Summary

This document discusses the foundations of cybersecurity, focusing on the technological, political, economic, and military aspects. It explores the evolution of the internet from Web 1 to Web 3 and its connection to cyberspace layers. It also covers different approaches to cybersecurity, like multi-stakeholder and digital sovereignty, highlighting the importance of cybersecurity in international relations.

Full Transcript

Cyber security - https://drive.google.com/drive/folders/10Ghr2bBCaA9r4uaubLgBCDbBJ_vk6fht

FOUNDATIONS OF CYBER SECURITY

Two main points to consider:
1. Tech
2. Political, economic and military

1. Tech

The very first attempt to create the internet was not commercial: it was used by the military and reserved for the military -> end of the 1960s.
Public internet appeared in the 1990s.
2007: introduction of iPhones -> becoming a product of experiment.

We are looking at an evolution from WEB 1 to WEB 2:
- WEB1: static web, with very limited access because of the difficulties involved. Beginning of the 1990s, when the web becomes commercial.
- WEB2: interactive. I don't have to pay for hosting or the service; I can get a Facebook account and comment or post something. No need for technical knowledge.
- WEB3: semantic; integration of AI, Internet of Things, ability of the technology to create content and interact with content.

These are also connected with the layers of cyberspace:
- Physical -> devices, hardware etc.
- Instructions/Logical -> systems enabling devices
- Semantic/Social -> information, individuals in cyber activities

You can only take into consideration the Tallinn papers' definition of sovereignty:
- Physical: hardware, cables
- Logical: connection between devices
- Social: individuals in cyber activities

The very first phone was Simon; it was a proper smartphone, like the ones we have today. People didn't have to carry phones or bring a camera. Same functions as iPhones.

2. Political, economic and military

2 main approaches to cyberspace:
- multi-stakeholder approach
- digital sovereignty approach: states want to stay in control of what happens and circulates on the internet

Technology and politics

Cyberspace has become an integral part of our daily lives. It is changing the way we communicate, do business and interact with the world. As cyberspace evolves, so do the security challenges associated with it.
Internet freedom has become a broad concept: it now includes digital rights, freedom of information, the right to access the Internet, freedom from international censorship, net neutrality.

Tech and geopolitical cycles: new products built around the microchip.

Cyber security in IR

Away from state-centricity: not only states, but individuals, corporations, norms, ethics and social order.
Expansion of the concept of security to include non-military threats.
Challenged traditional notion of sovereignty (exclusive right of a state to exercise authority within its borders).
A different focus on the role of non-state actors in international security.

Challenges: one challenge is the lack of international consensus on norms and rules for responsible behavior in cyberspace. Another challenge is the difficulty of attributing cyberattacks to specific actors.

Where does cyber fit?

Digital sovereignty approach

Who governs the web? This question is central:
- those who own the infrastructures: ex. undersea cables
- those who own websites: are they legitimized to shut down just because the government asks them to shut down, can they be considered a threat?

States have issues controlling sovereignty in cyberspace, as they do in the "normal situation". Are they taking back their control?

Multi-stakeholder approach

It is one possible approach to how to tackle cybersecurity. It involves more actors, rather than just states.

This diagram illustrates the multi-layered and interconnected global governance system for cybersecurity. It highlights how international organizations, government groupings, corporate entities, law enforcement, and civil society organizations collaborate to develop policies, standards, and mechanisms to secure the internet, prevent cybercrime, and protect human rights online.
The image underscores that cybersecurity is not solely a technical issue but one that intersects with international law, human rights, economics, and diplomacy.

Critical infrastructure

The US government has identified 16 critical infrastructure sectors, which include physical and virtual assets, systems, and networks. They were identified because their incapacitation or destruction would have a severe and adverse impact on national security, public health, national economic security, public safety, or a combination of the above.

How can we define power in cyberspace? Who asserts power in cyberspace? In IR there are many approaches to power; cyberspace has posed new challenges to power.

Cyberspace has become quite important and critical when it comes to national security: all states now have cyberspace embedded into their security strategy. We can distinguish between:
- offensive: cyber attacks
- defensive: infrastructures

Innovation power

It refers to the ability to invent, adopt, and adapt new technologies. It contributes to both hard and soft power. The ability to innovate faster and better is the foundation on which military, economic, and cultural power now rest.

In previous eras, the technologies that shaped geopolitics ranged from steel and steam power to nuclear fission. As developments in drones make clear, innovation power underlies military power.

For example, when taking into consideration the Russia-Ukraine conflict, we see how Ukraine used innovation power (drones etc.) in order to defend itself and stand against a massive army. Russia could outrange Ukraine in terms of standard security concepts but not when it comes to innovation power. The speed of adapting that technology is a critical aspect: ex. AI and its use by states.

Cyber security and the IR

Sovereign state is the key organising principle in global politics -> 'Star Wars' project (SDI); control of European space at the heart of the Cold War.
Concepts of power, governance, and sovereignty, security.

The rollout of 4G networks across the US facilitated the early development of mobile applications such as Uber that required faster cellular data connections. Similar to cyberspace these days, there are no physical territories.

Problems with newly created instruments: no regulation. Ex. Uber: no regulation resulted in struggles with other traditional taxi companies, kidnappings and GPS connections -> the technology appears faster than the legislative process.

The regulation goes on different levels: consumers, states etc. Something that is considered a threat in one country may not be considered as such by another country.

There are different approaches to cybersecurity in IR. The cyber perspective introduces a more complex, decentralized environment where non-state actors, economic interests, and technological infrastructure play crucial roles in shaping power dynamics and conflict resolution. In cyberspace, actors like corporations and individuals gain power, and the structure of governance is less clear, allowing for both cooperation and conflict.

"National security is the absence of threat to a society's core values. Countries are increasingly becoming information societies. Threats to information can be seen as threats to the core of information societies."

Week 3 - DIGITAL SOVEREIGNTY

Digital hegemony

Snowden (2013) revealed the mostly unconstrained exercise of hegemonic power (sovereign but non-territorial) and the enormous possibilities for data gathering, data analysis and data control by intelligence agencies and tech companies in the United States.

