by Jared Brow
Cybersecurity is a vague blanket term that encompasses a variety of security threats, mainly due to the fact that cyberspace itself is borderless. Cyberspace is not a traditional, physically restricted space; rather, as defined by the US Department of Defense, it is “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[i] Within this broad infrastructure, cyberspace can be deconstructed into four sub-infrastructures. The physical infrastructure involves the machines that create the lines of communication as the basis of cyberspace. Code is the next level of infrastructure that refers to the software that operates the flow of communication traffic. Regulatory infrastructure references the norms, rules, laws, and principles that govern cyberspace. Finally, ideas constitute the outermost level of infrastructure and are the videos, images, sounds, and texts that circulate through cyberspace.[ii]
This cyber realm is a vast and largely unexplored frontier; interactions between the various levels of its infrastructure are still being studied and its capabilities are still being defined. Recently, cyberwarfare, after air, land, sea, and space, was named the fifth domain of warfare and “refers to any action by a nation-state to penetrate another nation’s computer networks for the purpose of causing some sort of damage.”[iii] Information breaches are a threat to international security and reflect the changing security environment today. Attackers hiding behind computer screens are not easily identified, are no longer necessarily tied to specific states, and are not restricted by borders. To successfully combat these new and evolving threats, states must develop cybersecurity strategies capable of handling challenges indicative of this new security status quo.
Reflecting the Demand for Greater Cybersecurity
In 2007, Estonia, named the “most wired country in Europe,” suffered the first so-called cyberwar in history through a series of denial-of-service attacks.[iv] These attacks prevent users from accessing information networks by flooding servers with irrelevant information, making them unable to fulfill requests from actual users. Hackers resorted to blogs and Russian chat rooms to coordinate the attacks, which used more than one million botnets (private computers infected with malicious software linked together to spread viruses and target servers without the owner’s knowledge) from over fifty countries to attack Estonian servers. The botnets first targeted government websites, then online newspapers, and finally the banking system as well as prominent universities. When the government realized that the attacks were coming from outside the country, it blocked international traffic from visiting Estonian websites, essentially cutting Estonia off from the world. Hansabank, the largest Estonian bank, was forced to close all Internet operations. For a brief period, online banking services were unavailable, ATMs could not access Hansabank accounts, and Estonian debit cards did not function outside the country.
Estonia immediately blamed Russia for the attacks. Tensions between the nations had been escalating and Russia had publicly denounced Estonia’s decision to relocate the Bronze Soldier, a Soviet war memorial dedicated to their liberation of Estonia following WWII. However, for most Estonians, the statue was a reminder of foreign occupation in their country and the government decided to move the Soldier away from the city center. The relocation sparked violent riots among anti-Estonian Russian nationalists in the streets, and as the riots subsided, the cyberattacks intensified. Estonia even considered invoking Article 5, NATO’s collective defense agreement that comes into effect when one member considers itself under attack. Despite these tensions, Estonia, in conjunction with NATO, could find no evidence that Russia sponsored the attacks. Instead, evidence indicates that the assault was waged by independent experienced and novice hackers as a form of protest; since 2007, only one hacker has been arrested and convicted.
Regardless of Russian involvement, the cyberwarfare waged against Estonia was a paradigmatic case and a crucial turning point in international security that reinforced the necessity for increased cybersecurity policies. International dependence on cyberspace has increased exponentially in recent years. Financial markets, transportation services, and the energy grid all depend upon cyberspace to store information. Intelligence agencies and defense departments rely on cyberspace to manage international operations and analyze data, among many other things. And everyone, from governments and large organizations and corporations to small businesses and individuals, uses cyberspace for communication, information sharing, and data storing. Because of this dependence, business and government leaders agree that cybersecurity presents one of the greatest risks to socio-economic well being today.[v] The widespread use of cyberspace has made the system vulnerable to attacks, and because the cyber realm is so complex and constantly evolving, many of these vulnerabilities have not yet been exposed.
