Controversies in Military Ethics & Security Policy
Risky War Games: Why We Can Only Lose in the Cyberwar
The roots of the internet go back to 1968, when the ARPANET computer network began to be developed in partnership between the U.S. Department of Defense and the Massachusetts Institute of Technology. ARPANET initially connected a handful of research facilities that were working for the U.S. military. Creating a network of computers and transmitting information by splitting it into small packets of data are the basic principles on which the internet still operates today. ARPANET was funded by the Defense Advanced Research Projects Agency (DARPA), which is under the control of the U.S. Department of Defense. DARPA's main task is to promote research activities useful to the military, with a focus on basic research. Created at the end of the 1950s, DARPA now has an annual budget of more than three billion dollars.1 Some of the research funded by DARPA still shapes the digital world today - the TCP/IP internet protocol, for example, and the invention of the mouse. Other projects were focused on aerospace, such as satellite development, and very many were used by the military: from the air force (e.g. detection avoidance for airplanes, drones), to the navy (anti-submarine warfare, unmanned underwater vehicles), and other armed forces (M16, anti-tank weapons, helmet displays, autonomous weapons, field robots).2
From military technology to the digital society
Over the following decades, what we now know as the internet came into being. At first it was mainly an academic network. It was not until 1994 that more people used the internet commercially than for science and research. Since then, the internet has broken free of its military roots. It became the foundation of the digital society, the starting point of a digital revolution. New business models were created, and with them countless small enterprises but also incredibly large and powerful companies - the ones we now refer to as GAFA, the quasi-monopoly of Google, Amazon, Facebook and Apple. The world's knowledge became accessible at the click of a mouse, while billions of people could network and communicate with each other directly. In 2017, Facebook had 2.3 billion users, 1.9 billion people shared or watched videos on YouTube, and 1.5 billion people sent chat messages, photos or videos to each other on WhatsApp.3 Today, a single smartphone has more computing power than the NASA Apollo Moon mission had in its day; it could navigate 120 million Apollos simultaneously to the moon.4 Whichever aspect you look at, we are increasingly entering dimensions that are hard to imagine. In 2022, around 4.8 zettabytes of data will be transmitted over the internet.5 One zettabyte is 1,000 to the power of seven bytes, equivalent to one trillion gigabytes or a one followed by 21 zeroes. While data volumes and the number of networked devices are growing exponentially, prices are falling through the floor: one gigabyte of storage space in 1981 cost 500,000 U.S. dollars; in 2017 it cost just 3 cents.6
The remilitarization of cyberspace
In this networked big-data society, a noticeable remilitarization has been happening for some time. Cyberspace is becoming a war zone, cyber weapons are being added to the military's arsenal, and the desires of the intelligence services have not only grown, but are realized on a worrying scale. Thanks to NSA whistleblower Edward Snowden, we have all been able to take a look through an unexpectedly opened window into an otherwise closed world. We have glimpsed the almost limitless extent of global surveillance of internet and communication traffic by U.S. intelligence services. We all remember the months when one shockwave after the other rolled through the media, as new, inconceivable dimensions of spying were discovered. Along with industrial espionage between supposedly friendly countries, even Angela Merkel's mobile phone was tapped. And the German intelligence services were involved too. Investigative committees subsequently busied themselves with explaining what had happened, but no legal or personal consequences resulted from the illegal surveillance activities. Instead, they were legalized after the fact7 - e.g. the grossly disproportionate tapping of Germany's largest internet exchange point DE-CIX in Frankfurt am Main.
Quite obviously, parliamentary oversight completely failed, and not least because it is structurally impossible for it to work. The power relations are just too unequal. Desires for new powers are constantly announced, police laws are extended, new cyber institutions are created, "active cyber defense" is mentioned ever more frequently - which of course is no longer defense, but an attack, even if it is called a counter-attack. Germany's interior minister, Horst Seehofer, has repeatedly supported this option in the form of "hack-backs" by the state. This would be contrary to international law, and also incompatible with the German constitution: defense is a matter for the Länder and not the task of intelligence services, the military or any other federal institutions. It is highly irritating that even the President of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), Arne Schönbohm, desires a hack-back capability.8 The BSI's competences extend only to IT security, prevention, and providing assistance in the event of hacker attacks.
