This week I attended the #NATOtalk16 conference held at the (infamous) Hotel Adlon, along with a pre-session discussion with the youth arm of the German Atlantic Association (YATA). It was a great few days with a dedicated ‘cyber security’ group. There are recommendations written by all participants (available here), which include my short paper on the future of NATO and deterring digital ‘warriors’ (a term I don’t like, but worked with). This is also shown below.

It was interesting to see NATO respond to the election of Trump and the future of Germany within Europe in the context of Brexit. The event was in partnership with the British Embassy, Berlin, and it was clear there was an emphasis that Brexit does not damage the relationship with NATO. However, Germany’s new security doctrine, published in the Weißbuch (White Book; German/English), gives a more assertive stance to Germany’s positioning, with a growth in spending and in particular citing Russia as a core concern. This has provided me with some interesting background and context for my thesis project in malware ecology, and how this is being thought of in more international relations circles.

Fluid Operations: NATO and Cyberdeterrence

Multiple actors, lack of attribution, and hybrid action are all part of modern warfare. The growth of the internet and other digital systems has rapidly led to cyber security becoming a serious concern, from individual users to (inter)national security. This short piece examines NATO and its ability to deter actors who attempt to subvert its collective security. It begins with an analysis of current difficulties in deterrence, namely difficulties with attribution, low engagement barriers, and multiple actors. These concerns are then folded into avenues for further exploration in defensive and offensive operations, and what blended or hybrid responses may entail. An exploration of these issues concludes that the distinction between defensive and offensive operations in cyberspace is fluid, and that ‘active defence’ utilising situational awareness provides the best deterrence for most actors.

Context

Alertness to cyber security sharpened with attacks against Estonia in 2007. Although never fully attributed to Russia, it exposed the potential vulnerabilities that existed among allies as dependence on assets in cyberspace has grown. Additional events in Georgia in 2008 and more recently in Ukraine have demonstrated how cyberattacks can be blended in forms of hybrid attacks that aim to destabilise states before more conventional incursions occur. NATO has responded through developing a coordinated cyber security apparatus and the formalisation of doctrine that declares that international norms of engagement apply to cyberspace.

Yet, in comparison to previous decades, there has been considerable difficulty in engaging in forms of deterrence. I identify three of the most pressing:

  • Attribution: Due to the ability to mask location and to lay decoys as to the origin of an attack, conventional forms of deterrence are often not applicable.
  • Low Engagement Barrier: The pervasiveness of digital systems across allied and non-allied states increases the vectors and opportunities for low-skilled actors to engage.
  • Multiple Actors: Due to the low engagement barrier, it is not only states that have an interest in subverting NATO, but also criminals, terrorists, and hired mercenaries who may sell their services to the highest bidder.

Current policy options

We often divide defensive and offensive capacity, which enables clear doctrinal policy but is of little use to cyber security strategy. NATO is responsible only for its own internal systems and for ensuring that these integrate with allied systems. It currently has no offensive capacity of its own apart from that developed by allies.

Defensive: In all scenarios, defence of critical systems provides the best deterrence from actors in cyberspace. This includes everyday management of critical national infrastructure, ensuring good education, and the monitoring of networks along with other recognised good cyber security ‘hygiene’. My PhD research on malware ecology demonstrates that maintaining good cyber security posture often prevents many subversions at entry points to the system. Yet due to interdependencies between systems, between governments and business, there will always be deficiencies in cyber security, including the opening up of previously unknown vulnerabilities such as zero-day exploits.

Offensive: Discussions of offensive capacity in NATO often focus on the trigger for Article 5, and what an armed cyberattack may constitute. This often descends into theoretical discussions over ‘cyber weapons’, which I will not go into. If we disregard the latter, the options remain either a symmetric or an asymmetric conventional response. The former is often difficult due to the time needed to develop a sophisticated response after an attack. The latter could be considered disproportionate, but is an essential part of the arsenal for deterrence.

Recommendations

There is a false dichotomy between defence and offence in cyberspace. Ensuring security often requires scanning for threats prior to an attack or subversion. This means maintaining a high degree of situational awareness, of the kind that espionage traditionally provides. Therefore, developing potential offensive operations to be deployed in case of attack provides the most appropriate avenue for deterrence. Publicly disclosing an arsenal of non-specific advanced defensive preparation may deter some attacks. This addresses proportionality, enhances situational awareness and allows for preparedness. In addition, it aids attribution, as situational awareness of an array of actors allows them to be pinpointed with greater accuracy, whilst also enabling responses that do not wrongly attribute the actions of non-state actors to a state.

