25

Cyber-security
Myriam Dunn Cavelty

Chapter Contents
• Introduction 363
• Information security 101 363
• Three interlocking cyber-security discourses 364
• Reducing cyber-in-security 373
• The level of cyber-risk 376
• Conclusion 377

Reader’s Guide
This chapter looks at why cyber-security is considered one of the key national security issues of
our times. The first section provides the necessary technical background information. The second
unravels three different, but interrelated ways to look at cyber-security: the first discourse has a
technical focus and is about viruses and worms. The second looks at the interrelationship between
the phenomenon of cyber-crime and cyber-espionage. The third turns to a military and civil defence-
driven discourse about the double-edged sword of fighting wars in the information domain and the
need for critical infrastructure protection. Based on this, the third section looks at selected protection
concepts from each of the three discourses. The final section sets the threat into perspective: despite
heightened media attention and a general feeling of impending cyber-doom in some government
circles, the level of cyber-risk is generally overstated.
 Cyber-security 363

Introduction The inherent insecurity of computers

and networks
Information has been considered a significant aspect of
power, diplomacy, and armed conflict for a very long Today’s version of the Internet is a dynamic evolution
time. Since the 1990s, however, information’s role of the Advanced Research Projects Agency Network
in international relations and security has diversified (ARPANET), which was funded by the Defense Ad-
and its importance for political matters has increased, vanced Research Projects Agency (DARPA) of the
mostly due to the proliferation of information and United States Department of Defense (DoD) from
communication technology (ICT) into all aspects 1962 onwards, mainly for optimized information
of life in post-industrialized societies. The ability to exchange between the universities and research lab-
master the generation, management, use but also ma- oratories involved in DoD research. From the very be-
nipulation of information has become a desired power ginning the network designers emphasized robustness
resource since the control over knowledge, beliefs, and survivability over security. At the time there was
and ideas are increasingly regarded as a complement no apparent need for a specific focus on security, be-
to control over tangible resources such as military cause information systems were being hosted on large
forces, raw materials, and economic productive capa- proprietary machines that were connected to very few
bility. Consequently, matters of cyber-(in)-security— other computers.
though not always under this name—have become a Due to the dynamic evolution of ARPANET this
security issue. turned into a legacy problem. What makes systems
In this chapter, the cyber-(in)-security logic is un- so vulnerable today is the confluence of three factors:
packed in four sections as described in the Reader’s the same basic network technology (not built with
Guide, with the first providing the necessary techni- sec­urity in mind), the shift to smaller and far more
cal background information on why the information open systems (not built with security in mind), and
infrastructure is inherently insecure, how computer the rise of extensive networking at the same time. In
vulnerabilities are conceptualized, who can exploit addition to this, the commercialization of the Inter-
them and in what ways. net in the 1990s led to a further security deficit. There
are significant market-driven obstacles to IT-security:
there is no direct return on investment, time-to-mar-
ket impedes extensive security measures, and security
Information security 101 mechanisms have a negative impact on usability so
Cyberspace connotes the fusion of all communica- that security is often sacrificed for functionality. Also,
tion networks, databases, and sources of information an ongoing dynamic globalization of information
into a vast, tangled, and diverse blanket of electronic services in connection with technological innovation
interchange. A ‘network ecosystem’ is created; it is has led to an increase of connectivity and complexity,
virtual and it ‘exists everywhere there are telephone leading to ill-understood behaviour of systems, as well
wires, coaxial cables, fiber-optic lines or electromag- as barely understood vulnerabilities. Quite simply, the
netic waves’ (Dyson et al. 1996). Cyberspace, how- more complex an IT system is the more bugs it con-
ever, is not only virtual since it is also made up of tains and the more complex it is the harder it is for an
servers, cables, computers, satellites, etc. In popular IT system’s security to control or manage it.
usage we tend to use the terms cyberspace and Inter-
net almost interchangeably, even though the Inter- Computer vulnerabilities and threat
net, albeit the most important one, is just one part of
agents
cyberspace.
Cyber-security is both about the insecurity created The terminology in information security is often
by and through this new place/space and about the seemingly congruent with the terminology in national
practices or processes to make it (more) secure. It re- security discourses: it is about threats, agents, vulner-
fers to a set of activities and measures, both technical abilities, etc. However, the terms have very specific
and non-technical, intended to protect the bioelectri- meanings so that seemingly clear analogies must be
cal environment and the data it contains and trans- used with care. One (of several possible) ways to cat-
ports from all possible threats. egorize threats is to differentiate between ‘failures’,
364 Myriam Dunn Cavelty

