On January 30th 2021, I ended a 2,5 year adventure working in the European Union institutions. I spent this time at the EU Institute of Security Studies, the EUISS, where I worked on the EU Cyber Direct project, providing research support to the European External Actions Service in its cyberdiplomacy endeavours. I have decided to dedicate my full time on my PhD research at the Vrije Universiteit Brussels at IMEC-SMIT and the Brussels School of Governance, where I will be part-time affiliated with the Hannah-Arendt Institute. My doctoral research will focus on platform architectures, the organic spread of misinformation and online radicalisation and the ways platforms shape the agency users have to shape social norms around content sharing.

My time at the EU left me with many impressions and some accomplishments. At the start of the experience it felt like I had been living in Rome all these years and was suddenly summoned to work in Vatican City. The impressive architecture of institutional buildings in Brussels, which I had so often walked past as a Brussels citizen, now felt like cathedrals for democracy (and bureaucracy…). The centrality of Brussels in the European empire, even more epitomised by the inner Brussels bubble and hierarchies, its jargon and odd customs,… at times working for the EU felt similar to working for the Holy Roman Empire. These cynical feelings eventually subsided as I started understanding more about the inner workings of the greatest peace project (and experiment?) ever set up. I gained some respect for the work of the European Union, despite all its defects.

I spent my time at the EUISS providing research support for the EU’s cyberdiplomacy efforts. The EU has many diplomatic endeavours in connecting with countries in the digital landscape, one of them is cybersecurity focused. As every country in the world is navigating its way through the digital revolution, The EU deemed it important to understand how everyone perceives their route. Mass societal connection to the information highway brings many benefits, but also exposes society to many vulnerabilities that are hard to deal with. It’s no secret that some countries have been taking advantage of these vulnerabilities. There’s strategic benefits for these countries in exploiting the digital holes that are left behind while we’re all building digital infrastructure at a breakneck speed. I learned that the EU seems to want this global occurrence to be a collective endeavour where citizens protection online is the main priority (with protection very much interpreted from a liberal-democracy perspective).

Such a collective liberal-democratic strategy previously paid off after the European continent was ravaged by internal war. Cooperation works from the EU’s perspective. In the few years that I was working on the EU Cyber Direct project, I saw an EU trying to understand other countries and regions’ cybersecurity positions in order to adapt its cooperation ideas to the preferences of everyone participating in the global digital space. I saw how the EU and its member states have tried to broker conversations at the United Nations for peace and stability (often too careful in condemning allies) and support other countries in developing cybersecurity strategies.

A more cynical reading of these efforts is that the EU and other global powers prefer other countries to get ready for state-sponsored cyber operations. If countries know how to prevent devastating consequences and unintentional loss of human lives caused by cyberattacks, it will allow technologically advanced countries to wage cyberwar more efficiently. Though never acknowledged as one of the EU’s policy goals, the EU’s cybersecurity capacity building was probably not only coming from a perspective of peace and love for all citizens of the world.

While such a policy perspective is not one I endorse, I did salute the capacity building support and traveled around the world to speak about how the EU does its internal cybersecurity cooperation. Not to push a strategy for completely different regions in the world, but mainly to exchange best practices. Traveling for these conferences gave me new insights on how we think about security of the internet from different perspectives. I bundled these insights in 3 regional engagement mappings for the European External Action Services, one on Latin-America, from which I condensed my analysis of the region’s balancing act in a blog post for the Elcano Institute, one on Africa, and one on Southeast Asia. There is no right or wrong way to do cybersecurity in the end, every country and region approaches cybersecurity cooperation and awareness in ways that work for their region.

During my time working with the EU Cyber Direct project, we connected hundreds of experts, academics and digital rights activists to EU policymakers, putting them in the same room to exchange perspectives. The COVID-19 pandemic made that aspect harder, and working on cyberdiplomacy really made me understand the value of human-to-human contact. I mentioned this importance in my opening statement that I was honoured to make at the 2019 UN multistakeholder intersessional of the Open Ended Working Group (OEWG) on Developments in the Field of ICTs in the Context of International Security. I wrote about what these UN meetings are about for a Belgian audience to create more awareness on the importance of this process.

