World Wide War: On the implications of cyber peace

Mark Zuckerberg wasn’t the first to cover his laptop’s webcam with a piece of tape. However, when a photo of the co-founder and CEO of Facebook with tape over his laptop camera and microphone surfaced in 2016, it went viral and convinced many people to follow this practice. Today, many café and library visitors working on their computers can be seen covering the lens of the camera that is usually integrated into the laptop frame. Video meetings, not least accelerated by the COVID-19 pandemic, have become a common element of collaboration in many organizations globally. To participate, a camera is required. While stationary computers connected to a USB webcam offer an easier way to prevent unauthorized access to the camera, almost every laptop includes an integrated webcam that cannot be unplugged. If the CEO of one of the most significant big-data tech companies fears being observed despite thorough organizational security measures, why should the ordinary citizen feel safe?

Better safe than sorry

In 2016, The Guardian published an article analyzing Zuckerberg’s decision to limit the functionality of his computer’s camera to occasions in which he explicitly wants to use it. The Guardian’s report states that the risk of unauthorized access to one’s webcam should be taken seriously; however, it depends on the user’s device. Mac computers, for example, have a warning light next to the webcam, which is integrated into the hardware and therefore extremely hard to bypass when accessing the camera remotely. However, as long as there is some risk of unauthorized remote access to your webcam, does it hurt to put a piece of paper over it?


The everyday visible example of the covered webcam is an appropriate indicator of the public’s awareness of cyber risks. With many households possessing at least one laptop, there are almost no more inaccessible dark corners – even in their own apartment. What once had to be secretly installed by secret service agencies is now more or less voluntarily provided by the users themselves when they place a laptop with a camera inside the apartment – at least theoretically.

Not only our problem

Yes, there are arguably worse cyber risks than having strangers spy on you looking stressed while you are trying to reach a project deadline. Identity theft and credit card theft belong to the more severe matters of cybersecurity. However, these cyberattacks targeting single ordinary citizens on the individual level are usually carried out by smaller criminal gangs seeking to profit financially. On the organizational level, companies are typically targeted because of financial motives. These attacks usually try to gain access to company networks and encrypt crucial files or systems. The hackers then blackmail the company and ask for ransom money to decrypt the files.

These attacks must be differentiated from systemic attacks whose motives are not financial. In recent years, newspapers have often published reports containing terms such as “hybrid warfare” or “cyberwar.” Cyberwar can be understood as an element of so-called hybrid warfare. The definition of the term hybrid warfare is contested and disputed by different scholars. However, broadly speaking, it combines aspects of conventional and unconventional instruments of war. Often, the term refers to hostile actions that are “below the threshold of war or direct overt violence.” The aggressors consider acts of hybrid warfare less risky as they do not require physical invasions or breaches of the national territory in the narrow sense. Thus, it is also harder to detect whether and when acts of war are carried out and, secondly, who is behind them. With unconventional acts of war, such as those in cyberspace, the attack’s origins are more challenging to identify. The rise of hybrid warfare tactics, especially in cyberspace, has increased international awareness of these threats. International organizations such as the United Nations and the military alliance NATO have recognized, addressed, and reacted to this issue with declarations and the establishment of cyber defense units.

Virtual battle

Cyberwar refers to a combination of digital war tactics that are not as easily visible as actual armed fights on a battlefield. Generally, one decisive element of war is trying to cripple and paralyze the opponent. Through thorough digitization measures, many state services and infrastructure today rely on the internet – or are at least connected to it. Targeted attacks against this infrastructure can cause significant disruptions to daily life. For example, an externally caused disruption of energy supply, hospitals, or traffic control infrastructure can pose severe threats to a country.

Adding to that, many states have started to offer their government services online. Estonia is one shining example of E-Government services. E-Government services refer to delivering government services online through information and communications technology. These services arguably make the citizens’ lives easier by saving time and reducing bureaucracy on the side of the state. However, when relying on vast digitized state services, the apparent downside is a higher risk of paralysis if the infrastructure is breached. A shutdown is not the only threat. The leakage of sensitive private financial or medical information, as well as of sensitive, confidential, or classified state information regarding the military or secret services that is stored within these databases, could have severe consequences.


Estonia has already experienced a significant cyberattack on its technological infrastructure. The attack crippled the Estonian infrastructure momentarily. In 2007, the Estonian government decided to move a Soviet statue from the city center of Tallinn to the Military Cemetery, which was perceived as an insult by ethnic Russians living in Estonia. The decision to move the statue was answered with riots and so-called distributed denial-of-service (DDoS) attacks. DDoS attacks refer to a method of sending many requests in a brief time period to specific servers. These servers are overloaded with requests, which causes them to freeze. These DDoS attacks were directed at the whole landscape of the Estonian technological infrastructure, including government agencies, political parties, and banks. The services could not be accessed temporarily. While Estonian officials accused Russian hacker groups of carrying out the attacks, an official investigation could not find any proof of these allegations, as noted by Stephen Herzog in the Journal of Strategic Security.

As a consequence of the attacks, Estonia has opened a “data embassy” in Luxembourg. Vivienne Walt dedicated an article in Fortune magazine to the digitized Estonian state, which she referred to as “Tomorrowland”. While it is not an embassy in the narrow sense of international law, the choice of the term is smart. It conveys a sense of security and territorial sovereignty over sensitive data. The servers store an entire backup of the Estonian technological infrastructure. In the case of frozen main servers caused by DDoS attacks, the infrastructure could also run on the backup servers located in Luxembourg, ensuring continuous service availability.

In pursuit of peace

Cyber peace, literally speaking, is the opposite of the state of cyberwar. Moving towards a universally accepted definition of this relatively new concept has been challenging. However, more and more resources and even institutions and think tanks are being dedicated to the field of cyber peace. The International Telecommunication Union (ITU), a specialized agency of the United Nations, has defined cyber peace as “a universal order of cyberspace” that is built on “a wholesome state of tranquility, the absence of disorder or disturbance and violence.” Considering that the current geopolitical situation is rather tense, nearing a state of cyber peace according to the definition provided by the ITU seems hardly imaginable in the near future. The cybersecurity scholar Scott Shackelford suggests a more realistic and pragmatic approach to understanding cyber peace. According to Shackelford, cyber peace should not refer to the complete absence of attacks but rather to a “network of multilevel regimes working together to promote global, just, and sustainable cybersecurity.” He suggests understanding the clarification of internationally recognized norms for companies and countries as an essential element to reduce the earlier introduced risks of cyber-conflict, cyber-crime, and cyber-espionage to “levels comparable to other business and national security risks.” However, the world’s countries do not agree on how to get there. The suggested approaches could be summarized by the conflict between implementing stronger unified cyber regulations vs. keeping the internet a free and somewhat unregulated space.

The first step towards cyber peace is cyber defense. Acknowledging cyber attacks nationally and internationally as a security threat and thus prioritizing cyber defense as a crucial part of the defense strategy is the prerequisite for further developments.

James Lewis, a former US diplomat and current senior vice president and director of the think tank CSIS, was once quoted as follows: “We have a faith-based approach to cybersecurity; we pray every night that nothing bad will happen.”

Managing cyberspace is not an easy task. National initiatives might not be sufficient to tackle the war on the worldwide web. While every contribution can help increase awareness of the issue, be it a prayer or some good thoughts, the global community has to come together and take on the challenge of achieving cyber peace.

Laurin Zils
Editor-in-Chief