The Cyber Security of the State
On November 24, 2014, unidentified hackers released troves of personal and business information from Sony Pictures, including personal emails, information about salaries and unreleased films. The hack and the subsequent threats made to Sony led to the temporary cancellation of the release of their film, The Interview. This ordeal had a serious financial impact on the company, not to mention the precedent it set in terms of censorship. President Obama went as far as to question Sony’s decision to withdraw the movie, stating that: “We cannot have a society in which some dictator someplace can start imposing censorship in the United States. (…) That’s not what America is about.”
This was not the first time that a major company experienced such a breach; Target and Staples were hacked earlier in the year. In his 2010 book on cyber warfare, Richard Clarke predicts that cyber attacks such as these will be part and parcel of traditional warfare as our societies become increasingly reliant on ICT. The President’s State of the Union showed precisely how important cyber security is. But are cyber attacks becoming more common and, if so, will the protective measures promulgated by President Obama reduce the occurrence of such events?
One of the main issues that resurfaces every time networked technology is involved in contentious politics is the definitional ambiguity of what constitutes a cyber attack. Considering the relative novelty of this type of aggression, there is limited international consensus or jurisprudence on how to deal with it. It is precisely this regulatory and legal ambiguity that makes hacking and cyber attacks attractive to a plethora of actors, from the lone-wolf, basement-based teenage hacker to the Chinese army hacking division, Unit 61398. The United Nations Group of Governmental Experts (UN GGE) recently came to a consensus that International Humanitarian Law applies to cyberspace, and the Tallinn Manual on cyber warfare took the first steps towards codifying the rules of engagement of cyber warfare. These developments strengthen the regulatory framework for evaluating and guiding responses to attacks, putting in place some institutional and legal safeguards. But the problem is that even though these developments improve the mechanisms for redress after a cyber attack, they provide limited options to prevent them.
In the last State of the Union, President Obama focused on the need to integrate intelligence to combat cyber attacks, saying that: “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” His accompanying legislative proposals focus on increasing information sharing between the government and the private sector and improving the ability of law officials to go after cyber criminals. The proposals will also create a federal mandate for companies that are hacked to inform their employees and customers of such an attack.
The second and third proposals are not flawless, but the information-sharing proposal is particularly problematic for several reasons. Firstly, it is already being done. Companies share data amongst themselves and with the government about hacks and other security breaches. It is not clear if increased information sharing in the case of the Sony hack would have prevented it from happening. Often data breaches are the result not only of corporate security failure but also of human error and of more sophisticated social engineering used by hackers, whether they are disgruntled former employees or overseas foes. In addition, various digital rights organizations, like the Electronic Frontier Foundation (EFF), raised concerns about the potential for privacy violations associated with increased information sharing. They fear it might be a politically acceptable means of (re)increasing surveillance after the Snowden revelations.
Will these types of attacks become more common, or as Alec Ross argues, are we moving from a ‘post-Cold War era to a Code War era’? It is difficult to give a definitive answer to this question, not only because of the ongoing technological and regulatory developments that might impact the evolution of cyber contention but also because cyber security is increasingly becoming a political bargaining chip. National governments and private companies are not afraid to yell ‘Cybergeddon’ to get things done. Implementing the measures proposed by President Obama in the State of the Union is about dealing with a very real problem, but it has the added bonus (at least from the perspective of certain actors) of legitimizing dragnet intelligence collection and increasing the revenue of companies in the cyber security business. The extent to which different actors can profit from the public’s fear of cyber attacks factors into political decisions on cyber security. And if there is anything that (recent) history tells us, it’s that the powers-that-be are not shy about using cyber incidents to push their own agendas at the expense of civil liberties.
List of references
Clarke, Richard: 2010 Cyber War: The Next Threat to National Security and What to Do About It. Harper Collins: New York.
Ross, Alec: 2014 Interview on CNN. Retrieved 18/12/2014 from: http://www.msn.com/en-us/travel/article/the-era-of-weaponized-computer-code/vp-BBgYmxk
President Obama State of the Union full transcript: http://edition.cnn.com/2015/01/20/politics/state-of-the-union-2015-transcript-full-text/