Strife

The Academic Blog of the Department of War Studies, King's College London


Cybersecurity

Cyber Security in the Age of COVID-19: An Interview with Marcus Willett

July 10, 2020 by Ed Stacey

by Ed Stacey

The World Health Organisation has reported a fivefold increase in cyber attacks during COVID-19 (Image credit: Getty Images)

On 22 April 2020, Ed Stacey sat down with Marcus Willett to discuss his recent article for the International Institute for Strategic Studies (IISS). Marcus’ analysis draws parallels between the current coronavirus crisis and global cybersecurity challenges and warns against the Balkanisation of either response. In this exclusive interview, he expands on his thinking.

For more information on the IISS and the latest analysis of international security, strategy, and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org), and Instagram (@iissorg).

ES: In your article, you explore the idea of a global cyber ‘pandemic’ – what do you mean by this?

Marcus Willett: What the article tries to show is that we like to take a lot of language in the world of cybersecurity from the world of dealing with medical crises – like the horrible one we are currently facing. For example, terms like virus and infection. However, what we have not started doing is using words like endemic and pandemic. The article was merely trying to go that extra step and consider the applicability of these words to what is happening in cyberspace. If you just look at cyber-criminality, for instance, techniques that were developed by people in the most advanced and connected nations have now spread, and are being used, all over the globe, by individuals, hacktivist groups, criminals and, of course, states.

Sitting here at the moment, if a cybercriminal was to try and defraud us, that criminal is as likely to be in Eastern Europe, or Nigeria, or Vietnam, as anywhere else. So what I was trying to show is that the use of cyber has spread globally and that you can get infected – through your network or your device – from anywhere around the globe. ‘Pandemic’ feels like quite a good word to describe that phenomenon, particularly since we are all using it at the moment.

ES: Is there a cure for the cyber pandemic?

Marcus Willett: I do not think there is a silver bullet-like vaccine; a cure is more about how nations might approach the problem. The trouble with people who have worked in my sort of background is the thinking that there is always, waiting for you, some technical silver-bullet – a wonderful technical solution that will solve the world’s problems when it comes to cyber. I do not think that is right.

If you think about offensive cyber, for example, the incentives are not great for states to talk about their most sensitive capabilities. This is because the most advanced states still think they have got such an advantage in terms of cyber that it does not make sense to reveal what they have developed to the world. But I believe states need to start a dialogue about the risks involved in some of these cyber capabilities, building on stuff that is already being done around developing norms of behaviour, to think about how we might better manage them.

So, I think a cure is more in the territory of better understanding the risks and better managing those risks than pursuing technical solutions. And the only way we are going to get to that is to recreate the sort of cooperation we see with the response to the current health pandemic. Additionally, I think that the best way of having those sorts of conversations is not to start at the most difficult end, which is, say, to try and work out some big deterrence theory and proliferation control treaty around offensive cyber capabilities. Because that is going to get silence from some of the big actors from the very beginning.

Instead, it is better to pick an area like cybercrime, where all states have a vested interest in trying to combat the defrauding of their economies and use that as a way to start the dialogue between states about how we can better manage these risks. Always, however, with the goal of an internationally agreed regime over what is a responsible use of cyber capabilities. The same way we have ended up with the understanding that it is generally unacceptable that people use barrel bombs and cluster bombs – that a guided missile is more acceptable.

ES: Is the United Nations (UN) the best space for this dialogue to take place?

Marcus Willett: Whilst it needs to be under the auspices of the UN, I cannot help but feel there is a certain group of nations that need to start the conversation. I would love to see, particularly, the Americans and the Chinese talking about cybercrime. That would start a dialogue that might help bring some of the conversations they are having around technologies – take Huawei, for example – into a better place – and where they need to be. If we carry on with this sort of competitive conversation around the future of cyberspace, I think we will end up with results that are not very good for likeminded nations like ourselves and our allies.

ES: Russia has been quite active at the UN on cybercrime. Do you see their recent proposal as a viable alternative to the Budapest Convention?

Marcus Willett: One of the reasons I suggested the US and the Chinese is to draw that distinction with the Russians, who are quite fond of coming to the UN with grand proposals that are, frankly, a little bit transparent. I did a conference in Berlin last year on a panel around cyber, and question number one from the audience came from the Russian cyber representative to the UN Group of Governmental Experts (GGE). She laid out, not a question, but a statement about how the Russians were the good guys around cyber, claiming that they had been arguing for all sorts of things – like the cybercrime treaty you just mentioned – and for the outlawing of any military use of cyber capabilities. This was just after the Skripal incident and when that GRU unit was exposed at the Hague. So you can imagine how the Dutchman to my right reacted; it was an ‘actions speak louder than words’ situation.

A more realistic conversation with the Russians, since a lot of cyber-criminality emanates from bits of their territory, would be around legal jurisdictions and Mutual Legal Assistance in Criminal Matters (MLAC) arrangements – to try and get their assistance in pursuing some of this criminal activity. As you know, they are very unlikely to agree to that. And these are difficult conversations because they are likely to end up in accusation and counter-accusation.

I like the idea of the Americans and the Chinese talking about it; both with a vested interest, both without the past of being connected to cybercriminal gangs. That has got a higher chance of success. Yes, the Russians need to be brought into those sorts of conversations, but I would not start there because, again, it feels like too difficult territory. Cybercrime between the US and China: easier territory. Cybercrime with Russia: very difficult territory. Offensive cyber and military capabilities: very difficult with everybody. It is about trying to find those baby steps.

ES: Is cooperation between the US and China on cybercrime possible in the current context of the ‘tech war’?

Marcus Willett: What I am trying to argue is that there is more potential for a conversation around cybercrime than there is for a conversation on anything else, given the context of the tech war. It would be the best way of starting a dialogue because it is a rare area of mutual interest. Of course, you would have to start the conversation with a very clear definition of what you meant by a ‘cybercriminal’. But there are millions being defrauded from the Chinese economy by cybercrime, just as there is from the US economy; they are both targets of cybercriminals. So, you have got a better chance of starting a conversation there than anywhere else.

Does that feel overly idealistic given what is going on? I would have thought there was a chance if you just had the tech war or even just the trade war. However, if this escalates into finger-pointing around COVID-19 and an inquiry turns into making China some sort of a pariah state, it would be less likely. And you can see already how some of the stuff coming out of the White House is only going to antagonise the US’ relationship with China even more. So, no – perhaps the prospects are not as good as they were a few months back, but it is about more than just the tech war.

ES: Why do states such as Russia and North Korea use cyber organised criminal groups (OCGs) – either by shielding or cooperating with, and perhaps even masquerading as, them – to augment their cyber capability?

