Cyberspace, the Role of State, and Goal of Digital Finland . PDF

Preview

Summary

1 THE FOG OF CYBER DEFENCE Eds. Jari Rantapelkonen & Mirva Salminen National Defence University Department of Leadership and Military Pedagogy Publication Series 2 Article Collection n:o 10 Helsinki 2013 2 © National Defence University/Department of Leadership and Military Pedagogy ISBN 978–951...

Description

Accelerat ing t he world's research.

Cyberspace, the Role of State, and Goal of Digital Finland . Saara Jantunen

Related papers

Download a PDF Pack of t he best relat ed papers 

What Can We Say About Cyberwar Based on Cybernet ics? (p. 154 - 168) Sakari Ahvenainen

Exercising Power in Social Media Margarit a Levin Jait ner T he Power of Social Media Margarit a Levin Jait ner

1

THE FOG OF CYBER DEFENCE Eds. Jari Rantapelkonen & Mirva Salminen

National Defence University Department of Leadership and Military Pedagogy Publication Series 2 Article Collection n:o 10 Helsinki 2013

2

© National Defence University/Department of Leadership and Military Pedagogy ISBN 978–951–25–2430–3 ISBN 978–951–25–2431–0 (PDF) ISSN 1798–0402 Cover: Toni Tilsala/National Defence University Layout: Heidi Paananen/National Defence University Juvenes Print Oy Tampere 2013

3

CONTENTS Foreword ........................................................................................ 5 Summary ........................................................................................ 6 Jari Rantapelkonen & Mirva Salminen Introduction: Looking for an Understanding of Cyber ............. 14

Part I: Cyberspace Jari Rantapelkonen & Harry Kantola Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries ...................................... 24 Topi Tuukkanen Sovereignty in the Cyber Domain ...................................... 37 Jari Rantapelkonen & Saara Jantunen Cyberspace, the Role of State, and Goal of Digital Finland .................................................................................. 46 Margarita Jaitner Exercising Power in Social Media ....................................... 57 Kari Alenius Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 ............................. 78

PART II: Cyber Security Anssi Kärkkäinen The Origins and the Future of Cyber Security in the Finnish Defence Forces ................................................. 91 Kristin Hemmer Mørkestøl Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation ....................................... 108 Roland Heickerö Cyber Security in Sweden from the Past to the Future........................................................................... 118

4

Simo Huopio A Rugged Nation ............................................................... 126 Erka Koivunen Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration ..................................................................... 136

Part III: Cyberwar Tero Palokangas Cyberwar: Another Revolution in Military Affairs? ........ 146 Sakari Ahvenainen What Can We Say About Cyberwar Based on Cybernetics? ................................................................. 154 Jan Hanska The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War................... 169 Rain Ottis Theoretical Offensive Cyber Militia Models .................... 190 Jarno Limnéll Offensive Cyber Capabilities are Needed Because of Deterrence ..................................................................... 200 Jouko Vankka & Tapio Saarelainen Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment ............. 208 Timo Kiravuo & Mikko Särelä The Care and Maintenance of Cyberweapons ................ 218 Mikko Hyppönen The Exploit Marketplace ................................................... 231