In the UN statement I made an analogy of human interaction to the DNS system. Human networks are connected through routing points, similar to computers. These human routing points have a role to play in connecting everyone in their directory to other parts of the world. This is for me what multistakeholderism is about. It is important that the people who are routing points in their local and regional communities are involved in such global processes on securing the internet. Their presence at fora like the OEWG is key to making sure a broad variety of actors has a say in the security and stability of the internet, so a robust human DNS must be built between them.

The point I wanted to make in that statement, was the need to get a variety of actors involved in the cyberdiplomacy conversation. I supported the European Security and Defense College in the creation of an e-learning module on cyberdiplomacy to demystify the concept and processes for European diplomats. The e-learning is openly accessible to anyone, as the understanding of cyberdiplomacy should stretch far beyond diplomats representing their states interest.

My time at the EUISS was not exclusively spent on cyberdiplomacy and the EU Cyber Direct project. I was grateful to also be able to contribute to the institute’s strategic foresight efforts. These allowed me to develop my insights on the security threats that stem from social media, which are not a topic of debate in cyberdiplomacy. This is also why I decided to pursue this topic further in a dedicated PhD research project.

There are good reasons to keep social media, misinformation and other content issues out of security debates, which are at the centre of cyberdiplomacy. For one, it remains problematic to securitize content, and it plays in the hands of global actors who would prefer to gain greater sovereign control over information that circulates within their borders and reaches their citizens. It does however also negate the fact that there are security threats stemming from content that circulates on the internet. On January 6th 2021, a mix of extremists, Trump supporters and conspiracists stormed the US capitol building, supposedly to ‘take back the steal’ and protest the election loss of Donald Trump. Five people died in this riot. One year earlier, we predicted a scenario of civil unrest in the US fuelled by online misinformation and extremists organising in online groups. Our scenario was supposed to take place in 2024, but perhaps the global pandemic fermented many underlying rotting issues and stank up the place faster than I expected.

Calling the January 6th incident the start of a civil war is hyperbolic, but it was symptomatic to the very real security issue stemming from the social web. The artificial wall held up in the international discussion between harmful code – harmful content also leaves a vacuum for those countries that are dealing with the growing pains of societal digital connection. There are many countries seeing the waves of instability stemming from the internet, but see no clear solution to avoid it from turning into conflict. Without global discussions on this issue, countries cannot support each other in finding viable, human rights-respecting solutions to this problem. This vacuum is easily filled by actors supporting more online repression and surveillance to guarantee stability. If I had more time and space at the EUISS, I would have still written a Brief about the need for global capacity building and best practice exchanges on dealing with disinformation in a rights-and-rules-respecting way. The EU and other countries making policy decisions however haven’t found the best approach themselves. There needs to be more evidence-based policy making first. Countries around the world need to experiment with rights-respecting interventions, acquire evidence together, adapt to local contexts and investigate the effectiveness and impact of certain platform regulations and interventions.

These issues of misinformation and online hatred fester all around the world on social platforms that are ran by companies that seem unbound by any national legislation, and unbothered by their societal responsibility or lack of democratic input. In my view, most of these platforms are inherently problematic because of the business model and architectures that guide their social interactions. That is why, as part of the What If series, I wrote out my utopian ideal of a social media platform in 2024 where users could get their news as well as engage socially.

The key importance of such an interest-based social platform are: trained moderators who are part of the community, understand the norms, context and tone and can be held accountable by their community; and a subscription/wallet based monetization.

I see many challenges ahead for the open internet, as geopolitical interests are seeping into internet governance issues increasingly more often. One such example was the discussion on a potential ban of the Chinese social media app TikTok. I wrote a piece on our Directionsblog how the concerns with TikTok are framed as cybersecurity concerns, but they are actually more a matter of national security where states such as the US don’t want data of their citizens to fall into the hands of a country like China. If states truly want to tackle the security problems with platforms like TikTok, the solution is not to ban the platform and harm user rights that have formed communities on these platforms. The solution is to create a rights-and-rules based social media, for ALL social media platforms.