There are 5 elements of digital sovereignty:
- control over data: we produce a lot of data from browsing, uploading etc. Ex. cookies etc.
- digital infrastructure: access to specific sites and rework. Ex. China example of closed network
- regulations: ability of states to regulate specific sites or social media etc.
Ex. USA. Nowadays more and more states have regulated cyber, meaning that companies have to follow such regulations
- tech
- international governance: localize internet

State is not a threat?

Powerful corporate actors can be described as quasi-sovereign and largely unaccountable via traditional political mechanisms. When it comes to the digital sphere, companies don't challenge the state's authority through traditional measures but rather with other instruments.

Sovereignty reimagined

Digital sovereignty refers to the concept that governments should assert their authority over the internet to protect citizens and businesses from challenges to self-determination in the digital realm.

Technical and legal tools allowing for the enforcement of national laws and governmental interventions in the digital sphere. It seeks to re-establish the nation-state, including the national economy. The demand for a decoupled digital sphere that allows for exclusive national control over communications, data and regulation.

Early days of the internet

The digital transformation and global technical infrastructure of the internet pose a challenge to sovereignty, as territoriality and state hierarchy seem at odds with the decentralised nature of digital networks. John Perry Barlow's Declaration of the Independence of Cyberspace (1996).

1. Governments are taking an active role in the digital sphere, enforcing national laws and intervening when necessary.
2. They aim to convince their citizens that sovereignty and state authority are essential to protect vital goods.
3. Citizens, in turn, expect their governments to safeguard their online privacy and combat disinformation and cybercrime.

Jean Bodin (ruler's authority to make final decisions), Jean-Jacques Rousseau (popular sovereignty rather than monarchical sovereignty); democracy, the rule of law and territoriality.
State's independence vis-à-vis other states (external sovereignty) and its supreme power to command all powers within the territory of the state (internal sovereignty).

The concept of sovereignty is linked to a specific geographical territory, leading some to envision a post-sovereign world where states are not the most important source of power. Democracy in such a world would prioritise pluralism and participation over the capacity of a demos to govern itself.

The idea of state sovereignty was particularly challenged by two different, yet related, discursive strands that significantly shaped public and academic discourses: cyber exceptionalism and multi-stakeholder internet governance.

Cyber exceptionalism: argues that the digital realm is distinct from the physical world, requiring unique approaches to address cyber threats. Digital politics will lead to decentralised societies, where external sovereignty, law, and territoriality will matter less in transnational networks.

Multi-stakeholder internet governance

Rather than state regulation of digital matters, non-sovereign roles are emphasised in a regulatory framework that prioritises the responsibility of those impacted by the internet.

The multi-stakeholder governance model's external conflicts stem from its rejection of government-dominated international institutions in favor of transnationalism. The vision proposes a multi-stakeholder governance structure based on openness, inclusion, bottom-up collaboration, and consensual decision-making to promote self-governance and eliminate the need for a central decision-making authority.

Internal conflicts in internet governance stem from coordination issues arising from multiple parallel processes, and the shift from primarily technological issues to political and social questions.

Demand for sovereignty?

The fight for digital sovereignty is an ongoing struggle -> Companies have the power to create and maintain digital technology.
States have the power to regulate it (setting legal standards, taxation policies, and compliance measures). States may use domestic companies for political purposes, while companies rely on home states for protection against foreign states.

Control of data, software (AI), standards and protocols (5G, domain names), processes (cloud computing), hardware (mobile phones), services (social media, e-commerce), and infrastructures (cables, satellites, smart cities), in short, for the control of the digital.

Rethinking sovereignty

Four principles for the sovereign:
- it possesses authority
- this authority is derived "from some mutually acknowledged source of legitimacy", which can be God, a constitution, or a hereditary law
- this authority is supreme
- this authority is over a territory.

Territoriality is often linked to sovereignty, but other principles have been used in the past, such as family, kinship, religion, tribe, and feudal ties. State sovereignty, based on territorial ownership, is rooted in modern European politics.

Popular sovereignty in cyberspace should be based on multi-stakeholder participation in organisations like the Internet Governance Forum, rather than the nation-state?

Territory should encompass not only land but also resources in the bounded space, such as human infrastructures, air space, or minerals and oil below the surface or in adjacent seas.

The free flow of data -> It has come to be perceived as a threat, leading to securitised, territorialised and ultimately geopoliticised debates on data flows.

New forms of cross-border interaction, like cloud computing, and new actors, such as digital platforms, challenge traditional concepts of sovereignty, territoriality, jurisdiction, and borders, highlighting the need for rethinking.

National initiatives have emerged to regain control over strategic data, leading to increasing demands for digital sovereignty from different governments and people.
Governments and private actors have developed their digital capabilities, or cyberpower.

EU sovereignty: the ability of the European Union to control its own digital infrastructure and data. This is important for the EU to maintain its independence and to protect its citizens' privacy in line with the EU values.

Week 4 - Cyber operations

Sovereignty shift:
- In the digital age, data is not a finite resource.
- Digital assets are largely private. This forces us to rethink the nature of sovereignty.
- Digital sovereignty is the control of data, software, and other digital resources.
- Cyber power is the power to regulate the digital.

Law and territoriality are both essential for exercising sovereignty

Since the Peace of Westphalia (1648), political geography has provided jurisprudence with an easy answer to the question of how widely a ruling should apply, and that is as far as the national borders within which the legal authority operates.

The territoriality problem arises from a misalignment between the normative space of law, the physical space of geography, and the logical space of the digital.

The decoupling of law and territoriality became a problem during the debate on the right to be forgotten. It is difficult to implement the right to be forgotten by asking Google to remove links to someone's personal information in the US because of a decision taken by the Court of Justice of the EU, unless the links are removed from all versions of the search engine.

The impact on power

Cyber power is the power to regulate the digital sphere. This includes the power to set standards for digital technologies, to develop and enforce cybersecurity measures, and to regulate the collection and use of data. Cyber power is important because it allows states and other actors to shape the digital environment and to protect their interests in the digital world.

Poietic power is the power to create or shape the digital sphere.
This includes the power to develop new digital technologies, to create new digital platforms and services, and to influence the way that people use digital technologies. Poietic power allows states and other actors to shape the future of the digital world and to promote their interests in this domain.

