Cyber Security_birgitta Jonsdottir Iceland


  • 8/3/2019 Cyber Security_birgitta Jonsdottir Iceland

    1/27

    Introduction

    1. The ongoing information revolution poses a series of political, cultural, economic as well as national security challenges. Changing communications, computing and information storage patterns are challenging notions such as privacy, identity, national borders and societal structures. The profound changes inherent in this revolution are also changing the way we look at security, often in unanticipated ways, and demanding innovative responses. It is said that because of this revolution, the time it takes to cross the Atlantic has shrunk to 30 milliseconds, compared with 30 minutes for ICBMs and several months going by boat.1 Meanwhile, a whole new family of actors are emerging on the international stage, such as virtual hactivist groups. These could potentially lead to a new class of international conflicts between these groups and nation states, or even to conflicts between exclusively virtual entities.

    2. One of the most fundamental characteristics of the Information Age is its ability to connect. In this regard, the main tool is the Internet and the fact that its storage capacity is currently doubling every 12 months. Interconnectivity is now central to government offices, critical infrastructures, telecommunications, finance, transportation, and emergency services. Even where communication and data exchanges are not routed through the Internet, they still, in many cases, use the same fibre optic cables.

    Introduction

    1. Hacktivists are not new. The first hacktivist groups emerged in 1995. It is important to understand the root of the newfound popularity of hacktivism. Hacktivism is a new form of protest and those that protest in that way should have the same right to do so as in the offline world. Not all protesters join a protest because of the same ideology.

    From Wikipedia: Hacktivism is a controversial term, and since it covers a range of passive to active and non-violent to violent activities, it can often be construed as cyberterrorism. It was coined to describe how electronic direct action might work toward social change by combining programming skills with critical thinking. Others use it as practically synonymous with malicious, destructive acts that undermine the security of the Internet as a technical, economic, and political platform.

    2. Interconnectivity is also central to culture, openness and education.

    3. Despite its inherent advantages, this dependence on information technology has also made state and society much more vulnerable to attacks such as computer intrusions, scrambling software programs, undetected insiders within computer firewalls, or cyber terrorists. The Internet is inherently insecure as it was designed as a benign enterprise of information exchange, a decentralized patchwork of systems that ensures relative anonymity. It is ill-equipped to trace perpetrators or to prevent them from abusing the intrinsic openness of the cyber domain. In this context, the key national security dilemma of the Information Age is how to create an effective and transparent government, which, at the same time, is also able to protect its citizens and vital national interests. Furthermore, in this Information Age, the North Atlantic Alliance faces a dilemma of how to maintain cohesion in the environment where sharing information with Allies increases information security risks, but where withholding it undermines the relevance and capabilities of the Alliance.

    4. It is a critical time for the NATO Parliamentary Assembly (NATO PA) to discuss cyber security, as the Alliance is working on a comprehensive cyber strategy to be announced in June 2011. The Rapporteur hopes that some of the questions discussed in this report will be addressed by this forthcoming NATO document.

    5. This report will focus on three facets of the linkage between Information Age and national security. First, it will discuss the changing notion of secrecy in international relations. This issue was brought to prominence by the so-called Cablegate scandal. While the publication of classified diplomatic correspondence was not a result of a cyber attack, it is nevertheless directly linked to the information revolution: remarkable advances in data storage technology allowed one person to easily download colossal volumes of data that has taken the print media months, and possibly years, to digest and to publish.

    3. Insiders: Does the Rapporteur mean intruders? An insider is a spy or a mole, but an intruder is someone that hacks into a system.

    Who has the legitimacy to claim who is a cyber terrorist and who isn't?

    The NATO security system is a state-of-the-art system that has not been the victim of any serious leaks. The reason for leaks has more to do with the culture of everything being secret by default rather than the systems. We need to reverse it into a culture of transparency. Respect for the Freedom of Information Act (FOIA) in the USA would for example eliminate the need for leaks.

    It is important for NATO member states to upgrade their freedom of information, expression and speech laws in order to ensure the transparency mentioned in this article.

    Lumping security and government together convolutes any debate of transparency. This is a faulty premise and is a different legal circumstance in every country. The value and criticality of transparency is ignored. Only the misuses are mentioned. These misuses are all aspects of a free and open society and not a sufficient argument against transparency.

    4. See my first amendment to the draft report.

    5. This issue was brought to light prior to Cablegate: with the release of the Afghan and Iraq war logs.

    The problem is not only because of different technology but also the fact that many more people have access to the documents as a result of 9/11.

    6. If the Rapporteur targets Anonymous when he writes about the negative effect of hacker groups attacking those who do not share their political view, then he should use the word "protest" rather than "attack". Furthermore, Anonymous always protested in retaliation to actions against itself or against people or organizations that the Judiciary has failed to defend (Wikileaks, Bradley Manning, Scientology's victims etc).

    7. No comment

    8. No comment

    9. No comment

    10. No comment

    6. Second, the explosion of Internet usage is creating the phenomenon we refer to as digital (h)activism. Social media and other Internet-based communities are creating new, ad hoc and cross-border allegiances that can manifest themselves in a variety of positive (reinforcing civil societies in authoritarian countries) and negative (empowering hacker groups that attack those who do not share their political worldview) ways.

    7. Third, the report will discuss the challenge of direct cyber threats against states and, in particular, NATO's role in cyber defence as one of the principal topics for the Euro-Atlantic community, particularly in the wake of the Lisbon Summit.

    8. The report will not address the specific issue of cyber crime. While cyber theft and child pornography are issues of grave concern for the international community, they do not have direct national security implications and are addressed by a number of other international organizations, including the UN, EU, OSCE, OECD and G8. The Council of Europe Convention on Cybercrime, which requires its parties to criminalise a number of activities in cyber space relating to infringements of copyright, computer-related fraud and child pornography, is a particularly noteworthy initiative that has yet to be ratified by several NATO member states.

    9. This report also represents the continuing effort by the Committee on the Civil Dimension of Security to discuss the issue of critical infrastructure protection within the Alliance. Cyber technologies are not only key enablers for systems such as energy generation or transport, but can themselves be considered as critical national infrastructure.

    10. The report also builds upon the contribution by other NATO PA Committees, particularly the 2009 Sub-Committee on Future Security and Defence Capabilities report "NATO and Cyber Defence" [173 DSCFC 09 E bis] by Sverre Myrli (Norway) and the 2007 Science and Technology Committee report "Transforming the Future of Warfare: Network-Enabled Capabilities and Unmanned Systems" [175 STC 07 E bis] by Sen. Pierre Claude Nolin (Canada).

