Introduction
A technological revolution is a period of time when a new technology replaces an old one. If the new technology is rapidly adopted so that the rest of the economy and, indeed, most of society is transformed, it is a revolution. A revolution is so consequential to society that the skills of the work force, the laws of society, the culture, and the language of society all change with it. The historical example that we all know from our textbooks is the industrial revolution. A middle class was created; whole segments of society moved from agrarian to urban life. New products were made and readily available to the culture. It had an enormous impact.
The technological revolution of our time is the cyber revolution, or the information age. Our skill sets have changed over the last twenty years. New jobs have been created. Access to speedy internet has made the mobility of our households irrelevant. Our culture has changed. Our interactions have changed. What we value (here’s that speedy internet again) has changed. All that change has also challenged us economically, politically, and militarily.
Cyber Security
In both public and private life, we have a cyber presence. That means that we need to protect our private information and online transactions as well as government systems and commercial enterprises. In other words, the operational security (OPSEC) of our lives is even more consequential than ever before.
Information technology (IT) is the building block of modern commerce. International imports, exports, and indeed any transaction require interaction between humans and computers. A globalized economy multiplies these interactions, making economies local, national, and international. So any IT interaction needs to be protected, wherever it takes place. In the workplace, operational security includes the protection of confidential information, such as employees’ information and potentially sensitive details of the shipping, ordering, and warehousing of products. Companies need to protect themselves from cyber fraud, theft, and sabotage. How to do that? IT systems need to be as closed as possible. Without networking, customer information (like credit cards and personal identity information) and sensitive business information can be more easily protected from outside interference. Companies don’t always succeed at this.
If your consumer activities don’t protect you, you have to protect yourself online. An open society encourages sharing, though, and operational security for private citizens must include a healthy dose of awareness and common sense.
The public offices with the highest responsibility for operational security are in the government. In the military, diplomatic, and intelligence communities, OPSEC is about protecting against vulnerabilities from hostile attacks. Foreign intelligence services will want to collect national or military intelligence any way possible. Poor OPSEC can provide an opportunity for foreign services to exploit.
Cyber Strategy
A cyber strategy is a “whole of government” approach to protecting ourselves in a defensive and offensive way. The 2015 Department of Defense (DOD) Cyber Strategy document insists on a partnership with other parts of government, international allies, local government, and the private sector to defend the United States from enemy attacks. The three primary missions are: 1. Defend DOD networks, systems, and information; 2. Defend American interests from cyberattacks; 3. Provide integrated cyber capabilities to military operations and other responses to active threats. The last objective is the offensive part of the team so that the US can protect lives and property (Carter 2015).
Booz Allen Hamilton, a private government contractor and management consulting company, calls it advanced threat hunting. In vulnerable (typically networked) technology, cyber adversaries will “dwell” in a target’s network for about 200-250 days before they are discovered. What can they do during that time? Collect intelligence, install malware, and hijack systems (Medairy 2018). To fix it, you need offensive and defensive capabilities.
In general terms, the electromagnetic spectrum has been used for military purposes since the invention of the telegraph. In a sense, the telegraph was a revolutionary jump so that communications became a force multiplier (National Geographic Society 2011). The “cyber strategy” of the 19th century was to collect, convey, and protect communications via the telegraph. Anytime you can get an information advantage on your enemy by disrupting or tapping their communications, you have an advantage. It was particularly easy then.
With the advent of wireless telegraphy by Marconi, the military took a quantum leap in terms of communications. Of course, as the Germans found out in their invasion of France in 1914, the French radio jammers at the top of the Eiffel Tower destroyed much of the newly established radio network. A communications network, even with the most sophisticated technology, can be hacked, disrupted, or exploited (Wander 2015). Worse followed for the Russians in the Tannenberg campaign, which became a disaster in part because they sent and received radio messages in the clear (without any encryption) in 1914 (Sweetman 2002).
By WW II, radio, both telegraphy and voice, was the preferred means of communication, but users took precautions, like coded messages. The Third Reich took it one step further and utilized a closed system, the Enigma Machine, which was based on a series of rotors that produced a cipher based upon the rotor positions (Kruh and Deavours 2002). You had to know both the beginning and end user positions to decrypt the cipher messages.
