GJIA - Cyber Issue II


Georgetown Journal of International Affairs

International Engagement on Cyber 2012

Establishing Norms and Improving Security

Georgetown University Institute for Law, Science, and Global Security


Edmund A. Walsh School of Foreign Service

$10.00

usa


Introduction CATHERINE LOTRIONTE AND TIM MAURER

In a diverse cyberspace, building and maintaining trust amongst the public and private entities that operate within the domain becomes increasingly necessary. Without proper institutions to safeguard this understanding, a myriad of moving pieces will render the system increasingly volatile.


Multilateral Approaches for Improving Global Security in Cyberspace ROBERT J. BUTLER & IRVING LACHOW

Nation-states must take the lead in promoting greater cyber security by being appropriately organized, employing best technical capabilities, and partnering with the private sector.


Cyber Operations Conflict Under International Law CATHERINE LOTRIONTE

The post-Charter digital era presents complex and unique challenges to the manner in which the traditional protocol of warfare interacts with international legal norms. The rubric of inter-state cyber policy needs to be augmented in order to account for hostile engagement in this new domain.

Confidence Building Measures: The Future of Global Information Infrastructure ANATOLY STRELTSOV

Confidence-building measures can serve as international rules of law governing state actors’ use of “information weapons” and thereby produce the mutual understanding needed for a peaceful information domain.


China’s Perceptions of Cybersecurity WANG PEIRAN

Despite taking the threat of cyber warfare seriously, the Chinese government has actually struggled to create a bureaucratic mechanism to handle emergencies. China’s reluctance to engage in international cyber security cooperation stems more from its diplomatic discourse and national interests than from any desire to engage in cyber warfare.


The Implications of Mandates in International Cyber Affairs ENEKEN TIKK-RINGAS

Hazy notions of cyber security and the inconsistency of mandates of international organizations result in oftentimes trivial and non-actionable output from these organizations’ discussions of strategic cyber issues. Venue-shopping for friendly entities by nations compounds the problem of ineffective international cyber-security governance. Better defining the issues and expected remedies as well as a reasonable choice of venue would add consistency and credibility to international cyber deliberations.

A Balkanized Internet? The Uncertain Future of Global Internet Standards JONAH FORCE HILL

The Internet as it exists today faces the threat of the potential collapse of the Internet standards-development process, as many nations feel the current process unfairly benefits Western and developed countries. Were the Internet standards development process to collapse, the Internet would likely “balkanize” with individual nations or groups of nations using different underlying technologies for the Internet.


Cyber Conflict and the War Powers Resolution JASON HEALEY AND A.J. WILSON

The War Powers Resolution should apply to cyber operations in the same way that it applies to physical conflicts because the waging of cyber warfare should not be left to the Executive alone. This article analyzes the critical provisions of the WPR, discusses its narrow interpretation by the current administration, and introduces the concept of ‘logical presence.’

Leadership and Responsibility for Cybersecurity MELISSA E. HATHAWAY

Leaders in government and private industry must work proactively to study, adapt, and enact cyber security measures and integrate them into core infrastructures to meet the continuously evolving nature of cyber threats. When this fails to occur, leaders must be held accountable.

Why Cyber Security is Hard ROBERT GHANEA-HERCOCK

Cyber security remains an unresolved problem because it is a complex adaptive system that is complicated by multiple technical, policy, and social dimensions. Unfortunately, the wider cyber security community has yet to recognize the real nature of the threat and persists in utilizing rigid strategies. Ghanea-Hercock outlines a number of defenses that must be implemented to address this problem.


Perspective: Not all Vendors and Products are Created Equal JOHN N. STEWART

In an electronic world, digital security threats have myriad ways of infiltrating infrastructure systems and supply chains. Preventing this requires a renewed focus on verifiable, quantifiable trust at every step of the business process.


The Key Terrain of Cyber JOHN R. MILLS

Traditional, Clausewitzean concepts of key terrain apply to the realm of cybersecurity. This critical cyber terrain must be controlled, or at least decisively influenced, to maintain relevancy and construct the future path of cyber.



Contents

Global Fight Against Cybercrime: Undoing the Paralysis ZAHID JAMIL

The Budapest Convention on Cybercrime represents the only international instrument and the best hope for countries to establish common minimum standards of relevant offenses, prevent criminals operating from jurisdictions with lower standards, and enable speedy and twenty-four-seven international cooperation between law enforcement. However, the Convention faces determined and organized opposition from several corners, which have traditionally promoted a greater role in the regulation of the Internet for UN bodies.


Achieving International Cyber Stability FRANKLIN D. KRAMER

Stabilization of the cyber domain is key to the security interests of both the United States and the international community. Building up relevant institutions and norms to ensure a measure of order will rely upon a tri-pronged platform of resilience, cooperation, and transparency.

Introductory Remarks

Keynote Speakers: Hon. William J. Lynn III, Hon. Jane Hull Lute, Hon. Howard Schmidt

Panel 1: National Security and Diplomatic Efforts

Panel Chair: Christopher M. Painter

Panelists: Gerben Klein Baltink, Steven Schleien, Rear Admiral Samuel J. Cox, Dr. Anatoly Streltsov

Panel 2: Law Enforcement Efforts Across National Borders

Panel Chair: Shawn Henry

Panelists: Adrian Ciprian Miron, Zahid Jamil, Judge Stein Schjolberg, Noboru Nakatani

Panel 3: Commercial Perspectives on Cyber Security

Panel Chair: Eddie Schwartz

Panelists: Robert Dix, Dr. Robert Ghanea-Hercock, Rick Howard, Rear Admiral Jamie Barnett (Ret.), Scott Borg

Panel 4: International Collaborative Responses to Cyber Incidences

Panel Chair: Gen. Michael Hayden (Ret.)

Panelists: Andrea Rigoni, Dr. Gregory J. Rattray, Rt. Hon. Lord Reid of Cardowan, Peiran Wang, Gavin Reid, Jaan Priisalu


Georgetown Journal of International Affairs

EDITORS-IN-CHIEF

Nora McGann, William Handel

MANAGING EDITORS

Paul Lindemann, Medha Raj, Elizabeth Blazey, Benjamin Mishkin

ASSOCIATE EDITORS

Gideon Hanft, Michael Lopesciolo, Meredith Strike, Christian Chung, Alex Pommier, Aliza Appelbaum, Mary Grace Reich, Caroline Puckowski, Michelle Kwon, Daye Lee, Masha Goncharova, Georgia Pelletier, Gina Park, Matthew Sullivan, Lucas Chan, Benjamin Boudreaux

DESIGN MANAGER

Shannon Galvin

DESIGN ASSISTANTS

Yuli Lin, Mallika Sen

ADVISORY BOARD

David Abshire, Susan Bennett, H.R.H. Felipe de Borbón, Cara DiMassa, Robert L. Gallucci, Michael Mazarr, Jennifer Ward, Fareed Zakaria

UNIVERSITY COUNCIL

Charles Dolgas, Charles King, Mark Lagon, Eric Langenbacher, Catherine Lotrionte, John McNeil, Kathryn Olesko, George Shambaugh, Charles Weiss, Jennifer Windsor

The Georgetown Journal of International Affairs would like to thank the following sponsors

Spiros Dimolitsas
Senior Vice-President for Research & Chief Technology Officer
Georgetown University
for his support for the CyberProject and his vision for the university

Dr. Catherine Lotrionte
Director, Institute for Law, Science & Global Security
Director, Georgetown University CyberProject

Institute for Law, Science & Global Security
Georgetown University

The Atlantic Council

Jennifer Windsor
Associate Dean for Programs and Studies
School of Foreign Service, Georgetown University

To become a sponsor, contact Victoria Moroney, Director of Advancement, Edmund A. Walsh School of Foreign Service 301 ICC, Georgetown University, Washington, DC 20057 Email: vrm24@georgetown.edu; gjia@georgetown.edu



Notice to Contributors

Articles submitted to the Georgetown Journal of International Affairs must be original, must not draw substantially from articles previously published by the author, and must not be simultaneously submitted to any other publication. Articles should be around 3,000 words in length. Manuscripts must be typewritten and double-spaced in Microsoft™ Word® format, with margins of at least one inch. Authors should follow the Chicago Manual of Style, 15th ed. Articles may be submitted by e-mail (gjia@georgetown.edu) or by U.S. mail; those sent by U.S. mail must include both a soft copy on a compact disc and a hard copy. Full names of authors, a two-sentence biography, and contact information including addresses with zip codes, telephone numbers, facsimile numbers, and e-mail addresses must accompany each submission. The Georgetown Journal of International Affairs will consider all manuscripts submitted, but assumes no obligation regarding publication. All material submitted is returnable at the discretion of the Georgetown Journal of International Affairs.

The Georgetown Journal of International Affairs (ISSN 1526-0054; ISBN 0-9824354-2-8) is published two times a year by the Edmund A. Walsh School of Foreign Service, Georgetown University, 301 Intercultural Center, Washington, DC 20057. Periodicals postage paid at Washington, DC. Annual subscriptions are payable by check or money order. Domestic: $16.00; foreign: $24.00; Canada: $18.00; institutions: $40.00.

Georgetown Journal of International Affairs, Subscriptions
Edmund A. Walsh School of Foreign Service
301 Intercultural Center
Washington, DC 20057
Phone (202) 687-1661
Facsimile (202) 687-1431
e-mail: gjia@georgetown.edu
http://journal.georgetown.edu

All articles copyright © 2012 by Edmund A. Walsh School of Foreign Service of Georgetown University except when otherwise expressly indicated. For all articles to which it holds copyright, Edmund A. Walsh School of Foreign Service permits copies to be made for classroom use, provided the following: (1) the user notifies the Georgetown Journal of International Affairs of the number and purpose of the copies, (2) the author and the Georgetown Journal of International Affairs are identified, (3) the proper notice of copyright is affixed to each copy. Except when otherwise expressly provided, the copyright holder for every article in this issue for which the Georgetown Journal of International Affairs does not hold copyright grants permission for copies of that article for classroom use, provided that the user notifies the author and the Georgetown Journal of International Affairs, the author and the Georgetown Journal of International Affairs are identified in the article, and that proper notice of copyright is affixed to each copy. For reprinting permission for purposes other than classroom use, please contact Georgetown Journal of International Affairs, Permissions, Edmund A. Walsh School of Foreign Service, 301 Intercultural Center, Washington, DC 20057. Email: gjia@georgetown.edu

The views expressed in the articles in the Georgetown Journal of International Affairs do not necessarily represent those of the Georgetown Journal of International Affairs, the editors and staff of the Georgetown Journal of International Affairs, the Edmund A. Walsh School of Foreign Service, or Georgetown University. The Georgetown Journal of International Affairs, editors and staff of the Georgetown Journal of International Affairs, the Edmund A. Walsh School of Foreign Service, and Georgetown University bear no responsibility for the views expressed in the following pages. These articles were not subject to peer review.



Introduction: Building Trust in Cyberspace

Catherine Lotrionte and Tim Maurer

In a diverse cyberspace, building and maintaining trust amongst the public and private entities that operate within the domain becomes increasingly necessary. Without proper institutions to safeguard this understanding, a myriad of moving pieces will render the system increasingly volatile.

In 2007 Georgetown University established the CyberProject under the auspices of the Institute for Law, Science & Global Security. The CyberProject seeks to hone the Institute’s resources to help policymakers develop a greater understanding of current international cybersecurity issues. On 10 April 2012, the Institute held its second annual international cyber conference entitled, “International Engagement on Cyber: Establishing International Norms & Improved Cyber Security.” Under the direction of the CyberProject and the Institute, we have devoted this second annual special issue of the Georgetown Journal of International Affairs to cyber exclusively, and the challenges that societies face as they seek to establish norms of behavior so all may coexist peacefully in this domain. In the pages that follow, participants from the Institute’s second international cyber conference and other leaders, domestic and foreign, lay out their visions for protecting cyberspace and maintaining its stability.

Catherine Lotrionte is the Director of the Institute for Law, Science, & Global Security and the CyberProject. She is also an Assistant Visiting Professor of Government at Georgetown University. Tim Maurer is a research associate in the Technology and Public Policy Program at the Center for Strategic and International Studies and a nonresident fellow at the Global Public Policy Institute in Berlin.

The Internet is a complex, interactive system built on trust.1 It starts with users’ expectations that data split into packets will arrive at the destination pieced back together fully. On its way, Tier 1 Internet Service Providers count on their competitors to honor the peering agreement, transporting the packets across the network settlement-free. In between, companies rely on security certificates to authenticate each other. Countries on the other hand will trust the infrastructure only as long as those governing it will not use it against them.

Internationally, trust between nations is the guardian of peace. After World War II, states became the dominant feature of the international order when the Westphalian notion of sovereignty was enshrined in the Charter of the United Nations. The maintenance of international peace and security has since been based on the expectation that states will adhere to existing international rules and that those who do not will be punished. Robert J. Butler and Irving Lachow offer a framework for action to develop norms and principles to establish a collective security system extending this expectation into cyberspace. These will include existing norms such as those codified in international law. Catherine Lotrionte examines how the specific international rules related to the use of force can be applied to cyber operations. She offers a definition of cyberwar and devotes particular attention to jus ad bellum, examining under what circumstances a cyber operation would constitute a “use of force” or an “armed attack” under international law.

Trust among states can be disrupted. In cyber, more so than in other contexts, it seems likely that maintaining trust without a consensus among states about what constitutes acceptable behavior may prove extraordinarily difficult. Stuxnet has been the most prominent recent example illustrating not only the capabilities of cyber tools, but also the willingness of states to use them against other states’ critical infrastructure. Cyber-espionage, as espionage conducted for centuries, constitutes a new face to an old profession that has been undermining trust not only in cyberspace, but also in international relations generally. Certainly, today, governments cannot afford to ignore the Internet. It is no longer considered simply a tool for academic research or to build a new economy. Internet policy has risen from low to the high politics of national and international security. Against this background, Anatoly Streltsov offers a Russian view on how confidence building could help manage cybersecurity internationally and restore trust. He points out that the future of information infrastructure depends on states’ confidence that their


infrastructure will not be exploited by foreign states. Peiran Wang outlines China’s approach to cyber security and identifies China’s traditional foreign policy principle of non-interference, the mutual distrust between China and the West, as well as the threat to the social order by freedom of speech as hurdles to international cooperation. Eneken Tikk-Ringas proposes that more precise definitions of ‘cyber’ and a more consistent approach to engaging international organizations could help reduce such mistrust.

Security threats have not been the only source of states’ increasing mistrust. How cyberspace is governed has also been an area of contestation. The United States created and therefore historically dominated Internet governance. The perception of continued U.S. dominance has been the reason why other countries have been pushing to change the way the Internet is governed. Jonah Force Hill sheds light on this debate arguing that the domain is at a crossroads, exploring the potential “balkanization” of the Internet as mistrust leads states to depart from the existing universal and interoperable system.

Domestically, governments have also been struggling to find the right balance. The crosscutting characteristics of cyberspace pose organizational challenges for public administration, and have been blurring the lines between the civilian and military spheres as well as the domestic and foreign space. In the United States, the idea of cyber warfare has created new opportunities and challenges for war fighters and those politically accountable for such operations. Jason Healey and A.J. Wilson focus on the latter, arguing that the War Powers Resolution, enacted into U.S. law in 1973, should also apply to cyber operations. They outline that the United States needs the capacity to carry out offensive operations in cyberspace, but that such operations should be subjected to the same checks and balances under U.S. domestic law that apply to traditional U.S. military operations involving physical violence. Maintaining trust is not only crucial between states but also within the state itself. Maintaining legitimacy internationally can be impacted by a state’s ability to maintain legitimacy domestically.

These political and policy questions relating to trust in cyberspace are intertwined with technology. The private sector owns and operates most of the technical infrastructure. Butler and Lachow also highlight in their piece the importance of the public-private partnership and trust between the two sectors. Melissa Hathaway takes this further, identifying a lack of attention among leaders in the public and private sector. She describes several case studies


showcasing the crucial role of certificate authorities and the effect of cloud-based architecture. Robert Ghanea-Hercock explains why maintaining trust is so difficult in a co-evolving, complex, adaptive system with technical, political, and social implications. He concludes that as a result of the limited governmental control over the private sector and users, the system’s problems cannot be solved, but merely shaped and influenced, by the government. John Stewart, whose piece ultimately inspired the theme of this introduction, makes the important point that not all vendors and their products are created equal in their ability to develop a “trustworthy system,” a more advanced network security infrastructure. And John Mills reminds us that cyberspace is a hybrid of the physical and virtual world, and that in our endeavor to understand cyber it is important to scrutinize even established beliefs. Two articles taking technical approaches to problem solving in this new domain conclude the issue. Zahid Jamil advocates for further efforts in reducing cybercrime through the framework of the Budapest Convention, while Franklin Kramer argues that cyber stability must first be attained before focus can be diverted to other ends. Kramer calls for an international platform of resilience, buttressed by cooperation and transparency, to usher the global system into this realm of order.

There are many reasons that lead to a loss of trust in cyberspace. Originally, those individuals who created the Internet, as well as those who became the original users of it, constituted a small community of academics and computer scientists. This community was small enough for everyone to know each other. Today, the Internet counts over two billion users with thousands gaining access every day. Most of them live in rich Western countries. The next billion people accessing the Internet, however, will come from developing countries. As the number of Internet users rapidly increases, bringing together diverse cultures and value systems, so too will the challenges to building trust in cyberspace. That is why this edition is an important contribution to the necessary debate on how trust in cyberspace can be maintained – today and in the future.

NOTES

1 For a very interesting analysis of trust as a depletable common resource in cyberspace applying Nobel Prize winner Elinor Ostrom’s theory, see Roger Hurwitz’s recent article, “Depleted Trust in the Cyber Commons,” Strategic Studies Quarterly, Fall 2012, Internet, http://www.au.af.mil/au/ssq/2012/fall/fall12.pdf (date accessed: 5 October 2012).


Multilateral Approaches for Improving Global Security in Cyberspace

Bob Butler and Irving Lachow

Effective cyber security requires that national governments, private companies, and non-governmental organizations work together to understand threats in cyberspace and to share information and capabilities for mitigating those threats. This is necessary because cyberspace is an interconnected environment that provides tremendous benefits to nations, organizations and individuals. Unfortunately, this environment is also a haven for criminals, terrorists, and other actors whose intentions could undermine the value of the cyberspace commons for the majority of its users. If like-minded actors fail to understand and mitigate these risks, they are placing national and economic security in jeopardy. Global security in cyberspace is predicated on nations coming together with like-minded will, intent, and capabilities to defend against common threats.

This article will explore how multilateral approaches can be applied to the cyber security challenge.1 It begins by describing the importance of principles and norms for building a common understanding of goals, terms and concepts. The article then identifies the key players that must participate in a multilateral framework. Although nation states are the principal actors in our proposed approach, businesses, political and

Bob Butler is the Vice President of Government Strategies for IO. Prior to assuming his current role he served as the first Deputy Assistant Secretary of Defense for Cyber Policy. Irving Lachow is a Principal Cyber Security Engineer with the MITRE Corporation.

military alliances, and international organizations must all play a role in securing the international cyber ecosystem. Our paper addresses the strengths and challenges that each player brings to the table, and ends with a summary of our findings.

Principles and Norms. Governments, businesses, and individuals all derive enormous benefits from cyberspace. While cyberspace is generally a safe “commons,” it does contain a number of actors who pose a threat to the well-being of others. Such threat actors include, but are not limited to, nation-state intelligence services, militaries of potentially hostile countries, criminals, terrorists, and “hacktivists” (e.g. Anonymous). The United States has recognized these potential threats as a challenge to its national security and has publicly declared its right to defend itself in cyberspace.2 However, acting alone is not sufficient. The International Strategy for Cyberspace, released by the White House in May 2011, makes it clear that, “the world must collectively recognize the challenges posed by malevolent actors’ entry into cyberspace, and update and strengthen our national and international policies accordingly.”3 Other nations have expressed similar views. For example, British Foreign Minister William Hague recently stated that the constant evolution of cyberspace is introducing additional complexity to foreign affairs. The same digital means that are bringing hope and opportunity to millions around the world and fueling change in the Middle East also empower terrorists, criminals, and some states with new means of attack and organization…In this period of uncertainty and turbulence it is important that our foreign policy ranges further afield to look for new partners and to tackle global challenges.”4

Multilateral actions require a common understanding of terms, goals, responsibilities, and acceptable behaviors. At the state level, principles for behavior in cyberspace are defined both by traditional statecraft and by emerging cyber-specific guidelines. For example, the United States’ International Strategy for Cyberspace describes several traditional principles of interstate conduct that lay the foundation for behaviors in the cyber realm:

• Upholding fundamental freedoms;
• Respect for property;
• Valuing privacy;
• Protection from crime;
• Right of self-defense.5

The adoption of these principles provides a foundation for common understanding and the potential for multilateral security in cyberspace. It also lays the building blocks for the development of effective public-private coalitions whose actions can improve the security and health of cyberspace. Principles and norms set the stage for nations to establish declaratory policies on what is acceptable and not acceptable in the global commons that is cyberspace. Although many nations agree on several basic principles of cyberspace, such as those found in the European Convention on Cybercrime, there is also some disagreement about basic tenets underlying behaviors in cyberspace. For example, “governments in


Russia and China see internal dissent and anti-government writings disseminated on the Internet as a threat. Both have curtailed free speech and access to the Internet as part of their vision of ‘cyber security.’”6 Like-minded nations need to encourage other countries to adopt widely accepted principles that support fundamental freedoms and condone criminal actions while being prepared to counter demurring nations if encouragement fails.

While cyber principles and norms provide a good starting place for behavior at the nation-state level, they are not explicitly designed to address the actions of corporations and other private sector actors. However, businesses are frequent targets of both cybercrime and cyber espionage and some of them are growing increasingly capable of responding to such threats either directly or indirectly. For example, Microsoft has demonstrated both the means and the will to take down botnets associated with popular malware such as Zeus and SpyEye.7 New companies are being created for the explicit purpose of taking active steps to defend organizations from cyber threats.8 In this context, it is important to consider the development of norms for businesses.9 For example, General Michael Hayden, former Director of the CIA and NSA, has stated that “we may come to a point where defense is more actively and aggressively defined even for the private sector and what is permitted there is something that we would never let the private sector do in physical space.”10

Further, there is the issue of coordination between private and public sector actors. While businesses have the right to defend themselves, private sector actions should not encroach on the legitimate powers and roles of governments without both a clear mandate and legal guidelines that delineate acceptable behavior.11 Government actions, however, have the potential to undermine the functioning of the cyber security marketplace, and could possibly even decrease the ability of private sector organizations to defend themselves. For example, assume that a large and sophisticated corporation has developed outstanding intelligence on the behaviors of certain malicious actors. If the government were to deploy a capability that blocked malware emanating from those actors but did so without informing the company in question, the company might detect a change in the actors’ behaviors but would not understand why the change had occurred. The corporation in question might take actions assuming that the malicious actors’ techniques had changed because they did not know that the government had blocked the malware.12 This could end up reducing the security posture of the corporation, increasing its costs, or both. In sum, there is a need to begin

[7]


MULTILATERAL APPROACHES FOR IMPROVING GLOBAL SECURITY IN CYBERSPACE

developing principles and norms that can create a framework for coordinated multilateral action between states and across public and private sectors. This framework will need to define the proper roles of both public and private sector actors within and across national borders. In the following sections, we examine who these actors are and what short-term actions they can take to foster greater coordinated cyber security actions.

Key Actors. Nation states both alone and through public-private partnerships (PPPs), political and security alliances, and international bodies all play a critical role in global cyber security. This section will explore the specific roles that each of these organizations can and should play on the global stage.

Nation-states. Nation-states must take the lead in promoting greater security in cyberspace because they are the main actors for motivating, if not mandating, coordinated security actions. National champions on the international stage are needed to drive agendas, set examples, and educate others with less experience. In order for multilateral cyber security to work, each participating state needs to start by developing and exercising its own unifying national framework for cyber defense. These frameworks must ensure continuity of operations across military, civilian, and commercial networks that are critical to national well-being. Without such a framework, a given nation will find it difficult to coordinate with other actors in the international cyber ecosystem.

In addition to developing a unifying framework, each nation must identify a government organization that is responsible for coordinating its national cyber defenses. This lead organization must be able to coordinate actions both across government entities and between the government and private sector. In addition, the organization must be empowered to quickly coordinate response actions and develop mitigation strategies for parties that are facing concerted cyber attacks. Finally, each nation should provide its lead cyber organization with the necessary legal authorities it needs to conduct its mission.

With authorities in place, national cyber leads need to efficiently and effectively build cyber defense coordinating and synchronization activities around the best technical capacities of the country. National cyber leads must maintain an inventory of national cyber defense capabilities and determine the best way to align and leverage these capabilities for the betterment of the nation. Further, each country’s cyber strategy should be developed with the understanding that nation states, corporations, and international organizations all play a critical role in collective cyber security for the globe. An example of this approach is found in the Dutch Cyber Strategy, which lays out a well-constructed plan for using both public and private sector assets to tackle the cyber security challenge.13 The Dutch Strategy begins by describing a series of basic principles:
• Linking and reinforcing initiatives;
• Public-Private partnership;
• Individual responsibility;
• Division of responsibility between departments;
• Active international cooperation;
• Proportionate measures (balancing security and fundamental rights);
• Self-regulation if possible, legislation and regulation if necessary.

To implement these principles, the Dutch government proposes the creation of a Cyber Security Board, comprised of representatives from both private and public sector stakeholders, that reports directly to the Cabinet. They also call for the creation of a new Cyber Security Centre to leverage the “information, knowledge, and expertise” of both public and private parties in order to gain insights into “developments, threats and trends.” Finally, the Dutch strategy focuses on several key initiatives and identifies the organization(s) responsible for each effort:
• Preparing threat and risk analyses;
• Increasing the resilience of vital infrastructures;
• Improving the capacity to withstand and respond to information and communications technologies (ICT) disruptions and cyber attacks;
• Intensifying investigation and prosecution of cyber crime;
• Stimulating research and education.

Because the majority of cyberspace infrastructure resides in the private sector, nations must develop robust partnerships with businesses, including (but not limited to) Internet service providers (ISPs), software and hardware vendors, managed security service providers, and owners/operators of critical infrastructures. We will provide three examples of such partnerships: two from the United States and one from Australia.

First, the PPP between the U.S. Department of Homeland Security (DHS) and the Defense Industrial Base (DIB) illustrates how a government can work with ISPs to improve the cyber security posture of a specific infrastructure sector (in this case, the DIB). This PPP began as a Department of Defense pilot that explored how the U.S. government could share threat information with ISPs who could in turn use that information to better protect DIB companies that chose to participate in the experiment. The initial success of the pilot led to the formalization of the program, which is now led by DHS. The program is expected to add many more participants and possibly serve as a model for other infrastructure sectors.14

A second example is a U.S. government-industry partnership to combat botnets. The White House coupled with the Departments of Commerce and Homeland Security (DHS) are working with the Industry Botnet Group, which represents thousands of companies across the information, communications, and financial services industries, to identify botnets and minimize their impacts on personal computers.15 This PPP includes initiatives, such as:
• A framework for shared responsibility across the botnet mitigation lifecycle from prevention to recovery;
• A pilot program between the Financial Services Information Sharing and Analysis Center, DHS, and the Treasury Department to share information about botnet attacks;
• An education campaign for consumers supported by DHS, the Federal Trade Commission, the National Cybersecurity Alliance, and several companies;
• Improved information sharing between the FBI, the Secret Service, and companies to shut down massive criminal botnets.

A third example is the Australian Internet Security Initiative (AISI). This public-private partnership between the Australian Communications and Media Authority and over 127 organizations, including numerous ISPs, is focused on combating the threat from infected computers:

“The AISI collects data from various sources on computers exhibiting ‘bot’ behaviour on the Australian internet. Using this data, the ACMA provides daily reports to internet service providers (ISPs) identifying IP addresses on their networks that have generally been supplied to the ACMA in the previous 24-hour period. ISPs can then inform the customer associated with that IP address that their computer appears to be compromised and provide advice on how they can fix it.”16

There are certainly other examples of PPP worth mentioning, but we believe that the three efforts cited here illustrate the level of cooperation that is needed to combat the advanced threats facing the world’s nations.

Political and Security Alliances. While nations must develop their own unifying frameworks for coordination of cyber authorities and capabilities, the lead cyber organization in each nation must work with counterparts in other countries to develop a mutual understanding of the authorities, capabilities, and national will that are required to enable coordinated action in cyberspace. This knowledge enables national leads to better understand how to align policies and capabilities within their own country, and it provides a means for each country to define its comparative advantage within the international cyber ecosystem. The need for such cooperation is evident in the priorities that different countries place on various threats. For example, “Germany has determined that botnet infestation of its private infrastructure is a priority for national defense...On the other hand, the United Kingdom has determined the data breaches caused by crime and espionage are its highest priority.”17 The differing priorities of these two countries are leading them to focus on policy and capability development in different areas. If one begins to consider the varying priorities of additional countries, the picture grows increasingly complicated and the need for coordinated action becomes even more apparent.

There is clearly a need for nations to develop a baseline understanding of common threats and capabilities to enable coordinated actions. Formal political and security alliances, such as NATO and ASEAN, are one way to achieve that end. On the plus side, such alliances are at least theoretically designed to strengthen the collective security of their members:

“Under the presumption that the mission and infrastructure of NATO primarily exist for the purpose of supporting international peace and security, NATO as an organization is in a good position to develop and apply security measures in the case of a [cyber] relevant threat or attack.”18

Indeed, NATO has taken important steps to develop its cyber capabilities, including the creation of the Cyber Defense Centre of Excellence, the development of a rapid reaction team to assist member states in the event of a significant attack, and the creation of a cyber exercise “designed to give its participants a better understanding of NATO’s Cyber Defense capabilities and to identify areas for improvement within the NATO-wide Cyber Defense community.”19 On the other hand, there are many reasons why it is difficult for large alliances to develop coherent policies and advanced operational capabilities, starting with the fact that reaching consensus among large numbers of states is challenging in the best of circumstances.20 ASEAN has done little more than call for the development of a cyber strategy.21 NATO has taken many steps in the right direction, but its overall capabilities for taking decisive action across the alliance are still limited.

Alliance leaders and member nations must increase their knowledge of the threats they face and the capabilities they need to respond to those threats. They must also inventory their collective cyberspace capabilities, and update their organizational structures and processes to enable effective employment of these capabilities. It is important to exercise these processes to identify what works, what doesn’t work, and to foster a culture of continuous improvement. Finally, alliance members need to reach a common position on how they are going to deal with complex issues such as cloud computing and information sharing that involve technical, legal, and political aspects.22 While reaching a consensus on these issues may be difficult, alliances are going to have to operate in a world filled with these technologies – the only question is whether they will decide to respond to the challenge effectively.

Other International Organizations. There are a large number of governance and standards organizations that play a key role in the cyberspace ecosystem, including but not limited to: the International Telecommunications Union (ITU), the International Criminal Police Organization (INTERPOL), the International Multilateral Partnership against Cyber Threats (IMPACT), the European Commission and the European Network and Information Security Agency (ENISA), and technical groups like the Internet Engineering Task Force (IETF). If they wish to participate in multilateral efforts to secure cyberspace, these organizations must define and deconflict their roles and responsibilities so that each specific body contributes its strengths to the broader coalition. In general, roles should be sorted out based on organizational charter and recognized competency to contribute in positive ways to international cyber security.

For example, one area where international organizations can play an important and unique role is in the development and promulgation of standards. Standards can provide guidance on best practices, they can establish metrics by which to assess performance, and they can enable coordinated action by creating agreed-upon lexicons for the sharing of information. Standards can focus on cyber security practices or they can focus on technical aspects. Examples of the former include ISO 27002, NIST guidelines, and the Standard of Good Practice published by the Information Security Forum. Examples of the latter include the Common Vulnerabilities and Exposures (CVE) dictionary, the Incident Object Description Exchange Format (IODEF), the Secure Content Automation Protocol (SCAP), and the Structured Threat Information eXpression (STIX).23 Finally, standards for privacy of personal information need to be developed and normalized across nations. For example, privacy laws in the EU and the United States do not always agree in their views of personal information and corporate access to that information.24

Other actions that can be taken by international organizations include the development and expansion of legal frameworks for reducing cybercrime, such as the European Convention on Cybercrime, clarification on how international law applies to cyber warfare,25 and agreement on the global responsibilities of private sector actors, such as Internet service providers.26

Conclusion. In summary, we advocate for greater multilateral action to improve cyber security across the globe. First, like-minded nations should agree on a common set of principles and norms that can enable coordinated action. These guiding concepts need to be developed in a public-private sector partnership that balances privacy, security, and economic livelihood. Second, nations must develop their own unifying frameworks for cyber defense. A state cannot function effectively in a coordinated manner on the global stage if its own house is not in order. In addition, each nation must identify a lead agency for cyber security, align authorities to that lead, and provide sufficient resources to enable the organization to achieve its mission. Third, in an increasingly interconnected world, we must realize that norms, national policies, and national frameworks for cyber defense are necessary, but not sufficient. We must go to the next level by linking national plans to coalition planning, exercises, and greater understanding of coordinated security in cyberspace. These efforts must leverage political and military alliances as well as international organizations (governmental ones and non-governmental ones). They may include activities focused on military, legal, political, economic, and technical aspects of cyber security. We will draw new lessons from these actions that will enhance our ability to share information and act in a coordinated manner at the coalition level while fostering further development of policy and capability delivery within our respective nations. This will begin to change the cyber playing field from one dominated by offensive-minded adversaries to one based on mutually assured defenses.



NOTES

1 Multilateralism can be defined as “the practice of coordinating national policies in groups of three or more states through ad hoc arrangements or by means of institutions.” See Robert O. Keohane, “Multilateralism: An Agenda for Research,” International Journal, 45:4 (Fall 1990): 731.
2 “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” May 2011, Internet, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf (date accessed: 20 August 2012) (hereinafter International Strategy for Cyberspace).
3 International Strategy for Cyberspace, p. 3, supra note 2.
4 Dave Neal, “William Hague Rings the Cyber Attack Alarm, Again,” The Inquirer, 17 November 2011, Internet, http://www.theinquirer.net/inquirer/news/2125649/william-hague-rings-cyber-attackalarm (date accessed: 10 June 2012).
5 See International Strategy for Cyberspace, p. 10, supra note 2.
6 Martha Finnemore, “Cultivating International Cyber Norms,” America’s Cyber Future: Security and Prosperity in the Information Age, Kristin M. Lord and Travis Sharp, eds., June 2011, p. 89, Internet, http://www.cnas.org/cyber (date accessed: 20 August 2012).
7 See “Microsoft Takes Down Dozens of Zeus, SpyEye Botnets,” 26 March 2012, Blog Post, Internet, http://krebsonsecurity.com/2012/03/microsofttakes-down-dozens-of-zeus-spyeye-botnets/ (date accessed: 20 August 2012), and Nick Wingfield and Nicole Perlroth, “Microsoft Raids Tackle Online Crime,” New York Times, 26 March 2012, Internet, http://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html?_r=2&pagewanted=1# (date accessed: 20 August 2012).
8 See Kelly Jackson Higgins, “Startup Targets the Attackers behind the APT,” Security Dark Reading, 28 February 2012, Internet, http://www.darkreading.com/advanced-threats/167901091/security/news/232601696/startup-targets-the-attackersbehind-the-apt.html (date accessed: 20 August 2012).
9 The U.S. Federal Communications Commission and the new U.S. Industry Botnet Group, among others, could be good focal points for coordinating this type of action.
10 Desire Athow, “Former NSA & CIA Director Suggests Employing Mercenaries for Cyberwarfare,” ITProPortal, 1 August 2011, Internet, http://www.itproportal.com/2011/08/01/former-nsa-cia-director-suggests-employing-mercenaries-cyberwarfare/ (date accessed: 20 August 2012).
11 The U.S. Constitution provides for letters of marque. In this context, it could be appropriate to have private sector actions in cyberspace approved by the government.
12 We are grateful to Gary Gagnon, Chief Security Officer and Senior Vice President at the MITRE Corporation for providing this scenario.
13 European Network and Information Security Agency (ENISA), “Dutch Cyber Security Strategy 2011,” Internet, http://www.enisa.europa.eu/media/news-items/dutch-cyber-security-strategy-2011/view (date accessed: 20 August 2012).
14 Amber Corrin, “DoD to Expand Public-Private Cybersecurity Project,” Federal Computer Week, 25 April 2012, Internet, http://www.fcw.com/articles/2012/04/25/DOD-expanding-DIB-cybersecurity-pilot.aspx?p=1 (date accessed: 20 August 2012).
15 Press release, “White House Announces Public-Private Partnership Initiatives to Combat Botnets,” 30 May 2012, Internet, http://www.commerce.gov/news/press-releases/2012/05/30/white-house-announces-public-private-partnership-initiatives-combat-b (date accessed: 21 August 2012).
16 Australian Internet Security Initiative, Internet, http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317 (date accessed: 20 August 2012).
17 Melissa Hathaway, “Toward a Closer Digital Alliance,” The SAIS Review of International Affairs 30, no. 2 (Summer-Fall 2010): 21-31.
18 Eneken Tikk, “Global Cyber Security-Thinking About the Niche for NATO,” The SAIS Review of International Affairs 30, no. 2 (Summer-Fall 2010): 105-119.
19 NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), Tallinn, Estonia, “Cyber Defence Exercises,” Internet, http://ccdcoe.org/215.html (date accessed: 20 August 2012).
20 Other factors could include policy or legal roadblocks, differing priorities, funding issues, a lack of personnel with the right skill sets, and many others.
21 For example, see Wendell Minnick, “Malaysia calls for ASEAN ‘Master Plan’ to Fight Cyber Attacks,” Defense News, 3 June 2012, Internet, http://www.defensenews.com/article/20120603/DEFREG03/306030004/Malaysia-Calls-ASEAN8216-Master-Plan-8217-Fight-Cyber-Attacks (date accessed: 20 August 2012).
22 For example, see Bob Butler, “Personal Devices in the Workplace: Advantage or Risk?” SafeGov, Internet, http://safegov.org/2012/6/14/personal-devicesin-the-workplace-advantage-or-risk (date accessed: 27 June 2012).
23 We strongly support the move towards information sharing focused on threats because we believe it can enable rapid and coordinated action across multiple organizations. For more information on this standard, see MITRE, Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (McLean, VA, 2012), Internet, http://measurablesecurity.mitre.org/docs/STIX-Whitepaper.pdf (date accessed: 24 August 2012). For further information on the topic of information sharing, see MITRE, Information Sharing Models: An Overview, 11-4486 (McLean, VA, 2011).
24 Bob Sullivan, “Privacy Lost: EU, U.S. Laws Differ Greatly,” MSNBC, 19 October 2006, Internet, http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-starkeu-us-privacy-laws/#.UDOj_90iZic (date accessed: 21 August 2012).
25 The “Tallinn Manual” on the Applicability of International Law to Cyber Warfare, a book sponsored by the NATO Cooperative Cyber Defense Centre of Excellence, is currently in draft. Forthcoming, Cambridge University Press, 2013.
26 A detailed discussion of the ISP issue can be found in Melissa E. Hathaway and John E. Savage, “Stewardship of Cyberspace: Duties for Internet Service Providers,” March 2012, Internet, http://www.cyberdialogue.citizenlab.org/wp-content/uploads/2012/2012papers/CyberDialogue2012_hath-


Cyber Operations

Conflict Under International Law

Catherine Lotrionte

Catherine Lotrionte is Director of the Institute for Law, Science, & Global Security and a Visiting Assistant Professor of Government and Foreign Service at Georgetown University. Dr. Lotrionte has served as Counsel to the President’s Foreign Intelligence Advisory Board at the White House and as Assistant General Counsel at the Central Intelligence Agency. She is the Director and Founder of the Cyber Project at Georgetown University and a Life Member of the Council on Foreign Relations.

On 6 September 2007, Israeli jets flew into Syrian airspace unobserved by Syrian military forces and bombed what Israeli government sources believed to be a nuclear facility. The failure of the Syrian air defense network was the result of an Israeli cyber attack. In the age of cyber warfare, the Israelis defeated the enemy before the battle had begun. The cyber operation facilitated the successful use of kinetic military resources. Cyberspace, however, can also be used by states to conduct a war without ever needing to engage in kinetic military operations. In 2007, ethnic tension escalated between native Estonians and ethnic Russians in Estonia following the movement of a Soviet era war memorial. That April, Estonia was hit by a Distributed Denial of Service attack (DDOS), which overwhelmed computers and servers across the country for two weeks.1 By the end of the attacks, Estonia’s largest bank had lost over $1 million.2 The Estonian authorities ultimately blamed Russia, claiming that at least one query had been traced to an IP address in the Russian administration.3 Both episodes demonstrate that cyberspace is a real battleground in today’s warfare operations.

The first section of this article examines the challenges in defining the term cyberwar and will propose a working definition for the legal analysis of the topic. The second section considers the relevance of the contemporary jus ad bellum to the problems of cyberwar, examining five questions of law: 1) Does international law apply to cyber? 2) Is cyberwar permissible? 3) When is a cyber operation a use of force? 4) When is a cyber operation an armed attack? 5) How does a victim state legally respond to a cyber attack? 6) When can a victim state legally respond to a cyber attack? 7) Where can a victim state legally respond to a cyber attack? This analysis will focus on state practice in digital activities since 1945, analogous areas of state practice over the same period, and the writings of legal experts and publicists. Finally, the article will set forth a number of conclusions about the relevance of the Charter jus ad bellum and jus in bello to the post-Charter digital era and the onset of cyber conflict.

Outlining Cyberwar. As early as 2006, at least 20 nations had their own cyberattack programs.4 The rising prominence and risks of cyberspace have forced states to define cyber threats and develop a legal framework for cyberwar operations. There is no one universally accepted definition for “cyberwar,” but most working definitions include a few common elements of all cyber warfare acts:
1. Violence against computers, computer networks or information within computers,
2. The disruption or destruction of information or computer systems.

For the purposes of this article, cyberwar will be defined as: “the unauthorized penetration by, on behalf of, or in support of, a government into another nation’s computer or network, or any other activity affecting a computer system, in which the purpose is to add, alter, or falsify data, or cause the disruption of or damage to a computer, or network device, or the objects a computer system controls.”5 It is currently waged by states that use cyberspace to achieve the same ends they pursue through the use of conventional military force: achieving advantages over a competing nation or preventing a competing nation from achieving advantages over them.

That said, the realm of cyber warfare is not likely to remain the exclusive province of states. By 2009, experts agreed that beyond states, “some nonstate actors - such as criminal organizations, terrorist, and activists - are developing sophisticated arsenals of cyber weapons and that some have demonstrated a willingness to use them for political objectives.”6 Non-state actors will use cyberspace with or without state support, further complicating the understanding of cyberwar. This poses unique challenges to the development of a legal framework for cyberwar, such as determining what, if any, relationship non-state actors have with a state sponsor. The relationship between cyber actors and states can be analyzed within four categories:
1. Cyber actors without state toleration, support, or sponsorship;
2. Cyber actors with state toleration, but without state support or sponsorship;
3. Cyber actors with state support, but without immediate state sponsorship; and
4. Cyber actors with state sponsorship.

“State toleration” exists when a state does not sponsor or support the cyber group within its borders, but knows of their existence and fails to suppress them and their activities. A state “sponsors” cyber attacks when it “contributes active planning, direction, and control” to a cyber warrior or group.7 “State support” of a cyber warrior group includes “a state’s provision of intelligence, weapons, diplomatic assets, funds or rhetorical endorsement.”8

Does International Law apply to Cyber Warfare? The laws governing the legality of the recourse to the use of force (jus ad bellum) and the laws related to the behavior of actors while engaged in conflict (jus in bello) are applicable to cyber operations. This article focuses on jus ad bellum legal issues but introduces some of the principles of jus in bello in addressing the last three questions. Jus ad bellum is a set of rules that govern the resort to armed conflict and determine whether the conflict is lawful or unlawful in its inception.9 In 1945 the UN Charter, in articles 2(4) and 51, redefined previously accepted ideas of jus ad bellum and codified the contemporary jus ad bellum in its entirety.10 If a state activity is a use of force within the meaning of Article 2(4), it is therefore unlawful. Article 2(4) prohibits the threat or use of force to violate another sovereign state.11 There are two primary exceptions within the UN Charter to this restriction, namely when it is an exercise of a state’s inherent right of self-defense in response to an armed attack as recognized under Article 51 of the Charter12 and when it is authorized by the Security Council under its coercive Chapter VII authority.

There are competing views as to international law’s applicability in cyberspace. On one hand, the United States has explicitly stated that the laws of war apply to cyberspace, and that it will therefore abide by them.13 On the other hand, states such as China have asserted that “existing mechanisms”, such as the international laws of war, do not apply to cyber operations. Such positions taken by states are a point of concern for the United States and other states that seek to minimize the use of force in cyber and maintain peace and security in this domain.14 This article examines some of the difficulties in addressing cyber operations under these jus ad bellum principles.

Is Cyber Warfare Permissible under International Law? No existing provision of international law explicitly prohibits cyber warfare. This absence of any detailed prohibition is significant, as it is generally understood that that which international law does not prohibit it permits.15 International law, however, traditionally places limits on when a state may use force. These restrictions as applied in the domains of land, air, space, and sea would also be applicable in cyberspace. In an area where the law is not well-established, such as cyberspace, state practice will likely dominate in establishing what is acceptable behavior. Where there is a lack of consensus on the applicability of treaty law in this area and little likelihood of a new treaty regulating the cyber domain, state practice will inform the interpretation of the relevant treaty provisions over time. As state expectations shift in the context of cyber warfare, the international norms will evolve to meet those expectations.

tially, the U.S. denied the existence of the U-2, claiming that the plane was a missing National Aeronautics and Space Administration (NASA) meteorological observations plane that accidentally crossed into Soviet territory. On 23 May the Soviet Union proposed a draft resolution to the UNSC claiming that actions by the U.S. were acts of aggression in violation of international law.18 The then-Soviet Foreign MinisWhen Is a Cyber Operation a ter Andrei Gromyko argued that under Use of Force? Although the UN the circumstances where one plane can Charter outlaws the “use of force,” no carry an atomic weapon, such an act international treaty, including the UN justified military retaliation.19 Charter, actually defines the “threat or The UN Security Council rejected use of force.” Therefore, the existing the Soviet draft resolution. While the international law that governs the use of incursion into Soviet airspace was a force must be derived from an analysis violation of the territorial integrity of of how the Charter’s use of force para- the Soviet Union, it was not an act of digm has been interpreted by interna- aggression or unlawful use of force.20 tional courts and the Security Council As in this case of the U-2 flights, acts of and applied through state practice. espionage are generally not considered On 1 May 1960, the U.S. high- to be a use of force or act of aggression

As state expectations shift in the context of cyber warfare, the international norms will evolve to meet those expectations. flying reconnaissance plane, the U-2, piloted by Francis G. Powers, came down within Soviet territory.16 The U.S. had been clandestinely collecting overflight operations within Soviet territory in order to assess its development of military weapons. Following the incident, the Soviets protested to the United States and on 18 May the Soviet Union requested that the United Nations Security Council convene to consider the U.S. U-2 flight into its territory as “aggressive action.”17 Ini-

[ 1 8 ] Georgetown Journal of International Affairs

under international law. At the time of the U-2 incident, both the Soviet Union and the United States assumed that aggression meant the use of armed force in international relations with aggressive intent. They disagreed, however, as to whether the penetration of foreign territory by an unarmed reconnaissance plane operated by another state could be regarded as such a use of armed force. Based on the UNSC discussions, it was generally accepted that such an unarmed plane within another


LOTRIONTE

territory would not constitute an act of aggression as used in the Charter. Over time, states, including the United States and the Soviet Union, have sought to include a broader range of acts within the meaning of a use of force including acts that would not necessarily be armed, but that had aggressive intent. During the 1960s, however, the predominant opinion confined the term to direct uses of or threats to use armed force with aggressive intent justifying defensive military action.21 It is notable, however, that article 2(4) does not use the word armed in reference to force. Today, there is a general understanding that uses of force do not necessarily have to be actions conducted by a state’s armed forces to constitute a use of force.22 Most international legal scholars today accept that in analyzing actions that may rise to the level of a use of force consideration should be given to the scale and effects of the actions rather than focusing solely on whether it involved armed action by a state’s forces.23 Certainly, if the actions cause the death or injury to persons or damage to property the actions would constitute a use of force. In the cyber context, a cyber operation causing an air traffic control system to fail leading to deaths would constitute a use of force. Furthermore, if the consequences of a cyber operation were to cause significant disruption and turmoil for a state, such was the case of the cyber attacks against Estonia in 2007, even without lose of life, such an operation may constitute a use of force under a scale and effect threshold. In sum, while in the U-2 case infringement of another state’s airspace was found by the UNSC


not to constitute an unlawful use of force, the infringement of a state’s computer networks may constitute an unlawful use of force or act of aggression based upon the consequences of the action. Over time, state practice will provide more clarity on what cyber operations will be considered by states to be uses of force.

When Is a Cyber Operation an Armed Attack?

In assessing whether a state’s action would constitute a use of force, as discussed above, the goal is to determine whether the actions violate international law (i.e., the UN Charter and customary international law). In contrast, in assessing whether an action constitutes an armed attack under international law, the goal is to determine whether the victim state may forcibly respond in self-defense without violating the article 2(4) prohibition. In Nicaragua v. United States, the International Court of Justice (ICJ) asserted that states do not have the right of armed response to acts that do not constitute an armed attack as envisioned by the UN Charter. According to Article 51 of the UN Charter, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security.”24 Accordingly, a state’s right of self defense is dependent upon whether the particular use of force at issue amounts to an armed attack. In the Nicaragua case, the ICJ drew a clear distinction between lower-level uses of force and “the most grave forms of the use of force” that


would constitute “armed attacks.”25 The UN Charter itself does not provide a definition for an “armed attack,” creating some difficulty in extending the notion of armed attack to address non-kinetic cyber attack operations. Using a consequence-based approach reliant on the use of force scale and effects model from the Nicaragua case, however, provides a basis for assessing whether a particular cyber attack constitutes an armed attack. Under this approach, an armed attack does not need to be carried out by traditional military forces. Rather, its consequences would need to be equivalent to an attack by conventional military forces in order for the attack to constitute an armed attack for purposes of Article 51.26 For example, if a cyber attack operation does not have the potential to cause the analogous devastating results that a military armed force would, it would not constitute an armed attack, thereby prohibiting any forcible self-defense action. Such a cyber attack, however, may constitute a use of force. According to this analysis based upon the Nicaragua standard, the Stuxnet cyber attack against the Iranian nuclear facility at Natanz would likely not constitute an armed attack since the result of the cyber operation was the malfunctioning of centrifuges at the facility resulting in no actual physical damage to the facility or death. A military armed attack against the facility would have caused great physical destruction and potentially death to those within and near the facility. Similarly, a cyber attack that caused a generator to overheat and fail to function properly, temporarily interrupting service and requiring a replacement, would not meet the threshold of an armed attack. The Stuxnet operation as well as the operation against the generator, however, would likely be categorized as uses of force. The more difficult cases to analyze are those computer operations deployed for purposes of stealing or altering data. Without any physical consequences such cyber operations will


not meet the armed attack threshold. If, however, such computer intrusion operations were to result in the disruption of an air traffic control system causing it to fail and planes to crash, the computer operations would rise to the level of an armed attack. The benefit of adopting a standard for armed attacks under international law for cyber operations would be to assist states in determining when it would be lawful to exercise self-defense using forcible measures to stop and prevent cyber attacks. Without a consensus on what constitutes an armed attack in the cyber domain, states either risk responding against harmful cyber attacks and being condemned by others for “acts of aggression” or refraining from responding, putting national security at risk.

How Can a Victim State Legally Respond to a Cyber Attack?

International law has developed a number of legal requirements for uses of force beyond the requirements in the UN Charter for self-defense. For example, all uses of force must be necessary and proportional.27 In the Nicaragua case the ICJ confirmed that both principles were requirements.28 These limitations were asserted by then-U.S. Secretary of State Daniel Webster in the Caroline Affair of 1837, which involved Great Britain sinking a ship in U.S. territory being used by Canadian rebels to carry out attacks into Canada. In his correspondence with Great Britain, Webster wrote that, to be justified, the use of force in self-defense must be necessary and proportionate under the circumstances of the particular case.29 Webster asked the British Government to show that the action was “nothing unreasonable or excessive; since the act justified by the necessity of self-defense, must be limited by that necessity, and kept clearly within it.”30 A state’s use of cyber weapons in self-defense is not limited to a specific weapon or type of attack as long as under the necessity principle the forcible response is required in order to address the threat (no other nonforcible measures could address the threat) and under the proportionality principle such forcible actions cause no further damage than needed to address the threat under the circumstances. With respect to necessity, for example, if the use of passive measures such as firewalls could stop a cyber attack, a state


must use these measures and not resort to a forcible measure of self-defense. The requirement of proportionality is determined by the size and magnitude of what is reasonably necessary to achieve the permissible objectives of any self-defense operation.31 States must also follow the principle of discrimination and the principle of chivalry when responding in self-defense. Under customary international law, the principle of discrimination requires that those involved in hostilities distinguish between combatants and noncombatants, avoid targeting civilians and their property, and take all reasonable precautions against injuring civilians or damaging their property in the course of attacking military targets.32 The modern principle of chivalry dictates that those involved in hostilities are required to distinguish between lawful ruses and unlawful perfidy. While ruses are meant to mislead the enemy and are lawful under the laws of war, acts of perfidy are breaches of expressed or implied agreement between belligerents, such as the misuse of a flag of truce or Red Cross flag, and are prohibited under the laws of armed conflict.33 These prohibitions apply just as readily to cyber operations as they do to kinetic operations. For example, if a state sent a logic bomb disguised as an email from the International Committee of the Red Cross to an enemy, this action would be considered perfidious behavior. Another example of a perfidious cyber operation would be an email sent to an adversary declaring its intention to surrender and specifying the time and place that the surrender would take place. However, at the


pre-planned time of surrender those that sent the email ambush the adversary. Just as a state would expect men and women in Red Cross uniforms to be genuine and therefore under legal protection and acts of surrender to be legitimate, so too are Red Cross-based emails and emails of surrender reasonably expected to be genuine, and thereby free of subterfuge. In contrast, permissible ruses in cyber operations could entail the use of false computer identifiers or networks such as a honeypot.

When Can a Victim State Legally Respond in Self Defense to a Cyber Attack?

Assuming a cyber attack constitutes an armed attack under international law, a state can legally respond in self-defense to the cyber attack while the attack is on-going in order to stop the attack and after the attack has occurred in order to prevent further attacks. Clearly, article 51 of the UN Charter recognizes the right of states to defend themselves once an armed attack has occurred or is in the process of occurring. The more controversial position is if a state responds in self-defense against an attack before the attack occurs. This principle is referred to as anticipatory self-defense and, although not explicitly mentioned in article 51, has support in the travaux of the UN Charter’s drafting committee.34 Anticipatory self-defense’s legal basis comes from the 19th century Caroline case. According to then-Secretary of State Webster, anticipatory self-defense is only justified when “the necessity of that self-defense is instant, overwhelming, and leaving no choice of means, and no moment for deliberation.”35 Traditionally, under anticipatory self-defense, it was understood that the threat would need to be imminent before the right of self-defense was triggered. Particularly with cyber operations where attacks can occur within milliseconds, there may not be any time to act to prevent the attack from occurring once the attack is launched. With cyber operations that threaten the security of the state, state practice may dictate that states will act in anticipation of cyber attacks, before the attacks are launched, in order to ensure the security of the state. Measures of “active defense” may develop through state practice further developing the area of international law with respect to anticipatory self-defense.

Where Can a Victim State Legally Respond in Self Defense from a Cyber Attack?

The UN Charter does not provide complete answers to questions such as how far the right of self defense against cyber attacks extends, or whether this right can be exercised solely at the site of the launch of the actual or potential attack, or beyond that area. If a state allows its territory to be used by another state for launching armed attacks against a third state, the third state can legally use force in self-defense against both the former states. What if the attackers, however, are not a third state but instead simply a group of individuals residing within a neutral state? The United States is concerned about the potential for non-state actors such as terrorist groups or criminal organizations to use cyber operations to attack the United States.36 Traditionally, international lawyers have characterized the


right of self-defense as applicable only to armed attacks conducted by states. After the 9/11 attacks, however, the Security Council and the international community recognized the applicability of the right of self-defense against al Qaeda as a non-state actor.37 In the context of cyber where perfect attribution for cyber attacks to a state may be impossible and non-state actors may launch attacks against a state, states may resort to the use of force against non-state actors residing in another state’s territory. According to both treaty and customary international law, the territory of neutral states is inviolable by the forces of those engaged in armed conflict.38 An attack using a neutral


country’s satellites, computers, or networks could be viewed as infringing upon the neutral’s territory. The attack would therefore be considered illegal and perhaps an act of war against the neutral state.39 Conversely, a neutral state’s failure to resist the use of its networks for attacks against another country may actually make it a legitimate target for an attack by the country that is the ultimate target of those attacks. All states have a responsibility under customary international law not to allow their territory to be used to cause harm to another state.40 If a state is unwilling or unable to prevent such harmful use of its territory, a victim state may use proportionate force in order to stop the harmful attacks.

NOTES

1 “Estonia and Russia: A cyber-riot,” The Economist, 10 May 2007, Internet, http://www.economist.com/node/9163598 (date accessed: 7 October 2012); Jaak Aaviksoo, Minister of Defense of Estonia presentation to Centre of Strategic and International Studies, 28 November 2007.
2 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” The New York Times, 29 May 2007.
3 Ibid.
4 Dawn S. Onley and Patience Wait, “Red Storm Rising,” Government Computer News, 21 August 2006, Internet, http://www.gcn.com/print/25_25/41716-1.html (quoting John Thompson, chairman and chief executive officer of Symantec Corp.).
5 Richard A. Clarke and Robert Knake, Cyber War, (Harper Collins, 2010), 228.
6 McAfee, Inc., “Virtual Criminology Report: Virtually here: The Age of Cyber Warfare,” 2009, Internet, http://www.mcafee.com/us/resources/reports/rp-virtual-criminology-report-2009.pdf (date accessed: 7 October 2012).
7 Robert J. Beck and Anthony Clark Arend, “Don’t Tread on Us: International Law and Forcible State Responses to Terrorism,” Wisconsin International Law Journal 153, 12 (1994).
8 Ibid.
9 Adam Roberts and Richard Guelff (eds.), Documents on the Laws of War, 2nd edition (Oxford: Oxford University Press, 1989), 2-3.
10 Bruno Simma and others, eds., The Charter of the United Nations: A Commentary (Oxford: Oxford University Press, 2002), 111.
11 UN Charter, art. 2, para. 4, “All Members [of the United Nations] shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.” This prohibition is also accepted as customary international law.
12 UN Charter, art. 51: “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security…”.
13 Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” Wall Street Journal, 30 May 2011, Internet, http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html?mod=WSJ_hp_LEFTTopStories#articleTabs%3Darticle (date accessed: 7 October 2012).
14 “Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2012,” Office of the Secretary of Defense (May 2012), 9, Internet, http://www.defense.gov/pubs/pdfs/2012_CMPR_Final.pdf (date accessed: 7 October 2012).
15 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J., paragraph 21, July 8, 1996.
16 U.S. Department of State, E. Europe Region; Soviet Union, Foreign Relations of the United States: 1958-60: pt. 1 n. 147 (1993), Internet, http://dosfan.lib.uic.edu/ERC/frus/frus58-60x1/13soviet7.html (date accessed: 7 October 2012).
17 The Department of State Bulletin, vol. 42 (23 May 1960).
18 United Nations Security Council Document 4321, Union of Soviet Socialist Republics: draft resolution on 23 May 1960.
19 Summary of Gromyko’s remarks in the United Nations Review, July 1960, 44.
20 The UN General Assembly has equated the use of force by a state against the territory of another state as an “act of aggression.” See Definition of Aggression, G.A. Res. 3314 (XXIX), Annex art. 3(a), U.N. Doc. A/RES/3314 (Dec. 14, 1974).
21 Harvard Research in International Law, Rights and Duties of States in Case of Aggression (Philip Jessup, Reporter), Art. I (c), 33 A.J.I.L. Supp. 847 (1937).
22 During the proceedings leading to the UN General Assembly’s Declaration on Friendly Relations the suggestion to limit the prohibition on the use of force to armed force was rejected. See U.N. GAOR Special Comm. on Friendly Relations, U.N. Doc. A/AC.125/SR.114 (1970).
23 The threshold of scale and effect was originally employed by the ICJ in the Nicaragua case in the Court’s assessment of what would constitute an armed attack. The Court drew a distinction between the arming and training of the Contras by the United States which the Court ruled was a use of force versus the funding of the Contras by the U.S. which it ruled did not constitute a use of force. See Nicaragua v. U.S., 1986 I.C.J. 14 (June 27), para. 228.
24 UN Charter, art. 51.
25 Nicaragua v U.S. paras. 191, 210, supra note 23.
26 The U.S. Department of Defense appears to have accepted this notion of “equivalence” as part of its Strategy for Operating in Cyberspace. See Department of Defense, Department of Defense Strategy for Operating in Cyberspace (July 2011). See Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” The Wall Street Journal, 30 May 2011.
27 John Norton Moore, Crisis in the Gulf: Enforcing the Rule of Law (New York: Oceana Publications Inc., 1992), 22, 156.
28 Nicaragua v U.S.: paragraph 194, supra note 23.
29 Letter from Daniel Webster, U.S. Secretary of State to Lord Ashburton, British Special Minister (Aug. 6, 1842). Reprinted in John Bassett Moore, A Digest of International Law (1906) 412.
30 R.Y. Jennings, “The Caroline And McLeod Cases,” American Journal of International Law 32 (1938), 89.
31 Moore, Crisis in the Gulf, 158, supra note 27.
32 Nuclear Weapons Advisory Opinion, para. 78 (“States must never make civilians the object of attack and must consequently never use weapons that are incapable of distinguishing between civilian and military targets.”).
33 IV Hague Convention, 1907, Arts. 2, 3, 24.
34 Derek W. Bowett, Self-Defense in International Law (Great Britain: Manchester University Press, 1958), 188-89.
35 Simma, The Charter of the United Nations: A Commentary, 675-76.
36 The White House, National Security Strategy 27 (May 2010), Internet, http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf (date accessed: 7 October 2012).
37 S.C. Res. 1373, U.N. Doc. S/RES/1373 (Sept. 28, 2001); S.C. Res. 1368, U.N. Doc. S/RES/1368 (Sept. 11, 2001).
38 Hague Convention (V) Respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land (1907), Article 1.
39 United Nations Manual on the Prevention and Control of Computer-Related Crime, paras. 262-264 (1993).
40 Corfu Channel (U.K. v Albania), I.C.J. (1949) 4.


Confidence-Building Measures
The Future of the Global Information Infrastructure

Anatoly Streltsov

Anatoly Streltsov is the Vice-Director of Lomonosov Moscow State University’s Information Security Institute. He has worked as a Research Physicist in the Naval Research Laboratory and as a Research Associate Professor at Dartmouth College. His research in physics and mathematics has been sponsored by NASA, ONR, Air Force and DARPA.

Creating confidence-building measures in the information sphere has become a major foreign policy priority for many states.1 Confidence-building measures and other collaborative efforts to counter military, terrorist, or criminal threats create conditions for the maintenance of international peace and security in the information sphere. Confidence-building measures in the information sphere are similar to confidence-building measures between militaries in that they are a set of measures that facilitate information sharing between states regarding their information and communication technologies and strategies.2 The measures are created to neutralize the cyber threats of opposing states in peacetime and wartime, to prevent and resolve crises in the area of information infrastructure, to combat cybercrime and information terrorism, and to promote states’ national cultural values and political preferences in foreign countries.3 As such, confidence-building measures are used as instruments in maintaining international peace and security and provide an environment of mutual understanding between nations. This environment reduces the risk of a surprise attack on key national information infrastructure facilities or a politically-motivated, violent conflict triggered by


“information weapons.” In this paper ‘information weaponry’ is defined as special information technologies and communications technologies; this includes attempts to violate computer security by using a piggyback entry, tailgates, and aborted connections. Confidence is the only tool that can be used in international cooperation on cyber. Confidence is the first step in developing proposals for the formation of responsible state behavior in the information sphere. Information security has been discussed at the UN General Assembly, at the UN Group of Governmental Experts, and at international conferences and seminars over the last decade.4 These discussions are important in that they have allowed the international community to develop the political capital required to reduce the danger posed by the malicious use of information and communications technologies, criminal organizations, and individuals. Meetings held between the United States and Russia in 2010 and 2011 on global information security demonstrate this potential. What emerged from these meetings is a joint U.S.-Russia statement on measures to enhance confidence in cyberspace. The statement recognizes that the relationship between the two countries on cyberspace security has advanced to a new level, making it possible to build confidence and ensure transparency. In addition to these efforts, the international community has already developed and implemented some confidence-building measures; examples include the exchange of information on cybersecurity between the members of NATO. Similar work in the field


of information security has been carried out within the framework of the Union State of Belarus and Russia, as well as by the members of the Collective Security Treaty Organization (CSTO). However, because confidence-building measures can mitigate threats to states’ national interests, international peace, and security, much remains to be accomplished in this area. The first section of this paper explores four threats to information infrastructure and how confidence-building measures can be used to eliminate these threats. The second section of the paper explores three potential scenarios that can result from different levels of confidence-building measures.

Threats to global information infrastructure and confidence-building measures.

The report that followed session 65 of the UN General Assembly outlined the following four threats: (1) use of information and communications technologies as warfare and intelligence tools towards political ends; (2) use of information and communications technologies to plan and organize terrorist activities; (3) use of information and communications technologies as a crime tool in the information sphere; and (4) use of the global information infrastructure for subversive activities, including activities carried out by individuals, groups, and organizations, to perform intermediary functions in organized subversive activities on behalf of other persons.5 This section of the paper will discuss each of these four threats and explain how confidence-building measures can mitigate or overcome these threats.



The threats listed by the UN impact most significantly the development of states’ foreign policy concerns relating to national and international information security. The first threat of information and communications technologies used as tools of warfare and intelligence for political ends raises three major concerns. The first concern is that if information and communications technologies are used as means of warfare for political purposes there is the possibility to disrupt the stable operation of the Internet, which is the foundation of the global information infrastructure. This is especially troublesome since many nations are working on expanding the global information infrastructure in an effort to meet commitments that the World Summit on the Information Society (WSIS) established in 2003 and 2005.6 The objective of the WSIS is to develop e-commerce, enable government authorities to provide information services to their citizens, enhance transparency of government control, expand international cultural exchange, develop distance-learning systems, and improve healthcare. Thus, destabilizing the operation of the global information infrastructure can produce grave implications on the performance of business, the exercise of rights and freedoms by citizens, the successful social and economic development of nations, and national security.

To overcome this threat, confidence-building measures should be built in such a way as to involve interested nations in performing certain Internet control functions that would remove the concern of technologies being used as warfare. However, not all Internet control functions are equally important in sustaining the stable operation of the global information infrastructure.7 If we assume that the main network operation controls are handled by Internet providers then, regarding the implementation of confidence-building measures, it would be possible to start discussing the following issues: developing the international regulatory environment of Internet services; determining quality standards for those services; and internationalizing the process of taking and implementing decisions to control the stable operation of the network in emergencies caused by political and terrorist factors. Because non-government structures perform functions to control this network, it is important to ensure coordinated operation of these non-government actors and newly established government authorities. A second concern is the ability to include latent malicious functions in these technologies. This is especially important in light of research and efforts by states to create ‘information weapons.’8 This threat increases with the resulting temptation to integrate


such ‘weapons’ into information and communications technology products available in the market. This potential substantially heightens the risk of destabilizing the operation and security of key national information infrastructure facilities and creating situations with the potential for international conflicts. This concern can be decreased if confidence-building measures focus on setting up forums to establish the following measures: setting special safety standards for information and communications technology products, introducing a system of voluntary certification to meet the above standards, and establishing an international judicial body to review claims of certified-product non-compliance with requirements and enforce liability for offenders. The third concern that this threat raises is the risk of an ‘information arms’ race and the use of information weapons. A growing number of states utilize information weapons as support for or in lieu of traditional kinetic weapons. Stuxnet, Flame, and other viruses demonstrate the destructive capabilities and the dangerous implications of malicious software. The trends in upgrading ‘information weapon’ destructive capabilities show the same pattern. In these conditions the concern could be eliminated by adopting international legal instruments. This would involve developing norms of international humanitarian law, international security law, and laws of war as they apply to the use of the ‘information weapon’ in interstate conflicts. An international hotline that authorized representatives of states could call to discuss suspicions and misunderstandings, a communications channel between members of the UN Security Council, and an intergovernmental agency tasked with conducting joint investigations on the employment of information and communications technologies should all be established. This cooperative effort would disrupt the threat posed by key national information infrastructure facilities to other national information


infrastructures. The second threat to international information security, as outlined above, is that information and communications technologies can be used to plan and organize terrorist activities. Terrorist organizations and individual terrorists can access prototyped ‘information weapons’ and the methods that can be used to employ such weapons for political purposes. Information and communication technologies can be used to facilitate the preparation of terrorist acts and harmonization of terrorist groups’ actions, as demonstrated by the terrorist attacks in the United States on 9/11 and in Mumbai, India, on 26 November 2008. On the one



hand, the international community is working to impede terrorists from using ‘traditional’ means of committing acts of terror and to interdict access to nuclear weapons. On the other hand, nations are working to upgrade their national information infrastructure and technological capabilities. Using an ‘information weapon’ in an attack or to coordinate an attack are tactics garnering increased attention from terrorists. Although to date there is no case of successfully employing information and communications technologies to carry out acts of terror (in the 9/11 and Mumbai attacks, information and communication technologies were used to prepare the terrorist attacks, not to directly carry them out), the likelihood of such an event is rising. In this case, as well, confidence-building measures can eliminate the threat. They could include, for example, information sharing regarding the aspirations of terrorist organizations and individual terrorists to gain access to prototyped information weapons and methods of employing such weapons. Sharing this information would enhance national efforts to prevent terrorist organizations from accessing information about the research and development of information weapons, detect and suppress the activities of terrorist organizations, and reduce the risk of confusion in the use of information weapons by nation states. The third threat to international information security, as outlined by the UN General Assembly, is that information and communications technologies can be used to commit “information crimes.” In spite of considerable efforts by law enforcement services, thus far


there is nothing that can be done to alleviate information criminality. This is partly due to the trans-border nature of most information crimes and the nascent state of international cooperation in crime investigations. The Budapest Convention on Cybercrime was adopted in 2001 with the purpose of addressing information criminality but the situation has not changed. The Budapest Convention has actually generated new concerns about the potential use by foreign law enforcement agencies to access information infrastructure facilities for illegal activities. For example, information access could be used to review personal details of citizens and industrial and military secrets, and to install ‘information weapon’ components at national information infrastructure facilities. To overcome this threat, confidence-building measures could include the adoption of an international treaty to combat cybercrime which would address mutually beneficial mechanisms for fighting information crime and could draw from existing international treaties regulating this area. Such a treaty would allow government authorities and international organizations, such as INTERPOL, to fight computer crime. The fourth threat to international peace and security is that the global information infrastructure can be used for subversive activities. This threat raises the concern that some states could use information agencies, social networks, and other information and communications technologies to undermine the stability of foreign states, to support decisions to use military force, or to force independent

nations to change their policies. Foreign states that publish information on biological and chemical weapon systems, violations of human rights to freedom of speech and expression, or inadequate attention by states to existing humanitarian problems could spark the subversive activities listed above. In this case, exchanging information can be used to manipulate public opinion by other states and international organizations.