    The Information Age and the notion of secrecy in international relations

    11. See comment to 5.

    The "Cablegate" = Cablegate: delete quotation mark and THE

    12. No comment

    13. No comment

    The Information Age and the notion of secrecy in international relations

    11. This chapter will discuss the challenges of protecting classified information in the age of Internet. It will also outline the political and security implications of the Cablegate scandal that highlighted the inter-agency and international co-operation versus sensitive information security dilemma.

    The Cablegate

    12. According to the September 11th attacks investigation, the US government failed to ensure adequate information sharing, which could have prevented the attacks (FBI failed to share details connected to an al-Qaeda operative, who later proved to be key in uncovering the plot). As a result, representatives of the political elite, the military, and the financial world all pressed for wider sharing of classified information in order to increase operational efficiency in protection of the country. Therefore, the US government adopted a policy of information-sharing, which it applied to numerous US governmental institutions and agencies including the Department of Defense (DoD) and the State Department (DoS).

    13. This policy resulted in an exponential number of people obtaining access to classified information. Approximately 854,000 people now possess top-secret security clearances. For almost 10 years now, embassy cables have been distributed through the SIPRNet (Secret Internet Protocol Router Network operated by the DoD), which has made them accessible to DoS employees all around the world, to all members of the US military and contractors with necessary security clearance. Eventually, several millions of people ended up having access to materials such as US diplomatic cables. According to information-security experts familiar with the SIPRNet, the data-sharing system was not programmed to detect unauthorized downloading by anyone who had access to this pool of data. Thus, those in charge of the network design relied on those who had access to this sensitive data to protect it from abuse. These users were never scrutinized by any state agency responsible for the data-sharing system.

    14. The analysis of the Rapporteur contradicts the confession of President Obama that one of the main reasons of the leak was over-classification of documents, and not information-sharing as the Rapporteur seems to state.

    Plus the Rapporteur's numbers are not accurate: Wikileaks didn't publish (at the time) all the documents it received. It had released 12 000+ cables of the 250 000+ it got. Not all of the cables are confidential; MANY are unclassified. The Rapporteur says "[Bradley Manning] then passed these files to the whistleblower organization, which made them public" when he should have said "[Bradley Manning] who then allegedly passed". Bradley Manning is still considered as innocent.

    Reaction to the leaks

    15. The Rapporteur cites and praises Mrs. Hillary Clinton for her preventive approach to the cables' release, but he forgets to mention that this same person had asked her diplomatic staff worldwide to illegally collect personal data of UN staff. He also fails to mention that the aggressive reaction, the cry for the assassination of Julian Assange and other WikiLeaks staff, was an overreaction. The same people also called WikiLeaks a cyber terrorist organization. At the same time three of the largest print media in the world partnered with WikiLeaks and used the material WikiLeaks' unknown sources provided.

    14. The US government's post-9/11 policy on information-sharing received the most serious blow when the anti-secrecy organization WikiLeaks started publishing documents of different levels of confidentiality. Its first major release (April 2010) was a video of a US helicopter shooting into a crowd in Baghdad in 2007 which killed 18 people, including two Reuters journalists. Shortly after, the release of 77,000 documents allegedly revealing the realities of the Afghan war were made public, as well as almost 400,000 secret Pentagon documents on the Iraq war.9 In November 2010, WikiLeaks published about 250,000 confidential US diplomatic cables, which provided US diplomats' candid assessments of terrorist threats and the behaviour of world leaders.10 Currently, the US authorities suspect that the material was leaked by Private Bradley Manning stationed in the Persian Gulf, who had downloaded the information from a computer in Kuwait. He then passed these files on to the whistleblower organization, which made them public.

    Reaction to the leaks

    15. WikiLeaks has spurred public debate with each of its releases. Nevertheless, the November 2010 release of US diplomatic cables got the most aggressive reactions from politicians world-wide. In anticipation of the leaks, Secretary of State Hillary Clinton and her diplomats warned foreign officials about the upcoming leak days before the November 2010 release happened. Following the release, the White House11 as well as the DoS were quick to denounce the leak and, as Secretary of State Clinton put it, characterised the cable disclosure as an attack on both the United States and the entire international community.12 At a meeting with Secretary of State Clinton the day after the release, the Turkish Minister of Foreign Affairs (the largest number of cables came from the US Embassy in Turkey) thanked Secretary Clinton for briefing him in advance about the leaks. The Iranian President, Mahmoud Ahmadinejad, hinted that a part of the US government might have been responsible for releasing this sensitive material to satisfy its political objectives. The Iraqi Minister of Foreign Affairs expressed concern about the possibly destabilizing effect of the leaks on the already fragile political situation in Iraq. Both Afghan and Chinese political elites emphasized that the leaks will not damage their countries' relations with the United States.13

    16. So far no one has been put into harm's way or died as a result of any of the leaks from WikiLeaks.

    17. No comment

    16. NATO condemned the leak and described it as "irresponsible and dangerous". In fact, the word "dangerous" dominated leaders' press releases following the leaks in November 2010. They feared that publicizing identities of those co-operating with the US and NATO in unstable regions might compromise their cover and jeopardize their lives. Also, ongoing military operations and cooperation between countries might be put at risk. It is yet to be seen what the actual effect of the November 2010 cables leaks will be. It is hoped, however, that the released cables will not pose any more danger than the Afghan logs, which, according to Defense Secretary Gates, had not revealed any sensitive intelligence sources and methods.

    17. On the day of the release, the White House ordered government agencies to review security procedures and ensure that only the necessary users had access to their documents. Soon after, the President's Office also appointed an Interagency Policy Committee for WikiLeaks, which was to assess the damage caused by the leaks, co-ordinate agencies' reactions, and improve the security of classified documents. The US DoD conducted an internal 60-day review of security procedures. It also disabled the usage of different storage media and the capability to write or burn removable media on DoD classified computers. The Defense Information Systems Agency has also launched a new Host-Based Security System, which is meant to monitor software and policy rules in order to spot suspicious behaviour and alert responsible authorities. For example, the software should set off an alarm if large quantities of data are being downloaded. Today, approximately 60% of SIPRNet is protected by the software. In order for it to be bullet-proof, however, it will probably require additional compartmentalization of information. A similar tracking mechanism is being adopted by US intelligence agencies (referred to as enhanced automated, on-line audit capability).

    18. The DoS has limited the number of people with access to the Net Centric Diplomacy database, which contains diplomatic reports, suspended the access to SIPRNet and to two classified sites, ClassNet and SharePoint, as well as prohibited the use of any removable data storage devices. Following the leaks, the US Air Force has blocked its employees' access to at least websites containing the leaked documents such as The New York Times and The Guardian. The Pentagon prohibited its employees to access the WikiLeaks website on government computers because the information there is still considered classified. Eventually, the administration banned hundreds of thousands of federal employees of the Department of Education, Commerce Department, and other government agencies from accessing the site. The Library of Congress, one of the world's biggest libraries, also issued a statement saying that it would block WikiLeaks.

