Category Archives: cyberwar

From Subversive to Submissive: the internet

The corridor where WWW was born. CERN, ground floor of building No.1

Free-speech advocates were aghast—and data-privacy campaigners were delighted—when the European Court of Justice (ECJ) embraced the idea of a digital “right to be forgotten” in May 2014. It ruled that search engines such as Google must not display links to “inadequate, irrelevant or no longer relevant” information about people if they request that they be removed, even if the information is correct and was published legally.

The uproar will be even louder should France’s highest administrative court, the Conseil d’État, soon decide against Google. The firm currently removes search results only for users in the European Union. But France’s data-protection authority, CNIL, says this is not enough: it wants Google to delete search links everywhere. Europe’s much-contested right to be forgotten would thus be given global reach. The court… may hand down a verdict by January.

The spread of the right to be forgotten is part of a wider trend towards the fragmentation of the internet. Courts and governments have embarked on what some call a “legal arms race” to impose a maze of national or regional rules, often conflicting, in the digital realm.

The internet has always been something of a subversive undertaking. As a ubiquitous, cross-border commons, it often defies notions of state sovereignty. A country might decide to outlaw a certain kind of service—a porn site or digital currency, say—only to see it continue to operate from other, more tolerant jurisdictions.

As long as cyberspace was a sideshow, governments did not much care. But as it has penetrated every facet of life, they feel compelled to control it. The internet—and even more so cloud computing, ie, the storage of vast amounts of data and the supply of myriad services online—has become the world’s über-infrastructure. It is creating great riches: according to the Boston Consulting Group, the internet economy (e-commerce, online services and data networks, among other things) will make up 5.3% of GDP this year in G20 countries. But it also comes with costs beyond the erosion of sovereignty. These include such evils as copyright infringement, cybercrime, the invasion of privacy, hate speech, espionage—and perhaps cyberwar.

In response, governments are trying to impose their laws across the whole of cyberspace. The virtual and real worlds are not entirely separate. The term “cloud computing” is misleading: at its core are data centres the size of football fields which have to be based somewhere….

New laws often include clauses with extraterritorial reach. The EU’s General Data Protection Regulation will apply from 2018 to all personal information on European citizens, even if the company holding it is based abroad.

In many cases, laws seek to keep data within, or without, national borders. China has pioneered the blocking of internet addresses with its Great Firewall, but the practice has spread to the likes of Iran and Russia. Another approach is “data localisation” requirements, which mandate that certain types of digital information must be stored locally or remain in the country. A new law in Russia, for instance, requires that the personal information of Russian citizens is kept in national databases… Elsewhere, though, data-localisation policies are meant to protect citizens from snooping by foreign powers. Germany has particularly stringent data-protection laws which hamper attempts by the European Commission, the EU’s civil service, to reduce regulatory barriers to the free flow of data between member-states.

Fragmentation caused by government action would be less of a concern if other factors were not also pushing in the same direction–new technologies, such as firewalls and a separate “dark web”, which is only accessible using a special browser. Commercial interests, too, are a dividing force. Apple, Facebook, Google and other tech giants try to keep users in their own “walled gardens”. Many online firms “geo-block” their services, so that they cannot be used abroad….

Internet experts distinguish between governance “of” the internet (all of the underlying technical rules that make it tick) and regulation “on” the internet (how it is used and by whom). The former has produced a collection of “multi-stakeholder” organisations, the best-known of which are ICANN, which oversees the internet’s address system, and the Internet Engineering Task Force, which comes up with technical standards….

Finding consensus on technical problems, where one solution often is clearly better than another, is easier than on legal and political matters. One useful concept might be “interoperability”: the internet is a network of networks that follow the same communication protocols, even if the structure of each may differ markedly.

Excerpts from Online governance: Lost in the splinternet, Economist, Nov. 5, 2016

The Nationalization of Internet

Seeking to cut dependence on companies such as Google, Microsoft, and LinkedIn, Putin in recent years has urged the creation of domestic versions of everything from operating systems and e-mail to microchips and payment processing. Putin’s government says Russia needs protection from U.S. sanctions, bugs, and any backdoors built into hardware or software. “It’s a matter of national security,” says Andrey Chernogorov, executive secretary of the State Duma’s commission on strategic information systems. “Not replacing foreign IT would be equivalent to dismissing the army.”