Scenarios. The importance of counteracting these four threats is evidenced by the Intergovernmental Agreement on Information Security signed by the Member States of the Shanghai Organization in July 2009.9 One goal of this multinational organization is to build information security. To achieve this, the Member States must establish confidence-building measures. Trust between states is crucial for international cooperation, especially to counter threats to international information security. The level of confidence-building measures that states employ and how they are implemented will impact the development of information infrastructure. This section of the paper considers three scenarios that could result from different levels of confidence-building measures.10 The future of the global information infrastructure depends on many factors, but one of the most important is how confident states are that investing in the development of the global information infrastructure will not be used by foreign states to damage national economies, destabilize public administrations, or undermine human rights and sovereignty in the information sphere. Scenario 1: In this scenario the maximum level of security is achieved due to successful implementation of confidence-building measures: the global information infrastructure continues to grow and citizens, businesses, and government authorities maintain a high level of confidence in the implemented infrastructure. Cooperation among law enforcement agencies is efficient, thus reducing the risk of information crime and information terrorism. The use

of information and communications technologies in business processes and government authorities increases; businesses turn to these technologies as the capitalization of companies involved in the creation and development of these technologies increases. Furthermore, governments use these technologies to provide services to communities. This situation helps achieve a sufficient degree of protection for the national interests of Member States of the international community, related to information and communications technologies, from malicious activities by foreign states. Circumstances


improve the transparency of government activities and, as a result, efficiency of control over government activities by the society and interested nongovernment organizations. Democratic procedures of society’s participation in public administration develop. The level of industrial and military espionage raises no concern with states. Scenario 2: In a less favorable but more realistic scenario, the global information infrastructure develops with limited and inadequate confidence-building measures. States are concerned about national and international information security. The global information infrastructure positively affects the development of the global information economy but less so than in the first scenario. Information risks present in businesses rise. The use of the global information infrastructure to enhance the economic potential of states is confined by significant political risks. The use of foreign information and communications products in setting up key national information infrastructure assets, information, and communications products is restricted. International cooperation in information and communications technologies is suppressed by states and regional organizations. There remains the risk of encroaching on the national interests of Member States of the international community. However, the level of confidence by citizens, businesses, and states in the infrastructure remains sufficiently high to support its development. Countermeasures provided by law enforcement agencies to combat information crime remain inefficient and criminal activities continue to increase. Spontaneous

disruption of operations at key national information infrastructure facilities caused by both terrorist organizations and security agencies of foreign states becomes more frequent. Interventions are discussed more often at UN Security Council meetings and states budget more money for countermeasures in the global information infrastructure. There is an ongoing fierce information fight in the mass media which is attributed to attempts made by foreign states and their non-government affiliates to interfere with the internal affairs of other states. At times, low intensity armed conflicts erupt out of deep political controversies over the sociopolitical implications of the disrupted operation of key information infrastructure facilities. States and their regional authorities undertake some measures to single out the national information infrastructure into a relatively independent global information infrastructure segment. States continue to exercise certain restrictions on human rights to freedom of information exchange and expression. State security services continue with their active efforts to gain illegal access to industrial and state secrets. Scenario 3: In the worst case scenario the global information infrastructure develops without any confidence-building measures. States and their regional authorities isolate information infrastructures into independent information and communications networks. As a result, the global economy degrades and stagnates, isolating national economies, due to the deteriorated efficiency of international cooperation in industry and trade. Risks relating to the use of information and communications

technologies are high, which undermines the development of an information economy. Citizens, businesses, and government authorities have almost no confidence in the global information infrastructure. There is no interface between states in computer crime; information criminals and terrorist organizations use information and communications technologies for their own purposes. The level of social risk is high. Information fighting in information infrastructure between opposing states becomes fiercer. This fighting disrupts the operational capabilities of national communications systems and satellite constellations. Armed conflicts are common among states and can potentially trigger a world war. Enforcing human rights and freedoms globally is no longer a priority to nations that are more concerned with counteracting military threats. Spontaneous disruption of capabilities of key national information infrastructure facilities committed by terrorist organizations and foreign states is common, which contributes to the formation of a hostile multipolar world. States actively integrate information weapon components into information and communications systems of foreign states, thus raising suspicions between states. Information fighting in the mass media is attributed to attempts made by states and their non-government affiliates to interfere with internal affairs of other

states.

Conclusion. International peace and security in the information sphere is necessary to realize the full potential of information and communication technologies, while simultaneously respecting the rights and freedoms. Achieving international peace and security is possible only through international cooperation and confidence-building measures in the field of information security, which will create a sense of trust among states. The substance and scope of the confidence-building measures implemented by states will shape the future global information infrastructure. This paper has discussed the four threats to the global information infrastructure outlined by the UN General Assembly and how confidence-building measures can be used to overcome those threats. The second section of the paper examined three potential scenarios that could result from different levels of confidence-building measures implemented into the international system. The most favorable scenario of the future global information infrastructure is feasible if confidence-building measures are developed to help states ensure human rights and freedoms, provide free and independent development of national communities, improve the well-being of citizens, and preserve its cultural integrity and safety.


NOTES

1 The information field represents the totality of public relations-related information and information infrastructure.
2 Treaty between the United States and the Russian Federation on Measures for the Further Reduction and Limitation of Strategic Offensive Arms, New START (8 April 2010).
3 Organization for Security and Co-operation in Europe. Final Act. Helsinki, 1975.
4 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN A/65/201 (30 July 2010).
5 Ibid.
6 Declaration of Principles, Building the Information Society: A Global Challenge in the New Millennium, WSIS-03/GENEVA/DOC/4-E (12 December 2003).
7 Report of the Working Group on Internet Governance, 05.64122 (June 2005).
8 Recall ‘information weapons’ are special information technologies and communication technologies, including technologies used to violate computer security.
9 Agreement Between the Members of Shanghai Cooperation Organization in the Field of Information Security, 15.06.0001 (2009).
10 The idea for these three scenarios is based on Jason Healey’s predictions for five future possibilities of cyber conflict. Jason Healey, “The Five Futures of Cyber Conflict and Cooperation,” Georgetown Journal of International Affairs Special Issue: Cybersecurity, (2011).


China’s Perceptions of Cybersecurity

Wang Peiran

Interest and research in cybersecurity issues began in China in the 1980s. In April 1987, retired Major Shen Weiguang published the essay “The Harbingers of Information Warfare,” where he introduced his ideas on information warfare.1 In 1987, the Chinese government established the Center for InfoSec Studies2 and Service, which is the main Chinese cybersecurity agency, and the National Information Center. This article explores China’s approach to cybersecurity, and specifically its infrastructure for dealing with cybersecurity threats, the role the Internet has played in changing traditional Chinese norms, and the obstacles to Chinese cooperation with the rest of the world in the field of cybersecurity. In order to successfully confront the challenges of cybersecurity it is imperative that China increase its engagement on both a domestic and international level.

Wang Peiran has been a visiting researcher at the Center for Economic Law and Governance, Vrije Universiteit Brussel, Belgium, since September 2010. He most recently published “A Tough Sell: Overcoming the EU Arms Embargo” in China Security, and has been interviewed by China Daily and People’s Daily, the official newspaper of the Communist Party of China. His research interests cover security studies and international relations theory.

Chinese Infrastructure/Bureaucracy/Domestic Strategy for Cybersecurity. Herbert S. Lin, Chief Scientist at the Computer Science and Telecommunications Board at the National Academy of Sciences argues, “information technology is seen as a threat to the regime, because

it provides perspectives beyond the control of the party.”3 Due to these fears, China focuses on protecting critical national infrastructure and controlling the flow of information online. China has invested in its infrastructure and in national policies for cybersecurity. In China, there are sixteen departments handling cybersecurity issues. Departments are either ‘specialized’ or ‘comprehensive.’ Specialized departments are similar to functional bureaus and regulate solely within their specific area. These departments include the Information Office of the State Council, the Ministry of Culture, the State Administration of Radio Film and Television (SARFT), the Ministry of Education, the Ministry of State Security (MSS), and the Administration for the Protection of State Secrets (APSS). Comprehensive departments create guidelines for national cyber policy. There are two ‘comprehensive departments’: the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS).4 In addition to these departments, in September 1999 the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) was established. This body, which answers to the MIIT, handles cyber crises.5 6 This shows that MIIT is the critical agency in China’s domestic strategy of cybersecurity rather than the Ministry of State Security.

China has also developed policies that address cybersecurity. In May 2006, the General Office of the CPC Central Committee and the State Council issued the “State Informatization Development Strategy: 2006–2020 (SIDS).” This makes substantially improving national information security a strategic objective. In the twelfth edition of the Five-Year Plan (FYP), the document charting China’s national priorities for a five-year interval, the

CPC Central Committee explains how information security can be achieved. The Committee stresses the importance of information security in military development and made cybersecurity a national priority. These documents demonstrate that China views cybersecurity as a multi-dimensional problem, involving both military and civilian agencies. The government has sought to create a balanced approach to cyber policy, ensuring military preparedness and strategic necessities. While building an infrastructure and introducing policies on cybersecurity is a good start, more remains to be done. Although different agencies exist, there is no clear mechanism for inter-agency cooperation in the event of a cyber attack. The government needs to develop not only the necessary technology for dealing with a public cyber emergency, but also a national policy for coordinating government policy and a platform for contradiction between


contradicting viewpoints. There is no evidence, however, of a commitment to such a policy by the country’s leadership. According to Ning Jiajun, a member of the Advisory Committee for State Informatization and Information, “a lack of coherent leadership, organization and coordination” is a serious challenge to China’s cybersecurity development.7 In addition to policy, new legislation on cybersecurity is urgently required. In March 2012, Mr. Xu Long, Deputy to the National People’s Congress (NPC), pointed out there is no coherent information security law. The functions of existing laws and regulations are unclear, inefficient, and contradictory. He concludes that the laws need to be clarified with regard to legislative aim, sphere of application, conceptual framework scope, supervisory administration, protection for system computer information, internet information service, e-business security, information, and legal responsibility (civil, administrative, and criminal).8

The Implications of Cyber on China’s Social Transformation. Since the late 1970s, China has experienced profound social transformations that threaten traditional culture and ideology. The economic boom of the last thirty years has brought in more stakeholders in the policy-making process. The party leadership is now forced to consult private businesses, state-owned enterprises, the military, and others. Technology has introduced new forms of media into the country. Social media and the resulting increased transparency have reduced corruption

and created a platform for confrontation between contradicting viewpoints. The role technology plays in reducing corruption has been acknowledged by Chinese authorities in “The Internet In China,” a report issued by the Chinese government in June 2010: In order to facilitate the public’s reporting of corrupt and degenerate officials, the central discipline inspection and supervision authorities, the Supreme People’s Court, the Supreme People’s Procuratorate and other relevant bodies have set up informant websites. The informant website of the CPC Central Commission for Discipline Inspection and the Ministry of Supervision and the website of the National Bureau of Corruption Prevention are playing an important role in preventing and punishing corruption and degeneration among officials. According to a sample survey, over 60 percent of netizens have a positive opinion of the fact that the government gives wide scope to the Internet’s role in supervision, and consider it a manifestation of China’s socialist democracy and progress.9 The Internet has made it increasingly difficult for any one actor to dominate political discourse. The debate between nationalism and liberalism in China is exemplary of the growing diversity of opinion in China and can be attributed at least in part to the increased access to the Internet. In 1996 the book China Can Say No: the Political and Emotional Choice in the Post-Cold War was published. The book was a nationalist diatribe against the West, and, at that time, few

books with alternative viewpoints were published. Thirteen years later, a new nationalist text, China Is Not Happy: Epoch Times & Great Goals and Our Troubles at Home and Aggression from Abroad, was published. But in the same month, Who Are Unhappy in China: Three Cyber Swordsmen, which supports universal values, was published. This book challenges the narrow vision of the nationalist texts. The Internet has made it easier for liberalism and universal values, which challenge the traditional nationalist discourse, to enter Chinese society. Chinese elites, who have greater access to these discussions of liberal and universal values in cyber space, will play key roles in developing civil society and working towards democratization. This new political discourse in China has led to the acceptance of the importance of the freedom of speech and the protection of human rights in China’s intellectual communities.

China and International Cooperation. Considering the transnational character of cyber warfare and the importance of non-state actors in the Post-Cold War world, international cooperation on cybersecurity should be premised on the basis of global governance. As an emerging power, China should take a leading role in cooperating with relevant stakeholders to help establish international norms and oversight bodies. To date, however, China’s engagement in this area has been minimal as a result of its diplomatic promise of respecting national sovereignty, the mutual-distrust between China and the West, and the threat to the social order presented by freedom of speech. Since its founding, the principles of respecting national sovereignty and non-interference have been central to PRC’s diplomacy. In the post-Cold War period, China’s ability to act in international forums has been constrained by this emphasis on state sovereignty. China has found it difficult to collaborate with the international community on cybersecurity issues because international treaties formed on the basis of universal values challenge the traditional Chinese view of sovereignty. Despite the end of the Cold War, China’s relationship with the West remains mixed. From the Chinese perspective, the Western community’s focus on human rights constitutes a potential and practical threat to the survival of the CCP and the stability of China’s society. Many in China’s leadership consider the Internet to be a tool for western intervention. This fear is tied to the Chinese perception of sovereignty. Simultaneously, the West is concerned about China’s capacity for cyber espionage and information warfare. Unrestricted Warfare, published by two PLA Air force officials, is a good example of the mistrust between the Chinese and Western communities. The quick success of the U.S. military in the 1991 Gulf War surprised PLA leaders and revealed the massive capability gap between the conventional armed forces of the United States and China. Coupled with tension in the Taiwan Strait throughout the 1990s, the incidental Belgrade embassy bombing in 1999, and the Hainan Island Incident on 1 April 2001, the PLA began to see the United States as a potential future military adversary. Asymmetric warfare was considered by the authorities the only solution to closing the capability gap.

Unrestricted Warfare demonstrates the PLA officials’ intentions to win any future conflicts in an asymmetric way, not an intention to engage in unrestricted cyber warfare at present. At the same time, the gap in technological capabilities between China and the West results in China’s rejection of international cooperation. Zhang Yongfu, a professor at the PLA Information Technology University Committee declared “the core technology is monopolized [by the West], especially in areas of national and military security, which cannot be imported or bought. Hence, we must build [a] robust base of core technology with our [own] intellectual property, master fate in our hands.”10 But all key stakeholders should play a role in building the institutional framework for transnational cybersecurity policy. Once China is accepted internationally, it will comply with the rules and norms. China’s access to the international nonproliferation regimes is an excellent example. If China were excluded from the Nuclear Non-Proliferation Treaty, the EU’s and U.S.’s debates over nonproliferation and related issues with China would be more difficult than at present. If criticism against China pervades, China will be reluctant to play a role. This reluctance results in more criticism and so the spiral continues. This cycle, reminiscent of the security dilemma witnessed during the Cold War, will promote rising conservative nationalism in China, which will be a further obstacle to cooperation. Thus China’s participation in international talks on cybersecurity is mutually beneficial for China and other key stakeholders.

In developing international cybersecurity norms it will be important to emphasize building a consensus between Chinese and Western values. This consensus is the social and intellectual basis of international cooperation between China and the Western stakeholders. To promote China’s engagement in international-regime building, a multi-track dialogue mechanism should be established, including official, academic, and civilian channels. Through academic exchange, the Chinese intelligentsia comes to understand Western perceptions and accept Western values. These intellectual leaders are then able to exert influence on policy-makers in Beijing.

Conclusion. China has engaged in cyber research since the 1980s but much more remains to be done at both a domestic and international level for China to successfully confront cybersecurity attacks. First, China needs to develop inter-agency policy for its sixteen departments to coordinate with each other in the event of a cyber attack. Second, it needs to develop legislation that addresses cybersecurity needs. Third, it needs to participate in international talks on cybersecurity. China has benefited from the peaceful international environment since the end of the Cold War. New transnational security challenges require more coherent international cooperation outside the bounds of normal national security perceptions and interests. China must place more emphasis on improving transnational security cooperation. By engaging in the rule-making process, China will earn considerable goodwill and protect its strategic interests.

NOTES

1 Shen Weiguang, “The Harbingers of Information Warfare,” Newspaper of the People’s Liberation Army, 17 April 1987.
2 The term ‘InfoSec’ or ‘Information Security’ is the synonym for cybersecurity in Chinese discourse.
3 Brigid Granman, Cyber-security: The Vexed question of global rules, February 2012, Internet, http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf (date accessed: 7 October 2012).
4 Wei Liurong, Wang Rong, “The Analysis of China’s Internet Management System,” China New Telecommunication (Zhongguo Xin Tongxin), 18 November 2007.
5 National Computer Network Emergency Response Technical Coordination Center of China (CNCERT or CNCERT/CC), Internet, http://www.cert.org.cn/publish/main/34/index.html.
6 http://www.jscert.org.cn/page/content/level/1 (date accessed: 7 October 2012).
7 Zhang Zhiyu, Huangkai, ‘The Present Status of InfoSec in China’ (Zhongguo Xinxi Anquan Xianzhaung), Chinese Information Community (Zhongguo Xinxijie), No. 8, 2003.
8 Zheng Jiaxin, Zhang Peifa, “XU Long Suggests Legislation of InfoSec and Electronic Payment,” 4 March 2012, http://politics.people.com.cn/GB/70731/17286002.html (date accessed: 7 October 2012).
9 The Information of Office of State Council, The Internet in China, white paper, 8 June 2010, Internet, http://english.gov.cn/2010-06/08/content_1622956.htm (date accessed: 7 October 2012).
10 Cheng Xiangran, “Master the Strategic Highland of Cyber Security” (Zhangwo Wangluo Anquan Zhanlue Xin Gaodi), PLA Daily, 2 February 2012, http://chn.chinamil.com.cn/jskj/2012-02/02/content_4779740.htm (date accessed: 7 October 2012).


The Implications of Mandates in International Cyber Affairs

Eneken Tikk-Ringas

The combination of hazy notions of cybersecurity and the inconsistency of mandates of international organizations results in oftentimes trivial and non-actionable output from these organizations’ discussions of strategic cyber issues. Simultaneously, there are indications of venue-shopping by nations for friendly entities to deal with aspects of cybersecurity. Better defining the issues and expected remedies as well as a balanced choice of venue would add consistency and credibility to international cyber deliberations.

Creating an international cyber governance and security regime faces two critical challenges: jurisdiction-shopping by nations for friendly venues to discuss and promote their and their allies’ strategic goals and messages; and, at the same time, general confusion and uncertainty regarding the scope of authority and substance of international cyber talks, resulting in duplicated efforts and frequent non-actionable guidance. To ensure the consistency and efficiency of international organizations addressing international cybersecurity issues, the term ‘cyber’ must be contextualized within the broader issue. Defining ‘cyber’ for the purposes of a particular discussion and referring to the organization’s mandate to

Eneken Tikk-Ringas is a Post-Doctoral Fellow at the Citizen Lab at the Munk School of International Affairs at the University of Toronto, and Lecturer on Cybersecurity Law at Tallinn Technical University. She has worked at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn and has advised the Estonian government on cyber issues. Dr. Tikk-Ringas has published several books, articles and presentations on legal and policy aspects of cybersecurity and is a frequent speaker at strategic cybersecurity events.


address the issue are two sides of the same coin, as one component alone will not suffice to distinguish and empower a line of decisions and action. Given that the term ‘cyber’ can, depending on one’s perspective, accommodate anything from information society development, e-commerce, e-governance and cyber crime to national or international peace and security threats, the quality of any discussion in the field depends on how well the issue is defined and how accurately the expected remedy is outlined.1 On the other hand, the essence of the problem and the expectation for an outcome will also define which international organizations are most appropriate to manage the issue. There is, at least theoretically, something that any given organization does best—on account of its legal authority, constituency, experience, or posture in the global community. The search for a one-stop-shop for all cyber problems, such as the United Nations, as has been proposed by some nations, ignores the existing concepts of, and international legal frameworks already in place for dealing with, trade, crime, terrorism, and warfare. This undermines the understanding about what any specific international organization can contribute to global cybersecurity and how it can do so. This article will look at some problem indicators and the potential impact of laxly defined mandates of international organizations in achieving and even defining strategic cybersecurity goals. After elaborating briefly on the terms “cyber” and “security” the author argues that no single international organization will be in position to cover the whole agenda of global cybersecurity. In that light, assessing the ability of each organization to resolve particular pieces of this puzzle requires care in considering the ramifications of mandates under international law.

Problem Indicators. There are numerous examples of inconsistencies related to the ‘cyber’ mandate and, consequently, the authority of international organizations. One example is

the rather broadly scoped 2010 report of the UN Governmental Group of Experts, indicating a dilution of the international peace and security focus, and thus cybersecurity focus, of United Nations General Assembly’s Disarmament and Security (First) Committee.2 The growing unease around the scope and outcome3 of the World Conference on International Telecommunications (WCIT) process is another example of how ambiguous mandates create confusion, disorder and disagreement in the international community.4 NATO’s mandate on cybersecurity is much broader than many commentators believe. It is often assumed that Estonia invoked collective defense


TIKK-RINGAS

International Engagement on Cyber 2012

in response to the 2007 attacks simply because the Estonian authorities brought the incident to the attention of the North Atlantic Council and the Military Committee. In fact, NATO’s mandate on cybersecurity also involves a dimension of cooperation and consultations below the threshold of use of force and armed attack. The issues of cyber terrorism have been raised not only at the UN Institute for Disarmament Research (UNIDIR), but also at the Council of Europe’s Committee on Experts on Terrorism (CODEXTER) and the UN First Committee. Despite the promotion of the Convention on Cybercrime by several countries as an appropriate instrument to deal with cyber crime, a parallel initiative has been started in the UN. Parallel discussions on confidence building measures (CBMs) are being held at the Organization for Security and Co-operation in Europe, the UN First Committee and under the auspices of the ASEAN Regional Forum (ARF).

So What? Although not all of the above developments represent an immediate issue, they do indicate a considerable overlap of authority to address aspects of information society governance and security by international organizations. An opaque and lax mandate allows nations to change venues of discussions that have dead-ended at one venue, to another organization, in effect resetting and delaying the process. Currently, nations often take their ‘cyber matters’ to the venue of their liking, for example, Palestine to ITU where it has status as observer with the right to raise points of order and co-sponsor proposals; Iran to the ITU, possibly due to the former’s tense relationship with the UN Security Council; or Estonia to NATO as its strategic security guarantor.5 Such practice does not necessarily constitute a (legal) issue per se, but confusion will arise over time as to which decision or position takes priority over the others and what are the criteria that justify a particular action in a particular venue. A divide over technological advancement and cyber policy priorities between nations on a global scale will not make the situation any easier. The promotion of certain venues over others may have already affected the functioning of existing frameworks as political coalitions often de facto overrule expert venues, leaving the latter powerless. The difficulty with the new ratification of the Budapest Convention stands as an example as do the challenges faced by the ITU in its push for stronger control over the Internet. Such “venue shopping” can have legitimate justifications: different representation bases at different organizations or adding perspectives to the discussion in the next round that may not have been tabled before. However, it nonetheless burdens organizations and leads to dilution or even misappropriation of the issue.

Increasingly, assuming authority over ‘cyber’ under different aegis has resulted in tensions between nations. While divergent interests and positions are an inherent factor in the relations of sovereign states, there is a legal aspect involved in empowering international organizations with aspects of uses of information and communication technologies.

Insufficient attention to mandates could also lead to an oversimplified understanding of an organization’s potential in handling an incident, crisis, or conflict. An error in the assessment may lead to a legal right of subjects of international law to refuse to carry out a conclusion or guidance arising from a specific process or action. Therefore nations need to be held to a higher standard in justifying their decisions to change venues or seek a different action. With international cyber affairs still in an early stage, the exercise of the right or duty to justify a venue may not occur tomorrow as very few states have created conclusive national arrangements on strategic cybersecurity, not to mention international positions. Given the trend towards venue-shopping, the number of organizations and groups addressing different aspects of cybersecurity, the growing unease about the lack of decisive progress compounded with the exertion of pressure by a variety of countries on certain international regulatory processes, an assessment of some ramifications of authority is appropriate.

The Ambiguity of ‘Cyber.’ ‘Cyber’ is generally understood as “of, relating to, or involving computers or computer networks (as the Internet).”6 Considering the advances in technology, the notion ‘cyber’ potentially encompasses satellites, weapon systems, aircraft, ATMs, home appliances, pets, and passports. In this vein, different categories of harm can arise – economic consequences, disruption to critical infrastructures, threats to national and international peace and security. It is therefore difficult to see how any one venue or entity could effectively cover or address the whole ‘cyber.’ The term ‘cyber’ is also used in a variety of meanings depending on the context of the issue (technical incident, personal gain, political motivation), the target (a private web server, an information system supporting governmental functions, a specific industrial control system, global DNS system or a home computer), the discussant (her scoping of the topic, angle of interest, her subject matter expertise), or the venue. Therefore, the term can denote any, all, or none of the above. Under the category of ‘cybersecurity,’ different subject matter areas, circumstances, and remedies interact yet remain substantively part of their disciplines and mechanisms of enforcement and implementation mechanisms.7 In other words, there is little, if any, additional substance in ‘cyber’ other than already existing aspects of information security, human rights, governance, trade, crime, and national and international peace and security. The notion of ‘security’ is as ambiguous, denoting technical security of ICTs to the technical community and a broad spectrum of adverse consequences to national or international peace and security to policy communities. Thus the notion of ‘cybersecurity,’ without further explanation or definition can lead to indiscriminate, indistinctive and therefore, non-actionable guidance. Before any ‘cyber issue’ can be discussed in an international organization, it is therefore imperative that the context of the issue is clearly defined as well as the nature of the problem in question.

No All-Embracing Mandate. Increasingly understood as means rather than an end, cybersecurity is an obligation of governments, international organizations, corporations, and citizens alike.8 It is impossible to put any single international organization in charge of ‘cybersecurity’ en large, as the legal, policy, and technical aspects of physical infrastructure, content, devices, and protocols for information and communication are already divided between organizations and regimes. That explains why ITU or the Internet Corporation for Assigned Names and Numbers (ICANN) play a role in technical assurance of telecommunication infrastructure and the broad reliability of the Internet and the domain name system, respectively, and it is difficult to see either of them alone in charge of strategic global cybersecurity. The UN is undoubtedly the premier venue on an international level to discuss a wide range of cybersecurity issues, both because of its global membership and comprehensive mandate. The organization is increasingly used by nations to advance their national strategic cyber interests.9 Even with a variety of topics under its purview and a global membership, however, the UN cannot be generally charged with global cybersecurity, as a task like this would do little to clarify the means or ends of the solution to the problem.

The potential contribution by each organization to global cybersecurity is framed by the mandate deriving from its legal personality under international law. The latter is generally framed by the intent of the States Parties. Each international organization has a purpose that defines its right and authority to intervene in discussions and decision-making. Such purpose usually comes from the foundation documents of any particular organization or body thereof. In principle, an international organization’s capacity to act is defined by the instrument establishing the organization e.g. the UN Charter in the case of the United Nations.10 Further, an organization’s capacity to have an impact on international affairs derives from its actions and the actual effects of this action on the behavior of States. The purpose is clearer cut for some organizations than for others. As the aim of the Council of Europe is to achieve greater unity between its members11, it is easier to understand why national security and military aspects of cybersecurity hardly fall into its scope of activity and experience. In contrast, NATO’s main purpose can be derived from the preamble of the North Atlantic Treaty, and the focus on peace and security12 makes it difficult to bring cybercrime, distinct from cyber defense, to the attention of this organization.

No Finite Mandate. The role of international organizations in international relations is not constant. Over time, mandates or aspects thereof get revised (NATO after Cold War), updated (ITU in 1989 considering the topic of the Internet), expanded (EU), and shrunk with or without rewriting relevant treaties. Cybersecurity is an excellent example of how organizations like the United Nations and NATO have recently engaged in a new field of activity – the UN began to deal with it in 1998 (disarmament), and NATO adopted its first cyber defense strategy in 2007. A shift like this can be only partially explained by the emergence of new technologies. Rather, the cyber issues becoming relevant to these international organizations have been defined by emerging uses of information and communication technologies and the social and political consequences of such uses. That such topics for discussion overlap is justified due to differing memberships, e.g. cyber crime regulations in selected European Union instruments and the Budapest Convention.

From a legal perspective it is not uncommon that international organizations can justify a broader mandate than that originally agreed to or documented. However, to determine if an extension of mandate is essential to the performance of constitutionally articulated duties13, consistent with the expressed aim of the founding documents14 or appropriate to the fulfillment of the purpose of the organization15, such decisions should be based on a clear understanding of the issue, the stake(holder)s involved and the impact needed and feasible. Further, under international law it is required that the authority is assessed by the context and proper interpretation of the constitutional instruments, keeping in mind the structure and authority between different organizations and within the organization.16

Ultimately, it is nations that empower international organizations, and it is their judgments about which issues to bring to the attention of which body that determine which organizations discuss which issues and how. Without a doubt, the requests by the constituency do not always meet the immediate area of attention or experience of a particular organization.

Possible Remedies. In order to optimize the role and impact of any given international organization in global cybersecurity talks, it is essential to add focus and frame to the issue so that the desired impact can be achieved. Given that ‘cyber’ and ‘security’ are both rather vague terms, they should be defined for the purposes of the process either implicitly or by referring to relevant existing concepts. To avoid an overly technical approach to a strategic issue, the agendas and processes can further be framed by a reference to the authority embedded in a treaty provision or otherwise manifested in relevant documents or acts. This exercise would help better understand and align the expectations and remedies in cybersecurity governance, a highly interdisciplinary, controversial, and high profile area of international affairs.

Therefore, before submitting a request to an international organization, governments should evaluate alternative venues and weigh the appropriateness of the specific venue. Similarly, when accepting a request to address an issue or promote a change, international organizations need to critically assess their mission and purpose as well as their institutional capability to deal with the case at hand. It will be up to the members of a particular organization to grant, endorse, and waive the powers of an organization or a body thereof. Either way, entrusting an international organization with the promotion of common interests comes with the responsibility of verifying any subsequent task against such national interests and the powers conferred to the organization in question.

Conclusion. There are two complementary approaches to achieving more clarity and consistency in international organizations’ cyber agendas – more precisely outlining the issue or topic under question and more strictly considering the mandate of any given international organization to address cybersecurity. In the absence of a defined focus, the expectations of the constituency towards the authority, the level of engagement, and the impact of different international organizations differ and the interests of actors diverge. This makes a coherent consensus and effective process almost impossible. Duplication of effort and shopping for favorable venues is a detriment to innovation, trade, development, and improvements in quality of life – the goals that have shaped the development of the Internet and information technologies for decades. The clarity of strategic goals set by or invoked by the constituency and their alignment with the original or updated mandate of the organization will enable stable and predictable decisions about the admissibility of a request and the scope of potential engagement and action. Transparency regarding the mandate and potential areas of involvement will contribute to constructive contributions, avoid contradicting guidance, and, thereby, increase international organizations’ credibility, acceptance and impact. A well-defined tasking adds focus and substance to processes and results, thus increasing the odds that outcomes are implemented and enforced. Finally, rationalized and focused mandates will reveal remaining overlaps and gaps between activities of different international organizations and allow for a discussion of the need for reassigned rights and duties.

NOTES

1 See also Eneken Tikk, Cyber Security: Solutions of Tomorrow, Experience of Yesterday, Tomas Reis, ed., (Swedish National Defense College: 2012, forthcoming).

2 U.N. Office for Disarmament Affairs. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/65/201), 16 July 2010, Internet, http://www.un.org/disarmament/HomePage/ODAPublications/DisarmamentStudySeries/PDF/DSS_33.pdf (date accessed: 7 October 2012).

3 See for example Bob Sullivan, “Is Flame virus fallout a Chinese, Russian plot to control the Internet?” 12 June 2012, Internet, http://redtape.msnbc.msn.com/_news/2012/06/12/12172042-is-flamevirus-fallout-a-chinese-russian-plot-to-controlthe-internet?chromedomain=bottomline&lite (date accessed: 7 October 2012).

4 World Conference on International Telecommunications (WCIT) convened under the auspices of the International Telecommunications to review the current International Telecommunications Regulations (ITRs).

5 Resolution 99 (Rev. Guadalajara, 2010).

6 Merriam-Webster Dictionary, ‘cyber’ either as an adjective or as a combining form is generally understood as “of, relating to, or involving computers or computer networks (as the Internet)”, Internet, http://www.merriam-webster.com/dictionary/ (date accessed: 7 October 2012).

7 See also Helen Nissenbaum, “Where Computer Security Meets National Security,” Ethics and Information Technology, vol.7 (2005): 61–73.

8 National positions of, for example, US, UK, Australia.

9 Russia 1998, China and Russia 2011.

10 See H. Schermers and N. Blokker, International Institutional Law: Unity within Diversity (Hotei Publishing: 1995); Dan Sarooshi and Rosalyn Higgins, International Organizations and Their Exercise of Sovereign Powers (Oxford University Press: 2005); C. Amerasinghe, Principles of the Institutional Law of International Institutions (Cambridge University Press: 1996); Philippe Sands and Pierre Klein, Bowett’s Law of International Institutions (Thomson Publishing: 2001); José E. Alvarez, International Organizations as Lawmakers (Oxford University Press: 2005).

11 Statute of the Council of Europe, 5 May 1949, London. Article 1 (a).

12 The North Atlantic Treaty, 4 April 1949, Washington D.C.

13 This is the criterion highlighted in the Reparation case (ICJ Reports, 1949: 174, 182).

14 The Effect of Awards of Compensation Made by the UN Administrative Tribunal case (ICJ Reports, 1954, pages 47, 56-7).

15 Certain Expenses of the UN case (ICJ Reports, 1962: 151, 168).

16 Legality of the Use by a State of Nuclear Weapons case (ICJ Reports, 1996: 66, 78-79).


A Balkanized Internet? The Uncertain Future of Global Internet Standards

Jonah Force Hill

Jonah Force Hill is a technology and international strategy consultant and recent graduate of the John F. Kennedy School of Government at Harvard University, where he was a Belfer Center for Science and International Affairs Fellow.

The Internet is at a crossroads. Today, it is generally open, interoperable and unified. Any Internet user can exchange email with more than two billion other global Internet users; entrepreneurs can launch services such as eBay and Amazon and quickly turn them into multibillion-dollar businesses; and people from all across the world can connect with others, share ideas, and improve democratic governance through social networking sites such as Facebook and Twitter. Over the past decade, however, an increasing number of journalists and academics have noted – often in alarmist terms – the ways in which government censorship programs, powerful commercial interests, concerns over cybersecurity, and other dynamic changes in the Internet ecosystem are pulling the global network apart into various distinct, idiosyncratic “internets,” threatening the global communication, economic prosperity and innovation the Internet has fostered over the past two decades.1 Yet despite the proliferation of articles and commentaries on this “balkanization” of the Internet, there has been little consensus about which parts of the Internet are fragmenting, what changes in the Internet ecosystem are causing the fragmentation to occur, and to what degree these processes should be a concern. This article, drawn from a larger working paper exploring Internet balkanization, will highlight one of the lesser-explored threats to a unified global Internet: the potential collapse of the Internet standards process.

Keeping the Internet Together Through Standards. The Internet is held together as a globally interoperable platform through its common set of technical protocols, message formats and computer languages, collectively known as Internet standards. Internet standards – such as IPv4 and IPv6, Hyper-Text Mark-up Language (HTML), Hyper-Text Transfer Protocol (HTTP), and Border Gateway Protocol (BGP) – set the normative technical specifications for communication on the Net. By ensuring the Internet’s reliability, and by providing a predictable marketplace for goods and services, a globally common set of Internet standards has allowed the Internet to rapidly (and comparatively inexpensively) expand around the world.

Yet the organizations and processes that decide which protocols should be adopted as the international standard for a particular networking function are not without their critics. A growing chorus of national governments – including China, Russia and others – has argued that the organizations and processes that lead to standardization are both outmoded and inequitable. They contend that the current process unfairly favors American firms; that it produces standards with insufficient built-in security; and that it leads to standards that allow for a degree of freedom fundamentally at odds with the social norms of some nonwestern nations.2 As a result of these concerns, the technical design decisions that were historically the sole province of engineers and academics have increasingly come under the political pressures of governments seeking to influence and reform them.

Thus far these efforts have remained largely unsuccessful. The standards bodies continue to churn out new and improved standards for the international market. Yet there is concern about the future viability of these organizations. If governments were to become sufficiently frustrated with the way standards are being designed, or find that existing standards-development processes no longer serve their national economic or security interests, then we might witness a large country, or a coalition of countries, decide to withdraw from the current standards process, effectively cleaving the Internet at the logical layer, at the Internet’s core.

How Anarchy Works3 - The Internet Engineering Task Force. Much of the tension surrounding the standards arena revolves around the future of the Internet Engineering Task Force (IETF). The IETF is an association of researchers, academics and engineers, many of whom were instrumental in the early development of the Internet in the 1960s and 1970s. Since its founding in 1986, the IETF has helped shape the majority of the Internet’s core networking protocols (such as TCP/IP) and the protocols for the Internet’s basic applications (such as SMTP for e-mail). The IETF is not the only standards body relevant to the Internet – there are dozens of other technical standards bodies that write and publish Internet-related standards – but since the early days of the Internet the IETF has been the body in which the most important standards needed for internetworking have been developed.4

The IETF is an unusual standards body among other standards organizations. It calls itself a “multi-stakeholder” Internet standards organization – indicating that it seeks to represent a comprehensive set of interest groups (ICT companies, civil society groups, etc.) with a stake in the standards process. But perhaps even more than other so-called multi-stakeholder organizations, the IETF seeks to be an inclusive, transparent, and intentionally (and unapologetically) non-hierarchical system of decision-making. Decisions at the IETF are based not on majority voting, but on “rough consensus,” a term left intentionally indefinite by the IETF’s founding members. The IETF likes to boast that its rough consensus model streamlines decision-making in a way that more formalized majority decision-making cannot.

The IETF also calls itself an “open standards organization,” in that its standards are available to the public and all of its internal discussions leading to the adoption of a particular standard are transcribed on the organization’s website. Moreover, IETF membership is open to anyone. An individual who regularly participates in an IETF e-mailing list or attends an IETF meeting can be said to be an IETF member.5 Certainly participation in the IETF decision-making process requires a strong technical understanding of the standard under development, but IETF rules nonetheless permit any person willing to contribute to participate in their standards development process.

Criticisms of the IETF. It is undeniable that the IETF has been extraordinarily successful at producing technically sound standards over the years. Its standards tend to be more reliable, come to market faster, and are more readily adopted than those produced in competing standards bodies.6 Yet despite its success at developing standards, the IETF is viewed with suspicion by a number of both developing and developed nations.7 Beyond seeing the IETF as an anarchic institution with little oversight and few controls, critics also suspect that the IETF is – as is the case with many institutions of Internet governance – merely an instrument of American political and commercial interests.8

These critics stress the fact that Americans have dominated the IETF since its founding. Americans have held a disproportionate number of high-level positions within the organization and American engineers have been responsible for the vast majority of the IETF’s “Request for Comments” (RFCs) documents, the technical peer-reviewed reports that often lead to standards.9 Of the more than 6,000 RFCs drafted between 1986 and 2012, American engineers have drafted over 70 percent of them. Compare that number with the mere 4 percent of RFCs drafted by Chinese engineers, the 2 percent from India, and the less than one-half of one percent from Russia.10 Granted, these RFC numbers date back to 1986, when the Internet was predominantly an American enterprise, but the pattern remains today: a more recent review of the RFCs reveals an IETF with an overwhelming American preponderance.11

This perceived American domination is more than simply an affront to the pride of non-American engineers: there is big money at stake. Although IETF standards are said to be “open,” in that the process and technical specifications of the standard are available to the public, and although no central authority mandates the adoption of IETF standards, most IETF standards contain within them patented technologies with licensing obligations due to the patent holder. As official policy, the IETF favors patent-free standards, but given the high cost of research and development for firms writing these standards, patent-free is often economically unfeasible.12 With potentially billions of dollars at stake, one can see why non-American observers would be skeptical of a system that, in their eyes, favors American patent-holders.

A look at the number of RFCs on a firm-by-firm basis further validates the IETF’s critics’ skepticism. From 1986, for instance, authors from one American corporation, Cisco Systems, have produced more RFCs than all of China’s submissions combined for the same period. Huawei, China’s largest information and communications technology (ICT) firm, is ranked a mere 13th in terms of RFCs and it is the only Chinese firm among the forty top RFC drafters.13

Americans and IETF supporters argue that more American RFCs are received and more American-designed standards are adopted because they are the most technically sound standards. No government or firm is formally required to adopt an IETF standard; they do so because they are the best, they argue. But given the IETF’s historical role as the Internet’s core standards body, IETF standards have been the de facto standards for internetworking since the Internet’s founding. Consequently, given the dominance of American engineers and firms at the IETF, and the vast amount of money exchanging hands in licensing fees, it is easy to see why non-American companies and governments might find the current process unsustainable, even if the IETF is indeed advancing the most “technically sound” standards.

Many American engineers – and likely many of their non-American IETF colleagues – respond with the argument that American engineers are simply better trained and more experienced than their non-American colleagues. They point out that the top research institutions are in the United States and that the Internet itself was created under American auspices. Other countries’ engineers are catching up technologically, but there is a lag time that has yet to be overcome. This argument may be the correct explanation, but while American engineers may in fact be better trained than their non-American counterparts, the numbers are still disproportionately weighted towards the Americans.

The real reason American engineers have been so dominant at the IETF, the critics maintain, is that the IETF as an institution is fundamentally unreceptive to the participation of non-Americans, despite its attempts at (or claims of) radical inclusivity. First, critics argue that cultural barriers preclude non-Americans from equal participation in IETF discussions. IETF meetings and email correspondences are conducted in English; English is the language of the all-important informal discussions that take place in the bars and hotel lobbies on the sidelines of the IETF meetings.14 Second, procedurally, the “rough consensus” model, the IETF’s self-proclaimed paradigm of inclusive decision-making, actually serves to give undue influence to incumbent engineers (read, Americans). Although everyone is free to participate in the IETF, it does not follow that every participant is equal. A member’s reputation within the IETF often determines how seriously people take his or her opinion, and consequently in what direction the “rough consensus” of the group will go.15 Since these reputations and relationships take years to form, new entrants (read, non-Americans) who have not been present at the meetings since the early years, or who have not been present on the sidelines of the conferences at MIT or Cal Tech, not unrealistically perceive themselves as at a significant disadvantage. Thus as Baisheng An, former Deputy Director of the WTO Affairs Department of the Chinese Ministry of Commerce, succinctly summarized, “[i]f the United States currently claims more faithful adherence to international standards rules, those claims are only valid because those international rules were first and foremost designed by, and thus already in line with, the interests of the United States.”16

Standards Clash and Demands for Change. In response to these real or perceived inequities, as well as a more general concern about the failure of the IETF to design standards with adequate security (often a euphemism for the ability to track and censor online activity) built in, China, Russia, Brazil and India, among others, have attempted both to circumvent the standards process, and to take the de facto standards-development power out of the hands of the IETF. Towards that end, the Indian government formally called for the creation of an entirely new body, the Committee for Internet Related Policies (CIRP), which would oversee and coordinate all Internet standards bodies, among other Internet governance functions.17 Additionally, in December 2012 at the renegotiation of International Telecommunications Regulations (ITRs) at the World Conference on Information Technology 2012 (WCIT-12) in Dubai, it is expected that Russia, China and perhaps other nations will propose that the ITU-T – a quasi-UN international treaty organization – take over responsibility for several areas of Internet governance, including Internet standards production.18 Although their actual proposals are not publicly available at the time of writing, the Internet Society, the organizational home for the IETF, and the Center for Democracy and Technology (CDT) have both indicated that China and others will likely propose revisions to Articles 1.4 and 3.5 of the ITRs that would “have the effect of making it compulsory for states to impose ITU-T standards.”19 It is unclear exactly how the IETF or any of the other major Internet standards organizations would function if either the Indian CIRP plan or the ITRs renegotiation were to lead to a UN or ITU-T takeover, or what “compulsory” ITU-T standards would mean in practice. It is also unclear how the United States, as a signatory to the ITRs, would respond. In order to avoid having to resolve these tough questions, the U.S., EU, Australia, Korea, Japan, and Internet freedom advocates around the world have responded vociferously to these proposals and are currently waging an international diplomatic campaign to have them rejected, arguing that an ITU or a UN takeover of the standards process would mean a significant drop in the quality and speed of production of standards, and broader limitations on Internet freedoms.20

A Split Standard? What is generally omitted from these discussions, however, is the question of what would happen if neither the CIRP nor the ITR proposals were accepted, yet the standards process as it exists today were to continue unchanged. If China and others continue to find that the IETF and the multi-stakeholder model of standards production are unacceptable, what would they do? Might China or a coalition of countries unilaterally pull out from the IETF process by mandating the adoption of non-IETF standards? It has happened before, albeit on a much smaller scale. In 2003, in one prominent example, the Chinese government mandated a Chinese-designed standard called the WLAN Authentication and Privacy Structure (WAPI) as the domestic alternative to the Wi-Fi wireless family of standards developed by the Institute of Electrical and Electronics Engineers (IEEE).21 The Chinese government argued that the IEEE wireless standard had serious security flaws and that it required the payment of such high royalties that it was damaging domestic Chinese firms. In order to promote the domestic WAPI standard, the Chinese government set a requirement that all new devices in China using wireless technologies would have to include WAPI configurations. This break from the international standard posed a serious problem for non-Chinese vendors
who, under the particularly protectionist terms of the WAPI requirement, would have been unable to enter the Chinese market. It was only under high-level pressure from the U.S. government and the threat of WTO intervention that China ultimately suspended its WAPI requirement – although the issue remains under discussion in the International Organization for Standardization (ISO).22

While the WAPI case did not pose a risk to the Internet’s core internetworking protocols and only impacted those devices in China using wireless technology, the WAPI case is nonetheless illustrative of the type of standards policy China, or perhaps a coalition of countries including China, could pursue if their concerns are not addressed. Governments could mandate that all domestic vendors configure their equipment to run on non-IETF standards; in a more extreme situation, governments could even place an outright ban on IETF standards altogether. Given its large consumer market, growing self-confidence, and desire to advance domestic technologies, China would likely take the lead in any standards cleavage. But other countries, similarly dissatisfied with the IETF and the other multi-stakeholder Internet standards bodies, or hoping to move closer economically or politically to China, might follow suit. Recent announcements by Pakistan and Iran indicating their intention to withdraw in large part from the global Internet have demonstrated that countries are not unwilling to take drastic steps to create a domestic Internet environment favorable to what their governments perceive to be compelling state security and economic interests.23 Such a move by China or a coalition of countries might not cleave the Internet in a dramatic way, but instead lead to a more expensive market for Internet products. However, it also could, depending on the type of standard and the way the laws and regulations were written, significantly affect the interoperability of the Internet.24

Moving Forward. Today, Western governments, particularly the United States, are waging a concerted diplomatic campaign to keep the Internet free from the type of UN/ITU control proposed by India through the CIRP, and by China, Russia and others through amended language in the ITRs. The U.S. and its international partners have tried to make the case that such a move would, among other things, significantly limit the Internet’s ability to grow and innovate. The U.S. Congress has even adopted a Concurrent Resolution calling for the United States government to block all proposals that “would justify under international law increased government control over the Internet and would reject the current multi-stakeholder model that has enabled the Internet to flourish.”25 Strongly worded public statements such as this send a clear message to governments around the world that the United States and its allies are committed to a multi-stakeholder model of Internet governance, and will not accept a major deviation from the existing regime.

But while strongly worded statements and international outreach are useful, and should be amplified in the months leading to WCIT-12 in Dubai, even under the best of outcomes at WCIT, it is an unfortunate reality that there are powerful political and commercial forces that will continue to exert pressure on the existing standards process, with the concomitant risk of a technically bifurcated Internet. It is encouraging that the IETF and other multi-stakeholder organizations are in the process of reforming their decision-making processes to allow the input of a greater diversity of participants, but that will not alone allay the concerns of national governments that continue to view the current standards process as inimical to their economic and security interests.

In short, the Western diplomatic effort needs to entail more than strong statements and more than minor reforms of the regulatory processes. In particular, American policy-makers, who inevitably will take the lead in this effort to ensure a continuing cooperative standards process globally, will need to initiate a renewed effort to address the underlying concerns of those countries that view themselves at a disadvantage in the current standards environment.

The keys in the months and years ahead—especially in the run-up to WCIT-12—will be those countries currently sitting on the fence in this struggle, countries that may not yet have made a definitive assessment of whether and how their interests are being affected. Representatives of the United States, its allies, and concerned members of civil society, must seek to inform – “to lobby” might be a more honest verb – responsible leadership from those countries about the very real threat balkanized standards pose to their specific political and commercial interests.

Further, policy-makers will need to devise creative proposals to offer these countries tangible benefits for their continued support of the multi-stakeholder system. For example, the United States and the EU could attempt to persuade the international companies that are paid royalties for the intellectual property embedded in standards to accept reduced royalties from poorer nations that are especially burdened by royalty payments (following the manner in which the great international pharmaceutical companies were persuaded to discount HIV medications to sub-Saharan Africa). As a second example, the United States could facilitate increased admissions opportunities in its leading engineering schools (and corresponding visa availability) for students from nations whose citizens have historically not been found on the membership lists of standards organizations. Not only would those American-trained engineers in the long run contribute to their home countries’ development, in the short run, they would earn credentials that would permit them to participate in, and influence, the multi-stakeholder system.

The present challenges to the current Internet standards system are numerous and varied. It is the thesis of this essay, and of the larger research project from which these ideas were drawn, that those challenges present a real threat to the continuing growth and value of the Internet. Too much can be made of the harm that could result from an adverse vote at WCIT-12—surely the language of the Congress’ Concurrent Resolution was disproportionate to the potential problems. Nevertheless, Dubai should serve to focus Western attention on the full range of those challenges—perhaps especially the challenges that are not going to be on the agenda at WCIT-12— and ought to inspire policy-makers to develop a correspondingly broad range of responses. The nations supporting the current system, including the United States and its Western allies, need to use traditional diplomatic persuasion, economic muscle, and “soft power” to sustain a system that has benefited not just the West but those nations so desperately in need of the development potential that the Internet offers.

NOTES

1 See John Bernoff, “Prepare for the Age of the Splinternet.” PBS Marketplace, Internet, http://www.marketplace.org/topics/tech/prepare-age-splinternet (date accessed: 9 September 2012); Kevin Werbach, “The Centripetal Network: How the Internet Holds Itself Together, and the Forces Tearing it Apart,” UC Davis Law Review vol. 42 (2009): 343; Bob David, “Rise of Nationalism Frays Global Ties, Trade, Environment Face New Threats; Balkanized Internet.” The Wall Street Journal Online, 28 April 2008; Rana Foroohar, “The Internet Splits Up,” The Daily Beast, 14 May 2006, Internet, http://www.thedailybeast.com/newsweek/2006/05/14/the-internet-splits-up.html (date accessed: 10 September 2012).

2 A. Michael Foomkin, “Habermas@discourse.net: Towards A Critical Theory of Cyberspace.” Harvard Law Review 116: no. 3 (2003): 749-873.

3 Subheading taken from a much-read 1995 article from Wired Magazine by Paulina Borsook, “How Anarchy Works,” Internet, http://www.wired.com/wired/archive/3.10/ietf.html (date accessed: 10 September 2012).

4 The World Wide Web Consortium (W3C), the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and countless others also contribute to the standards process. However, for the purposes of this section, I will refer only to a small subset of these groups. The criticisms of IETF are also waged against other multi-stakeholder standards organizations, such as the W3C, albeit to a lesser extent.

5 There is significant disagreement among scholars and standards professionals over the definition of an open standards process. The IETF definition is expansive. See S. Bradner, “The Internet Standards Process,” 1996, Internet, http://tools.ietf.org/html/rfc2026#page-24 (date accessed: 10 September 2012) and the Berkman Center Guide, “Roadmap For Open ICT Ecosystems,” Internet, http://cyber.law.harvard.edu/epolicy/roadmap.pdf (date accessed: 10 September 2012).

6 See Timothy Simcoe, “Delay and De Jure Standardization: Exploring the Slowdown in Internet Standards Development” in Standards and Public Policy, Shane Greenstein and Victor Stango, eds., (Cambridge University Press, 2007), 260-295.

7 Timothy Simcoe, interview with Jonah Hill, written interview notes, Boston, 2 December 2011.

8 For a common critique of the current state of Internet governance and its perceived American domination, see Parminder Jeet Singh, “India’s proposal will help take the web out of U.S. control,” The Hindu, 17 May 2012, Internet, http://www.thehindu.com/opinion/op-ed/article3426292.ece (date accessed: 10 September 2012).

9 The RFC series constitutes the IETF’s primary body of work. Once developed, standards are published as RFCs, but other categories of work such as experimental protocols, informational documents, and proposed/draft standards are also included in the RFC series. For more information see: RFC 1792, “Not All RFCs are Standards” and RFC 3160, “The Tao of the IETF.”

10 “Distribution of RFCs According to the Countries of their Authors,” 5 January 2012, Internet, http://www.arkko.com/tools/rfcstats/d-countrydistr.html (date accessed: 10 September 2012).

11 “IETF Document Statistics: What’s Going On in the IETF?,” Internet, http://www.arkko.com/tools/docstats.html (date accessed: 10 September 2012).

12 S. Brim, “Guidelines for Working Groups on Intellectual Property Issues,” Internet Engineering Task Force RFC 3699, February 2004, Internet, http://www.ietf.org/rfc/rfc3669.txt.

13 “Distribution of Author per Companies” supra note 10.

14 David Clark, interview with Jonah Hill, written interview notes, Massachusetts Institute of Technology, 22 November 2011.

15 Ibid.

16 Baisheng An, “Intellectual Property Rights in Information and Communications Technology Standardization: High Profile Disputes and Potential for Collaboration Between the United States and China,” Texas International Law Journal, Vol. 45 (2009): 175.

17 For a complete text of the Indian statement to the 66th session of the UN General Assembly, see “India’s Proposal for a UN Committee for Internet Related Policies (CIRP),” IGFWatch News, 29 October 2011, Internet, http://igfwatch.org/discussion-board/indias-proposal-for-a-un-committee-for-internetrelated-policies-cirp (date accessed: 12 September 2012).

18 Joe Watz and Phil Weiser, “Internet Governance at a Crossroads,” The Huffington Post, 15 January 2012, Internet, http://www.huffingtonpost.com/joewaz/internet-governance-at-a-_b_1203125.html (date accessed: 10 September 2012).

19 “Civil Society Must Have Voice as ITU Debates the Internet,” Center for Democracy and Technology, 16 March 2012, Internet, https://www.cdt.org/policy/civil-society-must-have-voice-itu-debates-internet#3; “Internet Society comment to WCIT Preparations: February 2012,” Internet, http://internetsociety.org/February%202012%20Internet%20Society%20comment%20to%20the%20WCIT%20Preparations (date accessed: 10 September 2012).

20 Robert McDowell, “The UN Threat to Internet Freedom” Wall Street Journal Online, 21 February 2012, Internet, http://online.wsj.com/article/SB10001424052970204792404577229074023195322.html (date accessed: 10 September 2012); and Ambassador David Gross and Ethan Lucarelli “The 2012 World Conference on International Telecommunications: Another Brewing Storm Over Potential UN Regulation of the Internet,” November 2011, Internet, http://www.whoswholegal.com/news/features/article/29378/the2012-world-conference-international-telecommunications-brewing-storm-potential-un-regulationinternet/ (date accessed: 10 September 2012).

21 The IEEE, which is responsible for a number of telecommunication standards, is, like the IETF, a majority American-member organization. More than 50 percent of the IEEE’s members are from the US; see: http://www.ieee.org/about/today/at_a_glance.html#sect1.

22 For an excellent overview of the WAPI case, see Baisheng An, 2009, supra note 16.

23 Haroon Rashid. “Pakistan’s quiet erosion of Internet freedom,” BBC News Online, 23 March 2012, Internet, http://www.bbc.co.uk/news/worldasia-17476763 (date accessed: 10 September 2012); Christopher Rhoads and Farnaz Fassihi, “Iran Vows to Unplug Internet” Wall Street Journal Online, 19 December 2011, http://online.wsj.com/article/SB10001424052748704889404576277391449002016.html (date accessed: 10 September 2012).

24 A useful case study is the split that occurred between the MPLS and T-MPLS standards. As a result of IETF/ITU failed coordination, and Chinese industry lobbying efforts, the ITU advanced an uninteroperable version of an IETF standard. For a good overview, see Iljitsch van Beijnum, “ITU bellheads and IETF netheads clash over transport networks,” Ars Technica, 3 May 2011, Internet, http://arstechnica.com/tech-policy/news/2011/03/itu-bellheads-andietf-netheads-clash-over-mpls-tp.ars (date accessed: 10 September 2012); and the comment by the Internet Society, and “IETF and Internet Society Statement relating to today’s ITU-T SG15 decision that will lead to non-interoperability in MPLS development,” February 2011, Internet, http://www.coisoc.org/2011/02/ietf-and-internet-society-statementrelating-to-today’s-itu-t-sg15-decision-that-willlead-to-non-interoperability-in-mpls-development/ (date accessed: 10 September 2012).

25 H. Con. Res. 127, 2 August 2012, Internet, http://www.govtrack.us/congress/bills/112/hconres127/text (date accessed: 10 September 2012).


Cyber Conflict and the War Powers Resolution

Congressional Oversight of Hostilities in the Fifth Domain

Jason Healey and A.J. Wilson

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council, focusing on international cooperation, competition and conflict in cyberspace. Since the 1990s, he worked on cyber issues as a policy director at the White House, vice president at Goldman Sachs and a U.S. Air Force intelligence officer. A.J. Wilson is a Visiting Fellow with the Atlantic Council’s International Security program. He is a former Political Advisor in the British Parliament, and previously practiced law with the firm of Dorsey & Whitney LLP.

Since 1973, Congress has claimed the right to terminate military engagements under the War Powers Resolution (WPR).1 Beginning with Richard Nixon, whose veto had to be overturned to pass the WPR, presidents have typically regarded its provisions as unconstitutional limits on the authority of the Commander-in-Chief.2 The Obama administration has taken a slightly different tack, however, accepting “that Congress has powers to regulate and terminate uses of force, and that the [WPR] plays an important role in promoting interbranch dialogue and deliberation on these critical matters,” but seeking nonetheless to limit the application of the WPR to certain types of conflict.3 In a recent report, the Pentagon has made clear its view that, on its own, a cyber conflict would not require congressional approval under the WPR.4 However, since future cyber conflicts could involve physical injury and death, this is neither the only possible view nor the most obvious one. The alternative position—that the waging of cyber war ought to receive as much legislative scrutiny as kinetic conflicts—depends in large part on the recognition that, since cyber is indeed the fifth domain of conflict, logical presence in cyberspace counts for as much as physical presence in the kinetic domains. This paper argues that the WPR does, in fact, apply to cyber operations, even on the basis of the Department of Defense’s own policy statements on the matter. And so, in our view, WPR should be adopted because the waging of significant cyber warfare should not be left to the Executive alone.

We will first analyze the critical provisions of the WPR and identify the key terms. We will then focus on the current administration’s view of the Resolution, as developed in the context of the Libyan conflict, and show that it is remarkably narrow in light of the WPR’s history and intent. Then we will examine how the Pentagon has applied a similar approach in the realm of cyber conflict, and contrast that approach with other recent policy statements from the Department of Defense. Finally, we will introduce the concept of ‘logical presence’ and argue on that basis that the WPR ought to apply to cyber conflicts in the same way that it applies to physical ones.

The War Powers Resolution. Under the WPR, the president is obliged to report to Congress within forty-eight hours of:

[A]ny case in which United States Armed Forces are introduced— (1) into hostilities or situations where imminent involvement in hostilities is clearly indicated by the circumstances; (2) into the territory, airspace or waters of a foreign nation...; or (3) in numbers which substantially enlarge United States Armed Forces equipped for combat already located in a foreign nation.5

Situations falling within items (2) or (3) only trigger the reporting requirement. However, in the circumstances contemplated by item (1), the president must, in addition to satisfying the reporting obligation (and absent congressional approval of his actions), terminate the use of U.S. armed forces within sixty days.6 A further thirty days are available if the president certifies that only with such an extension can the forces committed be safely withdrawn.7 In other words, the president, as Commander-in-Chief, may commit forces for a maximum of ninety-two days without the approval of Congress.

Examination of the War Powers Resolution. To analyze how the WPR may affect current or future cyber conflicts, it is first necessary to examine the law and how the present administration applies it. From Nixon to George W. Bush, presidents have regarded the WPR as an affront to their constitutional prerogatives. Yet all presidents since Nixon’s successor, Gerald Ford, have submitted reports in accordance with the resolution’s terms, although using varying thresholds.8 The text of the War Powers Resolution has four operative terms which are critical to understanding the requirement set by Congress: “Armed Forces,” “Hostilities,” “Territory,” and “Introduction.” None of these are expressly defined. This is highly significant for present purposes: whether cyber conflict falls within the WPR depends largely on the width of the interpretations placed on these key terms. At a higher level of analysis, the narrower the interpretation of these terms, the more power to commit forces is left in the hands of the Executive alone, and the smaller the space for legislative oversight.

Analysis of the Term “Hostilities.” The Obama administration, in justifying its expansive vision of Executive power, has generally sought to put forward what, in our view, are troublingly narrow definitions.9 With regard to U.S. operations over Libya, Obama administration officials have sought to limit the scope of the WPR by adopting a narrow approach to the definition of “hostilities.” Initially, the president reported the Libyan engagement to Congress within the forty-eight hour window provided by the WPR, describing his report as “part of my efforts to keep the Congress fully informed, consistent with the War Powers Resolution.”10 As noted, sixty days after the submission of his initial report the president is required either to pull the forces out or to certify that a thirty-day extension is necessary in order to withdraw them safely. When that deadline arrived with respect to Libya, Obama did neither of these things. Instead, on 20 May 2011, the sixtieth day, he sent another letter soliciting congressional support for the deployment. This second letter did not mention the WPR.11 Subsequently, a few days before the ninety-two day outer limit of the WPR, the president provided to Congress a “supplemental consolidated report... consistent with the War Powers Resolution,” which reported on a number of ongoing deployments around the world, including the one in Libya.12 At the same time, the Pentagon and State Department sent congressional leaders a report with a legal analysis section justifying the non-application of the WPR, but also calling again for a congressional resolution supporting the war.13 Later, State Department legal adviser Harold Koh expanded upon this analysis in testimony before the Senate Foreign Relations Committee, arguing that operations in Libya should not be considered relevant “hostilities” for four reasons (our emphasis):

First, the mission is limited… U.S. forces are playing a constrained and supporting role in a NATO-led multinational civilian protection operation, which is implementing a UN Security Council resolution tailored to that limited purpose…Second, the exposure of our armed forces is limited… our operations have not involved U.S. casualties or a threat of significant U.S. casualties… active exchanges of fire [or] significant armed confrontations or sustained confrontations of any kind…Third, the risk of escalation is limited… [there is no] significant chance of escalation into a broader conflict characterized by a large U.S. ground presence, major casualties, sustained active combat, or expanding geographical scope…
Fourth and finally, the military means we are using are limited… The violence that U.S. armed forces have directly or indirectly inflicted or facilitated… has been modest in terms of its frequency, intensity, and severity.14

It is apparent that in defining “hostilities” the administration’s focus is on kinetic operations passing a certain threshold of intensity: while there is no detailed indication in Koh’s testimony of what weight is to be accorded to each of the factors he enumerates, the overriding emphasis is on physical risk to U.S. personnel. As Koh himself said, “we in no way advocate a legal theory that is indifferent to the loss of non-American lives. But... the Congress that adopted the War Powers Resolution was principally concerned with the safety of U.S. forces.”15 The consequences for opposing forces, and for the foreign relations of the United States, matter less, if not at all. Libyan units were decimated by NATO airstrikes; indeed, it was a U.S. strike that initially hit Muammar Gaddafi’s convoy in October 2011, leading directly to his capture and execution. Significantly, though, the strike came not from an F-16 but from a pilotless Predator drone flown from a base in Nevada.16 The apparent significance of this for present purposes is that even an operation targeting a foreign head of state does not count as “hostilities,” provided there is no danger of U.S. casualties.

This is not a new view; indeed, Koh relied heavily on a memorandum from his predecessor in the Ford Administration, which defined “hostilities” as “a situation in which units of the U.S. armed forces are actively engaged in exchanges of fire with opposing units of hostile forces.”17 This formulation would presumably exclude drone attacks, air strikes against primitively defended positions and, most importantly for present purposes, remote cyber operations.18 Indeed, a large part of the administration’s case for the absence of “hostilities” in Libya, and therefore the non-application of the WPR, rested on its ability to keep pilots out of harm’s way by carrying out low-level, tactical strikes such as the raid on Gaddafi’s convoy using unmanned aerial vehicles instead of traditional manned aircraft.19 As remote war-fighting technology becomes ever more capable, reliable, and ubiquitous, the administration’s restrictive definition of “hostilities” could open up a huge area of untrammeled executive power.20 For example, neither the current administration nor its immediate predecessor has reported under the WPR any of the hundreds of remote drone strikes carried out in Pakistan, Yemen, or Somalia over the past decade. Speculation about their reasons for failing to do so is beyond the scope of this paper.21 But the Pentagon has recently made clear its position that another form of remote warfare, cyber operations, is also not covered by the WPR.22

Analysis of the Term “Introduction.” A recent Department of Defense pronouncement reveals how Obama’s minimalist approach to the WPR has been carried into the cyber realm. In a report submitted to Congress in November 2011, pursuant to a mandate in section 934 of the National Defense Authorization Act for fiscal year 2011, the Pentagon, quoting the WPR’s operative language, stated that:23

Cyber operations might not include the introduction of armed forces personnel into the area of hostilities. Cyber operations may, however, be a component of larger operations that could trigger notification and reporting in accordance with the War Powers Resolution. The Department will continue to assess each of its actions in cyberspace to determine when the requirements of the War Powers Resolution may apply to those actions.

This declaration receives no further explanation in the Section 934 report. But the general assumption is clear: the WPR will typically not apply to exclusively cyber conflicts, because the personnel carrying out such operations will usually work from centers inside the United States, such as the CYBERCOM facility at Fort Meade, Maryland, at a significant distance from the systems they are attacking and well out of harm’s way. Thus, the report argues, there is no relevant “introduction” of armed forces. Without such an “introduction,” even the reporting requirements are not triggered.

As we have seen, in addition to its “hostilities” provisions, which set the sixty-day clock running, the WPR also requires notification (though without starting the clock for withdrawal) when armed forces are “introduced” into foreign “territory, airspace, or waters” in circumstances short of hostilities. This provision is ignored in the Section 934 report. The Pentagon seems to have interpreted the congressional request to address “use of force in cyberspace”24 as mandating an exclusive focus on introduction into hostilities. But, as we argue below, the “introduction” provisions are as important as the “hostilities” provisions when it comes to understanding the WPR’s application in cyberspace.

War Powers and Offensive Cyber Operations.

The Administration’s Argument. One advantage (to the Pentagon) of the Section 934 report’s focus on “introduction” rather than “hostilities” is that it potentially creates a fallback argument for the DoD’s lawyers: even if there is “introduction” in a cyber operation—requiring a report to Congress—there may nevertheless be no “hostilities” to trigger the sixty-day pullout provision because, consistent with Koh’s Libya testimony, Americans are not put at risk.25 Such an argument would be a tough sell, however, given that the same report expressly refers to “hostile acts in cyberspace.”26 Indeed, as we shall see, current U.S. military doctrine appears to accept the notion that hostilities can and do take place in the cyber realm.

