Espionage, the process of illegally obtaining secret information (as defined by Encyclopedia Britannica), is a tool used by national leaders, sub-state entities, international corporations and other actors in the global sphere to make better-informed decisions.
The creation and development of cyberspace as a new public space has favored the emergence of new forms of relationship between citizens, states, private entities, etc., including some illegal activities such as black hat hacking, cyber espionage and cyber terrorism.
Cyber security and cyber defense are two areas which are becoming priorities in governments’ defense agendas, mainly due to the rise of cyber espionage and the mentioned internet-based threats. As Enrique Fojón explains in his article on the Elcano Royal Institute’s blog, Obama “brought cyberspace defense and its security to the forefront of the international political agenda during his 2015 State of the Union Address.” The relevant role of cyber security in the political agenda, Fojón says, is due mainly to two events, the cyberattack against Sony Pictures Entertainment and the terrorist attacks in Paris.
In order to classify cybercrimes, a UN Cybercrime Study (2013) compiles the views of Member States and private sector organizations regarding the most significant cybercrime threats. Based on these views, a possible list of cyber threats would be (the first figure refers to Member States’ views and the second to the private sector’s views):
- Computer‐related acts causing personal harm or related to harm to children (28% – 6%)
- Computer‐related identity offences (5% – 2%)
- Breach of privacy or data protection measures (2% – 18%)
- Computer‐related acts in support of terrorism offences (5% – 0%)
- Computer‐related fraud and forgery (24% – 8%)
- Sending or controlling the sending of SPAM (2% – 6%)
- Computer‐related copyright and trademark offences (3% – 8%)
- Production, distribution or possession of computer misuse tools (2% – 0%)
- Illegal access, interception or acquisition of computer data (13% – 23%)
- Illegal access to a computer system (9% – 19%)
- Illegal data interference or system damage (7% – 10%)
One sign of the relevance of cyber security in the field of International Relations is the fact that cyber security has been a priority in Sino-American relations since Xi took office in 2013. Both the United States and China know how issues like cyber espionage could harm the two largest economies in the world. As Jordan Robertson of Bloomberg News analyzes, “there is a significant escalation in the importance of cyber security in international diplomacy” and “hacking attacks are really the modern way of committing espionage.”
There is an important caveat in the analysis of data regarding cybercrime and cyber espionage: it is difficult to obtain a comprehensive data set. For this reason, different sources and websites have been analyzed in order to get a general and up-to-date view of the current state of cyber espionage. As The Economist explains, estimates of how many businesses suffer from cybercrime or how much it costs them are of little accuracy. Data are collected not only by governments and businesses, but also by researchers and experts such as Paolo Passeri, author of Hackmageddon, a reference blog in the field, where he gathers information and data on cyberattacks.
Reports usually sit halfway between corporate and public diplomacy and point to different data and actors involved in cyberattacks depending on the country of origin of the report. For example, Verizon remarks that 96% of state-backed cyber-spying is traced to China. Kaspersky indicates that Russia is the most attacked country in the world and claims that “44% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Germany.” Reciprocal accusations of cyber espionage have also been present in the media, showing the tension between the USA and China.
What is cyber espionage?
Techopedia describes cyber espionage (cyberspying) as “a form of cybercrime in which hackers target computer networks in order to gain access to classified or other information that may be profitable or advantageous for the hacker.”
According to the Financial Times Lexicon, cyber espionage “describes the stealing of secrets stored in digital formats or on computers and IT networks.”
For Mark Russinovich (who differentiates between cyber espionage, cyberattack and cyber warfare), cyber espionage implies “information gathering or theft of intellectual property”, while a cyberattack “undermines function of computer network” and has a “political or national security purpose”; cyber warfare involves only state actors, also “undermines function of computer network”, has a “political or national security purpose” and is the “equivalent of armed attack or is in context of armed conflict.”