Cyber power

These concepts are all interrelated. For example, a state with strong digital sovereignty will be able to exercise greater cyber power and poietic power. Similarly, a state with strong cyber power will be able to better protect its digital sovereignty and to promote its poietic power.

The US government is focused on developing new digital technologies, such as artificial intelligence and quantum computing, and on maintaining its dominance in the global digital economy.

China has developed its own digital infrastructure and platforms, and it is increasingly restricting the access of foreign companies to the Chinese digital market.

The European Union is developing a number of policies to promote digital sovereignty, such as the General Data Protection Regulation (GDPR) and the Digital Services Act. These policies aim to give EU citizens more control over their data and to protect the EU's digital economy from foreign competition.

EU and cyber power

Three principal policy areas:
- Network and Information Security (NIS)
- Fight against cyber-crime
- (Military) cyber-defence and other foreign policy aspects

The invention of photography had a huge impact on privacy. European governments made travelling with a passport compulsory during the First World War, extending the state's control over the means of mobility.

Conflicts in cyberspace

Cyber conflicts are not won in the same way as kinetic ones -> Victories in cyber conflicts are tactical. They are about blocking attacks more than achieving long-term, strategic goals.
For this reason, winning a cyber conflict does not bring political power to the winner, nor does losing a cyber conflict compromise the authority of an already powerful actor in cyberspace.

The shift from winning to resolving conflicts as a sign of political power. In pre-information societies, political power was transferred from A to B, and conflicts facilitated this transfer.

Power is now diffused among state and non-state actors. The diffusion of power contributes to the erosion of the Westphalian model of the nation-state. Escalation is the main challenge.

Contexts of cyber power

There are two main ways in which scholars have depicted the effect of cyberspace on power.

First, the initial development of cyber power discussions was driven by utopian visions of a cosmopolitan, 'emancipated' society freed from restraints thanks to the democratising effects of the new technologies. It is most clearly expressed in Barlow's famous 'Declaration of the Independence of Cyberspace'.

Second, military strategists started to realise that networked computers had a direct link to war. Doctrine papers about information warfare that emerged in the 1990s started to treat cyberspace as a 'domain of warfare' in theory and practice. Cyberspace was officially added as the so-called 'fifth' domain by the Pentagon in 2011, next to land, sea, air, and space.

Realms of cyber power

Cyber power is the use of resources related to cyberspace to achieve specific (political) ends inside and outside of cyberspace.

Cyber power rests on a set of resources that relate to the creation, control and communication of electronic and computer-based information (infrastructure, networks, software, human skills) and refers to the ability to obtain preferred outcomes through the use of the electronically interconnected information resources of the cyber domain.

Apart from 'compulsory' (coercive) power, cyber power is hard to attribute to specific actors.
Most forms of cyber power cannot be 'wielded' by states or other actors: they are forms of power emerging through an interaction of technology and social behaviour, which challenges cyber power definitions that are built on the deliberate 'use' of cyber resources.

Cyber warfare

A cyberattack is an operation that uses digital information to interfere with an information system's operations. (Not electronic warfare.)

Cyberwar does not need and is not about cyberspace. Although systems are generally accessed through cyberspace, there are other paths hackers can use to introduce errors into computer systems without using the (public) Internet.

Cyberwar refers to a systematic campaign of cyberattacks for political or military ends.

Cyberwar comes in two basic types. Strategic cyberwar targets a country's critical systems. It is undertaken to weaken its ability to resource combat. Tactical cyberwar targets military systems, in conjunction with a kinetic military operation, to enhance the latter's success (Stuxnet).

Russian cyber ops

Scott Jasper's analytical framework helps break down Russian cyber operations into technical methods (how they gain access to target systems, confuse or mislead their adversaries about the source and intent of their actions) and legal classifications (whether they constitute an armed attack, use of force, or internationally wrongful act).

Cyber operations allow Russia to achieve strategic objectives, such as undermining adversary states and institutions, without resorting to open warfare.

Russia exploits the absence of a definitive legal framework for cyber warfare. While physical acts of war, such as invasions, are clearly defined under international law, cyber operations often fall into grey areas.

Stuxnet

Operation OPERA, 8 June 1981: IDF bombed and destroyed an atomic reactor near Baghdad that would have enabled Iraq to manufacture nuclear weapons.
France and Italy helped build the reactor.

Week 5 - Cyber security strategies

Strategy's goals

1. Communicate a detailed strategic vision of the current and future security environment to help inform public audiences both at home and abroad about national intent and the nation's values
2. Present a comprehensive national security threat and risk assessment to define and prioritise requirements for tackling threats
3. Offer prioritized, quantitative and measurable goals and objectives with timelines
4. Identify domestic and international factors, such as comparative capabilities, issues and trends, that will affect achieving security goals and objectives
5. Develop a framework for collaboration across government on national security policy, roles and missions, and identify policy areas where departments and agencies can be more efficient and effective in working together
6. Indicate how elements of national power, ways and means are directed at solving issues
7. Guide government departments' and agencies' processes for budgeting, planning and executing, and for organizing, training and equipping personnel

Effective cyber strategy

Elements of an NCSS should include:
- a statement of purpose, scope, and methodology
- problem definition and risk assessment
- goals, subordinate objectives, activities, and performance measures
- resources, investments, and risk management
- organisational roles, responsibilities, and coordination
- integration and implementation

The problem of retaliation

Retaliation requires figuring out how to make an adversary's systems fail and keep on failing. The ability to induce minor damage, which is quickly repaired, has no deterrent effect.

The US will respond to hostile acts in cyberspace as we would to any other threat to our country.
We reserve the right to use all necessary means - diplomatic, informational, military, and economic - as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners and our interests.

Week 6 - NORMATIVE APPROACHES

What is a norm?

A norm is a collective expectation for the proper behaviour of actors. A norm exists only when a group agrees with and holds particular beliefs about expected behaviour.

National cyber strategies can be normative. Norms articulate a goal or vision of what a group of states wants to achieve (cooperation, privacy prevails in strategies).

