Cyber-warfare, cyber-terrorism, and cyber-crime
April 2013 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
One of the unfortunate consequences of political rhetoric is the purposeful brandmarking of the dialogue; controlling the language of the discourse may, as much as substance, determine the conclusions drawn by the target audience. Political strategists understand that the language used in public discourse can be leveraged to autonomically trigger appropriate evocative images and responses within the audience. Typically the strategists attempt to reduce complex concepts to ‘buzz words’ that effectively brand their position and elicit the preferred emotional response in the target audience. The message ‘feels right’ to the audience, regardless of the evidence, logic, intellectual examination, or facts for the position (‘truthiness’ as coined by the American television comedian Stephen Colbert).
With respect to the vulnerability and security of digital information and networks, the language of the discourse within the European Union and the United States is clearly subject to different branding strategies and different standards of truthiness.
In February 2013, the European Commission, in conjunction with the High Representative of the Union for Foreign Affairs and Security Policy, issued a cyber security strategy and the Commission proposed a new directive with respect to network and information security titled ‘An Open, Safe and Secure Cyberspace’. Based upon a series of five strategic priorities, the policy addresses cyber resilience, reducing cyber crime, developing cyber defence, mobilising industrial and technological resources, and establishing a coherent policy that promotes core EU values. The focus on the priorities appears to be promoting individual rights through establishing a consistent network and security strategy across member states, creating a cooperative mechanism to share early warnings for risks and incidents, and encouraging the private providers of infrastructure and the basic enablers of digital information services (cloud computing providers, internet payment providers, social networks, etc.) to adopt best practices risk management. The language of the policy clearly recognises threats to network and information security, but brands the discussion in terms of the needs and rights of the individual.
Within a week of the Commission’s release of the proposed new directive, President Barack Obama issued an Executive Order (EO) entitled ‘Improving Critical Infrastructure Cybersecurity’ (after a stalemate in US legislative attempts in this area). As opposed to the Commission approach, the EO begins with alarmist language that there have been “repeated cyber intrusions into critical infrastructure” and contends that cyber threats to critical infrastructure continue to be “the most serious national security challenges we must confront”. With that language, the US has branded the dialogue for cyber security in terms of “critical infrastructure” rather than individual rights and “a national security challenge” rather than an economic infrastructure issue. Pursuant to the EO, the Director of the National Institute of Standards and Technology is to produce a standard framework to reduce cyber risks for critical US infrastructure (the ‘Framework’) and, while private industry participation is largely voluntary, the Framework requires “guidance for measuring the performance of any affected entity” in implementing the Framework (explicitly mandating very public disclosures of failures of private entities to adopt the preferred government positions established by the Framework). The US approach vests an officer of the Department of Homeland Security with oversight of privacy and civil liberties related to implementation of the EO and suggests (in Section 7(c) of the Framework) that the Framework merely include provisions to “mitigate” negative impacts of the Framework on individual privacy and civil liberties.
Interestingly enough, the EO comes only a few months after President Obama signed another executive order expanding the US military’s authority to carry out cyber attacks (terming them “defensive actions”) and the US Defense Secretary Leon Panetta (in rhetoric reminiscent of the “axis of evil” designation by President George W. Bush in his State of the Union Address on 29 January 2002 with respect to weapons of mass destruction in Iran, Iraq and North Korea) warning that the three potential US adversaries (Russia, China and Iran) are systematically developing cyber threat capabilities.
Certainly recent reports of cyber intrusions, especially intrusions under some level of control of, or financed by, foreign governments, are cause for concern and require a coordinated response to prevent the deterioration of digital commerce, digital confidence, and digital infrastructure supporting common needs across cultures. In February 2013, an American data company, Mandiant, reported tracking 141 cyber attacks performed by the same Chinese hacker group since 2006, 115 against US corporations, stating that the attacks were sponsored by the Chinese government and indicating that these cyber attacks were “just the tip of the iceberg … on average the US is subjected to at least 140 attacks per day”. Prior reports had indicated the involvement of the US in joint venture cyber attacks with Israel against Iran (using the Stuxnet virus to cripple Iran’s nuclear enrichment efforts). Such efforts have been labeled ‘sixth generation warfare’ when perpetrated by states or sub-state entities. Against these public reports of directed attacks at the state or sub-state level, there are innumerable reported and unreported attacks every day from criminals and criminal enterprises trying to steal personal financial or identity information and coordinated attempts to obtain proprietary and competitively significant digital information from private companies in what has been denominated as ‘economic warfare’ (but which is merely traditional corporate espionage for digital information, rebranded).
However, there is a clear distinction between state and sub-state sponsored cyber warfare and mere criminal activity. In the EU this distinction with respect to ‘cyber invasions’ is delineated, linguistically, in terms of cyber resilience and reducing cyber crime on one hand, and cyber defence on the other.
While the results of the two cyber invasions may be a similar security breach, these cyber invasions are inherently of a different nature and mandate a different perspective and response. The new EO may blur this linguistic distinction in the US, with Homeland Security now being responsible for creating policies and scorecards for the cyber security of private industry regardless of the source of the threat. Maintenance of infrastructure, as opposed to the priority of individual rights or source of the threat, appears to be the principle focus of the new US domestic policy. While the EU has branded cyber security in terms of maintaining individual rights and access to digital capabilities, the US had branded cyber security in terms of national defence (with all of the ancillary emotional responses ingrained in the US electorate since 9/11).
Kelly L. Frey is a member at Dickinson Wright PLLC. He can be contacted on +1 (615) 620 1730 or by email: KFrey@dickinsonwright.com.
© Financier Worldwide
Kelly L. Frey
Dickinson Wright PLLC