Lecture 6 - Cyber attacks: hype or an increasing headache for open societies?
by Dr Jamie Shea, Director of Policy Planning in the Private Office of the Secretary General
All right, so, ladies and gentlemen, good afternoon. Good to see you. I will start with the good news – this is the last of the lectures on NATO's new security challenges, so you won't have to listen to any more of these after today. And then I will give you the bad news – you will have to find a place to go somewhere else for your lunch on a rainy Thursday in Brussels.
But those of you who have followed the lectures over the last few months will know that, of course, this has not been designed as a series that is covering every conceivable security challenge. I haven't spoken about pandemics; I haven't spoken about the population boom, nor about issues, such as water scarcity or even migration flows. Indeed, there are a lot of security challenges out there, but I have tried to zoom in on those six challenges, which are most likely to be on NATO's agenda in the next few years and which, of course, are the challenges that Madeleine Albright and her group of experts are taking up within the context of NATO's new Strategic Concept.
So, you recall, we started looking at proliferation, we've looked at terrorism, we've looked at energy security, we've looked at climate change, last time – at failed and failing states and today the last major issue, of course, cyber. Now, I mention this because at the back of my mind and probably at the back of your minds, as we've had this series is the question “Well, are these six challenges of equal priority for NATO?”, “Should NATO be devoting its resources equally by cutting them into six equal portions to these six challenges?”, “Are some more dangerous than the others?”.
And this is the question, which I am going to try to answer at the end of my lecture today. Are there one or two of the challenges that I've described, which should, perhaps because of their imminence or their potential destructiveness, have a higher priority ranking than others. So, I’ll leave you in suspense, if I can, for the next 40 minutes or so before I get to that question, but I think it's the one that has to be answered if this series is to be, at least from an intellectual point of view, successfully concluded.
But before we get there, let's look at cyber – an issue, as you know, which is now increasingly in the newspapers and increasingly the focus of all kinds of think-tank and government reports and studies. Now, it's obvious that the most dramatic developments in human existence over the last 20 years has been the incredible growth in information technology. I am one of the very few in this room who actually lived through and remembers the pre-Internet age, which, I imagine, for somebody of my children's generation is like having lived through the Stone Age.
The time when you had to, if you wanted information on an American University course, you had to write a letter, enclose a stamped address envelope and wait for one month, if you were lucky, for something to come back in the post. Now you download the information, of course, and the application forms in a fraction of a moment. Today virtually the whole of human existence, whether private or professional, is moving into cyber space. Most of our lives will increasingly be spent in that virtual world. We communicate online, we do our banking online, we pay our taxes online, we go shopping online, we express our political opinions online. We even get married online! Or at least we find our partners that way! When for my generation if you wanted to find a marriage partner you had to go to the Club “Mediterranean” and spend a lot of money getting yourself to a distant Mediterranean beach in the hope that you would be successful. No more do you need to do that.
Now, of course, we all know that one of the great challenges of the 21st century is “Will we be able to transfer to the virtual world, the world of cyber space, where more and more of our activity will be happening, the same rules, the same regulations, the same behavioral understandings that we've tried to achieve in the physical world?”.
My wife works for the music industry and there the difficulty of transferring issues, such as copyright, for example, into the virtual world has been devastating in terms of the volume of sales of CDs and the revenue of the music industry, which has fallen virtually by two-thirds. In fact, it's also not just the question of new standards, but of developing entirely new business models. And, of course, the big question, particularly when you look at cyber is “Will the next 20 years see the same phenomenal growth of the Internet, as the last 20 years, and therefore, as the use of Internet expands to ever more parts of the globe, will the cyber protection, cyber vulnerability issues also expand at the same exponential pace?”.
I’ll try to answer that question today. But already since the middle of last year we are in the situation where the number of personal computers in the world has passed the 1 billion mark. We are now in the situation where more than half of humanity has a mobile phone -- 3,5 billion are now currently in circulation. And therefore, of course, the number of vulnerabilities, the number of potential attack routes has grown in line with the expansion of the number of systems.
Now, of course, this can sometimes have amusing overtones. Many of you remember when the Spanish EU Presidency kicked off a few weeks ago we had on the Spanish official web-site not the picture of Prime Minister Zapatero, but the picture of Mr. Bean at least for a couple of days! In my country there was some amusement that the wife of the incoming Head of the British Intelligence Service Sir John Sawers put on her Facebook site all of the details of his movements: where they went on holiday or dinner parties with their friends… now, that was, I must say, not an actual cyber attack, that was basically negligence, bad personal security on the Web and I have a few words to say about that in a moment because, obviously, not all compromise of information is the result of a deliberate attack.
Indeed, negligence and bad security is still responsible for the massive proportion, even today, of illicit information transfers and compromises. But more and more what we are seeing is that hackers are not doing this for their own personal reputation or glory, but deliberately for profit. And companies are being increasingly the victim of cyber attacks.
The recent poll in Germany found that 40 per cent of all of the German companies consulted had experienced significant cyber penetration and loss of information, commercial secrets over the last year. And, of course, we've had in the last couple of days this massive attack against Google launched from China, which not only involved Google, but 24 other companies. And, of course, it's not only the commercial compromises that result from that, but also the fact that e-mails are then accessed, which give access to other people's personal information and, indeed, a number of human rights campaigners using Google have potentially been compromised as well.
So, we see cyber not only as something, which is used for commercial gain, but can also be an instrument of state repression in many respects, as if it's used to spy on one's own population by gaining access to their private e-mails.
We've also seen the increasing use of cyber attacks to promote political information campaigns. Those of you who remember the Copenhagen Climate Conference last year will remember that just about a week beforehand, two weeks beforehand, somebody hacked into the database of the University of East Anglia, the Center for Climate Change, which is one of the most prominent ones in the United Kingdom, downloaded the whole mass of e-mails, which were then exploited to show that even climate change scientists have doubts about the seriousness of climate change, or the speed of climate change. This was, of course, grist to the mill of the anti-climate-change campaigners just in the run-up to Copenhagen.
