Speech as prepared: "Hollywood has been quick to spot the potential offered by the cyber domain. In 2007, 20th Century Fox released a film entitled Live Free or Die Hard, about an Internet-based terrorist group which is systematically shutting down the United States. Needless to say, this process involves much spectacular on-screen action involving car crashes, planes falling from the sky, and general mayhem and chaos. And equally needless to say, the all-American action hero Bruce Willis saves the day by adopting a resolutely low-tech approach which includes firing limitless quantities of ordnance from semi-automatic pistols - which in my experience only ever deliver a dozen or so rounds before running out of ammunition or jamming. The film offers an exaggerated, apocalyptic vision of what an unrestrained cyber attack might look like. I doubt if it would ever get that bad, for reasons I will set out below; though in reality nobody wants to be in a position of finding out how bad things could get. But the film does make the point about the degree to which the developed world has become increasingly dependent on Information Communications Technology - hereafter called ICT - to deliver a wide range of services and amenities which make modern life possible and vulnerable to disruptions of those systems. A more sober elaboration of the same point has been made by the US State Department in a recent report which states, inter alia, that:
'Networked information systems make an important contribution to the essential functions of daily life, to commerce and the provision of goods and services, research, innovation, entrepreneurship and to the free flow of information among individuals, organisations and governments… As traditional telecommunications and Internet networks converge, and other infrastructure sectors adopt the Internet as a primary means of connectivity, global dependency on Information and Communications Technologies (ICTs) can be expected only to increase.
[But] even as this reliance on ICTs grows, the profound risks associated with these dependencies grow as well. Natural disasters and a diverse range of man-made events and activities threaten the reliable functioning of critical national information infrastructures, the global networks with which they are interconnected, and the integrity of the information that travels over or is stored within them. Increasing in number, sophistication and gravity, man-made threats emanate from many sources. While some of these are state-based, many come from non-state actors and involve criminal activity including terrorism and hacking.'
Before going into the detail of the threats and the ways in which they might be dealt with, we should perhaps stop and think for a moment about some concepts and definitions associated with the cyber domain, and the first question we should perhaps address is what the cyber domain consists of. Because only when we are clear about that will we be able to elaborate realistic approaches for dealing with it. Because this is an area in which technology and operational art have far outstripped policy and strategy. How we conceive of cyber space will to a significant degree determine how we react to it and what policies we develop for dealing with it. And mistakes could prove very costly.
The title of my presentation refers to 'cyberspace', a term which has acquired widespread currency. But so far I have used the term 'cyber domain' which I actually prefer. The word space has about it the connotation of a physical environment, like the oceans or space itself. But nobody provided the oceans or space; they are simply there and it is up to us how we use them. Cyberspace on the other hand is the totality of the networked systems and the information passing over these systems which make up the World Wide Web.
Some academics have argued that the whole has grown beyond the sum of the parts to the point where cyberspace has become autonomously self-generating and hence no longer susceptible to deliberate change. But that assertion to my mind overlooks the basic reality which is that unlike space itself, or the oceans, somebody has provided the physical infrastructure and software which collectively makes up cyberspace and which can in principle be closed down or dismantled. If for example one looks at a map showing the undersea fibre-optic cables which carry the overwhelming bulk of Internet traffic - and for which no amount of satellites would be an effective substitute - it becomes evident that there are a few key choke points the disruption of which would effectively close the network down.
There are those who question whether the Internet can be considered part of the global commons, and one aspect of that argument, currently playing out in the USA, is the issue of Net neutrality, i.e. whether service providers should charge everyone the same rate or whether some bandwidth-hungry services should be charged at higher rates. My own sense, for what it is worth, is that the Internet is now on the way to playing such a critical enabling role in so many areas of human existence that it to all intents and purposes does perform that function, though that does not necessarily translate into a case for legislating the right to Web access as some states have proposed. After all we can't even get international agreement on access to clean water as a right. How much the less so can that be true of a medium that requires investment in minimal technology in order to access it?