    19. As far as the WikiLeaks website was concerned, following the leak it suffered repeated distributed denial of service attacks, which prompted it to move its server. Also companies such as Visa, Mastercard or Paypal suspended all their services to the organization, which heavily relies on online donations from its supporters worldwide.

    18. The Rapporteur should condemn overreaction such as banning Pentagon staff from visiting The New York Times and The Guardian because they released the cables. Freedom of Information is the cornerstone of true democracy and the right for access to information available in the public domain. Pentagon staff are still prohibited from reading the cables because they're still classified, yet many of the cables were not classified - how are they supposed to counteract that which they can't assess?

    (FYI: State Department Employee Faces Firing for Posting WikiLeaks Link. By Kim Zetter, September 27, 2011 | 7:03 pm | Categories: WikiLeaks. A veteran U.S. State Department foreign service officer says his job is on the line after he posted a link on his blog to a WikiLeaks document.

    Peter Van Buren, who has worked for the department for 23 years and just published a book that is critical of U.S. reconstruction projects in Iraq, said this week that the State Department had launched an investigation against him earlier this month for disclosing classified information.

    His crime, he said, was a link he posted on August 25 in a blog post discussing the hypocrisy of recent U.S. actions against Libyan leader Muammar Qadaffi. The link went to a 2009 cable about the sale of U.S. military spare parts to Qadaffi through a Portuguese middleman.)

    19. No comments

    Transparency vs. secrecy

    20. The relationship between transparency and secrecy remains a key dilemma in the Information Age and has dominated world-wide media, especially since the outbreak of the WikiLeaks phenomenon. On the one hand, there are pro-transparency advocates who argue that the existence of WikiLeaks certifies that transparency of governments and other organizations are publicly desired. According to them, it is precisely the current Internet age that is conducive to institutional reform, increases public trust in government conduct, and enhances co-operation. And, as transparency proponents argue, we should not react to this development by limiting the spread of technologies and information, but instead by focusing on adapting the conduct of diplomacy, military affairs and intelligence to the new paradigm.

    21. That said, the Rapporteur believes that even if one is in favour of transparency, military and intelligence operations simply cannot be planned and consulted with the public. Transparency cannot exist without control. The government, and especially its security agencies, must have the right to limit access to information in order to govern and to protect. This is based on the premise that states and corporations have the right to privacy as much as individuals do and that secrecy is required for efficient management of the state institutions and organizations. In addition, transparency can be misused on several levels by providing unprofessional or poor-quality interpretation of information or documents, by conducting superficial or biased analysis, by lack of experience on the topic or by pursuing a political agenda. Thus, not everything carried out under the transparency label is necessarily good for the government and its people. Moreover, the very ideal of transparency can also force public figures to become more secretive. The Information Age and its transparent nature may, for example, prevent diplomats from conducting business as usual such as making off-the-record statements or engaging in frank discussions with their colleagues.29 It also increases pressure on decision makers, who have to identify, assess, and react to information, which is immediately and widely accessible to other governments, organizations, as well as the public.30 This is an unnecessary and possibly dangerous pressure, especially when it comes to the issues of security.

    Transparency vs. secrecy

    20. General public should have access to all documents by default. Secret documents should be listed and a footnote why they need to be kept sealed.

    21. States are in the service of the people and should not be above the people they are serving. Corporations should not be classified like individuals. By stating in the report that their right to privacy should be as much as individuals do, the Rapporteur is showing a serious non-recognition of what the Fundamental Rights of the citizens are for. Several contradictory court decisions related to this issue have taken place recently which show how serious this threat to democracy is (especially in the US).

    Digital (H)activism

    22. This chapter will discuss the phenomenon of emerging borderless communities and networks, most of which are welcome, but some of which are highly dangerous. Virtual communities operating on-line provide new opportunities for civil society, but they have also increased the potential for asymmetrical attacks.

    A. The phenomenon of Hactivism

    23. Apart from causing harm, destruction or conducting espionage, most recent cyber attacks have also been used as a means to reach a rather different goal. Hactivism is a relatively recent form of social protest or expression of ideology by using hacking techniques. Hactivists use different malware (or malicious software) and Distributed Denial of Service (DDoS) attacks to publicize their cause rather than for crime. Such attacks first occurred in 1989 but have gained more prominence over the last decade. In the past hactivists have attacked NASA, the Indonesian and Israeli governments, Republican websites, as well as the University of East Anglia.31

    24. One of the most prominent group of on-line hackers - Anonymous - led a campaign against Iran, Australia and the Church of Scientology. Their most prominent campaign, however, took off in 2010 after WikiLeaks had released the US diplomatic cables. In its on-line seven-point manifesto, Anonymous announced its engagement in the first infowar ever fought and named PayPal as its enemy. What followed were DDoS attacks against Mastercard, Visa, PayPal, and other companies that had decided to stop providing services for WikiLeaks (they used to administer online donations for the site), against the Swiss bank PostFinance, that had earlier closed Julian Assange's bank account, and against the Swedish Prosecution Service. The group also attacked Amazon.com, which was previously renting server space to WikiLeaks.

    Digital (H)activism

    22. No comment.

    A. The phenomenon of Hactivism

    23. Instead of "different", use "various".

    Instead of "attack", use "as a form of protest".

    Hactivism such as Anonymous' actions to help the Tunisian people against Ben Ali's criminal regime should also be mentioned.

    24. Anonymous' current most prominent campaign is Operation Payback: a Twitter action urging Paypal users to close down their Paypal accounts, resulting in 30.000 people closing down Paypal accounts in one day. A perfectly legal peaceful protest. Also recent action: starting Occupy Wall Street protests that have spread all over the USA and the world. Plus actions to raise awareness of the shutting down of mobile and smart phones in the BART system by BART police in the USA.

    It is bizarre that UK and USA politicians find it to be justifiable to shut down and control social media in their own open and free democratic countries but condemn Egypt and Tunisia for blocking their citizens from access to social media and closing down communication networks, such as shutting down mobile networks.

    25. Observers note that Anonymous is becoming more and more sophisticated and could potentially hack into sensitive government, military, and corporate files. According to reports in February 2011, Anonymous demonstrated its ability to do just that. After WikiLeaks announced its plan of releasing information about a major bank, the US Chamber of Commerce and Bank of America reportedly hired the data intelligence company HBGary Federal to protect their servers and attack any adversaries of these institutions. In response, Anonymous hacked servers of HBGary Federal's sister company and hijacked the CEO's Twitter account. Today, the ad hoc international group of hackers and activists is said to have thousands of operatives and has no set rules or membership. It remains to be seen how much time Anonymous has for pursuing such paths. The longer these attacks persist the more likely counter-measures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted.

