cyberarmscontrolblog

International Agreement for Control of Cyber Weapons

Tag: Cyber Arms Control

USA –– The World’s Cyber Superpower


A Cyber Superpower

The United States of America is the World’s cyber superpower.

History shows that the revolution in computing and information technology started not in the United States, but instead in England. But as the onslaught of the Second World War began to dim the starched and crusty sun of the British Empire, the world’s center of computing innovation shifted to the United States, and has never left. Today, the United States has emerged as the world’s cyber superpower. No other country comes close, in fact, the rest of the world added up together does not equal the cyberpower of the United States. Nevertheless, with cyber-greatness, comes cyber-vulnerability, and thus the United States faces many challenges going forward.

Technology Growth and Innovation

Birth of Computing. The foundations of computing were defined by Alan Mathison Turing (1912-1954), an English mathematician in his paper “On Computable Numbers, with an Application to the Entscheidungsproblem” delivered to the London Mathematical Society in 1936. After a long discussion, he writes “If this is so, we can construct a machine to write down the successive state formulae, and hence to compute the required number.” (Don’t try to read the paper unless you know a great deal of math.  A better explanation is found in Andrew Hodges book “Alan Turning: The Enigma“.)

Turing was recruited to work at Bletchley Park, the center of the UK’s codebreaking operation during the Second World War. The central challenge was learning how to break the enigma coding machine. Turing and his team built the world’s first electro-mechanical machine to break the code (bomba kryptologiczna [Polish]). Eventually the German Navy deployed an improved enigma machine with more coding rotors. This blunted the English effort.

Nevertheless, the United States Naval Computing Machine Laboratory at a secret location in Dayton, Ohio started work on a more advanced code-breaking machine using vacuum tubes. You can see a picture of the U.S. Navy Cryptanalytic Bombe at the National Security Agency’s (NSA) National Cryptologic Museum here. The Museum has a picture of coding rotors on its facebook page here. This project was located in “Building 26” on the campus of the National Cash Register Machine company. This is where the future founder of IBM worked.

Growth of Computing. The history of computing is long, but most of the book was written in the United States. In particular, the release of the IBM System 360 included the first operating system. Mainframe computers, minicomputers, personal computers, handheld computers, integrated circuits, and so on. Much of this evolution was powered by companies in Silicon Valley, but also around Route 128 in Boston. As a note, much work in development of supercomputers was funded by NSA, especially the work of Seymour Cray.

Telecommunications and Networking. Most of the world’s innovation in telecommunications and networking has occurred in the United States. There is no need here to retell the long history of developments: Telegraph, Telephone, Radio & Television, Satellite, Internet, Mobile Cellular Technology. (See Desmond Chong’s comments here.) The Internet now connects most citizens of the world. (See: Internet Society report here.) From 1992 to 2015, the number of websites grew from 10 to 863,105,652 and from 1993 the number of Internet Users grew from 108,935 to 3,185,996,155. (See Internet Live Stats.)

This growth of “cyberspace” in effect has created an entirely new virtual geography for conflict between nation states.

Control of Cyber Infrastructure. Apart from manufacturing much of the technology, US companies produce the software, cloud systems, other Internet based services, and social media systems that dominate the world. There is no European Google, for example. Companies such as Google, Facebook, Twitter, Microsoft, IBM, Apple and others dominate the world’s ICT landscape.

Emergency Response to Cyber Attacks

In the Post-9/11 world, the United States has built up and incredible infrastructure to defend against terrorism and respond to it promptly once it occurs.  These investments envision threats from weapons of mass destruction, lone wolf terrorist attacks, Electromagnetic Pulse (EMP), and cyber attacks. A few days after the September 11th attack, the US Congress handed over to the executive $40 billion dollars to “get started” on building these defensive systems. Then it wrote another check and another. The total amount invested is classified.

Investments were made in two direction; foreign intelligence, and emergency response in the homeland.  Although the development of foreign intelligence capabilities using cyber espionage is secret, revelations from illegal criminal leaks published by the traitor Edward Snowden and the brutal Wikileaks, plus high quality yet legal investigative reporting by authors such as Dana Priest and William M. Arkin (Top Secret America: The Rise of the New American Security State) suggest the incredible capabilities of the United States.

  • A large amount of all Internet traffic worldwide is intercepted, stored, and subjected to analysis by organizations such as the National Security Agency (NSA).
  • A large amount of telephony traffic is intercepted and stored, then used for analysis of a number of problems.
  • Breakthroughs in artificial intelligence and other innovations in software have greatly expanded the effectiveness of intelligence analysis (although there are constant complaints that much more information is being collected than can be analyzed).
  • In response to the threat of terrorism, the USA has greatly increased the integration of law enforcement and intelligence gathering and analysis by building fusion centers linking local and state resources (police; emergency response) into the Federal Government.
  • The U.S. Military has been tasked with responding to threats that occur within the United States (and this requires it to collect and analyze threat data originating from within the country).