Actors and motivations
We also need to ask what we mean by power in cyberspace, how is it exercised and by whom? The precursor to the Internet was developed for military purposes. But those responsible for the development of the Internet in the form we now know it were idealists not motivated by considerations of military or political power but rather by considerations of empowerment, enabling and promoting the free and untrammelled flow of information and ideas. Considerations such as security never entered into their calculations. And it is fair to say that thus far, the Internet has to a significant degree lived up to those ideals. It has quite simply transformed the way in which information is transmitted and stored. It has had a significant flattening and democratising effect, creating substantial communities linked by common interests in ways which simply bypass state sovereignty. This does not mean that the nation state has been consigned to irrelevance. But within the cyber domain, it is now only one actor on a rather crowded stage and not necessarily the most significant.
Because the cyber domain is one in which soft power counts for a great deal. And most of the soft power on the Internet is exercised by the west. The infrastructure, hardware and software which collectively make up the Internet is still overwhelmingly Western. A decade ago, over 90% of the world's Internet traffic transited the USA. That figure is still in excess of 50%. Send an e-mail from Peshawar to Lahore and the chances are it will go via the USA - which is good news if you work on counter-terrorism though not so good if you're Ayman Zawahiri.
Software companies such as Microsoft and Google are able, by developing one software option rather than another, to exercise influence which in some senses is beyond what any nation state could aspire to do. But most of all, the majority of information and ideas which are transmitted by the Internet are Western in origin. And for countries whose leaders do not subscribe to the liberal ideals of the Internet's founders, this can be a significant problem as evidenced by the comments of Chinese State Councillor and Public Security Minister Meng Jianzhu quoted in Xinhua News in January 2009: 'The Internet has become a major vehicle through which anti-Chinese forces are perpetrating their work of infiltration and sabotage and magnifying their ability to disrupt the socialist order.' Other countries, including Iran, have issued similar complaints. Russia has talked about US 'hegemony' over the Internet and expressed private concerns that the USA has a 'red button' i.e. the power to turn off the Internet for certain countries.
That is not the whole story. The dominant discourse on the Internet may be Western. But the Internet has also led to the re-invigoration of indigenous cultures and languages which in the face of a Western cultural onslaught seemed destined for the scrap-heap of history. And of course it has also played an enormously powerful role in enabling the spread of a jihadist ideology which has become one of the principal security threats of our time. Meanwhile authoritarian regimes are not only fighting back, but also becoming increasingly smart about how to use the Internet to their own advantage both at home and abroad whilst still exercising effective control with China very much in the lead. China is using a combination of techniques to exercise control of the Internet: active Internet monitoring conducted at various levels; the blocking of some Western sites such as YouTube and Facebook; but also an increasingly skilful on-line engagement by the government with its Netizen community designed both to appear responsive to and at the same time influence public opinion. There are however still high levels of anxiety about dependence on Western systems and a desire to see these replaced by indigenous alternatives as soon as possible.
In a recent best-selling book entitled Internet Wars, the author Dong Niao compares the role of Microsoft in China with that of the British opium traders of the 19th century, talks of a 'struggle for control of the Internet' and argues that whoever controls the Internet controls the future.
I have started with the question of soft power because that is an issue that tends to get overlooked amid widespread and excitable media reporting about cyber threats. But we must of course also look at the issue of hard power as exercised by a variety of actors who form a spectrum. At one end of this spectrum are individual hackers and hacker groups, whose online behaviour may be benign, malign or a mixture of the two; criminals; terrorists; individuals and entities engaged in a variety of what might be termed cyber exploitation activities - essentially cyber espionage operations designed to steal information and probe the vulnerabilities of systems; and at the other end, cyber warfare though together with US cyber czar Howard Schmidt, I query how useful that term is. I have various examples illustrating all these forms of behaviour which I can draw on in the Q and A if people are interested.
None of these categories is rigidly defined and there is a lot of movement between them. Hacker groups may act on their own account but they may also undertake activities designed to benefit a nation state with either the active or tacit acquiescence of the government of that state. Examples are the role of Chinese 'hacktivist' groups attacking the websites of states and entities deemed to have offended China or infringed Chinese interests; and the role of criminal groups such as the shadowy Russia Business Network which appears to have been involved in the cyber attacks on Estonia and Georgia in 2007 and 2008.