And, finally, and this is, of course, particularly coming from NATO, going to be one of my themes today – we've also seen the increasing vulnerability of cyber space when it comes to defense operations. One of the most spectacular things, just before Christmas, was that by capturing fortuitously a computer belonging to an Iraqi insurgent group the Pentagon learned that, in fact, those insurgent groups were able to hack into the American Predator drone system operating and actually download the video that was being filmed by the drone and all of this, apparently, was made possible because of a “Sky Grabber” system, which is available on the Internet for as little as 25 dollars.
So, cyber is different from the normal type of attack. Normally, you know that you're being attacked, and pretty soon afterwards, but it could be weeks, months, years sometimes after an attack is initiated before you actually know that you've been attacked, your systems have been compromised and you've been attacked. Here we must also, ladies and gentlemen, keep a distinction, which is not always made. You obviously know that you're being attacked, if your systems are paralyzed, if they cannot function any longer and we obviously think of Estonia – I'll come back to that in a moment -- in 2008. Other states or companies that have been subject of these paralyzing attacks, but most, 90 per cent of cyber attacks are basically to download information! Confidential information. To drain information out, which means that you can perfectly use your computer and all of the other systems, while this is taking place, so you don't actually know that you have been compromised.
Like in the case of the Pentagon and the drones over Iraq, often it takes a lucky discovery before you know that something has happened.
So, the question, I think, we have today is “Are cyber attacks going from a kind of inconvenience to a WMD?”. And the WMD can have two meanings: either a “weapon of mass disruption” or a “weapon of mass destruction”. There is, of course, a difference of proportion between the two. Well, at first sight, yes, the problem is increasing. Cyber is the ultimate in asymmetrical warfare. First of all, anybody can do it. You don't have to be a state spending billions of dollars on technical capabilities, which is certainly the case for nuclear weapons, or chemical or biological weapons or air forces, or armies. Now, you only have to be an individual with basic training and a computer. So, there is a tremendous disproportionality in the damage that one computer can do to, potentially, millions of computers in an adversary's system. No other weapon ever known in history has that inverse proportionality. As nobody gets killed, at least until now according to my research nobody has yet died of a cyber attack, the sense of outrage or the need to retaliate is obviously less than what would happen in 9/11 terrorism where people are directly killed.
You can very effectively cover your tracks, it often takes months, a very punctilious investigation for a whole range of countries and jurisdictions before you can be certain that you know where that attack came from. By the time you are able to finish those investigations the attacker has dismantled the system, has changed his or her web address or whatever and has moved on as well. As one analyst put it at the conference I was at the other day, the cyber is, if you like, the conflict between “the strong and the complacent” in Western societies and “the weak, but motivated”. In other words, the ultimate asymmetric weapon.
The other thing, of course, which I think is interesting about cyber – and this point was made by the Chief of the British Defense Staff recently, Sir Jock Stirrup -- is that cyber is unlike previous conflicts. Previous conflicts are normally war and peace. Although, we did, of course, have the Cold War, which was a state of enduring tension – but, you know, the weapons are used and then the weapons fall silent – yes? – Until those weapons are used again. So, we have distinct phases between war and peace, but cyber, as Sir Jock Stirrup put it, means that the switch is always on.
In other words, whatever the state of international relations, in terms of the potentiality for physical conflict, cyber probes, cyber testing, cyber attacks never end. It's even calculated by some analysts that countries, such as China have assembled within the people's liberation army up to 100,000 operators who work full time, as a full-time 9-to-5 job, in probing the systems of other countries and it's also calculated at the moment that about 100 countries in the world – 100 countries, which is the majority – are actively developing offensive, not defensive, but offensive – cyber capabilities.
The company that helped me with my research for today's lecture, SYMANTEC, American-based company, which publishes a very useful, by the way, Annual report on cyber vulnerabilities, mainly in the private sector, but still very good – this company calculates that an attack takes place every quarter of a second! 1.5 billion attacks take place every day and, as I said, unlike previous weapons, these attacks can be organized from anywhere in the world against anywhere in the world.
Of course, one of the reasons for this is that there are more potential viruses, BOTs or whatever, that can be used. About 10 million computers are calculated to be, if you like, BOT-computers or contaminated computers involved in cyber attacks at any one time.
Even in NATO with our own systems it's calculated that we face sometimes more than 100 different attacks or at least attempts to get into our systems with every single week. That means, if you look at the statistics, a phenomenal exponential growth in viruses. SYMANTEC calculates that as little ago as 2002 there were 20,547 malicious codes. That number had gone up to 113,025. These figures seem to be incredibly precise, but those are the figures by 2005. By 2007 the number had gone up to 600,024 and last year 1,656,000 and I was told that by this year, 2010, about 3 million identified viruses will be in circulation.
That means – you know I love the statistics – that if your chance of being struck by lightning is one in 26 million, your chance of being involved in a car accident is one in 300, your chance of getting a snake bite is one in 42 million, but your chance of being a subject to some kind of cyber infiltration or attack is one in 5!
So, this is a truly universal problem and, of course, what worries analysts as more and more information is put onto the web, for example, if you look to the Financial Times yesterday there was a very interesting report. It was an interview with the US Deputy Secretary of Defense William Lynn where it was reported that one attack apparently launched from within China – one single attack – managed to download more information, illicitly, than is contained in the US Library of Congress!
Somewhat mind-boggling yes, but as more of the basic critical infrastructure of our daily lives becomes digitized, whether we are talking about power stations or transport, networks, air traffic control systems, of course, hospital systems or whatever. Then, of course, the ability of attacks not just to compromise information, but in fact to paralyze systems increases.
Now, interestingly enough, according to SYMANTEC, the majority of data breaches occurs in the field of education (27 per cent), government (20 per cent) and health care (15 per cent), but coming back to what I said earlier, interestingly, 57 per cent of all of the breaches is due to theft or loss, when about two years ago the UK government had this unbelievably embarrassing story that the details of all of the social security recipients in Britain, which were on one computer disc, had disappeared.
