<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber Security &#8211; Berlin Policy Journal &#8211; Blog</title>
	<atom:link href="https://berlinpolicyjournal.com/tag/cyber-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://berlinpolicyjournal.com</link>
	<description>A bimonthly magazine on international affairs, edited in Germany&#039;s capital</description>
	<lastBuildDate>Thu, 11 Jan 2018 09:26:37 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.2.7</generator>
	<item>
		<title>A Digital Defense Alliance</title>
		<link>https://berlinpolicyjournal.com/a-digital-defense-alliance/</link>
				<pubDate>Wed, 10 Jan 2018 15:32:11 +0000</pubDate>
		<dc:creator><![CDATA[Toomas Hendrik Ilves]]></dc:creator>
				<category><![CDATA[Berlin Policy Journal]]></category>
		<category><![CDATA[January/February 2018]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">https://berlinpolicyjournal.com/?p=6006</guid>
				<description><![CDATA[<p>We need a “Cyber NATO” of democratic states.</p>
<p>The post <a rel="nofollow" href="https://berlinpolicyjournal.com/a-digital-defense-alliance/">A Digital Defense Alliance</a> appeared first on <a rel="nofollow" href="https://berlinpolicyjournal.com">Berlin Policy Journal - Blog</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p><strong>The digital age has given rise to new threats against liberal democracies―threats that are independent of geography and asymmetric by nature. To face them, we need a “Cyber NATO.”</strong></p>
<div id="attachment_6035" style="width: 1000px" class="wp-caption alignnone"><a href="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves.jpg"><img aria-describedby="caption-attachment-6035" class="wp-image-6035 size-full" src="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves.jpg" alt="" width="1000" height="563" srcset="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves.jpg 1000w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves-300x169.jpg 300w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves-850x479.jpg 850w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves-257x144.jpg 257w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves-300x169@2x.jpg 600w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Ilves-257x144@2x.jpg 514w" sizes="(max-width: 1000px) 100vw, 1000px" /></a><p id="caption-attachment-6035" class="wp-caption-text">© REUTERS/Ints Kalnins</p></div>
<p>The digital era, with all of its benefits, has profoundly changed the security environment of liberal democracies. We face potential destruction of national infrastructures and militaries in ways unimaginable a quarter century ago. Even the electoral process in a number of democracies has come under severe threat, with attempts to alter outcomes in a number of elections in the past two years. The response should be a new “Cyber NATO,” a coalition of liberal democracies that better meets the ubiquity of threats. This will be difficult to achieve, yet the alternatives are worse.</p>
<p>Threats can affect anyone. Just one Russian cyber operation, APT28 or “Fancy Bear,” has attacked servers of ministries, political parties, and candidates in the US, Germany, the Netherlands, Sweden, Ukraine, Italy, and France, and indeed even the servers of the International Association of Athletics Federations responsible for anti-doping monitoring. Military communications have also been targeted. Yet APT28 is but one of numerous groups from Russia alone. Nor is Russia the only authoritarian government seeking to increase its advantage through cyber operations. It is also clear that Iran has carried out its own offensive cyber operations. Chinese groups, primarily those affiliated with the People’s Liberation Army, have targeted militaries as well as intellectual property in companies the world over.</p>
<p>In other words, the digital age also has ushered in an era of new security threats, perhaps imaginable but not seen until the past decade. Governments, meanwhile, have been slow to respond; multilateral organizations such as NATO and the EU have been slower. Meanwhile international organizations such as the UN have failed even to broker a treaty arrangement to prevent the use of digital weapons.</p>
<p><strong>From Blocking to Hacking</strong></p>
<p>Virtually every history of what is now known as “cyber war” or “cyber warfare” begins with an account of an attack on Estonia ten years ago. In 2007, the country’s governmental, banking, and news media servers were paralyzed with “distributed denial-of-service” or DDOS attacks. People’s access to virtually all major online and digitally-based services was blocked.<br />
