Cyber security : different conceptions of Internet regulation
« The new concept of weapons will cause ordinary people and military men alike to be greatly astonished at the fact that commonplace things that are close to them can also become weapons with which to engage in war. (…) some morning people will awake to discover with surprise that quite a few gentle and kind things have begun to have offensive and lethal characteristics. »
* Quote from “Unrestricted Warfare in 1999” written by Quiao Liang & Wang Xiangsui. Or how a nation such as China can defeat a technologically superior opponent through a variety of means….
The Internet is at the heart of our new interconnected globalised world. It also provides many positive opportunities, but it is also seen as a source of new threats, concerns which has been expressed at the highest level. Devastating effects to economy and structures of a country can be caused without one single soldier crossing the border; without firing one single shot. The West and China have accused each other of being the source of cyber attacks, and claimed to have been victims of these attacks.
China wants to develop a kind of independent cyber-capacity and somehow setting it apart from American servers. Attacks have focused on financial and political target but it’s the link with military that causes the most of concerns.
Are we in the middle of a new Cyber Cold War ?
Let’s make a short overview of the situation…
There are 3 main modes of “cyberwar”:
- war through information : propaganda, disinformation, political action
- war for information: recuperation of information
- war against information: destabilization, destruction of data…
2. Who are the targets ?
- Sites and services available to the public: create disruption of social and economical life
- Operational systems that use systems SCADA (supervisory, control and data acquisition), military systems…
- Data holder (especially for sensitive data)
3. Attacker profile
- White hats : ethic and deontology
- Grey hats: no criminal intention
- Black hats : cybercriminal, spyers, terrorists – for money, or for personal purposes
4. Examples :
- Estonia (April 2007): attacks by DDos (Distributed denial of service) Suspicion on Russia.
- STUXNET (June 2010) : at that period, the most complicated and sophisticated weapon considered as a cyberweapon of mass destruction. Suspicion on USA and Israel.
- FLAME : twenty times more powerful than STUXNET, FLAME was identified by Kaspersky Lab on May 2012. The infected countries were Iran, Syria, Libya, Egypt, Soudan…
- France : DDos on the Senate website (January 2012), cyberspying attacks against Areva (2011)…
But there is also a raise of new “Robin Hood” spirit, with people who want to defend the freedom of speech on the Internet and the transparency of information (Anonymous, Wikileaks…)
There are different conceptions of internet regulation, which are finally several barriers to the international cooperation:
- “liberal” countries (such as Sweden, the Netherlands) are attached to the idea of freedom and don’t want any form of regulation.
- China/ Russia promote the adoption of binding rules regarding the security and the defence of information systems (and even their content)
- France adopts a middle position: regulation minimum but protection of copyright. Against the concept of “security of information”…
Some countries raise a regulation of the international internet flow. The key gap is the absence of international agreement. China and Russia proposed a code of conduct in 2009 in the General Assembly of United Nations.
In November 2011, an international conference in London about the cyberspace passed several resolutions: there were discussions about the adoption of non-binding rules.
Cybersecurity is also one of the areas of action of ITU. International Telecommunication Union (ITU) is a specialized organisation of UNO, which deals with Internet governance and ICT in general. Dr Hamadoun Toure, the General Secretary of ITU, told the BBC that “there is a fine line between security and freedom (…) Some people try to oppose them. We say no, we want both. You can’t be free if you’re not secure. You can’t have privacy without security – that’s why we want to have both.”
And what about NATO? A long process policy :
- Prague Summit 2002 : building its own protection system
- Bucarest Summit 2008: building its role as a defensive alliance, in the case of an attack against one of its members.
- Creation of the CyberDefense Management Authority in 2008
- Lisbon Summit 2010-11 : new concept of cyberdefense. In addition to accepting the Strategic Concept that addressed the alliances modern challenges such as terrorism and cyber attacks, the members agreed to develop a mutual missile defense system.
But NATO has been targeted by several cyberattacks (Anonymous…) So the question of its vulnerability can be raised…
http://blog.economie-numerique.net/2012/11/26/a-labordage-de-la-typologie-des-pirates-informatiques/ (Article in French, by Jonathan Choinka)