That was, of course, a boom potentially for criminals with details about bank accounts and so on, but it wasn't a result of a hack; that was the result of somebody mishandling the disc. Indeed, a recent poll of a number of companies in Western Europe revealed, and I am not sure if any of you here today are also going to confess to this, but that 59 per cent of employees admitted to taking company information home. One in ten reported that in the last two years they had lost a laptop, a smart-phone or a USB flash drive as well.
So, bad policies, in other words, lack of security, bad practice still accounts for about, well, the majority almost, of cyber compromises.
Now, that's the good news, ladies and gentlemen, but before we get to the more worrying news that's the good news. In other words, it does suggest that if we tighten up our security arrangements we can potentially eliminate, according to NATO source that I've consulted on this, up to 90 per cent of potential compromises of information.
Crime is still responsible for about 90 per cent also of all cyber compromises. Some statistics, for example, a report by the former Director of National Intelligence in the US actually put the damage to the US economy at up to 100 billion dollars per year over the theft of confidential commercial information. Other reports that I've consulted put it at far less – around 1 or 2 billion dollars a year. I admit there is a big difference between that, but we know that nonetheless anything over 1 billion dollars is still rather significant.
One particular hack in the United States managed to steal the identities of 8,4 million Americans – 3 per cent of the population. One credit card company – I won't give the name – calculates that one attack managed to steal the details of 94 million of its credit card users! And that credit card company also reported that every breach of confidential information cost the company 67 million dollars to repair.
What is that information for? It's basically criminal gangs who then sell it. Credit card info, identity info, bank account info and so on. Unsurprisingly, because of its broadband and its number of connected digitalized citizens, the US is the top country for malicious activity – 23 per cent. China – 9 per cent, growing fast as well, which means, though China is often, in the newspaper reports as a country where much of the cyber activity takes place, it's also a country, which is increasingly the victim too of those cyber attacks.
It's interesting though that many of the NATO countries are on the list: Germany – 6 per cent of the number of attacks, the UK – 5 per cent, Spain – 4 per cent, France – 3 per cent. And as the access to broadband increases, other countries are coming onto the list: Brazil, Poland, Russia, Turkey, India, are the ones that I've covered recently.
At the same time, this, of course, has led to a massive investment in cyber defense. The US Congress last year appropriated 7,3 billion dollars (massive amount!) simply for the protection of government computer systems and you have to add that to the billions of dollars that private American companies are now spending and the company, again, which was very helpful to me for my research, SYMANTEC, also reports that they now have 240,000 centers in over 200 countries of the world and they are now monitoring over 130 million systems, gateway systems, in their database. So, clearly, this is going to be – whether you're a criminal or whether you're defending yourself – an increasingly financially strenuous area.
Now, I mentioned that a lot of the answer lies in better security. So what should we be doing if 90 per cent of the solution is in our hands? Well, the first thing is that cyber attack is a bit of a misnomer. Attack sort of suggest that you have to, sort of, force your way in, overcome resistance. But, of course, that's not the way it happens.
Attacks happen because the software lets you in if you simply find the right approach.
So, obviously, in terms of protecting, the first thing is that we have to expect to be probed. We have to consider that this is the norm rather than the exception. And we obviously have to sponsor research, which is clearly going to find ways, first of all, of being able to detect attacks and secondly which is going to test the vulnerability of our systems.
George Marshall, one of my great heroes, the founder of the Marshall Plan, he had a phrase. At the end of every meeting Marshall would always say: “Right, well, tell me what can go wrong”. That was his phrase, all the time. And I think we need to answer that question also – what can go wrong?
We need to sponsor research in that area. We also have to create standards in computer network defense. I am struck that many organizations run a number of different computer networks and interestingly some have much higher standards of protection than others. One thing, which is classic, particularly in military systems is that people tend to protect the networks, which contain secrets. But if you're in Afghanistan what's the most important computer network? Logistics! But logistics doesn't contain secrets, so it's less protected. But it can be far more important to run a military operation than the network, which is, in fact, protecting secrets.
Government also has to promulgate standards, like it does for chemical industries or nuclear industries – safety standards, also for companies in the area of cyber. And I also believe that one of the things that the government is increasingly going to do is to form some kind of back-up system where industry can relocate, if key industries, like health or food or water are subject to cyber attacks. For example, after the Georgian attack in 2008, which was the prelude to the conflict in Georgia, the Georgians were able to re-host their information systems on an American Internet service provider. So we need an international form of cooperation whereby countries that are subject to attacks are able to, as I said, relocate elsewhere very quickly.
Another area is cyber forensics. You may recall, ladies and gentlemen, when we spoke about proliferation, at the very beginning we spoke about nuclear forensics – can you actually sort of find out from a particular fissile substance where it came from, does it carry a signature? And I think increasingly of cyber forensics – can we, sort of, find out from a particular style, a particular methodology, a particular sort of code that country X is behind this rather than country Y?
We also need deception. All classic wars or any type of competition has an element of deception. My favorite story, which is well-known is the one, in which the American and the British created a fictitious army, the American First Army in Kent, Sussex in WWII under General Patton with tents, with rubber tanks, with cardboard aircraft to fool the Germans that the attack (remember D-Day?) was going to come across the Pas-de-Calais into Boulogne and Hitler believed it! And therefore left Normandy where the real attack occurred comparatively defenseless. If the German troops in Pas-de-Calais under General Rommel had been in Normandy on D-Day God knows, God knows how WWII would have ended...
We need similar deception against cyber attackers. They are trying to deceive us, so we have to deceive them. There are things, which I am not technically able to understand, which include honey pots or honey nets and so on, which you can use to sort of attract a cyber attacker and then learn about the techniques that he is using in order to see what he knows about you and therefore plug your vulnerabilities as well. We have to use far more safety measures, like authentication codes, so that you know that the information is coming from the person who says that that person is providing the material. We need more encryption as well. It sounds very military, but in our private systems as well.
