SSU Forum with Caroline Baylon and Professor Motohiro Tsuchiya

Date: Wednesday, September 7 2016, 10:30-12:00
Venue: Conference Room, 3rd Floor, Ito International Research Center
Subject: Cyber Security and International Order
Lecture: Caroline Baylon (Information Security Research Lead at AXA)
Motohiro Tsuchiya (Professor of Keio University)
Language: English
Hosted by: Security Studies Unit, Policy Alternatives Research Institute, the University of Tokyo

The Security Studies Unit (SSU) was delighted to host an event concerning cybersecurity in the SSU Forum format with Ms. Caroline Baylon, Information Security Research Lead at AXA, and Motohiro Tsuchiya, Professor at the Graduate School of Media and Governance, Keio University.

Chair of the event was Professor Kiichi Fujiwara, Director of the SSU, who briefly introduced the guests to the numerous audience, thanking them for kindly agreeing to present their work at the University of Tokyo.
Professor Fujiwara also reminded all attendees of the rapidly growing importance of the topic of cybersecurity not only in the domain of law and crime, but also in the strategic domain of cyber-warfare, hybrid war, and the security of vital electronic infrastructure in developed countries.

Ms. Baylon was the first speaker. She thanked the host and introduced her talk as the summary of two papers she has recently written, one concerning the security of nuclear facilities, the other on the security of satellites and space assets.
Regarding the security of nuclear power plants and other facilities, there are four main actors, who can be inclined to produce different kinds of damage. Hacktivists primarily wish to cause reputational harm.
Cybercriminals are chiefly interested in profit (e.g. in the form of ransom), and are unlikely to deliberately seek large scale damage. These are entirely “private” actors. Then we have various degrees of state-backed actors. Indeed states are now engaging quite actively in cyber-security operations; it is known for instance that the US, Russia, and China have been looking for vulnerabilities in order to infiltrate each other’s power grid. Of course in these cases the problem of attribution (i.e. ascertaining who made the attack, where the attack originated from) can be extremely difficult. States can often use proxies and even “cyber-privateers” to engage in this kind of activities. An example can be the large scale power outage which affected the Ukraine in 2015, which was blamed on a cyber-attack allegedly originating in Russia.
A related issue is that there are companies which sell vulnerabilities for infrastructures. Another actor is terrorist groups (it is now know that ISIS attempted to attack the US power grid). Although not currently highly advanced, these are a real concern since their skills are likely to improve and become therefore more threatening in the future.

Ms. Baylon explained then how nuclear facilities can be exposed to cyber-attacks. This happens mainly because such facilities, like any modern industrial plant, contains numerous pieces of complex equipment in need of monitoring and maintenance, and this may require its connection to networks or other devices. This means that unfortunately many nuclear facilities are not entirely “air-gapped”, namely entirely separated from the external world. Virus infection can therefore occur from unknown or unsecured connections to the internet, or connection to other devices (USB memory devices, portable computers or smartphones) in order to upload or download data.

Regarding attacks against satellites, Ms. Baylon explained that it is possible to “hijack” satellites by various means of signal disruption or substitution, therefore changing the satellite’s orbit. This means for instance that a satellite can be put on a collision path with other objects, or that a re-entry in the atmosphere can be induced thus causing the disintegration of the satellite itself. It is known that hackers (possibly from China) were able to seize control of at least two NASA satellites in 2007 and 2008, although they did not cause any harm to the equipment. Russia has accused the Ukraine of a cyber-attack which targeted a communication satellite in March 2014. Even the International Space Station (ISS) has been inadvertently contaminated with a virus carried in a personal computer of one of the astronauts.

Other attacks can target space infrastructure on earth, particularly by signal jamming. The GPS navigation signal can be disrupted rather easily, and devices which can perform such operations that are on sale for a modest sum. They are sometimes used by organised crime for car theft and other similar activities. It is known that North Korea has been disrupting GPS-based navigation systems used by aircraft and ships in South Korea. Besides jamming, spoofing, namely the substitution of one genuine signal with a fake one, is a more subtle, less easy to detect cyber-attack on satellite infrastructure, which may have major consequences, including on financial markets.

Professor Tsuchiya opened his talk by thanking the host Professor Fujiwara and the University of Tokyo. He remarked that at least since the famous American movie WarGames (released in 1983), where a teenage boy hacker almost manages to trigger a nuclear war with the USSR, cyber-security has risen to the attention of international scholars. Professor Tsuchiya recalled a number of recent and less recent incidents, where cyber-warfare proved to have become already an integral part of modern war, particularly in terms of radar jamming, damage to electronic infrastructure, disruption of command and control. Stuxnet, a virus which affected Iran’s nuclear facilities in 2009-2010 and was recognised as a joint US-Israeli operation, has become the most famous cyber-attack story, which has demonstrated how software viruses can destroy physical infrastructure on a very large scale.
All this makes eventually the case for the construction of a (necessarily global) governance framework of cyberspace. Professor Tsuchiya explained that indeed there already exist instances going in this direction, particularly the UN GGE (Group of Governmental Experts) originally an initiative of the Russian government, and “London Process”, namely a series of cyberspace conferences which originated in London under the auspices of the UK government. However, the construction of a binding set of rules for governance remains a rather problematic goal for the near and medium term future.
In general, Professor Tsuchiya remarked, there are two possible approaches to internet security governance. One is in general pursued by the US, the EU, and Japan, i.e. the idea of a free flow of information, without significant institutionalised constraint. China and Russia on the other hand appear to have a preference of a hand-on protection of the cyber-space, to be enshrined in an international treaty. Here it is possible to see therefore an ideological divergence. However, in the past year or so China and the US appear to have reached some common ground on the topic, also reflected in the diminished number of attacks from China, but Russia appears to be less interested in this kind of international understanding.
A key problem in cyber-security remains the correct tracing and attribution of the attacks, but states have the resources to enhance such capabilities if the political will is there. Finally, talking about Japan, Professor Tsuchiya remarked that the Japanese cyber-space is considerable “cleaner” than that of other nations, but numerous challenges will arise, in particular in making the Tokyo 2020 Olympic Games infrastructure safe.