When the mindset of a free and open internet starts taking a backseat in security discussions, the internet will start fragmenting on several layers. A lot has been written about how the internet will not fragment, especially on the DNS layer, but geopolitics can intervene in several other layers of the internet. For the last What If scenario that I made at the EUISS, I hypothesized what a fragmented internet would really look like on a Physical, Data and Application layers of the internet (loosely based on OSI & TCP/IP model).

The global network of information has always been balancing between decentralisation and centralisation. As the balance seems to be tipping more to decentralisation, it is important to keep regions from fragmenting their internet space and cutting off or inhibiting the flows of communication.

The EU can have an important role to play in stimulating cooperation towards protecting a rule-based free and open internet. I look forward to keep working towards these goals in the future, possibly with the European Institutions but always with a sharp and critical eye on the Union.

(this article previously appeared on Knack-Datanews)

October 21, the world is confronted with an unprecedented DDoS attack, mostly caused by insecured Internet of Things devices. IoT manufacturers were put under scrutiny, and we were all given a sneak peek of the consequences when we don’t include including Security by Design. Where do we go from here?

The facts: on October 21 a Distributed Denial of Service (DDoS) attack on the DNS provider Dyn caused disturbances on the internet. Dyn is the equivalent of the internet Yellow Pages; they direct you to the right IP address when you type in the URL of a website. DDoS’ing them is therefore a simple, but effective way of making a large quantity of websites inaccessible. No Netflix and Chill, no Reddit, no Twitter. In short, people had to go outside and be productive.

DDoS attacks are as old as the internet itself. When a server is flooded with requests, it cannot reply to other legitimate requests. This happens sometimes when a site becomes unexpectedly popular and has a surge of visitors, but a malicious DDoS attack usually uses  infected computers to spike the visitor requests.

A lot of organisations have tried to instill measures to mitigate DDoS attacks, yet this incident was remarkable because of its size. Dyn reported that more than 10 million IP addresses were involved, the equivalent of 1,5 Terrabye per second.

It was discovered that this was mostly possible because of the festering supply of vulnerable internet of things appliances.

Internet of shit

The security community has been cursing for a while now about the Internet of Things, often scorned as the #InternetOfShit. These are all the appliances and gadgets that can (often needlessly) connect to the internet, like your tv, security camera, fridge, but also your car, your toaster, your lightbulbs, your doorlock, and even your bottle of wine. It is estimated that in 2016 about 6 billion appliances are connected to the internet. A dizzying number.

When more appliances are connected to the internet, there are more vectors to infect, which contribute to computing power for attacks.

This was also known by the creators of the Mirai virus, which purposefully infected IoT devices. Millions of infected IoT appliances were thus added to a botnet, creating a monster army of zombies that were used for DDoS attacks, unbeknownst to their owners.

Zombie hideout

A logical step if we want to prevent such attacks in the future, is cleaning up those devices. A lot of users know by now that they need to install antivirus software on their computers, but are not aware that their television or security camera can also be infected and participate in attacks. There is very little motivation for users to do something about this, since the impact of the infection is nearly unnoticeable in daily use.

Every country thus has the responsibility to notify users that show up in the IP logs of recurring DDoS attacks. They can inform the general public, generate awareness, and use certain incentives to secure IoT devices. This way, the zombies can be deactivated and botness can lose their strength.

An IoT that deserves our trust

Unfortunately users cannot do much themselves if they are not even capable of securing their devices. It appeared that Xiongmai, a Chinese producer whose devices was omnipresent in the attack on Dyn, had set default passwords on its devices, that couldn’t even be modified.

This was apparently the case with all devices sold before 2015. This kind of vulnerability is sadly recurrent in many devices. If the password cannot be modified, it most definitely can be controlled by someone else.

Producers are still free to choose how much security they want to install. There is no international security norm for connected devices.  Since a cyber-secure connected toaster isn’t exactly a big selling point, this step is often skipped to cut costs.

It is therefore important to call IoT producers to account, force them to have minimum security standards, and penalise those that don’t.

Organisation like the Internet of Things Security Foundation, and volunteers of the security collective I Am The Cavalry are taking matters into their own hands by setting up security frameworks. The latter even managed to make the producers of medical devices swear a hippocratic oath to no longer sell devices that do not have built in security.

The EU is also developing a proposition to force companies to abide to certain security standards, and to find a labelling system for secure IoT devices.