Now, ladies and gentlemen, all of this debate, of course, has now prompted a very important question, which is “How can we defend ourselves against this type of activities?”. As you know, any military person, strategists will look at this: there is defense, there is deterrence and there is counterattack. These are essential principles of strategy and you do have, of course, a whole group of people who believe that the cyber world is not different from other areas of military activity, which is to say that you can't rely upon defense alone.
William Lynn, I quoted him, who was on the Financial Times yesterday, the American Deputy Secretary of Defense was saying “We can’t have a “Maginot Line” here. We cannot simply wait to be attacked. No, you've got to have some sort of maneuverable facility” and I've read whole papers, for example, from the American Academy of Sciences on the issue of cyber attack, in the sense of counterattack, the defender counterattacking, and deterrence. My own feeling after having looked a lot of this is that defense is still probably the best option that we possibly have, improving our defenses.
Why is this? Well, essentially, as you can imagine, because deterrence is difficult. Deterrence relies upon the other person having assets, which are as valuable to him, as your assets are to you. So, in the Cold War it was that, if you destroy Moscow, I can destroy New York. That's equivalent and therefore I hold that hostage, so we both lose equally. The problem, as I said, ladies and gentlemen, when it comes to cyber is that the asymmetry doesn't make this happen – that your, sort of, water system is much more important to you than the attacker's one single PC is to him.
So, how can you use deterrence if you can't hold something hostage? Indeed, most analysts feel that you have to go outside cyber to deal with this issue. For example, if you know that country X is launching attacks on your system you probably send the Prime Minister to go to that country, as Chancellor Merkel went to Beijing some months ago and you raise the issue publicly or you use diplomacy or you use economic sanctions or you take the issue to the UN because of unfriendly behavior, but deterrence within cyber where you're dealing with this asymmetry is very difficult.
You cannot disarm, you cannot have a disarmament treaty as much as you would like to have one, as you have with nuclear weapons to sort of get rid of the other person's assets when that person can buy the means to re-constitute a cyber attack so cheaply. There are BOTs, for example, which you can buy on the Internet now for as little as 25 cents. The price is coming down all the time. The only good news, by the way, in cyber is that as the price of the bugs goes down, the actual price of firewalls goes down as well. So, that is at least something that we can build on.
Similarly, with retaliation, counterattack. The problem here is – what if you get it wrong? Who has attacked you, because you do it over-hastily? One of the problems with cyber attacks is what the experts call “false flags”. It's very easy for somebody to disguise. So YOU are attacking me, but I think it's YOU. Because you disguise under a false flag your identity and therefore I attack a third party who then gets involved in a cyber confrontation against me because that person says “why me, why you attacked me?”.
The other thing is, as a very brilliant analyst called Martin Libicki who writes very interestingly on these issues, has said, I quote: “Digital clarity is a property of high-definition television, not cyber war”. In other words, electrons do not always behave in the way that you want. For example, one problem is that you may, if you attack somebody else's systems, not only sort of dismantle the thing that you're trying to attack, let's say a military system, but lots of civilian infrastructure at the same time. Nobody wants to counterattack against the military system and end up by putting, for example, a hospital incubator out of action. There would be the consequences of international law for that sort of thing happening.
There is, of course, a big difference here, conceptually, in terms of an attack, which causes inconvenience, such as espionage, which has been going all, we all know, since the beginning of time. -- The world's second oldest profession, as it was often called in the old days, and cyber is simply another form of human intelligence so it's much cheaper to do it by cyber than having to recruit spies and send them to a country to gather information. So, that cannot really be called a casus belli – something, which would start an actual confrontation, particularly if nobody dies. So, at what level does a cyber attack actually become a NATO Article 5 or a casus belli, which you believe that you are dealing with the equivalent of an actual physical attack of the same standing?
Robert Gates, the American Defense Secretary, has said, I quote: “We need a declaratory policy about which level of cyber attack can be construed as an act of war”. But so far we lack that type of definition. In the same way, as I said, in my terrorism lecture: it's very difficult to know when a terrorist attack is of a magnitude, which should instigate an Article 5 collective response or a military response as well.
Another thing, of course, is that people sometimes don't like to admit they're being attacked. It's embarrassing to admit that your system has been penetrated. If you're a bank the last thing you want is to tell to your customers that all of their credit card details have been stolen. There is a temptation to keep it quiet to avoid embarrassment while you try to improve your system or deal with the issue quietly with the party that you feel has been attacking you. If you go public, then you get into all kinds of problems of posturing, of face-saving, you know, not being seen to lose face, public pressure and so on.
The other thing about, by the way, public instincts is that other people may decide to attack on your behalf when you don't want them to. For example, you remember the Estonian, the famous Estonian cyber attacks of a few years ago, which for three days had a very damaging effect on the public administration systems of Estonia. A lot of that was caused by the emotional reaction to the Estonian decision to remove a Soviet statue from the center of Tallinn, you remember? And therefore many of the people who instituted that attack may have been what we call “patriotic hackers”. People who say “I am not waiting for the government to hit back, I am going to do it on behalf of the government”.
NATO suffered in 1999 a major ping bombardment during the Kosovo air campaign and, again, these were very much people who were sympathetic to the Serb cause internationally – the diaspora – not waiting for Belgrade to do something, but saying “we are going to do it on behalf of the government” and therefore how can you control these people who may then precipitate a diplomatic crisis by thinking that they are doing what you want them to do and that they're acting on your behalf?
So, ladies and gentlemen, I think when we come to going beyond defense into deterrence or counterattack – not that governments won't develop capabilities or look at this if only, again to deter attacks, but they are fraught with all kinds of legal, and technical and procedural complications, which still, to my mind, makes defense the best policy.
But, of course, it's got to be an intelligent defense. A person I spoke to recently showed me two photos on this. He said: “Jamie, here's the Great Wall of China and here are the walls around Istanbul (Constantinople)”. And the Great Wall of China was just one – not the Chinese firewall, but the Great Wall, which means you only have to breach one defense and you're in. Istanbul was interesting – it was a series of walls, which means that, therefore, as the first line of defense doesn't succeed, others are behind. This strikes me as a good way to go.