And espionage is not confined to state actors. Commercial espionage has become big business, and we are now witnessing a new hybrid form in which countries such as China are engaging in commercial - as well as state - espionage on an industrial scale. The only thing which distinguishes the behaviour of these actors is motivation and that can be hard to discern. And the way that the Internet is structured makes it easy for actors to hide their traces, with the result that attributing any given action to any given individual, group or state becomes very difficult - and that has significant implications in the context of cyber warfare which I will address shortly.
But while these different actors may have different motivations, the techniques they use are broadly the same. And many of these techniques have been developed by a global network of cyber criminal groups whose capabilities are widely advertised and traded on line and whose activities are estimated to cost private sector companies and consumers US$ 1 trillion per year. The Stuxnet worm is a good example. While clearly the way in which the Stuxnet worm was directed against the Iranian illegal enrichment programme was ingenious and innovative, and the harm it appears to have done substantial, it was not, as many news reports have stated, the kind of state-of-the-art system which could only have been developed by a nation state. It was in fact a patchwork of techniques and software already developed by criminal groups and by no means state-of-the-art. And although the systems attacked by the Stuxnet worm were air-gapped from the Internet, that counts for nothing if you have someone on the inside able to introduce the worm into the target system.
Clearly the Internet requires us to think about security in different ways, with a much greater focus on systems integrity rather than just individual items of information to be found on systems. This matters for governments who have come increasingly to rely on the private sector for the delivery of critical national infrastructure, and for the private sector whose reputation and share price can quickly suffer if it becomes known that their systems have been breached - which may explain why so few of them admit to such episodes when they do occur. Total Internet security will never be possible but a good collaborative relationship between government and the private sector can undoubtedly go a long way to make the Internet safer.
As Iain Lobban, the Director of GCHQ said when he spoke last autumn at IISS - the first time a Director of GCHQ has ever spoken publicly - 80% of Internet threats can be dealt with by good housekeeping - the regular updating of security software. But he went on to say that 'patch and pray' was not enough. The other 20% of threats comes at a much higher level of sophistication and requires an equally sophisticated response based on active defence, i.e. engaging proactively in exploitation activities so as to understand the environment and be aware of what is possible - and Lobban was quite unapologetic in saying that that was what his organisation was doing.
I have only two more substantive points to address - so for those of you losing the will to live, hang on in there. These are cyber warfare and the regulation of the cyber domain.
I'm not entirely sure what cyber warfare means or what it would look like - or even if it is a meaningful term. And in this context I would draw to your attention some observations by Martin Libicki, the Rand Corporation's cyber guru, as follows:
'Nobody ever forces an entry in the cyber domain. If your system is breached, this is because there was a way in, which, due to the complexity of the system, you had been unaware of.
- No-one has yet verifiably been killed or seriously injured because of an attack on an ICT system;
- No attack on any ICT system has ever inflicted irreparable damage. If your system comes under attack, you close it down, disinfect it and resume operations; and
- While much attention is focused on cyber warfare, a still largely untested proposition, virtually no attention is given to electronic warfare, which is an existing reality. The electromagnetic pulse from a small nuclear device detonated in space would cause widespread, indiscriminate and possibly irreparable damage. The only way this could be achieved in the cyber domain would be through the large-scale and systematic destruction of physical infrastructure.'
These are all valid points. But the Internet is a rapidly evolving and dynamic environment the evolution of which is much influenced by the behaviour of key actors on it. Major military powers have focused on cyberspace as an additional domain within which warfare can take place, with the USA in the lead through its recent creation of the Pentagon's US Cyber Command. China, too, has focused on the asymmetric possibilities afforded by the US military's heavy reliance on ICT systems and sees the capacity to attack such systems and thereby shape the battle space as an integral feature of its doctrine of Integrated Network Electronic Warfare.