The problem of attribution in international relations, where state actors are not readily identifiable and their actions cannot be accurately attributed, creates disorder and challenges the assumptions that form the basis of the states system, international society, and international order. This introduces a new dimension of anarchy to the social practices of IR, affecting practices like diplomacy and international law.

Attribution problems

Attribution is essential to deterrence of attackers through fear of retaliation. Arguments on deterrence, balancing power, and preserving peace assume identifiable states.

Attribution of a cyber attack to a state is the key element in building a functioning legal regime to mitigate attacks. The laws of war require one state to identify itself when attacking another state (The Hague Convention Relative to the Opening of Hostilities, 1910, art. I).

In the realm of cybersecurity, it's challenging for states to deter other state actors who can conceal their actions or hire private hackers as proxies.

International law in cyberspace

The focus of international negotiation has revolved around two axes: first, establishing whether and how existing international law applies in cyberspace; and second, negotiating norms of responsible state behaviour.
Although states agreed in 2013 that existing international law does apply in cyberspace, the problem of how to apply it has yet to be resolved. Questions persist about the interpretation of Article 2(4) of the UN Charter, which prohibits states from the 'use of force' unless granted authorisation by the UN Security Council or unless (as stipulated under Article 51) responding to an 'armed attack'.

Law vs norms

Chris Demchak has called attention to what she calls 'wars of disruption', in which the focus is no longer lethality but organisational disruption through information systems (2011).

Hedley Bull articulates three reasons why states obey international law: because the law may be regarded by them as 'valuable, mandatory or obligatory'; because of the threat of coercion; in the hope that doing so may prompt reciprocal behaviour from other states.

Russia and China have argued strenuously for a treaty to address global cyber security concerns; the US view that no new law is necessary has thus far prevailed. One exception is the Council of Europe Convention on Cybercrime, but this does not address global security concerns beyond criminal activity.

Ex: In October 2014, hackers raided the computer network of Sony Pictures. The hackers downloaded nearly the entirety of Sony Pictures' records, including internal communications, scripts, and even unreleased movies, and the hackers proceeded to dump these all online while erasing them from Sony's computers.

Only 25 days after the attack, the FBI attributed it to North Korea. FBI Director James Comey announced that he had "very high confidence" that the attack came from North Korea, and NSA Director Michael Rogers similarly said that he was "confident" that "this was North Korea." But how exactly did they reach this conclusion, and reach it with such confidence?

The attribution of the attack was made easier through context.
Although this attack targeted a private actor, instead of a public one (as in the Stuxnet attack), Sony officials were well aware that The Interview could antagonize North Korea, whose regime "had been widely blamed for a series of cyber attacks" in the past. North Korea had means and motive.

There was also forensic evidence. FBI officials noted similarities to the DarkSeoul attack, a previous cyber-attack that North Korea launched against South Korean banks. Evidence that the malware was produced on computers with Korean language settings was found. The data revealed a trail of internet staging points for the attack that similarly pointed towards North Korea.

UN GGE

UN GGE process has provided a mechanism for states to express their views, articulate their interests, and negotiate both the common ground upon which they agree

Russia and China are closer to each other in threat perceptions. They put an emphasis on sovereignty in cyberspace, while the US is concerned with network security and a free flow of information for economic and political reasons.

US: its approach to attribution is one that avoids the difficulties of the accurate forensic analysis of cyber incidents through technical means and relies instead upon judgements about who one feels was most likely behind the attack, given a whole range of other factors like capability and motivation.

China and Russia: the accusations of organising and implementing wrongful acts brought against states should be substantiated.

Open-ended working group

The UN GGE and the Open-ended Working Group (OEWG) have proposed several important norms to guide responsible state behavior in cyberspace.

States should avoid cyber operations targeting another nation's critical infrastructure, especially assets essential to public safety, like energy grids, healthcare systems, and water supplies. This norm seeks to protect hospitals, medical research facilities, and humanitarian organizations from cyber threats.
Interstate Cooperation on Cybersecurity: The norms encourage states to assist one another in managing and responding to cyber incidents. This cooperation might include sharing information about threats, vulnerabilities, and mitigation techniques. Such collaboration is particularly important for addressing large-scale cyber incidents that could affect multiple countries simultaneously.

Attribution's non-tech problems

The challenge is in convincing other states that a source has correctly been identified. A state that wishes to employ countermeasures needs to convince other states of the accuracy of its attribution in order to establish the legitimacy of its attack.

This issue may arise for two main reasons: attribution may be based on data collected through state espionage or intelligence-gathering efforts that states may wish to keep secret; when states have plausible factual bases for attributing an attack, they may not want to disclose such evidence, since cyber-attackers could learn from those mistakes and avoid leaving the same fingerprints in the future.

The state responsibility doctrine is a legal problem that exists beyond the realm of cyber-attacks, and has consequently been addressed before in other contexts. International law already possesses a state responsibility doctrine for attributing the malicious behavior of non-state actors to a state.

As Bull noted in regard to the different problems of his time, the value of international law lies not in its capacity to dictate rules that states must adhere to and to stipulate consequences for the violation of those rules. Rather, the value of international law lies in its capacity to provide a mechanism or a channel through which agreed interests may be institutionalised, acknowledged, and organised. In doing so, international law provides some measure of predictability and reassurance about state behaviour.
It allows states to signal their 'intentions with regard to the matter in question' (1977, 142).

What would be the use of force in cyberspace? Physical damage towards infrastructure.

Week 7 - Influence operations

Sharp power

Sharp power penetrates the political and information environments in the targeted state to undermine the political and social fabric of the state.

Not attraction or persuasion (soft): it centres on distraction and manipulation (sharp). Not to convince that the autocratic system is attractive, but making democracy appear relatively less attractive. Make something look better by comparison.

The concept emerged from the influence operations used by China and Russia in Eastern Europe and South America. Sharp power is characterized by efforts to undermine the legitimacy of foreign institutions, manipulate public perceptions and exert pressure on individual actors in the host state.

When is power sharp?

Focusing on divisions

The conspiracy theory that AIDS was the result of a biological weapons experiment conducted by the US government. During the AIDS epidemic, Soviet operatives leaked questionable evidence into foreign institutions and media outlets to cast doubt on the virus's origin. The US government's slow response to the epidemic, which mainly affected gay men and people of color, fueled conspiracy theories that it was responsible.