Now, at the end. Strategic implications. From a point of view of the strategist, cyber is a worrying, yes, but a fascinating subject. The key issue, of course, is to what degree does this go beyond a societal threat, an inconvenience, a commercial problem to become a threat to, sort of, our societies, which is what we associate classical war with?
Here strategists tend to divide into two camps. There are those, like, for example, Bruce Berkowitz, well-known American war commentator who, [in his book “The new face of war”] says: “The main message is this. The information revolution has fundamentally changed the nature of combat. To win wars today you must first win the information war”.
So, in other words, war in cyber space, and only in cyber space, is a decisive, sort of, campaign in its own right. You know, you can actually win the war just in cyber space without doing anything else.
Other well-known strategists, like Colin Gray, University of Reading in the UK, is somewhat more skeptical and believes that cyber warfare can win battles, but not the actual war itself.
My own sense, having sort of, looked at this, is to be more on the side of Colin Gray than Bruce Berkowitz. There is no doubt, ladies and gentlemen, if any of you studied history of warfare, that a technological advantage gets you a very long way. The whole history of WWII is that there was, on the one hand, a campaign fought on the battlefield – Stalingrad, Normandy, elsewhere – but there was, of course, another campaign, which you can argue was almost equally significant, which was being fought in the laboratory, the decisive breakthroughs there when the British broke the German navigation beam technology, which was used in the German bombing campaign against the UK in 1940.
Of course, then there was the great battle where the British broke the Ultra Code used in the German “Enigma” machine so they could read the German cable traffic as well.
Those, of course, gave the UK a significant advantage or the Allies a significant advantage, but I don't believe, ladies and gentlemen, frankly that anybody would argue that that and a lot of other breakthroughs alone were really what won the WWII for the Allies. What won was ultimately having to go all the way to Berlin, on both sides, and bring about the end to the Hitlerian regime in that way.
So, if you look at Clausewitz who said famously that war consists of four elements: danger, exertion, uncertainty and chance. I would say that information superiority is something that certainly helps you to lessen the impact of those four elements, but you can't eliminate them altogether. One thing is to have superiority of information, another thing is to know what to do with it. And I think WWII is a very good example where the country, which was the most technologically advanced of all – Nazi Germany – in many, many respects: the best scientists, the best technology, the first to invent, you know, the rockets, V-1's, the V-2's etc – ultimately still failed to win.
It's all about morale, discipline, training, leadership, public support and, of course, having the right strategy at the end of the day. So, I do not believe that cyber attacks are going to be any more the kind of “miracle weapon” that wins conflicts in itself any more than, for example, air power was in the 1920's and 30's. There was a tremendous fear in Europe that air power would be such a decisive weapon that once used populations would give up immediately. Stanley Baldwin, British Prime Minister has said: “The bomber will always get through”.
When it happened, on both sides: the German blitz against the UK, the US-British bombardment of Germany from 1941 to the end – when it came, air power achieved far less, far less than the proponents of it believed. It did not break the will of population, it did not stop the German production of aircraft or ball bearings or whatever. Indeed, Richard Overy who is Britain's best historian of WWII, looked at this very closely and concluded that, yes, the Anglo-American air campaign against Germany did have a very big impact on the WWII, but not because it did what it was intended to do – break German infrastructure, break the will of the population, paralyze the German economy – but because it forced Germany to take so many assets out of the Russian campaign on the Eastern front to devote to air defense against the bombers that the Germans left themselves short. It was more asset transfer rather than disruption as such. I find that a convincing argument.
So there's no therefore evidence, to my mind, that cyber will sort of revolutionize the basic nature of war any more than the nuclear weapon has done, or any more than the air power has done at the time. What happens is that we learn to live with these weapons ultimately and integrate them in our strategy.
So, therefore what is the implication of cyber attacks in this respect? The first thing that I believe is that it can give you a short-term advantage at the beginning. Rather like WWI shelling the enemy – you remember? – at the Western front, softening up the enemy before you went over the top and moved the troops in. It was a prelude to combat. You know, you try to sort of paralyze, “shock and awe” during the Iraq war in 2003 – you tried to paralyze adversary's communication systems so that there is less resistance when the troops go in.
What we found so far is that impact of cyber attacks is rather short-lived. For example, Estonia in – what was it 2007, 2006, 2005? – anyway, a few years ago, recently – the one that had most publicity. The attacks were very short-lived. They were short bursts of about one hour each time, very few longer, and after three days the Estonians patched their systems and were back up and running. So, in other words, you suffer a temporary setback, but very quickly you reroute your system, you put a patch on and you're up again. So, the impact of cyber is surprisingly short-lived.
So, it's best if it's done by surprise, but, of course, to the extent we expect to be attacked and we are constantly building defenses against the probes. The element of a mass cyber surprise can be somewhat restricted. So, that's therefore where I see cyber as intervening.
Secondly, I think that there are some principles that we need to look out for. The first one is that we have to build a disincentive to somebody to try to attack us first by making it more complicated, by quicker responses and by being out to anticipate the attack is happening. Secondly, and these are intellectual problems, we have to prevent a cyber attack from turning into a real war. The problem, as you know, ladies and gentlemen, with strategy is that sometimes needling each other -- remember the Arabs and the Israelis in the past before 1967, before the Yom Kippur war of 1973 -- you know, needling each other, just testing each other can get out of hand. There can be a miscalculation by one side, and suddenly, you know, instead of having a little sort of boxing game you're in a real war. So how do you prevent this kind of constant cyber attacks from turning into a real confrontation? How could we deescalate and not just escalate?
Thirdly, how do we know when a cyber attack has been terminated? What guarantee do we have that the other side says: “Well, I am giving up now, I've stopped, we can sign a peace treaty, I promise not to do it again”, as opposed to just a pause before the whole thing starts up again. We have to work our way, to my mind, through those three key issues.