Policy Recommendations

  1. Further enhance defensive capacity through good practices of cyber security that harmonise across allied states.
  2. Develop an offensive arsenal that can be rapidly deployed in the event of an attack through ‘active defence’.
  3. Maintain a conventional asymmetrical response.

I am thoroughly looking forward to the AAG with a session Pip Thornton and I have put together on ‘Curating (in)security: Unsettling Geographies of Cyberspace’. The programme is above, along with the original session outline below.

Curating (in)security: Unsettling Geographies of Cyberspace

In calling for the unsettling of current theorisation and practice, this session intends to initiate an exploration of the contributions geography can bring to cybersecurity and space. This is an attempt to move away from the dominant discourses around conflict and state prevalent in international relations, politics, computer science and security/war studies. As a collective, we believe geography can embrace alternative perspectives on cyber (in)securities that challenge the often masculinist and populist narratives of our daily lives. Thus far, there has been limited direct engagement with cybersecurity within geographical debates, apart from ‘cyberwar’ (Kaiser, 2015; Warf 2015), privacy (Amoore, 2014), or without recourse to examining this from the algorithmic or code perspective (Kitchin & Dodge, 2011; Crampton, 2015).

As geographers, we are ideally placed to question the discourses that drive the spatio-temporal challenges made manifest through cyber (in)securities in the early 21st century. This session attempts to provoke alternative ways we can engage and resist in the mediation of our collective technological encounters, exploring what a research agenda for geography in this field might look like, why we should get involved, and pushing questions in potentially unsettling directions. This session therefore seeks to explore the curative restrictions and potentials that exude from political engagement, commercial/economic interests, neoliberal control and statist interventions. The intention is not to reproduce existing modes of discourse, but to stimulate creative and radical enquiry, reclaiming curation from those in positions of power not only in terms of control, but by means of restorative invention.

Anyone who has been following my Twitter will realise I have been writing about malware as objects. This seems like a fundamentally weird, and perhaps useless, thing to do (and one I have wondered about myself). Yet thinking of objects as something that matters in cybersecurity is essential.

This is a question I posed myself: can malware be an object?

This was somewhat triggered by my other side as a geographer interested in space, time, and place. Evidently, when malware was emerging in the 1990s as a political concern, cyberspace was still often referred to as ‘frictionless’ and traversing the Westphalian model of individual sovereign states – all part of a growing post-Soviet triumphalism of western liberalism. This is how malware is often seen: as being ‘out there’, something bounded that travels with little connection to anything else. Yet I’ve never been able to put my finger on what a malware object may be – it is clearly much more than the software used to construct it. How about the writers (sometimes known as hackers and artists), the malware ecology of different interdependencies? Can it extend out to speeches, political discourse, malware laboratories? Some of these things would not exist if it wasn’t for malware. Yet who knows what this is.

In a good start to thinking through these issues and their implications for cybersecurity, Balzacq and Cavelty (2016) (open access available here) talk of an actor-network theory approach. Though I disagree with some points, they do highlight the importance that objects have to, in this case, international relations. Yet it is also true that they have a huge impact on computer science and cybersecurity. I do not want to dwell overly on the philosophy here, but there have been movements to appreciate objects as things in themselves over the past two decades or so, one of these being Object Orientated Ontology (OOO). This helps us comprehend how objects, such as malware, have an ability to act and cause things to change. I am not saying that malwares have intention, as that would suggest they have a human quality to be malicious – that is the human working with them. Of course, objects in computer science have a somewhat different meaning to what I’m referring to here, but they do fit in. Without falling into the trap that Alexander Galloway notes in his work (2013), that we orientate our thinking around the technology we talk about, objects have states and behaviours.

However, I do not think we can locate malware in a specific location on a map. If we think of how malware communicates – through command and control servers, in botnets, through peer-to-peer networking, using the internet – to download modules, to share information, to activate, then malware is stretched across multiple different places. If it requires some information from a server that is routed through Ukraine, let’s say, but its target is in the USA, then where is malware as an object in the broader sense? Yes, there is local software on the individual machine, but it requires a connection to extract information, for instance. Then there are the political reasons that certain groups operate out of certain places, the training required, the knowledge to do certain things: all are geographically dispersed. Can you separate the malware object from this? I think not; it becomes part of the malware object, made up of different malicious elements, such as the local software on the machine, with a server elsewhere, with the right political conditions that enable it to become malware in the sense that we can detect and analyse it and it becomes successful.