Social, religious, gender divides: part of the reason why the HIV/AIDS conspiracy was effectively instilled into the belief systems of everyday people was because it involved identifying and exploiting pre-existing divisions among society and then using disinformation to sow further discord and distrust.

It's a platform society

State and non-state actors have increasingly used the internet to pursue political and military agendas, by combining traditional military operations with cyberattacks and online propaganda campaigns.
These hybrid methods often make use of the spread of disinformation to erode the truth and undermine the credibility of international institutions and governments. Influence operations form part of a larger effort by nations to exert power over adversaries in multiple spheres: military, diplomatic, economic. These efforts can involve targeted corruption; funding and setting up political parties, think tanks or academic institutions; and exploiting ethnic, linguistic, regional, religious and social tensions in society.

Influence operations

Influence operations are an umbrella term covering all operations in the information domain. They include all soft power activities (e.g. public diplomacy) intended to galvanize a target audience (e.g. individuals, specific groups or a broad audience) to accept approaches and to adopt decisions that mesh with the interests of the instigators of the operation. IOs are inherently deceptive, with the intention to cause harm and distrust. As such, they constitute interference with normal behavior and opinion formation, but also with domestic (democratic) processes and the sovereignty of states.

Change of traditional media

Cyberspace acts as a liberator from traditional controls of information, which implies that today anyone can become a propagandist. The internet has shifted the traditional model of information dissemination via the media and government entities to the dispersal of information by individuals and small groups, who may operate without a clear hierarchical model, rules, or regulation. Traditional media and the state have lost the monopoly on information dissemination. In comparison to most social media, established news media have editorial guidelines which oversee the type and accuracy of information published.

The breakout scale

Ignoring: US ambassador in Russia stays away from engaging with online critics.
Former ambassador McFaul engaged online with his followers to explain the position of his country (scandal with the Russian MFA and departure from Russia).

Debunking: #EuropeUnited campaign launched by the German MFA in 2018 in response to the rise of nationalism, populism and chauvinism (to correct misperceptions and falsehoods spread online about Europe by presenting verifiable information about what European citizens have accomplished together as members of the European Union).

Turning the tables: the use of humor and of sarcasm, deflecting challenges to one’s narrative, undermining the credibility of the source.

Discrediting: FCO campaign, took advantage of the Russian attempt to generate confusion about the Skripal poisoning: offering different explanations made absolutely no sense, therefore Russian claims could not be trusted.

Week 8 - Internet regulations

Fairness vs efficiency

The multi-stakeholder model, which is fundamental to cyberspace governance, brings a conflict between fairness (the need for inclusive participation) and efficiency (the ability to make timely decisions). This model allows diverse actors to participate equally, reflecting the open nature of the Internet, but also results in delays and often lacks decisive outcomes due to the requirement for broad consensus.

Governance in cyberspace is fragmented due to the wide array of institutions involved and the overlap in their responsibilities. This fragmentation leads to inefficient coordination among international, national and non-governmental entities, making it difficult to form a unified approach to cybersecurity threats.

Regulatory models

There are three prominent regulatory models: the American market-driven regulatory model, the Chinese state-driven regulatory model, and the European rights-driven regulatory model. Tech companies face dilemmas complying with conflicting regulations.
For instance, Microsoft was pressured by US law enforcement to share European users’ data while complying with EU privacy standards. These conflicts demonstrate how companies must balance differing expectations from governments in the US, EU, and China.

Shift from traditional Internet governance, focused on technical and infrastructural management, to cyberspace governance, which includes a wide range of political, economic, social and security concerns. This shift was recognized as a necessity due to the growing influence of cyberspace across multiple domains.

The US model emphasises free-market principles, limited government intervention, and protecting free speech. Tech giants like Google and Meta have thrived under these policies, prioritising innovation over regulation. However, the US approach has faced criticism for enabling monopolies and privacy violations, exemplified by Facebook’s role in disinformation campaigns like those preceding the Brexit vote.

China prioritises state control and economic growth through technology, using platforms for surveillance and social stability. The “Great Firewall” censors undesirable content, while companies like Huawei are seen as extensions of state influence. China’s use of AI and social credit systems to manage citizens illustrates its surveillance-heavy, authoritarian approach.

The EU values digital rights, privacy, and competition. Its regulations, such as the GDPR, aim to balance tech growth with individual rights, positioning the EU as a “digital rights protector.” This model restricts tech giants from excessive data collection, which has influenced global data protection norms through the “Brussels Effect”, pushing companies worldwide to comply with EU standards.

EX. Revolut

Revolut has announced the rollout of its Revolut X crypto exchange across all 30 European Economic Area (EEA) countries.
The alignment with EU MiCA legislation demonstrates how regulatory clarity can enable traditional financial institutions to confidently enter the crypto space. This could set a precedent for similar expansions in other regions as regulatory frameworks mature. Europe can establish itself as a solid hub for all things digital assets.

On June 14, 2024, the EU adopted a new regulation that aims to create standard rules for device repairability. Regulation like this starts with the European Commission adopting it and then issuing a date on which Member States must incorporate the rules into their respective law books. For this one related to device repairability, that date is July 31, 2026. Smartphone makers have until August 2026 to make their designs meet new EU repairability standards. Right now, to replace a battery in a recent flagship smartphone from Apple, Samsung, or Google, you need specialised tools and varying levels of repair skills.

The intensifying competition between the US and China for technological supremacy: Both countries use export controls and investment restrictions to limit the other’s access to critical technologies, leading to rising tech nationalism. The US has restricted Chinese tech firms from American markets, while China has blocked major US tech firms like Google.

Tensions arise over privacy, antitrust, and taxation. For example, the EU’s strong stance on privacy contrasts with US national security priorities, leading to restrictions on transatlantic data flows. The EU has imposed fines on companies like Google for antitrust violations, while the US views the EU’s regulations as protectionist.