But while there now exists a growing list of possible ways in which the cyber domain might be exploited militarily, it still remains unclear how such behaviour might evolve. And it may at this point be worth recalling the words of General Sir Rupert Smith in his book The Utility of Force on the changing nature of contemporary warfare. 'War no longer exists. Confrontation, conflict and combat undoubtedly exist all round the world - most noticeably, but not only, in Iraq, Afghanistan, the DRC and the Palestinian Territories - and states still have armed forces which they use as a symbol of power. Nonetheless, war as cognitively known to most non-combatants, war as battle in a field between men and machinery, war as a massive deciding event in a dispute in international affairs: such war no longer exists.'
I think it highly probable that military activity within the cyber domain will follow this paradigm, a situation of constant skirmishing at a level just below what might elicit a retaliatory response in other dimensions. But of course the possibility exists that either by design or more probably accident an action by one party might cross the red lines of another, leading to escalatory behaviour. And this raises the issue, now much debated, of what constitute red lines in the cyber domain. At what point might a cyber attack have such impact as to justify a conventional military response, particularly when the issue of attribution is, as mentioned earlier, impossible to determine to evidential standards and the linkages between different actors so hard to ascertain? Can the Law of Armed Conflict (LOAC) have application in the cyber domain and if not, what else might be needed? This issue has become too detailed and complex to sum up in a few sentences but it is something we might explore further in the Q and A.
But it takes us to what is, genuinely, my final point and that is the question of Internet governance and regulation. There are a number of interrelated issues here. If the Internet is indeed a global commons, how should it be secured? What are the obligations of the international community, individual nation states, service providers and even individuals? At the moment the assignation of all Internet domain names is undertaken by a California-based not-for-profit organisation, the Internet Corporation for Assigned Names and Numbers (ICANN). This seems to work tolerably well but it has to be acknowledged that ICANN has had difficulty verifying the bona fides of those registering domain names, many of whom prove on subsequent examination to have provided verifiably false data in support of their registrations. Should ICANN's responsibilities be transferred to an international body under the UN? The head of the International [Telecommunication] Union (ITU), which is searching for a new role as its existing one comes close to disappearing would probably agree.
For the past decade, the USA and Russia have been engaged in a fairly desultory arm-wrestling contest on the subject of Internet governance. Russia has argued for this to take place within the context of arms-control negotiations and has proposed a treaty outlawing attacks on computer networks and the development of cyber weapons. Russia - supported by China and a number of other states - has also majored on the issue of information security, by which is meant mechanisms for controlling Internet content. This of course is anathema to the USA which vigorously defends freedom of content and argues instead for a focus on network security with each state being required to undertake whatever measures are needed to assure the integrity and continued functions of those parts of the Internet under their control. The USA has also been resistant to an arms-control approach on the basis that verification is impossible in the cyber domain - one would have to have permanent visibility of every computer and mobile phone on the planet for that to be possible. And the reality is that no country is ever going to agree to compromise its freedom to undertake cyber exploitation operations any more than it will compromise its freedom to engage in espionage.
Another issue which has featured in discussion is cyber crime. There is in fact an existing Convention on Cyber Crime sponsored by the Council of Europe which came into force in 2004. Forty-six states, mainly European, have signed the Convention and 26, including the USA, have ratified it, accounting for about a third of total global Internet users. A number of states, including predictably Russia and China, have refused to sign this Convention because it permits states who are the victims of cyber crimes to undertake immediate investigations of the sites deemed responsible for the attack in ways which breach positions on national sovereignty - though quite how one can investigate cyber crime if one cannot operate on Internet timescales is not readily apparent. (In this context, it is also perhaps worth mentioning that the Russian state has acquired an unenviable reputation for appearing to tolerate the activities of cyber criminals on the basis that their activities are directed almost exclusively against the West).
Some form of regulation of the Internet looks to be desirable, at least in terms of agreeing some basic norms of conduct for the Internet and devising effective mechanisms for the investigation and prosecution of cyber crime. But there must be a real risk that this issue could become a political football kicked back and forth between two teams with ideologically very different concepts of what the Internet should be and how it should function. I hope that outcome can be avoided, but I am not optimistic."