Estonia’s Expanding Digital Empire
Glimpse from the Globe, Fri, 07 Jun 2019
https://www.glimpsefromtheglobe.com/topics/defense-and-security/estonias-expanding-digital-empire/

Almost all of Estonia’s 1.3 million citizens have a digital ID card that secures citizens’ access to online services such as e-Tax, i-Voting, e-Banking and e-Health. (EU2017EE Estonian Presidency/Wikimedia Commons).

Six years after gaining independence from the Soviet Union, Estonia launched its Tiger Leap project in 1997, immersing its society into a period of rapid economic development and digitalization. Today, 99 percent of public services are available as e-services. Almost all of Estonia’s 1.3 million citizens have a digital ID card that secures citizens’ access to online services such as e-Tax, i-Voting, e-Banking and e-Health. Yet, Estonia’s digitalization has not been confined to its borders; the e-state is committed to the creation of a global digital society.

Reaching Beyond Borders

Estonia launched its e-residency program in December 2014, allowing people all around the world to run their own EU-company from the comfort of their home. E-residents receive access to countless digital and financial services to help them run their global business securely online. A digital identity card assigned to them by the Estonian government allows them to securely make transactions and sign documents abroad. Applicants need only submit required documentation and 100 euros to become e-residents.

However, one limitation is the lack of locations for accepted applicants to pick up their e-residency kits and digital ID cards, with generally only one pick-up location in each of the 38 countries included on the program’s pick-up map. There are no pick-up locations available in South America and only one location on the African continent, in Cairo, Egypt.

Yet, Estonia is prepared to make e-residency more efficient and accessible. Estonian President Kersti Kaljulaid unveiled the E-Residency 2.0 White Paper in December 2018, which lists recommendations for an upgraded version, e-residency 2.0. The white paper includes plans for “opening outlets where external service providers would be able to issue e-residency digital IDs, in addition to the current network provided by Estonia’s foreign representations.”

Specifically, the e-residency program is aiming to expand their digital ID pick-up scope to Sao Paulo, Bangkok, and Johannesburg. The white paper also states its goal to diversify the e-residency community by finding ways to attract more female entrepreneurs. Estonia’s dedication and ongoing success in advancing its e-residency and other e-programs has distinguished the nation-state as a global digital leader, placing it first on the 2019 International Innovation Scorecard list.

Maximizing Security

Nevertheless, Estonia’s digitalization has not been without obstacles. Estonia faced a debilitating cyber attack beginning on April 26, 2007 after a dispute with Russia over the Bronze Soldier, a controversial statue erected in the city of Tallinn during the Soviet occupation of Estonia. After the Estonian government decided to move the statue from the center of the city to a cemetery on its periphery, Estonia fell victim to a distributed denial-of-service (DDoS) attack. This type of cyber attack floods websites with spam and automated requests with the aim of barring the general public from accessing online services. The cyber attacks, which came in waves for the next three or so weeks, shut down various Estonian media, banking and government sites. The attacks were linked to various Russian IP addresses, yet the Estonian government was not able to prove the attack was directed by Russian government authorities. Nevertheless, the Estonian government skillfully handled the cyber attacks and learned tremendously from the crisis.

A Powerful Digital Niche

Since the major cyber attacks in 2007, Estonia has been recognized by the international community for its proficiency in cyber security and defense. Estonia now advises many nation-states on cyber security and even has formal agreements with Austria, Luxembourg, South Korea and NATO that focus on training and cooperation in the field. The small country’s digital niche makes it an attractive candidate for the non-permanent seat on the UN Security Council for the 2020 to 2021 two-year term. Estonia aims to use its digital expertise to contribute creative solutions for how the Security Council can tackle cybersecurity and artificial intelligence issues. The Estonian ambassador to the United States, Jonatan Vseviov, highlighted Estonia’s goal of shaping international cyber laws through the UN Security Council while speaking to Fifth Domain at Cybercon 2018 in Pentagon City, Virginia. Vseviov emphasized the need for official international laws surrounding cyber activity, stating “if it’s not okay to violate somebody’s sovereignty in the physical world, it’s also not okay to do that in the digital world.” Yet, before Estonia can bring its digital expertise to the UNSC, it must first garner more votes than its opponent in the race, Romania. Estonia will need votes from at least 129 of the 193 states when the UN votes on the seat on June 8, 2019 in order to be elected. If it succeeds, the UNSC could provide Estonia with an outlet to increase its influence in the international community and encourage multilateral approaches to cyber security issues.

A Glimpse of the Future: 2016 Global Forecast
Glimpse from the Globe, Thu, 31 Dec 2015
https://www.glimpsefromtheglobe.com/topics/defense-and-security/2016-global-forecast/

A view of the Earth’s horizon from orbit. (Flickr Creative Commons – NASA/JPL)

As 2015 draws to a close, every region of the world is experiencing some amount of volatility that will persist into 2016. Some countries around the world will resolve their problems and thrive; others will fail to meet their challenges and continue to suffer.

Europe continues to muddle through its occasional economic crises while bearing the weight of a politically fractious influx of Middle Eastern refugees. Russia is attempting to punch above its weight in conflicts on its near abroad while NATO beats its chest in response. Former Soviet states in the Caucasus and Central Asia have seen their economies take a collective nosedive, following the descent of both oil prices and the Russian ruble. China’s government is grappling with a domestic economic slowdown while trying to secure a sphere of influence. The rest of Asia, suspicious of Beijing’s initiatives, is coalescing around security concerns, but each nation there is dealing with its own domestic challenges. Latin America is enduring simultaneous political crises in Argentina, Brazil and Venezuela. Several countries in Africa are dealing with persistent terrorist threats from Islamic State (IS) affiliates, while others have seen their domestic politics unwind into violence. In North America, the United States is witnessing the ugly sides of domestic politics emerge as the November 2016 presidential election looms. Looking forward, it is better to focus on larger international issues rather than the futures of individual states.

Global Economic Outlook

The global economy is slowly piecing itself back together. Europe has pushed through a number of economic crises, East Asian economies are still moving along and North America is rebounding well. “The Economist” predicts a global growth of 2.7% in 2016. They also predict that Asia, Africa and North America will grow at or above 3% in the coming year. With the US Federal Reserve set to hike interest rates, this seems plausible, but financial markets will need time to adjust. This will also have consequences for the value of currencies worldwide—the rate hike is meant in part to stave off inflation in the US where years of quantitative easing have flooded the economy with cheap dollars. A rebounding dollar could hit developing states hard, especially in emerging markets across Latin America and Asia. But it would also make their exports more attractive compared to American goods and services.