Marcus Willett: Something you said earlier resonated with me. When you alluded to the issue of defining cyber-criminality and the Russians perhaps having a slightly different idea. I remember the same sort of trouble around early attempts to talk with the Chinese about counterterrorism. You had to be very careful to define what you meant by terrorism for them not to think that that was an excuse to go after Uighurs in their own country. For the Russians, unless you are very careful about defining cyber-criminality, for them, people that we might call cybercriminals are patriotic hackers – an extension of the Russian state. That definitional point is a problem.

Another thing to note is the sophistication of some of the capabilities that have been developed by the organised criminal fraternity. In a good, realpolitik way, a state like Russia can see an advantage in these sorts of capabilities being developed by people sitting on its own soil. As you know, beyond cyber, plenty of corruption goes on between criminal gangs and the Russian state – and has done for centuries.

I lived in Moscow in 1983-84 as a student, during the height of the Cold War. And even though you could not read about it in the press, every Russian you spoke to knew that all sorts of arrangements were going on between the Soviet government and people they called mafia bosses – the mafia boss in Leningrad, as it was then, or the mafia boss in Moscow. There was the official world and then there was what really happened. So, I cannot help feeling – as so often in cyber – what you see being played out in cyberspace is actually a reflection of what has been going on for a long time in the real world. Sorry to use this phrase and be the first one to use it, but cyber is just a new domain for old-age stuff. It is an accident of history and culture, going back through Tsarist times, that some slightly shady stuff goes on between the Russian state and parts of its population. Why should we be surprised to see that being played out in cyberspace?

In terms of the other point you are making, which is that some states pick up a modus operandi that makes them look like cyber OCGs – and I think you are mainly referring to North Korea there. Well, I wonder if that is out of choice or whether it is simply the case that the level of sophistication that they are able to attain is that of a cybercriminal group.

North Korea is a very interesting example. Everybody knows that they were behind WannaCry and the hack on Sony Pictures, and that they have been trying to defraud the global banking system – SWIFT and so on. I put it to you that North Korea is not able to do much more than that given its own massive vulnerabilities. For example, the number of connections that come out of North Korea to the global internet is extremely few, and so, for that reason, it often deploys its operatives overseas. It would certainly need to do that if it got involved in any sort of conflict, as it would have no chance of running offensive cyber operations from within its own territory if it was up against a capable cyber actor.

In other words, North Korea has had to develop these more distributed, low-level capabilities. I do not think they are deliberately trying to make themselves look like cybercriminals, it is just that is the sort of capability they know they can use and have access to.

Countries like North Korea and Iran have learnt from what other countries have done in cyberspace, which is perhaps not the lesson that was intended; it certainly was not the lesson intended for Iran around Stuxnet. They saw this activity and thought: ‘Oh, that is interesting. What could we do in cyberspace? And would that give us a reach beyond our own region that we have no chance of achieving with any of our other capabilities? Does it give us a reach even into the great Satan – the US?’. And lo and behold, it does. Their attacks are not going to be of the level of sophistication that can bring down the US’ Critical National Infrastructure (CNI), but they can have strategic effect. Whether that is propaganda effect or just being an annoyance, it nevertheless can be used to say to their citizens: ‘Look, we can do harm to the US’.

It is the famous point about cyber, that what can look like unsophisticated capabilities can proliferate and be picked up easily by states, from groups like cybercriminals, and then utilised to have a strategic effect in the mainland of a superpower, in a way that they previously could not. So, North Korea, and I would add Iran, are very interesting studies in some of the risks associated with the proliferation of cyber capabilities.

Sitting in the back of our minds, always – and this is the other thing big, cyber-capable states need to talk about – is the proliferation of some of those more destructive capabilities to terrorist organisations, and what that could mean. Everybody always assesses international terrorist groups when they look at threat actors in cyberspace. And the answer for years has been: ‘They know about the potential; they are interested and looking for it, but they do not have it’. And so, every assessment ends with: ‘So there is no need to worry about them at the moment’. Well, that picture could change. If ever terrorists work out a means of delivering the same sorts of physical destruction that they can through the use of a bomb, with cyber means, that is a bad day for everybody.

ES: How real is the threat of a catastrophic cyber event?

Marcus Willett: Having talked about cyber-criminality, terrorism, and states realising the asymmetric advantages they can gain through cyber capabilities, nevertheless, these are not where I see the greatest risk of a cyber catastrophe. The greatest risk of a cyber catastrophe, in my mind, is what is happening every second of every day, with the reconnaissance and prepositioning by states against their potential adversaries’ CNI – infrastructure like power, transport, communications – the bringing down of which would have catastrophic humanitarian consequences, as well as technical dimensions. And, while I am sure no state short of a conflict situation would intend to do that, my worry is that – as has already been proven in WannaCry and NotPetya – states, in trying to either reconnoitre a network or preposition for a conflict scenario, may accidentally make a mistake.

Prepositioning is necessary because, to have an effect in a conflict situation, you cannot go from a standing start: you either have that presence in the network or you have not. In other words, you need to establish a presence in the network in peacetime to be able to have that capability should a conflict occur. So, states are not only doing reconnaissance, they are doing pre-positioning. And the chances of something going horribly wrong, I would say, are fairly high.

What worries me most about that is, even just the detection of that sort of activity – what some may define as a cyber attack – could cause escalation. And how states try and deescalate in a cyber catastrophe is still something we have not properly thought through. How a prime minister or a president would be brought into the discussions around such a technical subject, that had spilled out into real-world loss of life and escalation, in a way that could deescalate the situation, is an issue at the heart of where we need to get to around international conversations, under the auspices of the UN, for cyber.

My argument is that, although this is the biggest risk, you cannot start with this conversation amongst states. But you have to start the conversation somewhere, so have it about cyber-criminality. Do not be deceived, however, in forgetting that the biggest risk is the one I have just been through: a mistake by a state in cyberspace that is interpreted as a potential act of war. That is the biggest risk in cyberspace.

How likely is that sort of catastrophe? The sad thing is that we do not really know, except to say that it is probably more likely than we should be comfortable with. The problem is we still do not properly understand what is happening in cyberspace. But there is lots of reconnaissance and prepositioning going on, all the time, by states, against each other’s CNI. Do not be deceived as to what is reported in the press about there having been 200 cyber attacks in the last ten years, or whatever the figure is. It all depends on what you mean by a cyber attack.

ES: Your comment on translating technical information to world leaders really resonates with President Trump in the White House. With a lack of precedent for escalation in cyberspace, there is no knowing if and how he might act.