The view that there can be no introduction of forces into cyberspace follows naturally from the administration’s argument that the purpose of the WPR is simply to keep U.S. service personnel out of harm’s way unless Congress authorizes it. If unequal campaigns of manned airstrikes and devastating unmanned missions do not fall under the scope of the resolution, it is reasonable to argue that a conflict conducted in cyberspace does not either. Never mind that the cyber weapons an operator deploys might be causing physical destruction—even death—on the other side of the planet; according to the administration, the WPR focuses on the “introduction” of forces, not the consequences of such introduction for the adversaries of the United States or, for that matter, for U.S. foreign policy. Arguing the point, an administration lawyer might ask, rhetorically, what exactly do cyber operations “introduce”? On a literal, physical level, electrical currents are redirected; but nothing is physically added to—nor taken away from—the hostile system. To detect any “introduction” at all, we must descend into metaphor, and even there, all that is really introduced are lines of code, packets of data: in other words, information. At most, this information constitutes the cyber equivalent of a weapon. “Armed forces,” by contrast, consist of weapons plus the flesh and blood personnel who wield them. And that brings us back to our cyber-soldier who, without leaving leafy Maryland, can choreograph electrons in Chongqing. Finally, even if armed forces are being introduced, there are no relevant “hostilities” for the same reason: no boots on the ground, no active exchanges of fire, and no body bags. The administration might further argue that the WPR was passed in the wake of an open-ended war in Vietnam whose principal tragedy was its mass, fruitless casualties. The intention, surely, was simply to protect future generations of American boys from this fate. If future operations do not put them in harm’s way in the first place, the WPR’s objective has already been achieved.

Rebutting the Administration’s argument. Yet, these explanations fall short. First, they are divorced from the history of the WPR. Previous administrations submitted WPR reports on remote strikes that did not put Americans in danger. Notably, Reagan reported the bombing of Tripoli in 1986, and Clinton reported his cruise missile attacks on Afghanistan and Sudan in response to the 1998 bombings of U.S. embassies in Africa as well as the high-level bombing of Yugoslavia during the Kosovo conflict in 1999.27 At least one contemporary scholar concluded that a major reason the WPR was able to
pass in 1973—and not in 1970, 1971, or 1972, when Congress had debated similar drafts—was the widespread public revulsion towards the bombing of North Vietnam and Cambodia during late December 1972 and early 1973: remote, high-level operations which can scarcely be said to have put U.S. personnel at risk.28

Secondly, and more fundamentally, while preventing unnecessary American deaths is an essential part of the justification for having curbs on the Executive’s power to initiate hostilities, it is by no means the whole story. Military force is also the most drastic—not to mention the most costly—manifestation of national power on the international stage. It should not be used, and nor should its use be prolonged, recklessly. Recognizing this, the framers of the Constitution made the president Commander-in-Chief—but gave Congress the power to declare war.29 The WPR’s language is deliberately drafted broadly in order to give voice to this careful parceling of power in an age in which formal declarations of war are as out of fashion as the imperial-collared diplomats who once delivered them.

Moreover, nowhere other than in the single passage of the Section 934 report discussed above has the DoD asserted that forces cannot be introduced into hostilities in cyberspace. Other DoD writings clearly imply the opposite, and even the Section 934 report itself discusses “hostile acts in cyberspace.” What are “hostilities,” after all, if not a succession of hostile acts? Elsewhere, the DoD has made clear its intention to “treat cyberspace as an operational domain … to ensure the ability to operate effectively in cyberspace,”30 while
the U.S. Air Force’s mission is to “fly, fight, and win in air, space, and cyberspace.”31 It would make little sense to prepare to operate or fight, let alone win, in a domain into which one’s forces cannot be introduced for the purpose of engaging in “hostilities.” More pithily, we might simply say that the Pentagon’s cyber strategy refers to cyber operations both as “intrusions” and “breaches” for good reason.32 It is therefore appropriate to take a broader view of when it is that “United States armed forces” are “introduced into hostilities.” That view should pay attention to the consequences for U.S. foreign relations as well as the risks to American personnel. From this point of view, it would be surprising—to say the least—if a campaign designed, as cyber warfare can be, to degrade another sovereign nation’s economy or ability to defend itself required no congressional imprimatur. Why should such a campaign be treated differently simply because it is conducted not from the air, but from (or, for that matter, in or through) cyberspace?

Physical & Logical Presence.

What, then, might it mean for “armed forces” to be “introduced” into foreign “territory, airspace, or waters” in the cyber realm, or into “hostilities” taking place in cyberspace? In other words, what is the difference between physical and logical introduction? With a little thought, we can begin to sketch out an answer. Presence in cyberspace—that is to say, logical or virtual presence—is not a monolithic concept; but this is also true in the physical space. As with the physical world, where a satellite taking images of a battlefield would be regarded very differently from a team of commandos rappelling into it, not all forms of cyber-presence would count as an “introduction,” or as an introduction into “hostilities.” Table 1 shows a provisional typology of forms of logical presence that may be useful in determining when U.S. armed forces have been sufficiently “introduced into foreign territory [etc.]” or “into hostilities” to trigger the WPR’s reporting and/or withdrawal requirements. Since the DoD has been clear that cyberspace is a domain like air, land, sea, and space, consistency requires application of the WPR whenever US armed forces are “introduced” into a foreign corner of cyberspace.33

Table 1: “Introduction” of Armed Forces in Cyber Conflict

Type of logical presence | WPR status | Approximate physical world equivalent
Connecting own system to the public Internet | None (passive presence) | Setting up sensors to detect and respond to incoming attack, e.g. a PATRIOT missile battery
Mapping or scanning foreign systems | None (transient presence) | Photographing hostile installations, e.g. from the ground or from a satellite
Intrusion into foreign systems and “owning” them | “Introduced” into “territory of a foreign nation” but not “into hostilities” (active presence). Congress requires notification in 48 hours. | Limited covert operation short of attack on host country, e.g. Iranian hostage rescue attempt; raid on Bin Laden compound.
Maliciously manipulating (i.e. breaking) foreign systems; Long-term campaign of such manipulation | “Introduced into hostilities” (hostile presence). Unless Congress approves, forces must be withdrawn in 60/90 days. | Armed attack on host country, e.g. Operation Unified Protector.

Just as in the physical world, armed forces may have to be introduced into a potential cyber battlefield prior to the onset of hostilities, to scout or prepare the ground for the main assault. Such intrusions may constitute “introductions” sufficient to trigger congressional notification. Administrations may regard this as problematic because prehostilities preparation must be secret and notification is seen as inviting leaks. But separation of powers is an important precept, and the WPR achieves it in a subtly proportionate way for intrusions conducted under Title 10 military authority.34 In the planning phase, prior to any introduction of forces, the only requirement is “consultation” with Congress, and even then only when such consultation is possible in the circumstances. Once forces are introduced, but before they engage in hostilities—as in the scouting or preparation scenarios described above—Congress must be notified. But the sixty day window for withdrawal does not begin until the onset of actual or imminent hostilities. The involvement of Congress is thus phased in a manner appropriate to the magnitude of the operations concerned.

Intrusions under Title 50 intelligence authority, where secrecy is paramount, would receive congressional oversight through the appropriate intelligence committees and not through a WPR report. As a practical matter, the intrusions may be similar (and may even be conducted by the same units and personnel), but this distinction between war fighting and intelligence-gathering is an important one for U.S. foreign policy, and indeed for the balance between secrecy and oversight.

The gradation in the WPR, and the availability of two distinct authorities, thus provides a reasonable compromise between executive freedom of action and legislative oversight. Indeed, presidents may well prefer this to the alternative: namely, the prospect of Congress using its power of the purse to regulate military activity. This “nuclear option” of restraint via the federal budget is politically far easier to use in cyber conflicts: whereas few congressmen would approve of cutting funds to soldiers in harm’s way in foreign fields, they need have no such reservations in respect of malware in foreign hard drives. Involving the legislative branch in executive decision-making in this gradated manner—which, as the table shows, is easily transposed to the logical realm—need be neither unreasonable nor disproportionate. On the contrary, it needs to occur to some extent. After all, openness is required of those who govern open societies. Especially in this information age, we as citizens are right to expect it.

Conclusion. The United States needs the capacity to carry out offensive operations in cyberspace, but the executive must accept that the same checks and balances that apply to physical hostilities apply also to cyber conflict. Future cyber attacks may have the ability to destroy or degrade an adversary’s critical infrastructure, cripple its economy, and seriously compromise its ability to defend itself. They may cause physical injury or even death. Their strategic consequences—not to mention their fiscal and economic costs—may be just as significant as a physical attack. This is, indeed, why the Pentagon has rightly decided to treat cyberspace as the fifth domain. But it must, by the same token, accept that logical forms of presence matter in cyberspace in the same way that physical forms matter in the kinetic space, and therefore it must apply the WPR accordingly. The Founding Fathers could not have imagined a world in which weapons made of information travel around the globe at the speed of light; but they did know how to distribute power to encourage restraint in its application. Even in cyberspace, there is a voice for both branches.

NOTES

1 War Powers Resolution, U.S. Code 50 (1973), § 1541ff.
2 United States Constitution. art. II, sec. 2.
3 Harold Hongju Koh, “Testimony on Libya and War Powers Before the Senate Foreign Relations Committee,” Internet, http://www.foreign.senate.gov/imo/media/doc/Koh_Testimony.pdf (date accessed: 28 June 2011).
4 “Cyberspace Policy Report,” Internet, http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf (date accessed: November 2011).
5 War Powers Resolution, § 1543(a).
6 Ibid, § 1544(b).
7 Ibid.
8 Richard F. Grimmett, “The War Powers Resolution: After Thirty-Six Years,” Internet, http://www.fas.org/sgp/crs/natsec/R41199.pdf (date accessed 22 April 2010). “War Powers Resolution: Presidential Compliance,” Internet, http://www.fas.org/sgp/crs/natsec/RL33532.pdf (date accessed: 1 February 2012).
9 The lack of definition in the statute is probably intentional (Koh, 4-5). “Armed forces” is defined in Title 10 of the US Code as comprising the Army, Navy, Air Force, and Marines, but that definition does not apply for Title 50 purposes, and in any event scarcely takes our understanding any further.
10 “Letter from the President regarding the commencement of operations in Libya,” Internet, http://www.whitehouse.gov/the-press-office/2011/03/21/letter-president-regarding-commencement-operations-libya (date accessed: 21 March 2011).
11 “President Obama’s Letter About Efforts in Libya,” Internet, http://www.nytimes.com/2011/05/21/world/africa/21libya-text.html (date accessed: 20 May 2011).
12 Note that the WPR requires six-monthly reports on ongoing deployments, whether or not involving hostilities. War Powers Resolution, § 1543. “Letter from the President on the War Powers Resolution,” Internet, http://www.whitehouse.gov/the-press-office/2011/06/15/letter-president-war-powers-resolution (date accessed: 15 June 2011).
13 “United States Activities in Libya,” Internet, http://www.foreignpolicy.com/files/fp_uploaded_documents/110615_United_States_Activities_in_Libya_--_6_15_11.pdf (date accessed: 15 June 2011). This document states, under the heading “Legal Analysis and Administration Support for Bipartisan Resolution,” that “US military operations are distinct from the kind of ‘hostilities’ contemplated by the Resolution’s 60 day termination provision. US forces are playing a constrained and supporting role in a multinational coalition, whose operations are both legitimized by and limited to the terms of a United Nations Security Council Resolution… US operations do not involve sustained fighting… active exchanges of fire… the presence of US ground troops… US casualties or a serious threat thereof, or any significant chance of escalation into a conflict characterized by these factors. The Administration has repeatedly indicated its strong support for the bipartisan resolution… that would confirm that both branches are united in their commitment to supporting the aspirations of the Libyan people for political reform and self-government.”
14 Koh, 7-10, supra note 3.
15 Ibid, 9.
16 Thomas Harding, “Col Gaddafi killed: convoy bombed by drone flown by pilot in Las Vegas,” Internet, http://www.telegraph.co.uk/news/worldnews/africaandindianocean/libya/8839964/Col-Gaddafi-killed-convoy-bombed-by-drone-flown-by-pilot-in-Las-Vegas.html (date accessed: 20 October 2011).
17 Koh, 6, supra note 3.
18 Of course, political reality must be acknowledged. If the administration had been able to obtain congressional authorization, it surely would have welcomed it, and discarded its argument that such approval was unnecessary. A deeply divided and war-weary legislative branch made such decisive support unlikely, however. No doubt it was this political impasse more than anything else that drove the administration to field its restrictive interpretation of “hostilities.” Nevertheless, as Koh’s reference to a Ford-era opinion makes clear, presidential statements about WPR applicability set precedents.
19 Charlie Savage and Mark Landler, “White House Defends Continuing U.S. Role in Libya Operation,” Internet, http://www.nytimes.com/2011/06/16/us/politics/16powers.html?pagewanted=all (date accessed: 15 June 2011).
20 Peter W. Singer, “Do Drones Undermine Democracy?” Internet, http://www.nytimes.com/2012/01/22/opinion/sunday/do-drones-undermine-democracy.html?pagewanted=all (date accessed: January 21st, 2012).
21 One argument for failing to report the strikes—albeit, in our view, a deeply unattractive one—might be that drone strikes outside Afghanistan are carried out by the CIA, not the military, and therefore fall outside the scope of a resolution that deals with the deployment of “armed forces.”
22 Singer.
23 Cyberspace Policy Report.
24 Ibid, 9.
25 This is probably the legal explanation for why the Administration felt obliged to report the Libyan operation to Congress, but denied that it required congressional approval to continue the conflict.
26 Cyberspace Policy Report, 2.
27 Grimmett War Powers Resolution: Presidential Compliance.
28 William B. Spong, Jr., “The War Powers Resolution Revisited: Historic Accomplishment or Surrender?” Internet, http://scholarship.law.wm.edu/wmlr/vol16/iss4/8, 827-828.
29 United States Constitution. art. II, sec. 2; art. I, sec 8.
30 “Strategy for Operating in Cyberspace,” Internet. http://www.defense.gov/news/d20110714cyber.pdf (date accessed July 2011). 5.
31 “The Official Website of the U.S. Air Force,” Internet. http://www.af.mil/main/welcome.asp.
32 Strategy for Operating in Cyberspace, 6.
33 Unless an administration chose to make the case that a cyber operation was not an intrusion but akin to flying a satellite in space over another nation, which doesn’t involve any intrusion. It would be odd indeed if the U.S. were to make this argument, given the characterization of cyber operations as “hostile acts” discussed above.
34 While the WPR is codified under Title 50 of the U.S. Code, here we are using ‘Title 10’ and ‘Title 50’ as shorthand for the president’s authority in federal law to, respectively, use military force and gather intelligence.



Leadership and Responsibility for Cybersecurity

Melissa E. Hathaway

Melissa Hathaway is President of Hathaway Global Strategies, LLC and former Acting Senior Director for Cyberspace, U.S. National Security Council. Hathaway served as Cyber Coordination Executive and Director of the Joint Interagency Cyber Task Force in the Office of the Director of National Intelligence. Previously, Hathaway was a Principal with Booz Allen & Hamilton, Inc.

According to Darwin, “it is not the most intellectual of the species that survives; it is not the strongest that survives; but the species that survives is the one that is able best to adapt and adjust to the changing environment in which it finds itself.”1 We have certainly adapted to the Internet and the technology that underpins it. In fact, we have made it an integral part of just about everything in our life; and in many ways we take it for granted that it will always work twenty-four hours a day, seven days a week. There are approximately 2.5 billion Internet users around the world of which nearly half are below the age of twenty-five.2 Yet, there is another set of actors that have adapted more successfully: criminals, spies, and some clever guys. Media headlines announce daily that our bank accounts are being robbed, our intellectual property is being illegally copied, and our critical infrastructures are penetrated and could stop working at any moment. The very fabric that contributes to nearly 40 percent of the productivity growth of the global economy also facilitates an equally robust underground economy.3 These messages appear to fall on deaf ears as our corporate and political leaders continue to talk about the troubled environment, yet too few are adapting to or assuming the responsibility for resolving it. Instead, our leaders appear to be paralyzed by the prolonged economic recovery and are in denial of the security needs of our infrastructures and enterprises. Why? Because of the difficulty in balancing parallel demands: economic recovery and growth vis-à-vis national security and infrastructure protection. This tension is further exacerbated by the competition for resources, lagging policy implementation, and an ill-defined technology roadmap to address security shortfalls as we adopt and embed the next-generation technology into our infrastructures and enterprises. Policy makers, legislators, and businessmen should assess the gap between the current defense posture and our needed front line defense in the face of an increasingly sophisticated range of actors. This paper describes a series of case studies that highlight the lack of attention being paid to this serious problem and the subsequent policy and technology solutions that are being brought to bear to close the gap.

Operation Buckshot Yankee. In the fall of 2010, Deputy Secretary of Defense William Lynn stated that the Department of Defense (DoD) had “suffered a significant compromise of its classified military computer networks.”4 The penetration occurred in 2008 and was delivered via trusted uniformed military personnel who were using USB mass-storage devices to move important operational information between unclassified and classified systems in support of U.S. Central Command’s military operations. The devices at issue contained a malicious computer code, which was able to proliferate undetected from network to network. The code was designed to illegally copy information and, when possible, transfer it to servers under foreign control. The DoD code-named the discovery of, and recovery from, this incident “Operation Buckshot Yankee.” Government leaders wanted to learn the extent of the penetration and whether the networks could still be “trusted.” Thousands of man-hours were expended to hunt and isolate the infections. The DoD developed and deployed technology to detect and close communication channels, as well as to eradicate the infections. The total operational and capital cost has yet to be publicly disclosed.

From a policy perspective, the Secretary of Defense and the Chairman of the Joint Chiefs of Staff announced a temporary abandonment of the use of portable media/storage devices. This affected department performance, enterprise agility, and for some, the ability to execute their missions. From a technology perspective, it required a change in architecture. Prior to this event, the DoD focused its defensive posture from an outside-in, defense-in-depth strategy. And even though in 2007, the Comprehensive National Cybersecurity Initiative (CNCI) articulated and funded defensive programs along four attack vectors—insider access, proximity access, remote access, and supply chain access—the DoD had not yet implemented technology to detect and deny tainted technology brought into the enterprise by way of trusted insiders.5 Operation Buckshot Yankee required the DoD to begin to configure its sensors to look for and alert anomalous behavior inside its networks. It also required the DoD to implement a data loss prevention program to block illegal data loss. The DoD continues to suffer from more than 6 million probes per day with an untold number of successful intrusions against their unclassified networks.6

Who is being held accountable for the DoD’s cyber posture? Is it the DoD Chief Information Officer, the Director of the Defense Information Services Agency, or the Commander of United States Cyber Command? Actually, it is a combination of these individuals and offices and many more. Ultimately, however, the overall defensive posture for the DoD rests in the hands and responsibility of the Secretary of Defense. And while he may have been embarrassed by a foreign country being able to penetrate the armor of the classified networks, neither the DoD nor any of its leaders appear to have suffered any real penalties or repercussions. If we are to adapt and adjust, we must require greater accountability and demand leaders who will take charge rather than sit back and react only when necessary.

Certificate Authorities. In 2011, governments and corporations alike observed a new trend that threatened their ability to trust Internet transactions: the targeting, penetration, and compromise of companies that produce security products. In particular, the weak security postures of certificate authorities, including Comodo, DigiNotar, and RSA, were exploited, causing a wave of other crimes and consequences. Digital certificates represent a second form of identity to help enhance “trust” for financial or other private Internet transactions by confirming that something or someone is genuine.7 These certificates have become the de-facto credential used for secure online communications and sensitive transactions, such as online banking or accessing corporate email from a home computer.

In March 2011, RSA informed its customers of a breach of its corporate network, which could reduce the effectiveness of its SecurID two-factor authentication token.8 RSA’s SecurID two-factor authentication system is a widely used digital certificate system for remote access logins to corporate networks through virtual private networks and by many financial institutions including the United States Federal Reserve Bank. On 21 May 2011, a leading U.S. defense contractor, Lockheed Martin, had its networks penetrated. The perpetrators used duplicates of RSA’s SecurID tokens to gain access to Lockheed’s internal network.9 After this breach and several others resulting from the SecurID issue, RSA leadership stated it would replace tokens, upon customer request but not necessarily free of charge.10

Another certificate authority provider was penetrated in June 2011. DigiNotar’s corporate network servers were successfully penetrated and hackers gained administrative rights to its system. An audit was ordered by its parent company, Vasco, in July 2011 and the auditors discovered that the cryptographic keys had been compromised and rogue certificates had been issued.11 The Dutch government was among DigiNotar’s key customers. These compromises represent “a
threat to one of the most fundamental technologies used to secure online communications and sensitive transactions.”12 The impact of these events is multifold. First, it calls into question the validity of two-factor authentication. Clearly, the cryptographic keys can be compromised and therefore, whoever has the “keys to the kingdom” can impersonate something or someone and compromise the integrity of that remote transaction. Second, these companies sell security; it is their brand. If a security company is unwilling to invest in its own security, then why should others invest in theirs? Finally, the incidents caused harm. DigiNotar closed its doors after filing bankruptcy, and RSA suffered a loss of nearly $66 million and a diminished reputation.13 One could even debate whether RSA’s lack of full disclosure of the extent of their breach and compromise of their product’s integrity could lead to actions being filed against them—either by customers or government investigators. Time will tell what the true cost of these intrusions will be to the certificate authorities and their customers.

From a policy perspective, certificate authorities in particular and security vendors in general need to get back to security basics. The very enterprises that make a profit on their customers’ insecurity are insecure themselves. They are failing to lead by example by not making the basic investment required to secure their own infrastructures and enterprises. They are not even implementing the minimal information security procedures and controls outlined in the Consensus Audit Guidelines or the National Institute of Standards and Technology (NIST) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.14 Security vendors should use these available resources and implement a policy that recognizes that some data should not be accessible via the Internet and publicly acknowledge the need for and implement better information security controls.

From a technology perspective, these companies have discovered that they need to install new technologies and employ more vigilant processes in their enterprises to detect anomalous behavior and continuously monitor their enterprises for good and bad activity. Additionally, given that the key authentication technology used today has been compromised, it is necessary to move toward the research, design, and employment of multiple chains of trust for devices, users, services, and data sources for all transactions.

Furthermore, the lack of corporate leadership and accountability for these events demonstrates that other market levers may be needed to get the attention of the Chief Executive Officers and Boards of Directors. In October 2011, the Securities and Exchange Commission (SEC) issued a notice to industry regarding cybersecurity, confirming that cyber risk and cyber intrusion events must be reported to the SEC and disclosed to the investing public as risks.15 If the SEC doesn’t hold RSA accountable, will its shareholders and customers do so? It is actions like these that will get the attention of corporate leadership and thereby focus their attention on adapting to address cyber risks.

lenges with cloud-based services. In October 2011, Research in Motion’s (RIM) Blackberry services suffered a three-day outage due to a core switch error in RIM’s infrastructure. As a result, BlackBerry users in Europe, the Middle East, Africa, India, Brazil, Chile, and Argentina had limited or no access to email, web services, and in some cases voice services.18 The problem cascaded when the backup system, according to RIM’s co-CEO Mike Lazaridis, “did not work the way we intended.”19 For a company whose reliability Cloud-based Architectures. had consistently helped it maintain a According to the NIST, “Cloud com- strong customer base, RIM’s service puting is a model for enabling conve- outage shook customer confidence.20 nient, on-demand network access to a RIM didn’t deliver on its promise to shared pool of configurable computing provide reliable, real-time communiresources [e.g., networks, servers, stor- cations around the world, and cusage, applications, and services] that can tomers lost confidence in the product be rapidly provisioned and released with and service. For shareholders, RIM’s minimal management effort or service domination of the corporate and govprovider interaction.”16 The networked ernment mobile IT market share was environment is often measured by one jeopardized. This service outage left of three attributes: its ability to deliv- room for the iPhone, Android, Galaxy, er or make information available, its and others to take market share and ability to preserve its confidentiality, capture displeased customers. and its ability to protect its integrity. From a policy perspective, it highCloud computing is attractive to many lighted the need to have disaster recovbusinesses and governments because it ery mechanisms in place. If you were promises to make information available a customer of RIM, it highlighted the to its customers anywhere and at any gap in continuity of business operations time. 
But the other two cornerstones and the fact that RIM could not deliver of information security—integrity and on its service level agreements. The tanconfidentiality—are not readily com- gible and intangible costs are immeamanded by the cloud environment. An surable. From a technology point of October 2010 report on cloud security view, it demonstrated the fragility of the from Forrester Research, a consulting cloud and the need to test technology and research firm, states that security is prior to embedding it into core operathe single biggest barrier to broad cloud tions. It also showed the need for those adoption.17 who promise a 24/7 service to have a Citizens around the world are begin- graceful degrading architecture so that ning to experience some of the chal- customers do not suffer from a lack of



LEADERSHIP AND RESPONSIBILITY FOR CYBERSECURITY

quality or continuity of service. RIM is not the only company to have suffered from cloud computing issues. Recently, LinkedIn, e-Harmony, Yahoo!, and other social networking sites disclosed that their systems had been breached and their customers’ passwords and other personally identifiable information had been stolen. Data breaches have serious consequences—according to a recent report, “victims of data breaches are 9.5 times more likely to be a victim of identity fraud than consumers who did not receive such a data breach letter.”21 In 1994, Citibank suffered from one of the first data breaches that resulted in loss of funds. It also resulted in the creation of a new corporate position, the Chief Information Security Officer (CISO). Many corporations, especially those selling information services, have personnel responsible for the security of their infrastructure and service offering. LinkedIn, whose June 2012 data breach affected nearly 6.5 million customers, had neither a Chief Information Officer nor a CISO. In a focused inquiry of this gap, the company stated that they have a person who is responsible for the functions of a CISO.22 Yet, LinkedIn apparently was not taking the appropriate measures to secure customer information until after the breach, according to their corporate blog, when they instituted additional or “enhanced” security measures by adding a layer of technical protection.23 It remains unclear whether they will appoint an executive who is focused on protecting the corporation’s infrastructure and customer data. Furthermore, for LinkedIn and others, an apology may not be sufficient for its customers or the government. The Federal Trade Commission (FTC), which has filed suits in the past for failure to protect consumers’ personal information, is exercising its consumer protection and e-commerce authorities to ensure that “companies live up to the promises they make about privacy and data security.”24 Today, LinkedIn faces at least one class action suit for failure to properly safeguard its users’ digitally stored information. Again, whether it is government or private actors, we are witnessing reactions to failures in leadership. Ultimately, we need proactive leaders to drive change and address cyber risk early.

Weapons and the Internet. Critical infrastructures deliver essential services like water, electricity, oil and gas, and sewage, requiring certain components to be able to deliver the product (e.g., electricity) to the customer (e.g., business or household). These infrastructures are comprised of many computer, controller, and network communications components. A supervisory control and data acquisition system (SCADA) or industrial control system (ICS) is at the heart of the functionality of this ecosystem, as it monitors and controls processes and flows of information. Over the last decade, industry has increased connections between information technology and control system networks to reduce cost and increase efficiency of systems. Executives acknowledge that such connections create security issues because they have chosen to shift their operations from once isolated systems to open protocols where individuals and computers can


HATHAWAY

gain access to remote sites through the use of modems, wireless, private and public networks, all of which are facilitated by the Internet.

The Stuxnet worm infected more than sixty thousand computers around the world and was “designed to penetrate and establish control over remote systems in a quasi-autonomous fashion.”25 Its use resulted in the degradation and ultimate shut down of Iran’s nuclear facility in Natanz. The source code was analyzed around the world, replicated (e.g., Flame and DuQu), proliferated, and has been traded on the black market. In fact, security officials worry that this worm will be used again to attack other critical infrastructures that rely on computers and have the same security flaws.26

Finding the ICS vulnerabilities does not require a strong industrial base or well-financed operations—even a kid could do it. As a young explorer of the Internet, a teenage computer programmer named John Matherly developed an Internet mapping tool called Shodan. By combining a search engine, Google Maps, and his understanding of the Internet, he was able to locate thousands of Internet connected devices based on city, country, latitude/longitude, hostname, operating system, and IP.27 He gave this tool to his friends, and they quickly realized they were able to access uncounted numbers of industrial control computers that were wide open to exploitation and digital sabotage.28

From a policy perspective, enterprises that are dependent on control systems are forced to conduct vulnerability assessments and review their risk management controls (e.g., risk register) due to the potential issues related to worms, such as Flame and Stuxnet.29 The worry is that the malware could deliberately or inadvertently shut down infrastructures and/or operations. These same enterprises also have to review, create, or update their disaster recovery plans. Architecturally, technology needs to be inserted into the enterprise to detect any changes in the “state” of the system. For example, electric utilities and grid operators can use the Cyber Security Self-Evaluation Survey Tool, developed by the United States Department of Energy to “identify opportunities to further develop their own cyber security capabilities,” by considering “a series of questions that focus on areas including situational awareness and threat and vulnerability management.”30

The deployment of Stuxnet raises a new set of questions and for many, even more concerns about the future of the Internet and Internet-based infrastructures. Did the decision-makers who decided to use Stuxnet consider the consequences of proliferation of the


capability and potential re-use or retaliatory deployment of a similar weapon? Or were they seduced by the technology and ability to deliver it stealthily over the Internet? Did they review their infrastructure’s own vulnerabilities and determine that the offensive use outweighed the risk and consequences of domestic infrastructure outage? Was there even a responsible debate?

Conclusion. Leaders—both in government and business—are expected to be responsible and address key problems. The inescapable conclusion from the examples discussed in this paper, however, is that our leaders are failing in their duties by not acting quickly enough, and are instead being outmaneuvered and outwitted by those who intend harm. The examples in this paper show a reactive approach to change, whether in the DoD after Operation Buckshot Yankee, with RSA and other certificate authorities that suffered critical breaches, RIM’s crippling service outage, or the Stuxnet worm infecting critical infrastructures around the world. Denials, apologies, or reactive change will not solve the problem, nor will continued study and debate on potential legislative changes or government oversight. Darwin taught that to survive one must adapt and adjust to a changing environment. As the world continues to progress digitally, real leadership requires adopting and embedding sometimes-costly security solutions into our core infrastructures and enterprises and stop leaving the security of companies, governments, and individuals to chance.31 Leaders in government and business must work proactively to finally take steps to adapt and adjust to where the cyber environment already has evolved, and if they don’t, they must be held accountable.


NOTES

1 Charles Darwin, On the Origin of Species (London: John Murray, 1859).
2 International Telecommunications Union, “The World in 2011: ICT Facts and Figures,” Internet, http://www.itu.int/ITU-D/ict/facts/2011/material/ICTFactsFigures2011.pdf.
3 Jesus Rodriguez and Diego Martinez, “The Role of ICT in the Economic Growth and Productivity of Andalucia,” European Commission, Joint Research Centre, Institute for Prospective Technological Studies (2007): 11, Internet, http://ftp.jrc.es/EURdoc/eur22781en.pdf.
4 William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs (September/October 2010), Internet, http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain.
5 Insider Access: Unauthorized use or access to information, systems, and networks by otherwise trusted agents (employees). The White House, “The Comprehensive National Cybersecurity Initiative,” (August 2009), Internet, http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurityinitiative. See also, Melissa E. Hathaway, “Examining the Homeland Security Impact of the Obama Administration’s Cybersecurity Proposal,” (Statement for the Record House of Representatives Committee on Homeland Security, Sub-Committee on Cybersecurity, Infrastructure Protection and Security Technologies, 24 June 2011).
6 Probe: Any attempt to gather information about an automated information system or its on-line users. Computer intrusion: An incident of unauthorized access to data or an automated information system. Keith Alexander, “Testimony,” (Statement for the House of Representatives Committee on Armed Services, Subcommittee on Emerging Threats, 20 March 2012).
7 Certificate Authorities issue secure socket layer (SSL) certificates that help encrypt and authenticate websites and other online services.
8 EMC Corporation, “8K Report for the Securities and Exchange Commission,” (filed 17 March 2011).
9 Jeffrey Carr, “An Open Source Analysis Of The Lockheed Martin Network Breach,” Digital Dao Blog, (31 May 2011), http://jeffreycarr.blogspot.com/2011/05/open-source-analysis-of-lockheed-martin.html.
10 Arthur W. Coviello, Jr., “Open Letter to RSA Customers,” (March 2011), Internet, http://www.rsa.com/node.aspx?id=3872. See also, Kim Zetter, “RSA Agrees to Replace Security Tokens After Admitting Compromise,” Wired Magazine, (7 June 2011), Internet, http://www.wired.com/threatlevel/2011/06/rsareplaces-securid-tokens/.
11 Fox-IT, “Interim Report: DigiNotar Certificate Authority breach ‘Operation Black Tulip’,” (5 September 2011): 5.
12 Symantec Corporation, “Symantec Internet Security Threat Report: 2011 Trends,” (April 2012): 13.
13 Arthur W. Coviello, Jr., “Written Testimony,” (For the United States House of Representatives, Permanent Select Committee on Intelligence, 4 October 2011).
14 NIST develops and issues standards, guidelines, and other publications to assist public and private institutions with managing cost effective programs to protect their information and information systems. The controls outlined in the 800-53 document include a set of management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. The CAG outlines best practice guidelines for computer security and recommends twenty security controls that organizations should implement to block or mitigate known attacks. National Institute of Standards and Technology, “Information Security,” (August 2009). SANS, “Twenty Critical Security Controls for Effective Cyber Consensus Audit Guidelines,” October 2011, Internet, http://www.sans.org/critical-security-controls/cag3_1.pdf.
15 U.S. Securities Exchange Commission, “CF Disclosure Guidance: Topic No. 2, Cybersecurity,” (13 October 2011), http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Public companies have existing obligations to disclose material risks and events on their public filings. A risk or event is material if it is important for the average investor to know before making an investment decision. Material risks can include cyber risks and material events can include cyber breaches, including the theft of intellectual property/trade secrets, penetrations which compromise operational integrity, etc. See also, Melissa Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs. Special Issue: International Engagement on Cyber, (Winter 2011): 165. While RSA disclosed the incident with the SEC, it claimed that the event was not material in nature.
16 Peter Mell and Tim Grance, “The NIST Definition of Cloud Computing,” (Version 15 October 2009), Internet, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
17 Jonathan Penn, “Security and the Cloud: Looking At The Opportunity Beyond The Obstacle,” Forrester Report, (October 2010).
18 Charles Arthur. “BlackBerry users revolt against RIM as disruption spreads,” The Guardian, (11 October 2011), Internet, http://www.guardian.co.uk/technology/2011/oct/11/blackberry-users-revolt-against-rim.
19 Julianne Pepitone. “BlackBerry service restored after worst outage ever,” CNN Money Tech, (13 October 2011), Internet, http://money.cnn.com/2011/10/13/technology/blackberry_outage/index.htm.
20 The fact that it occurred the same week that Apple was launching its iPhone 4S further complicated its situation, as RIM has struggled to keep up in the smartphone and tablet markets.
21 Javelin Strategy & Research, “2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier,” Internet, https://www.javelinstrategy.com/brochure/239.
22 Eric Chabrow, “LinkedIn Has Neither CIO nor CISO,” Data Breach Today, (8 June 2012), Internet, http://www.databreachtoday.com/blogs/linkedin-hasneither-cio-nor-ciso-p-1289.
23 Vincente Silveira, “Taking Steps to Protect Our Members,” LinkedIn Blog, (7 June 2012), Internet, http://blog.linkedin.com/2012/06/07/taking-stepsto-protect-our-members/.
24 Federal Trade Commission, “FTC Files Complaint Against Wyndham Hotels for failure to Protect Consumers’ Personal Information,” (26 June 2012), Internet, http://www.ftc.gov/opa/2012/06/wyndham.shtm.
25 James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival 53, no. 1 (February–March 2011): 24.
26 Stewart Meagher, “Stuxnet worm hits the black market,” THINQ. (25 November 2010), Internet, http://www.thinq.co.uk/2010/11/25/stuxnet-wormhits-black-market/.
27 See Shodan software at: http://www.shodanhq.com
28 Robert O’Harrow Jr., “Cyber search engine Shodan exposes industrial control systems to new risks,” The Washington Post, 3 June 2012, Internet, http://www.washingtonpost.com/investigations/cybersearch-engine-exposes-vulnerabilities/2012/06/03/gJQAIK9KCV_story.html.
29 A worm is a destructive program that replicates itself throughout a single computer or across a network, both wired and wireless. It can do damage by sheer reproduction, consuming internal disk and memory resources within a single computer or by exhausting network bandwidth. It can also deposit a Trojan that turns a computer into a zombie for spam and other malicious purposes. Very often, the terms “worm” and “virus” are used synonymously; however, worm implies an automatic method for reproducing itself in other computers. “Worm Definition,” PC Magazine, Internet, http://www.pcmag.com/encyclopedia_term/0,2542,t%3Dworm&i%3D54874,00.asp.
30 AOL Energy, “How Good is Your Security? A New DOE Tool Will Help You Find Out,” (10 July 2012), Internet, http://energy.aol.com/2012/07/10/how-good-is-your-security-a-new-doe-tool-willhelp-you-find-out/.
31 Jack Goldsmith and Melissa Hathaway, “The Cybersecurity Changes We Need,” The Washington Post, (29 May 2010), Internet, http://www.washingtonpost.com/wp-dyn/content/article/2010/05/28/AR2010052803698.html.


Why Cyber Security is Hard

Robert Ghanea-Hercock

In the twenty-first century we face unprecedented challenges in securing the information assets and intellectual property of our public and private organizations. Yet only a few years ago, the cyber war was often derided and declared a mere nuisance to business as usual. Painful experiences over the past two years, such as the Sony and RSA attacks, have now dispelled this naive stance.1 The truth of cyber security, however, is both overt and subtle. It is overt in the sense that the arena is now clearly driven by a mix of political expression, such as the Anonymous social hacktivism movement, and economic incentives for criminal gangs to state-sponsored industrial espionage. The subtle facet of cyber security, however, is why it remains a difficult problem. Specifically, the mix of technical, policy, and social dimensions has combined to create and complicate a coevolving, complex adaptive system (CAS). This is the essence of the cyber problem. More importantly, once we accept this is the case, it perforce reshapes our entire policy and technical approach to the problem. Ultimately, we cannot solve a CAS; at best we can merely shape and influence its evolution. The article will first give an overview of what we mean by a CAS in the computer domain, and then will review the characteristics of the technical, social, and legal cyber security themes.

Robert Ghanea-Hercock is a Chief Research Scientist in the British Telecommunications Security Research Practice.



WHY CYBER SECURITY IS HARD

Complex Adaptive Systems. When a bright young student, Robert Morris, released the first self-replicating computer worm in 1988, he was actually making real a vision shared by the founders of computing, John von Neumann and Alan Turing, who both envisaged the ability of computers to mimic the capacity of life to reproduce.2 Thus, the power to replicate and evolve was ingrained in the very genesis of modern computing. It is no surprise, therefore, that the emergence of the Internet provided the ideal ecology for malicious self-replicating code to spread and thrive as well. What we now define as malware remains a technical challenge, precisely because of its ability to spread and adapt at machine speed.

Of course this Promethean power has been harnessed, with varying levels of sophistication, by many human actors, from the grassroots political activist to organized criminal gangs or even to state-sponsored spy-rings. It is also understood that a fundamental aspect of the problem is that offense is favored over defense simply by the geography of cyberspace, since only a single point of failure in a cyber network, or process, is required for a successful attack.3 The nature of CAS is such that there is no longer an ‘off-switch’, as dreamed of by many political commentators. The Internet is now the world’s digital nervous system, and suffers from parasitic and predator-prey activity, just as any biological or ecological system does.

There are multiple definitions of CAS, but a sufficient one is by John Holland, a leading thinker in this domain: “CAS [complex adaptive systems] are systems that have large numbers of components, often called agents, that interact and adapt or learn.” Ultimately, if we have a large number of interacting agents, such as the global cyber domain, then it may be categorized as a CAS.4

Game Theory as a Model for Cyber Security. A closely related research domain to complex adaptive systems, with which we can understand the issues surrounding cyber security, is a Game Theoretic approach.5 Originally developed as a strategic tool in the nuclear Cold War, Game Theory studies the choice of optimal behavior when the costs and benefits depend upon the choices of other individuals. What we now have in the cyber domain is an N player game of benign and malicious players, where there are far more avenues for attack than there are ways to defend.6 We are therefore in a state of co-evolution, where each new defense strategy leads to co-adaptation by a corresponding set of attacks. A useful consideration of these aspects can be found in a report by the JASON group, where they state: “Most importantly, the threats associated with cyber-security are dynamic in that the nature and agenda of adversaries is continually changing and the type of attacks encountered evolve over time, partly in response to defensive actions...game theoretic ideas will be useful in understanding how to prioritize cyber defense activities. It is not possible to protect everything all the time and so some notion of risk must be established; game theoretic approaches provide a framework for reasoning about such choices.”7

With respect to modeling risk, Nassim Taleb in The Black Swan discusses the disproportionate role of very high-impact, hard-to-predict events that are beyond normal expectations in history, science, finance, and technology.8 For example, in any highly networked system, such as the Internet, the risk distribution is inherently nonlinear. Firstly, the hub and spoke nature of many physical and logical cyber networks greatly accelerates the speed at which replicating code can propagate.9 Secondly, the economic or social impact of an attack is not linearly proportional to the scope or size of the attack vector. For example, an eBook containing 500kb of data may retail for $15, yet a malware exploit and associated code may only contain 5kb of data, yet cause $100M of damage.10 Ultimately, the Game Theory approach contains a number of useful models and techniques, and it is likely to emerge as a major element in future strategies for developing cyber defense processes.

Technical Dimension. There are a number of inherent technical complexities that stem from the CAS model. For example, intent is crucial in any combat scenario, but how do we infer the intent of a malware source agency? Are the attackers simply hunting for an easy credit card breach, or are they a serious state-backed group targeting a critical asset? The problem is that the measurable online behavior for these two very different attacks often looks identical, especially as hostile players are using increasingly sophisticated means of camouflaging their intent and origin. Compared to the military tactics of traditional warfare, cyber security is additionally complicated by the broader range of objectives each adversary may have. These include economic interests, social hacking as a form of political expression, organized crime, and state actors with offensive cyber operations. In the cyber domain, regulation is the primary weapon, and ISPs are the primary target. A crude analogy may be made between ISPs and commercial owners of major transport systems. As with any transport process, each packet, vehicle, or individual must be filtered and verified or malicious actors who use the network for hostile purposes will remain. Solving the problems of intent and regulation in the cyber domain will require a great deal of research and a broader psychological and sociological perspective. Another aspect of the problem in handling cyber attacks is that some are weak feints that precede a later full-scale assault, while others are background noise in the sea of malware. People tend to focus on the possible technical capabilities of hackers, but this is increasingly irrelevant as sophisticated attack tools are now free and ubiquitous.

For example, in China there is a complex mix of actors, such as criminal groups, state-backed industrial espionage activity, and hacker/nationalistic students. While each of these groups has distinct objectives, they are similar in that they employ constantly evolving attack methods. Hence, the Chinese state makes use of its hacker sub-culture as part of nationalistic online campaigns and can therefore distance itself diplomatically from the hacker’s behavior. Yet, the Chinese state also constantly monitors such hacker groups, as they use the Internet to express social dissent.

Three additional issues of specific technical complexity in the cyber domain that vex the policy debate include attribution, self-replication, and political control. First, cyber actors frequently use camouflage and mimicry as in natural ecosystems, thus making attribution difficult. This makes the selection of a response by policy makers inherently difficult, even though a range of proportionate responses exists.11 As in the Stuxnet example, where digital forensics revealed a possible state origin of the attack (Israel), it was apparent that this could easily have been faked by a third party to implicate that state.12 A second technical issue that muddles the policy debate is the ability of code to self-replicate. Malware can spread spontaneously, which is similar to trying to contain a bio-viral outbreak. Worse still is the fact that the code rapidly mutates as new actors modify and adapt the code. Thirdly, the loss of government control, will, or capacity to enforce national cyber controls that limit the activity of organized cyber-criminal or political groups, like in former Soviet states, is the most challenging social-political aspect of cyber security.

Social Dimension. The cyber sphere plays an important role for society, but social issues also complicate cyber security. Cyberspace is driven by the actions of the individual members of human society; it is a powerful medium for social change precisely because it empowers individuals, which is why it is used so much. The quid pro quo is that this has disadvantaged the state in its ability to impose social control and centralize policies. Iran, for example, is engaged in erecting a cyber wall around the entire Iranian cyber domain, and China maintains a ‘Great Firewall’ around the networks in mainland China through state mandated control and censorship.13


A strict censoring policy, like China’s, might in fact increase cyber security; as Jason Healey aptly notes, “a Balkanized Internet may actually improve many of the current security problems of cyberspace, as nations would have more levers to stop all kinds of unpleasant traffic.”14 But the Internet teaches us that a free and open process of human engagement and communication has the greatest social value.15 Hence in the Western hemisphere, we should tread very lightly before calling for draconian controls on individuals’ activity in cyberspace, despite the potential benefit to cyber security.16 A cyber ‘Wild West,’ however, is not constructive either. Individuals need the protection of state laws and a national policy of education on safe cyber practice, especially given the exponential growth of social networking and the ensuing decrease in cyber security. For example, the United Kingdom, which is embracing the online domain as a means of reducing the cost of delivering public services and advancing innovation and economic development, is also using a process of social dialogue to engage its entire population in constructively developing online standards for behavior.17 Yet in the summer of 2011, the United Kingdom witnessed some of the worst riots and social unrest in a generation, some of which were fueled and coordinated via cyber networks and social media, particularly through BlackBerry messenger.18 The ensuing debate over regulation versus personal freedom was predictable, but missed the point. Any tool inherently has positive and negative uses—what works is a process of accountability and social norms that regulate behavior.

Legal Dimension. From a legal perspective, the issues in the cyber domain revolve around protecting and balancing the rights of the individual versus those of wider society and organizations. But the exponential rate of evolution in the cyber domain outpaces the speed of legal and judicial processes. The ongoing futile battles over digital rights management are evidence of this in action. Technology makes instant sharing of digital media a reality, which content creators need to substantively address, rather than resorting to punitive measures under the law. However, the use of stricter legal measures against serious cyber crime can be a constructive tool in the normalization of the cyber domain as a safe environment for individuals to operate within. Current legal systems have failed to keep pace with the migration of crime into the cyber domain, and few states have empowered or resourced their police agencies to act effectively in cyberspace. Digital forensics in particular is often underfunded or poorly resourced, making convictions of serious online crime difficult. Careful consideration of the wider social consequences of cyber law is required, such that we avoid suppressing information and media sharing, but rather focus legal action on cases of serious harm or abuse. In more technical terminology, we require a ‘non-linear’ legal response. This echoes back to the Game Theory concepts discussed earlier where we need laws guided by a clear technical understanding of human responses to rewards and punitive measures, within a cyber context. Hence defending digital rights is best approached as a process of cultural norm development.

Cyber Demographics. A final issue of concern is the fundamental increase in the total cyber population, as another two billion people come online within the next two years, mostly from developing nations with minimal cyber laws or treaty provisions to deal with cyber attacks that originate from within their borders. This alone will make the problem of attack attribution insurmountable. Attitudes towards digital copyright, censorship, cyber crime, privacy, and freedom of speech, which are already complex, will become vastly more so by the sheer cultural heterogeneity of the new wave of cyber citizens, with multiple religious, political, tribal, and racial facets. Even within relatively culturally homogenous regions, such as Western Europe, the differences in social attitudes towards cyber privacy and state censorship are immense: Germany has strict privacy laws driven by a deep historical fear of state intrusion, but in the United Kingdom, significant social trust in the state security apparatus remains relatively strong, resulting in weaker privacy laws. Furthermore, most of the new users are poor, and many of the machines they use are running either counterfeit or open source operating systems and applications. Hence, they are at maximum risk of malware attack or for their machines to be used as botnet platforms. Many access the Internet solely via smartphones, specifically Android devices, which have relatively weak security and are expected to become a major attack channel in the coming months, challenging cyber security efforts.19 In particular, the cyber emergence of Africa, India, and the South East Asian states, such as Vietnam, is occurring faster than local legal frameworks can adapt. Such states should be offered more expert assistance on best cyber practice across both their public and private cyber domains, ideally, via new international cyber security centers of excellence.

Conclusion. Cyber security remains a difficult and unresolved problem, precisely because it is a complex adaptive system. This is a difficult message to convey, as we all seek simple technical or policy levers to resolve the issue of securing a computer network. The cyber research community has partly grasped that the cyber world is a complex adaptive system. A 2007 report by Goodman and Lin identifies that, “in many ways security is an emergent property of a complex IT system that depends on both the underlying system architecture and its implementation.”20 More recently, Stephanie Forrest has initiated research on bio-inspired defense strategies, which has the ongoing aim of understanding the complex adaptive nature of cyber threats and discussing means to counter them using similar adaptive strategies.21 The latest research in this domain was reported in the 2012 Adaptive Resilient Complex Systems (ARCS) workshop, and it focused on the social and economic dimensions, particularly through the use of social media channels as attack vectors.22 The wider cyber security community, however, has yet to recognize the real nature of the threat and persists in utilizing rigid strategies based on boundary control, access management, or linear risk models. This new stance requires a deep philosophical shift, and there is no easy solution. There are better practices and defenses that can and must be implemented and maintained. Fundamentally, though, the best defense is to first understand the true nature of the problem. We can then begin to adopt useful defense strategies, instead of offense strategies. And even though perfect cyber security is not an achievable state, we can achieve a dynamically stable and robust defense, ideally using a combination of signature and adaptive behavior-based responses. It may also be productive to consider Maynard Smith’s idea of Evolutionary Stable Strategies (ESS) as a model of how the long-term dynamic behavior of offensive and defensive strategies will evolve in cyber security, and of whether the introduction of a new security mechanism will lead to a dynamically stable defensive effect over time. This is a difficult question to resolve for any complex adaptive system, and particularly for cyber security, which is so dependent on human socio-economic processes.

The best technical approach is to engineer all computing systems for resilience as an inherent quality. We need to reorient our design philosophy for all ICT systems, and especially cyber defense systems, to reflect this philosophy of resilient flexibility. An excellent example is the work by Arun Sood on adaptive Firewall design, using a mechanism known as Self-Cleansing Intrusion Tolerance (SCIT).23 As a philosophical example, the beautiful Pagodas in Japanese ceremonial gardens are a curious anomaly: they are tall wooden structures that have survived for centuries in a major earthquake zone. They should have been destroyed many years ago, but they remain standing because they are fluid, loosely coupled structures with a resilient design that absorbs quake shocks like a sponge. In contrast, any modern rigid steel and concrete building design in that area gets shaken to pieces. We need research into similar parallel design concepts within the cyber defense realm. The complicating issue is that this can incur greatly increased costs in the system specifications, such as through duplicated hardware or failsafe software design. As such, there is an open research challenge to create resilient computing systems with a minimal cost increase.24 Furthermore, we urgently need an improved science of cyber security driven by the establishment of interdisciplinary centers that connect academia, industry, national laboratories, and government agencies, in order to formalize our understanding of the complex and evolvable nature of the domain, as advocated in the JASON report25 (This also happens to be a priority for the UK GCHQ and its new centers of excellence in cyber security).26 Deeper international collaboration and the pooling of resources is also required with joint public and private sector information exchange programs, ideally in the form of senior level standing councils with international representation.

At the social level, as discussed, there is a fine balance within democratic states between allowing freedom of online expression and preventing the use of cyberspace as a vector for malicious hacktivism. For society as a whole, we clearly require a constant education program to raise awareness of cyber security and online social responsibility. Again this will cost a state resources and time, but it is vital to raise the collective cyber defense of a nation. At the legal level, the implications of the required paradigm shift are extensive and problematic. In policy terms, the question is how to continue exploiting the creative social and economic value of the Internet while fulfilling the basic duty of the state to safeguard its cyber (and physical) domain. As in the discussed case of the riots of 2011 in the United Kingdom, the urge to impose new legal constraints on social media channels was severe, but a process of social dialogue around the causes of the unrest proved to be more productive.

Looking forward, it is crucial to address several distinct time-scale requirements for the short, medium, and long term. In the short term, governments need to devote resources to educating the population, beginning at the primary level, and to training future legal and policy makers on best practices in cyber defense and awareness. In the medium term, we need policy backing for new cyber centers, like the Santa Fe Institute in the United States, that put strong emphasis on an interdisciplinary focus and deep government and business engagement.27 For the longer term, we need a new science-based international cooperative effort to improve cyber defense for all states. The existing international system of CERT groups that operate globally to detect and remediate cyber-attacks is primarily a reactive mechanism. Rather, we need more predictive and adaptive collaborative cyber institutions. The comparison has been made between current cyber crime and piracy up to the sixteenth and seventeenth centuries, when strong international treaties and laws of the sea began to control the piracy problem. This analogy has merit and may act as a guiding principle for policy formulation; however, it is best not stretched too far. The pirates are no longer sailing off the coast of Jamaica, but rather live in your neighbor’s garage, basement, office, college, and in entirely virtual worlds with no physical location.

The views expressed are entirely personal to the author and do not reflect those of British Telecommunication.

NOTES

1 Bruce Schneier, “Details of the RSA Attack,” Bruce Schneier Blog, Internet, http://www.schneier.com/blog/archives/2011/08/details_of_the.html (date accessed: 2 September 2012).

2 John von Neumann, Theory of Self-Reproducing Automata (Urbana and London: Univ. of Illinois Press, 1966), Internet, http://cba.mit.edu/events/03.11.ASE/docs/VonNeumann.pdf (date accessed: 2 September 2012).

3 Jason Healey, “The Five Futures of Cyber Conflict and Cooperation,” Georgetown Journal of International Affairs Special Issue: Cybersecurity (2011) 110-117.

4 John H. Holland, “Studying Complex Adaptive Systems,” Journal of Systems Science and Complexity 19, no.1 (2006): 1-8, Internet, http://hdl.handle.net/2027.42/41486 (date accessed: 2 September 2012).

5 John von Neumann and Oskar Morgenstern, Theory of Games and Economic Behavior (Princeton University Press, 1944).

6 Further complicating matters, legitimate users may also choose to switch roles to become a defecting agent at any instant.

7 D. McMorrow, “Science of Cybersecurity,” Internet, http://www.fas.org/irp/agency/dod/jason/cyber.pdf (date accessed: 2 September 2012), 2.

8 Nassim N. Taleb, The Black Swan (Penguin Books, 2008).

9 R. Pastor-Satorras and A. Vespignani, Epidemic spreading in scale-free networks (Physical Review Letters, 2001) 86, 3200-3203.

10 Schneier, supra note 1.

11 Herbert Lin, “Responding to Sub-Threshold Cyber Intrusion, A Fertile Topic for Research and Discussion,” Georgetown Journal of International Affairs Special Issue: Cybersecurity (2011) 127-135.

12 Irving Lachow, “The Stuxnet Enigma – Implications for the Future of Cyber Security,” Georgetown Journal of International Affairs Special Issue: Cybersecurity (2011) 118-126.

13 This massively limits what net users within China are allowed to see online and the Chinese state monitors internal traffic for signs of dissent activity. It also has a biasing economic effect in favor of Chinese companies by limiting competition from major international companies, such as Google, and therefore creating commercial opportunities for Chinese companies. In addition, a constant cyber battle exists between the Chinese state censors and micro-blogs of Chinese activist groups. This is yet another example of a complex adaptive social/political game being acted out in cyberspace.

14 Healey, supra note 3.

15 The antithesis of this process was the mindset of the Soviet and Communist bloc, in which an Orwellian state imposed its central view of what individuals required and should have access to. The consequences of that mind set are still with us and will require decades of economic and social development to remediate.

16 One of the reasons for the exponential growth in social networks is the fundamental human desire to communicate and interact. As more of an individual’s social contacts go online, then the value of that individual following suit increases in rough proportion to Metcalfe’s law. As such, the growth of social media is a nonlinear function, and the resulting virtual social network displays complex properties that are only loosely correlated with the physical world. Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system. Bob Briscoe, “Metcalfe’s Law is wrong,” IEEE, (July 2006), Internet, http://spectrum.ieee.org/computing/networks/metcalfeslaw-is-wrong (date accessed: 2 September 2012).

17 “UK Cyber Challenge,” Internet, https://cybersecuritychallenge.org.uk/.

18 Josh Halliday, “London Riots: Blackberry to help Police Probe Messenger looting role,” The Guardian, 8 August 2011, Internet, http://www.guardian.co.uk/uk/2011/aug/08/london-riots-blackberry-messenger-looting (date accessed: 2 September 2012).

19 Dave Neal, “Android Phones Are A Big Security risk, Says Security Analyst Firm,” The Inquirer, 27 February 2012, Internet, http://www.theinquirer.net/inquirer/news/2155213/android-phones-securityrisk-security-analyst-firm (date accessed: 2 September 2012).

20 Seymour E. Goodman and Herbert S. Lin, “Toward a Safer and More Secure Cyberspace,” National Research Council, (2007) 81, Internet, http://www.nap.edu/catalog/11925.html (date accessed: 2 September 2012).

21 In 2002, Forrest and a group of industrial researchers started a workshop series based at the Santa Fe Institute. Stephanie Forrest et al., “A Sense of Self for Unix Processes” (Los Alamitos: IEEE Computer Society Press, 1996) 120-128, Internet, http://webpages.math.luc.edu/~pld/courses/intrusion/sum08/class9/forrest.etal.1996.sense_of_self_for_unix_processes.pdf (date accessed: 2 September 2012).

22 “Adaptive Resilient Complex Systems Workshop series (ARCS),” ARCS Workshop Blog, (6 January 2012), Internet, http://www.arcs-workshop.org (date accessed: 2 September 2012).

23 Arun Sood, “Intrusion Tolerance to Mitigate Attacks that Persist,” (Paper presented at Second Workshop on Cyber Security and Global Affairs, ETH, Zurich, 6 July 2010).

24 ARCS, supra note 21.

25 McMorrow, supra note 7.

26 GCHQ, “UK GCHQ establishes new centers of excellence in cyber security, 2012,” Internet, http://www.gchq.gov.uk/Press/Pages/Cyber-SecurityResearch-Centres-of-Excellence.aspx (date accessed: 2 September 2012).

27 Ibid.


Working at the nexus of law, science, and policy

Institute for Law, Science & Global Security presents

Annual Conference

International Engagement in Cyberspace

In 2011 and 2012, the Institute hosted experts from around the world, including domestic and foreign policymakers, private sector leaders and notable scholars to share their visions for protecting cyberspace in the face of emerging challenges. The Institute is currently organizing next year’s conference, to be held at Georgetown University’s main campus, April 10-11, 2013. Visit our website for more information.

Past conference speakers included:

Gen. Michael Hayden (Ret.), Principal, Chertoff Group and former Director of the NSA and CIA

Hon. Jane Holl Lute, Deputy Secretary of the U.S. Department of Homeland Security

Hon. William J. Lynn III, Former Deputy Secretary of the U.S. Department of Defense

Lt. Gen. Brent Scowcroft (Ret.), former National Security Advisor

Hon. Howard A. Schmidt, Cybersecurity Coordinator, The White House

Mr. Khoo Boon Hui, President, INTERPOL

lsgs.georgetown.edu • (202) 687-6237


Perspective: Not all Vendors and Products are Created Equal

John N. Stewart

John N. Stewart is Senior Vice President and Chief Security Officer at Cisco Systems, Inc. In his 25-year career, Stewart has been a leader in expanding the definition of security, working with academic think tanks, government, and numerous enterprises. He currently leads the Cisco Global Government Solutions and Corporate Security Programs.

We do not just use the Internet, we rely upon it, and as we continue to use it across the globe in ways previously undiscovered, its criticality increases in parallel. The Internet now is as vital to society as electric power. The importance is different–we lived through a two-decade transition from scientific novelty to essential technology–and is noteworthy all unto itself. Today talented hacking teams seek new ways to infiltrate national systems, await the moment to disrupt services in critical infrastructures, steal information for known and unknown purposes, and use methods that often adapt as the actions are underway. Governments and businesses increasingly, and correctly, invest from server to cloud in three key technologies—mobility, collaboration, and virtualization—to improve resiliency, increase efficiency, and reduce costs. We increasingly use technology to create value, so much so that it is now the enabler for our communications, business goals, and service delivery. Last is who we are all choosing as providers to design, develop, and even run our core services infrastructures. Given that we align our own goals to those of vendors, scrutinizing their reputation and behavior is an essential part of the selection process. Since not all vendors and their products are created equal, we are in a market transition where trust has a paramount role.

Trust is increasingly present in our dialogues, manifesting itself in supply chain security discussions, vendor executives’ past connections, software quality and design processes in vendor product development and service deliveries, and public examples where a vendor broke its trust with its customer. Today, vendor and product selection are based on the ability to fulfill need, price-point, and vendor attributes such as viability. The “trust” market transition introduces three essential criteria: vendor trustworthiness and transparency, product trustworthiness and integrity, and vendor commitment to and understanding of security issues. Today, it is possible to address the hidden risk in choosing a vendor, and reduce known risk while operating national infrastructures. This ideal—a “trustworthy system”—can be achieved through vendor inspection, delineation between assumed and verifiable trust, and, ultimately, a network security infrastructure more advanced than the one in which we operate today. This article explores each of these elements of a “trustworthy system.”

Trust Starts with Your Vendor. Trust matters, plain and simple, and it doesn’t happen overnight. In order to trust systems, it is essential to trust the technologies upon which they are built and the people who build those technologies. Due to past practices, limited resources, government requirements, experience, or business philosophies, not all vendors are qualified, willing, or able to develop trustworthy systems. Vendors with proven track records, original and innovative security development, and the structure to support in a transparent manner international security efforts are often the best qualified to build trustworthy systems. When we choose vendors for security and critical infrastructure, we often buy based on technical qualifications and reputation. Lately, the vendor’s process and evolving security approach have also become an increasingly important factor. If the vendor for the product has a bad reputation, the buyer might never use its products. If the buyer trusts a product, and then the vendor does something they disagree with, they may never trust that vendor again. And, if the vendor has many strikes against it—despite perhaps the buyer never using their products directly—they might not trust the vendor purely because of others’ respected opinions. We decide who we trust based on past behavior, others’ respected opinions, and current actions. The same should be true for vendors.

Assumed Trustworthiness versus Verifiable Trustworthiness. Trustworthiness is not a new thought. It is vital to differentiate between “assumed” and “verifiable” trustworthiness, and, equally importantly, to recognize that it is not a binary concept. Trustworthiness is situational in that it can change over time. “Assumed” trustworthiness is more prevalent than “verifiable” trustworthiness, both in real life and in the electronic world. If a person is acting “normally” in a room or on the train, we may take the risk and stand next to them. We may not assume sufficient trust in that same person with our money, underscoring the situational aspect of trustworthiness. If that person changes behavior in an abnormal manner, we may re-assess and move away, demonstrating how trustworthiness can change over time, especially when new information is introduced. “Verifiable” trustworthiness is a score of sorts, where, based on data and process, a confidence level is manufactured. The data could be producing a passport, displaying the results of a medical test, or answering questions that can be proven correct to increase trustworthiness. In today’s electronic world, the data may be a validated software signature, which implies that the product is unaltered; the vendors’ reputation; commitments by the product manufacturer to abstain from installing backdoors in their products; or a third-party proving the service provider’s processes are sound. The existence of “verifiable” trustworthiness in our systems is vital for today’s multi-threat environment.

Trustworthy Systems – A Definition and Its Elements. Trust matters, plain and simple, it doesn’t happen overnight, and it is more than just saying, “Trust me.” A trustworthy system is a combination of verifiable trustworthy hardware, software, firmware, and, as appropriate, the end resulting services built upon it, that demonstrates in a provable manner the trust and risk management required for today’s standards of security and reliability. For vendors, including Cisco, trustworthy systems are both the finished product and the processes required to build and run it. The product and the processes need to be measurable, as they are part of the “verifiable” trust described above. The required elements include process and technology. Process is composed of elements such as security checkpoints throughout the product lifecycle; supply chain operational processes designed to minimize assembly risk; standards-based, multi-national security certifications; Product Security Incident Response Teams (PSIRT); and industry collaboration to help establish future standards and mutually develop new security concepts. Technology factors include hardware anchor points for integrity and uniqueness, hardened encryption based on industry-leading algorithms, signed software for attestation on author and integrity, and advanced software protections like ASLR and encrypted software storage. Based on process and technology, the entire underlying network has attestable trustworthiness. The remainder of the paper explores each of these processes and technologies to examine their respective elements.

Process: Security Checkpoints throughout the Product Lifecycle. Developing trustworthy systems means building security starting from the ground level. A secure development lifecycle as a part of product development methodology provides a repeatable and measurable process designed to mitigate the risk of vulnerabilities and increase product resiliency. This allows vendors to detect and remove potential defects early in development, streamlining the process and allowing engineers to accelerate feature and product innovation. The development community must have a comprehensive and secure design principle, understand secure coding practices, perform vulnerability testing and threat modeling, and ensure extensive product security requirements. These requirements create a baseline from which competing developers can build secure systems.

Process: Supply chain operational processes designed to minimize assembly risk. Supply chain security combines traditional practices of supply chain management with verifiable system security requirements. It focuses on protecting against malicious modification or substitution of technology, misuse of intellectual property, supply chain disruptions, and counterfeit products. Issues with the supply chain are a major threat in some sectors today. Thirty-nine percent of companies and organizations encountered counterfeit electronics just from 2005-2008, with the number of encounters increasing from year to year.1 The problem continues to recur: For example, a U.S. Department of Defense investigation in 2011 showed that no fewer than ninety-three separate suppliers to the DoD had provided suspect parts on at least one occasion, and some up to more than ten times.2 However, the vast majority of these situations arise with users who purchase equipment from nonapproved vendors on the “gray market.” Supply chain security activities include, but are not limited to, credentialing of each step in the supply chain throughout the development process, monitoring and validating the chain of custody, locking systems and chips and requiring validation before installation, screening and validating of equipment as it is shipped, notifying the destination country in advance of package contents, ensuring the security of cargo while in transit via a variety of security precautions, and inspecting all equipment upon entry. This set of interlocking practices, procedures, technologies, and implementation checkpoints embed physical, logical security at each node of the supply chain, from the design stage, through service, and finally to end-of-life management.

Process: International Security Certifications. In our globalized world, governments increasingly cooperate with each other to combat cyber threats. One of the most important areas of cooperation is in the development of global certification processes focused on quality assurance and the security of networking products and solutions. Such certifications are critical to ensuring that customers can confidently purchase the equipment they need and that the equipment performs as advertised, is as secure as claimed, and is compatible and interoperable with existing infrastructure. Currently mutually recognized by twenty-six participating nations, ISO 15408, the international Common Criteria standard, has been successful in providing resources for government organizations and industry. Many global governments consider Common Criteria mandatory for network security and it is a purchasing requirement for many nations. Enterprises are increasingly following suit by demanding this standard as a critical component of trustworthy systems. Other key standards that support trustworthiness include: cryptographic validation for any product containing encryption functionality, such as the U.S. Federal Information Process Standard (FIPS); IPv6 certification, such as USGv6 and IPv6 Ready Logo certification; and the U.S. Department of Defense Unified Capabilities Approved Products List (UC APL).

Process: Product Security Incident Response Team (PSIRT). Organizations must be able to offer proactive intelligence as well as rapid and effective incident response to any security attack. A dedicated global task force would manage the reception, investigation, repair, and public reporting of security vulnerability information related to the vendor’s products and networks. This team would work with users, independent security researchers, consultants, industry organizations, and other vendors to gather information, identify, and quickly patch possible security issues with products and networks. It would also support the monitoring of internal and external security threats and assess other vendors’ products as well as their own.

Process: Industry Collaboration. A number of industry organizations are working on trusted computing and trustworthy networking initiatives. These organizations, such as the Trusted Computing Group and the Open Group, provide international leadership to create a demanding standard for security and set the strategy for defending systems, companies, and nations from ever-changing attack vectors. Companies work closely with these partners to help establish guidelines for the future of trustworthy systems. This work is closely tied to that of national and international standards bodies, such as the Institute of Electrical and Electronics Engineers (IEEE), the North American Energy Regulatory Commission (NERC), the International Standards Organization (ISO), the American National Standards Institute (ANSI), and the Internet Engineering Task Force (IETF). These organizations oversee and establish the standards for technologies used across their respective industries and directly impact and guide security requirements for both the government and private sector.

Technology: Hardware anchor points for integrity and uniqueness. Integrity on systems, including critical security systems, network infrastructure systems, or services delivery platforms, is fundamental to the attested trustworthiness for that system or service. It has been proven that software, despite efforts, is persistently corruptible in runtime conditions without an architecture that supports and uses a trust anchor. The goals for every trust anchor are to offer unique identity, software verification, and a secure zone for critical function execution. Many times, the trust anchor is hardware-based and exists in multiple forms with functions distributed through several components. Often, the anchor point can be a separate chip which includes a unique and digitally immune identifier, as well as a digital certificate that is used when loading software to assure the software has not been altered since production. Other times, this hardware anchor point is embedded in other hardware, such as an FPGA chip or an onboard multicore processor. For both architectures, the anchor point creates a stronger trustable place from which to start. Once available, a system can power on, have a higher probability for trustworthiness, and then continue the boot sequence until the system is fully running, with various checks along the way. In addition, given it is hardware, it may provide a unique capability which can be used to validate running software again to “re-attest” the trustworthiness. In either case, the hardware anchor is irreplaceable.

Technology: Next Generation Encryption based on industry-leading algorithms. Cryptography provides confidentiality, integrity, authentication, and non-repudiation for communications and data. Cryptography is foundational in helping ensure trustworthiness, whether to assure software integrity and authenticity or to protect data at rest. For an encryption system to have a useful shelf life and securely interoperate with other devices throughout its lifespan, the system should provide security for ten or more years. Building trustworthy systems provides developers with guidelines for incorporating secure, agile, high performance-validated cryptography across the portfolio of vendor products. They are based on a hardware trust anchor that supports security elements, such as a Secure Unique Device Identifier (SUDI), the secure storage of cryptographic keys, the generation of security certificates, a randomized number generator, and the storage protected within an anti-tamper envelope. Next generation cryptographic capabilities drive improved security and robustness, increase scalability and efficiency, reduce validation costs, and increase revenue protection and cost savings, all while meeting global standards. These technologies simultaneously satisfy security requirements while using scalable cryptographic algorithms.

