cyber security_birgitta jonsdottir iceland
Post on 07-Apr-2018
8/3/2019 Cyber Security_birgitta Jonsdottir Iceland
1/27
Introduction
1. The ongoing information revolution poses a series of political, cultural,
economic as well as national security challenges. Changing communications,
computing and information storage patterns are challenging notions such as
privacy, identity, national borders and societal structures. The profound
changes inherent in this revolution are also changing the way we look at
security, often in unanticipated ways, and demanding innovative responses. It
is said that because of this revolution, the time it takes to cross the
Atlantic has shrunk to 30 milliseconds, compared with 30 minutes for ICBMs and
several months going by boat.1 Meanwhile, a whole new family of actors are
emerging on the international stage, such as virtual hactivist groups. These
could potentially lead to a new class of international conflicts between these
groups and nation states, or even to conflicts between exclusively virtual
entities.
2. One of the most fundamental characteristics of the Information Age is its
ability to connect. In this regard, the main tool is the Internet and the fact that
its storage capacity is currently doubling every 12 months. Interconnectivity
is now central to government offices, critical infrastructures,
telecommunications, finance, transportation, and emergency services. Even where
communication and data exchanges are not routed through the Internet, they still, in
many cases, use the same fibre optic cables.
Introduction
1. Hacktivists is not new. First hacktivists groups emerged in the 1995. It is
important to understand the root for new found popularity for hacktivism.
Hacktivism is a new form of protest and those that protest in that way should
have the same right to do so as in the offline world. Not all protesters join
protest because of same ideology.
From Wikipedia: Hacktivism is a controversial term, and since it covers a
range of passive to active and non-violent to violent activities, it can often be
construed as cyberterrorism. It was coined to describe how electronic direct
action might work toward social change by combining programming skills
with critical thinking. Others use it as practically synonymous with malicious,
destructive acts that undermine the security of the Internet as a technical,
economic, and political platform.
2. Interconnectivity is also central to culture, openness and education.
3. Despite its inherent advantages, this dependence on information technology
has also made state and society much more vulnerable to attacks such as
computer intrusions, scrambling software programs, undetected insiders within
computer firewalls, or cyber terrorists. The Internet is inherently insecure as
it was designed as a benign enterprise of information exchange, a
decentralized patchwork of systems that ensures relative anonymity. It is ill-equipped
to trace perpetrators or to prevent them from abusing the intrinsic openness
of the cyber domain. In this context, the key national security dilemma of the
Information Age is how to create an effective and transparent government,
which, at the same time, is also able to protect its citizens and vital national
interests. Furthermore, in this Information Age, the North Atlantic Alliance faces
a dilemma of how to maintain cohesion in the environment where sharing
information with Allies increases information security risks, but where
withholding it undermines the relevance and capabilities of the Alliance.
4. It is a critical time for the NATO Parliamentary Assembly (NATO PA) to
discuss cyber security, as the Alliance is working on a comprehensive cyber
strategy to be announced in June 2011. The Rapporteur hopes that some of the
questions discussed in this report will be addressed by this forthcoming NATO
document.
5. This report will focus on three facets of the linkage between Information
Age and national security. First, it will discuss the changing notion of secrecy
in international relations. This issue was brought to prominence by the
so-called Cablegate scandal. While the publication of classified diplomatic
correspondence was not a result of a cyber attack, it is nevertheless directly linked
to the information revolution: remarkable advances in data storage technology
allowed one person to easily download colossal volumes of data that has taken
the print media months, and possibly years, to digest and to publish.
3. Insiders: Does the rapporteur mean intruders? Insider is a spy or a mole but
intruder someone that hacks in a system.
Who has the legitimacy to claim who is a cyber terrorist and who isn't?
The Nato security system is a state of the art system that has not been the
victim of any serious leaks. The reason for leaks has more to do with the
culture of everything being secret by default rather than the systems. We need to
reverse it into culture of transparency. Respect for the Freedom of Information
Act (FOIA) in the USA would for example eliminate the need for leaks.
It is important for NATO member states nations to upgrade their freedom of
information, expression and speech laws in order to ensure the transparency
mentioned in this article.
Lumping security and government together convolutes any debate of
transparency. This is a faulty premise and is a different legal circumstance in every
country. The value and criticality of transparency is ignored. Only the
misuses are mentioned. These misuses are all aspects of a free and open society
and not a sufficient argument against transparency.
4. See my first amendment to the draft report.
5. This issue was brought to light prior to Cablegate: with the release of the
Afghan and Iraq war logs.
The problem is not only because of different technology but also the fact that
many more people have access to the documents as a result of 911.
6. If the Rapporteur targets Anonymous when he writes about the negative
effect of hacker groups attacking those who do not share their political
view, then he should use the word protest rather than attack. Furthermore
Anonymous always protested in retaliation to actions against itself or against
people or organizations that the Judiciary has failed to defend (Wikileaks,
Bradley Manning, Scientology's victims etc).
7. No comment
8. No comment
9. No comment
10. No comment
6. Second, the explosion of Internet usage is creating the phenomenon we
refer to as digital (h)activism. Social media and other Internet-based
communities are creating new, ad hoc and cross-border allegiances that can manifest
themselves in a variety of positive (reinforcing civil societies in authoritarian
countries) and negative (empowering hacker groups that attack those who do
not share their political worldview) ways.
7. Third, the report will discuss the challenge of direct cyber threats against
states and, in particular, NATO's role in cyber defence as one of the principal
topics for the Euro-Atlantic community, particularly in the wake of the Lisbon
Summit.
8. The report will not address the specific issue of cyber crime. While cyber
theft and child pornography are issues of grave concern for the international
community, they do not have direct national security implications and are
addressed by a number of other international organizations, including the UN,
EU, OSCE, OECD and G8. The Council of Europe Convention on Cybercrime
which requires its parties to criminalise a number of activities in cyber
space relating to infringements of copyright, computer-related fraud and child
pornography is a particularly noteworthy initiative that has yet to be ratified
by several NATO member states.
9. This report also represents the continuing effort by the Committee on the
Civil Dimension of Security to discuss the issue of critical infrastructure
protection within the Alliance. Cyber technologies are not only key enablers for
systems such as energy generation or transport, but can themselves be
considered as critical national infrastructure.
10. The report also builds upon the contribution by other NATO PA
Committees, particularly the 2009 Sub-Committee on Future Security and Defence
Capabilities report NATO and Cyber Defence [173 DSCFC 09 E bis] by
Sverre Myrli (Norway) and the 2007 Science and Technology Committee
report Transforming the Future of Warfare: Network-Enabled Capabilities
and Unmanned Systems [175 STC 07 E bis] by Sen. Pierre Claude Nolin
(Canada).
The Information Age and the notion of secrecy in international relations
11. see comment to 5.