    The role of the social media

    26. The discourse on the Information Age and new social media gained a new momentum in the beginning of 2011, as numerous countries in North Africa and the Middle East began experiencing popular anti-government uprisings. It was the Internet, in combination with other new and old media such as cell phones and television, that has enabled global resistance to authoritarian rule in the region. The sight of protesters holding up signs "Thank you, Facebook!" has become common in Egypt and Tunisia. Journalists, experts and politicians are increasingly using terms such as "Facebook Revolution", "Twitter Diplomacy", or "Cyber-Activism". Today, Facebook is a community that unites more people than in any country in the world, save for China and India, and if the growth trends keep going as they are, the social network site will soon have more users than India has inhabitants.

    27. Social media, and most prominently Facebook, have helped activists in many of these countries to organize anti-government protests, evade surveillance, discuss issues that have been taboo for decades such as torture, police violence or media censorship, and provided a platform for trading practical tips on how to stand up to rubber bullets and organize barricades. Recognizing that new social media have had an important share on the success of public

    25. Anonymous are moving from online Hactivism to online encouragement for people to protest in a peaceful manner in the offline world all over the world.

    The Rapporteur's statement is not correct. The main reason why Anonymous hacked HBGary's emails was because Aaron Barr, HBGary's CEO, had publicly declared that he was about to uncover the identities of Anonymous members.

    The role of the social media

    26. It is important to note that Facebook and Google store sensitive data about their users and their backend information, online profiling and networks and sometimes hand over this information without the users' knowledge to third parties such as governments and corporations. This serious issue has to be addressed in this report.

    27. It is important to note that many NATO countries have sold and are still selling surveillance systems to repressive states. The EU has now banned tech companies within the EU from doing so.

    ments to his site. According to him, it was the US diplomatic cables leaked by WikiLeaks that revealed the extent of corruption among the Tunisian elite and consequently empowered the army to turn against its leaders.

    Cyber Attacks and Cyber Defence

    30. As mentioned above, the Information Age has brought about an environment that has made the state and society more vulnerable to digital attacks. They are vulnerable because we no longer keep our files and data in a shelf, but in a virtual world accessible from any one of the world's corners. As in the case of WikiLeaks, these files can be physically removed from a computer, handed over to adversaries, or simply made public. Apart from that, however, one of the greatest strengths as well as weaknesses of the Information Age is that files can also be accessed and on-line services disrupted from afar by various cyber attacks. The term cyber attack represents a myriad of activities ranging from stealing passwords, to accessing accounts, disrupting critical infrastructure of a country or spying on an enemy. As cyber experts testified to the members of two NATO PA Sub-Committees during the recent visit to The Hague on 18-20 April 2011, there is still no agreement within the international community as to which of these cyber activities constitute a crime. NATO C3 Agency's Principal Scientist Brian Christiansen suggested that the existing legislative black holes should be addressed in a multinational manner due to the transnational nature of the threat.

    31. Due to its decentralized nature, the Internet per se is in fact extremely robust and resilient as it was designed to withstand nuclear war. However, separate parts of this network of networks are vulnerable to cyber threats. The most disquieting feature of the cyber domain is that the attacker has the advantage over the defender. Perpetrators need only one weak point to get inside the network, while defenders have to secure all vulnerabilities. These attacks also take place at the speed of light, which leaves little or no time to react to attacks. Furthermore, the inherent nature of the Internet allows an attacker to forge the sender's address or to use botnets (zombie computers often located in different countries), thereby disguising the true identity of an attacker and leading to misattribution of the source of an attack.47

    Cyber Attacks and Cyber Defence

    30. Existing legislative black holes should be addressed in a multinational manner due to the transnational nature of the threat: add: the lack of civic rights online is of grave concern because of the transnational nature and lack of international framework to protect those rights, especially when cross border issues arise.

    31. No comment

    32. The problem of attribution is widely recognized as the biggest obstacle for effective cyber defence. Professional hackers can easily cover their tracks and thus avoid penalties. Deterrence, a critical element of a traditional defence paradigm, does not work in cyber space. In addition, most cyber attacks are performed by civilian hacker groups so it is almost impossible to prove government involvement. For instance, experts suggest that the thriving Chinese hacker community is not directly supervised by respective government authorities but merely encouraged financially or through patriotic education mechanisms such as the People's Liberation Army's militia and reserve system. It makes it difficult to blame Beijing for the attacks such as the one in 2007, when some 25-27 terabytes of information (equivalent to roughly 5,000 DVDs) were stolen from the Pentagon.

    33. As sources of cyber attacks are usually impossible to trace, it cannot be said with certainty who has, so far, dominated the cyber world. Nevertheless, when it comes to the involvement of states in cyber attacks, Russia and China are said to be the usual suspects. From what we know today, terrorist groups such as al Qaeda do not yet have the capability to carry out such attacks. In the future, however, organized crime and hacker groups could sell their services to terrorist groups.

    A. Types of cyber attacks

    34. Generally speaking, there are two types of cyber attacks: Distributed Denial of Service (DDoS) and malware attacks.

    DDoS attacks

    35. DDoS attacks aim to overwhelm a target by sending large quantities of network traffic to one machine. Attackers take over a number of other computers (botnets) and use them without the knowledge of their owners; for instance, in the Estonia attack, roughly one million computers were hijacked in 75 countries. The goal of DDoS is to prevent legitimate users from accessing

    32. It says that data was stolen from the Pentagon, but it was copied, not copied then erased.

    33. From what we know today, terrorist groups such as al Qaeda do not yet have the capability to carry out such attacks. In the future, however, organized crime and hacker groups could sell their services to terrorist groups.

    This is a speculation that is not fitting for this report.

    A. Types of cyber attacks

    34. no comment

    DDoS attacks

    35. No comment

    information and services, such as the actual computer, email, websites, online accounts (banking, etc.). DDoS attacks are extremely difficult to deal with because they do not attempt to exploit vulnerabilities of a system. Vulnerabilities may be patched, but essentially one cannot do much to prevent DDoS attacks.