If the crisis in Estonia was a wakeup call to a general lack of cybersecurity preparedness within the international community, Chinese espionage today serves as a daily reminder of the serious challenges cyberthreats pose. SolarWorld, a German solar panel manufacturer with subsidiaries in the US, knew that Chinese competitors had introduced solar panel equipment into the American market at hugely discounted prices. After the company filed an unfair trade complaint with US officials, the Federal Bureau of Investigation approached it to let it know that Chinese competitors had hacked into the company’s servers and stolen production information and pricing strategies. However, SolarWorld is just one example of such spying practices, and in the U.S. alone, China is responsible for almost $300 billion per year of stolen intellectual property and business lost to American companies.[vi]
In February 2013, Mandiant, a US-based security firm, released a report exposing a secret Chinese cyber espionage unit comprised of more than 1,000 servers and with connections to state-owned enterprises, charging that they had stolen confidential data from more than 141 organizations in 20 important industries focused on collecting political, economic, and military intelligence in the United States and Europe and other countries that use English as their primary language. This cyberespionage unit has since been identified and nicknamed “Putter Panda,” and is part of the Chinese People’s Liberation Army’s 3rd Department 12th Bureau Unit 61486, which is headquartered in Shanghai and is responsible for the Chinese space surveillance network. It has been spying in various sectors in both Europe and the US for several years and has gathered intelligence including business plans, manufacturing technology, product development plans, as well as user IDs and passwords for executive officials with the ultimate goal of expanding China’s political and economic competitiveness globally.[vii]
Because of global interconnectedness through cyberspace, the number and types of cyber threats have expanded significantly. Cyberattacks can infiltrate and disable military networks and disrupt the private sector. Denial of service attacks, as seen in Estonia, can overwhelm and cripple information networks. Nobody has yet died from a cyberattack, and because of this, cybersecurity has often played a secondary role to issues of physical conflict that cause casualties. However, according to Jason Healey, the Director of the Cyber Statecraft Initiative at The Atlantic Council who spoke at the conference ‘Overhauling transatlantic security thinking’ sponsored by the Security and Defense Agenda, when cyberthreats advance beyond the cyberspace realm into the physical world, casualties will occur and cyberattacks will more closely resemble more traditional forms of warfare.[viii] With these current and future threats in mind, greater international coordination on cyber policies is crucial to maintain the stability of cyberspace and foster greater public trust in its safety.
Cybersecurity Strategy of the European Union
Until recently, the EU placed little emphasis on cybersecurity. As a result, and due to dwindling national defense budgets, the preparedness of member states varies substantially as not all have developed national cybersecurity strategies or have the operational capacity to adequately respond to cyberthreats. Because European cyberspace is integrated into all aspects of daily life and is a highly interconnected system, a single cyberattack against one member state can very easily spread to others. Thus, in 2013, the EU, under the guidance of High Representative Catherine Ashton and the European Commission, launched a cybersecurity strategy entitled “An Open, Safe and Secure Cyberspace,” the first European detailed policy document regarding cyber issues. It provides five explicit priorities for member states to build a comprehensive security policy.
In order to achieve these goals, the EU established a complementary Directive with compulsory legislation that ensures member states adopt a minimum level of cybersecurity capabilities, have an entity responsible for implementing cyberstrategies, and have a Computer Emergency Response Team (CERT) to respond to cyber breaches.[x] Additionally, businesses and organizations will be audited for their cybersecurity preparedness and are required to report significant cyberthreats to national authorities.[xi] Despite these recent efforts on behalf of the Directive, with the recent European Parliament elections held in May 2014 and the selection of new leaders in the European Commission in Fall 2014, there is no guarantee that the directive will become law. And, even if all member states reach an agreement, they will likely have eighteen months to incorporate the directive into their national law.