Cyber attacks have a far longer history of course, but until then, they were generally carried out for espionage, not to create damage to adversaries or make a political point. This case was different: it was overt and public. It was digital warfare, described by the theoretician of war, Carl Paul von Clausewitz, as “the continuation of policy by other means,” meant as punishment for the Estonian government’s decision to move a Soviet-era statue from the center of the capital.</p>
<p>Since 2007, overt cyber warfare and the continuation of policy by other means have proliferated, and in ever more virulent form: attacks blanking out regions preceding bombing in conflict zones with DDOS attacks (Georgia, 2008); crashing electrical grids (Ukraine 2016, 2017); private companies (Sony 2015); hacking into parliaments (the Bundestag 2015 and 2016); political think tanks and parties before major elections (the Democratic and Republican National Committees 2015-16), presidential campaigns (Hillary Clinton 2016, Emmanuel Macron, 2017), government ministries (Dutch ministries, Italy’s Foreign office 2016-17, the U.S. Departments of State and Defense).</p>
<p>In one especially egregious case, records of 23 million employees of the US Federal government were stolen in what is known as the “Office of Personnel Management hack.” Recent testimony and leaks in the US report attempts by a foreign power to delete or alter voter data in 21 (or possibly 39) states before the US presidential elections. These represent merely the attacks admitted to by the victims, not those unreported.</p>
<p><strong>Shutting Down A Country</strong></p>
<p>A decade ago, the idea of a major cyber attack was strictly hypothetical. Indeed NATO was originally skeptical about the attack on Estonia in 2007. Since the recognition of politically motivated DDOS attacks and their paralyzing impact, the focus of cyber security has shifted to more elaborate possibilities: the use of malware to shut down or blow up critical infrastructure, including electricity and communication networks, water supplies, and even traffic light systems in major cities. This goes beyond DDOS and requires “hacking,” as we know the term―breaking into servers or a computer system, not merely blocking access as in DDOS. Indeed the vulnerability of critical infrastructure became a primary concern of governments and the private sector.</p>
<p>These kinds of cyber attacks could mean shutting down a country, or its military, rendering it unable to oppose a conventional attack. In 2010 the Stuxnet worm, which spun Iranian plutonium-enriching centrifuges out of control, warned us of the power of cyber to do serious damage to physical systems. Leon Panetta, US Secretary of Defense from 2011 to 2013, warned in 2012 of the potential of a “cyber Pearl Harbor.” Subsequent events such as the shutting down of a Ukrainian power plant in 2016 and again this year through cyber operations showed that such concerns were hardly unwarranted.</p>
<p>At the same time, it is worth noting that one can do considerable damage to national security and the private sector without disabling infrastructure; the hack of Sony and that of the Office of Personnel Management, in which the records of up to 23 million past and present federal employees were stolen, are good examples of extremely dangerous breaches that endanger a country’s national security or its commerce.</p>
<p>From these examples, we can see that “cyber attacks” as a term is a catch-all, spanning a range of activities from attacks that can destroy a nation’s critical infrastructure on the extreme side to subtler attacks: hacking politicians, leaking compromising information, and jeopardizing election integrity.</p>
<p><strong>Slow Responses</strong></p>
<p>Recognition of threats in the digital world has been slow in coming, although the US and others foresaw potential threats as far back as the early 1990s. In security policy circles, it was only in 2011 that the Munich Security Conference, the West’s premier forum of security policy makers, held its first panel on cyber security.</p>
<p>All of these concerns have fallen under the broad rubric of symmetrical warfare. Whatever they did to you, once you figured out who “they” were, you could do back to them. Cyber attacks were all in the realm of traditional warfare but in a new domain. The US in 2010 declared cyber the fifth domain of warfare, after land, sea, air, and space. Moreover, the US Department of Defense has explicitly said that a cyber attack need not be met in the cyber domain; a kinetic response to a digital one is possible.</p>
<p>While NATO has acknowledged the potential threats of cyber and propaganda, it has done little operationally. NATO did set up a Center of Excellence in Cyber Security in Tallinn, Estonia, and later a similar Center for Strategic Communication in Riga, Latvia. Yet even within the alliance, there has been little cooperation.</p>
