nformation technologies and infrastructure―from satellites orbiting
the earth to the smart phones in our hands, from undersea cables to
wireless networks all around us, and from the global banking system to
household appliances―play an increasingly indispensable role in daily
life. At the same time, threats to cyber security are becoming both more
numerous and more serious.
Recognizing the threat
President Obama provided a high-profile warning of the growing threat
in the cyber domain in his February 12, 2013 State of the Union
Address.
[1] He
pointed out that “America must also face the rapidly growing threat
from cyber-attacks” and “our enemies are also seeking the ability to
sabotage our power grid, our financial institutions, and our air traffic
control systems.” He revealed that he had signed a new executive order
“that will strengthen our cyber defenses by increasing information
sharing, and developing standards to protect our national security, our
jobs, and our privacy.”
Cyber security has become a top priority in national and
international security, even if some experts are skeptical about
possibilities for an actual cyber war. In a speech to business
executives in October 2012, then-U.S. Secretary of Defense Leon Panetta
noted that a “cyber attack perpetrated by nation states and violent
extremist groups could be as destructive as the terrorist attack of
9/11,” and that “the collective result of these kinds of attacks could
be a cyber Pearl Harbor; an attack that would cause physical destruction
and the loss of life.”
[2]
Is cyber war really a possibility, as high-ranking government
officials have begun to warn? Many cyber experts have been debating this
question for more than a decade,
[3] but the question is yet to be answered.
It is true that many countries face cyber espionage, cyber sabotage
or subversive activity, varying from cyber snooping aimed at news
media―New York Times, Wall Street Journaland Washington Post, to name a
few―and think tanks
[4] to the corporate sabotage aimed at Saudi Aramco.
[5] We
have, however, not seen cyber acts resulting in “hurting, injuring, and
killing human beings, even a single one” as Thomas Rid argued recently
in a panel discussion at Brookings.
[6]
Cyber warfare in the future might be far from what we might imagine.
It is sure that a cyber war would not meet the rigid social scientific
definition of “war” codified in the notable and long-standing
“Correlates of War Project (COW)”
[7] which
describes it as “sustained combat, involving organized armed forces,
resulting in a minimum of 1,000 battle-related fatalities.”
[8]
Even though fatalities may not occur in a future cyber war, experts
are seriously concerned about cyber attacks as part of a larger act of
aggression. As Secretary Panetta argued in his speech, “the most
destructive scenarios involve cyber actors launching several attacks on
our critical infrastructure at one time, in combination with a physical
attack on our country.”
[9]
Glimpses of the future
In fact, there is a high incidence of country-level cyber attacks
aimed at critical infrastructure in the past half-decade: on Estonia in
2007, on Georgia in 2008, and on South Korea in 2009 and 2013.
In the Estonian case, a nationalistic confrontation between Russia
and Estonia over the relocation of the Soviet-era Bronze Soldier
monument, which to some in Estonia symbolizes Soviet oppression,
triggered large scale of distributed denial-of-service (DDoS) cyber
attacks targeting the country's infrastructure. It caused the websites
of government authorities, political parties, and financial institutions
to shut down. At that time Estonia had one of the most advanced
information infrastructures in Europe and depended heavily on
information technology, so the results of the attack were quite
disruptive. In the second wave of DDoS attacks on May 10, 2007, nearly a
million computers outside Estonia requested Estonian servers to respond
to external communications and filled the national network with
meaningless data. As a result, on-line baking services and ATMs
belonging to Estonia’s two largest banks came to a standstill.
South Korea faced cyber attacks more severe and sophisticated than
DDoS in 2013. On the afternoon of March 20, internal computer networks
of television broadcasters and three major banks were forced to shut
down, caused by a premeditated malware assault on servers and tens of
thousands computers in the networks. The banks’ ATMs and the
broadcasters’ news distribution systems were paralyzed for several
hours. South Korea’s official investigation team blamed North Korea for
masterminding the cyber attacks
[10] and
the government estimated the damage to South Korea of the March attack
and a subsequent June attack to be at least US$800 million, according to
a ruling party legislator.