To put it in simple terms, apart from its not inconsiderable activities overseas, the United States has trained its military to fight, defend infrastructure, and collect intelligence within the United States itself.

Result: There has been a blurring of lines of responsibility between local, state, and Federal efforts to fight a cyber war.

The result is a nation state with dominant cyberpower:

  1. Control over the bulk of cyber technology.
  2. Largest and most sophisticated intelligence collection and analysis systems.
  3. World wide response capabilities, both kinetic and cyber, both offensive and defensive.
  4. The largest penetration into cyber networks around the world.
  5. Highest level of integration between cyber intelligence and cyber response.

Since 9/11, the United States in the cyber arena likely has invested more than 25 times as much as any nation that is in a distant second place. There is a cyber arms race, and the United States is winning, and will continue to do so for the foreseeable future (providing it keeps investing, as it probably will).


What is “Cyber Power”?

It is difficult to have an undisputed definition of cyberpower, but as a starting point, we can say that for a nation state, it may be defined by the following factors:

  1. w1 – The number of cyber-weapons deployed and under the control of the nation-state.
  2. w2 – The percentage of zero day cyber weapons deployed and under the control of the nation-states.
  3. p1 – The maximum number of cyber warfare operators per capita that are on duty under peak deployment.
  4. p2 – The maximum number of volunteer or militia cyber warfare operators that may be deployed to support the government.
  5. Rg – The number of websites that may be attacked by government cyber fighters.
  6. Rp – The number of websites that may be attacked by militia cyber warfare operators.
  7. e1 – The number of emergency response centers dedicated to monitoring cyber attacks and coordinating response.
  8. e2 – The number of emergency response centers with cyber-response capabilities.
  9. e3 – The number of emergency response centers with capabilities to respond to secondary targets of a cyber attack, e.g., infrastructure damage, but with no cyber capabilities.

Cyberpower might be estimated as follows:

(9[w2w1]+[w1-9{w2w1}]+3.5p1+p2) * (Rg+.6Rp) + (.9e1+.4e2+.15e3)

Getting this type of data, applying proper quantification and operationalization of the relationships, however, is somewhat problematical, to say the least.


Lingering Challenges Going Forward

Government and Private Sector Coordination. The United States has a peculiar arrangement whereby the government is responsible for defense of the nation, but is unable to control how private enterprises, and the private sector in general, avails itself of defensive technologies. The private sector is left to defend itself.  For example, Under the National Security Agency (NSA), the Cyber Command (“Cybercom”) component is responsible for development of both offensive and defensive cyber weapons. However, it is not clear at all how and under which specific circumstances the power of Cyber Command would be used. See Figure 1.

CYBER-ATTACK-RESPONSE.001

Figure 1 –– Attack and Defense in Cyberspace. The US Government (NSA’s Cyber Command) is tasked with defending the U.S. Government from cyber attacks. But in case of cyber attacks against important private sector components, including infrastructure, there is no clear role or authority.

As of 2018 Cyber Command should have a 6,200 member force.  It is under the command of the U.S. Strategic Command, which also is in charge of the USA’s nuclear weapons. This number, 6,200 might possibly be only a fraction of the true size of Cyber Command, considering that it is common practice in  many parts of the U.S. government, including the military, to make extensive use of outsourcing and subcontractors to get its work done. If the government employee/subcontractor ratio for other parts of the government is applied to Cyber Command, then a force of 27,900 might be more realistic.

Since it operates under the auspices of the National Security Agency (NSA), Cyber Command has responsibility for protecting the communications, including data communications and thus data processing and ICT infrastructure, of the United States Government. Presumably this means that should government ICT infrastructure come under attack from another nation state, Cyber Command could respond. The rules of cyber war are not yet worked out because it is difficult to have a “cyber war”, without any real “war”. And if there is not real “war”, then presumably government weapons would not be used to fight the conflict.

This leaves a vulnerability for the United States. If the private sector, including the USA’s vast infrastructure (electricity, transportation, finance, business process computing, communications, distribution), came under attack, it is not clear that the NSA would respond. Perhaps it has standing orders to aid the private sector, but it is difficult to see how this could happen except through the mechanism of providing warning and advice to victims of cyberattacks.

It is possible that cyber militia might be used by either the private sector or by the government, but there is not much known about this possibility, and in any case, there would be legal and regulatory barriers for this to be done by the government.

