WHO IS THE ENEMY? SOME NOTES ON SECURITY AND DEFENSE ON THE NETWORK

 "In this era it will be possible to hack humans"  
Yuval Noah Harari

In recent years, and thanks to the unstoppable technological advancement, society has made significant progress in improving the quality of life of its members. Today everything happens very fast and it is possible to access information and meet needs just by having a cell phone. In fact, that mobile team has become practically an extension of the human being, because it is difficult to imagine (and, even more, have) a life without it. However, as a counterpart to this improvement, there are also new concerns that are growing in parallel. One of the most important is related to security and defense that, in the digital plane, is represented in the so-called “cybersecurity” and “cyber defense”.

Let's start by differentiating both concepts. Thus, according to ISACA,[1] "Cybersecurity" can be understood as the "protection of information assets, through the treatment of threats that put at risk the information that is processed, stored and transported through the information systems that are interconnected."

On the other hand, “cyber defense” is “oriented to the actions of a State to protect and control threats, dangers or risks of a cyber nature, in order to allow the use of cyberspace normally, under the protection of rights, freedoms and guarantees of citizens, in support of the defense of sovereignty and territorial integrity ”.[2] It should be noted that this defense is carried out in two planes: (i) between States; or, (ii) between a State and private agents.

In this essay we will comment on how both concepts, which face potential threats in the same area (the network), are the subject of concern and analysis in different fields.

We must be aware that the security that should exist in the virtual world is threatened in different ways, but worst of all, we are faced with the impossibility of, in many cases, identifying who the aggressor is. The attacks have been growing in number and importance, and it is extremely difficult to detect who the enemy is. From hacked email accounts, to real digital bombs, the attacks that are occurring in cyberspace are growing alarmingly.

Thus, one of the most popular cases (cataloged as “the first cyber attack that managed to damage the infrastructure of the real world”), occurred in January of the year 2010. The main newspapers[3] of the world realized that serious fact, since “the inspectors of the International Atomic Energy Agency who visited a nuclear plant in Natanz, Iran, noted with bewilderment that the centrifuges used to enrich uranium were failing, so it began replace those machines. The phenomenon was repeated five months later, but this time the experts were able to detect the cause: a malicious computer virus. The 'worm' (now known as Stuxnet) took control of a thousand machines that participated in the production of nuclear materials and instructed them to self-destruct. During the analysis of the 'worm', the analysts made a surprising discovery, because the highly advanced code of Stuxnet had been designed with a warlike mentality ”.

From that fact, which marked a milestone in the existence of cyber attacks, began to become aware of the dangers that can arise due to technological development, because the war began to take different paths to those we already knew and began his move from the real world to the cyberspace world.

At the legal level, and on a global scale, two positions have been highlighted that try to solve the problem related to cyber defense. Thus, “some authors say that a specific legal framework would be needed to address it, but others believe that all the rules of International Humanitarian Law that govern the conduct of hostilities would be adaptable and applicable during a cyber armed conflict, since they are aimed at protect the population and civil property against the effects of military hostilities, which is why cyber attacks can be included in it ”.[4]

As you can see, the debate about how the Law should face this threat is essential, since it is through it that a solution can be given to this problem that is no longer local and has a worldwide reach. It should not be forgotten that any response (informatics or, even, by the way of the facts) has to respect the law, but what to do when a problem arises (such as cyber attacks) that was not provided for in the regulations National and international? How to deal with these threats if we do not have a legal path that allows us to act? How to punish those responsible if in many cases we cannot identify them? What measures can be taken to mitigate the large damages that can be caused?

Due to all the questions and concerns, in the year 2013, a group of defense experts published a regulatory body that, while remaining soft law, grants a series of guidelines to face situations that may occur in cyberspace. This document is called “Tallinn Manual on International Law Applicable to Cyber ​​Warfare"[5], but it is commonly known as the "Tallinn Manual". Its content was created at the express request of the Center for Excellence in Cybernetic Cooperative Defense of NATO.

Thus, said Manual “focused on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle States to exercise the right to legitimate defense. The Manual adds a legal analysis of the most common cyber incidents that states face on a day-to-day basis and that fall below the thresholds of the use of force or armed conflict. The 2017 edition covers a full spectrum of international law applicable to cyber operations ranging from legal regimes in peacetime to the law of armed conflict, and covers a wide range of principles and regimes of international law that regulate events in cyberspace. Some belong to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. (…) In addition, numerous specialized regimes of international law, including human rights law, air and space law, sea law and diplomatic and consular law, are examined in the context of cyber operations. ”[6]

This problem has also been addressed by the States, who have gradually become aware of the potential danger that may exist if the appropriate measures are not taken to stop the threats and face the attacks. The real world is being displaced by the cyber world and states must act, either individually or jointly.