Natural resource exporters will suffer from low commodity prices. The addition of Iranian and American hydrocarbons to world markets will keep energy prices depressed. These same low prices can help fuel growth in other countries that leverage the availability of cheap energy and raw materials. More developed and sophisticated economies like India and South Korea are best positioned to take advantage of cheap, plentiful energy. Economies that depend on a sole supplier – especially those in Eastern Europe that depend on Russian hydrocarbons – may use this time to diversify their supply options.

The Cyber World

Cybersecurity continues its rise in importance and prominence. Developed nations will compete to create better cyber capabilities to protect utilities, banks and other types of infrastructure that are connected to the internet, and the demand for skilled information technologists will continue to surge worldwide. Developing nations, beset with other challenges, will struggle to keep pace. The most advanced countries, such as the US, China and Russia, may begin to offer cyber capabilities to developing nations in efforts to gain influence.

Meanwhile, increased government interest in the cyberworld will be matched by private citizen efforts to protect internet freedoms. Nations will settle debates over the competing importance of security and privacy differently. Those that land on the side of security and surveillance may find themselves under scrutiny from both hacker collectives like Anonymous and prominent civil liberties advocates. But mass surveillance and data collection will continue across the world; internet privacy for individuals will continue to be dismantled in 2016.

Terrorism

Terrorism will remain a worldwide security concern in 2016. Countries across the globe will continue to collaborate to combat terror threats, although different governments will implement vastly different measures. Inevitably, headline-grabbing attacks will be attempted in the West and Asia this year. The victimized nations will ramp up their security capabilities, possibly at the expense of civil liberties.

The Islamic State’s appeal to jihadists will remain strong, but it will remain physically isolated within parts of Iraq and Syria and focused on securing and legitimizing its caliphate. While fresh attacks are all but certain, an event on the scale of 9/11 is highly unlikely based on what information is available. IS cannot match al-Qaeda’s former capabilities, and multinational efforts will likely prevent IS from reaching that level. Al-Qaeda itself is no longer potent enough to carry out major attacks on the West, and it does not seem capable of resurrecting itself this year.

Politics and Security in the Middle East

The Syrian crisis won’t be resolved. Refugees will continue to flee the conflict zone and surrounding nations must deal with the consequences. As the Islamic State is continually bombarded, outside actors like the United States, Russia and Iran will pick their proxies on the ground and commit to them this year. The US will continue to back Iraq as long as possible, but with Iranian and Russian military advisors also present in Baghdad, the Iraqi-American relationship may start to unravel. As relations deteriorate, the US will have no choice but to put its weight behind the Kurds. Washington must attempt to forge a mutual understanding between Kurdish leaders and Turkey to bring them both together against IS and the Assad regime. But the US will likely fail to create a meaningful Turkish-Kurdish alliance, unless both the Islamic State and the Assad regime cause all three enough pain to bring them together.

Turkey will not stand for the Kurds, IS or Assad gaining power in Syria and will vehemently protest American support for Iraqi Kurds. It will consider a unilateral incursion into Syria, and taking some of northeastern Syria under its control is likely. However, Turkey will not aim to engage Russian forces, limiting its activities to Kurdish and IS territories.

Russia and Iran will continue to support the Assad regime. However, they will seek a diplomatic solution where Assad remains in power over the Alawite-controlled areas of Syria between the western cities of Damascus and Aleppo. Russia will push hard for a diplomatic solution ensuring Assad’s survivability, even if that means leaving the regime with a smaller territory and putting the rest up for grabs among rebel groups. Assad’s forces have lost substantial manpower, and Russia needs to get out and focus its attention on issues closer to home. Iran has apparently begun withdrawing some of its forces from Syria. If IS becomes threatening enough to demand the full attention of other rebel forces, a settlement may become a possibility. But rebel enmity for Assad will not fade this year, and no agreement will be reached.

Sunni Arab nations will mull the possibility of extending support to non-Islamic State Sunni factions in Iraq and Syria, but will not get deeply involved unless a major Shia-led atrocity occurs. But in this conflict, the possibility of genocide cannot be ruled out. Arabs will maintain their strong focus on the civil war in Yemen where they will increase their support for anti-Houthi forces. Kuwait recently became involved on the ground alongside Saudi, Bahraini and Emirati forces; all these nations will redouble their efforts to eliminate the Houthi rebels. On the other side of the conflict, Iran will struggle to provide comparable aid to the Houthis due to Saudi Arabia’s effective blockade around Yemen. Yemen’s civil war could end this year in favor of the ousted Sunni government. The coalition of Sunni forces is certainly stronger right now, but it must achieve a decisive victory over the Houthis to see the conflict end. Iranian support will not enable the Houthis to push back, but economic pressure on the Gulf nations may diminish the total commitment that coalition members can make, delaying the end of the conflict.

Maritime Claims in Asia

China will continue to aggressively exert control over its proclaimed possessions in the South China Sea and East China Sea. Japan and South Korea will hold fast against these claims in the East; Japan’s recent apology to South Korea for atrocities committed during World War II is a sign of the two states’ emerging strategic alliance. Similar apologies may be coming out of Tokyo to nations such as the Philippines or Vietnam, but Beijing will get no such treatment.

In the South China Sea, the US will publicly raise the profile of its military and diplomatic support for nations with maritime claims competing against China. The US has announced its intent to base more forces in the Philippines, and it has also declared its intent to hold more multilateral exercises with ASEAN nations, obviously to deter Chinese aggression. America will be successful in forging a common cause across Asia to prevent the spread of China’s navy, but a formal alliance of nations aimed at deterring China is unlikely.

However, China will not be intimidated. It will continue its strategy of building and developing artificial territory that it claims for its own. No country will resort to the use of force against China in defense of an uninhabited island, but inhabited islands will be actively defended. China may succeed in taking control of most of its desired area, but won’t prevent American naval vessels from patrolling throughout the South China Sea. Neither side will provoke a military conflict; the economic impact would be disastrous.

Western Hegemony

The United States will remain the world’s superpower throughout 2016 and NATO the most potent military coalition. When bundled together, the European, North American and Australian economies dwarf the rest of the world, and this is the foundation of Western power today. However, the political appeal of the West has been diminishing and will continue to decline; China has proven that economic growth can be achieved without implementing democracy and developing nations have taken notice. The West cannot rely on its own perceived political superiority or glorifying human rights to influence other nations. Economic strength and cultural appeal are the foundations of Western soft power.

