Cybersecurity

Politics, Governance and Conflict in Cyberspace

Damien Van Puyvelde

Aaron F. Brantly

Polity

Figures, Tables and Storyboxes

Figures

1.1 ENIAC, c.1946

1.2 ARPANET in December 1969 and July 1977

1.3 Internet users since 1990

1.4 The growth of significant cyber incidents, 2006–2017

1.5 Geographic spread of significant cyber incidents by continent, 2006–2017

2.1 The electromagnetic spectrum

2.2 Packet-switched v. circuit-switched networks

2.3 OSI and DoD models compared

2.4 Heartbleed logo

4.1 Polymorphic malware sample

7.1 Phishing email example

7.2 Logo of the Tech of the Islamic State

7.3 A dark net weapons market

Tables

3.1 Major Internet governance entities

4.1 Malware types

4.2 Malware features

4.3 The Cyber Kill Chain

4.4 Kinetic v. cyber capabilities

Storyboxes

1.1 The ENIAC

2.1 The “spade-hacker”

3.1 Net neutrality

5.1 Russian interferences: Hit and miss

6.1 Cybotage: From Stuxnet to Operation Olympic Games

6.2 Ukrainian blackouts

6.3 Leveraging cyberattacks: The Russo-Georgian war of 2008

7.1 The ISIS hackers

8.1 The greatest transfer of wealth in human history

9.1 The global surveillance disclosures of 2013

9.2 The EuroMaidan movement

9.3 GhostNet

9.4 The Apple–FBI debate over digital privacy

Acknowledgments

Aaron would like to dedicate this book to his three sons, Andrew, Oliver and Daniel, who patiently waited for him to play or read books to them while he worked on various sections of it. Damien dedicates this book to his wife Ana. He would also like to thank Liam Mcvay for his helpful comments on several chapters.

We would both like to thank Louise Knight who encouraged us to write this book and who, together with Nekane Tanaka Galdos and Sophie Wright, provided valuable assistance throughout its preparation.

We hope this book inspires future cybersecurity scholars and practitioners in their efforts to address the many challenges ahead.

Abbreviations

ABC Atanasoff–Berry Computer
AI Artificial Intelligence
ANSSI Agence Nationale de Sécurité des Systèmes d’Information (France)
APT Advanced Persistent Threat
ARPA Advanced Research Projects Agency (United States)
ARPANET Advanced Research Projects Agency Network
BGP Border Gateway Protocol
C2 Command and Control
CCD COE Cooperative Cyber Defense Centre of Excellence (NATO)
CENTCOM Central Command (United States)
CERN European Council for Nuclear Research
CERT Computer Emergency Response Team
CIA Central Intelligence Agency (United States)
CIA triad Confidentiality, Integrity and Availability
CPU Central Processing Unit
CSIS Center for Strategic and International Studies
DARPA Defense Advanced Research Projects Agency (United States)
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DISA Defense Information Systems Agency (United States)
DNC Democratic National Committee (United States)
DNS Domain Name System
DoD Department of Defense (United States)
DoS Denial of Service
DPRK Democratic People’s Republic of Korea (North Korea)
EFF Electronic Frontier Foundation
ENIAC Electronic Numerator, Integrator, Analyzer and Computer
EPO Entry Point Obfuscator
EU European Union
FBI Federal Bureau of Investigation (United States)
FSB Federal Security Service (Russia)
FTP File Transfer Protocol
GDPR General Data Protection Regulation (European Union)
GPU Graphics Processing Unit
GRU General Staff Main Intelligence Directorate (Russia)
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
IAEA International Atomic Energy Agency
IANA Internet Assigned Numbers Authority
IBM International Business Machines
ICANN Internet Corporation for Assigned Names and Numbers
IDPS Intrusion Detection and Prevention System
IDS Intrusion Detection System
IETF Internet Engineering Task Force
IGF Internet Governance Forum
IMP Interface Message Processor
IoT Internet of Things
IP Internet Protocol
IPB Intelligence Preparation of the Battlefield
IPS Intrusion Prevention System
ISAC Information Sharing and Analysis Center
ISAO Information Sharing and Analysis Organization
ISP Internet Service Provider
ITRs International Telecommunications Regulations
ITU International Telecommunications Union
JTF Joint Task Force
KGB Committee for State Security (Soviet Union)
LOIC Low Orbit Ion Cannon
LOL Laugh Out Loud
MAC Media Access Control
MILNET Military Network
MVD Ministry of Internal Affairs (Russia)
NASA National Aeronautics and Space Administration (United States)
NATO North Atlantic Treaty Organization
NCCIC National Cybersecurity and Communications Integration Center (United States)
NGO Non-Governmental Organization
NHS National Health Service (United Kingdom)
NIPRnet Non-Classified Internet Protocol Router Network
NIST National Institute of Standards and Technology (United States)
NOG Network Operators’ Group
NORAD North American Aerospace Defense Command (United States)
NSA National Security Agency (United States)
NSDD National Security Decision Directive
NSF National Science Foundation (United States)
NSFNET National Science Foundation Network
NSI Network Solutions Inc.
NTIA National Telecommunications and Information Administration (United States)
OSI Open Systems Interconnection
PC Personal Computer
PII Personally Identifiable Information
PLA People’s Liberation Army (China)
RBN Russian Business Network
RFC Request for Comment
RUNET Russian segment of the Internet
SCADA Supervisory Control and Data Acquisition
SDL Security Development Lifecycle
SIGINT Signals Intelligence
SMTP Simple Mail Transfer Protocol
SVR Foreign Intelligence Service (Russia)
TCP Transport Control Protocol
TLD Top-Level Domain
TLS/SSL Transit Layer Security / Secure Socket Layer
Tor The Onion Router
UDP User Datagram Protocol
UK United Kingdom
UN United Nations
UN GGE United Nations Governmental Group of Experts
URL Uniform Resource Locator
US United States
W3C World Wide Web Consortium
WSIS World Summit on the Information Society
WWW World Wide Web
XSS Cross-site scripting

