Cyberspace and the National Security of the United Kingdom: Threats and Responses

A Chatham House Report

Paul Cornish, Rex Hughes and David Livingstone

March 2009

Chatham House, 10 St James’s Square, London SW1Y 4LE
T: +44 (0)20 7957 5700
E: contact@chathamhouse.org.uk
F: +44 (0)20 7957 5710
www.chathamhouse.org.uk
Charity Registration Number: 208223

Chatham House has been the home of the Royal Institute of International Affairs for over eight decades. Our mission is to be a world-leading source of independent analysis, informed debate and influential ideas on how to build a prosperous and secure world for all.

Detica specialises in collecting, managing and exploiting information to reveal actionable intelligence. We use this capability to help government and commercial clients reveal intelligence, maintain security and strengthen resilience in today’s complex operating environment. Detica delivers projects of significant scale across government and commercial markets in the UK, US and continental Europe. Our principal clients are government agencies responsible for intelligence, security and resilience. We also assist civil government and commercial organisations with a critical national infrastructure remit.
www.detica.com

© Royal Institute of International Affairs, 2009

Chatham House (the Royal Institute of International Affairs) is an independent body which promotes the rigorous study of international questions and does not express opinion of its own. The opinions expressed in this publication are the responsibility of the authors.

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical including photocopying, recording or any information storage or retrieval system, without the prior written permission of the copyright holder. Please direct all enquiries to the publishers.

ISBN 978 1 86203 215 6

A catalogue record for this title is available from the British Library.

Designed and typeset by Soapbox Communications Limited, www.soapboxcommunications.co.uk
Printed and bound in Great Britain by Latimer Trend and Co Ltd

The material selected for the printing of this report is Elemental Chlorine Free and has been sourced from sustainable forests. It has been manufactured by an ISO 14001 certified mill under EMAS.

Contents

About the Authors
Preface
Acknowledgments
Executive Summary
1 Introduction
2 Cyberthreats
    Cyberthreat domain no. 1: state-sponsored cyberattacks
    Cyberthreat domain no. 2: ideological and political extremism
    Cyberthreat domain no. 3: serious and organized crime
    Cyberthreat domain no. 4: lower-level individual crime
    Summary
3 Cybersecurity Practices and Principles
    Cybersecurity: current practice
    Strategic principles of cybersecurity
    Operational principles of cybersecurity
    Summary
4 A National Cybersecurity Regime
    The United Kingdom National Risk Register
    An active strategy for cybersecurity
    The operational level: business process analysis and interdiction
    Summary
5 Conclusion
Notes

About the Authors

Dr Paul Cornish holds the Carrington Chair in International Security at Chatham House, where he directs the International Security Programme. He was educated at the University of St Andrews, the London School of Economics, the Royal Military Academy Sandhurst and the University of Cambridge. He has served in the British Army and the Foreign and Commonwealth Office, has taught at the UK Joint Staff College and at the University of Cambridge, and was previously Director of the Centre for Defence Studies at King’s College London. His research interests include European security and defence institutions, arms control and non-proliferation, counter-terrorism and domestic security.

Dr Rex Hughes is a Research Associate at the Cambridge-MIT Institute, where he examines the global governance challenges of cybersecurity. He was educated at the Universities of Washington and Cambridge. He founded and directed the world’s first multidisciplinary Internet Studies programme at the University of Washington. Working in partnership with IBM-Lotus, Dr Hughes led the development of iEnvoy, the first secure diplomat-to-diplomat Internet communications platform deployed by the US Department of State.

David Livingstone MBE DSC is the Managing Partner of Morgan Aquila LLP, which provides consultancy in business transformation in the anti-terrorism domain, focusing on the benefits derived from multi-agency integration. During 21 years in the Royal Navy he was variously a helicopter pilot, minesweeper captain and staff officer with the Flag Officer Naval Aviation. He is a graduate of the Army Staff College, Camberley and a Fellow of the Royal Geographical Society. He has written a number of papers on counter-terrorism and resilience and is a regular media commentator. Mr Livingstone is an Associate Fellow of the International Security Programme at Chatham House.

Preface

This report forms the first part of a major project on cybersecurity undertaken by Chatham House in conjunction with Detica Ltd. The project aims to engage government, private-sector, academic and other specialists in high-level analysis of cybersecurity challenges and responses.

Where cyberspace and national security are concerned, there is a disconnect between technology and public policy which this project seeks to bridge. Science and technology should be more closely informed by public policy, while a technologically informed political leadership should be better placed to meet the cybersecurity challenge. This project will provide a forum for constructive exchange in which the possibilities and limitations of technology can be fully explored, and in which the parameters of public policy-making can be more closely understood by those charged with developing the technological dimensions of security policy.

The project comprises a series of reports. This first report identifies the central features of the cybersecurity challenge and examines innovative methodologies for threat analysis and response. Future reports will address the specific demands of national cybersecurity policy, the requirement for international cooperation and the balance to be struck between safety and security on the one hand, and privacy and liberty on the other.

Acknowledgments

The authors wish to thank all those who read and commented upon earlier versions of this report, and who attended study group meetings at Chatham House.

The views expressed in this document are those of the authors, who accept responsibility for any errors of fact or judgment.

March 2009
P.C., R.H., D.L.

Executive Summary

Cyberspace and the National Security of the United Kingdom provides a general overview of the problem of cybersecurity. The aim of the report is to inform debate and to make the case for a more coherent, comprehensive and anticipatory policy response, both nationally and internationally. In every area, society is becoming increasingly dependent upon information and communications technology (ICT). With dependency come exposure and vulnerability to misuse, criminality and even attack. Criminals and extremists are able to take advantage of the same ‘global technological commons’ upon which society is becoming so dependent. Cybersecurity has become a fast-moving and complex security challenge, one which requires a coordinated, agile and mutually reinforcing response from all those who benefit from the global ICT infrastructure.

After a brief introduction, Chapter 2 on cyberthreats describes four domains of hostile activity and behaviour: state-sponsored cyberattacks, ideological and political extremism, serious and organized crime, and lower-level individual crime. These domains are inter-linked. Hacking, for example, is a relatively low-level and disorganized activity, yet it can have very high-level consequences and it also features prominently in other threat domains. Serious and organized criminal misuse of the global information infrastructure is increasing, in both quantitative and qualitative terms, and at considerable cost to the global economy. What is more, the Internet seems to fit the requirements of ideological and political extremists particularly well. Finally, it seems that the Internet is increasingly seen by some states and governments as a strategic asset to be exploited for the purposes of national security, and perhaps even as a battlefield where strategic conflicts can be fought. The report observes that it is not simply that increasing dependence on ICT creates vulnerabilities and opportunities to be exploited by the unscrupulous, but also that ICT has an increasingly important enabling function for serious and organized crime, ideological and political extremism, and possibly even state-sponsored aggression.

As a complex security challenge, cybersecurity cannot be explained sufficiently in terms of threat. In Chapter 3 on cybersecurity practices and principles, the report argues that cybersecurity amounts to a system-level challenge to society. A system-level response will be necessary, so that the activities of different agencies and bodies complement each other and are mutually reinforcing, rather than conflicting. Yet society does not respond as a coherent system; different stakeholders remain focused on their narrow interests and as a result the cybersecurity response is dispersed, uncoordinated and inefficient. Current practices such as computer and network security, information security and assurance, and the protection of critical national infrastructure must be informed and energized by a set of strategic and operational-level principles, including governance, inclusiveness, agility and risk management.

In Chapter 4, which looks at the challenge of building a national cybersecurity regime, the report draws on recent experience in the United Kingdom to show how a coherent framework for cybersecurity policy can be developed, in which ‘bottom-up’ and ‘top-down’ approaches can be integrated, and in which a more systemic approach to cybersecurity becomes feasible. A national cybersecurity regime should include, yet not direct, a wide variety of actors, agencies and stakeholders, and must be sufficiently agile (yet without losing focus) to meet a rapidly evolving and transforming security challenge.

In summary, the report makes a number of observations and recommendations for further research and analysis:

Cybersecurity is not exclusively a military problem. The language and organizing concepts of cybersecurity can often seem to be military in derivation: ‘threat’, ‘aggression’, ‘attack’, ‘defence’ being among the more familiar terms. But cybersecurity is a challenge to society as a whole and requires a broad, cooperative, multi-agency response.

Society is becoming ever more dependent on the global ICT infrastructure. With dependence comes vulnerability to those who would exploit features of this infrastructure to prey on society for their own nefarious ends.

Yet when hackers, criminals and extremists use ICT against society, they too become ICT-dependent and therefore vulnerable to surveillance and disruption by law enforcement and other legitimate agencies. Business process analysis provides a basis for action against cyberdependent adversaries.

Proportionality is essential. Cybersecurity is a serious structural challenge. But assessment of the character and scale of cyberthreats can be exaggerated. Careful analysis of cyberthreats, ideally cross-governmentally, is necessary in order to ensure a proportionate and cost-effective response.

Efforts should be made to improve the relationship between the worlds of security policy and technology. Specialists in cybertechnology – the so-called ‘technorati’ – should be given a more central and formative role in policy.

Because cybersecurity affects all sectors and levels of society, there are fundamental choices to be made as to how responsibility for it should be distributed between the private, commercial and governmental domains. In the sphere of public policy specifically, decisions must be made over which government department should be charged with developing and articulating a policy, and how different aspects of policy should be apportioned among agencies.

1 Introduction

‘Cyberspace’, ‘cybersecurity’ and other related expressions are widely used as though their meaning were clear and beyond debate. The reality, however, is that these terms mask a range of untested assumptions and unanswered questions, posing a serious difficulty for policy-makers and those responsible for national safety and security.

Cybersecurity (security in and from cyberspace) is widely regarded as an urgent and high-level problem which cannot be ignored. But the precise nature of this problem is not well defined. This combination of intuition and uncertainty, mixed with pessimism, can subvert analysis, encouraging a shift in the direction of worst-case assessment and a tendency to focus policy and expenditure almost exclusively on high-impact, low-probability events. The stakes are of course very high, and catastrophe is possible even if the likelihood is low. But insurance-style arguments of this sort risk turning policy-making into something reactive, uncritical and disproportionate, with any and every imaginable crisis somehow given ‘priority’ status.

Neither worst-case analysis nor its opposite, complacency, offers a good basis for policy-making, yet in cybersecurity more considered approaches are difficult to achieve. The information and communications technology (ICT) which is increasingly being exploited by miscreants ranging from political extremists, to organized criminal groups, to individual hackers, is essentially indistinguishable from that used for entirely innocent and legitimate purposes. And these legitimate uses are often not ‘optional extras’ which society might set aside for reasons of safety and security.

Since the introduction of the integrated circuit in the 1950s, the world economy has grown increasingly dependent on a digital information infrastructure. In 2009 it is difficult to imagine a major business or organization that does not rely on advanced ICT. Industries ranging from railways to retailing all depend on high-performance ICT systems to maintain essential business communications with both customers and suppliers. In the financial sector, business worth hundreds of billions of dollars is transacted daily via global data networks, public and private. In the public sector, vital institutions also rely on cyber-based systems to deliver critical health, education and social services. Society’s dependence on ICT systems and networks seems likely only to deepen: the advent of ‘cloud computing’ will mean that digital technology will ‘penetrate every nook and cranny of the economy and of society.’1 It is no exaggeration, therefore, to say that the global economy is now dependent upon a broadband-enabled cyberknowledge complex. With dependence come exposure and vulnerability, and an ever-widening array of opportunities for the unscrupulous to exploit.

Society’s dependence on ICT is exacerbated by the increasing interdependency of information systems, making it difficult to know what repercussions failure in one part of the system will have in another. As dependence on this complex system increases, so too does society’s vulnerability to misuse of it, and so too does the severity of the consequences of attack or system failure (which might, in practical terms, be indistinguishable). And as we have suggested, society is increasingly dependent – perhaps absolutely so – upon technology which adversaries themselves might use to attack.

In these circumstances it is not easy to determine what should be protected, against whom and with what means. But the challenge of cybersecurity goes far deeper. Cybersecurity is often described, explained and analysed within a traditional policy framework, where the language and organizing concepts are often military in derivation: ‘threat’, ‘aggression’, ‘attack’, ‘defence’ are among the more familiar terms. In some cases it might be appropriate to analyse the problem in this way and to act accordingly. But the application of orthodox security and defence thinking can too often result in cybersecurity being understood as something which intrudes from outside, which is ‘done’ by ‘them’ to ‘us’. Yet the correlation between dependence and vulnerability gives an important indication that cybersecurity is a more challenging problem than this, one which might not be conducive to a linear analysis based on action and reaction, cause and effect. Indeed, cybersecurity is probably better understood as a complex problem, one which is characterized by uncertainty and non-linearity, which is dynamic and continually evolving, and in which it can be difficult to establish clear causal relations and sharp dividing lines between subject and object.

The aim of this report is to provide an overview of the problem of cybersecurity in order to inform the debate and to provide the basis for subsequent, more detailed analysis of national and international policy-making in this sphere. Although the report is written largely from a general security policy perspective, the authors argue that technical specialists – the so-called ‘technorati’ – should have a more central role in cybersecurity policy-making if policy is to be as coherent and agile as it can be. Chapter 2 discusses threat, describing important ‘domains’ of cybersecurity activity and behaviour. In keeping with the claim that cybersecurity cannot be explained sufficiently in terms of threat, Chapter 3 – ‘Cybersecurity Practices and Principles’ – begins by describing current initiatives and procedures in cybersecurity policy, in both the public and the private sectors. It then presents a set of strategic and operational-level principles to help shape cybersecurity policy-making and implementation. Using UK experience to illustrate the argument, Chapter 4 sets out a coherent framework for cybersecurity policy, in which ‘bottom-up’ and ‘top-down’ approaches can be integrated, and in which a systemic approach to cybersecurity can be developed.