Vibrant economies will also support hard power, financing Western military expeditions worldwide as the West continues its global counterterrorism campaign. America’s combat mission in Afghanistan will also continue unabated through this year and the next American president will decide its fate. Eastern European NATO members will be bolstered as NATO’s original nemesis continues to revive itself. Russia may be seething at the loss of a jet to Turkey, but it will not seriously entertain the idea of confronting NATO. With the economy reeling, Putin cannot afford any defeat in foreign affairs, much less one with such astronomical consequences.

Trade between Eastern and Western economies will hold steady, with Western demand keeping manufacturing alive in East Asia and providing a basis for the expansion of the services sector. China and India will continue to feed off this energy to grow and diversify their own economies. American growth and European steadiness will keep demand for goods high. Dollars and Euros will continue to circulate globally as the preferred currencies for trade, and Western financial institutions will remain the standard bearers of the economy. Alternative financiers like the Chinese-led Asian Infrastructure Investment Bank will see their influence grow, but the West will maintain a strong lead in available capital. China will counter the West by attempting to invest faster and more actively in infrastructure projects across Asia and Africa, but its own economic slowdown will constrain its capabilities.

Overall, Western hegemony may not remain as powerful as it has been, but the West’s economic and military strength will persist even as other states ascend into regional powers.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors or governors.

Three Perfect Storms
Glimpse from the Globe, Wed, 25 Nov 2015
https://www.glimpsefromtheglobe.com/topics/technology-and-cyber/three-perfect-storms/

A Minotaur IV being launched from Vandenberg Air Force Base. 21st century rocketry and missile defense covers all three theaters – geographic space, cyber space and outer space – and highlights the complexity of the strategic environment we now inhabit. (DVIDSHUB/Flickr Creative Commons)

Not a day goes by without something going awry in this wonderful, horrible world of ours. Follow any daily newsletter (The American Interest’s Daily News Brief is particularly concise for the amount of detail it provides) and you’ll find headlines that, not too long ago, would have shocked “civilized” readers and dominated conversation for days or weeks. Now they’re daily trivia in places like Yemen, Afghanistan, Libya, Ukraine, the South China Sea and Nigeria, and they are seriously complicating American security policy.

Over the last few years, some commentators have described this rise in violence and chaos around the globe as “The Return of Geopolitics,” or something similar. And truth be told, though geopolitics never quite left, we are seeing a resurgence of conventional great power competition and violence within supposedly sovereign states as the liberal world order of the last few decades erodes. An unsustainable state system and a decaying international balance of power have provided fodder for a new medievalism—chaotic decentralization and devolution of power to sub-state actors across the Middle East and Africa, and a growing sense of competition between great powers resembling the empires of old in Asia, Eastern Europe and parts of the Middle East. In the chaos, crises are nurtured; and some will grow into true monsters.

But geopolitics – let’s call it “geographical space” for now – is not the only arena of conflict in the 21st century. For all the bombings and beheadings and out-migrations and impoverishments haunting today’s world’s “geographical space”, the world’s cyber space is faced with total anarchy. Hackers of no particular national or corporate origin can humiliate even the world’s mightiest states and wealthiest corporations. Cyber crime and cyber warfare are on the rise, and there are very few effective national institutions regulating and counteracting them, much less international institutions. So, it comes as no surprise when hacker groups like Anonymous release top-secret military documents, when China-originating cyber spies steal US government employees’ security clearances en masse, when North Korea forces the closure of theaters across America by means of cyber blackmail against Sony or when the Israelis manage to shut down the Iranian nuclear program for a few days with a web worm called “Stuxnet”. But these are not the only sorts of cyber attacks that are possible.

With advances in information technology rapidly making transactions cheaper online and physical services more efficient when digitized, the world’s infrastructure and economy are fusing into an all-embracing physical Internet. And when water distribution systems, power plants, retiree insurance archives, social media sites, driverless car networks, online grocery delivery services and digital communications networks are connected in the same system and run by the same technology, they all become vulnerable to attack and disablement by sophisticated online actors. Shut down a country’s power grid in the wintertime or turn off the water reservoirs in a desert state, and see how devastating cyber warfare can really be. It’s only a matter of time before some state or other actor manages to pull such an attack off, and as the world’s economy and infrastructure advance, the threat will only rise.

But there is another threat, beyond geographical space and cyber space, in a third theater. For decades, the United States led the world in space exploration and space technology. But it has since more or less abandoned that pursuit, and other powers are moving in to fill the gaps. China’s space program is rapidly becoming legendary, and India propelled an unmanned craft to the Martian atmosphere in 2014. It’s been well-documented, meanwhile, that NASA is no longer able to supply the International Space Station (ISS) on its own, being bereft of space shuttles; the Russian space program remains American astronauts’ only means of supply in the ISS. All this is happening as strategic developments and technological innovations on Earth render military equipment like satellites in Low-Earth Orbit (LEO) all the more important. Truth be told, Americans don’t really have to worry about a sudden strategic militarization of space by rival powers for the moment. But the fact that the US is no longer at the cutting edge of space exploration, even if it maintains a lead in current space technology, should give American strategists pause.

What happens when the Russians radically update their satellite fleet in such a way as to threaten American orbital dominance? What happens when China or India puts a man on the Moon just to demonstrate that they can? Looking further to the future, it seems clear that whichever nation first discovers a way to exploit and transport the mineral and energy resources of the Asteroid Belt and the Outer Planets will be a wealthy nation indeed. Is it prudent to leave such thoughts to the future, especially when American strategists are competing with strategists who think in terms of decades and centuries rather than months or years? In short, Outer Space may not seem particularly valuable right now, but it certainly will be in the future, and Americans are doing less than any other nation to take advantage of it.

A worsening international situation in Geographical Space, absolute chaos in Cyber Space, and a severe investment deficit in Outer Space. What is a nation to do?

It can prepare for these crises, and more. The US should improve its strategies and bolster its capabilities on all three fronts. The technical skill is there, in every area—the federal government need only bring policy coherence to the picture.

The federal government should continue and expand its partnerships with the cybersecurity industry, for the obvious reason that economic and infrastructure systems are increasingly open to ever-proliferating threats from hackers of all types. For the sake of maintaining an acceptable quality of life for American citizens and upholding the country’s security, the US government now must ensure that American cyberspace is also protected. That will require the formation of new agencies and the distribution of many funds for the purpose. But done rightly, a new emphasis on cybersecurity can prepare America for yet more challenges in the decades to come.

