1. SNDC/CATS 0802 LN Presentation at the Symposium “Threats from the Net” New asymmetric threats in modern information societies Tallinn February 29, 2008 Dir. Lars D. Nicander, Center for Asymmetric Threat Studies, Swedish National Defence College

2. Terrorism Studies Dr. Magnus Ranstorp IO Studies Dr. Dan Kuehl Intelligence Studies Dr. Greg Treverton (+ Wilhelm (+ WilhelmAgrell) Asymmetric Threats Synergy Synergy

3. SNDC/CATS 0802 LN The Swedish Concept of IO* Information operations are joint and coordinated measures in peace, crises and war in support of political or military goals by affecting or using information and information systems owned by the opponents or other foreign parties. This can be done by using own information and information systems, which also at the same time must be protected. One important feature is to affect the processing of decisions and decision making. There are both offensive and defensive information operations, which are carried out in political, economic and military relations. Examples of information operations are information warfare, media manipulation, psychological warfare and intelligence operations. Defensive information operations are joint and coordinated measures in peace, crises and war regarding policy, operations, personnel and technology to protect and defend information, information systems and the ability for rational decision making. MoTIC-bill 99/00:86 * MoTIC-bill 99/00:86

4. SNDC/CATS 0802 LN Strategic/Economic Environment IO/IW Synergy Information Systems, Infosec Information, Intelligence Perceptions Joint Operations IO/ IW

5. SNDC/CATS 0802 LN Taxonomy Defensive Information Operations (IO-D)/ Defensive Information Warfare (IW-D) Critical Infrastructure Protection Information Assurance

6. SNDC/CATS 0802 LN The Asymmetric Character Coalitions Nations Organisations Individuals Coalitions Nations Organisations Individuals Classes III II I

7. SNDC/CATS 0802 LN The Dilemmas Anonymous attacks Anonymous attacks –How to detect an attack? –Who is at the other end? »A teenage hacker? »A corporation/organisation? »A nation? »Mix of these? What is an Act of War in Cyberspace? What is an Act of War in Cyberspace?

8. SNDC/CATS 0802 LN Information/Cyberterrorism

9.  Continuity of gov. (incl. media comm.)  Power  Telecom/ISP  Financial systems  ATC CIIP Critical Information Infrastructure Protection

10. SNDC/CATS 0802 LN Home Made HERF/EMP Device 20MWatts 30m Soft Kill Range

11. SNDC/CATS 0802 LN Cyber/Information Terrorism Aum Shinryko Aum Shinryko E-Jihad 2000-2001 E-Jihad 2000-2001 Arrest of an AQ-hacker in US Arrest of an AQ-hacker in US Al-Qaida IPB vs California Al-Qaida IPB vs California ATC – Boston and Schipol ATC – Boston and Schipol –Proliferation of DEW-weapons?

12. SNDC/CATS 0802 LN Physical Digital Target Tool Physical EM(DEW + digital) (a) Conventional Terrorism (Oklahoma City Bombing) (b) IRA attack plan on London Power Grids, July 1996 (c) Spoof (or HPM) Air Traffic Control to crash plane (d) “Pure” Cyber Terrorism (Trojan horse in public switched networks) Infrastructure Threat Matrix Critical Infrastructure Threat Matrix Cell (d) the most difficult to detect and counter

13. SNDC/CATS 0802 LN A scenario Airbus over Schipol or LAX Airbus over Schipol or LAX DEW or ”can-bomb” DEW or ”can-bomb” TV-camera or ”celluar-camera” TV-camera or ”celluar-camera”  9/11-effect…!