2 Cyberthreats

The integrity of the global cyberknowledge complex is critical not only to the day-to-day functioning of the world economy, but also to the security and well-being of governments, organizations and people: public bodies can be attacked, commercial interests can be defrauded and individuals can be subject to a range of assaults. In the United Kingdom in 2007–08, by one account, approximately 830,000 businesses experienced an online or computer-related security incident, and in 2007 around 40 per cent of personal identity fraud – some 84,700 cases – took place online.2 The first step in any analysis of cybersecurity must indeed be to chart the range of cyberthreats, by which we mean security challenges made either via or to ICT equipment and networks. An apparently straightforward descriptive task, this can be a difficult undertaking, not least because these two broad categories of security challenge can overlap considerably. Microsoft, for example, has developed a data centre near Chicago which requires three electricity substations with a capacity of 198 megawatts – ‘as much as a small aluminium smelter’ – disruption of which could fall into both categories of attack just described.3

The transformation of the Internet from an elite research network to a mass communications medium has altered the global cyberthreat equation dramatically. The global ICT system can be exploited by a variety of illegitimate users and can even be used as a tool in state-level aggression. These activities can be organized along a spectrum running from lower-level individual crime (e.g. hacking), to the behaviour of non-state actors and groups (i.e. criminals and terrorists), to plans orchestrated by governments. But it is important to note that while this spectrum of activities has merit as an organizational device, it is flawed analytically. These diverse users of the Internet do not fall into discrete camps, and least of all into a simple hierarchy of threats. Hacking, for example, can have uses in very serious organized crime; organized criminality can be linked to international terrorism; and terrorism can be used as a tool of state aggression. This point is made most strikingly in the late ‘Bali bomber’ Imam Samudra’s prison autobiography, in which a section entitled ‘Hacking, Why Not?’ reportedly urges young Muslims to ‘take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud’ with which to fund the struggle against the US and its allies.4 With that caveat in mind, this chapter discusses challenges to cybersecurity in terms of four cyberthreat domains: state-sponsored cyberattacks; ideological and political extremism; serious and organized crime; and lower-level individual crime.

Cyberthreat domain no. 1: state-sponsored cyberattacks

Interstate misuse of the cyberworld can begin at a relatively low level of technology. It would be a mistake to assume, however, that the significance of such attacks is commensurately low-key. In April 2008, for example, reports circulated of an attack against eight Internet sites operated by Radio Free Europe/Radio Liberty. In an orchestrated attempt to overwhelm the target sites, some 50,000 fake hits were recorded every second. This was scarcely the most sophisticated form of cyberoperation. Yet the source of the attack was alleged to be none other than ‘Europe’s longest-ruling dictator, Belarus’s Aleksander Lukashenko’ who reportedly wanted to limit media coverage of opposition protests against his regime.5

The RFE/RL case illustrates a recent trend in Internet misuse which is more systematic and which has consequences far more serious than the temporary jamming of radio broadcasts. In September 2000 Israeli hackers attacked and defaced websites owned by Hezbollah and the Palestinian National Authority. In the Palestinian response – tellingly described as a ‘cyber holy war’ – Israeli government and financial websites came under assault. In 2001, following a dispute over damage to US and Chinese aircraft in the South China Sea, both countries suffered a series of cyberattacks and at one stage California’s electricity grid was almost shut down. Neither government accepted responsibility for launching the operations, although both have reportedly conducted research into the viability and effect of cyberweapons.6 More recently, the cyberattacks launched against Estonia in April and May 2007 have captured attention internationally. In a dispute over a Russian war memorial in Estonia, Estonian government and banking websites and Internet providers were the targets of Distributed Denial of Service (DDOS) attacks. These attacks – the so-called ‘Clickskrieg’ – were especially disabling for a country which held itself up as a pioneer of electronic government. There was some uncertainty as to who had orchestrated the attacks – was the culprit a ‘flash mob’7 of Russian computer users, or the Russian government itself? – although the Estonian authorities eventually prosecuted a lone hacker. One important lesson of the Estonian affair was that even very large organizations and government departments are vulnerable to disabling attacks of this sort, and the episode contributed to the decision to consolidate NATO’s Cooperative Cyber Defence Centre of Excellence in Estonia.8

Drawing lessons from the long military tradition of electronic warfare, cyberoperations have also become a feature of conventional military attacks. In September 2007, for example, an Israeli air strike against a target in Syria was reportedly assisted by a parallel cyberattack against Syrian air defences, enabling non-stealthy Israeli aircraft to move into Syrian airspace without fear of detection and interdiction.9 For one analyst, this was an indication of things to come: ‘More and more often, cyber attacks on government servers signal a physical attack in the offing.’10 This warning rang true within one year, during the Russo-Georgian conflict over South Ossetia in summer 2008. Described as ‘the coming of age of a new dimension of warfare’,11 the conflict saw private computing power organized and coordinated in such a way as to have strategic effect on a national enemy. It is not clear that the Russian government was directly behind, or formally approved, the DDOS attacks on Georgia, but it seems likely that the attacks were at least officially not prevented. Although no serious, long-term Georgian cyberdamage was reported, the coordinated attack showed an ‘untapped potential for using the Internet to cause mass confusion for political gain’.12

It is likely, if not certain, that cyberwarfare will be an increasingly important feature of conflict between states in years to come.13 Indeed, losses and gains made in cyberspace might be so decisive that the character of warfare could change fundamentally, as the physical and the territorial parameters of conflict give way to the virtual and the digital. Analysis clearly points in this direction. It is estimated that a large-scale DDOS attack against the United States, for example, could have devastating effect: if power and other services could be shut down for a period of three months, the damage could be equivalent to ‘40 or 50 large hurricanes striking all at once’.14 China’s intentions and capabilities often feature prominently in analysis of this sort. According to a recent US Congress policy review panel, ‘China is aggressively developing its power to wage cyber warfare and is now in a position to delay or disrupt the deployment of America’s military forces around the world, potentially giving it the upper hand in any conflict.’15 An increasing number of electronic ‘intrusions’ are reported to originate in China, although it is not entirely clear how far this activity is officially approved. China is thought to be allocating very significant resources to computer network operations (CNO), including computer network attack (CNA), computer network exploitation (CNE) and computer network defence (CND). By reducing vulnerability to countermeasures, CND would be a crucial feature of cyberdependent operations, and it is consistent with the view that the Chinese People’s Liberation Army would seek to achieve ‘electromagnetic dominance’ early in a conflict and to maintain that advantage.16

If cybersecurity does become increasingly militarized, and if the Internet does become one more weapon in a ‘state sponsored act of war,’17 then a number of intriguing political, technological and ethical questions are raised. What is the best form of defence in cyberwarfare? What exactly are ‘cyberweapons’? Are they weapons of war (combat aircraft and artillery guns)? Is the Internet merely harmless technology, or is it to be regarded, like traditional weapons, as something which can be used to damage, destroy and kill, and to be regulated as such? Is it reasonable or useful to regard cyberweapons as equivalent in magnitude to ‘weapons of mass destruction’?18 And finally, how could the origin of a cyberattack, and the identity of the perpetrator, be ascertained?

Cyberthreat domain no. 2: ideological and political extremism

Terrorists and other extremists are known to make extensive use of the Internet. The number of extremist websites has increased at an enormous rate, from ‘a handful in 2000 to several thousand today’,19 and by one account the Internet is becoming ‘the most important meeting place for jihadis all over the world, to communicate, discuss and share their views.’20 So-called ‘cyberterrorism’ begins with hacking and lower-level criminality. Younis Tsouli, described as ‘one of the most notorious cyberjihadists in the world’,21 used hacking skills (in which he trained others) to break into and subvert computer networks in order to distribute video files of terrorist attacks, and to use the proceeds of common credit card fraud to set up jihadi websites.22 By these means Tsouli was to become ‘the administrator of one of the most important extremist websites which facilitated contacts between thousands of individuals’.23 Following his arrest and subsequent imprisonment, Tsouli’s activities were described by a senior counter-terrorist official as ‘the first virtual conspiracy to murder that we had seen’, and as an important indication of the way extremists had become proficient at conducting operational-level planning on the Internet.24

The popularity of the Internet for ideological and political extremists can be explained in a number of ways. By origin, design and function, the Internet could scarcely be improved upon as a medium for extremist organization and activity. The origins of the Internet lie in the Cold War and in the need to ensure redundancy in governmental and military communications systems in the event of a nuclear strike. It should be no surprise, therefore, that extremists are also attracted to a system which offers in-built resilience and virtual anonymity. They may also be attracted to a system which is relatively cost-free and where the investments necessary to develop and maintain the global communications infrastructure have already been made – ironically by their enemies.25 The Internet is an anarchic common ground – some might call it an ungoverned space – which extremists can exploit in unremarkable ways, just as society does, for such purposes as communication and information sharing.26

By design, the Internet is also especially suitable for use by organizations which are deliberately opaque in their structure and intention. Indeed, as organizations become more opaque and complex, so the value of the Internet increases accordingly, making it progressively more difficult to identify the organizations in question and to track their progress. In April 2007 a senior UK counter-terrorism police officer described the problem as one of dealing with ‘networks within networks, connections within connections and links between individuals that cross local, national and international boundaries.’27

In functional terms, the Internet offers a number of useful services for extremists. In the first place, it is a medium for communications, at various levels of obscurity: clear, encrypted and steganographic.28 Executive orders can be transmitted by these means, operations can be planned, and fund-raising campaigns organized. Through the use of discussion forums, bulletin boards, media groups, blogs and web postings, the Internet can also allow training and techniques – and even ideas – to be discussed interactively. Tactics and procedures can be improved through a process of rapid online evaluation, and doctrine and ideology can be subject to criticism. By this approach, something as uncompromising and determined as a terrorist campaign can give the impression, not least to potential recruits, of being inclusive and consensus-based.

As a versatile communications medium, the Internet lends itself to the production and distribution of propaganda. Extremist groups have always, of course, made heavy use of propaganda in the form of printed publicity and, more recently, video recordings. The Internet makes this material vastly more accessible and reproducible, through passive web postings and interactive chat rooms. It can also give immortality to a propaganda message, ensuring that the words of an imprisoned or deceased radical leader remain as a source of inspiration. Finally, it can act as a propaganda library: a repository for religious, political and ideological literature, and for more prosaic instruction manuals and videos covering tactics and operational techniques.29

With instruction manuals so readily available, the Internet has become a place of teaching and instruction. Interactive tutorials can be offered in a wide range of subjects, from weapon handling through to the skills needed to write malicious code and sabotage computer networks.30 Tactical and operational training can be conducted through simulators and even online computer games, including Massively Multiplayer Online Role-Playing Games (MMORPGs).31 With all this activity, the Internet is often described as a ‘virtual training camp’ or ‘open university’ for extremists, where recruits can be prepared to the level necessary to mount a terrorist or insurgent attack, or selected to attend a live training camp such as those in Iraq and Pakistan.32 For some, this is all by design – a distinct and deliberate feature of the global Islamist insurgency. In a May 2008 report by the US Senate, for example, Internet activity of this sort was described as a ‘virtual extremist madrassa’, part of a ‘comprehensive, tightly controlled messaging campaign by al-Qaeda and like-minded extremists designed to spread their violent message.’33

Some analysts are more sceptical, however. Daniel Kimmage claims that the use of the Internet for these purposes is a matter of necessity, rather than choice. Extremists, he argues, have been ‘impelled’ to adopt a decentralized organization and, by extension, online means of communication because the global jihadist movement is in practice ‘a chaotic amalgam of international terror cells and localized insurgencies that espouse loosely articulated common goals, yet lack the organizational cohesion of a movement and face an unprecedented global security clampdown’. Kimmage sees the jihadists’ use of electronic media as a function of weakness rather than strength, and argues that they are determined to impose more control and organization, rather than less, ‘to mimic a “traditional” structure in order to boost credibility and facilitate message control.’34 Others consider the ‘virtual training camp’ idea to be an exaggerated assessment of the capabilities of al-Qaeda and similar organizations. While it is certainly the case that virtual training and teaching do take place, they do not necessarily form part of a carefully constructed programme driven centrally by al-Qaeda. Instead, the Internet is better understood as a ‘resource bank maintained and accessed largely by self-radicalized sympathizers’ and more of a ‘pre-school of jihad’ than a university.35

There is generally more agreement, not least among government agencies, on the importance of the Internet for the indoctrination, recruitment and radicalization of extremists. The Dutch domestic intelligence service, for example, describes it as the ‘turbocharger’ of radicalization,36 and in May 2007 the Saudi Interior Ministry claimed that the Internet was responsible for 80 per cent of the recruitment of youths for the jihad.37 In the UK, security agencies are described as fighting a ‘covert war in cyberspace against extremist Islamist Internet sites’.38 Recruiting has become such an important feature of cyberextremism that one ‘al-Qaeda jihadi Internet forum’ has uploaded a 51-page manual entitled ‘The Art of Recruitment’, intended to show how individuals can be drawn in and eventually establish an active jihadi cell.39 With so many resources available on the Internet, recruitment and radicalization are no longer simply a matter of ‘organizational pull’ but are also increasingly a matter of ‘individual push’, or self-recruitment and self-radicalization.40

Self-radicalization is an important and intriguing concept. Some extremist groups have advocated the establishment of disconnected, self-starting, independent terrorist cells, not linked directly to any network or hierarchy but able to carry out large-scale terrorist attacks. Abu Mus’ab al-Suri, author of The Global Islamic Resistance Call, is reported to have recommended that jihadist training should take place in ‘every house, every quarter and every village’.41 Out of this process, the so-called ‘home-grown terrorist’ can develop: a combination of anonymity and violent potential which is a cause of concern for Western intelligence and counter-terrorist agencies. Self-radicalization also suggests that for extremists the Internet is both much more and, curiously, much less than a global communications network. It offers a way not only to proliferate but also to ‘atomize’

ideas’. ‘Twentieth century insurgency’, writes Steven Metz, ‘sought to eject the state from space it controlled, usually physical territory. Contemporary insurgency is a competition for uncontrolled spaces.’46 Terrorism and insurgency are distinct but in many functional respects are closely related forms of ideological and political extremism. As the recently published US Army and Marine Corps Counterinsurgency Field Manual makes clear, much that could be said of cyberterrorism could also be said of cyberinsurgency:

Interconnectedness and information technology are new aspects of this contemporary wave of insurgencies
Using 42 the global jihad can be the Internet insurgents can now link virtually with allied achieved in other words without the continued require- groups throughout a state a region and even the entire ment for elaborate communications networks and a well- world Insurgents often join loose organizations with organized global command structure Widely dispersed common objectives but different motivations and no and self-radicalized jihadists are brought together in a central controlling body which makes identifying leaders ‘global Islamic movement fighting to defend the global difficult 47 the extremist campaign ummah or community from a common enemy ’43 By this ingenious route the extremist message is adopted and implemented by self-radicalized individuals who are then connected with each other less through the infrastruc- Cyberthreat domain no 3 serious and organized crime ture of command control and communications than through a simple common cause The Internet has become a hub of personal political and Once radicalized and trained in this way extremists can commercial activity as well as a vitally important medium then find that the Internet continues to be useful as a for financial and intellectual transactions It should come weapon In the clearest illustration of this trend there are as no surprise therefore that criminal interest in the those extremists for whom it has become a ‘battle space’ in Internet has developed accordingly With the capacity to its own right a territory in which a ‘virtual jihad’ can be transmit several hundred billion dollars of economic value fought by via the Internet infrastructure and other IT systems every commenting upon reproducing and distributing the day the cyberworld has become a tempting and lucrative thoughts of terrorist leaders by collecting and distributing target for the modern criminal enterprise By one estimate open-source information useful to operational planners there were for example some 255 800 cases of online 
and by taking part in more active measures such as financial fraud in the UK in 2007 with losses amounting hacking and ‘denial of service’ attacks ‘These self- to £535 million 48 Many technologies and software applica- appointed amplifiers of the violent Islamist message … tions are available to enable a wide range of criminal activ- choose to advance the cause not necessarily with guns but ities in cyberspace to be carried out But for cybersecurity These individuals might contribute 44 with propaganda ’ Others see the Internet as a more active policy-makers and planners the problem is not just quan- weapon enabling terrorists and insurgents to magnify the titative but also qualitative and evolutionary 49 As in other symbolic effect of their attacks 45 Clearly if the ‘infosphere’ areas of security and defence policy an action-reaction is indeed an ‘ungoverned space’ it is one where the cycle can be discerned whereby a given cybersecurity insurgent is determined to fight and win the ‘battle for measure will prompt a criminal attempt to defeat or bypass www chathamhouse org uk 7 Cyberspace and the National Security of the United Kingdom it which in turn will be met by a countermeasure of some between US$169bn and US$204bn and in 2005 the cost of sort and so on In these circumstances any description of spam transmissions alone was US$17bn in the US cybercriminal activities – such as that which follows – can US$2 5bn in the UK and US$1 6bn in Canada 55 It is not at best be illustrative rather then definitive inconceivable that an ICT-aware extremist group could In their biannual Global Internet Security Threat Report use these techniques to overwhelm sections of the Internet the Symantec Corporation describes the variety of tools in order to reduce significantly the performance of the and systems which are used to criminal ends the vigour Internet as a whole and by so doing marginalize its with which they are being deployed and the main targets business benefit of this 
activity Basic spam – which may amount to as 50 It is of course important to understand how cybercrime much as 94 per cent of monitored email traffic – can be can be carried out and to what effect not least in order used to deliver viruses and Trojans and as a vehicle for that appropriate countermeasures can be devised and ‘phishing’ operations some 80 per cent of which occurred implemented But as a ‘cyberthreat domain’ serious and 51 in the financial sector in 2007 Symantec detected over organized crime is rather more than the sum of the activi- 700 000 new ‘malware’ malicious software threats in ties described above The first step towards a closer 2007 This represented a vast increase in such activity over awareness of the implications of serious and organized previous years which they attributed to ‘the increasing crime for cybersecurity is to understand what is meant by professionalization of malicious code and the existence of the term – and what is not The meaning of ‘crime’ is organizations that employ programmers dedicated to the obvious enough the acquisition of wealth or some other production of these threats’ The goal of all this activity form of benefit through illegal means such as theft deceit seems clear enough ‘Many of these threats can be used for or extortion ‘Organized crime’ is less easily defined The financial gain by performing actions such as stealing confi- United Nations Convention against Transnational dential information that can be sold online These Organized Crime defines an ‘organized criminal group’ in proceeds can then be used to pay the programmers to the following somewhat vague terms 52 continue creating new threats ’ Black market forums such as ShadowCrew and Darkmarket have used underground A structured group of three or more persons existing for a economy computer servers for a variety of data-brokering period of time and acting in concert with the aim of activities buying and selling stolen bank account details committing one 
or more serious crimes or offences estab- government-issued identity numbers credit card details lished in accordance with this Convention in order to personal identification numbers and email address lists In obtain directly or indirectly a financial or other material the ‘TJX hack’ between 2005 and January 2007 for benefit … ‘Structured group’ shall mean a group that is example a sophisticated criminal operation was able to not randomly formed for the immediate commission of an 53 steal at least 47 5 million credit card numbers Networks offence and that does not need to have formally defined of compromised computers – also known as ‘botnets’ – are roles for its members continuity of its membership or a also traded Symantec detected almost 62 000 bot-infected developed structure 56 computers active every day from July to December 2007 Botnets can be used to distribute spam and malware can ‘Serious crime’ is a clearer concept In England and Wales provide a convincing framework for a phishing campaign for example serious crimes are listed in the Serious Crime and can be used for large-scale denial of service attacks Act 2007 and include trafficking in people drugs and The rewards for all this effort can be extraordinary A arms prostitution and child sex armed robbery and a single botnet campaign uncovered by the FBI in 2007 wide range of financially-motivated crimes These last caused losses estimated at over US$20m 8 54 In 2004 include money-laundering fraud ‘offences in relation to according to the British-North America Committee the public revenue’ corruption and bribery counterfeiting cost to business globally of malware and viruses was blackmail and intellectual property offences 57 As far as the www chathamhouse org uk Cyberthreats analysis of cybersecurity is concerned it is significant that scale fraud operation using the simple expedient of the majority of these serious crimes could either be under- having teams of runners available to make illegal ATM taken 
in cyberspace or be assisted by some form of cyber- cash withdrawals from their victims’ bank accounts 58 For activity But a simple read-across from real world to virtual many years businesses with a dominant Internet presence world does not provide the most accurate explanation of such as eBay CNN Yahoo and Amazon have all experi- the emergence of serious organized crime as a ‘cyberthreat enced denial of service attacks through the receipt of tens domain’ If cybersecurity policy and countermeasures are of thousands of common junk messages 59 And in 2004 to be well positioned and effective then it must be the British Columbia Institute of Technology reported a acknowledged that in cyberspace ‘serious and organized tenfold increase since 2000 in malicious attacks on crime’ not only loses some of its coherence as an organ- process control systems affecting critical services such as izing concept it can also evolve in response to the unique power utilities sewage systems and wireless networks circumstances of cyberspace These attacks amounted to ‘significant safety environmental reputational and financial risks that organizations are running every day ’60 ‘ In 2004 the British Columbia Institute of Technology reported a When serious and organized crime ventures into cyberspace it can either continue more or less to conform to traditional definitions and understandings of the type tenfold increase since 2000 in seen in the UK Serious Crime Act or it can adapt to malicious attacks on process changed circumstances evolving into something new and control systems affecting critical services such as power utilities sewage systems and wireless ’ networks distinctive In other words as a ‘cyberthreat domain’ serious and organized crime can be manifested in two ways on the one hand a serious and organized criminal organization can make use of cyberspace in order to continue its criminal activities while on the other hand a new genre of serious and organized crime can evolve one 
that is unique to cyberspace Choo and Smith draw a distinction between ‘traditional organized criminal In the first place it is not the case that all cyberspace groups’ and ‘organized cybercriminal groups’ 61 crime must be ‘organized’ before it can be considered Cybersecurity policy which overlooks this distinction and ‘serious’ nor indeed that organized cyberspace crime which assumes cybercriminality to be a unitary mono- must necessarily use the most sophisticated means An lithic threat will almost certainly lack the focus necessary illustration of this is offered by low-level computer for effective planning misuse which can be either an individual and individu- Serious criminal groups such as the Asian triads the alistic activity or orchestrated at some level in order to Japanese Yakuza and East European organizations may achieve a more dramatic and public effect The central exploit cyberspace for a variety of fairly predictable point to note is that whatever the level of organization at purposes including money-laundering drug-trafficking which it takes place low-level activity and misuse of this extortion credit card and ATM fraud software piracy sort can be associated with very serious cyber-based industrial espionage counterfeit documentation and so criminality For example individual hackers discussed on 62 This phenomenon has usefully been described as ‘the more fully in the following section can be drawn into the migration of real-world organized crime to cyberspace ’63 criminal gang culture using their skills to support drug- For groups of this sort cyberspace offers new opportuni- related and other crime When organized in call centres ties to acquire vast wealth very quickly In other words hackers can systematically set out to implement a large- technology-enabled crime is essentially a new means to a www chathamhouse org uk 9 Cyberspace and the National Security of the United Kingdom familiar end Secretive and highly effective organizations 
insignificant … strength is in software not in numbers such as these often capable of extreme violence to support of individuals ’67 Indeed there might be very little need or protect their activities present a serious challenge to for complex least of all hierarchical organization national law enforcement agencies particularly where Brenner argues that an elaborate organizational structure criminality crosses national borders ‘online crooks can should not be necessary for criminals to operate in a easily jump from one jurisdiction to another whereas the virtual world which can be created more or less as the authorities from different countries have yet to learn how user wishes Cyberspace is mutable what the cybercrim- 64 to co-operate’ But all is not lost for law enforcement inal needs therefore is agility and responsiveness rather agencies Although they may operate in the new world of than structure If cybercriminality does require some cyberspace groups such as the Yakuza retain many of their form of organization it need be no more than a ‘Mafia of traditional features such as a hierarchical structure built the moment’ which will disappear when no longer upon a culture of loyalty and belonging Groups such as needed 68 Cybercriminal groups will use sophisticated these are therefore to some extent predictable in their technology and will also have international coverage The organization and their interests and in what might loosely disruption of the Darkmarket forum saw arrests in the be described as their ‘business practices’ United Kingdom Germany Turkey and the United States and followed several years of investigative work The Deputy Director of the UK Serious Organised Crime ‘ Law enforcement will require a decentralized and devolved way of doing things in order to meet the threat at the moment it develops and wherever it does so ’ Agency described Darkmarket as ‘a one-stop shop for the online criminal’ before insisting ‘these aren’t geeks we’re talking about 
These are serious and organized criminals ’69 Cybercriminal groups are likely to adopt flatter nonhierarchical more networked and more occasional models of organization improving their ability to adapt rapidly to changing circumstances albeit making them more vulnerable to being cut off from any form of leader- The greater challenge to national and international law ship that may exist Nevertheless variable geometry of enforcement could be the organized cybercriminal this sort could also appeal to extremist groups drawn into group carrying out ‘third generation cybercrimes’ which criminality for one reason or another Such groups will 65 Groups in this value a structure which on the one hand is effective at category may have interests very similar to those of their wealth creation but on the other hand does not require a traditionally organized brethren although cybercrimi- cumbersome and traceable infrastructure The law nality might be more conducive to particularly furtive enforcement response to the threat of cybercriminality crimes such as paedophilia But cybercriminal organiza- must be similarly sophisticated and agile seeking to tions will place far less emphasis on physical strength and understand and anticipate the threat as it evolves appears the use of force and will be less concerned to develop an disappears and reappears Law enforcement will require a exclusive and extremely loyal membership As Choo and decentralized and devolved way of doing things in order Smith suggest the members of a cybercriminal organiza- to meet the threat at the moment it develops and are ‘wholly mediated by technology’ 66 10 tion might only ‘meet’ online The cybercriminal organ- wherever it does so It will also be essential not only that ization will typically be more pragmatic driven less by law enforcement agencies be able to cooperate across gang loyalty than by the need to bring the necessary tech- national boundaries but also that they remain open to the nological skills 
together at the right moment ‘In the possibility of a functional relationship between cyber- cyberworld’ suggests Brenner ‘physical strength is criminality and extremist groups www chathamhouse org uk Cyberthreats Cyberthreat domain no 4 lower-level individual crime youths seeking recreational stimulus The reality is that for the first six months of 2008 of all security breach incidents reported around the world only 23 per cent could be At the final point on the notional and non-hierarchical attributed to the activities of hackers 71 Nevertheless it is spectrum of cyberthreats we find the ‘script kiddie’ using clear that the consequences of individual hacking can be software tools devised and provided by others to intrude anything but low-level On some occasions the motive is into computer networks and his more sophisticated and far from recreational and the hacker concerned is revealed infamous cousin – the hacker In any analysis of computer to have been acting apparently with clear purpose in mind hacking a sense of balance is often difficult to maintain for Accused of hacking into scores of government computers some analysts hacking should be considered a more or less in 2001 and 2002 Glasgow-born Gary McKinnon discrete activity in cybersecurity but for others it lacks admitted to planning attacks in response to what he coherence is not particularly meaningful and is in no perceived to be the post-9 11‘terrorism’ sponsored by the sense equivalent to the much more serious cyberthreat United States McKinnon’s case also shows how govern- domains discussed above Yet as we have shown hacking ment responses to the activity of hackers can vary widely is often a central feature of these more serious When the UK National Hi-Tech Crime Unit NHTCU cyberthreats Hacking is also widely and erroneously seen tracked down McKinnon in 2002 he was informed that he among the media and in public opinion as the archetypical might face community service among the most lenient of 
cyberthreat For both reasons therefore a brief descrip- punishments available to the British courts That same tion of hacking is appropriate here year however although he had not been charged by the Stereotypically a troubled and or bored teenager with UK Crown Prosecution Service he was nevertheless a yawning gap where a normal social life should be the indicted by the United States government After an appeal hacker may actually be highly educated and skilled in process lasting up to 2008 McKinnon finally lost his case programming But he is motivated perversely to in the UK and the European Union and was set for extra- compete against himself and his peers using and testing dition to the United States 72 his skills to intrude into ICT networks either for his own The grave dangers associated with hacking are also amusement or to cause gratuitous disruption or damage acknowledged and dramatized in the world of fantasy and for petty theft or to acquire some celebrity within his fiction In the 1983 thriller War Games a teenage hacker peer group So-called ‘digital natives’ who have grown up from Seattle initiated a process which could have resulted with digital technology and the world of the Internet are in nothing less than the outbreak of ‘World War III’ had he thought to be anxious ‘to achieve geekdom immortality’ been unable to bring things to a halt This fictional account moving beyond mere ‘piracy and cheating’ in order to appears to have had an inspirational effect in a case of life 70 ‘create a headline-grabbing piece of … malware ’ A more reflecting art since the 1980s there have been numerous sinister version of the individual hacker might be a disap- media reports of teenagers hacking into supposedly secure pointed customer or a disaffected insider such as a sacked military and government systems This is a trend that employee who intrudes into his former employer’s seems set to continue network to seek revenge by causing damage or who colludes with 
outsiders as a result of coercion or bribery More serious still an individual hacker might see himself Summary acting on an international stage participating in a grand political or ideological campaign The four cyberthreat domains discussed here – state- The threat from hacking is often overstated and even sponsored cyberattacks ideological and political dramatized as if the global ICT infrastructure were close extremism serious and organized crime and lower- to destruction by the incessant efforts of networks of bored level individual crime – present a broad range of often www chathamhouse org uk 11 Cyberspace and the National Security of the United Kingdom interconnected hazards and risks with which security and governments it would appear that in some quarters policy-makers must contend Hacking is a relatively low- the Internet is increasingly viewed in straightforward and level and disorganized activity yet it can have very high- all too familiar terms as a strategic asset to be exploited level consequences and also features prominently in for the purposes of national security and perhaps even as other threat domains Serious and organized criminal a battlefield where strategic conflict can be won or lost misuse of the global ICT infrastructure is increasing in The central observation we draw is not simply that both quantitative and qualitative terms and at consider- increasing dependence on ICT infrastructure creates able cost to the global economy The Internet seems to fit vulnerabilities and opportunities to be exploited by the the requirements of ideological and political extremists unscrupulous but also that ICT has an increasingly particularly well and governments can only expect the important enabling function for serious and organized ‘ungoverned space’ of the global ‘infosphere’ to remain crime ideological and political extremism and possibly closely and bitterly contested Finally at the level of states even state-sponsored aggression 12 www 
3 Cybersecurity Practices and Principles