[11] After
eight months of careful preparation, Pyongyang apparently put a mass
cyber attack plan into action, coinciding with increasing military
tension on the Korean Peninsula after its third nuclear test on February
12.
Japan’s response
In Japan, since around 2006, ministries and agencies, other
governmental organizations, think tanks, and scholars have faced
sophisticated cyber attacks from so-called “advanced persistent threats
(APT)” aimed at stealing top-secret information from specific
organizations and individuals. Only recently, however, has Japan
recognized the reality of wide-ranging cyber espionage against not only
government ministries and agencies but also against private-sector
businesses. The year 2011 could even be termed the “first year of cyber
war” for Japan, in that it was the year in which the scope of the threat
became widely known. It was revealed, for example, that there had been
cyber espionage on defense industrial companies and on the internal
network of the House of Representatives.
Careful attention to each cyber attack in this half-decade reveals
that cyber attacks frequently follow incidents of international discord.
In addition to targeted attacks with the objective of stealing
classified information, signs of attacks designed to paralyze the
control systems of vital social infrastructure have begun to appear in
recent years. With the realization that successful attacks on electrical
grids, transportation facilities, industrial sites, or others would
have an adverse impact on people’s actual lives, detecting and
preventing attacks on control systems has become the top cyber defense
priority.
Perhaps more seriously, the ability of politicians, bureaucrats,
military officers, and experts to react efficiently to crises or threats
without access to communications networks or control systems is a major
threat, representing the potential dark side of our globalized
information world. Therefore, cyber attacks present at least a two-tier
threat: they are damaging in themselves, and they create potential for
widespread physical damage exacerbated by potentially ineffective
government response.
In the face of new challenges, in March 2012 the Ministry of
Economics, Trade and Industry (METI) of Japan and eight Japanese
electronics companies established a “Control System Security Center
(CSSC).” This is a technology research association designed to
strengthen the security of control systems of important infrastructure
and to establish verification methods and evaluation of control systems.
In collaboration with eighteen companies including manufacturers,
vendors, and consumers of control systems, the CSSC opened a test-bed
laboratory for the security of control systems in Miyagi, Tohoku on May
17, 2013. The lab has several objectives: 1) to provide the latest
security verification tools for controls systems, 2) to develop secure
technology for control systems, 3) to drive international system
security standardization, 4) to develop certification tools, 5) to
provide incident support, 6) to develop human resources, and 7) to
establish security guidelines.
In order to protect cyberspace, early detection of cyber attacks is
essential and warnings must be shared without delay among like-minded
countries. At the same time, it is difficult to defense against cyber
attacks and cyber espionage through defensive measures alone. It will
also be necessary to invade attackers’ networks in return as measures of
“cyber-counterattacks in self-defense” for purpose of identifying
enemies’ activities and striking back at them. This may be considered
“collective cyber defense.”
U.S.-Japan alliance
U.S. Secretary of State John Kerry and Secretary of Defense Chuck
Hagel met with their Japanese counterparts, Minister for Foreign Affairs
Fumio Kishida and Defense Minister Itsunori Onodera, for a meeting of
the U.S.-Japan Security Consultative Committee (SCC) in Tokyo on October
3, 2013. The SCC meetings, so-called “2+2,” are convened on an
irregular basis, usually in Washington, and rarely with two Ministers
and two Secretaries―normally only one U.S. leader is able to participate
at any one time. This time, however, was a landmark in the long history
of the alliance, as a true 2+2 meeting was held for the first time in
Tokyo.
The joint statement
[12] announced
in Tokyo covers a gamut of alliance-related concerns but places
particular emphasis on five topics: 1) revising the U.S.-Japan 1997
Defense Guidelines by the end of 2014 in a way that reflects new
challenges, such as in the space and cyber domains, and enhancing the
alliance to enable a more active international role; 2) enhancing the
ballistic missile defense capabilities of both countries, and deploying a
second X-band defense radar in the middle of the coast along the Sea of
Japan, which will cover the Japan as well as the U.S. homeland; 3)
widening the role of the alliance for more active regional engagement,
especially in the maritime security and humanitarian assistance/disaster
relief arena; 4) pursuing steady implementation of the realignment of
U.S. forces in Japan; 5) deploying more advanced U.S. military
capabilities into Japan, including the introduction of the MV-22, P-8
maritime patrol aircraft, Global Hawk unmanned aerial vehicle, and the
F-35B.