This leaves open the challenge of coordination.

Focus and Coordination. Within the U.S. government, as well as the states and local jurisdictions, a large number of fusion centers and other points of shared operational responsibility has been developed and deployed. Everything from response to a chemical biological attack to a full scale nuclear war has been prepared for. There is a particularly vigilant infrastructure in place to handle the aftermath of a severe terrorist attack against any community.  But these centers specialize in different areas: some on electricity, others on public health, terrorism, or a number of other focus area. They have different degrees of cyber defense and response capabilities, if any at all.

But we can be sure that in any cyber emergency, it will be very difficult to coordinate the activities of these many centers and there is no integrated cyber response plan to do so.

Effectiveness Against Cyber Attack

So looking below at Figure 2, we might hypothesize that there is an optimum number of centers of cyber excellence that determines the level of effectiveness against a cyber attack. In the initial stages of build-up, there is a rapid rise in effectiveness.  But if too much is built, the response teams will face increasing difficulty in coordinating their response, and the effectiveness will start to fall, even as investments continue to rise.

RESPONSE-EFFECTIVENESS.001

Figure 2 – Too much cyber defense might weaken the overall national efforts. Response to cyber attacks are coordinated a various national centers. As the number of these centers increases, the effectiveness of response increases, but never becomes perfect. But it never approaches perfect. At some point further increases in cyber response centers weakens national cyber defense because of the cost of coordination.


Control of the Proliferation of Cyber Weapons

Cyber Arms Control.  Understanding the prospects of cyber arms control must be based on realistic assumptions about nation state motivation. when seeking international agreement, the cardinal rule is that no nation state will support any regime that does not yield it a benefit. So any international convention to control the proliferation of cyber weapons most present some advantage for each nation in acquiescence. A “win-win” scenario, to use popular game theory lingo. So from the point of view of the United States, we must examine if it is possible to identify any specific advantages from such a treaty. Here are a few to consider:

  1. Uncertainty Mitigation. The exchange of information between nation states, even if imperfect (as it certainly will be), will lessen the uncertainty surrounding a potential cyber attack or cyber war.  This is because it will be necessary to keep a tab on the development of new cyber weapons by competing nation states. In addition, an international warning and coordination system for potential cyber war will enable the USA to better allocate the correct forces for the attack. In the absence of mutually exchanged information concerning the cyber weapons arsenals of the USA’s strategic competitors, there will be a tendency to over-build cyber-weapon counter-measures, thus wasting resources, and leading to further uncertainty. Finally, getting an insight into the cyber warfare operations and capabilities of its strategic competitors (China and Russia) will be less problematic and more accurate than obtaining an incomplete picture using traditional espionage and intelligence collection methods. In general, any regime that can lessen uncertainty in cyber war would be a stabilizing factor.
  2. Law Enforcement. International enforcement against cyber-based crime currently faces many serious obstacles. A short list includes: (1) extradition of cyber-criminals from one jurisdiction to another; (2) rules of evidence that are internationally recognized; (3) attribution of criminality and responsibility; and (4) variances in definitions of crimes. By putting in place the type of government-to-government coordination required for a successful cyber arms control regime, part of its function, by necessity, would be to distinguish nation-state originating weapons from other cyber abuses. Since these other abuses are by default the responsibility of criminals, this would enhance international coordination and law enforcement to bring them to justice.

 

Advertisements

The Wikileaks Vault 7 “Year Zero” Leak

ON MARCH 7th, 2017, Wikileaks released a giant file of 8,761 documents from the U.S. Central Intelligence Agency (CIA). Wikileaks called the leak the “first full part of the series “Year Zero”.  The documents were stolen from a network that supposedly was “isolated” within the CIA itself.

CYBER-CIA-CHART.001

Figure 1: The structure of the CIA’s cyber weapons development group, according to Wikileaks.

What is surprising about the leak to Wikileaks is that it contains not only documentation regarding CIA development activities, but also the actual code (“several million lines of code”) used in these various exploits.

It appears that these cyber weapons allow almost any electronic device to be hacked for purposes of intelligence collection.

Since there already is a great deal of publicity regarding these weapons, there is no need to discuss them here.

Effect on U.S. National Security

If the leak is genuine, then this is another giant blow to the intelligence community.  It will make it easier now for criminals, terrorists, human traffickers, heroin cartels or others, including other nation states to deploy cyber weapons against the United States. It also will allow these enemies to avoid detection.

It further will erode faith in U.S. technology exports and harm U.S. technology companies.