The Cablegate = Cablegate delete quotation mark and THE
12. No comment
13. No comment
The Information Age and the notion of secrecy in international relations
11. This chapter will discuss the challenges of protecting classified
information in the age of Internet. It will also outline the political and security
implications of the Cablegate scandal that highlighted the inter-agency and
international co-operation versus sensitive information security dilemma.
The Cablegate
12. According to the September 11th attacks investigation, the US government
failed to ensure adequate information sharing, which could have prevented the
attacks (FBI failed to share details connected to an al-Qaeda operative, who
later proved to be key in uncovering the plot). As a result, representatives of
the political elite, the military, and the financial world all pressed for wider
sharing of classified information in order to increase operational efficiency in
protection of the country. Therefore, the US government adopted a policy of
information-sharing, which it applied to numerous US governmental
institutions and agencies including the Department of Defense (DoD) and the State
Department (DoS).
13. This policy resulted in an exponential number of people obtaining access
to classified information. Approximately 854,000 people now possess
top-secret security clearances. For almost 10 years now, embassy cables have been
distributed through the SIPRNet (Secret Internet Protocol Router Network
operated by the DoD), which has made them accessible to DoS employees
all around the world, to all members of the US military and contractors with
necessary security clearance. Eventually, several millions of people ended up
having access to materials such as US diplomatic cables. According to
information-security experts familiar with the SIPRNet, the data-sharing system
was not programmed to detect unauthorized downloading by anyone who had
access to this pool of data. Thus, those in charge of the network design relied
on those who had access to this sensitive data to protect it from abuse. These
users were never scrutinized by any state agency responsible for the
data-sharing system.
14. The analysis of the Rapporteur contradicts the confession of President
Obama that one of the main reasons of the leak was over-classification of
documents, and not information-sharing like seems to state the Rapporteur.
Plus the Rapporteur's numbers are not accurate: Wikileaks didn't publish (at
the time) all the documents it received. It had released 12 000+ cables of the
250 000+ it got. Not all of the cables are confidential, MANY are unclassified.
The Rapporteur says "[Bradley Manning] then passed these files to the
whistleblower organization, which made them public" when he should have said
"[Bradley Manning] who then allegedly passed". Bradley Manning is still
considered as innocent.
Reaction to the leaks
15. The Rapporteur cites and praises Mrs. Hillary Clinton for her preventive
approach to the cables release, but he forgets to mention that this same
person had asked her diplomatic staff worldwide to illegally collect personal
data of UN staff. He also fails to mention that the aggressive reaction cry
for the assassination of Julian Assange and others WikiLeaks staff was over
reaction. The same people also called WikiLeaks cyber terrorist organization.
At the same time three of the largest print media in the world partnered with
WikiLeaks and used the material WikiLeaks unknown sources provided.
14. The US government's post-9/11 policy on information-sharing received
the most serious blow when the anti-secrecy organization WikiLeaks started
publishing documents of different levels of confidentiality. Its first major
release (April 2010) was a video of a US helicopter shooting into a crowd in
Bagdad in 2007 which killed 18 people, including two Reuters journalists.
Shortly after, the release of 77,000 documents allegedly revealing the
realities of the Afghan war were made public, as well as almost 400,000 secret
Pentagon documents on the Iraq war.9 In November 2010, WikiLeaks published
about 250,000 confidential US diplomatic cables, which provided US
diplomats' candid assessments of terrorist threats and the behaviour of world
leaders.10 Currently, the US authorities suspect that the material was leaked
by Private Bradley Manning stationed in the Persian Gulf, who had downloaded
the information from a computer in Kuwait. He then passed these files on to
the whistleblower organization, which made them public.
Reaction to the leaks
15. WikiLeaks has spurred public debate with each of its releases.
Nevertheless, the November 2010 release of US diplomatic cables got the most
aggressive reactions from politicians world-wide. In anticipation of the leaks,
Secretary of State Hillary Clinton and her diplomats warned foreign officials
about the upcoming leak days before the November 2010 release happened.
Following the release, the White House11 as well as the DoS were quick to
denounce the leak and, as Secretary of State Clinton put it, characterised the
cable disclosure as an attack on both the United States and the entire
international community.12 At a meeting with Secretary of State Clinton the day
after the release, the Turkish Minister of Foreign Affairs (the largest number of
cables came from the US Embassy in Turkey) thanked Secretary Clinton for
briefing him in advance about the leaks. The Iranian President, Mahmoud
Ahmadinejad, hinted that a part of the US government might have been
responsible for releasing this sensitive material to satisfy its political
objectives. The Iraqi Minister of Foreign Affairs expressed concern about the
possibly destabilizing effect of the leaks on the already fragile political
situation in Iraq. Both Afghan and Chinese political elites emphasized that the
leaks will not damage their countries' relations with the United States.13
16. So far no one has been put into harm's way or died as a result of any of the
leaks from WikiLeaks.
17. No comment
16. NATO condemned the leak and described it as irresponsible and dangerous.
In fact, the word dangerous dominated leaders' press releases following
the leaks in November 2010. They feared that publicizing identities of
those co-operating with the US and NATO in unstable regions might compromise
their cover and jeopardize their lives. Also, ongoing military operations
and cooperation between countries might be put at risk. It is yet to be seen
what the actual effect of the November 2010 cables leaks will be. It is hoped,
however, that the released cables will not pose any more danger than the
Afghan logs, which, according to Defense Secretary Gates, had not revealed
any sensitive intelligence sources and methods.
17. On the day of the release, the White House ordered government agencies
to review security procedures and ensure that only the necessary users had
access to their documents. Soon after, the President's Office also appointed
an Interagency Policy Committee for WikiLeaks, which was to assess the
damage caused by the leaks, co-ordinate agencies' reactions, and improve the
security of classified documents. The US DoD conducted an internal 60-day
review of security procedures. It also disabled the usage of different storage
media and the capability to write or burn removable media on DoD classified
computers. The Defense Information Systems Agency has also launched a new
Host-Based Security System, which is meant to monitor software and policy
rules in order to spot suspicious behaviour and alert responsible authorities.
For example, the software should set off an alarm if large quantities of data are
being downloaded. Today, approximately 60% of SIPRNet is protected by the
software. In order for it to be bullet-proof, however, it will probably require
additional compartmentalization of information. A similar tracking mechanism
is being adopted by US intelligence agencies (referred to as enhanced
automated, on-line audit capability).
18. The DoS has limited the number of people with access to the Net Centric
Diplomacy database, which contains diplomatic reports, suspended the access
to SIPRNet and to two classified sites ClassNet and SharePoint, as well as
prohibited the use of any removable data storage devices. Following the leaks,
the US Air Force has blocked its employees' access to at least websites
containing the leaked documents such as The New York Times and The Guardian.
The Pentagon prohibited its employees to access the WikiLeaks website
on government computers because the information there is still considered
classified. Eventually, the administration banned hundreds of thousands of
federal employees of the Department of Education, Commerce Department,
and other government agencies from accessing the site. The Library of
Congress, one of the world's biggest libraries, also issued a statement saying that it
would block WikiLeaks.