History of cyber espionage and main cybercrimes
The following is an overview of the history of cyber espionage, including some of the cybercrimes that are milestones in the cyberattacks timeline. The information is based on the conference talk “Trojan Horse: The Widespread Use of International Cyber-Espionage as a Weapon” (RSA Conference 2013) by Mark Russinovich, “A Brief History of Cybercrime” by TIME magazine, “A Brief History of Cybercrime” by Wavefront Consulting Group, CIBER ELCANO by the Elcano Royal Institute and THIBER, and Hackmageddon.
1982: Siberian Pipeline Sabotage.
1983: “War Games”, the movie.
1984: 1st PC virus, the Pakistani “Brain”.
1986: “The Cuckoo’s Egg” by Clifford Stoll (at the Lawrence Berkeley National Laboratory) is the 1st documented case of cyber espionage (Markus Hess and others in West Germany were arrested).
1988: “Morris Worm” created by Robert Morris: more than 6,000 computers damaged and losses of US$ 98 million.
1991: Kevin Poulsen (“Dark Dante”) is captured for selling military secrets.
1992: 1st polymorphic virus, “Dark Avenger”.
1997: “Eligible Receiver” operation, 1st US cyberwarfare exercise: Joint Task Force Computer Defense.
1998: “Moonlight Maze”: cyber penetration of the Pentagon, NASA and the US Dept. of Energy. Russian involvement.
2003: Anonymous is born on a website forum called “4chan”.
2003-2005: “Titan Rain”: Shawn Carpenter discovers breach and data exfiltration. FBI and Army investigate, traced to China and classified.
2005-2010: “Stuxnet”: 1st known cyber-kinetic attack, US on Iranian nuclear enrichment.
2006: WikiLeaks is launched: international journalistic organization which releases secret and confidential information from anonymous sources.
2006-2011: “Shady RAT”: penetration of 72 companies and government institutions.
2007: Estonia: Nashi’s DDoS attack on the Estonian government.
2008: South Ossetia War: Alania TV hacked and DDoS on Georgian and Azerbaijani web sites. Russian GRU and FSB connected.
2008: Obama’s and McCain’s campaigns attacked, presumably by China.
200?-2009: “GhostNet”: penetration of political, economic and media targets in 103 countries.
2009-2012: “Flame”: complex, multi-component cyber espionage malware aimed at Iran.
2009-2012: “Gauss”: similar to “Stuxnet”, focused on cyber espionage.
2009-2010: “Operation Aurora”: penetration aimed at modifying the source code of Google, Adobe and others.
2009-2011: “Night Dragon”: Exfiltration of energy company information.
2011: “LulzSec” is founded.
2011-2015: The “Dragonfly” gang, believed to be a state-sponsored group of hackers, targets strategic industries: energy grid operators, major electricity generation firms, petroleum pipeline operators, energy industry equipment providers, etc.
2012: Penetration of media covering a corrupt communist party leader: NY Times, Wall Street Journal, Washington Post.
2012: “Shamoon”, 1st “mass wipe” cyberattack, 30,000 Saudi Aramco desktops, believed to be from Iran.
2013: “TeamSpy” (a decade-long cyberspying operation through TeamViewer, with high-profile targets throughout Eastern European nations and the Commonwealth of Independent States, CIS), “MiniDuke” (advanced exploits in Adobe Reader to collect geopolitical intelligence from high-profile targets, governments and institutions worldwide), “Red October” (advanced cyber espionage network targeting diplomatic and government agencies), “NetTraveler” (international, mostly Chinese cyber spy network targeting government institutions, embassies, scientific research centers, military complexes and petroleum companies), “Icefog” (cyber espionage campaign focusing on supply chain attacks on Western companies through targets in South Korea and Japan), “Kimsuky” (cyber-espionage campaign targeting South Korean think-tanks). June 2013: Edward Snowden’s disclosures about the global surveillance program undertaken by the NSA, starting in The Guardian.