    36. One of the first major attacks aimed to cripple a country's critical infrastructure hit Estonia in May 2007. The e-government country experienced co-ordinated DDoS attacks on websites of the Estonian President and Parliament, almost all of its government ministries, political parties, major news organizations, two banks and several communication companies. The attacks came soon after Estonian authorities had relocated a Soviet war memorial in Tallinn, a step which spurred protests by ethnic Russians living in Estonia and resulted in hundreds of casualties. The series of cyber attacks, which occurred weeks after the event, supposedly originated in Russia and were hosted by Russian state computer servers. Russia denied these allegations, but in March 2009, an activist with the pro-Kremlin youth group Nashi claimed responsibility for organizing the cyber attacks on Estonia. It should be noted that Estonia is extremely dependent on the Internet. At the last parliamentary elections, of the voters cast their votes via Internet.

    37. Another significant DDoS attack was launched against Georgia in the summer of 2008. This is of note due to the fact that it was coupled with the use of conventional military force, something that a number of experts predict will occur more often in the future. Georgia blamed Russia for the attack only for Russia to deny any involvement.53 A year later, the combination of cyber and conventional force was supposedly also employed in the case of the bombing of the Syrian nuclear reactor, which was allegedly orchestrated by Israel.54

    Malware attacks

    38. Malware or malicious software attacks refer to techniques capable of infiltrating one's computer without the user's knowledge and taking control of it, collecting information, or deleting its files (see examples of malware in the Annex). Attack malware can reportedly be bought online for several hundred dollars or even downloaded for free.

    36. No comment

    37. No comment

    Malware attacks

    38. No comment

    39. Malware-based cyber attacks are increasingly being used for espionage. In 2008, the United States experienced a major attack on the classified networks of US Central Command, in charge of overseeing military operations in the Middle East and Central Asia. Based on available information, the attack was carried out by a foreign intelligence service, which used portable data storage devices to spread malware. Espionage cyber attacks, however, can also be carried out against non-state actors such as private companies and think tanks. Operation Aurora carried out in late 2009/early 2010 is a case in point. During the course of several months, Chinese hackers managed to penetrate the networks of at least 34 financial, technological, and defence companies via exploiting flaws in e-mail attachments.56 One of the attacks' targets, the giant search engine Google, admitted that hackers had penetrated Gmail accounts of Chinese human rights advocates in the United States, Europe and China. A number of human rights organizations and Washington-based think tanks focusing on US-China relations were also hit by the attacks. According to experts, the attack reached a new level of sophistication as hackers exploited multiple flaws of different software programs, multiple types of malware codes were allegedly used against multiple targets and the whole process was very precisely co-ordinated. This series of attacks was aimed at gaining information about the latest defence weapons systems, source codes powering software applications of prominent technological companies, as well as gaining background about Chinese dissidents.

    Stuxnet

    40. The Stuxnet is technically a malware, but its characteristics, originality and potential for disruption are so novel that it merits special attention. The Stuxnet worm has been described as the most sophisticated cyber weapon ever deployed58 and its widely-acknowledged role in damaging Iran's Bushehr nuclear reactor and Natanz uranium enrichment plant has put Stuxnet firmly in the spotlight recently.59 Essentially, the worm is a direct-targeting cyber attack: it sniffs around its target's operating system and only attacks if this system matches its targeting criteria, thereby making detection harder for other defences. Once it has acquired its target, Stuxnet deploys two extremely complicated programming payloads to bomb them. In the Iranian example, the first of these cyber bombs attacked the centrifuges in the nuclear plant, slowly

    39. No comment

    Stuxnet

    40. No comment

    unsynching them so that they collided with each other, causing serious damage. The second cyber bomb compromised the digital warning, display and shut-down systems controlling the centrifuges, thereby blinding these systems to the reality of what was happening.

    41. This characteristic makes Stuxnet unique in that it specifically attacks and compromises the Supervisory Control and Data Acquisition (SCADA) systems of critical infrastructures. Thus, the real danger of Stuxnet is that, although the Iranian example was a specifically targeted attack, the same method could be used to attack virtually any information technology system used in any critical infrastructures around the world. Stuxnet has therefore been described as a cyber weapon of mass destruction.60 Of particular note is that the vast majority of complicated information technology systems that are potentially vulnerable to Stuxnet are located in NATO and NATO partner countries.

    NATO and Cyber defence

    NATO's cyber agenda

    42. The cyber domain is often described as the fifth battlespace, representing both opportunity and risk for the military. In the context of the revolution in information and communication technologies, the military institutions of major powers have been working relentlessly to interconnect commanders, soldiers, sensors and platforms in order to improve agility and achieve better situational awareness. Today, more than 1/5 of US defence and security acquisitions are in the cyber sector.61 Network-centric capabilities has become a buzzword in militaries, while new technologies enable commanders to make better-informed decisions and to reduce human losses by, for example, operating an unmanned aerial vehicle (UAV) over Afghanistan from a base in Nevada.

    43. On the other hand, our armed forces are now faced with risks they have not experienced before, such as the incident reported by The Wall Street Journal in December 2009, when Iraqi insurgents managed to intercept feeds coming from American UAVs using inexpensive software that is available on the

    41. No comment

    NATO and Cyber defence

    NATO's cyber agenda

    42. No comment

    43. no comment

    Internet.62 The Pentagon computer systems are probed up to six million times

    per day, according to US Cyber Command.

    44. NATO's increasing involvement in cyber security is therefore inevitable. As NATO Secretary General Anders Fogh Rasmussen put it: there simply can be no true security without cyber security. The Alliance has included this issue on its agenda since 2002 when it approved a Cyber Defence Programme, a comprehensive plan to improve the Alliance's capability to defend against cyber attacks by improving NATO's capabilities. However, it was not until the 2007 attacks against Estonia that NATO embarked upon developing a comprehensive cyber defence policy that would include not only the protection of the Alliance's own networks but would also augment the cyber security of individual member states. The Group of Experts Report (the Albright report) recommended that NATO must accelerate its efforts to respond to the dangers of cyber attacks. It recommended focusing on protecting NATO's communications and command systems, helping Allies to improve their ability to prevent and recover from attacks, and developing an array of cyber defence capabilities aimed at effective detection and deterrence. At the Lisbon Summit, NATO member states committed the organization to developing a new Cyber strategy by June 2011. This strategy will most likely require regular revisions and updating as the developments in cyber domain are remarkably rapid.

    45. At present, individual members continue to bear principal responsibility for the security of their networks, while relevant NATO structures, apart from protecting their own networks and providing support for NATO operations, are expected to assist member states by sharing best practices and dispatching Rapid Reinforcement Teams in case of emergency. Key NATO institutions in the area of cyber security include:

    NATO Cyber Defence Management Authority (CDMA), which is responsible for coordinating cyber defence systems within NATO and providing advice to member states on all the main aspects of cyber defence. NATO CDMA operates under the auspices of the new Emerging Security Challenges Division in NATO HQ;

    The Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, which was established in 2008, is responsible for research and training on cyber warfare;

    44. no comment

    45. no comment

    The NATO Consultation, Control and Command (NC3) Board and NATO's Consultation, Control and Command Agency (NC3A) control the technical aspects and operational requirements of NATO's cyber defence capabilities;

    The NATO Communication and Information Services Agency (NCSA), through its NCIRC (NATO Computer Incident Response Capability) Technical Centre, provides technical and operational cyber security services for NATO and its operations and is responsible for responding to any cyber aggression against the Alliance networks.