‘accidents’, and ‘attacks’. Failures are potentially dam- d­ estructive programs that masquerade as benign ap-
aging events caused by deficiencies in the system or plications but set up a back door so that the hacker can
in an external element on which the system depends. return later and enter the system. Often system intru-
Failures may be due to software design errors, hard- sion is the main goal of more advanced attacks. If the
ware degradation, human errors, or corrupted data. intruder gains full system control, or ‘root’ access, he
Accidents include the entire range of randomly occur- has unrestricted access to the inner workings of the
ring and potentially damaging events such as natural system (Anonymous 2003). Due to the characteristics
disasters. Usually, accidents are externally generated of digitally stored information an intruder can delay,
events (i.e. from outside the system), whereas failures disrupt, corrupt, exploit, destroy, steal, and modify
are internally generated events. Attacks (both passive information. Depending on the value of the informa-
and active) are potentially damaging events orches- tion or the importance of the application for which this
trated by a human adversary. They are the main focus information is required, such actions will have differ-
of the cyber-security discourse. ent impacts with varying degrees of gravity.
Human attackers are usually called ‘threat agents’.
The most common label bestowed upon them is
Key points
hacker. This catchphrase is used in two main ways,
one positive and one pejorative (Erickson 2003). For
members of the computing community it describes • Cyberspace has both virtual and physical elements.
a member of a distinct social group (or sub-culture); We tend to use the terms cyberspace and Internet
interchangeably, even though cyberspace encompasses
a particularly skilled programmer or technical expert
far more than just the Internet.
who knows a programming interface well enough to
write novel software. A particular ethic is ascribed to • Cyber-security is both about the insecurity created
through cyberspace and about the technical and non-
this subculture: a belief in sharing, openness, and free
technical practices of making it (more) secure.
access to computers and information; decentralization
of government; and in improvement of the quality of • The Internet started as ARPANET in the 1960s and was
never built with security in mind. This legacy, combined
life (Levy 1984). In popular usage and in the media,
with the rapid growth of the network, its commerciali-
however, the term hacker generally describes compu-
zation, and its increasing complexity made computer
ter intruders or criminals. In the cyber-security debate, networks inherently insecure.
hacking is considered a modus operandi that can be
• Information security uses as vocabulary very similar to
used not only by technologically skilled individuals for
national security language, but has specific meanings.
minor misdemeanours, but also by organized actor Computer problems are caused by failures, accidents,
groups with truly bad intent, such as terrorists or for- or attacks. The latter are the main focus of the cyber-
eign states. Some hackers may have the skills to attack security discourse. Attackers are generally called hackers.
those parts of the information infrastructure consid- • The umbrella term for all hacker tools is malware. The
ered ‘critical’ for the functioning of society. Though main goal of more advanced attacks is full system con-
most hackers would be expected to lack the motiva- trol, which allows the intruder to delay, disrupt, corrupt,
tion to cause violence or severe economic or social exploit, destroy, steal, or modify information.
harm because of their ethics (Denning 2001), govern-
ment officials fear that individuals who have the capa-
bility to cause serious damage, but little motivation,
could be corrupted by a group of malicious actors. Three interlocking cyber-security
discourses
Hacking tools
The cyber-security discourse originated in the USA
There are various tools and modes of attack. The term in the 1970s, built momentum in the late 1980s and
used for the totality of these tools is malware. Well- spread to other countries in the late 1990s. The US gov-
known examples are viruses and worms, computer pro- ernment shaped both the threat perception and the
grams that replicate functional copies of themselves envisaged countermeasures with only little ­variation
with varying effects ranging from mere annoyance in other countries. On the one hand, the ­debate was
and inconvenience to compromise of the confiden- decisively influenced by the larger post-Cold War
tiality or integrity of information, and Trojan horses, strategic context in which the notion of asymmetric
 Cyber-security 365

vulnerabilities, epitomized by the multiplication of systems for their smooth, reliable, and continuous
malicious actors (both state and non-state) and their operation. The referent object that emerged was the
increasing capabilities to do harm, started to play a totality of critical (information) infrastructures that
key role. On the other hand, discussions about cyber- provide the way of life that characterizes our societies.
security always were and still are influenced by the When telling the cyber-security-story we can distin-
ongoing information revolution, which the USA is guish between three different, but often closely inter-
shaping both technologically and intellectually by dis- related and reinforcing discourses, with specific threat
cussing its implications for international relations and imaginaries and security practices, referent objects,
security and acting on these assumptions. and key actors. The first is a technical discourse con-
The cyber-security discourse was never static be- cerned with malware (viruses, worms, etc.) and system
cause the technical aspects of the information infra- intrusions. The second is concerned with the phenom-
structure are constantly evolving. Most importantly, ena cyber-crime and cyber-espionage. The third is a
changes in the technical sub-structure changed the discourse driven initially by the US military, focusing
referent object. In the 1970s and 1980s, cyber-security on matters of cyber-war initially but increasingly also
was about those parts of the private sector that were on critical infrastructure protection (see Figure 25.1).
becoming digitalized and also about government net-
works and the classified information residing in it. The
growth and spread of computer networks into more Viruses, worms, and other bugs
and more aspects of life changed this limited referent (technical discourse)
object in crucial ways. In the mid-1990s, it became The technical discourse is focused on computer and
clear that key sectors of modern society, including network disruptions caused by different types of mal-
those vital to national security and to the essential ware. One of the first papers on viruses and their risks
functioning of (post-)industrialized economies, had was Fred Cohen’s ‘Computer viruses—Theory and
come to rely on a spectrum of highly interdepend- Experiments’, initially presented in 1984 and published
ent national and international software-based control in 1987 (Cohen 1987). His work demonstrated the

Figure 25.1  Three discourses

Technical Crime–Espionage Military/civil

defence

Main actors Computer experts Law enforcement National security

experts
Anti-virus Intelligence
industry community Military

Civil defence
establishment

Main Computers Business networks Military networks,

referent networked armed
Computer Classified
object forces
networks information
(government Critical
networks) (information)
infrastructures
366 Myriam Dunn Cavelty

­ niversality of risk and the limitations of protection in

u defences and then designs malware to get around them
computer networks and solidified the basic paradigm (Symantec 2010). The most prominent example for this
that there can be no absolute security /no zero risk kind of malware is Stuxnet (see Case Study 25.2). How-
in information systems. In 1988, the ARPANET had ever, some IT security companies have recently warned
its first major network incident: the ‘Morris Worm’. against overemphasizing so called advanced persistent
The worm used so many system resources that the at- threat attacks just because we hear more about them
tacked computers could no longer function and large (Verizon 2010: 16). Only about 3 per cent of all inci-
parts of the early Internet went down. dents are considered so sophisticated that they were
Its devastating technical effect prompted DARPA to impossible to stop. The vast majority of attackers go
set up a centre to coordinate communication among after small to medium-sized enterprises with bad de-
computer experts during IT emergencies and to help fences. These types of incidents tend to remain under
prevent future incidents: a Computer Emergency Re- the radar of the media and even law-enforcement.
sponse Team (CERT). This centre, now called the
CERT Coordination Center, still plays a considerable
role in computer security today and served as a role Key points
model for many similar centres all over the world.
Around the same time, the anti-virus industry emerged • Theoretical research on self-replicating programs in the
and with it techniques and programs for virus recogni- early history of computer networks proved that there
tion, destruction and prevention. could be no absolute security in information systems. In
The worm also had a substantial psychological im- 1988, the Morris Worm downed large parts of the early
Internet, proving the theory right and making clear that
pact by making people aware just how insecure and
the Internet was a very insecure technology.
unreliable the Internet was. While it had been accept-
able in the 1960s that pioneering computer profession- • As a consequence, the CERT Coordination Center was
founded. It is still very active today and has served as a
als were hacking and investigating computer systems,
model for similar computer emergency response teams
the situation had changed by the 1980s. Society had
in many countries.
become dependent on computing in general for busi-
• There is a long list of prominent malware, which often
ness practices and other basic functions. Tampering
made headlines. Over the years, malware has become more
with computers suddenly meant potentially endan-
sophisticated and more clearly linked to criminal intent.
gering people’s careers and property; and some even
• The most dangerous malware today is tailored to a
said their lives (Spafford 1989). Ever since, malware as
specific target. However, the large majority of attacks
‘visible’ proof of the persuasive insecurity of the infor-
remains fairly unsophisticated and go after small or
mation infrastructure has remained in the limelight of medium-sized enterprises with little IT security aware-
the cyber-security discourse; and it also provides the ness and/or investment.
back-story for the other two discourses. Table 25.1
lists some of the most prominent examples.
Most obviously, the history of malware is a mirror Cyber-crooks and digital spies
of technological development: the type of malware,
(crime-espionage discourse)
the type of targets and the attack vectors all changed
with the technology and the existing technical counter- The cyber-crime discourse and the technical discourse
measures (and continue to do so). This development are very closely related. The development of IT law
goes in sync with the development of the cyber-crime (and, more specifically, Internet or cyber-law) in differ-
market, which is driven by the huge sums of money ent countries plays a crucial role in the second discourse
available to criminal enterprises at low risk of pros- because it allows the definition and prosecution of mis-
ecution. While there was a tongue-in-cheek quality demeanour. Not surprisingly, the development of legal
to many of the viruses in the beginning, viruses have tools to prosecute unauthorized entry into computer
long ago lost their innocence. While prank-like viruses systems coincided with the first serious network inci-
have not disappeared, computer security professionals dents described here (cf. Mungo and Clough 1993).
are increasingly concerned with the rising level of pro- Cyber-crime has come to refer to any crime that
fessionalization coupled with the obvious criminal (or involves computers and networks, like a release of
even strategic) intent behind attacks. Advanced mal- malware or spam, fraud, and many other things. Until
ware is targeted: A hacker picks a victim, scopes the today, notions of computer-related economic crimes
 Cyber-security 367