19. As far as the WikiLeaks website was concerned, following the leak it
suffered repeated distributed denial of service attacks, which prompted it to move
its server. Also companies such as Visa, Mastercard or Paypal suspended all
their services to the organization, which heavily relies on online donations
from its supporters worldwide.
18. The Rapporteur should condemn over reaction such as banning Pentagon
staff to visit The New York Times and The Guardian because they
released the cables. Freedom of Information is the cornerstone of true
democracy and the right for access to information available in the public domain.
Pentagon staff are still prohibited from reading the cables because they're still
classified, yet many of the cables were not classified - how are they supposed
to counteract that which they can't assess?
(FYI: State Department Employee Faces Firing for Posting WikiLeaks Link
By Kim Zetter September 27, 2011 | 7:03 pm | Categories: WikiLeaks. A
veteran U.S. State Department foreign service officer says his job is on the line
after he posted a link on his blog to a WikiLeaks document.
Peter Van Buren, who has worked for the department for 23 years and just
published a book that is critical of U.S. reconstruction projects in Iraq, said
this week that the State Department had launched an investigation against him
earlier this month for disclosing classified information.
His crime, he said, was a link he posted on August 25 in a blog post discussing
the hypocrisy of recent U.S. actions against Libyan leader Muammar Qadaffi.
The link went to a 2009 cable about the sale of U.S. military spare parts to
Qadaffi through a Portuguese middleman.)
19. No comments
Transparency vs. secrecy
20. The relationship between transparency and secrecy remains a key dilemma
in the Information Age and has dominated world-wide media, especially since
the outbreak of the WikiLeaks phenomenon. On the one hand, there are
pro-transparency advocates who argue that the existence of WikiLeaks certifies
that transparency of governments and other organizations are publicly desired.
According to them, it is precisely the current Internet age that is conducive to
institutional reform, increases public trust in government conduct, and
enhances co-operation. And, as transparency proponents argue, we should not react to
this development by limiting the spread of technologies and information, but
instead by focusing on adapting the conduct of diplomacy, military affairs and
intelligence to the new paradigm.
21. That said, the Rapporteur believes that even if one is in favour of
transparency, military and intelligence operations simply cannot be planned and
consulted with the public. Transparency cannot exist without control. The
government, and especially its security agencies, must have the right to limit access
to information in order to govern and to protect. This is based on the premise
that states and corporations have the right to privacy as much as individuals do
and that secrecy is required for efficient management of the state institutions
and organizations. In addition, transparency can be misused on several levels
by providing unprofessional or poor-quality interpretation of information or
documents, by conducting superficial or biased analysis, by lack of experience
on the topic or by pursuing a political agenda. Thus, not everything carried out
under the transparency label is necessarily good for the government and its
people. Moreover, the very ideal of transparency can also force public figures
to become more secretive. The Information Age and its transparent nature
may, for example, prevent diplomats from conducting business as usual such
as making off-the-record statements or engaging in frank discussions with
their colleagues.29 It also increases pressure on decision makers, who have
to identify, assess, and react to information, which is immediately and widely
accessible to other governments, organizations, as well as the public.30 This is
an unnecessary and possibly dangerous pressure, especially when it comes to
the issues of security.
Transparency vs. secrecy
20. General public should have access to all documents by default. Secret
documents should be listed and a footnote why they need to be kept sealed.
21. States are in the service of the people and should not be above the people
they are serving. Corporations should not be classified like individuals, by
stating in the report that their right to privacy should be as much as
individuals do. the Rapporteur is showing a serious non-recognition of what the
Fundamental Rights of the citizens are for. Several contradictory court
decisions related to this issue have taken place recently which show how serious
this threat to democracy is (especially in the US).
Digital (H)activism
22. This chapter will discuss the phenomenon of emerging borderless
communities and networks, most of which are welcome, but some of which are highly
dangerous. Virtual communities operating on-line provide new opportunities
for civil society, but they have also increased the potential for asymmetrical
attacks.
A. The phenomenon of Hactivism
23. Apart from causing harm, destruction or conducting espionage, most
recent cyber attacks have also been used as a means to reach a rather different
goal. Hactivism is a relatively recent form of social protest or expression
of ideology by using hacking techniques. Hactivists use different malware (or
malicious software) and Distributed Denial of Service (DDoS) attacks to
publicize their cause rather than for crime. Such attacks first occurred in 1989
but have gained more prominence over the last decade. In the past hactivists
have attacked NASA, the Indonesian and Israeli governments, Republican
websites, as well as the University of East Anglia.31
24. One of the most prominent group of on-line hackers - Anonymous - led a
campaign against Iran, Australia and the Church of Scientology. Their most
prominent campaign, however, took off in 2010 after WikiLeaks had released
the US diplomatic cables. In its on-line seven-point manifesto, Anonymous
announced its engagement in the first infowar ever fought and named PayPal
as its enemy. What followed were DDoS attacks against Mastercard, Visa,
PayPal, and other companies that had decided to stop providing services for
WikiLeaks (they used to administer online donations for the site), against the
Swiss bank PostFinance, that had earlier closed Julian Assange's bank account,
and against the Swedish Prosecution Service. The group also attacked
Amazon.com, which was previously renting server space to WikiLeaks.
Digital (H)activism
22. No comment.
A. The phenomenon of Hactivism
23. instead of different - use various
instead of attack use as a form of protest
Hactivism such as Anonymous actions to help of the Tunisian people against
Ben Ali's criminal regime should also be mentioned.
24. Anonymous current most prominent campaign is operation payback: twitter
action urging Paypal users to close down their Paypal accounts, resulting
in 30.000 people closing down Paypal accounts in one day. A perfectly legal
peaceful protest. Also recent action: starting occupy wall street protests that
has spread all over the USA and the world. Plus actions to raise awareness
of the shutting down of mobile and smart phones in the Bart system by Bart
police in the USA.
It is bizarre that UK and USA politicians find it to be justifiable to shut down
and control social media in their own open and free democratic countries but
condemn Egypt and Tunisia for blocking their citizens from access to social
media and closing down communication networks, such as shutting down
mobile networks.
25. Observers note that Anonymous is becoming more and more sophisticated
and could potentially hack into sensitive government, military, and corporate
files. According to reports in February 2011, Anonymous demonstrated its
ability to do just that. After WikiLeaks announced its plan of releasing
information about a major bank, the US Chamber of Commerce and Bank of
America reportedly hired the data intelligence company HBGary Federal to
protect their servers and attack any adversaries of these institutions. In
response, Anonymous hacked servers of HBGary Federal's sister company and
hijacked the CEO's Twitter account. Today, the ad hoc international group of
hackers and activists is said to have thousands of operatives and has no set
rules or membership. It remains to be seen how much time Anonymous has for
pursuing such paths. The longer these attacks persist the more likely
countermeasures will be developed, implemented, the groups will be infiltrated and
perpetrators persecuted.