5

Foreword Internet is a good example of how technology can dramatically alter our everyday lives. In the past two decades, Internet has evolved from the “playground of the geeks” to a serious tool to do business with. With a single click of a mouse, it is possible to share information with millions of people. Unfortunately, this evolution has also brought about all of the negative side effects of global communication and digital freedom. As the tip of the iceberg, Internet is full of junk mail, malware, scam, and identity thefts – just to name a few examples. Simultaneously, we – the benevolent users – are suffering more and more from attacks on the availability of services and information. Similarly like the mobile phones, Internet has become a commodity without which our modern lifestyle would not survive. Therefore, we have seen governmental level strategies to “protect our critical information infrastructures” or to “secure cyberspace”. Neither Internet, nor any other communication channel is anymore controllable by a single entity, government or corporate. On the contrary, they are networks of networks on which we have very little control on how they evolve. We are living in a world of ubiquitous computing, where various computing devices are communicating and sharing information around us, for us, and about us. Clouds of computers are formed and deformed dynamically without any need of human intervention. World Wireless Research Forum, WWRF, has predicted that there will be seven billion mobile phones in the world by the year 2017. At the same time, the number of computers will rise to seven trillion, that is, there will be roughly a thousand computing devices per person. Thus, our physical space and “cyberspace” will overlap completely. When considering cyberspace from the military perspective, we can ask whether cyber will cause an evolution or a revolution in warfighting. On the one hand, cyber enables us to “see, hear, and talk” faster and over longer distances, which enables us to perform our military objectives faster and with a greater accuracy. On the other hand, cyber is a totally different battlefield with different rules and engaged players than the conventional land, sea, air, and space. This book generates new ideas and opens new topics of discussion with regard to cyber. Even though bits usually do not kill – at least, not directly – we must consider the consequences of cyber operations also from the military perspective. Plenty of questions will rise on this research area, such as “Who are the enemies?”; “What are the rules of engagement?”; “Shall we be defensive or offensive in Cyber?”; and “How do we define ‘credible defence’ in cyber?”. Hannu H. Kari Research Director, Professor, National Defence University

6

SUMMARY The Fog of Cyber Defence is a study made primarily for the NORDEFCO (Nordic Defence Cooperation) community. Nonetheless, it can be applied to other contexts in which enhanced understanding of the challenges of cyberspace is important. The research project was originally called Cyber Defence in the Nordic Countries and Challenges of Cyber Security. For the purposes of the book and due to issues that were raised during the project, the name was changed to better describe the significance and omnipresence of cyber in information societies. However, cyber remains very much a "foggy" challenge for the Nordic countries which are considered cyber savvies. The book focuses on Nordic cooperation in the field of defence policy on a political level. It is a collection of articles that aim to answer the many questions related to cyber security and take a stand on the practical possibilities of cyber defence. The meeting of the Defence Ministers on the 12th and 13th of May 2009 was an example of political positioning with regard to cyber. All Nordic countries – Finland, Sweden, Norway, Denmark and Iceland – participated. In addition to familiar topics such as cooperation in crisis management, material cooperation and operational cooperation, the meeting also witnessed a new common will to deal with new challenges. In the same year, during the June 2009 meeting of the Ministers for Foreign Affairs in Reykjavik, the Nordic countries acknowledged the need for enhanced cooperation to respond more effectively to cyber security problems. Two years later, when the Foreign Ministers of Denmark, Finland, Iceland, Norway and Sweden met on the 5th of April 2011 in Helsinki, the ministers stated that the Nordic Declaration on Solidarity would be followed up with practical measures, such as cooperation in the field of cyber security. On the political level, there is a desire to move towards concrete and practical cyber cooperation. This study on cyber defence was assigned in the 2012 NORDEFCO MCC Action Plan, and it was Finland's turn to conduct a study of an area of interest that would be implemented within the NORDEFCO framework. It was agreed that the recently commenced study, "Cyber Defence in the Nordic Countries and Challenges of Cyber Security," would form the basis for further exploration of possibilities for Nordic cooperation in the field of cyber defence.

Key Results The concepts of cyber, cyberspace, cyber security and cyberwar are multidimensional and ambiguous. The key results support the development of a common language and understanding in cyber activities among the Nordic countries, as well as the development of practical cooperation. The phenomenon is greater than what a single country can deal with alone. a) Cyberspace o The Nordic countries are the most developed countries in cyberspace. Simultaneously, they recognise the importance of and their dependence on cyberspace for managing the welfare and security of the countries and their citizens.