Technology: Signed software for attestation on author and integrity. With or without hardware, being able to test and attest to the integrity and authorship of software goes a long way to a trustworthy system. Of note, a digitally signed software bundle attests to authorship and confirms that the software has not been tampered with since signed; it does not attest to the security designs for that software. That said, authorship and integrity matter: confidence in the fact that the original software is identical to the program that is running on the device enables the buyer to make projections on trustworthiness. If the author for the software isn’t the vendor’s name, you may also make projections on its trustworthiness. It is also helpful to have digitally signed software that is checked at boot time. For example, if a device powers on and goes to load software, and that software is digitally signed with a valid signature and the correct checksum, a trustworthy system will then load the software. If not, it might not load the software at all.

Advanced software protections. We build on our successes and learn from our mistakes, and software development is no different. Advanced software protections are created through research at universities, practiced at companies who share them with the broad community, and interaction with government and individuals, all of whom invent new ideas to help address new threats. Software protections are needed as “signed” software only gives you an author; it does not protect against on-host threats designed to tap into the running software. Signatures assure original quality, but an on-host threat can modify operations at the point of contact, the next reboot, or another pre-defined and delayed moment, making software protection an additional necessity. A rather well-known advanced security protection at the time this paper was developed is Address Space Layout Randomization (ASLR), a design that helps ensure that it is difficult to find where software is loaded into memory. In turn, this makes it equally difficult, if not harder, to tamper with the running software by modifying its memory. Turning on the NX-bit and compiler’s using BOSC fall into this category as well, along with many others.

Conclusion: Actions speak Louder than Words. Trust matters, plain and simple, it doesn’t happen overnight, it is more than just saying, “Trust me,” and it matters today given our reliance on technology. Trusting a vendor is essential. Too much is at stake to experiment or guess, and not all vendors are created equal. We are in a market transition where trust matters, and process and technology must be integral features of product design for a vendor to meet the needs of today’s threats. A company’s promise is insufficient: firms need verification through certified products, integrated development processes, innovative technology, and respected standing in the industry. Some have strong reputations, with records demonstrating a commitment to integrity. Some have invested the time and effort to build security into their development process. Some have innovated with hardware technology and security defenses, advancing the protections inherent in shipping products. Some, however, have not. As we increasingly rely on digital infrastructure and services, this difference needs to be central to considerations as we march onwards. This is only an article, the proof is what your vendors are doing. Ask them.

NOTES

1 “Defense Industrial Base Assessments: Counterfeit Electronics,” U.S. Department of Commerce, January 2010, Internet, http://www.bis.doc.gov/defenseindustrialbaseprograms/osies/defmarketresearchrpts/final_counterfeit_electronics_report.pdf (date accessed: 7 October 2012).
2 Tam Harbert, “US Government Fails Counterfeit Detection 101,” EBN, 29 August 2012, Internet, http://www.ebnonline.com/author.asp?section_id=1084&doc_id=249910&itc=ebnonline_gnews (date accessed: 7 September 2012).


The Key Terrain of Cyber

John R. Mills

John R. Mills is the Special Assistant for Cybersecurity in the Department of Defense. He was the DoD representative to the Executive Office of the President and the National Security Council for the 60 Day Cyberspace Policy Review conducted in the spring of 2009. He is currently a Colonel in the U.S. Army Reserve and, post-9/11, spent two years conducting operations and planning with the Joint Staff at the Pentagon and at Central Command.

It is said that “cyber” is distinct from other domains in that it is created by humans and does not necessarily have physical manifestations.1 The legacy domains of air, sea, land, and space, however, do have physical manifestations of distinct brick and mortar infrastructure, which are needed to generate and project national power. The infrastructures in these pre-cyber domains are not only key terrain elements of the operational space, but also distinct centers of gravity that provide lucrative targets for threat vectors.2 It was originally thought that we were released from the earthly bondage of brick and mortar infrastructure into cyber’s non-existent land of ones and zeros.3 Assuming the Cyber domain frees us of traditional Clausewitzean key terrain concepts, however, is a faulty logical starting point because Cyber does have physical manifestations.4

Classic theories of conflict cite the need to control key terrain.5 Examples of key terrain in nation-state conflict include high ground such as the Golan Heights and the critical North Atlantic sea lines during the Second World War. At the height of Operation Iraqi Freedom, the “human terrain” of the Sunni tribal families in Anbar Province of Iraq was the decisive key terrain.6 Moreover, as discussed by Dr. Jorge Benitez, the domestic human terrain of political will and public support could also be the decisive key terrain and center of gravity for success in Afghanistan.7 Clausewitzean principles of key terrain can be similarly applied to Cyber; it has a number of earthly manifestations including data centers, internet service providers, undersea cables, international standards bodies, BIOS, supply chain, the cyber workforce and the engine of technology innovation. This article will demonstrate that the domain of cyber has several of the traditional nodes of key terrain and also contemporary key terrain elements that Clausewitz might not have foreseen but would possibly include in an updated version of his theory of key terrain. The key terrain elements identified in this article show significant pressure points for Cyber that must be considered and would likely be ruinous if discounted.

Data Centers. With the emerging phenomenon of “cloud,” data centers have become one of the decisive key terrains of cyber. They demonstrate that even in the world of cyber, the ones and zeros have to be physically located somewhere.8 This provides a national security quandary; data centers represent a large grouping of our data and, consequently, are large targets.

Data centers have become the foundation of the digital economy. Former Deputy Secretary of Defense for Cyber Policy Bob Butler commented on this in a recent interview:

“[Data center] is the place where information technology and critical infrastructure come together for national security and public safety...To counter advancing threats, we need to make intelligent data centers a key foundation in our approach to cyber security.”9

In the idyllic countryside around Culpeper, Virginia, stands an impressive complex that represents the latest in physical and network security for a data center—the Terremark facility recently acquired by Verizon.10 Known as the National Access Point (NAP) for the Capital Region, the facility is a model of cyber resiliency; no design feature was spared in ensuring it would be the standard for infrastructure supporting physically dislocated network operations centers and data storage for the cloud environment.11 Each data center structure is a secure bunker, designed to provide clients who require it collocation space that meets the government’s standards for secure collocation facilities.12 When fully built, the NAP will have almost nine hundred thousand square feet of raised floor space.

Other examples of data centers are the Facebook efforts in both North Carolina and Oregon.13 Although impressive physical manifestations like the NAP, they are different in that Facebook’s intent with data centers is to share all details of the data center publicly through its “Open Compute Project.”14 This effort intends to fully “crowd-source” the design and operation of data centers to help shape and drive the future.15 These two approaches to data centers have similarities to the debates over Windows, Mac and Linux on the proper way to establish operating systems—namely open or proprietary.16

Rapidly scalable and deployable data center constructs are also offered by HP and IO.17,18 Interestingly, these data centers can rapidly re-scale and reprice based nearly on the daily needs of the user. When the cloud is not needed, the models can dissolve this virtual infrastructure through replication of individual computers, directories, and networks on a massive scale in Cyber. They can also re-form this same infrastructure instantaneously when needed.

Regardless of the data center trend trajectory, data centers need to provide greater security and resiliency to give customers the confidence to use them. Although centers may consider the minutiae of physical security and mission assurance in their designs, threat vectors will inevitably find design flaws. In essence, every grand design has a “small thermal exhaust port” which emphasizes the dependency and vulnerability of cyber in brick and mortar infrastructure. Furthermore, details of data centers used for supporting national security purposes should be significantly obfuscated and significant geographic duplication of data stores must be enforced.

Commercial Internet Service Providers. There was a time when the U.S. government built, provisioned and maintained government owned and operated communications centers and communications lines. But because of the modern state’s rapidly changing environment, the government-owned/government-operated model for infrastructure is no longer realistic. Although the U.S. government does have entities such as the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and Department of Defense’s Cyber Command, the real command and control for the flow of ones and zeros in Cyber occurs through Commercial Internet Service Providers (ISPs).19,20 In other words, government entities are merely attempting to aggregate and depict a small segment of the deep internet. This depicted data is essentially dependent on feeds derived from ISPs.

ISPs are the rapidly-evolving, “flagship airlines” and the true intermodal transit centers of the cyber age. The legacy cyber airlines, such as AOL and Yahoo, are desperately trying to transform to survive as the next generation of cyber flagships, such as Google and Facebook, evolve beyond the simple concept of ISPs. This new generation is taking cyber to the next level of holistic managed services where programs, software, security, and data storage are provided as ubiquitous managed environments to the individual consumer and business which can be accessed from anywhere and by any medium, including the dynamic mobility environment.

With these rapidly evolving trends also come distinct duties and responsibilities of the evolved ISPs.21 These duties and responsibilities can range from the obligation to report on security incidents to the duty to inform the public of impending threats. Only by subscribing to these duties and responsibilities will evolved ISPs instill confidence in their ability to handle our data in the market, the public and the government. The exponential growth of ubiquitous cyber availability is simply beyond the capacity of the U.S. government to match or maintain pace with, so it must learn to deliver unmatched cybersecurity in an environment where its national security apparatus is no longer driving technology and innovation. Attempting to emulate the innovation of Silicon Valley internally will ensure dated government offerings. In contrast, the evolving private sector cyber services providers and their infrastructures are the future of cyber. Consequently, the government must learn to deliver national security in an environment where it is dependent upon private sector ISPs.

Undersea Cables. Even with the great increase in commercial launches of satellites, the great majority of our cyber traffic runs on terrestrial lines and undersea cables. These lines and cables process 99 percent of cyber traffic, as they are still more efficient and less expensive than satellites given the growing bandwidth demands of cyber.22 This is another situation in which the U.S. government is dependent upon the private sector. Terrestrial lines and geographic confines provide security for nation-states; the same delineations do not apply to the relatively small network of undersea cables.23 These cable networks lie in international waters for significant lengths, displaying one of the most distinct physical manifestations of cyber. Furthermore, these lines are dependent solely on deep water for protection.

Blind Man’s Bluff, a book about the Cold War era, details the U.S. Navy Submarine Service’s protection of friendly undersea cables and exploitation of adversaries’ undersea cables.24 With an attack submarine force of close to one hundred boats during the height of the Cold War and a plethora of specialized auxiliary submarines and submersibles, the U.S. Navy had a healthy force to provide surveillance of the undersea cable structure. Unfortunately, over the last several decades the size of the U.S. Navy has greatly diminished; today only fifty-five attack submarines remain in service and much of the specialized undersea force is retired with essentially no in-kind replacement.25 In reducing this force, the U.S. government virtually removed a distinct capability-set and, by default, accepts risk in this capability area. Like ISPs, the government must adapt to an environment where critical infrastructure is no longer under direct control.


International Standards Bodies. This is arguably the most decisive key terrain for the future of cyber, through which the future of the internet or alternatives to the internet will be decided. The U.S. government, in partnership with the private sector, must provide coherent and consistent leadership in bodies such as the Internet Corporation for Assigned Names and Numbers (ICANN) or the International Telecommunications Union (ITU).26,27 The American Nation State must influence and provide leadership in this environment or it will fall behind in technical and policy standards. Standards define the riverbed path of revenue streams for the next generation of mercantile activity. Therefore, whichever organization has the ability to influence standards influences the future. Lack of leadership or erratic participation in such organizations cedes the playing field to others who have greater “will” to influence the future.

The PAL/VHS/Beta struggle for dominance of the 1970s in the first generation of home audio-visual recording systems was an early example of debate over global standards in the modern economic environment. Other examples include debates over IPv6 versus alternatives, or competition for leadership in software defined radios or 4G networks. This is a continuum of innovative friction that has existed throughout human history long before European nation states were squabbling over rail gauges. It is a debate that will continue on throughout the future. The United States must provide leadership and advocate for a solution before another nation-state does the same; surrendering leadership in this area diminishes the American advantage in innovation. The government must work closely with the private sector to ensure decisive and coherent representation at these critical forums.

BIOS. That first synapse event in a computer resides in the Basic Input Output System (BIOS).28 BIOS is the lowest level of firmware that starts a PC.29 In the 1990s, on the first internet compatible PC computers, the boot-up process churned away on a multi-minute start-up that had the anti-virus program several noticeable steps down the boot-up sequence. This painfully slow sequential process offered threat vectors a golden opportunity to control the device at the push of the power button, the very first time a synapse fired in its brain.

The National Institute of Standards and Technology (NIST) recognizes the critical and seminal role of BIOS and has created guidelines for BIOS protection.30 The whole defense of BIOS is based on one starting assumption—integrity of the supply chain. In other words, the original manufacturer of the motherboard’s BIOS chip must have procedures and controls in place to ensure this BIOS chip is untainted by malicious firmware that violates the intended boot sequence. But assuming that the pedigree of the BIOS is inviolate, there are a number of guidelines in the NIST document that outline methods to maintain and update the BIOS. There seems to be a heavy dependence on digital encryption of BIOS.31 Although there have been recent compromises of digital encryption in encryption tokens, this paper does not intend to be a technical document for firmware designers.32 The point of relevancy to this paper is that BIOS is one of the most critical, vulnerable, and strategic terrain features of cyber and it must be secured. This requires a close partnership between the government and industry. NIST has provided guidance on BIOS security, but this should be considered the starting point on a path toward ensuring the security of that first critical computer synapse event at start up.

Supply Chain. As described in the previous section, having decisive oversight of the supply chain is critical to ensuring the sanctity of root products at the silicon and firmware level. To maintain this integrity, it is important to consider diversity of source and the role of value-added resellers. One strategy to address the supply chain issue is to set up trusted in-house production such as the Trusted Foundry effort.33 In the supply chain, aggressive diversity of sources for basic information technology components must be relentlessly sought. This embraces the trend of globalization and provides counter-ambiguity back to the threat vector on source pedigree and intended final location of the IT component. Threat vectors have lower success rates in inserting themselves at root production when significant uncertainty is introduced on sourcing and intended end-state.

Another strategy is through the use of the Value Added Reseller (VAR) in information technology provisioning for the national security apparatus.34 Many of the major information technology end-items that are used in the private and public sector enterprise network environments pass through VARs. In other words, the IT line units arrive at the VAR less than complete. At the VAR, they are completed to the final specifications of the end-use customer. Thus, the VAR is a key terrain to control between supplier and end user. Both diversity of source and security of the VAR are essential strategies in securing the chain of custody. This requires a closer partnership between the government and industry, as both have a vested interest in supply chain security.

Cyber Workforce. The need is great for Cyber Warriors.35 Similar to the human terrain of Iraq’s Anbar Province between 2006 and 2008, the international cyber workforce is critical terrain for influencing current cyber as well as the future of cyber. The key terrain of the cyber workforce is both a qualitative and quantitative issue. But with certain peer competitors grossly outpacing the U.S. Science, Technology, Engineering, and Math (STEM) production rates in our primary and secondary school systems, it is unlikely the country can maintain nation-state dominance based on sheer numbers of our workforce.36 The reality is that in today’s globalized environment, our STEM output is at best constant while the rest of the world’s output is accelerating. For every STEM member the United States can throw at the cyber problem set, the rest of the world, including threat vectors, can throw ten at the cyber barbed wire of the United States. Eventually, it is quite likely that at least one will get through. Therefore, the quality and innovative edge of our STEM lifecycle system must remain superior. The U.S. government’s National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology, is creating a holistic public and private sector effort to address the STEM issue for the entire nation state.37 Allowing international STEM graduates into our system through preferential granting of citizenship is also a wise strategy for maintaining the United States’ competitive edge.

Innovation. The United States cannot maintain pre-eminence solely by increasing the volume of production in the world marketplace. If the world of cyber is a contest of attrition, the United States has lost. A strategy for success in cyber must be one of relentless innovation of intellectual property and information technology, “[i]ntellectual property is the DNA of innovation for the United States, and any threat to steal, alter, or disrupt that threatens our way of life.”38 It is essential that various levels of government continue to induce innovation through appropriate encouragement of venture capital; risk-taking; restraint on growth of government spending and intrusion into the market place; and incentives for the creation of wealth and employment.

This decisive cyber terrain feature of innovation is manifested in the contemporary technology and business happenings of Silicon Valley. As said at one gathering in April 2012 in the South Bay Region of San Francisco, “this is the Golden Age of Silicon Valley.”39 Between the next Apple product roll out, the Facebook IPO and the rise of Google, among many other formative events, modern Silicon Valley is reminiscent of the halcyon days of aerospace in Los Angeles in the 1950s through the 1980s. Silicon Valley must be leveraged by the government, “[t]he U.S. government essentially birthed Silicon Valley and has since wandered away from it—the U.S. government needs to re-establish [its] relationship with the Valley,” said Robert Rodriguez, a leading member of the innovation culture in Silicon Valley.40 If the United States loses innovation, it has lost the decisive key terrain of cyber.

Summary. As outlined in this article, there are a number of critical terrain features in cyber. Cyber is actually dependent on physical manifestations, just as Clausewitz posited for previous domains of struggle and conflict. This critical cyber terrain must be controlled, or at least decisively influenced, to maintain relevancy in contemporary cyber and to help build the future path and direction of cyber. Discounting, denying or overlooking Clausewitzean principles in cyber is dangerous. The cyber domain is subject to the role of key terrain just as the legacy domains of the past.


NOTES

1 William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyber Strategy,” Foreign Affairs, Internet, http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain.
2 Christopher Bassford, “Clausewitz and His Works,” Internet, http://www.clausewitz.com/readings/Bassford/Cworks/Works.htm.
3 Greg Rattray, Chris Evans, and Jason Healey, “American Security in the Cyber Commons,” Contested Commons: The Future of American Power in a Multipolar World: 140.
4 Prussian Military theorist Carl Von Clausewitz (1780 – 1831) had immense influence on military and nation state conflict theory. Key terrain refers to vital ground that needs to be obtained via military or security strategies.
5 Hans Gatzke, Internet, http://www.clausewitz.com/readings/Principles/#IId (date accessed: 1 May 2012).
6 In essence, social system construct and dynamic of the population
7 Jorge Benitez, “NATO’s Center of Gravity: Political Will,” Internet, http://www.acus.org/new_atlanticist/nato%E2%80%99s-center-gravity-political-will (date accessed: 15 May 2012).
8 Sean Patrick McBride, “The Mainframe Strikes Back: Enterprise and the Birth of Hybrid Computing,” Internet, http://www.millennialmainframer.com/2011/11/mainframe-strikes-back-zenterpriseand.html (date accessed: 17 May 2012).
9 Interview with former DoD Deputy Assistant Secretary of Defense for Cyber Policy, Bob Butler, 5 May 2012.
10 Jim Duncan, “Terremark in Culpeper Sold to Verizon,” Internet, http://www.realcentralva.com/2011/01/27/terremark-in-culpeper-soldto-verizon/ (date of posting 27 January 2011, date accessed: 17 May 20).
11 “NAP of the Capital Region,” Internet, http://www.terremark.com/data-centers/americas/nap-capitol-region.aspx (date accessed: 17 May 2012).
12 Ibid.
13 Rich Miller, “Facebook to Build Second Data Center in NC,” Internet, http://www.datacenterknowledge.com/archives/2011/10/04/facebook-tobuild-second-data-center-in-nc/ (date accessed: 17 May 2012).
14 “Hacking Conventional Computing Infrastructure,” Internet, http://opencompute.org/ (date accessed: 17 May 2012).
15 “What is Crowdsourcing?,” Internet, http://www.cbsnews.com/8301-505125_162-51052961/what-is-crowdsourcing/ (date accessed: 9 June 2012).
16 “Linux Windows debate perspectives on the Open Source community vs Microsoft,” Internet, http://sfswlinux.blogspot.com/ (date accessed: 17 May 2012).
17 “Critical Facilities Implementation,” Internet, http://www8.hp.com/us/en/business-services/it-services.html?compURI=1078696#tab=TAB1 (date accessed: 17 May 2012).
18 “Data Center Solutions,” Internet, http://www.iodatacenters.com/data-center-colocation-solutions/, (date accessed: 17 May 2012).
19 “About the National Cybersecurity and Communications Integration Center (NCCIC),” Internet, http://www.dhs.gov/xabout/structure/gc_1306334251555.shtm (date accessed, 17 May 2012).
20 U.S. Internet Service Provider Association, Internet, http://www.usispa.org/ (date accessed, 17 May 2012).
21 Melissa E. Hathaway and John E. Savage, “Stewardship of Cyberspace: Duties for Internet Service Providers,” Internet, http://wwww.cyberdialogue.citzenlab.org/wp-content/uploads/2012/2012papers/CyberDialogue2012_hathaway-savage.pdf.
22 Rob Waugh, “The deep web: Incredible new map of the undersea cables that keep 99 per cent of the world clicking,” Internet, http://www.dailymail.co.uk/sciencetech/article-2039974/The-deep-webThe-new-map-undersea-cables-world-clicking.html (date accessed: 17 May 20).
23 Global Bandwidth Research Service, “Submarine Cable Map,” Internet, http://www.submarinecablemap.com/ (date accessed: 17 May 2012).
24 Sherry Sontag, Christopher Drew, and Annette Lawrence Drew, Blind Man’s Bluff: The Untold Story of American Submarine Espionage, (New York: Public Affairs, 1999).
25 “Fast Attack Submarines,” Internet, http://www.navy.mil/navydata/cno/n87/today/ssn/html (date accessed: 12 July 2012).
26 Internet Corporation for Assigned Names and Numbers, Internet, http://www.icann.org/ (date accessed: 17 May 2012).
27 International Telecommunications Union, Internet, http://www.itu.int/en/Pages/default.aspx (date accessed: 17 May 2012).
28 Tim Fisher, “BIOS, (Basic Input Output System),” Internet, http://pcsupport.about.com/od/termsb/p/bios.htm, (date accessed: 17 May 2012).
29 Do Apples have a BIOS? – that is an excellent question – I am not a technical person and the point of this paper is not to compare and contrast the Windows environment to the Apple environment. All computer systems have some variant of a boot up process. The reason for BIOS receiving so much attention in the Windows environment is another interesting branch and sequel out of this paper. The closest thing I can derive is that Apple is a very small part of the home computing environment compared to Windows. But with the rapidly evolving trends in mobility and their sharp rise in sales combined with a drop in computer sales for the individual consumer, the point is still unchanged – all computing equipment regardless of its size, shape, and form, has some form of a boot up sequence – and maintaining that sanctity is of the utmost importance.
30 “Build Safety into the Very Beginning of the Computer System,” Internet, http://www.nist.gov/itl/csd/20110428_bios.cfm (accessed 17 May 2012).
31 “What is Encryption,” Internet, http://www.wisegeek.com/what-is-encryption.htm (date accessed 9 June 2012).
32 Kim Zetter, “RSA Agrees to Replace Security Tokens After Admitting Compromise,” Internet, http://www.wired.com/threatlevel/2011/06/rsareplaces-securid-tokens/ (date accessed: 17 May 2012).
33 Trusted Foundry, Internet, http://www.trustedfoundryprogram.org/list-view (date accessed: 17 May 2012).
34 CRN Website, Internet, http://www.crn.com/index.htm (date accessed: 17 May 2012).
35 “US Recruiting Cyber Security Warriors,” Internet, http://www.abc.net.au/news/2010-07-22/us-recruiting-cyber-security-warriors/916052 (date accessed: 9 June 2012).
36 Keith Kleiner, “World Sees Astounding Surge in Number of Scientists, China Becomes Physics Powerhouse,” Internet, http://singularityhub.com/2008/08/05/world-sees-astounding-surge-innumber-of-scientists-china-becomes-physics-powerhouse/ (date accessed: 17 May 2012).
37 “National Initiative for Cybersecurity Education,” Internet, http://csrc.nist.gov/nice/ (date accessed: 17 May 2012).
38 Interview with Shawn Henry, retired Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch (CCRSB), 21 May 2012.
39 Security Innovation Network, Internet, http://www.security-innovation.org/ITSEF_2012.htm (date accessed: 17 May 2012).
40 Interview with Robert Rodriguez, retired Secret Service Special Agent in Charge, 18 May 2012.


Global Fight Against Cybercrime

Undoing the Paralysis

Zahid Jamil

Zahid Jamil is a Senior Partner with the family law firm of Jamil and Jamil. He qualified as a Barrister from Gray’s Inn and is currently practicing law in Pakistan specializing in corporate and commercial law, technology, intellectual property rights, cybercrime and counterterrorism.

As the Internet exploded across the globe in the mid-1990s, the Council of Europe was the only intergovernmental treaty organization to recognize that “only a binding international instrument can ensure the necessary efficiency in the fight against [cybercrime]”1 and began the work of drafting a convention as early as 1996 that would “not only deal with criminal substantive law matters, but also with criminal procedural questions as well as with international criminal law procedures and agreements.”2 At the time, the developed countries from across the globe, which possessed the infrastructure and the majority of Internet users, came together out of a common interest to negotiate a draft convention. Four years of negotiations later, in 2001, they finalized the Treaty – the Budapest Convention on Cybercrime (“the Convention”).3

The Convention not only assisted in the convergence, consistency and compatibility of cybercrime legislation between infrastructure countries but also guided developing nations towards best practices in writing their own cybercrime legislation. For instance, in 2002, having drafted and assisted my country, Pakistan, in enacting its Electronic Transactions Ordinance, my government sought my advice on cybercrime legislation.4 The only model of effective legislation for international cooperation for combating cybercrime available then and now was the Convention; my advice was to promulgate legislation consistent with the Convention and consider accession.

Today, even after ten years, the Convention represents the only international instrument and the best hope for countries to establish common minimum standards of relevant offenses, prevent criminals operating from jurisdictions with lower standards and enable speedy and 24/7 international cooperation between law enforcement.

Nonetheless, the continued growing support for the Convention, particularly in developing nations, is by no means assured or inevitable. The Convention faces opposition from certain quarters that traditionally tend to promote a greater role for the regulation of the Internet by UN bodies.5 This article attempts to raise awareness about the challenges faced by those advocating in favor of the Convention in many developing countries, with the hope that a coalition of ‘friends of the convention’ can help reverse the permeating but weak narrative of its opponents, which seems to have embedded itself in the hearts and minds of some developing nation policymakers.

The Case for the Convention. In a globally interconnected world, a threat emanating from one part of the Internet threatens the entire Internet. It is not enough to rely upon firewalls and blocking threats, since the Internet’s very architecture is designed to overcome obstructions to communication.6 Crimes committed over the Internet frequently span jurisdictions. Law enforcement investigations and mutual legal assistance, however, are hampered by the inefficiencies underlying conventional international cooperation and mutual legal assistance treaties, not the least of which is the snail’s pace at which such cooperation proceeds, if at all. Consequently, any jurisdiction that does not have legislation equivalent to the Convention’s minimum standards for offences or procedural powers or is not a party to the Convention, may become a safe haven for cybercriminals committing crimes in other jurisdictions. Such jurisdictions connected to the Internet are a threat to the entire international community.

Since this global problem cannot be tackled by a regional or fractured patchwork of laws, it requires an international solution and a multilateral approach, which only the Convention currently provides. It is essential that conduct on the Internet criminalized in one jurisdiction be similarly criminalized in other jurisdictions. In order to investigate cybercrime across jurisdictions, law enforcement needs to have the legal and procedural tools to do so; rules for the collection and securing of digital evidence need to be compatible across jurisdictions around an international standard.7 This has been successfully achieved, to a great extent, in infrastructure countries. However, in the developing world the necessary legislation is either not sufficiently consistent with this international standard or simply does not exist.

In a sense, the Convention proves more valuable in its utility to developing countries than to infrastructure countries. Infrastructure countries tend to have trust mechanisms both established (mutual legal assistance) and ad hoc. Cooperation between infrastructure country law enforcement tends to be far more efficient and forthcoming. The most common grievances of developing country law enforcement tend to be that their requests for assistance from infrastructure countries, both law enforcement and the private sector, are rarely readily forthcoming due to the lack of established mutual legal assistance treaties between them and the reluctance on the part of infrastructure country law enforcement to trust developing country law enforcement requests.8

This is particularly problematic for developing countries since cooperation in terms of information and evidence for investigation and prosecution from several key cyberspace infrastructure and resources9 is vital. Most developing countries seem to be unanimous in their desire to have law enforcement of other countries and foreign private sector entities such as Google, Yahoo and Facebook provide information and evidence on an expedited basis. One of the unique advantages of the Convention is its ability to enable cooperation across borders. It is the only effective international mechanism in force for ensuring this expeditious exchange of critical information that legally binds members to cooperate, which is in use by a substantial number of major economies and infrastructure states. The Convention, therefore, provides the best hope for developing countries for an international mechanism for binding cooperation.

Ratification of the Convention ensures that if a country were to “request help from another country, they can be certain that their request can be considered efficiently, and the recipient will have in place the appropriate laws and procedures to assist. This is a significant advantage over a country saying that it has the right legislation, because it means that a country has agreed that not only does it have the right legislation, but that it is equivalent to that for the requesting country,” as James Brokenshire, the United Kingdom’s Parliamentary Under-Secretary for Crime and Security has explained; this enables law enforcement agencies to efficiently “cooperate with each other to prevent, detect and investigate crime.”10

Although most developed nations have become signatories – just in the last year (2011-2012) Belgium, Austria, Japan, Georgia, Malta, Switzerland and the U.K. have ratified bringing total ratifications to thirty-seven in addition to numerous nations having requested accession pending completion of internal procedures – this is not enough. The developed world remains exposed to threats from developing countries where the Convention is being lobbied against. Conversely, developing countries grow vulnerable as a result of recent economic (outsourcing, e-payments) and social (social networks) progress. The rest of the world needs to be brought on board.

The Problem: Opposition to the Convention. Most countries and organizations are working towards genuine international cooperation in support of the Convention. However, a handful of nations11,12 are spearheading efforts to limit support for the Convention. Since these nations are active members of various international organizations,13 it is perhaps not surprising that these organizations may be seen lobbying their political views.14 These nations have intensively been promoting what may be described as myths about the Convention and diverting energies of many nations to support an alternative cybercrime treaty under the aegis of the UN.15 These efforts have consisted of well-organised and well-resourced opposition in partnership with ministries of certain developing countries responsible for Foreign Affairs, Information Technology and Telecommunications (interestingly not Ministries of Interior or Justice16).

The opposition to the Convention argues that developing countries should wait until a new UN Treaty on Cybercrime/Cybersecurity.17 Any such agreement is likely to take years and will likely be a less effective version of the Convention. As a result, many developing country governments find it an internal challenge to take a decision with respect to the Convention, giving cybercriminals more time to act with impunity while the developing world waits for the dust to settle on the divisive politics energized by the opposition.

At regional workshops for developing countries and international forums organized by such international organizations, the narrative tends to focus on presenting arguments largely based on myths against the Convention,18 as opposed to its benefits to cybersecurity, global trade and prosperity. These forums tend to be weak on substance or solutions and strong on the promotion of political arguments for an alternative UN treaty or the development of new regionally focused model legislations inconsistent with the Convention. The forums thus promote divergence, inconsistency and incompatibility between regions and across the globe.

Developing countries and small developing states across the Pacific19 in regional workshops20 appear to have been discouraged from acceding to the Convention or using it as model legislation and have instead been motivated towards a UN Treaty or new regional model laws. Similarly, various representatives of IT and Foreign Ministries of my country were dissuaded from the Convention by myth-building at a regional workshop organized by an international organization21 and subsequently at the UN 12th Crime Congress in 2010.22 This is just one of several examples where efforts towards the Convention were thwarted by the opposition. Such developing countries often walk away opposed to the Convention, overwhelmed by the politics, and thinking it best to avoid entirely; they leave with confusing and mixed messages and a general aversion to the Convention that then translates into a lack of momentum towards converged legislation and accession, slowing the development of an effective global response to cybercrime.

An example of mixed messages is the ITU Project,23 which spearheads most of the aforementioned lobbying efforts away from the Convention, contrary to its donors’ (EU) policy. The project promotes regionally based cybercrime model laws24 with differing provisions and definitions. This patchwork approach of regional cybercrime models mandates into law technology specific, frequently unclear, or technically incorrect definitions and overreaching provisions related to “search engines,” “hyperlink providers” and “caching providers,” “access provider,” “hosting provider.” It notably fails to provide either adequate or any provisions for mutual legal assistance or international cooperation25 and also criminalizes “religious acts” which may include blasphemy.26 These programs have done much to dispel developing countries’ interest in the Convention. The Project incorrectly projects a perception that the European Commission looks favorably upon this divergence from the Convention, driving recipient developing countries further away from the Convention.

Similarly, the Commonwealth Cybercrime Initiative, initiated by donors27 favoring convergence, compatibility and consistency around the Convention,28 has witnessed ITU (for the moment) take a lead role in projects; the Initiative has diluted its literature and redefined itself, calling itself “neutral” and “agnostic” towards the Convention. Even some countries, such as Singapore, that traditionally may have been expected to partner with infrastructure countries appear reluctant to demonstrate all-out support. This is despite Singapore’s cybercrime legislation being consistent with the Convention and its hosting of the Interpol cybercrime and digital security complex in 2014.29

Myth Busting. A key challenge to advocates of the Convention are the myths spread about the Convention by opponents and proxy international organizations. These arguments span three broad categories: labeling the Convention as a regional instrument; developing countries’ non-participation during its drafting; and the allegation that it is outdated, technology non-specific, and non-prescriptive.

With respect to labeling the Convention as regional,30 the fact is that members of the Convention include nations from North America, the majority of Europe including the U.K., France and Germany, Japan, and South Africa,31 with numerous others requesting accession.32 To refer to a Convention that includes the whole of North America, Europe, soon Australia33 and parts of Africa, South America and Asia with thirty-seven nations having ratified and eighteen others signed on or having been invited to accede as regional is factually incorrect. Moreover, it detracts from the central benefit of the treaty, namely that developed ‘infrastructure nations’ are members, i.e., that it binds developed nations to cooperate with developing nations. This falsity directly undermines the Convention.

Opponents also criticize the fact that developing nations did not participate in the drafting process.34 This is meant to create an ‘us against them’ dynamic between developing and developed nations. However, the Internet and its threats are identical for users in developed and developing countries. The tools, both technical and legal, required to investigate and prosecute cybercrime are the same for a developed as well as a developing nation. Unlike today, in 2001 most developing countries did not view Cyber as a priority. Moreover, many treaties, including ones dealing with technical issues, led and drafted by mostly developed nations were acceded to later by others: The Paris Convention of 1919 which established the International Commission for Air Navigation35 or the Hague Rules 1924 and Hague-Visby Rules 1968 for Carriage of Goods by Sea.36 For developing countries, an analysis on merits, utility and their own national interest proves more beneficial as opposed to the politics, prejudice, and strategic interests of others.

Another criticism is that the Convention is outdated and does not take into account new threats.37 It is argued that the Convention does not specifically mention interception of VoIP (voice over Internet protocol, i.e., Skype). This argument fails to take into account Article 21 on the “Interception of content data”38 which enables real-time collection and recording of any type of content data, which includes VoIP data. The argument turns an advantage of the Convention on its head and favors technology specific and prescriptive provisions such as VoIP. Such a detailed prescriptive approach would limit the ability of nations to adapt to changing technologies in the future; limit their flexibility in drafting their own laws for implementation; and demonstrate a lack of respect for the sovereignty and jurisprudence of nations that might join in the future.39 The Convention also only establishes a minimum standard of criminalized behavior internationally. It in no way impedes the ability of nations to establish offences that go beyond this threshold.

Another criticism is that the Convention does not address botnets or phishing.40 Botnet attacks consist of illegally accessing a computer through the use of malware, usually for the purposes of interception, data interference and system interference. The Convention criminalizes and establishes offences against illegal access (Article 2), illegal interception (Article 3), data interference (Article 4), system interference (Article 5) and the misuse of programs (Article 6). Phishing is generally the sending of an email with a false reply-address and false header information, impersonating another person or organization to fraudulently obtain personal information from a victim followed by the theft of the funds and causing of economic loss. The Convention’s provisions on computer-related forgery (Article 7) and computer-related fraud (Article 8) apply to phishing.

That most subsequent attempts to draft legislations, model laws, regional treaties or legislative guides have used the Convention as a base document41 along with the technology non-specific definitions of its offences, speaks volumes about the enduring value of the Convention.

Solutions. First and foremost, the Convention’s supporters should make its adoption a policy priority, ensuring that all funded projects and policy statements unambiguously support and advocate for ratification in the public discourse. Recent steps in this direction include the United States’ International Strategy for Cyberspace42, the United Kingdom’s Cyber Security Strategy43, and various statements by member states of the Convention upon its tenth anniversary in 2011. In response to criticism, the British government has said “there was no appetite for an alternative Convention”44, whilst the Australian Government has called it the “world’s leading international legal tool to combat cybercrime”, referring to it as “effective” and attributing “foresight” to its drafter and even describing “any suggestion that [the Convention] is out of date” as “totally without foundation”45 and has recently passed legislation designed to enable accession to the Convention.46

Several developing countries have been helpful in speaking out in support of the Convention, such as Costa Rica, when it passed its recent cybercrime law consistent with the Convention47 and Sri Lanka, when it declared it “would soon become a signatory,”48 and that their “legislation provides adequate checks and balances, consistent with the Budapest Convention,” whilst thanking “the Council of Europe for getting us on these international lines.”49 More of such efforts with and statements from developing countries would be useful.

These views are unfortunately rarely communicated effectively enough to developing countries. It is therefore imperative that ‘friends of the convention’ expand and improve their myth-busting efforts and conduct greater outreach with developing countries through unambiguous and vigorous support of developed country governments and international donor agencies with the assistance of partners and friends of the Convention through a large body of experts enlisted in the advocacy efforts ranging from practitioners, academics, the technical community and the private sector from the developed as well as developing world.

Countries can support these efforts by taking their international cyber security strategies and implementing them through various policy directives. Possible ways of doing this include: tasking economic officers at embassies with the advocacy of accession to the Convention as part of foreign policy; having Ministries of Interior or Justice more engaged in international processes by having their representatives, rather than representatives from IT or Foreign Affairs, participate in international cybercrime forums, workshops and negotiations, as they are the ones with the responsibility for handling cybercrime; or treating the accession to the Convention as a metric when measuring a country’s status and progress towards cybersecurity.50 In the case of the United States, this could be treated as a criterion in the United States Trade Representative’s Annual Special 301 Report on Intellectual Property.51

The debate about cybercrime needs to consist of practical cooperation in areas where the Convention can be of greatest value, not of political posturing. Only a collaborative effort can provide an effective international strategy towards combating cybercrime. This will not just be of benefit to the developing countries but will benefit the developed world and the global economy, rooting out cybercrime havens and securing the Internet.

NOTES

1 Council of Europe, “Convention on Cybercrime,” Internet, http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm, paragraph 9 (date accessed: 30 September 2012).

2 Ibid, paragraph 10.

3 Council of Europe, “Convention on Cybercrime – What Do You Want to Know?” Internet, http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG (date accessed: 30 September 2012).

4 Based upon the UN Commission on International Trade Law (UNCITRAL) model law, http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010245.pdf (date accessed: 30 September 2012). The Electronic Transactions Ordinance is the bedrock of everything cyber in Pakistan and overnight it gave recognition to electronic documents, signatures and records and provided the principles of evidential admissibility both in civil as well as criminal cases.

5 International Telecommunications Union (ITU) and UN Treaties, promoted by Russia, China, Iran, see L. Gordon Crovitz, “The U.N.’s Internet Power Grab,” Wall Street Journal, 17 June 2012 and Nina Easton, “Where’s the outcry on the U.N. push to regulate the Internet?” CNNMoney.com, 30 May 2012, http://tech.fortune.cnn.com/2012/05/30/unitednations-internet-regulation/ (date accessed: 30 September 2012).

6 A globally interconnected network without a single point of failure where data packets would find a route to their destination even if they came across an obstruction or had to use alternative routes to reach their destination.

7 Currently, the Convention is the only binding international treaty and therefore serves as the standard agreed upon by sovereign states under international law.

8 Law enforcement of developed countries hesitates to comply with these requests because of issues such as the authenticity of the requests from developing country law enforcement, their compliance with human rights and civil liberty requirements, and their susceptibility to corrupt practices and abuse of process due to weak governance.

9 Evidence from vital platforms such as social networks, search engines, Web mail services, ISPs, etc. tends to concentrate in infrastructure countries.

10 James Brokenshire, “Speech delivered at the 10th anniversary of the Budapest Convention, Council of Europe, Strasbourg,” Internet, http://ukcoe.fco.gov.uk/resources/en/22792210/pdf-brokenshire (date accessed: 30 September 2012).

11 Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cooperation against Cybercrime,” (presentation at Octopus Conference, June 6-8 2012), Internet, http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_Octopus2012/presentations/Conclusions_E_Chernukhinpresentation-2012%20Octopus.pdf (date accessed: 30 September 2012).

12 “Is Convention enough to respond effectively to the new dynamic challenges in the computer sphere? NO” [slide 19] “Convention on Cybercrime does not provide any systematic response to the new trends of cybercrime” [slide 20] “….encourage the international community to establish a comprehensive international legal instrument …..” [slide 22] “possible structure of the UN Convention on cybercrime..” [slide 23-28], from Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cybercrime: New Threat and Global Response,” presentation at Octopus Conference, 6-8 June 2012, Internet, http://www.unodc.org/documents/treaties/organized_crime/EGM_cybercrime_2011/Presentations/Russia_1_Cybercrime_EGMJan2011.pdf (date accessed: 30 September 2012); see also, Sixth Annual Meeting of the Internet Governance Forum, “Main Session - Security, Openness and Privacy,” transcript, 29 September 2011, Nairobi, Kenya, Internet, http://www.intgovforum.org/cms/component/content/article/108-transcripts/862-main-sessionsecuirt-openness-and-privacy (date accessed: 1 October 2012), especially: “I am from Ministry of Foreign Affairs of China.... In September 12, China, Russia, Tajikistan and Uzbekistan sponsored a code of behavior on the cybersecurity to the General Assembly as an official document to be circulated among the General Assembly....We call upon countries to discuss this question under the framework of United Nations.... China and Russia, in response to this kind of call, have tabled this motion to the General Assembly to provide business to take this kind of action. However, United Nations as a universal organization is the best forum to come to consensus on these kind of code of behavior. Including ITU and other international organizations, we have already reached some consensus which has already been reflected in these documents....This is a formal document that doesn’t have any binding effect on any country. We call upon all countries to join this motion voluntarily.”; see also especially response of Zahid Jamil in transcript further below; see also, Internet Governance Forum 2, “Security Session,” transcript, 14 November 2007, Rio de Janeiro, Brazil, Internet, http://intgovforum.org/cms/Rio_Meeting/IGF2-Security-14NOV07.txt (date accessed: 1 October 2012), especially: “I am Elena Batueva from the Ministry of External Relations of the Russian Federation...The importance of this international security was confirmed in the 62nd session of the general assembly when there was a unanimous vote on a proposal by Russia as to how to have security for information at international level. And this confirms that international security and Internet security, which is a very important part of it, they have a technical aspect and a political and military aspect. The whole thing has to be considered en bloc...The preparation of an international approach in the field of security for information will allow us to simplify the work of international organisms that don’t exist right now and should exist. And there should be international agreements on the subject…”; see also, “Conflict over proposed United Nations cybercrime treaty,” ComputerWeekly.com, 15 April 2010, Internet, http://www.computerweekly.com/news/1280092581/Conflictover-proposed-United-Nations-cybercrime-treaty (date accessed: 1 October 2012).

13 In particular the ITU and the UNODC, supra notes 10 and 11.

14 Marco Gercke, International Telecommunication Union, “Understanding Cybercrime: A Guide for Developing Countries,” Internet, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/ITU_Guide_A5_14092011_rev.pdf (date accessed: 30 September 2012).

15 Twelfth United Nations Congress on Crime Prevention and Criminal Justice, “Cyberspace Treaty – A United Nations Treaty or Protocol on Cybersecurity and Cybercrime,” Internet, http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress.pdf (date accessed: 30 September 2012); “….examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.”; Twelfth United Nations Congress on Crime Prevention and Criminal Justice, Salvador, Brazil, 12-19 April 2010, “Salvador Declaration,” esp. paragraph 42, http://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/Salvador_Declaration/Salvador_Declaration_E.pdf (date accessed: 30 September 2012); the UNODC study as a precursor for “development of an international instrument” see: United Nations Office on Drugs and Crime, Organized Crime & Illicit Trafficking Branch, Division of Treaty Affairs, “UNODC & the Global Response to Cybercrime,” esp. Slide 12, PowerPoint Presentation, Internet, http://www.itu.int/ITU-D/arb/ARO/2011/CyberSecurityForum-Eg/Docs/Doc2-UNODC.ppt (date accessed: 1 October 2012).

16 This is despite Interior and Justice Ministries being the ones with the relevant expertise and responsibility for investigation and prosecution with established cross border cooperation mechanisms, mutual legal assistance and extradition.
17 Ministry of Foreign Affairs of the People’s Republic of China, “China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations,” 13 September 2011, Internet, http://www.fmprc.gov.cn/eng/zxxx/t858978.htm (date accessed: 1 October 2012).

18 UN Office on Drugs and Crime (UNODC), “An International Treaty on Cybercrime?”, PowerPoint presentation, September 2011, http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S5_UNODC.pdf (date accessed: 1 October 2012); a UNODC presentation from May 2012 stated as a goal of the UNODC Cybercrime study that it “will examine options for strengthening existing and proposing new national and international legal or other responses to cybercrime”: UNODC, Organized Crime & Illicit Trafficking Branch, “Comprehensive Study on Cybercrime,” PowerPoint presentation, May 2012, http://www.unodc.org/documents/eastasiaandpacific//2012/05/cyber-crime/Bangkok_intro_presentation.pdf (date accessed: 1 October 2012); for information on UNODC Cybercrime study, see: UNODC, “Regional experts meet to support UNODC global cybercrime study,” 17 May 2012, Internet, http://www.unodc.org/eastasiaandpacific/en/2012/05/cybercrime-workshop/story.html (date accessed: 1 October 2012); for information on an Asia-Pacific regional workshop, see UNODC East Asia and Pacific, “Asia-Pacific acts to counter cybercrime,” 29 September 2011, Internet, http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/index.asp (date accessed: 1 October 2012), esp. “The UN-sponsored conference of prosecutors and information communications technology (ICT) experts called for a strengthened international response to security threats from cyberspace.”; “THE BAD NEWS – Non[sic] of the above listed offences is covered by the “old” regional approaches such as the Budapest Convention on Cybercrime (2001)”, “An Overview of Cybercrime Offences,” PowerPoint presentation at ITU Asia-Pacific Regional Workshop on Fighting Cybercrime, 21-23 September 2011, Seoul, South Korea, Internet, http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S2_Marco_Gercke.pdf (date accessed: 1 October 2012).

19 ITU event for Pacific Islands, ITU, ICB4PAC, 3 March 2011, Vanuatu. “Regional and International Approaches,” esp. slides 16-19, PowerPoint presentation at ITU ICB4PAC 3 March 2011, Internet, http://www.trr.vu/attachments/article/14/Presentation_3%20ICB4PAC%20workshop_Vanuatu.pdf (date accessed: 1 October 2012), Presentation concludes with a scathing criticism of the Convention.

20 “THE BAD NEWS – Non[sic] of the above listed offences is covered by the “old” regional approaches such as the Budapest Convention on Cybercrime (2001)”, “An Overview of Cybercrime Offences,” PowerPoint presentation at ITU Asia-Pacific Regional Workshop on Fighting Cybercrime, 21-23 September 2011, Seoul, South Korea, Internet, http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S2_Marco_Gercke.pdf (date accessed: 1 October 2012).

21 Ibid.
22 Twelfth United Nations Congress on Crime Prevention and Criminal Justice, “Cyberspace Treaty – A United Nations Treaty or Protocol on Cybersecurity and Cybercrime,” Internet, http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress.pdf (date accessed: 1 October 2012).

23 International Telecommunications Union, “Support for the Establishment of Harmonized Policies for the ICT Market in the ACP,” Internet, http://www.itu.int/ITU-D/projects/ITU_EC_ACP/index.html (date accessed: 1 October 2012).

24 For examples of regional cybercrime model laws, see: Caribbean - HIPCAR (http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipcar/index.html), Sub-Saharan Africa - HIPSSA (http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/index.html), Asia Pacific - ICB4PAC (http://www.itu.int/ITUD/projects/ITU_EC_ACP/icb4pis/index.html) (all accessed: 1 October 2012).

25 ITU Telecommunication Development Bureau, “Establishment of Harmonized Policies for the ICT Market in the ACP: Countries Cybercrime/e-Crimes: Model Policy Guidelines and Legislative Texts,” PowerPoint presentation, 2012, Internet, http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipcar/reports/wg2/docs/HIPCAR_1-5-B_Model-Policy-Guidelinesand-Legislative-Text_Cybercrime.pdf (date accessed: 1 October 2012).

26 Part II Article 21 simply stating without any definition, explanation or guidance that: “A country may criminalize racial and religious acts committed by using means of electronic systems.” “Pacific Island Regional Model Cybercrime Legislation: Prepared as part of the ITU-EC project on “Capacity Building and ICT policies, Regulations and Legislative Frameworks” for Pacific Islands Countries (ICB4PAC)”. The project is for ACP member countries in the Pacific Islands, with the Assistance of the Pacific ICT Regional Regulatory Center (PIRRC). April 2012.

27 UK and Malta, both having ratified and supported the Convention.

28 Note changes in versions of Commonwealth Cybercrime Initiative from 2011, Commonwealth Secretariat, “Commonwealth Cybercrime Initiative Proposal,” Internet, http://www.comnet.org.mt/wpcontent/uploads/2011/07/Cyber-Crime-ProposalVer-6-.pdf (date accessed: 1 October 2012), 10; and from 2012: Lara Pace, Commonwealth Secretariat, “Commonwealth Cybercrime Initiative: Project Description,” August 2012, Internet, http://www.commonwealthigf.org/wp-content/uploads/2012/08/CCI-Project-Description-August-2012.pdf.

29 Daniella Cheslow, “Interpol Ups the War Against Cyber Crime,” 8 May 2012, Huffington Post, http://www.huffingtonpost.com/2012/05/08/interpol-cyber-crime_n_1499734.html (date accessed: 1 October 2012).
30 “…….regional initiatives, including the Council of Europe Convention on Cybercrime.” in UN General Assembly Resolution 64/211, 17 March 2010, http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N09/474/49/PDF/N0947449.pdf?OpenElement (date accessed: 1 October 2012), paragraph 13.
31 South Africa participated in the negotiations and signed it. Ratification is still pending.
32 Argentina, Australia, Chile, Costa Rica, Dominican Republic, Mexico, Philippines, and Senegal.
33 Attorney-General for Australia, “New laws in the fight against cyber crime,” 22 August 2012, Internet, http://www.attorneygeneral.gov.au/Media-releases/Pages/2012/Third%20Quarter/22August2012-Newlawsinthefightagainstcybercrime.aspx (date accessed: 1 October 2012).
34 It is interesting to note that at the time when the negotiations started, about one third of the Council of Europe member states participating found themselves in the bottom half of UNDP’s Human Development Index. The member states from Eastern Europe were considered “States in Transition”. For more information, see UN Development Programme, “Human Development Report 1998,” Internet, http://hdr.undp.org/en/media/hdr_1998_en_indicators1.pdf (date accessed: 1 October 2012).
35 The US invited fifty-five states to attend the International Civil Aviation Conference in November 1944, in Chicago. 54 States attended this Conference. The conference organizer and depository was the US with the seat of ICAO being in Montreal, Canada. For the full treaty text, see: “Convention on International Civil Aviation,” Internet, http://www.icao.int/publications/Documents/7300_orig.pdf (date accessed: 1 October 2012); Russia joined this Convention as late as 1970 and China recognized it in 1974. For a full list of countries and their date of accession, see: http://www.icao.int/publications/Documents/chicago.pdf (date accessed: 1 October 2012).
36 Notwithstanding its negotiation largely by the UK as a colonial power, developing countries, including those achieving independence from colonial rule, continue to adhere to these Rules now applied by all ocean carriers. The Belgian Government serves to this day as its depository. Russia still does not recognize the Hague nor the Hague-Visby Rules whilst China recognizes both the Hague Rules and Hague-Visby Rules.
37 The Chair of the ITU’s High-level Experts Group (HLEG) stated at the UN’s Twelfth Crime Congress that the Convention “is based on cyber conducts in the late 1990s and do not necessary [sic] be suitable for the 2010s.” Stein Schjolberg, “A Cyberspace Treaty – A United Nations Convention on or Protocol on Cybersecurity and Cybercrime – A Background paper,” Twelfth United Nations Congress on Crime Prevention and Criminal Justice, http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress.pdf (date accessed: 1 October 2012), 3.
38 Convention on Cybercrime (Budapest Convention), Article 21 – Interception of content data 1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to: a collect or record through the application of technical means on the territory of that Party, and b compel a service provider, within its existing technical capability: i to collect or record through the application of technical means on the territory of that Party, or ii to co-operate and assist the competent authorities in the collection or recording of, content data, in real-time, of specified communications in its territory transmitted by means of a computer system.
39 Ranging from common law, civil law, Nordic to Asian, Islamic and indigenous legal traditions.
40 A mainstay of the Russian Federation’s argument against the Convention. For further information, see: Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cybercrime: New Threat and Global Response,” presentation at Octopus Conference, June 6-8 2012, Internet, http://www.unodc.org/documents/treaties/organized_crime/EGM_cybercrime_2011/Presentations/Russia_1_Cybercrime_EGMJan2011.pdf (date accessed: 30 September 2012). Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cooperation against Cybercrime,” presentation at UNODC Expert Group on Cybercrime, 17-21 January 2011, Internet, http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_Octopus2012/presentations/Conclusions_E_Chernukhinpresentation-2012%20Octopus.pdf (date accessed: 30 September 2012).
41 Commonwealth Secretariat, “Model Law on Computer and Computer Related Crime,” October 2002, Internet, http://www.thecommonwealth.org/shared_asp_files/uploadedfiles/%7BDA109CD25204-4FAB-AA77-86970A639B05%7D_Computer%20Crime.pdf (date accessed: 1 October 2012), 1: “Ministers asked that an expert group be convened to consider the content of a model law on the basis of the work of the Council of Europe on the Draft Convention on Cyber Crime (COE Draft Convention).”; Business Software Alliance, “BSA Global Cybersecurity Framework,” 2010, Internet, http://www.bsa.org/~/media/Files/Policy/Security/CyberSecure/Cybersecurity_Framework.ashx (date accessed: 1 October 2012), 2: the BSA recommends ratifying the Budapest Convention or ratifying the BSA’s Model Law, which is based upon the Convention; see also, Zahid Jamil, “An International Solution to a Global Problem,” PowerPoint presentation, Internet, http://www.comnet.org.mt/wp-content/uploads/2011/06/The-Cybercrime-Convention-Zahid-Jamil.ppt (date accessed: 1 October 2012); 3: ITU’s HIPCAR project Model text Articles 4, 6, 7, 9, 10, 11, 12, 13, 20, 22, 23, 24, 25, 26 based on the Convention; Information on this proposal is available at: ITU Telecommunication Development Bureau, “Establishment of Harmonized Policies for the ICT Market in the ACP: Countries Cybercrime/e-Crimes: Model Policy Guidelines and Legislative Texts,” PowerPoint presentation, 2012, Internet, http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipcar/reports/wg2/docs/HIPCAR_1-5-B_Model-Policy-Guidelinesand-Legislative-Text_Cybercrime.pdf (date accessed: 1 October 2012); “HIPSSA Draft Computer Crime and Cybercrime Bill Version 1.0,” especially articles 2, 3, 4, 7, 8, 9, 10, 11, 27, 29, 30, 31, 32, based on the Convention January 2012, Internet, http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/Activities/SA/SA_4%20docs/cybercrime.doc (date accessed: 1 October 2012); ITU’s ICB4PAC Pacific Island Regional Model Cybercrime Legislation Articles 4, 6, 7, 9, 10, 12, 13, 14, 26, 28, 29, 30, 31, 32 based on the Convention; Information on this proposal is available at: International Telecommunications Union, “Capacity Building and ICT Policy, Regulatory and Legislative Frameworks Support for Pacific Island Countries (ICB4PAC),” Internet, http://www.itu.int/ITU-D/projects/ITU_EC_ACP/icb4pis/index.html (date accessed: 1 October 2012).
42 “International Strategy for Cyberspace: Prosperity, Security, and Openness,” May 2011, Internet, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf (date accessed: 1 October 2012).
43 “The UK Cyber Security Strategy: Protecting and promoting the UK in the digital world,” November 2011, Internet, http://www.carlisle.army.mil/dime/documents/UK%20Cyber%20Security%20Strategy.pdf (date accessed: 1 October 2012), 29.
44 “there was no appetite for an alternative Convention, and that is a view that the UK strongly supports….. encourage the work that the Council has done to reach out to countries across the globe and assist them in developing their legislative framework for tackling cyber crime.” James Brokenshire, “Speech delivered at the 10th anniversary of the Budapest Convention, Council of Europe, Strasbourg,” Internet, http://ukcoe.fco.gov.uk/resources/en/22792210/pdfbrokenshire (date accessed: 30 September 2012).
45 “In retrospect, the foresight of the drafters of this Convention has proven to be quite remarkable. And any suggestion that it is out of date is totally without foundation. A reading of the Convention shows that it is about practical co-operation. While technology has unquestionably developed exponentially in the decade since the Convention came into operation, its framework and practical mechanism are still relevant.……Through its practical approach the Convention remains the world’s leading international legal tool to combat cybercrime. The Convention has been effective, it continues to be effective and will become more so with an increasing number of countries becoming a party to the Convention.”. The Honourable Robert McClelland MP, “Cyberspace: The new international legal frontier,” Keynote address to the Council of Europe Convention on Cybercrime, 23 November 2011, Internet, http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy_octopus_interface_2011/Presentations/R_McLelland_Keynote_address_10th_anniversary_B_Convention.pdf (date accessed: 1 October 2012), 5.
46 Attorney-General for Australia, “New laws in the fight against cyber crime,” 22 August 2012, Internet, http://www.attorneygeneral.gov.au/Media-releases/Pages/2012/Third%20Quarter/22August2012-Newlawsinthefightagainstcybercrime.aspx (date accessed: 1 October 2012).
47 Marcel Evans, “What you need to know about Costa Rican Cybercrime Offence Law 9048,” Costa Rica Star, 18 July 2012, http://news.co.cr/what-you-needto-know-about-costa-rican-cybercrime-offencelaw-9048/10702/ (date accessed: 1 October 2012).
48 “Sri Lanka to sign international cybercrime prevention convention,” Sri Lanka Guardian, 9 November 2008, http://www.srilankaguardian.org/2008/11/sri-lanka-to-sign-international.html (date accessed: 1 October 2012).
49 Information and Communication Technology Agency of Sri Lanka, “Sri Lanka to be signatory to global Cybercrime Prevention Convention - Prof. Tissa Vitharana,” press release, 2 November 2008, Internet, http://www.icta.lk/en/component/content/article/45-press-releases/338-sri-lanka-to-be-signatory-to-global-cybercrimeprevention-conventionprof-tissa-vitharana-.html (date accessed: 1 October 2012).
50 See for example, Business Software Alliance (BSA), “BSA Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity,” Internet, http://portal.bsa.org/cloudscorecard2012/assets/PDFs/BSA_GlobalCloudScorecard.pdf (date accessed: 1 October 2012).
51 Office of the United States Trade Representative, “USTR Releases Annual Special 301 Report on Intellectual Property Rights,” press release, May 2011, Internet, http://www.ustr.gov/about-us/press-office/press-releases/2011/may/ustr-releases-annual-special301-report-intellectual-p (date accessed: 1 October 2012).


Achieving International Cyber Stability

Franklin D. Kramer

Franklin D. Kramer is a member of the Atlantic Council Board of Directors and also a member of its Strategic Advisors Group. Mr. Kramer served as Assistant Secretary of Defense for International Security Affairs during the Clinton Administration and, previously, as Principal Deputy Assistant Secretary of Defense for International Security Affairs.

New inventions often generate new problems. Information technology, the Internet, digital networks, cyberspace—whatever the preferred appellation—is no different. Cyber crime affects consumers and businesses. Cyber espionage, both of business and national security secrets, is prevalent. However, potentially the most disruptive cyber concern is the capacity of information technology to generate or escalate geopolitical conflicts into open or uncontained hostilities through attacks on operational networks. Undermining critical operational capabilities such as the military or the electric power grid dependent on cyber—and in today’s Information World, most operational capabilities are cyber dependent—could generate a perceived need to move a confrontation toward conflict or to escalate a contained conflict into a broader arena. Cyber systems now are more-or-less in equilibrium. Despite some problems, they are running adequately, but a small push will destroy the balance. Unfortunately, the geopolitical world is full of pushes—many of which are unanticipated. International cyber stability can be achieved by generating a platform of resilience, cooperation and transparency, with resilience being the fundamental component and cooperation and transparency providing support. For the United States, achieving these ends will require a three-part strategy of internal action to reduce vulnerabilities focused on key operational networks, collaborative activities with close allies and partners, and transparent interaction for the creation of norms, provision of assistance, and dialogue with others, including potential adversaries, to reduce risk.

Scoping the Problem. One of the fundamental questions for developing a strategy is to be clear on the problem one is attempting to solve. The strategist Clausewitz made the point this way: “The first, the supreme, the most far-reaching act of judgment that the statesman and the commander have to make is to establish . . . the kind of war on which they are embarking.”1 In the context of cyberspace, however, there is a tendency not to focus on the particular problem to be resolved and instead to describe all the problems all at once—in part because the underlying technologies are the same. For example, in the United States’ International Strategy for Cyberspace, the challenge posed by the adoption of networked information technology is set forth as follows:

These challenges come in a variety of forms. Natural disasters, accidents, or sabotage can disrupt cables, servers, and wireless networks on US soil and beyond. Technical challenges can be equally disruptive, as one country’s method for blocking a website can cascade into a much larger, international network disruption. Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety. The theft of intellectual property threatens national competitiveness and the innovation that drives it. These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge. Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.2

This listing of issues encompasses pretty much every type of cyber problem. And while that breadth has virtue in helping the nation understand the full spectrum of concerns, the downside is that it is set forth without prioritization. It is true that all stated points are important, but it is likewise true that it is very hard to work all issues equally, especially given real-life resource and political constraints. The U.S. Department of Defense Strategy for Operating In Cyberspace is a more focused document with an emphasis on operations, but it too is quite broad, stating:

Potential US adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on for its operations. DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems.3

There are very good reasons for this breadth and for including the problem of the espionage threat, but the latter is not the same problem as the attack threat to operations. Recently, however, President Barack Obama highlighted the criticality of operations point extremely clearly in an op-ed published in the Wall Street Journal:

It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill. This is the future we have to avoid.4

We must generate adequate international cyber stability so that a cyber attack on key operational networks will not, in and of itself, tip us into or escalate hostilities. It is to this point that the following analysis is dedicated.

Instability and Escalation. In the real world, cyber probes, penetrations, and attacks are ongoing continually. The Department of Defense has stated that its networks are “probed millions of times every day.”5 Critical infrastructure is likewise subject to intrusion. As noted above, the president has stated “foreign governments, criminal syndicates, and lone individuals are probing our financial, energy and public safety systems every day.” General Keith Alexander, head of Cyber Command and the National Security Agency, has testified, “Furthermore, we believe it is only a matter of time before someone employs capabilities that could cause significant disruption to civilian or government networks and to our critical infrastructure here in the United States.”6 More recently, he noted that the number of probes against critical infrastructure systems has risen from nine in 2009 to 160 in 2011.7 Industry itself agrees. Edward Amoroso, Chief Security Officer at AT&T, has stated, “The current risk of catastrophic cyber attack to national infrastructure must be viewed as extremely high, by any realistic measure.”8 Similarly, the North American Electric Reliability Council’s High Impact, Low Frequency study issued in June 2010 notes, “the bulk power system remains an attractive target for acts of both physical and cyber terrorism.”9 Such attacks on military and critical infrastructure would be highly destabilizing and potentially escalatory. Joseph Nye of Harvard has noted the multiple factors, analogous to the early days of the nuclear arena, that make the cyber realm less stable, including:

The superiority of offense over defense, the potential use of weapons for both tactical and strategic purposes, the possibility of first and second-use scenarios, the possibility of creating automated responses when time is short, the likelihood of unintended consequences and cascading effects when a technology is new and poorly understood, and the belief that new weapons are ‘equalizers’ that allow smaller actors to compete directly but asymmetrically with a larger state.10

Nye further points out that “Even more important than these technical and political similarities is the learning experience as governments and private actors try to understand a transformative technology—and adopt strategies to cope with it.”11

John Mallery of MIT has similarly considered multiple factors that add to the destabilizing potential of cyber.12 He points to cyber’s strategic reach, offense dominated nature, lack of strategic depth, making preemption potentially more effective, poor warning with short detection times, momentum driven actions in early stages of military conflict, and readily usable techniques and low barriers to entry including the possibility of irresponsible actions by marginal states or non-state actors. Like Nye, Mallery also notes the learning problem and the lack of shared calibrations of hostility levels arising from, among other things, the short history of cyber conflict and the limited guidance available from international law. Mallery emphasizes cross-domain responses in cyber conflict and explains how differing strategic doctrines as well as divergent perceptions and calibrations of hostile action can catalyze broader political and military conflict. Taken together, these factors make conflict generation or escalation in or via the cyber realm a significant risk that major states, like the United States, China and Russia have yet to deeply analyze and incorporate into their doctrines.13 As major actors compete for position across the new cyber terrain, they need to reflect on the consequences for systemic stability created by the collectivity of their individual actions and strategies.14

Moreover, the problem is not limited to nation state confrontation. Terrorist groups are focusing on infrastructure. “We are very vulnerable,” John Carlin, principal deputy in the Department of Justice’s national security division, said in an interview, “terrorists groups are saying publicly what they want to do – knock down the stock exchange and disrupt the electrical grid. We need to be more focused on this threat and we need to be ready.”15 As a recent news article notes, “The prospect was underscored in a chilling al-Qaeda video released recently by the Senate Homeland Security Committee. The video exhorted al-Qaeda followers to engage in ‘electronic jihad’ and carry out cyber attacks against Western governments and critical infrastructure.”16

From a U.S. perspective, reduction of cyber instability and the prospect for escalation would be highly advantageous. The general U.S. approach to conflict is to respond in a time and place of the United States’ choosing. Instability and escalatory potential take control away from the United States. While there can be no absolute defenses and confrontational situations are always highly dynamic, creating as much advantage as possible is a highly desirable U.S. objective.

Cyber Stability. Security in the geopolitical world has long been sought through the creation of international stability. While obviously not always successful, techniques have included development of technological capabilities, organization of national assets, including militaries but also other capacities, establishment of alliances and partnerships, and treaties including with potential adversaries. All those approaches potentially have value in the cyber realm. The context of cyber, including both its ubiquity as well as its potential for change, must be included in any analysis.

The value of cyber stability through resilience, cooperation, and transparency is three-fold. First, reducing vulnerabilities reduces the risk of adversary attack, since such an attack will be less able to achieve its objectives. Equally, to the extent an attack is nonetheless undertaken, the harm will be reduced. Second, by generating cooperation, it increases the prospect of successful defense. Moreover, it also creates an international geopolitical environment that can shape attitudes and thereby further reduce the likelihood of an attack in the first place. Third, by increasing transparency, it may create international norms of behavior both with respect to possible partners and potential adversaries. For the first group, it offers the prospect of information and assistance. For the potential adversaries it may create shared learning possibly leading to two conclusions: first, that there may be useful areas of collaboration — even though there is not universal agreement — and, second, that there may be good reasons to limit cyber use in order to avoid inadvertent generation or escalation of conflict. With these objectives in mind the question becomes how actually to achieve resilience, cooperation, and transparency in order to create a greater degree of cyber stability.

Resilience. Two fundamental questions in discussing resiliency are why “resilience” as opposed to “protection,” and if resilience, then “resiliency of what?” On the first point, the record is clear: the best cyber security entities from the Department of Defense to Google have all experienced significant intrusions. Deputy Secretary of Defense William Lynn stated that the Department of Defense has “not always been successful in stopping intrusions. In fact, over the past several years we have experienced damaging penetrations.”17 Similarly, the Google intrusion by China led Secretary of State Hillary Clinton to go on the record with respect to the problem.18 The technical experts agree that, at least for now, offense beats defense and so planning must encompass that concern:

The notion that we can achieve 100% protection is not only unrealistic but also results in a false sense of security that puts our missions and businesses at serious risk. Consequently, we must compensate for our inability to achieve full protection by ensuring that we can accomplish our missions despite cyber attacks. The cyber defenses generally available today help address the low-end threats against our less essential systems, but are often ineffective against most forms of cyber attacks targeting our most mission-critical systems. It is at the high end of the continuum that architecture resilience will matter most—to enable continuity of mission critical operations and support rapid reconstitution of existing or minimal essential capabilities or the deployment of alternative means of accomplishing the mission.19

This is not to say that there is no value in undertaking protective actions. Quite the contrary is true. As the Australian Department of Defence has stated, “at least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD) responded to in 2010 could have been prevented by following the first four mitigation strategies listed in our Top 35 Mitigation Strategies.”20 Of course, “could have been prevented” is not the same as “actually were prevented.” Most organizations do not have adequate protection and even for those knowledgeable as to what can be done, issues of implementation arise including personnel and other resource availability, organization, scale, and cost.21 Particularly with respect to key operational networks, potential adversaries have not only determination and persistence, but also high-end capabilities; therefore a “successful penetration or major disruption” must be planned for.22 Scale and complexity add to the scope of the problem. Resilience then becomes a critical approach.