While its certainly useful to secure European production, it lacks some impact in a globalised world. If producers are prohibited to use cheap Chinese components when they don’t abide to those standards, it will be hard to stay competitive. If there’s little knowledge of the issue, few consumers will pay more for a “secured” IoT device.

We need international rules, although it’s not bad to start with a European label.

Too little, too late

When IoT devices didn’t have proper built-in security settings, it’s difficult to secure them afterwards. It’s commendable (and necessary!) that we try to force security by design right now, but it’s actually too late already.

The IoT craze has started a while ago already, and many appliances were sold that can’t install patches remotely. Often users must make a manual firmware update, or even hand in their appliance. Since the lifespan of many of those devices, which are often household appliances, are often only replaced after 5 to 10 years but its users, it’s quite possible we’ll still be living for a while with the consequences of the IoT zombie army.

it’s very pessimistic to say, but this is only the beginning.

How the Sony hacks made the US go into a cyber war frenzy

Is this really how we’ll deal with cyberattacks in the future?

 (this article was previously published in Dutch on Datanews)

Whether the Interview is a good movie or not is debatable, but we can all agree that it has caused a lot of commotion. Not only did it enjoy the weirdest marketing campaign in movie history and caused a diplomatic riot, it also set some special precedents, making many think the Cyberwar has commenced.

 The events unfolding in the past few months could have been a movie on its own. Two comics make a silly movie about assassinating the current North-Korean dictator. The actual North-Korean leader is offended. Coincidentally the film production house is met with a heavy cyber attack destroying their entire systems. Theatres are threatened to “not forget” 9/11 in case they would play the movie. The theatres and production companies cowardly withdraw, which is met with a public outcry, and the film is released anyway with alternative means. The FBI is quick to point the finger to North-Korea, sanctions the country, while the North-Korean internet ‘coincidentally’ also goes offline. Obama is called a monkey, and in between people start remembering both country also have nuclear weapons.

We’ll have to wait for the DVD-release and the next Wikileaks to see the behind-the-scenes footage, but for now it has all been very amusing.

While the dust is settling, it’s interesting to have a closer look at what the Interview and the ‘Sony Hack’ has set in motion.

Playing the blame game with North-Korea

In the entire analysis of the Sony Hack, the diplomatic aspect is the most striking.

Already after a few days the FBI concluded the cyberattack and the threats made could be attributed to North-Korea, based on flimsy evidence.
A lot of doubt has been cast on this attribution by several experts.

While the FBI refuses to admit how exactly the trail of its investigation leads to North-Korea, most of the evidence it gives or would credibly be able to give, is indirect circumstantial evidence according to experts.

While one would hope the US wouldn’t make such harsh accusations without a solid backing, we mustn’t forget the assumed Weapons of Mass Destruction in Iraq. Back then the US was also very sure of what later proved to be false accusations.

North-Korea denied the responsibility for the attack, but the New York Times saw a half confession in North-Korea’s statement that the attacks were ‘righteous deed of supporters and sympathizers’.

Was North-Korea aware these attacks were being launched? And is a country also responsible when it sees evil being done and doesn’t try to stop it?

The US turned down North-Korea’s offer to launch a joint investigation, and went in the offence. The 2^nd of January it raised sanctions on the most heavily sanctioned country in the world. This was a world first, effectively being the first time the US punished a country for a cyber attack on an American company.

Very ‘coincidentally’ the North-Korean internet also went offline.
The US denied any role, although fingers can also be pointed to a country with suspicious motives. Such actions would be giving North-Korea just as much right to strike back covertly.

North-Korea currently only responded furiously, with press releases like “U.S. Urged to Honestly Apologize to Mankind for Its Evil Doing before Groundlessly Pulling up Others”.

Whether the US has proof or not, according to Allan Friedman, researcher at the George Washington University’s Cyber Security Policy Research Institute, it is a smart diplomatic strategy to be overconfident in assigning blame for the cyber attacks. To prevent precedents from being made, it’s best to discourage other states from engaging in similar behaviour by punishing North-Korea, even when lacking concrete proof.

Is this the beginning of a Cyber War?