7 o

o

o

o

o

o

Cyberspace is a vague domain in relation to state and defence activities. It raises many unanswered and significant philosophical, but also clearly critical national security questions about how states should relate themselves to cyberspace. Cyberspace has different qualities and attributes than physical spaces. Cyberspace can be described as a “ubiquitous,” “networked”, and “virtual” world, and cyber activities have even been considered “anonymous.” If this is understood through power politics, bureaucracy and hierarchical leadership, new kinds of political practices can be created and cyber cooperation can be strengthened. In any case, cyberspace on its own forces the Nordic countries to continue modernising themselves. Activity in cyberspace is controlled by individuals and companies, and it is not statecentric. Despite the attempts, international organizations (such as the ITU and the EU) and states have at least not until now had a significant role in controlling the activity. We are prompted to ask whether states should give up the idea of control and adapt to cyberspace with a different kind of philosophy, objectives, and cooperation models than to which they are accustomed. The military has recognised cyberspace as an operational domain similar to land, sea, air and space, that is, as a space to be used for military purposes and for waging war. Social media makes events and issues more transparent. Transparency is a trend that is already present but not necessarily understood by the nation states and the armed forces. Cyberspace is still a new and ever-developing domain, which is evident, for example, in the lack of development in legislation.

b) Cyber Security o The Nordic countries use traditional security language to address a new security phenomenon, that is, the phenomenon of cyber security. o Problems relating to cyber security reach across the borders and resources of individual countries and thus, they cannot be resolved by a country alone. o Threats relating to cyber security are complex and do not involve only technology. They are mainly social and human, and implicate the diverse customs of different countries, organisations, companies and individuals. Cyber threats cannot be treated as isolated phenomena. Instead, they must be addressed jointly with other threats in which the cyber domain plays a significant role as an enabler. For this reason it is suggested that the multiple problems relating to cyber security should be resolved together. o Social media makes evident how widespread the challenge of cyber security actually is. o Cyber security is only in part a military challenge. It is mostly a challenge in other areas such as the technological, social, procedural, legislative, etcetera. The defence forces are not responsible for protecting countries from cyber threats in the Nordic countries. o State related threats (espionage, intelligence, offensive) are on the rise, and they are believed to be more serious than individual, group or network based threats. However, threats are relative and a state related threat towards a country is not necessarily a threat towards another country. In the Nordic countries, threats are

8

o

o

o o

primarily seen as relating to the functionality of the society rather than directed expressly towards the state. All Nordic countries have cyber security strategies to address the challenges of cyberspace, but they differ in how they allocate resources and organise security activities. There is still an obvious need to raise cyber security awareness and to clarify the related roles and responsibilities on the governmental level. There is also an important need for enhanced cyber competence amongst decision makers. The Nordic countries lack significant cooperation in cyber security on a practical level. Concepts related to cyber security are important in defining the phenomenon. To overcome problems with the current concepts, such as offensive cyber defence and cyberwar, it is necessary to study new concepts, such as resilience or cyber resilience, which can reveal new perspectives for dealing with cyber threats and security.

c) Cyberwar o The military is planning and preparing for cyberwar. o There is no single cyberwar or a single type of cyberwar – like there is not only one type of land or air war. On the other hand, the whole concept of cyberwar as “real” war has been both promoted and questioned. However, war without any kind of use of cyber means seems now unlikely. o Cyberwarfare is a hybrid that originates from heterogeneous sources; consists of different elements; produces the interaction of distinct cultures and traditions, as well as of different people and organisations. o In future wars, the Nordic countries will be increasingly dependent on computers, electricity, electronics and networks. Therefore, it is difficult to imagine future wars without cyber activities. o Several states and networks, rather than individual hackers, are developing cyber capabilities for attack. Destructive cyber attacks, such as Stuxnet, will increase in 2013 as states continue to develop offensive capabilities. o Cyber weapons are very dynamic. The leading countries in cyberwarfare produce modular cyber weapons software with continuous updates, shared components and parallel independent lines of development. o In practice, cyberwarfare capabilities are kept secret either for maintaining a deterrent, concealment and increasing competitive edge or due to the lack of offensive resources. o There are businesses that weaponize and exploit codes to attack vulnerabilities in operating systems and applications. Vulnerabilities and codes have become the everyday trading goods of the cyber arms industry. On the other hand, there is a commercial effort to make exploited code worthless to the vendor. However, the real world in cyberwar is not black and white. Cyberwar and cyber security are weird and chaotic phenomena taking place in cyberspace. o The best way to protect against cyberwar is the development of C4 systems to secure all processes and applications in use. However, the human nature and unpredictable behaviour remain the most important threats in future cyberwarfare. This idea seems to be counter to the current technological and procedural trends that the Nordic countries are heading towards in cyberspace, although, for example, cloud