Marcus Willett: Unfortunately, if you are an official in the US administration at the moment, you know you dare not mention the word cyber to President Trump. Because – and this is a massive generalisation – to him, all he can equate cyber with is: ‘The hacking into of our electoral processes and people saying that cyber is the reason I got elected’. Whilst he has made statements about the use of cyber in the past, I know from private conversations with ex-colleagues who are in those positions, that cyber is a subject you have to handle very carefully. Otherwise, you press the wrong button with the President, and it ends up not being a conversation, but the receipt of an earful. So, it is a huge challenge.

ES: And finally, in the context of the coronavirus crisis – and discussions around sovereign capability, national tech companies, supply chains, and so on – is the Balkanisation of the internet preventable?

Marcus Willett: This is a very interesting question. Balkanisation, or even bifurcation of the internet, which is the other phrase that is thrown around, is the concept of two internets. One model is what we have at the moment: multi-stakeholder governance, free, with a balance between states, NGOs, the private sector and techy-coders; and then how that internet is developed and run, with a balance between the rights of individual citizens, the private sector and governments. And the second model, which is being pushed by the Chinese and the Russians, which entails greater state control over sovereign cyberspace. This can sound like just a technical issue, but the implications for how the global economy works, for example, are massive.

Why would states not want more control over the threats to them and their own sovereign bit of cyberspace? Well, the net result may be, instead of having a conversation about how you can achieve control with a single internet and a single global economy, you end up with two separate versions, then three, or four, and so on. And do not forget what the word Balkanisation means: it is the disintegration into individual components that compete, or even conflict. And if there were two separate internets, one Chinese and one US, broadly speaking (although there is talk of a RU.net and the Iranians have invested quite a lot of money into trying to develop their own intranet), the current risks around cyber that I described earlier, between states, become even greater.

Imagine if you had no vested interest in that other internet: it is not connected to your economy; none of your CNI is dependent upon it. What would the incentive then be for states to restrain themselves around their use of cyber capabilities?

That is my worry about Balkanisation and why I fear a tech war, to which the only solution is to ban bits of tech from your own networks, ends up being self-defeating. Not only immediately, as you can see with all the US tech providers, for example, going to the White House saying: ‘Do you not realise what that does to our own economy and our ability to export into those markets?’. That is almost putting an Iron Curtain down that virtual world of the internet. And if you think about how dependent we are all becoming – with the Internet of Things, smart cities, and smart homes, and so on – that virtual curtain could only be followed by a real-world equivalent. I think it is incredibly short-sighted, and it can only lead to increased risk geostrategically.

Having said all that, if you are sitting here in a place like the UK you speak with two different voices. You certainly support the idea of a single, multi-stakeholder, free internet. But Ministers also worry about the UK’s ability to deal with terrorists and cybercriminals in its own bit of cyberspace because of issues such as the spread of ubiquitous encryption by big US tech companies. So, the UK also has a sovereign problem around understanding some of the biggest threats in cyberspace. It is a difficult question to answer, which becomes especially challenging for a middle-ranking country like the UK: one that instinctively does not want to see Balkanisation and cyber sovereignty, but also wants a bit more sovereign ability for national security reasons, over its little bit of cyberspace. It is a fascinating subject that is, I think, just going to roll. But I do not like the idea of banning tech from your own network; it is unrealistic and just not the way to go.

In some ways, the US has hit the strategic thing that is going on: a global competition about how the internet in the future will be developed, between itself and China – its main rival in this space. That is the big strategic point. And though the UK may not have woken up to that issue, the US tactic feels wrong. The UK tactic, ironically, perhaps not having recognised the strategic issue, feels better. And for those who love their deterrence theory, this is the idea of deterrence through entanglement – which everybody debates whether it really works or not. The notion that a potential adversary entangled with the global economy and in global cyberspace, is far easier to deter from bringing down that economy and that cyberspace than it would otherwise be.

And one more thing: look at this from China’s perspective. China is desperately dependent on eight US companies for how it runs its own networks. You could list them: Microsoft, Qualcomm, IBM, Intel, Cisco, and so on. They call them the eight guardian warriors. Yes, China does talk about having its own internet and ‘the Great Firewall’, and all that sort of stuff. But interestingly, two of those eight companies – Microsoft and Cisco, I believe – sit on China’s cybersecurity internal standards-setting body. IBM and the Bank of China develop technology supporting trillions of dollars of financial transactions around the globe. The People’s Liberation Army (PLA) uses Microsoft. I mean, that is just how it is – they are thoroughly entwined. Why would you try and persuade the Chinese that the better solution is for them to start developing everything indigenously; to not use anything American and wipe out half of the world’s population from your markets? I mean, why would you do that?


Ed Stacey is a BA International Relations student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.

Marcus Willett CB OBE is a Senior Adviser at the IISS. He helps to develop and deliver a programme at the IISS that researches the use of cyber and related technologies as levers of national power, including their role in future conflict. His initial focus is on developing a methodology for measuring cyber power to assist national-level decision-making.


The Rise of ‘Digital Nations’

April 14, 2017 by Cheng Lai Ki

By Cheng Lai Ki

The Internet-of-Things (IoT) refers to the dense nexus of sensors and computers built on the hyper-connectivity of the Internet, and it is now essential to economic development, national security and intelligence collection. While the field is dominated by technical solutions, we are seeing an increase in policy-based interventions designed to tackle human vulnerabilities. During closing discussions between a panel of industry experts, Jeff Moss at Blackhat Asia 2017 revealed an interesting concern about the emergence of ‘Digital Nations’, i.e. enterprises that have accumulated considerable international presence which translates into political power, a kind of power otherwise usually reserved for governments. While the concept remains a friendly discussion between industry experts, the realities behind Digital Nations and their implications for global geopolitics, intelligence and security are not entirely implausible or restricted merely to works of fiction.

Asymmetric Power of Data

The IoT is constructed around the notion of enhancing data operations by leveraging the masses of computer networks connected via the Internet. Today, more than a zettabyte of data flows through the internet alone. At Blackhat Asia 2017, one of the panellists, Halvar Flake, noted at the closing keynote that contemporary power resides in data. Therefore, big data and analytics have become the core operations essential to competitive industry expansion and operational streamlining.

Within corporate domains, one can easily identify multiple Cloud Computing-orientated solutions to improve business operations and efficiency. Narrower within cybersecurity domains, Machine Learning solutions are progressively dominating the field, evident from trade halls hosted at the IP Expo Europe (2016) and Blackhat Asia (2017). All these solutions emphasize data management and information security, increasingly demanded universally in all sectors.

