Spying, data theft, sabotage: the recent spate of accusations flying between the United States and China show that the cyber world is becoming a new arena of international conflict. Even neutral Switzerland is unlikely to get away unscathed.
A recent report by the American computer security company Mandiant has made headlines around worldwide. Its authors claimed that least 140 public administrations and private companies in America and Europe – including multinationals, arms industries, space agencies, energy providers and media – have been victims of computer attacks coming from China over a period of years. Two Swiss companies were included in the list.
These attacks, attributed to a hackers’ unit in the Chinese armed forces, have three possible objectives, reckons Albert Stahel, director of the Institute for Strategic Studies in Wädenswil, canton Zurich.
“First of all, it may be traditional espionage to gather information on secret content in databases. Second, they may want to trace possible contacts between opponents of the regime in China and international media. And third, it can be a way of testing Western security systems, to find any weaknesses or gaps.”
According to Stahel, the Chinese armed forces already have the knowledge and the specialists needed to mount this kind of operation.
“Don’t forget that China has been producing many of the computers used here for years now. It’s the case with Apple, for example. Not only do the Chinese have hardware technology, they have software too.”
In June 2012 the Swiss government presented its new national strategy against cyber risks.
According to this document, cyber attacks against states, corporations and individuals are on the increase. Among the victims in Switzerland have been federal ministries, arms manufacturers Ruag and Mowag, and the Postfinance service.
Often cases go unreported, because the companies affected are afraid to lose clients’ trust. Only a minority of companies believe they are able to defend themselves against high-intensity attacks.
When it comes to the federal government itself, protection against cyber attacks is divided among too many departments across federal ministries, which for the most part are inadequately staffed.
Myriam Dunn Cavelty, a researcher at the Centre for Security Studies at the Federal Institute of Technology in Zurich, agrees that China is capable of launching cyber attacks.
“But we need to be wary of American propaganda”, she says. “The US have been using a lot of rhetoric about the threat of cyberwar for years, but at the same time they are the most advanced country when it comes to developing and using these tools.”
American agencies are suspected of having developed the Stuxnet worm, used to sabotage Iran’s nuclear programme, and discovered in 2010. This is a programme of such complexity that, according to a number of antivirus security specialists, it can take several years to figure out how it works.
Beijing has responded to the accusations publicised by Mandiant – which counts the American administration among its clients – stating that last year the Chinese ministry of defence and army suffered 144,000 cyber attacks each month, over half of which came from the US.
Who’s behind it?
According to the new national strategy for the protection of Switzerland against cyber risks, the most harmful attacks come from states or hackers bankrolled by states, because they can call upon significant financial, technical and human resources.
Another danger is organised crime, which can use very professional techniques.
Less serious but still more frequent are attacks perpetrated by so-called “hacktivists”, who usually just want to attract public attention to their demands.
Terrorists are so far using computer resources mainly to transmit propaganda, but it can be expected that in future they will try to mount cyber attacks against critical infrastructures like nuclear power stations, telephone networks, dams, etc.
Has the cyberwar started, then? “No, it would be an exaggeration to talk in terms of cyberwar as politicians and media often do”, says Dunn Cavelty. “Until now cyber attacks have just involved spying, and, in rare cases, sabotage. The word war can be used, in international law, only if there is major destruction going on.”
In recent years, at least 30 states have set up specialised units to repel – or launch – cyber attacks. As well as China and the US, Russia, France, Britain, Germany, Israel and India are among the countries most active in the field, according to experts.
“Computer risks have been on the political agenda of many governments at least since the discovery of Stuxnet,” notes Dunn Cavelty. “For the first time, we found ourselves dealing with a programme able to cause significant physical damage. So it was clear that such attacks are not some fantasy, but for real.”
Attacks on Switzerland
For Stahel, cyberwar represents the threat of the future.
“If you watch the Americans’ strategy, you see that they are definitely headed in this direction. Right now you can do much more by paralyzing the infrastructure of a country than you could by bombing them. And these threats can come from anywhere – states do not have a monopoly on intelligence.”
Stahel thinks that Switzerland has been slow to respond to these developments. “Even today our security system is focused too much on defence of the traditional sort and neglects the whole high tech arsenal.”
The issue has been raised in recent years by a number of parliamentarians. In response to their questions, the government proposed a national strategy against cyber-risks in 2012.
The document noted that cyber-attacks are increasing against Swiss governments and companies. Switzerland is particularly vulnerable because it has so many service companies like banks that use computer networks.
Furthermore, a considerable number of “critical infrastructures”, in particular energy and communications, have been privatised, so it is much more difficult to ensure they are protected.
According to the new national strategy, it will be necessary to involve all the interested parties, from the public administration to the private sector. But to do this, notes Dunn Cavelty, a new regulatory framework will be needed, and the matter of who pays will have to be sorted out.
“While the state’s job is to ensure the best national protection in every area,” she explains, “for many private companies, even today, cyber-attacks are considered just one risk among many”.