The state becomes a digital attacker
"Hacking back" by the state is not the same as a conventional military counter-strike in the event of an attack. One problem is the difficulty of attribution, i.e. the ability to reliably identify an attacker. With a long-range missile, you can tell with absolute certainty which country it was launched from, which is not possible with a hacker attack. No intelligence service in the world can say with 100% certainty where a cyber attack originated. The possibilities for camouflage are too diverse, false tracks are laid too often, "signatures" of known hacker groups are imitated, or third-party servers are used for attacks, without their owners knowing anything about it. In the best case, you might have clues and suspicious facts, but you cannot be certain.
Let us just imagine that a hack-back of this kind is carried out. A server in another country is attacked from Germany, because it is thought to be controlled by criminals. But what if the server is in a hospital? Or in a government building? What if the attack forces schools to close or causes a power outage? What would an attack like this mean if the country was correctly identified, but the perpetrators were criminals acting on behalf of a different country, or completely independently? What if we attacked servers in a third country that had absolutely nothing to do with the whole affair? You only have to imagine this crazy approach in the context of conventional warfare to see how dangerous and absurd it is. We do not go and bomb a third country because an individual terrorist perpetrator or member of a terrorist group ("probably") comes from that country or only traveled through that country on their way to carry out a terror attack.
Any third country attacked in this way could discover the unjustified hack-back. They might then suspect that it was done by Germany, and in turn interpret it as an attack - especially if critical infrastructure was hit or if the hack-back got out of hand because malware used for the attack had spread. An escalating spiral could now be set in motion, and there is no reason it would have to remain limited to two countries or to cyberspace. We should not even entertain the idea of playing with fire like this. It is potentially more dangerous than a nuclear war. If this comparison seems exaggerated, it is worth reflecting on just how many things around us today are connected to the internet. Just consider all the places that software is installed, and the areas of society and industry that would suffer dramatic consequences if there were a partial or total IT failure. For hospitals, traffic management systems, electricity networks and power plants, government agencies and many businesses, it would be a major disaster. If cyberspace, containing all these civilian institutions, becomes a theater of war, there is no longer any separation between civilian and military parties in a conflict. There would be too many victims, and the conflict could escalate and spread at terrific speed, since the internet knows no national borders.
Sadly, we have apparently not realized yet that the only winning move in a cyberwar is not to play this kind of war game in the first place - as was vividly demonstrated in the movie "War Games," by the computer that simulates a nuclear war.
But it is not just hack-backs by the state that pose a danger. All potential players - state and non-state - are capable of creating malware that compromises all our security, whether with criminal intent or for surveillance purposes. Nuclear weapons are in the hands of only a few countries. They cannot be acquired by other countries without threat of sanctions, and their production requires so many resources that the barriers to acquisition are very high. In contrast, there is no comprehensive ban on cyber weapons or digital weapons, and the resources required to develop them are orders of magnitude smaller. The danger is great because it has become so much easier to carry out an attack, and at the same time the potential impacts have become much greater. It is conceivable that hacker attacks could essentially catapult us back to the Middle Ages, if this Pandora's box is ever opened.9 The threat to our civilization as a whole is comparable to the impacts of climate change, only even less predictable.