<p><strong>Elections Under Attack</strong></p>
<p>It has been only a year since a broader consensus has emerged among intelligence agencies and security policy experts that electoral processes themselves have come under attack. Manipulations have included “doxing” or publishing materials obtained through hacking as seen in the case of Hillary Clinton and Emmanuel Macron. Such tactics have been bolstered by manufacturing fake news on an industrial scale and propagating these through “bots” or robot accounts on social media. Gaining currency, these can be further propagated by real users. One study showed that in the three months leading up to the US election, some 8.7 million fake news stories were called up by users on Facebook but only 7.3 million genuine stories. More worrisome is the prospect of manipulations through hacking into unsecured voting machines and by altering or deleting voter data, as both the Department of Homeland Defense and a leaked NSA memo have averred.</p>
<p>Indeed, the propagation of fake news stories need not be tied to elections and no longer is. Instead they can simply be used in an attempt to sway public opinion. The #Syriahoax hashtag, alleging Syria’s use of chemical weapons in Spring 2017 was a Western hoax, spread virally on Twitter via bots. Fake news regarding NATO troop assignments in Eastern Europe has become commonplace. In the French election campaign in Spring 2017, bots and fake news accounts spread lies and scurrilous “facts” about one candidate, Emmanuel Macron, while leaving his primary opponent, Marine Le Pen, untouched.</p>
<p><strong>A New Threat Landscape</strong></p>
<p>As the past several years in this new digital age have shown, the threat landscape facing democracies has dramatically changed, ranging from traditional threats such as destruction or incapacitation of critical infrastructure to what may be termed soft threats, the manipulation of electoral democracy and public opinion. Two fundamental differences to pre-digital threats emerge:</p>
<p>First, geography or physical distance, a key determinant of security since the beginning of conflict, has become irrelevant. For as long as people have been thinking, proximity to threats or hostile actors was a primary motivator in security policy. NATO is the North Atlantic Treaty Organization for a reason: it is a defense organization of liberal democracies in a geographical space, constrained inter alia by tank logistics, bomber ranges, the placement of troops.</p>
<p>Countries traditionally have invaded or been attacked by neighbors, not by adversaries from far away. Indeed, until the age of intercontinental ballistic missiles, distance from threats was the greatest source of security and proximity the greatest vulnerability.</p>
<p>This is no longer true. Digital threats do not recognize distance. One is just as vulnerable half the globe away as from next door to an adversary. This is why, in the digital age, the earlier basis of alliances, be they NATO or Sparta’s Peloponnesian League, weakens or even disappears. Everyone is equally vulnerable to attack, regardless of borders or of physical distance. Cyber is a tool that can be used anywhere.</p>
<p><strong>Asymmetric Attacks</strong></p>
<p>Secondly, in the digital era, liberal democracies are far more vulnerable to asymmetric attacks from autocratic states than before. Propaganda, fake news, disinformation are all as old as the Trojan Horse, yet most of what was considered disinformation as late as the 20th Century had little effect. In the pre-digital age, disinformation could not easily be propagated. Fake news could not swamp and overwhelm the news media. Election rolls could not be manipulated on a massive scale and across many election districts.</p>
<p>Moreover, only liberal democracies are fundamentally vulnerable to attacks and manipulations of the electoral process. Authoritarian governments need not fear external manipulations of electoral processes as these are manipulated by those in power anyway. While it would be difficult to imagine a liberal democracy employing the same methods against Russia as the Russians used in the US and French presidential elections, attempting to do so simply would have no effect. To have an effect, one needs free and fair elections to affect.</p>
<p>From a security policy perspective, however, the possibilities of using digital manipulations can be quite attractive to an adversary. Why bother with military interventions or attacks (even digital attacks for that matter), if it suffices to use digital means to get a candidate or even a political party into office that will do your bidding or at least follow a policy line favorable to you? Certainly a Le Pen in France or the defeat of Angela Merkel in the 2017 German elections would have done more to disrupt European policy toward Russia than any kind of military action.</p>
