Internet Governance (4): Cybersecurity and Internet Governance

Cybersecurity and Internet Governance is part of a series of research papers on Internet Governance.

Growing Threats

On November 2, 1988, starting at around 8:30 p.m., some of the roughly 60,000 computers connected to the Internet at the time began to behave strangely. As the hours passed, more computers showed the same symptoms, and some ran out of resources and ground to a halt. A few administrators began to realize that Internet-connected computers were under attack; within 24 hours this was obvious to everybody concerned. About 6,000 computers, i.e., 10% of all the computers connected to the Internet at the time, had been infected by a malicious program capable of replicating itself and jumping from one computer to the next without any human involvement. Computer viruses were already known, albeit rare, but this thing was new. A virus needs a host, another program that it infects, and runs only when that program is executed; it also needs some human action to get going, such as opening a file or running an attachment. This new program needed no human action at all. It required nothing but Internet connectivity and a target running one of the specific Unix variants in wide use at the time (4BSD on VAX and Sun-3 machines).

This kind of self-propagating program is called a worm (the term itself predates the incident; it was used by Xerox PARC researchers in 1982), and this particular worm came to be named the Morris Worm after its creator, Robert Morris. Besides being the first worm to spread across the Internet, the Morris Worm is considered the first Internet-wide cyberattack. Because it re-infected the same machines over and over until they ran out of CPU and memory, it was also, if unintentionally, a denial-of-service attack. It spread by exploiting a buffer overflow in the fingerd daemon, a debug mode left enabled in sendmail, trust relationships between hosts (rsh/rexec), and weak passwords; the fingerd and sendmail holes had not been patched on the affected systems, which is why the worm is often described as the first zero-day attack. "Zero-day" refers to the number of days the responsible party (usually the software developer or vendor) has had to issue a patch before the vulnerability is exploited; when, as here, the flaw is exploited before a fix exists, that number is zero. Finally, the Morris Worm led to the first felony conviction under the United States Computer Fraud and Abuse Act, which had been enacted two years earlier (1986).

The damage caused by the Morris Worm was functional and financial. Many university and military computers, which made up almost the whole set of Internet-connected machines at the time, stopped working, either because they were infected, were suspected of being infected, or were taken offline to avoid infection. The financial losses came from the time computers were out of service and from the effort of cleaning infected machines, inspecting suspect ones, and securing the rest. All in all, the estimated costs ran from $100,000 in the first days after the worm was discovered to millions of dollars in later estimates.

Fast forward a little more than 20 years, to June 2010, when security researchers at a small, almost unknown company in Belarus stumbled upon a strange piece of malware that was making a client's computer in Iran crash and restart repeatedly. It took security experts around the world months to take apart what was the most complex malware code they had come across until then. Step by step they learned more about this worm, which Microsoft named "Stuxnet" from strings found in its code (".stub" and "mrxnet.sys"). They concluded that Stuxnet had a very specific target: computers running two Siemens applications, Step 7 and WinCC, used to program and supervise SIMATIC programmable logic controllers (PLCs) in industrial control systems such as pipelines and power plants. Moreover, its destructive payload activated only when it found a particular PLC configuration: controllers driving frequency-converter drives from two specific vendors at the speeds used by uranium-enrichment centrifuges, a fingerprint that matched Iran's enrichment facilities. The sophistication of Stuxnet, the time and resources its development must have required, and the intelligence about the target that had to be obtained by other espionage means all made clear that the suspects could only be state agents or at least a state-sponsored group. At the top of the list of states likely to be involved in such an attack on Iran's nuclear program were the United States, Israel, and China. Regardless of the exact culprits, however, there was no doubt that this accidentally discovered malware was nothing less than a cyberweapon, the first to be discovered and perhaps the first to be deployed.

In June 2012, David Sanger published a story in the New York Times based on interviews with White House, intelligence, and Israeli insiders, along with many computer security experts. The story revealed that Stuxnet was indeed a cyberweapon developed by United States intelligence agencies in collaboration with an Israeli military intelligence unit. It was part of a program code-named "Olympic Games", launched by the Bush administration and continued by the Obama administration under the direct supervision of both presidents. The purpose of the program, and of Stuxnet, was to sabotage Iran's uranium-enrichment facilities. The malware was supposed to stay confined to the Natanz plant, but an error introduced by an update to its code let it spread onto the Internet. The program nevertheless continued: according to Sanger's account, within a week of the decision to press on, a new version of the malware brought down just under 1,000 of the roughly 5,000 centrifuges then spinning at Natanz.

Both the Morris Worm and Stuxnet were turning points that shaped the field we now call cybersecurity. The distance from the comparatively humble Morris Worm to the full-fledged Stuxnet cyberweapon, deployed through a complex, coordinated effort by multiple state institutions, marks how far the field has expanded. Today's diversity of cyber threats, the severity of their consequences, and the tight integration of cybersecurity into national security, national defense, and international relations make it much harder to draw a simple yet clear and accurate picture of the field.

Defining Cybersecurity

Understanding what Cybersecurity is all about starts with the simple concept of “Unauthorized Access.” Let’s assume that there’s a room that contains valuables and we want to secure it. For this to happen we need to make sure that only the people allowed (authorized) to enter the room can actually do that. Anybody else shouldn’t be able to enter the room. Entering the room, i.e., gaining access to the inside of the room is the first meaning of authorized access. Now, not everybody entering the room has the same job to do there. Some cupboards within the room may be off limits for some people who can enter the room but shouldn’t gain access to whatever is kept in the cupboard. Based on the job of each one getting in the room, access to things inside the room is determined. Anybody who accesses something inside the room that they aren’t authorized to access has committed unauthorized access. One more level of unauthorized access is acting beyond what one’s job implies. This means that each person entering the room has a specific job that implies specific (authorized) actions. Any (unauthorized) action, renders the access unauthorized.

Taking this example into the realm of computers and networks, the same rules apply. An information system is the room we want to secure against any type of unauthorized access. It can be your own laptop or a cluster of servers storing data for Google. Regardless of its physical size, an information system consists of devices, software, data, and people with different access permissions. A security system should guarantee that only authorized persons gain physical access to the devices; that only those allowed to use the software installed on the system can do so, each with access only to the subset of software needed for their job; and that each person can access only the data they are authorized to access and can do to it only what they are authorized to do. Note the three distinct levels in the analogy: getting into the room (access to the system), opening a particular cupboard (access to a particular object), and what one may do once the cupboard is open (the permitted actions). A check that stops at the first level is not enough.
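The three levels of the room analogy map directly onto how an authorization check should be written: deny by default, require entry to the container before anything inside it can be reached, and distinguish the objects a principal may touch from the actions they may perform on them. The following is an added example (not code from the paper) with constructed users, roles, and resources; the resource names, the "enter" action and the policy tables are assumptions for illustration only.

```python
"""Deny-by-default authorization over (principal, resource, action).

Added example. Users, roles and resources below are constructed for
illustration and do not describe any real system.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    resource: str         # "room" or "room/<cupboard>"; '/' marks containment
    actions: frozenset    # actions granted on that resource


# Constructed policy. Holding "enter" on the room grants nothing inside it,
# and "read" on a cupboard does not imply "write".
ROLE_PERMISSIONS = {
    "cleaner": {Permission("room", frozenset({"enter"}))},
    "clerk":   {Permission("room", frozenset({"enter"})),
                Permission("room/cupboard-1", frozenset({"read"}))},
    "manager": {Permission("room", frozenset({"enter"})),
                Permission("room/cupboard-1", frozenset({"read", "write"})),
                Permission("room/cupboard-2", frozenset({"read", "write"}))},
    # Misconfigured on purpose: cupboard access without permission to enter
    # the room. The container check below makes this grant inert.
    "auditor": {Permission("room/cupboard-2", frozenset({"read"}))},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"},
              "carol": {"cleaner"}, "dave": {"auditor"}}


def _granted(roles, resource, action):
    """True only if some role explicitly grants `action` on exactly `resource`."""
    return any(p.resource == resource and action in p.actions
               for r in roles for p in ROLE_PERMISSIONS.get(r, ()))


def authorize(user, resource, action):
    """Return (allowed, reason). Anything not explicitly granted is refused."""
    roles = USER_ROLES.get(user, set())
    if not roles:
        return False, "unknown principal"
    # Level 1: nothing inside the room is reachable without entering it.
    container, _, inner = resource.partition("/")
    if inner and not _granted(roles, container, "enter"):
        return False, f"no access to {container}"
    # Level 2 and 3: the object itself, and the action on it.
    if _granted(roles, resource, action):
        return True, "granted"
    touches_object = any(p.resource == resource
                         for r in roles for p in ROLE_PERMISSIONS.get(r, ()))
    if touches_object:
        return False, f"action {action!r} not permitted on {resource}"
    return False, f"no access to {resource}"


def audit(requests):
    """Evaluate a batch of requests and return only the denials, for logging."""
    return [(u, r, a, reason) for (u, r, a) in requests
            for allowed, reason in [authorize(u, r, a)] if not allowed]


if __name__ == "__main__":
    sample = [("alice", "room/cupboard-2", "write"),
              ("bob", "room/cupboard-1", "write"),
              ("carol", "room/cupboard-1", "read"),
              ("dave", "room/cupboard-2", "read"),
              ("mallory", "room", "enter")]
    for entry in audit(sample):
        print("DENY", *entry)
```

The reason strings separate the three failure levels so that an audit log can tell "never allowed in the room" from "in the room, wrong cupboard" from "right cupboard, forbidden action"; the `auditor` role shows why the container check must run first, since a grant on an inner object must not bypass the requirement to be let into the room at all.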

Within this simple picture revolving around authorized and unauthorized access, Cybersecurity can be defined as “All the strategies, policies, and practices enacted to prevent unauthorized access to information systems.” This definition adopted by this paper differs from the endless number of Cybersecurity definitions offered by different actors in the Cybersecurity field. For instance, a definition by IBM goes:

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks.

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines Cybersecurity as:

The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.

While this definition mentions protection from unauthorized access, it adds details that are redundant, since they are implied by the prevention of unauthorized access: access to networks, devices, and data is a precondition for any criminal use of them. The CISA definition also folds in the CIA triad. (CIA here is not the Central Intelligence Agency; it stands for Confidentiality, Integrity, and Availability, the three guarantees of information security.) Confidentiality means that information cannot be viewed by, or disclosed to, anyone the owner has not authorized. Integrity protects data from unauthorized modification or destruction. Availability guarantees that authorized users can reach the information when they need it. For instance, viewing or publishing photos stored on a smartphone without its owner's permission violates confidentiality; altering those photos with an image editor violates integrity; and locking the photos so that the owner can no longer view or edit them violates availability.

One more comprehensive definition by the United States Department of Homeland Security states that Cybersecurity consists of:

Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.

This definition gives a clear picture of how governments around the world have come to see cybersecurity. First of all, one cannot fail to notice how far it is from the technical definitions built around unauthorized access to information system components, or around the CIA triad. It reflects the fact that for military, security, and intelligence institutions, cyberspace has become a field of operations, both defensive and offensive, alongside the land, sea, and air domains. In other words, it is an arena for warfare conducted with all the means used in other arenas. In conclusion, this definition shows how cybersecurity escaped the domain of Internet Governance, or grew too big to be accommodated within it, and became a matter of national security and international relations.

A Toxic Relationship

Both cybersecurity and Internet Governance have histories that predate their definitions and the emergence of the terms that refer to them. Threats to information systems have existed since such systems were born in the 1940s and 1950s, and governing the workings of the Internet began before the Internet itself, within its precursor ARPANET. Yet the term Internet Governance did not enter wide use until the early stages of the UN World Summit on the Information Society (WSIS) in 2003. Then, under pressure from governments seeking to understand what this Internet thing was all about, and seeking means to bring it under their control, the term expanded to cover a much larger domain of activities and issues than the technical processes that govern the daily workings of the network, managed by the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), and similar bodies.

It was then that cybersecurity became one of the domains Internet Governance expanded to include. This did not last long. Over the following decade, cybersecurity grew so fast and attracted so much more public attention than any other Internet- or cyberspace-related issue that, by 2010, when the first deployment of a cyberweapon in an actual international conflict was discovered, it became evident that cybersecurity could no longer be considered a sub-domain of Internet Governance. Their relationship needed to be redefined, for neither can be treated as a domain wholly independent of the other.

Throughout the second decade of the 21st century and up to the present, cybersecurity has continued to grow in importance and has become more tightly integrated into the national security strategies of most nation-states; in many cases it has become the top priority of their new national security paradigms. Over these years, the relationship between cybersecurity and Internet Governance ran in reverse: the former swallowed what used to be sub-domains of the latter, one after the other. Today Internet Governance seems to have practically shrunk back to the technical processes of managing IP addresses and the DNS. Yet even these processes are the target of insistent efforts by governments demanding that they be brought under state control in the name of Internet sovereignty, and specifically in the name of guaranteeing their cybersecurity. If governments get their way, Internet Governance will become a sub-domain of cybersecurity, and thus a matter of national security, with dire consequences for the openness, freedom, and unity of the network.

Collateral Damage

When Stuxnet broke out of the Natanz plant into the wider Internet, it infected tens of thousands of personal computers around the world (roughly 100,000 hosts by Symantec's count). It spread through a vulnerability in the way Windows handled shortcut (.LNK) files that affected every Windows version then in use, from Windows 2000 through Windows 7, so a great majority of the computers in the world at the time were potential victims. While the worm lurked unnoticed on many of these systems, it caused mysterious problems on others. What should interest every Internet user is that agencies of a state which, at the very time it deployed this cyberweapon, professed a commitment to making the Internet a secure space, had in fact kept the vulnerabilities known to them secret so that they could exploit them for their own purposes.

State agencies are not the only ones who keep software and hardware vulnerabilities secret as weapons of war; Big Tech companies also keep them as industry secrets to exploit for large-scale data mining. Criminal groups that thrive on close relations with some governments, such as those of Russia and China, accumulate money, skills, and elaborate malware that would not be available to them were it not for the generously financed operations they carry out for those governments. They then turn these resources to their own ends, breaking into the systems of large companies and banks and stealing credit card numbers and other sensitive data belonging to those institutions' clients.

Where does the ordinary Internet user's security stand in this picture? Collateral damage is the term that describes it most accurately. In a time when data is worth more than its owners, human beings have no value of their own. They are there to add more nodes to the network so that tech companies, governments, and cybercriminals can use them for their own purposes.

Conclusion

This paper by no means claims to cover its topic exhaustively. It has instead sought to provide starting points that highlight the great expansion of the cybersecurity field, the threat of Internet Governance being swallowed into it, and the direct threats to Internet users that follow from incorporating cybersecurity into the national security paradigms of nation-states.

If the Internet is to become a safer space in the future, and more importantly a freer, more open, and more unified one, significant changes must be made to nation-states' approaches to cybersecurity, starting with a disarmament treaty that keeps cyberspace free of weapons deployed by states and their agents. A different business model also needs to prevail, one in which human rights are valued and respected. Cybersecurity and Internet Governance will remain tightly related, but neither should become a sub-domain of the other, and compatible governance models based on multistakeholderism should be used in both.