A Netflix documentary “The Great Hack” explores how a data company called Cambridge Analytica came to symbolize the dark side of social media in the wake of the 2016 U.S. presidential elections and its involvement with the Leave.EU campaign by the Brexit Party in the U.K. The power of social media companies such as Facebook, and the abuse of their data by other companies, seems to be growing. As a consequence, Facebook recently created a Facebook Supreme Court. Apparently, Facebook must create its own mechanisms of self-regulation. One might even ask if social media companies now have the power of governance?1 This makes me wonder … where are our governments that should be promoting and protecting democratic principles? Yes, also on social media. In this article I will briefly examine the remarkable rise of Forum for Democracy (FvD), a conservative, right-wing populist, Eurosceptic political party in The Netherlands. Throughout this article I will argue that FvD has most successfully bought its political power and influence through social media by running its lie machine most effectively. This is problematic because these lie machines generate false explanations that seem to fit the facts, erode trust in institutions, and abuse the ability to shape behavior for profit or power based entirely on self-authorization with no democratic or moral legitimacy. Finally, this article concludes by stating that using weapons-grade communications tactics, such as micro targeting groups with political propaganda through social media in elections, has become the new normal. Even in a Western European democratic country like The Netherlands.
The rise of the lie machine(s)
FvD was founded in late 2016. The party first participated in elections in 2017, winning its first two seats out of 150 in the House of Representatives. But in the 2019 provincial elections, FvD won the most seats of any party: a staggering 86 seats out of 570 in total. What explains this success? It is their use of social media platforms such as Facebook and Twitter, and their ability to exploit micro targeting better than other political parties. A quick analysis of a Facebook Ad Library data set clearly shows the numbers.2
I have filtered the data set on ads in The Netherlands and sorted it in descending order of amount spent. I have excluded campaigns that cost less than 5,000 EUR. FvD spent significantly more than the Socialist Party (SP), the number two on the list. FvD spent almost 32 times more than the Party for the Animals (PvdD). Leading up to the provincial elections in 2019, insiders state that approximately 2 million was spent on ads through social media, including Facebook.3
This is problematic because such micro targeting is basically political propaganda organized as lie machines. As Howard explains: “Lie machines are large, complex mechanisms made up of people, organizations, and social media algorithms that generate theories to fit a few facts, while leaving you with a crazy conclusion easily undermined by accurate information. By manipulating data (often illegitimately harvested, bought or stolen) and algorithms in the service of a political agenda, the best lie machines generate false explanations that seem to fit the facts”.4
Lie machines consist of three main components:
Producer of lies that serve an ideology or the interests of political elites; the producer of lies in this case is the political party FvD itself.
Distributor of lies; the distributor of lies in this case is social media such as Facebook.
Marketer of political lies; the marketer of political lies concerns him- or herself with tailoring the lies to an individual based on micro targeting.
This tailored political propaganda leads to the creation of lies in text, videos and images that are specifically targeted at a micro group, based on privacy-invading parameters that the marketer has somehow obtained.5 Because we hand over all our data, containing our thoughts, emotions and preferences, for free in order to “connect with our friends and family”, Facebook is able to monetize this data as a commodity. This commodity is of high value to commercial organizations that want to sell their products or services. Recently, dictators in fragile states and political parties in democratic societies seem to tag along in their quest to retain or obtain power and influence. The lie machines no longer participate in a public debate, in front of different audiences and against opponents with different views on societal issues, that would challenge the ideology of a political party. Instead, the debate is now highly dispersed across several social media platforms. A level playing field where politicians pitch their ideas to potential voters and defend their views on societal issues is becoming less important. Instead, the lie machine goes directly to its audience based on micro targeting. This is problematic for a democratic society. The Ministry of the Interior and Kingdom Relations is working on a new law for political parties to tackle this problem.6 The law will contain rules for financing a political party and for how a party shall be organized, and on top of that it will try to restrain uncontrolled digital campaigning such as micro targeting via social media platforms. Zuboff, the author of “The Age of Surveillance Capitalism”, has this to say about such practices: “The power to shape behaviour for others’ profit or power is entirely self-authorising. It has no foundation in democratic or moral legitimacy”.7
Conclusion
A final remark on buying political power through Facebook by gearing up sophisticated lie machines that occasionally cross ethical borders relates to something even more obscure. The lie machine tactics employed by the likes of Cambridge Analytica and FvD are not as innocent as they might seem at first sight. “So what if they are using my personal data to micro target me with a personalized message?” Well, first of all, it is not an ad to buy toothpaste because you googled something or liked a certain Facebook page. It is about our democracy and the political parties to which we transfer our public voice in order to represent our interests. Should we transfer our voice, through this commercialization of personalized political ads based on a digital profile, to the selection of our potential new Prime Minister? Secondly, the methodology used by lie machines, via large data sets and micro targeted campaign ads carrying cleverly crafted different messages from the same political party, is considered “a weapon, weapons-grade communications tactics, which means that we had to tell the British government if it was going to be deployed in another country outside the United Kingdom”.8 Apparently, it has become the new normal to deploy such tactics on our own citizens, and it is tolerated, although more attention is now being given to these practices with a view to controlling the currently unlimited and still uncharted ground on which the “hearts and minds” of voters are won. By any means necessary, apparently.
4 [2020. Howard, Philip N. Lie Machines: How to Save Democracy from Troll Armies, Deceitful Robots, Junk News Operations, and Political Operatives. Chapter 1, p2]
In this article, the intersection of Dutch politics and cyber security will be briefly examined by exploring the party programs of the Government’s political parties. This intersection covers issues such as defense, entrepreneurship & trade, innovation, privacy, and public justice.
Illustration 1: Seat allocation in the House of Representatives
The political parties that constitute the Dutch government are VVD, CDA, D66, and ChristenUnie. Therefore the political programs of these parties have been selected and reviewed, starting with the biggest political party and ending with the smallest. By selecting only the programs of the political parties that form the Dutch government, not all political views are taken into consideration. However, the Ministers and State Secretaries are all selected from these parties and thus will probably have more impact than the opposition on the strategies, policies and plans of the Ministries of Defence, Foreign Affairs, Interior and Kingdom Relations, and Justice and Security. These four Ministries have published extensively on cyber security issues. This will be examined in a different article as part of this series on “The current state of Dutch politics and cyber security issues”.
Political party programs and their perspectives on cyber security issues
VVD (Conservative liberals)
This party places emphasis on countering radicalization, jihadism and terrorism. They argue for an increased budget and capabilities for the intelligence services that match new technologies and novel means of secure communications, in order to monitor and track potential terrorists. While acknowledging the use of the internet by potential terrorists, there is no shortage of criminal activities taking place on the internet as well. The following measures are proposed:
More investigations and harsher prosecution of cyber crime;
Public awareness and education on how to safely use the internet;
Use of specialized teams that can hack and closely work together with banks and companies;
More knowledge and expertise available at the police and prosecution regarding computer-related crime;
Protection of vital digital systems and networks;
It seems that this party is also worried about the ability of criminals to “shut down” the country with a cyber attack. Offensive and defensive cyber capabilities for the Dutch Ministry of Defence (MoD) should be operationalized and put to good use. Preferably with the best in class, by focusing on the modern and flexible employee benefits that allow private companies to attract and hire the best hackers better than the MoD can.
The benefits of having good overall cyber security maturity levels go beyond national security alone. They extend to commerce, entrepreneurship and innovation. The Netherlands has to promote itself as a “safe place to do business”. Protecting digital systems and networks from malicious intentions is essential to keep the economy going, to safeguard privacy and to keep governmental secrets safe from criminals, hackers and state actors. The use of (new) encryption technologies and data hosting solutions is identified as a noteworthy area of interest to boost this ambition.
The last item on their political party program seems to be the ambition to create a new formal position for some sort of Minister of Technology (including cyber security).
CDA (Christian democrats)
According to the Christian democrats, the whole-of-government does not yet have an effective response to cyber crime. A major catch-up is required. Criminals have plenty of free space to roam around the internet conducting their malicious activities. Thus, more authorizations ought to be transferred to the police and the judiciary to hack networks and devices, copy data, decrypt encrypted messages, conduct observations and wiretap communications.
In case of severe illegal acts, a suspect could be compelled by an “encryption warrant” to decrypt encrypted devices or data. Investing in more knowledge and expertise at the police is also to be done through establishing highly specialized units. Children and young adolescents should be better protected against cyberbullying, and “revenge porn” must be made punishable.
Citizens’ control over their own personal data is insufficiently protected by current laws, which are from the “analog” era. Most of our personal data is now owned by major foreign companies that sell this data to make profits or lose huge amounts of data in breaches due to a lack of cyber security measures. This abuse must be prevented with better and more modern laws.
In order to increase national security and international stability, intensive cooperation is required when it comes to dealing with cross-border crimes, human trafficking and terrorism, by means of sharing information, coordination and joint investigations.
D66 (Social liberals)
The Netherlands should be a digital front runner and digital safe haven by 2030. However, this shall be achieved by balancing technological advancements vis-à-vis the right to privacy and the protection of consumers’ data. The rise of a ‘data proletariat’ must be avoided by protecting the weakest in society from big tech companies selling their personal data and from constant monitoring by a surveillance state. Consumers and citizens should be made aware of what kind of personal or sensitive information is collected and shared. Giving control back to the individual over what is and is not shared benefits liberty of choice and autonomy.
To better serve cyber security, the National Cyber Security Center (NCSC) ought to be truly independent, similar to the National Institute for Public Health and the Environment (RIVM), in order to avoid unwanted influence from Justice & Safety or the General Intelligence and Security Service (AIVD) on its public advice. Furthermore, policies for responsible disclosure by white hat hackers should be more vigorously drafted and put into practice, especially by producers of consumer electronic goods with chips that can be accessed from the internet.
Defence needs to be able to conduct cyber warfare operations by strengthening the Defence Cyber Command (DCC), the intelligence services and their networks. Intense collaboration between the government, academia and companies will be required. This will lead to protecting our data and our export position. Specializing Defence in a niche capability such as the ability to conduct full cyber warfare operations needs to be prioritized.
Technological changes are evolving rapidly and their impact on society is increasing. Cybercrime is seen as a threat resulting from these changes. The Netherlands’ competitive advantage is linked to its digital infrastructure and the level of cyber security practices implemented. Thus, more companies and individuals in the field of cyber security shall be attracted. However, this digital growth agenda needs to take into account the preservation of human rights. Such an agenda is typically cross-disciplinary, so coordination is required: a so-called “digital triangle” between several Ministries and independent supervisors. Finally, an “iPlatform” shall be instituted where citizens and organizations will be able to critically reflect on the relation between technology and fundamental human rights.
ChristenUnie (Conservative Christian democrats)
Pornographic material involving children must be combated by specialized teams of detectives that know their way around the darknet. Because of our highly digitalized economy we are vulnerable to online threats. Having a thriving cyber security sector is important to prevent and recover from malicious activities. Start-ups shall be financially stimulated, and start-ups and scale-ups should have an advisory role in “e-governance” issues like cyber security.
The cyber threats from state and non-state actors increase international instability and have an impact on our national security. This multi-faceted threat requires Defence to be able to deal with it. Acknowledging the cyber domain as a new domain in which to conduct warfare, we need to invest in acquiring new knowledge, expertise and capabilities in order to have a future-proof Defence.
Synthesis
Among the political parties, the agenda for cyber security issues is set along at least four narratives. The first one that stands out relates to crimes against citizens and companies. Politicians are worried about full-blown cyber attacks that could shut down the country, criminals that steal and sell sensitive data, and predatory pedophiles roaming free on the darknet. The solutions proposed are mainly to invest in strengthening the police apparatus and justice department so that they grasp the inner workings of the internet and how all kinds of different websites and applications facilitate criminals and pedophiles in conducting their malicious activities. There is an overall consensus to strengthen the capabilities to hack into suspicious networks and devices used for criminal activities, followed by identifying suspects and prosecuting them. The right to privacy and the use of encryption should no longer apply to suspects of severe criminal acts.
A second narrative that most parties apparently find important enough is the ability to engage in cyber warfare, meaning to defend against state and non-state actors or to attack on behalf of national or international interests. Defence should not try to do this on its own, but by closely collaborating with academia and companies. Making the strategic decision to focus on sharpening just one or a few weapons from the arsenal instead of everything is proposed, in order to become a specialized Defence organization instead of a generalist organization that can do a lot but nothing really well. However, this implies that conducting cyber warfare is independent from land, sea, air and space capabilities, which is not the case.
The third narrative relates to linking cyber security with economic prosperity. Having a stable and secure digital infrastructure with proper laws and regulations attracts big tech companies to do business. However, this may conflict with the desire to safeguard the privacy of citizens. The privacy of citizens is at stake when cyber security measures are not in place. Big companies that hold much of our data get continuously breached by hackers and criminals for commercial gain. And if not breached, more and more companies thrive on a business model that offers their services for “free” while making profits by selling your personal data. The need for the protection of the so-called “data proletariat” is a striking analogy.
A final narrative presented is that the government itself is in need of an upgrade: for example, through the establishment of a new Ministry of Technology including cyber security, the creation of better and more modern laws to keep up with technological advancements including both their benefits and dangers to society, or some sort of platform where questions and concerns about the relation between technological advancements and fundamental human rights are addressed.
These four narratives reveal that all of the cyber security related issues are, to paraphrase DeNardis (2014), deeply political in the sense of involving direct multi-stakeholder governance of technical infrastructure that has direct social implications, and that online attacks such as DDoS are often deployed as a proxy for political activism or even as part of warfare. Whatever narrative a political party wants to focus on, most of the time it comes down to an important debate in which degrees of internet freedom, related to privacy, expression or earning money, are negotiated against the conflicting values of national security and law enforcement.1
1 [2014. DeNardis, Laura. The Global War for Internet Governance. Chapter 10, p243]
Cryptography is both an art and science. It requires a scientific background and a healthy dose of “black magic”. That is, a combination of experience and the right mentality for thinking about security problems.
Chapter 1, p3
This makes me wonder, is everyone able to think about security problems? What kind of security problems are we looking at? During my time studying Political Science and Military Strategic Studies I came across many security related concepts and issues. People that work in security for the government or a company apply their knowledge and expertise in a different way than security experts in cryptography engineering.
But even though their experience and mentality are applied differently to tackle security problems, they have at least one thing in common. That is to protect something or someone from something or someone.
Another major difference that I have experienced between a social sciences type of security professional and a cryptography engineering security professional has to do with understanding the adversary. A cryptography engineering security professional is not really interested nor motivated to analyze the intentions or motivations of the adversary. It’s just “Eve” who is eavesdropping. We don’t know why, but it happens. Period. Whereas a social sciences security professional will try to analyze motivations and foresee threats based on politics and international relations, and will then implement security measures (or not).
And of course, another difference relates to the “asset” that needs protection. A government representative will look at its security assets on a much higher level of abstraction, in the realm of ideas and social constructs such as national security or economic security. The security engineer will focus on physical systems comprising hardware components and software containing 0’s and 1’s. About the information itself … the security engineer (most of the time) has no actual clue. All that he/she will know is that the information managed on that system must be of extreme value to its users. Else, why bother making secure systems?
Cryptography research contains a wide range of topics, including computer security, higher algebra, economics, quantum physics, civil and criminal law, statistics, chips designs, extreme software optimization, politics, user interface design, and everything in between.
Chapter 1, p3
What I really enjoy about this quote is that it emphasizes that cryptography is an extremely varied field. I can completely get lost in this fascinating and important field because I have gotten to learn about cryptography from such different angles daily since 2016.
So here is your first lesson in cryptography: keep a critical mind
Chapter 1, p4
This first lesson really resonates with me. A fun fact about me: when I was about 18 and started going to University, I created a group on one of the first really big social media platforms, “Hyves”, called “Critical Students” :). I know, this did not make me very popular. But to me it felt good. Most people do not like to be critical because it makes them “tired” of always thinking about something that can be improved. Also, most people don’t like to be criticized because they take the criticism personally. And, of course, most people don’t like to give critical feedback out of fear of hurting someone’s feelings. Learning to think critically, and to give and receive critical feedback, is not easy but I think it can be very, very valuable. Especially when you are trying to build a secure system that needs to protect valuable assets. This is where the term “professional paranoia” comes into play.
Cryptography by itself is useless
Chapter 1, p4
Just like putting a lock on a tent to protect the valuable assets inside it, cryptography by itself is indeed useless. The adversary can easily open the tent without ever attempting to break the lock (or trying to decrypt). Or what about having a lock, locking it, but keeping the key in the lock or badly hidden underneath the carpet at the front door :).
Furthermore, cryptography is always part of a much larger security system and must be able to distinguish between good and bad access. This is the most difficult part of cryptography. Keeping everyone out of a system is way easier, but completely useless. Cryptography is only useful if the rest of the system is also sufficiently secure against adversaries. And the rest of the system can contain many, many different sub-systems (people, procedures, quality assurance, supply chain, bugs, unknown vulnerabilities, new technologies, law, politics, insider threats, weak design, etc.; the list can go on much further). However, once the burglar has the key to your home, he or she can steal anything without leaving traces. Thus, using a strong enough lock (encryption) and safeguarding your (digital) key is very important.
“A security system is only as strong as its weakest link”
No matter how strongly parts of a system are designed, if there is one weak link in the system … the attacker will try to attack the part where the system is at its weakest. In order to improve the security of a system, the weakest link needs to be improved first. But finding out which parts are part of the security system and which ones are weak requires extensive security analyses and in-depth knowledge about the system itself and the type of adversaries that could attack it (more on this later in blogs about Red Teaming).
A simple, yet efficient way to find these weak links is to use a hierarchical tree structure (an attack tree):
Steal car
    Use physical key
        Steal key from driver’s house
        Steal key from driver
        Force driver to hand over the key
    Use cloned digital key
        Copy signal from key with electronic device and transceiver
    Tow away
        Lift car onto a truck without activating the alarm
        Disable the alarm
    Break the window
Each link (node) can be analyzed and split up until only single components are left. This can be a lot of work for a real security system. Attack trees provide valuable information about possible lines of attack. Securing assets without first doing such an analysis is not a very good idea, and it is likely that the measures taken only give users the feeling that their assets are secured instead of knowing it.
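To show how an attack tree turns into a defender's priority list, here is an added example (my own code, not from the book or the post) that encodes the car-theft tree above with constructed, arbitrary attacker-cost estimates on the leaves. OR gates take the cheapest child and AND gates (supported, though the post's tree only uses OR) sum their children, so the cheapest root path is the weakest link; hardening a leaf that is not on that path does not change the attacker's best option, which is the point of the quote that follows.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: the car-theft attack tree from the post, with made-up
# attacker costs (relative units) so the weakest link can be computed.


@dataclass
class Node:
    """A node of an attack tree. Leaves carry an estimated attacker cost;
    inner nodes are gates that combine their children."""
    name: str
    gate: str = "OR"                # "OR": any one child suffices, "AND": every child is needed
    cost: Optional[float] = None    # only meaningful for leaves
    children: list[Node] = field(default_factory=list)


def cheapest(node: Node) -> tuple[float, list[str]]:
    """Return (cost, path) of the least-effort way to achieve `node`.
    OR gates take the minimum over children; AND gates sum all children,
    since the attacker must succeed at each of them."""
    if not node.children:
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.gate == "OR":
        cost, path = min(results, key=lambda r: r[0])
        return cost, [node.name] + path
    total = sum(cost for cost, _ in results)
    return total, [node.name] + [step for _, path in results for step in path]


def harden(tree: Node, leaf_name: str, extra_cost: float) -> Node:
    """Model a countermeasure as raising the attacker's cost of one leaf.
    Returns a new tree; the original is left untouched."""
    new_tree = copy.deepcopy(tree)

    def walk(node: Node) -> None:
        if not node.children and node.name == leaf_name:
            node.cost += extra_cost
        for child in node.children:
            walk(child)

    walk(new_tree)
    return new_tree


def build_car_tree() -> Node:
    """The post's car-theft tree; every gate is OR and the costs are constructed."""
    return Node("Steal car", children=[
        Node("Use physical key", children=[
            Node("Steal key from driver's house", cost=40),
            Node("Steal key from driver", cost=60),
            Node("Force driver to hand over the key", cost=90),
        ]),
        Node("Use cloned digital key", children=[
            Node("Copy signal from key with electronic device and transceiver", cost=30),
        ]),
        Node("Tow away", children=[
            Node("Lift car onto a truck without activating the alarm", cost=70),
            Node("Disable the alarm", cost=50),
        ]),
        Node("Break the window", cost=20),
    ])


def prioritize(tree: Node, rounds: int) -> list[str]:
    """Fix the weakest link first, repeatedly: each round hardens the leaf on the
    current cheapest path and records it. The result is a defence work list."""
    order = []
    for _ in range(rounds):
        _, path = cheapest(tree)
        weakest = path[-1]          # the leaf that ends the cheapest path
        order.append(weakest)
        tree = harden(tree, weakest, 100)
    return order


if __name__ == "__main__":
    tree = build_car_tree()
    print("weakest link:", cheapest(tree))
    # Strengthening anything but the weakest link leaves the attacker's best option unchanged.
    print("after hardening a strong link:",
          cheapest(harden(tree, "Force driver to hand over the key", 100)))
    print("work list:", prioritize(tree, 3))
```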
Strictly speaking, strengthening anything but the weakest link is useless
Chapter 1, p7
Engineers of security systems must design their systems for the adversarial setting. The adversaries are intelligent, malicious and persistent. They don’t play by the rules and are unpredictable. Playing defense is much harder than playing offense. A securely designed system from 10 years ago may not be so secure anymore with current technologies. The attacker only has to find one weak link and break into that part of the system to get into the whole system. The defender must take protective measures for all parts of the system. So, there is a fundamental imbalance between the attacker and the defender.
To work in this field, you have to become devious yourself
Chapter 1, p8
The adversarial setting calls for a healthy “professional paranoia”. Such a security mindset has benefits. Security problems exist in most systems. And that is alright. There is no such thing as a 100% secure system, as I noted before. Discussing attacks on vulnerabilities should always be about something and not specifically about someone (unless a flaw is purposefully designed to exploit the vulnerability, i.e. a backdoor).
Threat modelling is an important part of designing secure systems. Questions to ask and find answers to should be something like:
“What are the assets of value?”
“What are the threats?”
“What are the motivations?”
“Who would be capable and willing to transform these motivations into an actual attack?”
Assessing the security of a system needs to be performed with a designated threat model in mind. The persons responsible for establishing such a threat model have a big responsibility: to avoid a painful mismatch between the threat and the system to be designed, or to be put into operation.
Governmental organizations involved in information security typically use so-called Risk Reduction Overview (RRO) methods, with benefits such as:
Rethink the design
Optimize the design
Review of risks
Review of measures
The Chief Security Officer gets lists of residual risks
Review a design after changes to risks
Inspiration for a new design
You should have a look at the post Security Risk Management on this blog for more on the RRO, the tool and an example to encourage thinking (and playing) with risks, measures and residual risks in (socio-technical) systems that secure assets.
Cryptography is not the solution, is very difficult, and is the easy part
Chapter 1, p12-13
With quotes like these … why even bother trying to understand cryptography engineering? Good question! Cryptography can be something like voodoo. It’s a feeling … A feeling of security because there is a digital lock on it.
Remember the picture with the lock on a tent? …
Therefore, cryptography is always just a part of the security solution for a secure system. Cryptography is also difficult because of the weakest-link property and the adversarial setting. Furthermore, there is no known way to test the security of a system.
Still, cryptography is one of the “easy” parts of a secure system because of its well-defined boundaries and purpose. Securing an entire system with users, procedures, a supply chain, the poor quality of much software on surrounding components, key management/storage, network security, etc. is much harder.
Then there is the fact that there are generic attacks that no amount of cryptography can fix. These generic attacks typically take place outside the secure system. It is important to realize the possibility of generic attacks, otherwise you might be trying to solve an unsolvable problem. An example: controlling the copying of digital material on a secure workstation. With a secure system, no file can be copied nor sent via e-mail over the internet outside the trusted network. The malicious actor simply takes a photo of the screen …
“Cryptography is the art and science of encryption. At least, that is how it started out. Nowadays it is much broader, covering authentication, digital signatures, and many more elementary security functions.”[1]
I find security technologists like Bruce Schneier and his blog https://www.schneier.com inspirational. They write about such important 21st century issues at the intersection of security, technology and people.
One of the main focus areas within cyber security to me is definitely cryptography engineering and gaining a better understanding of the design principles and their practical implications. That’s why I started studying the book Cryptography Engineering by Niels Ferguson, Bruce Schneier and Tadayoshi Kohno.
On this blog I will write down some of my notes, thoughts and exercises throughout the studying process. By reading, thinking and writing I will aim to learn more about this fascinating focus area.
[1] 2010. Ferguson, Schneier & Kohno. Cryptography Engineering. The Context of Cryptography. p3
In this research paper, the cyber operation “Beebus” will be analyzed from strategic, technical and (military-)operational perspectives. A conceptual model will be applied in order to operationalize military cyber operations like operation Beebus in relation to fighting power. Furthermore, operation Beebus will serve as a case study to highlight various perspectives and academic debates on cyberwarfare. Finally, this research paper will present an evaluation of how this operation may contribute to a government’s cyber capabilities and of the effectiveness of operation Beebus, and suggests countermeasures.
“China’s slow, incremental march toward a cutting-edge air force quietly continues”.[1] The development of drone technology serves two purposes for China. First, as a lucrative export product. Second, as a defense capability to deter adversaries in the South China Sea, which is of strategic importance. It is believed that China has been stealing sensitive U.S. drone technology information from at least 20 defense contractors for more than two years.[2] In 2013, the U.S. network security company FireEye, Inc. discovered this Advanced Persistent Threat (APT) campaign consistently targeting companies in the aerospace and defense industries related to drone technology.[3] This research paper will analyze operation Beebus and is structured in three sections. The first section will provide a comprehensive analysis of the operation based on the conceptual model for operationalizing military cyber operations in relation to fighting power by Ducheine and van Haaster (2014). The second section will introduce various perspectives and academic debates regarding military cyber operations like operation Beebus and cyberwar in general. The third section will provide an evaluation of how a military cyber operation like Beebus may contribute to a nation-state’s cyber capabilities and how it threatens a nation-state’s interests, and suggests countermeasures.
Section 1: Analyzing Operation Beebus
In this section operation Beebus will be analyzed based on the
conceptual model for cyber operations in relation to fighting power. In
order to understand the context of cyber operations like operation
Beebus, the following definition of cyber war is adopted (Shakarian,
Shakarian, & Ruef, 2013, p. 2): “Cyber war is an extension of policy
by actions taken in cyber space by state or non-state actors that
either constitute a serious threat to a nation’s security or are
conducted in response to a perceived threat against a nation’s
security”. By clarifying the definition of cyber war it is emphasized in
this research paper that cyber war is different from cyber security in
general because of the reference to a serious threat to a nation’s
security. This implies an explicit role for the armed forces. Malware
on an individual user’s laptop that steals credit card details or the
infiltration of a corporate network to steal intellectual property can
be a nuisance but is not part of cyber warfare. However, when the
individual is targeted because he or she is a high ranking government
official or when the corporate network is a closed network containing
classified information it can be a matter of national security indeed.
Operation Beebus specifically targeted individuals and companies with
access to drone technology in order to boost a certain country’s drone
capability development. The operation is considered an APT
campaign that lasted at least two years. APT processes require a high
degree of covertness over a long period of time with the use of
sophisticated techniques, an external command and control server for
continuously monitoring and extracting data, and the direct human
involvement in orchestrating the attack (Musa, 2014). Furthermore, in
this research paper military cyber operations are defined as (Ducheine
& van Haaster, 2014, p. 313): “The employment of cyber capabilities
with the prime purpose of achieving military objectives in or by the use
of cyberspace”. The following conceptual model to analyze military
cyber operations related to fighting power will be used (see figure 1).
Figure 1: Fighting Power and Cyber Operations. Adapted from Ducheine & van Haaster (2014).
Intelligence suggests that a group called ‘Comment Crew’ is behind the operation and it is believed to be a state-sponsored hacker group.[4] The fact that drone technology is the targeted asset aligns with the recent signs of the growing ambitions of China’s drone capability development program. However, it cannot be proven for sure that this operation has been ordered by the Chinese government. This problem is related to the question of attribution. Nevertheless, by analyzing operation Beebus it will seem likely that this was a state-sponsored (military) cyber operation by the Chinese government. A security analyst basically has to identify three things when examining a cyber operation: origin, structure, and purpose (Shakarian, Shakarian, & Ruef, 2013, p. 4). Throughout this research paper the attribution question will be answered, although not definitively. However, another problem arises because of the question of deception. Whenever an attribution is assumed, the possibility of an adversary using deception, the “deception hypothesis”, must be considered. Thus, once the likelihood that several pieces of intelligence are accurate and feasible has been assessed (attribution), it can be established whether the deception thesis should be applied by asking the right questions, such as “Does organization Z have the capability to conduct operation X?”, “Does organization Z have a reason to conduct operation X?”, “How likely is it that organization Z would have left intelligence Y indicating its responsibility?”, “Is there another organization Q that has the capability to conduct operation X?” and so on. Nevertheless, analyzing a cyber operation and its findings cannot provide real hard evidence, but this is out of the scope of this research paper.
Operation Beebus is believed to be conducted by the “Comment Crew”
and related to the “Shanghai Group” which is allegedly part of China’s
People’s Liberation Army (PLA). The Comment Crew is known for placing
encrypted HTML comments embedded in benign websites, transforming them
into malicious websites. During operation Beebus, companies in the
aerospace and defence industries, and academia have been consistently
targeted for gathering research design and manufacturing details of the
latest U.S. drone technologies. Furthermore, the malware was delivered
in socially engineered documents and whitepapers related
to South Asian military affairs and international relations. If it is
assumed that the Chinese government is in some way involved in operation
Beebus it could be argued that the following instruments and components
of power have been used. Betz & Stevens (2011, pp. 45-53) propose
four distinct forms of cyber-power which are; compulsory, institutional,
structural, and productive. Hence, “Cyber-power is therefore the
manifestation of power in cyberspace rather than a new or different form
of power” (Ibid, p. 44).
This research paper identifies the direct and indirect use of all four distinct forms of cyber-power. First, compulsory power has been applied through coercive action and control over the behavior of humans and computers in order to steal drone technology which could potentially be used against U.S. national security interests. Second, institutional power is used to indirectly control an actor through the mediation of formal and informal institutions. China’s efforts in 2009 to have a Russian-drafted agreement approved in the international system, based on certain rules and norms of behavior in cyberspace by nation-states in favor of the Shanghai Cooperation Organization (SCO) members, is an example of a coordinated institutional power instrument.[5] [6] Third, structural power has been applied via operation Beebus because it has the potential to disrupt the status quo in the international system, where currently the U.S. is considered the global superpower. China might seek to disrupt this status quo by gathering and collecting crucial U.S. drone technology for its own interests. Specializing in conducting covert military cyber operations which are difficult to attribute does seem a powerful instrument to disrupt the status quo. Fourth, productive power is used through a mediated discourse by and enacted in cyberspace to facilitate and constrain social action. China released reports and statements countering U.S. claims with their own charges of cyber-espionage conducted by the U.S.[7] By doing so, China might strive to persuade nation-states that are not friendly towards the U.S. and tip the mediated discourse balance in favor of China.
It is difficult to assign operation Beebus into a single threat
category in relation to national security mandates. It is also important
to understand that national cyber security is not one single subject
area. The following five distinct mandates are mentioned by Klimburg and
Mirtl (2012) which are: Military cyberactivities; counter-cybercrime;
intelligence and counter-intelligence; critical infrastructure
protection and national crisis management; and cyberdiplomacy and
internet governance. Operation Beebus has elements of social engineering,
e.g. the ‘weaponized’ pdf files with specific titles to spur the interest
of a target. Also, there is the stealing of intellectual property and
espionage. The operational Tactic, Technique and Procedure (TTP) applied
in operation Beebus is spear-phishing. Socially engineered emails with
pdf attachments in the form of documents and reports by well-known
companies such as Boeing and KPMG and white papers with titles such as
“Pakistan’s Indigenous UAV Industry” were sent to persons of interest.
The technical TTP applied is modifying pdf files using Ghostscript in
order to infect users with malware using a well-documented vulnerability
known as DLL search order hijacking. Upon opening the pdf file a DLL
(trojan) is dropped in the C:\Windows directory and will persist on the
device. Then, it sends back an initial GET request to a Command and
Control (C&C) server which is traced back to somewhere in China. The
trojan collects information from the computer and sends back encrypted
information in order to avoid detection. However, this C&C server
used a TCP Proxy tool in order to disguise either the true source or
destination of the stolen information traffic. Thus, it is clear to see
that the attribution problem arises and that the deception thesis needs
to be taken into account. Nevertheless, intelligence suggests that the
Chinese government is somehow directly or indirectly involved based on
targeted objects and persons, and the operational and technical TTPs.
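The check-in pattern described above (an initial GET, followed by regular encrypted reports to a server that is itself reached through a proxy) is what a network defender can look for in web-proxy logs. The following is an added example, not code from this paper or from FireEye’s report: a Python heuristic that flags client/host pairs whose GET requests arrive on a machine-regular timer and whose destination is contacted by nobody else in the organization. The log format, the host names (`updates.example-c2.test`, `intranet.example.local`), the client addresses and the timings are all constructed for illustration; no real Beebus indicator is reproduced here.

```python
"""Periodic-beacon detection over web-proxy logs (added example, not the paper's code).

A dropped trojan that checks in with its command and control server
tends to do so on a timer, with small same-sized requests, to a host
no one else in the organization talks to. Each property is a weak
signal on its own; together they make a usable heuristic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (not real Beebus traffic). One record per line:
# <ISO timestamp> <client_ip> <method> <url> <status> <response_bytes>
SAMPLE_LOG = """\
2013-02-01T09:00:00 10.0.0.5 GET http://intranet.example.local/index.html 200 5120
2013-02-01T09:00:03 10.0.0.5 GET http://updates.example-c2.test/x?id=ZjM2Yg== 200 214
2013-02-01T09:01:30 10.0.0.5 GET http://intranet.example.local/news.html 200 8840
2013-02-01T09:05:03 10.0.0.5 GET http://updates.example-c2.test/x?id=ZjM2Yg== 200 214
2013-02-01T09:07:12 10.0.0.5 GET http://intranet.example.local/docs/uav.pdf 200 131072
2013-02-01T09:10:03 10.0.0.5 GET http://updates.example-c2.test/x?id=ZjM2Yg== 200 214
2013-02-01T09:15:05 10.0.0.5 GET http://updates.example-c2.test/x?id=ZjM2Yg== 200 214
2013-02-01T09:18:40 10.0.0.5 GET http://intranet.example.local/index.html 200 5120
2013-02-01T09:20:03 10.0.0.5 GET http://updates.example-c2.test/x?id=ZjM2Yg== 200 214
2013-02-01T09:02:00 10.0.0.7 GET http://intranet.example.local/index.html 200 5120
2013-02-01T09:12:00 10.0.0.7 GET http://intranet.example.local/index.html 200 5120
2013-02-01T09:22:00 10.0.0.7 GET http://intranet.example.local/index.html 200 5120
2013-02-01T09:32:00 10.0.0.7 GET http://intranet.example.local/index.html 200 5120
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, status, size) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        yield (datetime.fromisoformat(ts), client, method,
               urlsplit(url).hostname, int(status), int(size))


def find_beacons(log_text, min_requests=4, max_cv=0.1, max_clients=1):
    """Return (client, host) pairs whose GET timing looks like a C&C check-in.

    Heuristics (constructed for this example):
      * at least `min_requests` GETs from one client to one host;
      * the inter-request intervals have a coefficient of variation
        (stdev / mean) at or below `max_cv`, i.e. machine-regular timing;
      * the host is contacted by at most `max_clients` distinct clients,
        which filters periodic but widely used services such as an
        auto-refreshing intranet page.
    """
    times = defaultdict(list)           # (client, host) -> [timestamps]
    clients_per_host = defaultdict(set)  # host -> {clients}
    for ts, client, method, host, _status, _size in parse_log(log_text):
        if method != "GET":
            continue
        times[(client, host)].append(ts)
        clients_per_host[host].add(client)

    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests or len(clients_per_host[host]) > max_clients:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "requests": len(stamps),
                             "mean_interval_s": round(avg, 1),
                             "interval_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The distinct-client filter is what keeps the intranet page, which two hosts fetch at perfectly regular intervals, out of the findings; only the lone client talking to `updates.example-c2.test` every five minutes is reported. Malware that randomizes its sleep interval raises the coefficient of variation, so in practice this timing check is combined with other signals (constant response size, rarity of the destination across the whole estate, unusual user agents). Because of the TCP proxy mentioned above, the host seen in such a log is only the first hop, not necessarily the true C&C server.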
But is operation Beebus part of military cyberactivities? In this
research paper it is argued that it is, because in or through cyberspace
military objectives are being achieved. Namely, stealing drone
technology in order to boost the drone capability development program.
Second, the information could be used to research and develop TTPs on
how to hack the drones of potential enemies via reverse engineering and
finding exploitable vulnerabilities in a Cyber-Physical System (CPS) like drones. Finally, the
effect of such an operation increases distrust and forces countries
like the U.S. and China to engage in cyberdiplomacy. Thus, the
components related to fighting power which are affected by this
operation are physical, moral, and conceptual (Ducheine & van
Haaster, 2014, p. 305). First, the equipment and its confidentiality,
integrity and availability have been compromised. China has procured
and manufactured a drone, Wing Loong, that is very similar to the U.S.
drone, Predator, but produces and sells its drone for much less than
the U.S. version. Second, the moral component of fighting power has been
affected because this operation has raised doubts on what the Chinese
government knows about U.S. manufactured drones and what they can do
with this information. Third, the conceptual component has been affected,
which should lead to training and education for drone operators
in order to raise awareness about the possibility that drones contain
vulnerabilities and can be exploited by a willing and capable adversary.
But is operation Beebus an act of cyberwar? When a cyber operation
constitutes a significant threat to a nation’s security, it can be
considered an act of cyberwar. In the next section several perspectives
and academic debates on cyberwar will be taken into consideration and
applied to operation Beebus.
Section 2: Perspectives and Debates on Cyberwar
In this section various perspectives and academic debates on cyberwar
will be introduced. Cyberwar is a contested and loaded term (Klimburg
& Mirtl, 2012, p. 15). It is argued by Klimburg and Mirtl that a
cyberattack constitutes ‘battlefield cyberwarfare’ if military
cybercapabilities are used only within a clearly defined tactical
military mission. In the case of operation Beebus, the effects are not
limited to the operational-tactical environment. Furthermore, the
emphasis of military cyberactivities can lie on ‘strategic cyberwarfare’
that is the ability to strike at the heart of a nation (Ibid, p. 16).
Thus, operation Beebus would not fall under the national cybersecurity
mandate of military cyberactivities but more likely under the mandate of
intelligence and counter-intelligence, although distinguishing the act
of espionage from military activities is not uncontroversial. More
fittingly, discussing cyberwarfare is controversial and creating
separate mandates with separate roles and responsibilities might not be
the best way to properly deal with cyber operations like Beebus.
In 2010, a Chatham House report “On Cyberwarfare” described
cyberspace as ‘terra nullius’ and beyond the reach of a mature political
discourse (Cornish, Livingstone, Clementa, & Yorke, 2010). Therefore,
cyberspace is an attractive place for nation-states and non-state actors
to pursue certain goals. The Chinese government is believed to have
embraced cybercapabilities in order to target sensitive information from
a militarily superior U.S. and fits within the doctrine of ‘using
information superiority to achieve greater victories at a smaller cost’
(Cornish, Livingstone, Clementa, & Yorke, 2010, p. 8). It would also
be wise to realize that the strategic and military thinking in China is
not based on writings of the soldier-philosopher Clausewitz or general
Jomini like most advanced Western nations. The Chinese cyber strategy
offers room for cyber espionage campaigns like Beebus (Shakarian,
Shakarian, & Ruef, 2013, pp. 116-117). In the game of Go, the
counterpart of the game of chess, the goal is not to seek the
destruction of pawns in order to capture the king but to
conquer parts of the game space. Furthermore, one of China’s strategic
objectives is to maximize the strategic configuration of power, called
“Shi”, which refers to the ability to ensure victory over a superior
force and to set favorable conditions for when a conflict does arise
(Ibid). Hence, operation Beebus fits within the doctrine of using
information superiority, the strategy of conquering parts of cyberspace,
and setting favorable conditions for a future conflict.
Furthermore, setting the battlefield for a game of Go and
establishing Shi in order to conduct military cyber operations is backed
up with the ‘three warfares’ (Shakarian, Shakarian, & Ruef, 2013,
p. 119). These include media which is used to support the righteous
cause of China. Second, the legal justification of this cause and third,
psychological warfare to aid friendly morale and attack the enemy’s.
Even though intelligence suggests that the Chinese government is
responsible for operation Beebus, it would be wise to consider the
possibility of a Reflexive Control (RC) military operation. For Russia,
RC is one of the primary methods to interfere with the decision-making
process of an enemy commander (Thomas, 2004, p. 237). RC is defined as a
means of conveying to an opponent specially prepared information to
incline him to voluntarily make the predetermined decision desired by
the initiator
of the action (Ibid). The following describes how computer technology
creates new opportunities to RC: “In present conditions, there is a need
to act not only against people but also against technical
reconnaissance assets and especially weapons guidance systems, which are
impassive in assessing what is occurring and do not perceive to what a
person reacts” (Thomas, 2004, p. 247). Through RC, Russia could be
applying a form of ‘perception’ management through the control of cyber
operations like Beebus in order to distract, paralyze, deceive or provoke
the U.S. government into engaging in a long and costly cyber war.
Regarding the likelihood of cyber warfare, Rid (2012, p. 6) argues
that cyber war does not take place in the present and that it is highly
unlikely that cyber war will occur in the future. Rid considers
cyber-attacks merely as sophisticated versions of subversion, espionage,
and sabotage and not as an act of war because they are non-lethal.
Correspondingly, Libicki (2012, p. 335) argues that the notion of seeing
cyberspace as a warfighting domain that needs to be dominated just like
the other warfighting domains is misleading and pernicious because
superiority cannot be achieved in cyberspace. In contrast, Stone (2013,
p. 107) concludes that cyber-attacks could constitute acts of war if it
becomes clear what is meant by force and violence, and their
relationship with lethality (i.e. kinetic impact). In addition, Zetter
(2015) contends that we are already at cyber war and observes that more
than 20 countries like the US, China, UK, Israel, North Korea, Iran and
Russia have built cyber offensive capabilities in the past few years.
Section 3: Evaluating the Effects and Suggested Countermeasures
This research paper concludes with an evaluation of how a military cyber
operation like Beebus might contribute to a nation-state’s cyber
capabilities and how it threatens a nation-state’s interests. For the
sake of argument, it is now assumed that the Chinese government is
responsible for operation Beebus. But is stealing drone technology cyber
war? It is clear to see that drone technology relates to a nation’s
security. It would be reasonable to categorize this operation as part of
the intelligence and military cyberactivities national cyber security
mandates. According to Applegate (2015, p. 1) there is a: “credible
capability to use cyber attacks to achieve kinetic effects”. The main
targets for kinetic cyber attacks are CPS. A CPS is the integration of
computer systems with physical processes such as drones. And like other
information technologies, drones were designed with little security.
Drones are prone to attacks as they are equipped with sensors to process
data and this exposes them to vulnerabilities (Rani, Modares, &
Sriram, 2015).
Considering the game of Go, establishing Shi, the possibility of RC
and the exploits to CPS like drones, operation Beebus seems less of an
isolated cyberespionage campaign but indeed part of a coherent cyber
security doctrine and strategy against a nation’s security with
intelligence suggesting that the Chinese government is in some way
involved. Does this mean that operation Beebus is a battle in a cyberwar
between China and the U.S.? Let us turn back to the definitions used in
this research paper. “Cyber war is an extension of policy by actions
taken in cyber space by state or non-state actors that either constitute
a serious threat to a nation’s security or are conducted in response to
a perceived threat against a nation’s security” (Shakarian, Shakarian,
& Ruef, 2013, p. 2). Operation Beebus can now be considered as an
extension of the Chinese doctrine and strategy against U.S. national
security interests. Also, the definition of military cyber operations
can be applied to Beebus; “The employment of cyber capabilities with the
prime purpose of achieving military objectives in or by the use of
cyberspace” (Ducheine & van Haaster, 2014, p. 313). At first glance,
the operation might fall under the ‘artificial’ national security
mandate of intelligence and counter-intelligence. However, due to the
targeted specific technology related to U.S. drones the operation can
also be considered as part of military cyberactivities. It all depends
on which perspective is applied when interpreting a cyber operation.
In its most basic form operation Beebus is a spear-phishing campaign
designed to be highly personalized, thereby hitting the human weak
spots (Parmar, 2012). Employees of drone technology companies regularly
open and reply to emails on the move, a consequence of the
proliferation of mobile devices. To counter the threats from operations
like Beebus, organizations need to increase awareness of spear-phishing
and educate on how to avoid cyber-fraud (Ibid, p. 10). Blacklisting
certain Internet Protocol (IP) addresses could be a solution but is easily
bypassed. Therefore, a layered protection strategy, or ‘defence in
depth’, should be applied. Instead of blacklisting, IT managers should
whitelist exactly which programs are permitted to run, an approach that
does not depend on updates from anti-virus programs. Also, a method for
restoring systems to their original settings should be made available on
every computer and mobile device containing sensitive information.
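The whitelisting advice above can be made concrete. The following is an added example, not the paper’s own code or a product configuration: a Python hash-based application allowlist that records the SHA-256 of each approved binary at a known-good baseline and then sweeps a directory for executables or DLLs whose hash is not on that list, the kind of check that would surface a library dropped into a system directory as described in Section 1. The directory, file names and file contents are constructed inside a temporary folder so the example runs offline; none of them is a real Beebus artefact.

```python
"""Hash-based application allowlisting (added example, not the paper's code).

Approved binaries are hashed once at a known-good baseline; afterwards a
binary is permitted only if its SHA-256 is on that list. Unlike anti-virus
signatures this needs no vendor updates, but the list must be rebuilt
whenever an approved program is legitimately updated.
"""
import hashlib
import os
import tempfile

BINARY_EXTENSIONS = (".exe", ".dll")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Map content hash -> file name for every approved binary (the baseline)."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def is_permitted(path, allowlist):
    """A binary is permitted only if its content hash is on the allowlist."""
    return sha256_file(path) in allowlist


def sweep(directory, allowlist, extensions=BINARY_EXTENSIONS):
    """Return the names of binaries in `directory` that are not on the allowlist.

    Non-binary files are ignored. A library dropped by a weaponized
    document into a system directory (cf. the DLL in C:\\Windows above)
    would be reported here because its hash is not in the baseline.
    """
    unknown = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if (os.path.isfile(path) and name.lower().endswith(extensions)
                and not is_permitted(path, allowlist)):
            unknown.append(name)
    return unknown


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Run the check against a constructed directory and return a small report."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved.dll")
        _write(approved, b"MZ approved library (constructed content)")
        allowlist = build_allowlist([approved])        # known-good baseline

        # Later an unknown library appears next to it, plus a harmless text file.
        _write(os.path.join(d, "dropped.dll"), b"MZ unknown library (constructed)")
        _write(os.path.join(d, "readme.txt"), b"not a binary")
        report = {
            "unknown_binaries": sweep(d, allowlist),
            "approved_permitted": is_permitted(approved, allowlist),
        }

        # Tampering with an approved file changes its hash, so it is no longer permitted.
        _write(approved, b"MZ approved library (constructed content) + patch")
        report["tampered_permitted"] = is_permitted(approved, allowlist)
        return report


if __name__ == "__main__":
    print(demo())
```

On Windows this kind of rule is what AppLocker or Windows Defender Application Control enforce at execution time; the script only illustrates the check itself. Hashing the content rather than trusting the file name is what makes the tampered copy fail, and it is also why a hash allowlist has to be refreshed on every approved software update.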
Conclusion
China’s drone capability development program has been steadily
growing the past five years. Intelligence suggests that the Chinese
government is responsible for operation Beebus although this paper does
not provide any hard evidence. The operation is an APT campaign that
lasted for at least two years. In this research paper it is argued that
cyber war is an extension of policy by action taken in cyber space by
state or non-state actors that constitutes a serious threat to another
nation’s security. A conceptual model for analyzing military cyber
operations related to fighting power has been used to interpret the
operation. The problem of attribution and the possibility of deception
has been introduced and it is stated that there cannot be any real hard
evidence for the claim that China is indeed responsible. Nevertheless,
forms of cyber-power have been found which are applied via operation
Beebus. Drone technology is stolen, indirect control over U.S. is
applied, the status quo is indirectly challenged if China is to become
the number one drone manufacturer in the next ten years, and China
released reports and statements countering U.S. claims with their own
charges of cyber-espionage conducted by the U.S. government. Operation
Beebus can be considered as part of the intelligence and
counter-intelligence, and the military cyberactivities national cyber
security mandate because of its relation to U.S. national security
interests. The operational and technical TTPs of the operation
indicate direct human orchestration. Because cyberspace is still beyond
the reach of a mature political discourse, it is an attractive place
for pursuing military goals for rising powers such as China to challenge
U.S. hegemony. The Chinese cyber strategy and doctrine provides
sufficient possibilities to engage the U.S. via cyber operations like
Beebus. Operation Beebus fits within the doctrine of using information
superiority, the strategy of conquering parts of cyberspace, and setting
favorable conditions for a future conflict. Stealing drone technology
alone does not directly indicate serious threats to a nation’s security.
Therefore, the credible capability to use cyber attacks to achieve
kinetic effects is also mentioned. Drones are CPS prone to attacks and
exploitation of vulnerabilities. It is thus wise to not only look at the
operation itself but also to consider its context within international
security and the power struggle between nation-states. A layered
protection strategy, or ‘defence in depth’, could be a good
countermeasure against spear-phishing operations like Beebus; this
includes blacklisting, whitelisting applications and system-restore
methods at the touch of a button on any device containing sensitive
information.
Literature
Applegate, S. D. (2015). The Dawn of Kinetic Cyber. 5th International Conference on Cyber Conflict. Tallinn: NATO CCD COE Publications.
Betz, D. J., & Stevens, T. (2011). Chapter One: Power and Cyberspace. In D. J. Betz, & T. Stevens, Cyberspace And The State (pp. 35-53). Adelphi Series.
Cornish, P., Livingstone, D., Clementa, D., & Yorke, C. (2010). On Cyber Warfare. Chatham House.
Ducheine, P., & van Haaster, J. (2014). Fighting Power, Targeting and Cyber Operations. 6th International Conference on Cyber Conflict. Tallinn: NATO CCD COE Publications.
Klimburg, A., & Mirtl, P. (2012). Cyberspace and Governance – A Primer. Austrian Institute for International Affairs.
Libicki, M. C. (2012). Cyberspace Is Not a Warfighting Domain. I/S: a journal of law and policy for the information society, 321-336.
Musa, S. (2014, March). Advanced Persistent Threat. Academia.
Parmar, B. (2012). Protecting against spear-phishing. Computer Fraud & Security, 8-11.
Rani, C., Modares, H., & Sriram, R. (2015). Security of unmanned aerial vehicle systems against cyber-physical attacks. Journal of Defense Modeling and Simulation: Applications, Methodology, Technology, 1-12.
Rid, T. (2012). Cyber War Will Not Take Place. Strategic Studies, 5-32.
Shakarian, P., Shakarian, J., & Ruef, A. (2013). Introduction To Cyber-Warfare: A Multidisciplinary Approach. Waltham: Syngress.
Stone, J. (2013). Cyber War Will Take Place! Strategic Studies, 101-108.
Thomas, T. L. (2004). Russia’s Reflexive Control Theory and the Military. Journal of Slavic Military Studies, 237-256.