<p><strong>An Alliance of Democracies</strong></p>
<p>In light of these developments in this age of “cyber,” democracies need to think beyond the hitherto geographical bounds of security. We need to rethink our security. In addition to those already in existence, we need a new form of defense organization, a non-geographical but strictly criteria-based organization to defend democracies―countries that genuinely are democracies as defined by free and fair elections, the rule of law, and the guarantee of fundamental rights and freedoms.</p>
<p>This idea is not new, yet proposals predating the digital era were guided more by a philosophical approach than hard security concerns. In different contexts, both Madeleine Albright and John McCain at the turn of the century proposed the creation of a community or league of democracies. Neither proposal went far at the time. The threats to democracies then, however, were not of the type described here; neither proposal was based on security concerns. Today, every liberal democracy is potentially vulnerable.</p>
<p>Could such an organization do the job to face this new threat? I propose that we consider a cyber defense and security pact for the genuine democracies of the world. After all, Australia, Japan, Uruguay, and Chile, all rated as free democracies by Freedom House, are just as vulnerable as NATO allies such as the United States, Germany, or my own country.</p>
<p>The prospects for safeguarding democracies in the digital era through such a pact are probably better now than even a year ago. Nonetheless, until this is taken up by the governments of major countries, both in NATO and outside the Alliance, liberal democracies will remain vulnerable to the new threats of the 21st century.</p>
]]></content:encoded>
										</item>
		<item>
		<title>Cyber Hysteria</title>
		<link>https://berlinpolicyjournal.com/cyber-hysteria/</link>
				<pubDate>Wed, 10 Jan 2018 15:29:05 +0000</pubDate>
		<dc:creator><![CDATA[Mark Galeotti]]></dc:creator>
				<category><![CDATA[Berlin Policy Journal]]></category>
		<category><![CDATA[January/February 2018]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">https://berlinpolicyjournal.com/?p=6008</guid>
				<description><![CDATA[<p>The threat from Russia is overblown.</p>
<p>The post <a rel="nofollow" href="https://berlinpolicyjournal.com/cyber-hysteria/">Cyber Hysteria</a> appeared first on <a rel="nofollow" href="https://berlinpolicyjournal.com">Berlin Policy Journal - Blog</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p><strong>Governments and media credit Russia with fearsome hacking capabilities―which happens to suit Moscow very well. The West should take concrete counter-measures.</strong></p>
<div id="attachment_6034" style="width: 1000px" class="wp-caption alignnone"><a href="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti.jpg"><img aria-describedby="caption-attachment-6034" class="wp-image-6034 size-full" src="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti.jpg" alt="" width="1000" height="563" srcset="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti.jpg 1000w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti-300x169.jpg 300w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti-850x479.jpg 850w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti-257x144.jpg 257w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti-300x169@2x.jpg 600w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Galeotti-257x144@2x.jpg 514w" sizes="(max-width: 1000px) 100vw, 1000px" /></a><p id="caption-attachment-6034" class="wp-caption-text">© Mikhail Klimentyev/Sputnik via REUTERS</p></div>
<p>It is not entirely surprising that Russia has made a name for itself in the cyber world. Russians are, after all, good at hacking―very good. It’s an ironic by-product of backwardness. If one goes back to the 1980s and 1990s, and even the 2000s, Russians were often unable to buy the latest technology that we in the West could access; at the same time, Russia is historically strong in mathematics. Quite a few Russians, deprived of the programs we rely on, actually learned to code. Hacking systems and programs was meant as a workaround, but these hackers eventually developed a subculture of their own.</p>
<p>Hackers are by definition nearly always ahead of the game. They are looking to exploit vulnerabilities that are largely unknown until they are weaponized. Because of this, hacker activity often says more about Western vulnerabilities than Russian capabilities. The Russians have not really been able to break anything that is not broken already; they have merely been able to exploit opportunities. Rather than recognize what this means about our own failings, we often use the Russians as scapegoats.</p>