Another critical industry open to public-private partnerships is the space industry. The US government used to engage with NASA at a far more proactive level than it does now, offering generous funds and articulating key and discrete goals (most notably, putting a man on the Moon). US space policy for the last several decades has been lackluster by comparison, and the Eurasian powers’ relative advances in space exploration and logistics are testimony to this. It would be beneficial to reinvest a significant portion of the entitlement-heavy federal budget into a renewed and reformed NASA, and set exploratory goals like landing a human on Mars or establishing a permanent space station in orbit around another planet. Expanding our presence in space will set the United States up for a future where outer space, and all its dangers and opportunities, is more immediately open to its use.

Of course, though it would be beneficial for the US to partner with strategic industries to produce war material, secure its cyber domain and expand its space program, it is very unlikely that, absent a major push like a great international crisis, the Americans will shift their focus from relatively innocuous issues to these truly critical ones. That’s unfortunate, but it’s also how American political history works—it takes a real crisis to get the country moving in the right direction. Long-term strategic thinking is not a natural characteristic of American democracy.

Fortunately (or unfortunately, depending on how one prefers to look at it) there are crises brewing on the horizon. It would be good for Americans to act first before they arrive. But even if they don’t, they’ll act soon enough, once the crises come.

Making Sense of the Sony Cyber Attack
Glimpse from the Globe, Mon, 29 Dec 2014
https://www.glimpsefromtheglobe.com/regions/asia-and-the-pacific/making-sense-sony-cyber-attack/

A mural of Kim Il-sung, supreme leader of the DPRK from 1948 to 1994, in Wonsan. (High Contrast/Wikimedia Commons)

Despite the existence of previous cyber incidents more severe than the recent attack on Sony Pictures Entertainment, the last month has seen cybersecurity penetrate the American psyche and affect day-to-day news like never before. The involvement of a major movie studio, an anticipated film, two famous actors and a direct effect on moviegoers’ holiday plans have caused fallout from the Sony cyber attack to make national headlines over the last few weeks.

Due to the complex nature of these events, I will provide a timeline before presenting my analysis.

June 20: Sony Pictures Entertainment releases the first trailer for its upcoming comedy The Interview, which depicts an assassination attempt on Kim Jong-un, supreme leader of the Democratic People’s Republic of Korea (DPRK), by American celebrity journalists recruited by the CIA. Kim Myong-chol, executive director of The Centre for North Korea-US Peace and unofficial spokesman for Pyongyang, issues the following statement in an interview with The Telegraph:

“There is a special irony in this storyline as it shows the desperation of the US government and American society. A film about the assassination of a foreign leader mirrors what the US has done in Afghanistan, Iraq, Syria and Ukraine…President Obama should be careful in case the US military wants to kill him as well.”

June 25: Pyongyang releases an official statement promising “merciless retaliation” against the US if The Interview is released. Most notably, the statement contains the following excerpt:

“The act of making and screening such a movie that portrays an attack on our top leadership…is a most wanton act of terror and act of war, and is absolutely intolerable.”

November 24: A month before the scheduled release of The Interview (Christmas Day), Sony suffers a major cyber breach caused by unknown attackers identifying themselves only as the “Guardians of Peace.” Sony employees are unable to access the company’s network, and instead see an ominous image (a large red skeleton making a menacing gesture) on their computers. Personal information, private emails and unreleased movies such as Annie, Fury, Still Alice and To Write Love on Her Arms are compromised in the attack. The attackers begin releasing the sensitive data in large dumps over the next two weeks. Due to the aforementioned statement from Pyongyang over the summer, some pundits speculate that the attack was perpetrated by the DPRK in response to the imminent release of The Interview.

November 28: After spending several days over the Thanksgiving holiday restoring functionality to its network and mitigating public relations damage, Sony begins investigating the possibility that the DPRK was behind the attack.

December 1: The FBI announces that it is also investigating the possibility that the DPRK was responsible for the attack. It issues a warning to US businesses announcing that unidentified hackers have used malicious software to launch a destructive cyber attack against Sony. The statement describes the nature of the attack: the malware involved overwrites all data on the hard drives of affected computers, and even wipes the master boot record (the mechanism that enables computers to boot up). The result of the attack is that employees cannot use their computers at all; they finish the day’s work with pens and paper. The warning concludes by urging companies to contact the FBI immediately if they detect similar attacks.

December 3: An unnamed DPRK diplomat tells Voice of America that the DPRK was not responsible for the attack. The official states: “linking the DPRK to the Sony hacking is another fabrication targeting the country. My country has publicly declared that it would follow international norms banning hacking and piracy.”

December 7: The Korean Central News Agency, a state-run media outlet, issues a statement calling the attack a “righteous deed” but denies any involvement by the DPRK. The statement also says the following:

“We do not know where in America the Sony Pictures is situated and for what wrongdoings it became the target of the attack, nor do we feel the need to know about it. But what we clearly know is that the Sony Pictures is the very one which was going to produce a film abetting a terrorist act while hurting the dignity of the supreme leadership of the DPRK by taking advantage of the hostile policy of the US administration toward the DPRK.”

December 11: The Interview’s West Coast premiere takes place in Los Angeles at a red carpet event. The event is open to photographers, but closed to reporters.

December 15: Two former Sony employees file the first of several class-action lawsuits against the company, alleging that Sony ignored obvious signs that their computer network was vulnerable to attack. The breach exposes tens of thousands of employee Social Security numbers, medical records and personal emails. The plaintiffs also state in their filing that Sony “kept employees in the dark” regarding the extent of the breach for a week after the attack occurred.

December 16: The Guardians of Peace release the following message (note: nonsensical in some places):

“We will clearly show it to you at the very time and places ‘The Interview’ be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”

Immediately following the threat, a number of major theater companies announce that they will no longer be showing The Interview at all, Christmas Day or otherwise. Sony cancels the New York City premiere of The Interview. Homeland Security releases a statement saying that “there is no credible intelligence to indicate an active plot against movie theaters within the United States.”

December 17: In light of the threat made by the Guardians of Peace, Sony announces that it will no longer release The Interview on Christmas Day.

December 19 (morning): The FBI’s National Press Office releases a statement announcing that “the FBI now has enough information to conclude that the North Korean government is responsible” for the attacks on Sony. The FBI’s conclusion, according to the statement, is based on the following pieces of evidence:

  1. Technical analysis of the data deletion malware used in the attack revealed links to other malware that the FBI knows to have been developed by DPRK actors.
  2. The FBI observed “significant overlap” between the infrastructure (hard-coded IP addresses that indicate the origin of an attack, for example) used in the Sony attack and the infrastructure used in other malicious cyber activity that has been linked to the DPRK.
  3. The tools used in the Sony attack displayed “strong similarities” to a cyber attack in March 2013 that the DPRK propagated against South Korean banks and media outlets.

