NATO and EU Cybercrime Summits
by Jose Nazario
This week’s EU and NATO summit in Bucharest is making the news for a variety of reasons. NATO is almost 60 years old this year, there is talk of NATO expansion (and any unease that causes with Russia), and also the role of cybercrime and Internet security as a possible NATO defensive front. The AP, in a story posted on CNN (European Union, NATO to tackle cybercrime), writes:
Separately, the North Atlantic Treaty Organization’s summit in Romania beginning Wednesday will debate NATO’s own guidelines for coordinating national cyber defense efforts.
…
As the Internet becomes an essential part of daily life across the world, experts from police forces, as well as technology companies Microsoft Corp. and eBay, Inc., will debate possible legal solutions to cyber-related crime and training possibilities at the Council of Europe workshop in Strasbourg, France.
The challenges posed by cybercrime are different from conventional terror attacks because of the fast exchange of data and the vast international reach of computers, said Marco Gercke, a lecturer in computer law at University of Cologne in Germany.
“Compared to regular terror attacks, it is much easier for the offenders to hide their identity. There are at least 10 unique challenges that make it very difficult to fight computer-related crime,” said Gercke, one of the conference participants.
“The success rate of cybercrime is very high,” he added.
This is a problem that’s been growing for some time. Parties that are willing to take on the responsibility are long overdue, be they NATO or the EU.
A group like NATO and a group like the EU have disjoint constituencies (there’s some overlap but it’s not total), and they have slightly different drives. But one of their shared mandates is to protect their member nations’ common infrastructure (i.e., a common defense plan, and also shared burdens). The Internet is nothing if not a large, shared “good”, and with the role of Internet commerce taking on such a dramatic portion of a country’s GDP, this is a shared necessity. A common defense of that, just as you would protect rail lines, power, or water, makes sense to me. The problem is who really owns that, and so far no one has really stepped up to accept that responsibility.
As you would expect, any international effort to protect member states has at least three major components to protect: the group’s infrastructure, how the member nations communicate with it, and the member nations’ infrastructure itself. In other words (taking NATO as an example): the NATO Internet presence, member states’ individual NATO efforts, and (finally, what NATO was designed to help protect) the member states’ national infrastructure. Coordinating across all of those, while maintaining national sovereignty and autonomy, is difficult.
Then, you have to think about the problem in terms of the targets. If we’re not talking about member states’ national infrastructure but instead the end consumer (i.e., you, me, and our fellow citizenry), then we’re talking about something else. In “iWar”: A new threat, its convenience – and our increasing vulnerability (NATO Review, Winter, 2007), Johnny Ryan spells it out pretty clearly:
iWar is distinct from what the United States (US) calls ‘cyber war’ or from what China calls ‘informationalized war’. These refer to sensitive military and critical infrastructure assets, and to battlefield communications and satellite intelligence. China’s December 2006 Defence White Paper, for example, refers to the importance of gaining supremacy in space to control information assets such as satellites.
[Cyberwar] refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services.
In contrast, iWar exploits the ubiquitous, low security infrastructure. It refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services. While nation states can engage in “cyber” and “informationalized” warfare, iWar can be waged by individuals, corporations, and communities.
Now we’re talking about the primary mission of some of these organizations - helping to protect the citizens of the member states - but you also wind up with the biggest hurdles of all for an external organization to go and help directly. No one has yet clearly stood up and taken on this responsibility. NATO, for example, has not been clear about its role in defending against the type of attack that hit Estonia last year. Part of this is that it wasn’t clear if the Internet was critical infrastructure. This, it appears, has been clarified within NATO. In 162 CDS 07 E rev 1 - THE PROTECTION OF CRITICAL INFRASTRUCTURES, part of a committee report from the 2007 Annual Session, it clearly states:
81. The European Commission announced in May 2007 a new communication entitled “towards a general policy on the fight against cyber-crime”, which covers three categories of criminal activities: crimes, such as fraud or forgery, committed over electronic communication networks and information systems; the publication of illegal content over electronic media; crimes directed against electronic networks, such as attacks against information systems, denial of service, hacking, etc. The communication plans actions to improve co-ordination of Internet surveillance, reinforce operational cross-border law enforcement co-operation, and strengthen public-private co-operation. Despite these additional efforts, the Union’s initiatives are constrained by the reluctance of some member states to acknowledge its competence in this area.
Maybe there’s some hope yet. What that role means is unclear. It could be that NATO facilitates bringing all member states to some common competency of cybersecurity (it is unevenly distributed, to say the least). NATO is doing just this with its Center of Excellence for Cyber Defense, which will be set up in May in Tallinn, Estonia. It could be that NATO will help bring together the right people and coordinate their needs during an Internet attack, regardless of whether the attack is from an adversarial nation or a criminal gang. The private sector has worked out a lot of this (FIRST, as an example organization, comes to mind, and even they are hampered by politics), so perhaps NATO should simply facilitate this activity.
Or maybe not. As Ryan spells out in the writeup above, you’re possibly defending a national infrastructure against all attackers, a classic asymmetric warfare scenario. On the Internet, it’s been said, no one knows you’re a dog. When it comes to political DDoS, no one knows that you’re acting independently, outside of a national backing. The Internet has leveled the playing field, and maybe even elevated the power of a criminal beyond some governments’ abilities. As a whole, the complicated entanglements of NATO and the EU mean that they have a lot of political hurdles to overcome, not just technical ones. For NATO and the EU defense forces, this carries with it some very real concerns about scope and capabilities.
While it’s unlikely that there will be a solution that comes out of this week’s summits on cybercrime, the fact remains that there is movement toward accepting NATO’s role in protecting the Internet infrastructure of its member nations, and that this means that the end user will benefit when this sort of defensive scheme comes. In some ways this is uncharted territory. After all, NATO doesn’t have to defend Estonia against street thugs, nor does it have to ask the private sector to borrow their tanks and battleships, both analogies to what NATO or the EU is facing right now on the Internet. However, with the Internet more important to national and international commerce than ever before, the need for a role is pressing.
Elsewhere on the net:
- Estonia to drill NATO’s future cyber-war defenders, in The Age (AU)
Update: Sat, April 5 2008
In a news report - NATO boosts cyber-attack response force: senior official (AFP via The Age) - it’s been revealed that NATO has solidified its plans for building rapid response units for cyber-attacks, which we knew (see above, the Center for Excellence in Tallinn).
But the official, speaking on terms of anonymity, stressed that a cyber-attack on a NATO member state would not trigger a military response.
“It’s far, far away from any question of those scenarios,” he said.
So, it looks like some boundaries have been defined and clarified.
UPDATE 7 April 2008: Corrected the location.
NATO summit was not held in Brussels:
http://www.nato.int/docu/comm/2008/0804-bucharest/index.html