    46. NATO conducts annual exercises aimed at enhancing an understanding of NATO's cyber defence capabilities and identifying areas for improvement. This year's exercise, Cyber Endeavor, will take place on 5-22 September in Grafenwöhr, Germany.

    47. A lot remains to be done, however. NATO's principal cyber unit, NCIRC, is only partially operational and does not yet provide 24/7 security for all NATO networks. Full operational capability is expected to be achieved in 2012. NCIRC is also only engaged in passive defence, monitoring network activities and dealing with incidents. It does not have a mandate, however, to go after an attacker.

    48. More importantly, NATO needs to devise its policy regarding the key

    question of how to react to cyber attacks against one of its member states.

    Can one invoke Article 5 of the Washington Treaty after a cyber attack? And

    what response mechanisms should the Alliance employ against the attacker?

    Should the retaliation be limited to cyber means only, or should conventional

    military strikes also be considered? Furthermore, the Alliance must decide to

    what extent it can engage in cooperation on sensitive cyber issues with partner

    countries, such as Russia.

    National policies of member states

    49. As noted above, member nations bear the principal share of responsibility for their cyber security. Before the 2007 attacks against Estonia, most European nations were developing national strategies to promote information society focusing on economic and cultural benefits offered by new communication

    46. no comment

    47. no comment

    48. no comment

    National policies of member states

    49. no comment

    and computing technologies, largely neglecting possible risks. After 2007, the

    need for a more balanced approach has been increasingly acknowledged.63

    50. The 2010 UK House of Lords report on cyber security noted wide differences between various European countries in terms of preparedness to meet cyber threats. Since in cyber domain the system is as strong as the weakest link, the report stated that the European countries have an interest in bringing the defences of the lowest up to those of the highest.64 The exact level of preparedness is difficult to measure, however, due to the lack of full understanding of the complexity of cyber domain.

    51. The highest level of preparedness in the Alliance is in the United States and the United Kingdom. The US feels more threatened by cyber attacks than any other nation due to its highly pervasive use of information and communication technologies as well as to its status as a superpower. President Obama identified cyber security as a strategic priority. From 2010 to 2015, the US government is expected to spend over US$50 billion on its cyber defences.65 The Departments of Defense and Homeland Security share the responsibility for the security of American government networks and implement this mandate through several agencies such as National Security Agency and US Cyber Command (inaugurated in 2010 and specifically tasked to protect US military networks). In terms of legislation, three separate Acts streamlined executive responses to cyber warfare on critical national energy infrastructures, while another Act coordinated wider cyber security efforts, including those against financial institutions and industry.66

    52. The UK's lead cyber agency is the Government Communications Headquarters (GCHQ). Cyber security occupies central place in the National Security Strategy and the Strategic Security and Defence Review published in October 2010. Experts note that review contains all the early signs of a well-balanced and (now) better-funded approach to UK cyber security.67 UK Computer Misuse Act is also hailed as a robust and flexible piece of legislation in terms of dealing with cybercrime.68

    53. That said, even in the US and UK there are still important questions that need to be addressed. In particular, experts note the insufficient degree of

    50. no comment

    51. no comment

    52. no comment

    53. no comment

    cooperation between the government agencies and private sector which owns most of information capabilities and infrastructure; more than 90% of American military and intelligence communications travel through privately-owned telecommunications networks.69 However, private entities are reluctant to allow greater government involvement and monitoring. The UK House of Lords report noted that representatives of the commercial United Kingdom Internet industry showed little interest in giving evidence for this report. Many experts stress that private industry makes its decisions on cyber security measures based on financial rather than national security calculations.

    54. While the US and the UK tend to lead on these matters, other NATO members have also updated their existing legal frameworks and made cyber security increasingly prominent in their security strategies. In particular, significant progress has been achieved in establishing Computer Emergency Response Teams (CERTs). A CERT is an organization that studies computer and network security in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and to offer other information to help improve computer and network security. The 2010 House of Lords report identified the lack of CERTs in some European countries as a major concern. However, in 2011 the situation seems much better. According to the register of the European Network and Information Security Agency (ENISA), CERTs were established in all European NATO countries. Furthermore, the establishment of more advanced Computer Security and Incident Response Teams (CSIRTs) is being promoted. CSIRTs are CERTs that have extended their services from being a mere reaction force to a more complete security service provider, including preventive services like alerting and security management services.70

    55. However, there is no basis for complacency. Establishment of new institutions must be followed by more intensive schedule of joint exercises. The legislative basis must also be further reviewed and updated to take into account the new realities of the cyber domain. According to NATO Deputy Assistant Secretary General Jamie Shea, legislative frameworks in many NATO countries are lagging behind in terms of cyber realities.71 At the meeting with NATO Parliamentarians in The Hague on 19 April 2011, NATO C3 Agency General Manager Georges Dhollander said that not all NATO member states have ad-

    54. no comment

    55. no comment

    opted legislation that would make it mandatory for the private sector to protect their data and their networks. For instance, it should be mandatory to install safeguards that would prevent computers or networks being hijacked and used as botnets. NATO C3 Agency's Principal Scientist Brian Christiansen also suggested that all NATO nations should employ the so-called red teams that use hackers' methods to probe security levels of various national networks (without malign intentions, of course).

    56. The less advanced NATO nations must realize that in the cyber domain there cannot be a free ride. One study notes that nations that do not have adequate legislative and institutional framework to protect their cyber assets are less likely to receive assistance from the international community because in a rapid reaction situation, existing procedures better support effective interaction (...) because there is a certain amount of homework that can only be performed by the victim.72

    Information and Cyber security: options for the international community and NATO

    57. The challenges of the Information Age for national and international security are complex and require the combined efforts of international, regional and national authorities and the private sector, as well as sub- and trans-national groupings of active individuals. NATO is not in a position to address all aspects of this challenge, but it does have a significant role to play, not least because it unites nations with the most developed information and communication infrastructure (infrastructure, hardware and software which collectively make up the Internet are still overwhelmingly Western designed and produced; more than 50% of the world's Internet traffic transits the USA).