14. SNDC/CATS 0802 LN The International Context

15. SNDC/CATS 0802 LN Three Challenges Management issues (”bending pipes”) International Co-operation, Regimes etc International law (”use of force”) etc Domestic tasks International tasks

16. SNDC/CATS 0802 LN Some examples Conflict between East Timor and Indonesia in the end of 1997-99 Conflict between East Timor and Indonesia in the end of 1997-99 –The website (the ”.tp”-domain) of the East Timor independence movement located in Ireland was ”shot down” 990119. Indonesian Intelligence service suspected. “e-Jihad” 2000-2001 “e-Jihad” 2000-2001 –Attack on the Israeli Land Register Authority routed over Berlin and London Estonia Spring 2007 Estonia Spring 2007 Who´s law applies? Who´s law applies? What are the ROE`s for governments and LEA? What are the ROE`s for governments and LEA?

17. SNDC/CATS 0802 LN Collective Security in Cyberspace There are no borders in Cyberspace! There are no borders in Cyberspace! A cyber-intrusion could be routed from country A through country B, C and D before it ends up in country E. A cyber-intrusion could be routed from country A through country B, C and D before it ends up in country E. How can we trace back these intrusions? How can we trace back these intrusions? –Today: International Law Enforcement or private initiatives (FIRST etc) –Tomorrow: ”Fishwebs” between national CERT:s for tracing intrusions back in real time?

18. SNDC/CATS 0802 LN Country X Country E Country C Country D Country ACountry B Country Y Country Z Building “fishwebs” in Cyberspace UN, ITU etc

19. SNDC/CATS 0802 LN How to get an IA outreach? Closed technical and other arrangements (Five-eyes etc) has limited relevance when IT-attacks could pass through 192 countries Closed technical and other arrangements (Five-eyes etc) has limited relevance when IT-attacks could pass through 192 countries Global approach needed Global approach needed –How to deny “safe havens”? –What kind of incentives (“sticks and carrots”)? –Could the Stanford Treaty be a model?

20. SNDC/CATS 0802 LN Three Challenges Management issues (”bending pipes”) International Co-operation, Regimes etc International law (”use of force”) etc Domestic tasks International tasks

21. SNDC/CATS 0802 LN Conclusions of the Estonian case for Crisis Management  Enhancement of the security policy toolbox? –A state actor (with big resources) can act through cyber attacks and still conceal it's involvement.  Cyber attacks can be used in several ways: –As an add-on to economic sanctions or other non-miltary means of power projection (The Estonia Case) –As a force multiplier (taking out emergency systems after bomb attacks)  To improve preparedness and contingency planning in this area there is a need for: –Operational experience (More of Red Team exercises to detect critical vulnerabilities i societal networks, a GovCERT working 24/7 etc) –Cooperation – between agencies, private-public and international

22. SNDC/CATS 0802 LN Swedish IO and International Law* The use of cyber-weapons to attack information systems does not constitute violence in terms of international law but it may nevertheless contravene international law. At the same time it should be possible to make use of such weapons within the provision of the UN Charter (Article 41) – given an appropriate UN Resolution and consequent legal mandate – in order to uphold sanctions or for other conflict prevention measures even though this has hitherto not happened. A more flexible arsenal of non-violent measures of this type would be in line with traditional Swedish policy in this field. Another legal question is how, using measures permitted under international law, it is possible to bring to book, for example, terrorists who make use of such weapons. An international review of the provision of international law would be of interest to Sweden, with regard both to cyber-attacks perpetrated by states or individuals and to the possibility of using such a weapon as an instrument of sanction enforcement. *Parliament Decision 1999 (99/00:30)

23. SNDC/CATS 0802 LN Conclusion Areas of international co-operation Doctrines concerning use of IO/IW under UN or other international legal auspices (international operations, upholding sanctions etc.) Doctrines concerning use of IO/IW under UN or other international legal auspices (international operations, upholding sanctions etc.) Principles of building Regimes for defensive actions taken in Cyberspace (tracing, counterhacking etc.) Principles of building Regimes for defensive actions taken in Cyberspace (tracing, counterhacking etc.)

24. SNDC/CATS 0802 LN Q&A www.fhs.se/cats