Introduction

Every day, people interact with hundreds, if not thousands, of different devices, each connected to the Internet, forming a massive network of networks that has broadly become known as cyberspace. Everything from coffeepots to cars, mobile phones to grocery stores and gas stations is increasingly connected and sharing information with the world around us. We have come to depend on this connected world in innumerable ways. We rely on the Internet to share information about our lives with friends and family, to check our bank accounts and to verify our purchases at stores.

Beyond the obvious devices we hold in our hands or interact with consciously, we depend on hundreds more that we are unaware of, but that keep us safe and facilitate modern life. Nearly every aspect of our daily lives is touched by computers and networks. For instance, cars rely on hundreds of computer chips to manage traction control, and environmental and braking systems. Connected computers at intersections manage the flow of traffic and prevent accidents. The natural resources our modern society depends on are managed by industrial control systems that regulate voltages between substations, or water pressure in city utilities. Every computer chip we come into contact with plays a role in the larger ecosystem of cyberspace. Each of these individual pieces fits within a broader puzzle that is deeply vulnerable to manipulation, misuse and error.

This book focuses on the interactions of individuals, groups and states in cyberspace, and walks the reader through the security challenges faced in an increasingly digital world. While many of the problems faced at the individual device level and in small networks are highly technical, the broader systemic implications of their use and misuse are inherently political. From relatively humble and hopeful beginnings, social scientific thought on issues related to cyberspace has been evolving for nearly 70 years.1 Debates on the technological connectedness of human society have changed from prognostications on the future to analyses of the present.2

Cyberspace is a unique and often perplexing environment, one referred to by the United States Department of Defense (DoD) as a domain of operations on a par with the other combat domains of land, sea, air and space.3 Cyberspace, unlike its counterpart domains, is entirely man-made and depends on physical, logical and human structures and organizations to operate. Some scholars even refer to cyberspace as a “substrate” that forms the foundation of much of modern life and permeates political, social, economic, technical and environmental sectors.4

Cyberspace, as a term, was first derived from a work of fiction in the 1980s and defined as a “consensual hallucination,” referring to its ability to alter the perceived reality of those who engage one another through it in chat rooms or virtual environments such as Second Life.5 Its importance in popular culture has been prevalent long before it was widely used and its impact on national security policy has been significant almost from its inception. Social and cultural commentary on computers, individuals and networks and much more has often outpaced technological reality and informed discussions of the moral and ethical, legal and policy ramifications of an ever-connected world.

Among the most discussed ramifications in the development of cyberspace is security. Security is not an isolated concept. Security failures in cyberspace can result in a wide range of challenges that plague actors from individuals to states. Cybersecurity is often presented as an afterthought in the design and development of the Internet and its related technologies.6 Although this is partially true, the lack of systemic security in cyberspace is a function of a variety of complex processes that include social, political, technical and economic considerations. Social scientific analysis of these attributes of cyberspace and associated technologies helps to examine the pieces of the puzzle and provides insights on how various outcomes occur or might be avoided.

The significance of cyberspace, and in particular security within cyberspace, to social scientists is growing every year. At present, more than half the world’s population is connected in some way to cyberspace. Those who are not presently connected are expected to come online in the years to come. At the close of 2017, by some estimates, more than 250,000 new pieces of malicious software (malware) were being released daily.7 The growth and diversity of malware spreading within cyberspace are having a substantial impact on nation states, businesses and individuals. Global anti-virus firm Symantec estimated that 978 million people in 20 countries were affected by cybercrime, equating to a total of approximately $172 billion or $142 per person in 2017.8 Other malicious activities in cyberspace – such as espionage, Distributed Denial of Service (DDoS) attacks, social engineering, information operations and a host of other activities – are challenging modern societies in new ways.