There is only one sensible conclusion that can be drawn from this realization: we should do everything we can to make our IT systems more secure. But what we find instead is an immoderate attitude, devoid of ethical boundaries, that has lost sight of the big picture. Intelligence services see only the surveillance potential that a digitalized society offers them. They imagine how nice it would be if they could not only wiretap phone calls, but also eavesdrop on virtual assistants like Alexa and Siri, if they could hack into the Internet of Things and bug fridges, toasters and washing machines. They want surveillance software built into cars, so that not only can they track someone who moves from A to B, but also know who is in the car with them, and what they are talking about.10
State surveillance fantasies
I grew up in East Germany, and I remember the Stasi. When I was a student, my letters were opened, my dorm room with a typewriter in it was searched. I lived knowing that I was being watched, and from my own experience I know that there can be no freedom with surveillance, because if you are under surveillance, you are not free. Mass surveillance is not compatible with democracy. It is the tool of totalitarian systems seeking to prolong their existence by controlling their populations. Yet security services in all countries have an inherent desire always to know more, to collect and analyze as much data as possible, even if they are in a democratic country. Their dream is to have a transparent population while maintaining their own complete obscurity to the greatest possible extent. As the devil flees holy water, so they shy away from parliamentary oversight. Yet this is a necessary safety net for our democracy. Its purpose is to draw clear boundaries for intelligence activities, in line with our democratic values. The activities of the NSA just show too clearly that this description is not an Orwellian delusion. The potential dangers of mass surveillance, too, are completely different today than during the Stasi era, when the world still largely ran on analog technology and there was no Facebook, WhatsApp, cookies on websites or Internet of Things.
Alongside the intelligence services, the desires of the armed forces in Germany are also growing; and increasingly often they are working hand-in-hand and sometimes even together with the police. In 2017, the Central Office for Information Technology in the Security Sphere (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, ZITiS) was set up. This new institution will ultimately be located at the Bundeswehr site in Munich. Its main tasks include breaking encryption, investigating social networks in real time, and telecommunication surveillance. On its advisory board, the German Federal Police (Bundespolizei), Federal Criminal Police Office of Germany (Bundeskriminalamt, BKA), German Federal Intelligence Service (Bundesnachrichtendienst, BND), Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) and the German Military Counterintelligence Service (Militärischer Abschirmdienst, MAD) jointly determine its work program.11 This composition violates the separation of powers between the police and secret services, which was established after the terrible experience of the Gestapo regime during the Nazi period. Parliamentary oversight of ZITiS is practically impossible, since it does not lie within the competences of the Parliamentary Oversight Panel (Parlamentarisches Kontrollgremium, PKGr) set out in the Act concerning parliamentary oversight of intelligence activities (Parliamentary Oversight Panel Act (Kontrollgremiumgesetz, PKGrG)), nor is it subject to general parliamentary scrutiny: answers to specific questions by the Left Party group in the Bundestag were refused, because as classified information they could not even be lodged in the parliamentary Secret Records Office (Geheimschutzstelle). ZITiS is therefore located in an oversight gap. Close involvement with the military is also evident from the fact that the agency offers study sponsorships at the University of the Federal Armed Forces.
ZITiS is set to employ 400 people by 2020. Meanwhile there is a shortage of security experts in the jobs market, which represents another security problem. In October 2018, the first 81 vacancies at ZITiS were filled, but three out of every four persons employed had been poached from other jobs in government. Only one in four came from the "open market." ZITiS offers higher salaries, on average, than other government agencies. In early 2019, according to published recruitment advertisements,13 starting salaries in telecommunication surveillance14 are higher than those at the BSI.15 If cyber security experts at a government agency designed to attack are better paid than at an agency tasked with defense, one can imagine what will happen and what impacts that will have on the quality of our defense capabilities.