And then, finally, ladies and gentlemen, international law. What can we do to bring about a new sort of international regime, which could produce a consensus that cyber attacks are criminal offenses, which will be punished as such, not just as, you know, boys in garages, teenagers in garages having some fun to amuse themselves in the evening and which could act as a deterrent, particularly, as I said, when you can't have “computer disarmament”.
Well, I think, first of all, there can be a law vis-a-vis Internet service providers, an international agreement that they are responsible for the malware or spyware or adware, whatever, that passes through their systems so they have a responsibility for policing their systems. They are not just passive transmitters. Finland, for example, has a very effective legislation regarding anti-spoof activity on Internet service providers. That's perhaps a model that can be looked at.
Secondly, there has to be, if you like, a standardization of legislation that cyber attacks are treated equally wherever they occur. For example, Argentina is the case where, I am not sure if this is the case today, but a few years ago cyber crime as such was not recognized and therefore hackers could go free and you cannot anymore than want havens to terrorists in Yemen or in Afghanistan, you cannot want safe havens for hackers in areas where legislation is far less strenuous.
Thirdly, you need international conventions with teeth. The problem at the moment is we have Council of Europe Convention on Cyber Crime, but where there is no implementation or enforcement mechanisms, these things are nice in the moral sense of condemning attacks, but don't have teeth. One problem is that Russia has had hesitations about this Convention because it does not like the idea of international officials or the law enforcement agents of other countries being able to play a role in Russia itself. You know, all countries are very sensitive about the law officials of other countries having jurisdiction on their territory.
Forgive me for my historical analogy, but when I did my research into the origins of the WWI at university I was really struck: you know, in 1914 Serbia rejected an ultimatum from Austria-Hungary, remember? But what maybe you don't remember is that the Serbs accepted every single point of the Austrian ultimatum, except one, and that caused the WWI, which was that they would not allow Austrian judges to sit on their courts. That was it. That was the deal-breaker, which produced the WWI. So, that is a sensitive issue, but still the international legal convention is something that has to be looked at far more.
So, ladies and gentlemen, where are we? I think on cyber, like everything else, no panic, no paranoia. Particularly, as I said that 90 per cent of infiltrations can be stopped through better security procedures. That's the first thing. Secondly, this is not the equivalent of a classical weapon. If a major nuclear exchange took place in the world we could go back to the Stone Age. If all of our computer systems were paralyzed tomorrow by some unbelievable hack, we'd go back to the 60's. What's wrong with that? Well, I am being a bit facetious, but, you know, we had cars in the 60's, we had TV sets in the 60's, we had refrigerators in the 60's, yes, dishwashers, you know, it was a pretty comfortable time. OK, we didn't have everything we have today in terms of information. Things were a bit more primitive, but it's not the Stone Age, so we have to keep essential proportion.
And also, societies are incredibly resilient, ladies and gentlemen, to efforts to disrupt them. I mean, I mentioned the bombing campaigns of WWII where the sense that people would panic, would desert, would never go back to work, those fears proved totally, at the end of the day, overplayed. The brave citizens of Sarajevo withstood a siege from 1992 to 1995. We are more resilient, frankly, when confronted with this type of problems than we think we are, but that said, no complacency because we don't know how this is going to evolve over the next few years and the potential of cyber attacks is major.
I read, for example, one article in Foreign Affairs recently by Wesley Clark, the former Supreme Allied Commander, which claims, and I don't know whether this is true or not, but it claims that when the Israeli Air Force attacked the Syrian reactor – you recall? – which was covered by secrecy and the details came out later. The article claims that the Syrian Air Defense did not operate against the Israeli Air Force because of a bug, which was activated inside the computers of the Air Defense system, which could then be put out of action before that took place. If that kind of level of sophistication is possible, then it's clear that as long as our military systems, we see this, with network-centric warfare, the revolution of military affairs, require increasingly digitized weaponry, digitized communications and so on that we could be vulnerable, not necessarily to a defeat, as I said, the effect is likely to be temporary, but at least a major setback and I do not want to eliminate the possibility of massive loss of life flowing from this.
So far, all of the research I've done and I don't claim to be the world's expert on this, but all of the research I've done only came out with one example where an American generator was put out of action in a minor explosion by a cyber attack. We've had examples of disgruntled people in Los Angeles putting the traffic light system out of action, which could cause car accidents and deaths, that's true, but, as I said, so far it's mainly the systems fail rather than people die, but there is no room for complacency, as this goes on. So, no panic, but no complacency either. This is like nuclear weapons, like something that we simply have to learn to live with in our lives, as we go forward.
That said, as I come now to the end, looking at the six challenges what would therefore I recommend, if I were able to recommend, to the people developing NATO's new Strategic Concept about the challenges?
Well, clearly, the first conclusion would be: “We have to keep an eye on all of them”. The art of strategy is not cutting up your resources six-fold, like one-sixth for this, one-sixth for that because that often means that you won't develop any progress on any of them through too modest an investment. But the other strategy is to keep an eye on things, so even though you're dealing with priorities, you're nonetheless tracking what is going on in other areas and if these other areas suddenly develop into a massive existential threat you don't start from scratch, you have the policies, you have the knowledge, you have the technologies to deal with them.
But, that said, looking at all of the challenges I would nominate two to be at the top of the priority. The first one is proliferation. Why? Because, as I said, so far, thank God, cyber attacks have not led to massive loss of lives and the primary function of an Alliance, like NATO, is to protect the lives of its populations and, as far as possible, the lives of other people. At the end of the day, dying from a bullet is much worse than having your bank account shut down for two days in a cyber attack. You can survive that and you can recover. And today, whether you like it or not, the one thing that can kill millions of people is a nuclear exchange and, I said in a previous lecture, that proliferation is now a reality. Not that that worst case scenario was going to happen, but we can't say that it's excluded either. So, to my mind, preventing that proliferation nightmare through arms control, through missile defenses and so on should be at the top of NATO's priorities.