On the second point — “resilience of what?” — priorities are necessary since a desire to protect everything equally is not practically implementable from either a resource or a political standpoint. Despite the fact that the Department of Homeland Security has identified eighteen critical infrastructures,23 not all such infrastructures equally underpin United States security or the economy. Most clearly, the military and other national security agencies need to be able to operate in a confrontation. Likewise, no activities in the United States can take place without electric power. Telecommunications and financial systems are similarly crucial. To be sure, others could be added,24 but focusing on these four key infrastructures would allow resources and tailored solutions to be generated and prioritized. Such an effort would have three key elements: development of hardware and software for improved capabilities, integration of Internet Service Providers into an architecture utilizing such capabilities, and improved operational techniques focusing on system visibility and system knowledge.

The development of resilience through a more effective cyber architecture begins with the enhancement of hardware and software capabilities. The cyber security problem certainly goes beyond technology, but technological improvements underlie the solution as a necessary, though not sufficient, component. Harriet Goldman of MITRE has described such a technological approach that requires using at scale capacities that are now known, but not widely deployed. Goldman’s analysis underscores that there are no “silver bullets,” but that a combination of multiple approaches dependent on technology will be necessary. While the instant analysis is not intended to provide a technical architecture, it is important for policymakers to understand available technologies so as to combine resource, personnel, organizational, and operational considerations into a coherent strategy. Goldman’s description of capabilities and their benefits is useful in this regard, and includes:

1. Diversity and Redundancy to “minimize the impact of technology-specific attacks.”
2. Integrity to “provide assurance of correctness and integrity of essential software and hardware functions and data wherever possible.”
3. Isolation/segmentation/containment to “partition off components of dubious pedigree from those we trust [and to] reduce attacks on critical processing and data by separating them from non-critical data and processing.”
4. Detection/monitoring — “sensors across the environment: at network segment boundaries, gateways, end systems, and servers, as well as for applications and data, not just at the perimeter as is commonly done today.”
5. Least privilege “to decouple capabilities in order to prevent ripple effects that can contaminate large portions of our systems as the result of a single attack or failure.”
6. Non-persistence “to set the periodicity . . . to prevent the spread or intended impact of an attack, but not so frequently that it makes the system unstable.”
7. Distribution and moving target defense — “By distributing critical processing and data across different hardware and physical locations, we create multiple points that attackers would have to compromise in order to defeat critical operations.”
8. Adaptive management and response “to measure, quantify, and set thresholds that specify acceptable levels of system.”
9. Randomness and unpredictability because “confusing an attacker or adding the element of surprise may possibly foil an exploit, introduce uncertainty into the results, put the attacker at risk of being detected or exposing tradecraft, or buy us time when systems are under attack.”
10. Deception—“If we can deceive adversaries about the exact components of our system as they attempt to map out our technologies and configurations during the reconnaissance phase, we can increase the probability an exploit will fail against the actual system.”25

But most important is Goldman’s conclusion: “To reverse the asymmetric advantage of the cyber attacker and minimize the impact on our critical mission capabilities, we must be proactive in building secure and resilient systems . . . While it is not realistic to assume we can stop all cyber attacks or make them totally ineffective, redesigning architectures for resilience will make attacks less likely to succeed, will minimize the consequences when they do succeed, will increase adversary cost and uncertainty, and may act as a deterrent against future attacks. Improving resilience will also increase system reliability.”26

Goldman’s analysis is not architecture in and of itself, and the capabilities and techniques noted above will not be effective unless integrated into an architecture that can operate at scale. The first step, however, is undertaking a developmental effort that makes such capabilities available for use with the critical infrastructures described. The second step will be developing and integrating the components into an operational architecture. Such an architecture will focus on what the military calls “mission assurance,” that is, the ability to do the task required, and not on maintaining the same high level of performance as would be available if the systems were not under attack. Given the differences between and among the military, electric grid, telecommunications, and financial industry, the high likelihood is that the architectures themselves will differ somewhat. There is a good deal of work being undertaken by the Department of Defense on advanced cyber security and some by the Department of Homeland Security, but a very substantial, highly focused R&D program directed toward resiliency and focused on architectures as well as components should be a key element of future national security budgets.27

Finally, as the third element of resiliency, an architectural approach based on advanced capabilities can itself be significantly improved by successful use of operational techniques—and especially improved system visibility and greater system knowledge. Very few entities have the capacity for system visibility, but the large Internet service providers (ISPs) do have precisely that capability—and it should be utilized. As the ISPs themselves note, they know a great deal with respect to activities on their networks. However, though they do already undertake significant protections for their customers, the multiple vulnerabilities discussed above demonstrate that not enough actions have yet been taken to resolve the problem of vulnerability of operational networks.28 Achieving a better result will require ISPs to do more. However, precisely what, how much, and under what circumstances are key questions. Melissa Hathaway of Harvard’s Belfer Center and former Acting Senior Director for Cyberspace, National Security Council staff, and Brown University computer scientist John Savage have proposed eight rules of behavior for ISPs that relate to creating the necessary conditions to accomplish resilience on operational networks. They propose that ISPs have a duty to:


1. Provide a reliable and accessible conduit for traffic and services,
2. Provide authentic and authoritative routing information,
3. Provide authentic and authoritative naming information,
4. Report anonymized security incident statistics to the public,
5. Educate customers about threats,
6. Inform customers of apparent infections in their infrastructure,
7. Warn other ISPs of imminent danger and help in emergencies,
8. Avoid aiding and abetting criminal activity.29

While there are good grounds for each of these rules, resilience would be most enhanced if there were agreement on the need to advise of infection (rules 6 and 7) and the need to provide a reliable conduit (rule 1). While ISPs have to be engaged, it does not seem entirely sensible to put the entire burden on the ISPs since they cannot necessarily take all of the actions required to eliminate infections and ensure reliability. Neither should the ISPs be asked to deal with inherently governmental functions — protection of the national critical infrastructure — without appropriate government involvement. Accordingly, rather than ISP activity alone, there should be a combined governmental/ISP arrangement which would require the ISPs to advise the government if there were infections or other existent threats to reliability and then have the government either take or authorize the ISP to take action to help eliminate that threat.30

The ISP/governmental approach proposed above does not intrinsically require the software and hardware capabilities and redesigned architecture that Harriet Goldman recommends. The latter focuses on requirements for user networks. However, the two approaches are entirely complementary and put together would create a very significant architectural upgrade. What would be created would be an approach based on enhanced user networks complemented by ISP actions to increase reliability and government oversight and activities to improve resilience.

As part of the focus on operational techniques, a further element that would go a long way to establishing a resilient cyber architecture would be to improve knowledge of how the system actually works, particularly when being stressed by attack. There has been a great deal of conversation — and proposed legislation — about enhancing the ability to share information between and among the government and private entities. Several programs have been undertaken with that in mind including the Defense Department’s cyber pilot program for defense industrial base firms.31 While sharing is a good approach, sharing is not the only key information requirement. Most importantly, there is all too little knowledge as to how to proceed in the event of a significant attack against critical infrastructures. The military has long undertaken modeling and exercises to add to its capacity to respond to kinetic attacks and has begun such efforts in the cyber arena. However, as President Obama’s article indicates, there is a long way to go in terms of understanding the operational aspects of the critical infrastructures under attack. Expanded modeling and use of regular exercises (including red teaming to stress the system) will develop a better understanding of vulnerabilities as well as tactics, techniques, and procedures needed to combat them including through the development of indications and warning to get ahead of the problem. Such modeling and exercises will include the government but also the owners/operators of the key critical infrastructures as well as the ISPs.32 Such efforts are highly important since, to be most effective, the government’s authority would need to extend to taking active defense steps to disrupt or disable attackers operating on critical infrastructure and ISP networks. This would need to be done in a way that did not adversely affect the reliability and safety of those networks. With such a tripartite approach, resilience would be significantly enhanced.

While the capabilities and requirements noted above apply to all cyber activities, a more focused approach would be to start with the four key critical infrastructures of the military, electric grid, telecommunications, and finance, both because of their importance and because of their ability to build the type of framework as suggested above. The military has the competency and resources to undertake the hardware, software, and architectural changes suggested. While the electric grid is composed of some 3200 operators, much of the grid is run by a much smaller group who have the capacity to provide system-wide efforts. Moreover, the grid is already heavily regulated and the operators have begun to create cyber security standards. The ISPs are the telecommunications companies; the so-called Tier 1 companies (e.g., Verizon, AT&T) are already heavily regulated and have the capacity to operate at scale. Their rate structures, as is also true of the electric power companies, can allow for recovery of costs to enhance cyber security. The financial industry, at least at the large company level and with respect to significant monetary flows (as opposed to retail activities), is heavily engaged in cyber security to protect their business model.

In short, a focused approach to cyber security with hardware and software upgrades integrated in an effective architecture combined with duties on the ISPs who will work with government and the critical infrastructure providers to respond to attacks, informed by greater understanding of the operations of the system under attack by use of exercises and modeling, would very significantly upgrade cyber security for critical operational networks.

International Cooperation. Cyber is inherently international, but multiple elements are subject to national sovereignty. While electrons move quickly over international networks, the networks themselves including the means of transmission, the routers and servers, the data storage centers, and the users’ computers all are within some sovereign realm. Those sovereign entities can join together to create more effective international cyber stability. Security would be significantly enhanced by a four-part approach of establishing:

1. A cooperative small group of like-minded nations,
2. Utilizing agreed standards,
3. Working together on operational activities, and
4. Including key private sector entities in the effort.

Cyber is inherently a complex environment and it becomes more complex the more entities are involved in decision-making. For example, the recommendation above to focus on only a few critical infrastructures derives in part from the value of limiting the complexity of the political and bureaucratic environment. That is equally true — perhaps truer — in determining how to go about international cooperation. To accomplish certain of the goals noted above, it will be necessary to start with a small group of like-minded nations.

To put in context the small group of like-minded nations approach recommended here, this is not to suggest that broader multilateral efforts be ignored. Rather, it is important to recognize that there are already a multitude of cooperative efforts begun in the cyber arena that operate at a broad multi-participant level. The U.S. International Strategy for Cyberspace notes:

“We have worked to include relevant cyberspace issues on the agenda at the Organization of American States (OAS), the Association of Southeast Asian Nations (ASEAN) Regional Forum (ARF), the Asia-Pacific Economic Cooperation Organization (APEC), the Organization for Cooperation and Security in Europe (OSCE), the African Union (AU), the Organization for Economic Cooperation and Development (OECD), the Group of Eight (G-8), the European Union (EU), the United Nations (U.N.), and the Council of Europe, and to ensure that work is supported by an effective institutional framework.”33

All these activities are potentially worthwhile, but to make significant progress, focusing on a small group of like-minded entities will reduce the complexity and potential for political disagreement while allowing constructive dialogue on difficult questions of resilience and regulation. It is much more likely that, for example, the United States and the United Kingdom, which have years of cooperative effort, will be able to agree on actions in cyber


critical infrastructure. A Cyber Stability Board, along the lines of the financial stability board established by nations for financial issues under the Basel agreements, could be created. It should be recognized that effective cooperation along these lines would require changes in domestic legislation and regulation. As has previously been written:

“However, to go beyond current efforts and achieve adequate resilience will require coordinated regulation by . . . countries far beyond current approaches. It should be clearly recognized that the required legislative and regulatory authorities do not exist for the most part. And, beyond the authorities themselves, no concept of operations has been developed that meets both security needs and private sector requirements. All of this means that a new approach to cyber security will be necessary, one that is much more inclusive and requires a combination of military, civilian governmental and private industry action.”35

Third, it will not be enough simply to create standards under a Cyber Stability Board. In addition, it will be necessary to create a coordinated operational approach. For example, one of the fundamental areas of cooperation that efforts by like-minded nations could significantly improve is the enhanced operationalization of self-defense efforts. These would include sharing data, analysis, and tools concerning threats and remediation as well as undertaking combined operations. A number of well-publicized cooperative efforts have been undertaken to reduce the threat from botnets. Microsoft has worked with United States authorities and others to take down the Rustock botnet,36 and FireEye partnered with multiple entities to take down the Grum botnet.37 Botnets, however, are hardly the only threat to critical infrastructures. Cooperative action by like-minded nations will significantly enhance resilience efforts.

The fourth point can be drawn from the examples above. The involvement of private entities is at a minimum very valuable and often indispensable. Such involvement, however, is not something that can be done with existing institutions working as they have done until now. For example, the North Atlantic Treaty Organization does not deal with electric power or telecommunications. The European Union does not include the United States, and has only limited authority over cyber activities and even less over the military. Neither organization is able to coordinate in any major way private entities to meet operational cyber challenges. An operational entity that combines all these capabilities will be necessary to meet challenges that cut across existing bureaucratic lines. That entity will have to include in its operational approach key private sector bodies. One key element will be to create a network of strategic decision makers — including those from the private sector — who could be identified in advance to deal with attacks on critical infrastructure. There is no virtue in having an ad hoc approach to such a significant problem, and organized procedures would be of great value.

The key here is a much-increased set of actions in terms of scope. While nations have long focused on classic kinetic efforts in terms of national security, there is no such analogue in terms of cyber security. Partly, this is because significant cyber threats are only relatively recent phenomena. It is also because cyber crosses over from classic military to what are generally considered civilian activities and because civilian entities such as Microsoft and FireEye as well as the operators of critical infrastructures need to be involved in the efforts as opposed to governmental entities. All this requires a different approach to international security than has heretofore been the case. Isolating military from civilian and public from private is a certain way to ensure failure. Building new institutions to enhance cooperation will be required.

Transparency. The third element of an international strategy for cyber stability will be to enhance resilience and cooperation through transparency. That effort will itself have three parts: the development and promulgation of norms for those who would work with the like-minded countries, assistance to countries willing to be effective partners to enhance resiliency, and dialogue with others, including potential adversaries, to reduce risks.

The development of global norms for cyber security is an ongoing effort. For the most part, the effort has only resulted in very general propositions to be put forth as norms. However, the recommendations set forth above allow for a more specific set of norms that can be adopted as guides for countries seeking to improve cyber security. In particular, if the discussion herein is followed, three norms emerge for at least the group of like-minded nations associated with the proposed Cyber Stability Board:

1. Governments should establish resilient architectures in four key critical infrastructures of military, electric power, telecommunications, and finance through development of hardware and software, use of private sector capacity for visibility, and increased knowledge regarding escalation potential via modeling and exercises.
2. Governments should cooperate on the creation of an international Cyber Stability Board that has standards setting and operational capacities.
3. Governments should enter into engagements with ISPs and other key critical infrastructure and information technology entities to create resilient international cyber security architectures including in connection with the operation of the proposed Cyber Stability Board.

While, as the discussion in this paper emphasizes, it is important to start with — and to have at the core of the cyber stability effort — a small group of like-minded nations, it is also important to recognize that stability will be enhanced as more entities are engaged. This is simply an example of the well-known networking effect, often discussed in the cyber arena under the particulars of Metcalfe’s Law.38 It will be valuable for the like-minded nations to expand their cyber security capabilities to other nations who are willing to participate effectively in the creation of cyber stability. While some have called for a “duty to assist,” it is not necessary to go that far to recognize the self-interest factor that nations have long noted in the national security arena. The United States, for example, in its new defense strategy specifically looks to partnering with or mentoring other nations to increase their capabilities including in global commons such as cyber.39

A key element of expanding cooperation will be the necessary transparency that allows other entities to feel that their interests are appropriately taken account of in undertaking cooperation. This will involve the development of trust both with respect to creation of standards and agreement on operational approaches. The proposed founding nations for the Cyber Stability Board—United States, United Kingdom, Australia, Canada, France, Germany, Japan, and the Republic of Korea—have developed real relations of trust through alliances and activities over many years. Others will need time to come to the same conclusions.

Transparency will also be important to bring standards and operational approaches to relevant multilateral organizations including NATO and the European Union. The politics and limitations of each of those organizations argue against their being a place to develop the standards and operational approaches recommended for the Cyber Stability Board itself. However, successful actions by the Cyber Stability Board can be of high relevance

to the members of NATO and the EU. Finally, transparency in cyber can be of importance regarding nations with which relations have traditionally rendered cooperation difficult. As noted above, China and Russia have been identified by the United States as very significant centers of cyber espionage.40 Further, China and the United States have very complicated relations over Taiwan and increasingly over the South China Sea. Russia continues to list NATO as its top security concern and cites the NATO missile defense plan as a significant area of contention. In these circumstances, with each of China and Russia having an element of military competition with the United States, the question is whether there could nonetheless be any constructive arrangements concerning cyber dependent critical infrastructures. Despite these real differences, there are two areas of engagement that would be of value. The first would be reducing the capacity of terrorists and other third parties to launch an attack on any of these countries. The second would be to generate a common understanding of the issues relating to cyber’s potential role in conflict generation and conflict escalation. As an opening point, it is worth noting that there is certainly no inevitability of military confrontation or conflict between the United States and either China or Russia. As has been noted by many, each of those countries has multiple positive involvements with the United States especially in the arenas of international trade and economics, and even in some areas on the military side — China in the counter-piracy efforts off the coast of Africa, Russia



in supporting logistics for Afghanistan through its territory. To be sure, there are also differences — both as noted above, and also especially in the governing systems, and the degree of democracy and individual rights. However, a common arena has been dealing with the problem of terrorists. Since 9/11, both China and Russia have provided certain types of useful assistance to the United States and cooperation in particular areas continues.41 Keeping terrorists from having significant cyber capabilities is a common interest of each of the United States, China, and Russia. Any such capabilities could be used against any of the three countries, all of whom have consequential terrorist concerns. A good approach to transparency would be to work toward and expand intelligence sharing on the issue. Likely, this would best be done on a calibrated bilateral basis. The focus might be on cyber criminal networks which have significant cyber capabilities and which potentially could provide those capabilities to terrorists. It is entirely possible that there will be differences in the success of this approach between China and Russia, but it is a general direction that might be utilized. Such transparency might even allow for combined actions, though that probably will take some significant time.

A second level of transparency with potential adversaries would be to increase mechanisms to support dialogue on the issues of cyber attacks. The United States has made some good strides in this regard though there is still far to go. Among other efforts, there are effective non-official dialogues,42 and the United States and Russia have instituted a cyber hot line. Dialogue takes time to be effective, but it is a valuable way to understand others, and should be continued. Some of the key issues include matters of the relevance of the laws of armed conflict (LOAC), what rules, if any, apply if that LOAC threshold level has not been reached, the factors leading to escalation either before or during conflict, and what would be the elements of an effective risk reduction approach. To put these questions on the table is neither to suggest that they are easily resolved nor that they will necessarily affect other problems such as espionage, but they could be the basis of a continued dialogue with benefits for international cyber security.


NOTES

1 Carl von Clausewitz, On War, Howard and Paret, eds., Book One, Section 27, 100.
2 The White House, “International Strategy for Cyberspace,” (May 2011): 4, Internet, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf (date accessed: 7 October 2012) [hereinafter International Strategy].
3 “Department of Defense Strategy for Operating in Cyberspace,” July 2011: 3, Internet, http://www.defense.gov/news/d20110714cyber.pdf (date accessed: 7 October 2012) [hereinafter Defense Strategy].
4 Barack Obama, “Taking the Cyberattack Threat Seriously,” Wall Street Journal, 19 July 2012, Internet, http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html (date accessed: 7 October 2012).
5 Defense Strategy: 3, supra note 3.
6 Keith Alexander, “Statement of General Keith B. Alexander, Commander United States Cyber Command, Before The Senate Committee On Armed Services,” (27 March 2012) 4, Internet, http://www.armed-services.senate.gov/statemnt/2012/03%20March/Alexander%2003-27-12.pdf (date accessed: 7 October 2012).
7 Sari Horwitz, “Justice Department trains prosecutors to combat cyber espionage,” Washington Post, 26 July 2012, Internet, http://www.washingtonpost.com/world/national-security/justice-department-trains-prosecutors-to-combat-cyber-espionage/2012/07/25/gJQAoP1h9W_story.html (date accessed: 7 October 2012).
8 Edward G. Amoroso, Senior Vice President and Chief Security Officer, AT&T, Cyber Attacks (2011) ix.
9 North American Reliability Corporation (NERC), “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System,” (June 2012) 26, Internet, http://www.nerc.com/files/HILF.pdf (date accessed: 7 October 2012).
10 Joseph Nye, “Nuclear Lessons for Cyber Security,” Strategic Studies Quarterly (Winter 2011): 23.
11 Ibid.
12 John C. Mallery, “Models of Escalation and De-escalation in Cyber Conflict,” presentation at The International Information Security Research Consortium Fourth Scientific Conference, National University of Defense Technology, (Changsha, China, 24-27 October 2011).
13 Based on presentations made by John Mallery at various workshops and discussions with the author.
14 John C. Mallery, discussion with the author, 8 August 2012. Mallery made this point in the context of a track 1.5 US-China dialogue organized by CSIS and CICIR in Beijing on 13 June 2012. See the “Joint Statement from CSIS and CICIR on Sino-US Cyber Security Dialogue,” June 2012, Internet, http://www.cicir.ac.cn/chinese/newsView.aspx?nid=3878 (date accessed: 7 October 2012).
15 Horwitz, supra note 7.
16 Ibid.
17 William J. Lynn, “Remarks at Stratcom Cyber Symposium, as delivered by Deputy Secretary of Defense William J. Lynn, III,” (Omaha, Nebraska, 26 May 2010).
18 Hillary Rodham Clinton, “Statement on Google Operations in China,” 12 January 2010, Internet, http://www.state.gov/secretary/rm/2010/01/135105.htm (date accessed: 7 October 2012).
19 Harriet G. Goldman, “Building Secure, Resilient Architectures for Cyber Mission Assurance,” MITRE, (2010) 1, Internet, http://www.mitre.org/work/tech_papers/2010/10_3301/10_3301.pdf (date accessed: 7 October 2012).
20 Australia Department of Defence, Intelligence and Security, “Top 35 Mitigation Strategies,” 21 July 2011, Internet, http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm (date accessed: 7 October 2012). The DSD’s top four strategies are: patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers, patch operating system vulnerabilities, minimize the number of users with administrative privileges, and use application whitelisting to help prevent malicious software and other unapproved programs from running.
21 For example, while according to some, “application whitelisting is . . . the most effective way to significantly reduce the impact of malware in today’s environments,” the same analysis also states, “Application whitelisting is not perfect. Managing the whitelist can prove difficult in large, open environments.” See Jim Beechey, “Application Whitelisting: Panacea or Propaganda,” 20 December 2010, Internet, http://www.sans.org/reading_room/whitepapers/application/application-whitelisting-panacea-propaganda_33599 (date accessed: 7 October 2012).
22 Eric Hutchins, Michael Cloppert, and Rohan Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” March 2011, Internet, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-PaperIntel-Driven-Defense.pdf (date accessed: 7 October 2012). “APT actors continually demonstrate the capability to compromise systems by using advanced tools, customized malware and ‘zero-day’ exploits that antivirus and patching cannot detect or mitigate.”
23 See list at: http://www.dhs.gov/critical-infrastructure.
24 For example, transportation and nuclear facilities.
25 Goldman, supra note 19: 9-17.
26 Ibid, 18. It is also worth noting, as Goldman states, “By promoting resilience against escalating cyber attacks, we can simultaneously achieve resilience against acts of nature, loss of physical network elements, and other threats.”
27 For example, the DOD has established a Steering Council Roadmap. See Steven King, “Cyber S&T Priority Steering Council Research Roadmap,” 8 November 2011, Internet, http://www.acq.osd.mil/chieftechnologist/publications/docs/2011%2011%2001%20Cyber%20PSC%20Roadmap.pdf (date accessed: 7 October 2012). It would be very valuable to upgrade the underlying hardware and software because their vulnerabilities flow downstream to the critical infrastructures. Scott Charney has described Microsoft’s efforts in this regard. See Scott Charney, “Trustworthy Computing Next,” 28 February 2012, 11-13, Internet, http://blogs.technet.com/b/microsoft_blog/archive/2012/02/28/trustworthy-computing-next-building-trust-in-a-connected-world.aspx (date accessed: 7 October 2012).
28 The Federal Communications Commission has led efforts with the ISPs to establish and implement three voluntary best practices: 1) Anti-Bot Code of Conduct, 2) Domain Name System Best Practices, and 3) IP Route Hijacking Industry Framework. For more information, see http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-313159A1.pdf.
29 Melissa E. Hathaway and John E. Savage, “Cyberspace: Duties for Internet Service Providers,” March 2012, Internet, http://live.belfercenter.org/files/cyberdialogue2012_hathaway-savage.pdf (date accessed: 7 October 2012).
30 If appropriate rules can be established, the ISPs could be authorized to act in designated circumstances without the necessity of checking back with the government.
31 See “News Release, DOD Announces the Expansion of Defense Industrial Base (DIB) Voluntary Cybersecurity Information Sharing Activities” 11 May 2012, Internet, http://www.defense.gov/releases/release.aspx?releaseid=15266 (date accessed: 7 October 2012).
32 There will be a cost component to the private sector participants and this should be covered, perhaps by including the amounts in the DOD or DHS budgets for reimbursements.
33 See International Strategy: 18, supra note 2.
34 Office of the National Counterintelligence Executive, “Foreign Spies Stealing US Secrets in Cyberspace,” Report to Congress (2011), Internet, http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf (date accessed: 7 October 2012).
35 Franklin Kramer, “Transatlantic Nations and Global Security: Pivoting and Partnerships,” The Atlantic Council (March 2012): 11, Internet, http://www.acus.org/files/publication_pdfs/403/031912_ACUS_Kramer_TransatlanticNations.PDF (date accessed: 7 October 2012).
36 Larry Seltzer, “How Microsoft Took Down Rustock,” PCMag, 18 March 2011, Internet, http://www.pcmag.com/article2/0,2817,2382203,00.asp (date accessed: 7 October 2012).
37 “FireEye Leads Takedown of World’s Third-Largest Botnet,” FireEye, 20 July 2012, Internet, http://www.fireeye.com/news-events/press-releases/read/fireeye-takes-down-grum-botnet (date accessed: 7 October 2012).
38 Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).
39 United States Department of Defense, “Sustaining US Global Leadership: Priorities for the 21st Century Defense” (January 2012): 11, Internet, http://www.defense.gov/news/Defense_Strategic_Guidance.pdf (date accessed: 7 October 2012).
40 Office of the National Counterintelligence Executive, “Foreign Spies Stealing US Secrets in Cyberspace,” Report to Congress (2011).
50 See, for example, the State Department’s “Country Reports on Terrorism” for 2011 and 2010.
51 See the “Joint Statement from CSIS and CICIR on Sino-US Cyber Security Dialogue” (June 2012). Found at: http://www.cicir.ac.cn/chinese/newsView.aspx?nid=3878




Introductory Remarks

Keynote Speakers

Hon. William J. Lynn III, Former Deputy Secretary of the U.S. Department of Defense Hon. Jane Holl Lute, Deputy Secretary of the U.S. Department of Homeland Security Hon. Howard A. Schmidt, Cybersecurity Coordinator, The White House

April 10, 2012 Lohrfink Auditorium Georgetown University Washington, D.C.

Cybersecurity Address

Hon. Howard A. Schmidt, Cybersecurity Coordinator, The White House

Moderator

Dr. Catherine Lotrionte, Director, Institute for Law, Science & Global Security, Georgetown University

DR. CATHERINE LOTRIONTE: Welcome to the second annual International Cybersecurity Conference here at Georgetown University. My name is Catherine Lotrionte,



and I am the director of the Institute for Law, Science & Global Security here at Georgetown. As you all may know, the Internet, as we know it, has evolved into a global system that is an essential element in our daily lives, global commerce, and national security. From a remarkable technical achievement supporting a limited number of users originally, today it is a massive network. In the past 30 years, the Internet has developed from a small university and defense-based network to a worldwide grid of over 2 billion users that influences every facet of modern life. Because so many of our daily operations are now conducted in cyberspace, they become a valuable target for daily attack by a variety of actors, ranging from modern-day criminals interested in pure financial gain to nation states seeking to steal technology or potentially to cripple a nation’s war-fighting capability or infrastructure. While this network of networks has led to incredible gains in efficiency and has been a driver of worldwide economic growth, it has also created a new domain for crime, espionage, and potentially more dangerous actions. Many have noted that these cyber threats represent one of the most seriously disruptive challenges to our national security since the onset of the nuclear age, 60 years ago. U.S. senior policymakers, intelligence professionals, military leaders, and private sector stakeholders have all described the importance of cybersecurity. In every survey of enterprise CIOs, security is called out as the number-one or number-two concern for them, and in the tough economic climate over the past 3 years, security


spending by private industry has grown on a relative basis, even though in many cases, overall IT budgets have not. Other nations have also followed suit in recognizing the challenges they face in cybersecurity. We can discuss whether enough is being done or how to work better on international issues, but clearly, cyber issues are being identified as among the most important ones challenging us today. Despite the efforts by many in the government and the private sector, cybersecurity has become an increasingly urgent problem. There continue to be multiple reports of cyber intrusions across both industry and government. While both types of intrusions are troubling, each type represents different concerns for the nation and requires different levels of response and involvement by the government and private sector. Both types of intrusions may be national-level incidences calling for a serious coordinated response, but how we respond, who responds, and under what guidelines and legal authorities to date has not been worked out. Today gathered here at the second annual cybersecurity conference at Georgetown are the key leaders from government and the private sector that are and will be some of the decisionmakers involved in addressing the critical challenges we face as a community of nations when it comes to securing the Internet and all aspects of what we hold dear that transverses that technical marvel. The Internet has connected all nations for good or ill, and it is the community of nations that must come together to resolve these challenges. Since its establishment of Georgetown



University in 1815, international peace through international understanding has always been the university’s rule of conduct. It is how we teach and live as a family here: a university and community. In 1919, Father Walsh established the School of Foreign Service at Georgetown in recognition of the need to equip young men and women with the necessary knowledge and training to go into the world as our future business men and women and official government representatives to effectively solve the problems of tomorrow. The school was established on the heels of World War I and the horrible lessons that were learned in that war. At the inauguration of the School of Foreign Service, Father Walsh stated that, “The definition lesson from World War I was the realization that the world constitutes one huge family, whose interests are common and whose members are interdependent.” In no sector is this more true than with cybersecurity and the network of networks that connect us all. Before Father Walsh passed away, he established the Institute for World Polity. After he passed away, we picked up where he left off and established the Institute for Law, Science & Global Security, which took up some of the issues that Father Walsh felt so dearly about. In 2006, I set up the Cyber Project under the auspices of the Institute in order to more concertedly examine the challenges of cybersecurity for the international community. Today, I have tried to gather some of those members from the community of nations for this conference so we can continue the

critical dialogue on the steps needed to move the entire international community to a place where the Internet and life as we know it and wish it to be is secure for all. The prosperity and tranquility of nearly all of us has been and will in even greater degree continue to be bound up with the course of events beyond our own territorial frontiers. International peace and prosperity in the cyber domain will result from a satisfactory ordering of rights, obligations, and mutual conduct. We hear much about the rights attaching to nationhood, but we hear less about the obligations resulting from membership in the great family of nations. In cyberspace, much more work still remains to be done among nations, within nations, to establish those rights and obligations for cybersecurity. So let us be realists without ceasing to be idealists and learn something from the lessons of the past as we move forward to try to solve the problems of cybersecurity. Much has been successfully done, particularly in the way of arousing a popular consciousness of the problem, but much remains for the undisclosed future. I, for one, am far from being discouraged. But today, there is no time for nostalgia for the good old times when it was okay for the Internet to be insecure, no trepidation in the face of new and untried situations. The times have changed, and it behooves us to change with them. What we must do is keep in mind the factors influencing foreign policy, national security, international economic prosperity, and international relations in the context of cybersecurity, change those factors that we can for


the better of all, and deal with those that we cannot change. And lastly and most importantly, there is a job to be done, so let’s get to it, and that’s what I hope we continue this year as we started last year in doing. I’m excited about our joint keynote this morning. Bill Lynn and Jane Holl Lute will give individual remarks and then come together to jointly take questions and answers from the audience. Our first speaker this morning is William J. Lynn. He is the chairman of the board of directors and chief executive officer of DRS Technologies, Inc. Prior to joining DRS, Mr. Lynn served as the 30th United States Deputy Secretary of Defense from 2006 until 2011 where he managed 3 million personnel and oversaw an annual budget of $700 billion. He also personally led the Department’s efforts in cybersecurity, space strategy, and energy policy. From 2002 to 2009, Mr. Lynn was senior vice president of Government Operations and Strategy at the Raytheon Company. Previously, he served as Under Secretary of Defense and as director of Program Analysis and Evaluation in the Office of the Secretary of Defense. Mr. Lynn also worked on the staff of Senator Ted Kennedy as his counsel for the Senate Armed Services Committee. It is my great honor to welcome Bill Lynn to the podium.

[Applause.]

HON. WILLIAM J. LYNN III: Thanks. Thanks very much, Catherine, for that nice introduction, and thank you for putting together this terrific conference. It really does, as you said, bring together the private sector, the government and academia, both U.S. and international. You have, I think, most of the thought leaders in the cybersecurity discussion, so I’m sure you are going to have a great day. I see in the audience many of the people I spent the last couple of years with. Actually, in a room like this, it was smaller, but it had no windows and bad lighting, the Situation Room. I see Shawn Henry, Bob Butler, and Chris Painter. And I am particularly pleased to be sharing the stage with another veteran of those meetings, Jane Holl Lute. She’s done an extraordinary job as the Deputy at Homeland Security, leading the agency through the thickets of cybersecurity, border patrol, border control, and emergency response. People, I think, forget what a young agency DHS is. It is less than a decade old. The challenges that I just mentioned would be hard for any agency, but they are particularly difficult for one that you are building from the ground up. It is a little bit like finishing the airplane while you are in flight. So I particularly want to recognize Jane’s efforts, and I look forward to her remarks. I would like to focus my remarks on the three major threats that I see facing the nation in cybersecurity: the threat to our technological competitiveness from the rampant and increasing theft of our most important intellectual property, the threat to our military superiority due to asymmetric challenges from potential adversaries’ cyber capabilities, and the threat to our critical infrastructure from destructive attacks on our power grid, transportation network, financial sector, or telecommunications backbone. These three threats are all linked together by overlapping technologies, but I want to separate them because I think they are going to take different legal and policy approaches to address each of them in turn. The first threat is the long-run threat to our competitiveness due to the loss of technology and intellectual property through cyber theft. It is important to understand that this isn’t a new phenomenon. Nations have been stealing each other’s technologies for centuries.

Indeed, in the early industrial age, the United Kingdom complained about intellectual property theft by Germany and, yes, the United States. They argued accurately, in fact, that they were stealing their manufacturing secrets. In the nuclear age, the USSR stole the plans for the atomic weapons from us, but I would argue the issue has changed with the advent of cyber technology, which has increased both the volume of data that can be taken and the speed at which it can be transferred. It’s no longer possible to expect the buffer of significant lags between the theft of technology and its introduction into service. As a consequence, I believe we must take the current generation of military and industrial transfer more seriously than those of the past. To address this threat, we need to employ more fully than we have to date all of the tools at our disposal: trade, diplomatic, and military. We need to seek a halt to this hemorrhaging of technology. In particular, as this conference is focused on, we need to establish international norms to create a stronger regime to fight what Mike McConnell has called the “greatest and largest transfer of wealth in history.” Second, the military dimension of cyber capabilities. Simply put, information technologies are changing the nature of conflict. IT has added a fifth domain of warfare that is as critical to military effectiveness as land, air, sea, and space. Warfare was first transformed by the industrial age, then by the atomic revolution, and it is now being shaped by the information age. Information technologies are now at the core of our most important military technologies. They give us the capability to communicate with certainty, to navigate with accuracy, to see the battlefield with clarity, and to strike with precision. The information age has, without a doubt, increased the substantial comparative advantages the U.S. military already possessed, but the price for this increased capability has been to introduce new vulnerabilities. If adversaries can compromise our networks, they can rapidly degrade our capabilities. They can blind our satellites, they can jam our communications, they can follow our logistics, and they can make smart bombs dumb again. The opportunity


for asymmetric advantage is not lost on other militaries, many of whom are developing world-class cyber capabilities. It is essential that we respond to this asymmetric threat to our military superiority. We must ensure that our military is able to act freely in the cyber environment. We must also be able to act in a degraded cyber environment. We cannot assume our protections will be perfect, but we nevertheless must ensure that our cyber networks have the highest protections possible. Finally, no defense is going to be perfect, so we must have offensive cyber capabilities that can at a minimum act as a deterrent to major nation states. The deterrent capability will be particularly important in protecting critical infrastructure from cyber attacks in potential conflicts with other nations. This crosses over to the final threat in the cyber arena: the potential for destructive attacks on our critical infrastructure. Over the past decade, we have seen an escalation in the harmfulness of cyber attacks. To date, the most prevalent cyber attacks have been exploitation of our networks. By that, I mean the theft of data from both government and commercial networks. This kind of cyber exploitation does not have the dramatic impact of conventional military attacks, but as I noted earlier, these exploitive attacks have long-term impacts on our technological competitiveness that need to be addressed. But in the last few years, a second type of cyber threat has emerged: disruption of our networks where intruders seek to deny or degrade the use of important government or commercial networks. The denial of service attacks against Estonia in 2007 and then Georgia in


2008 were early examples of this type of threat. More recently in the commercial sector, we have seen denial of service attacks mounted against banks, other financial institutions, and some other commercial entities. But the third and most dangerous cyber threat is a destructive attack where cyber tools are used to cause actual physical damage. This development, which marks a strategic shift in the cyber threat, is only just emerging, but when you look at what tools are available, it is clear that this destructive cyber capability already exists. It could be used against our military networks, but more dangerously, it could be used to cripple critical infrastructure segments. Attacks against the transportation system, the financial network, or the energy sector could cause severe economic loss, physical damage, and even the loss of life. Of course, it is possible that we will never see a destructive cyber attack, but regrettably, few weapons in the history of warfare once developed have gone unused, and what makes it especially likely that destructive cyber attacks will actually occur is the potential for their proliferation, the potential for the proliferation of the destructive tools. For as this cyber threat has moved up a ladder of escalation from exploitation to disruption to destruction, the groups that possess these capabilities have been expanding in dangerous directions. We are moving from a world where only sophisticated nation states have destructive capabilities to the possibility that rogue states or even terrorist groups could develop or acquire these capabilities.

We, therefore, stand at an important crossroads in the development of cyber threats. More destructive tools are being developed but have not yet been used, and the most malicious actors have yet to acquire the most harmful capabilities. This situation will not hold forever. Terrorist groups or rogue states could and probably will obtain destructive cyber capabilities. We need to develop stronger defenses before we see this marriage of capability and intent. We, in short, have a window of opportunity of uncertain length to protect our networks against these more perilous threats. We can either adopt strong policies to prevent these types of disruptive attacks or we can wait until they occur, and then we will have to overhaul our policies as a response to such attacks. Let me conclude by outlining what I think we need to do with this window of opportunity, and then let me turn then to Jane for her comments. Defending our critical infrastructure will require more than perimeter defense like firewalls and intrusion detection systems. We need to extend active defenses to critical infrastructure. Bob Butler is going to talk more at lunch about what actually constitutes active defenses, but let me say by active defenses, I mean defenses that use more sophisticated techniques to divert attacks, defenses that assume some level of penetration and allow us to hunt on our own networks, and most importantly, defenses that allow us to use our intelligence capabilities to anticipate and preempt the type and pattern of attacks. All of these elements of active defenses, especially the call for intelligence capabilities,

require the government and private industry to partner in defense of our critical infrastructure. Since the challenge in cyberspace is much broader than a traditional military threat, the response must encompass both government and private entities. We need joint efforts to defend critical infrastructure. We need better information or better information sharing on cyber threats as they materialize, and we need joint research to improve cybersecurity in the longer term by reducing the inherent advantages that attackers now enjoy on the Internet. In short, I think it is possible to make progress on all of these lines, but I also think our time is short, and the time to act is now. Thank you. [Applause.]

DR. CATHERINE LOTRIONTE:

I would like to now introduce Deputy Secretary Jane Holl Lute, a graduate of Georgetown University’s Law School. She has over 30 years of military and senior executive experience in the United States Government. She currently serves as the second-highest official and chief operating officer in the Department of Homeland Security. At DHS, she works to secure our nation while enhancing Federal, State, and local capabilities to prepare for, respond to, and recover from threats and disasters of all kinds, including preventing terrorism, enhancing security, securing and managing our borders, enforcing and administrating our immigration laws, safeguarding and securing cyberspace, and strengthening national resilience through disaster and all-hazard preparedness, response, and


recovery. Previously, Ms. Lute served as Assistant Secretary-General of the United Nations, responsible for logistical and administrative support to UN peacekeeping operations worldwide, and as Assistant Secretary-General for Peacebuilding, responsible for coordinating efforts to build sustainable peace in countries emerging from violent conflict. Ms. Lute also served on the National Security Council staff under both President George H.W. Bush and President William Jefferson Clinton and had a distinguished career in the United States Army, including service in the Gulf during Operation Desert Storm. Deputy Secretary Lute, it is an honor to have you here today.

[Applause.]

DEPUTY SECRETARY JANE HOLL LUTE: Catherine, thanks very much, and, Bill, thanks so much for those very warm words. When the Obama administration began, one of the unusual things about it was that all of the Deputy Secretaries of the Departments, 12 or 14 of us had already served together, and it was a great privilege and a great relief to be able to join the company of folks like Bill Lynn. Bill is right. We spent a lot of hours together in the Situation Room with many of you in this room. It was all wonderful hours. But particularly, Bill, you were always wise, always thoughtful, and a wicked sense of humor, which I for one really appreciated. I am going to build a little bit on what Bill was talking about, but before I do and talk about cybersecurity specifically, I thought I would spend just a couple of minutes and talk about Homeland Security. It is a relatively new department, a department that is 9 years old. That is good news. It is not 1-year-old for the ninth time. Some of us have been in organizations like that. But the Department of Homeland Security really is a department that has come into its own and has matured in many ways, and it is an extraordinary thing to say, but I think it is true that if we had to invent this Department today again, we could do it. You can’t always say that about organizations, and that is because I think the value proposition of the Department has become clearer over the course of time, building on experience of the past 9 years. It struck me when I joined the Department that while we had extraordinary brand-name recognition – everybody has heard of the Department of Homeland Security – we had something less than extraordinary brand-name understanding. What is it that the Department does? People know Secret Service. They know the Coast Guard. They know TSA, Border Patrol, et cetera, but when we


talk about Homeland Security, what do we think we are trying to do? What do we tell people that we are trying to do? What we say is the following. In Homeland Security, what we are trying to do is help create a safe, secure, resilient place where the American way of life can thrive. “Create a safe, secure, resilient place where the American way of life can thrive,” every word in that sentence is important. In order to do that, we think we need to do five things. We need to prevent another 9/11, prevent terrorism. We need to secure our borders. We need to enforce our immigration laws. We need to ensure our cybersecurity, and I will spend time on that, and we need to build national resilience. We need to do all of these things, but when you look at these things and you examine these missions and how we do them, you can see some of the duality that is inherent, maybe tension some say, in the missions of Homeland Security. Let’s take border security, for example. On the one hand, border security, we want to maintain the integrity and the confidence in our borders. We want to keep out people and goods that might be dangerous, but at the same time, we want to expedite legitimate trade and travel. At the same time, we want to expedite legitimate trade and travel, and so we have hard-to-find ways working with the Department and the Federal Government and, indeed, with all of the American people in doing both, stopping things that might be dangerous but helping to create a safe, secure, resilient place where our way of life can thrive. Three years ago, when we wrote the QHSR, the Quadrennial Homeland

Security Review, the first one ever, we called this mission out, creating the safe, secure, resilient place, and these five tasks or missions of Homeland Security that I mentioned, preventing terrorism, securing our borders, enforcing our immigration laws, building our cybersecurity, and building national resilience. And we called out cybersecurity and brought it up to a level of these other missions because we believed it was essential to the success of the American homeland: How should we think about cybersecurity? And there is an endless search for an analogy that works. Is it a marketplace? Is it a library? How should we think about cyberspace, that is? The way I think about it is as the endoskeleton of modern life. It is hard to imagine anything that we do in modern life, certainly in this country, that doesn’t in some part depend on cyberspace. But one of the truths about operating in cyberspace was raised to me by Jeff Moss, a colleague whom many of you may know, the founder of DEF CON and Black Hat. He said, “You know, it’s extraordinary that 25 years after sort of the explosion, the beginnings of the explosion of the Internet, 25 years later there is not a single thing you can do in cyberspace, confident that your information or your identity will not be compromised. You can’t plug in your computer, you can’t get on the Internet, you can’t stop, shop, visit, talk, or do anything confident that your identity and your information will not be exploited.

Bill talked in detail about some of the threats at the upper end of the spectrum, but if any of you have been compromised, had your Facebook compromised, your Facebook page compromised, or suffered any other kind of cyber intrusion, then you know what I am talking about, even at the lower end. In fact, all throughout the spectrum of crime and mischief leading up to the very upper end of espionage and other mischief, there is nothing that you can do in cyberspace confident that your information and your identity will not be compromised. So what is our theory of the case? If what Bill says is true about the threat, not only the potential threat but the existing threat, what do we do about that threat? How should we understand it, and what should the government do? And here I would like to talk about a misconception, a problem, and an opportunity. What’s the misconception? The misconception is that the role of government in cybersecurity is clear to everyone who asked themselves that question. That is a misperception. It’s not clear. In fact, this is really a present-at-the-creation moment when it comes to cybersecurity and when it comes to understanding the role that government should play in cybersecurity. We have our views, it won’t surprise you to learn.

What’s the problem? Well, the problem is, like many issues today, the views on this question are extremely polarized. On the one hand are those who believe that government should have nothing to do with cybersecurity, that it was the private sector notwithstanding the deep origins of the Internet that came out of DARPA and the Department of Defense, but really the explosion and expansion and the greatest opportunity that is presented in cyberspace, presented in our interactions on the Internet, the greatest opportunities have come from the private sector, and we should rely only on the private sector, only on the market to resolve the problems and challenges that we face in cyberspace. On the other hand are those who believe that it’s a war zone out there and that the only way we can secure ourselves is by asserting a very heavy government hand, not only by this government but by others, in securing and setting the rules for security in cyberspace. What’s the opportunity? The opportunity exists now to resolve a way forward and craft a way forward that is both suitable to the problem that we have and pragmatic. So how do we begin? In the Department of Homeland Security, we begin by protecting dot-gov. What does that entail? We believe that protecting dot-gov is very much like what it would take to protect the rest of the Internet and protect dot-com. It takes a layered system, and it takes the efforts of all. There is no single Department that can do all that needs doing when it comes to cybersecurity, not even the Department of Homeland Security, the third-largest Federal Department. Even if it works together with the Department of Defense, the largest Federal Department – quiz, what’s number two? – but no single Department or combination of Departments, no single government can do all that needs doing when it comes to the security of cyberspace. So what do we need? We need a system that distributes the responsibilities of security, where we have smart users, where users would not only be people but also smart machines, and we have



got to make it easier to introduce and access and use cybersecurity tools and systems. It’s simply too difficult right now. It’s too difficult for the individual user. It’s too difficult for many institutionalized users as well. That simply cannot prevail. We need to make it easier to use cybersecurity tools. So we need a system where smart users, smart machines are supported by intelligent networks and augmented by an appropriate and proper role for government in this space. In other

words, we need to build and manage a cyber ecosystem where we can ensure your security at the same time while we are securing your identity and your information and maintaining the values of privacy, civil rights, and civil liberties that we have all come to expect and in fact that we have all come to honor. As we think about this, though, what we know certainly is that the United States is not the be-all and end-all of the Internet. It’s a global institution, in fact, and we have views on how the Internet should be managed in the global space. I know Chris Painter will be talking about this later. In our view, cyberspace needs to be open. It needs to be interoperable. It needs to be reliable, and yes, it does need to be secure, but above all, we want an open Internet that is secure. We don’t want a secure Internet that is not open. And we understand the importance and the value complexity in this openness. My colleagues and I have just finished negotiating with the Europeans a big data exchange in the area of aviation security and data exchange, passenger name records, if any of you are familiar with it, and we spend a great deal of our time talking about privacy and the importance of privacy. And what we have learned over the course of these negotiations is that we and the Europeans have two very different views, two very different starting points when it comes to privacy. Now, I’m not an expert in European law, but it has been characterized to me and I have come to know this to be true that the European view of privacy is the ability of an individual to put information out there and control it in the full extensiveness of its existence wherever “out there” is. The American view of privacy is somewhat different. Ours begins from the understanding that we can restrict the intrusion that government is able to make into our lives, equally legitimate views but different starting points when you are trying to reconcile them in a practical operational regime of information sharing. What are some of the things that we have learned as a practical matter in trying to square that circle? We know we can architect systems that emphasize data minimization, purpose and use limitations, and that have very pragmatic workable solutions for anonymization, masking of data, restricting access and other controls that ensure the physical and actual security of people’s information. So governments are playing a role


here, and they are going to continue to play a role. Why? Because the status quo is unacceptable. It is dangerous out there in cyberspace. We are all victims potentially, and we cannot any longer ignore the problems that we face. What can be done about it? Plenty. We can all begin by exercising basic cyber hygiene. I used to ask a question in audiences when I was spending a lot of time working on preventing violent conflict. People would say to me, “You can’t prevent violent conflict. It’s always been with us. It has been with us from time immemorial,” and my response to that has been, “You know, war is not the weather, and we shouldn’t act like it is.” So, some of you, cybersecurity is an impossible problem, one that has been with us since the advent of the Internet and one that will always be with us. It’s not true. We can undertake basic preventive measures as we do with our personal health, as we do with our automobiles, and other complex machinery to prevent bad things from happening. We have a program called “Stop. Think. Connect.” It is simply designed to cause you to think more about what you are hooking up to, what you are opening in your e-mails, what sites you are visiting and running routine software patches and cybersecurity updates. Cybersecurity at an individual level is a key part of any regime of cybersecurity. That must be done. So individual users need to be smart. They need to be switched on, and they need to be attuned to their responsibilities in this. We also know that it simply needs to be easier. Manufacturers need to be encouraged to ship equipment with the cybersecurity capabilities enabled and


already switched on, and we need to have standards. With respect to what that means, we can expect when we buy a computer, we plug it in and we access the Internet. And governments, too, should play their part, and we will play our part. The Obama administration, both domestically and internationally, has been an active participant in the debates on cybersecurity, and we will continue to do this. I will close with just reflecting on this notion that it takes all of us to do our part. When I was a peacekeeper at the United Nations, I was struck about how civilians and soldiers would come together to keep the peace. Why? Because peace will not keep itself, as we know, and that the purpose of peacekeeping is to protect and strengthen fragile peace. But I found that you needed both, the efforts of civilians and the efforts of soldiers and the efforts of militaries. You needed both the efforts of insiders and the efforts of outside governments to help protect and strengthen the fragile peace. Why was that the case? And what I realized was soldiers confront these problems and go to these places around the world, expecting the worst humanity has to offer, and civilians confront these problems and go to these places believing in the best humanity has to offer. And we need both perspectives, and we will continue to work together with our partners in the Federal Government and certainly with our partners in the private sector in whose hands so much of the critical infrastructure of this country lies, to ensure a safe, secure, resilient cyberspace where our way of life, indeed the way of life of humanity



can thrive. Thanks very much. [Applause.]

DR. CATHERINE LOTRIONTE:

Thank you, Deputy Secretary Lute. As Bill joins us back on stage with Ms. Lute, I ask that the audience, please stand – if you have a question, please stand behind the microphone. Give your name and organization when you are called, and please precisely ask one question, so we can get to as many people as possible.

ATTENDEE: I’ll ask one. Chris Fall, Office of Naval Research. I’m interested from the U.S. Government perspective about the push towards cloud computing. Is that a good thing? What are the new security challenges? It seems like we could gain a lot of efficiencies, a lot of capabilities, but a little bit unknown there about the security implications.

HON. WILLIAM J. LYNN III: Well, I think, like most things, it’s mixed. It’s certainly a good thing in terms of, I think, we’re going to be able to save quite a bit of money by taking hardware out from under the desks and putting it in the cloud. I think the individual security will be higher. You will have fewer points of entry. You will have fewer ways to get at the targets. The problem is there are then fewer targets, so you make them more lucrative. So particularly for high-end threats, I think you have to worry. I don’t think you want to reverse it, and I don’t think it makes it worse, but I think you have created a framework where incursions may do more damage in a cloud-enabled world than they might have been able to do in a more distributed world. So I think we have to move forward in this area, but I think we need to do it carefully.

DEPUTY SECRETARY JANE HOLL LUTE: Yeah, I would agree with that. I think the other thing, I mean, we are all talking about clouds. I’m not sure we were 2 years ago. It brings up an interesting point that both the problems and the opportunities and the technology that we will be dealing with even 2 or 3 years from now haven’t been invented yet. So, just as Bill said, what will happen in the cloud, certainly what will happen is we’re moving in that direction, and people’s reliance then on not only the cloud services that are offered but connectivity to the cloud will increase, and we need to take account of that as this migration occurs.

ATTENDEE: Thank you. Jason Healey with the Atlantic Council. Since we are at an international conference, it has been very important for us to work with our traditional allies; for example, the Five Eyes, U.K., Canada, Australia, and New Zealand. But we also know in cyberspace that the emerging countries, for example, the G-77s or Japan, Korea, or China and Russia are important. How as leaders do you balance that between working with our traditional allies, with those people that are emerging? And a related question, when you approach cyber, you are both approaching it from a very national security perspective, and do you find that leads to clashes when you deal with more technical people? Thank you.

DEPUTY SECRETARY JANE HOLL LUTE: So, a couple of quick points, you’re talking to somebody who spent a good deal of time in the United States as well as being a U.S. official. The United States has always, I think, taken a refreshingly enlightened view of the world and been very attentive not only to our traditional partners but to others around the world as well. In the Department of Homeland Security, in fact, one of the, I think, striking developments over the past half dozen years or so, the degree to which we have homeland dialogues now with a number of partners internationally, some of our traditional allies but also others like India, for example, while an important partner for the United States in so many respects, well, we have begun to explore new dimensions of our relationship through this homeland dialogue. They are certainly important and importantly vocal on the whole question, the development of the Internet and consumers and normative development there as well. And on the question of national security, as someone who spent most of their career in national security, I am struck by the degree to which homeland security is different. National security is strategic, centralized, and top driven, and homeland security is transactional, operational, decentralized, and bottom driven. I mean driven by the communities and the States and the municipalities in this country. It’s a very different orientation on problem solving but, again, a very potent collaboration.

HON. WILLIAM J. LYNN III: Let me just chime in as well. On the international issue, that’s one of the reasons I tried to divide the problem the way I did. I think there is a class of issues that are security issues for the United States, and there, as you said, we naturally turn to our allies, starting with the Five Eyes but moving on through NATO, and that’s a natural progression. But there is also a set of issues particularly having to do with the exploitation, the theft of intellectual property, which I think are broader issues in which we can deal with a very wide array of allies, of potential allies, neutral countries, even potential adversaries, because I think it can be in everyone’s interest to set up a regime. People used the model of a public health regime. Others have used money laundering, but there are regimes where you don’t have to agree with everyone even on basic issues to be able to make progress on things like international norms and a regime that makes the whole entity more secure. So I think we need to do both, and I think we need to make sure we understand which lane we’re in as we talk to people. On the issue of national security, is



cyber a national security issue, obviously from my remarks, I most definitely think it is, because I think cyber has become the central nervous system of our economy. It is critical, the whole aspects, of what this nation does. That said, not all cyber issues are national security issues, and in fact, most are not. There’s a whole series of issues that are law enforcement issues that I don’t think the Department of Defense, the national security agencies have any business getting involved in. Again, drawing a line and trying to decide and to be precise, I’m saying I think the line extends to critical infrastructure in terms of national security but at this point not beyond. I mean security for individual – and Jane talked some about it – individual security, protecting your identity, I don’t treat as a national security. It is a very important issue. It is a very important government issue, but it’s more of a law enforcement, not a national security.

DEPUTY SECRETARY JANE HOLL LUTE: Can I have a footnote to this? I think we really need to update ourselves when we talk about international. It is really no longer simply the providence of nation states and of governments. When you think of the things that can claim active affinity and allegiance of a billion people or more on the planet, I can think of five or six things: being an Indian, being Chinese, being Catholic, being a Muslim, or being on Facebook. Now, that’s extraordinary. What does it mean to talk about international anymore?

ATTENDEE: I was struck by a recent report, I think from Trend Micro – Stewart Baker – which actually identified with considerable precision a hacker from China that they thought was behind a number of attacks recently against U.S. corporations associated with Tencent, the big instant messaging company in China, and with Sichuan University. This is an opportunity for the United States, if we’re taking this seriously, to demand answers from these institutions about what they know about the activities of this individual, what their roles were in his activities, and to come up with punishments if the answers aren’t satisfactory. What is the Department of Homeland Security, which controls visas for these folks to the United States and other possible punishments, doing to investigate the Trend Micro report?

DEPUTY SECRETARY JANE HOLL LUTE: So, Stewart, I am not going to comment on any particular ongoing investigation, it may surprise you to hear. But, as Bill mentioned and you’ll hear, I think, later from Shawn on the whole law enforcement front with respect to consumers, we have certainly the Immigrations and Customs Enforcement (ICE), and we also have the Secret Service that’s very active in consumers, forensic analysis, generally. In fact, we have almost 400 certified cyber forensic specialists in the Department of Homeland Security alone, and so this is something, again, that we are very active on in a number of fronts with active investigations but here, too, not operating alone, working together with our other law enforcement partners in the Federal Government, at the


State and local level, and internationally. But on the specifics of an individual case, I really don’t have much to say.

ATTENDEE: Yeah. So this raises the question, though, whether we can find ways to incentivize institutions who may be associated with this or who may only know something about it to cooperate with U.S. investigators, something that otherwise a U.S. subpoena isn’t going to carry very far in China.

DEPUTY SECRETARY JANE HOLL LUTE: No. Actually, we believe very strongly, A, in exercising the full extent of law enforcement capabilities in dealing with the cybersecurity problem, and that extends to our diplomatic and other dialogues as well.

ATTENDEE: Hi. Ashton Perry with Renesas. I have heard talk from some people who should be in the know that Australia and The Netherlands have shown leadership in consumers, and I was wondering if you could comment on the nature of that kind of leadership and what impact it may have on how we think about U.S. policy and/or cybersecurity in our country.

DEPUTY SECRETARY JANE HOLL LUTE: Again, certainly from my perspective, you are going to have opportunities to talk about this later. There are a number of countries actually that are seized with the importance of dealing with the cybersecurity problem. I mean, it’s not a particularly great insight to say the status quo is unacceptable. We all have different systems, however, and each of the governments are approaching the problem in slightly different ways, but I think it’s fair to say with a joint commitment to figure out the problem of how to appropriately engage, recognizing that in many places in Europe and Australia as well, key and critical infrastructure to the functioning of those economies and those societies lies in private hands. So this is not going to be a problem that governments are going to be able to solve on their own. There has to be a deeply intertwined connectivity to the private sector with, I think, a high degree of information sharing. One of the differences, again, as someone who spent their whole career in national security, there is a culture, understandably, of keeping information confidential, secret even, sharing only on the basis of need-to-know. In Homeland Security, there is a presumption of transparency and a duty to share. Again, we can combine those things, not only nationally but internationally as well with our partners. But I repeat myself and apologize for saying this is very much a present-at-the-creation moment.

HON. WILLIAM J. LYNN III: I think the report is right. Australia has taken, I think, some leadership, both in terms of technologies as well as maybe more importantly policy approaches. They have, I think, as coherent a national policy. It doesn’t mean it’s gone unchallenged, but I think they have a national policy on cybersecurity that, while not perfect, suggests that things can be done at that level. So I think we can learn. And then, as Jane alluded or as someone else alluded, our natural security partners in NATO, The Netherlands, and I particularly look at the United Kingdom, have also, I think, taken steps where we can learn and collaborate to our benefit. It’s very unsettling when somebody puts up a sign that says “End.” [Laughter.]

DR. CATHERINE LOTRIONTE:

I would like to thank you both for your time this morning and for joining us, and I think that the best way, I think, to follow this discussion would be to have a cybersecurity address from Howard Schmidt, the Cybersecurity Coordinator for the White House. Quickly, I’d like to introduce him. First, to you all, it’s a great honor that he has taken the time out of his very busy schedule to come and join us on this important topic. Mr. Schmidt’s distinguished career expands more than 40 years in defense, law enforcement, and corporate security. His private sector executive roles cover companies such as Information Security Forum, eBay, and Microsoft, while his government service includes assignments at the White House, the FBI, and the Air Force Office of Special Investigations. His military career includes active-duty tours with the U.S. Air Force, service in the Arizona National Guard as a computer communications specialist, and in the U.S. Army Reserves as a special agent, Criminal Investigation Division, where until his retirement from the reserves, he served with the Computer Crime Investigations Unit. In short, there is nothing he cannot do. However, it’s a pleasure to have you with us this morning.

[Applause.]

HON. HOWARD A. SCHMIDT:

Well, good morning, and thanks very much for that kind introduction. I am glad to see everybody here this morning. I was worried about myself. Traffic was typical in D.C. this morning, trying to get from the White House over to here, and I’ll tell you what, you talk about our military. The Army person that was riding over here did a wonderful job weaving through traffic, and he didn’t even have to use a tank this time, which was nice. Anyway, my appreciation to Bill and Lynn [sic], for their comments, I wish I was able to get here through all of them, but clearly, you two have not only led this for a number of years on the government side – I know, Bill, you continue to do that – but I think on a very personal basis, you made my life so much easier. Part of the job, I think, when the President established my office was to coordinate across government, and that’s always a struggle, because you have individual perspectives from different departments and agencies, you have different levels of expertise, you have different levels of understanding in this area, and clearly, what you and Jane did and continue to do in different roles now really made that workable, so thank you, and it’s good to see you again. One of the things that I think is very important to emphasize are some of the things the President has said about this particular issue, and I quote, “Every American depends either directly or indirectly on our system of information networks. They are increasingly the backbone of our economy and our


infrastructure, our national security, and our personal well-being.” And that is why an event like this is so vitally important, because it ties all these pieces together. When you start looking at – and I’ll just touch on the economic piece for a moment. While there’s a lot of numbers that are thrown out there about the losses and economic perspective, the loss of intellectual property, the cost to implement systems in cybersecurity to be more robust, more resilient, there are some numbers that we have some pretty good data around, and one of them I find probably the most compelling, that over $8 trillion are exchanged over the wired and wireless networks each year, and it’s growing. And effectively, if you look at the ability to disrupt that activity on the Internet at any time, it has a dramatic impact on our economy. So, with that in mind, when the President established this office, as Jane had mentioned in her long career in national security, clearly it was recognized that this is not just a national security issue. It is national security, public safety, as well as economic, and that is why I am dual-hatted to both the National Security Council and the National Economic Council. But when we start looking at where we have come – and I will take just a couple minutes to talk about that – I think what we need to do is not always look in the rearview mirror and see where we’ve been but see where we need to go. I think, clearly, that’s the piece that we work on the hardest, what are the things that we need to do, not only from creating strategies, because we’ve done a really good job in working across


agencies, FBI, DHS, DoD, Department of Energy, Department of Treasury, really coming together with some great strategies on some of the things we need to do about trusted identities. Again, I will speak about that in a few moments. On the international basis, adding State to that mix of great departments and agencies looking at this, but as both Bill and Lynn [sic] commented on, the private sector has a critical role, if not a leadership role, in many of the things that we’re doing. So, when we look at this and we look across all these different strategies, the intent is to implement national and international cyber security policies to reduce our threats to the vulnerabilities that exist in our networks today and make sure that none of us are impacted negatively by any of the threats that are out there against us. So when you look at the way sort of the state of cybersecurity today, one of the key things we recognize is there is no shortage of bad threat actors out there. And we can put them in different buckets, and oftentimes we do. One of the things we need to be very cautious of as a society is not to conflate all these different groups into some massive action across our international systems as well as our domestic systems. So, clearly, if we break it down into areas around cyber criminals, where we are in a situation where we have seen this for 20-some odd years – I remember my first cyber crime case was what we called now in the days a “computer crime” was in 1986, and that was with the advent of many of the things we see today around telecommunications fraud, and it’s evolved since that time. But we also look at the area when



we look at nation state activities, and there’s enough of that activity to make sure that we have to guard against that. We have to make sure their systems are better protected, but we also have to send a clear message that this is unacceptable behavior. I know later on this morning, there will be another panel talking more broadly about that. But there’s another piece of it that I think probably gets the biggest amount of activity and the activity that basically we have not moved forward fast enough, and that’s around the theft of intellectual property. And this is really challenging, because the vast majority of the IP we are looking at is in the hands of private sector, and when we talk with private sector, there’s different perspectives about what to do about it. Some say, and in many cases not inaccurately so, “Gee, yes, we don’t like it. We’ve been intruded upon,” “Yes, we don’t like it that someone has had unauthorized access to our network,” “We don’t like the idea that someone has stolen our intellectual property, but we can outrun them, because by the time they figure out what to do with it next, we’ll be on our next product. We will be on our next set of standards, our next piece of software development.” And while that may be the case today, I’m not sure that’s always going to be the case. Matter of fact, I doubt it will be the case, because what we are doing is then giving other entities the keys to the kingdom, and as we all know, the Internet, as we have developed it, society has evolved. Many of the benefits we have were directly related to the technology that has been developed. There is another set of perspectives that believe that, yeah, they are taking it,

they are going to at some point develop against us, but there is nothing we can do about it. And that is also inaccurate. There is a lot we can do about it. If we look at the statistics that have been given to us by the FBI, by the Department of Defense, NSA, look at the information given to us by DHS, U.S. Cert, about 80 to 85 percent of the successful things that we see going on, on networks today, both in and outside of government are basically things that could have and should have been fixed. The term has been coined oftentimes “using good cyber hygiene,” and if we go back, as we often times do, go back and look for the root cause of why some of these things happen, it is the same thing that we have been saying for the past 20-some odd years. And for those of us that have been doing it for that long and have had an operational responsibility and see the same vulnerabilities that existed more than 20 years ago that exist today, the recognition of those, the exploitation of those that fail to patch some of the systems, because as a business imperative, it takes too much trouble, it’s too slow, it may break some of our applications, but I can guarantee you talk to the people that investigate these sort of things, and when they talk about the cost of recovering from that, it is much higher than fixing it from the very outset. So, yeah, we believe it’s always difficult when you have to shut down a system for a multiple number of hours for the course of a business day or a weekend, but to better protect yourself, that’s the better way to go. And sort of the third piece of it and those that are truly, truly, truly concerned about it and say, yes, this is a tremendously difficult problem to


solve, we are bleeding like crazy. We need the government’s help. We need an all-of-government approach to this. We need to work with our private sector partners. We need to make sure that we have the ability not only to share information between the government and amongst the government agencies but also amongst the private sector. I think a number of you in this room recognize that when we put forth the proposed legislation just about a year ago now, one of the things that we addressed in that was the ability to share information at all levels, and while we share that, to make sure we have tremendous controls in place to protect privacy and civil liberties. And we can do both. I remember conversations over the years, people say, “What’s more important? Privacy or security?” and the answer is both, and we can do both. For number one, when it comes to protection of data, without security you have no privacy. That’s one of the things that we have seen over the years with a number of databases that have been intruded upon, the amount of personally identifiable information that has been exploited and exfiltrated, those could have been prevented, once again, with better security controls. And there is another piece of the privacy dimension, and that is basically when it comes down to what information that we are giving up to get goods and services. That is an issue that we are looking at through the NSTIC, the National Strategy for Trusted Identities in Cyberspace. We are looking at this on the bigger privacy issues that we deal with, but that is only a part of it. The other piece that we are looking at in the legislation we propose, it says, well, if information sharing was enough, that is all we would have asked for, but there’s other components. There has got to be a clear message from a cyber crime perspective that hold people accountable to a higher level when they interfere with critical infrastructure. There has got to be a higher level when it comes to organized crime. Those are two specific areas that we are looking at. Another component of this is the area when it comes to government systems, making sure that we have defined codified processes in place to make sure that we are doing what we can to protect USG systems. Now, I recognize some of the faces in the audience, so I know those of you may have either heard this before or said it yourselves, but we have to move from an environment where FISMA-compliant, you can still be insecure. We want to flip that around. By becoming secure, you indeed become FISMA-compliant, and that’s working now with continuous monitoring, trusted Internet connections, the ability to make sure we are doing strong authentication not only to



humans to the machines but machines to machines, and have a mechanism to do this on a basis where we can look at it in any given moment and find out where we are and fix these things. The ability to be competitive in hiring is another piece that we are looking at, and probably the one that we get the most discussion about and seems to be the most controversial, how do we make sure that the core critical infrastructure, those owners and operators of that, have an ability to prove to the government and to the consumers and to the businesses that they are doing all they can do to make sure that their systems are secure, so the core critical infrastructure that we depend on is being designed and maintained to the best international standards that exist today in cybersecurity. And one would think that would not be that big of an ask, because I think all of us when we contract somebody, when we look for services, we don’t go out and look to be an automobile that says, yeah, I might or might not decide to add brakes, I might or might not decide to have tires on there that are not bald. These are things that we expect for safety and security. We have to do the same thing when it comes to the core critical infrastructure. And while I hear a lot of discussions about this being a Federal issue, it is not a Federal issue, because every one of us in this room has a community that we go back to, whether it is locally or someplace else, that we live in a State or a district, we have a governor who oftentimes looks at the first level of response going out there, we have a mayor, we have a city manager. So when we look at the failure that could exist in our critical

infrastructure, yeah, the Feds, we will be there, but who is going to be the first responders? How many budgets and how many State and local governments can afford to have the first responder paying double time and triple time to deal with something that conceivably we could have prevented? And let me flip a little bit to the economic side of this, and both in my background in private sector and being a part of venture capital businesses and seeing small- and medium-size businesses, the backbone of much of the innovation we see, what about them? We have natural things that take place that affect their businesses, snowstorms, hurricanes, ice storms, windstorms, you name it. They are out of business for reasons that we can’t control, but can they afford to be out of business for any period of time in today’s economy because the core critical infrastructure was not available to them? Yes, we care about it for the military. Yes, we care about it for government operations on the Federal side, but where does the impact really, really lie if we don’t have core critical infrastructure level brought up as far as resilience and its availability to be there? It’s not just the Federal Government. It’s the State and local governments and the small-, medium-size businesses that we have to protect. So, when people talk about the proposed legislation specifically and talk about the impact on businesses, let’s look underneath that top layer. Let’s look at all the businesses that will be affected if these things aren’t better protected, and when you look at that $8-trillion figure, figure out what your local business is, your local governments, what piece of that would be affected if it hit them directly. So I want to then move on and just take a couple of minutes to talk about the cybersecurity international strategy. When we talk about the expectations, once again, anybody that’s been doing this for a while fully recognizes we will never be 100-percent secure, but internationally, we also recognize that no two countries are going to agree on 100 percent of the issues affecting national security. So what we are looking to do is build a partnership for our international partners to make sure it’s secure enough to earn people’s trust and reliable enough to secure their work. But in many cases, this is a road, we’ve already gone down this path. Many of the rules of the road that we talk about currently exist, and I’ll give you some examples, the UN Charter, the Law of Armed Conflict, the Universal Declaration of Human Rights, International Covenant on Civil and Political Rights, Budapest Cybercrime Convention. A lot of these things already exist, and they do apply when we start talking about cyberspace. While some believe that is not the case, when you look at the legal aspects of this, clearly they apply. And when we talk internationally, I will give you the classic example, which we hear an awful lot about, and that is the Law of Armed Conflict. That’s a universal agreement. It applies in cyberspace like anyplace else. So we need to make sure that we apply that across the board. So when we start looking at sort of the next level down and when we start saying how do we do this internationally, we need to make sure that we are working on a bilateral or multilateral

basis around the world, and this doesn’t mean to say, “Gee, we are not going to talk to these people, because we don’t like what they are doing in other cases.” In cyberspace, we have to have those discussions. We are in the process of fostering them. We are making sure that all parts of the U.S. Government are, indeed, engaged in this as an all-government approach. The number of bilats that we have had in the past as we sit at the table with our counterparts from other countries, it is representatives from all the different pieces of the U.S. Government, from the civilian side of government to the military and defense side of government, the intelligence community, the law enforcement community. We sit around the table together because none of us can solve this problem ourselves, nor do we believe our international partners that we are looking to engage and work with can do it on their own as well. And no surprise, some of those countries that we’re working very closely with in this area, this was new for them as well, because when we talk about – and we have done it in U.S. Government as long as I can remember back to my early days in the military. We talk about the stovepipes in the U.S. Government. This is one topic where the stovepipes not only are disappearing but need to continue to disappear. So other governments look at that and say, “Well, yeah. We only have people working on this. Why would they be a part of this?” And when we sit down across the table with them, they truly understand how we have an all-government approach, that it’s a coordinated approach, that we bring the expertise of every part of the government to bear on these very, very



challenging problems to make sure that we are moving forward. And some of the domestic things that we look at have international reach as well; for example, our power grid. When we start looking at what we are seeing in this country that is going to save us energy, save us money, do a better job of managing the natural resources we have, but clearly, there are security implications that we need to take a look at. So the Office of Science Technology Policy and my office work together to the cybersecurity components of the smart grid. We start looking at the eHealth Initiative, the Health Information Exchange. Clearly, that is something else that we need to work for as citizens. We need to not only bring that level up as far as what the technology can give us, but how we can protect that technology as well, and with that, it ties in all the other pieces that we’re working together. And my last sort of pitch, if you would, is to take a moment and talk about the National Strategy for Trusted Identities in Cyberspace, or the NSTIC. When you look at the things that I have discussed today, both domestically and internationally, a lot of these things boil down to the digital identities that we have online, but to the extent that we need digital identities in some aspects, we need to also make sure we are preserving the anonymity that takes place out there. Many of us talk repeatedly about what happened during the Arab Spring. Much of that was only possible because of the ability to do some of the things anonymously on the Internet, because otherwise repressive regimes would have stopped it right in the very beginning.