A lot of talk in popular media mentions cyberwar when referring to the Sony hacks, but was the crippling of a company really an act of war?

This lack of certainty on attribution is already vital to define this attack as an act of war. It is almost impossible to speak of a cyberwar in such a covert domain since wars are traditionally only fought between nations.

But let’s assume for the sake of the argument the FBI is right and North-Korea was behind the hacks.

When treating the term ‘war’ literally, we have to look at whether this was a use of force, as described in the United Nations Charter. It’s forbidden to use force, unless when used in self-defense, or when permitted through a UN Security Council resolution. If you don’t have that justification, you might have started a war.

Based on a lot of discussions and precedents, it has sort or less been agreed what such a forbidden use of force can be; inflicting harm with such a scope, duration and intensity that it threatens the territorial integrity or political independence of a state.
So when a lot of people die, and the national security is threatened, it’s a use of force. Makes you think twice about the impact of crippling a company that, according to Dr. Evil in Saturday Night Live ‘hasn’t been relevant since the Walkman’.

But even here, when it comes to war, the cyber domain is a grey zone. A difficult domain where no clear lines can be drawn about what is enough ‘damage’ to regard something an act of war. There’s no international legislation, there are no precedents and thus there are no norms telling us when we feel enough damage is done for something to be classified a use of force.
Something Pentagon Press Secretary Rear Adm. John Kirby also repeated, with the plea to urgently set up international rules.

A lack of such international legislation and precedents also means a country can attack another, and a country like the US can reply at will. Its permissibility depends on whether the international community condemns such actions or not, shaping the norms as a consequence.

But it would also mean this would be where the line is drawn for future reference. The US knows better not to turn these hacks into the great ‘cyber Pearl Harbour’. As cyberwar expert Peter Singer said on the Motherboard, ‘we’re not going to war with North-Korea because Angelina Jolie is angry at some Sony Executive’.

At the same time the US is taking the matter very seriously, treating the hack on American soil as a matter of national interest.

Especially after threats were also made.

Cyberterrorisme?

“The World will be full of fear. Remember the 11^th of September 2001. We recommend you to keep yourself distant from the places [where the movie is shown] at that time.”

The threats made by the hackerscollective responsible for the Sony Hacks apparently left a great impression that made many speak of ‘Cyberterrorism’.

The term terrorism is used frequent to describe any threat without a clear state actor, solving the attribution conundrum. The concept of the ‘war on terror’ is still a controversial way to circumvent the traditional paradigm of “wars are only fought between nations”. The reminder of the US’ collective trauma made the nation immediately up in arms.

Sony added fuel to the fire by caving, and allowing the film to be withdrawn from 180.000 theatres. Allowing fear to rule and complying with threats is how to ‘let the terrorists win’. As Peter Singer also said, the way Sony handled the entire ordeal has turned into a case study on how NOT to respond to terrorist threats. Especially when these hackers have not shown any capability to carry out anything remotely physically damaging.

Such scaremongering comes with ignorance on what damage cyber attacks can actually cause.

Did Sony have the right to panic?

Coming back to the use of force, there has thus far not been an overt cyber attack that could be classified as an act of war, even though the possibility exists. With the Aurora Project the US even proved how much physical damage a cyber attack can cause.

The damage done to Sony was nowhere near comparable to such physical damage.

100 Terabyte worth of data was stolen, as well as ‘wiper malware’ was used. This type of malware destroyed Sony’s internal systems (from production planning to human resources). This meant the company has to replace all their systems, paralyzing it for a while.

But this type of malware was also used in the South-Korean DarkSeoul case attacking banks, and the Saoudi Aramco case attacking the oil company. Lack of international regulations made these cases also hard to classify and respond to. But while they also caused a lot of commotion, they were not considered an act of war or terrorism, nor did it result in a witch hunt.

Important to remember is Sony also has a history of leaks and security breaches. The Playstation hack of 2011 is still fresh, where 2,2 million credit card details were stolen through the Playstation network.
Yet Sony hit the panic button this time, when critical company details were compromised. The perceived gravitas was beneficial for Sony, where the attack seemed so sophisticated they would not have been able to prevent it. The idea of being ‘hacked by a dictator’ added to their benefit, where they could claim ‘circumstances beyond their control’ when they would be put on trial.