The role of the social media
26. The discourse on the Information Age and new social media gained a new
momentum in the beginning of 2011, as numerous countries in North Africa
and the Middle East began experiencing popular anti-government uprisings.
It was the Internet, in combination with other new and old media such as cell
phones and television, that has enabled global resistance to authoritarian rule
in the region. The sight of protesters holding up signs Thank you, Facebook!
has become common in Egypt and Tunisia. Journalists, experts and politicians
are increasingly using terms such as Facebook Revolution, Twitter
Diplomacy, or Cyber-Activism. Today, Facebook is a community that unites
more people than in any country in the world, save for China and India, and
if the growth trends keep going as they are, the social network site will soon
have more users than India has inhabitants.
27. Social media, and most prominently Facebook, have helped activists in
many of these countries to organize anti-government protests, evade
surveillance, discuss issues that have been taboo for decades such as torture, police
violence or media censorship, and provided a platform for trading practical
tips on how to stand up to rubber bullets and organize barricades. Recognizing
that new social media have had an important share on the success of public
25. Anonymous are moving from online Hactivism to online encouragement
for people to protest in peaceful manner in the offline world all over the world.
The Rapporteur's statement is not correct. The main reason why Anonymous
hacked HBGary's emails was because Aaron Barr, HBGary's CEO, had
publicly declared that he was about to uncover the identities of Anonymous
members.
The role of the social media
26. It is important to note that Facebook and Google store sensitive data about
their users and their backend information, online profiling and networks and
sometimes hand over this information without the users' knowledge to third
parties such as governments and corporations. This serious issue has to be
addressed in this report.
27. It is important to note that many NATO countries have sold and are still
selling surveillance systems to repressive states. EU has now banned tech
companies within the EU to do so.
ments to his site. According to him, it was the US diplomatic cables leaked by
WikiLeaks that revealed the extent of corruption among the Tunisian elite and
consequently empowered the army to turn against its leaders.
Cyber Attacks and Cyber Defence
30. As mentioned above, the Information Age has brought about an
environment that has made the state and society more vulnerable to digital attacks.
They are vulnerable because we no longer keep our files and data in a shelf,
but in a virtual world accessible from any one of the world's corners. As in the
case of WikiLeaks, these files can be physically removed from a computer,
handed over to adversaries, or simply made public. Apart from that, however,
one of the greatest strengths as well as weaknesses of the Information Age is
that files can also be accessed and on-line services disrupted from afar by
various cyber attacks. The term cyber attack represents a myriad of activities
ranging from stealing passwords, to accessing accounts, disrupting critical
infrastructure of a country or spying on an enemy. As cyber experts testified to
the members of two NATO PA Sub-Committees during the recent visit to The
Hague on 18-20 April 2011, there is still no agreement within the international
community as to which of these cyber activities constitute a crime. NATO C3
Agency's Principal Scientist Brian Christiansen suggested that the existing
legislative black holes should be addressed in a multinational manner due to
the transnational nature of the threat.
31. Due to its decentralized nature, the Internet per se is in fact extremely
robust and resilient as it was designed to withstand nuclear war. However,
separate parts of this network of networks are vulnerable to cyber threats. The
most disquieting feature of the cyber domain is that the attacker has the
advantage over the defender. Perpetrators need only one weak point to get inside the
network, while defenders have to secure all vulnerabilities. These attacks also
take place at the speed of light which leaves little or no time to react to attacks.
Furthermore, the inherent nature of the Internet allows an attacker to forge the
sender's address or to use botnets (zombie computers often located in
different countries), thereby disguising the true identity of an attacker and leading to
misattribution of the source of an attack.47
Cyber Attacks and Cyber Defence
30. Existing legislative black holes should be addressed in a multinational
manner due to the transnational nature of the threat: add: the lack of civic
rights online are of grave concern because of the transnational nature and lack
of international framework to protect those rights, specially when cross border
issues arise.
31. No comment
32. The problem of attribution is widely recognized as the biggest obstacle
for effective cyber defence. Professional hackers can easily cover their tracks
and thus avoid penalties. Deterrence, a critical element of a traditional defence
paradigm, does not work in cyber space. In addition, most cyber attacks
are performed by civilian hacker groups so it is almost impossible to prove
government involvement. For instance, experts suggest that the thriving Chinese
hacker community is not directly supervised by respective government
authorities but merely encouraged financially or through patriotic education
mechanisms such as the People's Liberation Army's militia and reserve
system. It makes it difficult to blame Beijing for the attacks such as the one in
2007, when some 25-27 terabytes of information (equivalent to roughly 5,000
DVDs) were stolen from the Pentagon.
33. As sources of cyber attacks are usually impossible to trace, it cannot be
said with certainty who has, so far, dominated the cyber world. Neverthe-
less, when it comes to the involvement of states in cyber attacks, Russia and
China are said to be the usual suspects. From what we know today, terrorist
groups such as al Qaeda do not yet have the capability to carry out such attacks. In the future, however, organized
their services to terrorist groups.
A. Types of cyber attacks
34. Generally speaking, there are two types of cyber attacks: Distributed De-
nial of Service (DDoS) and malware attacks.
DDoS attacks
35. DDoS attacks aim to overwhelm a target by sending large quantities of
network traffic to one machine. Attackers take over a number of other computers
(botnets) and use them without the knowledge of their owners; for
instance, in the Estonia attack, roughly one million computers were hijacked in
75 countries. The goal of DDoS is to prevent legitimate users from accessing
32. It says that data was stolen from the Pentagon, but it was copied, not cop-
ied then erased.
33. From what we know today, terrorist groups such as al Qaeda do not yet
have the capability to carry out such attacks. In the future, however, organized
crime and hacker groups could sell their services to terrorist groups.
This is a speculation that is not fitting for this report.
A. Types of cyber attacks
34. no comment
DDoS attacks
35. No comment
information and services, such as the actual computer, email, websites, online
accounts (banking, etc.). DDoS attacks are extremely difficult to deal with because they do not attempt to exploit vulnerabilities of a system. Vulnerabilities
may be patched, but essentially one cannot do much to prevent DDoS attacks.
36. One of the first major attacks aimed to cripple a country's critical infrastructure
hit Estonia in May 2007. The e-government country experienced co-ordinated
DDoS attacks on websites of the Estonian President and Parliament,
almost all of its government ministries, political parties, major news organi-
zations, two banks and several communication companies. The attacks came
soon after Estonian authorities had relocated a Soviet war memorial in Tallinn, a step which spurred protests by ethnic Russians living in Estonia and
resulted in hundreds of casualties. The series of cyber attacks, which occurred
weeks after the event, supposedly originated in Russia and were hosted by
Russian state computer servers. Russia denied these allegations, but in March
2009, an activist with the pro-Kremlin youth group Nashi claimed responsibil-
ity for organizing the cyber attacks on Estonia. It should be noted that Estonia
is extremely dependent on the Internet. At the last parliamentary elections,
of the voters cast their votes via Internet.