‘Cyberspace’ clearly means many different things to many very different constituencies. As we have shown, the global ICT infrastructure provides an efficient and effective networking tool for people and organizations. The unprecedented capacity for real-time communications has fostered a climate of spontaneity and entrepreneurialism in business, nationally and internationally. In political terms there is a republican quality to the electronic communications revolution; a global technological commons has been established,73 and the bars to entry are moving ever lower. As the Internet becomes more firmly embedded as a global public good, for some it even offers the prospect of a progressive realignment of global politics along cosmopolitan, liberal lines. But like any common good, cyberspace has also proved to be open to misuse. In Chapter 2 we have shown that however many benign uses there might be for the Internet, it is also open to misuse by hackers, criminals and extremists, and is even becoming seen as both a battlefield and a weapon in interstate conflict. Unfortunately, cyberspace seems especially conducive to uses and users of these sorts.

It follows that ‘cybersecurity’ must also have many different meanings, as various sectors of life and society seek to protect themselves and their interests from a range of potential harms. This is not to argue that ‘cybersecurity’ has so many meanings for so many people that it has become a meaningless and useless term. The opposite is true: cybersecurity means too much rather than being meaningless, and is used too often and too seriously for it to be useless. But when it is understood from many different perspectives, each of them valid and urgently felt, the general effect is one of disjointedness. If cybersecurity can only be understood in terms of this or that narrow context, then it becomes impossible to understand it as a strategic problem and to act accordingly. This is problematic, since in its many permutations cybersecurity represents a challenge to society as a whole, even though society appears unable or unwilling to respond in a similarly holistic manner. In this chapter we argue that a common conception of cybersecurity is necessary in order not only to understand the breadth and depth of the problem, but also as a basis for policy-making in the public and private sectors, and as the context in which individual responses can be informed and made. If governments, businesses and individuals are to make the best use of limited resources, and are to ensure that their decisions and actions complement rather than conflict with each other, then a common conception of cybersecurity will be essential.

We begin with a review of current initiatives and procedures in cybersecurity policy. We then outline a range of principles, both strategic and operational, according to which a more coherent cybersecurity policy might be shaped.

Cybersecurity: current practice

Cybersecurity has been conceptualized in several different ways and has prompted a wide range of policy responses. These responses can generally be described as ‘bottom-up’, insofar as they represent a unit-level response to perceived cybersecurity threats and challenges. The unit concerned may be an individual, but it may also be a commercial entity or a government department. The key point here is that the threat is perceived and analysed in the unit’s own terms, reflecting the unit’s interests and preferences, and the response is tailored by, and is proportionate to, the unit’s capabilities and expertise. We begin our description with the vast numbers of individual ICT users for whom the problem has been one of ensuring computer security and network security. At this low level, responses and solutions have been disconnected and often largely technical. Next to be considered are organizational efforts, both private-sector and governmental, to ensure information security and its close relative, information assurance. Finally, at the level of government as a whole, there is the approach known as Critical National Infrastructure Protection (CNIP).

Computer security and network security

For the individual user, cybersecurity is best understood as a combination of computer security and network security. Computer security is concerned with the protection of the system, both hardware and software, and the information it carries, from theft, corruption or interdiction. It can therefore involve both physical measures, such as limiting access to ICT systems and controlling the user base, as well as digital security enhancements, such as the creation of a secure ICT architecture and operating system and the use of secure coded software and anti-virus software. To an extent, the goal of computer security is to ensure security at the level of the component parts of the system. This approach should, as a consequence, improve the security of the ICT system as a whole. The computer security approach is largely protective and reactive, in that physical and digital security measures are designed either to limit unauthorized access or to react to a software vulnerability once it has been identified. It follows that in computer security a good deal of initiative must rest with the illicit actors, who can continue to devise political and digital intrusions until they find one which does not elicit a full-scale defensive response. A parallel can be found in the context of terrorism, where it is often said that the attacker need be lucky only once, whereas the defender must be lucky all of the time. In fact, a sophisticated terrorist attack would probably require the perpetrators to be ‘lucky’ on many occasions and in many different settings if their elaborate plan is to work.74 What might at least be said is that in computer security it seems to be the defender who has the most difficult time and whose resources are often of patchy quality. With regular updates required, in some cases daily, by most commercial off-the-shelf anti-virus software, for example, computer security is labour- and cost-intensive and inefficient. Furthermore, any security advantages are at best temporary victories.

Computer security is complemented by network security. When vulnerabilities arise – as they must – from connection to a network, it becomes necessary to safeguard ‘computer networks and the information they contain from damage or disruption.’75 Network security is achieved, once again, through a combination of physical measures to prevent unauthorized access to the network and to network-accessible resources and equipment, and electronic measures to protect the computing network infrastructure. Network security therefore encompasses a wide range of tools, including administrative and physical controls and, on the electronic side, firewalls, encryption and authentication software, anti-virus and intrusion-detection systems. These defensive, reactive measures are proving increasingly ineffective, however. According to a recent UK government assessment, UK companies can suffer many security breaches every day, and over 50 per cent of large businesses experience up to hundreds of attempts to break into their networks daily.76

Computer security and network security are serious and sophisticated approaches to cybersecurity, based on careful planning and preparation. Both approaches function essentially in the area of the so-called ‘known knowns’ – the source, seriousness and style of likely cyberattacks, the extent of vulnerability to such attacks and so on – and can offer effective responses within these parameters. But these responses are closely scripted, configured to meet certain types of challenge from certain quarters. Computer security and network security, with their combination of physical security protocols and technological security measures, will be less robust in the face of novel threats and so-called ‘wicked’ problems, and might be overwhelmed by a rapidly expanding array of security challenges. If cybersecurity is understood narrowly, in terms of the ‘bottom-up’ approach offered by computer security and network security, then the only conclusion to be drawn is that cybersecurity is by definition obsolescent.

There would seem to be two ways to avoid this trap. The US National Institute of Standards and Technology (NIST) has claimed that ‘Many of today’s tools and mechanisms for protecting against cyber attacks were designed with yesterday’s technology in mind.’77 The first option, therefore, might be to seek a ‘bottom-up, high-capacity’ approach whereby the most sophisticated cybersecurity capability is distributed to the lowest levels, including businesses and private individuals.

Something like this idea surfaced in an August 2008 report of the Science and Technology Committee of the House of Lords. The committee recorded the public perception of the Internet as ‘a lawless “wild west”’ and was uneasy that the UK government might have ‘distributed’ too much responsibility for cybersecurity to the under-equipped individual.78 This comment could, of course, lead to a very different judgment as to the best way to avoid obsolescence in cybersecurity. Rather than focus on improving the lot of the ‘under-equipped individual’ through the distribution of more sophisticated technology, the second option could be to reverse the distribution of responsibility, insisting instead that government and central authorities assume more control over, and responsibility for, the cybersecurity system as a whole. As we suggest generally in this report, both options – bottom-up improvements in technological capacity as well as top-down acceptance of more overall responsibility – must be part of an effective and durable cybersecurity regime.

Difficult questions then arise: how can responsibility for cybersecurity be distributed

Information security and information assurance

At one level, both the private commercial sector and national governments have adopted a technological approach to cybersecurity, usually summarized by the term information security (IS). Driven by the need to safeguard e-commerce, the private sector in particular has been concerned to protect information and information systems from unauthorized access and interference. A comprehensive definition of IS has been provided by the US government:

The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide — (a) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (b) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (c) availability, which means ensuring timely and reliable access to and use of information.79

Private-sector commercial IS has also been addressed by multilateral organizations.80 The European Union’s European Network and Information Security Agency (ENISA) initiative, for example, has focused on IS as a means to facilitate the flow of legitimate e-commerce. In Article 2 of ENISA’s charter the goal of the agency is described as enhancing ‘the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and to respond to network and information security problems.’81

