CEE, DemocraCE
The Postmodern Gauntlet

Outdated ideology weakens security in cyberspace

Botond Feledy
5 lipca 2018

The changing nature of war is transforming our everyday life, even during more peaceful moments. The arrival of air raids at the beginning of the 20th century – and later on when they were extended against civilian populations – drove the modern civil defence mechanisms and led to the construction of mass air-raid shelters, such as the repurposing of entire subway networks as mass bunkers.

To understand the impact this transformation has had on us requires coming to terms with two common trends. First, civilian populations have become increasingly exposed to military threats far behind the frontlines: hostile actors can now reach deeper and deeper into the hinterland, bypassing conventional military defences.

The second feature is that policy makers accepted that administrations of modern nations must be in charge of these unconventional threats and safeguard their populations against attacks. They did not support the masquerade that these weapons and tactics wouldn’t be used against the populace, so they taught and made basic chemical protection available to the public. These countries were trying to prevent conflict and were indisputably in charge of organising everyday life during times of war.

A new battlefront

These two trends have emerged once again in the challenge of cyber security. Today, it is clear that cyber warfare is within the domain of general warfare (NATO formally made this decision during the 2016 Warsaw summit). The dilemma over cyberwar is a modern incarnation of the classical impasse over hybrid warfare: there is no formal declaration of war, hence traditional state mechanisms are not put in motion.

In the past, it was accepted that the governments may oversee territories in wartime where normally it has nothing to do with or is strictly prohibited from. Now, there is no formal declaration of war, but we are suffering constant threats and damage – theft of intellectual property, identity theft, disinformation, sabotage, etc. The level of their impact could perhaps soon approach the cost of former armed conflicts.

This is possible because attacks in cyberspace are similar to air raids from the sky: they can hit almost anything.

  • In traditional warfare, the entire government may come under attack, but they must be directed and usually focus on specific areas. However, the scope of cyber targets is exceptionally broad and keeps widening. From the sabotage of government infrastructures (DDoS attacks on Estonians) or the simple interception of communication (Obama’s e-agenda hacked by Russians) and through to public service threats (attacks on a Kiev transistor station) or the leakage of state secrets (DNC materials on Wikileaks), all of these have strategic, deceptive goals and are difficult to defend against.
  • The corporate sector is also vulnerable. Oft-noted examples include the violation of databases and the theft of intellectual property (where a preventive Sino-US Convention was already put in effect in 2015) as well as specific attacks on industrial facilities (the melting of a German steel mill). The susceptibility of some sectors inherently poses a greater risk to the general public. The final knock-out could simply come from an inaccessibility to critical financial infrastructure, accompanied by the subsequent social upheaval that can easily lead to physical violence within 24 hours if the state does not intervene. In the energy market, the loss of electric power can lead to loss of human life and end with unpredictable social reactions. Though one should be able to survive a breakdown of telecommunications and the internet, in the meantime countless services will suffer financial damages.
  • Finally, citizens have become personally exposed to cybercrime. According to US Federal Communications Commission figures, personal identity theft may affect 9 million people a year; private security companies have estimates close to double this figure. The ransomware programs can ruin our family photos and private correspondence; malicious crypto mining codes burn our devices’ processors. Or remember the psychographic micro-targeting campaigns on social media now associated with Cambridge Analytica; or the infamous VPNfilter malware, present in thousands of civilian routers.

But even indirectly it is pretty easy to feel a cyber threat. Consider an increase in airport lockdowns or worse, a suspension of air traffic entirely; due to the subsequent logistics failures, there would be a lack in food supplies or we might simply be unable to make an online bank transfer.

Then, the paper-thin veneer of civilization – as Tom Lantos used to put it – may get ripped apart very quickly, similar to what happened during the aftermath of Hurricane Katrina in New Orleans or the London riots of 2011.

Democracy is embedded in cyberspace

There is one more corner of cyberspace where the majority of society is exposed: social media and the online information space. Society is affected as a whole whether it is financially motivated (when Macedonian children push American voters to click on certain news items to generate advertising revenue) or it might well be disinformation with political objectives (false accounts or fabricated stories filled with erroneous facts {e.g., “news” about the Russian-Ukrainian conflict or migration crisis}).

It is no coincidence that the Chinese cyber authority took considerable pains to ban the British cartoon Peppa Pig, saying that the childish character promoted gangster behaviour. Basically, anything might turn out to be a national security risk in the information space where citizens can be fed alternative or artificial narratives.

From a European perspective, social media and information space is largely confined to a few global monopolies, the so called GAFA: Google, Amazon, Facebook and Apple. Even the US government itself is having a hard time getting a grasp on the situation in order to propose regulation of any sort on these companies and their activity.