To respond to cybercrime, espionage and other malicious behavior in cyberspace, businesses are spending large sums of money to develop robust cybersecurity strategies, and are investing in global governance organizations and fighting for norms and other behaviors to constrain the proliferation of cybercrime, espionage and malfeasant behaviors by states.9 Within the business community, technology companies are leading the fight against cybercrime through the implementation of more ubiquitous encryption within platforms, and they are fighting government policies and legal efforts to undermine encryption within their products.10 Businesses’ efforts to secure their products come with trade-offs for law-enforcement and intelligence agencies. More secure communications devices and online platforms have been used by transnational criminals and terrorist organizations to plan and engage in attacks against citizens of multiple countries.11

Beyond the proliferation of malware for criminal activities, countless cyberattacks have targeted nation states and their critical infrastructures – including hospitals, public transit, electric and water facilities and many more. Most of these attacks were undertaken with the intent of destroying, degrading or denying critical national capabilities. Many states are now opting to invest substantial resources in the development of civilian and military cyber programs for both offensive and defensive purposes. International organizations such as the North Atlantic Treaty Organization (NATO) have begun outlining military responses to cyberattacks. Some countries, such as the United States, are going as far as claiming the prerogative to respond to certain cyberattacks with nuclear weapons.12

It is increasingly difficult to deny the immense importance and impact of cyberspace on every aspect of life in many developed and developing nations. There are huge socio-economic benefits associated with the increased development and proliferation of cyberspace into communities never before connected to the global community. We are now able to share information with friends and family members around the world instantaneously. We can learn about other countries and cultures, engage in global commerce and support communities around the world affected by natural disasters or political repression in ways never before possible. The potential of cyberspace to achieve a great many benefits is limited only by the creativity of those who leverage the increasing range of technologies available to them. Yet, as cyberspace expands and becomes more vital to everyday life, the security challenges often found offline – crime, war, terrorism, cultural and political repression, among many others – must be addressed within cyberspace.

Our approach

This book is designed for readers with limited prior experience in cybersecurity, or as a refresher for those with more robust backgrounds. The combined work introduces a variety of concepts, practical problems and core policy debates necessary to understand security in and through computer networks. Each chapter is carefully constructed to provide our readers with a comprehensive introduction to the complexities and challenges of cybersecurity in an engaging and relevant fashion. The chapters include case studies presented in storyboxes to help our readers analyze the complexity of cybersecurity in practice, as well as discussion questions to hone critical thinking skills, and a brief list of suggested readings. Upon reading this book, readers will know the key attributes of, controversies surrounding, policies and laws regarding, and challenges posed by cybersecurity, and will be well positioned to continue to advance their knowledge, should they choose to do so.

We structured this book around ten chapters designed to introduce readers to a range of concepts associated with cybersecurity. The core argument bringing these chapters together presents cyberspace as a complex socio-technical-economic domain that achieves relevance and importance through human design and manipulation. Despite its technical specificities and unique character, cyberspace is a domain of human activity and interactions. Humans created cyberspace, and have used digital means to serve both beneficial and malicious purposes. The centrality of humans in cyberspace makes social scientific approaches imperative to the study of cybersecurity. An emphasis on human interactions in and through cyberspace allows us to approach cybersecurity from multiple perspectives, ranging from realism to liberalism and constructivism, as well as multiple levels of analysis from the individual to the organizational, the local to the national and international, where rising norms of governance are redefining human interactions. The interactions between the actors of cyberspace and the structure of cyberspace constitute the core of our analytical framework. Users of cyberspace have a unique opportunity to shape the structure of cyberspace and are in turn shaped by its structure.

Chapter 1 introduces readers to the history of cyberspace, and the evolution of security and economic issues that have arisen over the years as cyberspace has grown. Chapter 2 explores what cyberspace really is and how it works by examining the basic technical functions of the domain. Most importantly, chapter 2 introduces readers to the “layers” of cyberspace as a means of making what seems to be an overwhelmingly complex environment more intellectually manageable. Chapter 3 traces the development of governance in cyberspace and examines the political tensions between different models of governance. Chapter 4 dives into the details of how cyber capabilities are developed by state and non-state actors, and how the development of these capabilities generates insecurity. Chapter 5 provides an overview of the complex national security implications of an evolving man-made domain that has come to pervade modern life. Chapter 6 presents the challenges of waging war in cyberspace, and explores how war in cyberspace is both similar to and different from more conventional notions of war and conflict. Chapter 7 takes a step back from state-to-state interactions and shifts the level of analysis to non-state threats associated with cyberterrorism and cybercrime. Chapter 8 looks at how actors across all levels organize for defense and deterrence in response to a multitude of cyber threats. Chapter 9 probes how cybersecurity and democracy, once thought to be mutually reinforcing, have become increasingly uneasy bedfellows, by examining how cyberspace can be both a tool for the enhancement of democracy and damaging to it. Finally, the book concludes by examining what the future of cyberspace has to offer with the increasingly important Internet of Things (IoT), Artificial Intelligence (AI) and biotechnologies.

Notes