But we also want to make sure at that end of the spectrum, we preserve the anonymity, we preserve the ability to have freedom of expression without fear of being beaten down on it, but we also need to make sure that we have identity management in place for our transactions that we depend on, whether it’s government services, whether it’s banking and finance, whether it’s travel, whether it’s entertainment online. So what we are looking to build is an identity ecosystem, which we have asked private sector to take the lead on. We were able to secure about 20 million in grants, run through the Department of Commerce. A really great leader over there by the name of Jeremy Grant came into government with a great level of experience in digital identities and sharing that across the government, but we are looking to private sector to help build that. So we are looking to draw not only on the current marketplace of identity providers, but also making sure that we as a government are the customers of those. So, if you’re not familiar, there was recently a memo that we put out that was sent out to all the departments and agencies that said, “Move away from having your own password schemas. Move away from an environment where you have to provide tech support to people that forget their password,” and by the way, I’m one of them. There was a recent national lottery for, I think it was, the holiday tree lighting ceremony, which I had not logged into since last year, and one of the first things they ask you to do is login to your account. And the first thing you say is, “I don’t remember my password. I did that once a year ago.” So the memo went out that


says, “Let’s start accepting third-party credentials,” Open ID, Google ID, and the list is growing, working with GSA, to have approved identity providers. It reduces our cost, and it normalizes the identity ecosystem out there that we are working with. But there’s bit components to this we need to make sure we’re working on. We have to make sure we’re working on the technical standards. We make sure we have a component that builds privacy protections into this, and last thing, we have to have a governance component of this. That is vitally important to make sure that we’re building a system that 5 years from now, we’re not looking back and finding there’s holes in it and saying, “Well, gee, why didn’t we think about that?” or “What happened to this company that built a really good system that was acquired by another company or had some other sort of an exit?” How do we make sure that we can preserve and do the things that we are saying when it comes to those digital identities in cyberspace? And coupled with that is the National Initiative for Cybersecurity Education, educating K-12, making sure that we have awareness programs like the one the Department of Homeland Security runs in concert with the FTC and a number of departments and agencies, making sure that the tools are in place so end users can do a better job of protecting themselves, because I hear people say all the time in the meetings that we have in the White House, about, “Yeah, the private sector, if they only knew.” And while they don’t need to know all the difficult details, they are welcome to, but that is not what people are about. That is not their core competency, but

what they do have to understand or what tools are available to them, to enjoy the rich and robust capabilities that the technology gives us and minimize the risk that bad things could happen to them, because oftentimes when I do run into victims, when I have in the past, they say, “Oh, I didn’t know that was a problem. I didn’t know someone could do this.” So I want to make sure that they are educated on what is out there and what risks are out there, not to dissuade them from using the technology but to help them use it smarter. But we also need to make sure that we are doing the workforce development, both for private sector and for the government, to make sure when we hire a security professional, that indeed we understand what we are getting, because right now we have different programs across different parts of the world that “security professionals” mean different things to different people, so to harmonize and normalize that. So, with that, I want to just conclude before I take some questions and sort of talk about what the President has asked us to do on this. He has asked us to bring together government, industry, and academia to look for the best ways to garden the infrastructure that supports our nation. We have done that. We continue to do that. This forum today is another extension of that with all the right people getting together. We have an opportunity here in this room alone to have some of the country’s leading thinkers, policy-makers, and experts in international affairs come together to shape our future. While we still have to live in a world of legacy technology out there in some cases, we have to better protect that system, but we can’t lose sight of what we are going to build for the future. So I know from an operational perspective, we have spent a lot of energy protecting what we have got and maybe not being as focused on moving forward. So we need to make sure we are building the capacity to identify, isolate, respond to any cyber threat, from no matter what sector it comes from; that we are implementing these new cybersecurity standards that protects our most important infrastructure, from the grids to the water systems, the transportation systems, home computer systems, and the international markets. President Obama said this is the task that lies before us. We never let down our guard, nor should we ever suffer another failure of imagination. And believe me, when it comes to protecting cyberspace, there’s a lot of people that are thinking on the backside of this, the negative side of this, that we need to make sure we are countering that. So the roles that we have, everybody has a role. We need to work together, academia, private sector, government, State and local and Tribal governments, international partners, innovators, longstanding companies. We need to make sure that we are working as hard as we can as a collective to make these things work, and yeah, that is a shot at one of the science fiction movies when we talk about the collective. So, in closing, what I’d like to do is say what I say anytime I have an opportunity to meet with people, and that’s while we can’t solve all of these at one time, what we can do is each of us can do our part to secure our part of cyberspace, which makes us all more secure. So thank you very much for the opportunity to make these comments this morning. Thank you.

ATTENDEE: Question?

HON. HOWARD A. SCHMIDT: Yes, please

ATTENDEE: Andy Oguz, Gorenesis [ph]. Very hierarchical resource public infrastructures that are being proposed to secure cyberspace and various infrastructure components have very poorly understood vulnerabilities to revocation of authority by third parties, and therefore, businesses participate in such schemes lose autonomy of decision, who is secure and who is not. What efforts are you devoting to understand better the risks carried by public infrastructures for resource edification?

HON. HOWARD A. SCHMIDT: When you talk about the revocation, you are talking about certificate revocation?

ATTENDEE: Yes. Yeah. Third party can essentially–

HON. HOWARD A. SCHMIDT: Right.


ATTENDEE: –execute a total denial of service against you.

HON. HOWARD A. SCHMIDT: Obviously, with what we have seen over the past – and quite honestly past 15 years where we have seen certificates issued through fraudulent means, one of the things I think we’d find out most often is while we can identify it, there are not full implementation of revocation processes. We need to do a better job about making sure that they’re set in place, that the technology automatically updates it, as we look at some of the things within the Federal Government for our certificate authorities, to make sure we’re not 6 months down the road wondering if we actually got to do the revocation. There’s clear standards. The certificate policy statements, the CPS that’s been around for years, talks about the revocation process, and it’s a matter of like so many of the other things, on a good hygiene perspective, we know what to do. We just need to implement it and make sure we are moving forward on it. Going back to the certificate authority issuers themselves, we need to make sure that they are being held to a higher standard. We depend on those certificates. We depend on their authenticity, and if we can’t rely on them, that begins the castle crumbling, if you would, on our ability to depend on those things. So that is part of the discussion. That is part of the development, but it is an important more so than developing new policy. Thank you.

ATTENDEE: Hi, there. Eli Jellenc. I work with VeriSign. I wanted to ask about the notion of public-private cooperation. That’s something that’s come up with your two predecessors here and yourself several times. Indeed, it’s across – I don’t know – a good 25 or 30 different countries, cybersecurity strategies or policies, sort of one of the primary articles of faith at this point, if you will, and of course, it is essential to bringing about outcomes, but what does that look like for companies that are operating in dozens of countries and are required in some cases under enormous levels of coercion to cooperate with many different governments, not all of whom are friendly with one another? That can be bad enough just across two, but when you scale that up across hundreds of companies, across dozens of governments, to what does that add up?

HON. HOWARD A. SCHMIDT: That’s a very good question, and a number of the discussions we’ve had with our international partners in the past couple years have been specifically around that. Multinational companies should not be in a position where they have to sort of maneuver in different waters because of political environments between government to governments. So there’s two pieces that I think are important. It is, one, we of those that do the government-to-government interactions, make sure that we are not basically levying additional work on our international partners that run, operate, and develop the critical infrastructure, so not asking them to do the same thing 15 different ways across different countries, better coordination across that area. The other piece goes into the norms of cyberspace, and I know there’s going


to be some discussion later on about that. What are the rules of operations by which governments can provide working with the private sector partners? You have laid out some really interesting things, because when we start looking internationally, the relationship that the U.S. has had with private sector over our history is much different than many other countries. Matter of fact, I’ve been in some environments where we talk about from the law enforcement perspective and requesting law enforcement information, and we say it doesn’t fit in the constitution. And they’ll say, “Wait a minute. That doesn’t make sense. We don’t have a constitution. It doesn’t apply to us,” but the answer is yes, it does, and that’s some of the things that we’ve got to work towards through this international cooperation, is how do we get to those norms that everybody benefits and not that everybody has to build a business process that’s a hundred different countries have a hundred different set of rules. It continues to be a challenge, and we need to hear not only from the companies on the challenge that they’re seeing, but the companies themselves have to also make sure you’re communicating with the countries that are more challenging and difficult to deal with. Thank you. And I only have time for one more, if you would. Sorry.

ATTENDEE: Brett Berlin, Dynamics Research Corporation and George Mason University. It’s good to see you again, Howard.

HON. HOWARD A. SCHMIDT: It’s good to see you as well.

ATTENDEE: There was a comment earlier that we need to rethink, for example, what international is. What I’m wondering is, you mentioned workforce, and workforce is a key challenge everywhere, but perhaps what I’d like to get your comment on is I think we may need to rethink and reset the whole way we view this problem. We have taken a view for a long time that this is a technology system into which people are embedded. It’s actually a people system into which technology is embedded, and therefore, shouldn’t we be looking to rethink the way we define workforce for the problem? This is a basic set of communication and leadership, and we need to be bringing together people from all – for example, the Foreign Service School, everyone, and they need to understand the cyber situation and the technology as a basic insertion into the way we do human things and policy. If we rethink that, then we will look other places for the workforce.

HON. HOWARD A. SCHMIDT: Yeah, that’s a very good point, and that’s why as part of NICE, one of the first things we did across the United States of Government is the Office of Personnel Management (OPM) did a survey of about 50,000 employees to say what does it mean in your environment, what are the skill sets we need to be a cybersecurity person. And you’re absolutely correct. We have seen a convergence over the years where there were those of us that came in sort of the vertical – back in the day, we called it “information security,” but we moved up that stack, and then we wound up having a whole set of other technologies that we were going back and trying to secure those. And what we are seeing is a good IT professional now not only has the specifics about router configuration or database administration or desktop configurations but also how to do that securely. So, as we look at all things like the colloquium for information systems, security education across the 120-some odd universities that are part of the Centers of Academic Excellence, look across internationally and build those standards, so indeed we’re doing as you’re saying, make sure that we’re looking at it in the future sense, not what it used to be years ago. Thank you very much. Thank you.

[Applause.]



National Security and Diplomatic Efforts Panel 1

Panel Chair

Christopher M. Painter, Coordinator for Cyber Issues, U.S. Department of State

10 April 2012
Lohrfink Auditorium, Georgetown University
Washington, D.C.

Panelists

Gerben Klein Baltink, Ministry of Justice, Cyber Security Council, The Netherlands
Steven Schleien, Principal Director for Cyber Policy, OSD
Rear Admiral Samuel J. Cox, Director of Intelligence (J2), U.S. Cyber Command
Dr. Anatoly Streltsov, Vice-Director, Lomonosov Moscow State University Information Security Institute

Moderator

Dr. Catherine Lotrionte, Director, Institute for Law, Science & Global Security, Georgetown University


DR. CATHERINE LOTRIONTE: We are just starting our first panel for today: National Security and Diplomatic Efforts. It is my pleasure to introduce our first moderator today, Chris Painter, whose panel will cover the topic of national security and diplomatic efforts in cybersecurity. Mr. Painter served in the White House as Senior Director for Cybersecurity Policy and the National Security Staff where he was a senior member of the team that conducted the President’s Cyberspace Policy Review and helped coordinate the development of a forthcoming international strategy for cyberspace. Mr. Painter began his Federal career as an Assistant U.S. Attorney in Los Angeles. He subsequently helped lead the case and policy efforts of the Computer Crime and Intellectual Property Section in the U.S. Department of Justice and served as the Deputy Assistant Director of the FBI Cyber Division. For over 10 years, Mr. Painter has been a leader in international cyber issues, and I am pleased to have him and his panel with us today to talk about the national security and diplomatic efforts that are ongoing. Thank you. [Applause.]

CHRISTOPHER M. PAINTER: Thanks so much. So we have decided largely as a panel to talk from our seats to make this a little more informal and maybe to encourage people to ask questions after we give our remarks, and I would say the other thing you should all be happy about is that I understand all the panelists have foregone their PowerPoint presentations and will instead just talk,

which I think will be better too, much as I love PowerPoint. I think you have heard some this morning about the range of threats and pretty much everyone in this room is very familiar with the range of threats we are facing in cyberspace. I go back now to May of 2009 when President Obama released the Cyberspace Policy Review that Melissa Hathaway, who is here, and I and others were privileged to work on. He characterized the threats we face in cyberspace as some of the greatest economic and national security threats we face as a nation. I think as you have heard from other speakers this morning, that clearly is true not just for the U.S., but for all countries around the world. The other thing that I have seen – and so that was, I think, a landmark event in terms of raising the awareness of this issue, but the other thing I’ve seen and something that – as was mentioned, I’ve been involved in various cyber activities for about twenty years now, and that gives me some perspective on how things have changed, and although the threat certainly has become more acute, the thing that I am far more hopeful about and that I have seen over these years and particularly over the last few years is far more attention given to this issue not as it has been traditionally conceived, which is often as a very technical or niche issue. Often you mention cybersecurity to people, and their eyes would roll back into their heads, and they would say, “Well, that is the province of this small group of people who do this kind of stuff” – to being really a national security issue and really being a foreign policy issue and a


foreign policy priority. We have had multiple countries around the world, many, many countries – and more are in the process of doing this – release national strategies, cybersecurity strategies, and also organize their government around this issue. We in the United States have released back last May the International Strategy for Cyberspace, which I’ll talk a little bit more when I get to my remarks, and we have had Secretary Clinton, when she spoke, releasing the international strategy saying that this basket of issues, which it includes everything from the kind of political military issues to the Internet governance issues to the free speech issues to the cybersecurity due diligence issues, this whole range of different issue, constitutes a new foreign policy imperative, and I think that is important because it really does raise the level of dialogue to something that those people who often didn’t play in the sandbox before and foreign ministries at the heads of government level are now dealing with these issues, and that is, I think, both important and an important opportunity. So what I’d like to do today – and I will very briefly introduce the panelists, but I will ask each of them to give a little more introduction of themselves in terms of what their background and experience is as they give their remarks. We have heard a little bit about what you need to do domestically, and this conference and this panel is about what we are doing internationally at an international engagement, and I would like the focus to be predominantly there, although obviously what we are doing domestically does feed into what we are doing internationally. And I think it is very important to do as much as we can to prevent and do what we can to mitigate the threat at home, but we can only get so far acting unilaterally. We have to act in concert as a collective, collectively with countries around the world to address this problem and I think in many different ways and I think ways that will be positive in the long run. So my overall question for the panel as you are giving your presentations is what do we do to achieve this. We have called this goal – and the international strategy – achieving an open, interoperable, secure, and reliable information communications infrastructure, but I think in this context and in a national security context, you can phrase it this way. What do we do? How do we achieve a more stable cyber environment for all countries around the world? I think I certainly have a lot of ideas about that, and I will exercise the prerogative of the moderator and speak last. What I will do now is I will ask each of the panelists to give just short comments, five to seven minutes, so we will have some time for questions, because I definitely want to do that, and we do have a distinguished and varied panel. We have who we will ask to speak first, Mr. Gerben Baltink from the Ministry of Justice of The Netherlands and also on the Cyber Security Council there. We have Steve Schleien, who I have worked with for many years, is the Principal Director for Cyber Policy at the Office of the Secretary of Defense. We have Rear Admiral Samuel Cox, who is at Cyber Command, and finally, we have Dr. Anatoly Streltsov, who I have also worked with for many years, as have my colleagues, who is previously part of the Security Council in Russia, but has had many different positions over the years and very familiar with cyber. So I’d ask first for Gerben to begin. I will then go to Steve, then to Rear Admiral Cox, and then finally to Dr. Streltsov. So, please.

GERBEN KLEIN BALTINK:

Thank you, Chris. It is a pleasure to be here for the second time. I joined the conference last year as well, and I thought it was important to be back. Starting with your question, what The Netherlands’ view is on how we can achieve a better, more secure, a more reliable digital domain for the global community, I am not sure whether we do have the answer. It may be surprising to you, but we have the same problems in The Netherlands as have been depicted beforehand. A lot of people simply do not yet understand the critical vulnerabilities we deal with on a daily basis. We have done a few things in the past that I would like to talk about a little bit


to show you what the Dutch approach on cybersecurity is and my own background in that field has been over the last thirty years with a defense and security career. I have been involved in information security and cybersecurity for at least the last fourteen, fifteen years and currently as the Secretary to the Cybersecurity Council. The Dutch approach has to do with the same things I think every nation has to deal with. We have insecure situations when we look at cybercrime. Fortunately, we do work together internationally on cybercrime issues; for example, with the FBI on a very, very interesting basis with FBI officers stationed in The Netherlands in very close cooperation. So that is possible. It is something you can actually do. It doesn’t solve a lot of the other issues. It does not solve the lack of expertise we see. It does not solve the lack of awareness of individual citizens and individual companies, and it doesn’t solve all the issues that government has. So what we try to do is develop a framework that started off with a national strategy last year. February 2011, the national strategy was issued, and I think that should be a starting point for everybody to realize as a nation what your own strategy in the cybersecurity domain is. Then, of course, you can start to work on international collaboration and on trying to develop perhaps a global strategy on cybersecurity. The second thing we did was establish a cybersecurity council in June of last year, which is a true public-private partnership, and that’s good, because academia, industry, and government are sitting with each other at the table.



They developed over the last 9 months a cybersecurity council that is actually a very important advisory body to our government. We see that the advice we give is listened to and commented upon. That’s good. We also established at the same time, June last year, a national research agenda on cybersecurity. The good news is we started discussion with the Department of Homeland Security last February to see how we could work together on that respect as well, and we found a few, at least a few, issues of mutual interests where we will try to find funding to start combined research. And perhaps last but not least, we established a National Cybersecurity Center, building upon the Dutch GovCert organization, but enhancing it with research capabilities, and a knowledge center, not only for government but also for the critical infrastructure. The main issues the Netherlands deals with aren’t too different from what you deal with in the United States and in other countries. We have to deal with awareness and raising the level of cyber hygiene from the individual employee to the individual citizen, because that will at least save us 80-85 percent of trouble in daily security issues. We need perhaps more awareness in the legal field as well. There are a lot of legal issues relating to cyber that we have not solved yet in the international community, and the Netherlands is trying to start with that, especially from the Ministry of Foreign Affairs in the Internet Government Forum and other bodies. And perhaps last but not least, we are now looking for international cooperation for the standards, organizations


like the European Union, NATO, and some bilateral context. So I think we are not there yet. We have made a start in defining a national strategy, and we are opening up to the international world of countries where we hope to find like-minded organizations and like-minded countries to work with. Thank you.

CHRISTOPHER M. PAINTER:

Thanks very much for that, and I take your point about some of the legal arguments, being a recovering lawyer myself. There’s plenty of work to do there, but there’s plenty of policy work too. Steve, can you start addressing it from your perspective?

STEVEN SCHLEIEN: Thank you, Chris. Following the release of the International Cyber Strategy from the President last May and the release as we developed our DoD strategy for operating in cyberspace within our Department, we realized that to really operate effectively in cyberspace, to work at the problems, it is really a team sport. That is the Defense Department working with other government agencies, working with the private sector, and working with our international partners. So we started to think about how to build those defense-to-defense relationships. What’s important here is building those relationships and those processes because, as one of the previous speakers talked about, the technologies will be changing. When we first started talking to other ministries of defense, nobody used the word “cloud.” So we really have to build those relationships

so they can move on towards the future. Like in other operational domains, DoD’s international cyber relationships reflect our core commitments and our common interests. We talk to many ministries of defense about our DoD strategy. Some haven’t really thought about it yet. Many countries have. The Netherlands, Australia, U.K., and France have national strategies but not always led by their ministries of defense. Often it’s justice, interior, or a public safety candidate, for example. So, from a defense perspective, we talk with them about how we as a DoD look at this, how we work with our partners, how we will be dealing with issues in cyberspace, whether it’s business operations, military operations, intelligence operations, and how we can work together. But there are a lot of relationships we have as a Defense Department. Where should we start on cyber relationships? So we started with our traditional treaty allies, those with whom we have commitments. As the International Cyber Strategy states, “Hostile acts through cyberspace could compel actions under our mutual defense treaties.” So we chose to work with them first, and our aspirational goals are collective cyber self-defense, collective deterrence, because, as I said, those are aspirational goals. We are working through how would that work. We began some of our work with NATO. I’m not just saying that because the Atlantic Council is a co-sponsor of this conference, but we worked really hard with our allies and with the NATO international staff to develop in the Lisbon Summit heads of state and government commitments to cyber defense for the alliance, and to bring all of NATO’s networks, civilian and military, under the NATO Cyber Incident Response Center, something that should be done by the end of 2012. We worked so closely with NATO that they hired one of our best people to be part of their Cyber Policy Office and International staff - unfortunate for us, but good for them. We were working closely. We’re starting to talk to Japan, South Korea, and New Zealand ministries of defense on cybersecurity, and working very closely with the U.K. and Australia and their colleagues to talk about a full spectrum of cyber interoperability. Those are just some of our international efforts. But there are other aspects that aren’t just pure DoD efforts that we feel are important for the Defense Department as part of the U.S. Government team. In our view, and I think it’s the U.S. Government view, arms control doesn’t work in cyberspace. I’m an old arms control guy. I was a CFE inspector. I represented the U.S. at the Organization for the Prohibition of Chemical Weapons. This is not an area where arms control works. I don’t know what


PANEL 1

we would monitor. I don’t know how we would verify anything in terms of cyber weapons or cyber tools, something that my Russian Ministry of Defense colleagues have raised, but we do believe that we need to establish norms of international behavior for cyberspace. As several speakers have already mentioned, the Law of Armed Conflict comes to mind as one that is essential to DoD, because in our view, the Law of Armed Conflict applies to cyberspace as it does to the other operational domains. But also, how do we deal with other issues in terms of behavior? How do you deal with proxies? How do you deal with hactivists from your soil? Are you responsible as a sovereign nation for what comes out of your country? How do you deal with speech content? The terminology for this area is challenging. We talk about cyberspace. Many of our colleagues talk about information security, the information space. To us, cyberspace is just the technical parts of the Internet, whereas they look at the information that flows across as also something governments control and should control. We disagree with that, and that may be one of the challenges. I will leave that challenge to Chris Painter and his team to solve, but it is an important piece of that. So, as such, in Defense, we have participated supporting the State Department with the UN Group of Governmental Experts, which had success about 2 years ago in a final document that said norms of behavior are something that should be agreed upon internationally. We look forward to participating in the next round of Group of Governmental Experts that will start I think in August

International Engagement on Cyber 2012

of this year or sometime later this year. We look forward to the international gathering, such as the London conference, which will continue on with the Budapest and then Seoul conferences following on, so, again, an international forum to talk about how norms should be developed. And what was important in those conferences is the involvement of the private sector. Internet government bodies are something that are not the providence of just governments. The private sector began them, many of them. They set standards. They set security issues that are important to the Defense Department, so we participate and watch those, but again, it is a discussion of the team sport. Private sector is an important piece of this, but the private sector is not monolithic. So we constantly have challenges of dealing with the private sector and those bodies. And finally, beyond our treaty partners, we need to work with other countries in the world, other ministries of defense, because cyberspace is ubiquitous, dealing with Brazil and India, and importantly, our strategic dialogues with Russia and China. I am proud to say I actually know who in the Russian Ministry of Defense handles these issues. I know who they are. They know who we are. We have had some very good country-to-country dialogues. We have exchanged white papers, our DoD strategy for operating in cyberspace. They provided a white paper this year that not only did they hand it over to us, but for those who speak Russian, it is on the Russian MOD website, talking about how they view the information space. This was something that, having dealt with the Russians and the

[ 1 7 3]


NATIONAL SECURITY AND DIPLOMATIC EFFORTS

Soviets on arms control for many years, surprised me in a very positive way. And we’d like to deal with our Chinese counterparts, the People’s Liberation Army, more than we do now. We have the strategic dialogue, but we would like to really deepen that discussion with them on how they view cyberspace from that perspective. So, with that, Chris, as an outline, I’d like to leave it at that and hand it over to the Admiral, if I could.

CHRISTOPHER M. PAINTER: Admiral?

REAR ADMIRAL SAMUEL J. COX: Good morning, ladies and gentlemen. On behalf of my boss, General Keith Alexander, I thank you for this opportunity to share some thoughts. My mission is to describe the military perspective on the challenges dealing with international engagement in cyber. Before getting into that, I would like to step back and give you a little bit of background about what U.S. Cyber Command is. It is a Department of Defense organization. The boss is a four-star Army general, General Alexander. General Alexander is also simultaneously the director of the National Security Agency. The National Security Agency is a unique Department of Defense and national intelligence organization. It is an intelligence collection organization and in the realm of cyber is responsible for exploiting foreign potential adversary networks for intelligence purposes. On the U.S. Cyber Command side, we have three missions, one of which is to operate Department of Defense networks, which we do through our Army, Navy, Air Force, and Marine service components. The second mission is to defend Department of Defense networks. That is an important distinction. The Department of Defense is heavily reliant upon communications and networks that go through civilian critical infrastructure, but we are not tasked with the responsibility for defending those, only our own internal piece of it. And the last mission is to be prepared to conduct offensive cyber operations only if and when directed by the president of the United States. Cyber Command is actually only about 1½ years old. Its previous incarnations date back to about 2005, and it was driven by the trends within the threat environment. I can’t add much to what Mr. Lynn talked about, but I would say from our perspective what we are looking at is a global cyber arms race. It is not proceeding in a leisurely or even linear fashion but is in fact accelerating. I wouldn’t claim that it is following Moore’s Law, but the curve looks kind of similar. And this increasingly vertical nature of the threat is what is motivating my boss and others with a particular sense of urgency in being able to move forward on this. In order to discuss how we interact with international partners, I would like to describe first how hard it is to do this internal to the Department of Defense and even within our own organization. There are four primary cultures that have been put together in essentially a shotgun marriage, but an extremely necessary one from our perspective. One is the network operators who are trying to get information from one place to another as efficiently as possible, preferably without being verbally abused by the general or the admiral in charge, and then you have the network defenders whose mission in life is to make it hard for the first group to do their job by instituting fourteen-character hard passwords that no one can remember and a whole host of other security measures. And the defenders can go from very basic to extremely sophisticated, but traditionally, the defenders and the operators have been operating at a lower level of security clearance, if you will, secret, many times unclassified. The two other groups, which I would characterize as the exploiters, which are your intelligence collectors and your attackers, tend to, no matter what country they are in, operate at an extremely high level of close compartmented security. They do not like to share how they do, what they do, with anybody, because those techniques tend to be very perishable if exposed. Those two groups have a lot in common because a huge investment in intelligence is required to do either exploitation or attack. Where they do come into conflict is that most of that work is done by the intelligence folks who do the exploitation, and then the attackers will go, “Thank you very much for doing that work. We would like to destroy what it is you have just done,” and that causes a certain amount of friction between the groups. Cyber Command is taking all those and putting it together, and the reason is because if you don’t get the people who understand how to exploit and attack the networks talking to your own defenders, then your defenders will be absolutely hopeless in being able to defend their own networks. If you don’t have the intelligence that goes into both the exploitation attack, you are not using the intelligence on the defensive side, then all you are doing is plugging, closing the barn door after the horses are gone, clean up on Aisle 9. The intelligence piece is absolutely critical in order to get the defense out in front of the threat. If you don’t do that, it is not going to happen. Now, when it comes to our engaging with the international partners, it is relatively easy for traditional longstanding allies, particularly the United Kingdom and Australia, but also Canada and New Zealand, but significantly harder when we get behind that. And one of the reasons is—when I talked about Cyber Command and NSA’s organization—few countries in the world have taken that route yet of combining all these different cultures into one organization. Frequently, they are in different parts of the government, frequently not in the department or ministry of defense or whatever it is, and many countries have very different views of how this is. Some people are absolutely appalled by the idea that anyone even would consider offensive cyber operations and don’t want anything to do with it, and then for others, it is just whether it is a civilian issue or a defense issue. Every country is different. I wouldn’t characterize this as a problem, but it is a fact of life. The U.S. ambassador is a senior person in a country. The State Department is responsible for foreign policy, and while there may be significant institutional arm-twisting that goes between State and DOD in Washington, D.C., fundamentally DOD will not do anything that is counter to the foreign policy of the United States. So that immediately dictates what we can and cannot do in the cyber defense realm with any other country. Another critical factor is that the classification of the information tends to be extremely high, with very strict rules on how you can share it with foreign governments. No one went to jail by withholding classified information, but if you do not do it correctly, you can get into big trouble. So, that is a significant impediment. The Office of the Secretary of Defense provides the policy for what we can talk about and what we can not talk about, and that is evolving. In turn, it has led to some interesting situations where General Alexander, in his national intelligence hat, has authorities to deal with certain countries at very high levels of sensitivity, but when he turns and puts on his Cyber Command hat, he can talk to those same countries at secret or even unclassified level. This naturally confuses some of the other countries as to what is going on here. It is not a problem for General Alexander, because he can use whichever hat he wants, but for the rest of us on his staff, it is a challenge. And then you get into issues where a lot depends on the technical capacity of the country you are trying to work with, do they have the ability to be of significant help in the cyber domain. In some cases, it makes sense for us to help them with their security apparatus or capability. In some cases, they are countries that we prefer not to have good security, because that actually helps us collect on them. But the other thing is you may even have a very friendly country, but if their security is not good, if their networks are penetrated by what we see as adversaries, then if we were to share with them, then it is like a conduit direct to an adversary. Lots of intelligence works in this fashion; don’t go against the hard target. You go against the weak one and work your way in there and that is true in conventional or cyber intelligence. And then there is a whole host of legal issues that are involved with working other countries that are challenging, law of war kinds of issues. The bottom line is that when it gets to military cooperation in cyberspace with foreign countries outside the U.K. and Australia, it is still an extremely difficult environment to try to navigate through. The bottom line is we are trying to work to accomplish our own national objectives as well as those of allied and friendly countries, because it is a global problem, and if we don’t work together with many of those key allies, then we will not be able to make a significant improvement in the current threat enforcement. And I think I will quit there.

CHRISTOPHER M. PAINTER: Thank you for those comments. Finally, or finally for the panelists, I want to turn to Dr. Streltsov.

DR. ANATOLY STRELTSOV [via interpreter]: I would like to express my gratitude for the opportunity to be present at this conference. Taking into consideration the fact that I don’t have a lot of time, I would like to start talking about the most important issues. The problem of the security of cyberspace and the security of the information communications in general, it is not a new problem for the Russian Federation. We started to work on this issue in 1994, and we were able in 1997 to achieve some very significant results with the concept of the doctrine of providing everything necessary for the creation of the security of the information systems. And in the year 2000, the President of the Russian Federation adopted and signed the Doctrine of the Information Security of Russian Federation. This document contained the information on the main national security concerns of the Russian Federation and all the measures which have to be taken in order to provide for the 100 percent security of the information and the security of the cyberspace. It happened long ago when we had come to the full understanding that there is a need for the international cooperation. For more than 10 years, we have been starting to prove to the international community and other countries the importance of international cooperation in order to be successful in fighting these cyber threats, and we can see how the situation is changing. The changes are dramatic, especially the changes which took place in the last years. And we have a full understanding that the main aim or mission of every state is the development of the national security of this particular state, and of course, this task has to be done by every state separately, by the government, by the private sector, and by the civil society of this particular state. But, nevertheless, there are issues, which require, demand international cooperation, because otherwise they cannot be resolved separately by separate states. And we tried all the directions we tried in order to be successful in this particular field. We have extensive bilateral agreements and bilateral activities with many countries who are interested in these issues. Last year, we had a very specific and very sincere negotiations bilat with the American side and we came up with the excellent plan of how to move ahead and this plan is being implemented right now. In the year 2000, we were able to come up with the agreement in the framework of the Shanghai Organization on Cooperation and we came up with the documents on our mutual plans and our mutual activities in order to achieve cybersecurity. In the same year, the year 2000, we came to the agreement with the Government of Brazil on these same issues. Also, we have conducted bilateral consultation with the governments of many other countries on these same issues. And our experience has shown to us that notwithstanding the facts that many countries have very different visions and very different understandings of the issues of national security in cyberspace, there are some common positions, common points, and we have to use it as a base for the future cooperation. And on the basis of all this experience and this vision, Mr. [Nikolai] Patrushev is the head of the Presidential Council of Security. He came up with the idea of the development or creation of the international convention on providing the information security in cyberspace, and this convention was introduced during the meeting of the high representatives who are in charge of the issues of information security in different countries. And by the decision of the head of the Ministry of Foreign Affairs of the Russian Federation, this document was sent to the governments of all the countries who participated in these activities, and the responses which we have received from the governments of many countries have demonstrated to us that these governments are very interested in this document and consider that some positions or more of the positions of these documents can be used in the future for successful cooperation. And shortly, the content of this document is based on three major points. Number one, the information security is the major part of the national security for every country. Second one, international cooperation should be focused on the major threats which are considered to be major threats by all or the majority of the countries who are involved in the fight against cyber threats. And such threats were identified by the UN Group of Government Experts on international information security, and you can find these threats in the report of the UN Secretary-General, which was delivered at the 65th Session of the UN General Assembly. These other threats, the first one, the aggressive use of information technology, the use of information technology for the preparation of the terrorist acts, and the fight against this cybercrime. And point number three, which is fundamental for this concept: it is very important to take into consideration the different cultures which exist in different countries of the world while you are working on the preparation of such a concept or such a document. It just happens historically that every country has its own culture, and if you want to build a really stable building when it comes to the informational security, you have to take into consideration this particular factor, because different countries have different cultures. What is important in my view is that right now we have two processes, which go along in parallel. The first one, the building of confidence measures between different cultures, and number two – and I think we can start to discuss this issue – the creation of an international understanding of an international concept of information security or security in cyberspace. The creation of such a system or such an understanding is a long-term process, and we don’t think it will be successful tomorrow, but maybe it can be done successfully the day after tomorrow. And we don’t have illusions that everything which we included in our concept of information security, that all of the positions or all of the points are going to be implemented, but I hope that it would serve as a base for the dialogue, of a dialogue devoted to this extremely important and acute program. Thank you very much for your attention.



[Applause.]

CHRISTOPHER M. PAINTER: Thank you for your comments. I will deliver just brief comments from my perspective, and then we will open it up for questions from the audience. As you’ve heard, I think, from all the panelists, this is something that increasingly I think all countries are prioritizing, and it really is, as I referenced in the beginning, becoming more of a national policy priority and a foreign policy priority.

Here in the U.S., we released – the President released the International Strategy, which I thought was a remarkable document for a couple of different reasons. One of them is that it brought together what were previously very stovepiped areas, including economic issues, standards issues, Internet governance issues, political military issues, cybercrime issues, cybersecurity issues, all under one framework that tied all of those things together and made clear that all of those things were interrelated, and the decisions and positions you took with respect to any one actually impacted the others.

In service of an overall goal, which was to achieve not just for the United States, but for the rest of the world as well–and this strategy was really an invitation to the rest of the world to participate and to work on achieving this goal–an open, interoperable, secure, and reliable information and communications infrastructure. It is important to note that openness and security are both important goals, and they are not, as I think often is thought, diametrically opposed goals. You can and should be able to achieve both.

Obviously, there has been a lot of other activity too. Secretary Clinton created my office, which was new in the State Department, to try and bring all of those things together there. A number of other governments have done the same thing. It has happened in the U.K. It has happened in Germany. It has happened in France. It has happened in Japan, recently. More and more, governments are looking at this as something that they really need to engage in, and that is not surprising, given that you have heard some of the activities from the panelists here, but in almost every single multilateral forum or regional forum out there and the majority I think now of our bilateral engagements, these issues are coming up, and they are coming up with more urgency.

Just to give an idea of some of the activities, you heard about the Group of Government Experts. I will talk a little bit more about that, and I am sure we will talk about it in the question and answers. There was, I think, a real success in saying that we need to talk about norms in cyberspace, and make sure we apply them to the space. Others have said, and I will reemphasize, it does not mean “create new norms;” we have norms in cyberspace.

We have had the Deauville Declaration from the G8, which was the leaders of the G8 coming up with literally a page and a half on the Internet that was unprecedented, which really covered all these issues, and I think in a very good way.

We have had discussion in principles that came out of the OECD on Internet policymaking, which touched on a number of these issues and really emphasized the idea of openness and transparency. We have had for a long time, the Budapest Convention on Cybercrimes as one of the core documents, and Vice President Biden said in his remarks at the London Conference, itself I think a good landmark event, that the Law of Armed Conflict applied in cyberspace—that norms apply in cyberspace—and I think that is very important. I think when we think about this, we have to think “what is the framework.” For some of these things, like cybercrime, I think there is a framework. For some of the international security issues, we are still developing that framework. And what is the end goal? What are we trying to achieve? Obviously, that goal from the international strategy, but I think more specifically to create a stable international environment or an environment of stability, or maybe to put it another way, an equilibrium that no state really has an incentive to disrupt. And I am not talking about in warfare now. There has been a lot of talk about a cyber war or a cyber conflict. I for one think that is far less likely than cyber being used in a normal conflict. I do not really think that there will be a cyber-on-cyber conflict. I think that it has perhaps been overhyped a bit in the press and others, and naturally, it is kind of an exciting topic. But at the same time, we need to build a framework of stability and understanding between countries, and that is a multilateral and a bilateral effort that we need to undertake. It is also a long road. I mean, I think this is something we are still in the beginning part of these discussions. It has been raised to a level where it is significant, but we are still discussing it in these ways, and part of that is really listening to what other countries have to say, both countries we agree with and countries we do not agree with. We have had many discussions over the past couple of years, and I think we will have many others.

We have talked about the idea of building a consensus around norms in cyberspace. That is a critical element, but we have also engaged in this idea of confidence and transparency-building measures, particularly with countries that maybe there is some distrust with. There may be some chance of escalation that we want to try to make sure does not happen. So confidence-building measures are very important, and we have been turning to various international organizations like the OSC and others to look at those, but we have had, as Dr. Streltsov has noted, a dialogue with Russia on confidence-building measures. Steve noted the white paper on some of their defensive aspects. There has been a dialogue about that, and I think that has been very productive. And I think that is a real strong, optimistic step forward.



My colleague, Michelle, said at the dinner last night she was very optimistic in this area, and I am too. I think there are a lot of things that we can achieve, and there are great opportunities, to be sure; great risks, but also great opportunities. Now, that does not mean we agree on everything that we have been discussing with our colleagues. Our Russian colleague talked about a new treaty for cyberspace. We do not think that is necessary. We don’t think that is the way to go. We think really we need to take the step of socializing around norms, but we do not have to agree on everything to have these conversations to start building this environment of trust and get countries to think about these various issues. So I guess what I would close with– and I do really want to have some robust questions and discussion here–is that this is a dialogue that is going to take a while, but I think it is one that has already started off and started off in a good way. From the United States, it is really an invitation to all countries to talk about these issues. That includes the developed world and the developing world. It includes the G77 countries. It includes engaging them on a host of different issues across the board in the cyber realm, but particularly in the security area, and I think that we are going to do a lot more of that in the next couple of years. And I am looking forward to that and looking forward to dealing with all of my colleagues here. With that, let me open it to questions.

ATTENDEE: Yes. I am Randy Fort with Raytheon Company.


Admiral Cox made the point about the need in the future to be able to help some of our allies with technology to improve their cyber capabilities. So my question to Steve and to Chris is what are we doing to change our export control laws, our ITAR laws and so forth, to be able to facilitate the rapid export of the technologies that the Admiral would have us share. Most of those technologies are going to be developed by private sector companies. They will have to go through the usual process, and if it takes 18 months or 24 months or 36 months to get an approval, then we are two, three, or however many Moore’s Law cycles obsolete before the technology necessary gets into the hands to whom we would wish have it. So I just wondered if you thought about how we are going to change some of those export control regimes, to enable this policy objective that the Admiral suggested should be done. Thank you.

STEVEN SCHLEIEN: Thank you. We know it is on our list of issues to look at. We are just starting our discussion with our export control experts within DoD on those kind of issues, and the honest answer right now is we are just looking at – we are trying to explore what restrictions would be there versus not, what are really ITAR or CCL issues with this area. So we know it is something we have to explore. Like many of the cyber issues, the first challenge is knowing you have a problem or knowing you have an issue you have to deal with. I can tell you we haven’t come to fruition with that, but we have begun the dialogue.


ATTENDEE: Hi. I am Eric Louie [ph] at American University. This is a question for Mr. Painter. You mentioned the developing world, and I was wondering how you properly incentivize your partners in the developing world to work with you, when you have a combination of weaker central governments, proliferation of devices, particularly mobile ones, which tend to be more vulnerable - which adds up to botnets and things that get colonized and employed and usually get employed against us, targets in the developed world. So how do you incentivize them when even if and when their networks are perhaps more colonized and compromised, they might not see the benefit in them in providing security benefits that are perhaps more reached by us? So how do you work with them?

CHRISTOPHER M. PAINTER: So there are two aspects of engaging with all countries, including the developing world. The developing world both do their own defenses, because that also helps our defenses and the collective defenses of everyone, and the second is that the developing world, just like all countries, are now engaged in all these different policy debates around the world, and it’s, I think, very important for them to be part of that conversation and to understand what is at stake there. Now, how do you get them involved and incentivize them? I think one way is, as we have seen increasingly, as governments are becoming more dependent in those countries on whether it’s mobile broadband or traditional broadband – and for instance, in Africa, there are a lot of cable landings now, so there is more broadband coming to Africa. Kenya is a good example of a country that’s had an explosion in mobile devices and has been really an innovator on some of that using, for instance, their M-pesa payment system. So they are understanding not just the rewards but the challenges. So partly, I think you pitch this as an economic issue, because it is. I mean, if you have good security, you can really, I think, bolster your economic development that these technologies allow you to do, and I think that that is, you know, one key argument that I think really does persuade a lot of countries that this is an important issue. The other is I think we have to do a better job of capacity building and engaging with these countries. This goes back to one question that came up earlier. We can’t simply engage with the countries that we already know are with us. That is not going to get us nearly where we need to go. We need to talk to all these countries. We do have limited resources, but we also can work with our allies, we can work with the EU, we can work with others to do more capacity building in the developing world. I will give you one example. We did a cybersecurity, cybercrime, and also talked about governance and freedom and other issues in Kenya last year for five East African countries, and we put that on. And we did a couple things that the U.S. Government doesn’t always do well, which is, one, we made sure we had the public and private sector there. It wasn’t just one government. And we had a range of different government institutions. We did it in partnership with the Government of Kenya, and we also made sure there was follow-up. That’s one of the things we don’t do very well, and I think it’s important for us to do that and get the right people to those meetings and really raise that level within those governments. Of course, Kenya hosted the IGF later on that year. So I think we need to do more of that. One of my priorities at the State Department is this capacity-building effort and trying to figure out where we can use our resources regionally to have the most effect. That is part of our training to mainstream this issue with a foreign policy issue. DoD has been doing some of the work. FBI has been doing some training. I mean, there’s a lot of development and capacity building we need to do, and that brings them into the game. Anyone else?

CHRISTOPHER M. PAINTER: Yeah.

ATTENDEE: Hi. Good afternoon. Raymond Barr with The Reporter. For Mr. Painter and Mr. Baltink, you both said there are some outstanding legal issues. If you would be able to expand on that, particularly maybe from the U.S. domestic point and also sort of say cross-border, international as well.

GERBEN KLEIN BALTINK: Well, I don’t have a, let’s say, global overview on all the legal things that apply to the digital domain, but believe me, there is quite a different view in some parts of the world regarding to privacy issues, ownership issues, what is a criminal act, et cetera.

One of the things we have to deal with is that if we want to make some progress in the cybercrime scene, we have to deal with quite a few of those legal issues beforehand, because it is not just law enforcement that can take care of all things that go wrong. We need to have legislation in place that is more adapted to the digital domain. The general feeling in The Netherlands is that the laws we have in The Netherlands and in most of Europe are adequate enough also in the digital domain, but if you do global transactions, you find out that other jurisdictions do offer some real issues that have to be solved.

CHRISTOPHER M. PAINTER: And I think from the U.S. perspective, we will take a couple of the categories you mentioned. In terms of data protection sort of laws, I think the key there is interoperability. You are not going to have exact same systems in different parts of the world, but you have to make sure they are interoperable, and that has been something I think we have been talking about for a while.

With respect to cybercrime, I do think that is why this Budapest Convention - either adopting it or emulating its provisions - is so important, because that sets this framework, this base legal framework that every country would have to enable more cooperation between them, and I think that’s important.

Then on other issues, I think as we said before, you don’t need to create whole new legal frameworks when you have international humanitarian law and other international instruments apply, but there are some ways of how you apply these to cyberspace. And I think certainly lawyers have a piece of that. We don’t have an international lawyer on the panel, but that is certainly at our department. The international lawyers are very engaged in these issues. I think they will continue to be, but I don’t think any of these are insurmountable issues. I don’t see anyone else on the microphone. Anyone else on the microphone? Come on. Don’t be shy. We have a winner!

ATTENDEE: Good morning. My name is Chris Vote from Pacific Northwest National Lab. A question for our international guests here. We have heard about Department of State equities, Department of Defense, Department of Commerce from the U.S. From your point of view, how difficult is it for you to deal with the U.S.? Does the U.S. speak with one voice, or are you hit with problems from a number of different angles when you deal with the U.S.?

GERBEN KLEIN BALTINK: I think there is a growing awareness that from all the different perspectives, you have to try to find some common denominator that works for U.S. Government as a whole, and in the civil context, we have from The Netherlands from the last one year, two years, I see that there is not much difference between the approach from the different departments, although, of course, a Department of Defense does have its own specific issues related to cyber and working with, as I mentioned before, the FBI on cybercrime. Sometimes it is not completely the same as talking to Mr. Painter about what we should do internationally together, but I don’t see an issue where there are different voices or something like that. Of course, in The Netherlands, in Europe, we have the same situation where different departments traditionally handle different aspects of the digital domain. In The Netherlands, the Ministry of Economic Affairs, the Ministry of Education, the Ministry of Foreign Affairs, State Department, and the Ministry of Security and Justice are just a few, besides the Ministry of Defense, that are involved in this arena. So I don’t think it is a specific U.S. issue.

CHRISTOPHER M. PAINTER: Anyone else?

DR. ANATOLY STRELTSOV [via interpreter]: Thank you for the question. We don’t see a huge problem in cooperation with different departments or agencies of the United States. In the framework of our negotiations with American delegations, we have to deal with the delegation as a whole. We also have our conversations with the representatives of different departments and agencies who are represented in these delegations. I think that we developed an understanding of the very high level of cooperation and interoperability between different agencies and the departments and we didn’t face any problem. We are quite successful in our activities.

So I think that we should just compliment the high level of organization and cooperation between different departments and agencies in the United States.

CHRISTOPHER M. PAINTER: I’ll say this on that question. I don’t like to even use terms like “State Department equities” or “DoD equities.” I mean, I think that implies this kind of stovepiping that is too common in government, and I think that’s one thing where we have succeeded. There’s still some work to go, but we have succeeded in bringing the different agencies together and talking to each other and collaborating. We talk to our DoD colleagues all the time. We talk to our Commerce colleagues all the time. We really talk to our Department of Homeland Security (DHS) colleagues, and that’s very important. Almost the number one thing I am asked by another government – this happened yesterday – representatives from a government saying what can we do, what is the number one thing we should do in the cybersecurity area. I say, “Well, you should organize your own government so that you are all talking to each other, and so that the people who, for instance, go to International Telecommunications Union (ITU) meetings to talk about certain issues, which could be critical to cybersecurity, know what the issues are. So you have your governments conversing with one another and you know what the different risks are and how you can collaborate together. Increasingly, I think that’s happening. Some of these national strategies do exactly that. Yes.

ATTENDEE: Tom Moore with CSIS. I have a question for Mr. Baltink. Ten days ago, the European Union announced that it will release a cyber-strategy in the fall of this year. The fifth component of the press release dealt with an international dimension of the strategy, but it was also the shortest and the least detailed of the press release. So I was curious if you had some more details on what the strategy might actually look like with regard to the international dimension of this. Thank you.

GERBEN KLEIN BALTINK: Well, the short answer is no, I don’t have the details, but I can explain why it is not addressed as fully as the other aspects. Even within Europe, where the European Union has existed for some time already and cyber has been discussed over the last so many years, it is still very difficult to find enough commonality within the European Union, let alone to stress the need – well, the need will be stressed, but to find the right ways and the right wording to address international collaboration outside the European Union.

CHRISTOPHER M. PAINTER: I can say we have been dealing increasingly with different parts of the European Union, certainly, obviously with the member states but also with DG, Information Society, Neelie Kroes and with Milestrom [ph] and others in the European Union. The External Action Service (EAS) has become very active in this area just in the last year, and it is really standing up its capabilities, recognizing some of these issues.

ATTENDEE: Hi. Eric Berger, Director of the Georgetown Center for Secure Communications. Hey, Chris, good seeing you again. A couple of times, we have heard a number of the speakers – and this is something completely different – talking about openness, interoperability, transparency, and its relationship to cybersecurity. I wanted to get the panel’s perspective on a movement by a number of governments that would like to move the Internet Assigned Numbers Authority (IANA) functions, some of the IP addressing and naming functions, as well as the providence of the Information Assurance Task Force (IATF), where a lot of the Internet protocols are developed, into the ITT, either by treaty or by other mechanisms. I was wondering what your perspectives were on that sort of undercurrent.

CHRISTOPHER M. PAINTER: I mean, I think the United States has been very clear that we believe in, and we support, the multi-stakeholder nature of Internet governance, and that is what we have today. We do not think moving all of that into some other international institution is the way to go, especially if the institution either doesn’t have this expertise or is really not a true multi-stakeholder institution that includes not just governments who have an important role here, but the private sector and civil society. And that is really core. That was spelled out in the OECD policymaking principles. That is something that Secretary Clinton has said. That is something that Vice President Biden said in his speech. That has been one of our core precepts.

STEVEN SCHLEIEN: That is the U.S. Government-wide view, not just State.

GERBEN KLEIN BALTINK: I would like to add that the Dutch view is almost the same. Our Secretary Rosenthal of Foreign Affairs makes a comparable statement, and I think our view is that multi-stakeholder approach is essential.

DR. ANATOLY STRELTSOV [via interpreter]: I would like to provide more specific response to this question. The governance of Internet does not represent the unified process, so to speak. There are many independent tasks that are being resolved by different bodies or organizations in the process of the governance of Internet, and not all of these tasks are influential on the national security, the interest of the states or the members of international community in equal measures. I think that some tasks that used to be resolved by the nongovernment organizations should continue with the same practice. They should be governed by the nongovernment bodies. But at the same time, some tasks just cannot be achieved without participation of the government bodies, and here I am talking about providing information security or the operation and transactions security in the Internet. I think it is very important to have a clear distinction between these different tasks, and to find the common position that we can use to work together closely, in close cooperation.

ATTENDEE: Jamie Magoy [ph], Department of State. This is a very respected panel, with so many years of experience on cybersecurity issues. So I wondered if you could speak briefly – this is sort of a question to everybody – on how well the issues of cyber diplomacy ensure through different administrations, how this sort of continues over time and evolves slowly or whether you see in your years of experience any sort of abrupt changes in sort of policies in the way cyber diplomacy works. Thank you.

CHRISTOPHER M. PAINTER: Start at that end of the table if anyone wants to talk about this and then we will move up the table. Starting with the Russian colleague, do you have anything to say on this?

DR. ANATOLY STRELTSOV [via interpreter]: I think that cyberdiplomacy is extremely important, and it is one of the major tools that can be used to provide security in the cyberspace. I was a participant of the activities of two groups of the UN called Groups of International Experts on the information security. The first meeting took place in 2004-2005, and the second meeting took place in 2009-2010. I was able to witness how difficult it was to find out the common positions, how difficult was the job of the diplomats. Nevertheless, they were successful in coming up with the consensus, which served as a base for the report of the UN Secretary-General. I think it is an extremely important tool that can be used and should be used to guide our common aims and the measures that we have to take in order to be successful in our cooperation in the field of cybersecurity.

REAR ADMIRAL SAMUEL J. COX: I guess my observation would be is that it is a pretty common theme across all administrations and most countries right now of just how difficult it is to achieve any forward progress whatsoever. There is a tendency to think that a lot of this cyber thing is new, but actually, many of the same difficult questions we have been wrestling with today were being talked about and argued over in the early 1990s and probably even before that. So it is a cheap shot to say that no one can make much in the way of progress, because the issues are extremely difficult, challenging, in many cases going to fundamental liberties and security issues that there are no easy answers to. And I’ll just leave it at that.

GERBEN KLEIN BALTINK: I think in The Netherlands, traditionally, it has been left as a topic to intelligence community and the Ministry of Defense, but over the past few years, we have seen a growing interest of our Department of Foreign Affairs. And I think they pick it up very neatly.

The London Conference was mentioned a few times already. That is one of the things they are very active in and want to proceed with. It will not be an easy task to balance security and transparency, openness, economic efforts, free access to information, et cetera, but they are really busy working on their diplomatic efforts.

STEVEN SCHLEIEN: I will say that I think you can actually track the importance in activities of government to this area to how it’s actually being dealt with in private sector and civil society as a whole in growth of use of cyberspace, Internet for everything every day.

As a career civil servant, I am not going to pick out one administration versus the other, but I will say over the last several years, the Defense Department has both created Cyber Command and published the first DoD-wide strategy on operating in cyberspace. Now, that was based on a directive by our Secretary of Defense at the beginning of this administration, but that Secretary of Defense was appointed by the previous President. So I am not going to pin that on one administration versus the other. It is the same gentleman. But I think you can really track the importance throughout in just a recognition by governments that this is something that permeates society and therefore permeates governments.

CHRISTOPHER M. PAINTER: I think it’s a very good question, and I think the question is borne in some part by the fact that there has been sort of a sign or sort of wave in the past of this, and this is an area where I think past is not prologue. When you go back to 2003 and the U.S. issued a strategy for cyberspace and part of that had an international strategy, and it was a good strategy, but shortly after 2003, it wasn’t really talked about all that much. It sort of lost currency. It is still a strategy that is in place today. It is still part of our group of documents that guide us, but I don’t think that is going to happen again, because the difference is now. It is not just a concern for one political party or one country. Both the Republicans and Democrats in this country take this issue seriously. Institutionally, you heard Bill Lynn and Jane Lute speak this morning. I can tell you that in some of the meetings, the high-level meetings, when you get these deputy groups together, they talk about these issues. They are not just reading talking points. It is really a big change in terms of how our government looks at these issues and how high it has been raised, and that has been in the last administration too. There was a Comprehensive National Cyber Initiative that Melissa probably will speak a little bit about later, and then the activities in this administration. So there has really been a lot of attention paid to this.

The other thing is that it is not just at the working level or the technical level. It is the highest levels of all the departments, and you see all these countries issuing strategies, and in our case an international strategy, which had never been done before, and I think that is significant. And you had them treating this as a major policy issue, both domestically and as a foreign policy issue.

That is, I think, a glide path you cannot go back on. I think that you are not going to start seeing a slippage in the attention paid to this issue. If anything, I think it is going to accelerate around the world, no matter what happens.


Law Enforcement Efforts Across National Borders Panel 2

Panel Chair

Shawn Henry, Cybersecurity Professional, Executive Assistant Director, Federal Bureau of Investigations (retired)

10 April 2012 Lohrfink Auditorium Georgetown University Washington, D.C.

Panelists

Adrian Ciprian Miron, Home Affairs Attaché (Police Liaison), Embassy of Romania

Zahid Jamil, Barrister-at-Law, Jamil & Jamil, Pakistan

Judge Stein Schjolberg, Court of Appeals Judge in Norway, Co-Chair of the East-West Institute Cybercrime Legal Working Group

Noboru Nakatani, Director of INTERPOL’s Complex for Innovation (Singapore) (effective April 2, 2012), Chief Superintendent for Japan’s National Policy Agency

Moderator

Dr. Catherine Lotrionte, Director, Institute for Law, Science & Global Security, Georgetown University



LAW ENFORCEMENT EFFORTS ACROSS NATIONAL BORDERS

DR. CATHERINE LOTRIONTE: So our second panel for today is on law enforcement efforts that span national borders. The moderator of this panel is Shawn Henry, a good friend and somebody who puts up with my constant annoyances and nagging and someone who has been part of this conference for the second year. So he keeps coming back. But today Shawn has a secret and he really hasn’t given me any hint on the answers. So some of you may actually be able to get it from him. After 24 years of service in the FBI, Shawn Henry has retired as the Executive Assistant Director from the FBI in March of just last month, 2012. While he was there he had the responsibility of all FBI criminal and cyber programs and investigations worldwide. So, as I just said, he has yet to disclose where he is going, but supposedly he is going to tell folks soon. During his career as a special agent, Mr. Henry served in three FBI field offices and at FBI Headquarters where he held a wide range of operational and leadership positions, including Assistant Director in charge of the Washington Field Office. Mr. Henry has been the Bureau’s outspoken top agent on cybersecurity issues and is credited with boosting the FBI’s computer crime and cybersecurity investigative capabilities over the last couple of years. Thank you, Shawn, for leading this panel and, as always, being one of the great leaders for the country.

SHAWN HENRY: Thanks, Catherine. Excellent. Thank you very much. I really appreciate the opportunity to be here. I had the pleasure of being here last year and recognizing the challenges that we face – and you’ve heard from a number of esteemed colleagues of mine and people I’ve worked with in this space over the years who have talked about the challenges that we face and the threat and how significant that it is. I would like to say that I have had my head behind the curtain and I have seen what those threats are from both an unclassified and a classified perspective. And I have to concur with my colleagues about that threat. I heard a lot of folks talk this morning about some of the policies and the practices and some of the preventive techniques that are being utilized. We have talked about arms control and norms of behavior and many of the things that need to be done or can be done, can be implemented going forward to help make us more secure at the international level. But regardless of those practices that are put in place, regardless of the controls or the norms of behavior, we really recognize that we are not going to stop determined adversaries from breaching networks, which is going to require then that there be some type of a response, whether it be from a national security agency or an intelligence agency or, in many cases, a law enforcement agency, for them to get involved. And certainly the breadth and scope of this threat requires us to cross national borders because, in this space, there are no borders. So what we are going to talk about today – and I have got just a tremendous level of expertise here across so many different areas, but we are going to talk about international law enforcement issues surrounding cybercrime. It is an incredibly complex issue and it is certainly a worldwide problem. When I started in the FBI more than 24 years ago and there was somebody who physically walked in and robbed a bank, the pool of suspects for that bank robbery was limited to the small number of people that happen to be in the vicinity of the bank at that particular exact time the bank was robbed. So it is a relatively small pool of potential suspects. Fast forward over 20 years and, electronically, banks are being robbed every single day. And the pool of suspects for these electronic bank robberies is limited only by the number of people on the planet earth with a computing device and an internet connection. And that is about 2.3 billion people, according to most recent studies. So the pool is somewhat larger and it gives a whole new name to canvassing the neighborhood, which is what we used to do after a physical bank robbery, right, go around and knock on doors. In the FBI, we recognize the need to station our agents overseas to build these collaborative relationships with our international partners and we were able to put representatives into Romania and into Estonia, into Ukraine, into The Netherlands, into the national police agencies of these organizations as well as some other organizations around the world. What we are going to do here today is look at this response at the international level from a law enforcement perspective, talking about the investigative needs and capabilities, some of the legal issues, and the framework surrounding these international law enforcement responses. Then we will talk about the judicial perspective and what that might mean and some of the things that we might be able to do globally. And then we will look from an INTERPOL’s perspective how all these things kind of wrap together. So I’ve got just a tremendous group of folks here. Our first speaker, from Romania, Adrian Ciprian Miron, who is the Police Liaison at the Embassy of Romania here in Washington, D.C. He’s held multiple positions within the Romanian National Police since 2000. He has been involved with the Romanian Cybercrime Initiative. And I will start with Adrian and then I will introduce the other panel members as we move along. At the conclusion of our final speaker, it is really important for us to get a dialogue from the audience. You all have a unique perspective. You have different ideas and thoughts and in order to take full advantage of the expertise we have up here this afternoon in front of you, it is really important to have that dialogue. So let me turn it over to Chip, and then we will proceed.

ADRIAN CIPRIAN MIRON:

Thank you very much. Thank you very much, Shawn, for your introduction. I would like to stand because I want to follow my presentation. As Shawn said, I am working as a Police Liaison, more like a Home Affairs Attaché for the Romanian Embassy in Washington, D.C., and I represent the Ministry of Administration and Interior. Inside the Ministry we have the General Inspectorate of Romanian Police. One of the structures of the Romanian Police is the General Directorate for Combatting Organized Crime and inside that is the Cyber Crime Division.

[ 1 91 ]


LAW ENFORCEMENT EFFORTS ACROSS NATIONAL BORDERS

Our Cyber Crime Division was created in 2003 because we need new strategies for preventing and combatting cybercrime, and the way we started, the way we saw the first cybercrime complaints were registered in Romania in early 2000 with a classic scam, offer high-end electronics or other goods for sale or auction, take the order, confirm the shipment, and simply vanish the moment the customer has wired payment. Soon this kind of crime began to extend to a national level and we needed to investigate the whole country. So that is why our management decided to create the Cyber Crime Division. Next slide, please. As you can see

which slowly they are shipping members all over the world. Today, almost every cyber criminal is a part of a specialized group, and they commit from scamming bank or wire fraud to hacking and hacktivist. International cooperation appeared to be even from the beginning. We must have, especially because these kinds of crimes, as Shawn already mentioned, are cross-border crimes and the investigations are hard to finalize without exchanging information. Through the MLAT process–MLAT process is the Mutual Legal Assistance Treaty–requests that we have between U.S. and Romania, for example, we were able to prosecute the criminals

Today, almost every cyber criminal is part of a specialized group.

here, the Cyber Crime Division has two offices and at the national level we have 15 brigades for combatting organized crime. Every brigade has an officer who works for cybercrime investigations, and also we have another 27 offices for combatting organized crime, the 41 counties that we have in Romania. Even with this structure, I think we don’t have more than 200 police officers specialized in investigating cybercrime. Next slide, please. Well, about the evolution of cybercrime in Romania, as I mentioned earlier the first cybercrime cases began to appear in the early 2000s and, since then, every year the number of complaints has grown, although at that moment criminals acted by themselves using a very simple way to earn easy money and without ever thinking they will be caught. These days they are organizing big criminal groups

[ 1 9 2] Georgetown Journal of International Affairs

in Romania and the U.S. authorities helped us in interviewing the victims. Next slide, please. The next one. The main factors behind the reorientation of gangs to cyber offices, like I mentioned, they made huge amounts of money in a relatively short time. They realized they can obtain this money with a low risk and, in fact, those who lead the criminal groups are not those who participate in the front line in committing the crimes. We call those “arrows” because the criminals send others to pick up the money sent to them by the victims using Western Union or MoneyGram. Services and the arrows only get a small percentage of the amounts. Recently, they chose not to pick up the money from Romania, for example, because we have Western Union and MoneyGram offices also in my country. But they travel around the world and


PANEL 2

access the services from other countries, making the tracking more difficult. In fact, if law enforcement is complicated by the transnational nature of cybercrimes, the cooperation across national borders to solve and prosecute crimes is necessary, but at the same time it is very complex and sometimes could be slow. Cyber criminals can defy the conventional jurisdictional realms of sovereign nations, originating an attack from almost any computer in the world, passing it across multinational boundaries, or designing attacks that appear to be originating from several sources. Such techniques increase both the technical and legal complexity of investigating and prosecuting cybercrimes. Next slide, please. Well, about 80 percent of the computer fraud and phishing attacks committed in Romania have U.S. citizens as targets and, from our perspective, it is pretty easy. Sorry, Shawn, for that. From our perspective – yeah. From our perspective, it’s pretty easy because U.S. has a really developed online market, banking online, and commerce online. So, for our criminals, it is very easy to commit these crimes here. The most active areas in Romania, they are the counties that are mentioned here. And about the Internet child pornography, I can mention that it exists in Romania, but it is not a huge, big deal. Actually, we cannot talk about the phenomenon. Next slide, please. We have the legislation in Romania developed since 2003 and, actually, Shawn just revealed the fact that he was present in Romania in 2003 when my government tried to punish these crimes. And computer
fraud, it is punished with imprisonment from 3 to 12 years, but if you are organizing a criminal group and the prosecutors and the Romanian police officers can actually prove that you’re a part of a criminal group the prison is up to 15 years. Next slide, please. To date, Romanian cyber criminals are known to be actively involved in, as you see, unauthorized access, computer fraud, credit card fraud, and hacktivism, which is pretty recent. Next, please. These are some examples. The next three slides are examples for the escrow scams that we faced in Romania and these are, for example, fake announcements of selling cars posted on Mobile.de. That is a site in Germany, very, very well-known and famous for selling new and used cars. So they offered, for example, this E Class for 30,000 euros as almost a brand-new car. Next, please. These are examples for apartment rental scams that run in Spain, France, Germany, and Belgium. The next one, please. These are the fake docs that a criminal will use to gain the trust of the victims and you can see here even a Missouri insurance card, all kinds of diplomas, all kinds of IDs, passports, and they use those to travel abroad and just to cash the money using the Western Union and MoneyGram, as I said, but from the foreign countries, not from Romania. Next one, please. Which are the risks for us? Well, the phenomenon has a negative impact upon Romania’s image and perceptions abroad. We already face a lot of problems with other issues in other countries, especially in Europe, but cybercrimes makes everybody to just
be afraid of Romania and the investments in Romania, they are not very, very huge in this field. That’s one of our biggest problems, I think, and we always try to fight against this image that we have. And I think in the partnership that we have with the other law enforcement, even in Europe and in the USA, we try to prove that we actually can fight against this phenomenon. Next slide, please. These are some of the statistics from 2011 and how it works for us, it’s from January to December. So it is for the whole year. We had 2,344 criminal cases registered in Romania, and we succeed to solve 1,091. 1,174 criminal cases were sent to trial with 1,512 crimes committed. We had 278 people who were previously arrested and then, from the investigation, we succeed to send to trial and to prosecute 558 criminals. If you think, like I said and like I mentioned the first time, that we only have 200 officers who are specialized in investigating cybercrimes, I think these results show that we really want to do the job as best as we can. The next slide, please. Well, this is an example of the international cooperation and I think Shawn remembers because this was one of our biggest cases in Romania. It was in July 2011, last year. We cooperated with many law enforcement agencies from the U.S. and we targeted a big organization group with many arrests and searches that took place in Romania. Next one, please. More than 100 individuals who have been arrested and charged in Romania and judicial districts in the United States, and you can see here the police unit who acted together and worked together, sharing
information and finalizing this action. We have all the Romanian important structures to fight against organized crime. And from the U.S., it was FBI, Secret Service, the Computer Crime and Intellectual Property Section, and the U.S. Attorneys’ Offices from around U.S. Thank you very much. I will be answering your questions after my colleagues will finish. Thank you very much.