By the Cold War, the electromagnetic spectrum was viewed as a potent element of warfare by the Soviets. To that end, the Soviets devoted intensive research and resources into jammers to defeat the use of battlefield communications by NATO. NATO countered by the development and issuance of satellite phones to headquarters elements to help alleviate the ability of the Warsaw Pact to collect and disrupt their radio transmissions (Bluth 2004). And the one-upmanship of military and civilian communications continued into the 21st century as needs dictated.
Cyber Attacks
In the 21st century, there were at least a dozen major attacks on private and public sector networks. In 2015 alone (sometimes called the year of cyber attacks), 300 million records were leaked, and $1 billion was stolen in remote, online attacks (Szoldra 2015). Of course, some cyber attacks are not remote. In 2013, Edward Snowden leaked millions of documents he stole from his employer, the NSA, at his workplace. These documents focused public attention on privacy concerns arising from the collection of cell phone metadata by the National Security Agency (Greenwald 2015). Thus, a cyber threat can exist almost anywhere.
For example (this is not a comprehensive list):
2012-2014: Office of Personnel Management (OPM) is the personnel resources department for the US government. Hackers stole the personal information (probably from background check applications) of about 22 million people. See: https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
2013: Target Store customers were hacked on Black Friday for 40 million debit and credit cards. See: https://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/index.html
2013/2014: Yahoo was hacked for the data of more than 1 billion users, but it wouldn’t be the first or last time. See: https://www.technologyreview.com/s/603157/a-history-of-yahoo-hacks/
2014: eBay is an online shopping website; the personal data of all 145 million users was hacked. See: https://www.businessinsider.com/cyber-thieves-took-data-on-145-million-ebay-customers-by-hacking-3-corporate-employees-2014-5
2014: Home Depot was hacked for 53 million email addresses and 56 million credit card accounts using malware on self checkout registers around the United States. See: https://www.usnews.com/news/newsgram/articles/2014/11/07/53-million-customer-email-addresses-leaked-in-home-depot-hack
2014: JP Morgan Chase was the largest bank in the United States in 2014, and hackers obtained phone numbers, emails, and addresses of 76 million customers. See: https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/
2015: Anthem is a large insurance company, and the personal data of more than 78 million consumers was exposed through a phishing email. The perpetrators are believed to be a foreign government agency. See: http://fortune.com/2017/01/09/anthem-cyber-attack-foreign-government/
2015: Experian is a British company and one of three credit reporting companies in the United States. A server which stored personal information for 15 million T-Mobile users was hacked. See: https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information
2016: Uber was hacked by two people who collected names, email addresses, and phone numbers of 57 million customers along with license numbers of about 600,000 drivers. See: https://money.cnn.com/2017/11/21/technology/uber-hacked-2016/index.html
2017: Equifax is one of three credit reporting companies in the United States. Nearly 3 million people were affected. The hackers stole driver’s license numbers. See: https://www.equifaxsecurity2017.com/consumer-notice/
Cyber Threats
Cyberspace is “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify and exchange data via networked systems and associated physical infrastructure” (Pace 2006, 3). Therefore, it is an extension of Earth’s environment, as sea, air and outer space are. Like these other environmental spaces, it is considered a global commons in which political activity takes place (Bederman 2008). The Information Society is what is emerging as the main political unit in cyberspace. It is based on democratic principles that encourage the creation and transmission of information and knowledge utilizing information and communications technology (ICT). Sources and evidence for a law of cyberspace do exist. However, unlike other commons, cyberspace lacks an international convention similar to those governing sea, air and outer space.
In this era of globalization, with militaries, governments, critical infrastructures, businesses, and civil society increasingly depending on the ICT composing cyberspace to operate, we are witnessing the emergence of an Information Society. The basis of this new political partnership is trust and security in cyberspace. However, this global society lacks a body of international law with the appropriate political, law enforcement, technical regimes and institutions to govern human activity in the cyber environment.