With its primary concern to ensure the flow of data, IS embodies what might be termed an objective or quantitative approach to cybersecurity. Furthermore, IS concentrates on specific types of attack and, as with computer
between the private indi- security and network security is very largely a reactive vidual commercial and governmental domains And as posture Addressing a relatively narrow range of events far as public policy is concerned who within government and effects the IS model has less interest in underlying should take ownership of which aspects of the cybersecu- causes Arguably therefore IS has less to offer to the rity challenge charged with developing and articulating analysis and understanding of the global ICT infrastruc- policy ture as a whole and to the generation of a coherent www chathamhouse org uk 15 Cyberspace and the National Security of the United Kingdom comprehensive and above all anticipatory approach to cybersecurity 82 involved in IA-related activities it would seem that the United Kingdom has sought to adopt not only a qualitative Information assurance IA is usually understood to be very closely related to IS There are considerable overlaps but also a broad-spectrum approach to this aspect of cybersecurity in usage of the two terms and as a result some argue that they should be merged or that a new omnibus term should Critical National Infrastructure Protection be introduced Yet at least for the present the two expres- Critical National Infrastructure Protection CNIP is the sions do have somewhat different meanings If IS can be cross-governmental effort to protect vulnerable and inter- understood as a largely reactive policy of defence and connected national infrastructures covering a wide denial with an emphasis on technological and physical variety of services In the United Kingdom the inter- solutions to the security of data and data systems then IA departmental Centre for the Protection of National is more qualitative in both method and outcome Giving Infrastructure CPNI advises government and appro- some sense of this qualitative shift the UK Cabinet Office priate non-governmental agencies as well as those defines the goal of IA as ‘the confidence 
that information sections of commerce and industry whose services and systems will protect the information they handle and will products form part of the Critical National Infrastructure function as they need to when they need to under the CNI The UK government defines the CNI as those 83 16 control of legitimate users ’ IA takes an approach which is assets services and systems that support the economic more strategic than IS in that IA might for example political and social life of the UK whose importance is address the consequences of and the recovery from an such that any entire or partial loss or compromise could information attack and might offset i e accept a data cause large-scale loss of life could have a serious impact risk in one area by achieving a level of security in some on the national economy could have other ‘grave social other area IA should therefore be understood as the consequences’ or could be of immediate concern to the management of risk where the quality reliability and avail- national government The CPNI arose from a merger on ability of information are concerned using the standard 1 April 2007 of the National Security Advice Centre tools of mitigating excluding accepting or transferring NSAC and the National Infrastructure Security Co- risk and doing so cost-effectively As such IA should be ordination Centre NISCC both formerly part of the expected to make more of a contribution than the Security Service NSAC had been responsible for narrower IS approach to the development of cybersecurity providing advice on physical and personnel security strategy while NISCC’s task had been to provide advice and infor- Organizationally in the UK information assurance mation on computer network defence and information policy is driven by the Wider Information Assurance assurance Before the merger NISCC had joint accounta- Centre WIAC with policy implementation being under- bility to the Director of GCHQ and employed staff from taken by a variety of 
governmental bodies including the GCHQ’s Communications Electronics Security Group Central Sponsor for Information Assurance CSIA in the CESG By extending and formalizing this cross-depart- Cabinet Office the Centre for the Protection of National mental approach the CPNI incorporates physical Infrastructure the personnel and cybersecurity specialisms into a single Communications-Electronics Security Group CESG – the publicly acknowledged body The CPNI also works closely UK national technical authority for information assurance with the private sector and with international partner and a part of GCHQ the Government Communications organizations The CPNI thus provides security advice in Headquarters the Department for Business Enterprise both the physical and the virtual domains works within and Regulatory Reform BERR the Home Office and the and between governments acts as a bridge between the e-crime unit of the Serious and Organised Crime Agency public and the private sectors and has brought cybersecu- SOCA With so many agencies and departments rity more into the mainstream of security policy 84 CPNI – www chathamhouse org uk discussed below Cybersecurity Practices and Principles Strategic principles of cybersecurity could be made other than in a climate of transparency and accountability Effective and durable governance of cyber- A general policy for cybersecurity would be one which space requires a shared awareness which might alterna- enables the alignment of the various concerns interests and tively be described as a culture of cybersecurity Drawn up approaches operating in the realm of cybersecurity the indi- in 2002 the OECD Guidelines for the Security of vidual the corporate and the national the technical the Information Systems and Networks emphasize the need to political and the economic the bottom-up ‘tactical’ with the move away from technological concerns and definitions top-down ‘strategic’ and the public with the private One towards an understanding of 
the broader environment way to achieve alignment across and within all sectors might The OECD Guidelines describe this environment as a be to make one perspective national security for example culture of security in which ‘due account’ is taken ‘of the the priority and organize all others around it We argue interests of all participants and the nature of the systems however that the foundation of a more integrated and robust networks and related services’ and in which action is cybersecurity regime requires a common conception of guided by nine principles among them ‘awareness’ cybersecurity – both the problem and responses to it At the ‘responsibility’ ‘ethics’ and ‘democracy’ 85 strategic level a common approach to cybersecurity can be encouraged by observing the principles of governance Management management and inclusiveness Cyberspace could be described albeit not calculated as the sum of countless interactions among countless users of Governance the global ICT infrastructure To achieve absolute perfect The governance of cybersecurity should consider three security in cyberspace would require all malign users and things First cybersecurity should have a normative components to be identified and isolated and certain dimension That is to say policy should be configured in interactions to be interdicted But to do so – even if it were such a way that it privileges legitimate users while possible – would be to contradict the very essence of increasing the costs for illegitimate users Second cyber- cyberspace as a technological global commons a world- security should have a collective dimension involving as wide ‘republic’ of communications and information many legitimate stakeholders and agencies as necessary exchange According to Vinton Cerf popularly known as and feasible Clearly where openings remain in critical the ‘father of the Internet’ ‘if every jurisdiction in the infrastructure protection or in information assurance world insisted on some form of 
filtering for its particular these are likely to be sought out and exploited by criminals geographic territory the web would stop functioning’ 86 If and aggressors The protective fence must in other words perfection is not feasible – and perhaps not even desirable be unbroken and of uniform height A collective approach given the constraining effect it would have on the Internet will also mean that cybersecurity becomes a self-rein- – then the requirement must be to manage rather than forcing dynamic environment if each participant can eliminate threats and risks which come from cyberspace learn from the experience of others the sum of cybersecu- Furthermore rather than hope in vain to anticipate every rity should increase As well as the normative and the imaginable cybersecurity contingency a more mature collective there is also a quantitative dimension to the approach would be to devise a cybersecurity regime which governance of cybersecurity in that cyberspace and its has the flexibility and durability to meet contingencies as myriad uses remains a vast complex and constantly they develop Cybersecurity thus becomes a matter of risk evolving phenomenon which cannot be controlled management managed or even overseen by any one user or stakeholder Risk can be defined as a compound of threat or natural By this analysis the governance of cybersecurity amounts hazard vulnerability and impact Where cybersecurity is to a self-governing effort by a wide range of legitimate users concerned risk must be understood in the broadest of cyberspace and it is difficult to see how such an effort possible sense and at the level of society as a whole as ‘the www chathamhouse org uk 17 Cyberspace and the National Security of the United Kingdom potential that a given threat will exploit vulnerabilities of then the policy process will have excluded those who could an asset or group of assets and thereby cause harm to the have a central and decisive role in the evolution adapta- 87 
organization ’ Risk management in this context becomes tion and effectiveness of cybersecurity policy a matter of identifying ICT vulnerabilities and potential threats or harms followed by an assessment of countermeasures and the assignment of ‘differential and often limited resources to sometimes incompatible priorities’ 88 ‘ As cyberspace evolves so the in order to reduce either likelihood or impact or a combi- threats and challenges which nation of both The goal of risk management is to reduce emanate from it should also be risk to an acceptable level by mitigating excluding trans- expected to evolve ferring or accepting risk and by doing so to improve the ’ prospects for security Risk management is necessarily an iterative process countermeasures must be constantly reevaluated as new assets emerge as priorities and vulnera- Understanding the intersection between the technical bilities change and as threats evolve And clearly where the the social and the political goes to the heart of the assignment of scarce resources is involved a balance must problem of solving or even merely mitigating the be struck between the cost and the effectiveness of a given problem of cybersecurity Cyberspace is better under- countermeasure and the value of the asset being stood as a global information and communication envi- protected Furthermore in a complex network environ- ronment where technology is not only an entry point to ment the risk reward evaluation by one actor must be set the debate but also a vitally important driver of change against the possibly very different risk reward calculus of Cyberspace is a diverse arrangement of technology other actors products collaborative environments and applications These elements all interact in a constantly evolving 18 Inclusiveness system which is largely dynamic and unpredictable Given its technological sophistication the rapidity of its Furthermore this system is driven by a vast and diverse evolution and the diversity of its 
user base the global array of stakeholders – some more benign than others – information infrastructure could be described as an over- including individual users ad hoc communities the whelmingly complex problem for analysts industrialists private sector the public sector the national security and policy-makers alike The complexity of cybersecurity community and of course the ‘technorati’ Self-evidently can result in a preference for a largely technical language technology contributes considerably to the evolution of where awkward and unpredictable political nuance can be cyberspace And as cyberspace evolves so the threats and kept at bay This tendency should be avoided where challenges which emanate from it should also be possible Although cybersecurity is to a considerable expected to evolve In order to understand and ideally to extent a matter of technology technology alone is not a anticipate these shifts in cyberspace and in the nature of sufficient basis for policy an approach to cybersecurity threats and challenges to society there is a convincing which is entirely or largely technological might lack the case for involving the ‘technorati’ yet more closely in the breadth necessary to ensure the broadest possible under- development and implementation of policy even at the standing of participation in and response to cybersecurity highest levels of national security They are after all challenges Yet cybersecurity policy which deliberately those most likely to understand developments in cyber- marginalizes those with technological expertise – the so- space and involving them more closely should lead in called ‘technorati’ – makes the equal and opposite error If the policy process to a clearer understanding not only of the preferred response to complexity is to simplify and to the ways in which cyberspace is likely to evolve but also reduce the problem to more manageable components of the threats and challenges that might emanate from it www chathamhouse org uk 
Furthermore, if for their part the ‘technorati’ can develop a clearer sense of the constraints and requirements of national security, it might even be possible to steer the evolution of cyberspace in more benign directions.

Operational principles of cybersecurity

We have argued that the first step towards a common conception of cybersecurity is to agree upon a set of principles – discussed above – by which strategy can be guided. Policy coherence at the strategic level can nevertheless be undermined by inconsistencies in implementation. At the operational or implementation level, various additional principles might be identified, such as agility and initiative, actor neutrality and risk management.

Agility and initiative

The range of cyberthreats is so broad, and mutates so quickly, that a static, defensive stance (an ‘electronic Maginot Line’) will mean two things. First, the agile and intelligent cyberadversary will enjoy a good deal of initiative in the struggle, and will not have had to compete particularly vigorously to gain that initiative – a relatively docile and complacent opponent will have surrendered it. Second, the response to cyberthreats will be reactive rather than anticipatory or pre-emptive. In other words, the point at which society, the commercial sector and individuals begin to address cyberthreats is the point at which those threats are fully formed and at their most potent. Cybersecurity policy should therefore seek as much agility in implementation as can be achieved, and should focus on winning and maintaining the initiative.

Actor neutrality

In terms both of threat and response, an ‘actor neutral’ approach to cybersecurity can help to ensure that energy and resources are applied promptly and efficiently, and where they can be of most benefit. With a diverse and evolving set of cyberadversaries, it is arguably less important to know the identity and ambitions of the adversary than to know what an adversary (any adversary) could do, and to have the policies, procedures and equipment necessary to meet or anticipate that challenge, whatever the source and whenever it occurs. This approach is borrowed from the ‘capability-based’ (as opposed to ‘threat-based’) approach to military planning. As far as the nature of the response is concerned, at the very least it is essential to move away from definitions of cybersecurity which correspond to the roles and interests of this or that department of government or private-sector concern, towards a common management of the problem. One way to encourage a more standard and inclusive response to cybersecurity challenges would be, once again, to focus less on the identity of the adversary and more on those elements of the risk equation – vulnerability and impact – which society itself can do most to mitigate.

Risk management

It would not be reasonable to expect to eliminate all cyberthreats permanently: threats are diverse and constantly evolving, and it will be impossible to filter out all criminal or hostile use (actual or potential) of the global ICT infrastructure. This situation is in part caused by widespread dependence on ICT: a global public good has been created, and the barriers to entry are low, if not non-existent. Dependence cannot be eliminated, and neither, consequently, can exposure and vulnerability to cyberthreats. If threat, dependency and vulnerability cannot be excluded, they can nevertheless be managed. A risk management approach to cybersecurity would:

- Indicate that legitimate use of ICT cannot be assumed to be free of plausible adverse consequences.
- Enable cybersecurity to be assessed on the basis of proportionality: perceived benefits can be set against possible penalties, and benefits can therefore be prioritized.
- Encourage agility and adaptability: as cybersecurity challenges evolve, priorities can be recalibrated.
- Allow cybersecurity policy to be framed at a system level, with risks and dangers in one sector being offset by benefits and advantages in another.
Summary

As described in Chapter 2, hacking, cybercriminality, terrorism and insurgency, and cyberaggression are all features of what amounts to a system-level challenge to society. This is problematic, essentially because society itself does not act and respond as a coherent system where cybersecurity is concerned. Stakeholders remain segregated and concerned with security within their narrow ambit, and as a result fail to see that they can be affected by another stakeholder’s security, or lack of it. Thus the business community can be narrowly focused on cybercrime, even though cybercriminality increasingly exploits techniques and technology which have migrated from the world of espionage, for example. Equally, anti-government hackers have been known to use the techniques of cybercriminals. The first step in meeting this general challenge would be to accept, in principle, that cybersecurity policy can and should be extended beyond its default settings: the largely reactive and ‘bottom-up’ or sectoral concerns with computer and network security, information security and assurance, and the protection of critical national infrastructure. The second step should be to base cybersecurity policy on an agreed set of strategic and operational principles, with the following objectives: to turn cyberspace from a permissive, ungoverned environment into a self-governing network; to heighten the costs of use by illicit actors; to encourage a comprehensive and inclusive understanding of cybersecurity across society; and to facilitate and assure legitimate use of the global ICT infrastructure. The breadth of the cybersecurity challenge is such that modern society could be said to be threatened comprehensively, or systemically. A system-level response will be necessary to meet a system-level threat, in order that the activities of different agencies and bodies complement each other and are mutually reinforcing, rather than conflicting. Yet an approach to cybersecurity which draws in a very wide range of agencies and organizations, conceivably from all sectors of society, including scientific and technical experts, is scarcely one which will be susceptible to central direction. There is a need, therefore, for approaches at the strategic and operational levels which are to a large extent self-informed, self-governing and spontaneous, yet which form part of an overall, mutually agreed framework or regime.

4 A National Cybersecurity Regime

We have described cybersecurity as a problem in two parts. In the first place, dependence on ICT on the part of governments, commercial enterprises and individuals creates vulnerability. And as dependence increases in the global information revolution, so too does vulnerability. The second part of the problem is the dilemma of the technological commons. Criminals, terrorists and other miscreants are all able to exploit the same ICT networks and systems on which legitimate users depend, in order to attack those users in some way. The dilemma is clear: a restrictive approach to the global technological commons might narrow the scope of action of illegitimate users, but it would also constrain the behaviour of legitimate users, for whom a permissive and perhaps even unregulated ICT environment would be preferable. In these circumstances it becomes difficult for legitimate users to move beyond a passive or self-preserving stance whereby illegitimate users are tolerated as the inevitable corollary of legitimate uses of the commons. As a result, cybersecurity postures have generally, but not exclusively, focused on defensive capabilities intended to protect individual users and lawful businesses against the damage caused by hackers, identity thieves, cyberbrokers and so on.

As the information revolution progresses, cybersecurity must be understood as more than a list of threats to be reviewed and amended from time to time, more than a problem of technology or engineering and, above all, more than a matter largely of defence and self-preservation. We contend that a new approach to cybersecurity will be required, one which is both more inclusive and more active. The case for an inclusive approach was set out in the previous chapter, with the argument for a common conception of cybersecurity. We show in this chapter how this common conception becomes the basis of a national cybersecurity regime. By this approach the dual problem of cybersecurity – the relationship between dependency and vulnerability, and the dilemma of the technological commons – can be turned from weakness into strength. We make this argument in three steps, drawing on the experience of the United Kingdom. First, we show how a common, national conception of cybersecurity can be achieved by making use of the United Kingdom’s National Risk Register. Second, we show how this common conception might then be given substance as an active strategy for cybersecurity. And finally, we show how this strategy might be operationalized in the form of business process analysis and interdiction.

The United Kingdom National Risk Register

A useful basis for a common understanding of, and common approach to, cybersecurity is provided by the UK Cabinet Office’s National Risk Register, published in August 2008.89 Within its first pages the National Risk Register provides a visual representation of relative likelihood and impact of ‘high consequence risks facing the United Kingdom’. The authors of the document are cautious, making clear that ‘due to the nature of the risks contained within each grouping, it is not possible to represent an exact comparison but only to give an idea of the position of each group of risks relative to others in terms of likelihood and impact.’90 Nevertheless, in spite of their caution, the result is a straightforward and useful graphic, reproduced in Figure 1.

[Figure 1: UK National Risk Register high-consequence risks, plotted by relative impact (low to high) against relative likelihood (low to high). Risks shown: Pandemic influenza; Coastal flooding; Major industrial accidents; Major transport accidents; Attacks on critical infrastructure; Inland flooding; Attacks on crowded places; Non-conventional attacks; Attacks on transport; Severe weather; Animal disease; Electronic attacks. Note: Excluding CBRN terrorism. Source: UK Cabinet Office, National Risk Register (London: Cabinet Office, 2008), p. 5.]

There are several things to be said of this graphic, both presentational and substantive. First, it illustrates the breadth of security challenges with which society might be confronted and, as such, provides the basis for a common understanding of vulnerability. Second, it offers a societal rather than a sectoral view of security and is consistent with a cross-governmental or ‘comprehensive’ approach to national security. It touches on most concerns and functions of modern government, including economic performance, transport and logistics, food supply, security and defence, industry, environment and coastguard, and public health. Given that the National Risk Register is produced by the UK Cabinet Office, it could also be described as an approach to security management which is informed, but not driven, by central government, and in this respect it is more likely to complement than contradict the ‘bottom-up’ approaches to security described in Chapter 3.

More substantively, this graphic offers a generic and flexible approach to national security analysis and management, rather than a more rigid model focused on a given threat or range of threats. It allows risks to be moved around or deleted, and new risks to be added as they become apparent: what matters is the idea of risk, and that risk can be identified, graded and managed rationally and proportionately. The graphic also has merit as a visually accessible risk management tool. By setting impact against likelihood (the definition of risk), it encourages prioritization not only of threats (man-made) and hazards (natural) but also of responses. Thus pandemic influenza is not only the most serious risk represented here, it is also, self-evidently, the risk which requires an urgent and high-level response. The graphic also provides a framework with which to consider whether those ‘high consequence risks’ which are relatively less likely, or which would have relatively less impact, could be managed by mitigating, excluding, transferring or accepting the risk. Finally, and most significantly, as a national risk management tool the National Risk Register provides not merely a common sense of vulnerability but also a common, multi-stakeholder conception of national security.