Japan and the U.S. seek in particular to enhance the “collective
cyber defense” capability of the alliance, aiming to make it a
foundation for information security and information protection more
broadly. As a senior Obama administration official told reporters in a
background briefing at the Tokyo 2+2 meeting, cyber security is “also an
important line of effort in the U.S.-Japan alliance, ensuring that our
practices, our standards, our procedures are as strong and robust as
they can be, because that’s the thing – that’s the foundation for
everything else that we do together.”
[13]
Japan could make an important contribution to collective cyber
defense by developing secure technology for control systems and by
promoting global standardization of control system security. This dual
track would help create a more robust social infrastructure among allies
and like-minded countries.
In addition to the effort to ensure the safety of social
infrastructure in the case of cyber warfare, it is inevitable for allies
to attempt to preempt cyber attacks with dual aims of deciphering signs
of impending cyber attacks and taking measures against them. From that
standpoint, global surveillance of the sort conducted by the National
Security Agency (NSA) is absolutely imperative to secure our society not
only from terrorist attacks but also from cyber attacks. According to
some recent news reports,
[14] in
2011 Tokyo rejected the NSA’s offer of cooperation in wiretapping
fiber-optic cables across the Asia-Pacific region; Article 21
[15] of
the Constitution of Japan strongly forbids the government from
violating the secrecy of any means of communication. On the other hand,
Article 12
[16] asks
Japanese citizens to utilize their freedoms and rights for the public
welfare. Judged in light of the potential benefit to the common welfare
that collective cyber defense could produce, Tokyo should re-consider
its refusal to participate in joint global surveillance against cyber
attacks.
In any event, better judgment on the scope and scale of surveillance
is needed. Even if President Obama and senior U.S. government officials
plead their ignorance, the NSA surveillance scandal which now involves
the monitoring of telephone calls of world leaders including German
Chancellor Angela Merkel, casts doubt over the trust between Western
allies and the United States. Merkel told President Obama that
wiretapping among allies is “completely unacceptable.”
According to the secret NSA documents unveiled by Edward Snowden, the
U.S. SIGINT system has targeted on both enemies and allies.
[17] The
documents show that the NSA has been snooping not only around European
countries but also around U.S. Pacific allies, South Korea and Japan,
aiming to gather information on strategic technologies, economic
influence and foreign policy, for the purpose of ensuring economic
advantage and national security interests.
Despite of a lot of press coverage on NSA spying in Japan, Tokyo
somewhat surprisingly has not publicly criticized the United States for
these activities. It is not as yet clear whether this silence indicates a
deep-seated belief in the alliance or a lack of basic knowledge for
cyber security literacy.
No matter how strong the belief in the alliance, however, the
betrayal of a friend leads to the catastrophe of the end of the trust
and to severe difficulties in collective cyber defense against real
enemies.
[3] See.
Richard A. Clarke, Cyber War: The Next Threat to National Security and
What to Do About It, New York: Harper Collins Publishers, 2010. Thomas
Rid, Cyber War Will Not Take Place, London; C. Hurst & Co., 2013.
[5] See. Christopher Bronk, Enekenand Tikk-Ringas, “The Cyber Attack on Saudi Aramco,”Survival, Vol. 55 Issue 2 (2013), pp.81-96.
[7] David
Singer founded COW as a project in the University of Michigan in 1963.
After his retirement, Penn State has archived all data and materials of
COW:
http://www.correlatesofwar.org/.
[8] Meredith
Reid Sarkees, “The COW Typology of War: Defining and Categorizing
Wars,” and Frank Wayman, Resort to War: 1816 – 2007, 2010, CQ Press.
[9] “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security.”
[14] The Japan Times, “NSA asked Japan to tap regionwide fiber-optic cables in 2011,” October 27, 2013.
[15] Article 21: “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.”
[16] Article 12; “these freedoms and rights and shall always be responsible for utilizing them for the public welfare.”
2 million passwords have been stolen, compromising accounts at Facebook, Gmail, Twitter, Yahoo and ADP.