December 19 (afternoon): In an end-of-the-year press conference, President Obama says the following about the Sony cyber attack:

“I think they [Sony] made a mistake…I’m sympathetic that Sony as a private company was worried about liabilities and this, that and the other, but I wish that they had spoken to me first.”

Mr. Obama also warns:

“We will respond…we’ll respond proportionally, and we’ll respond in a place and time and manner that we choose…if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like.”

December 21: David Boies, a top lawyer for Sony, says in an interview with Meet the Press that while Sony will not show the movie in theaters over the Christmas holiday, the film will eventually be released.

December 22: For reasons currently unknown to the American public, the DPRK’s entire Internet system fails for about 10 hours. The country’s computer connections were limited to begin with (roughly 1000 IP addresses compared to billions in the United States) and connections to the outside world were available to only the elite, but networks across the country fail nonetheless. Some people speculate that the outage was the result of a cyber counter-attack.

December 23: Sony announces that The Interview will have a limited theatrical release on Christmas Day (roughly 200 independent theaters). Michael Lynton, Sony’s Chairman and CEO, says that the company will continue its efforts to secure more platforms and theaters to show the film.

December 24: Google announces a partnership with Sony whereby users of Google Play and YouTube Movies can rent or buy The Interview on their computers and phones.

December 25-28: More cybersecurity experts begin to doubt that the DPRK propagated the attack.


Even the smallest details of the above events are worth noting because of the implications that this saga has for future cybersecurity incidents against both private companies and national governments. Although previous cyber attacks against the US have succeeded – and thousands of unsuccessful attacks occur every day – there has never been an attack that has elicited such strong responses from both the American public and American officials. Furthermore, if indeed propagated by the DPRK, then the attack was orchestrated for ideological reasons rather than financial reasons. This fact alone is a new development in large-scale cyber crime.

I will present my opinion on the following questions in this whirlwind of activity:

  1. How confident can we be that the DPRK indeed propagated the attack?
  2. Did Sony provide a befitting response for a private company?
  3. Did Mr. Obama provide a befitting response for a US President?
  4. Was the US behind the DPRK’s recent Internet outage?

1. How confident can we be that the DPRK indeed propagated the attack?

Despite the ostensible confidence by the FBI in its findings, not enough evidence was released to prove that the DPRK was behind the attack.

Discounting potential motives and past behavior, the situation is still essentially a “he said, she said” situation. The FBI has clearly stated that it believes that the DPRK propagated the attack, and the DPRK still denies its involvement. Pyongyang even offered its assistance: “As the United States is spreading groundless allegations and slandering us, we propose a joint investigation with it into this incident…we have means to prove that this incident has nothing to do with us.”

The statement ends with a promise of “grave consequences” if the US rejects the joint inquiry proposal, also noting that the accusations by the FBI have “hurt the dignity of the supreme leadership.”

From a technical perspective, attribution is usually difficult with cyber attacks. The FBI could have a smoking gun, or they could have little actual evidence. The uncertainty stems from the lack of evidence released, and some experts are beginning to question the validity of the FBI’s accusation. Kurt Stammberger, a senior vice president with the cybersecurity firm Norse, said: “We [Norse] are very confident that this was not an attack masterminded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history.”

On December 23rd, two scholars at the War Studies Department of King’s College London published a scholarly paper describing the key challenges in attributing cyber attacks. The authors, Thomas Rid and Ben Buchanan, conducted focus groups with commercial security software vendors and spoke to intelligence officials to survey the state of attack attribution practices. Their paper outlines the process of finding a culprit and communicating that information.

The authors’ first point is about the victim’s ability and willingness to respond to the cyber attack with an investigation. Although seemingly obvious, this assertion raises an interesting question about the FBI’s resources: “The more severe the consequences of a specific incident, and the higher its damage, the more resources and political capital will a government invest in identifying the perpetrators.” The Sony attack was certainly severe enough in terms of the reputational and financial damage done to the company (Variety estimates that the company stands to lose $75 million) to warrant Washington giving the FBI a large amount of leeway to investigate it.

Furthermore, the attack struck a nerve with many Americans, who judged Sony’s response as a failure of free speech and an act of censorship. Given the attack’s impact on Sony, as well as the strong emotional reaction from the American public, I believe it likely that the FBI was given adequate resources by Washington to conduct a thorough investigation. Nonetheless, the fast turnaround time (18 days from announcement to conclusion) still raises questions about the investigative methods employed, and calls into question the conclusion that the DPRK did indeed propagate the attack. The majority of Rid and Buchanan’s 30-page paper, in fact, deals with the challenging issue of determining who propagated a cyber attack. The authors argue that attribution is rarely an open-and-shut case. “On a strategic level, conclusions are further removed from forensic artifacts, and may contain a significant amount of assumptions and judgment,” they write.

The authors’ third point is about communication of the results of an investigation. The FBI’s statement clearly outlines the reasons why it believes that the DPRK instigated the attack, but fails to provide actual evidence. I do not mean to imply here that I think that they should provide evidence, as doing so would jeopardize their sensitive process, but I do mean to say that the lack of evidence is ample cause for numerous experts to question the validity of the result. Rid and Buchanan seem to agree: “Publicising intelligence can harm sources as well as methods,” they write. Unfortunately, there is no easy solution here. The tension between the public’s desire for hard evidence and the FBI’s need to protect its information-gathering process cannot be resolved.

The authors’ final point is about the credibility of all parties involved. As mentioned previously, few can doubt the resources or capabilities of the FBI. The DPRK, though, may be a different story. Is it possible that the DPRK could have executed such a successful cyber attack on American soil? Previous cyber incidents, such as the DPRK’s attack on South Korea, would seem to indicate so, but this question may never be answered definitively.

While arguably lacking capability, the DPRK did not lack motive. The DPRK’s propaganda machine is well oiled; decades of history have shown that the government will go to extreme measures to defend the sanctity of the supreme leadership. Furthermore, The Interview charted new territory: never before has the assassination of a current government official been so prominent. Imagine if a major Russian movie studio had planned to release a comedic movie about the assassination of Mr. Obama on its most celebrated national holiday. Needless to say, there would have been plenty of uproar from the American public; it is not a large leap to say that many would have believed the movie to be anti-Western and anti-American.