9

o

o

o

services providing valuable information can be compromised if they are used in critical situations. The “do-it-alone era” has passed, regardless of this being the best approach in the past. Cyber security is full of compromises. Even computer programs and integrated chips are important in cyberwar. Human knowledge and understanding together with technology form the heart of cyberwar. Cyberwar is human, not just high-tech driven. Building cyberwar capabilities is politically sensitive. However, the related discourse has neglected this on the strategic level. A (political) country can be defensive, but on the operational (practical) level it should not limit its offensive capabilities. This also guarantees the effectiveness of strategic defence. The term “cyberwar” and its use need to be reconsidered: is cyberwar war at all? Regardless of the answer, different war-like phenomena take place in cyberspace and they have the potential to change warfare.

d) The Nordic Countries, Further Points o Finland aims to be a globally strong player in the field of cyber and cyber defence. Originally known as information security, cyber defence has become an issue on the strategic and individual levels. Protection against threats requires strategic level decisions, because cyber defence not only depends on security technologies but also on strategic guidance and coordination, as well as on the allocation of resources. Cyber development has been rapid and currently Finland is struggling to keep her global leading position in this field. The current challenge is to decide how cyber security and cyber defence will be implemented in practice. Finland is known to have good cooperation between cyber actors within the country. However, in order for her to be successful in this area, she needs real practical decisions and new resources for cyber, national cooperation, as well as cooperation with globally leading countries. o Norway released a revised "National Strategy for Information Security" in late 2012. This strategy is but the latest in a series of strategic documents on cyber security dating back to 2003. Norway has a long history of extensive cooperation in cyberspace, partly due to the nature of digital threats, but also a long history of civil-military cooperation in all areas relevant to crisis management (the concept of "Total Defence"). Norway defines threats against information and communication systems as a strategic security challenge, and the effort to protect against these threats is given a high priority. The endeavour to enhance Norway's cyber security is making progress in all sectors of society. The Norwegian national CERT has been provided increased funding for 2013, and the Norwegian Armed Forces Cyber Defence (NOR CYDEF) changed its name in the second half of 2012 in order to underscore the increased importance of cyber defence in the military sector. o Sweden Swedish cyber defence aims at protecting Sweden and the Swedish interests against cyber attacks from resourceful and advanced players. This includes strategic control and planning, cooperation and coordination as well as operational protection measures. Sweden is looking to the future and developing cyber fields such as automated information collection, sensor information and analysis of events. She is focused on creating robust information infrastructures and effective technical and administrative security processing. Cooperation and exchange of information are becoming increasingly important. Authorities are setting up routines for incident

10 reporting and information sharing between the different CERTs, to other authorities, to the private industry and to international organisations. Coordination, exercises and exchange of information with skilled and well-informed parties internationally is a top priority for the Swedish Armed Forces, as well as for other authorities that are in charge of national cyber security. Future options and scenarios are still open, but the idea is that the future Swedish Computer Network Operations (CNO) capacity for the armed forces will include all components for defensive measures in the electromagnetic spectrum and cyberspac...