Since last year, Russia has required foreign internet companies to store Russian clients’ data on servers in the country. In January 2016 the Kremlin ordered government agencies to use programs for office applications, database management, and cloud storage from an approved list of Russian suppliers or explain why they can’t—a blow to Microsoft, IBM, and Oracle. Google last year was ordered to allow Android phone makers to offer a Russian search engine. All four U.S. companies declined to comment.

And a state-backed group called the Institute of Internet Development is holding a public contest for a messenger service to compete with text and voice apps like WhatsApp and Viber. Russia’s Security Council has criticized the use of those services by state employees over concerns that U.S. spies could monitor the encrypted communications while Russian agencies can’t.

On Nov. 10, 2016, Russia’s communications watchdog said LinkedIn would be blocked for not following the data-storage rules…. That same day, the Communications Ministry published draft legislation that would create a state-controlled body to monitor .ru domains and associated IP addresses. The proposal would also mandate that Russian internet infrastructure be owned by local companies and that cross-border communication lines be operated only by carriers subject to Russian regulation…

The biggest effect of the Kremlin’s internet campaign can be seen in the Moscow city administration, which is testing Russian-made e-mail and calendar software MyOffice Mail on 6,000 machines at City Hall. The city aims to replace Microsoft Outlook with the homegrown alternative, from Moscow-based New Cloud Technologies, on as many as 600,000 computers in schools, hospitals, and local agencies….“Money from Russian taxpayers and state-controlled companies should be spent primarily on domestic software,” Communications Minister Nikolay Nikiforov told reporters in September. “It’s a matter of jobs, of information security, and of our strategic leadership in IT.”

Excerpts from Microsoft Isn’t Feeling Any Russian Thaw, Bloomberg, Nov. 17, 2016

An Overly Militarized Military and its ROI: United States

Syria
Gray zone security challenges…that fall between the traditional war and peace duality, are characterized by ambiguity about the nature of the conflict, opacity of the parties involved, or uncertainty about the relevant policy and legal frameworks….

The U.S. already possesses the right mix of tools to prevail in the gray zone, but it must think, organize and act differently. Gray zone challenges are not new. Monikers such as irregular warfare, low-intensity conflict, asymmetric warfare, military operations other than war and small wars were employed to describe this phenomenon in the past. …

America spends roughly $600 billion every year on defense, and it is the dominant global power by every objective measure. Yet state and non-state actors (e.g., Russia and Daesh) are increasingly undeterred from acting in ways inimical to the global common good.
State actors like Russia and China reasonably believe we will not use nuclear or conventional military force to thwart their ambitions if they craft their aggressive actions to avoid clear-cut military triggers. Despite their inherent ambiguity, the United States should not be frustrated by gray zone challenges. Rather, we should aim to achieve favorable outcomes by taking some practical steps to improve our ability to address them.

Our responses to gray zone challenges display several clear deficiencies. As separate U.S. government agencies strive to achieve their individual organizational goals, they seldom act in integrated ways to support wider government objectives….

We also need to grow our non-military capabilities. Our gray zone actions are often overly militarized because the Department of Defense has the most capability and resources, and thus is often the default U.S. government answer…. Our counter-Daesh campaign is a perfect example. Thousands of airstrikes helped to check their rapid expansion, but the decisive effort against them will require discrediting their narrative and connecting the people to legitimate governing structures — areas where DoD should not have primacy.

Root Causes: Prudent strategies recognize root causes and address them. Daesh, for example, is merely symptomatic of the much larger problems of massive populations of disaffected Sunnis estranged from legitimate governance and a breakdown in the social order across much of Africa and the Middle East, which will worsen in coming years by economic and demographic trends. Daesh is also a prime example of gray zone challenges, since the legal and policy framework of how to attack a proto-state is highly ambiguous. Coalition aircraft started bombing Daesh in August of 2014, although the authorization for use of military force is still under debate a year later, highlighting the confusion on how to proceed.