Table 25.1  Prominent malware

Name of Year of
malware discovery Creator Infected Effect

Creeper virus 1971 Bob Thomas (IT Specific types of computer/ Displayed message on computer screen:
professional), USA operating systems ‘I’m the creeper, catch me if you can!’
Elk Cloner 1981 Richard Skrenta Apple DOS 3.3 operating Displayed poem, first line: ‘Elk Cloner:
(15-year-old high school system The program with a personality’
student), USA
Morris Worm 1988 Robert Morris UNIX systems Slowed down machines in the ARPANET
(computer student), until they became unusable
USA Huge impact on the general awareness
of insecurity
Michelangelo 1992 (unknown) DOS systems Overwrote the first hundred sectors of
the hard disk with nulls
Caused first digital mass hysteria
Back Orifice 1998 Cult of the Dead Cow Windows 98 Tool for remote system administration
(hacker collective), USA (Trojan horse)
Melissa 1999 David L. Smith Microsoft Word, Outlook Shut down Internet mail, clogged systems
(programmer), USA with infected e-mails
I Love You 2000 Reomel Ramores and Windows Overwrote files with copy of itself, sent
Onel de Guzman itself to the first fifty people in the
(computer students), Windows Address Book
Philippines
Code Red 2001 (unknown) Microsoft web servers Defaced websites, used machines for
DDoS-attacks
Nimda 2001 (unknown) Windows workstations Allowed external control over infected
and servers computers
Blaster 2003 Jeffrey Lee Parson Windows XP and 2000 DDos-attacks against ‘windowsupdate.com’
(18-year-old student), Side effects: system crash. Was
USA suspected to have caused black-out in US
(could not be confirmed)
Slammer 2003 (unknown) Windows 95–XP DDoS-attacks, slowed down Internet
traffic worldwide
Sasser 2004 Sven Jaschan (computer Windows XP and Internet traffic slow down, system crash
science student), Windows 2000
Germany
Zeus 2007 (unknown), available to Windows Steals banking and other information,
buy in underground forms botnets
computer forums
Conficker 2008 (unknown) Windows Forms botnets
(several
versions)
Stuxnet 2010 US government (+ Israel) SCADA system Spies on and subverts industrial systems
(Siemens industrial
software and equipment)
Duqu 2011 (unknown) Windows Looks for information useful in attacking
industrial control systems
Code almost identical to Stuxnet
(copy-cat software)
368 Myriam Dunn Cavelty

determine the discussion about computer misuse. How- action. Attacks and exploits that seemingly benefit
ever, a distinct national-security dimension was estab- states might well be the work of third-party actors
lished when computer intrusions (a criminal act) were operating under a variety of motivations. At the same
clustered together with the more traditional and well- time, the challenges of clearly identifying perpetrators
established espionage discourse. Prominent hacking also gives state actors convenient ‘plausible deniability
incidents—such as the intrusions into high-level com- and the ability to officially distance themselves from
puters perpetrated by the Milwaukee-based ‘414s’—led attacks’ (Deibert and Rohozinski 2009: 12).
to a feeling in policy circles that there was a need for The third trend is the increased attention that
action (Ross 1991): if teenagers were able to penetrate ­hac­­­ktivism—the combination of hacking and ­activism—
computer networks that easily, it was assumed that bet- has gained in recent years. WikiLeaks, for example,
ter organized entities such as states would be even bet- has added yet another twist to the cyber-­espionage dis-
ter equipped to do so. Other events, like the Cuckoo’s course. Acting under the hacker-maxim ‘all information
Egg incident, the Rome Lab incident, Solar Sunrise, or should be free’, this type of activism deliberately chal-
Moonlight Maze made apparent that the threat was not lenges the self-proclaimed power of states to keep in-
just one of criminals or juveniles, but that classified or formation, which they think could endanger or damage
sensitive information could be acquired relatively easily national security, secret. It emerges as a cyber-security
by foreign nationals through hackers (see Table 25.2). issue in government discourse because of the way a lot
There are three trends worth mentioning. First, of the data has been stolen (in digital form) but also how
tech-savvy individuals (often juveniles) with the goal it is made available to the whole world through multiple
of mischief or personal enrichment shaped the early mirrors (Internet sites). Somewhat related are the mul-
history of cyber-crime. Today, professionals dominate tifaceted activities of hacker collectives such as Anony-
the field. The Internet is a near ideal playground for mous or LulzSec. They creatively play with anon­ymity
semi- and organized crime in activities such as theft in a time obsessed with control and surveillance and hu-
(like looting online banks, intellectual property, or miliate high-visibility targets by DDoS-attacks, break-
identities) or for fraud, forgery, extortion, and money ins, and the release of sensitive information.
laundering. Actors in the ‘cyber-crime black market’
are highly organized regarding strategic and opera-
Key points
tional vision, logistics and deployment. Like many
real companies, they operate across the globe.
• The notion of computer crime and the development
Second, the cyber-espionage story has also changed.
of cyber law coincided with the first network attacks.
There has been an increase in allegations that China is Though this discourse is mainly driven by economic
responsible for high-level penetrations of government considerations until today, political cyber-espionage, as a
and business computer systems in Europe, North specific type of criminal computer activity, started wor-
America, and Asia. Because Chinese authorities have rying officials around the same time.
stated repeatedly that they consider cyberspace a stra- • Over the years, cyber-criminals have become well-
tegic domain and that they hope that mastering it organized professionals, operating in a consolidated
will equalize the existing military imbalance between cyber-crime black market.
China and the USA more quickly, many officials read- • China is often blamed for high-level cyber-espionage,
ily accuse the Chinese government of deliberate and both political and economic. However, there only is
targeted attacks or intelligence gathering operations. anecdotal and circumstantial evidence for this.
However, these allegations almost exclusively rely on • As there is no way to clearly identify perpetrators that
anecdotal and circumstantial evidence. want to stay hidden in cyberspace (attribution problem),
The so-called attribution problem—which refers anyone could be behind actions that seemingly benefit
to the difficulty to clearly determining those initially certain states. States can also plausibly deny being involved.
responsible for a cyber-attack plus identifying their • Politically motivated or activist break-ins by hacker col-
motivating factors—is the big challenge in the cyber- lectives that go after high-level targets, with the aim to
domain. Due to the architecture of cyberspace, on- steal and publish sensitive information or just ridiculing
line identities can be optimally hidden. Blame on the them by targeting their websites, have recently added to
basis of the ‘cui bono’-logic (which translates into ‘to the feeling of insecurity in government circles.
whose benefit?’) is not sufficient proof for political
 Cyber-security 369