<p>Conversations with those in the security establishment and military in Moscow inevitably reveal the extent to which they feel Russia is at war with the West―a war they believe the West started. This is a non-connected, non-military war, one where they are fighting for Russia’s place in the world and Russian sovereignty.</p>
<p>At the same time, under Putin, Russia is invested in a campaign to make Russia great again, to assert itself as a great power when in fact it is not. Despite Russia’s vast physical scale, its economy is smaller than that of New York state. Its soft power is almost non-existent. And its military power, while not inconsiderable, is reaching the point of being overstretched.</p>
<p><strong>Not Much Impact</strong></p>
<p>This helps to explain the country’s enthusiasm for cyber warfare: if you are sensible, you move the field of battle to where you feel your opponents are most vulnerable. Putin believes that the West’s vulnerability is precisely that it is a constellation of democracies, with legitimate internal and inter-state disputes and disagreements along various fault lines. He is aided by the fact that the West is going through something of a legitimacy crisis, with real suspicions about the political class, questions about the future of the EU, and pressures on the transatlantic alliance. Even if Putin had never been born, these tensions would still have arisen.</p>
<p>The Russians have exploited these weaknesses. In terms of the American election, the Kremlin was clearly trying to influence the outcome, though it is still unclear how great an effect its efforts had. The much-vaunted Facebook campaign has been shown to be relatively marginal, and so far research on voting patterns and intentions as a result of that, or the leak of Democratic emails, has not been able to demonstrate substantive shifts in any statistically robust way.</p>
<p>Donald Trump won to a large extent because of his own capacity to create a groundswell of public support, and perhaps more importantly thanks to both James Comey’s unexpectedly timed announcement about the investigation into Hillary Clinton and Clinton’s own clumsy campaign strategy. In general, when Russian hackers act abroad, their impact is often relatively small. But even when the effect is significant, this does not mean they are particularly capable.</p>
<p>Many Russian people genuinely believe they are fighting Western attempts to muzzle or restrain their country. While there is a certain degree of exasperation in Russia over the claims of hacking, on another level it fits into a very convenient narrative: it elevates Putin to a status he frankly does not deserve, as this terrifying Bond-type villain threatening Western democracies. One would almost believe that Putin can reshape elections and topple governments with the click of a mouse. He cannot, but it suits him to maintain that appearance.</p>
<p><strong>Democratic Resilience</strong></p>
<p>In reality, we should not assume Russia is any more secure than we are, not least because we have witnessed a series of cyber crimes carried out against Russian targets as well. Instead, it is important to examine the country’s political intent and its willingness to take geopolitical risks. When you are fighting a war like the one the Russians believe they are, you are willing to take risks. The West, on the other hand, does not regard itself as being at war with Russia, so we have a very different set of basic operating principles.</p>
<p>If we question which global powers have the greatest offensive cyber capabilities, America would undoubtedly be at the top of that list. Western nations, however, are not deploying their capabilities against the Russians the way the Russians are deploying theirs against the West. The difference really is about politics and mind-set―indeed, the Russians are lucky we are not seeking to hack them in the same way as they are hacking us on a state level.</p>
<p>We should not underestimate the fundamental resilience of democratic systems and democratic societies. The Russians did not even seek to elect Trump, or believe he could be elected; they believed the American establishment would not allow a Trump to win, and that American democracy is much more managed than it is in reality. They simply wanted to ensure that Clinton, whom they were certain would be elected, would be as weak as possible on Day One of her presidency. It is entirely possible they played some small role in Brexit, but ironically enough, news about the scale of that support could give the British political elite the chance to renegotiate and revisit the decision to leave the European Union. The Russians supported the Front National in France, but they could not secure a victory. And in Germany, Russian meddling has in many ways forced the country and Chancellor Angela Merkel into a much more anti-Russian position. Time and again, what is seen as a tactical success by the Russians is really a strategic defeat.</p>
