Cybersecurity: The Future is Now
The technological developments of the past decades have created a digital offshoot of our physical societies. We now trade, bank, communicate and live on online platforms. Our uncertainties and anxieties have become digital as well. US President Barack Obama and former FBI director Robert Mueller have made comparable remarks that organized cybercrime may have already replaced terrorism as the number one perceived threat to American national security. Still, cybercrime and cyber terrorism are highly different from other, older threats. Fighting digital threats comes with its own specificities, characterized as it is by the blurred boundaries of the worldwide web. In the digital realm criminal behavior and defense mechanisms bleed into each other. This ambiguity should inform government thinking about issues of cybersecurity.
Felons and freedom fighters
Though cyber-attacks have been carried out since at least the Second World War, their frequency has grown exponentially with the advent of private computers in the nineties. Ever more devices, buildings and systems are becoming part of ‘the internet of things’ and are therefore vulnerable to intrusion and sabotage. The motivations behind cyber-attacks are many, but they are often divided into four general categories: national security/espionage, activism, monetary gain, and personal revenge/thrill-seeking. Its perpetuators may be cybercriminals, hacktivists, governmental institutions or even big companies. Attacks can take the form of taps on phones of political leaders, hacks into vital infrastructures like damsor theft of personal and financial records.
The epitome of the cyber threat’s ambivalent and multifaceted nature is the well-known political hacker network Anonymous. This leaderless and almost anarchistic movement attacks the websites of governmental, religious and corporate institutions. Anonymous members share an ideological aversion to the status quo, a distrust of the powers that be and an aspiration to ‘shift public discourse, raise awareness and create public pressure’ by exposing misconduct. Some may consider them the internet’s freedom fighters, but most governments label them as cyber terrorists that pose a threat to national security. Anonymous’ egalitarian set-up makes it an unpredictable, largely invisible and highly ungraspable group. Much like in other cyber threats, Anonymous’ characteristics and tactics thus force governments to rethink their security policies and seek intergovernmental cooperation.
Digital arms race
The difficulty with countering cyber threats is that offensive and defensive technologies are developing and changing at rapid speeds. The cycle of new hacking techniques and updated security measures is starting to resemble a dizzying whirl. It is a circular process that resembles a perpetuated arms race. This digital dynamic is almost medieval: just like when attacking parties started to use ladders to climb castle walls, bigger castles were built, moats were dug, and boiling oil was poured from the walls. The process is recurrent throughout history: each new defense mechanism brings an attacking party to start thinking of new ways to crush their opponent. Cybersecurity heralds a new spin of the arms race in which sides are not always clear. Governments, hacktivists and criminals sometimes start to resemble each other in their pursuit of innovation.
Because hacker networks like Anonymous are largely hidden, confronting them through persecution and security operations is not just costly but also a juridical nightmare. Due to its complex and border-transcending nature, cybersecurity could be an international issue par excellence, but without an international legal basis cooperation between states may never take off. To date, cybercrime has primarily been addressed through national legislation and regional frameworks such as the European Cybercrime Center (EC3). An international treaty on cyber threat prevention (UNODC 2013) is also in the making, but thus far without much success. The most successful effort to date has been the 2001 Budapest Convention on Cybercrime, which mainly sought to harmonize national laws and increase inter-state cooperation. Up to now, 48 states have ratified the convention including the US and many EU members. Yet important countries such as Brazil, India and Russia, have not signed the convention. Their reluctance may stem from reasons of self-interest and national security. With hacktivism or cybercrime, governments may be quick to agree on notions of shared threats and interests, but cybersecurity also comprises national security and espionage. Governments themselves are active in these areas and may not want to see their room for manoeuver limited by international law. Official intelligence and security agencies may be reluctant to share information or see their mandates restricted. International cybersecurity thus stands on a tight footing with concerns of national security.
Hack the Pentagon and be rewarded
As national security concerns make governments shy away from international cooperation, they seek alternative cooperative strategies with sometimes unlikely partners. Searching for solutions in the threat itself, government officials have regularly attended hacker meetings. US security services have now also begun to actively recruit hackers at main hacker events like DEF CON and Black Hat. Senior intelligence officials have started to realize the value of the expertise within these communities. In 2012, then NSA chief Keith Alexander spoke at DEF CON: ‘In this room, this room right here, is the talent our nation needs to secure cyberspace. You folks understand cybersecurity’. Recently the Pentagon has even gone one step further and has begun to invite hackers to hack their system randomly or during so-called hackathons in return for rewards. Such a bounty system has been common practice with companies like Google and Microsoft who usually abundantly reward hackers for finding leaks or bugs.
Friend or foe
In fighting cyber threats states may turn to unusual partners. If security agencies cling to bounded conceptions of national interests and partake in cyberattacks themselves, then hacker networks may prove more fitting cooperators. In the digital realm a thin pixelated line distinguishes enemies from friends. The ambiguity of cybersecurity highly complicates the containment of threat, but it may also be the key to its attainment. Cybersecurity, with all its complexities and uncertainties of who is friend or foe should force us to update our thinking about security to the 21st century.
Daan Donkers is an MA student at Utrecht University, his guest contribution to the USHS Blog results from an assignment he made for the course ‘Security Politics in Europe since the 19th century’.