Table 25.2  Cyber-crime and cyber-espionage

Year of
Name of incident occurrence Description Perpetrators

414s break-ins 1982 Break-ins into high-profile computer systems Six teenage hackers from
in the United States Milwaukee
Hanover Hackers 1986–1988 Break-ins into high-profile computer systems German hacker recruited by
(Cuckoo’s Egg) in the United States the KGB
Rome Lab incident 1994 Break-ins into high-profile computer systems British teenage hackers
in the United States
Citibank incident 1994 $10 million siphoned from Citibank and transferred Russian hacker(s)
the money to bank accounts around the world
Solar Sunrise 1998 Series of attacks on DoD computer networks Two teenage hackers from
California plus one Israeli
Moonlight Maze 1998 Pattern of probing of high-profile computer systems Attributed to Russia
Titan Rain 2003– Access to high-profile computer systems Attributed to China
in the United States
Zeus Botnet 2007 Trojan horse ‘Zeus’, controlled millions of International cyber-crime
machines in 196 countries network, over 90 people
arrested in US alone
GhostNet 2009 Cyber-spying operation, infiltration of Attributed to China
high-value political, economic, and media
locations in 103 countries
Operation 2009 Attacks against Google and other companies Attributed to China
Aurora to gain access to and potentially modify source
code repositories at these high tech, security, and
defence contractor companies
Wikileaks 2010 251,287 leaked confidential diplomatic cables from Wikileaks, not-for-profit
Cablegate 274 US embassies around the world, dated from activist organization
28 December 1966 to 28 February 2010
Operations 2010 Coordinated, decentralized attacks on opponents Anonymous, hacker
Payback and of Internet piracy and companies with perceived collective
Avenge Assange anti-WikiLeaks behaviour
Sony and other 2011 Highly publicized hacktivist operations LulzSec, hacker collective
corporate as well as
government attacks
Theft of CO2- 2011 Theft of 475,000 carbon dioxide emissions Attributed to organized
Emmission allowances worth €6.9 million, or $9.3 million cyber-crime (purpose
Papers probably money laundering)

Cyber(ed) conflicts and vital system information age conflicts in which physical force
alone was not sufficient, but was complemented by
security (military–civil defence
the ability to win the information war and to secure
discourse)
‘information dominance’. As a result, American mili-
The Gulf War of 1991 created a watershed in US mili- tary thinkers began to publish scores of books on the
tary thinking about cyber-war. Military strategists topic and developed doctrines that emphasized the
saw the conflict as the first of a new generation of ability to degrade or even paralyse an opponent’s
370 Myriam Dunn Cavelty

communications systems (cf. Campen 1992; Arquilla entire information infrastructure of an adversary—
and Ronfeldt 1993). political, economic, and military, throughout the con-
In the mid-1990s, the advantages of the use and tinuum of operations from peace to war. NATO’s 1999
dissemination of ICT that had fuelled the revolu- intervention against Yugoslavia marked the first sus-
tion in military affairs were no longer seen only as tained use of the full-spectrum of information war-
a great opportunity providing the country with an fare components in combat. Much of this involved
‘information edge’ (Nye and Owens 1996), but were the use of propaganda and disinformation via the
also perceived as constituting an over-proportional media (an important aspect of information warfare),
vulnerability vis-à-vis a plethora of malicious ac- but there were also website defacements, a number
tors. Global information networks seemed to make of DDoS-attacks, and (unsubstantiated) rumours that
it much easier to attack the US asymmetrically and Slobodan Milosevic’s bank accounts had been hacked
as such an attack no longer required big, specialized by the US armed forces.
weapons systems or an army: borders, already porous The increasing use of the Internet during the con-
in many ways in the real world, were nonexistent in flict gave it the distinction of being the ‘first war fought
cyberspace. There was widespread fear that those in cyberspace’ or the ‘first war on the Internet’. There-
likely to fail against the American military would in- after, the term cyber-war came to be widely used to
stead plan to bring the USA to its knees by striking refer to basically any phenomenon involving a delib-
vital points fundamental to the national ­sec­urity and erate disruptive or destructive use of computers. For
the essential functioning of industrialized societies at example, the cyber-confrontations between Chinese
home. Apart from break-ins into computer networks and US hackers plus many other nationalities in 2001
that contained sensitive information (see previous have been labelled the ‘first Cyber World War’. The
section), exercises designed to assess the plausibility cause was a US reconnaissance and surveillance plane
of information warfare scenarios and to help define that was forced to land on Chinese territory after a col-
key issues to be addressed in this area demonstrated lision with a Chinese jet fighter. In 2007, DDoS-attacks
that US critical infrastructure presented a set of at- on Estonian websites were readily attributed to the
tractive strategic targets for opponents possessing in- Russian government, and various government offi-
formation warfare capabilities, be it terrorist groups cials claimed that this was the first known case of one
or states. state targeting another using cyber-warfare (see Case
At the same time, the development of military doc- Study 25.1). Similar claims were made in the confron-
trine involving the information domain continued. For tation between Russia and Georgia of 2008. In other
a while, information warfare remained essentially lim- cases, China is said to be the culprit (see previous sec-
ited to military measures in times of crisis or war. This tion and Table 25.3).
began to change around the mid-1990s, when the ac- The discovery of Stuxnet in 2010 changed the overall
tivities began to be understood as actions ­targeting the tone and intensity of the debate (see Case Study 25.2).