‘Digital Nations’ are well-embedded technology companies that expanded alongside such internet-based models and subsequently monopolised the asymmetric power of data. Our increasing digital integration, empowered through the IoT, has allowed these entities to expand aggressively, thus cultivating political power through extensive integration into critical infrastructure and commercial markets across all sectors. The best example of a Digital Nation with such scale of market reach is the renowned multi-service provider Google.

Google and the IoT

As one of the largest global enterprises, Google possesses multiple services intricately integrated within commercial and governmental entities. Aside from the enterprise’s core internet-related services, Google has expanded into Telecommunications (Fiber), Cloud Computing (Spanner), Robotics (X), and Artificial Intelligence (DeepMind). While Google’s business expansion is eye-catching, such widespread reach has raised several key political and security concerns.

Google’s expansion is also closely related to its powerful political networks. In the United Kingdom, former civil servants such as Sarah Hunter and Verity Harding were hired to strategically support key projects targeting various critical services. As early as 2010, Marc Rotenberg raised his concern ‘about Google’s role in the political system because they learned how to lobby very effectively’, and the remarkable levels of influence the company holds. While undoubtedly an effective business expansion strategy, this political entrenchment creates complicated legal and jurisdictional situations and raises further concern over the security applications of its internet-related services.

For instance, the PRISM program was a 2013 American electronic surveillance operation utilising information obtained from several internet giants. Regardless of the industry’s scale of compliance, the existence of the program underlined a significant security risk imposed by powerful internet companies. Although Google claimed that it ‘does not have a backdoor for the government to access private user data’, such a position needs to be reviewed within the context of emerging political-technology relationships.

A Hybrid Challenge

Today, most of the world’s leading technology giants with significant investments in the IoT are located and headquartered in the United States. ‘Digital Nations’ like Google invariably position themselves as political proxies or intelligence resources. With the revelation of more cyber-espionage operations, policy communities will face two main challenges in maintaining order where commercial organisations are accumulating enough political power to influence geopolitics. Driving global digitisation by providing essential services allows key enterprises to influence political decision-making and potentially support cyber intelligence operations, thus muddying the geopolitical and jurisdictional relationships between nations as these enterprises act as political proxies. However, various solutions can be proposed to rebalance skills across cybersecurity communities and to empower international regulatory and oversight bodies.

First is the need for balanced technical, policy and social science expertise. Cybersecurity remains a technically dominated field, and technical expertise will always be required to combat adaptive and ingenious threats. However, as society becomes increasingly digitised, all agencies should increase their investment in researching cyber-social behaviours. A possible solution is to cultivate an understanding of the contemporary socio-technological landscape, which can assist governments in developing effective policies capable of keeping pace with a rapidly modernising world. This enables greater oversight and limits enterprises from becoming political proxies.

Second, greater empowerment of international oversight bodies and legislation is a must. As society progressively moves ‘online’, there have been increasing concerns about how human-rights issues translate to the digital realm. Since the opening of the Internet to the public (and the world), many organisations have been established to achieve such objectives. However, existing institutions still operate primarily as liaisons and think-tanks. Digital Nations are only going to grow alongside the IoT. Ergo, a solution is the establishment of specialised cyber working groups within existing international oversight bodies to confront and manage cross-national jurisdictional issues in digital space.

Rebalancing Cybersecurity

As we continue to depend on data and to interface globally via the Internet-of-Things, Digital Nations will only accumulate more political power. While not necessarily a globalised threat, Digital Nations carry the potential to upset the traditional balances between nations and are capable of causing significant security compromises. Bolstering current oversight capabilities and empowering other non-technical sectors to balance our digital dependency is thus a collective resolution that needs to be adopted.


Cheng Lai Ki is a Freelance Intelligence Analyst in Singapore and works in the field of cybersecurity, geopolitical risk and international security. He has an MA in Intelligence and International Security from King’s College London and was a former Managing Editor at StrifeBlog.


Image source: http://www.digitaltrends.com/computing/open-source-parsey-mcparseface/


Strife Feature – A Beginner’s Guide to the Musical Scales of Cyberwar

December 28, 2016 by J. Zhanna Malekos Smith

By: Jessica “Zhanna” Malekos Smith

Musical scales of cyberwar: the graphic of a piano keyboard illustrates how the core principles of the law of war apply to cyberspace

Whether you are a cybersecurity professional, policymaker, or student, this article is a beginner’s guide to understanding the ‘musical scales’ of cyberwar. As such, it addresses what constitutes a use of force in cyberspace and how states may lawfully respond.

Understanding the legal confines of offensive and defensive cyber operations is a burgeoning area of study. In fact, as the former legal advisor to the U.S. State Department, Harold Koh, famously remarked at U.S. Cyber Command in 2012: “How do we apply old laws of war to new cyber-circumstances, staying faithful to enduring principles, while accounting for changing times and technologies?”[1]

To provide granularity in answering this question, this article uses the analogy of a piano keyboard. The accompanying graphic illustrates how the core principles of the law of war apply to cyberspace. Using the concept of Middle C and musical intervals known as octaves, it displays the range of permissible state conduct during times of conflict.

As the illustrious American poet Henry Wadsworth Longfellow wrote, “music is the universal language of mankind.”[2] By juxtaposing the law of war with a keyboard, the process by which states evaluate the scale and effects of a cyber operation and determine a basis for resorting to a use of force under the Law of Armed Conflict (LOAC) can be more readily conceptualized.

Middle C – The Starting Position

Just as Middle C is the traditional starting position for beginners learning to play the piano, the United Nations (U.N.) Charter and customary international law can similarly be regarded as a state’s starting position for conducting peacetime military operations and combatant operations.[3] Even the 2016 U.S. White House Report on Legal Frameworks Governing Use of Military Force begins by using the Charter to determine an international legal basis for employing force.[4] The Charter is central to public international law, including the principles of jus ad bellum (the right to war) and jus in bello (the law in waging war).[5]

While these legal regimes govern all domains of war, can they be extended to include cyberspace? According to Robin Geiß, a legal advisor to the International Committee of the Red Cross, since LOAC is “flexible enough to accommodate new technological developments” it applies equally to cyberspace.[6] Further, Geiß offers parallel historical evidence of this by noting that the International Court of Justice considered the same issue when evaluating the legality of nuclear weapons.[7] Thus, while cyberspace is an artificial space that lacks traditional physical borders, the principles of LOAC still apply to this medium.[8] The central challenge remains, however, measuring how far the outer limits of this doctrine can be tested in cyberspace while still maintaining its operative core.