37. Another significant DDoS attack was launched against Georgia in the summer
of 2008. This is of note due to the fact that it was coupled with the use of
conventional military force, something that a number of experts predict will
occur more often in the future. Georgia blamed Russia for the attack only for
Russia to deny any involvement.53 A year later, the combination of cyber and
conventional force was supposedly also employed in the case of the bombing
of the Syrian nuclear reactor, which was allegedly orchestrated by Israel.54
Malware attacks
38. Malware or malicious software attacks refer to techniques capable of
infiltrating one's computer without the user's knowledge and taking control of
it, collecting information, or deleting its files (see examples of malware in the
Annex). Attack malware can reportedly be bought online for several hundred
dollars or even downloaded for free.
36. No comment
37. No comment
Malware attacks
38. No comment
39. Malware-based cyber attacks are increasingly being used for espionage.
In 2008, the United States experienced a major attack on the classified networks of US Central Command in charge of overseeing military operations in the
Middle East and Central Asia. Based on available information, the attack was
carried out by a foreign intelligence service, which used portable data stor-
age devices to spread malware. Espionage cyber attacks, however, can also be
carried out against non-state actors such as private companies and think tanks.
Operation Aurora carried out in late 2009/early 2010 is a case in point. Dur-
ing the course of several months, Chinese hackers managed to penetrate the
networks of at least 34 financial, technological, and defence companies via
exploiting flaws in e-mail attachments.56 One of the attacks' targets, the giant
search engine Google, admitted that hackers had penetrated Gmail accounts
of Chinese human rights advocates in the United States, Europe and China.
A number of human rights organizations and Washington-based think tanks
focusing on US-China relations were also hit by the attacks. According to
experts, the attack reached a new level of sophistication as hackers exploited
multiple flaws of different software programs; multiple types of malware
codes were allegedly used against multiple targets and the whole process was
very precisely co-ordinated. This series of attacks was aimed at gaining information about the latest defence weapons systems, source codes powering
software applications of prominent technological companies, as well as gain-
ing background about Chinese dissidents.
Stuxnet
40. Stuxnet is technically malware, but its characteristics, originality and
potential for disruption are so novel that it merits special attention. The Stuxnet
worm has been described as the most sophisticated cyber weapon ever
deployed58 and its widely-acknowledged role in damaging Iran's Bushehr nuclear reactor and Natanz uranium enrichment plant has put Stuxnet firmly
in the spotlight recently.59 Essentially, the worm is a direct-targeting cyber
attack: it sniffs around its target's operating system and only attacks if this
system matches its targeting criteria, thereby making detection harder for other
defences. Once it has acquired its target, Stuxnet deploys two extremely com-
plicated programming payloads to bomb them. In the Iranian example, the
first of these cyber bombs attacked the centrifuges in the nuclear plant, slowly
39. No comment
Stuxnet
40. No comment
unsynching them so that they collided with each other, causing serious dam-
age. The second cyber bomb compromised the digital warning, display and
shut-down systems controlling the centrifuges, thereby blinding these systems
to the reality of what was happening.
41. This characteristic makes Stuxnet unique in that it specifically attacks and
compromises the Supervisory Control and Data Acquisition (SCADA) systems
of critical infrastructures. Thus, the real danger of Stuxnet is that, although the
Iranian example was a specifically targeted attack, the same method could be
used to attack virtually any information technology system used in any criti-
cal infrastructures around the world. Stuxnet has therefore been described as
a cyber weapon of mass destruction.60 Of particular note is that the vast
majority of complicated information technology systems that are potentially
vulnerable to Stuxnet are located in NATO and NATO partner countries.
NATO and Cyber defence
NATO's cyber agenda
42. The cyber domain is often described as the fifth battlespace, representing
both opportunity and risk for the military. In the context of the revolution
in information and communication technologies, the military institutions of
major powers have been working relentlessly to interconnect commanders,
soldiers, sensors and platforms in order to improve agility and achieve better
situational awareness. Today, more than 1/5 of US defence and security acqui-
sitions are in the cyber sector.61 Network-centric capabilities has become a
buzzword in militaries, while new technologies enable commanders to make
better-informed decisions and to reduce human losses by, for example, operating an unmanned aerial vehicle (UAV) over Afghanistan from a base in Nevada.
43. On the other hand, our armed forces are now faced with risks they have
not experienced before, such as the incident reported by The Wall Street Jour-
nal in December 2009, when Iraqi insurgents managed to intercept feeds com-
ing from American UAVs using inexpensive software that is available on the
41. No comment
NATO and Cyber defence
NATO's cyber agenda
42. No comment
43. no comment
Internet.62 The Pentagon computer systems are probed up to six million times
per day, according to US Cyber Command.
44. NATO's increasing involvement in cyber security is therefore inevitable.
As NATO Secretary General Anders Fogh Rasmussen put it: there simply
can be no true security without cyber security. The Alliance has included this
issue on its agenda since 2002 when it approved a Cyber Defence Programme,
a comprehensive plan to improve the Alliance's capability to defend against
cyber attacks by improving NATO's capabilities. However, it was not until
the 2007 attacks against Estonia that NATO embarked upon developing a
comprehensive cyber defence policy that would include not only the protection
of the Alliance's own networks but would also augment the cyber security
of individual member states. The Group of Experts Report (the Albright
report) recommended that NATO must accelerate its efforts to respond to
the dangers of cyber attacks. It recommended focusing on protecting NATO's
communications and command systems, helping Allies to improve their ability
to prevent and recover from attacks, and developing an array of cyber defence
capabilities aimed at effective detection and deterrence. At the Lisbon Summit,
NATO member states committed the organization to developing a new Cyber strategy by June 2011. This strategy will most likely require regular revisions
and updating as the developments in cyber domain are remarkably rapid.
45. At present, individual members continue to bear principal responsibility
for the security of their networks, while relevant NATO structures, apart from
protecting their own networks and providing support for NATO operations,
are expected to assist member states by sharing best practices and dispatching
Rapid Reinforcement Teams in case of emergency. Key NATO institutions in
the area of cyber security include:
NATO Cyber Defence Management Authority (CDMA), which is responsible for coordinating cyber defence systems within NATO and providing advice to
member states on all the main aspects of cyber defence. NATO CDMA operates under the auspices of the new Emerging Security Challenges Division in
NATO HQ;
The Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn,
Estonia, which was established in 2008, is responsible for research and training
on cyber warfare;
44. no comment
45. no comment
The NATO Consultation, Control and Command (NC3) Board and NATO's
Consultation, Control and Command Agency (NC3A) control the technical
aspects and operational requirements of NATO's cyber defence capabilities;
The NATO Communication and Information Services Agency (NCSA),
through its NCIRC (NATO Computer Incident Response Capability) Technical
Centre, provides technical and operational cyber security services for NATO
and its operations and is responsible for responding to any cyber aggression
against the Alliance networks.