Case Study 25.1 Estonian ‘cyber-war’

When the Estonian authorities removed a bronze statue of a Sec- and publicly blamed the Russian government. Also, despite the
ond World War-era Soviet soldier from a park a cyberspace-’battle’ fact that the attacks bore no truly serious consequences for
ensued, lasting over three weeks, in which a wave of so-called Estonia other than (minor) economic losses, some officials even
Distributed Denial of Service attacks (DDoS) swamped various openly toyed with the idea of a counter-attack in the spirit of
websites—among them the websites of the Estonian parliament, Article 5 of the North Atlantic Treaty, which states that ‘an
banks, ministries, newspapers, and broadcasters—disabling them by armed attack’ against one or more NATO countries ‘shall be
overcrowding the bandwidths for the servers running the sites. considered an attack against them all’. The Estonian case is one
of the cases most often referred to in government circles to
Even though it will likely never be possible to provide sufficient
prove that there is a rising level of urgency and need for action.
evidence for who was behind the attacks, various officials ­readily
 Cyber-security 371

Table 25.3  Instances of cyber(ed)-conflict

Year of
Name of incident occurrence Description Actors /perpetrators

Gulf War 1991 First of a new generation of conflicts US military

where victory is no longer dependent
only on physical force, but also on the
ability to win the information war and to
secure ‘information dominance’
Dutch hacker incident 1991 Intrusions into Pentagon computers Dutch teenagers
during Gulf War. Access to unclassified,
sensitive information
Operation ‘Allied Force’ 1999 ‘The first Internet War’: sustained US military, hacktivists
use of the full-spectrum of information from many countries
warfare components in combat.
Numerous hacktivism incidents
‘Cyber-Intifada’ 2000–2005 E-mail flooding and Denial-of-Service Palestinian and Israeli
(DoS) attacks against government and hacktivists
partisan websites during second Intifada
‘Cyber World-War I’ 2001 Defacement of Chinese and US websites Hacktivists from many
and waves of DDoS-attacks after US nations (Saudi Arabia,
reconnaissance and surveillance Pakistan, India, Brazil,
plane was forced to land on Chinese Argentina, Malaysia,
territory Korea, Indonesia, Japan)
Iraq 2007 Cyber-attack on cell phones, computers, US military
and other communication devices that
terrorists were using to plan and
carry out roadside bombs
Estonia DDoS-attacks 2007 DDoS-attacks against websites of Attributed to Russian
the Estonian parliament, banks, ministries, government
newspapers, and broadcasters
Georgia DDoS-attacks 2008 DDoS-attacks against numerous Attributed to Russian
Georgian websites government
GhostNet infiltrations 2009 GhostNet related infiltrations of computers Attributed to Chinese
belonging to Tibetan exile groups government
Stuxnet 2010 Computer worm that might have been US government (+
deliberately released to slow down Israel)
Iranian nuclear programme
Korean network 2011 Botnets and DDos-attacks against Attributed to North-
intrustions government websites. Experts Korean government
suspected North Korean
‘cyber-weapons’ test
372 Myriam Dunn Cavelty

Case Study 25.2 Stuxnet

Stuxnet is a computer worm that was discovered in June 2010 It was also reported that Stuxnet damaged centrifuges in the
and has been called ‘[O]ne of the great technical blockbust- Iran nuclear programme. This evidence led several experts to
ers in malware history’ (Gross 2011). It is a complex program. the conclusion that one or several nation states—most often
It is likely that writing it took a substantial amount of time, named are the USA and/or Israel–were behind the attack. The
advanced-level programming skills and insider knowledge of involvement of the US government has since been confirmed.
industrial processes. Therefore, Stuxnet is probably the most
On another note, Stuxnet provided a platform for an ever-
expensive malware ever found. In addition, it behaves differ-
growing host of cyber-war-experts to speculate about the
ently from malware released for criminal intent: it does not
future of cyber-aggression. Internationally, Stuxnet has had two
steal information and it does not herd infected computers into
main effects: first, governments all over the world are currently
so-called botnets from which to launch further attacks. Rather,
releasing or updating cyber-security strategies and are setting
it looks for a very specific target: Stuxnet was written to attack
up new organizational units for cyber-defence (and -offence).
Siemens’ Supervisory Control And Data Acquisition (SCADA) sys-
Second, Stuxnet can be considered a ‘wake-up’ call: ever since
tems that are used to control and monitor industrial processes.
its discovery, increasingly serious attempts to come to some
In August 2010, the security company Symantec noted that 60
type of agreement on the non-aggressive use of cyberspace
per cent of the infected computers worldwide were in Iran.
between states are undertaken.

