11 minute read
Cyber espionage: the problem that isn’t
// Eneken Tikk & Mika Kerttunen
After the recent penetrations of a Finnish mental health service provider’s patient database as well as the Finnish parliament, both the Speaker of the Parliament and the President of Finland condemned the breaches as ominous cyberattacks. President Niinistö’s message was very clear:
Advertisement
The 2020 EU Cyber Security Strategy observes “the EU institutions, bodies and agencies being regular targets of cyberattacks, particularly cyber-espionage”. The United Kingdom security service MI5 views cyber espionage to present “a real risk to the economic well-being of the UK” and “a direct threat to UK national security”.
Cyber espionage is hardly a non-issue. Without sufficient level of intelligence preparation, including cyber espionage, any targeted cybercrime activity or effect-creating cyber operation would not be successful. Yet cyber espionage is a stigmatized, dead-on-arrival topic that has become next to impossible to discuss, especially in an international setting. It is time to change that. The absence of any clear international legal stand on espionage does not dilute but underlines the problem.
UNDERSTANDING ESPIONAGE
The purpose of state intelligence - national, military or other agency - is to support political and operative planning and decision-making. Intelligence doctrine refers to assessment and estimations of the operational environment. Accordingly, business or competitive intelligence supports corporate decision-making, for example design, manufacturing and marketing.
Espionage constitutes a particular aspect of intelligence where data and information are gathered by covert means and without the possessor’s authorization, hence the lay-man, and legal, term of spying. Espionage thus exploits target data, information and systems for an actor’s benefit.
Consequently, all espionage is an intelligence activity but not all intelligence activities are espionage. Many forms of intelligence, most obviously open-source intelligence and signal intelligence do not require illegal or unauthorized access, e.g. penetration of other states’ information and communication systems or the stealing of information.
As defined in a US joint intelligence doctrine, intelligence “includes the organizations, capabilities, and processes involved in the collection, processing, exploitation, analysis, and dissemination of information or finished intelligence.” The process begins with intelligence requirements, disseminates immediate, initial and finalized products such as information, assessments, estimates and recommendations for action, and ends with evaluation and reflective feedback – only to start again with new intelligence and information requirements. Intelligence can thus be seen as a cybernetic chain linked to political and operative decision-making, another cybernetic chain of events.
ASSESSING CYBER ESPIONAGE
As a logical chain of considerations, acts and consequences, intelligence activities like all human and social ones can be ethically assessed by their intentions, virtue and consequences. As examined above, political (cyber) espionage is conducted in support of planning and decision-making. We can presume that the thought or anticipated action is against the will of the targeted entity – otherwise covert and unauthorized action would not be needed, because it goes against the target’s interest. Cyber espionage undermines dignity and integrity, steals opportunities - in the concrete terms of data, information and intellectual property - and forces the target to take corrective action, which it otherwise would not have taken. Cyber espionage thus subjects and suppresses one sovereign state to another’s will.
The very act of intelligence gathering, including for example illegal penetration of information and communication systems, does not necessarily cause destructive effects. As Libicki reiterates, virtual penetration does require forced entry but uses stolen credentials or exploits vulnerabilities, and unintentionally open avenues of access. The act nevertheless is illegal or unauthorized by any target state norms and standards. The target entity is thus an involuntary object of another state’s operations. Acts of espionage therefore erode friendly relations between states and trust in international life.
All targeted operations require some intelligence gathering and analysis, nowadays most increasingly in form of cyber espionage. Consequential action is likely to follow espionage. Political and operational actions against another state, which require espionage to be conducted is always unfriendly. When leading to the use of force, espionage becomes part of a hostile, coercive and violent action-chain likely to escalate tensions and intensify open conflicts.
Furthermore, the difference between network based (cyber) espionage and effect-creating operations is a line drawn in the sand. After successful penetration into information systems and the gathering of data and information, it is easy and tempting to plant destructive malware in these target environments. Finally, the proliferation of capable tools and available targets has promoted investigative and inquisitory cyber espionage.
Cyber espionage targets both the public sector and private sectors, human beings and their sensitive information, and national security as well as national health care systems. It is deliberately suppressing, dismisses the autonomy and sovereign stance of the target, and is often by its intended consequences hostile. It is increasing by severity and diversity.
SHORTCOMINGS OF THE CURRENT APPROACH
Capabilities, resilience and deterrence The 2020 European Union Cyber Security Strategy seeks to increase Europe’s collective resilience against cyber threats. This is achieved within three areas of EU action (1) resilience, technological sovereignty and leadership; (2) operational capacity to prevent, deter and respond and (3) global and open cyberspace through increased cooperation.
The Cyber Security Strategy remains silent on how cyber espionage in particular should be tackled nationally, within the EU, or globally. We may conclude that resilience and operational capacity can be seen not only to curb cyber espionage, but also having the potential of making cyber espionage operations more costly. The global/international endeavours the EU needs to take do not contain any explicit or direct means or mechanisms to deal with cyber espionage.
On the other hand, the Cyber Security Strategy facilitates “solid shared situational awareness and the ability to prepare rapidly a joint EU position”. To serve this purpose and to advance intelligence cooperation on cyber threats and activities, a Member States’ EU cyber intelligence working group at the EU Intelligence and Situation Centre is to be established.