How might this common conception be applied to cybersecurity? On the assumption that the relative positioning of the various risks is reviewed from time to time, we consider that the review process could also cover the cyberdependency of each risk, through the simple expedient of a shading system. Cyberdependency can be interpreted here from two perspectives. First, there is a level of cyberdependency associated with the activities of governments, businesses or individuals in each of the risk areas that requires a level of protection. Second, there is also a level of cyberdependency in the response to that risk. These can both be represented in the following way. In Figure 2, the cyberdependency of stakeholders’ activities and functions can be represented by the shading on the left of each risk, while the cyberdependency of their response can be represented on the right. Thus ‘electronic attacks’ will expose varying degrees of cyberdependency: in this example a stakeholder’s cyberdependency might be medium (shown in blue to the left), while the response might be highly cyberdependent (shown in grey to the right). Pandemic influenza might also expose cyberdependency, but at a medium level (coloured blue): some key ICT workers might be incapacitated by the epidemic, and ICT networks might experience greater demand than usual as efforts are made to manage the epidemic effectively. In this example both sides of the risk would be coloured blue. Finally, animal disease might have little effect on the cyberinfrastructure and might not cause much additional demand on ICT capacity; it could therefore be shown in white, for low cyberdependency in both function and response.

Figure 2 could have a number of uses in cybersecurity analysis and response. First, it establishes and locates the idea of cyberdependency within the broad field of national security analysis and policy-making. The model could also assist in the development of a common operating picture for cybersecurity. Government departments and agencies, and commercial organizations, could be invited to contribute to and improve the model by providing advice as to cyberdependency in those risk packages with which they are most concerned. Third, the model allows cybersecurity effort to be prioritized. The priority for cybersecurity efforts could be those risk packages which show a combination of high impact, high likelihood and high cyberdependency – i.e. ‘Attacks on critical infrastructure’ and ‘Non-conventional attacks’. Next in importance could be those risk packages which are highly cyberdependent and either high impact or high likelihood – i.e. ‘Electronic attacks’. The model then provides a broader framework for cost-benefit analysis in cybersecurity responses. Given limited financial resources, governments, businesses and individuals could address and prioritize those risk packages which show medium cyberdependency. It should be possible to assess the cost of a given cybersecurity effort against expected benefit within each risk package, and then to make an overall assessment across the model as a whole. Thus, if a cybersecurity effort in ‘Coastal flooding’ would be high-cost but of marginal benefit, it could take second place to ‘Attacks on transport’, where the opposite
calculation might have been made. Finally, the model is versatile: it could be scaled down to meet the requirements of regional or local government, or scaled up to the inter-governmental level (e.g. the EU), and the model is also transferable between public and private sector, for example.

[Figure 2: High-consequence risks illustrating cyberdependency. Axes: relative impact (low to high) against relative likelihood (low to high); cyberdependency key: High, Medium, Nil. Risks plotted: Pandemic influenza, Coastal flooding, Major industrial accidents, Major transport accidents, Inland flooding, Attacks on critical infrastructure, Attacks on crowded places, Non-conventional attacks, Attacks on transport, Severe weather, Animal disease, Electronic attacks. Figure note: Excluding CBRN terrorism. Source: UK Cabinet Office, National Risk Register, London, Cabinet Office, 2008, p. 5.]

An active strategy for cybersecurity

Cybersecurity, as we have argued throughout this paper, is much more than a traditional problem of national security or of conventional military defence. Nevertheless, if the language of conventional warfare were to be applied to cybersecurity, society could be described as being engaged in a long-term attritional conflict (i.e. trench warfare), but against a weaker adversary which acts differently (i.e. ‘asymmetrically’), which is flexible and which moves too fast for the mechanics of a highly structured response to interdict. In conventional military terms this would not be considered a favourable battlefield encounter. Accordingly, at its simplest, what is required is for society to transform its ability to match, or better still to overtake, the speed of the opponent and thereby to seize the initiative. However, a more detailed analysis of the conflict space is required. Since society is resource-limited and cannot afford (and probably would not want) a broad-spectrum approach to cyberspace denial, it must instead focus its most appropriate capabilities against critical elements of illegitimate organizations and structures. And the problem of the global technological commons should always, of course, be borne in mind: any initiative that impinges unnecessarily on legitimate use of cyberspace will be met with significant disapproval and possibly defection.

An active strategy for cybersecurity can be developed in a series of steps: by establishing an agile organization for cybersecurity, by articulating a national cybersecurity doctrine, by careful planning and deconfliction, and finally through responsiveness.

Agile organization

Chapter 2 describes a wide range of cybersecurity threats and challenges, many of them well known and observable, and covered in detail by the media. These activities are also acknowledged in a corresponding range of security measures and protocols put in place by public and private authorities, and described in Chapter 3. Yet for all the awareness of the cybersecurity problem, and for all the breadth and complexity of the countermeasures, it cannot yet be said that comprehensive, counterbalancing cybersecurity policies are fully operational. Society, broadly understood, is of course becoming progressively more engaged in the cybersecurity problem. But so far that engagement has been largely passive, defensive and uncoordinated; both ‘agility’ and ‘organization’ seem in short supply. With the exception of some national and classified capabilities related to ‘information operations’ and associated with military capability, there are few offensive capabilities that can be directed in a timely fashion against the broad range of cyberadversaries. Exceptions to the rule would include self-starting, unregulated groups such as the Internet Haganah,[91] along with others such as right-wing Christian organizations which, in the absence of government-led operations, are combating Islamist-related cyber campaigns on their own initiative. In terms both of scope and of substance, however, efforts of this sort can scarcely be said to represent society’s best response to the challenge of cybersecurity.

While cybersecurity strategies lack agility and organization, the problem is compounded. A passive stance on the part of society permits faster-thinking, faster-moving and unregulated actors to dominate cyberspace, operating essentially on their own terms. These people, groups and gangs have almost unlimited freedom of manoeuvre. Being unencumbered by any requirement to comply with legislative or operational protocols, they can be opportunistic and dynamic. While society reacts defensively, cyberadversaries, at whatever level they operate, can achieve significant operational advantages in the virtual world because their decision/action cycle (the so-called ‘OODA loop’: Observe, Orient, Decide, Act[92]) is significantly faster and much less complicated than that of public authorities or commercial bodies, and operates relatively free of interference from these bodies.

The goal of an agile and active organization should be to limit cyberadversaries’ use of the technological commons – the global ICT infrastructure – while at the same time ensuring that the commons remain accessible to legitimate users. This goal can be achieved in three ways: first, by making illegal activity so dangerous or costly that cyberadversaries abandon their cause altogether; second, by forcing cyberadversaries to abandon cyberspace and to continue their illicit activities in the physical world, where they will be more vulnerable to observation and interdiction by security and law enforcement agencies; and finally, by disrupting adversaries’ activities within cyberspace in order to lengthen their decision/action cycle, making them more susceptible to intelligence oversight and making it possible for security and law enforcement agencies to decide and act faster than their adversaries. If these goals are to be achieved (and the overall effect required will probably be some combination of the three outcomes), then law-abiding entities (commercial, leisure or academic, for example) should be able to continue to use cyberspace with minimal fear of inadvertent disruption caused by over-regulation of the environment. In other words, one of the principal aims of a cybersecurity strategy should be to reduce both harmful effects to, and unnecessary constraints upon, the information environment.

The current UK response to the exploitation of cyberspace by adversaries lacks both agility and organization, making it difficult to achieve these goals systematically and efficiently. Governmentally, the response is more multi-agency than inter-departmental: a characteristically ‘stovepiped’ posture, with different agencies responding in different ways to different perceptions of cybersecurity. There have recently been attempts at a more coordinated effort, not least the creation in April 2007 of the Centre for the Protection of National Infrastructure (CPNI), described in Chapter 3. Yet while there is certainly enough defensive capability available (in the CPNI itself, in the use of Original Equipment Manufacturer’s (OEM) licences for technology, and in self-help precautions for individual ICT users), there is no national-level capability, at least in the law enforcement domain, that is able to take the initiative to the adversary, other than some limited examples in child protection and counter-terrorism intelligence operations. Significantly, Service Oriented Architectures (SOA), in which larger systems are composed of more numerous but less tightly coupled ‘Lego bricks’ of computing capability, have emerged as a practical instrument to reduce stovepiping among stakeholder groups, although the full potential of this initiative does not yet appear to have been exploited in the cybersecurity domain.

In cybersecurity, organization is a prerequisite for agility; without it, interaction between stakeholders and actors will be inefficient and ineffective. The various agencies and bodies involved, public and private, will find that they do not operate with the same aim and in accordance with the same set of principles. Planning and preparation will be limited in scope, with operations conducted at best on an ad hoc basis. One way to counter this problem and to achieve a more organized and disciplined approach would be to establish a primus inter pares among the various organizations concerned with cybersecurity; in the UK this would include the Police service, HM Revenue and Customs, the Border Agency, the Serious Organised Crime Agency, the Security Service, the intelligence services and several others. The purpose of such an exercise would be to articulate a unified, cross-governmental plan for cybersecurity, to be implemented by all agencies involved. We argue, however, that this approach would not be conducive to agility in cybersecurity; a centrally organized plan for cybersecurity is likely to be too elaborate and bureaucratized, too inflexible and unable to keep pace with events. A better approach would be to organize a national cybersecurity posture around concepts, and perhaps even ethics, rather than around bureaucratic structures and hierarchies. The UK may already have an appropriate policy vehicle in the form of the Transformational Government initiative. This is intended to formalize ICT interoperability along the lines of SOA principles in order to focus better on the users of IT (i.e. those who use IT to support their business processes) rather than upon IT suppliers.[93] An approach of this sort would require that interoperable IT architectures support, rather than drive, a business process-led policy, which would in turn encompass doctrine, planning and deconfliction, and responsiveness, to which we now turn.

Cybersecurity doctrine

To a large extent, doctrine is a matter of intellectual discipline and consistency. Thus a national cybersecurity doctrine would seek to standardize analytical and decision-making methodologies, both horizontally across the spectrum of governmental activity and vertically from
the highest level (i.e. strategic) down to the lowest (i.e. tactical or individual). But the more important question, to which doctrine provides the framework of an answer, is not ‘How is this to be done?’ but ‘Why?’ Doctrine would therefore make explicit the fundamental principles by which the various responding agencies’ actions would be guided, in support of national objectives. If cybersecurity doctrine could be made a national priority, it should have the effect of promoting both joint activity and understanding between governmental ‘stovepipes’, leveraging best practice currently retained (and in some cases hidden) within separate departments and agencies, and would connect the cybersecurity efforts of governmental agencies and non-governmental bodies such as commercial firms. It would of course be necessary for doctrine to be consistent with the body of UK security policy, particularly the National Security Strategy, and to shadow closely any operational plans currently undergoing development or revision; in the UK’s case, the National Security Strategy itself, as well as the Pursue, Prevent and Protect capability strands in CONTEST – the UK counter-terrorism strategy.

Doctrine should be concise and generally comprehensible, setting out broad principles to allow maximum flexibility as the cybersecurity scenario progresses. Consistent with the basic principles of risk management, the core of a national cybersecurity doctrine might be a list of methods and objectives intended to guide cybersecurity policy and operations, such as the following:

To raise the costs so that adversaries are less inclined to pursue their goals in or through cyberspace.
To force adversaries and their networks to surface into the physical world, where they must function at a slower pace and where they are more vulnerable to identification and interdiction.
To disrupt the adversary’s activity inside cyberspace, lengthening their decision/action cycle and making them more visible to intelligence and investigative processes.
To cause dislocation of an adversary’s business processes by causing internal workflow dysfunction.
To identify the top-level infrastructure or critical nodes that will enable law enforcement agencies to operate more effectively and disruptively.
To foster an environment of delegated and distributed authority in order to promote spontaneity, self-confidence and responsibility among responding agencies.

Planning and deconfliction

To achieve agility in cybersecurity, the planning process should have the capacity to focus on rapidly moving targets and should seek to avoid administrative and bureaucratic drag. The most appropriate way to achieve this would be for the planning process to be as decentralized, contextualized and spontaneous as possible, yet without losing overall consistency among the various agencies involved. Consideration should be given to the development of cross-governmental understanding through the articulation of a common analytical picture or ‘common conception of cybersecurity’, as discussed in Chapter 3. Common operational principles should also be agreed, which might additionally include a constant focus on the overall purpose of the cybersecurity activity, the efficient use of scarce resources, flexibility and responsiveness in decision-making, and the use of surprise to dislocate an adversary and force uncharacteristic errors and perhaps even procedural and psychological paralysis. Having established the broad principles of a common planning approach, adversaries should also be subjected to cyberdependence analysis. This information, made widely available to all relevant agencies, will be the key to effective targeting and will require constant monitoring; the cyberadversary must be presumed to be inherently flexible and likely to change communications protocols very rapidly across cyberspace.

Effective planning is also a matter of deconfliction. Coordination will be required between cyberoperations and more conventional operations, and there should be full understanding of the doctrinal principles and constraints which might obtain in the law enforcement and security sectors, for example. Provision must also be made for the lawful use of cyberspace. Unintended effects and unnecessary constraints on normal commerce could rapidly have a dysfunctional effect on cyberspace, leading to an early breakdown of consensus. Synthetic environment modelling should be able to highlight the hazards to lawful use of cyberspace, and might have the additional benefits of refining law enforcement workflow models and predicting the adversaries’ most likely actions.

Responsiveness

To achieve responsiveness in cybersecurity, the decision-making process will require delegated and distributed powers of authority in order to encourage spontaneity and to enable rapid results. The process must also be driven by a statement of the desired outcome and underpinned by a legislative framework with robust but flexible protocols. Results should be gauged by rapid follow-up assessments of whether the desired outcome has been achieved. A closer synthesis of analysis and decision-making – possibly supported by artificial intelligence processing – will also be needed to anticipate the adversary’s most likely response once it recognizes that it is under pressure. This will in turn enable pre-emptive activity by law enforcement or security agencies, all with the aim of staying within the adversary’s OODA loop. Of the many enablers that would contribute to the generation of responsiveness in cybersecurity, the following are of particular importance:

A command and control system which can delegate authority to the lowest appropriate level.
The facility for constant and all-informed coordination of activities among a range of agencies.
A leadership comprising high-quality, well-trained personnel who are trusted and who have agreed freedoms of manoeuvre.
Intelligence-led operations at the lowest level practicable.
Clearly understood limits on actions permitted in the face of observed activity by the adversary.
Independent and empowered oversight to provide appropriate checks and balances.