SHAWN HENRY: Excellent. Thanks, Adrian. Our next speaker is Zahid Jamil, who is a barrister from the United Kingdom, practicing in Pakistan on cybercrime and counterterrorism areas. He wrote Pakistan’s IT legislation and e-payments legislation and, with the Department of Justice and the Council of Europe, conducts training of law enforcement and prosecutors, currently working as a legal advisor to the Board of the Commonwealth Cybercrime Initiative, and he is going to discuss some of the things we can do internationally as it relates to the Commonwealth Cybercrime Initiative.

ZAHID JAMIL: Thank you, Shawn, and thank you to the organizers. It is a great opportunity and a privilege to be here today. I am speaking in my personal capacity, although I am the legal advisor to the Commonwealth Cybercrime Initiative, and I would like to sort of express certain aspects of that initiative as well. But let me preface by starting off with sort of addressing some of the things, how we saw what the problem was and how we went on to address it within the
context of the Commonwealth. Obviously, whether you are a hacker or a terrorist and you think in the jurisdiction you are living, it is not illegal, one, that what you are doing, if you are launching an attack, or the fact that there is no international mechanism that reaches into your country; therefore, you feel there is complete immunity. So what do you need in this, the way we looked it, you need three basic things. You need interoperable legislation within that country, wherever these people are. Two, you need international cooperation, like MLAT, the Mutual Legal Assistance, to be able to have that international reach and cooperation between law enforcement across national boundaries, and the most important aspect of that is that the law enforcement in one country should have the right to be able to ask for information, not just on an ad hoc basis but on a legal basis. There should be a document, a treaty, an instrument on some legal basis so requests can actually go forth and a response has to come forth. So where do we look at this? And by the way, this was the biggest issue when I was training law enforcement. We asked a request to X country to give us information from Y corporation. We don’t get a response. So what is the solution to this? The solution only is if you have an international treaty. There is one. Obviously, everybody has talked about the Budapest Convention today. This is the only treaty that actually encompasses all of these areas. And even when we talk about network speed, you know, maybe it’s not network speed but 24/7 contact points and other mechanisms to really try to address this problem. Unfortunately, it seemed to many people in my part of the world and other parts that there was very little coordinated global diplomacy, if you will, on trying to get this instrument sort of advocated and lobbied. On a side bar, for instance, the U.S. Embassy could play a very important role with its legats and econ sections trying to make this one of the core principles of one of the policies it advocates in any country, for instance. But anyway, in this space of vacuum, what we saw was being formed, certain IGOs and certain member states of countries were basically starting to advocate against this treaty. Not only that, but there were certain myths that were forming. So you had certain things like, you know, it goes against sovereignty, it doesn’t cover VOIP, it doesn’t go far enough, all these sort of different criticisms, but when you actually have discussions with law enforcement within those countries say, “Let’s read the text,” the response was, “Oh, it does cover it. Oh, so it does address my problem. Oh, it actually gets me cooperation.” And those are the sort of
myth-busting exercises which are very limited and don’t happen too much. So, anyway, having seen this and seeing that there was this sort of division that was created within developing countries, G77 countries on the one hand, Russia, China, et cetera, and then the ones who were sort of lobbying around the COE, et cetera, the Commonwealth said, “Where do we go with this? How do we contribute to basically the cybersecurity and cybercrime realm?” So one of the ideas that I posed to the Commonwealth in a governance forum was you have something that’s very valuable within the Commonwealth context. You have a shared legal tradition. You have common law, which is the basis for many of the countries that you cooperate within the Commonwealth. And guess what? You have a model legislation, the Commonwealth model law, and that model law is based upon the Budapest Convention, the Council of Europe Convention on Cybercrime. So, without speaking too much about anything else, without getting into the politics, one of the things that could be done is have the Commonwealth go and lobby its own document, its own model law, and use its own reputation with these countries and try to get these countries moving. Because what was happening was that whenever you went into any country, the question was, well, “Which model do I follow? Do I follow anything?” At the moment you put the Budapest Convention in front of them, the answer would be, “Oh, no. We don’t want to use that.” So what are you going to use? So there is literally a status quo in trying to move legislation and even international cooperation on
these countries. So one of the things we did was – and while I am saying this, the recent White House International Strategy and also getting the U.K. to actually ratify the Budapest Convention are fantastic recent efforts to try and move around that path. So what is the Commonwealth Initiative and what does it do? In 52 countries that share legal tradition, coming around basically the first doc which is the model law, saying we would like to bring to these countries an understanding of why the model law, which is based on the COE Convention, is good for you. And by the way, the language that is used in this model law is very similar to the language that you use in your jurisdictions, not just in your national legislations, but also your judges and the persons to understand when they are creating case law. So around that, one of the things that we tried to do was not try to get partisan. You have the Council of Europe Convention on Cybercrime as a member and partner to this initiative, yet you also have the ITU and the UNODC partnering and working on projects, which are going into different countries. This, at least from what I know, is a first, because these organizations don’t necessarily work very well together sometimes. What, in addition, could we do apart from just having model legislation? Is a national law sufficient? No. You need to have cooperation across countries in law enforcement. So the Commonwealth has a scheme. It is called the “Harare Scheme.” The Harare Scheme is basically sort of a mutual legal assistance compact. It is not a treaty, so it’s
not exactly like the convention, but what it does is give a model basis for countries to adopt certain provisions that allow them to do mutual legal assistance. So that would be the second aspect. And basically, when you have these two – and most experts agree with this – if you have the model legislation on the Commonwealth and you have the Harare Scheme in the national legislation, you are really getting countries very close to being ready to be able to come on board if they choose, because they’re a sovereign nation and they have to make that political decision, but as far as a substance of what’s in their country national law is concerned, they have come close to being able to say, “Yes, we can ratify that treaty and come on board.” So that was one of the main reasons we thought that this would be very helpful. Now, the Commonwealth brings us Q-DAS and acceptance within those different political and legal regimes and it creates compatibility with the kind of model law that it has within those regions. So the idea is to cut through the myths, bust those myths about the convention, about various language within it, and try to get the countries to have a more informed approach as to what it is that they would need if they were to follow this. And what does the initiative do in the different areas? One, it will provide assistance to those who ask on policy. It will provide assistance on legislation, drafting, actually sending in experts. Law enforcement cooperation, working with law enforcement on trying to train them. We are not just talking about forensic experts, investigators, but we
are also talking about prosecutors and the judiciary. And very important, the private sector. The answer is not just to work with the government, but it is also to work within the private sectors within those different jurisdictions. So, for instance, currently ICANN and the ccTLDs, the assistance that ICANN will provide in trying to provide technical assistance to those ccTLDs in Commonwealth countries is one of the examples of what is just about to start there. So getting them ready for ratification, what is happening right now? We have three different projects that we are trying to look at; one, Ghana. Ghana wanted some assistance on legislative and cybersecurity policy. We have gone in. We have actually had discussions there and, basically, we are formulating an actual implementation plan as to how to deal with what we are going to do in Ghana. Also, the Pacific Islands have asked for some assistance and so has Trinidad. So, basically, stay tuned. Next year, we will have more information about how this initiative that has just started, which only in October got heads of government approval within the Commonwealth, how the implementation process moves out through the next year. And just a plug for everybody, I mean, I think that the London Cyber Conference was a fantastic event last year and we all in the Commonwealth are really looking forward to seeing what happens in Hungary, in Budapest later on in October of this year. Thank you very much.

SHAWN HENRY: Excellent. Thank you, Zahid. Our next guest speaker, Judge Stein Schjolberg, who is from the Court of Appeals, Judge in Norway, and co-chairs the East-West Institute on Cybercrime Legal Working Group. He is an international expert on cybercrime and one of the founders of the Global Harmonization of Computer Crime Legislation. He has published widely on computer crime and cybercrime legislation and will talk to us today about some of the judicial aspects as it relates to this international issue and international tribunal in cyberspace. Judge?

JUDGE STEIN SCHJOLBERG: Thank you, Shawn. I am going to speak today on, title, “Potential New Global Legal Mechanisms Against Cyber Attacks and Other Cyber Crimes.” Can I have the next slide, please? I would like to open with my presentation today with a quotation from Benjamin B. Ferencz, one of the most famous U.S. prosecutors. I quote, “There can be no peace without justice, no justice without law, and no meaningful law without a court to decide what is just and lawful under any given circumstances.” The most serious global cyber attacks in the recent years, such as massive and coordinated attacks against critical information infrastructures, have revealed that almost nobody is investigated, prosecuted, or sentenced. Such acts need to be included in a global treaty or a set of treaties and investigated and prosecuted before an international criminal court or tribunal. This is a proposal for an international criminal tribunal for cyberspace. A tribunal should have the power to prosecute persons responsible for the most serious cybercrimes of global concern in accordance with provisions in a statute. The potential tribunal may be necessary for future law enforcement efforts across national borders. Next slide, please. Today, there is no international court or tribunal for serious criminal acts committed in cyberspace. Is there a need for one? In my opinion, yes. Next slide, please. The most obvious alternative should be a separate international criminal tribunal for cyberspace based on a United Nations Security Council decision. An international criminal tribunal may be seated in The Hague. The tribunal may prosecute anyone who commits any of the cybercrimes included in international cybercrime law. It will be a signal for the United Nations and the global community that cyber attacks are no longer tolerated. INTERPOL will also in the future coordinate law enforcement across national borders. The INTERPOL Global Complex will be established and operational in Singapore in 2014, including enhancing preparedness to effectively counter cybercrime. Singapore may thus be an alternative seat for an international criminal tribunal for cyberspace. It would open up the possibility of assistance and cooperation with an outstanding investigation institution, thus enabling the global justice to promote the rule of law and ensure that the gravest international cybercrimes do not go unpunished. The existing UN-based tribunals have proven that efficient and transparent international justice is possible
and they have been setting important precedents for future international law enforcement. Next slide, please. Global cyber attacks against critical civil and military communication and information infrastructures should be included in a draft treaty for a global statute since it had not yet been regulated by international law or in regard to which the law has not yet been sufficiently developed in the practices of states. The most important article should include massive and coordinated global cyber attacks against civil and military communications and information infrastructures. Next slide, please. And here, you should see a proposal for a text. I will not go through it, because I have a time limit. So I ask for the next slide, please. The prosecutor’s office in the tribunal should be responsible for investigation and prosecution of persons committing the most serious cybercrimes of global concern. The current law enforcement requests across national borders may often be very slow and complicated, especially for requests including social networks in cyberspace. In a serious murder case in Norway, the response by Facebook took almost a year and was sent to the prosecutor one day before the court trial opened. And in the world’s most serious murder case in 2011, where 68 young people were brutally murdered one by one in addition to the destruction of three government buildings and death of an additional nine people, it is already obvious that all the responses from Facebook will not be available before the court trial opens in Oslo next week. The requests were sent several months ago. The prosecutor’s office must also have the power to seek assistance in investigations by a global virtual task force. A task force may be established by key stakeholders, including private industry, nongovernmental organizations, and the global enforcement through INTERPOL. Working in partnership with global virtual task force may be necessary for effectively combatting global cybercrimes, especially for delivering real-time responses to cyber attacks. The Metropolitan Police Central E-Crime Unit in partnership with a task force in the United Kingdom and the National Cyber Investigative Joint Task Force chaired by FBI in the United States may be used as models for a global virtual task force. Next slide, please. The International Telecommunications Union, ITU, in Geneva launched in 2007 the Global Cyber Crime Agenda for a framework where the international response to growing challenges on cybersecurity could be coordinated. In order to assist the ITU in developing strategic proposals a global higher level expert group,
HLEG, was established. This group of almost 100 persons from around the world delivered the chairman’s report and the global strategic report in 2008 with a recommendation on cybersecurity and cybercrime legislation. I was the chairman for this group. After the four main working groups have since been established in order to make recommendations for new international legal responses to cybercrime, we have them for a comparative study on cybercrime, was adopted by the United Nations General Solution in its Resolution 65230. This study framework includes the topic, I quote, “with a view to examining options to strengthen existing and propose new national and international legal or other responses to cybercrime,” end of quote. The East-West Institute has on June 27, 2010, established a Cybercrime Legal Working Group in order to advance consideration of a treaty or a set of treaties on cybersecurity and cybercrime. The members are independent, nonpolitical, nonpartisan, global experts on cybersecurity and cybercrime. The working group is a follow-up of the HLEG work in Geneva and shall develop recommendations for potential new legal mechanisms on combating cybercrime and cyber attacks and develop a consensus building set of proposals related to international law. The United States and European Union have also established a working group in cybersecurity and cybercrime. Among the efforts, I quote, “advancing the Council of Europe Convention on Cybercrime, including a program to expand a session by all EU member states in collaboration to assist states outside the region in meeting its standards and become parties,” end of quote. And the fourth working group is a British Commonwealth working group established in 2011, and we will see what all these four working groups will deliver. Next slide, please. The proposal for an international criminal tribunal for cyberspace is ambitious. It may take some time, but whatever the outcome, something must be done. I started with a quotation and would like to end my presentation with a quotation. Another one, I quote, “Those who fail to anticipate the future are in for a rude shock when it arrives,” from Peter Grabosky of Australia. Thank you very much for your attention.

SHAWN HENRY: Excellent. Thank you, Judge. Our final speaker here on our panel here this morning, Mr. Noboru Nakatani, Executive Director of INTERPOL’s Complex for Innovation in Singapore, effective here in April. Yes. He previously held the post of Director of Information Systems and Technology at INTERPOL’s General Secretary at Headquarters, was a Special Advisor to the Commissioner General of Japan’s National Police Agency, and while at the NPA also served as a Senior Assistant Director for Cybercrime as well as Executive Officer to the Minister of State and the Chairperson of the National Public Safety Commission. He will be talking about INTERPOL and how it assists its members in the cyber domain, on the heels of talking about our investigators, some of our legal issues, and then some of the judicial issues. Sir?

NOBORU NAKATANI: Shawn, thank you so much for your introduction. Good morning, ladies and gentlemen. Let me start my talk by speaking about what INTERPOL is, as I assume that some of you are not familiar with INTERPOL. Then I will talk about what INTERPOL has done to connect police for a safer world, and, lastly, I would like to talk about what INTERPOL will do for a safer cyberspace. Next slide, please. What we can do? As our vision is connecting the police for a safe world, INTERPOL facilitates international cooperation, police cooperation by developing and then delivering a high-tech information services. Some people may see INTERPOL as the organization who has some sort of international special agent who carries a gun and then travels across the world to chase the criminals. That is not the reality of the INTERPOL. That type of INTERPOL will probably exist in the Hollywood movies only. In reality, INTERPOL is not the investigative organization who has authority to open the case and then arrest the criminals. What we ensure is that the police community worldwide has access to the unique global databases of criminal and police information. Let me show you one of the unique databases we have provided member countries, including the United States, of course, and how it works for a safer world. Next, please. INTERPOL maintains the only global repository of stolen and lost travel docs. This database is populated by our 119 member countries and used mainly for immigration process at the airport and the seaport. And just remember the number of the record, 24 million records in 2010 and 31 million records at the end of 2011. Next, please. Just to take a look at the number of searches conducted by member countries, in 2010 our member countries searched this database almost a half-billion times recording more than 42,000 positive matches. What is important is that – oh, by the way, most frequent user in 2010 was the United Kingdom. By 2011, that is the United States. In 2012 so far, the United States is most frequent user. What is important is that this has turned out to be very much effective tools to combat transnational organized crime. What if in the coming years, as a consequence of tighter security of the physical borders, thanks to the INTERPOL SLTD travel document database, more criminals would go to voucher borders. That is our concern. Next, please. Cybersecurity. In fact, the use of the Internet has changed the nature of the policing and national security as well. It is obvious that organized crime groups use the internet in various ways to make profit. Organized crime groups actually buy in cyber exports when needed; for instance, to mask their crime. I can say that we have realized that internet is vulnerable. It is very easy to attack. It is very difficult to secure. I even could say that it was not designed to be secure. Cyber criminals are fully taking advantage of the vulnerabilities of the Internet and evading law enforcement investigations. I presume that most of you here are aware of it. Cybersecurity is a global problem and transnational problem. No nation can ignore it, but at the same time, no
nation can solve the problems of cybersecurity on its own. Global problems need global solutions. Next, please. Then what are we supposed to do in this matter? We at INTERPOL don’t want to see cyberspace become more secure but less free as a result of tackling challenges of the cybersecurity. So this is a truly challenging issue. To respond to it INTERPOL decided to establish the INTERPOL Global Complex for Innovation, so as to better provide our member countries with cutting-edge tools to fight against 21st century crime, such as cybercrime and digital crime. So this complex is now under construction in Singapore. The actual site of this complex is just across the U.S. Embassy in Singapore, just for your information. It is pretty much prime location. This complex will be fully operational in early 2014. Next, please. Complementing the General Secretary in France, this complex is focusing on the following four functions. You can see number one, number two, number three. So through these four functions, it is envisaged that police worldwide will be able to provide their citizens with the same level of safety on the street and on the internet as well. This is our vision. Next, please. Concerning the need expressed by our member countries, we envisioned the work of INTERPOL Global Complex to be grouped into five key activity areas, as shown here. All areas can be more effective together than alone. In particular, international investigation support must be attained with the combination of other four areas. The challenges we are facing in cybercrime investigations are mainly attribution and consequences. It is very difficult to track back the computers used for crime and the very person behind click of mouse. It is very challenging. So in order for law enforcement to better bring cyber criminal into justice, it would be great if we would have internationally accepted or agreed cooperation which enforced the nations to be responsible for their residents as well as the cyberspace in their territory. Perhaps in this context, we may want to realize the notion, there are no borders in cyberspace, and that nations have only minimal law could be wrong. So the governments will have to be accountable somehow for these things. Next, please. In this context of the ICC initiative, we will take the multidisciplinary approach with the key word of “innovation for secure-free cyberspace,” the three piers. We will mention the third one, harmonizing global effort to fight against cybercrime. We don’t need to invent the wheel. We just tried to harmonize existing, ongoing effort taken by various countries, various regional and international organizations. We know that this is a very challenging job, but we should be very much optimistic to make it happen. Thank you.

SHAWN HENRY: All right. Great conversation here with some folks who clearly have expertise in this particular area. I think what I would like to do now, we have got a few minutes here to open it up to the audience and, again, I encourage you to take advantage of our experts here, subject-matter experts, to ask the questions as it relates to either the investigative issues, some of the legislative issues, judicial issues, or INTERPOL generally. And I will start with my friend right here on the left.

ATTENDEE: [Inaudible] from Chun Micro. I have a question about electronic forfeiture. In your investigations and in your efforts to go after hackers as a whole and all of the monies that they trade and they move out of systems, is there no effort to regulate the alternative payment channels or to create legislation that would allow for the electronic forfeiture of the assets that are held by hackers and hacker communities?

SHAWN HENRY: Who is your question to?

ATTENDEE: Anyone that wants to answer it.

[Laughter.]

ZAHID JAMIL: I can speak for my country, for instance, and I can say in some of the Commonwealth countries, you have the similar provision. When I wrote legislation on electronic payments, we took some of the EU legislation and also the EFD Act here in the U.S. and sort of married them in a sense. And there are provisions specifically. There are criminal provisions there that actually allow us to go after people, and it is actually an electronic fraud and forgery provision there, and, therefore, any processes of that crime basically can be seized and forfeited. So I can speak to my country; yes, I’ve made sure that’s there.

ATTENDEE: So the electronic assets themselves can be forfeited?

ZAHID JAMIL: Digital. It actually says electronic and digital. It doesn’t have to be paper. It doesn’t have to be money. It doesn’t have to be checked. We define it as electronic digital payments.

ATTENDEE: And then my follow-up would be, has there been any effort to go after the alternative payment channels or money services businesses that have been complacent in enabling the laundering of the funds associated with cyber?

ZAHID JAMIL: Well, that surely resonates with one of the cases I was partially advising on with our law enforcement, where there was a money changer, not one, but the biggest money changer in the country, and there was an acquisition of terrorist financing. And not only was the regulatory aspect and the licensing that was shut down, but there was actual search, seizure, an operation that was conducted. And they
found there was an parallel system that was running on the back of this license where it was electronic. It was all done through the Internet, and all the evidence was electronic. A lot of people lost money because of that because it just went up in the air, but, eventually, they tracked and traced money down. Those people have been convicted and there are parts of that case that are still ongoing.

ATTENDEE: Thank you.

SHAWN HENRY: That’s a great question. When you talk about threat mitigation and some of the things that we are talking about today, not necessarily the prevention side, but how do you mitigate the threat, impacting the infrastructure is critical and so in the physical world we look at money transfers and how do we impact the adversary by attacking the infrastructure. In financial world – or in the cyber world, rather, you see the exact same thing. In a similar related issue with the FBI, we actually seized domain names and were able to take over command and control servers for botnets and were actually able to impact the threat via seizure, search and seizure in that regard, where we targeted the infrastructure in particular. So a good question. Thank you very much. Another question from the audience? All right. We can only do one at a time now. Please don’t rush to the microphones.

[Laughter.]

SHAWN HENRY: Let me ask a question then, if I could, to Adrian. Chip. One of the challenges that I see regularly in the cyber environment – and a couple of speakers today have alluded to, and that’s attribution. We see oftentimes we are able to identify a particular computer that is involved in some type of a cybercrime or a cyber network attack, but actually identifying the individuals behind that computer is a challenge. I am wondering from the Romanian perspective some of the efforts you have taken in trying to determine attribution against particular actors.

ADRIAN CIPRIAN MIRON: Well, as I said, one of the reasons why cybercrime division was created, it needed to create a good partnership between the public and private sector, and this is a partnership that was built since 2000 with Internet service providers. So I think we can identify in real time – or real time, I am not sure what means real time in this matter – but anyway, we can identify people who try to hide behind an Internet IP address very, very quickly. In our efforts, we always try to find the best way and to learn from our international partners. And I think in Europe things are working pretty well, and we always try to develop our relationship with the U.S. authorities. And we still have many things to do, I guess, in combatting the cybercrimes. We are pretty effective, but in preventing them, not quite, and I am not sure if we can actually prevent something at this level, but I am confident that in the near future we will try to find the best tool to fight this and to prevent it if possible.

SHAWN HENRY: Good. Thank you. We have a question from the audience.

ATTENDEE: Thank you. Jason Healey from the Atlantic Council. I have never worked law enforcement myself and so it’s a question as an outsider. And maybe this is to you, Shawn or Nakatani-san. Being an outsider, it seems like, for the authorities or energy to get involved on Internet policy and MPAA and RIAA kinds of takedowns, I see headlines on that all of the time and have been for 10 or 15 years, very much more so compared to the energy authorizes or takedowns that we see for cybersecurity. Is that a valid opinion, or am I just not seeing some things? So, to summarize the question, are you as law enforcement able to do more if there are movie downloads or music or fake goods than you are for cybersecurity? If that is true, do you think that’s right, and how can we try and achieve some of the success that we do for piracy? Thank you.

SHAWN HENRY: Well, I see them as two separate issues with an overlap and some similarities. Certainly, when you are talking about cyber intrusions, we are talking about, in many cases, the theft of intellectual property. As it relates to Internet piracy and people that are hosting movies and the like, from an investigator perspective, it wasn’t our top priority. We were looking at the people who were targeting. We were looking at the actual actors, the organized crime groups, the individuals that were targeting the infrastructure. If as a result part of that was piracy, certainly we would pursue that, but from our perspective or from the FBI’s perspective – I guess I can’t say “our” anymore; that’s sad, it’s only been 10 days. The top priority within the FBI was always critical infrastructure as the most significant in our clear defense contractors, those that were contributing to the national security of the country and actually the world, and I think our partners were similar. So movies and the like are certainly something that’s important and we’ve looked at. But in a priority perspective, critical infrastructure has always been a much more significant priority. Please.

NOBORU NAKATANI: In terms of the taking down the site, the internet site where it sits from, as you know, the IPR on the internet is simply pathetic. And now the point is simply location of actually where the internet providers are, because now cloud computing is everywhere. We don’t know where the data is. So we need to find out who physically owns it and has it. Then in terms of the cloud computing, at the end of the day, it depends on the physical things, the routers... et cetera, and then all of these things are located in the physical world. And then those things are owned by somebody, and the somebody is subject to the sovereignty of a specific government and the nation. So I would say unless nations are, in a way, responsible for something in their territory, taking down something or protecting something would be very much difficult. That is my view. Thank you.

SHAWN HENRY: Zahid?


ZAHID JAMIL: Yeah. I just want to say quickly that I think that’s an interesting observation, but also let me add: most of my experience with law enforcement being when you’ve got a crime being committed and you are looking at a jurisdiction where that specific type of crime is not criminalized because of the lack of legislation, one of the things lawyers started to – okay, so can we get him on IPR, can we get him on copyright, can we get him on trademark, can we find some other way. So we usually find that when we are going after those kind of actors, that is why copyright and cybercrime really go hand-in-hand with intellectual property. And so you see a fusion there, because if one doesn’t work, the other works, but to go after that person and take it on. A classic example, in an ICANN respect, for instance, it is the issue of resellers. They are not under contract, third parties out there. They may be in jurisdictions that it is not a crime what they are committing. Okay. So what do you do? If they are using, say, some entity, maybe ICANN or somebody else’s, trademark or logo illegally, bang, you’ve got a case. Let’s go after them on that basis.

SHAWN HENRY: We have time for one more question. I’ll start over here.

ATTENDEE: Thank you. Ann Lalena, DTSV. My question is for the Judge and Mr. Nakatani in particular, but I’d like to hear from the entire panel. Could you please, Judge, elaborate on the reaction from governments to your concept of an international cybercrime tribunal? And, Mr. Nakatani, I’d like you to also comment on that in particular, but I’d like to hear from all of you. Thank you.

JUDGE STEIN SCHJOLBERG: My proposal for an international agreement of tribunal for cyberspace has been published. It is one part of the efforts that the East-West Institute Cybercrime Legal Working Group are pointing at. We have five main subjects: international criminal law for cyberspace, a global virtual task force for investigation and prosecution, an international criminal tribunal for cyberspace, cybersecurity issues, blocking out child pornography websites. So this is a process. It is published. I must admit that no government responded to it, absolutely not. But you know that globally, we are in a kind of deadlock. We have areas of our world that agree on the one approach. Other areas do not agree on the same approach, not to mention any kind of nations. So that is why it has been stated previously today it is very important to have dialogues, to have low-level dialogues that try to find a common platform for globally understanding either to expand the Council of Europe Convention on Cybercrime or to take some part of it out or create a new one or whatever, but we need dialogues between all these parties. And it will take some time. We need some experience, bad or good, but we hope in the end that we will reach a global agreement on what kind of measures should be taken in cyberspace.

NOBORU NAKATANI: From my side, to be candid, I am not so much familiar with the concept of international criminal tribunal for cyberspace. We just this morning met together and then this talk came up, but nevertheless, in the context of our new approach, our new initiative, which is the INTERPOL Global Complex for Innovation, actually this complex is designed to promote multi-stakeholder approach in terms of our fight against 21st century crime. So this kind of initiative is very much welcomed and then I believe that we will develop this idea further after this conference or during this conference. Thank you.

SHAWN HENRY: Excellent. I am going to have to wrap up here because we are at the end of our time. I would like everybody just to give a round of applause to our subject-matter experts.





Commercial Perspectives on Cyber Security

Panel 3

Introductory Remarks

Hon. Julius Genachowski, Chairman of the Federal Communications Commission

April 10, 2012 Lohrfink Auditorium Georgetown University Washington, D.C.

Panel Chair

Eddie Schwartz, Chief Information Security Officer, RSA

Panelists

Robert Dix, Vice President, Government Affairs & Critical Infrastructure Protection, Juniper

Dr. Robert Ghanea-Hercock, Chief Researcher, Security Futures Practice, British Telecom Innovate

Rick Howard, iDefense General Manager, VeriSign Network Intelligence and Availability

Jamie Barnett, Rear Admiral (Ret.), Chief, Public Safety and Homeland Security Bureau, FCC

Scott Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit (US-CCU)

Moderator

Dr. Catherine Lotrionte, Director, Institute for Law, Science & Global Security, Georgetown University


COMMERCIAL PERSPECTIVES ON CYBER SECURITY

DR. CATHERINE LOTRIONTE: So before we get started with our third panel, we have a special guest to give a few opening remarks and set it up for our next discussion. Since being sworn in as Chairman of the Federal Communications Commission, Julius Genachowski has focused the agency on unleashing the opportunities of wired and wireless broadband. He has successfully pursued policies to promote investment and job creation, drive innovation, foster competition, and empower consumers. During his tenure, the FCC developed and is implementing the National Broadband Plan, an ambitious strategy to harness the opportunities of high-speed Internet, promote U.S. global competitiveness, and bring the benefits of the 21st century communications to all Americans. The Commission adopted the landmark Connect America Fund, replacing legacy programs with new market-driven, incentive-based policies to achieve universal broadband, both wired and wireless. The Commission is also working to harness a new nationwide mobile emergency alerting system, which would include an interoperable nationwide mobile broadband network for first responders. Thank you for taking the time to come and give us a few remarks today. Over to the Chairman of the FCC.

HON. JULIUS GENACHOWSKI: Thank you very much for the introduction and then the much more important organizing this conference and bringing together such a distinguished group of people from multiple parts of the ecosystem to focus on scoping the problem and solving it. I’m happy to be here with Admiral Jamie Barnett, who has run our Public Safety and Homeland Security Bureau for the last 3 years and has been instrumental in the things that I’m going to talk about in these brief remarks, ahead of what I know will be a terrific panel.

I don’t know if Ambassador McConnell is here, but I should apologize publicly for being late yesterday. I did have a good reason, and we were able to announce it today, and it’s an initiative that it’s not unrelated to what we’re talking about at this conference, but we worked on some solutions to the problem of increasing Smart Phone theft, and if you don’t care about this in your cyber hats, you’ll care about it in your individual hats. The increasing rate of stolen Smart Phones is very scary. In Washington, D.C., it’s gone from about 8 percent of crimes 5 years ago to over 40 percent, similar statistics in New York and Philadelphia. And it makes sense, right? Smart Phones are minicomputers, they have tremendous value on the black market, and if someone can steal them, resell them, and they can be used on other networks, of course, they have value, and a rational thief will make use of that. So we announced today, with the wireless industry, that we’re moving forward in the United States with a database to block stolen cell phones on any network in the U.S. I have to say the U.S. wasn’t first in this. The GSMA in Europe, the mobile association in Europe, has done this, and it’s actually been very effective, particularly in the U.K., but we announced today with the wireless industry that we’re doing this in the U.S., and so over the coming months we’re enabling consumers and carriers to call stolen cell phones to be rendered as worthless as an empty wallet. Also, the wireless carriers are going to enable automatic prompts on Smart Phones to enter passwords and to be able to lock them, and we’re launching an educational campaign so that consumers are aware of the applications that exist that allow them to remotely locate, lock, and wipe their devices, not unrelated to cybersecurity, but let me talk about cybersecurity from the FCC’s perspective.

Now, tackling the challenges of Internet security is, of course, extremely important, as everyone here agrees. It’s so important, not just because of the threats and not just because the threats are so big, but because the benefits and opportunities of the Internet are so big. So broadband Internet over wired and wireless networks has transformed our economy and society, opening up a new world of opportunity. Eight trillion dollars now are exchanged over these wired and wireless networks each year, growing. The Internet is driving productivity gains, economic growth, job creation. If you shut down the Internet already today, you would shut down our economy. That’s both the good news and the bad news, which is often the case with new technologies. They present vast new opportunities and new dangers, and the challenge is to tackle the dangers without undermining the opportunities. It’s not an easy challenge.

One of the first steps, I think – and I know many of you have been working on this – is to break down the challenge into categories that allow for discussion and problem solving. And one division of the threats is into three categories of networks; it’s not the only way to look at it, but we found it instructive. The first is government-owned networks. The second is the networks that sustain vertical industries like financial services in our energy grid. And the third is commercial networks, wired and wireless, which are what most Americans are using every day to send e-mails, pay bills, shop online. Commercial networks are also increasingly integrated with the second category, vertical networks of critical infrastructure. And in more and more ways we’re seeing commercial networks integrated with the first, government-owned and operated networks. At the FCC, we’ve been focused on the third category, commercial networks, which I understand is a subject for the panel that will follow me, and as the nation’s expert agency on communications networks and technology, the FCC has always had as a fundamental part of our mission the security and reliability of commercial communications networks.

In developing strategies and initiatives that tackle the cyber threats while preserving the opportunities, we’ve sought to identify key values that have fueled the Internet’s growth and success. That means strategies that preserve Internet freedom in the open architecture of the Internet; it means preserving privacy; it means acknowledging that what some see as a fundamental divide between privacy and security is a false choice, that in fact they’re complementary and that we need to do both. A third key component for problem solving in this area is the multistakeholder model, symbolized in part by this conference. Solutions to cyber threats require the many stakeholders of the Internet community to work together and develop practical solutions to secure our networks. The goal is solutions, not regulation, and it’s important to keep focused on the goal. And the history of the Internet tells us that the multistakeholder model can produce real solutions to a vast array of challenges.

With that in mind, let me describe two FCC cybersecurity initiatives. First small businesses in cybersecurity. Last year, working with the Small Business Administration, the Chamber of Commerce, the National Urban League, many private technology companies, we developed and released a cybersecurity tip sheet for small businesses describing a number of commonsense steps small businesses can take to increase their security. Password protecting your Wi-Fi is one obvious example. Working with our partners, the FCC also released a tool, an easy to use tool, we call it a Small Biz Cyber Planner to help small businesses develop a customized cyber plan, and along with our partners inside and outside government, we’re working to expand the distribution of this tool and the tips. Now, yes, this is low-hanging fruit, but it’s important, and it’s one of the points that I wanted to make, which is that there is a lot of low-hanging fruit to tackle in addressing cyber threats, and we can’t let the larger and more complex challenges keep us from making practical progress on low-hanging fruit.

The second area of FCC activity, ISPs and cybersecurity. In March of last year, I tasked the FCC’s Communications Security, Reliability and Interoperability Council, we call it CSRIC, with making recommendations to help address three concrete challenges that our work and the work of others had identified in the cybersecurity area: botnets, domain name fraud, and Internet route hijacking secure BGP. This was a deliberate choice on how to proceed: one, deploying this advisory group for this purpose, that had been an advisory group that had been up and running for a number of years and had been a proven vehicle for bringing together different players from the private sector, different players from government agency in developing recommendations and solutions to problems; and the second thing is I gave them three concrete areas in which we wanted progress and solutions. I encouraged this approach to others. I fear that a “boil the ocean” approach is less likely to lead to material real-world progress and that sometimes in this area it’s what we naturally fall back on.

Now, as I mentioned, CSRIC, our advisory council, is made up of industry leaders, academics, engineers, federal partners. Its membership includes companies working every day to build and expand Internet infrastructure and services from Verizon and Comcast to Amazon and PayPal. It includes experts like Internet pioneers Steve Crocker and Michael O’Reirdan. I saw Melissa Hathaway here earlier, and she was extremely helpful in this process. I don’t remember if Melissa was a member of CSRIC, an advisor. And it includes federal experts from multiple agencies as well as representatives from state and local public safety entities. We formed and tasked CSRIC in March of 2011, and last month CSRIC issued a series of smart practical recommendations on the three issues on which they were tasked to address. Solutions consistent with the principles I outlined earlier in these remarks.

On botnets, CSRIC developed a voluntary U.S. anti-bot code of conduct to reduce the threat of bots in residential broadband networks. The code includes concrete steps to better detect bots in customer computers, to notify consumers when their computers have been infected, to educate consumers, and to remediate. On domain name fraud, CSRIC endorsed new steps toward implementing DNSSEC, as you’re all aware. In particular, CSRIC recommended that ISPs use DNSSEC to give their customers the ability to validate the services they use on the Internet. On Internet route hijacking secure BGP, the CSRIC report called on network operators to develop and adopt new technical standards that will secure Internet routing. Standards would establish an authoritative registry that will enable ISPs to validate the authenticity of routing information, securing the foundation of trust between networks, which has been so essential to the Internet success.

Now, CSRIC laid out a concrete plan for action in those three key areas, but we were able to accomplish more than that. In conjunction with the issuance of the CSRIC report, ISPs that serve roughly 80 percent of our country’s Internet users committed to implementing the recommendations, and today I’m pleased to announce that two more major broadband providers, Cablevision and Charter, have signed on, committing to implementing the recommendations as well, bringing the share of American broadband consumers who have enhanced online security to about 90 percent.

Now, of course, technology continues to change, consumer behaviors continue to evolve, new cyber threats will develop. The bad guys won’t stop innovating, and that means the good guys can’t stop innovating either. I’m hopeful that the path and process we worked through can be an effective model more broadly, bringing together multiple stakeholders outside and inside government, charging them with solving concrete problems and honoring core values we want to preserve. Now, I hope that this panel might address some questions that we are asking ourselves. How can we increase the chances now of success of the botnet, DNSSEC, and Internet route hijacking initiatives? How do we measure performance? What are the metrics? What new threats are emerging as networks evolve and as mobile broadband becomes more ubiquitous? In what other areas can the FCC be part of the solution? I look forward to hearing the panel’s thoughts on these and other topics. Working together, I am confident that we can make a real difference in increasing the security of the Internet and harnessing its enormous opportunities; we have to. Thank you.

DR. CATHERINE LOTRIONTE: Short and sweet. So for our third panel of the day, we’re going to hear from a variety of perspectives focused on the commercial aspects of cybersecurity. I want to introduce the moderator and chair for the panel, Mr. Eddie Schwartz. Eddie is Vice President and Chief Information Security Officer for RSA and has 25 years of experience in the information security field. He has advised a number of early stage security companies and has served on the executive committee for the Banking Information Technology Secretariat. Mr. Schwartz has a BIS in Information Security Management, and an MS in Information Technology Management from the George Mason University School of Management. Eddie, thank you very much for taking a lead on this panel, and I look forward to hearing what you have to say.

EDDIE SCHWARTZ: Thank you. All right, everyone, good afternoon, and welcome to our panel. I would like to start out by introducing my esteemed panelists, who are nicely in the order of speaking as well. First of all, Mr. Scott Borg, who is the Director and Chief Economist of the U.S. Cyber Consequences Unit. Mr. Robert Dix, but you can call him Bob, is the Vice President of Government Affairs and Critical Infrastructure Protection for Juniper. Third is Mr. Rick Howard. He is the General Manager of the iDefense Business Unit at VeriSign Network Intelligence and Availability. Dr. Robert Ghanea-Hercock, Chief Researcher, Security Futures Practice, British Telecom Innovate. And finally, Rear Admiral (Retired) Jamie Barnett, Chief Public Safety and Homeland Security Bureau of the FCC. Thank you, gentlemen, for joining me here.

I’m going to start out by making a few remarks to set the stage, and then each panelist will have a few minutes to talk about their perspectives on the issues that are of interest to them. After they do their presentations, other panelists may have some comments or choice words about some of the comments of the other panelists. I would encourage you during that time to think about any questions you may have because after these initial sessions, we’re going to open it up for discussion among everyone in the room, so, please, I encourage you to start thinking about anything that you’ve heard that you want to expand on, challenge, ask questions, take an opposing viewpoint or agreement, what have you.

So our panel is on commercial perspectives in cybersecurity, and I think some of the things to think about here are, first of all, where we are today. Organizations, whether you’re in the government, commercial sector, we’ve all spent billions of dollars over the last few decades on cybersecurity. You could think about technology that we’ve invested in, people that we’ve trained, processes that we’ve created, things that we’ve done, and if you look around, though, today, sometimes it appears that it’s a bleak picture, whether it’s issues related to nation-sponsored attacks, criminal groups, the latest anonymous hacks, what have you, it feels like we’re failing in some way. We thought we were okay, but I guess we’re not. So what’s really going on here?

For a long time, most of us that have been in this business have been trained in this notion of defense in depth, and I think many people took the defense aspect of that term a little bit too seriously. The defense seems to come out as this notion of sort of pre-breach tooling, if you will, and so let’s do everything we can to keep the bad guy out, let’s develop these complex processes, complex technologies, and throw all the investment at everything we can to stop bad things from happening, and we, as commercial vendors of technologies and as builders of these processes and as trainers of your security people, have certainly contributed to that as well in terms of encouraging you to do things and to invest in all of these things that are going to prevent bad things from happening, but we know, again, that this has been marginally effective related to advanced threats specifically.

If we were to rethink defense in depth for today, there are a lot of things that, as many of you that have been breached or know organizations that have been breached – I joined RSA right after our big breach last year – the new aspect is sort of, what do you do post-breach in an organization? So how do we start thinking about, what is the right balance between things that are designed to prevent bad things from happening, and how do we get visibility into the inevitable compromise that’s going to be happening to us? How do we take all of these data that we have within our organization and encourage other organizations, whether it’s the government, commercial entities such as some of the players that you see here today, to share that information? Once we have it, what do we do with it? What does big data mean in this context and what do you do with all that once you start to get it? What do we do about some of the competing interests that are out there? When we think about data sharing and we have law enforcement, intelligence, other priorities that are out there, and how do we develop a policy framework that’s appropriate?

So a lot of questions on the table, and I know that our panelists are eager to talk about it. So what I’m going to do is start off by turning over the floor to Scott Borg, who is going to talk a little bit about his perspective on some of the commercial aspects of this problem.

SCOTT BORG: This has been a very impressive gathering with a lot of very important people, and I’m impressed,

[ 21 5]


COMMERCIAL PERSPECTIVES ON CYBER SECURITY

really genuinely impressed, by the assemblage of people here. I wanted to say that right away because I want to tell you about a very strange image that keeps coming to my mind as I’ve been listening to these discussions and comments both today and yesterday evening. I have the feeling, I’ve been having the feeling, that I’ve been listening to the tail of the dog talking about its ideas for wagging the dog. Now, if you’re the tail of the dog and you want to wag the dog, that could be a very commendable ambition – in this case I think it is – but there are at least three things you should be aware of. First of all, you should be aware that you’re the tail of the dog, not the dog’s nose or the dog’s head or the dog itself, and I’ll explain that a little bit. Second, you should be thinking about the dog and what the dog is doing; what’s going on here? And third, you should be thinking about where the dog is going, where the dog is headed next. If you want to change the behavior of the dog, if you want to redirect it, you should be thinking about where it’s galloping off to right now. Now, the dog in this case is global business activity, it’s the global economy, it’s all of those businesses out there that are creating value. The thing that’s directing the dog, the thing that determines where the dog is going, are the business opportunities in front of the dog, the business opportunities that the dog is off to cease, and these are business opportunities not just for the general creators of value that we all admire but also for potential cyber attackers. The government agencies and departments, the legal institutions, all of the different groups that are very

[ 2 1 6 ] Georgetown Journal of International Affairs

well represented here by very articulate spokespeople are so small compared to the global economy, they’re so small compared to the dog itself, that it’s really important for them, if they want to shape the behavior of that dog, to get a sense of proportion. If you’re in Washington, which is very much a company town, you’re associated with the U.S. Government, you feel like a big dog, you feel like you yourself are the big dog. If you’re in Silicon Valley, if you’re out there in the private sector, and you’re looking at the Federal Government and the Defense Department, it doesn’t look so big. The whole Federal Government and the whole Defense Department is maybe 5 percent of your market if you’re a global IT company. The activity of these businesses have been responsible for all of the deployment of information systems that the government and the Defense Department and everybody else uses. The economics of this has been responsible for where all the vulnerabilities are and what vulnerabilities are out there. The big thing that’s shaping this landscape and changing the way it’s going to look in the future are the seizing of these business opportunities. It’s not the new technology internal to security, it’s not any of the people that are speaking at this event that are shaping this. The landscape is being shaped by, as we move on, what can we do to create more value? We’ve had references as we’ve been talking to Smart Phones, to mobile devices, to all kinds of things that have come along that weren’t here 3, 4 years ago. In 2, 3 years from now, we will have a whole other set of things coming along with a whole new set of


concerns, and they won’t have been things that we shaped or created, those of us in this room, they will be things that the developing world business has shaped. I will mention three things that will be shaping things, that have been shaping things already, and will even more in the years to come, to give you an idea of what I’m talking about. If you take a tour of our economy, our industries, you can find lots of places where there are facilities that are not being used very much of the time or to a very large extent. It’s particularly conspicuous on the Internet. We have a huge amount of capacity developed by companies like, say, Amazon to deal with the peak shopping days before Christmas and most of the rest of the year that capacity is not being utilized. We have recently discovered that via cloud computing Amazon can do everybody else’s computing with that unused capacity the rest of the year. We have electrical generation stations that are built to cope with peak demand in afternoons of really hot days, and the rest of the time most of that capacity is not being utilized. So we’re now using dynamic pricing to start shifting the utilization of that capacity from the peak times to the trough times, to the nights and other times when it’s not being used. They’re applying the same strategy now actually to parking in San Francisco, dynamic pricing to utilize that better and so on. We’re doing this throughout our economy. All of the cases where we’re doing this, it is being made possible by new information technology, and everywhere we’re deploying that technology, we’re creating new vulnerabilities. And a lot of the deployment of these new technologies,

a lot of the seizing of these business opportunities, is already being held back by security concerns; it’s the main thing that’s been holding back cloud computing. So security technology here is an enabler of value creation; it plays a role in the bigger picture, in the picture of where that big dog is going, and it’s an important role, but it needs to be seen in that context. Two other examples before I sit down here. There are eight, eight that my colleagues and I have been able to identify, and I’m just picking three to give you the flavor. Mobile information support means not being able to access information from wherever you are, it means pushing the information out to any employee to make that employee look like a genius, to give that employee the answers that that employee needs, the guidance they need, whether they’re a maintenance person, whether they’re a retail person, whether they’re a medical person, whatever they are. Again, this is something that is producing huge deployment of new information technology, it’s creating enormous vulnerabilities, it is being slowed down already by security concerns. It is one of the things shaping the landscape of security now and for quite a few years to come. Third one, information-rich markets. Traditional markets, the kind you learned about if you ever took ECON 101, commodity markets in effect, Adam Smith markets, from an information standpoint are very crude. Markets match customers with suppliers. Traditional markets matched customers with suppliers using only three variables: type of product, quantity,

and price. So once you specified type of product, you’re only using quantity and price. That’s why supply-and-demand curves of the kind you’ve seen work. That’s not how we match customers and suppliers anymore in the modern economy; we do multivariable matching. We do multivariable matching, sometimes it’s automated, we do it all the time by just supplying customers with a huge amount more information about their suppliers, and vice versa. We build up profiles of suppliers and profiles of customers. We do better and better matching utilizing these. This is one of the biggest creators of value already and will continue to be for the years to come. This is an enormously powerful tool. The profits of Google, of Facebook, of companies like that, are just a tiny sliver of the new value being created by this. It’s not about targeted advertising. If it were about targeted advertising, we wouldn’t be able to explain how much money these companies are already making. It’s about better matches between customers and suppliers. Once again, this is creating whole new sets of vulnerabilities, new opportunities, and already it, too, is being slowed down by security concerns. A lot of what we hear about is “big data.” One of the big catchphrases right now in cybersecurity and in IT in general is about information-rich markets and utilizing them better. So in all of these cases, we’ve got a landscape that is changing, problems that are changing, security issues that are arising, old ones that are fading away, and it’s not being driven by the tail here that wants to wag the dog, it’s being driven by the onward rush of

the dog. So if we want to be relevant, not talking about stuff the dog has already gone by, if we want to talk about what’s going to matter over the years to come, if we want to be dealing in any effective way with any of this, we really need to be talking about the big event here, we need to be talking about global business and where it’s headed. Thank you.

EDDIE SCHWARTZ: Bob Dix?

ROBERT DIX: Thank you. First let me say thank you to Catherine and the planning team for putting this conference together. I actually over last night and today have been somewhat encouraged by some of the honest dialogue that I have heard, some tip-toe jobs –

[Laughter.]

ROBERT DIX: – but, by and large,
a lot of honest dialogue, and I would argue that that’s what we need in this country today around this topic, and around the globe, is a true national honest dialogue about this challenge. Remember, the bad guys aren’t sitting around having meetings and discussions like this; they’re about their business. So cybersecurity truly is a shared responsibility, yet oftentimes the rhetoric doesn’t meet the reality. Present cyberspace policy review released in May of 2009 reaffirmed the need for the public and private sector to work together to meet this national and economic security challenge, yet today, even in discussions around this room at times, there are people in elected and appointed positions that


would have you believe that businesses, including critical infrastructure owners and operators, are intentionally and maliciously ignoring risk and willfully putting their business viability and shareholder value, where appropriate, in jeopardy by failing to properly invest in the information systems and assets that they own. This has even extended to discussions that include the electric grid, water systems pipelines, et cetera. Does any rational or even reasonably intelligent person really believe that? Why do we continue to seem to want to

blame the victims and make our decisions based on hype and hysteria? We read sometimes the headlines about high-profile breaches. What we don’t read about is the hundreds of thousands of exploit attempts that are repelled every day by those of us that are in this business, largely delivering a resilient capability each day. There has been a failure in a responsibility to share relevant threat information to inform the risk management decisions oftentimes as a result of classification, antitrust, or other antiquated laws that inhibit the ability to actually collaborate on building situational awareness that would contribute to an ability to improve our detection, prevention, mitigation, and response, to issue timely, reliable, and actionable alerts and warnings, and even recommended protective measures. A lot of the discussion between last night and today has been around addressing that legal framework and identifying where the gaps are that we need to address. That’s a great step and I think the answer to the question about, “Where is that in the legislative initiatives that we’re dealing with today?” was a very insightful answer. I would argue that in some cases that this discussion has even been turned into an ideological dialogue about the role of government. Some are advocating a new burdensome bureaucratic regime of regulation and compliance over the private sector critical infrastructure owners and operators as a means to address this. I would argue that by the time we put something like that together, it will be obsolete, and it wouldn’t do anything to make it safe or more secure. In fact, what we need to do is protect the ability of the private sector to continue to invest in research and development and the innovation that is delivering solutions into the marketplace that provide us hope of meeting this challenge. I would argue that the market is delivering innovation at an unprecedented pace in our history. But to build on some of the comments that Scott made, part of the challenge, not all of it, but part of the challenge, is in technology adoption. We haven’t sufficiently made a business case for people to understand why they

need to invest. This gets back to the issue of sharing information and building situational awareness. We need to have an honest discussion about the economic inhibitors to greater adoption of technology solutions. In today’s economic climate, if the decisions are around investing in inventory, investing in people, or investing in security, it’s a tough dialogue, a tough discussion, that people have to have. Additionally, we need to protect the ability of the private sector to be fast, nimble, and agile in responding to an ever-evolving and growing threat. In some of the discussion we’ve heard about working more closely with the ISPs. Heck, I have a chance of working with many of the folks in that community every day, and there’s an appetite there for being a part of the solution, it’s oftentimes characterized as part of the problem, but there are some inhibitors that we need to have an honest dialogue about addressing in order to make that work better. How about a national education awareness campaign that’s comprehensive and sustained? Instead of a 1-month effort Cybersecurity Awareness Month, how about a sustained national education awareness campaign that helps home users and small businesses, some of the work that the FCC is already doing and that others are doing to build that sustained and comprehensive capability to help people understand better how to protect themselves? Many of us have been involved in trying to build a true joint integrated, public-private operational capability around cyber to improve upon that detection, prevention, mitigation, and

response capability through enhanced situational awareness in times of steady state and times of escalation, a National Weather Service type capability with data feeds that provide us input in real time or near real time that give us a vision as to what’s going on in the network community. We have tried to integrate – by the way, the private sector conducted a pilot project and demonstrated an ability to share information across a number of critical infrastructure sectors, but when we tried to integrate that capability with our friends in the Department of Homeland Security, then all of a sudden the lawyers came to the front and said, “We can’t do that. If part of you are involved and all of you are not, there is a competitive advantage, there are antitrust issues, there are other issues,” and so we can’t do it. This has to be addressed, ladies and gentlemen. Tactics like secret classified exercises intended to scare people and drive the hype is not contributing to the solution around this situation and this subject. Many arguments have been made since last night and today that the theft of intellectual property presents one of the most significant global, national, and economic security threats to our mere existence. We have to take this seriously and we have to work together to address it. The FBI, DOD, and others claim cybersecurity is potentially becoming one of the greatest risks to our national security. Why aren’t we doing more to call out the perpetrators? It’s easier to blame the victims than it is to call out the perpetrators. Now, I understand some of the challenges of that, but, quite honestly, this is where we need to


get with this dialogue. We hear a lot about supply chain risk management, yet as we sit here today, one of the challenges remains that our colleagues in government, as a result of cultural issues, driven by cost and schedule performance assessments, are buying from untrusted sources as we sit here today to save 5 cents on a widget. There are policy directions that we can implement around how we improve the ability to secure our supply chain both in the public sector and in the commercial sector. Frankly, the question has to be asked, if the DOD and NSA and DHS are not able to prevent intrusions and theft of sensitive information, then why do government decision-makers believe that industry is better equipped to do that on their own? I come back to where I started. This truly is a shared responsibility, and, frankly, as we’ve also discussed over the last day and a half, we have examples that we can point to that when we work together, that we will put down the veil of the impediments and the reasons and the excuses that when we actually identify risk and when we share relevant information, that we come to the table with ingenuity and innovation that has been part of the basic fundamental foundation of this country since it was formed. We can and we must do more. Our nation is counting on us to get it right. Thank you.

EDDIE SCHWARTZ: Rick Howard?

RICK HOWARD: Bob, I’m depressed. Okay? Man, oh, man.

[Laughter.]

RICK HOWARD: Bob was talking about doom and gloom kind of stuff. I want to talk about a couple of things that the commercial sector is doing right now that is having some success, but before I do, I always want to get a sense of how technical the audience is. This is a pretty mixed crowd. So show of hands, how many people have at least one Smart Phone on their person right now?

[Show of hands.]

RICK HOWARD: How many people have two? It can be any iPhone, Android.

[Show of hands.]

RICK HOWARD: Oh, you’ve got two. Okay. How many have two and some sort of pad?

[Show of hands.]

RICK HOWARD: Okay, three. How many people have never written a letter by hand?

[Laughter and show of hands.]

RICK HOWARD: Okay, this is
probably over your head, ma’am. Okay, so, all right. So I deem you guys are technical enough to understand what I’m going to talk about. In iDefense, we have this notion of a cybersecurity disrupter, and there is a collection of these things. These are new technologies, new policies, new ideas coming down the pipe in the next 10 years that

are going to fundamentally change how we protect the enterprise. And for the last 15 years the way we’ve done it over and over again has been pretty much the same; the list of best practices have not changed that much. You’ve got a firewall, you’ve got an antivirus engine in the premise somewhere, you’ve got an intrusion detection system, and some other stuff, but that’s pretty much it. Okay? But in the last couple of years we’ve seen a couple of innovations that I want to talk about, and the first one is this notion of a perimeter defense is a myth, and everybody in this room

knows that that’s in the cybersecurity business, but what has changed in the last couple of years is that business leaders, commercial business leaders, are beginning to talk about it public and recognize it. And what I want to talk about is with all the breaches that went on last year, I think at iDefense we tracked 700 breaches, that’s just the stuff that was in the news, that’s not the things that are going on that no one has known about. That means you’re pretty much going to get owned by somebody. So that means the perimeter defense is not working, and we need to redefine what success here is with our perimeter defense. It’s whether or not you’ve been breached, but it’s whether or not that any damage was caused. Have they got in, have they taken your intellectual property, and have they gotten out? If you look at those 700 breaches we tracked last year, you will talk to each of those corporate leaders and you will see that they are pretty satisfied with the way they handled the breach in their own environments. You were one, we were one. We were pretty happy the way we handled it. So that’s the notion, that the perimeter is not sacrosanct, that you’re going to get breached at some point, and that just caused some innovation about how my customers have watched their networks. The one thing that we have seen change this last couple of years is that they have accepted that their perimeter
is going to get breached, but now what we’re going to do now, if you make that assumption and you say that’s going to happen, what can you do instead? Most of my customers now are watching traffic as it leaves their network. They are building automation platforms to watch where documents leave different places, watch PowerPoint documents go to different places, and as they see that happening, they can decide and discover patterns that shouldn’t be there. Should Rick Howard be sending a Word document to someplace in China? And if that’s happening at 3:00 in the morning, maybe that shouldn’t be happening at all. And my customers are having huge success tracking that as the attacks are happening and shutting them down as they are happening. So we don’t have to have a perfect record at the perimeter, we have to kind of back


up, take a hit, and then watch what happens and see if we can shut it down in action. So that’s number one. The second one that I’ve seen, and this is a new one, this has come up here in the last year. I was out at RSA a couple of weeks ago, I was a panel member to a pre-SSO conference, there are about 250 SSOs and CSOs and thought leaders that have been meeting at RSA for the last decade before RSA, and they did a poll of the audience, and they said, “How many people have established their own intelligence programs?” And what I mean by that, an intelligence program, I mean this is not buying somebody like iDefense intelligence services, this is they have established their own intelligence program inside their organization that is separate from the IT guys and separate from the security guys, a group of folks whose job it is to collect intelligence information from their own internal networks, from their signals capability, from all their hardware and software that’s running on their networks and collect sources from the outside in order to inform business leaders about how to protect their network. This is a new thing and it’s something that is very positive, I think. It’s a new development in our arsenal, it’s a new change to how we’re going to do it, it’s one of our cybersecurity disrupters. All right, so those are two things that I see positive for my commercial customers. They’ve decided that the perimeter defense is not sacrosanct and they are doing things about it and they are building intelligence capabilities inside their organizations to help them defend better. So I find that as positive. That’s all I’ve got.

EDDIE SCHWARTZ: Rick, do you remember the stat on how many people did set up their own?

RICK HOWARD: Thirty percent, thirty percent of the 250 did.

EDDIE SCHWARTZ: Okay. Thanks. Robert?

DR. ROBERT GHANEA-HERCOCK: Okay. Thank you very much.

EDDIE SCHWARTZ: Do you have your slides?

DR. ROBERT GHANEA-HERCOCK: Yeah. Thank you, Catherine, for the invitation to speak. A little brief background. So British Telecommunications, I work for the major U.K. ISP, Worldstar global network provider and a major sort of security services provider. That’s the sales pitch over.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: I’ll talk a little bit about something called project Saturn, which hopefully you’ll find interesting, but before we get to that point, I think the key issue is it was mentioned this morning, someone used the word “ecosystem.” Fundamentally, what we’re dealing with is a complex adaptive system, that’s what cybersecurity is. That’s why it’s a problem: it’s continuously adaptive. Whatever defenses we take, the adversaries, the bad guys, are adapting and will always adapt. Yeah? There is incentive, so there is a response, and

the whole thing is a complex adaptive system. Until we have that in our mindset, we tend to take very much a linear polar-driven or single technical approach to it, and this is why we fail. That’s one dimension. A second dimension is, as was mentioned earlier by the panel, it’s a big data problem. I can tell you, so even just within our company, we’re dealing with petabytes of data, with log data, security data, of captured data. This is a lot of data. And if you’ve got a book of a petabyte, it will take you about a million years to read it. Okay? It wouldn’t go well on your Kindle.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: So it’s a lot of data. It’s like trying to find a needle in a haystack, only it’s worse than that because it’s not a needle, it’s like a bent piece of straw in a haystack. It’s a slightly perturbed piece of straw that’s the malware, that’s the problem. Yeah? So you can see that there is a real technical dilemma here for us to handle this. And, of course, you’ve got to do this in real time, at low cost, that meets the needs of your client.

Can I have the next slide, please? So I manage a research program in our company, and this research program is trying to address some of these issues. We’re trying to throw some smart techniques at the problem, how to address this complex adaptive systems issue, but specifically how to deal with this big data problem, and we’ve built various visualizations, various toolkits. It’s a bit dull. I can tell you afterwards if you’re really interested, if you’re that much of a geek. But you get the idea. You can actually start to view the data. If you could go to the next slide, please. It gets more interesting. So this is an example of data from one of our observed networks, if you like. And we can start to build tools that actually drill down into that data and give you an intelligent view of what’s going on. One of the key aspects is that there are various intelligent algorithms underneath it that automatically process the data. The attacks are coming in real time, and the attacks themselves are automated, and so in that typical time, it can be 10^-4 seconds, 10^-5 seconds. I’m sorry, I’m bright, but I don’t think in 10^-5 seconds. 10^-5 seconds I sometimes think in, but I’m not that fast. So we’ve got to automate the defenses. Next slide, please. I apologize for the small font. This is kind of deliberate, so you can’t see that, but –

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: But this is an analysis of some of the log data from particular networks. This is real data, by the way. And what you’re seeing here is sort of the tools we’ve got doing the automatic analysis, the automatic categorization, what’s inside these – the malware inside this particular network. If that doesn’t make sense, the next slide will. Right. Okay? Okay.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: Hopefully even the policy people in the room can understand this.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: Sorry.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: Who went, “Boo”?

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: So you’ll notice there is a certain asymmetry to the image. So basically the red nodes are servers that have got some kind of malware on, so we’ve sensed or detected in that particular client network, there was some malware in that particular node, and the green nodes are the attacked nodes, and the lines connecting them are basically – this is a few minute time period where you can see where the attack is coming from and where it’s going to. Okay? Now, I should say these visualizations are real time, they’re dynamic. When you have an analyst looking at this kind of view, they can drill down into it, they can filter it, they can even track this in real time. But at least you can see what’s going on. It’s no longer just bits and bytes or IP addresses or very low-level information. Yeah? So you begin to get a much higher level picture of what’s taking place.

Okay, next slide. More details. So you can drill down into that. Next slide, please. Okay.

So if you’re interested, afterwards catch me. I have a workshop in London. There is one in the Royal Society this June. If you’re interested in coming along, speak to me, and that workshop is all about this issue of complex systems approaches to security. We also used to run that event down in the Santa Fe Institute, New Mexico. I should say the U.S. has a great resource there in Santa Fe Institute that’s done some interesting, very interdisciplinary work, so bringing biological metaphors, biological models, looking at the sociology and the psychology, the economic dimension of these kind of attack problems, so that there is some really good research going on in the U.S., probably much deeper and broader than we have in the U.K. at the moment. There is a personal blog and a couple of links at the top.

Thank you very much.

EDDIE SCHWARTZ: Thank you. Jamie?

JAMIE BARNETT: Thanks, Eddie. And, Catherine, thanks for putting me on this august panel. I’m glad Robert went right before me so I’m not the only person on the panel that doesn’t have an American accent.

[Laughter.]

JAMIE BARNETT: And, Scott, I appreciate also being compared to a dog’s tail. As a federal regulator, that’s an anatomical step up for me.

[Laughter.]

JAMIE BARNETT: So as a representative, I work for Chairman Genachowski, and really what my talk is going to be about is: What is a reasonable and helpful governmental role in securing an industry that basically is 90 percent
plus owned by the private sector? And the FCC doesn’t play a broad role here, we don’t do cyber defense, we don’t do cyber incidence, but we are very interested and always have been in the security and the reliability of communications networks. Now, in conversations that we had before this week and then last night, there has been a lot of discussion about a new legal framework for this, and I think that’s absolutely, as Bob mentioned this, I think there is a great deal to be said about that. And even before that, though, I would say we have to have some new mental models about cybersecurity. Right now we’re pulled between different poles, and it’s not just necessarily bipolar, you know, it’s truly a dilemma in a lot of different ways. The Internet must remain unfettered on the one hand, but we must secure the Internet on the other. We want to protect privacy on one hand, but we really don’t want anyone with the authority to protect privacy on the other. We want the Internet to be an engine of continued economic growth, free of regulations; on the other hand, we can’t sustain the loss of trillions of dollars over time from our economy. So we’re pulled by all of these things. So as far as new mental models – and, of course, I’m a Navy guy, so I’ve got to have an analogy to the sea, but I do think of the sea as an analogy. In the 1300s and 1400s, the Spanish and the Portuguese, building on work that the Arabic culture did at the time, developed new navigational devices, the astrolabe and in combination with a magnetic compass, in essence, it opened up commerce via the oceans, and the reason is that, sure, you could sail out, but you

always wanted to be able to come back, and so that increased the reliability a great deal, and opened up a global commons, and we still use the phrase today to talk about the wealth that it created, “My ship has come in.” It also opened up a brand-new trade that became very profitable, piracy. It was a great deal, and it continued and flourished really until the nations developed capabilities and laws internally, and then working with other nations to combat this. And we still have piracy today. I can’t recommend it to you as a profession because it’s just not as rewarding as it was at first. But the oceans are still an amazing commons, a source of commerce, and so perhaps as we look to mental models, we would have one that preserves openness and innovation but we really shouldn’t be afraid of guidelines, rules, conventions that provide sanity, protect privacy, property, and security. Now, in approaching this at the FCC, we really did think about the proper role of government, and we observed some key principles, and we would commend these to you. First, we want to ensure that the broadband economy remains the engine of innovation and growth, increasingly available to the public. Number two – and the Chairman made reference to this – sacrificing privacy or Internet openness for security is a false choice. We have to have all of that. We have to have openness, we have to have security, and we have to have privacy. Third, we really do believe that we must preserve the multistakeholder model to tackle Internet issues like cybersecurity. Stakeholders from across the ecosystem will need to work together on these problems and the problems that come


in the future. Fourth, we should seek smart, practical, voluntary solutions through cooperative efforts to achieve cybersecurity wherever it is possible and effective. And then I know this is an international audience, but within the United States, and I suppose within other countries as well, the federal partners must work closely together really in a whole government approach. We need to bring all of our talents to bear. And we really can’t afford to leave anybody on the sideline on this or to pursue uncoordinated actions. And then, lastly, we must have metrics to determine whether what we’re doing is effective or not, something that may have been

lacking in other efforts. So the next slide, please. So for the FCC, this began with the National Broadband Plan a couple of years ago. One of the things that the National Broadband Plan called for was for the FCC to look at concrete threats that the FCC could do something about. This once again goes to the Chairman’s concept of not “boiling the ocean.” And we’ve also heard Frank Kramer and other people say this, is you have to scope this to things that can actually be achieved and we can make real progress on. So what we did is put together our Communications Security, Reliability and Interoperability Council, let’s see, actually I saw Andy Ogielski here. We have other people perhaps in the audience who actually worked on this. So these are just a representation of really some of the talent that we had, but the fact of the matter is there were 50 people that served on CSRIC and probably 100 people that worked on working groups below that, experts in all kind of fields, practitioners, from carriers and ISPs, academicians, advocacy groups, all sorts of people, coming together to work on these things. The Chairman mentioned the three things that they were looking at, I’m going to only spend just a moment on those, but going into maybe perhaps just a little bit more detail. If we could go to the next slide. All of these projects are voluntary. All of them really, I think, come from
the multistakeholder or industry-based, and so I think it’s a tremendous testimony to the industry that 90 percent how now signed up for it, and soon 90 percent of the – 90 percent of them have signed up, 90 percent of the public will be covered once they’re fully implemented. So in no particular order on the DNSSEC, very, I should say, well-developed. The problem is implementation and who goes first and how do we encourage that? And really what Steve Crocker and his group came up with was, “How do we advance this more quickly? What are the best practices for implementation?” And I might say there is still work to be done. I mean, what they came up with is not full DNSSEC implementation, what they’re in essence doing is the ISPs are making their DNS servers,

[ 227 ]


COMMERCIAL PERSPECTIVES ON CYBER SECURITY

DNSSEC, aware so that the user can actually validate the path, so to speak, and make sure that they’re not being spoofed or tricked. On Internet security net routing, here is an area where we’re not as welldeveloped. We’re not ready for complete full path validation. We can see it over the horizon. Standards still need to be developed. There is an expense to that part. Are there steps we can take now? And the answer basically that CSRIC came up with is yes. There are what I would call incremental but significant steps. And so here is the first of many people stepping up to the plate. The American Registry of Internet Numbers stepped up and said, “We will create the secure authoritative database.” The ISPs are saying, “We will register our address blocks and keep them dynamically up to date, and then we will start checking our routes against that registry. And what we hope that will do is eliminate a great deal of the, I guess you’d say, mistake in routing, and it should make us more aware of the malicious routing that comes up. And then, thirdly, the Anti-Bot Code of Conduct ISPs, just to spend a little bit of time on this, obviously we looked at what is going on internationally with that, we took a lot of information from the Germans, from the Japanese, and then particularly from the Australian iCode, and it follows in some ways, there is a lot of flexibility there. Basically it is making the consumer aware, detecting that there is infection, giving them options on ways to inform that. That’s not easy. I mean, if you get an e-mail from your ISP, do you read it? Do you think it’s spam? Do you think they’re trying to sell you something?