    56. no comment

    Information and Cyber security: options for the international community and NATO

    57. no comment

    58. On the global level, NATO should support initiatives to negotiate at least some international legal ground rules for the cyber domain. This framework must discourage the cyber arms race and define thresholds above which attacks constitute an act of war. International law should clearly prohibit the use of cyber attacks against civilian infrastructures. The principles of international law should also recognize indirect responsibility of a state to ensure that its territory is not used by non-state actors to launch attacks against a third country. If a country systematically fails to ensure that or provides sanctuary for perpetrators, it should be considered as breaching international law and should face sanctions.

    59. However, achieving this agreement will not be easy, since some critical players such as Russia and China view cyber security from an information security perspective. This perspective is based on their desire to limit dissent and access to information deemed threatening to their regimes. These nations have proposed in-built tracking devices on all Internet packets that would allow all actions on the Internet to be traced. Western analysts argue this would be cumbersome, costly and easily negated by criminal groups, intelligence agencies and militaries. Therefore, the real target of such proposals is the average Internet user and their ability to access information and engage in political dialogue anonymously. Such a surveillance approach is prohibited by many NATO member states' own laws governing surveillance, propaganda and counter-terrorism.

    58. Threshold for cyber-war is very dangerous: how can one know for sure that an attack came from a precise location? If an attack is cyber, the response may very well be physical. This could be a new excuse to start wars based on speculations like the Iraq war where misinformation at highest levels played a big role. Threshold for cyber-war needs to be out in the open and those that use this term have to understand how easy it is to bluff within the internet landscape where attacks originate. For example, within Stuxnet is a trace that shows it originates from Israel, yet everyone is cautioned not to take that as proof it really comes from there.

    Censorship is a dangerous territory to go into and should not be a part of this report. Nations need of course to be responsible for ensuring that their information systems aren't used by groups with bad intentions to harm other nations. However, who will decide what should be censored in order to protect all of us from cyber attacks? And to whom will those people be accountable to? Who is checking the checker? WL released documents about how Australia was censoring the internet for the own good of Australians without their knowledge or permission.

    59. no comment

    60. Other approaches to policing the cyber domain focus on developing technical solutions within Internet infrastructure itself to help maintain security. The Internet was originally designed to be interoperable and has therefore paid little attention to security aspects. The 2003 US National Strategy to Secure Cyberspace identified vulnerabilities within three key Internet protocols: the Internet Protocol, which guides data from source to destination across the Internet; the Domain Name System, which translates Internet Protocol numbers into recognizable Web addresses; and the Border Gateway Protocol, which provides the connection between networks to create the network of networks76. None of these protocols have in-built mechanisms to verify the origin or authenticity of information sent to them, leaving them vulnerable to being manipulated by malicious actors. Therefore, funding and developing technical solutions for a new set of secure protocols that will address many of the vulnerabilities in the current Internet infrastructure whilst falling short of surveillance of member states' populations could be useful to NATO.

    61. In addition, NATO member states should support wide ratification of binding international treaties, like the Council of Europe's Convention on Cybercrime, because banning cyber criminal activities would also help negate cyber terrorists as well as state-sponsored cyber attacks that often use the same techniques as cyber criminals.

    62. In terms of public-private co-operation, relevant authorities of NATO nations should be more pro-actively engaging private IT companies when it comes to setting stricter rules on the use of cyber space. Dialogue is essential because software companies like Microsoft and Google remain able, by developing various software options, to exercise influence beyond what any nation state could aspire to do using their legislative powers. Incentives must be put in place to encourage private companies, particularly those running critical national infrastructures and designing cyber hardware and software, to upgrade their security systems beyond simple profit vs. loss calculations.

    63. The Alliance should also establish closer co-operation with the EU. Although NATO is developing cyber defence capabilities, it still needs the EU because it issues laws on comprehensive standards for cyberspace and NATO does not. It would be useful, however, if the EU established the position of an

    61. This year a bill to provide a so-called Internet kill switch was proposed again by Sen. Susan Collins in the USA. Very dangerous trend that needs to be addressed in the same manner as the kill switch in Egypt earlier this year.

    What does the rapporteur mean when he states the following: The Internet was originally designed to be interoperable and has therefore paid little attention to security aspects. Who is THE INTERNET?

    61. No comment

    62. No comment

    63. No comment

    EU Cyber Czar in order to have a clear contact point for NATO.

    64. With respect to its own contribution, NATO should incorporate its cyber policies (and encourage its member states to do likewise) into a broader framework for adapting the military to the realities of the Information Age. Cyber security is not a value per se, it must be seen within the context of the developing concept of network-enabled capabilities. In other words, we need to find the right balance between the advantages offered to our armed forces by the new information and communication technologies, and the protection against cyber threats stemming from this information revolution.

    65. It also goes without saying that NATO must clarify its response mechanisms in case of a cyber attack against one or more of its members. It is important that while the Alliance's cyber strategy is under preparation, it is not prevented from adequately responding to such attacks. Some argue that Article 5 should not be applied with respect to cyber attacks because their effect so far has been limited to creating inconvenience rather than causing the loss of human lives and because it is hard to determine the attacker. However, the Rapporteur believes that the application of Article 5 should not be ruled out, given that new developments in cyber weapons such as Stuxnet might eventually cause damage comparable to that of a conventional military attack.

    66. In more practical terms, NATO should consider its role in protecting physical infrastructure associated with the cyber domain. The physical vulnerability of fibre-optic cables and information hubs represents a serious challenge within the cyber domain. Most long-haul fibre-optic cables reach land at obvious choke points, which make them susceptible to attack or damage. Of note is the choke point for transatlantic cables, Widemouth Bay, Cornwall, in the UK, where four major EU-US cables reach land.77 This area has reportedly been designated vital to US security because of these cables.78 Meanwhile, the vast majority of the physical cables that connect the United States and Asia run through the Luzon Strait choke point between Taiwan and the Philippines.79 Cables in the Malacca Strait are also congested, and island NATO members and partners, like Iceland, Japan and Australia, are particularly vulnerable.80 To date, the best form of protection for these sub-surface cables has been their anonymity. However, sometimes this is not enough, as highlighted by the fact that 75% of Internet capacity between Europe and a large part of Asia was temporarily lost when, in 2008, ships off the Egyptian coast severed two inter-continental fibre-optic cables by dragging their anchors.81 A Georgian woman denied 90% of Armenians access to the Internet for 5 hours when she inadvertently cut through a cable with her spade.82 There have also been other large Internet disruptions caused by cable incidents in Malta, Sicily, the US and Asia.83 These highlight the possibility of sabotage by state or non-state actors. In terms of bandwidth capacity, NATO member states are heavily dependent on infrastructure in the UK for their transatlantic communications. Many of these key Internet peering points are based in and around London and have previously been threatened by flooding.84 Any disruption to these infrastructures could have far-reaching economic and military effects.