Comprehensive Deterrence: Paradoxically, each deliberate gray zone challenge represents both a success and failure of deterrence — success in averting full-scale war, but a deterrent failure given the belligerent’s decision to take action in the gray zone.

[Develop and Nurture Surrogates to Fight China]

For example, China is both antagonistically asserting its questionable claims to specific islands and atolls in the South China Sea while simultaneously expanding its import of raw materials from Africa. Instead of confronting China in the South China Sea directly, surrogates could, theoretically, be used to hold China’s African interests at risk in order to compel a more favorable outcome of South China Sea disputes. Thus, the point of action (e.g., Africa) might be far removed from the point of effect (e.g., Asia), but the intent would be to alter the decision-making calculus regardless of geography. To be credible, such an approach requires prep work every bit as important as the infrastructure behind our nuclear and conventional capabilities. Capable and trustworthy surrogates are the result of years of purposeful relationship nurturing, and the vast majority of the work should take place pre-crisis….

Changing our vocabulary could help yield better decisions in the gray zone. Adopting a business vocabulary and a “SWOT” model (strength, weakness, opportunity and threat) would open other opportunities not available in military decision-making models. Similar to the way businesses decide how to allocate capital, we would necessarily distinguish between opportunities and threats and have at least an estimate of our expected return on investment. Talking and thinking differently about national security in the gray zone would help us measure the oft-ignored opportunity costs and come up with some metric, however imperfect initially, to measure our expected return on investment for defense dollars.

Cost should be a significant up-front consideration. For example, we famously refused to provide a cost estimate for Operation Iraqi Freedom, other than to know that $200 billion was far too high. Assuming we established $200 billion as the top end to “invest” in Iraq, it would at least force us to review our actions and evaluate our return on investment as we blew through initial estimates on our way to spending in excess of $2 trillion.

Excerpts from the Gray Zone, Special Warfare, Oct-Dec. 2015, Volume 28, Issue 4

Swarming Drones

drones and wolves

From the DARPA website:

CODE intends to focus in particular on developing and demonstrating improvements in collaborative autonomy—the capability of groups of UAS to work together under a single person’s supervisory control. The unmanned vehicles would continuously evaluate their own states and environments and present recommendations for coordinated UAS actions to a mission supervisor, who would approve or disapprove such team actions and direct any mission changes. Using collaborative autonomy,

CODE’s envisioned improvements to collaborative autonomy would help transform UAS operations from requiring multiple operators for each UAS to having one mission commander simultaneously directing all of the unmanned vehicles required for the mission. …

CODE’s prototype human-system interface (HSI) is designed to allow a single person to visualize, supervise, and command a team of unmanned systems in an intuitive manner. Mission commanders can know their team’s status and tactical situation, see pre-planned and alternative courses of action, and alter the UASs’ activities in real time. For example, the mission commander could pick certain individual UASs from a team, circle them on the command station display, say “This is Group 1,” circle another part of the map, and say “Group 1 search this area.”

Companies involved: Lockheed Martin Corporation (Orlando, Fla.) and the Raytheon Company (Tucson, Ariz.). Also:

  • Daniel H. Wagner Associates (Hampton, Va.)
  • Smart Information Flow Technologies, LLC (Minneapolis, Minn.)
  • Soar Technology, Inc. (Ann Arbor, Mich.)
  • SRI International (Menlo Park, Calif.)
  • Vencore Labs dba Applied Communication Sciences (Basking Ridge, N.J.)

 

Excerpts from CODE Takes Next Steps toward More Sophisticated, Resilient, and Collaborative Unmanned Air Systems

The Devil’s Scenario for the End of Tokyo: Fukushima

Spent fuel pool at nuclear plant… before an accident. Image from Wikipedia

By late March 2011… after tsunami struck the Fukushima Daiichi plant—it was far from obvious that the accident was under control and the worst was over. Chief Cabinet Secretary Yukio Edano feared that radioactive material releases from the Fukushima Daiichi plant and its sister plant (Fukushima Daini) located some 12 km south could threaten the entire population of eastern Japan: “That was the devil’s scenario that was on my mind. Common sense dictated that, if that came to pass, then it was the end of Tokyo.”