46. NATO conducts annual exercises aimed at enhancing an understanding
of NATO's cyber defence capabilities and identifying areas for improvement.
This year's exercise, Cyber Endeavor, will take place on 5-22 September in
Grafenwöhr, Germany.
47. A lot remains to be done, however. NATO's principal cyber unit, NCIRC,
is only partially operational and does not yet provide 24/7 security for all
NATO networks. Full operational capability is expected to be achieved in
2012. NCIRC is also only engaged in passive defence, monitoring network
activities and dealing with incidents. It does not have a mandate, however, to go after an attacker.
48. More importantly, NATO needs to devise its policy regarding the key
question of how to react to cyber attacks against one of its member states.
Can one invoke Article 5 of the Washington Treaty after a cyber attack? And
what response mechanisms should the Alliance employ against the attacker?
Should the retaliation be limited to cyber means only, or should conventional
military strikes also be considered? Furthermore, the Alliance must decide to
what extent it can engage in cooperation on sensitive cyber issues with partner
countries, such as Russia.
National policies of member states
49. As noted above, member nations bear the principal share of responsibility
for their cyber security. Before the 2007 attacks against Estonia, most Europe-
an nations were developing national strategies to promote information society
focusing on economic and cultural benefits offered by new communication
46. no comment
47. no comment
48. no comment
National policies of member states
49. no comment
and computing technologies, largely neglecting possible risks. After 2007, the
need for a more balanced approach has been increasingly acknowledged.63
50. The 2010 UK House of Lords report on cyber security noted wide differences between various European countries in terms of preparedness to meet
cyber threats. Since in cyber domain the system is as strong as the weakest
link, the report stated that the European countries have an interest in bring-
ing the defences of the lowest up to those of the highest.64 The exact level
of preparedness is difficult to measure, however, due to the lack of full understanding of the complexity of cyber domain.
51. The highest level of preparedness in the Alliance is in the United States
and the United Kingdom. The US feels more threatened by cyber attacks than
any other nation due to its highly pervasive use of information and communi-
cation technologies as well as to its status as a superpower. President Obama
identified cyber security as a strategic priority. From 2010 to 2015, the US
government is expected to spend over US$50 billion on its cyber defences.65
The Departments of Defense and Homeland Security share the responsibility
for the security of American government networks and implement this mandate through several agencies such as National Security Agency and US Cyber
Command (inaugurated in 2010 and specifically tasked to protect US military
networks). In terms of legislation, three separate Acts streamlined executive
responses to cyber warfare on critical national energy infrastructures, while
another Act coordinated wider cyber security efforts, including those against
financial institutions and industry.66
52. The UK's lead cyber agency is the Government Communications Headquarters
(GCHQ). Cyber security occupies central place in the National
Security Strategy and the Strategic Security and Defence Review published in October 2010. Experts note that review contains all the early signs of a
well-balanced and (now) better-funded approach to UK cyber security.67 UK
Computer Misuse Act is also hailed as a robust and flexible piece of legislation
in terms of dealing with cybercrime.68
53. That said, even in the US and UK there are still important questions that
need to be addressed. In particular, experts note the insufficient degree of
50. no comment
51. no comment
52. no comment
53. no comment
cooperation between the government agencies and private sector which owns
most of information capabilities and infrastructure: more than 90% of American
military and intelligence communications travel through privately-owned
telecommunications networks.69 However, private entities are reluctant to al-
low greater government involvement and monitoring. The UK House of Lords
report noted that representatives of the commercial United Kingdom Internet
industry showed little interest in giving evidence for this report. Many experts
stress that private industry makes its decisions on cyber security measures
based on financial rather than national security calculations.
54. While the US and the UK tend to lead on these matters, other NATO
members have also updated their existing legal frameworks and made cy-
ber security increasingly prominent in their security strategies. In particular,
significant progress has been achieved in establishing Computer Emergency
Response Teams (CERTs). A CERT is an organization that studies computer
and network security in order to provide incident response services to victims
of attacks, publish alerts concerning vulnerabilities and threats, and to offer
other information to help improve computer and network security. The 2010
House of Lords report identified the lack of CERTs in some European countries as a major concern. However, in 2011 the situation seems much better.
According to the register of the European Network and Information Security
Agency (ENISA), CERTs were established in all European NATO countries.
Furthermore, the establishment of more advanced Computer Security and
Incident Response Teams (CSIRTs) is being promoted. CSIRTs are CERTs
that have extended their services from being a mere reaction force to a more
complete security service provider, including preventive services like alerting
and security management services.70
55. However, there is no basis for complacency. Establishment of new institutions must be followed by more intensive schedule of joint exercises. The legislative
basis must also be further reviewed and updated to take into account
the new realities of the cyber domain. According to NATO Deputy Assistant
Secretary General Jamie Shea, legislative frameworks in many NATO countries
are lagging behind in terms of cyber realities.71 At the meeting with NATO
Parliamentarians in The Hague on 19 April 2011, NATO C3 Agency General
Manager Georges Dhollander said that not all NATO member states have ad-
54. no comment
55. no comment
opted legislation that would make it mandatory for the private sector to protect
their data and their networks. For instance, it should be mandatory to install
safeguards that would prevent computers or networks being hijacked and used
as botnets. NATO C3 Agency's Principal Scientist Brian Christiansen also
suggested that all NATO nations should employ the so-called red teams that
use hackers' methods to probe security levels of various national networks
(without malign intentions, of course).
56. The less advanced NATO nations must realize that in the cyber domain
there cannot be a free ride. One study notes that nations that do not have ad-
equate legislative and institutional framework to protect their cyber assets are
less likely to receive assistance from the international community because in
a rapid reaction situation, existing procedures better support effective interac-
tion () because there is a certain amount of homework that can only be
performed by the victim.72
Information and Cyber security: options for the international community and
NATO
57. The challenges of the Information Age for national and international se-
curity are complex and require the combined efforts of international, regional
and national authorities and the private sector, as well as sub- and trans-na-
tional groupings of active individuals. NATO is not in a position to address all
aspects of this challenge, but it does have a significant role to play, not least
because it unites nations with the most developed information and communi-
cation infrastructure (infrastructure, hardware and software which collectively
make up the Internet are still overwhelmingly Western designed and produced;
more than 50% of the world's Internet traffic transits the USA).