Cybersecurity Strategy of the United States
The United States views cybersecurity as one of the most serious economic and national security threats facing the country, and as such, acknowledges that its cybersecurity infrastructure is neither secure nor resilient enough to address future cyber threats. From 2006 to 2012, cyberthreats against the US increased by 782%, reaching 48,000 incidents in 2012. According to Robert Mueller, former FBI Director, “stopping terrorists is the number one priority for the United States, but down the road, the cyber threat will be the number one threat to the country.”[xii]
Despite startling data, the U.S. has not enacted a major cybersecurity-related provision since the Federal Information Security Management Act in 2002. Because cybersecurity is a relatively new form of security, discussions continue about the responsibilities of the federal government, the Department of Homeland Security, and the private sector for providing an effective cybersecurity infrastructure. Reflecting the increasing severity of cyberthreats and a lack of preparedness to combat them, President Obama has requested $1.3 billion in funding for the Department of Homeland Security on cyber-related issues for the 2015 US budget.[xiii]
In February 2013, President Obama issued the order “Improving Critical Infrastructure Cybersecurity”, establishing that “it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[xiv] A year later, the National Institute of Standards and Technology issued the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework that establishes that it is the responsibility of the US government to enhance the timeliness and quality of cyberthreat information it shares with the private sector, and connects companies with resources from the Department of Homeland Security and public sector. The Framework aims to align organizations’ cybersecurity activity with their business requirements, risk tolerances, and resources; because these organizations have unique cyber risks, they will implement recommendations in the framework differently.[xv] And, since cyberthreats are continuously evolving, so too is the framework; it will continue to be updated, responding to feedback from its initial implementation.
Need for Greater EU-US Cybersecurity Cooperation
Especially following the revelation of privacy breaches released by Edward Snowden regarding US spying on European officials and citizens, and most recently with evidence of the NSA listening in to phone calls on German Chancellor Angela Merkel’s mobile phone, trust is fragile between the EU and US. These events demonstrate their fundamental difference in cybersecurity thinking: American cyberspace policies seek to deter threats and maintain an offensive strategy whereas European policies seek to strengthen their resilience and resistance to attacks.[xvi] In light of recent American espionage, a European Parliament resolution from March 2014 requests that the EU establish a code of conduct ensuring that the US does not pursue espionage against its institutions and member states. It also encourages the US to join the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, a treaty that safeguards citizens’ rights, freedoms, and a respect for privacy.[xvii] Fundamentally, this discussion revolves around the age-old debate of increasing security while maintaining citizens’ privacy.
Further complicating this relationship is the fact that both have distinct approaches to combating cyberthreats. The EU has implemented compulsory measures across all member states to guarantee consistency in their capability to respond to cyberattacks. The US has called for a framework that outlines the voluntary sharing of cyber information. However, as these threats become increasingly prevalent, cooperation between nations will be crucial to enhancing cybersecurity internationally. Thus, as both the EU and US continue to develop cyber strategies, joint efforts between both to coordinate cyber policies and increase transparency will be crucial to strengthen cybersecurity worldwide.
A framework for such cooperation was established at the 2010 US-EU Summit in Lisbon focusing on cyber incident management, public-private partnerships on critical infrastructure, raising awareness about cybersecurity, and combating cybercrime. The 2014 US-EU Summit in Brussels strengthened cooperation efforts and formally declared their commitment to greater transatlantic dialogue on cyber issues, serving as a platform for greater coordination regarding issues of international cyberspace developments, the promotion and protection of human rights, international security issues, and cybersecurity capacity building in third countries.[xviii] A joint statement issued by President Barack Obama, European Commission President Jose Barroso, and European Council President Herman Van Rompuy relayed the need for transatlantic cooperation on issues of cybersecurity and protection: “Cross border data flows are critical to our economic vitality, and to our law enforcement and counterterrorism efforts. We affirm the need to promote data protection, privacy and free speech in the digital era while ensuring the security of our citizens.”[xix] Especially due to the highly integrated economies and communication systems between the US and EU, more closely integrated cybersecurity policies are needed to ensure similar standards for cyber protection between nations.