<p><strong>Cyber Is Cheap</strong></p>
<p>There is a strong case to be made for far less hysteria over Russia’s capabilities. When we overestimate Putin, we not only encourage him but also empower him; people begin to believe we need to make a deal with Russia. Instead of obsessing over Russia, however, we need to push for greater resilience in general. This is not merely a Russia problem, after all, it is a modernity problem.</p>
<p>There are various other protagonists that could be using these strategies, and quite possibly with much more serious intent. If one looks at Chinese military and political thinking, for example, it already embodies many of the principles of so-called “hybrid warfare,” and they have used similar tactics in the South China Sea. It is certainly not implausible that they will also be looking carefully at the lessons of Russia’s information warfare campaign for future reference. Other actors are unlikely to be operating on the same scale, but as cyber and information operations can be relatively cheap, we cannot exclude them being used in more limited ways, whether to try and tip the balance of power in the Balkans or other complex political environments. Finally, let’s not assume this is purely the province of states; in the US elections and the Brexit vote in particular, we have already seen significant legal campaigns by pressure groups and powerful individuals to manipulate the information environment for political purposes. This is only likely to become more common, and perhaps in some cases also shade into the realms of illegal operations―or at least morally questionable ones, given that laws tend to lag behind the technical capabilities.</p>
<p>In the case of more direct cyber attacks, unless it comes to a real conflict situation, Putin is not going to try and crash national power systems in the middle of winter, for example. That would mean war, a shooting war. But there may well be terrorists and pariah regimes that are less concerned about the implications.</p>
<p>So this is a useful opportunity to consider the vulnerability of our modern systems and shore up their security and resilience. European security would be served better by investing more in cyber security rather than simply assuming that hitting the 2 percent of GDP mark on defense spending in terms of tanks and guns and rockets provides guaranteed protection.</p>
<p><strong>Asymmetric Response</strong></p>
<p>We must also rethink our response to Russia. There has been very little cost to the Putin regime as a whole, because we have a tendency to fetishize symmetry: If you carry out a cyber attack, then our response ought to be something cyber; if you limit our media, we will limit yours.</p>
<p>We can and should think more imaginatively and asymmetrically. It is perfectly legitimate for us to make clear that we regard hacking our systems as unacceptable, and that rather than responding by hacking into theirs, we will expel Russian companies from our countries or find other, comparable avenues of creating real, tangible costs. There should be more personal sanctions targeting people associated with Russia’s cyber and information warfare activities, but also those who simply order or encourage or justify them. We need to show there is some kind of price without feeling the need to be equally aggressive and equally cyber militarist.</p>
<p>Regardless of how we respond, the sound and fury hides the fact that Russian hacking is not some kind of existential threat to the West. We need to stop treating it like one, and instead consider specific responses to a specific problem.</p>
]]></content:encoded>
										</item>
		<item>
		<title>Decoding the Debate</title>
		<link>https://berlinpolicyjournal.com/decoding-the-debate/</link>
				<pubDate>Wed, 10 Jan 2018 15:25:47 +0000</pubDate>
		<dc:creator><![CDATA[Stefan Heumann]]></dc:creator>
				<category><![CDATA[Berlin Policy Journal]]></category>
		<category><![CDATA[January/February 2018]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">https://berlinpolicyjournal.com/?p=6010</guid>
				<description><![CDATA[<p>Berlin should think twice before abandoning its focus on IT security.</p>
<p>The post <a rel="nofollow" href="https://berlinpolicyjournal.com/decoding-the-debate/">Decoding the Debate</a> appeared first on <a rel="nofollow" href="https://berlinpolicyjournal.com">Berlin Policy Journal - Blog</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p><strong>Berlin is busy discussing “cyber” in all its security implications. But it should think twice before abandoning its focus on IT security in search of more offensive capabilities.</strong></p>
