Chapter 10

Conclusion ¹

,

 

 

 

Throughout the various chapters presented in this book, common issues have manifested themselves — particularly relating to the process of policy-making in terms of cyber-security and cyber-defense.

Although cyberspace emerged during the 1980s, and then really developed in the 1990s with the dawn of the publicly available Internet in a number of industrialized countries, it was not until the latter half of the last decade that concerns relating to cyberspace really seem to have been felt in terms of security and defense policies. The introduction of cyberspace into defense is the fruit of a heightened awareness of threats that States have been able to witness by way of major events:

– the attacks on Estonia in 2007;

– the waves of cyber-attacks that have blighted several governments since 2007;

– the Stuxnet worm which, in 2010, demonstrated the vulnerability of industrial systems; and

– the growing extent of intrusions for espionage purposes affecting the systems of governments and large businesses in all sectors of activity.

This realization has occurred at different paces depending on the country in question. The “slowness” of it, and its “recent” nature, are underlined many times in this book — for while the phenomenon has gained in strength in recent years, it is by no means new. Cyber-attacks have been affecting the entire world for over 20 years. Many nations, led by the US, China and Russia, have written about the offensive and defensive use of cyberspace in their military doctrines and strategies since the early 1990s. This “slowness” means that cyber-security and cyber-defense have only recently become priorities at a political level, the result of an evolution in the perception of the dangers. Anti-militaristic sentiment may sometimes be behind these delays: when military issues are unpopular or when army budgets are constrained by that sentiment, cyber-defense may seem auxiliary, and the subject considered very futuristic and therefore not immediately pressing.

Those States affected by economic crisis may be reticent towards new investments in defense. In these terms, cyber-defense may be viewed in two ways: either as a new source of significant and unacceptable costs, in spite of the necessity; or as an opportunity to reduce costs (a techno-centered approach to problem-solving). The difference is striking between Greece and Slovenia, for instance. In the case of the former, the military enjoy a positive image in the eyes of civil society and political leaders, which enables them to steer choices in terms of defense policy. The military have managed to integrate issues relating to cyber-warfare into the context of Greece’s international and strategic policies. In Slovenia, on the other hand, even today the strong anti-militaristic sentiment plays against questions relating to cyber-defense coming to the forefront.

Delays between the emergence of cyberspace, the appearance of threats and the introduction of cyberspace into defense policies highlights the contrast between aggressor and victim models (this is merely a hypothesis). The victim’s reaction time is incompatible with the attacker’s pace, because their models are opposing: the State machine responds to a vertical logic (it requires hierarchy, planning and organization); the aggressor (who may not be part of a State administrative structure), follows a horizontal logic (with no hierarchy), allowing rapidity, reactivity and capacity for surprise action — capabilities that can be quickly brought together. In addition, this model ignores constraints relating to borders and sovereignty. However, it also falls down on a lack of strategy, and is confined to on the spot actions that may be difficult to concretize (hacker attacks, even en masse, usually run out of steam, and very rarely achieve their political goals).

Yet States do not have total autonomy in establishing their priorities in terms of defense. Those who conceive policies and strategies may first draw inspiration from what has been done abroad. A certain form of mimesis may underlie the task of elaborating concepts and policies. There is also the need to place yourself at the same level as others, both friend and foe. Thus, we must behave like the others and be like the others, which will invariably lead to an armament race. The signal this gives may be perceived badly (an aggressive state). However, it is simply the attitude of a State wishing to maintain its position on the international stage, ensure its security and contribute to international peace (adopting a defensive stance aimed at dissuading potential aggressors).

The international context greatly constrains States’ actions. Members of NATO and the EU, for instance, must adapt their policies to the common market. The weakness of a Member State in terms of cyber-security/cyber-defense may be damaging, both for that State and for its partners (in a team, the “weak link” weakens the others). Geopolitically important States have a major role to play in managing regional and world peace. Weaknesses in cyber-defense raise provisional questions over a State’s stability, and therefore ultimately its capacity to maintain its role as a major piece on the international chessboard. Large-scale cyber-attacks against countries whose geopolitical might is significant are likely to have a greater effect on international stability than those directed at small States.