The economic and security futures of the EU and US rely on subduing cyberthreats. Both parties view the cyber realm as a global public good that is incredibly useful for communication, decision-making, and free markets. Many economic interactions occur via the Internet, and crucial sectors (including energy, healthcare, and transportation) rely on the Internet as a means of communication. To ensure the stability of these interconnected realms, cyber infrastructure must be protected. This protection, however, is not limited to the transatlantic partnership, and transatlantic cybersecurity cooperation can encourage other nations to join in efforts to combat cyberthreats. Thus far, the Convention on Cybercrime, commonly referred to as the Budapest Convention, is the first and only binding international treaty dealing with criminal law and prosecution related to the Internet. Ratified by forty-two states, it regulates areas of fraud, child pornography, infringement of intellectual property rights, and hacking of computers. However, due to limited criminal justice capacities and the political disagreements of signatory states, the Convention has not sparked complete coordination on the implementation of policies. While it is significant in showing international resolve to regulate cyberspace, more effective measures must be taken to increase cybersecurity globally. Because the cyber realm is a global good without physical borders, it will require greater global governance to remain an open platform for communication, data storing, and information sharing.
[i] “Cyberspace.” Department of Defense Dictionary of Military and Associated Terms, Mar. 2014.
[ii] Deibert, Ronald, Rafal Rohozinski, and Masashi Crete-Nishihata. “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia-Georgia War.” Security Dialogue 43.1 (2012): 3-24.
[iii] “Cyberwarfare.” United Nations Interregional Crime and Justice Research Institute.
[iv] Richards, Jason. “Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security.” International Affairs Review, Elliott School of International Affairs 18.1 (2009).
[v] Robinson, Neil, Agnieszka Walczak, Sophie-Charlotte Brune, Alain Esterle, and Pablo Rodriguez. Stocktaking Study of Military Cyber Defence Capabilities in the European Union. Rep. RAND Corporation, 2013. Web.
[vi] Harris, Shane. “Exclusive: Inside the FBI’s Fight Against Chinese Cyber-Espionage.” Foreign Policy. 27 May 2014.
[vii] Zhou, Dillon. “Why Is China the Cyber Espionage Capital Of the World?” PolicyMic. 27 Feb. 2013.
[viii] “Overhauling Transatlantic Security Thinking.” Security and Defense Agenda. Palais D’Egmont, Brussels. 06 June 2014.
[ix] EU-US Cooperation on Cyber Security and Cyberspace. European Union External Action Service, 26 Mar. 2014.
[x] Vyskoč, Jozef, Zsolt Illési, Joanna Świątkowska, and Tomáš Rezek. “Protecting Cyberspace in the V4: Towards Implementation of the EU’s Cyber-security Strategy.” Central European Policy Institute, 23 Nov. 2013.
[xi] “EU, US Go Separate Ways on Cybersecurity.” EurActiv. 05 Mar. 2013.
[xii] Kominsky, Mitchell. “The Current Landscape of Cybersecurity Policy: Legislative Issues in the 113th Congress.” National Security Journal. Harvard Law School, 06 Feb. 2014.
[xiii] Johnson, Nicole. “President’s Budget Proposes $1.3B for DHS Cyber Activities.” Federal Times. 4 Mar. 2014.
[xiv] Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology, 12 Feb. 2014. Web.
[xv] “Executive Order and Framework: Improving Critical Infrastructure Cybersecurity.” Council on Foreign Relations. 12 Feb. 2014.
[xvi] Bendiek, Annegret. Tests of Partnership: Transatlantic Cooperation in Cyber Security, Internet Governance, and Data Protection. Transatlantic Academy, Mar. 2014.
[xvii] European Parliament Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs. 12 Mar. 2014.
[xviii] Office of the Press Secretary. The White House. Fact Sheet: U.S.-EU Cyber Cooperation. 26 Mar. 2014.
[xix] Embassy of the United States. EU-US Summit: Joint Statement. 26 Mar. 2014.