56. no comment
Information and Cyber security: options for the international community and
NATO
57. no comment
58. On the global level, NATO should support initiatives to negotiate at least
some international legal ground rules for the cyber domain. This framework
must discourage the cyber arms race and define thresholds above which attacks
constitute an act of war. International law should clearly prohibit the use
of cyber attacks against civilian infrastructures. The principles of international
law should also recognize indirect responsibility of a state to ensure that its
territory is not used by non-state actors to launch attacks against a third coun-
try. If a country systematically fails to ensure that or provides sanctuary for
perpetrators, it should be considered as breaching international law and should
face sanctions.
59. However, achieving this agreement will not be easy, since some critical
players such as Russia and China view cyber security from an informa-
tion security perspective. This perspective is based on their desire to limit
dissent and access to information deemed threatening to their regimes. These
nations have proposed in-built tracking devices on all Internet packets that
would allow all actions on the Internet to be traced. Western analysts argue
this would be cumbersome, costly and easily negated by criminal groups, intelligence agencies and militaries. Therefore, the real target of such proposals
is the average Internet user and their ability to access information and engage
in political dialogue anonymously. Such a surveillance approach is prohibited
by many NATO member states' own laws governing surveillance, propaganda
and counter-terrorism.
58. Threshold for cyber-war is very dangerous: how can one know for sure
that an attack came from a precise location? If an attack is cyber, the response
may very well be physical. This could be a new excuse to start wars based on
speculations like the Iraq war where misinformation at highest levels played
a big role. Threshold for cyber-war needs to be out in the open and those that
use this term have to understand how easy it is to bluff within the internet
landscape where attacks originate. For example within Stuxnet is a trace that
shows it originates from Israel yet everyone is cautioned not to take that as
proof it really comes from there.
Censorship is a dangerous territory to go into and should not be a part of this
report. Nations need of course to be responsible for ensuring that their information
systems aren't used by groups with bad intentions to harm other nations.
However, who will decide what should be censored in order to protect
all of us from cyber attacks? And to whom will those people be accountable
to? Who is checking the checker? WL released documents about how Australia
was censoring the internet for the own good of Australians without their
knowledge or permission.
59. no comment
60. Other approaches to policing the cyber domain focus on developing tech-
nical solutions within Internet infrastructure itself to help maintain security.
The Internet was originally designed to be interoperable and has therefore paid
little attention to security aspects. The 2003 US National Strategy to Secure
Cyberspace identified vulnerabilities within three key Internet protocols:
the Internet Protocol, which guides data from source to destination across
the Internet; the Domain Name System, which translates Internet Protocol
numbers into recognizable Web addresses; and the Border Gateway Protocol,
which provides the connection between networks to create the network of
networks76. None of these protocols have in-built mechanisms to verify the
origin or authenticity of information sent to them, leaving them vulnerable to
being manipulated by malicious actors. Therefore, funding and developing
technical solutions for a new set of secure protocols that will address many of
the vulnerabilities in the current Internet infrastructure whilst falling short of
surveillance of member states' populations could be useful to NATO.
61. In addition, NATO member states should support wide ratification of
binding international treaties, like the Council of Europe's Convention on
Cybercrime, because banning cyber criminal activities would also help negate cyber terrorists as well as state-sponsored cyber attacks that often use the same
techniques as cyber criminals.
62. In terms of public-private co-operation, relevant authorities of NATO
nations should be more pro-actively engaging private IT companies when it
comes to setting stricter rules on the use of cyber space. Dialogue is essential
because software companies like Microsoft and Google remain able, by developing
various software options, to exercise influence beyond what any nation
state could aspire to do using their legislative powers. Incentives must be put
in place to encourage private companies, particularly those running critical national infrastructures and designing cyber hardware and software, to upgrade
their security systems beyond simple profit vs. loss calculations.
63. The Alliance should also establish closer co-operation with the EU. Al-
though NATO is developing cyber defence capabilities, it still needs the EU
because it issues laws on comprehensive standards for cyberspace and NATO
does not. It would be useful, however, if the EU established the position of an
61. This year a bill to provide a so-called Internet kill switch was proposed
again by Sen. Susan Collins in the USA. Very dangerous trend that needs to be
addressed in the same manner as the kill switch in Egypt earlier this year.
What does the rapporteur mean when he states the following: The Internet
was originally designed to be interoperable and has therefore paid little atten-
tion to security aspects. Who is THE INTERNET?
61. No comment
62. No comment
63. No comment
EU Cyber Czar in order to have a clear contact point for NATO.
64. With respect to its own contribution, NATO should incorporate its cyber
policies (and encourage its member states to do likewise) into a broader frame-
work for adapting the military to the realities of the Information Age. Cyber
security is not a value per se, it must be seen within the context of the developing
concept of network-enabled capabilities. In other words, we need to find
the right balance between the advantages offered to our armed forces by the
new information and communication technologies, and the protection against
cyber threats stemming from this information revolution.
65. It also goes without saying that NATO must clarify its response mecha-
nisms in case of a cyber attack against one or more of its members. It is
important that while the Alliance's cyber strategy is under preparation, it is not
prevented from adequately responding to such attacks. Some argue that Article
5 should not be applied with respect to cyber attacks because their effect so
far has been limited to creating inconvenience rather than causing the loss of
human lives and because it is hard to determine the attacker. However, the
Rapporteur believes that the application of Article 5 should not be ruled out, given that new developments in cyber weapons such as Stuxnet might eventually
cause damage comparable to that of a conventional military attack.
66. In more practical terms, NATO should consider its role in protecting physi-
cal infrastructure associated with the cyber domain. The physical vulnerability
of fibre-optic cables and information hubs represents a serious challenge within
the cyber domain. Most long-haul fibre-optic cables reach land at obvious
choke points, which make them susceptible to attack or damage. Of note is
the choke point for transatlantic cables, Widemouth Bay, Cornwall, in the UK,
where four major EU-US cables reach land.77 This area has reportedly been designated vital to US security because of these cables.78 Meanwhile, the
vast majority of the physical cables that connect the United States and Asia
run through the Luzon Strait choke point between Taiwan and the Philippines.79 Cables in the Malacca Strait are also congested, and island NATO
members and partners, like Iceland, Japan and Australia, are particularly vulnerable.80
To date, the best form of protection for these sub-surface cables has
been their anonymity. However, sometimes this is not enough, as highlighted
64. No comment
65. So far there has been no link with the loss of human lives in relation to
cyber attack, thus it is way too steep to suggest article 5 should be used. Stuxnet
is not a good example simply because there are traces within the virus that
track it to Israel.
66. no comment
by the fact that 75% of Internet capacity between Europe and a large part of
Asia was temporarily lost when, in 2008, ships off the Egyptian coast severed
two inter-continental fibre-optic cables by dragging their anchors.81 A Georgian woman denied 90% of Armenians access to the Internet for 5 hours when
she inadvertently cut through a cable with her spade.82 There have also been
other large Internet disruptions caused by cable incidents in Malta, Sicily, the
US and Asia.83 These highlight the possibility of sabotage by state or non-
state actors. In terms of bandwidth capacity, NATO member states are heavily
dependent on infrastructure in the UK for their transatlantic communications.