So, when we consider malware as geographically distributed in this way, it is in tension, with lots of potential for something to happen (think of the Conficker botnet, which did very little). It is when all elements of the malware object are part of doing something that it really formulates, and it becomes malicious. Yes, we can see the warning signs through signatures, but it is only when the malware object comes together that it is something we can track, analyse and detect through networks. This is why Advanced Persistent Threats (APTs) are so interesting, as they are so stealthy that the object is very difficult to detect – and may not seem to be acting differently to the norm. When is an APT part of a malware object? This is something I need to do a bit more thinking on.

Therefore, when talking about malware and when detecting it, it’s about the entire ecology of malware: it is not just end-point detection, as it only becomes malware when all the elements forge an object. This may now sound obvious – but it disrupts the idea that an object is material, located in a fixed place at a certain time, and adds tension to the mixture. Therefore you have to tackle all parts of the ecology – computer science, international relations, crime – to attempt to force into shape something that is only ever partially controlled. This means that connected thinking is essential when considering how to tackle malware, and it cannot be done simply at the end-point. Evidently, this is just me dropping an idea at the moment, but I hope to work with this much more as a core tenet of how malware can be reconsidered to assist in cybersecurity, but also to challenge some geographical thinking.

Unfortunately, it seems Evernote cannot be used for any personal or confidential information if you’re from the EU. As I was wading through the confidentiality and data protection requirements for my DPhil fieldwork, I had to really dig around to find out what the University’s (that is, Oxford’s) policy on cloud storage was. It appears this excludes any transfer of data outside of the EEA (the European Economic Area). That is even with the new ‘Privacy Shield’ between the EU and the USA.

I was thinking of using Evernote as a simple tool to store notes and my research diary – with the syncing a useful back-up tool. However, Evernote is not yet a signatory to the new ‘Privacy Shield’, which you can check here. Although Evernote is a signatory to the old ‘Safe Harbor’ agreement, this is now invalid – as can be seen on this page – following the European Court of Justice’s ruling in October 2015. Therefore, if you are a researcher and are using Evernote with information that falls under Data Protection, you are likely falling foul of your obligations to ensure it remains under EU jurisdiction.

Therefore I recommend you follow the instructions here to create a local notebook that is stored only on the computer you are using it on. This is the only way to ensure you are keeping to the requirements under EU data protection and ensuring your research maintains data security integrity. I’m hoping Evernote signs up to ‘Privacy Shield’ soon so that I can sync my notes, as this would be very useful.


If I am wrong, it would be great to know, but after a good time searching I cannot find evidence to the contrary.

I wish I could have attended my centre’s open day, which I hear was a major success! It’s great to be part of a group of individuals pursuing some very different areas of cyber security across computer science, international relations, law, philosophy, and geography (well, only me, so far). Below is the poster that summarises my current DPhil onto A1. I haven’t seen it printed, but it will have been there yesterday.

I’m currently in the process of organising my fieldwork (still), but hopefully I will get there. I am also still obsessing and dragging my feet over a piece on ‘objects’ I am writing, which I will be presenting first at the ISA conference in February – this is definitely the furthest in advance I’ve been writing and thinking in depth for a conference, and subsequent paper, so I think that must be progress?

[Poster: malware-ecologies-poster-v005]

It’s great to be on board for the ISA 2017 Annual Convention in Baltimore. I thought I would drop my abstract below for this, where I’m exploring the object as a way to think around malware and its implications for cybersecurity and a malware politics.

Malicious Modulation: Collusions of a Laboratory
Malicious software, often referred to as malware, is a multifaceted, interrelational being. In working through a laboratory, this paper explores how the space of analysis and detection of this more-than-human cousin are consistently emergent. In working through the limits of an object-orientated ontology (OOO), I ask how we can question objects as being in modulation through and of themselves. Though I draw upon OOO in similar ways to Meehan et al (2013) on the political geographies of the object, I question the temporal and spatial assumptions with reference to Deleuze’s modulation. Hence, I bring together code artists, virtual machines, curators, algorithms, legal structures, computer monitors, silence, international treaties, among others without attempting to resort to the tyranny of the list. Taking the locale of the malware laboratory as place where movement, collaboration and curation of our cousins is made known, I expose how this place is a dense site of security logics. These malwares exceed any technical or humanly approach to their existence. To embrace their vibrancy, one has to modulate, play, to discover forms of malicious encounter. This requires a technological artistry, a coagulation of disparate elements in assembling spaces that challenge the enclosure of the malware lab.

