230 likes | 246 Vues
This lecture discusses the perception of cyberwar in US security policy, the underlying assumptions, real threats, incidents, vulnerabilities, military answer, central coordination, best practices, cyber security policy, U.S. influence on cyber-threat, and the need for cyber arms control. Presented by Ralf Bendrath, a visiting scholar at George Washington University.
E N D
CyberwarFiction, Facts, and the Future of Arms ControlRalf Bendrath, BerlinFoG:ISForschungsgruppe Research Group on the Informationsgesellschaft und Information Society and Sicherheitspolitik Security PolicyVisiting Scholar LectureGeorge Washington UniversityThe Elliott School of International AffairsCenter for International Science and Technology Policy (CISTP)Security Policy Studies Program (SPS)26 March 2001
Cyberwar in political perception • „one of the central challenges for security policy in the future“(Senator John McCain in primaries 1999) • „There will be an electronic attack sometime in our future”(John Hamre, Deputy Secretary of Defense 1996) • „Cyberspace ain´t for geeks, it´s for warriors“(John Hamre, Deputy Secretary of Defense 1999) • „electronic Pearl Harbor“(popular meme since 1991) • „This is a classic deterrence mission”(Condoleezza Rice last week)
Cyberwar in US Security Policy • Part of counterterrorism policy PDD-63, May 1998 • Seen as “emerging threat”Congress • Included in military strategy planningJV 2010 & 2020, QDR 2001 • “Homeland defense”CSIS, Hart-Rudman Commission • a task for military strategy?
Underlying Assumptions • real threat • foreign nations or terrorist groups • have capabilities • with intentions to use • vulnerability of US systems • can be answered militarily • can be coordinated centrally • threat independent of US policy
It could be just junk mail, Colonel, or the beginning of a major enemy attack...
Real Threat? • foreign nations • Russia: media management • China: “People’s Information War” • India/Pakistan: just began • Germany: working on it, mainly defense • France: economic espionage • Cuba: ridiculous • terrorist groups • prefer bombs • bin Laden uses encryption - so what?
Incidents • Solar Sunrise • not Iraq, but US & Israeli teens • Kosovo War • website hacks, viruses, e-mails • Middle East • website hacks, DoS-attacks • China & Taiwan • private hackers, no govt. involved
Vulnerabilities? • no sound estimates or statistics • national security systems not connected to public networks • critical systems not connected to public networks • patches! • main damage from viruses
Military Answer? • deterrence is communication • unknown opponent • not a precise weapon • Posse Comitatus • law of armed conflict • political oversight?
Central Coordination? • private ownership of systems • technology decentralised • centralised structures too slow
Best Practice • local solutions and defenses • awareness & education • info-sharing • open source • computer scientists, not soldiers
Cyber Security Policy (Clinton) • law enforcement • coordination within government • cooperation with industry • education for IT security • awareness
U.S. Influence on Cyber-Threat • have done it • computer intrusions since 1980s • cyberwar waged 1991 & 1999 • part of military strategy • Joint Doctrine for Info-Operations • FM 100-6 (Info Operations) • specialised military units • infowar units (since 1994, expanding) • part of combat commands (2001)
U.S. influence on Cyber-Threat • mid-eighties: CIA and NSA hack into Soviet and other computers • late eighties: U.S. armed forces develop computer viruses and recruit hackers • 1991: US forces hack into Iraq‘s C2 systems • 1994: „School for Information Warfare and Strategy“, National Defense University • 1996: „Information Warfare“ makes way into „Joint Vision 2010“ • October 1998: Joint Pub. 3-13 „Joint Doctrine for Information Operations“, offensive use of hacking
U.S. influence on Cyber-Threat • Spring 1999: Computer Network Attacks on Serbia • May 2000: „Joint Vision 2020“, even bigger role for information warfare than in JV 2010 • October 2000: US Space Command assumes responsibility for Computer Network Attacks • February 2001: Air Intelligence Agency becomes part of Air Combat Command, goal: integrate computer network attacks into operational planning
The IT - Insecurity Cycle IT vulnerability usage of IT-security holes cyber warfare military and intelligence services
Dangers of U.S. Cyberwar Plans • export problems for U.S. computer industry • chilling effect on digital economy • U.S. as role model • cyber-arms race • Cyberspace less safe
Cyber Arms Control needed • to prevent cyber arms race • to secure digital economy politically possible • already proposed by other nations • computer industry would love it urgent • dynamic still slow - how long? U.S. policy critical • most advanced, role model
Weapons systems approach • quantitative • what to count? • manpower, computer power, network connections,...? • qualitative • what to prohibit? • hacking tools, planning tools, network mapping tools,...? • Verification almost impossible
Normative approach • Doctrines • offensive use of hacking? • Units • computer attack units? • Operations • network attacks part of wargames? • Verification difficult, but not impossible
Options for Action • political oversight • no first use • international convention on peaceful use of cyberspace • collaboration of security policy studies and computer science • see you in Berlin? Conference on Cyber Arms Control29 June - 1 July
If you have become curious... Dipl. Pol. Ralf Bendrath e-mail discussion list Infowar.de • http://userpage.fu-berlin.de/~bendrath FoG:IS Forschungsgruppe Informationsgesellschaft und Sicherheitspolitik • http://www.fogis.de Telepolis Dossier „Infowar“ • http://www.heise.de/tp/english/special/info Federation of American Scientists • http://www.fas.org/irp/wwwinfo.html