Vancouver Sun | 3.1.11
Montreal Gazette | 3.1.11
Calgary Beacon | 3.1.11
By Alan W. Dowd
The recent spate of cyber-attacks against Canada, emanating from China, aren’t the first and won’t be the last assaults on Western computer networks, which is why Canada and its closest allies need to get serious about protecting cyberspace. The good news is that military, government and industry leaders in allied countries are already at work applying the principles of collective defence to this newest theatre of operations. The bad news is that the bad guys have gotten a head start.
Some argue that cyber-attacks aren’t a threat to real-world security. They’re wrong. Just consider the worrisome words of the head of the UN agency on information technology, who fears “the next world war could happen in cyberspace,” or ask our friends in Estonia and Georgia.
Estonia weathered what some call “Web War I” in 2007, when Russian nationalists unleashed a withering volley of “distributed denial of service” attacks that crashed networks across the country, including those supporting government agencies, media outlets, the mobile-phone system and the country’s largest bank.
A year after Estonia, Russian cyber-militiamen launched a digital invasion ahead of the Russian military’s ground invasion of Georgia, crippling government networks and servers.
If Russia’s cyber-attacks on Estonia and Georgia were intended to intimidate and confuse, China’s attacks are aimed at stealing and probing.
According to the German government, victimized by massive cyber-attacks in 2007-08, “The People’s Republic of China is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their technological gaps as quickly as possible.”
In fact, Beijing tacitly encourages hundreds of quasi-independent hacker teams and even trains some at Chinese military bases. The U.S.-China Economic and Security Review Commission reports that Chinese hackers have attacked government ministries in Canada, Europe, Japan, India, Taiwan, South Korea, Australia and dozens of other countries. Inside the U.S., they have penetrated computer systems at defence firms, the White House, the State Department, NASA and the Pentagon.
The British government worries that utilities-network upgrades carried out by a Chinese telecom firm may have given Beijing the ability to shut down essential services, including power and water supplies. Similarly, The Wall Street Journal has reported on “pervasive” penetration of the U.S. electrical grid, whereby malicious software and sleeper switches have been implanted to allow China or Russia to disrupt service at a time of their choosing.
To prevent cyber-skirmishes from triggering real-world conflicts, several nations are calling on the UN to “create norms of accepted behavior in cyberspace,” as The Washington Post recently reported. But given that two of the countries calling for cyber-cooperation are Russia and China—each guilty of some of the most egregious cyber-assaults to date—it’s unlikely that much will come from the UN’s plan for cyber-peace in our time.
A more likely source of peace and security in this new frontier is developing the assets, doctrine and resolve to deter and, if necessary, answer in kind cyber-attacks. As Gen. James Cartwright, vice-chairman of the U.S. Joint Chiefs of Staff, has argued, it’s time to “apply the principles of warfare to the cyber-domain.”
Toward that end, NATO’s new Strategic Concept, the first reworking of the alliance’s mission statement since 1999, calls on the allies to enhance their capacity to “defend against and recover from cyber-attacks.” After Estonia, NATO formed a center to help member states “defy and successfully counter” computer-network attacks.
Gen. Keith Alexander, who heads the Pentagon’s new Cyber Command, likens “freedom of action in cyberspace in the 21st century” to “freedom of the seas…in the 19th century and access to air and space in the 20th century.” As Adam Smith noted long before there was such a thing as cyberspace, it’s “the first duty of the sovereign” to protect society from “violence and invasion.” What serves as the launching pad for violence, invasion or threat—land, sea, sky, space or cyberspace—diminishes neither the danger nor the sovereign’s duty to confront it.
Of course, cyber-defence is not solely the responsibility of the military. Businesses and civilian agencies play a key role in detecting, preventing and preparing for cyber-attacks. Canada and the United States, for example, have orchestrated at least three massive cyber-security exercises under the codename “Cyber Storm.” The most recent of these exercises, held in 2010, enfolded 60 private-sector firms and 13 partner countries.
As it did in defending against the Soviet threat during the Cold War, Canada needs to do its part in defending against today’s cyber-threat. The new Cyber Security Strategy is a start but is probably not enough for a nation as reliant on cyberspace as Canada. Consider that the contingency plan for continuity of operations after the recent attacks was, apparently, directing thousands of government employees to use home Internet connections or “wireless Internet connections at nearby cafes” for several weeks, as The New York Times reports.
The $90 million pledged to protect Canada’s swath of cyberspace is paltry relative to what other nations are investing in cyber-defence. The U.S. has committed some $30 billion to its cyber-security initiative, Britain more than a billion. Germany is setting up a National Cyber-Defence Center this year.
These are prudent steps. As Ene Ergma, the speaker of the Estonian parliament, observed after Web War I, “Cyber-war doesn’t make you bleed. But it can destroy everything.”