<div id="attachment_6033" style="width: 1000px" class="wp-caption alignnone"><a href="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann.jpg"><img aria-describedby="caption-attachment-6033" class="wp-image-6033 size-full" src="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann.jpg" alt="" width="1000" height="563" srcset="https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann.jpg 1000w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann-300x169.jpg 300w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann-850x479.jpg 850w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann-257x144.jpg 257w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann-300x169@2x.jpg 600w, https://berlinpolicyjournal.com/IP/wp-content/uploads/2018/01/BPJ_01_2018_Online_Heumann-257x144@2x.jpg 514w" sizes="(max-width: 1000px) 100vw, 1000px" /></a><p id="caption-attachment-6033" class="wp-caption-text">© REUTERS/Axel Schmidt</p></div>
<p>These days it does not take very long for the “cyber” prefix to be dropped into any discussion on foreign policy or national security in Berlin: cyber sabotage to shut down the energy system, cyber operations to influence elections, or cyber espionage to steal secrets and intellectual property―all examples given to show that future risks to our security will emanate from cyber space.</p>
<p>The urgent need for strategic responses has captured Berlin’s policy circles. Endorsing “hack-backs,” Germany’s interior minister Thomas de Maizière told German media last spring that police officers should not only wear body armor but also carry guns. This is more than mere rhetoric. The interior ministry is currently building a controversial new agency that is supposed to provide hacking capabilities to domestic security agencies. Ministry officials have also warned they may need to amend the constitution to hit back at hackers targeting private companies.</p>
<p>Defense Minister Ursula von der Leyen, meanwhile, is pursuing her own cyber agenda with similar arguments. At a ceremony launching the military’s new Cyber Command last April, she justified counterattacks in cyber space as an effective response to cyber attacks.</p>
<p>Both ministers argue that Germany needs to be able to better defend itself in cyber space. But what does that actually mean? We need to unpack “cyber” if we want to understand the real problems that lurk behind this increasingly catchy term. Unfortunately, cyber defense is far more complicated than many policymakers realize.</p>
<p><strong>More Clarity Needed</strong></p>
<p>While “Internet” remains the term of choice for talking about the global connectivity of information networks in a civilian context, the term cyber in Germany has become a catchphrase for its military and security aspects. As such, it has climbed to the top of security experts’ and officials’ agendas. But the proliferation of the word cyber often obscures more than it clarifies. For example, spreading disinformation through social networks presents an entirely different issue from securing government IT systems or protecting critical infrastructure against hacking.</p>
<p>What is more, cyber is often used without making the important distinction between offense and defense. The German military, for example, uses “cyber defense” to refer to both its offensive and defensive capabilities. This includes the protection of its IT systems against attacks by foreign forces as well as conducting offensive cyber operations against adversaries to breach and disrupt their IT systems.</p>
<p>The distinction between offensive and defensive cyber operations here is crucial, and it reveals one of the most important challenges cyber space poses for national security: Offense and defense are directly linked, but mostly as a tradeoff. Offensive capabilities often come at the expense of IT security, especially if they pertain to globally used IT systems.</p>
<p>In essence, offense often relies on the exploitation of software or hardware vulnerabilities. While cyber security requires that such vulnerabilities are identified and fixed, cyber offense seeks to keep knowledge of their existence secret. But leaving such vulnerabilities unpatched amplifies the risk that an adversary, be it a foreign country or a criminal, could exploit them as well. Thus, accumulating so-called cyber weapons that rely on the exploitation of undisclosed vulnerabilities also means that potential weaknesses in our own systems remain open to exploitation.</p>
<p><strong>It’s Complicated</strong></p>