2014: “CosmicDuke” (targeting diplomatic organizations, the energy sector, telecom operators, military contractors and individuals involved in the trafficking and sale of illegal and controlled substances), “Epic Turla” (massive cyber espionage operation targeting government institutions, embassies, military, education, research and pharmaceutical companies in 45 countries), “The Mask” (Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims with a complex toolkit), “Crouching Yeti” (ongoing spying campaign with more than 2,800 highly valuable targets worldwide), “Energetic Bear” (infiltrated the computers and systems of more than 1,000 organizations in the global energy sector, gaining access to sensitive data and the power to disrupt energy supplies). Sony Pictures Entertainment hack incident.
2015: The Charlie Hebdo terror attacks are followed by around 19,000 cyberattacks on French technological infrastructure undertaken by pro-Islamist hackers. Anonymous launches a campaign against Daesh and jihadist sites. Some of US CENTCOM’s social media accounts are also targeted. Russian intrusion inside the White House. “APT30”, a state-sponsored campaign to obtain data from South-East Asian assets (states, companies, journalists, etc.) for China.
Some key figures in cyber espionage
The following data have been selected because they give a general view of cyber espionage and its current impact in international relations.
According to Verizon, cyber espionage accounts for 22% of data breaches, with 87% of electronic spying conducted by governments, 11% by organized crime, 1% by competitors and the remaining 1% by former employees.
In a report measuring the economic impact of cybercrime, McAfee shows cybercrime as a percentage of GDP, ranging from 0.01% for Kenya as the lowest to 1.60% for Germany as the highest:
- Australia 0.08%
- Brazil 0.32%
- Canada 0.17%
- China 0.63%
- European Union 0.41%
- France 0.11%
- Germany 1.60%
- India 0.21%
- Japan 0.02%
- Mexico 0.17%
- Russia 0.10%
- Saudi Arabia 0.17%
- Turkey 0.07%
- United Kingdom 0.16%
- United States 0.64%
- Colombia 0.14%
- Ireland 0.20%
- Italy 0.04%
- Kenya 0.01%
- Malaysia 0.18%
- Netherlands 1.50%
- New Zealand 0.09%
- Nigeria 0.08%
- Norway 0.64%
- Singapore 0.41%
- South Africa 0.14%
- United Arab Emirates 0.11%
- Vietnam 0.13%
- Zambia 0.19%
EMC2 and RSA FirstWatch released a blueprint on cyber espionage in 2013 in which they study the commonalities in targeted malware campaigns. They list the main top-level domains used by cyber espionage malware: .com 48%, .org 18%, .net 17%, .biz 6%, .info 5%, .eu 1%, .kr 1% and other 4%. They also study the location of cyber espionage malware IP addresses: US 54%, Korea 17%, Taiwan 12%, China 9% and Hong Kong 8%. These data are useful for a global picture, but even the authors acknowledge that an IP address may be located in a different country than the attacker, so the figures show which countries host the most infrastructure used in cyber spying rather than who is behind it.
Problems to combat cybercrime and cyber espionage
Source and anonymity
One of the problems states face in combating cyber espionage is the difficulty of identifying the source of cyberattacks. Access, communication and action through the Internet are cheap, simple and effective, as mentioned by expert Diana Barrantes in her post “¿Cuál es el alcance del ciberterrorismo?” (What’s the scope of cyberterrorism?). The massive reach of any action through the Internet is another major problem.
Another problem pointed out by Diana Barrantes is anonymity on the Internet, which is a significant advantage for committing such crimes.
Security and privacy trade-off
The debate about how to combat cybercrime and cyber espionage is now centered on the trade-off between security and privacy. In fact, encryption, which is one of the main strategies for preventing unauthorized intrusions into third-party systems, encounters opposition from some governments because it interferes with their surveillance programs.
New America recalls in its article how David Cameron “threatened to ‘ban encryption’ in the UK” because “there should be no ‘means of communication’ which ‘we cannot read’.” This has been analyzed in the post-Snowden era, in a debate regarding “the access to strong encryption technologies which government investigators cannot break.”