DIPLOMACY
An EU non-paper on cyber diplomacy comprehensively emphasises human rights, and the voluntary non-binding rules of responsible state behaviour in cyberspace and cyber capacity-building. This, however, is stuck in the quagmire created by the previous rounds of the United Nations Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. Given the chosen threat-centric and confrontational context, cyber diplomacy is reduced to a function of cyber security where dialogue and consultation are more curiosities than normalcies.
On the other side, Russia and China stress an absolute view of state sovereignty and promote the use of information technology for internal security and the control of their publics’ on-line and off-line behaviour. They do not want to restrict network intelligence (cyber espionage), either.
INTERNATIONAL LAW
The international community has vividly, and for relatively long, debated the parameters of cyberoperations, countermeasures and responses and the right of self-defence. Quite surprisingly, there is less interest in decisively tackling the peacetime protection of civilians and the civil society, and there is close to zero discussion, in the context of international cybersecurity, of cyber espionage.
Admittedly, certain aspects of international law may be legally questionable, privacy infringements comprise an obvious example. The question, turned to the intentions and consequences of espionage, quickly results in replies that nothing is broken and no harm is done – and therefore the prohibitions of the use of force and intervention do not lead to computer network exploitation, either. Yet, when the US National Security Agency had tapped the mobile phones of Chancellor Merkel and President Rousseff, Germany and Brazil tabled a UN General Assembly resolution referring to human rights - and explicitly to “arbitrary or unlawful interference with privacy, family, home or correspondence, and the right to enjoy protection of the law against such interference or attacks.”
The discussion gets somewhat more complex when the question of violation of sovereignty is tabled – this could well be the context of the (in)famous claims about sovereignty not being a rule at all in the context of cyber operations. The mainstream international cyber law discourse only underscores (and feeds) the appetite to conduct cyber espionage without any serious legal outcry.
TAKING ACTION AGAINST CYBER ESPIONAGE
It is possible to start promoting and developing international law and peaceful relations to rein in cyber espionage. The issue is not about prohibiting either espionage or defence.
If, and when, cyber espionage is identified as a serious cyber security challenge and national security concern, cyber security strategies should contain explicit countering lines of action. For effective prioritization of efforts and allocation of resources there is the need to analyse the logic and conduct of cyber espionage. Based on this analysis, espionage-specific measures may include changes in penal, administrative and cyber legislation, improved confidentiality of data, increasing situational and work force awareness as well as developing professional and academic programs. The analysis should also reveal areas and threats which may be less prioritized.
Similarly, states need determined and creative diplomatic manoeuvring to gather a group of like-minded countries to counter the threat of the cyber establishment. There is the need to draw a clear line between the tolerable and intolerable state behaviour in cyberspace. States can demand political (public) control of intelligence activities, restrict intelligence targets and, based on the exposed incidents start drafting more binding political and normative measures. Instead of dictating, states need discussion and global diplomacy pursuing shared understanding. Based on our observations of numerous cyber capacity-building events, desire for this kind of policy and diplomacy is increasing.
States should not accept the self-righteous justification President Obama offered for the NSA’s activities abroad, which did not mention the NSA-Merkel issue:
[t]he legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas. This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available.”
There are restrictive legal views on espionage. Apart from the harm arguments, as discussed above, it is hard to see how any cyber operation, including computer network exploitation, would stand the test of good faith, friendly relations, international cooperation or even peaceful settlement of disputes – all part of international law in their own right. A good exercise would be to examine what makes states and some scholars go to such great lengths to justify the ‘no-problem’ view of cyber espionage.
Is it true there are no victims, no escalatory tendencies, no harm and no impact whatsoever on the target governments, societies or international organizations? If the answers to these questions are negative, states need to determine whether or not international law has anything at all to contribute to this discussion? Or how should the claim that every state has some sort of national legal consequences for conducting espionage be read? That cyber espionage is not an international issue? What possible reading is there of the currently seemingly life-long exile of Edward Snowden and the 140 years of imprisonment facing Julian Assange? Their putative penalties signal that espionage is a tradecraft that powerful countries want to be free to exercise but are willing to go to great lengths to mute both the existence of and any discussion. Or, if espionage indeed has not been problematic under international law for a long time, is cyber espionage changing the scene? The presumed silence of international law should not stop but ignite debate how to develop international law to better shape a friendlier and more peaceful public international order.
States that: care about their independence and rule of law; have suffered cyber espionage both from adversarial and “friendly” actors; and do not consider the current practice of cyber espionage as conducive of developing shared understanding of and responses to issues of cybersecurity, all need to make a move at least towards the discussion of the issue. Opinions, political, legal as well as public, even slowly evolving to restrict or other wise restrain peacetime cyber espionage will make it harder for the superpowers to step outside the norms.
ENEKEN TIKK AND MIKA KERTTUNEN
Dr.Iur. Eneken Tikk and D.Soc.Sc Mika Kerttunen are founders of the Cyber Policy Institute, an independent consultancy specialized on cyber diplomacy, regional capacity building, IT law and policy. Together with the Erik Castren Institute, Eneken and Mika are running the 1nternat10nal Law project. Their current research focuses on friendly relations, peaceful settlement of disputes and cyber conflict prevention.
