“Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation”. Cyberspace is increasingly perceived as a threat to the continued existence of states and businesses. Recently the US Department of Defense declared cyberspace the fifth domain of warfare. Cyberspace is thought by many to be the future of warfare, and is being progressively militarized. Indeed, the Department of Defense uses cyberspace to function, as it enables: “(. . .) its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations”. However, as of today, cyberspace is primarily being used to conduct acts of espionage. Espionage has been used by states for thousands of years in order to obtain confidential information on an opponent or an ally without the permission of the holder of the information. With the importance of technology in today's world, states, businesses, and individuals are using the cyber world in order to gather intelligence on somebody or something. Since espionage is illegal in many cases, cyber espionage also falls under that realm. Yet, the chance that cyber-spies may be arrested is very low compared to traditional spying because of the anonymous side of the internet. Indeed, it is extremely difficult to find out who is spying on whom, especially if the spy has only been using zero day vulnerabilities to gather information, and has not acted out (i.e. compromised a system or shut down a network). The rapidity, efficacy, and anonymity of the internet are reasons why states, businesses, and individuals use cyberspace for spying, as this enables them to gather information that will later on help them achieve financial, technological, social, military or economic gains.
Therefore, despite all the anticipation of cyber power changing the future of warfare, it currently remains a tool for conducting espionage, as cyberspace has become the place where people communicate and where information is increasingly located. Hence, cyberspace will continue to be the primary battleground for conducting espionage.
Although cyberspace may change the way warfare is conducted in the future, today it remains the primary battleground for conducting espionage. Cyber spying, or espionage, is “the act of engaging in an attack or series of attacks that let an unauthorized user or users view classified material”. The spy's goal is typically to gather intelligence and acquire things like intellectual property or government secrets. According to Symantec, if they are state-sponsored actors, 90% of them are not motivated by financial gains, but rather by data collection, as it is more valuable for a state. Common targets of cyberespionage include: internal data, intellectual property, client and customer information, and marketing and competitive intelligence. Indeed, there are different explanations for why entities conduct cyber espionage. The most popular reasons why states and non-state actors engage in cyberespionage are: financial, technological and/or military gains, sabotage, and simply intelligence gathering. Cyberspace is extremely important nowadays because it facilitates the gathering of information on domestic and foreign enemies. It is the place where people communicate the most and where information is permanently stored. All countries strive to achieve information superiority in order to protect themselves and have an advantage over other enemies. One reason why states want information superiority is that it enables them to avoid any surprises that could potentially lead to their demise. Cyberspace is the area where people can gather intelligence and information, and this explains why multiple actors resort to cyber espionage in the name of security. This race to achieve information superiority is important as it can be utilized in warfare for preparing and winning a war or even bringing about peace.
More and more, states are conducting acts of cyberespionage in order to collect information and gain either a technological, political, financial or military advantage over other countries.
Stuxnet is a very famous case in which states, in this case the United States and Israel, used cyber espionage with the objective of later on sabotaging Iran's nuclear program. The attackers conducted acts of cyber espionage because they needed to spy on their enemy, Iran, in order to gather intelligence. Indeed, the United States and Israel needed to know what type of equipment the other party was using before carrying out an attack on Iran's nuclear reactors. Stuxnet was a computer worm that exploited Windows' zero day vulnerabilities to infect computers, and is thought to have been created by intelligence agencies from the United States and Israel in order to derail Iran's nuclear weapons program. Before being able to carry out the attacks on the centrifuges, the attackers had to infect and gather information from five outside companies that were believed to be connected to the nuclear program. Cyber espionage and intelligence gathering were the first step in destroying the centrifuges, and essentially sabotaging Iran's nuclear program. It is overall believed that the virus was able to delay Iran's nuclear development by two years. Therefore, although the consequences of Stuxnet on the reactors still remain unclear, the United States and particularly Israel used the information they were able to collect with the objective of sabotaging Iran's program.
States also engage in acts of cyber espionage for political purposes, as they seek out their enemies' weaknesses in order to gain an advantage over them. States use hackers so that they can exploit zero day vulnerabilities and secretly gather information on other states. For instance, the United States Office of Personnel Management data breach in 2015 is one of numerous cases where hackers used a breach to access records and gain information on millions of Americans. The Office of Personnel Management was the target of a data breach committed by an advanced persistent threat (often a state sponsored team of hackers), who were able to retrieve the social security numbers and personal information of millions of federal employees. These hackers were thought to work for the Chinese government, and “have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses' political, economic, and military objectives”. China is regularly using cyber espionage in order to ascend in the international system. By conducting acts of military-technological espionage and industrial espionage, China can gain military knowledge and an economic advantage over other countries. This is why China regularly takes part in cyber espionage, as it has more to gain from spying than the United States does. Another example of an act of cyber espionage used for political purposes is the Democratic National Committee hack in 2016. It is alleged that Russian hackers had been spying on the Democratic National Committee's (DNC) emails before releasing many emails on the internet during the 2016 US election in order to prevent Hillary Clinton from winning the presidency. It is believed that Russian intelligence group Cozy Bear: “infiltrated the DNC network as far back as July 27, 2015, nearly a year before the leaks of the pilfered material began”.