As I am going to be busy on fieldwork over the next year, I have decided to limit where I am going to be and focus on doing some ethnographic research. This means I will only be taking on limited activities outside of my core PhD. Thus, the requests I have taken on in the last year to be involved with projects, talks, and debates will now take a back seat – don’t be offended if I say no! Therefore the only things I will be going to over the next 9-12 months will be:

  • YATA Seminar on ‘NATO’s Future Challenges’ (Berlin, Germany – November 2016)
  • International Studies Association (ISA) panel on ‘Modular Performances of Security’ with my paper on ‘Malicious Modulation: Collusions of a Laboratory’ (Baltimore, USA – February 2017)
  • Association of American Geographers (AAG) with my CfP on ‘Curating (in)security: Unsettling Geographies of Cyberspace’ and possibly presenting on another panel (Boston, USA – April 2017)

All of these pieces will be focusing on the more ‘human’ sides of malware, and how malware interacts with us, particularly in what is typically deemed to be political, to develop a core tenet of my work.

I’m very excited about what looks like a fascinating workshop with a great set of people (I don’t believe the list is finalised yet, so I will hold off on that) on living with algorithms. This is being hosted by Royal Holloway, University of London. I’m particularly excited about the short 5–10 minute provocations that this call for papers asked for – I’m sure there’ll be some pretty diverse, and contentious, contributions on the day.

Below is my abstract for the workshop:

The kiss of death: an algorithmic curse.

Malicious softwares slither through noise of systems, of cyberspaces, attempting to avoid the signal, to defy their abnormality to their surrounding ecological condition. It’s a parasitical existence, to avoid the kiss of death.

Algorithmic detection: The curse of malwares. The curse of humans?

In similar techniques deployed against humans, the collection of data, its analysis, abnormality breathes from ever-modulating normalised abstractions. Or that is the intention, at least. Modern malware mostly emerges as malicious through the deployment of the detecting algorithm. Circulation and mobility are absolutely necessary for malwares to carry out their deeds of infection, exfiltration and so on. Yet precisely this circulation is its downfall. To be malware, it must move. Yet in moving it changes its ecological condition. Two cultures emerge at the point of software’s algorithmic detection; one becoming-human, one becoming-malware. Indeed, it is tempting to focus on humanly responses, looking at things in relation to ourselves. Yet how does algorithmic detection expose the malicious intentionality of otherwise ‘normal’ software? What human-malware normality is required?

We, malwares and humans, are rightly concerned with algorithmic detection. This is where our cultures converge in a more-than-human political project. We are unlikely to ever sense each other in that way however. Humans and malwares develop everyday practice at certain sites, sometimes technological, other times not. These include anti-virus programs, the secure connection to banking credentials, stealing ‘confidential’ big data, in organisational practice, in the virtue of the software programmer, in the chatter of politicians. When malware is detected, when it becomes known, it is sealed-off, destroyed, deleted. As humans, can similar algorithmic detection mechanisms come from our dividualisation? Can looking to a more-than-human offer potential futures of hope and resistance to the dominance of algorithms? A way for us to slither through our spatial registers?


I will be presenting at the Durham conference on May 4 2016 with the paper:

W32.Stuxnet: An Olympic Games.

Sprinting, jumping, throwing, shooting, running, leaping.


Siemens Programmable Logic Controller (PLC)? Siemens SIMATIC Step 7 Industrial Control Software? Yes… Next Step.


Welcome to the most wonderful of Olympic Games. A brilliant new, sophisticated cyber weapon has been created. A game against Iran, against its nuclear enrichment programme in Natanz. Those who played we can only deduce: the USA and Israel. Stuxnet is the name attributed to this multifaceted, modular, updating malicious software(s?). It slithers, propagating between machines, checking, stealthily, hiding, the joker of the system. What a game, to travel with this more-than-human. Enter this cyberspatial ecology, driven by a tension of potentiality, beyond virtual, the real. Collaborations between malware artists and their offspring, malwares, generate peculiar, novel methods of movement. USB sticks, Siemens PLCs, network shares, command and control servers. It is simultaneously divided and yet constituted, materialised. Its mobility disguised, tricking, mimicking normal flows. Through its movement it becomes known. Static analyses neglect the agential vibrancy this malware exudes; it is through flows that it is malicious – to us humans – ultimately it is (simply) software. Experience how Stuxnet interacts with the complex geopolitical interactions of Iran and the USA / Israel, confused engineers at their screens, Windows operating systems, zero-day exploits and modular malware engineering. Let’s explore what our expert human friends tell us of malware, the conflicting narratives of their movement, one that disjoints dominant human action from the ecology within which cyber security develops. Join us on a geographical adventure to experience an ever-incomplete picture of our destructive (productive?) compatriot.