In restricting a state’s use of force, Article 2(4) of the Charter states:

“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”[9]

Although there is no precise set of indicators for measuring a “use of force” in cyberspace, Koh identifies three examples of aggressive cyber activity that would constitute a use of force: “(1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in plane crashes.”[10]

Article 39 of the Charter also delineates the Security Council’s role in both determining “any threat to the peace, breach of the peace, or act of aggression” and offering recommendations on a proper course of action.[11] Walter Gary Sharp notes that this nexus demonstrates that “[e]very threat or use of force proscribed by Article 2(4) is a threat to international peace and security within the meaning of Article 39.”[12]

While no international consensus exists on defining a “cyber attack,”[13] the Tallinn Manual defines it as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”[14] A significant limitation to a state’s resort to force, however, is the right to self-defense from an “armed attack” under Article 51. It reads in relevant part:

“Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations until the Security Council has taken measures necessary to maintain international peace and security.”[15]

But how is a use of force different from an armed attack?

A good general rule of thumb here, as Professor Michael N. Schmitt of the U.S. Naval War College suggests, is that “all armed attacks are uses of force, but not all uses of force qualify as armed attacks.”[16] This distinction is legally significant. The reason is that if a cyber operation does not satisfy the de minimis damage/injury threshold to constitute an “armed attack” under Article 51, then the victim state has two modes of recourse: “[1] the victim state may bring the matter before the Security Council, or [2] it may employ non-forcible countermeasures.”[17] And although Schmitt’s distinction between a use of force and an armed attack represents the predominant view amongst the international community, the U.S. Government does not subscribe to it. Rather, from the U.S. standpoint, there is no legal difference between a use of force and an armed attack in the jus ad bellum.[18]

In summary, the Charter and customary law symbolize Middle C.

Octave Set 1: Evaluating an Armed Response to Cyber Operations

The green octave depicts the range of permissible action for a state that has fallen victim to a hostile cyber act. Rather than examine the scope of non-forcible countermeasures and economic sanctions here, the article’s chief focus is on evaluating an armed response.

As a first step, the victimized state must assess the amount of damage produced. This baseline analysis is necessary to determine whether an armed response is justified. Second, it must identify the proper basis for employing force under international law.[19] Furthermore, if the U.S. were the victim state, any decision to employ a use of force must also comport with U.S. domestic laws like the 1973 War Powers Resolution.[20]

Pursuant to the U.S. Army’s Law of Armed Conflict Deskbook, the victim state must first determine whether the adversary’s action(s) constituted destruction at a level amounting to an armed attack under the de minimis damage/injury threshold.[21] The jus in bello definition of ‘attack’ is set forth in Additional Protocol I, Article 49.1, which describes such action as “acts of violence against the adversary, whether in offense or in defense.”[22] Thus, if the military cyber operation satisfies the de minimis threshold of damage to persons or property, then it qualifies as an attack. In military cyber operations, the jus in bello definition of an attack also imparts clarity in understanding what should constitute a cyber “armed attack” in the jus ad bellum.

If the requisite level of harm is not produced, however, then the hostile cyber act may qualify as a cyber intrusion.

The question then becomes, however, what constitutes a cyber intrusion? According to Professor Gary Solis of Georgetown University, a scholar of the laws of war, a cyber intrusion is “a cyber operation short of an attack on another state’s cyber systems.”[23] Under this framework, acts of “cyber theft, intelligence gathering, espionage, or periodic disruptions or denials of nonessential cyber services”[24] would not constitute a use of force. Thus, in the absence of the requisite levels of death, destruction, or damage, as traditionally observed from kinetic attacks, cyber intrusions are generally not a use of force and do not violate LOAC.[25]

From a military perspective, retired U.S. Air Force Major General Charles Dunlap Jr. reasons that “cyber attacks that have a violent effect are the legal equivalent of armed attacks, or what the military calls a ‘use of force.’”[26] While there is no fixed rule for calculating a use of force, as Koh explains, “most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force.”[27]

On the other hand, prominent international legal scholars like Professor Matthew Waxman of Columbia University have advocated for less of a preoccupation with direct physical effects, and instead broadening the definition of a cyber attack to include the destruction or harmful degradation of data. For Waxman, a cyber attack requires an “effort to alter, disrupt, or destroy computer systems or networks or the information or programs on them[.]”[28]

While this area of law is unsettled, the predominant viewpoint amongst scholars is that if the cyber act produces “death, damage, destruction or high-level disruption,”[29] it yields a violent effect and would qualify as a use of force under Article 2(4).

Octave Set 2: Anticipatory Self-Defense in Cyberspace

The second octave in yellow depicts the range of state action that is likely to be permissible when evaluating a need for anticipatory self-defense. Here, the Army’s LOAC Deskbook provides that this category of defense “justifies using force in anticipation of an imminent armed attack.”[30]

The difference between a permissible act of anticipatory self-defense and an impermissible act of preventative self-defense lies in the state’s ability to demonstrate a decision by the aggressor state to attack it. For anticipatory self-defense to be lawful, there is a high standard of proof. This requirement goes beyond merely proffering evidence of a state’s hostile intent; it also demands evidence of a pending attack. To that end, the complexities of pairing evidentiary standards with attribution also make it difficult for a state to confidently identify another state’s hostile intent and plans for a pending attack in cyberspace.

Putting the attribution challenge aside, however, the following scenario is conditioned on the existence of proper attribution: imagine that Innocuous State I’s electrical grid was compromised by Nefarious State N and that the compromise was accurately attributed to State N. In order for State I to be entitled to a use of force against State N under international law, Schmitt provides a three-part requirements test: the victim state’s opponent must have (1) “decided to actually exploit those [system] vulnerabilities; (2) the strike is likely to generate consequences at the armed attack level” and the victim state must “(3) act immediately to defend itself.”[31] Unless all three of these requirements are met, State I’s response would be restricted to non-forceful responses such as economic sanctions or legal action.

Overall, state acts of self-defense must comply with the principles of necessity and proportionality. Necessity requires states to “consider the exhaustion or ineffectiveness of peaceful means of resolution, the nature of coercion applied by the aggressor State, the objectives of each party, and the likelihood of effective community intervention.”[32] Proportionality is met when states “limit the magnitude, scope, and duration of any use of force to that level of force which is reasonably necessary to counter a threat or attack.”[33]

Octave Set 3: Responding to a Kinetic Attack by Non-State Actors

The third octave, in orange, depicts the range of state action that may be ‘somewhat’ permissible in responding to a kinetic attack launched by a non-state actor, like ISIS.

The reason this octave is labeled ‘somewhat permissible’ is that the surrounding circumstances, such as the scale and effects of the cyber operation and the legal status of the aggressor, will influence how the victim state may respond.

