Bad analogies and the threat to “cybersecurity”

By EDRi · March 25, 2015

In policy discussions about the online world a general pattern repeats: the online sphere is differentiated from its offline equivalent by adding the prefix “cyber”, which both gives it immediacy and generates a fear of the unknown “cyberworld”. Then, in order to explain “cyberspace”, practitioners draw analogies between cyber and non-cyber, often being blissfully unaware of, or indifferent to, the invalidity of the comparisons.

Often, simplistic distinctions are made only to be “bridged” by means of equally simplistic – and politically expedient – analogies, leading to poor or even dangerous policies. Here we will focus on two clear examples stemming from recent news, namely Germany’s and Switzerland’s capability to hack computer systems and networks located abroad.

In Switzerland, the National Council, the higher chamber of the parliament and, in this case, the first to vote on the issue, has approved the plans of the defence minister that envisage an extensive broadening of the Federal Intelligence Service’s competences. Not only will the Service have increased surveillance capabilities – both concerning Swiss and foreign citizens – but it will also be given the option to attack foreign computer systems and networks.

The legislative proposal states that the Swiss executive can, in – undefined – “special circumstances and to preserve national interests”, allow the Federal Intelligence Service to hack foreign systems. Defence Minister Ueli Maurer specifically mentioned economic espionage as one of the threats on which the service could act, thus hinting at a broad interpretation of “national interest”. What is more, such attacks can be undertaken not only to fulfil intelligence agencies’ classical goal of collecting information: they can also disrupt foreign systems if these are used to attack Swiss infrastructure. It is important to note that these decisions are taken not by the parliament but by the executive, which can in “minor cases” (again lacking a clear definition) delegate decision-making power to the director of the Federal Intelligence Service.

The analogy here runs, of course, between the standard “offline” field of operations in which national intelligence agencies have worked for years and the new field and threats they perceive in the digital world. Foreign spies in Switzerland could be stopped when they snooped on Switzerland’s soil, so why not do the same online?

Well, for one, these activities now require actively disrupting systems located abroad. What is more, the Swiss defence minister and parliament seem not to have paid sufficient attention to the fact that in the online sphere one cannot easily distinguish between acts perpetrated by states and those of private entities. The tools and methods used to compromise systems online are essentially the same for everyone, which makes it difficult to ascertain who did what. This can be observed after each major hacking incident, when conspiracy theories and (often false) accusations abound. What would happen, for example, if a functionary of a Swiss state institution by accident decided to disrupt the computer systems of an innocent state?

A similar case in Germany shows us something else – what is framed as active (counter-)intelligence work in the Swiss case can just as easily be defined as “cyberwarfare”. The German Federal Defence (“Bundeswehr”) has recently shed more light on its “Computer Network Operation” unit, which is developing its ability to wage war using the Internet. The unit has the stated goal of infiltrating, exploring, manipulating and destroying foreign networks – a scope of actions very similar to the Swiss case. However, unlike in Switzerland, it is Germany’s armed forces that act, and attacks are only allowed in a state of war and thus require a mandate by the German Bundestag.

The German government intends its “Computer Network Operation” unit to be able to act without ever making it known that the German army was behind the attacks. The argument here is that the identification requirement for soldiers only extends to the actual persons (“cyber soldiers” will have to wear official uniforms, too) but not to the technologies they use. Ground troops do not need to announce that it was them who shot a rocket, and thus Germany’s “cyber-troops” do not have to sign their hacks either.

The analogy of course conveniently forgets that military activities in the offline world cannot usually be confused with civilian activities, whereas the digital world makes it very difficult to distinguish the two. Consequently, retaliation might very likely strike the wrong target – either not the state that actually perpetrated the attack or possibly even a civilian actor.

The digital rights and hacker community has long criticised the obsession with “cyber” that many policy-makers seem to have fallen victim to or actively exploit. The fact that the same activity can be framed as either an intelligence operation or “cyberwarfare” in these examples shows the arbitrariness of the analogies that many policy-makers draw between the analogue and digital world.

More importantly, these analogies are also dangerous: An action by the Swiss Federal Intelligence Service might be interpreted as an act of war by a government looking at the same incident through a different prism. Adding to this the fact that perpetrators – and thus potential targets – cannot be easily identified, the danger to what is commonly called “cybersecurity” is clear indeed.

Secret service will be able to disrupt foreign computer networks (only in German, 17.03.2015)

Government proposes allowing army to hide their involvement in cyber attacks (only in German, 12.02.2015)

Swiss secret service should protect the financial market like a “Mini-NSA” (only in German, 18.03.2015)

(Contribution by Julian Hauser, EDRi intern)