The once-dominant US model faces global backlash, as other regions criticise its leniency on tech giants’ privacy and monopoly issues. Through its “Digital Silk Road”, China exports its technology and regulatory norms to developing nations.
Concerns over espionage illustrate the risks of adopting China’s state-centered model. The EU exports its rights-driven approach globally, with the GDPR setting a high bar for data protection standards. This “Brussels Effect” has influenced data protection laws in countries like Brazil and Japan. European regulations on AI and content moderation continue to impact global tech governance.

The American model

The American model emphasises market reliance and limited government intervention to foster innovation and economic growth. It advocates for less regulation, enabling tech companies, especially in Silicon Valley, to thrive through meritocracy and risk-taking. Key legislation like Section 230 protects tech companies from liability for user-generated content, allowing platforms like Facebook and Twitter to moderate without censorship. However, this raises concerns about unchecked influence and misinformation.

While generally favouring minimal regulation, the US government does intervene when national security is at stake, especially in cybersecurity and strategic technology areas. For instance, the CHIPS and Science Act, which provides substantial funding for semiconductor development, illustrates government support to maintain technological leadership amid global competition, especially against China.

Monopoly power?

Critics argue that the American model’s light regulatory touch has led to monopolistic practices among tech giants like Google, Amazon, and Meta, whose influence is often perceived as undermining competition and consumer choice. Tim Wu describes this as the “curse of bigness”, where corporate power grows at the expense of democratic values and economic equality.

Can cyber self regulate?

Unlike the European Union, which has stringent data protection laws (e.g. GDPR), the US lacks a federal privacy law. The dominance of American tech companies has allowed the US regulatory model to shape the global digital economy.
However, countries worldwide are now responding with their regulations to counter the influence of US-based platforms, with some adopting the European rights-driven model or China’s state-driven approach as alternatives.

Semantic capital

There is a wealth of resources (ideas, insights, discoveries, inventions, traditions, cultures, languages, arts, religions, sciences, narratives, stories, poems, customs and norms, music and songs, games) that we produce, curate, consume, transmit, and inherit as humans. We use this as semantic capital in order to give meaning to, and make sense of, our own existence and the world surrounding us, to define who we are, and to develop an individual and social life.

Semantic Capital: any content that can enhance someone’s power to give meaning to and make sense of (semanticise) something. The content in the definition refers to well-formed and meaningful data.

Human focused capital

Humans have semantic capital. Animals and robots do not and cannot. Animals handle only meaning at most, but never sense. They do not have narratives within which meanings are embedded: they may feel the flames, but have no reflective sense of their past and future. Robots only handle syntax, not even meaning. Semantic capital is not the only thing that defines us, but it is certainly what defines only us.

Three categories of capital:
- economic
- social: network of interpersonal relationships (shared sense of identity, shared norms and expectations, mutual acquaintance and recognition) that can have an economic value, for example in the advancement of one’s own personal career.
- cultural

X-Risks

Over the past decade, some AI researchers have raised alarms / Sufficiently powerful AI models, if not properly controlled, could pose an existential threat to humanity (often called "x-risk" for existential risk).
In particular, "AI takeover" is a hypothetical future in which AI systems gain the ability to control or manipulate human behavior, resources, and institutions, usually leading to catastrophic consequences.

A separate but often interrelated field is AI alignment research. In AI, alignment refers to the process of ensuring that an AI system’s behaviors align with those of its human creators or operators. Generally, the goal is to prevent AI from doing things that go against human interest.

Transparency as an issue?

Self-regulation / OpenAI granted the group Alignment Research Center (ARC) early access to multiple versions of the GPT-4 model to conduct tests. ARC evaluated GPT-4’s ability to make high-level plans, set up copies of itself, acquire resources, hide itself on a server, and conduct phishing attacks.

We now believe we were wrong in our original thinking about openness, and have pivoted from thinking we should release everything to thinking that we should figure out how to safely share access to and benefits of the systems. We still believe the benefits of society understanding what is happening are huge.

Approaches to AI regulations

The EU AIA was proposed by the EU’s executive branch, highlighting strong institutional backing for the act. In contrast, the US AAA has yet to win support in the Senate or the House. While the bill is a revised (and improved) version of the 2019 Algorithmic Accountability Act, it remains unclear whether it will gather sufficient political support to become law.

The EU AIA is a lengthy, opaque document that attempts to lay down rules for using ADS and provide details about how these are to be enforced. In comparison, the US AAA takes a high-level approach. It defines critical terminology and stipulates requirements that owners of ADS must fulfill.
Week 9 - Geopolitics of cyberspace

From steel to silicon

The birth of semiconductors / The historical context of semiconductor development, from vacuum tubes to transistors. The pivotal role of William Shockley's invention of the transistor in 1948. Context of World War II and steel dominance. The shift towards computation as a crucial need. Introduction of transistors and their limitations. Invention of integrated circuits (ICs). Demand for ICs driven by America's space (Apollo mission 1961, NASA 1958) and defence needs (Texas Instruments from USAF ICBM Minuteman missile guidance system 1962; US nuclear triad).

Cold War competition

Global competition in semiconductors / The US, USSR, Japan, and other countries engaged in the semiconductor race during the Cold War. Strategies such as "copy it" and "license it." US defeat in Vietnam sent shock waves through its East Asian allies, which relied on the security arsenal provided by America. This led to the strategy of offshoring the production facilities to the East Asian allies. Soviet Union's efforts to compete with the US in semiconductors. "Copy it" strategy vs. "license it" strategy. Japan’s entrepreneurial spirit and emergence of the semiconductor race (calculators, Walkman with US chips). Impact of the Vietnam War on microelectronics-led defence (Air Force struggled with a lack of precision).

Loss of leadership

Rise of Japan and challenges to the US / Japan's "license it" strategy and superior production methods led to its dominance in the semiconductor market. The decline of the US semiconductor industry. Post-World War II arrangements with Japan (defence spending was capped at 1%). Japan's success in the US market. Shortcomings of US companies in recognising Japanese influence. GCA's downfall (breaking up with Nikon) and the decline of the US semiconductor industry by 1993.
America resurgent

US recovery and challenges ahead / The US, led by companies like Intel, aimed to regain market share. The competition with Japan, Korea, and Micron, as well as Intel’s focus on microprocessors. Intel's strategy to regain market share (processor leader). Micron's challenge to Japan in the DRAM market. Korea as a strategic US ally and its impact on Japanese exports. Japan's focus on DRAM over microprocessors. US dominance in microelectronic weaponry during the Cold War.