Here, qualifying hostile cyber activity can range from “writing and executing malicious code, launching distributed denial of service [DDoS] attacks, providing malware or other cyber tools to a party to the conflict[.]”[34] The state’s analysis is further complicated when dealing with proxy cyber actors (i.e. digital strawmen) that may be clandestinely receiving financial or other material support from a state entity. In terms of the legal considerations at issue, under the Protocol Additional to the Geneva Conventions of 1949, the minority view of the International Group of Experts is that malicious non-state cyber actors that do not qualify as a state-sponsored armed opposition group are unprivileged belligerents – i.e. “a civilian taking a direct part in hostilities.”[35] The majority view, including that of the U.S., however, does distinguish between civilians that engage in cyber operations during an armed conflict and unprivileged belligerents.[36] Under Rule 29 of the Tallinn Manual, civilians “are not prohibited from directly participating in cyber operations amounting to hostilities, but forfeit their protection from attacks for such time as they so participate.”[37] In contrast, the majority of the International Group of Experts held that unprivileged belligerents possess neither combatant immunity nor prisoner-of-war status.[38]

As to how a state may respond to a cyber intrusion or attack, there is no requirement that a state respond using the same medium. Rather, from the perspective of Pentagon spokesman Colonel Dave Lapan, “[a] response to a cyber incident or attack on the US would not necessarily be a cyber-response. All appropriate options would be on the table . . . .”[39] The Army LOAC Deskbook reasons that how a victim state may respond to an armed attack “may rest on issues of state responsibility and ability to satisfy a higher burden of proof to invoke a use of force in self-defense.”[40] Moreover, according to Tallinn Paper No. 5, LOAC extends to “all cyber operations that have a nexus to the conflict, whether they are launched by states, non-state groups or individual hackers.”[41] In closing, how a victim state mounts a response will vary based on its evaluation of the surrounding circumstances, informational awareness, and mission readiness.

Out-of-Range Area: Impermissible State Action

The out-of-range area in red illustrates state action that is impermissible. Typically, such forms of prohibited state behavior include preventative self-defense and a use of armed force in response to a cyber intrusion. To be clear, preventative self-defense is force employed to counter non-imminent threats and is illegal under customary international law.[42]

Recall that if a cyber operation satisfies the requisite de minimis damage threshold, then it qualifies as an attack. If it does not produce such harm to persons and/or property, then it may qualify as a cyber intrusion. Under this framework, an intrusion into another state’s cyber system to conduct espionage operations would not constitute a use of force.[43] Thus, absent the requisite level of death, destruction, or damage as traditionally observed from kinetic attacks, cyber intrusions do not violate LOAC.

Conclusion

By encouraging society to learn about the basic principles of the law of war in cyberspace, we can collectively better strategize ways to mitigate conflict in this domain. Each of us has a vital perspective to contribute as a cyber stakeholder. If music is indeed the universal language of mankind, then may the euphonious sound of peace always appeal to our ears.

With special thanks to Professor Eric Talbot Jensen of Brigham Young University Law School.


Jessica “Zhanna” Malekos Smith is a postdoctoral fellow with the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. Previously she was a fellow of the Madeleine Korbel Albright Institute for Global Affairs in 2013. Malekos Smith received her B.A. from Wellesley College and J.D. from the University of California, Davis School of Law. She is an M.A. candidate in International Relations and Contemporary War at King’s College London, War Studies.


Notes:

[1] Harold Hongju Koh, International Law in Cyberspace, Yale University Faculty Scholarship Series. Paper 4854 (2012), http://digitalcommons.law.yale.edu/fss_papers/4854. (date accessed December 11, 2016).

[2] Henry Wadsworth Longfellow, BrainyQuote, https://www.brainyquote.com/quotes/quotes/h/henrywadsw379339.html (date accessed December 11, 2016).

[3] See Walter Gary Sharp, Sr. CyberSpace and the Use of Force, 68 (Aegis Research Corporation, 1999).

[4] Chris Mirasola and Helen Klein Murillo, A Summary of the U.S. White House Report on Legal Frameworks Governing Use of Military Force, Lawfare, (December 5, 2016), https://www.lawfareblog.com/summary-white-house-report-legal-frameworks-governing-use-military-force. (date accessed December 12, 2016).

[5] See Gary Solis, Cyber Warfare, 219 Mill. L. Rev 1, 10-11 (2014).

[6] See Robin Geiß, The Conduct of Hostilities in and via Cyberspace, 104 Am. Soc’y Int’l L. Proc. 371, 371-72 (2010).

[7] See id.

[8] U.S. Dep’t of Def., Dep’t of Def. Directive No. 2311.01E, DoD Law of War Program (Feb. 22, 2011), http://dtic.mil/whs/directives/corres/pdf/231101e.pdf.

[9] U.N. Charter art. 2(4). (emphasis added).

[10] See Koh, supra note 2.

[11] U.N. Charter art. 39. (emphasis added).

[12] See Sharp, supra note 3 at 49.

[13] See Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 421, 433 (2011).

[14] See Tallinn Manual on International Law Applicable to Cyber Warfare, gen. ed. Michael N. Schmitt (New York: Cambridge University Press, 2013) [hereinafter Tallinn Manual] (emphasis added).

[15] U.N. Charter art. 51. (emphasis added).

[16] See Michael N. Schmitt, Cyber Operations and the Jus Ad Bellum Revisited, 56 Vill. L. Review 569, 587, (2011).

[17] See Solis, supra note 4 at 15.

[18] See Koh, supra note 2 (explaining that “the United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. I have also noted some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: for example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result.”).

[19] See David Lee et al., Law of Armed Conflict Deskbook, U.S. Army J. Advocate Gen.’s Legal Ctr. & Sch., Int’l and Operational L. Dep’t 29 (2015), https://www.loc.gov/rr/frd/Military_Law/pdf/LOAC-Deskbook-2015.pdf [hereinafter Law of Armed Conflict Deskbook 2015].

[20] See id.

[21] See id.

[22] Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977.

[23] See Solis, supra note 4 at 15.

[24] See id. at 21 (citing Michael N. Schmitt, The Law of Cyber Warfare: Quo Vadis, 25 1 Stan. L. POL. REV. 9, 11 (2015)).

[25] See id. (internal citation omitted here).

[26] See Siobhan Gorman & Julian E. Barnes, Cyber Combat: Act of War, Wall St. J. (May 31, 2011), http://www.wsj.com/articles/SB10001424052702304563104576355623135782718 (emphasis added).

[27] See Koh, supra note 2.

[28] See Waxman, supra note 10 at 422.

[29] See Gorman & Barnes, supra note 20.

[30] See Law of Armed Conflict Deskbook 2015, supra note 14 at 37.

[31] See Schmitt, supra note 13 at 592-3.