A concrete example of this coordinated action between different States can be seen in the European Union which, through the Foreign Affairs Committee of its Parliament, issued on 25 dated May 2018, the “A8-0189 / 2018 Report”[7] about cyber defense.

In this document (of truly valuable content for all the principles and guidelines that it contains and that, without a doubt, serve to direct the discussion and the proposal of effective solutions for this problem), the European Union “confirms its full commitment to cyberspace open, free, stable and secure, that respects the fundamental values ​​of democracy, human rights and the rule of law, and in which international disputes are resolved by peaceful means, based on the Charter of the United Nations and of the principles of international law ”.

Likewise, this report “asks the Member States to promote greater application of the common and global approach of the Union in the field of cyber diplomacy and of the existing rules in relation to cyberspace, and to develop, together with NATO, criteria and definitions at Union level of what constitutes a cyberattack, in order to increase the capacity of the Union to quickly adopt a common position after an illegal act of international scope in the form of cyberattack" (The highlight is mine).

With this objective, “the application of voluntary and non-binding norms on the responsible conduct of States in cyberspace (…) that include respect for the privacy and fundamental rights of citizens, as well as the adoption, is strongly supported. of regional confidence-building measures; supports, in this context, the work of the World Commission on Stability in Cyberspace in developing proposals for standards and policies that improve international security and stability and guide responsible behavior in cyberspace of both States and actors non-state ”.

As can be seen, there are already important documents that reflect a concern and commitment that social actors and some governments assume together, the same ones that find echo and reception in the laws of Latin American countries, since they have also been becoming aware of the importance of security in the digital world, whether internal or external.

Indeed, on April 28 of 2016, the National Government of Colombia issued the "CONPES 3854 - National Digital Security Policy" (related to cybersecurity). This, in order to grant a series of guidelines on risks and digital threats. In this way, attempts were made to mitigate the damage and provide greater tools for an adequate digital security plan that seeks to strengthen the capacities to identify, manage and mitigate security risks in the digital environment.

In turn, dated 9 of March of 2018, the “Cyber ​​Defense Policy” was published in the Official Gazette of the Republic of Chile, which “is part of a national system of digital policies, which includes the 2020 Digital Agenda , the National Cybersecurity Policy and the International Policy for Cyberspace. The Cyber ​​Defense Policy complements that of Cybersecurity in those aspects directly related to the defense of the country's sovereignty through digital networks, with the protection of critical information infrastructure, and with the protection of the human rights of all people that inhabit their territory. It also sets the objectives to be met gradually until the year 2022, and requires that the National Defense institutions advance in their implementation, including activities in their short, medium and long term planning ”.[8]

For its part, it should be noted that Peru has not been oblivious to the adoption of these measures. Thus, at the end of August of 2019, Law No. 30999, “Cyber ​​Defense Law” was published, which aims to “establish the regulatory framework on cyber defense of the Peruvian State, regulating military operations in and through the Cyberspace in charge of the executing agencies of the Ministry of Defense within its sphere of competence, in accordance with the law ”.

Within that framework, the main purpose of this norm is to “defend and protect sovereignty, national interests, national critical assets and key resources to maintain national capacities against threats or attacks in and through cyberspace, when they affect national security. "

Another feature of this rule is that it grants full powers to implement measures aimed at implementing cyber defense mechanisms to the Armed Forces (constituted by the Army, the Navy and the Air Force, and the Joint Command of the Armed Forces).

However, I consider that this security problem must be put in context and approached from an area that not only belongs to the State, but also to civil society. This, because, from the reading of the Peruvian norm, it is clear that there is no clear mention of the active role that citizens should have in understanding, preventing and combating these potential and true digital threats, but only He mentions the work that the Armed Forces have to do. For example, you have to:

  • An efficient and effective use of cyber defense capabilities is sought by the executing agencies of the Ministry of Defense, according to their functions and within the scope of their respective competencies, against threats or attacks in and through cyberspace, when these affect national security (article 7 of the law).
  • Planning and execution of cyber defense operations is established by the Joint Command of the Armed Forces (article 8 of the law).
  • The law indicates that the use of force by the Armed Forces in and through cyberspace is subject to the provisions contained in Article 51 of the Charter of the United Nations and said legal device, and is governed by the norms of the International Law of the Human Rights and International Humanitarian Law that are applicable (Article 9 of the law).
  • The Joint Command of the Armed Forces is in charge of the cyber defense of national critical assets and key resources (Article 12 of the law).