Secondly, ladies and gentlemen, failed states – the subject of my lecture last time. Why do I nominate this? Well, because it's going to be such a universal problem. I came out with 60 failed and failing states last week and because, as I said last time, we've seen how these failing states cannot only be a miserable experience for their own populations in terms of women's rights, human rights abuses, the death of innocent civilians, the exploitation of natural resources by criminal networks, the syndrome of Michela Wrong – “it's our turn to eat”. “It's Our Turn to Eat” is the name of her recent book. In other words, one ethnic group takes power and takes revenge in terms of monopolizing resources, giving them only to its ethnic group because it feels that it's its turn to eat. It's been excluded from power for too long. But it's not these failed states are not only a menace to their own population, but in terms of playing host to criminal networks, terrorist networks, illicit drug production and so on. We've increasingly seen that they contaminate our security before too long as well.
So, if for both strategic reasons, but also for humanitarian reasons I put failed states, proliferation on the top of my list. But, as I said, you never know – everybody who predicts the future gets it wrong. I would be no different from anybody else in that respect and we should keep a close eye on these other challenges in the hope that they do not reach the priority level of the first two, but knowing that that could still, yet, happen to us.
Thank you very much.
Q: - I don't know if it's relevant for you here, but why would the hacker hack the health system?
Shea: - In a sense, it's to basically steal secrets and information, which have some kind of commercial value for re-sale. Commercial value for re-sale, yes. Which can be, for example, you can use confidential information on patients, for instance, which can be sold to pharmaceutical companies, as well as results of lab tests, results of drug tests and so on. That's one thing. There are a lot of organized criminal networks around that share this information to each other.
That said, it's true that the financial institutions of the world are the ones that report suffering the greatest number of attacks because the dream of every criminal is to be able to, sort of, transfer money from legal account into illegal account, but the statistics do show up that health features very strongly indeed.
Q: - Thank you. Seeing the vulnerability of cyber space, how do you see e-governance progressing in the future?
Shea: - Well, I think now, of course, with all of the security issues we are in a situation where there are two basic approaches – and this comes out in climate change too – when you talk about governance. The first one is the idea of universal regimes, like, for example post-Kyoto Universal Climate Change Agreement, but if that's not achievable or if that would be meaningless, because it would be the lowest common denominator, then the second approach is sort of regional agreements. You see that in trade as well – if you can't have a global, WTO trade agreement – a Doha Round – you go for regional agreements. One has recently been launched in Asia – a free trade regime. And you hope that more and more people join those regional agreements and, gradually spread and in time they set the universal standard.
I think in cyber what we are going to see, for example, in organizations, like NATO, that bring together like-minded states, is increasingly the attempt to forge, sort of, internal arrangements, which protect the interests of the organization and in the case of an organization, like NATO, because you can add all your partners, then it becomes more universal.
For example, I mentioned last week that we have in Afghanistan 15 non-NATO countries participating in operations, well, those countries – Sweden, Finland – have to have the same cyber protection for their intelligence, for their command, communication arrangements, as Allies. And, in fact, we can't afford theirs to be compromised, because if theirs is compromised, everything is locked together, ours would be compromised.
So, my sense is that we will go for the sector-by-sector type of arrangements. Private companies will come together to exchange best practice, for example, to establish an effective early warning system as well. One of the problems is that there are so many areas of vulnerability, for example, the software, obviously, the hardware.
Manufacturers could put into the system before they deliver it to you, a virus that you don't know about. It happens. For example, in my country, the UK, after WWII we gave the German “Enigma” code machine away to a number of countries... with bugs in. Very good, eh? So, you never know that the hardware has been compromised before you even buy it.
And one of the issues, by the way, of computer hardware is that more and more of it is imported. You know, the United States, 20 years ago, IBM, made its own computer hardware. Now it buys components from India, from China, from Indonesia, from everywhere. How do you know they haven't been compromised? Then, there is the seams between the hardware and the software, the communication channels, the configuration of the system, the behavior of users and operators and, of course, as I said, Internet service provider.
So, there is a number of ways, in which hackers can get into your system. And, of course, that means to say that as people are more and more joined-up, of course, like in the Alliances acting together, you know, individual country protection has less and less value, frankly, than it had in the past. And therefore you have to try to have a sort of universal systems of all of the people that you deal with, so it can't be compromised.
Let me just add something here. When I first joined NATO – I won't say when because you'd be even more horrified than me – but basically we developed our own software, for example, for air defense systems. Now, everybody stopped this these days, everybody uses the commercial stuff, you know, the Microsoft, the Windows and those applications, which are universal, and tries to build security into those universal applications. You know, people have, sort of, stopped trying to develop their own internal systems, which nobody else can access.
And, therefore, as I say, I think the idea of at least trying to draw together a wider community of people you deal with and forge a system there in a hope that that best practice would then catch on. It's probably the way it's gonna go. A universal agreement, if it's toothless, and that's probably what is likely, it would not fix the problem.
Q: Dacossa, from the Council of the European Union.
I have a question concerning Internet BOTs armies that are up for hire on the Internet. There have been recently some activities from security experts that got together and dissected a bit about the behavior of these BOTs armies and proceeded in dismantling them in fact to make them harmless and ending it. What's your view on that? I mean, taking the law a bit in your own hands...
Shea: - Well, this is true. This is why there is so much ambiguity in this area. For example, you need to, sort of, probe other people's systems so that you know whether your own system is vulnerable in many respects. So, to some degree, some so-called attack systems could be defense. In the sense that you think you're being attacked because you think somebody is attacking you because you see activity, illicit activity, and so you probe others to try to sort of find out who is attacking you and that person thinks that is being attacked. Do you understand?
It's like the origin of the WWI – everybody thought that they were defending themselves when they mobilized and, yet, everybody else thought that they were being attacked. The difference between aggressive measures and defensive measures, if you like, became incredibly blurred, so that everybody thinks that they are the victim and the other person is aggressor. So, I agree with you, I think this is a particularly difficult area where you have more and more people and military establishments or states that can devote quite considerable resources to this kind of activities, spending their days trying to gather information, but what's more important, trying to probe other systems not only to seek out the vulnerabilities in the other person's system, but the vulnerabilities of their own system as well and this leads to this kind of action-reaction, to this chain of events.