[32] See id. at 35.

[33] See id.

[34] See Solis, supra note 4 at 13 (quoting Laurie R. Blank, International Law and Cyber Threats from Non-State Actors, 89 Int’l L. Stud. 406, 430 (2013)).

[35] See Solis, supra note 4 at 13 (internal citation omitted here) (emphasis added).

[36] See Tallinn Manual, supra note 11 at 101.

[37] See id. at 104.

[38] See id. at 101.

[39] US Pentagon to treat cyber-attacks as ‘acts of war,’ BBC News (June 1, 2011), http://www.bbc.com/news/world-us-canada-13614125.

[40] See Law of Armed Conflict Deskbook 2015, supra note 14 at 39.

[41] See Michael N. Schmitt & Liis Vihul, The Nature of International Law Cyber Norms, NATO Coop. Cyber Def. Ctr. of Excellence 8 (2014); see also Tallinn Manual, supra note 11, at 113-14.

[42] See id.

[43] See Solis, supra note 4 at 15.


Image credit: https://www.goodfreephotos.com/albums/vector-images/piano-keyboard-with-notes-vector-file.png

Feature image credit: https://www.goodfreephotos.com/albums/other-photos/hand-playing-keyboard-keys.jpg


Strife Feature, Abstract: A Beginner’s Guide to the Musical Scales of Cyberwar

December 15, 2016 by J. Zhanna Malekos Smith

By: Jessica “Zhanna” Malekos Smith

Musical scales of cyberwar: the graphic of a piano keyboard illustrates how the core principles of the law of war apply to cyberspace

In Strife’s long-form feature piece for December, Jessica Malekos Smith writes about the beginner’s guide to the ‘musical scales’ of cyberwar. Using the analogy of a piano keyboard, her article aims to promote an understanding of what constitutes a use of force in cyberspace and how a state may lawfully respond. Understanding the legal confines of offensive and defensive cyber operations is a burgeoning area of study. In fact, in Harold Koh’s famous remarks at U.S. Cyber Command’s Inter-Agency Legal Conference in 2012, he posed the following question to the audience: “how do we apply old laws of war to new cyber-circumstances, staying faithful to enduring principles, while accounting for changing times and technologies?”[1]

To help achieve this, Jessica uses the concept of Middle C and musical intervals known as octaves to explain the range of permissible state conduct during times of conflict. By juxtaposing the law of war with a piano keyboard, Jessica illustrates the arcane legal precepts of how states evaluate the scale and effects of a cyber operation and determine a basis for using force under the Law of Armed Conflict. Music is a language that is universally understood, and the analogies used here will encourage society to learn about the law of war, and help collectively better strategize ways to mitigate conflict in the cyber domain.


Jessica “Zhanna” Malekos Smith is a Postdoctoral Fellow of the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. Her feature was published on 29th December 2016.


Notes:

[1] Harold Hongju Koh, International Law in Cyberspace, Yale University Faculty Scholarship Series. Paper 4854 (2012), http://digitalcommons.law.yale.edu/fss_papers/4854.

Image credit: https://www.goodfreephotos.com/albums/vector-images/piano-keyboard-with-notes-vector-file.png

Feature image credit: https://www.goodfreephotos.com/albums/other-photos/hand-playing-keyboard-keys.jpg


Cybersecurity in Practice (Part V): Securing the Digital Frontier

November 18, 2016 by Cheng Lai Ki

By: Cheng Lai Ki

‘Norse Attack Map’ A threat monitoring program developed by cybersecurity firm Kaspersky showing live cyberattacks in real time around the world.

The digital-physical divide is shrinking, as is evident from the increased incorporation of cloud computing alongside an exponential increase in the development of smart systems and products. With billions of people connected to the internet today, this globalized informatization can be represented as an ‘Internet-of-Things’ (IoT). IoT can be defined as the nexus of smart devices connected to the internet through inbuilt components, supporting or augmenting end-user experiences and communication. Within the last decade alone, cyberspace has revolutionized our recreational experiences, corporate decision-making and national security services. In a period dominated by data and hyper-connectivity, consumers, developers and service providers all share the responsibility to understand the main cybersecurity trends of today. Here, we address three major cybersecurity trends: IoT-Data Security, Non-Viral Threats, and Evolving Computerized Solutions.

IoT-Data Security

In August 2016, Prof. Yuval Noah Harari from the Hebrew University of Jerusalem suggested the emergence of a new market called Data-ism. All human activity – especially in an IoT-driven landscape – can be deconstructed into quantifiable elements that are subsequently collated by Big Data companies. There is a reason why Google services (i.e. Gmail, Chrome, and Google Earth) are all free. Every piece of commercial or recreational software and every smart product in our possession generates data, which is crunched through analytics software and sent back to the developers so they may streamline their marketing strategies. This was also visible in the political domain when big-league prognosticators failed to account for the ‘uncertainties of their [predictive] models’, which led to a miscalculation about the outcome of the 2016 Presidential Election in the United States. Everything you do is collated as data and subsequently delivered to marketers for targeted advertising purposes – which is actually all stated in their notoriously long Terms of Service agreements.[1]

As mentioned earlier, a characteristic of our IoT environment is cloud computing and the marketization of software, information and platforms as services by large tech companies such as IBM or Google. The convenience of expedited information sharing and processing has made the cloud increasingly attractive to data analytics firms. This attractiveness has stimulated a growing trend, ‘with 74% [stating that] they expect to adopt a hybrid or cloud-only approach to analytics over the next three years’.[2] While the incorporation of cloud computing remains attractive to large organizations, the technical infrastructure required has become commoditized as a service – which presents its own vulnerabilities.

Earlier this year, there was an increase in cyber-attacks targeting user data. This places everyone’s information at significant risk of being extracted by cyber criminals and distributed for profit, especially where it is held by service providers with a heavy reliance on cloud computing. The broad range of applications that cloud computing enables in our IoT landscape has since become an increasing focus of cybersecurity companies in providing secure services and Information Security (InfoSec) solutions.

Non-Viral Threats & Ransomware

Amid the continuous emergence of new recreational and threat-detection software and platforms, cybercriminals are evolving their tactics when conducting Computer Network Exploitations (CNEs). Over the last decade, cybercriminals have begun to incorporate script-based exploits, where commands are injected directly into the firmware of targeted Operating Systems (OS). The broad application of Windows programs has led malicious state and non-state actors to conduct CNEs using PowerShell, JavaScript or VBScript. By using command and control elements already present on the system, attackers are able to quickly access and hijack the targeted OS. As the exploit is not viral code, older or obsolete anti-virus programs could not detect such CNE tactics – until recently.