The persons who leaked the information are traitors, and what they have done will result in people being killed or otherwise harmed. If they are found, then they should be prosecuted.

Wikileaks reports that approximately 22,000 IP addresses located within the United States were targets of these cyber weapons.

The Danger of Cyber Weapons Proliferation

As if they are some type of hero, the leaker wishes “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

This blogger agrees that we should have a debate, but inflicting severe damage against the intelligence community is hardly the way to do it. An alternative debate might be whether or not the leaker should be shot. 

In any case, this leak emphasizes the following dangers of cyber proliferation:

  1. Unlike the difficulties found in nuclear proliferation, cyber weapons can be dispersed and moved around the world in seconds.
  2. It is impossible to determine who has access to cyber weapons once they are released.
  3. Cyber weapons are asymmetric in nature; that is, their cost is a tiny fraction of the value of damage they can cause.

The Need for Cyber Arms Control

This unfortunate compromise in U.S. national security again emphasizes the need for the nations of the world to begin the process of creating an international convention for cyber arms control.  The proliferation of cyber weapons needs to be stopped before there is a tremendous disaster.

 

Highlights of James Clapper Testimony

National Intelligence Director James Clapper; Mike Rogers, the Chief of NSA’s Cyber Command, and Marcel Lettre, a Defense Undersecretary for Intelligence testified today to the U.S. Senate Armed Services Committee. The overall theme of the hearing was supposed to be Russian interference in the recent presidential election in the United States. As it turns out, the intel community has not yet completed its study. Nevertheless, a few notes on the hearing are provided below.

The intelligence community has concluded that Russia interfered with the election and that the plan was directed and planned directly by the Kremlin, including with knowledge of the President of the Russian Federation.

No proof was offered, because to offer the proof would destroy intelligence collection methods.

cyber-war-matrix-001

Cyber War Matrix.

This was a long testimony. Here, the intent is only to report on what was said, that is, the major conclusions that have been made by the intelligence community regarding Russian hacking. The set-up to the testimony by Senator John McCain was tricky. He stated that attacks against election emails were “consistent” with Russian techniques of hacking, but he did not say the hacks were Russian.

2,000,000 personnel records of the U.S. government were stolen by China, according to McCain. “Indecision and inaction” has thus far been the U.S. response. The cost needs to be raised for conducting cyber attacks against the United States. The opening statement from the Democratic side blamed election problems on Russia. These statements were made by Jack Reed, Democrat, Rhode Island, who argued also that Russia takes these actions because democracy is a threat to countries near to Russia, which is in what it claims is its “sphere of influence”.

Marcel Lettre. Threats. DOD defines 5 challenges. Russian coercion and aggression, particularly in Europe. Historic change in Asia Pacific. Risks with China’s destabilizing actions there. Iranian influences in Middle East. North Korea nuclear provocations. And Terrorism fighting, ISIS and Al Qaeda. All of these present a cyber threat.

The DOD strategy is to maintain dominance in this domain. Three missions: Defend DOD networks; giver cyber options to commanders; defend US against cyber attacks. “Cyber Mission Force”  now is operational.

Clapper (DNI). Regarding Russian interference in the electoral process. Said that the Russian tools detailed in the NCCIC report showed how they influenced the election. Russia has increased cyber espionage operations, and has leaked crucial data. China continues to attack US government and US companies. Iran and North Korea continue improve their capabilities. ISIS is using Internet to collect funds, broadcast propaganda, and recruit new members. Cyber attacks can also change or alter information. All of this chips away at the public trust. All instruments of power should be used to respond to cyber attacks. Using cyber to counter cyber attacks. Recommends separating NSA and Cyber Command.

Rogers (Cyber Command and NSA).They are awaiting the findings of a joint intelligence review. Their conclusions still have not been collected. Russian cyber groups have “a history of aggressively hacking into others’ governments”.

McCain first started to discuss Julian Assange. Confirmed that Wikileaks published names of people who had their lives put in danger. No credibility should be attached to his views, according to Clapper, Rogers and McCain.  McCain does not believe Russian actions

“They did not change any vote tallies; we have no way to gage the impact it had choices of the election.” Would that be act an of war if elections were changed? That is a “very heavy policy call”, but it definitely should carry great gravity. No one seems to know what to do if there is a cyber attack. They report it, but remain bystanders.

A “deterrence and response” framework needs to be put into place. There is a conclusion that the Russians interfered in the election. CIA, NSA and DHS will create joint report. They DO conclude that Russia interfered in the election. Rogers (NSA) said largest problem is “speed; speed and speed”.