<p>It is not only this dilemma that makes the cyber dimension of national security so complex. One of the fundamental principles of national security – the distinction between foreign and domestic – also gets blurred in cyber space. One of the core problems of any sort of cyber operation is attribution. Using a global communication network makes it possible to obscure the origins of an operation or to plant false flags that point to an uninvolved third party.</p>
<p>The structure of Germany’s national security agencies makes it essential, however, that we quickly identify whether the attackers are operating from German soil or from abroad, and if they are sponsored by criminals or foreign states. That information is decisive in determining which government agencies get involved and what countermeasures they will take. This does not mean that attribution is impossible. But unlike in a conventional attack, when the origin of a missile is relatively easy to detect, attribution in cyber space is complicated, and thus more contested. The process involves computer forensics as well as conventional intelligence work, and it often takes weeks or months.</p>
<p>Not only is it difficult to pinpoint the origins of a cyber operation; its purpose is often not self-evident either. In their early stages, digital espionage missions and the manipulation of IT systems, for example in order to disrupt government services, are difficult to distinguish. Digital espionage and sabotage both require infiltrating IT networks. From the perspective of the network’s defender, both kinds of intrusion initially look the same. But what is the purpose? Is it an espionage operation that seeks to access and copy information only? Or will the intruder go further and manipulate the network to cause malfunctions or a breakdown?</p>
<p><strong>Crucial Differences</strong></p>
<p>The answer to these questions is crucial. Espionage operations violate national laws and undermine national security, but they are generally not seen as breaches of international law. However, if a foreign state’s cyber operation disrupts energy supply or disables financial services, it could be seen as a legitimate cause for a military response according to the right to self-defense in international law. Therefore, the distinction between espionage, sabotage, and a military attack is very important. Yet in cyber space this distinction is far more nebulous.</p>
<p>Arms control is also much more difficult to implement in the cyber sphere. Unlike conventional arms, cyber weapons only have value if they are kept secret. A cyber weapon is essentially malware developed for use in a military context. If the malware agent is disclosed, the vulnerabilities it exploits can be patched, rendering the weapon useless; this also means a cyber weapon will eventually be made defunct after deployment.</p>
<p>All of this complicates international cooperation. Even allies are reluctant to share cyber weapons, which is a serious concern. Few things are easier to copy and distribute than lines of code. The protection of this malware is crucial, but it is also hard. Even the National Security Agency (NSA) and the Central Intelligence Agency (CIA) had their malware tools stolen and published on the Internet with disastrous consequences. Two of them were used by the ransomware worm “WannaCry” that infected more than 200,000 computers in over 150 countries.</p>
<p>“WannaCry” was an important reminder of the enormous damage cyber attacks can unleash. Multinational companies like FedEx or Nissan were affected, as well as the National Health Service in the United Kingdom and government agencies in Romania and Russia. Yet as the debate about creating hacking capabilities in Berlin illustrates, many government officials and MPs here believe that they can have it both ways, strengthening offensive and defensive cyber capabilities alike.</p>
<p>The tradeoffs involved, often ill-understood, simply work differently. The United States has great offensive capabilities. But it is reluctant to use them, and for good reason. As the US economy and society have become more digitized, there is hardly a country that is more vulnerable to cyber attacks. And after the leak of some critical offensive cyber tools, even in the US many experts are now publicly questioning whether the focus should shift from offensive cyber capabilities to policies that improve IT security.</p>
<p>That focus has served Germany well over the past decades. Given that its vulnerabilities are growing as it, too, digitizes its industry, the country should be wary of losing sight of this strategic priority. All the talk about cyber is important. But the discussion needs to grow more nuanced, informed, and open to secure good outcomes.</p>
]]></content:encoded>
										</item>
	</channel>
</rss>