The operational level: business process analysis and interdiction

We have shown how a common conception of cybersecurity can be achieved, and how the notion of cyberdependency can validate and reinforce this common conception. This common conception can then be given substance in the form of the active strategy for cybersecurity discussed above. The final step in our argument for a national cybersecurity regime is to show how cyberdependency is much more than a metaphor for society’s vulnerability and weakness, and can be transformed into a positive advantage in the struggle against cyberadversaries: adversaries are cyberdependent too, and are also vulnerable. There are currently, however, insufficient tools with which to model the end-to-end susceptibility of the cyberdomain to support illicit or adversarial activity. Our first step, therefore, is to suggest a conflict spectrum which in turn will become the basis upon which to analyse adversaries’ cyberdependency.

[Figure 3: Conflict spectrum. Labels: conflict type; scale (minor to severe). Conflicts shown: Pickpockets, Drugs, Fraud, Laundering, Murder, Terrorism, Interstate conflict, Nuclear war, Insurgency, Script kiddies, Hackers, Cyber brokers, Interstate conflict, Trafficking. Groupings: Ideological and political extremism; Serious and organized crime; Low-level crime; Individual crime. Source: Morgan Aquila, 2009.]

Conflict spectrum

A spectrum could be drawn which maps potential conflicts, from very low-order crime such as pickpocketing, through murder and terrorism, to global insurgency, to interstate armed conflict and culminating in nothing less than a nuclear exchange along the lines feared during the Cold War. A spectrum of types and levels of conflict,
incorporating the four cyberthreat domains discussed in Chapter 2, is shown in Figure 3.

Cyberdependency analysis

Elements of this conflict spectrum can be analysed further, not only to identify the harm likely to be caused to society at each point of the spectrum (and therefore to judge the severity of the threat), but also to assess the extent to which each threat is dependent upon cyberspace as part of its business process. Cyberdependency analysis can be incorporated in the conflict spectrum, as shown in Figure 4.

[Figure 4: Conflict spectrum illustrating cyberdependency. Labels: harm; degree of cyberdependence; conflict type; scale (minor to severe). Conflicts shown: Drugs, Pickpockets, Murder, Fraud, Laundering, Script kiddies, Terrorism, Interstate conflict, Nuclear war, Insurgency, Hackers, Cyber brokers, Interstate conflict, Trafficking. Groupings: Ideological and political extremism; Serious and organized crime; Low-level crime; Individual crime. Source: Morgan Aquila, 2009.]

Business process analysis

A business process-led methodology now introduces some new dynamics. Standard business and risk modelling can identify critical weaknesses in the adversary’s ability to continue operations, with the key focus being on identifying bottlenecks (which are abhorrent to business) and other processes which are vulnerable to disruption and which may have no or poor backup modes.

Risk assessment matrix

The next step in the process is to construct a risk assessment matrix of the adversary’s organization as a preliminary to targeted activity against the critical nodes identified.

Persistent disruptive attacks in cyberspace will inevitably lead to business change by the adversary actor and, ideally, a return to the physical domain, where the adversary’s decision/action loop will lengthen because real-world constraints (the requirement to travel or use surface mail) will inevitably cause a reduction in the pace of their activity. In the first place, this approach will require careful consideration and mapping of the adversary’s internal processes, as illustrated in the value chain model in Figure 5. It then becomes possible to identify bottlenecks and cybercritical nodes and to assess how and where to interdict the key processes, as Figure 5 shows. A more sophisticated and selective approach to value chain interdiction is illustrated in Figure 6.

[Figure 5: Value chain model – interdiction. Labels: Interdiction; Business infrastructure; Human resource management; Capability development; Procurement organization; Raw coca; Inbound logistics; Distillation; Operations; Trafficking; Information; Street sales; Sales and marketing; Outbound logistics; Service.]

[Figure 6: Selective value chain interdiction. Labels: Compliant security forces; Interdiction; Consumer society; Narcotics; Laundering; Agricultural infrastructure; Finance; Legal transactions left untouched; Communications services.]

The business process value chain interdiction model is a tool for identifying and exploiting the adversary’s own cyberdependency and vulnerability; what we have identified as a structural weakness on the part of society is thus transformed into a useful tool. Furthermore, it is a tool that is easily comprehensible and widely applicable. Yet for all its merits, the business process methodology can be challenged in a number of respects. The phenomenon of the ‘information blizzard’, for example, might well cloud the picture and could require a shift in the data/intelligence management dynamic, possibly towards a ‘feed the monster’ data-intensive approach. Furthermore, where critical node analysis is concerned, future success might be described as a matter not so much of finding the proverbial ‘needle in a haystack’ but of finding, in among the mass, a particular piece of straw of the right length, width and colour. A challenge of this sort would require a new look at data extraction and information analytics. And in order to support the ‘human in the loop’, there would be a need for real-time or near real-time surfacing and visualization of threat activity in order to enable more rapid changes in the orchestration of the response than the adversary can cope with. In other words, to enable a human-led response there must be a step change in technology to support the decision-making process, to create agility and flexibility on the part of the law enforcement and security response.

Summary

One frequently used definition of a regime in international politics is a set of ‘implicit or explicit principles, norms, rules and decision-making procedures around which actors’ expectations converge in a given area of international relations. Principles are beliefs of fact, causation and rectitude. Norms are standards of behaviour defined in terms of rights and obligations. Rules are specific prescriptions or proscriptions for action; decision-making procedures are prevailing practices for making and implementing collective choice.’[94] In other words, according to this definition, regimes offer a way to inform and organize effort in public policy while remaining loosely federal, rather than centrally driven or overly directive. A successful and durable regime is one which functions intelligently and responsively within its area of concern, and which is sufficiently elastic to maintain a unified approach as circumstances change.

We argue that the regime offers the most suitable basis for a national cybersecurity strategy, which must include, yet not direct, a wide variety of actors, agencies and stakeholders, and which must be sufficiently agile (yet without losing focus) to meet a rapidly evolving and transforming security challenge. Our first step was to show how the recently published UK National Risk Register could help to achieve greater coherence among the various agencies involved in cybersecurity: a ‘top-down’ approach which could complement the ‘bottom-up’ security measures set out in Chapter 3. Furthermore, an adapted version of the National Risk Register could be used to explain and develop the idea of cyberdependency. Our next step, moving from theory to practice, was to show how an active strategy for cybersecurity could be achieved by giving consideration to agile organization, doctrine, planning and deconfliction, and responsiveness. Finally, we showed how cyberdependency could be much more than a structural weakness on the part of society and could become an operational tool in a national cybersecurity strategy, using the example of business process analysis and interdiction.

5 Conclusion

Any analysis of cyberspace and the security threats it entails should first acknowledge that this is not the concern exclusively of governments and public authorities, commercial enterprises or individuals. Cybersecurity is a problem which concerns everyone, particularly as society becomes ever more dependent on the global ICT infrastructure and therefore vulnerable to interference by adversaries able to act within or against ICT systems. In cyberspace, different interests and constituencies are challenged by a variety of interconnected actors and actions. And if society – for all its diversity – cannot respond in a similarly interconnected way, then the sum of security diminishes overall.

The challenge of cybersecurity can be described in terms of a spectrum of cyberthreat domains: state-sponsored cyberattacks, ideological and political extremism, serious and organized crime, and lower-level individual crime. The value of this spectrum is more presentational than analytical, however. Lower-level and individual crime such as computer hacking can appear trivial and to lack organization, but it can have high-level consequences and can feature prominently elsewhere on the spectrum. Serious and organized criminal misuse of the global ICT infrastructure is increasing in both quantitative and qualitative terms, and at considerable cost to the global economy. The Internet seems to fit the requirements of ideological and political extremists particularly well, and governments can expect access to and use of the global technological commons to remain closely contested. Finally, for some states and governments it is clear that the Internet is seen as a strategic asset to be used for the purposes of national security, and perhaps more simply still as a battlefield where strategic conflict can be won or lost. The key observation here is not simply that society’s increasing dependence on ICT infrastructure creates vulnerabilities and opportunities to be exploited by adversaries, but also that ICT has an increasingly important enabling function for serious and organized crime, ideological and political extremism, and state-sponsored aggression. In other words, society’s adversaries are also ever more dependent upon ICT systems, creating a counterbalancing set of vulnerabilities.

The various illicit uses of cyberspace amount to a system-level challenge to society. This is problematic because society does not act and respond as a coherent system where cybersecurity is concerned. Stakeholders remain largely segregated, concerned to maintain security within their narrow ambit. As a result, public bodies, commercial enterprises and private individuals can all fail to see that they are affected by another stakeholder’s security, or lack of it. Cybersecurity policy can and should be extended beyond its default settings – the largely reactive and ‘bottom-up’ or sectoral concerns with computer and network security, information security and assurance, and the protection of critical national infrastructure. It should then be possible to shape cybersecurity policy in accordance with the general principles set out in Chapter 3: governance, management and inclusiveness. Acting coherently and purposively, the various agencies and bodies involved should have as their goals: to turn cyberspace from a permissive, ungoverned environment into a self-governing network; to increase the costs of use by illicit actors; to encourage a comprehensive and inclusive understanding of cybersecurity across society; and to facilitate and assure legitimate use of the global ICT infrastructure.

As cybersecurity policies and processes are transformed in these ways, it becomes reasonable and useful to describe these efforts as aspects of a national cybersecurity regime. Regime thinking offers a way to inform and organize effort in public policy while remaining loosely federal rather than centrally driven or overly directive. A regime should be responsive to change and should be sufficiently elastic to maintain a coherent approach as circumstances evolve. A national cybersecurity regime would involve a wide variety of actors, agencies and stakeholders, yet would not require a tightly disciplined central hierarchy and bureaucracy. It would also have the agility to meet a rapidly evolving and transforming security challenge, yet without losing purpose and focus. Drawing upon recent experience in the United Kingdom, Chapter 4 described in outline how such a regime might be achieved. The recently published UK National Risk Register (to be revised in 2009) provides the basis for greater coherence and a common understanding among the various agencies involved in cybersecurity: a ‘top-down’ approach which could complement the ‘bottom-up’ security measures set out in Chapter 3 above. For the purposes of this report, an adapted version of the National Risk Register can be used to explain and socialize the central idea of cyberdependency. The next step, moving from theory to practice, is to show how a regime-based approach can generate a national strategy for cybersecurity by giving consideration to agility and organization, cybersecurity doctrine, planning and deconfliction, and responsiveness. Finally, in order to mitigate both the likelihood and the impact of illegal and extremist activities, a national cybersecurity regime can make use of business process analysis in order to identify the adversaries’ cyberdependencies and vulnerabilities. Their weaknesses can then be exploited and their efforts degraded, thereby reducing cyber-enabled risk to society as a whole.

Society faces considerable risk from and within cyberspace, and it must respond appropriately. Whether it does so in the form of a national cybersecurity regime or by some other means, the response must be as effective, as efficient and, above all, as agile as possible. Yet dealing with the problem of cybersecurity is as much a matter of the quality and comprehensiveness of the response as it is one of identifying and countering cyberthreats. In important respects, the quality of the response will be determined by process and procedure, by effective coordination and by timely decision-making. But cybersecurity also poses complex structural challenges which society must address in all sectors and at all levels. How, and on what authority, should responsibility for cybersecurity be distributed between the private individual, commercial and governmental domains? As far as public policy is concerned, which government department should be charged with developing and articulating policy, and which departments should take ownership of the various aspects of the cybersecurity challenge? Addressing such questions effectively requires a close and mutually supportive engagement by a triumvirate of key actors: policy-makers at various levels of government, technical experts – the so-called ‘technorati’ – and, not least, all lawful users of the global ICT infrastructure. Society must have the knowledge, the agility and the resilience to meet, and preferably to anticipate, the constantly evolving challenge of cybersecurity.

