Defence Against the Next Web War

Canada and its closest allies need to get serious about protecting their shared swath of cyberspace.

Reuters describes the recent spate of cyber attacks on Canada’s Finance Department and Treasury Board as “unprecedented.” Reportedly emanating from China, the attacks targeted computers of senior government officials in an effort to gain access to government data and systems. These aren’t the first and won’t be the last assaults on western computer networks, which is why Canada and its closest allies need to get serious about protecting their shared swath of cyberspace.

The good news is that military, government, and industry leaders in allied countries are already at work applying the principles of collective defence to cyberspace. The bad news is that the bad guys have already fired the first salvos in this newest theatre of operations.

Some argue that attacks in cyberspace aren’t a threat to real-world security. They’re wrong. Just consider the worrisome words of the head of the UN agency on information technology, who fears that “the next world war could happen in cyberspace,” or ask our friends in Estonia and Georgia.

In 2007, Estonia weathered what some call “Web War I,” when Russian nationalists unleashed a withering volley of “distributed denial of service” attacks. These attacks crashed networks across the country, including those supporting government agencies, media outlets, the mobile-phone system, and the country’s largest bank.

A year later, Russian cyber-militiamen launched a digital invasion ahead of the Russian military’s ground invasion of Georgia, crippling government networks and hijacking servers.

If the Russia-based cyber attacks on Estonia and Georgia were intended to intimidate and confuse, the Chinese attacks were aimed at stealing and probing.

According to the German government, which was victimized by massive cyber attacks in 2007 and 2008, “the People’s Republic of China is intensively gathering political, military, corporate-strategic, and scientific information in order to bridge their technological gaps as quickly as possible.” One German official even used the phrase “Chinese cyber war” in describing the attacks, and understandably so:

• In 2007, the Pentagon was forced to disable computer systems serving the Office of the Secretary of Defence after it was discovered that the Chinese military had hacked into the system.
• The U.S.-China Economic and Security Review Commission reports that Chinese hackers have: planted computer components with codes that could be activated to steal or destroy data; penetrated computer systems at U.S. defence firms, the White House, the State Department, and NASA; and attacked government ministries in Canada, the U.K., Europe, Japan, India, Taiwan, South Korea, Australia, and dozens of other countries.
• The British government expressed worries in 2009 that utilities-network upgrades carried out by a Chinese telecom firm may have given Beijing the ability to shut down essential services, including power and water supplies. Similarly, the Wall Street Journal has reported on “pervasive” penetration of the U.S. electrical grid, whereby malicious software and sleeper switches have been implanted to allow China or Russia to disrupt service at a time of their choosing. We don’t have to imagine the impact a massive power-grid failure would have. Consider the chaos that followed the East Coast blackout in 2003: New York, Detroit, Ottawa, and Toronto went dark; nine nuclear reactors were knocked offline; six major airports were shut down; hospitals and prisons lost power; cellular towers failed – and none of this was the result of a malicious attack.
• NATO reports that all of its member states have weathered cyber attacks of some kind. That list included Canada long before this year’s cyber attacks by China. In 2005, Canada’s Communications Security Establishment, which provides signals intelligence and protects information infrastructure, reported “sophisticated intrusions” into government computer systems.

Chinese officials claim they oppose “any crime, including hacking, that destroys the Internet.” Yet Beijing tacitly encourages hundreds of quasi-independent hacker teams, and even trains some at Chinese military bases. In fact, the Pentagon concluded in 2007 that the Chinese military had “established information warfare units to develop viruses to attack enemy computer systems and networks.”

The Washington Post recently reported that to prevent cyber skirmishes from triggering real-world conflicts, several nations are calling on the UN to “create norms of accepted behavior in cyberspace [and] exchange information on national legislation and cyber-security strategies.” But given that two of the countries calling for cyber cooperation are Russia and China – and that both are guilty of some of the most egregious cyber assaults to date – it’s unlikely that much will come from the UN’s plan for cyber peace in our time.

A more likely way of achieving peace and security in cyberspace is to have the assets, doctrine, and resolve to deter cyber attacks and, if necessary, to answer them in kind. As Gen. James Cartwright, vice-chairman of the U.S. Joint Chiefs of Staff, has argued, it’s time to “apply the principles of warfare to the cyber domain.”

Toward that end, NATO’s new Strategic Concept – the first reworking of the alliance’s mission statement since 1999 – calls on the allies to enhance their capacity to “defend against and recover from cyber attacks.” After “Web War I” in Estonia, NATO formed a centre to help member states “defy and successfully counter” computer-network attacks.

Indeed, history offers lessons that can be applied to the digital realm. Gen. Keith Alexander, who heads the Pentagon’s new Cyber Command, likens “freedom of action in cyberspace in the 21st century” to “freedom of the seas … in the 19th century and access to air and space in the 20th century.” As Adam Smith noted long before there was such a thing as cyberspace, “the first duty of the sovereign” is to protect society from “violence and invasion.” It makes no difference whether the launching pad for violence, invasion, or threat is land, sea, sky, space, or cyberspace. None of these diminish the danger, or the sovereign’s duty to confront it.

Of course, cyber defence is not solely the responsibility of the military. Businesses and civilian agencies play a key role in detecting, preventing, and preparing for cyber attacks. Canada and the U.S., for example, have implemented at least three massive cyber-defence exercises under the code name “Cyber Storm.” The most recent of these exercises, held in 2010, involved 60 private-sector firms and 13 partner countries.

Canada needs to do its part in defending against today’s cyber threat, just as it defended against the Soviet threat during the Cold War. The new Cyber Security Strategy is a start, but it’s probably not enough for a nation as reliant on cyberspace as Canada. Consider that the contingency plan for continuity of operations after the recent attacks was, apparently, to direct thousands of government employees to use home internet connections or “wireless internet connections at nearby cafés,” as the New York Times reports.

The $90 million pledged to protect Canada’s swath of cyberspace is paltry relative to what other nations are investing in cyber defence. The U.S., by way of comparison, has committed some $30 billion to its Comprehensive National Cybersecurity Initiative. Britain has dedicated more than $1 billion to a similar enterprise, and Germany is setting up a National Cyber Defence Centre this year.

These are prudent steps. After “Web War I,” Ene Ergma, the speaker of the Estonian parliament, observed that “cyber war doesn’t make you bleed. But it can destroy everything.”