Due to the attribution problem, it was impossi- Key points

ble to know for certain who was behind this piece
of code, though many suspected one or several state • The Gulf War of 1991 is considered to be the first of a new
actors (Farwell and Rohozinski 2011). In June 2012, it generation of conflicts in which mastering the information
was revealed that Stuxnet is part of a US and Israeli domain becomes a deciding factor. Afterwards, the infor-
intelligence operation and that it was indeed pro- mation warfare doctrine was developed in the US military.
grammed and released to sabotage the Iranian nuclear • Increasing dependence of the military, but also of society
programme. For many observers, Stuxnet as a ‘digital in general, on information infrastructures made clear
first strike’ marks the beginning of the unchecked use that information warfare was a double-edged sword.
of cyber-weapons in military-like aggressions (Gross Cyberspace seemed the perfect place to launch an
2011). However, other reports think this unlikely (cf. asymmetrical attack against civilian or military critical
Sommer and Brown 2011), mainly due the uncertain infrastructures.
results a cyber-war would bring, the lack of motivation • The US military tested its information warfare doctrine
on the part of the possible combatants and their shared for the first time during a NATO operation ‘Allied Force’
inability to defend against counterattacks. in 1999. It was the first armed conflict in which all sides,
including actors not directly involved, had an active online
Future conflicts between nations will most cer-
presence, and in which the Internet was actively used for
tainly have a cyberspace component but they will be
the exchange and publication of conflict-relevant infor-
just a part of the battle. It is therefore more sensible mation. Thereafter, the term ‘cyber-war’ came to be used
to speak about cyber(ed) conflicts, conflicts ‘in which for almost any type of conflict with a cyber-component.
success or failure for major participants is critically de-
• The recent discovery of a computer worm that
pendent on computerized key activities along the path sabotages industrial processes and was programmed
of events’ (Demchak 2010). Dubbing occurrences as by order of a state actor has alarmed the international
‘cyber-war’ too carelessly bears the inherent danger of community. Some experts believe that this marks the
creating an atmosphere of insecurity and tension and beginning of unrestrained cyber-war among states.
fuelling a cyber-security dilemma: many countries are • Others think that highly unlikely and warn against an
currently said to have functional cyber-commands excessive use of the term cyber-war. Future conflicts
or be in the process of building one. Because cyber- between states will also be fought in cyberspace, but
capabilities cannot be divulged by normal intelligence not exclusively. One useful term for them is cyber(ed)
gathering activities, uncertainty and mistrust are on conflicts.
the rise.
 Cyber-security 373

Key Ideas 25.1 Presidential Commission on Critical Infrastructure Protection

Following the Oklahoma City Bombing, President Bill Clinton classical physical disruptions and new virtual threats. While the
set up the Presidential Commission on Critical Infrastructure study assessed a list of critical infrastructures or ‘sectors’—for
Protection (PCCIP) to look into the security of vital systems example the financial sector, energy supply, transportation, and
such as gas, oil, transportation, water, telecommunications, etc. the emergency services—the main focus was on cyber-risks.
The PCCIP presented its report in the fall of 1997 (Presidential There were two reasons for this decision: first, these were the
Commission on Critical Infrastructure Protection 1997). It least known because they were basically new, and second, many
concluded that the security, economy, way of life, and perhaps of the other infrastructures were seen to depend on data and
even the survival of the industrialized world were dependent communication networks. The PCCIP linked the cyber-security
on the interrelated trio of electrical energy, communications, discourse firmly to the topic of critical infrastructures. There­
and computers. Further, it stressed that advanced societies rely after, CIP became a key topic in many other countries.
heavily upon critical infrastructures, which are susceptible to

Reducing cyber-in-security sectors,1 but state actors are also incapable of pro-
viding the necessary level of security on their own
The three different discourses have produced specific (unless they heavily regulate, which they are usually
types of concepts and countermeasures in accordance reluctant to do).
with their focus and main referent objects (see Figure Public–Private Partnerships (PPP), a form of co­
25.2), some of which are discussed later. operation between the state and the private sector, are
Despite fancy concepts such as cyber-deterrence widely seen as a panacea for this problem in the policy
the common issue in all discourses is information as- community—and cooperation programmes that fol-
surance, which is the basic security of information low the PPP idea are part of all existing initiatives in the
and information systems. It is common practice that field of CIP today, though with varying success. A large
the entities that own a computer network are also re- number of them are geared towards facilitating infor-
sponsible for protecting it (governments protect gov- mation exchange between companies and between
ernment networks, militaries only military ones, and companies and government on security, disruptions,
companies protect their own, etc.). However, there and best practices. Mutual win–win situations are to
are some assets considered so crucial to the function- be created by exchanging information that the other
ing of society in the private sector that governments party does not have: the government offers classified
take additional measures to ensure an adequate level information acquired by its intelligence services about
of protection. These efforts are usually subsumed potentially hostile groups and nation states in exchange
under the label of critical (information) infrastruc- for technological knowledge from the private sector
ture protection. that the public sector does not have (President’s Com-
In the 1990s, critical infrastructures became the mission on Critical Infrastructure Protection 1997: 20).
main referent object in the cyber-security debate. Information assurance is guided by the manage-
Whereas critical infrastructure protection (CIP) ment of risk, which is essentially about accepting that
encompasses more than just cyber-security, cyber- one is (or remains) insecure: the level of risk can never
aspects have always been the main driver (see Key be reduced to zero. This means that minor and prob-
Ideas 25.1). ably also major cyber-incidents are bound to happen
The key challenge for CIP efforts arise from the because they simply cannot be avoided even with
privatization and deregulation of large parts of the perfect risk management. This is one of the main
public sector since the 1980s and the globalization
processes of the 1990s, which have put many critical 1 The most frequently listed examples are banking and
infrastructures in the hands of private (transnational) finance, government services, telecommunication and in-
enterprises. This creates a situation in which market formation and communication technologies, emergency
forces alone are not sufficient to provide the aspired and rescue services, energy and electricity, health services,
level of security in designated critical ­infrastructure transportation, logistics and distribution, and water supply.
374 Myriam Dunn Cavelty

Figure 25.2  Countermeasures

Technical Crime–Espionage Military/civil defence

Main actors  Computer experts  Law enforcement  Security professionals,

military, civil defence
 Anti-virus  Intelligence establishment
industry community

Main  Computers  Business sector  Military networks,

referent networked forces
object  Computer  Classified
networks information  Critical infrastructures

Protection Information assurance

concept

National  CERTs (specific  Computer law  Critical (information)

level for different infrastructure protection
domain, milCert,
govCert etc.)  Resilience