Although the threats and extreme statements about war and merciless retaliation seem to be empty, they are threats nonetheless. While it is unlikely that the DPRK would resort to physical violence or acts of war over just The Interview, it is obvious that Pyongyang wanted to send a strong message and assert itself. If the DPRK was indeed behind the attack, then Pyongyang certainly celebrated a wide victory given Sony’s strong response.

2. Did Sony provide an appropriate response as a private company?

As mentioned above, the American public reacted strongly to Sony’s decision to pull The Interview from theaters. Despite the numerous allegations that Sony “let the terrorists win” and “sacrificed free speech,” I believe that the company responded appropriately to the threat.

First of all, a threat with the magnitude and seriousness of the one that Sony received can never be taken lightly. The reference to September 11th alone is an immediate red flag that demands a thoughtful response. The threat by the Guardians of Peace to target movie theaters also triggers an emotional response, given the history of incidents like the Aurora shooting in recent memory.

More importantly, though, we have to remember that Sony is a private company with business interests. Its decision to pull The Interview was not, in fact, a loss for free speech, as so many would like to believe. As a company, Sony received a threat that promised horrible violence and death to moviegoers. Even if the chance of those events actually occurring was slim, Sony made the correct decision. Why endanger the lives of thousands of people and risk the reputational ruin of the company?

Furthermore, the FBI determined two days later (after Sony’s decision not to show The Interview) that the issue involved a foreign national government. Do we expect a private American company to have a standoff with the government of the DPRK? Such issues are meant for the American government, not the private sector, to decide. Sony had to protect its own interests (not to mention the public safety of moviegoers) immediately.

Finally, it is important to remember that individual movie theaters (both large movie chains and independent theaters) acted even before Sony did. Especially given the unwillingness of theaters to screen The Interview, Sony was wise to avoid risking a humanitarian tragedy.

3. Did Mr. Obama provide a befitting response for a US President?

First of all, the fact that Mr. Obama has been talking openly over the last few days about the DPRK as instigators of the attack seems to indicate that the FBI’s unreleased evidence may be stronger than most experts think it is.

I believe that Mr. Obama’s categorization of the attack as “cyber-vandalism” and not cyber warfare is correct. Despite the strong rhetoric from the DPRK, it is unlikely that the attack was intended as a true act of war. It seemed to be a long-shot revenge attempt on Sony that resulted in surprisingly successful chaos on American soil due to discord between the company and the American people.

The problem with Mr. Obama’s response is that he bought into the public rhetoric that Sony’s business decision to pull The Interview was somehow an act of censorship. This meme is convenient because it provides an easy explanation for an otherwise complex situation. Unfortunately, it is misleading. In an interview with CNN, Mr. Obama said the following: “If we set a precedent in which a dictator in another country can disrupt through cyber a company’s distribution chain or its products, and as a consequence we start censoring ourselves, that’s a problem.”

Again, there is nothing about the situation that involves censorship. Sony made a legal and measured business decision. Unfortunately, Mr. Obama has offered the company little support, while repeatedly vowing a “proportional response” on a national level to the DPRK. The President’s first priority here should have been supporting Sony in its decision to protect the safety of the American people. Instead, he publicly criticized Sony and offered little understanding of the company’s business decision.

This case is an example of having your cake and eating it too. If Mr. Obama wants to categorize the act as cyber-vandalism and make the issue one of censorship, then perhaps the government could have subsidized Sony for some of its losses or supported an online release of The Interview. The main problem here is that the American government left a private corporation with the responsibility to manage the fallout from an attack by a foreign government. Mr. Obama offered nothing himself but a vague and predictable threat.

4. Was the US behind the DPRK’s recent Internet outage?

While some have speculated that the DPRK’s Internet outage was also the result of a cyber attack, this possibility is unlikely. Although Mr. Obama promised a response to the attack, disabling the country’s limited computer connections would hardly qualify as proportional to the attack on Sony. China has also denied its involvement in the outage (the DPRK’s Internet is provided by a Chinese company).

In reality, the DPRK or its Chinese provider may have taken the system offline in advance of a possible cyber threat. It is also possible that independent hackers took down the system. Given the timing of the outage, though, mere coincidence was probably not the cause. Regardless, I think that the outage is unlikely to affect directly any relations or talks between Washington and Pyongyang in the future.

In conclusion, I believe it unfortunate that the narrative regarding the fallout from the Sony cyber attack has been centered on the future of Hollywood and free speech. The lesson to be learned from this situation is instead about the relationship between the private sector and the government in the wake of cyber incidents. In this case, the United States may have set a dangerous example for the future. That a private company is being so widely blamed – by both the public and the American government – for being the victim of an attack ostensibly propagated by a foreign government is troubling, to say the least.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.

Defense in the Information Age https://www.glimpsefromtheglobe.com/topics/defense-and-security/defense-in-the-information-age/?utm_source=rss&utm_medium=rss&utm_campaign=defense-in-the-information-age Fri, 30 May 2014 13:37:26 +0000 http://scir.org/?p=1402

US cybersecurity strategy faces an uncertain future in Washington while the private sector bolsters its ability to respond to cyber attacks
U.S. Air Force officers monitor a simulated test April 16 in the Central Control Facility at Eglin Air Force Base, Fla. They use the Central Control Facility to oversee electronic warfare mission data flight testing. April 16, 2008 (U.S. Air Force photo/Capt. Carrie Kessler/Wikimedia Commons)
In July 2011, the Department of Defense (DoD) issued a five-point strategic initiative, the first of which designated cyberspace as the fifth domain of warfare, joining land, air, sea and space. Recent events such as Target’s security breach, which resulted in the compromise of the personal data of over 70 million consumers and the resignation of CEO Gregg Steinhafel, highlight the vulnerabilities of even the largest, and supposedly best-defended, enterprises.

Cyber warfare, defined as espionage or sabotage conducted through politically motivated hacking, has existed as long as networked devices. In 1998, US officials discovered systematic unauthorized access to sensitive data at NASA, the Department of Energy, private research labs, and the Pentagon. The DoD traced the attacks to a mainframe computer in the former Soviet Union, although Moscow to this day denies any involvement. In 2003, cyber attackers gained access to the networks of several major US defense contractors, including Lockheed Martin. The SANS Institute, a US security company, determined two years later that the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.” In the decade since these two milestone incidents, known by their codenames Moonlight Maze and Titan Rain, networked systems have experienced order-of-magnitude growth. Over 80,000 pieces of malware are reported daily in the United States. Despite the best efforts of financial institutions and large corporations, defending against cyber warfare has never been so difficult.

