Cybersecurity – How Policy Makers Fail

Code-based attacks on civilian and military infrastructures pose one of the great new challenges for security policy. Political decision-makers, the security industry and media pundits are increasingly warning of a “cyberwar” that could throw the economy and society into unpredictable turmoil. Despite this rhetoric, such scenarios have yet to materialize.

But the militarization of the digital realm and an ensuing global arms race is already reality. The extension of state-imposed military control over the digital sphere constitutes a threat to freedom, innovation and security of the Internet – with disastrous consequences for human rights and global economic development, and ultimately for national security, which it is supposedly protecting. 

In 2012, nearly 50 nations told the United Nations that they were working on military cyber strategies or capabilities. For defense against cyber threats, governments are developing mass electronic surveillance and reconnaissance systems. As an offensive strategy, a number of countries, with the United States, Israel, China and Russia leading the way, are developing capabilities such as weapons based on malicious code. The Stuxnet case is a well-known example. The United Kingdom and France, as well as Iran and North Korea, are also striving to acquire offensive cyber capabilities.

Furthermore, the militarization of the digital realm is manifest in how expenditures for military cyber technologies are growing in the midst of shrinking overall defense budgets in the US and Europe. Although the U.S. defense budget for 2015 has decreased in comparison with the previous year, the portion set aside for military “cyber activities” rose to four billion euros, or one percent of defense spending. Last year the U.K. also announced investments in cyber defense and surveillance capabilities totaling one billion euro. China’s defense budget rose by more than seven percent this year, and Russia’s by around five percent. A large part of these expenditures is likely to be spent on the development of better cyber capabilities.

In light of these developments, it is all the more alarming that there is currently no comprehensive set of norms to regulate cyberwarfare between states. Although the Tallinn Manual, adopted by a number of NATO countries in 2013, formulates some initial rules for cyberwar, key questions of international law still remain unanswered. For example: At what point does a cyberattack justify a military counterstrike? This is mirrored in the recent extension of the principle of collective defense – as set out in Article 5 of the NATO Washington Treaty - to include cyberattacks. The Alliance does not define the threshold an attack would need to reach in order to trigger the collective defense clause. Therefore, potential attackers and defenders are operating in a gray zone.

The militarization of the digital sphere is directed not only against other states, but increasingly also against the states’ own citizens, as demonstrated by the documents Edward Snowden revealed. Authoritarian regimes have long used their national Internet infrastructure for comprehensive censorship and surveillance of their citizens. Here, “information security” is meant to protect the stability of the regime against subversive movements.

While in democracies we are very far away from the Chinese “information security” model, American and European intelligence agencies and militaries do use the Internet for mass surveillance. The National Security Scandal (NSA) scandal has shown how, over many years, decision-makers in the U.S. have collaborated with European intelligence agencies, developing a globally operated military secret service apparatus under the guise of „protecting cybersecurity“ and “fighting terrorism.” The fact that the director of the NSA is also part of the military speaks volumes.

At the same time, the NSA has also willingly accepted direct weakening of Internet security. Reports show that the agency has compromised at least one international encryption standard issued by the National Institute of Standards and Technology (NIST) in order to gain access to millions of computers. The Snowden documents also show that the NSA gained back-door access to IT products made by American companies, such as routers, servers and other network devices. These purposefully implemented vulnerabilities also provide ways for cybercriminals, hackers and intelligence services of other countries to attack national networks and critical infrastructures that the NSA is tasked to protect. Quite frankly, this is a risky way to handle your own national security. Similar reports emerged a few years ago revealing that the Chinese government had asked its two IT champions Huawei and ZTE to build back-doors into the program codes of their globally exported products. Such intentional weakening of Internet and product security has devastating consequences for the security of individuals, businesses and governments. It is also a threat to innovation and free trade. The resulting mistrust of foreign IT products and American spy agencies has provoked a new online nationalism in the form of vociferous calls in Europe – and especially in Germany – for national or European solutions to the problem of surveillance and espionage. These include proposals for a European cloud or purely domestic IT production. If such proposals were implemented, the economic damage to the American IT industry and global trade would be substantial.

Instead of falling back on militarization and online nationalism, we need to rethink our security culture. Our prime objective in democratic societies should be to maintain the fundamental pillars of our freedom. The prioritization of military interests must once again give way to a nuanced discussion about what is necessary and feasible. Rethinking cybersecurity policy requires, above all, a clear differentiation between the various forms of threats, and adequate response mechanisms. Although code-based attacks do pose a military threat, cybercrime and cyberespionage are far greater problems. They cost the global economy an estimated US$ 500 billion every year. But the problem of cybercrime should not be addressed with military measures; it requires effective civilian cooperation, particularly by judicial and police institutions in international law enforcement. Furthermore, in their response to digital threats, decision-makers should involve all relevant civilian stakeholders in politics, business and civil society as well as network operators. 

For governments, the greatest challenge lies in helping private network operators, businesses and banks to secure their networks – if necessary, by introducing appropriate legislation. In general, decisions concerning the security of civilian networks should not be left primarily to the military and intelligence agencies. It would be an important step if the governments of Germany and other countries were to do more to encourage investment in secure IT technology in their economic development programs. Here, priority should be given not to the geographical origin of IT products, but to the verifiable security standards these deliver. 

In a globalized economy no European or other country is realistically able to source its IT technology exclusively from domestic manufacturers. In large part this technology will have to continue being supplied from overseas. The sole condition should be that, before they are used in the public or private sector, these technologies pass appropriate technical inspection procedures and not include back doors. At the international level, governments should strive for greater cooperation and implement confidence-building measures to prevent any escalation of the digital arms race. A few first steps toward such a process have already been taken at UN level. But due to differing national security interests and understandings of security, it is very unlikely that governments will sign an international cybersecurity treaty in the near future. Instead, international cooperation could take place within less formal mechanisms, based on common and less politically charged interests. All countries share an interest in the reliable functioning of the Internet and in controlling cybercrime. For example, signatories to the 2001 Convention on Cybercrime of the Council of Europe include not only the member states of the Council of Europe but also non-European countries such as the United States, Japan and South Korea, thus extending its reach to other parts of the world. Governments could also work to enhance existing cooperation between technological institutions such as Computer Emergency Response Teams (CERTs) and other stakeholders, e.g. network operators and Internet providers. These informal efforts for Internet security could help to create international security standards as a basis for cooperation in other areas. Every individual user would benefit from such a strengthening of security on the Web. At the national level, democratic governments should strive to ensure that parliaments have better control over their intelligence services and militaries. This is precisely what distinguishes them from authoritarian regimes. Unfortunately, the NSA, like the Government Communications Headquarters (GCHQ) in the U.K., is subject to insufficient oversight by the legislative and judiciary. In Germany, too, judicial and parliamentary control over the German Federal Intelligence Service (Bundesnachrichtendienst, BND) is deficient. 

Freedom of the individual must remain at the heart of security policy in the digital age – that would be the strongest pillar guaranteeing both national and international security.