It is no secret though that Sony’s security prescriptions were flawed, with the leaks even showing one of the CEO’s having an embarrassingly simple password. The panic ruled in their favour.
Bruce Schneier concludes that Sony wasn’t afraid of the damage the hackers would do in a terrorist attack, but feared for the commercial damage to the company.

The leaked information is probably being sold to the highest bidder by now.

Such a perspective makes one think about the role North-Korea played in all of this. Did they really cripple a multibillion dollar company as a sadistic move because their Supreme Leader was insulted by a movie?

It is scary not to be able to tell whether an attack came from a small group of criminals playing a mean prank by releasing a threat, or an entire country. It’s causing big countries like the US to lose their cool.

Not only was the damage not that significant, was the target no matter of national security, 
but harsh accusations were made and sanctions were lifted against a country based on very flimsy evidence.

A long term vision is necessary to protect against cyber attacks towards the future. Especially now that the Aurora target list of American critical infrastructure was leaked.

It is highly doubtful though whether flexing some muscles and scaremongering will help to win a ‘war’ against anonymous hackers.

Biggest digital release ever

The conspiracy theorist would expose this entire debacle as an amazing marketing campaign for a movie.

Sow fear, boost patriotism, create a Barbara Streisand effect where people want to see this hyped movie. Release the movie and have everyone watch it as their personal act of rebellion. ‘That’s my kind of war on terror’ was tweeted by those proudly watching the movie.

Causing a diplomatic riot to promote a film, nothing is surprising anymore in this day and age. And whether it was deliberate or not, the film can also claim the record of the biggest digital release ever. With 15 million dollars income in the first 4 days, the movie finally catapulted the movie industry in the digital age.

The transition from 2014 to 2015 was one of many interesting phenomena. The biggest hack on American soil, fear of cyberwar and cyberterrorism, a diplomatic riot between two nuclear countries, the biggest online movie release,… All centred around one movie: The Interview. The film is definitely one for the history books, although probably not for its content.

Moord en brand werd er de voorbije weken wereldwijd geschreeuwd over onze privacy. De recentste onthullingen van het Cyber Command van de VS, onder leiding van de National Security Agency (NSA), laten dan ook een wrange smaak na over wat er allemaal te grijpen valt online.

Dit waren zaken die we al in 2001 na 9/11 te weten waren gekomen, maar waar de wereld geen graten in zag door de verblindende horror van 9/11. In 2006 kwam het nogmaals bovendrijven dat de NSA ieders telefoon aan het afluisteren was en kopieën van andere communicatievormen bezat.

Maar ondanks een kleine oproer bleef men KGB en Stasi-gewijs gewoon voortluisteren. Ergens is de huidige verontwaardiging verrassender dan het feit dat de NSA toegang heeft tot AL onze communicatie. De rechten van alle wereldburgers zijn immers ondertussen al meermaals geschonden in de naam van veiligheid. Maar goed, beter laat dan nooit zeker?

Een iets frappanter gegeven dat veel minder aandacht kreeg sinds Edward Snowden naar buiten kwam met zijn vertrouwelijke informatie, waren de hoogst confidentiële paragrafen over de VS’s OCEO, Offensive Cyber Effect Operations. De naam zegt het zelf; een departement waar men cyberoffensieven uitvoert of is aan het voorbereiden. (gelekte beleidslijn te vinden op https://epic.org/privacy/cybersecurity/presidential-directives/presidential-policy-directive-20.pdf )

De OCEO heeft een target list van infrastructuur die essentieel is voor bepaalde staten. De taak van deze afdeling is om de zwaktes van deze infrastructuur te ontdekken en deze allemaal binnen te dringen en al te infecteren, zodat men koude-oorlog gewijs slechts op 1 knopje moet drukken om de cyberaanval te lanceren.

Dit soort penetraties kan toch niet legaal zijn?