Foundry model

Foundry model / Chang proposed a business model of starting a "foundry" business serving "fabless" firms, which will help them scale up rapidly. The idea was that technology firms could focus on designing their own chips, which could then be offshored to Taiwan for mass production. TSMC was founded in 1987 with investments from Philips and the Taiwanese government. SMIC was founded in 2000 and soon started competing with TSMC. Morris Chang's role in setting up Taiwan’s semiconductor industry. The "foundry" business model and its success. China's recognition of falling behind and the founding of SMIC. ASML's monopoly in lithography tools.

Changing dynamics in supply chain nodes. Between 1990 and 2000, clear leaders started emerging in each of the supply chain nodes. Intel wanted to maintain its dominance in the microprocessor space. This oligopoly was too profitable for Intel to even consider a vertical expansion. This blinded them to the future of computing: smartphones. When Intel turned down the iPhone contract, it went to Samsung and then to TSMC (which manufactures it today). Intel could never find a lucrative window to enter the smartphone industry.

Offshoring innovation

Changing industry dynamics / The shift towards the foundry business model and how companies like TSMC and Samsung played a crucial role in manufacturing. The importance of lithography tools and innovation.
There are three major types of chips being manufactured: logic, memory (DRAM and NAND), and sensors. The role of foundries allowing technology firms to focus on innovation. Examples of innovation by companies like Nvidia (GPU, AI) and Qualcomm (mobile). The importance of lithography tools in chip manufacturing. Challenges faced by Global Foundries. The missed opportunity in the smartphone industry.

China’s challenge

China's ascent in the semiconductor race / China's efforts to become self-reliant in semiconductors and its challenges in competing with established players. The geopolitical significance of semiconductor dominance. China's desire for self-reliance in semiconductors. The Made in China–2025 plan and its goals. Technology transfers and partnerships with China. Huawei's role in leading China's self-reliance mission. The significance of advanced chips in the era of AI.

Chip choke

The US is trying to pressure the Dutch government into not shipping chip-making equipment to China / The US is trying to cut off China’s ability to make advanced semiconductors, on the judgment that advanced semiconductors are critical to training AI systems. If you can’t get access to the most advanced chips, then you can’t make meaningful advances in AI. Taiwanization of the semiconductor industry. China's strategies including espionage and secrets theft. US stranglehold on critical semiconductor supply chain chokepoints. Pandemic-induced disruptions and the world's reliance on East Asian chip manufacturers. Future prospects and the battle for chips.

Week 10 - Privatization of cyber security

Public-private dynamics

Public-private partnerships / The complexity of integrating public and private efforts in cybersecurity, emphasising governance, ethical challenges, and the need for accountability. Protecting vital systems requires nuanced collaboration and clear policies to manage the roles of private entities.
The privatisation of cybersecurity services poses risks, particularly in defining permissible activities and ensuring alignment with public interest. Public-private partnerships (PPPs) are crucial for addressing cybersecurity challenges due to the privatised and decentralised nature of the internet. Challenges include balancing public authority with private-sector roles and managing the risks of over-securitisation. The EU’s cybersecurity framework emphasises partnerships through agencies like ENISA and the EC3 Cybercrime Centre in Europol.

The ethics of private cyber security

From Defence to Offence / Ethical considerations in private-sector involvement in cybersecurity range from defensive measures to controversial offensive capabilities like “hacking back.” The Moderately Restrictive Approach is where private firms can provide defensive cybersecurity but should avoid offensive actions. Cybersecurity raises broader ethical questions about the privatisation of security and the balance of public and private interests.

Big Tech as Guardians and Gatekeepers

Dual function / Guardianship functions: Development of critical cyber security tools (e.g., Microsoft Defender, Google Safe Browsing). Innovations in encryption and secure cloud storage. Gatekeeping concerns: Monopoly on critical technologies (AWS, Azure, and Google Cloud dominate global cloud infrastructure). Control over data flows, influencing information access and privacy. Allegations of complicity in state surveillance and censorship.

The emergence of Big Tech as key players post-2000: Microsoft, Google, and Amazon as infrastructure providers. Snowden revelations on PRISM and tech companies’ compliance with state actors.

Asymmetries

Implications of privatisation on international relations and sovereignty / Ethical asymmetry: Who is responsible for securing cyberspace: states, corporations, or a hybrid model?
Geopolitical asymmetry: Big Tech as geopolitical actors: US-based tech companies vs China’s state-backed cyber ecosystem. Influence on global norms and standards (e.g., encryption policies and 5G networks).

Economic asymmetry: The power imbalance between states and tech giants. The digital divide and its implications for international relations. The tension between private profit motives and public accountability. Apple’s stance on user privacy contrasts with Google’s data-driven ad model, showing divergent approaches to security and privacy.

Regulation vs innovation

Public good vs for profit / Search engines, like Google, are not just tools of convenience but critical gatekeepers of information and perception. Their rankings, inclusions, and exclusions shape societal understanding and decision-making. The algorithms used for search rankings are kept secret, leading to concerns about fairness, bias, and manipulation.

Challenges to Regulation: Balancing this freedom with the need to curb harmful speech like fake news and propaganda presents ethical and legal dilemmas. For instance, while the US permits certain forms of hate speech under free speech protections, many European jurisdictions impose stricter limitations.

Private actors in cyber security

Private actors of cyber security / Private firms are both the objects and agents of cybersecurity. They both need protection and provide protection – and sometimes do both. In terms of being the objects of cybersecurity, firms have been subject to notable attacks, with several high-profile cyber incidents for firms such as Equifax, FedEx, Google, Maersk, and Sony.

The distinction between defensive and offensive cyber security. Defensive measures vary in how passive or active they are depending on the activity beyond the defender’s own network. Passive measures are purely defensive weapons, with no activity beyond the defender’s own network.
Agents vs objects

Intersection of state and private / Important is the fact that the private sector is now responsible for much of the maintenance of some states’ critical infrastructure – it owns much of it – and so is a key object in need of protection. Inadequate private cybersecurity also affects national defence and internal security. This is in part because civilian infrastructure, such as cables and satellites, is used to transmit military data.

