8 minute read
Jean-Louis Gergorin /Léo Isaac Dognin, Paris Democracies must learn to withstand, in peacetime, a permanent war in cyberspace Governance remains the number one challenge
Democracies must learn to withstand, in peacetime, a permanent war in cyberspace
Governance remains the number one challenge
18 by Jean-Louis Gergorin and Léo Isaac-Dognin, co-authors of Cyber, la guerre permanente (Editions du Cerf, Paris)
On 4 th October 2019, Microsoft announced that they have uncovered multiple attempts by hackers believed to be linked to the Iranian government to infiltrate a 2020 US presidential campaign 1 . While far from ground-breaking, this revelation is yet another sign of a major strategic disruption: over recent years, cyberspace has become the most fertile battleground for states and non-state actors seeking to further their geopolitical and economic ambitions. The digital world has phenomenally expanded the means and thresholds of aggression, and rendered obsolete the traditional dichotomy between war and peace. Over the years, western democracies have found themselves on the back foot against a boom in cyber threats. At the heart of their vulnerability is their struggle to grasp and act on the full scope of cyberspace.
Cyberwarfare is a reality Cyberspace encompasses all the global hardware and software means of storing, processing and transporting bits and bytes, but also, and most critically, all the information-content of that data. Cyberwarfare is the offensive use of these multiple components with the purpose of exerting influence or control over an adversary. Practically speaking, it can take the form of hacks that seek to compromise the confidentiality or integrity of digital systems for the purpose of espionage or sabotage, but also of assaults on the integrity of the information sphere, such as the mass dissemination of fake, biased or incomplete information through digital media. To cite only a few examples, the disruption and partial destruction of Iranian centrifuges by the Stuxnet malware in 2010, the North Korean-led hack of Sony Pictures in 2014, the mailbox hacks of Hillary Clinton’s presidential campaign and the targeted social media propaganda operation orchestrated over the course of 2016 by a constellation of Russian-affiliated actors (most prominently, Russian military intelligence and the Saint Petersburg based Internet Research Agency), and, last but not least, the WannaCry and NotPetya attacks of 2017 have all made for headline-grabbing news. Far from being isolated events, such operations are increasingly part of integrated strategies that seek to undermine an opponent by acting under the threshold of open warfare. At this early stage of cyber competition, there are clear winners and losers. China and Russia were quick to recognise and experiment with the asymmetric opportunities of cyberspace. China first specialised in the cyber theft of western intellectual property assets. Today, its leaders see digital technology as a major way towards global economic leadership. Russia, for its part, has made cyber operations a key component of what it considers its legitimate response to western attacks on its sovereignty and sphere of influence. Following a string of events that range from endorsements of the “colour revolutions” by American officials and US-based NGOs to the enactment of economic sanctions against Russia, Moscow saw in cyber-attacks an opportunity to hit western countries at their weakest point while remaining below the threshold of open warfare. Smaller actors, namely Iran and North Korea, have also recognised the extent to which cyber operations can transform an
Jean-Louis Gergorin
Photo: private
is the owner of JLG Strategy, an aerospace and defence consultancy. He teaches a course entitled “The New Strategic Upheaval” at Sciences Po Paris. An alumnus of Ecole Polytechnique, Ecole Nationale d’Administration and the Stanford Executive Program, he is the co-founder of the French-American Cybersecurity Conference. He was previously inter alia Executive Vice-President (Strategy) of EADS (now Airbus) and Head of Policy Planning of the French Foreign Ministry.
photo: © vectorfusionart, stock.adobe.com
United States has come a long way since 2017, bolstering its defensive and offensive doctrine and capacities in cyberspace, to the point of pre-emptively knocking IRA servers offline in the run up to the 2018 midterm elections, and ensuring an increasingly active ‘forward’ presence on foreign networks to defend its own critical infrastructure. Similarly it has been revealed by Reuters on October 16 th that at the end of September a US cyberattack targeted the Iranian digital propaganda apparatus. Our Old Continent, however, remains a step behind on both fronts. Europe has struggled to weigh in coherently against “digital powers”, whether they be states or private enterprises, and several EU Member States have already faced serious challenges to their electoral processes and wider security in cyberspace.