Another example of the militarization of cyberspace in Germany is the creation of a cyber agency (formerly ADIC). This agency for innovation in cyber security will be established in the Halle-Leipzig region in 2019, and employ around 100 people. The German federal government has said very clearly that this facility to support cyber research projects will function in a way similar to DARPA in the United States, and has approved a budget of 200 million euros over the first five years. In the words of defense minister Ursula von der Leyen, the cyber agency should act as a "'treasure hunter' [...] in the military and civilian sector"16 and cooperate with all cyber bodies of the Bundeswehr: the Cyber Innovation Hub in Berlin, the Cyber and Information Domain Service (Kommando Cyber- und Informationsraum, KdoCIR), and - like ZITiS - also with the cyber security degree program at the University of the German Federal Armed Forces in Munich.17 Even though this institution was set up jointly by the German Federal Ministry of the Interior (Bundesministerium des Innern, BMI) and Federal Ministry of Defense (Bundesministerium der Verteidigung, BMVg), it is obvious that it is really under the control of the Bundeswehr and BMVg. Having said that, in the field of IT security there is an explicit intention to link internal and external security more strongly,18 in other words, to bind the military and intelligence services more closely together. This is a worrying prospect, as then a cyber deployment of the Bundeswehr within Germany becomes possible, which should be just as much of a no-go as any other military deployment of the Bundeswehr inside Germany. To enable it to pay higher salaries, the cyber agency was granted an exemption by the German finance ministry, and as a result - just like ZITiS - it attracts important IT security and defense experts, luring them away from other government bodies. 
And, like ZITiS, the cyber agency too completely escapes any kind of parliamentary oversight, since it was formed as a limited company (GmbH), like any public sector enterprise.
Defending digital security
We will not be able to control the growing risks in a digitalized society unless we concentrate fully on defense. The times are long past when we were only talking about computers or cellphones. In a few years, there will be 50 billion networked devices19 in the world, from smart meters and fitness watches to self-driving cars. With its exponential growth, the Internet of Things in particular confronts us with major challenges in respect of IT security. Many products have a very poor security level, with no or inadequate password protection, zero or insufficient maintenance via software updates, and numerous security flaws that are open like a barn door. It is simply too much to expect consumers even to assess the risks associated with buying these kinds of products, particularly since in most cases the risks are not transparent because the necessary information is not provided.
It is also owing to this very frequent poor product quality that an extension of product liability to IT manufacturers is overdue. It should cover precisely the kind of damage caused, for example, by a smart toaster that becomes part of a malicious botnet due to inadequate IT security.
According to the BSI, there are already more than 600 million known types of malware, with another 280,000 or so being added every day. In 2016, around 1,000 vulnerabilities were known in the ten most frequently used software products alone.20 Anyone who builds up attack capabilities, i.e. hacking skills, is intentionally harming all our IT security, since you can only hack IT systems if you exploit security flaws instead of fixing them. But there are no good security flaws that let us monitor terrorists, and bad security flaws that expose the rest of society to hacking risks; there are just hardware and software security flaws in general, which expose to risk anyone who uses a device with that hardware or software. For this reason, the danger for us all increases every time an intelligence service discovers a security vulnerability - or buys one on the black market, using taxpayers' money - so that they can use it themselves for hacking later on.
The state as a security risk
According to press reports, the BND itself was given a budget of 4.5 million euros for the period from 2015 to 2020, to buy security vulnerabilities.21 The National Security Agency (NSA) in the United States received more than 25 million dollars for the same purpose in 2013. We gained an impression of the risks this practice entails in 2017, when criminals used the WannaCry malware worm - which exploits a security flaw in Windows - as part of an extortion scam. The NSA had already known about the security flaw for five years, but kept it secret - and so more than 230,000 computers in 150 countries got infected. Among those hit were the telecommunications company Telefónica, the British National Health Service, the Romanian foreign ministry, and 450 computers at German railway operator Deutsche Bahn, knocking out one regional control center and many display boards.
What is needed, instead, is a strict ban on government agencies buying information on previously unknown vulnerabilities, and a mandatory general duty to report security flaws - which of course must also include weaknesses discovered by the intelligence services. There should be an international ban on the security vulnerabilities trade. In its place, other incentives can be created that make it attractive to find and report security flaws.
Our armed forces should be purely a peace army that relies on defense, not offense, even if the country is under attack. At any rate, an "active cyber defense" is inconceivable without developing attack capabilities and without increasing the general security risks. Moreover, considering the uncertain attribution of cyber attacks, it also amounts to a kind of "self-defense just in case" against a state to which the attack is attributed - which is completely impermissible under international law.