Notes

1 ‘Let it rise: A special report on corporate IT’, The Economist, 25 October 2008, p. 3.
2 S.
Fafinski and N. Minassian, UK Cybercrime Report 2008, Garlik, September 2008, pp. 12, 21, http www garlik com static_pdfs cybercrime_report_2008 pdf.
3 ‘Let it rise’, p. 7.
4 A. Sipress, ‘An Indonesian’s Prison Memoir Takes Holy War into Cyberspace’, Washington Post, http www washingtonpost com ac2 wp-dyn A62095-2004Dec13 language printer, 14 December 2004.
5 ‘Cyberjamming’, Wall Street Journal Europe, 29 April 2008.
6 M. Reilly, ‘When nations go to cyberwar’, New Scientist, 23 February 2008.
7 I. Thomson, ‘Nato builds cyber-security bunker’, Information World Review, 15 May 2008.
8 T. Skinner, ‘War and PC’, Jane’s Defence Weekly, 24 September 2008.
9 Reilly, ‘When nations go to cyberwar’.
10 M. Fickes, ‘Cyber Terror’, Government Security, 1 July 2008, http www govtsecurity com federal_homeland_security cyber_terror_atta cks index html.
11 Skinner, ‘War and PC’.
12 B. Acohido, ‘Some Russian PCs used to cyberattack Georgia’, USA Today, 18 August 2008, www damballa com downloads news ITN_USA_Today_ 2 pdf Acohido Georgian cyber attack hl en ct clnk cd 1 gl us client firefox-a.
13 For an analysis of the scope of cyberwarfare, see European Security and Defence Assembly, Cyber Warfare, Assembly of the Western European Union, Defence Committee Report C 2022, 5 November 2008.
14 Scott Borg, Director of the US Cyber Consequences Unit, quoted in Fickes, ‘Cyber Terror’.
15 US-China Economic and Security Review Commission, 2008 Report to Congress, cited in ‘China winning cyber war, Congress warned’, The Guardian online, 20 November 2008, http www guardian co uk techn ology 2008 nov 20 china-us-military-hacking.
16 Skinner, ‘War and PC’.
17 Ibid.
18 General James Cartwright, Vice Chairman of the US Joint Chiefs of Staff, quoted in Skinner, ‘War and PC’. See also Reilly, ‘When nations go to cyberwar’.
19 ‘World wide web of terror’, The Economist, 14 July 2007.
20 A. Stenersen, ‘The Internet: A Virtual Training Camp?’, Terrorism and Political Violence, Vol. 20, 2008, p. 228.
21 G. Corera, ‘The world’s most wanted cyber-jihadist’, BBC News, http news bbc co uk go pr fr - 2 hi americas 7191248 stm, 16 January 2008.
22 ‘World wide web of terror’, The Economist, 14 July 2007.
23 Corera, ‘The world’s most wanted cyber-jihadist’.
24 Ibid.
25 D. W. Barno, ‘Challenges in Fighting a Global Insurgency’, Parameters, Summer 2006, p. 19.
26 Stenersen, ‘The Internet’, p. 215.
27 ‘World wide web of terror’, The Economist, 14 July 2007.
28 Distinct from cryptography (the encryption of communications), steganography (‘hidden writing’) is a means of covert communication in which the message itself, and not just its meaning, is concealed. For added security a concealed message can also be encrypted. See ‘Link between child porn and Muslim terrorists discovered in police raids’, The Times, 17 October 2008.
29 Stenersen, ‘The Internet’, p. 219.
30 J. Emigh, ‘Terror on the Internet’, Government Security, http govt
31 Stenersen, ‘The Internet’, p. 233, note 53. MMORPGs and Massively Multiplayer Online Games (MMOGs) can also be used for financial crimes such as extortion and money-laundering, since MMOG and MMORPG players must exchange real currency for virtual cash such as Linden Dollars in order to participate. See K. R. Choo and R. G. Smith, ‘Criminal Exploitation of Online Systems by Organised Crime Groups’, Asian Criminology, Vol. 3, No. 1, June 2008, p. 49.
32 ‘World wide web of terror’, The Economist, 14 July 2007.
33 US Senate Committee on Homeland Security and Governmental Affairs, Violent Islamist Extremism, the Internet, and the Homegrown Terrorist Threat, 8 May 2008, http hsgac senate gov public _files IslamistReport pdf, pp. 1, 8.
34 D. Kimmage, The Al-Qaeda Media Nexus: The Virtual Network Behind the Global Message, Washington, DC, RFE/RL Special Report, 2008, pp. 17, 21.
35 Stenersen, ‘The Internet’, pp. 216, 231.
36 Quoted in ‘World wide web of terror’.
37 ‘Saudis claim Internet responsible for 80 per cent of jihadi recruitment’, Terrorism Focus 4 13, 8 May 2007.
38 K. Sengupta, ‘Spies take war on terror into cyberspace’, The Independent, 3 October 2008.
39 ‘Jihadis publish online recruitment manual’, Terrorism Focus 5 34, 24 September 2008.
40 S. Drennan and A. Black, ‘Jihad online: The changing role of the Internet’, Jane’s Intelligence Review, August 2007.
41 Stenersen, ‘The Internet’, p. 222.
42 Drennan and Black, ‘Jihad online’.
43 ‘World wide web of terror’, The Economist, 14 July 2007.
44 US Senate, Violent Islamist Extremism, p. 5.
45 C. H. Kahl, ‘COIN of the Realm: Is There a Future for Counterinsurgency?’, Foreign Affairs 86 6, November/December 2007, p. 175.
46 S. Metz, Rethinking Insurgency, Carlisle, US Army War College Strategic Studies Institute, June 2007, pp. 11, 13–14.
47 US Army and Marine Corps, Counterinsurgency Field Manual, Chicago, University of Chicago Press, 2007, para. 1-22, p. 8.
48 Fafinski and Minassian, UK Cybercrime Report 2008, p. 14.
49 For an assessment of the role of innovation in and against cybercrime, see H. Rush, C. Smith, E. Kraemer-Mbula and P. Tang, Organised Crime and Illegal Innovation, London, NESTA, forthcoming 2009.
50 British-North America Committee, Cyber Attack: A Risk Management Primer for CEOs and Directors, BNAC, 2007, p. 3.
51 Symantec Corporation, Global Internet Security Threat Report: Trends for July-December 2007, Vol. XIII, April 2008, http eval symantec com mktginfo enterprise white_papers b-whitepaper_internet_security_threat_report_xiii_04-2008 en-us pdf, pp. 8, 64, 75.
52 Symantec, Global Internet Security, pp. 45-46.
53 CBR Online, ‘TJX hack is biggest ever’, 30 March 2007, http www cbronline com news tjx_hack_is_biggest_ever.
54 Symantec, Global Internet Security, pp. 17, 20–22.
55 British-North America Committee, Cyber Attack, p. 2.
56 United Nations Convention against Transnational Organized Crime, Article 2 (a) and (c), United Nations General Assembly, A/Res/55/25, 8 January 2001, http www unodc org pdf crime a_res_55 res5525e pdf.
57 Serious Crime Act 2007, Schedule 1: Serious Offences, Part 1: Serious Offences in England and Wales, Office of Public Sector Information, http www opsi gov uk ACTS acts2007 ukpga_20070027_en_9.
58 B. Acohido, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money
and Identity New York Union Square Press 2008 pp 22–24 59 ‘Cyber-attacks batter Web heavyweights’ CNN com http archives cnn security com federal_homeland_security terror_internet I October com 2000 TECH computing 02 09 cyber attacks 01 index html 9 2004 February 2000 www chathamhouse org uk 33 Cyberspace and the National Security of the United Kingdom 60 ‘New and original study on industrial cyber security reveals tenfold 79 US Code Title 44 Chapter 35 Subchapter III 44 U S C Sec 3542 increase in number of successful attacks on process control and SCADA 2002 3542 b 1 US Code Collection Cornell University Law School systems since 2000’ British Columbia Institute of Technology http www law cornell edu uscode html uscode44 usc_sec_44_000035 http www bcit ca news releases newsrelease100404883 shtml 4 October 2004 61 Choo and Smith ‘Criminal Exploitation’ pp 39–40 42——000- html 80 For a review of multilateral efforts at cybersecurity focusing on the European Union see P Cornish Cyber Security and Political Social and 62 Ibid p 40 Religiously Motivated Cyber Attacks Brussels European Parliament 63 S W Brenner ‘Organized Cybercrime How Cyberspace May Affect the 2009 Structure of Criminal Relationships’ North Carolina Journal of Law Technology Vol 4 Issue 1 Fall 2002 p 24 81 Regulation EC No 460 2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and 64 ‘Clouds and judgment’ The Economist 25 October 2008 Information Security Agency Text with EEA relevance http eur- 65 Fafinski and Minassian UK Cybercrime Report 2008 p 8 lex europa eu smartapi cgi sga_doc smartapi celexapi prod CELEXnumdo 66 Choo and Smith ‘Criminal Exploitation’ p 40 67 Brenner ‘Organized Cybercrime ’ p 27 c lg EN numdoc 32004R0460 model guicheti 82 Advocates of ISO 27002 the Code of Practice for Information Security 68 Ibid pp 37 46 might take issue with these observations With its emphasis on the ‘plan 69 ‘Fraudsters’ website shut in swoop’ BBC News 
online 17 October 2008 do check act’ cycle ISO 27002 arguably seeks to encourage a more http newsvote bbc co uk mpapps pagetools print news bbc co uk 1 hi uk 7675191 stm 70 Acohido Zero Day p 18 71 Microsoft Security Intelligence Report Key Findings Summary January through June 2008 http www microsoft com security portal sir aspx 72 K Poulsen ‘UK hacker Gary McKinnon plays the Asperger’s card’ Wired anticipatory management of threats 83 UK Cabinet Office A National Information Assurance Strategy p 12 84 P Cornish Domestic Security Civil Contingencies and Resilience in the United Kingdom A Guide to Policy London Chatham House June 2007 pp 7–8 85 Organisation for Economic Co-operation and Development Guidelines for 28 August 2008 ‘British UFO hacker Gary McKinnon is coming to the Security of Information Systems and Networks Toward a Culture of America’ Wired 30 July 2008 http blog wired com 27bstroke Security Paris OECD 25 July 2002 pp 10–11 http www oecd org 6 2008 08 uk-hacker-gary html A judicial review of McKinnon’s case is scheduled for June 2009 73 ‘Commons’ used in this report in the context of a ‘global commons’ or a document 42 0 3343 en_2649_34255_15582250_1_1_1_1 00 html 86 Quoted in ‘Geography and the Net Putting it in its Place’ The Economist 9 August 2001 ‘global technological commons’ is defined in the Oxford English Dictionary 87 UK Cabinet Office A National Information Assurance Strategy p 12 as ‘provisions for a community or company in common’ In the sense 88 E Gibbs van Brunschot and Leslie W Kennedy Risk Balance and Security employed in this report use of the commons is non-rivalled and nonexcludable – a public good in other words 74 M Levi argues that terrorists need to be serially ‘lucky’ which should London Sage 2008 p 10 89 UK Cabinet Office National Risk Register London Cabinet Office 2008 http www cabinetoffice gov uk reports national_risk_register aspx actually make interdiction less difficult than is often assumed On Nuclear 90 UK Cabinet 
Office National Risk Register p 4 Terrorism Harvard University Press 2007 p 7 91 See http www internet-haganah com haganah index html 75 J Lewis ‘Cybersecurity and Critical Infrastructure Protection’ Center for 92 Coined by Colonel John Boyd US strategic analyst and commentator In Strategic and International Studies Washington DC January 2006 combat indeed in any walk of life the goal should be to complete the http www csis org media csis pubs 0601_cscip_preliminary pdf OODA cycle before the adversary thereby retaining the initiative and 76 UK Cabinet Office A National Information Assurance Strategy London Central Sponsor for Information Assurance June 2007 p 6 77 National Institute of Standards and Technology ‘Comprehensive National Cyber Security Initiative Leap-Ahead Security Technologies’ http www nist gov public_affairs factsheet cyber2009 html 1 February 2008 78 House of Lords Science and Technology Committee Personal Internet Security Follow-Up London The Stationery Office July 2008 Fourth Report of Session 2007-2008 p 5 Minutes of Evidence p 2 col 1 34 www chathamhouse org uk ensuring success For a full account and explanation of Boyd’s insight see B Berkowitz The New Face of War How War Will be Fought in the 21st Century New York Free Press 2003 pp 38–45 93 See Cabinet Office Chief Information Officer Council ‘Transformational Government’ http www cio gov uk transformational_government index asp 94 S Krasner ‘Overviews’ in S Krasner ed International Regimes London Cornell University Press 1983 p 2 The International Security Programme The International Security Programme at Chatham House has a long-established reputation for independent and timely analysis and for its contribution to the public debate on security and defence International security policy is a vast complex and urgent environment for research and analysis With this in mind the mission of the programme is to be an internationally recognized and respected policy research group offering 
independent expert advice for the public and private sectors on matters of international European and national security and defence Recent publications include US-UK Nuclear Cooperation An Assessment and Future Prospects Edited by Jenifer Mackby and Paul Cornish Co-published with the Center for Strategic and International Studies August 2008 Coalition Warfare in Afghanistan Burden-sharing or Disunity Timo Noetzel and Sibylle Scheipers Briefing Paper October 2007 Global Non-Proliferation and Counter-Terrorism The Impact of UNSCR 1540 Edited by Olivia Bosch and Peter van Ham Co-published with Brookings Institution Press and Clingendael Institute March 2007 The CBRN System Assessing the Threat of Terrorist Use of Chemical Biological Radiological and Nuclear Weapons in the UK Paul Cornish Chatham House Report February 2007 The UK Contribution to the G8 Global Partnership Against the Spread of Weapons of Mass Destruction 2002–06 Paul Cornish Chatham House Report January 2007 EU and NATO Co-operation or Competition Paul Cornish Chatham House Report October 2006 Divided West European Security and the Transatlantic Relationship Tuomas Forsberg and Graeme P Herd Chatham House Paper co-published with Blackwell Publishing June 2006 For a full list of publications please visit http www chathamhouse org uk research security 35 Chatham House Reports Transit Troubles Pipelines as a Source of Conflict Paul Stevens March 2009 978 1 86203 210 1 The Outlook for Tokyo New Opportunities or Long-Term Decline for Japan’s Financial Sector Vanessa Rossi March 2009 ISBN 978 1 86203 213 2 Ready to Lead Rethinking America's Role in a Changed World Robin Niblett February 2009 ISBN 978 1 86203 209 5 Food Futures Rethinking UK Strategy Susan Ambler-Edwards et al February 2009 ISBN 978 1 86203 211 8 The Feeding of the Nine Billion Global Food Security for the 21st Century Alex Evans January 2009 ISBN 978 1 86203 212 5 Against the Gathering Storm Securing Sudan’s Comprehensive Peace Agreement 
Edward Thomas January 2009 ISBN 978 1 86203 213 2 Iran Breaking the Nuclear Deadlock Edited by Richard Dalton December 2008 ISBN 978 1 86203 208 8 A British Agenda for Europe Designing Our Own Future Commission on Europe after Fifty September 2008 ISBN 978 1 86203 207 1 The Coming Oil Supply Crunch Paul Stevens August 2008 ISBN 978 1 86203 206 4 Ending Dependence Hard Choices for Oil-Exporting States John V Mitchell and Paul Stevens July 2008 ISBN 978 1 86203 205 7 The Gulf as a Global Financial Centre Growing Opportunities and International Influence Vanessa Rossi June 2008 ISBN 978 1 86203 204 0 Lost Opportunities in the Horn of Africa How Conflicts Connect and Peace Agreements Unravel Sally Healy June 2008 ISBN 978 1 86203 203 3 The European External Action Service Roadmap for Success Brian Crowe May 2008 ISBN 978 1 86203 202 6 Changing Climates Interdependencies on Energy and Climate Security for China and Europe Bernice Lee et al November 2007 ISBN 978 1 86203 196 8 36 For further information on any of these titles please visit www chathamhouse org uk publications or call 44 0 20 7957 5700 Cyberspace and the National Security of the United Kingdom Threats and Responses Paul Cornish Rex Hughes and David Livingstone Chatham House 10 St James’s Square London SW1Y 4LE T 44 0 20 7957 5700 E contact@chathamhouse org uk F 44 0 20 7957 5710 www chathamhouse org uk Charity Registration Number 208223 Cyberspace and the National Security of the United Kingdom Threats and Responses A Chatham House Report Paul Cornish Rex Hughes and David Livingstone www chathamhouse org uk