Many of these key Internet peering points are based in and around London and
have previously been threatened by flooding.84 Any disruption to these infrastructures
could have far-reaching economic and military effects.
67. The Rapporteur also suggests that NATO considers applying common
funding procedures for procurement of some critical cyber defence capabilities
for its member states. The Alliance and its nations should also redouble their
efforts to invest in human capital, because currently the Western nations are
widely believed to be losing their advantage in cyberspace in terms of numbers of cyber experts and qualified personnel.
68. Other practical measures should include reviewing our policies in terms
of critical information that is to be stored online. The Cablegate revealed
some documents that date back to 1966. Nigel Inkster, a prominent British
expert, says that this suggests an excess of zeal among those tasked to place
State Department data on SIPRNet, since these cannot be relevant to today's
operational requirements. It is also necessary to review the operating systems
of critical national infrastructure with a view to limiting their unnecessary
exposure to online connections. Furthermore, new safeguard mechanisms must be put in place to prevent unauthorized downloading of sensitive data to
digital storage devices. Procedures for vetting relevant personnel should also
be revisited.
No comment on this page
69. That said, the Rapporteur wishes to emphasize that all necessary security
measures should not cross the line where they would violate the fundamental
principles and values cherished by the nations of the Euro-Atlantic community.
It is also important for our national security interests: since the cyber
domain is to a large extent governed by the people, it is important to win the
moral support of the majority of the virtual community. In order to prevent the
abuse by the governments, stricter security rules should be accompanied by
measures ensuring democratic oversight. For instance, the United States
announced recently the establishment of the Privacy and Civil Liberties
Oversight Board (PCLOB) to ensure that privacy and civil liberties are protected.85
70. Last but not least, the Rapporteur would like to underline the role of
parliamentarians not only in terms of issuing relevant legislation, but also in
communicating with a public that is often insufficiently informed about the scope
of opportunities and risks posed by the Information Age.
Annex
Types of Malware
Logic Bomb
The earliest and simplest form of malware. It is not a virus but a piece of
computer code, which needs to be secretly inserted into the computer software.
When triggered (positive trigger: setting a time or date of the bomb exploding,
such as removing an employee's name from the salary list; or negative trigger:
failing to insert certain data or code by a specific time), the bomb can cause
system shutdown, delete files, send secret information to the wrong people, etc.
Trojan Horse
Creates a back door into a computer, which can be obtained via the Internet
from anywhere around the world. It can delete, steal or monitor data on
someone else's computer. It can also turn the computer into a zombie and use it to
hide the real perpetrator's identity and cause further damage to other systems.86
Key-logger
Monitors and keeps track of keystrokes on a computer, usually without the user
being aware of it. The information can be saved to a file and sent to another
computer. Private data such as usernames and passwords are usually
the key targets of the program.
Virus
Infects files when they are opened or being run and is capable of
self-replication. It often manifests itself as a logic bomb or a Trojan. Viruses are
difficult to track and can spread very quickly. In 2000 the ILOVEYOU virus caused
damage of approximately US$10 million.
Embedded Malware
Malicious software that is inserted into the operational systems of machines,
ranging from phones to weapons systems, and that accepts additional covert
commands. According to General Wesley Clark and Peter Levin, an example of such
an operation was Israel's alleged attack on Syrian nuclear sites in 2007, which was
supposedly made easier because of embedded malware that turned off Syrian
defence radar.

70. The Rapporteur does not go into detail in any way about the lack of civic
rights in cyberspace. I wish to draw the attention of the Rapporteur to an
ongoing case I have personally been dealing with and which is resulting in a special
report at the human rights committee at the IPU. Here is a part of a recent
article I have written about this, which should perhaps give the writers of this report
a deeper perspective in this regard.
First of all I want to express my gratitude to the USA Department of Justice
for their attempts to have my personal backend information handed over to
them from my Twitter account because of my volunteer work for WikiLeaks.
It has raised my awareness about the lack of civic rights social media users
have and thus given me reasons to fight for these rights.
Before my Twitter case I didn't think much about what rights I would be
signing off when accepting user agreements with online companies. The text is
usually lengthy and in a legal language most people don't understand. I think it is safe
to say that very few people read the user agreements, and very few understand
their legal implications if someone in the real world would try to use them against
them. It is simply virtual until a case is made in the real world.
Many of us who use the Internet, be it to write emails, work, browse its
growing landscape, mine for information, connect with others or use it to
organize ourselves in various groups of the like-minded, are not aware that our
behavior online is being monitored. Profiling has become a default with
companies such as Google and Facebook. These companies have huge databases
recording our every move within their landscape in order to groom
advertisement to our interests. For them we are only consumers to push goods at, in
order for them to sell ads in a clever business model. For them we are not
regarded as citizens with civic rights in their world. This notion needs to change.
To be fair, I guess no one really knew where we were heading when these
companies were start-ups. Neither us the users, nor the companies hogging and
gathering our personal information for profit. Very few of us had the
imagination that governments that claim to be democratic would invade our online
privacy with no regard to rights we are supposed to have in the real world. We
might look to China and other stereotype totalitarian states and expect them
to violate the free flow of information and our digital privacy, but not our very
own democratically elected governments.
What I have learned about my lack of rights in the last few months is of
concern for everyone that uses the Internet and calls for actions to raise people's
awareness about their legal rights and ways to improve legal guidelines and
framework online, be it locally or globally.
I guess the problem and the dilemma we are facing is that there are no proper
standards, no basic laws in place that deal with the fundamental question: are
we to be treated as consumers or citizens online? There is no international
charter that says we should have the same civic rights as in the offline world.
Our legal systems are slow compared to the speed of online development.
With the social media explosion many people have put into databases very
sensitive information about themselves and others without knowing that they
have no rights to defend themselves against attempts by governments to obtain
their personal data, be it locally or, like in my case, globally. According to
the ruling of the judge in my Twitter case, we have forfeited those rights when
we agree to the terms and conditions by the company hosting our data. Even if
it is not kept on servers in the USA, the company would only need to have a
branch in the USA for authorities to be able to demand the information to be
given to them. We have to rely on, for example, Amazon, Facebook, Google
and Twitter to look out for our interests. It might not always be in their interest
to look out for us.
I want to stress that Twitter did fight for the interests of their users in my case
by going to court to unseal a document demanding them to hand over personal
backend information about me and four other users connected to WikiLeaks.
The document Twitter managed to unseal stated that they were to hand over
our personal information without our knowledge within three days. If Twitter
had not managed to unseal the document we would not know how far the
DoJ is reaching to get their hands on our data and how difficult it is to guard
our privacy in the borderless legal jungle. I am for example not a USA citizen
and because of that I am not protected by the 1st and 4th amendments in the
USA constitution. Users from the USA are protected in the same case by these
fundamental rights.