The agents of security. Private firms provide in-house cyber security to protect themselves. There are also cyber security firms such as Novetta, Cloudflare, CrowdStrike, Trend Micro, and FireEye that are hired by other firms, governments, and other actors to provide cyber security. In the 2019 UK election, the protection offered by the US-based firm Cloudflare helped the British Labour Party to survive a DDoS attack.

Privatisation or default option?

Can we talk about privatisation of security in cyber space? The development of the cyber domain has happened to a considerable extent in private hands. Unlike traditional military and security services, which have been outsourced, cyber security was not in public hands in the first place. To be sure, some states now possess some of the largest and most sophisticated cybersecurity capabilities. Cyber security, unlike traditional military and security services, is not being privatised since it was private to start with. This has important normative implications.

Problem of privatization

Swiss cheese model: private defense cybersecurity faces some negative externalities, particularly in relation to its effects on inequality and democratic accountability. The issue of inequality in access to cybersecurity provision. One concern in this context is exclusion, where those who cannot afford to purchase security are left unprotected. With PMSCs, the reliance on the market to provide security services creates a Swiss Cheese model.
The poor and disadvantaged lack protection because they cannot afford it. With the introduction of market logic into cybersecurity, influential agents may no longer be willing to support a general, basic level of public protection because they do not require it, since they can purchase expensive private protection.

Democratic control: a second set of issues concerns the lack of democratic control over private, defensive cyber security. Democratic oversight has been one of the main challenges with PMSCs, given the secretive nature of the industry, the lack of understanding of it by the public and legislature, and the absence of data, such as money spent on contracts and the details of the contracts. Private cybersecurity extends beyond traditional lines of democratic accountability - that is, the state - which is the main locus of democratic rights.

Week 11 - Cyber crime

Types of cyber crime

Most cybercrime has real world implications despite its virtual context / Therefore, it is useful to distinguish between two broad categories of cybercrime. There is no clearly articulated and globally accepted definition of cybercrime, a complex phenomenon influenced by many different actors and technological and socio-economic drivers. Europol defines cybercrime as criminal acts that are committed online by using electronic communications networks and information systems.

Cyber-enabled crime refers to existing crimes that have been transformed in scale or form by the use of the internet, such as online fraud and forgery.

Cyber-dependent crime refers to crimes that employ a digital system as the target as well as the means of the attack, such as viruses or other malware and hacking.

Actors of cyber crime

Various reasons for cyber criminal activity / Individuals (individual interest, personal gain, fame, challenge); Hacktivists (ideology); Organised crime (financial gain, access to other systems); Nation state and state-sponsored actors (espionage, exploitation).
Use of tech in crime

Technology as a victim / Technology as a target of crime is traditionally considered to be true “computer crime” and involves such offences as hacking, denial of service attacks and the distribution of viruses.

Technology as an aid to crime is where computers and other devices are used to assist in the commission of traditional crimes. For example, to produce forged documents, to send death threats or blackmail demands, or to create and distribute illegal material such as images of child abuse.

Technology as a comms tool / Technology as a communications tool is where criminals use technology to communicate with each other in ways which reduce the chances of detection, for example by the use of encryption technology.

Technology as storage is the intentional or unintentional storage of information on devices used in any of the other categories and typically involves the data held on computer systems of victims, witnesses or suspects.

Technology as a witness to crime / Technology as a witness to crime can be found when evidence contained in IT devices can be used to support evidence to which it is not obviously related, for example to prove or disprove an alibi given by a suspect or a claim made by a witness.

Microsoft Digital Defence Report

Week 12 - Digital rights and freedoms

Human security and oversight

Human security, including rights to privacy and freedom of expression, is becoming a key issue in cybersecurity governance / There are not enough transparent, multi-stakeholder mechanisms to hold governments and companies accountable while ensuring the protection of civil liberties. Initiatives such as the US CLOUD Act and the EU e-evidence regulation allow law enforcement to obtain electronic evidence directly from companies, shifting some enforcement responsibilities to private actors. This trend raises concerns about the balance between effective oversight and democratic governance.
The erosion of privacy?

The evolution of the data economy and the erosion of privacy / Three key drivers of this transformation: the discovery of data’s profitability, the post-9/11 security paradigm, and a cultural shift away from valuing privacy. Governments began leveraging corporate data collection for mass surveillance, with the US Patriot Act exemplifying how national security justified privacy intrusions. Privacy was no longer a social norm, reflecting a broader narrative that individuals willingly traded privacy for convenience?

The power dynamics of data

Privacy is a form of power that ensures autonomy / When individuals lose control of their data, they lose autonomy. Conversely, entities that aggregate data (e.g., governments or corporations) gain disproportionate power. Giving data to companies fuels economic inequality, as wealthier entities exploit it for profit. Giving data to governments risks authoritarianism, as surveillance mechanisms can suppress dissent. Centralising data with corporations or governments creates harmful power imbalances. Privacy decentralises power, enabling individuals to retain autonomy over their lives and decisions. Countermeasures include encryption, data minimisation, and user empowerment to mitigate these concerns and protect individual privacy.

EU’s strategic autonomy

The EU's lack of major tech companies has prevented it from being proactive in the global race to technological leadership / This has led to the EU implementing protectionist initiatives and regulations to protect its internal digital market, with digital sovereignty tied to being a regulatory actor in the international digital environment. The impact of these initiatives has been limited to US digital service providers and Chinese tech companies in the European market. Since 2013 the EU has sought to gain more control over third country-based tech giants through legislative solutions regulating its internal market.
EU and private sector in cyber

Governance models / Cybersecurity governance is moving from a field typified by “Regulatory Capitalism”, in which the private sector holds a privileged co-regulatory position within the Commission's regulatory efforts, to one of “Regulatory Mercantilism” in which the Commission positions the private sector as something to be overseen and controlled.

Regulatory mercantilism

In this governance mode, the domestic private sector maintains a position of active cooperation in regulation through steering. The foreign private sector is seen as economic competitors and potential agents of other states. They are no longer part of the solution to cyber security threats but presented as threats in and of themselves.