 Cyber-offence; cyber-
defence; cyber-
deterrence

International  International  Harmonization of  Arms control

level CERTs law (Convention on
Cybercrime)  International
 International behavioural norms
information  Mutual judicial
security standards assistance
procedures
 Cyber-security 375

reasons why the concept of resilience has gained so c­ yber-weapons, or to their use. However, traditional
much weight in recent debates (Perelman 2007). Resil- capability-based arms control will clearly not be of
ience is commonly defined as the ability of a system to much use, mainly due to the impossibility of verify-
recover from a shock, either returning back to its orig- ing limitations on the technical capabilities of actors,
inal state or to a new adjusted state. Resilience accepts especially non-state ones. The avenues available for
that disruptions are inevitable and can be considered a arms control in this arena are primarily information
‘Plan B’ in case something goes wrong. exchange and norm-building, whereas structural
In the military discourse, the terms cyber-offence, approaches and attempts to prohibit the means of
cyber-defence, and cyber-deterrence are often used ­cyber-war altogether or restricting their availability
as countermeasures. Under closer scrutiny, cyber-­ are largely impossible due to the ubiquity and dual-
defence (and to some degree -offence) are not much use nature of information technology.
more than fancy words for information assurance prac-
tices. ­Cyber-deterrence on the other hand deserves
Key points
some attention. Cyberspace clearly poses considerable
limitations for classical deterrence. Deterrence works
• There are a variety of approaches and concepts to sec­
if one party is able to successfully convey to another
ure information and critical information infrastructures.
that it is both capable and willing to use a set of avail-
The key concept is a risk management practice known as
able (often military) instruments against him if the information assurance, which aims to protect the confi-
other steps over the line. This requires an opponent dentiality, integrity, and availability of information and the
that is clearly identifiable as an attacker and has to fear systems and processes used for the storage, processing,
retaliation—which is not the case in cyber-security be- and transmission of information.
cause of the attribution problem. However, this is not • Critical (information) infrastructure protection (C(I)
stopping US government officials from threatening to IP) has become a key concept in the 1990s. Because a
use kinetic response in case of a cyber-attack on their very large part of critical infrastructures are no longer
critical infrastructures (Gorman and Barnes 2011). in the hands of government, CIP practices mainly build
Naturally, the military discourse falls back on well- on public–private partnerships. At the core of them lies
known concepts such as deterrence, which means that information sharing between the private and the public
the concept of cyber-deterrence, including its lim- sector.
its, will remain a much discussed issue in the future. • Because the information infrastructure is persuasively
In theory, effective cyber-deterrence would require insecure, risk management strategies are complemented
a wide-ranging scheme of offensive and defensive by the concept of resilience. Resilience is about hav-
­cyber-capabilities supported by a robust international ing systems rebound from shocks in an optimal way.
The concept accepts that absolute security cannot be
legal framework as well as the ability to attribute an
obtained and that minor or even major disturbances are
attack to an attacker without any doubt. The design
bound to happen.
of defensive cyber-capabilities and the design of bet-
• The military concepts of cyber-defence and cyber-
ter legal tools are relatively uncontested. Many inter-
offence are militarized words for information assurance
national organizations and international bodies have
practices. Cyber-deterrence, on the other hand, is a
taken steps to raise awareness, establish international concept that moves deterrence into the new domain of
partnerships, and agree on common rules and prac- cyberspace.
tices. One key issue is the harmonization of law to fa-
• If cyber-deterrence were to work, functioning offensive
cilitate the prosecution of perpetrators of cyber-crime. and defensive cyber-capabilities, plus the fear of retali-
While there is wide agreement on what steps are ation, both militarily and legally, would be needed. This
necessary to tackle international cyber-crime, states would also include the ability to clearly attribute attacks.
are unwilling to completely forgo offensive and ag- • Internationally, efforts are underway to further har-
gressive use of cyberspace. Due to this, and increas- monize cyber-law. In addition, because future use of
ingly so since the discovery of Stuxnet, efforts are cyberspace for strategic military purposes remains one
underway to control the military use of computer of the biggest fears in the debate, there are attempts to
exploitation through arms control or multilateral be- curtail the military use of computer exploitation through
havioural norms, agreements that might pertain to arms control or multilateral behavioural norms.
the development, distribution, and deployment of
376 Myriam Dunn Cavelty

The level of cyber-risk about worst-case scenarios but also give them a lot of
(often too much) weight despite their very low prob-
Different political, economic, and military conflicts ability is high.
clearly have had cyber(ed)-components for a number of There are additional reasons why the threat is over-
years now. Furthermore, criminal and espionage activi- rated. First, as combating cyber-threats has become a
ties with the help of computers happen every day. Cy- highly politicized issue, official statements about the
ber-incidents are causing minor and occasionally major level of threat must also be seen in the context of dif-
inconveniences. These may be in the form of lost intel- ferent bureaucratic entities that compete against each
lectual property or other proprietary data, maintenance other for resources and influence. This is usually done
and repair, lost revenue, and increased security costs. Be- by stating an urgent need for action (which they should
yond the direct impact, badly handled cyber-attacks have take) and describing the overall threat as big and rising.
also damaged corporate (and government) reputations Second, psychological research has shown that risk per-
and have, theoretically at least, the potential to reduce ception is highly dependent on intuition and emotions,
public confidence in the security of Internet transactions as well as the perceptions of experts (Gregory and Men-
and e-commerce if they become more frequent. delsohn 1993). Cyber-risks, especially in their more ex-
However, in the entire history of computer net- treme form, fit the risk profile of so-called ‘dread risks’,
works, there have been only very few examples of which appear uncontrollable, catastrophic, fatal, and
attacks or other type of incidents that had the poten- unknown. There is a propensity to be disproportionally
tial to rattle an entire nation or cause a global shock. afraid of these risks despite their low probability, which
There are even fewer examples of cyber-attacks that translates into pressure for regulatory action of all sorts
resulted in actual physical violence against persons and a willingness to bear high costs of uncertain benefit.
or property (Stuxnet being the most prominent). The The danger of overly dramatizing the threat mani-
huge majority of cyber-incidents have caused incon- fests itself in reactions that call for military retalia-
veniences or minor losses rather than serious or long- tion (as happened in the Estonian case and in other
term disruptions. They are risks that can be dealt with instances) or other exceptional measures. Though the
by individual entities using standard information sec­ last section has shown that there are many different
urity measures and their overall costs remain low in types of countermeasures in place, and that most of
comparison to other risk categories like financial risks. them are in fact not exceptional, this kind of threat
This fact tends to be disregarded in policy circles, rhetoric invokes enemy images even if there is no
because the level of cyber-fears is high and the military identifiable enemy, favours national solutions instead
discourse has a strong mobilizing power. This has im- of international ones, and centres too strongly on
portant political effects. A large part of the discourse national-security measures instead of economic and
evolves around ‘cyber-doom’ (worst-case) scenarios business solutions. Only computer attacks whose ef-
in the form of major, systemic, catastrophic incidents fects are sufficiently destructive or disruptive need the
involving critical infrastructures caused by attacks. attention of the traditional national security appara-
Since the potentially devastating effects of cyber-­ tus. Attacks that disrupt nonessential services, or that
attacks are so scary, the temptation to not only think are mainly a costly nuisance, should not.