As can be seen, the full weight of the handling of this problem is placed on the work that the Armed Forces have to do, when the approach should be more complete and include all the social actors, as do the different documents we have cited. in this work.

Notwithstanding this, the regulation of this law is still pending.[1] and it is hoped that an adequate understanding of this reality will be embodied and included in the work to counter it not only to the Armed Forces, but also to all social actors who, without a doubt, can give great contributions to address these dangers that the cyber age is developing.

In that sense, it is essential that the regulations to be issued develop in more detail what is established in the Fourth Final Complementary Provision of the law, since it states that “the Presidency of the Council of Ministers coordinates with the Ministry of Defense and the Ministry of Education the relevance of the development of specialized content in digital security, which includes cyber defense, in university and technological higher education institutions, at the undergraduate and postgraduate level. To this end, it establishes instruments for inter-institutional cooperation with private sector entities, academia, civil society and the technical community.. ”(The highlight is mine).

This is due to the fact that we must be aware of the important role that universities, institutes, non-governmental organizations, civil associations, etc. can play in this matter, since they can contribute knowledge and a series of proposals to improve the system of National Cyber ​​Defense

A separate task is the one to implement a document that can be approved in the regional community framework to, as well as the European Union, have general guidelines that allow achieving a joint cyber defense system that responds to the realities and needs of Latin America.

However, it must be clear that this matter concerns everyone, because to a greater or lesser extent technology is in our day to day. Thus, our cybersecurity and cyber defense in general depend on the actions we are going to take to face an enemy without a face and, apparently, has the gift of ubiquity. The State is not the only one called to propose solutions, but also society as a whole has the obligation to act.


[1] View: https://www.isaca.org/Pages/default.aspx

[2]Cf.. Vargas Borbúa, Robert. Cyber ​​defense and cybersecurity, beyond the virtual world: Ecuadorian model of cyber defense governance. In https://www.redalyc.org/jatsRepo/5526/552656641013/html/index.html

[3] See, among others, https://www.bbc.com/mundo/noticias/2015/10/151007_iwonder_finde_tecnologia_virus_stuxnet; https://www.elmundo.es/elmundo/2010/11/23/navegante/1290510462.html; https://actualidad.rt.com/actualidad/view/111953-stuxnet-virus-iran

[4] Fonseca, Claudia and others. The Tallinn Handbook and the Applicability of International Cyberwar Law. En http://www.cefadigital.edu.ar/bitstream/123456789/993/1/Revista%20ESG%20no.588-2014_Fonseca_172.pdf

[5] The full text of this document can be downloaded at the following link: http://csef.ru/media/articles/3990/3990.pdf

[6]Cf.. https://ccdcoe.org/research/tallinn-manual/

[7] The complete document of said report is in the following link: http://www.europarl.europa.eu/doceo/document/A-8-2018-0189_ES.html

[8] View: https://www.diariooficial.interior.gob.cl/publicaciones/2018/03/09/42003/01/1363153.pdf

[9] See the note entitled: “Peru gives the green light to the elaboration of the regulation of the Cyber ​​Defense Law”. In https://www.infodefensa.com/latam/2019/09/07/noticia-verde-elaboracion-reglamento-ciberdefensa.html?utm_source=twitter&utm_medium=referral&utm_campaign=tt-comp

- Advertising Notice-
Jhoel Chipanahttps://works.bepress.com/jhoel-chipanacatalan/
Jhoel Chipana Catalán is a lawyer from the Pontifical Catholic University of Peru and has pursued postgraduate studies in Digital Law and New Technologies at the Universidad del Pacífico. His areas of specialization are Contracts Law and Civil Liability, State Contracting, Arbitration and Conflict Resolution, and Law and Technologies. He is a referee and a university professor. He has published seven books and more than fifty articles on legal matters; and is a founding member of Arbitration360 °, a non-profit civil association dedicated to the dissemination of arbitration.

Similar

es Spanish
X