Fake news sites; fake news stories also were part of Russian actions. A multi-facited campaign. Hacking was only one part of it. It also included classical propaganda,  disinformation, and fake news. Russian’s used “classical tradecraft”, particularly for misinformation, to hide source of the news information.

“People in glass houses should not throw too many rocks”. The attack against the Office of Personnel Management (OPM) was an act of espionage, not a cyber-attack. We do the same type of espionage. “Large data sets have become a particular high priority target” because “it is possible to mine the data”, according to Rogers.

The implication of Clapper’s statement is that cyber-espionage is not an “attack”. This is because every nation does it.

“If there is any connection with the Internet, there is an inherent security vulnerability,” according to Clapper.

Senator Nelson (Florida) compared cyber war to nuclear war. He argued that there is “no deterrence” in the field of cyber. A cyber response to a cyber act “may not be the best response”, according to Clapper. Also, you never know “what kind of cyber-retaliation” will be bought back from the other side. “All instruments of national power” should be used.

If a country launches a cyber counter-attack, then it is necessary to use the infrastructure of other countries, and this brings up a variety of legal issues.

Senator Claire McCaskill, Missouri Democrat, was highly critical of any contact with Assange. He is under indictment by Swedish government for sexual crimes. He exposed information that put people at risk. The “people in the intelligence community do not have much respect for him.”

Conclusions

The intelligence community has not yet completed its report. There appears to be a significant amount of evidence that Russia participated in the election, but there is no hard evidence yet presented. The key actors that oppose the United States are (1)~Russia; (2)~China; (3)~North Korea; and (4)~Iran.

One theme emphasized several times was that there is little strategy developed for responding to cyber attacks. “We don’t have a strategy.”  Also, the coordination needed for a response is very complicated, and takes too long. This prevents the United States from have a coherent and effective response to a cyber attack. “We are being hit repeatedly because the benefits  outweigh the cost”.

There also were indications that the intel community may have an idea of what happened inside the Kremlin. This will not come to light, because it obviously would give away too much information about “sources and methods” of intelligence collection.

In addition, there is no policy of responding to acts of espionage because we do the same.

Bottom line: The current thinking is that the Russians at the highest levels approved of and directed the hacking campaign against the United States. In this context, it means President Putin himself. This is not really good news. Clapper sees Russian actions as being in the same tradition as the Cold War, like what happened in the 1960s.

Below is a rough sketch of the categories of cyber activities under discussion.

 

Prospects for Cyber Arms Control

There are two ways to think about the election hacking. First, there are arguments that political activity should be considered to be a “critical infrastructure”, and the consequence of this would be that such hacking would be considered to be an aggressive attack against the country. Second, the current line of thinking is that espionage (passive information collection) should be separated from collection of commercial industrial espionage, or political interference.

In the Cyber War Matrix, above, cyber arms control would apply to the warfare rows. There will never be any international agreement to limit espionage or active measures.

 

 

 

 

 

 

Making After Before

Intelligence is about finding out about something before it happens.  Detective work is about finding out how something happened after the event already has taken place.

In the cyber world, the detective work is much easier than the intelligence work, although neither are particularly elementary.

Before the fact, and after the fact.  Lets start with after.  A criminal act is carried out.  These days, it is either a cyber act in itself, or it is dependent in some way upon some aspect of the cyber world.  Once a person involved has been identified then law enforcement can get a court order to demand all of the cyber baggage being carried around by the perpetuator.   Phone calls, travel records, banking records, credit card records, social media accounts, emails.  Each of these sources of information give important clues to the network of individuals who are the living system supporting the defendant.  Degrees of separation.  By linking the responsible person to their contacts, and then those contacts to all of their contacts, then by the second or third level the number of affiliated persons becomes very great.

But usually it is possible to determine the wheat from the chaff, and to use the numerous hints given by the cyber footprints left by the perpetuator. It is possible to uncover a network of individuals, places of interest, and even more about what happened before the event.  With good detective work, it is possible to find anyone else involved, and even get hints regarding any future similar event if one seems to be planned.

But finding out things before the fact is much harder.  For one thing, there may be no starting point, no person who can be identified.  This essential first step is easy after the fact, but before is another issue.   So the essence of the problem becomes how to find the subject of interest, the starting point.

This is one of the reasons why in combatting terrorism and its use of social media and Internet, investigators are caught in a dilemma.  On the one hand, there is a need to stop or severely limit this type of activity.  On the other hand, if the activity is cut off, then there no longer remains any cyber clues left regarding the identity of the terrorists or criminals or other subjects of interest.

In discussions over a cyber arms limitation treaty, one of the stumbling blocks is the question of how to determine the source of an attack.  It is the same type of problem.  How to find out the after before it it happens.  Making after before.