A State’s regional environment and its geopolitical strength largely determine its priorities:

– Japan’s considerations relate to defense against China and North Korea, its alliance with the US and its role in Pacific Asia;

– Greece’s relate to defense in terms of its relations with Turkey;

– Cuba’s choices are defined according to its relation to the US and its political partners in South America;

– Canada’s defense strategies relate to the US;

– etc.

Cyber-defense is no exception to this phenomenon. Cyber-defensive policies are not initially conceived in view of the worldwide increase in threats: North Korea is undoubtedly an immediate threat for Japan, but far less so for Greece or Italy, in spite of the progressive removal of boundaries in cyberspace, the globalization of networks, exchanges and communications. A server located in country A can be used by a hacker in country B to attack a server located in country C; however, this does not mean that the question of defense extends to country A. The relation between B and C is central.

Also often raised are the questions of the efficiency of the policies put in place, the appropriateness of policies/strategies, means deployed and problems to be dealt with. Strategies for reinforcing cyber-security and cyber-defense rely on a set of developments, an integrated approach, which is common to a large group of nations dependent on cyberspace (including states not dealt with in this book, e.g. the US or China):

– development of the legal apparatus;

– an integrated approach to emergency management;

– involvement of national defense in national security;

– militarization of cyberspace;

– collaboration:

- between actors at national level,

- public-private,

- civil-military, and

- international;

– formation/training:

- of experts, engineers, and

- of directors;

– exercises (CDX)¹;

– participation in international forums;

– creation of organizations, dedicated State, civil and/or military structures (cyber-units, cyber-defense agencies, etc.);

– digitization of armies;

– struggle against cybercrime;

– protection of critical infrastructures: questions about responsibility for defense of civil infrastructures (most of these infrastructures belong to private companies, so who should take care of their defense?); and

– modulation of the budgets allocated to cyber-defense

However, we cannot simply decree that actors (individuals, sectors, organizations, and States) must collaborate for the principle to take effect. The difficulty lies in coordinating, implementing and measuring the effectiveness of that collaboration. The involvement of more actors does not necessarily guarantee the expected efficacy. In addition to the vulnerability of cyberspace due to technical and human factors, there is thus vulnerability due to structural factors (proliferation of actors).

To conclude this book, we wish to make our own contribution to the task of defining the concepts. This phase is essential in implementing common referents, whose usefulness is recalled many times in the various national approaches. Common definitions will, in particular, allow an international legal framework to be drawn up for defensive/offensive operations in cyberspace. The two concepts we are interested in here are “cyberspace” and “cyber-attacks”.

10.1. Cyberspace

Defining cyberspace entails defining that fifth dimension which is not solely that of combat but more generally of human activity in today’s world.

We define cyberspace as a dimension consisting of three layers, and transversal to the four conventional dimensions.²

To begin with, we will look at the conventional dimensions of sea, air and space. The first characteristic of cyberspace is its transversality: it intersects and crosses all of the conventional dimensions.

When we group the conventional dimensions into one, we obtain the real dimension (R), which is crossed by the virtual dimension (V) of cyberspace. Indeed, cyberspace innervates each of the real-world dimensions.

However, this cyberspace itself should not be understood as a homogeneous whole, or as a block.

We can consider it to be an object made up of three superimposed, interdependent layers:

– a first material, physical layer of infrastructures and hardware;

– a second layer of software and applications; and

– a third, so-called “cognitive” layer.

This formulation is inspired by that advanced in 1998 in Information Warfare: Principles and Operations by Edward Waltz [WAL 98] who conceived the “cyberspace dimension” as the middle layer (the informational infrastructure) in the three domains of space in information warfare. These three domains are the physical layer, the informational infrastructure and the cognitive layer.

