supplemented by the Protocol on Xenophobia and Racism Committed through Computer Systems, is the only binding international agreement related to cyber security, and is considered an archetypal template for countries to use domestically.
A successful cyber crime treaty is a good start, but what happens when cyber attacks cross the threshold of terrorism – or even warfare? The Russian government has long argued that an agreement similar to those that have been signed for weapons of mass destruction (WMD) could be helpful in securing the Internet. In 1998, Russia successfully sponsored United Nations (UN) Resolution 53/70, “Developments in the field of information and telecommunications in the context of international security,” which states that while modern information and communication technology (ICT) offers civilization the “broadest positive opportunities”, it is nonetheless vulnerable to misuse by criminals and terrorists. In 2010, this resolution was co-sponsored by the U.S. There are currently two streams of ongoing cyber dialogue at the UN: one relative to cyber crime and another on cyber warfare. One concrete achievement has been the UN’s sponsorship of a conference series called the World Summit on the Information Society (WSIS). Despite these achievements, however, the UN’s enormous size can also be an obstacle to progress, as there are numerous antagonistic political and military alliances within the organization, and a great disparity among Member States in terms of ICT infrastructure, law, policy, and threat perception.
Therefore, quicker and more tangible progress on strategic cyber security may come within the context of regional political and military alliances. The European Union (EU), with the highest GDP in the world, already has a legal and policy framework that includes robust support for electronic signatures, online services, spam filtering, consumer protection, individual privacy and digital copyrights. Furthermore, the entry into force of the Lisbon Treaty in 2009 strengthened the EU’s security credentials by increasing the Council’s authority to define a common approach to foreign and security challenges, and by encouraging Member States to act in closer security cooperation with one another. The Organization for Security and Cooperation in Europe (OSCE) – a 56-nation group that extends from North America to Central Asia – has sponsored many cyber security “Expert Workshops,” including in both Serbia and Croatia.
In terms of international military might, however, no organization today can match NATO, whose raison d’être since 1949 has been the collective defense of its Member States. NATO links Europe with North America, and has a formal dialogue with dozens of additional nations in its Euro-Atlantic Partnership Council, Mediterranean Dialogue, Istanbul Cooperation Initiative, and Contact Countries. All told, these partnerships span the globe. According to Suleyman Anil, Head of Cyber Defence in NATO’s Emerging Security Challenges Division, the 2007 crisis in Estonia transformed the organization’s perspective on cyber security: “Estonia was the first time … [we saw] possible involvement of state agencies; that the cyber attack can bring down a complete national service, banking, media…” NATO’s latest Strategic Concept describes cyber attacks as threatening “Euro-Atlantic prosperity, security and stability,” and recently NATO announced that cyber attacks could lead to an invocation of Article 5, which declares that “an armed attack against one ... shall be considered an attack against them all,” which is the Alliance’s core organizing principle of collective defense.
To the east of NATO, the Shanghai Cooperation Organization – a group composed of China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan – signed an agreement on “Cooperation in the Field of International Information Security” in 2009; and in 2011, Russia and China proposed an “International Code of Conduct for Information Security”.
Thus, there are already hints of emerging alliances in cyberspace. Hopefully, this trend will tend not toward greater conflict, but greater international security and stability.
4. Conclusion: a regional cyber center in the Balkans
One way to make real progress on strategic cyber security, especially for small nations, is via international partnerships. In this light, the Balkan countries would be wise to create a regional center of computer security expertise, with a future-oriented mission of conflict resolution in cyberspace.
At a tactical, technical level, the center should focus on defending the region’s computer networks from attacks. Proactively, it should offer cyber security education in “best practices” as well as more advanced technical training. Reactively, it should employ a multinational forensics team that can deploy in the event of a crisis, with the authority to openly publish the results of an investigation. At the strategic level, the center could become a magnet for economic investment in international efforts to promote information technology and cyber security.
Cyber conflicts do not occur in a vacuum; they are reflections of the traditional conflicts that have always plagued humans, even before the rise of nation-states. Of course, objective technical expertise will be the foundation of any such project, but a good understanding of the regional geopolitical context is also necessary, and only local experts can provide that.
There should be no fear of being “behind” in cyber security expertise or experience. All nations are just now beginning to address strategic cyber security issues. The Balkans are a microcosm of the wider world, and could easily become a role model in the global cyber security domain. Small countries such as Estonia, Israel, Iceland, and Finland have proven that small nations can make large contributions in this dynamic field, where everything is by nature asymmetric.
The center’s staff should hail from every country in the Balkans. However, the center could have a virtual “home” in cyberspace – thus keeping overhead costs to a minimum. Its training program should be shared, open, objective, and rigorous. A strong, internationally based core of subjects and certifications could help to unify the personnel and program. One of the center’s primary goals should be to develop trust, both within the institution and from the perspective of the outside world. During times of crisis, the personal and professional relationships developed at the center over time would become invaluable assets.
There is no doubt that the center, from its first day, would be busy. For new legislation, it could help to write basic definitions. For disaster planning, it could classify and help to protect critical infrastructures. For law enforcement, it could teach computer forensics, and raise awareness vis-à-vis intellectual property and data privacy. For decision makers, it could interpret technical jargon.
One existing model for the center is the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, where multinational personnel engage in research and development, and offer training to both computer scientists and senior-level decision makers. Since its founding in 2008, CCDCOE has established an annual conference examining the nature of cyber conflict, created a hands-on cyber defense exercise (CDX) called “Locked Shields”, and published numerous legal studies such as the Tallinn Manual on the International Law Applicable to Cyber Warfare.
The new center’s overall goal should not be perfection, but a proactive, methodical reduction in the potential fallout from future cyber attacks. Information technology and cyber security are new disciplines in the world, and the exact formula for success has yet to be written. The countries of the Balkans can make a significant impact in this field, while simultaneously making investments in their economic development.