Recent events have revealed that cyber attacks can come from various sources, including national governments, militaries, organized crime, or individuals. In March 2014, a group of unknown hackers installed a malicious piece of software in Target’s security and payments system designed to siphon customer data to a remote server. Over the course of two weeks, the hackers obtained 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information that Target had been trusted by its customers to protect. Just a few days later, the tech world was rocked by the discovery of the Heartbleed Bug, a coding mistake in the OpenSSL cryptography library, part of the backbone of the Internet. In this case, a concerned citizen reported the vulnerability; had it been exploited, an attacker could theoretically have decrypted the web traffic on 20% of the world’s servers.

If cybersecurity was not in the national spotlight already, then these two events certainly pushed it in. The Pew Research Center reported that 39% of Internet users surveyed either changed at least one account password or shut down at least one online account to protect personal data as a result of Heartbleed media coverage.

The private sector was similarly quick to respond. On May 9, General Electric (GE) announced its acquisition of the privately held company Wurldtech, a Vancouver-based leader in cybersecurity solutions for oil refineries and power grids. On May 14, Gap, JC Penney, Lowe’s, Nike, Safeway, and Walgreens partnered with a large group of other retailers (including Target) to launch the Retail Industry Leaders Association (RILA), an independent organization combining the cybersecurity efforts of private retailers with those of the Department of Homeland Security. Finally, private firms funded this year’s United States Cybercrime Conference, an annual gathering of hundreds of private-sector administrators and CISOs (Chief Information Security Officers), instead of the DoD as is typical.

There is little argument in Washington with the opinion that the government must now protect public infrastructure and sensitive national data at all costs. Homeland Security, in its 2013 year-end report, stated that it responded to 256 cyber invasion incidents last year, 151 of which occurred in the energy sector. The thought of hackers compromising energy grids, or troop configurations and weapon designs falling into the hands of a foreign military, is chilling. A repeat of Moonlight Maze or Titan Rain in 2014 could compromise America’s position in a number of domestic and international affairs.

But the rapid emergence of cyber threats elicits two difficult questions. One, what should be the role of the government in protecting private sector institutions against cyber attacks? Two, how will voters and policymakers balance the need for cybersecurity with their desire for online privacy?

In a 2009 speech, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.” He commissioned a comprehensive review (entitled “Cyberspace Policy Review”) of the US government’s ability to defend information and communication infrastructure. The resulting report outlined a ten-point plan designed to accomplish two objectives: improving US resilience to cyber incidents and reducing the general threat of cyber attacks. The ten-point plan, like the two objectives it was supposed to accomplish, was vague and largely procedural. Its scope was limited to the appointment of officials, the creation of preparedness plans, the promotion of national awareness, and the creation of new international relationships.

In February 2013, the President urged Congress to pass a more comprehensive and action-oriented plan named the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA’s aim is to help the US government investigate cyber threats and ensure the security of networks against attacks. Introduced in 2012, the bill has twice passed the House and twice failed to pass the Senate due to concerns over a lack of civil liberties safeguards. Dozens of Internet privacy activist organizations have decried the bill for its failure to provide specificity on when and how the government can monitor an individual’s browsing history. Ron Paul (R-TX) labeled the bill “Big Brother writ large.”

Recent reports from Capitol Hill suggest that Intelligence Committee Chair Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA) have drafted a new piece of cybersecurity legislation currently being circulated for comment. Yet, the stated aim of the bill sounds too similar to that of CISPA to have a chance of passing the Senate. The new bill’s goal is reportedly to “allow companies to monitor their computer networks for cyber attacks, promote sharing of cyber threat information, and provide liability protection for companies who share that information.”

Two new proposals have also been introduced in the Senate. The first, proposed by John Thune (R-SD), would allow the Federal Trade Commission to punish companies retroactively for failing to adopt “reasonable” data security practices and would preserve Congress’s authority to determine what those security practices should be. The second, proposed by Jay Rockefeller (D-WV), would give the Federal Trade Commission (FTC) legislative authority to set cybersecurity standards, removing Congress’s authority altogether.

Given the rapidly increasing threat that cyber attacks pose and Congress’s relative lack of cybersecurity knowledge compared to the FTC, Rockefeller’s plan seems more reasonable. But the past history of the Senate’s concern for privacy indicates that neither bill will garner enough votes to pass.

The unfortunate reality for cybersecurity policy is that online security is simply not a top priority for enough Americans. Edward Snowden’s unauthorized disclosure of the PRISM program profoundly altered the public psyche toward online privacy, creating a largely irrational belief among many technology users that the government should not have a right to ensure maximum cyberspace security with their personal data. In CISPA’s case, people seem to value the privacy of their Internet browsing histories alone over the reduction of imminent cyber threats. Given Washington’s inability to pass legislation promoting cooperation between the private sector and the government, and that its chief responsibility is to ensure the security of nationwide systems and government facilities, individual companies are beginning to realize that the security of private sector networks is their prerogative alone.

Evidence suggests that the private sector is up to the task. In April, the National Retail Federation, a trade association comprising both independent and chain retailers, established the Information Sharing and Analysis Center, which links the threat data of all member retailers and shares anonymized data with the US government. The steps of GE in protecting its infrastructure through the acquisition of Wurldtech will bolster private sector confidence in the value of cybersecurity and will dispel fear that the return on investment of protecting critical information is outweighed by its cost.

In the coming years, companies will need to focus their efforts in these areas:

1. Transitioning the chief objective of cybersecurity from preventing attacks to reacting quickly and determining their source. Given the difficulty of predicting hacker behavior and the inevitability of eventual breaches, companies must develop robust internal programs that can destroy cyber attacks before they do damage. Target’s shortcoming was not its failure to prevent a breach, but rather its failure to act swiftly once it diagnosed the problem. The post-mortem investigation showed that Target’s systems set off unmistakable red flags, yet officials waited several days before acting on the information. Had they responded immediately, the stolen data would never have made it to the hacker’s servers.

2. Holding third-party providers to a higher standard. Most major company data breaches come through third-party service providers rather than through the company’s infrastructure. Data security is inconsistent across platforms and industries, and companies need to subject all of their partners and contractors to rigorous stress tests to ensure that attackers have no easy entry points.

3. Building stronger relationships with the government and the police so that attackers can be prosecuted. Regardless of what legislation is passed in Congress, the government’s role in cybersecurity should include, at a minimum, the vigilant pursuit of known cyber marauders.