Key points

• The majority of cyber-incidents so far have caused minor though very unlikely, remains the main concern and the main
inconveniences and their cost remains low in comparison to reason for seeing cyber-security as a national security issue.
other risk categories. Only very few attacks had the poten- • The level of cyber-risk is overstated. Reasons are to be
tial for grave consequences and even fewer actually had any found in bureaucratic turf battles due to scarce resources
impact on property. None have ever caused loss of life. and in the fact that cyber-risks are so called ‘dread risks’, of
• Despite this, the feeling persists in policy circles that a large- which human beings are disproportionally afraid. Overstat-
scale cyber attack is just around the corner. The potential ing the risk comes with the danger of prioritising the wrong
for catastrophic cyber attacks against critical infrastructures, answers.
 Cyber-security 377

Conclusion
Despite the increasing attention cyber-security is get- crisis can also be seen as a turning point rather than
ting in security politics and despite the possibility of an end state where the aversion of disaster or catas-
a major, systemic, catastrophic incident involving trophe is always possible. If societies become more
critical infrastructures, computer network vulner- fault tolerant psychologically and more resilient
abilities are mainly a business and espionage problem. overall, the likelihood for catastrophe in general and
Depending on their (potential) severity, however, catastrophic system failure in particular can be sub-
disruptive incidents in the future will continue to fuel stantially reduced.
the military discourse, and with it fears of strategic Cyber-security issues are also challenging for stu-
­cyber-war. Certainly, thinking about (and planning dents and academics more generally. Experts of all
for) worst-case scenarios is a legitimate task of the na- sorts widely disagree how likely future cyber-doom
tional security apparatus. However, they should not scenarios are—and all of their claims are based on
receive too much attention in favour of more plaus­ (educated) guesses. While there is at least proof and
ible and more likely problems. experience of cyber-crime, cyber-espionage or other
In seeking a prudent policy, the difficulty for deci- lesser forms of cyber-incidents on a daily basis, cy-
sion makers is to navigate the rocky shoals between ber-incidents of bigger proportions (cyber-terror or
hysterical doomsday scenarios and uninformed cyber-war) exist solely in the form of stories or nar-
complacency. Threat-representation must remain ratives. The way we imagine them influences our
well informed and well balanced not to allow over- judgement of their likelihood; and there are an infi-
reactions with costs that are too high and benefits nite number of ways in how we could imagine them.
that are uncertain. For example, an ‘arms race’ in Therefore, there is no way to study the ‘actual’ level
cyberspace, based on the fear of other states’ cyber- of cyber-risk in any sound way because it only exists
capabilities, would most likely have hugely detrimen- in and through the representations of various actors
tal effects on the way humankind uses the Internet. in the political domain. As a consequence, the focus
Also, solving the attribution problem would come at of research necessarily shifts to contexts and condi-
a very high cost for privacy. Even though we must tions that determine the process by which key actors
expect disturbances in the cyber-domain in the future subjectively arrive at a shared understanding of how
we must not expect outright disasters. Some of the to conceptualize and ultimately respond to a security
­cyber-disturbances may well turn into crises, but a threat.

Questions

1. Who benefits in what ways from calling malware cyber-weapons?

2. What are the pros and cons of abolishing anonymity (and therefore partially solving the attribution problem) on
the Internet in the name of security?
3. What side effects does the indiscriminate use of the terms cyber-terror and cyber-war have?
4. Are hacktivism activities a legitimate way to express political or economic grievances?
5. What are the limits of traditional arms control mechanisms applied to cyber-weapons?
6. Why does the intelligence community not have more information on the cyber-capabilities of other states?
7. What are the similarities and what the differences between information security and national security?
8. Which aspects of cyber-security should be considered a part of national security, and which aspects should not?
Why?
9. What might be the next referent object in the cyber-security discourse?
 378 Myriam Dunn Cavelty

Further Reading

• Arquilla, J. and Ronfeldt, D. F. (eds) (1997), In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica:
RAND. This is one of the key texts about information warfare.
• Brown, K. A. (2006), Critical Path: A Brief History of Critical Infrastructure Protection in the United States, Arlington,
VA: George Mason University Press. Provides a comprehensive overview of the evolution of critical infrastructure
protection in the United States.
• Deibert, R. and Rohozinski, R. (2010) ‘Risking Security: Policies and Paradoxes of Cyberspace Security’, International
Political Sociology 4/1: 15–32. An intelligent account of the threat discourse that differentiates between risks to cyber-
space and risks through cyberspace.
• Dunn Cavelty, M. (2008), Cyber-Security and Threat Politics: US Efforts to Secure the Information Age, London:
Routledge. Examines how, under what conditions, by whom, for what reasons, and with what impact cyber-threats
have been moved on to the political agenda in the USA.
• Libicki, M. (2009), Cyberdeterrence and Cyberwar, Santa Monica: RAND. Explores the specific laws of cyberspace
and uses the results to address the pros and cons of counterattack, the value of deterrence and vigilance, and other
defensive actions in the face of deliberate cyber-attack.
• National Research Council (2009), Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack
Capabilities, Washington, DC: The National Academies Press. Focuses on the use of cyber-attack as an instrument
of US policy and explores important characteristics of cyber-attack.
• Sommer, P. and Sommer, I. (2011), Reducing Systemic Cybersecurity Risk, OECD Research Report, http://www.
oecd.org/dataoecd/3/42/46894657.pdf. A down-to-earth report that concludes that it is extremely unlikely that
cyber-attacks could create problems like those caused by a global pandemic or the recent financial crisis, let alone
an actual war.

Important websites

• http://cipp.gmu.edu  George Mason University (GMU), Critical Infrastructure Protection (CIP) Program Web-
site: The GMU CIP program is a valuable source of information for both US and international CIP-related issues
and developments.
• http://www.schneier.com  Schneier on Security: Bruce Schneier is a refreshingly candid and lucid computer
security critic and commentator. In his blog, he covers computer security issues of all sorts.
• http://www.iwar.org.uk  The Information Warfare Site: an online resource that aims to stimulate debate on a
variety of issues involving information security, information operations, computer network operations, homeland
security, and more.
• http://www.infowar.com  Infowar Site: A site dedicated to tracking open source stories relating to the full-spec-
trum of information warfare, information security, and critical infrastructure protection.

Visit the Online Resource Centre that accompanies this book for lots of interesting additional material:
www.oxfordtextbooks.co.uk/orc/collins3e/

View publication stats