The timeline from the penetration of the Russian hackers into the DNC's systems, the information gathering, and the release of the information strongly shows that Russia's end goal was to disrupt the presidential election from the start. The release of this data had overall important political and geopolitical consequences. The Office of Personnel Management breach and the DNC hack show that states conduct cyber espionage to achieve political objectives, whether the information is used as leverage later on or used to sabotage the political system of another country.
Another reason why states engage in acts of cyberespionage is to acquire a technological and military advantage over their enemies. This is the case of Buckshot Yankee, which is known as the most significant breach of the United States' military computers. This was caused by a flash drive, which was inserted into a military laptop in the Middle East in 2008. The code it carried established a digital breach and spread widely, so that data could be transferred to other servers under foreign control: “It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary”. It took fourteen months for the United States military to get rid of the virus, but the attacker, which is believed to be Russia, had already acquired thousands of files from the United States' network and the networks of US allies and industry partners. It is believed that Russia collected many: “weapons blueprints, operational plans, and surveillance data” among other things. This case is an illustration of how one country can acquire a huge advantage over another country's military through cyberespionage.
Cyberespionage is also used for financial reasons, as industrial espionage can lead a state to gain an economic advantage over another country. Indeed, espionage can lead to the theft of intellectual property and possibly result in the loss of market share and revenues for corporations. This in turn could undermine a country's promising businesses, and remove wealth and jobs in the process. Operation Aurora in 2009 is an illustration of large scale economic espionage, in which operators from China hacked into Google's China operation to gather information about human rights activists in the country. Google stated that the attackers had stolen intellectual property of at least 34 companies in the technology, financial and defense sectors. Although the details of the operation still remain unclear, many have speculated that “the attack was part of what is thought to be a concerted Chinese industrial espionage operation aimed at getting high-tech information to jump-start China's economy”. Even though the spying and stealing of intellectual property is often less talked about when it comes to cyber space, it is still a pervasive threat to a country's strength. Every year, intellectual property is stolen from the United States' businesses, universities, and government agencies. It is believed that the amount of intellectual property stolen is larger than what is contained in the Library of Congress. Cyber espionage which leads to the gathering of intelligence and the theft of intellectual property is a real threat to society as the military ultimately depends on a country's economic vitality, and: “sustained intellectual property losses erode both U.S. military effectiveness and national competitiveness in the global economy”. Therefore, cyber espionage can also be used to gather information and steal intellectual property, which can affect a country's overall strength.
Cyber espionage is not always carried out by state-sponsored groups, as there are many hacking groups that spy on individuals or states for different reasons. For instance, in 2014 the Butterfly hacking group compromised many important companies, like Apple, Facebook, and Microsoft, in order to gather information and steal intellectual property. The Butterfly hackers compromised and eavesdropped on email conversations, retrieved data of interest, and ended up selling it to the highest bidder. They solely conducted cyber espionage for financial gains. Another famous group that is not state-sponsored and that continuously uses cyber space to spy on individuals is the group Anonymous. The Anonymous group is known for its hacktivism, as they use information that they have scouted on personal emails, phones, etc. to draw attention to a political or social issue. For instance, the group declared that they had found the names and personal information of dozens of KKK members through hacking and spying, and proceeded to release all this data on the web in order to strip them of their privacy. Therefore, different groups have different objectives that motivate them to use cyber space and gather information. State sponsored groups are primarily motivated by military, technological and intelligence gains, and groups like Butterfly and Anonymous seem to lean more towards cyber espionage for financial and social gains. Moreover, more and more organizations are realizing that governments aren't the sole targets of hackers. Indeed, organizations can be targeted by other organizations in order to acquire intelligence on customers, steal intellectual property, and eventually eliminate them from the supply chain.
In order to achieve these financial, technological, military, and political gains, hackers use different means to access information. Spear phishing is a very common method and spear phishing attacks are “(. . .) designed to trick unsuspecting employees. Attackers create fake profiles on social media and networking sites to gather information and launch targeted email attacks in the future”. In Operation Red October, the malware was installed via email, which when opened exploited the vulnerabilities of Microsoft Word and Excel. The malware apparently had been embedded worldwide and gathered geopolitical intelligence and personal data over a period of five years. Spear phishing has a huge advantage, as it enables attackers to focus specifically on targets and information that they are interested in. In other words, spear phishing enables attackers to access a target's system immediately. It can exploit zero-days but, unlike other methods, it doesn't rely on vulnerabilities. Common cyber espionage operations use zero day exploits in tandem with hacking methods like spear phishing or watering hole attacks. The goal is to penetrate a network, infect systems, and either gather intelligence or steal sensitive data. In a watering hole attack, legitimate websites are compromised in order to facilitate the installation of malware onto a computer. In other words, watering hole attacks compromise websites used by a large number of users and infect computers and devices. In 2012, the US Council on Foreign Relations' website was infected with the watering hole method, and malware was spread to users using Internet Explorer in English, Chinese, Japanese, Korean and Russian. Although this enables easy access to a considerable amount of data and information, it also takes a lot of effort to go through all the data and find information of value.