    64. No comment

    65. So far there has been no link with the loss of human lives in relation to cyber attack, thus it is way too steep to suggest Article 5 should be used. Stuxnet is not a good example simply because there are traces within the virus that track it to Israel.

    66. No comment

    67. The Rapporteur also suggests that NATO considers applying common funding procedures for procurement of some critical cyber defence capabilities for its member states. The Alliance and its nations should also redouble their efforts to invest in human capital, because currently the Western nations are widely believed to be losing their advantage in cyberspace in terms of numbers of cyber experts and qualified personnel.

    68. Other practical measures should include reviewing our policies in terms of critical information that is to be stored online. The Cablegate revealed some documents that date back to 1966. Nigel Inkster, a prominent British expert, says that this suggests an excess of zeal among those tasked to place State Department data on SIPRNet, since these cannot be relevant to today's operational requirements. It is also necessary to review the operating systems of critical national infrastructure with a view to limiting their unnecessary exposure to online connections. Furthermore, new safeguard mechanisms must be put in place to prevent unauthorized downloading of sensitive data to digital storage devices. Procedures for vetting relevant personnel should also be revisited.

    69. That said, the Rapporteur wishes to emphasize that all necessary security measures should not cross the line where they would violate the fundamental principles and values cherished by the nations of the Euro-Atlantic community. It is also important for our national security interests: since the cyber domain is to a large extent governed by the people, it is important to win the moral support of the majority of the virtual community. In order to prevent the abuse by the governments, stricter security rules should be accompanied by measures ensuring democratic oversight. For instance, the United States announced recently the establishment of the Privacy and Civil Liberties Oversight Board (PCLOB) to ensure that privacy and civil liberties are protected.85

    No comment on this page

    70. Last but not least, the Rapporteur would like to underline the role of parliamentarians not only in terms of issuing relevant legislation, but also in communicating with a public that is often insufficiently informed about the scope of opportunities and risks posed by the Information Age.

    Annex

    Types of Malware

    Logic Bomb

    The earliest and simplest form of malware. It is not a virus but a computer code, which needs to be secretly inserted into the computer software. When triggered (positive trigger: setting a time or date of the bomb exploding, such as removing an employee's name from the salary list; or negative trigger: failing to insert certain data or code by a specific time), the bomb can cause system shutdown, delete files, send secret information to wrong people, etc.

    Trojan Horse

    Creates a back door into a computer, which can be obtained via the Internet from anywhere around the world. It can delete, steal or monitor data on someone else's computer. It can also turn the computer into a zombie and use it to hide the real perpetrator's identity and cause further damage to other systems.86

    Key-logger

    Monitors and keeps track of keystrokes on a computer usually without the user being aware of it. The information can be saved to a file and sent to another computer. Acquiring private data such as usernames and passwords is usually the key target of the program.

    Virus

    Infects files when they are opened or being run and is capable of self-replication. It often manifests itself as a logic bomb or a Trojan. Viruses are difficult to track and can spread very quickly. In 2000 the ILOVEYOU virus caused damage of approximately US$10 million.

    Embedded Malware

    Is malicious software inserted into operational systems of machines ranging from phones to weapons systems, which accepts additional covert commands. According to General Wesley Clark and Peter Levin, an example of such operation was Israel's alleged attack on Syrian nuclear sites in 2007, which was supposedly made easier because of embedded malware that turned off Syrian defence radar.

    70. The Rapporteur does not go into detail in any way about the lack of civic rights in cyberspace. I wish to draw the attention of the Rapporteur to an ongoing case I have personally been dealing with and which is resulting in a special report at the human rights committee at the IPU. Here is a part of a recent article I have written about this, which should perhaps give the writers of this report a deeper perspective in this regard.

    First of all I want to express my gratitude to the USA Department of Justice for their attempts to have my personal backend information handed over to them from my Twitter account because of my volunteer work for WikiLeaks. It has raised my awareness about the lack of civic rights social media users have and thus given me reasons to fight for these rights.

    Before my Twitter case I didn't think much about what rights I would be signing off when accepting a user agreement with online companies. The text is usually lengthy in a legal language most people don't understand. I think it is safe to say that very few people read the user agreements, and very few understand its legal implications if someone in the real world would try to use it against them. It is simply virtual until a case is made in the real world.

    Many of us who use the Internet, be it to write emails, work, browse its growing landscape, mining for information, connecting with others or use it to organize ourselves in various groups of likeminded, are not aware that our behavior online is being monitored. Profiling has become a default with companies such as Google and Facebook. These companies have huge databases recording our every move within their landscape in order to groom advertisement to our interests. For them we are only consumers to push goods at, in order for them to sell ads in a clever business model. For them we are not regarded as citizens with civic rights in their world. This notion needs to change.

    To be fair, I guess no one really knew where we were heading when these companies were start-ups. Neither us the users, nor the companies hogging and gathering our personal information for profit. Very few of us had the imagination that governments that claim to be democratic would invade our online privacy with no regard to rights we are supposed to have in the real world. We might look to China and other stereotype totalitarian states and expect them to violate the free flow of information and our digital privacy, but not our very own democratically elected governments.

    What I have learned about my lack of rights in the last few months is of concern for everyone that uses the Internet and calls for actions to raise people's awareness about their legal rights and ways to improve legal guidelines and framework online, be it locally or globally.

    I guess the problem and the dilemma we are facing is that there are no proper standards, no basic laws in place that deal with the fundamental question: are we to be treated as consumers or citizens online? There is no international charter that says we should have the same civic rights as in the offline world. Our legal systems are slow compared to the speed of online development.

    With the social media explosion many people have put into databases very sensitive information about themselves and others without knowing that they have no rights to defend themselves against attempts by governments to obtain their personal data, be it locally or, like in my case, globally. According to the ruling of the judge in my Twitter case, we have forfeited those rights when we agree to the terms and conditions by the company hosting our data; even if it is not kept on servers in the USA, the company would only need to have a branch in the USA for authorities to be able to demand the information to be given to them. We have to rely on, for example, Amazon, Facebook, Google and Twitter to look out for our interests. It might not always be in their interest to look out for us.

    I want to stress that Twitter did fight for the interests of their users in my case by going to court to unseal a document demanding them to hand over personal backend information about me and four other users connected to WikiLeaks. The document Twitter managed to unseal stated that they were to hand over our personal information without our knowledge within three days. If Twitter had not managed to unseal the document we would not know how far the DoJ is reaching to get their hands on our data and how difficult it is to guard our privacy in the borderless legal jungle. I am for example not a USA citizen and because of that I am not protected by the 1st and 4th amendment in the USA constitution. Users from the USA are protected in the same case by these fundamental rights.