In some ways, democracy provides an organisational principle for the exercise of power. It is a form of government to avoid anarchy. Of course, the other governmental models are also influenced by the features of cyberspace, not just democracies. It is no accident that Beijing, Moscow and Tehran are using their authority in the cyber realm to take care of domestic issues as well.

As far as democracies are concerned, we often fall in the silo-mentality trap. This means that our administrations are trained in separating vertically the problems and finding solutions for them individually, without sharing their information with other departments. At the end of the day, cyber threats are not equal to fake news or to some hackers gaining control over public transportation ticket distributors. Things will be frightening once we take this threat horizontally, seeing how they can affect, for instance, the functioning of democratic institutions. Fair elections, respect of private information, party democracy are all necessary and constitutive parts of the democratic process, and they are all being threatened.

  • Elections themselves should remain untampered: the citizens of the given country should make their decisions. Recently, Mitt Romney’s campaign boss launched a large-scale global campaign in this area. Paradoxically, the V4 public opinion is rather sceptical: in a recent survey by the Globsec Institute in Bratislava, the majority of the Visegrad population believes that no Russian influence took place at the US presidential election in 2016 and even less think that there would have been foreign influence in the recent European elections. Meanwhile, not only the US Congress has invited Mark Zuckerberg to testify, but the European Parliament also heard him.
  • Recently, leaks of state secrets/confidential information are simply pouring out: allegedly, Chinese linked hacker groups have downloaded the complete database of millions of US government officials, including their personal health data. In the Snowden case, US offensive cyber capabilities were stolen and released to NATO’s rivals, Russia and China, but cybercriminals are also making excellent use of it as well. So too, the Central-European government officials’ inboxes are quietly being copied from time to time by Russian-affiliated hacker groups like Fancy Bear. This type of intervention has become much cheaper and more efficient, resulting in a serious informational and political asymmetry. Now, a small and relatively under-resourced state is capable of causing considerable damage to those rich countries with superior conventional military capabilities.
  • The DNC hack – when the party chair quit over allegations that Clinton was supported against Sanders inside the party – has shown how easy it is to influence decision-making within a party: John Podesta, Hillary Clinton’s campaign boss and his hacked emails were enough to seed mistrust with strategic timing. Meanwhile, the democratic internal organization of parties is a must for enduring democracies.
  • Finally, without detailing the foreign-sponsored Facebook campaign during the US elections, it is by now apparent that checks and balances also need to be tightly guarded in cyberspace (and sometimes against cyberspace).

Difficulties in acting

The million-dollar question of our era is born out of these above described circumstances: the state is now facing a peculiar challenge, how to control the quasi-war in cyberspace in peacetime without the tools and resources that previous open war declarations enabled? In other words, is it possible to protect the citizenry and minimize the damage and risks without entering into a real war or deconstructing democratic rights and institutions?

Taking a look at recent cyberspace challenges, one aspect has come to the forefront: democracies have a tough time trying to control the already waging cyber war with the legal tools at hand.

This problem can be outlined by the following set of dilemmas. Should we have mass surveillance, and if so, can they capture the metadata or content itself? What can the government have access to without a court order? Can we legally intercept the citizens of another country? Can we engage market actors to actively participate in the state defence duties (Apple breaking a phone’s encryption at the FBI’s request)? Does Facebook have to publish transparently the political ads paid by Russians or not? How far can we fly with a drone? How can we control AI since we can hardly track the deep learning of machines? How can we regulate autonomous machines capable of targeted killings?

No postponing

While each lost day in counterbalancing cyber threats does count, the process is painstakingly slow as is the case with most international horizontal policies, such as climate change. Even in developed countries, members of the elite are not entirely aware of the emerging threat. The Slovak Secret Service, the SIS, released its annual review recently where it specified how little public investment was secured to protect cyberspace.

The director of the UK National Cyber Security Centre (NCSC) spoke extensively in January about alleged and prevented cyberattacks. His most important remark was that it was not the question of whether there would be a full-scale cyber attack on the British network but when. Over the past year, more than seven hundred C3-level medium attack and dozens of C2-level attacks were perpetrated. Other countries in Europe have already fallen victim of the most dangerous C1-level attacks, just like the infamous case of bringing down the networks of the French television station TV5.

Cyber security is therefore a new and urgent need of democratic social order and power management. Any crack might have an impact on the entire democratic structure due to the increasing interdependence of our systems. We need a healthy new vision of European internet sovereignty, proportionate resources to support it and for decision-makers to have realistic understandings of these threats; all of this is required to truly enable the protection of 21st century democratic societies.

This article is part of the #DemocraCE project organised by Visegrad/Insight. It was originally published in Hungarian in Index and can be found here.

Botond Feledy is foreign policy expert and analyst.