In this scenario, David Kaye, the UN Special Rapporteur on the protection and promotion of the right to freedom of opinion and expression, declared that his 2015 report to the Human Rights Council would cover the use of encryption and anonymity in digital communications. “States, corporations, and civil society organizations” were called on to collaborate in the report. The Open Technology Institute (OTI) uses the experience of the Crypto Wars of the 1990s to explain why encryption causes more benefit than harm. They outline four reasons why strong encryption is positive:
- Strong encryption is good for Internet security.
- Strong encryption protects individual privacy.
- Strong encryption supports freedom of expression.
- Strong encryption promotes growth of the information economy.
From the legal perspective, cyber espionage and in general any type of cybercrime “entail important procedural and jurisdictional issues”, in a context in which law enforcement is not adapted to these crimes because of their newness and skill-intensive nature. In fact, many countries do not have laws for prosecuting cybercrimes, according to Nir Kshetri.
From an economic point of view, it is also clear that for the cybercriminal the benefit outweighs the cost. Nir Kshetri provides a theoretical framework in his book “The Global Cybercrime Industry: Economic, Institutional and Strategic Perspectives”. Many sources explain how cybercrime is growing due to economic incentives within the IT industry, the globalization of markets and inadequate law. A representative case is that of students in Russia and Eastern Europe who are good at mathematics and computing and cannot easily find jobs because their countries’ economies are too small to absorb the computer talent, says Kshetri. Organized crime groups pay top graduates up to 10 times as much as legitimate IT jobs.
Strategies to combat cyber threats and cyber espionage
Development of cyber intelligence
Strong cyber intelligence, developed through a cyber policy and operating via cyber strategies, is the foundation of cyber defense. As contained in the U.S. Army publication “JP 2-0, Joint Intelligence” and explained by Adolfo Hernández, deputy director of THIBER and Institutional Relations at (ISC)², in his article “Ciberinteligencia: it’s all about the information” (Cyber intelligence: It’s All About Information), intelligence is “the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.” Hernández explains that cyber intelligence seeks to obtain the information needed to “anticipate incidents, identify threats and safeguards, vulnerabilities (…) and malicious activity indicators, enabling a proactive security approach.”
Collaboration between public and private entities
According to MIT in the report “Spies, Technology and Business”, “we’re living in a very interesting time, where companies are becoming unwilling pawns in cyber warfare” and “nobody can say where the responsibilities of a company may end and those of a nation might begin.” For this reason, collaboration between public and private entities is vital to effectively combat cyber espionage.
New businesses and devices
As MIT notes, due to the lack of trust arising from cases such as the Snowden affair or Huawei (whose devices are alleged to be a Trojan horse for China’s intelligence services), consumers and companies are changing their consumption patterns, and security may become one of the main criteria for choosing between brands and services. New businesses are also emerging: the secure server farms in Switzerland (Deltalis, for example), a country which is becoming “a hub for advanced security technology”, or ESD America’s cryptophones are just a couple of examples.
Legitimate channels for technology transfer: protecting innovation
In terms of economic impact, cyber espionage remains highly topical as new Chinese cyber security regulations imposed on foreign technology companies attract media attention. Obama urged that they be changed if China is “to do business with the United States.” Obama’s next step was an executive order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”, which commentators such as The Diplomat have described as a way to ensure that technology transfer from the US to China follows legitimate channels while controlling “the behavior of US firms operating in the PRC” through possible sanctions by the Chinese government.
Defense and cyber forces
Regarding defense, countries are increasingly militarizing cyberspace. According to Chatham House’s paper “Challenges at the Intersection of Cyber Security and Space Security: Country and International Institution Perspectives” by Caroline Baylon, this “escalatory cycle” is due to the militarization of a small number of states. An effective approach to meeting this challenge is training highly skilled specialists to combat cybercrime and cyber espionage. Modern warfare requires creative professionals “tasked with fighting wars using unconventional methods”, as in the “Twitter troops” formed by the British Army, the 77th Brigade. The Computer Emergency Response Teams (CERT) and the Cyber Mission Force (CMF) are examples in the US; the NCIA (NATO Communications and Information Agency) coordinates cyber defense activities within NATO and with member countries, and the EU also has its own CERT (Computer Emergency Response Team) to protect EU institutions, bodies and agencies.