Alweer duikt de VS in het grijze gebied waar de wet ambigue is over wat mag en niet mag. En dat komt hen maar al te best uit, want waar er geen wet is, kan de VS de bestaande wetgeving op maat laten aanpassen naar hun noden en wensen, en er een wettelijke logica aan verbinden. Want ook al zijn er geen interstatelijke verdragen over wat wel en niet mag in cyberspace als het op aanvallen aankomt, de logica van conventionele oorlogen wordt hiervoor gebruikt. Alleen zit men met enkele lacunes waar de conventionele wetgeving geen antwoord op heeft. Een cyberaanval die economische schade aanricht, mag je daar defensief op reageren? En mag je zodanig preventief handelen uit zelfverdediging dat je de vijand’s infrastructuur al besmet en binnendringt, maar er niets mee doet tenzij er een dreiging komt?

De schade die zulke cyber aanvallen kunnen aanrichten valt trouwens niet te onderschatten. Aangezien we tegenwoordig in wat in het jargon the internet of things leven, waarbij alles verbonden is aan een bepaald netwerk, is alles ook ontzettend fragiel en penetreerbaar. Zo’n cyberaanval gaat dus niet om het platleggen van enkele websites en servers, maar effectief beschadigen van materiaal. Doordat bijna alles tegenwoordig aangesloten is op IDS’en (Industrial Control Systems)  kunnen die systemen gehackt en overgenomen worden.

IDS’en (ook gekend als SCADA-systemen) zijn netwerken van infrastructuur die het gemakkelijker en overzichtelijker maken om een systeem van op afstand te besturen. Dit kan gaan van de straat- en verkeerslichten, tot de controle over een hele dam en het besturen van geplaatste pacemakers bij patiënten. Het lijken sci-fi doemscenario’s maar niets is minder waar. In 2010 kwam bovendrijven dat een reactor in het Iraanse nucleaire kernprogramma zwaar beschadigd was door een cyberaanval. De cyberworm Stuxnet was al maanden geleden het systeem binnengedrongen en zat daar te wachten tot de beslissing genomen werd actie te ondernemen. Nadat Iran de VN-resoluties negeerde om zijn kernprogramma stop te zetten, nam men dankzij het geïnfecteerde systeem de controle over de SCADA-systemen over die de centrifuges bedienen. Men bestuurde ze zodanig dat ze zichzelf oververhitten en uiteindelijk kapot draaiden. Het bewijs van een cyberaanval met levensechte schade.

Al was het lange tijd slechts een vermoeden dat de VS en Israel achter de aanval zaten, werd het bevestigd door de recente lekken dat de VS achter de aanval zat. Een onheilspellende voorbode van wat de rest van de wereld wacht die niet wil luisteren naar Uncle Sam.

de Offensive Cyber Effects Operations kunnen gezien worden als een voorbereiding om snel te reageren wanneer ze in een conflict terecht komen, en mogelijk een de-escalatie voorkomen door de digitale systemen plat te leggen.

Wie in een glazen huis woont, gooit beter geen stenen.

De VS gelooft dat het handelt met de juiste intenties, maar zulke invasie van netwerken kan evengoed gezien worden als een dreiging van de VS uit, die het slagveld gereed maakt om ten oorlog te kunnen trekken. In die hoedanigheid kunnen de eigenaars van de geïnfecteerde netwerken net zo goed hun eigen recht uitvoeren en hetzelfde doen uit zelfverdediging. Deze acties werken alleen maar escalatie in de hand. In plaats van de andere staten op te roepen tot kalmte en reguleren, legitimiseren ze het zulke acties door er zelf aan mee te doen.

Bij gebrek aan internationale verdragen, of een gewoonterecht dat dit soort bewegingen controleert, verkent de VS de grenzen van wat acceptabel lijkt, en heeft al nieuwe rechtvaardigingen in de maak waarom zij het recht hebben zodanig preventieve maatregelen te kunnen nemen.

Er wordt wel eens langs de neus weg gezegd dat het niet erg zou zijn als er een cyber Pearl Harbour zou gebeuren, of een cyber 9/11, gewoon maar om de regels te kunnen vastleggen omdat het dan duidelijk zou zijn dat er een echte dreiging is die tegengehouden moet worden. Maar zolang die er niet komt blijft het bij verkennen en op gereed staan.

De militarisering van cyberspace is geen al te best vooruitzicht, en men kan zich afvragen of we echt nog een koude oorlog nodig hebben, maar dan in cyber space.