The Outsourcing of the Cyberwar
Increasingly, non-state actors pose the biggest cyber-security threat, argues Jon Penney.
Among certain national-security and public-policy circles, there is a growing trend to approach the challenges of cyber-security and cyber-war through the lens of the Cold War. While Cold War experiences can be useful to understand recent developments like the “militarization” of cyberspace, adopting Cold War strategies for cyber-security may do more harm than good for many reasons, not the least of which is that such a framework puts at risk Internet freedom – a value recognized at last year’s G8 summit – as it is much easier for governments, both foreign and domestic, to justify Internet censorship and citizen surveillance during times of war.
But Cold War strategies may also pose a risk to security because, in focusing on state-led conduct or state-on-state cyber-activity and conflicts, they fail to adequately address an emerging threat to cyber-security: the role of non-state actors.
The most successful, invasive, and large-scale global cyber-espionage operations discovered in recent years were likely carried out by non-state actors. The Ghostnet cyber-spying ring, exposed by the Citizen Lab, involved 1,295 computers infected in over 103 countries. Evidence surrounding Ghostnet suggested a link to China, but no clear link to the Chinese government. Operation ShadyRAT, reported on by McAfee last year, was comparable to Ghostnet in both method and scope, and also pointed to China, again without a clear government link. Though the absence of a clear link does not rule out Chinese state actors, the methodology involved in these operations – common phishing-style attacks and remote access control servers – was not technically sophisticated, suggesting that such cyber-espionage was carried out by non-state actors with some level of tacit state sponsorship, or, at the very least, co-operation.
Furthermore, private companies are increasingly implicated in the cyber-security and surveillance activities of foreign governments. This includes Canadian companies like Vineyard Networks, AdvancedIO, and Sandvine, which have been accused of selling surveillance technologies to authoritarian foreign governments. It also includes communications firms like RIM, which have made “security” arrangements to give foreign security officials access to user communications. Not only do such activities undermine aspects of Canadian foreign policy – like Internet freedom and human rights – but these very technologies and arrangements can just as easily be used to spy on Canadian citizens, government officials, or military forces travelling or acting abroad, or their strategic allies.
Finally, cyber-crime carried out by individuals or larger criminal organizations is an increasing threat to security. Cyber-security breaches or vulnerabilities induced or exploited by criminal organizations can just as easily be exploited by foreign governments or any non-state actors they are sponsoring.
Beyond these threats and concerns, non-state actors pose a special problem for cyber-security and international efforts to address it, because the international system – along with its international laws and norms – was designed to address relations and conflicts between states. International law has had a difficult time dealing with non-state actors in more traditional armed-conflict settings, and these problems are only compounded in the complex sphere of cyber-war and cyber-security.
There are no simple solutions to these challenges, but a few worthwhile steps can be taken. First, efforts should be made to link domestic and foreign policy on cyber-security matters. Canadian laws that require greater transparency in relation to cyber-security breaches – such as strong data breach disclosure laws – could ensure that citizens, businesses, and government have the information they need to quickly address vulnerabilities arising from foreign cyber-attacks, enabling them to protect their data and other assets. Also, the Canadian government has a role to play with respect to Canadian “cyber-intelligence” contractors – if not in regulating, then at least in articulating clear rules or guidelines for business conducted between Canadian firms and foreign governments, particularly authoritarian regimes. Presumably, those rules would reflect Canadian values and human rights.
Of course, foreign policy must also adapt. One way to ameliorate the international system’s difficulty in dealing with non-state actors’ cyber-activities is to give more priority to cyber-security when negotiating bilateral or multilateral arrangements with states like China, pressuring them to take more responsibility for cyber-crime and espionage that originate within their borders. Moreover, to fill the void left by international agencies and rules, non-governmental organizations have a greater role to play, such as tracking, monitoring, and exposing cyber-security threats with the kind of transparent reporting that is much less common from governments in this area.
These suggestions are no panacea, but they at least provide some directions for government and policy makers. States around the world are unquestionably ramping up their cyber-warfare capabilities, and our government, military, and national-security officials must take steps to respond in kind. Yet, the cyber-security threats posed by non-state actors are growing, and increasing in complexity – they cannot be ignored.