Governance in cyberspace is the challenge Governance remains the number one challenge: no one would contest the fact that the internet is now a vital global infrastructure yet there is no international body in charge of protecting it. What the International Civil Aviation Organisation (ICAO) is for commercial aviation or the International Atomic Energy Agency (IAEA) for nuclear energy simply does not exist in the cyber sphere. To date, the only significant initiative in this direction is the Paris Call for Trust and Security in Cyberspace launched by President Emmanuel Macron in November 2018. This code of good conduct in cyberspace has the merit of hailing signatories from 67 States, 139 international and civil society organisations, and 358 private companies and its principles have already started to positively influence UN debates on global cybersecurity. However, it lacks the signatures of the USA, Russia and China. As we argue in our book, the creation of an “International Cybersecurity Agency” is essential, and it will only see the light once major powers agree to mutual confidence-building measures in cyberspace. At a European level, the Council agreed on two major decisions in 2019 to improve governunfavourable balance of power. Iran’s response to the Stuxnet attack is most telling: within the space of two years after discovering the US-Israeli malware, Iran was able to mount a series of incursions on US financial institutions that completely inhibited President Obama from further cyber offensive actions. After two decades of overconfidence in their cyber intelligence collection, US officials were alarmed to discover foreign actors’ proficiency in hacking into their critical infrastructure, and completely caught by surprise by the information attacks that took place during the 2016 presidential campaign. That said, the Léo Isaac-Dognin
is an engagement manager at Capgemini Invent in Paris, where he advises public and private organisations on digital strategy and artificial intelligence. He holds a BA from the University of Cambridge and a joint MPA/MIA from Columbia University and Sciences Po, focused on technology and policy. He also lectures at Sciences Po Paris. He previously worked for the UK’s Financial Conduct Authority as a financial crime analyst and policy advisor. Photo: private
ance and security. First, on 9 th April, the Council adopted the Cybersecurity Act, thereby establishing EU wide certification schemes and transforming the current ENISA into a EU Cybersecurity Agency. Secondly, on 17 th May, it decided to give the EU the capacity to sanction persons or entities directly or indirectly responsible for cyber-attacks against its institutions or Member States.
Information sharing and partnering These moves are significant but remain insufficient to cope with two emerging challenges. First, states are seeing an increasing amount of ”pre-positioning” cyber-attacks against their critical infrastructures, particularly in the energy sector. While implants may be innocuous, they put targets at risk of sabotage at the will of an aggressor, with potentially devastating effects. This very capacity serves to pressure the targeted country. Secondly, artificial intelligence will soon make attribution far more difficult, reducing a target’s ability to retaliate, and increasing the risk of escalation in the case of ”false flag” attacks. To face these challenges, the cyber commands and intelligence agencies of the most capable and determined Member States must reinforce information sharing, and develop common plans of response to attacks below the threshold of open warfare. In spite of Brexit, partnership with the UK remains essential. In addition, we recommend the establishment of a cyber innovation unit within the new Directorate-General for Defence, able to work with the private sector in agile ways that reflect the speed of technological change and to grant contracts exclusively based on the technological merits of their proposals.
1 Media reports suggest the target was President Donald Trump’s re-election campaign: https://reut.rs/2AOGkYB
PUBLICATION Cyber, la guerre permanente, by Jean-Louis Gergorin and Léo Isaac-Dognin (2018, Editions du Cerf).
20 Call for papers
Annual Privacy Forum 2020
The European Cybersecurity Agency (ENISA) issued a call for papers for the 8 th
ENISA
Annual Privacy Forum (APF) to be held on 4-5 June 2020 in Lisbon, Portugal, in collaboration with the Católica University of Portugal, Lisbon School of Law. Bringing together contributions from policy, research and industry, the conference seeks to support the implementation of information security in the area of privacy and personal data protection.
The APF sets the stage for discussions of research proposals, solutions, models, applications and policies. In the last few
years, the APF has also developed a deeper industry footprint, to complement its original research and policy orientation.
The conference is looking for papers presenting original and previously unpublished work on the themes of data protection
and privacy and their repercussions on information security technology, business, government, law, research, society and
policy. Policy makers and implementers, Data Protection Authorities, industry, research, consultants, NGOs and civil society
are invited to contribute, as the forum aims at broad stakeholder participation that stimulates interaction and the exchange of
opinion.
To promote the participation of young researchers, the submission of papers by students is particularly welcome.
The deadline for submission is 17 th
January 2020.
More information: https://privacyforum.eu/call-for-papers