While the burden may seem to fall hard on private sector companies today, the government will eventually pass definitive and meaningful legislation. The political climate toward national cybersecurity is simply too charged for a bill not to pass at some point in the next few years. The Pentagon’s annual reports to Congress have become increasingly direct in their condemnations of national militaries and governments. The 2012 report openly accused both the Chinese government and the People’s Liberation Army of propagating cyber attacks against the United States in a deliberate attempt to “gain strategic advantage.” The government is aware of the grave threat posed by cyber attackers; it now needs to match its rhetoric with legislation and action. Although largely symbolic, the Justice Department’s May 19 indictment of five members of the Chinese People’s Liberation Army for hacking into US networks was a step in the right direction. The hackers allegedly compromised the networks of Westinghouse Electric, the US Steel Corporation, and several other private companies. Attorney General Eric Holder Jr. stated that these actions crossed the line because the government commissioned covert actions for the purpose of gaining a commercial advantage, not for advancing national security.22

Nonetheless, it is not and should never be the government’s responsibility to ensure the full security of private sector networks. For the sake of both national security and auxiliary benefits to individual companies – such as liability protection after security breaches in exchange for sharing data with the government – Washington should still attempt to pass legislation that will improve cooperation between the private and public sectors. Perhaps the upcoming midterm elections will yield a Congress more appropriately focused on pushing a cybersecurity bill into law. If the Senate, as well as the American public, can realize the relative importance of national cyber attack preparedness over the disclosure of personal user data to the government, then US cybersecurity strategy may have a promising near-term future.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff and editorial board.

Update 8/13/2014: Citations format updated

How the Internet Works and Why the Answer is Alarming
https://www.glimpsefromtheglobe.com/topics/technology-and-cyber/how-the-internet-works-and-why-the-answer-is-alarming/?utm_source=rss&utm_medium=rss&utm_campaign=how-the-internet-works-and-why-the-answer-is-alarming
Fri, 28 Feb 2014 20:04:16 +0000
A map of the global oceanic telecommunications network. Potential vulnerabilities of the Internet’s physical infrastructure are extensive and largely unknown. (Wikimedia Commons/Rarelibra)

Where does the Internet come from?

Think about this question for a moment. While the answer may seem obvious, John Q. Public will likely stumble through an explanation of satellite technology and “Wi-Fi clouds” as though the Internet were some fantastical intangibility. In a way it is; the Internet is a remarkable human invention – used by 81% of Americans on a daily basis – yet our understanding is remarkably limited. This je ne sais quoi that makes the world go round is in fact a physical architecture; 500,000 miles of undersea fiber-optic cables connect the US and Singapore, Egypt and Brazil, Japan and India. These cables, which carry 90% of Internet data around the world, are vulnerable.

How do these cables work? On a micro scale, the email you send from a coffee shop in San Francisco to your colleague in Beijing travels overland to an Internet exchange facility operated by a telecommunications company, then through their facility, across the Pacific Ocean in two-inch fiber-optic cable laid along the ocean floor, out through another exchange facility in Shanghai, and overland to your colleague’s computer. And by the way, minute strands of glass carrying data via light at different wavelengths transmit that very email. For the technologically naïve, the process of sending an email certainly is magical, but it is also tangible.

What are probable threats to the cable system?

(1) Natural disasters. One would think that telecommunication cables are secure; however, the vast majority of cables lie on the ocean floor, exposed to everything from shark bites to cyclones. In 2006, an underwater landslide between Taiwan and the Philippines inflicted damage on 19 of 20 nearby cables. 90% of the region’s Internet capacity was cut for a period ranging from one to thirty days.

(2) Accidents. The most common cause of cable damage is an accident. For instance, fishing vessels often rip lines when removing cages and nets. Larger vessels slice cables with their anchors, accounting for 70% of all incidents. However, even the most innocent damaging of a cable can have major ramifications. For instance, a 75-year-old woman in Georgia (the country) severed an underground Internet cable while digging for copper in her backyard. The result? The entire state of Armenia was without Internet for five hours.

(3) Attack on the underwater cables. The image of an Al-Qaeda operative in scuba gear cutting wires off the shores of New York City is as fantastical as it is frightening. The cables transmit such high voltage that an attempt to snip the cable with wire cutters would be suicidal. However, the threat of a terrorist attack on cables is still very real. Terrorists could drag a ship’s anchor, deploy a bomb, or use some other means to impair the cables. The location of every cable is publicly available information (because ships and fishermen need to know where not to drop anchor), and thus targeting the cables becomes a matter of creativity and execution.

(4) Attack on the exchange facility. Cables typically emerge from the ocean at private telecommunication exchange facilities, which, despite being heavily guarded, are vulnerable to attacks. For instance, Verizon Terremark’s headquarters in Miami contain 90% of the telecommunication cables between North and Latin America, servers for Facebook and the US Department of Defense, and vital infrastructure for global financial transactions. Were Terremark’s facilities to be compromised, everything from your bank account to US national security would be threatened. In short, global operations on a micro and macro scale would be compromised.

Left: The New York Stock Exchange. (Kevin Hutchinson/Wikimedia Commons) Right: A Google server facility (Sivaserver/Creative Commons). An attack on the Internet’s physical infrastructure affecting either system would have disastrous global consequences.

How can American Internet security be bolstered?

Shortly after his first inauguration, President Obama highlighted the potential risks of a web-operated world: “America’s economic prosperity in the 21st century will depend on cybersecurity. And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.”

An attack on oceanic cables could cripple infrastructure and threaten national security, plunging the nation into darkness. So how can the US limit attacks? For one, the US must increase cybersecurity funding in both the physical and network dimensions of the Internet system. The US government is aware of threats of cyber attacks, such as malware infiltrating nuclear facilities or worms penetrating electrical infrastructure. However, physical attacks, though less likely, could be far more damaging. Thus, the protection of cables must be a priority, and at least the partial responsibility, of the US security community rather than private telecommunication companies. Second, redundancy of the cable system will limit the potency of any terrorist attack. Currently, when one cable is severed, telecommunications are routed around the crippled zone. Though Internet service may be delayed, the global system remains fully operational. However, at certain “choke points” throughout the world, such as near the Suez Canal where only three cables connect the Mediterranean to East Africa and South Asia, a series of cable breaks would be catastrophic. Thus, greater cable redundancy across a variety of geographic zones is imperative in an effort to eliminate the “choke point” threat.

In sum, the US government must pay greater attention to physical Internet security. As it stands now, an enemy with a boat may be the greatest single threat facing domestic – and global – operations.