National and international cyber strategies
On the subject of law, countries should develop national cyber strategies within national policies, with clear objectives and engaging the main actors in the national cyber sphere. This should be the basis for the creation of international frameworks for cooperation. As clearly explained by Caroline Baylon in the aforementioned Chatham House paper, this will only be possible if there are “internationally agreed definitions of key terminology in the cyberspace, in order to establish enduring treaties, enable international cooperation and determine what constitutes an act of cyber warfare.” This is particularly necessary due to increased offensive activities “under the justification of ‘defensive’ activities.”
In April 2015 the US Secretary of Defense released the new cyber security strategy, “The DoD Cyber Strategy”, focused on information sharing and interagency coordination, building bridges to the private sector, and alliances, coalitions and partnerships abroad. It includes 3 missions: the DoD will defend its own networks, systems and information, defend the US against cyberattacks, and support military operations if directed by the President or the Secretary of Defense. These 3 missions are backed by 5 strategic goals: build and maintain forces and capabilities for cyber operations, defend the DoD, defend the US homeland and interests, use cyber options in conflicts, and build international alliances to prevent threats and increase international security. Especially noteworthy is the fact that the Pentagon considers neither NATO nor the EU as strategic partners in cyber defense. For the United States, only Canada, the UK, Australia, New Zealand, its allies in the Middle East and Asia-Pacific, or some key actors in NATO are relevant, as Enrique Fojón and Guillem Colom point out in their article “La ciberguerra de Obama” (Obama’s cyberwar).
The EU has approved a new European Agenda on Security which prioritizes terrorism, organized crime and cybercrime, 3 areas which are interconnected and where the EU could have a relevant role. The adoption of the proposal for a Directive on network and information security is the first step proposed in the strategy. Other key points are the cooperation with the private sector, continuing with the work at Europol’s European Cybercrime Centre and, in general, strengthening cooperation among Member States and the different European bodies.
Follow the lead of cyber pioneers
Another example to follow is Estonia, a country which hosts the NATO Cooperative Cyber Defence Centre of Excellence. The CCDCOE was proposed before the attacks of 2007 and pursued more intensively after them. Estonia is considered a cyber pioneer: it has a 150-member Cyber Defense League, which would deploy under the National Defense League (a volunteer force created to safeguard the country).
There is another aspect to be considered in the fight against cyber espionage and cybercrime: the cyber security workforce gap. As stressed in Infosecurity Magazine, “according to US Department of Homeland Security (DHS), by 2020 there will be 1.2 million positions in cyber security—and only 400,000 graduates to fill them.” Cyberattacks are increasing, and the American government is promoting cyber security careers among millennials, not only through four-year degrees but also through K-12 programs. Another line of prevention should focus on increasing people’s awareness of Internet vulnerabilities and the need to be informed and protected.
In line with this idea, the DoD cyber strategy places emphasis on building a cyber workforce “through enhanced training; improved military and civilian recruitment and retention; and stronger private sector support.”
A concept to be considered by organizations, be they public or private, is cyber resilience. Brian Honan makes the case for business in Security Intelligence, but it is applicable to any institution: organizations should understand “the impact of a potential cyberattack and the steps required to prevent, survive and recover from such an attack.” He speaks of moving from a technical approach to strategic management, keeping the most valuable assets at the core of the security infrastructure. Cyber resilience also requires risk assessment exercises, security policies and an incident response plan.
In short, the cyber world constitutes a new sphere and implies a new type of relationship in international relations; it is growing rapidly and is increasingly sophisticated. Cyber security and cyber espionage in international relations constitute a new paradigm at a global level. Developing national and supranational cyber security strategies and strengthening international cyber cooperation should be among the priorities in the states’ agendas in order to protect their citizens and accomplish progress through ICT.
What else did I read for this blog post?