JIGSAW Crypto-Ransomware notification window – good luck

Such covert CNEs mean attackers can easily gain access to their targeted computer networks and initiate their main objectives. According to a 2016 Symantec ISTR Special Report, crypto-ransomware has emerged as ‘one of the most dangerous cyber threats facing both organizations and consumers’.[3] Crypto-ransomware is when the attacker hijacks and encrypts the files or OS and – as the name suggests – demands a monetary fee for their release. While these originated as crimes of opportunity, Symantec discovered that business organizations are increasingly targeted through sophisticated CNE tactics rivaling those utilized in state-level cyberespionage. In addition, their incident response teams also discovered that crypto-ransomware has been used as a Distributed Denial of Service (DDoS) distraction to cover up other CNEs.

Ergo, the next cybersecurity trend is the increased focus on developing tools (i.e. Threat Detection and Monitoring Interfaces) to identify script-based CNEs alongside other advanced persistent threats (APTs) involving crypto-ransomware or other DDoS techniques.

Evolving Computerized Solutions

It was predicted in 2012 that Internet traffic would reach 1.3 Zettabytes by 2016.[4] Adding to that, this series has revealed how interconnected our IoT-driven world is. As the size of our networks grows, so does the need for consistent and omnipotent security. Currently, cybersecurity firms are continuously developing and perfecting programs for threat detection or monitoring and data management, such as Splunk. The latest ‘trend’ within these domains is the emergence of advanced computerized cybersecurity countermeasures powered by Machine Learning and Deep Learning.

Machine Learning (ML) represents the development of computerized programs that can learn and evolve from their exposure to new data. ML solutions are developed with specialized ‘algorithms [designed] to build a model from example inputs to [develop] data-driven predictions or decisions’.[5] Cybersecurity companies such as Cylance are investing a significant amount of research into applying ML to advance cybersecurity analytics and to capitalize on the magnitude and value of our data-driven world.

Teetering closer to artificial intelligence is Deep Learning (DL), an advanced computerization reflecting the neural networks of the human brain and mimicking its ‘ability to learn and identify objects’.[6] DL solutions are more advanced and capable of self-developing new recognition algorithms, resulting in higher processing functions. Most cyber threats are modified versions of other malware or older variants.

Recorded information of older malware gives DL solutions a checklist of search parameters which mimics how human cybersecurity experts can recognize recycled code or scripts. Currently, cybersecurity firm Deep Instinct is the first company to pioneer DL into a cybersecurity platform.

‘Invincea’s advanced malware detection system is based in part on DARPA’s Cyber Genome project’. Source: Woodie, A. ‘Machine Learning’s Big Role in the Future of Cybersecurity’, Datanami, (16 November 2015)

Unlike ML, DL requires minimal human input and possesses a significantly higher degree of self-sufficiency, thereby reducing the propensity for human error when developing recognition algorithms to identify APTs and other CNE characteristics. Either solution, however, gives cybersecurity technicians and incident response teams the ability to address intrusions more quickly. This makes such solutions highly valuable to commercial and governmental security agencies that coordinate large amounts of (perhaps sensitive or classified) data and require extensive InfoSec services.

Singularity & Security

Throughout this series, we have addressed the power of software, the emerging vulnerabilities of robotic platforms, the vulnerabilities arising from limited information and platform security, and the importance of cyber crisis-management. In the current cybersecurity landscape, the industry is focusing on cultivating STEM (Science, Technology, Engineering and Mathematics) personnel capable of handling the technical domains within cybersecurity, due to an apparent lack of skilled personnel to match increasingly sophisticated threats. Given the increasing sophistication of cyber criminals and APTs, the demand for technical specialists is understandable.[7] However, we also need to cultivate personnel who are capable of understanding and deploying cybersecurity measures at a strategic and policy level.

Cybersecurity is in itself a reflection of singularity, the integration of man and machine, where technical specialists and ML and DL solutions provide critical information to deployment specialists, who develop and implement human-element strategies for national and commercial infrastructures. Cyberspace is not only ubiquitous but has become an integral element of the modern world, supporting national security, military intelligence, business exchanges, global data management and critical infrastructures. In practice, the threats are constantly evolving, requiring specialist knowledge in multiple domains. This series has shown that all a malicious actor essentially needs is one vulnerability to initiate a CNE. Hence, we all share the responsibility to welcome a secure digital future.


Cheng is a graduate of the MA Intelligence and International Security programme at King’s College London; his Master’s thesis examined the characteristics and trends defining China’s emerging cybersecurity and cyberwarfare capabilities. He was a finalist at the 2016 Cyber 9/12 Student Challenge in Geneva, has contributed to other security journals such as IHS Jane’s Intelligence Review, and is a former Managing Editor (Blog) at Strife.


Notes:

[1] Lee, W. & Rotoloni, B. Emerging Cyber Threats Report 2016, (Georgia Tech Cyber Security Summit 2015: Georgia Institute of Technology), (2015); [Online]; Available from: http://www.iisp.gatech.edu/sites/default/files/documents/2016_georgiatech_cyberthreatsreport_onlinescroll.pdf, (Accessed 1 Nov 2016).

[2] An ISTR Special Report: Ransomware and Businesses 2016, Symantec, (2016).

[3] 1 Zettabyte = 1,000,000,000,000,000,000,000 Bytes

[4] Newman, S. ‘Intro to Machine Learning & Cybersecurity: 5 Key Steps’, DARKReading, (7 September 2015); [Online]; Available from: http://www.darkreading.com/analytics/intro-to-machine-learning-and-cybersecurity-5-key-steps-/a/d-id/1322539, (Accessed 1 November 2016).

[5] Caspi, G. ‘Introducing Deep Learning: Boosting Cybersecurity Within an Artificial Brain’, DARKReading, (9 June 2016); [Online]; Available from: http://www.darkreading.com/analytics/introducing-deep-learning-boosting-cybersecurity-with-an-artificial-brain/a/d-id/1326824, (Accessed 13 October 2016).

[6] Goodman, M. Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, (Transworld Publishers: London, UK), 2015.

[7] ‘15% of the 200 IT [Information Technology] and business decision markers in the survey say they have deployed one or more cloud analytics solutions…[and] with 68% of respondents saying they intend to investigate, analyze or actively plan to deploy analytics solutions over the coming year.


Image 1 credit: http://map.norsecorp.com/#/

Image 2 credit: http://blog.trendmicro.com/trendlabs-security-intelligence/jigsaw-ransomware-plays-games-victims/

Image 3 credit: https://www.datanami.com/2015/11/16/machine-learnings-big-role-in-the-future-of-cybersecurity/, (Accessed 1 November 2016)