International humanitarian law also clearly prescribes a principle of distinction: military attacks may only be directed at military targets, not at civilians or civilian property. With hack-backs, it is impossible to predict exactly what kind of target you are actually attacking. High civilian collateral damage therefore cannot be ruled out. It is also not clear who in Germany is actually supposed to carry out these hack-backs. But if the cyberwar capabilities of the Bundeswehr are to be used, this raises the additional issue of the requirement for parliamentary approval. After all, it would seem unrealistic to expect an attack by government hackers on a foreign target to be openly debated in parliament beforehand. When interior minister Seehofer addressed the Bundestag's Committee on the Digital Agenda, in the context of his desire to legalize hack-backs via an amendment to the constitution, he mentioned that such decisions "may have to be taken within a few minutes." In this case, the Bundestag could definitely not give the required approval of Bundeswehr deployments.
Transparency and digital education for greater digital security
It is right to invest in IT security and IT security research, but the focus should be on defense. That includes a clear expansion of the development and use of open-source software and hardware, because in an ever more complex, digitally networked world, transparency and traceability are increasingly important conditions for greater security and trust. Open products allow a look inside. They are not black boxes, where back doors can be especially well hidden. Open source is not more secure per se, but its verifiability increases the likelihood of vulnerabilities being found, and also fixed. We should place a greater emphasis globally on chips and software that have longer development cycles, but for that reason are more reliable and verifiable. "Security by design and security by default"22 should be the guiding principle for all IT products, although state regulation setting minimum standards for IT security is also needed. These standards should include minimum update obligations for software, as well as password protection worthy of the name for networked devices, so that poorly chosen passwords like "123456", "qwerty" or "password" are not accepted. The fact that millions of these passwords are used is not just down to users. Irresponsible product design is also to blame.
But people themselves are actually one of the greatest weaknesses. So there is a need for more lifelong education and training programs - which should be easily accessible and include all sections of society - to improve basic IT security skills. Too often, we naively plug an unknown USB stick into our own or the company's computer. Too many times we click on links in phishing emails, or use an easy-to-guess password. All too infrequently do we encrypt our emails, protect social network accounts with two-factor authentication, or regularly install software updates. The BSI should be expanded, for this purpose too, as a national consumer protection authority. Better prevention across the country is an important step in the right direction. Greater security for us all requires engagement by all of us - politicians, business people, scientists and civil society.
I very much hope that it does not take a catastrophic event to make us understand that we can only make our infrastructure and the foundations of the digital society more secure by acting together - and together also means that we stop thinking about IT security in terms of national borders.
11 Deutscher Bundestag, Drucksache 19/6246 (2019): "Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Dr. André Hahn, Gökay Akbulut, Anke Domscheit-Berg, weiterer Abgeordneter und der Fraktion DIE LINKE [The Federal Government's reply to a minor interpellation by Dr. André Hahn, Gökay Akbulut, Anke Domscheit-Berg and other members of parliament and the group DIE LINKE]." Berlin. dipbt.bundestag.de/dip21/btd/19/062/1906246.pdf (accessed April 1, 2019).
22 Security by Design: Development of products and services, with a state-of-the-art security level. Security by default: the basic setup of a product has to be as secure as possible, which excludes default access passwords like "0000" or "admin." See: Hahn, André (MdB) et al. (2018). Fraction THE LEFT. in the Bundestag (ed.). "'Cybersicherheit' - ein Beitrag für einen sicheren digitalen Raum ['Cyber security' - a contribution to a secure digital space]." p. 12. www.linksfraktion.de/fileadmin/user_upload/180709_Digitale_Sicherheit.pdf (accessed May 23, 2019).
Anke Domscheit-Berg (51) is a publicist, an internet activist, and a Member of the German Bundestag. For the DIE LINKE parliament group, she is spokeswoman for network policy, chairwoman of the Committee on the Digital Agenda, and a deputy member of the Artificial Intelligence Study Commission. After nearly 15 years at Accenture, McKinsey and Microsoft, she went freelance in 2011. She has authored several books, publishes in numerous media, and is a regular public speaker in Germany and other countries. Designing a digital society for the common good is her main focus.