Membership in the Information Society increases as all forms of human activity increasingly transfer into, and rely upon, cyberspace. The misuse of this domain by criminals and violent non-state actors (VNSAs), such as terrorists, and the proliferation of strategic information warfare programs among states have made the need to develop and harmonize national and cybercrime laws all the more urgent (Goodman and Brenner 2002). The technical complexities of the Internet, which is now developed by the private sector and relies on the TCP/IP protocol and (increasingly) wireless communications methods, both of which lack secure identity management protocols, present challenges to the international community’s efforts at preventing, identifying and prosecuting perpetrators of cybercrime, cyberterror, and cyberwar (Hancock 2006). As a result, the Information Society lacks the critical elements of trust and security required for it to reach its full potential.
It is not just the large multinational corporations or nation states that face the threat of cyber domain issues and exploitation. We all face it, even if we are unaware of it: kill chains, zero-day attacks, ransomware, alert fatigue and budgetary constraints. The one where the home user has the least excuse is a budgetary constraint, as effective home protection systems cost pennies a day. But it requires using them or setting up an auto routine for checking the system.
20th-century-style, broad, scattershot attacks designed for mischief have been replaced with advanced persistent threats in the 21st century. They focus on acquiring valuable data from an organization, whether private, public or government. Modern cyber attacks are often conducted across multiple vectors and stages. The hackers have a plan to get in; they signal back from the compromised network, and then they extract valuable data despite network security measures. Traditional defense-in-depth security measures, such as next-generation firewalls, antivirus (AV), web gateways and even newer sandbox technologies, only look for the first move: the inbound attack. Advanced cyber attacks are designed to evade traditional network security (Piper 2014).
Cyber Warfare
War without a physical space does seem to elicit definition problems. Even the term ‘cyberspace’ still elicits a sense of a fundamental departure from business as usual. Dynamic new technologies and new applications are the epitome of a global project that does not recognize the importance of geographic space. There are no states on the internet, are there? Yet the reality is that the processes of negotiation and bargaining, as well as the endemic politics of cyberspace, are surprisingly familiar; indeed, there are states in the laws, rules, regulations, culture, and habits of cyberspace. Regulatory issues are repeatedly contested, and efforts to conclude agreements have proven inconclusive. International negotiations to establish global norms of behavior in cyberspace have led to a succession of dead ends.
A response to any cyber-incident requires the identification of the origin of an attack, which is a complex task. Sophisticated Distributed Denial of Service (DDoS) attacks may be launched via computers located in different countries whose owners are unaware that their computers are infected with malware that allows the attacker to remotely access a computer and launch an attack (FBI 2016). National efforts are therefore insufficient to ensure that cybersecurity is maintained. Collectively, the international community understands such problems, has articulated the need for global norms intended to secure cyberspace, and has identified the International Telecommunication Union (ITU) as the appropriate institution through which to organize global cybersecurity efforts.
Negotiations to collaborate on single, international laws have been held under the auspices of the United Nations (the World Summit on the Information Society (WSIS), held in 2003 and 2005, and United Nations Government Experts on Information Security (GGE), held in 2016 and 2017, to name a few) without satisfactory results. The conferences show that competing national interests impede progress in creating and implementing global norms and regimes of mutual self-restraint that may serve to deter cyber attacks. To add to the geopolitical hurdles, numerous technological challenges also exist to achieving consensus on governing cyberspace (Liaropolous 2016).
Does Cyber Technology alter the characteristics of war? The international and ethereal nature of the internet (in all cyber domains) means that the internet may not be governed by the same laws (natural or otherwise). Or perhaps it is covered by laws that already regulate on-the-ground battles, wars, and other kinds of conflicts?
Discussion Questions: When has the U.S. been under a cyber-attack that amounts to an act of war? How should it respond? Kinetically, diplomatically or with a like cyber-counterattack? Search for the Stuxnet virus incident that destroyed part of Iran’s nuclear production capabilities. Was that a cyber-attack? How should Iran have responded? The U.S. and Israel have been accused of inserting the virus through a flash drive. Was that an “attack”? If the virus was created by a civilian, was he or she subject to prosecution, and under whose law?