I think that the only way we are going to get basically around that ultimately, when you mentioned the BOTs elements, is that we are going to have to have a sort of clear distinction between that, which is kind of normal practice, where states are spying on each other all the time and they make protest and people are expelled and then everything goes back to normal. That kind of level, which I think is a reality that we are going to live with. I don't see any way around that. You're not going to tell countries to stop gathering information on each other, but a clear distinction has to be made as to that type of level and the level, which is then more malicious style, which is either paralyzing activities or getting information that could paralyze activities or hacking into core systems and so on.
I mean, you could, for example, try to have some sort of arms control regime to stop this happening. For example, you know, in classical arms control you have an agreement not to use space for weapons, so as to put the competition into certain areas, so we have an agreement since 1967 not to put weapons in space or an agreement not to put weapons on the seabed; or we're trying now to think of an agreement not to have anti-satellite capabilities. Just like a few years ago the United States [and Russia] had an agreement with each other not to have missile defense systems. Remember the ABM Treaty? There was just one system, and then no system.
So, I think the only way around there, as I see, would be if you can have, maybe, not universally, but between states that have the most major capabilities – Russia, China, obviously, the United States and some others – sort of bilateral arms control agreements, which is that “OK, we'll do this, but certain areas, maybe, air defense, maybe satellite systems, GPS navigation systems will sort of be off-limits” and therefore then you would have sort of diplomatic instruments when those off-limit systems are going to be attacked. I think this sort of “code of conduct”, which would be negotiated between states would be the best approach.
Let me just add to this in this respect that the United States and Russia have been trying for some years to negotiate a cyber agreement between the two, the difference being that the Russians want to focus mainly on the military systems and the United States wants to do more with private sector, sort of criminal activities as well, but they are trying and I think it would be really fascinating, if you have this first sort of “cyber arms control” agreement, which could be a model for others.
Q: - You mentioned the banks, health structures and the issues with software and hardware reliability, and I would like to hear from you a little bit more about cyber attacks being a huge threat in terms of massive disruption to critical infrastructure? We are talking about electrical networks, water supply, energy supply, which are key supplies, - so, basically about critical infrastructure that might be at risk.
Shea: - Well, obviously we are going to have to design these systems increasingly with vulnerabilities in attacking them in mind. The one thing, and this also responds to a previous question, that may help is that, as more and more countries come to depend upon the Internet for their vital services, they all may have an interest in keeping the Internet open because it was not designed for secrecy – you remember?
In other words, the value to them, economically, you know, the Chinese financial system or the Russian dependence on pipeline flows may be such that the value to them of keeping them open is greater than the value of disrupting somebody else's. In other words, why hurt somebody else, if the hurt to you is going to be greater? It doesn't make sense. That one may be a saving grace in cyber.
We still have a problem, of course, of people using it to extract information, but the idea of cyber attacks for disruption will go down simply because, again, well, what we don't have at the moment is, what I mentioned, the idea of deterrence-based proportionality. My system is as valuable to me, as your system is valuable to you and therefore I won't attack you. We don't have that, but if we could have that, it could be different. That's a more philosophical point to make, but let me just illustrate what I mean. There has not been a great deal of evidence, so far, of terrorists or al-Qaeda launching sort of cyber attacks, obviously information and so on.
The reason is that they rely, as I said in my Terrorism lecture, overwhelmingly today not on training camps in Afghanistan in Pakistan, but on cyber recruiting, recruiting from the web-sites where they preach the Salafist form of Islam, where they show the videos, you know, where they give the techniques and so on. And, therefore, if suddenly they were denied that use of Internet their value as a terrorist organization would decline very, very dramatically. So, again, it's a rather perverse example where a group has got more of an interest in having the current open system continue, which, they believe, is working in their favor as a recruitment, than getting into a sort of, you know, system of terrorist cyber attacks against us knowing that at the end of the day they would lose and they would suffer more.
But in the meantime, you're right, we have to design air brakes between various systems, we have to have back-up systems, just like in Lebanon a few years ago every house had a generator for when electricity was switched off, then they brought up the generator and off they went. We have to have back-up systems; and, my own sense, frankly, is that we also will need a kind of the old-fashioned manual system to be kept in use, if the high-tech computerized system is put out of action, frankly, for extreme, sort of, circumstances so that essential functions can continue to work.
That said, also early warning is important. Cyber attacks are basically announced in advance – you see a high degree of activity before the critical mass is achieved. And I think the intelligence function of being able to very quickly realize that something abnormal is happening, to pinpoint which vulnerability it's going to and then be able to shut down that particular thing. What I've learned, at least, (not being a technical person, but simply from research) is that what happens with the cyber attack is that it's like a peephole. It's like “I don't see into your bedroom in the evening because your curtains are closed, but I am peeping through a little gap in your curtain and trying to see what I can find inside”.
So, the attack creates a kind of breach, but does not immediately allow the virus to, sort of, immediately spread in the entire system. So, to the extent that you were able to detect the initial breach, you can sort of … like a ship, you know, a ship is designed – should be – I don't think this was the case with the Titanic – but the ship is designed to have sort of water-tight compartments, as you know, so if you hit an iceberg, à la Titanic, the water comes in, but you shut down that compartment with firewalls so that the water doesn't spread and you can continue with the ship. Just like an aircraft, you know, you shut down the engine, which has caught on fire.
So, I think, we are going to build systems in future with the idea that the contaminated areas can be immediately shut down with firewalls before the viruses replicate themselves, obviously, and spread elsewhere.
Again, ladies and gentlemen, thank you so much for being with me. You can't have lectures, if you don't have an audience. Again, I appreciate that, I wish you all the best and hope to see you again some time in the future...when there are more security challenges to discuss.