Prime Minister Naoto Kan asked Dr. Shunsuke Kondo, then-chairman of the Japanese Atomic Energy Commission, to prepare a report on worst-case scenarios from the accident. Dr. Kondo led a 3-day study involving other Japanese experts and submitted his report (Kondo, 2011) to the prime minister on March 25, 2011. The existence of the report was initially kept secret because of the frightening nature of the scenarios it described. An article in the Japan Times quoted a senior government official as saying, “The content [of the report] was so shocking that we decided to treat it as if it didn’t exist.” …

One of the scenarios involved a self-sustaining zirconium cladding fire in the Unit 4 spent fuel pool. Radioactive material releases from the fire were estimated to cause extensive contamination of a 50- to 70-km region around the Fukushima Daiichi plant with hotspots significant enough to require evacuations up to 110 km from the plant. Voluntary evacuations were envisioned out to 200 km because of elevated dose levels. If release from other spent fuel pools occurred, then contamination could extend as far as Tokyo,… There was particular concern that the zirconium cladding fire could produce enough heat to melt the stored fuel, allowing it to flow to the bottom of the pool, melt through the pool liner and concrete bottom, and flow into the reactor building.

Lessons Learned from the Fukushima Daiichi Accident for Spent Fuel Storage: The U.S. nuclear industry and its regulator should give additional attention to improving the ability of plant operators to measure real-time conditions in spent fuel pools and maintain adequate cooling of stored spent fuel during severe accidents and terrorist attacks. These improvements should include hardened and redundant physical surveillance systems (e.g., cameras), radiation monitors, pool temperature monitors, pool water-level monitors, and means to deliver pool makeup water or sprays even when physical access to the pools is limited by facility damage or high radiation levels….

[At nuclear power plants there must be]…adequate separation of plant safety and security systems so that security systems can continue to function independently if safety systems are damaged. In particular, security systems need to have independent, redundant, and protected power sources…

Excerpts from Lessons Learned from the Fukushima Accident for Improving Safety and Security of U.S. Nuclear Plants: Phase 2, US National Academies, 2016

Bitcoin Technology and the US Military

The United States Department of Defense and DARPA [seek to establish] a secure messaging system that can provide repudiation or deniability, perfect forward and backward secrecy, time to live/self delete for messages, one time eyes only messages, a decentralized infrastructure to be resilient to cyber-attacks, and ease of use for individuals in less than ideal situations…. The messaging platform will transfer messages via a secure decentralized protocol that will be secured across multiple channels, including but not limited to: 1) Transport protocol, 2) Encryption of messages via various application protocols, 3) Customized blockchain implementation of message deconstruction and reconstruction, and decentralized ledger implementation.

Excerpts from SBIR.defensebusiness.org

An Unhackable GPS

Loran-C receiver used in merchant ships, image from Wikipedia

South Korea has revived a project to build a backup ship navigation system that would be difficult to hack after a recent wave of GPS signal jamming attacks it blamed on North Korea disrupted fishing vessel operations, officials say. Global Positioning System (GPS) and other electronic navigation aids are vulnerable to signal loss from solar weather effects, radio and satellite interference and deliberate jamming.

South Korea, which says it has faced repeated attempts by the rival North to interfere with satellite signals, will award a 15 billion won ($13 million) contract this month to secure technology required to build an alternative land-based radio system called eLoran (enhanced LOng-RAnge Navigation), which it hopes will provide reliable alternative position and timing signals for navigation….

GPS vulnerability poses security and commercial risks, especially for ships whose crews are not familiar with traditional navigation techniques or using paper charts. The General Lighthouse Authorities of the UK and Ireland, which tried to pioneer an eLoran system in Europe, conducted simulated communications attacks on ships at sea and said the results “demonstrated the devastating effects of jamming on the ships’ electronic bridge systems”. The United States, Russia and India are all looking into deploying versions of eLoran, which sends a much stronger signal and is harder to jam, as backup.

Installing an eLoran receiver and antenna on a ship would cost thousands of dollars, although cheaper options could include incorporating eLoran systems into satnav devices, according to technical specialists.

Excerpts from South Korea Revives GPS Backup After Cyber Attack, Reuters, May 1, 2016