Our approach, for its part, encapsulates the three layers — the three domains in the definition of cyberspace — rather than being limited to the middle layer.

This representation of cyberspace as a matrix composed of three layers and four spaces enables us to reposition incidents, actions, stakes, threats, actors, etc.

From the point of view of the three-layer model, actions carried out on one layer may be targeting the other layers.

This three-layer model can be used:

– To reconsider our perception and representation of the threat: are there particular types of operations, types of aggressors and specific skills that correspond to each layer?

– To organize cyber-defense. This entails taking account of technical aspects, but also of cognitive, political, legal and economic aspects. It must involve multiple skills, different sectors (Internet service providers and telecom operators, technology providers, think tanks and social networks, capable of acting at the level of “manipulation of information”). These considerations validate the holistic approach to cyber-defense.

Based on this model, cyber-attacks can simply be defined as aggressive operations by R against S, through the medium of V. In terms of transversality, aggressions (cyber-attacks, offensive operations) and defensive actions, initiated in R, are intended to cause an impact in S. Ultimately V is only a vector, a space in which actions are carried out.

An attack on the lower layers always has an impact on the layers above it, but the reverse is not necessarily true:

– an attack on infrastructures prevents the code from functioning and has a cognitive impact;

– an attack on the code by way of the code has an impact on the cognitive layer, but not necessarily on the previous layer; and

– an attack on the code may disrupt computers’ function, or even destroy them.

There are combinations of actions on the various layers, in accordance with the equation (act on to produce an effect on). These are:

The layers overlap. In order to affect one, we may or must affect another. For instance:

– cutting in L1 (cutting undersea Internet cables, destroying communication/observation satellites, etc.) to produce an effect in L2 (inability to use networks or communicate) and L3 (disorganization);

– acting in L2 (pirating, intrusion, website defacement, etc.) to produce an effect in L3 (destabilization) or L1 (a viral attack can destroy systems, computers, etc.); and

– acting in L3 to active L2 (broadcasting lists of websites to be attacked, and passing the baton to hackers acting in L2 to pirate the designated sites; providing tools for computer attacks; mobilizing communities of hackers, and so on).

This layer model may be complexified by crossing it with the representation of the transversal dimension, thus defining cyberspace as a three-layered domain over a matrix of four. It is this 3 × 4 architecture that describes or defines the nature of that fifth dimension, which is cyberspace. Table 10.2 expresses the transversality of cyberspace with the real dimension.

The reading of these models (cyberspace; cyber-attacks) must be complexified by taking account of the following variables:

– civilian/military actors;

– public/private actors; and

– State/non-State actors³.

Cyber-warfare, for its part, is the cybernetic dimension of conventional warfare.

10.2. Bibliography

[ARQ 93] ARQUILLA J., RONFELDT D., Cyberwar is coming!, Rand Corporation, USA, 1993. Accessed at http://www.rand.org/content/dam/rand/pubs/reprints/2007/RAND_RP223.pdf

[VEN 11a] VENTRE D., “Cyberwar and Cyberspace”, Conference CIOR — OTAN, Warsaw, Poland, August 2011.

[VEN 11b] VENTRE D., Ciberguerra, XIX Curso Internacional de Defensa, Jaca, Spain, 26 September 2011, acts to be published in 2012.

[VEN 11c] VENTRE D. (Ed.), Cyberwar and Information Warfare, ISTE Ltd., London and John Wiley and Sons, New York, 2011.

[WAL 98] WALTZ E., Information Warfare: Principles and Operations, Artech, Boston, 1998.

 

 

1 Chapter written by Daniel VENTRE.

1 CDX: Cyber Defense Exercise.

2 All the considerations put forward in the section that follows have been expounded in [VEN 11a, VEN 11b].

3 For an analysis of these distinctions and their various combinations, see [VEN 11c].