Another downside to this hacking method is that most of these attacks use zero day vulnerabilities, and with the growing popularity of watering hole attacks, “attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill-chain”. Therefore, hackers tend to use the spear phishing method in order to spy on their adversaries, gather information and achieve their objective(s).
States have a couple of solutions when it comes to neutralizing cyber espionage, and one of them is deterrence. Indeed, many governments have stated that they would take military action in the event of a cyber-attack. Deterrence can be a useful counter espionage strategy for states that have the capacity and resources to carry out an attack. Cyber deterrence, like air deterrence, can have a huge impact on a targeted country. If a country is conducting cyber espionage, another country could for example shut down that state's electrical power grid, rail lines, communication networks, etc. without having to send troops in. Yet, because of the intrinsic anonymity of the internet, it is usually hard to determine who is behind these acts of cyber-espionage, and this therefore makes deterrence not always a successful strategy. Moreover, deterrence does not necessarily imply using military action against a country that is conducting acts of cyber-espionage. For instance, in 2015, Xi Jinping vowed to work with the US to reduce acts of commercial espionage after Obama threatened to impose heavy sanctions against China following the Office of Personnel Management data breach. Since then, it seems that Chinese economic espionage has heavily decreased. This shows that implementing cyber espionage norms is possible if it is agreed upon between individual states. China has been a pioneer in this area, as it already has agreements with the United States, the United Kingdom and Germany.
The United Nations has been striving for the establishment of international norms that would regulate cyber security and notably cyber espionage. For the United Nations, “(. . .) norms do two things: they keep many people, most of the time, from doing something bad, and they provide the rationale that helps everyone else understand what must be done to protect them”. International norms do not prohibit or regulate espionage, which is why the United Nations would not be able to address cyberespionage despite it being a threat to international security. Like traditional espionage, cyber espionage does not have any regulations because it doesn't always facilitate aggressive acts. Indeed, a lot of states like the United States and Germany have been caught spying on their own allies. Many states have already discussed the option of having treaties that would bind them legally into declaring cyber-espionage off-limits, just like with nuclear weapons. However, an international ban on cyber-spying will probably be very difficult to implement, as countries have spied on each other for hundreds of years in order to maintain a military and tactical advantage over other countries. On the contrary, cyber espionage is even acknowledged as a legitimate method used by countries to protect themselves: “Among the big powers, there has been a traditional understanding that everybody is trying to gather intelligence on everybody else. It's no secret that Russian intelligence officers, or Chinese, or for that matter Israeli or British or other intelligence agencies, their job is to get insight into the workings of other countries that they're not reading in the newspapers every day.” This is why some scholars have proposed a norm that states that countries can conduct cyber espionage but cannot release the information gathered, as the intelligence gathered should be for the state.
Although establishing international norms on cyber security could be an option for regulating cyber espionage and attacks, the process of doing so and having other countries abide by them will be difficult.
Another option that states and companies can use to protect their critical and valuable information from cyber espionage and theft is constantly reinforcing their cyber defenses. Cyber defenses are made for preventing, detecting, and mitigating intrusions. Networks, servers, and routers need to be updated and patched regularly in order to prevent security breaches. Individuals can also protect themselves from being infected by shutting down their computers or, in some cases, switching browsers. Operation Aurora infected the computers of thousands of individuals who used Internet Explorer in French, English, Chinese and other languages, which is why the French and German governments urged their citizens to switch to different browsers in order to protect themselves from cyber espionage and from having their computers infected.
Therefore, although cyber space may change the nature of warfare in the future, it remains nowadays one of the primary battlegrounds for conducting espionage. States, businesses, and individuals use espionage for different reasons, and the principal ones are political, financial, military, and technological gains, but also raising awareness on social issues, like the Anonymous group does. Among others, there are two different popular methods that hackers use in order to access information: spear phishing and watering holes. States are competing against each other to gain information superiority, as information gives them a huge advantage over other countries. The whole point of having this information superiority is to be able to maintain security, whether it's a state's, business's, or individual's security. The United Nations and other states like China, the United States, and the United Kingdom have started regulating cyber espionage through the establishment of norms, as cyber espionage can lead to devastating events. However, as of now, individuals, businesses, and states are still the victims of cyber espionage on a daily basis due to the lack of regulations, and the ingrained tradition of espionage in the business and international world.