As Burma’s Nov. 7 election draws near, The Irrawaddy and other Burmese exile media are on something akin to a nonviolent war footing, a position forced upon them by the distributed denial-of-service (DDoS) attacks on their websites on Sept. 27—the third anniversary of the 2007 Saffron Revolution protests. At risk is nothing less than freedom of speech and the right of media to cover important political events such as the Burmese elections.
The notion that an election can be “free and fair” without impartial and independent media coverage is, of course, absurd. According to media watchdog Reporters Without Borders (RSF): “It is essential that these [Burmese exile] websites continue to operate in order to provide the Burmese people and the rest of the world with independent news and information about the upcoming election.”
The Internet is tailor-made for media. However this fast and accessible communications platform comes with a downside. “The Internet was not developed with security in mind. It was developed with transparency in mind; it was developed for ease of technological innovation; it was developed with openness in terms of the system design,” said US Deputy Secretary for Defense William J. Lynn III in a recent speech to the Council on Foreign Relations, where he outlined how the US views the cyber threat.
To some, the concept of “cyberwar” might come across as another faddish national security policy niche, or at best a side issue compared with conventional or old-school war and defense issues. But such views have changed after a cyber attack of unprecedented sophistication using the malware “Stuxnet” hit Iranian nuclear facilities in September.
“The real world implications of Stuxnet are beyond any threat we have seen in the past,” said the web security firm Symantec after it reverse-engineered Stuxnet, which was designed to target specific control systems.
According to German cyber security expert Ralph Langner, the attack was “the first operation in history that: used a cyber weapon; created physical destruction; and hit a dedicated military target.”
“Stuxnet is the type of threat we hope to never see again,” said Symantec in its 2010 Critical Information Infrastructure Protection Survey, which examined “industries that are of such importance either to a nation’s economy or society that if their cyber networks were successfully attacked and damaged, the result would threaten national security.”
There is a growing realization that cyber attacks are likely to become an increasingly important and common way for state and non-state actors to target adversaries. For example, in January 2010, months before Stuxnet was revealed, Australian Defense Minister John Faulkner said his department had detected up to 2,400 attempted cyber attacks on government systems during 2009. And David Irving, the head of the Australian Security Information Organization (ASIO), said in a speech in late August, “The explosion of the cyber world has expanded infinitely the opportunities for the covert acquisition of information by both state-sponsored and non-state actors. Today, we see constant attempts by cyber means to steal the nation’s secrets.”
Cyber defense will almost certainly become a mainstream defense issue in the coming years, with talk already of the need for new international agreements to regulate cyberspace. That will be difficult, as there is no definition or agreement on the nature of cyber warfare, and finding out the source or instigator of any cyber attack is immensely difficult.
This in turn will have implications for existing laws of war, as legitimate response and proportionality will be hard to define amid such practical confusion. In any case, rogue states, terrorists, organized crime and lone hackers will not be party to these treaties. It adds a new dimension to the notion of asymmetric warfare, though at least the element of surprise that facilitated Stuxnet should now be a thing of the past.
The DDoS attacks on The Irrawaddy might be the thin end of the cyber wedge when looked at in the context of an operation such as Stuxnet, or even previous DDoS attacks such as the apparent Russian-sponsored takedown of the Estonia government’s online services in 2007. However, the Saffron Revolution anniversary attack on The Irrawaddy is an indication of how far an authoritarian regime is willing to go to curb independent voices and illustrates the fragility of the Internet for media groups.
As the election in Burma looms, The Irrawaddy is preparing for more attacks sponsored by the military regime, which is labeled by RSF as “an enemy of the Internet.” The challenge is likely to be formidable, partly due to the nature of the Internet itself.
As Lynn noted in his speech to the Council on Foreign Relations: “The defender is always lagging behind the attacker in terms of developing measures and countermeasures. So adept programmers will always be able to find vulnerabilities.”Show