Telephone calls get ignored. So, I mean, that’s a big challenge, but this addresses some of those things. And then actually providing some tools for remediation, and then collaborating with one another to make sure that we learn as we go. So those are the three major things. We think that they’re major steps forward, but the CSRIC work actually doesn’t stop there. The next work and the continuing work of this group is to look at barriers to implementation. I have to tell you on Working Group 7 they pretty much said that since everybody is signing up for this, that there may not be that much of any barriers, but they definitely want to get to something that I mentioned before, and that is the metrics. How do we determine if these best practices, if this code are actually working? Because if it’s not working, then we need to evolve, innovate, and do something more. And the question that we have to ask, too, is: What happens if it doesn’t work? What are those things where there may be role for government working with industry to come up with new solutions, and are there things that we have to? And so I know that we don’t like to talk about regulations, I don’t think we may need regulations in this because there is innovation, but there may be a role in the future, and I wouldn’t want to take that out as a possibility. For one thing, the possibility that’s out there sometimes helps people come together to figure out voluntary solutions. So thank you very much, and I appreciate it. And I’ll turn it back over to Eddie.

EDDIE SCHWARTZ: Thank you. At this point, if anyone has any questions they want to tee up for the panel, please step up to the microphones. In the meantime, I want to tee up my own question as a starter, and, again, please feel free to step up in the meantime. A number of you talked about the notion of success in various ways. Scott, you talked about economic growth, and Jamie talked about metrics, and Bob mentioned as well his version of success. Rick, you talked about success as well and the notion of security. And all of you said we need a better definition of success. I mean, what is it? I mean, like, Rick, in your mind, like what would be success from a commercial perspective if you were to rethink security today? I mean, what would that look like in your mind?

RICK HOWARD: That’s a great question. I guess I should have thrown it out there, but I didn’t think anybody would throw it back at me.

[Laughter.]

RICK HOWARD: No, I’ve been thinking about this for the last couple of months, especially in terms of the breach stuff. If you talk to any corporate leader, and you talk about, “Well, gee, what is our process for handling breach notifications?” they freak out. All right? The marketing people, the core com guys go, “We don’t want to tell anybody anything because that may bring shame, and our reputation may go down, and all that stuff.” But if you look at how many people have been publicly breached and then add onto that all the others that we don’t know about, there is probably no shame in it anymore. So if we just can accept that, then maybe the definition of success is, “What damage was done to us? Has our stock price gone down? Have we lost intellectual property? Has anybody been hurt in it in terms of your personnel because of some sort of personal information being leaked?” I think those are the kind of things we need to kind of get our hands around.

EDDIE SCHWARTZ: Should organizations be compelled to disclose breaches?

RICK HOWARD: Well, I’m not supposed to even talk about stuff like that.

[Laughter.]

EDDIE SCHWARTZ: All right. Scott, you talked about success in terms of economic growth, and you said, well, technology is running faster than security. So what do we do to be successful as security people if we’re going to keep up with all that? I mean, we seem to be a constraint here.

SCOTT BORG: So all of this is ongoing and we can track it in an ongoing way, we can actually calculate risk, believe it or not, and we can estimate – we can actually come up with rough annualized expected loss numbers, we can look at the value created by new information systems, and we can make sure we’re just constantly creating a lot more value than we’re losing. Cybersecurity is now part of life all the time everywhere.

RICK HOWARD: Well, it’s a risk equation then, right?

SCOTT BORG: Yeah.

RICK HOWARD: So does it matter that bad guys come down and compromise the janitor’s laptop, does that matter compared to maybe pulling out VeriSign’s intellectual property? You know, so that risk assessment has to be made.

SCOTT BORG: Yeah. It’s essential to always talk about the threats and the frequency or how soon they’re going to occur. It’s essential to always talk about the effect, the consequences, the effect on the value that we’re creating. And, by the way, if somebody is talking about protecting valued assets, we always know they’re protecting the wrong things. You don’t care what an asset costs, what it would cost to buy or create, you care about how much value you’re creating with that asset over time and how much less value you would create with a cyber attack. And we can quantify vulnerabilities as the degree to which we’re vulnerable to that consequence, we can actually make sense out of this.

ROBERT DIX: So there are basic blocking and tackling elements here that I think factor into success and adding tools to the toolbox. The legal framework, how many times have we heard that, right? But why aren’t we doing it? I asked that question before and really didn’t get a good answer about that. That’s a dialogue that ought to be taking place. Secondly, creating an operational capability so we have visibility and situational awareness into what’s going on in the network during steady state and during times of escalation. That’s a capability that I would bet most American people think we have today, and we don’t.

EDDIE SCHWARTZ: Isn’t that companies should – like individual organizations should do, or is that – like who should do that?

ROBERT DIX: No, I think that’s got to be a public-private activity that engages the Department of Homeland Security, the backside folks that have the threat intelligence, the ISACs and other operational entities in the critical infrastructure community, other sources of data that can inform that process, a nerve center, a National Weather Service style capability that gives us visibility so that we can move towards a model of detection, prevention, and mitigation instead of today, where we spend so much of our time, energy, and resource in response and recovery, a sustained national education awareness campaign that addresses – I mean, there are some people in this room that have the empirical data, but it is estimated that 80 percent of the exploitable vulnerabilities are a result of no or poor cyber hygiene, hygiene, basic fundamental low-cost or no-cost things that people, small businesses, and even larger enterprises can be doing to protect themselves, so there are basic elements of blocking and tackling that we could be doing tomorrow. There are organizations like the National Cybersecurity Alliance and other nonprofits. How about if every member of Congress and every company and all of us in this together had a link on our homepage that directed people to information about how they could better protect themselves? What are those best practices? What are the tips that Jamie and his team have developed for small business? How do people get access to that to help raise this bar? Eighty percent is a big number, so even if we got half, we make it more expensive and more difficult for the bad guys to get access into the networks that they use to then do their thing. So there is basic blocking and tackling, Eddie, that I think we should be focusing our attention on, especially together in a shared responsibility.

EDDIE SCHWARTZ: Those are good success factors. Robert?

DR. ROBERT GHANEA-HERCOCK: Yes. So on that point of whether or not this is a great idea, so in the U.K., as of last year, our Prime Minister initiated a program for the cyber hub, which is exactly this, to try and bring together the public and private sector to create an intelligent real-time open information feed that tells you what’s going on across the state. But we’ve got here all these points of building trust between the public and private sector between the private sector entities that are competing, and the bottom line there is trust. So the U.K. government is trying to go down, act as a facilitator to build that trust and to link the people together.

SCOTT BORG: I would like to differ there. I don’t think the bottom line is trust. We did a little analysis of when private-public partnership and forums and so on are working, and they work and have active participation when they are delivering more value than the cost of participating. You can actually figure out what people from private sector are getting as their return from participating, and you can figure out how much time and trouble, and cost, in other words, it’s taking to participate. When the balance is in their – when they’re gaining more than it’s costing them, they participate very actively, the operation thrives, and some of the ISACs are good examples of that. When it’s not working that way, when it’s costing them more than the return, they stop participating. It’s simple economics.

EDDIE SCHWARTZ: I actually think it’s both. I think it’s both trust and return because I wouldn’t value information from an unknown source, so I have to trust the source, but I also think it has to have intrinsic value.

SCOTT BORG: And I translate the trust into estimate of your risk and your cost.

RICK HOWARD: There are two things. One is that the commercial organizations want government intelligence, but they’re not going to wait around forever to get that done, so they’re already starting to form their own groups. I mean, the ISACs are one way to do that, but there are other ways of combining across sector that people are starting to think about, so they’re going to share that information. It’s going to happen whether with the government or not.

EDDIE SCHWARTZ: Yes, sir.


ROBERT DIX: Building on those successes, I mean, Gavin and I, our two companies we compete vigorously in the marketplace, but we work in an organization called ICASI with a number of our other global partners in security instant response where we look at multivendor, multinational vulnerabilities, and we work together in real time to try and address those because it’s in the common interest of our companies and our global community. That’s a perfect example, and that’s private sector driven, private sector driven.

JAMIE BARNETT: Eddie, I would say just one other thing on the success factor like that, this conference does not address, I don’t think, spam or junk facts or things like that. So, I mean, one factor of success, if Catherine has this in future years and we’re not talking about botnets, we’re not talking about these things, then some of the things we talk about here have, in fact, been successful. Those things were basically done by the multistakeholder group getting together, coming up with industry solutions, and spam hasn’t gone away, but it’s just not a factor for conferences anymore.

EDDIE SCHWARTZ: That’s good, that’s a good point. Okay, we have a question in the audience?

ELI JONES: Yeah, sure. Eli Jones, VeriSign. Rick has not seated this question through me.

[Laughter.]

ELI JONES: So in terms of taking another step off of what could potentially constitute success, we’ve talked a lot about like regulation legislation, purely defensive measures. On the other hand, Rick’s point about different organizations developing their own intelligence capabilities, that’s going a little bit beyond defense. I mean, part of it is preemptive, a lot of it is doing better at understanding who’s behind this. We’ve talked about a lot of responsibilities for those being attacked, but what would success look like in terms of coordination, public-private or private-private, towards more aggressive identification of the attackers? We have the example of the Rustock takedowns, the Coreflood takedowns, a lot of which was industry led or facilitated. What more can we do in that regard?

EDDIE SCHWARTZ: That’s a good point. Comments?

RICK HOWARD: I love that story. What Microsoft is doing with that operation is fantastic. The only thing they could do better is to do more. And they’re doing it all pro bono. So what they really need is other folks to join in with those folks to help do that. I mean, they’re taking down how many botnets a year? Three or four? And there are 15,000 of them, though. So we need to ramp it up to about 1,000 botnets a month in order to get anything done, and maybe groups like this can get that kind of stuff going. I love what Microsoft is doing, but we need to throw a lot more resources at it to be successful.

ROBERT DIX: Isn’t it fair to say, Rick, they’re not doing that by themselves?


RICK HOWARD: No, they’re not doing it by themselves, no.

ROBERT DIX: There is a collaborative effort there that’s bringing law enforcement into that discussion along with the private sector entity, and as you and I know, because we worked on the project together, one of the things that sometimes we make the mistake is that folks in government, especially in the intelligence community and law enforcement community, think that those of us in industry are interested in sources and methods. We don’t care about that.

RICK HOWARD: Right.

ROBERT DIX: We’re interested in tactics, techniques, and procedures that can help us inform risk management decisions. That’s very valuable information because similarly in the physical space, you cannot protect everything all the time. The same is true in cyber. Okay? So having the information helps us inform the risk management decisions, and as you know, when we actually have the ability to collaborate, analyze, correlate that data, we can make good decisions, we can issue alerts and warnings, we can even recommend protective measures when we have the ability to do that together.

EDDIE SCHWARTZ: Yeah, I think there are a couple of issues. One is that we’re not putting the attack or the attacker at the center of the problem right now. So if you look at some of these grand issues in this space, one of them is, for example, how do we get groups of whether it’s private companies or individuals, focused on botnets, and then how do we contribute the right data to them? Because it is going to be privileged government data at times, it’s going to be law enforcement data, but it’s also going to be companies like iDefense, it’s going to be, for example, what we do at EMC, we’re one of the 30 percent, just like you are, be able to provide our own very unique threat intelligence that we generate, and there are lots of other companies that are very successful at doing that, but if you take that and you give it to pockets of individuals that are focused on, for example, botnet takedowns or nation-state attribution or other types of tasks, they can make that useful. It’s only going to be useful, though, if it’s timely, it’s detailed, it’s shared in a secure manner, it’s trustworthy. I mean, there are different things that have to happen that are very, very difficult today. I mean, to your point, we have created some interesting commercial collaborative frameworks that have been very, very successful in this phase, but we need all of these elements to come together, and then we need people focused on these various challenges that are out there.

SCOTT BORG: Here is another answer to your question of: What is success? If you want to understand your attackers, you need to look at who’s out there, how they can gain, what capabilities would be necessary for them to carry out the attacks that would produce those gains, and what those capabilities cost. When we improve our defenses, we’re upping the cost for the attackers. If we can up the cost for the attackers beyond what they gain, that’s success.

EDDIE SCHWARTZ: Yes, sir.

JOHN MUIR: Yes, John Muir, from Security Innovation Network. Two related problems. One is both government and commerce are dependent upon advanced security solutions, which largely come from small companies. Small companies are having enormous trouble getting venture capital because of all the changes in the economic scene, and that means it’s harder for them to get going on solutions to problems that are coming up. So there is a big lag between the time a problem is noticed and somebody builds a company and gets the technology there. The other related problem is that the universities who do a lot of research by and large have great difficulty commercializing or getting whatever research they’ve done out in a way that can be used by the public sector. So I would like some comments about how we address those problems because there seems to be a real problem to transition from innovation to implementation and how we fund that.

EDDIE SCHWARTZ: I guess I don’t necessarily agree with that statement entirely in the sense that – bring some of it our way. You know, in our company we work with a number of universities. We have both, you know, what I would call open source types of initiatives with a number of universities that we’re funding. We have private research that we’re doing with universities designed to bring innovations to market. We are very interested in early-stage companies. We’re very interested in all kinds of – you know, the entire continuum, and I know that others in this room have the same trajectory in terms of things that they’re doing. I’m also involved with a group that’s having a workshop in 2 weeks here in D.C. called the Cyber Security Research Institute, it’s a bunch of different companies that are looking at the nexus among private companies, the government’s research agenda, and university agenda, and we’re inviting others to participate. I know you’ve heard about it. I mean, so I think that there probably are gaps that still need to be addressed, but I would argue that there are outlets also. If the technology is interesting enough, give me a call. I mean, I don’t know.

[Laughter.]

ATTENDEE: Go ahead, sir.

JAMIE BARNETT: So not speaking for the FCC, this is just Jamie Barnett, governmental guy talking.

RICK HOWARD: Actor extraordinaire.

[Laughter.]

JAMIE BARNETT: One of the things I would be interested in is something that in essence generates more incentives for those types of companies. I was very interested to read this week about basically rapid acquisition by the government, those types of things to incentivize it. The other thing is I’m not recommending there be any regulation in this area. On the other hand, there may be things where government can create I guess markets. So, for instance, we all take 911 for granted; it’s been around since 1968, but the fact of the matter is that all came about as an FCC regulation where we said, “Okay, telecommunications company, we would like for you to offer that.” Now, that doesn’t mean that any government has to do that, and there are actually some counties in the United States that still don’t have 911, but it created something that wouldn’t have existed otherwise, the 911 industry, and the carriers and like that. Somebody has to pay for security, ultimately has to get paid on. What’s the best way to incentivize those innovative companies to provide that security? So incentives and creation of markets I think are the main things.

RICK HOWARD: And for strategic stuff, I don’t have an answer for university permission, but for tactical stuff, we have so much success bringing smart interns in from really good colleges and throw them at a problem I don’t even know how to tell them about. I say, “Go solve this thing,” and 4 months later they solved it, and now they’re working for us. All right? So that part works very well. Excuse me. [Coughing.]

ROBERT DIX: You’re kind of choked up about that.

[Laughter.]

RICK HOWARD: I am, man, I’m really emotional about it.

JAMIE BARNETT: Those guys are great, man.

[Laughter.]

EDDIE SCHWARTZ: Yes, sir.

ANDREW CUSHMAN: Hi. Andrew Cushman, from Microsoft. I’ve got two questions, and one is easy and one is harder, and I’ll let you decide.

[Laughter.]

ANDREW CUSHMAN: So what’s the private sector, what’s the industry role in the state-on-state norms discussion? What should that be? Or should there be any role there? And secondly, when do you think that private industry, or if, is going to get into the active defense game? I mean, they’re into the intel game.

ROBERT DIX: And which question was which?

EDDIE SCHWARTZ: Yeah, they’re both hard.

[Laughter.]

ROBERT DIX: Which was which?

ANDREW CUSHMAN: Well, I thought Rick might have an easy answer to the active defense, you know; that’s an easy follow-on next year at RSA, huh?

[Laughter.]

RICK HOWARD: I’ll let someone else go first here.

EDDIE SCHWARTZ: Maybe you should answer your own question.

[Laughter.]


DR. ROBERT GHANEA-HERCOCK: I’ll take the state one, that’s easy. It’s not our problem.

[Laughter.]

DR. ROBERT GHANEA-HERCOCK: That’s government. That leaves the hard one for the rest.

ANDREW CUSHMAN: Well, I do think that, given that much of the infrastructure is owned by the private sector, I do think that there is a role for industry to play in that dialogue.

EDDIE SCHWARTZ: Well, could you define “active defense”? I mean, are you referring –

ANDREW CUSHMAN: No, no, no. Sorry. Active defense, I don’t have an answer for that.

EDDIE SCHWARTZ: Yeah, okay.

ANDREW CUSHMAN: You know, there is the Computer Abuse and Fraud Act; that applies to individuals as well as to companies.

EDDIE SCHWARTZ: If active defense are an issue, just like, for example, botnet takedowns or other things like that –

DR. ROBERT GHANEA-HERCOCK: Actually, Eddie, on that point, and this raises a research question, which is something we’ve been interested in, is the whole idea of immune systems. So all of our bodies have an active defense capability, called an immune system, and I think ultimately the Internet is going to have something like an immune system within it in terms of very active, high-productive, self-organizing defensive capability, because without it, it won’t function, not anything like the way we want it. And every person in this room now is carrying pathogens, you all have viruses in you – yeah – but your body is coping, your body is coping with that.

[Jamie Barnett coughing.]

[Laughter.]

ROBERT DIX: Aside from him, he’s dying, but –

[Laughter.]

SCOTT BORG: In cyber, releasing the antibodies is illegal. If you design a piece of – a tool that will go out there and eat the malware, it is considered an attack on malware, and you will be prosecuted, in some places.

DR. ROBERT GHANEA-HERCOCK: I didn’t say it was easy.

ANDREW CUSHMAN: But I do think it’s interesting to think about perhaps a redefinition of “active defense” or a broadening of that definition, that if you were to describe creating terrain in cyberspace as a helpful defense, I think that that’s easy to get – it’s a hard problem, but it’s easy to get some focus on that perhaps.

RICK HOWARD: Are you suggesting like – I’ve had this idea for a long time, too, that the Internet should be open and free and anonymous and all that for just general surfing, but if you want to do some sort of transaction, some sort of financial transaction, some sort of government transaction, that there should be some more rigor to who you are and all that kind of thing. Is that where you’re –

ANDREW CUSHMAN: Well, that wasn’t necessarily what, but if you think about terrain in a military perspective, choke points, that would be helpful to think about how you go and create that in what normally is considered a flat cyberspace.

DR. ROBERT GHANEA-HERCOCK: And then you’re getting into the whole world garden, iTunes dimensions, which has its own issues.

JAMIE BARNETT: And would you apply it to – I like asking him questions rather than him asking us questions.

[Laughter.]

JAMIE BARNETT: So would you apply that concept to critical infrastructures then?

ANDREW CUSHMAN: The concept of building terrain?

JAMIE BARNETT: Terrain, uh-huh.

ANDREW CUSHMAN: Absolutely. And that might actually be the first place where you go and deploy that.

RICK HOWARD: I will say, though – and I’ve been saying this for a number of years, though – when you do the active defense thing, and even if you’re doing choke points and things, you do something actively, the enemy gets a vote. All right? So if you do something that – don’t think that he’s going to say, “Oh, well, gee, they did something, I’m done.” Okay? That’s not going to happen. That means they’re going reinvigorate their efforts to come after you, and the case study for that is what happened to HBGary this year, or last year.

ANDREW CUSHMAN: Last year.

RICK HOWARD: So they poked at the beehive and a whole government business goes under because of that. Right? So you’ve got to be careful of that.

ANDREW CUSHMAN: And then I’ll just go ahead and continue the answer to –

[Laughter.]

ANDREW CUSHMAN: Industry, in the norms discussion, the state-on-state norms discussion, I do think that there is this notion of shared functional necessity. That’s where the agreement is going to be, the functional necessity to avoid something, and I think that industry has a voice there to help articulate that perhaps that might not be – that industry has a perspective to contribute that might help in rounding that out or in fleshing out that functional necessity.

RICK HOWARD: I think that’s happening now. I mean – I’m sorry, go ahead.

EDDIE SCHWARTZ: I was just going to say, “I need your intellectual property. You give it to me.”

[Laughter.]

RICK HOWARD: I think it’s happening now. I mean, at iDefense we’re tracking 18 different cyber espionage sets. All right? And talking to different research groups, that number goes up or goes down, depending on what it is, but we all have a sense of what the bad guys are doing, and what we have not done is gone to the “Let’s give it away to everybody for free” kind of a thing yet.

EDDIE SCHWARTZ: Unfortunately a lot of companies are doing that whether we like it or not.

RICK HOWARD: Yeah.

EDDIE SCHWARTZ: Marc?

MARC SACHS: And, no, Eddie, I’m not going to embarrass you. We’re amongst friends, right? And if I was on your panel, I would have to answer my own questions, so you guys get to answer.

[Laughter.]

MARC SACHS: Marc Sachs, Verizon. Since the military was just brought up as an analogy, one of the things we understand in the intelligence versus operations world is intelligence usually supports operations, not the other way around. The conversation we’re having here in Washington is one of the government wanting the private sector to support the government versus the government supporting the private sector. I’m wondering if you could “noodle” that a little bit there as, shouldn’t the private sector be the supported group versus the supporting group; in other words, most of the information flow should come from the government to the private sector because we do own and operate the vast majority of all this stuff versus the expectation of it going the other direction? I would love to hear what you think about that.

JAMIE BARNETT: Yeah, Marc, from my standpoint at the FCC, and as I kind of alluded to in my talk, the front-line defense in the telecommunications and the folks, the ISPs, the folks who operate the Internet, will always be in private hands, and so the FCC’s view has always been, “How do we organize that?” So if we can do things like CSRIC, voluntary, folks coming together, collaborating, bringing the good ideas forward, that’s great. In other areas where for some reason the market doesn’t supply the thing, maybe regulation does that, but it’s always, for our end, for the telecommunications industry, you guys are the front line, it’s not the government is going to do it. So I don’t know if that applies completely across the government, but I would say that was the FCC’s view.

RICK HOWARD: The answer I like, I think it’s a compromise. Okay. I don’t know where you went. There you are.

[Laughter.]


PANEL 3

International Engagement on Cyber 2012

ROBERT DIX: Although I think that the premise you offer is correct because the missing element today is that threat intelligence to help inform the risk management decision-making process. And, quite honestly, one of the things that we ask, and even when we do these exercises, in terms of the role of the government when we have an incident of national or global consequence, is stay out of the way, let us do our jobs, let us manage the network capabilities and deliver the resilience that we deliver every single day that people rely on and oftentimes take for granted. If we had access to that threat intelligence information to help inform that, we would even be better at that risk management process and informing the decision-making that goes into those risk management decisions.

EDDIE SCHWARTZ: Absolutely. And the government severely overclassifies the information that once it’s provided to you, you sort of go, “Are you kidding me?” A lot of that should be provided in a close to real-time manner and shouldn’t be classified to the degree it is. It’s ridiculously classified.

SCOTT BORG: The emphasis in private sector is always on getting the right answer and acting as quickly as possible. The emphasis in the government is on following the correct procedure. Those can work. You know, one of those is superior in some contexts; the other, in other contexts. It’s necessary to think about how those two sides function and whether it’s appropriate. Most of the time in cyber, if you want the right answer and quick action, you don’t want to be worried too much about following all the right procedures.

RICK HOWARD: And also some think the government has the really cool data – [Laughter.]

RICK HOWARD: Okay? And they don’t, they don’t have that corner of the market. We go back to commercial organizations forming their own intelligence outfits. I’ve got one financial institution whose intelligence group is so good that if they went commercial, they would compete with us directly.

EDDIE SCHWARTZ: Absolutely.

RICK HOWARD: Right? So we don’t need the government to give us that. It would be nice if they did.

SCOTT BORG: It’s worse than that. Secrecy covers an enormous amount of ignorance.

RICK HOWARD: Yeah, that’s true, too. [Laughter.]

EDDIE SCHWARTZ: Yes, sir.

ERIC BURGER: Thank you. Eric

RICK HOWARD:

It’s situation dependent, so commercial is going to be the operator in some cases, government is going to be the facilitator, and it goes vice versa, and we haven’t come to that agreement yet, but I think that’s where it’s going to end up.


Burger, from Georgetown. And no, Bob, I’m not going to talk about securing everything and then, which we should do. I’m actually – you know, we’ve heard a lot about the government and what the government should or shouldn’t do. We’ve heard a lot about industry and what industry should or shouldn’t do. And I’m actually looking at, what about that third pillar, you know, civil society, the users. What do you see, sort of the relation, what industry can do in the sense to support users? For example, if you look at the botnet work, some could say, “Well, that’s actually deep packet inspection. You’re doing a wiretap on what I’m doing, and by the way, it’s not really a botnet. I’ve just invented the next peer-to-peer network,” or, “No, really, Aunt Mabel’s computer really has been compromised. She has no clue. How do we turn it off?” “Oh, we’ve turned it off. Are we censoring? Are we shutting off the Internet for her?” And, you know, is this something that industry can address? And if so, I would love to hear your thoughts on how.

DR. ROBERT GHANEA-HERCOCK: Sometimes I do an address on that topic, and my comparison is it’s basically that the end user is kind of like Homer Simpson – [Laughter.]

DR. ROBERT GHANEA-HERCOCK: – they really are clueless. I spend half my time educating people who have Ph.D.’s in basic hygiene, computer hygiene. So it’s not – you know, forget about addressing the man in the street, you know, even people with high levels of education, even technical education, are still unaware of basic computer procedures that you need to defend yourself. And so we go back to the issue of, as you say, as vendors, what can we do to help protect people without intruding on their privacy or taking away anything from them? And in the U.K., after the dialogue, is then, can we do that and at the same time not be anticompetitive? So, for example, we give away an antivirus package with our broadband to most of our users, half of them don’t install it. It’s free, you know, they’re getting it completely for free, it just comes with it, you know, just click and install. I don’t know whether they’re afraid of it doing something else, but there is an educational process, but also then it goes back to policy. What does the law allow you to do that’s not anticompetitive but at the same time is going to help people?

RICK HOWARD: It’s not all doom and gloom either. When I get that question, the first thing I tell them to do is upgrade your operating system because it’s better, the browsers are better, so go there first and if you do that, you are better than most people that are out there. So the industry has that responsibility, Microsoft has done a great job, the Linux platform has done a great job, to make the thing more secure. Okay? So, yeah, do that.

ATTENDEE: So that’s our responsibility.

JAMIE BARNETT: I would like to thank you. I had a bet with Robert that he couldn’t work Homer Simpson into this discussion, so – [Laughter and applause.]

JAMIE BARNETT: So I used to be the director of Naval education, I’m a big proponent of education, but I want to say this, this is one area where education is good, but it won’t get us all the way. And ultimately what I think what we’re seeing and we’re starting to hear from some of the ISPs, is in addition to the things that have driven Internet use in the past, which is basically speed and cost, we’re now seeing a market for security. And so I think ultimately people are going to be more, “Oh, my information, my banking, my purchases, pictures of my babies, are at risk, and I want somebody to protect that, and I’m willing to pay some amount per month to do that,” and so to the degree that security gets built in, and I know there are folks probably in the audience who have those innovations now and on the way, and I think ultimately the gap between what education will provide, innovation will make up the difference where it’s kind of built in, in the way that safety procedures and devices are built into my car.

EDDIE SCHWARTZ: Thank you. Okay. I think we have time for one more question?

RANDY FORD: Okay. Thanks. Randy Ford, with Raytheon. I would like to push back on the panel’s – my perception of your dismissiveness of this idea of active defense. You kind of blithely, “Oh, well, it would violate the computer fraud.” And so a bank, somebody walks in and tries to steal the property of a bank. The bank is allowed to use lethal force to stop their property from being taken or the lives being threatened, and it’s not just banks, there are lots of companies which when a perimeter is breached, lethal force can be used, you can track the person down and shoot them to death for what they’ve done. So the principle is there, number one. Number two, there may be this particular piece of legislation you’re concerned about. But there is something called the Constitution, and in there the government has something called letters of marque and reprisal. So the U.S. Government could actually authorize a company to conduct active defense and go out and do virtual lethal force on someone who was conducting those sorts of things. So is there a market there for that sort of thing? Is this where it’s going? If the government does not provide a response to companies whose billions of dollars of property are going out the window, as we’ve heard today, are left with trying to take action themselves. So I just want to push back a little bit and see if there is more to that than you were originally willing to accept. Thanks.

SCOTT BORG: I don’t think any of us were dismissing active defense. I think we are all pretty much supporters of active defense. What we were bringing up were some of the obstacles that need to be overcome before we can implement that, and one of them is one of the ones that you just identified. If we had a government agency that was empowered to carry out certain kinds of active defense measures, I think most of us would support that. Actually figuring out what the rules for that would be and how you would do it is very, very tricky.

RANDY FORD: That’s the trick.

EDDIE SCHWARTZ: Yeah, or if they said we could just shoot anybody in any country we wanted and there would be no reprisals, I mean, that would be okay, too. I mean –

JAMIE BARNETT: Since I used an oceanic and piratical analogy, I love your concept of letters of marque and we could have these privateers out there, and I didn’t push back with the idea of active defense at all, I mean, but the rules are that’s –

EDDIE SCHWARTZ: Yeah, and there would be a lot in between.

SCOTT BORG: Other complications, when Estonia was being attacked by massive denial of service, a very large portion of the computers attacking Estonia were in the United States. If Estonia had been employing active defense, they would have been zapping huge numbers of American computers. It’s a tricky issue.

RICK HOWARD: But I think another government role, an international role – my fantasy wish list is an international botnet task force called “The Terminators.” Okay? [Laughter.]

RICK HOWARD: And they have legal authority to pursue the bad guys through whatever country has signed up for it to their place of origin. That’s my Christmas fantasy.

EDDIE SCHWARTZ: I like that one. So with that, we are going to conclude this panel. [Laughter and applause.]


International Collaborative Responses to Cyber Incidences Panel 4

Panel Chair

Gen. Michael Hayden (Ret.), Principal, Chertoff Group Former Director of the NSA and CIA

April 10, 2012 Lohrfink Auditorium Georgetown University Washington, D.C.

Panelists

Andrea Rigoni, Director-General, Global Cyber Security Center, Italy
Dr. Gregory J. Rattray, Partner, Delta Risk
Rt. Hon. Lord Reid of Cardowan, House of Lords
Peiran Wang, Visitor Researcher, the Faculty of Law, Vrije Universiteit Brussel, PhD Candidate, East China Normal University, Shanghai, P.R. China
Gavin Reid, Computer Security Incident Response, Cisco Systems
Jaan Priisalu, Director, Estonian Information System’s Authority

Moderator

Dr. Catherine Lotrionte, Director, Institute for Law, Science & Global Security, Georgetown University


DR. CATHERINE LOTRIONTE: So for the last panel, the fourth panel, for today, the topic that will be addressed is the “International Collaborative Responses to Cyber Incidences.” The panel chair is General Michael Hayden, Principal, Chertoff Group, Former Director of NSA and CIA. General Michael Hayden became Director of the CIA in May of 2006, capping a career in service to the United States that included nearly forty years in the U.S. Air Force. He served at CIA until 2009. Earlier positions for General Hayden include serving as the Director of the National Security Agency and Chief of the Central Security Service. He was also the first Principal Deputy Director of National Intelligence. When he used to come and brief at the White House in that position, a number of staffers, including myself at the time at the White House, used to refer to him as “Here comes ‘P. Diddy.’” [Laughter.]

DR. CATHERINE LOTRIONTE: And he actually had a good sense of humor because often he referred to himself as “P. Diddy.” I’ve known Michael Hayden for a long time, when I was at CIA and he was at NSA. I think he’s one of the most important thought leaders we have, even though he’s not in the government any longer, when he was in the government he certainly was. He changed the nature of what NSA did, and its business, after 9/11, and I saw that from the White House as we watched 9/11 happen, and it was Michael Hayden that came in and showed the world and the United States what could be done in order to protect ourselves from terrorists. Since then, he has also become deeply involved in the cybersecurity aspects, and the Chertoff Group has been doing just that, to push the thought leadership on these issues. So I’ve said, “Would you please be the chair of our last and final panel and not let anyone rest and get too tired, and have some very thought-provoking things to say or read?”

GEN. MICHAEL HAYDEN (Ret.): Thanks, Catherine. And thank you for those very kind words, and thank you so much for the opportunity to chair a panel at 4:40 in the afternoon after a very – [Laughter.] – after a very intense day of intellectual engagement. Well, as Catherine said, the broad topic for this panel is international collaboration, and, frankly, I find that – and I’m very happy that I was selected for this particular panel because I find that very intriguing, and even with my own experiences at the two agencies. What does international collaboration really mean? We are all creatures of Westphalian thinking, Westphalian frameworks, Westphalian structures, Westphalian mindsets, and we’re taking those tools that we’ve inherited and trying to apply them to a domain, to a universe, that is boundless and borderless. And I must admit, I was involved in a variety of conversations as to, what does the clash of those two thought processes, Westphalian and a lack of boundaries, mean for concepts like sovereignty? Is it ended? Is it limited?



Is it unchanged? And then when you even look at the question of international cooperation, our language traps us into prior patterns of thought. I mean, we native English speakers use “international” almost synonymously with “global,” but if you look at the root of “international,” it’s between nations, and, frankly, I don’t know that we can conclude at the beginning of our conversation that we’re talking about collaboration between nations as being the most essential kind of global cooperation that we’re looking at. So in an almost pernicious way, our language captures our thoughts before I think we’ve really engaged ourselves. So there is an awful lot to be discussed here, and I’m quite heartened to see that we will probably be picking up a few of the threads kind of left in the air by the last panel, and I fear we will leave our own collection of threads hanging in the air at the end of this panel as well. Now, we’ve got a wonderful panel. Let me be very brief in introducing the folks up here with me. Mr. Andrea Rigoni, Director-General of the Global Cyber Security Center in Italy. The Right Honourable Lord Reid of Cardowan, House of Lords, also of the Chertoff Group and former Home Secretary in the United Kingdom. Mr. Peiran Wang, visiting researcher, faculty of law at the Vrije University in Brussels, and also Ph.D. candidate at East China Normal University in Shanghai. Gavin Reid, Computer Security Incident Response at Cisco. Mr. Jaan Priisalu, from Estonia, who served as head of IT at Hansabank. And, finally, Dr. Greg Rattray, Partner in Delta Risk. And we will all come to this problem from where we have been. You will


see a variety of national perspectives, national lenses here. I look forward to the interchange, and I particularly look forward to the questions and the discussions that follow. So, Andrea?

ANDREA RIGONI: Thank you

very much. So thinking about international cooperation, I focus my attention on the national component, and unfortunately my center is based in Italy. We have a research center that we established two years ago, which is an example of a country where the general awareness on cybersecurity is quite high, but the government doesn’t have yet a national cybersecurity strategy. So with many countries in the world that are a critical part of the global system, interconnected without a national strategy for cybersecurity, it’s very difficult for these countries to address properly the international dimension. Now, I want to focus a little more the attention on this problem because it will help understanding how we can engage eventually these countries. And I am using not only the example of Italy but of many other developed and developing countries that are in a very similar situation. So the cybersecurity for many countries is not today a top priority, and with this, I mean that when they declare the importance of cybersecurity, they understand that it’s important, but at the end, when you look at their political agenda, cybersecurity is not there. And if you look carefully, this is also true for the European Union, that right now is addressing cybersecurity but as one of the components of the European digital agenda, and I will come later to this

point because the coordination in incident response is one of the elements of the agenda. So one of the problems of these countries is that they are not able to figure out which is the right level of attention and the right level of commitment and the right level of investment for cybersecurity. And some of these countries are not able today, for example, to measure the impact of cyber attacks. So if I take again Italy as an example, Italy, 99.4 percent of the companies are small and medium enterprises, and for these companies it’s very difficult to monitor cybersecurity. So they do not report cybersecurity incidents, and I’m quite sure that most of them are not able to detect a security breach. So how a country like Italy can properly measure today the impact on the Italian economy of cybersecurity attacks? So how can they have the right weight in order to devote the right attention to cybersecurity? Looking at international dimension, I think that here international cooperation could help. I think that there are countries, like U.S., that are very interested in keeping a healthy collaboration with many countries because in cyberspace, the U.S. provides a lot of the Internet services. I’m considering in most of the European countries, and not only in Europe, most of the digital services are provided by U.S. companies. If I think of the top European digital providers, we are talking about Amazon, eBay, Google, Facebook, Apple: these are not European companies. So that’s another reason why international cooperation should start from raising the awareness of these countries, maybe sharing some data, maybe sharing some intelligence with them in order to help them understanding, which is the real risk they are facing. When we come to incident response, these are direct consequences. I mean, the incident response should be part of a mature defense strategy, in particular, in cybersecurity. You need to protect your assets, you need to protect your infrastructures, but then you need to be ready to detect any abnormal activity or any breach, and the real successful organization is the one who is able to limit or know completely the impact of an incident. Now, most of the small and medium enterprises do not have an incident response capability. Most of the large companies have a security operation sensor or a computer emergency response team, but international standards in this area are not yet mature, so we are not able to say if these capabilities that both public and private organizations put in place are good, and even more interesting is that the cooperation between CERTs is not very broad. That’s why this is one of the priorities of the European Union. So



one of the actions of the digital agenda is to first of all invite all EU member states to have a national CERT and for a national CERT, they mean essential point of contact for both the public and the private sector, for the private sector should be also the front door to the government. And also that they have to establish connections with a coordination entity in Brussels. And also I think this coordination entity should enforce building a full mesh network of connection between the CERTs. Now, where these CERTs are fading is the connection at the national level. Most of them at my center did many, many, many research projects in this area, and we saw that most of these CERTs have a one-way communication, so from the CERT to the constituency, government or private sector. Most of the feeds are coming from multinational companies, so they buy or they get access to open source databases or they get the information feeds from the private sector, but the other way around, in most cases does not work. This model is also implemented in developing countries. There is a strong push from the United Nations to help developing countries to establish their own computer emergency response teams. I know of twenty-five that have been built between Asia and Africa, and it’s built on this model. We are proposing on these at first to test at national level a two-way communication with a constituency. So we have seen some pilot projects that were started just a few months ago where these computer emergency response teams, they see the active participation of both government agencies and the private sector. So the employees of the CERT are provided


in part by the constituency, and this is helping in these pilot projects to create a tighter connection between all the entities involved. As soon as this model works at national level, connections between at the international level should be implemented. Now, here there is a problem at CERTs. Sometimes national CERTs are very generic organizations, and some of the issues are very, very specific and tied to a specific sector. Just to mention, I mean, problems that a bank is facing are quite different from the problems of a transportation company or a utility. Some sectors have a more natural approach to cooperation. And I’m mentioning utilities, they’re already used to work together. There is not a tight competition, as in other sectors, for example, the financial sector. So I think some of these examples should be used to develop new cooperative models where there is a real exchange of information coming both from the private sector and the government. I want to finish using one of the remarks of the previous director of CPNI in U.K., and he told me they established very successful information exchanges many years ago, sectorbased, and he said the way we have been able to engage the private sector, but not only the private sector, also the government agencies, was to start giving them real valuable data. That’s the way we used to ask for information, and after many years, I think they can say that this model was successful. Thank you very much.

GEN. MICHAEL HAYDEN (Ret.): Thank you. Lord Reid?

RT. HON. LORD REID OF CARDOWAN: Thank you, Mike. As Mike said, I had the honor of being a minister in Tony Blair’s cabinet nine times over, nine positions. Every time he had a problem I seemed to be the solution, and four of them covered the area of security. But I want to make plain right at the beginning, I’m not a Ph.D. in computing, I’m not a Ph.D. in electrical engineering or any other form of engineering. I suppose there’s an upside to this. I’m not a Ph.D. in sociology either. I am a Ph.D. in history, and this morning when Melissa Hathaway referred to Minerva, it struck me that if you could stand it at five o’clock in the afternoon, I would start with a quote from a German philosopher, Hegel, who said, “The owl of Minerva spreads its wings only at the coming of the dusk,” which is why I am a historian, because wisdom comes from hindsight. And I ask myself the question in the course of today, in fifty or a hundred years’ time, when people look back at our deliberations and have to write a book on what we knew about cyberspace, what would they say? And they would certainly say we did a lot of things, and they would almost certainly say we did a lot of talking, but if they were asked the question, “Yes, and what were the purpose of the things, and what was the subject of the conversation? What was the concept? What was the intellectual framework that framed the strategic moves forward, and what was the doctrine?” I think the book would be a very small one indeed. And that is what I want to refer to my remarks to today so that I don’t impinge upon the expertise


of those of you who are technologists or who are specialists in that area. I want to mention a couple ones that haven’t been mentioned a lot. One is resilience, and one is doctrines. And if you can bear with it, I have four slides, no more than four. If we can move on to the first, please. First of all, I want to mention two words which are on our title for the panel. The first one is “international” and the second one is “incidence.” On international, let me just repeat what Mike has just said. Sovereign bodies will remain powerful, there will be bilateral discussions, but cyberspace, if I can use that word, is a transnational environment. It is not just an international one, and transnational bodies, whether it be Anonymous or AQ, swarm throughout it, even as we speak. They won’t wait for the establishment of an international treaty or international institutions that take decades to fully function. We need something that promises speedier delivery and incorporates the capacity for constant innovation. Secondly, on incidents, I’m reminded that the British Prime Minister Harold Macmillan, who came through some tough times and several near wars, was asked what he feared most about being in government, and he said, “Events, dear boy. Events.” [Laughter.]

RT. HON. LORD REID OF CARDOWAN: Incidents, exactly. In cyberspace, the plurality of incidents will be increased to the factor N in a cyber environment. Crisis properly defined – and I will come back to that

– crisis will not be abnormal, they will be the norm in the cyberspace environment. There won’t be any business as usual. There will be no complete control of cyberspace. It’s not just a medium. It’s not just a means of communication. Personally, I’m not even happy with the latest phrase that has been used about a central nervous system, because that insinuates that it is somehow domestically incorporated. There is a huge existential matter to deal with in cyberspace that is far beyond any one central system; in a sense, it is an environment. It is the first manmade environment, and albeit manmade, it has returned us to a sort of state of nature, just like the sea or space or air. Rear Admiral Cox earlier on referred

to the Portuguese and the Spanish empire developing mechanisms technology and the Laws of the Sea. I would remind you it took some three centuries to develop the Law of the Sea, and only because two powerful bodies, the French and the British, controlled it did they manage to impose that law. It is rather more difficult with nearly four billion people who are empowered by the Internet rather than two bodies. So we’re dealing with a new environment, and not only is it transnational, it is also diffused. It is deep. It is empowering people down the way. It means a mistake by a corporal is now a strategic mistake rather than a technical mistake, and every office in the country, there is somebody in your institution who, if he commits an offense that would have committed fifty years ago would not have affected the strategic outcome of your private industry, it will now have a strategic effect in it. And thirdly, the third characteristic, it is changing by the second. So if we go to slide three, please, here in the home of a renowned legal establishment in Georgetown, I have to warn against what I regard the trap of legalism, not because I don’t believe in the rule of the law. I do. I’ve been a legislator for many, many years, but because I believe that there is a subversive effect of the cyberspace environment which renders all of our inherited laws, institutions, culture, and even diplomatic relations between countries impotent to a less or greater extent, and unless we get the profundity of that change, as leaders in industry and in government, then we’re not going to find the focal point around which we can build international collaboration. Changes to historic circumstances create a disjunction between the inherited coucher laws, institutions, and methodology in the way that they did, for instance, when new forms of conflict gave us the crisis – and I call it a crisis – with the Geneva Convention regulations because they assumed a defined war between defined parties lasting for a defined time after which we would have defined arrangements


and defined release of prisoners and everyone would go home. We’ve seen the inadequacy of that, which raises the huge problems surrounding Guantanamo Bay, surrounding control orders in the United Kingdom. Similarly, the cyberspace environment renders all of our old methodology more or less impotent. It doesn’t mean to say we shouldn’t be patching up technologically, it doesn’t mean to say we shouldn’t be trying to patch up legally, but it will not give us the central focus in order to get collaborative alliances of likeminded people. The law in itself is no challenge by a transnational environment populated by nearly two hundred sovereign bodies, states, and IGOs, intergovernment organizations, therefore have a five-byfive legal array to contend with in peace and war. This rests, in our assumption, on four western schools of jurisprudence and various states of obsolescence – classical, natural, Marxist, and positive jurisprudence all are weathering – but the ideals of normative justice in which we operate in our legal system mean nothing to rising powers elsewhere in the world, and yet we’re dealing with a transnational phenomena where countries far away from the United States and the United Kingdom and Europe will be empowered by the new cyber environment. So what I do today is not in any way to criticize attempts through conventional methodology to address this problem, but I do warn that it may lead us into a trap and a bit of, if not a cul-de-sac, at least a very, very long road. And I remind you it took something like sixty years to get the START Treaty on strategic weapons, and that involved two


major players, not four billion. So you can see the difficulties of getting a treaty or a law or a coucher by diplomatic means by using the old methodology. So I believe that we need a more realistic and fast evolving way of doing this, and introduce two things. Next slide, please. The concept of resilience to crisis owes its heritage to earlier understandings of networks in the national security communities, including that in the United States primarily and the United Kingdom, not least on the idea of net assessment. I want to introduce that in the briefest terms. There are two things I want to say. Crises are not catastrophes. Crisis properly defined are turning points for good or for bad; that is the Oxford Dictionary definition of a “crisis.” And secondly, resilience doesn’t mean bouncing back. Resilience has to mean the enduring power of a body or bodies for transformation, renewal, and recovery through the flux of interaction and the floor of events. I’ve got it up there from the Palgrave Dictionary. I agree with that, not least because I helped draft it from the institute. [Laughter.]

RT. HON. LORD REID OF CARDOWAN: So it agrees with my prejudices. But the important points about it, “resilience” is not an engineering definition. If we only bounce back during and after a crisis to where we were before, we will not keep pace with the innovation that is in the hem to the new cyberspace environment, and therefore learning becomes the important thing, and together these two ones produce a

concept for an environment that faces incessant change. Next slide, please. The power of that concept becomes evident by developing doctrines to accelerate learning, avoiding the perils of misperception and self-deception. The military people here will know what doctrine means, and the jurists may know what it means, but let me just explain for those who think it means doctrinaire. It means the opposite. By “doctrine,” I mean a set of flexible, pragmatic, and empirically based gating principles to shape a response to unanticipated events or phenomena. Doctrines are used by, but not the monopoly of, the military or jurists or strategists, and the idea of the doctrine is critical to enabling collaboration when incidents cascade and mutate in cryptic combinations throughout networks. And here’s the point: declared doctrines, that is, the development of a doctrine which is declared openly, would facilitate not only the domestic discussion around some of the issues, which obviously differentiate and divide opinion in the United States, but also bring together capabilities across coalitions, perhaps in the first instance coalitions of the likeminded. It would not only be a speedier form of international collaboration but also the possibility of much more rapid coalition building than has been present in the last few decades. So in closing, I’ll just mention quickly three characteristics of such a doctrine. First, an environment beset not only by known risks but by uncertainty, decision-making has to be distributed so as not to overwhelm and discredit would-be competent authorities. However, inasmuch as distributing

International Engagement on Cyber 2012

risks and decision-making as virtues, assuming competencies will organize is rash. Doctrines enable the learning of competencies. Two, while decisions need to be taken rather than contemplated, decisive actions needs real capability options, and the acquisition of capabilities is evolving at colleges of competencies and technologies can be better organized and more productive, but few bodies – states, firms, NGOs – will be self-sufficient. That is why we need to do that together right across the international community and right across the sectors. And finally and crucially, the most important of the lot, underpinning all of what I’ve said will be the capacity for innovation. Decisive action, even during crisis, only buys time to learn. Unless the capacity for innovation is brought to bear in any incident, the likelihood is that there will be no option but to take a more costly turn for the worst. Time for learning must not be squandered. Innovative entrepreneurial-driven change is one of the essential features of the cyberspace environment. Anything which impedes that – and there were some references earlier on to that – is, in my view, something that ought to be looked upon very carefully indeed. Anything that enhances entrepreneurial innovative thought has implications for the way we recruit people in the public sector, has implications for whether we should subsidize big industries or small-medium size industries, in other words, one or two persons, to allow them to flourish, to success or to fail quickly, so they don’t turn itself in the concepts has always practical implications. But my contribution today is basi-

[ 251 ]


INTERNATIONAL COLLABORATIVE RESPONSES TO CYBER INCIDENCES

cally to say unless we get that conceptual framework, I believe that if we go down the road only of treaties, only of bilaterals, or only of the delusion of an international law which will be cope holistically with the cyberspace environment, unless we put something that places as a focal point for that collaboration, we will minimize our chances of succeeding. Thank you, Michael. Cheers.

PEIRAN WANG: Thank you very much. Today my presentation including subsections, one is China’s magnification of the cybersecurity. On cybersecurity, in China it was put forward in the 1980s. The first book is the left. Its name is – the title of the book is Information Warfare. The author is Mr. Shindaiwa, who is a military officer in PRA. The second is Restricted War. The cybersecurity is the objective of national strategy in China. There are two official state documents. One is the State Information Development Strategy from 2006 to 2020. It was ensured by the China Communist State Party Central and State Council. On the cybersecurity and development in China, China government leads two kinds. One is capability; one is institution. From the institution, we can find there is almost about sixteen departments that work the cybersecurity, meaning IT, Ministry of Information and Industry Department and Ministry of Public Security and Ministry of State Security, even the military, but there is no arrogance to prove China has transdepartment magnetism beyond cybersecurity. So I think maybe it’s completed the management of mechanisms, that China has no current strategy under the policy. It was ensured by the twelfth 5-year plan on the national defense. China’s government still attached the importance of cybersecurity, not only civilian but also military. On the civilian, the capabilities, one is warfare, which is a military one. The other is enhanced information-oriented co-capability based on the other ones, the ones that reached the development and the manufacture. What’s the cyber threat from China’s perspective? One, the most important involves the military, especially the Revolution of the Military Affairs. The other includes the computer virus and cyber attacks, spam, system, and the cyber espionage constitute a threat to the national security. On how to realize cybersecurity, one is the construction. The construction involves the security system. The other is master the core technology. Between the technology you get from China and the western world, China’s concerns are since the western world masters all of the technology, once they take advantage, the technological advantage to conquer China’s cyber, it’s very dangerous for the national security. So sorry for the technology.

[Technical interruption.]

PEIRAN WANG: There is an interview from the PLA Daily in this library, the Professor Zhang Yongfu. The core technology is monopolized, especially involving the national and the military security breach, which cannot be imported or bought. Hence, we must build robust basis of core technology with our intellectual property, master fate in our hands. Who is the professor at PLA Information Technology University and the National Information Committee? In China, we cannot fight a law on the cybersecurity. Even this March, Mr. Xu Long, Deputy of the National People’s Congress – he is the president of a Guangdong Company, China Mobile. His solution is InfoSec law should be based on the clarified speculations, including legislation aim, sphere of application, InfoSec concept, scope, supervise administration, protection for system computer information, Internet information service, e-business security, information gather and the utilization, and legal responsibility. Under the department related to the cybersecurity, comprehensive is the Ministry of Industry and Information Technology and Ministry of Public Security. The second is called [speaking Chinese language]. The specific is so many. The Information Office to the State Council, Ministry of Culture; the State Administration of Radio, Film, and Television; Ministry of Education, Ministry of State Security, and Administration for the Protection of State Secrets. This is the national public cybersecurity incidence response system. We can see the top is MIIT. On this system, we can see the leadership is MIIT, and there is a – who leads the CNCERT. And the Ministry also promotes from the official website. We can list the function of the MIIT and the Ministry of Public Security. On the legislation of China cybersecurity, we can trace to 1994. I think the current fragile cybersecurity in China is the transdepartmental mechanism. The other is from the cyber nationalism. There are negative agendas to China’s participation in international cooperation. One is China’s cyber nationalism and China’s concerns on the cyber technology. China’s diplomacy respecting sovereignty and no intervention and on the international cooperation, China has some dilemma. One is how to find the solutions in line with international practice and its specific regulation. For the reason of international affairs and the international incident, China’s hike will be inspired by the nationalism to launch the reaction foreign website. There are two books on China’s nationalism. One is China Can Say No. The other is China Never Lost In Cyber War. It’s very popular the profile on the China cyberspace. It’s means “angry youth.” The cartoon is – there is the profile. One sentence is, “Fighting with U.S., I contribute one month’s wage. Fighting with Taiwan, the salary is one year. Fighting Japanese, I contribute my life.” In more recent, China published a paper, a book, on China Is Not Happy. It’s very nationalism. At the same time, there is a counter-viewpoint to be published in the other book, Who Are Unhappy in China? And I think there is so many diplomacy taboo for China on the international cooperation with the international community. And China’s concerns on cyber technology. Almost all of the Chinese experts are concerned with the cyber technology situation. And just an aside, Professor Zhang Yongfu, on China’s dilemma. On the Chinese, it’s well known in China, there is an international blog in China, and it’s on the concerns of most of state. Why? Because Chinese did not find a way to keep the social stability and protect the speech of freedom. I think in the recent five years, this problem is a concern by all the related stakeholders. In Brussels, in D.C., I asked some experts, “Could you tell me, do you have the evidence to support your argument that China launched the related events?” They cited only one IP address. I lost myself. Okay. I’m so sorry. I think if really it happened, it’s demonstrative, China’s technology level is backward than the western colleague, because you can track as if you’re on the bus, your pocket was stolen, and the thief was caught red-handed. What happened?

GEN. MICHAEL HAYDEN (Ret.): I don’t know, but perhaps the other folks can present and then you can continue.

PEIRAN WANG: Yeah. I’m so sorry.

GEN. MICHAEL HAYDEN (Ret.): No. Thank you very much.

PEIRAN WANG: Thank you.

GEN. MICHAEL HAYDEN (Ret.): Thank you.

[Applause.]

GEN. MICHAEL HAYDEN (Ret.): Gavin?

GAVIN REID: Luckily I printed. I did a non-cyber thing, I printed out my slides here so I can actually see them as I present. [Laughter.]

GAVIN REID: A couple of things that came out of the last commercial session that I wanted to highlight, and one of them was talked about here, a couple of things that Bob Dix said. First, he mentioned that we’re really not successful in the private-public information sharing, and I’ll give you one. You know, I run a large incident response team, and I’ll give you one anecdote from that, and that’s that during what McAfee called the “Shady Rat” incident, which was purported to be from China, where there were hundreds of different – very broad-based attack, hundreds of different companies, private sector, everyone seemed to see a little bit of action from that particular activity, we and many others in the industry noticed it from the very beginning, but we were hampered by classification levels of any level of sharing, at least initially. And then when that broke down, when we could actually share information on that attack, we used the public-private mechanisms that were available to us, but we found that that still didn’t really stop a whole lot of people getting hacked. So I think that there is a lot of work to be done in that area and there is a lot of work to be done in the ability to operationalize intelligence. And I think if I could think of one thing that we need to do in that area, and that’s kind of what my talk will be about a little bit, and that’s we need to care a little more, we need to resource it a little bit more appropriately for the type of activities that we’re seeing. Can I go to the next slide? So I’m Gavin Reid. I lead Cisco’s Computer Security Incident Response Team. So I will provide you today a perspective that I got from the last decade of fighting on one of these cyber battlefronts. I lead this and have done investigations and lead probably one of the most connected and attacked companies in the world. I spend my day, day in, day out, working on issues when the best laid plans of mice and men go awry, when we’re not actually seeing things like they ought to happen except when they’ve been hacked. And I found that faced with fast-moving hard-to-understand problems, humans have a tendency to overthink things, and they have some not-so-smart thinking. They have some sort of panic thinking, and Bob kind of mentioned this as well, and they tend to want to look for magic solutions. And I bet in that old day of looking at piracy on the sea, there was a lot of mysticism, a lot of things that actually didn’t really help that were used to try and protect against what people really didn’t understand. I would say that the whole cyber problem today was both predictable and natural; right? We have countries with areas of large concentrations of wealth and others with less. And my company is a lot more than Bob’s, hopefully that will help connect these different areas. We created one of the most permeable membranes ever made, the Internet, and we connected cash with criminals, spies with secrets, activists with issues, and the world stage as their backdrop.

Next slide, please. So it’s time we have a serious discussion about our expectations for computer security. We want push-button security. We want to replace IT headcount with technology, set it and forget it. Next slide. So vendors such as – and I’ll take blame here, such as myself – have been happy to sell magic robots that can come in, sit on autopilot and kill all kinds of bad stuff without human intervention, just like this Airsoft Roomba. Some of these technologies in fact can be very effective: antispam, antivirus, web security, can chug along, do their thing, firewall is another good one, independently very good at improving weak security postures. They target the same problem that everyone has, and they’re able to do so by virtue of the fact that everyone has the same basic security problems. The same spam gets blasted at everybody, the same ad servers are used to trick serving malware that whoever comes across it. We’ve become overreliant on technology when it comes to managing security and interpreting threats. With security technologies that we deploy, they are very, very effective at common problems, but they don’t do so well at detecting human-led multipartite attacks. Next slide. So let’s go back to 1987 and the movie Robocop. So in this case, the police office of, I think, Detroit was replaced or potentially going to be replaced with these automated robots. Now, the famous scene in the movie is where the bad guy gives a demo of their new robot. The bad guy in the movie gives a gun to an individual and tells them to pull the gun on the robot, a robotic cop springs to life and orders the individual to put the gun down. He throws away the gun, but the ED209, or automatic robot, keeps counting down, and everyone in the room panics, engineers frantically tearing apart control panels. And ED209 shoots him anyway. What went wrong? They treated that tool as a replacement for a human being instead of a tool used by a human. It’s difficult to make a machine that can correctly do the reasoning needed to handle complex situations. I’m going to say that push-button security solutions often fail the same way as ED209 did. We set them on autopilot with factory default settings and expect them to handle our hard problems. Next slide. What automation can do very well, though, is a force multiplier for your security teams. It’s very well suited for gathering data about what’s happening on your network, it’s very well suited for executing repetitive tasks that your security team needs to do. Automation can be used to create an iterative security process, and out of the box many of these tools will get a lot of the common known threats. Automation is great when it extends your human reach, not replaces it. Next slide, please. So an idea here is that automatic security tools won’t really ask or answer the right questions for you. And I maintain the cyber problem really isn’t all that complex. What we want to do is rigorously protect the important stuff. So we don’t need to protect everything. We need to decide what is important, right? You could put it akin to your wallet. People, if they’ve got their wallet, they put all their money in there, and they stick it in their pocket, and if they’re working in a bad neighborhood, they may put their hands in their pocket as they walk there to make sure their wallet is there. So work out what your wallet is and protect it. Rigorously protect your important stuff. Ensure for the important stuff you have good attribution and have people, not magic boxes, checking the efficacy of all that. Next slide, please. So a common question I’m asked on this is: How do you train people to be a security expert? And the short answer to that is you can’t really, right? We’ve found that IT expertise is actually more important for our investigators on our team than hands-on security experience. We recruit the best and the brightest from IT knowing that they will know how things work normally, and if they know how things work normally, if they know how applications work and networks work, then they can understand when they work abnormally, they can pick it out. And also they understand what the impact of their decisions are. If they ask an individual to do something, what that business impact might be to the company. One issue for us here in the United States is that IT, as a career, has become partially devalued, right? We don’t have our best and brightest going into IT with long-term career goals anymore, and that’s partly due to that same interconnectability that the Internet provided. Next slide. So have we been any good at doing this? I can only use my company as an example. Like have we actually put the resources and people into place to do this effectively? So using Cisco as an example – I can pick on us – we in the physical world really get security. The humans have got that. It’s pretty easy. They understand it. They don’t want to lose their wallet; they want to leave their wallet in their desk during the day and come back and find it’s still there. And so what we’ve done, we have 574 buildings at Cisco across the globe, and we have staffed about two thousand people to manage the physical security of those buildings. Now, if you compare that in the cyber area, we have conservatively about a quarter of a million endpoints, and then conservatively as well we’ve got about two hundred people working on cybersecurity at Cisco. And I talk to other CERT teams all the time, I’ve talked to most of the Fortune 50 and a lot of the Fortune 500, and I would like to say that Cisco is an anomaly, that we’re really bad and everyone is really good, but unfortunately we’re at the leading edge of where we’ve seen investment in this area. Next slide, please. So don’t get me wrong, a network that’s protected only by automated security products is a lot better off than nothing at all. Left to their own devices, most automated security tools will find many basic attacks. The problem is, is that these are simple attacks and they’re attacks that really no smart hacker would use. So to recap, the problem really isn’t all that complex. Verizon just released in their report, 97 percent of the reported cyber attacks could have been forded with easy controls. Understand where automation ends and people begin; look for tools that extend your team’s reach, not replace them, and use automation to fight automatic attacks; and use people to protect against attacks from sentient human beings. So thanks, everyone. I’ll leave you to look at this picture and work out if you can tell me what’s wrong with it. [Laughter.]

GAVIN REID: Thank you. [Applause.]

JAAN PRIISALU: Thank you. Hello, ladies and gentlemen. I am Jaan Priisalu and I’m coming from Estonia. And in 2007, I was the head of the IT security of the biggest bank, but starting from 2005, inside the bank with the security team, we were able actually to halve each year the loss of cybersecurity or stealing from the bank, and so we went to zero and I went out of business. [Laughter.]

JAAN PRIISALU: So now I am the head of the agency that is responsible for our national cybersecurity. And the other thing, what we do in this agency is also developing and running the backbone of the online government. And my message to you today says that we should use this technology to automate and to save our reaction time and try to fit in into twenty-four hours until we touch this person who is doing the crime. And when we see also why in Estonia the cybersecurity is important, in 2010 with this agency, we made the audit of the critical information and found out that 95 percent of critical service providers are depending on the IT. In one-third of those the dependency was critical, and in 10 percent of cases they didn’t have fallback. So if IT drops, we will lose those services. That’s it. And what does that state about this? You can say that economic prosperity is quite clearly important to people, and we have very big neighbor who is definitely ready actually to offer the administration service when our own government fails. So we are playing really with this nation. And why I think this is, is my personal experience. And related to the U.S., I can bring also two examples. One is this rogue digital that was recently sold when Mr. Tsastsin was brought – he’s going actually to be extradited today to the U.S., and it actually began a long time ago. And then what he did was really actually running the domain name service for the Russian Business Network, and it took really seven years. Another case, actually in this worldwide case in Atlanta, the response came within twenty-four hours and this guy was caught right away, so he didn’t actually have the time to clear his traces. And what we have seen also in the response to the cases is that all the things should be used in the proper places. Like the CERTs in Estonia, what we use those CERT channels for verification whether we have a case or not, whether there is reason actually to use the law enforcement process because the law enforcement process is really expensive thing. So there is a point actually. Where is the borderline where you cannot actually continue with a CERT-level investigation? It’s personal data. If it touches a person, then it goes to the police. And I really believe that in this automation, we can actually build this, try to make out those kind of area gaps between the people. Now, today people are talking about the bureaucracy, building the big databases where the things are actually hidden. What I’m saying is simply let’s start actually from the signing of the official documents digitally and sending them and making the obligation for the people to accept those instead of the images on the papers. Let’s make it more secure and automated. And I really believe that we can bring in the technology, and it works. In bank, we were able to find out with the technology the organizers of the denial of service routinely in seven hours. So your own infrastructure is your best, I guess. You cannot buy these ideas from the market, no, what has the same quality as your own infrastructure. And also with officials, we went to the level that we knew actually three days before the actual phishing campaign started. So it is possible. Thank you. [Applause.]

DR. GREGORY RATTRAY: Greg, you and I talked before we began that we would probably have a pretty wide-ranging discussion, but your task would be to pull these threads together at the end.

[Laughter.]

GEN. MICHAEL HAYDEN (Ret.): Yeah, so there will be no loose ends when I’m done.

GEN. MICHAEL HAYDEN (Ret.): Okay.

[Laughter.]

DR. GREGORY RATTRAY: First I want to thank Catherine probably on two levels: first, for inviting me and having the opportunity to speak, but for the yeoman’s work she’s performed over the last couple of years to pull this conference together. You know, my remarks come in very last at the end of a very full day. I will try to be pretty brief and avoid sort of repeating others since there has been so much that’s gone before me and some of my key points have already been stolen even on this panel.

[Laughter.]

DR. GREGORY RATTRAY: One of the things that I find challenging in my experience both in the U.S. Government – and I had the opportunity to serve ICANN as their Chief Security Advisor for a few years and I work a lot now with global companies – is in America and in Washington it is hard to be an international thinker. I laud everybody that is spending their time here today, but essentially if we mean that this is a global environment, we’ve really got to do some of the things that General Hayden noted and get out of the notion of Westphalian sovereignty to do some of the things that are necessary. I also do believe, from my Air Force experience, that states will continue to compete, and there will be things that continue to occur in the environment that will be state based. So I like the word “global” instead of “international” for the reasons that both General Hayden and Lord Reid highlighted, which is it’s not all about governments and their interactions, and nations and their interactions, but the private sector is essential, this has been much remarked upon, noting Andrea Rigoni’s comments. You know, in Italy, it’s U.S. companies, but they’re not U.S. companies, they’re global companies. If you go to the leadership of Google or Microsoft, you know, they do not think of themselves, while they have certain legal restrictions for certain organizations, they are global companies and they are serving a global audience. I want to note Microsoft has a global security strategy and diplomacy team. Right? That’s an interesting concept, that diplomacy is being conducted by a company, but if you think of Microsoft’s impact in this area, its impact is much larger than most countries or national governments in the globe, and I think their role in the diplomacy that attends collaboration – and I’m going to turn to collaboration here in a moment – is very important. The other challenge I think that Washington and the United States has which has been a powerful enabler of the country’s success over two centuries is its legalism. Our separation of the private sector from government proves very challenging, as has been discussed all day long related to getting the necessary collaboration because of our concern over things like antitrust and other aspects of how we separate the state from our private companies. Our ability to compete in cybersecurity is going to have to deal with that because in other areas of the globe, I observe a much more natural collaboration, Estonia being a prime example, but the United Kingdom, the Japanese, the Germans, that around the globe on cybersecurity because they don’t feel as bound up by the rules that may inhibit that interaction. So I would sort of note that as a fundamental challenge particularly for the United States. I did want to talk a little bit about collaboration, as the panel is about international collaboration. Collaboration is essential being that it doesn’t even function without collaboration. If you think of the nature of this distributed global network activity, this cell phone, when I go to a website, is interacting globally when it does that. The operating system is key to use a routing and a domain name system where pieces of that infrastructure are located all over the globe, and bits and bytes are traveling globally instantaneously. The governments enter into this with rules and regulations, and when there is malicious activity, the governments may enter in with the activity of law enforcement agencies and our national security agencies, but to great measure the private sector, at least in western countries, controls the operation of this very complicated system, and it takes a lot of collaboration.

How many people in the room know what the North American Network Operators Group is? And just sort of raise their hands. [Show of hands.]

DR. GREGORY RATTRAY: So

20 percent maybe? That’s probably optimistic in terms of the number of hands raised. That is a collaborative group of the network operators that just make sure the routing and other sorts of things that hook the network together function effectively. When things like I think many of you probably know that there was sort of a routing injection from Pakistan related to YouTube that had a significant disruptive effect on the global network for a very short period of time. Because of the informal collaboration in groups like these network operator groups that allowed them to know each other, call each other, figure out which routes were injected the wrong way and reroute traffic quickly, and these network operator groups basically exist in each region of the globe. I note this because this sort of effective sort of instinct to collaboration that exists of the operational level of the people that run the networks is something we need to leverage. Right? And I’m going to note a few examples of collaboration that I see effective globally, or at least between sets of nations and then talk about what’s good about that and a little bit about what’s bad. So first I wanted to note the botnet takedowns, which Melissa and others have described. I think this shows both global law enforcement cooperation, but I know that the Microsoft team that brought some of the suits also collabo-


PANEL 4

rated with university researchers and other security companies so that this was a very collaborative effort to characterize what was bad and get the legal basis for action, including internationally. So I think those sorts of things are important. I do this with some trepidation with Jaan sitting beside me, but the Estonian ability to handle the attacks back in 2007 was largely empowered by the serendipity that the regional European network operator meeting was happening in Thailand at the same time, so all the guys that needed to sort of turn off traffic from the botnets that were attacking Estonia happened to be in Thailand and could talk to each other and block that, and that was basically a

International Engagement on Cyber 2012

there eventually atrophied in terms of the spread of that worm, but I will note that we did have an effort, an effective effort, to reach out to the Chinese and the Chinese network center that runs the “.cn” domain name system quickly came online and was a collaborator in that network. And then I think probably the last sort of effective collaboration I’ll mention is this is sort of one that won’t get a lot of press because something bad didn’t happen, but many may know that Anonymous threatened to try to take down the root server system of the domain name system on the 31st of March. In the weeks prior, the not very transparent group of guys, called the Root Server Operators, all got togeth-

The Estonians are a model for... the natrue of the public-private coopration that’s necessary. private sector led activity. I think the Estonians are a model for, with their cyber defense and other activities, the nature of the public-private cooperation that’s necessary. I wanted to mention the fight against the Conficker worm, which had its successes and its lack of successes, but this was a worm that was going to use a domain name system to propagate. The domain name operators managed to block across 110 different countries the propagation of that worm for a period of time until given the nature of cyber threats it started to propagate by a peerto-peer mechanism as opposed to a use of the domain system as a mechanism, and the collaboration that was effective

er with their informal network. The weaker portions of the group were massively upgraded with tens of millions of dollars of just-in-time investment, and there was no problem. I actually think there wasn’t a significant attack, so what I want to note, however, is unbeknownst to many that some of these network operating collaboratives do act very effectively to deal with some cybersecurity threats. And believe me, I don’t think the cybersecurity landscape is getting nicer, but what I wanted to note is sort of a couple of good aspects of this sort of ad hoc private sector led collaboration and some of the challenges and where governments may fit in. First,


these guys run the network, they can adapt and change the technology in real time in a way that governments don’t understand how to process it through organizations. And I could name names in the U.S. Government national security community. I imagine it’s similar across the globe. They also naturally reach globally, like I’ve noted. They’re not bound by the fact that any communication with the Chinese or the Iranians has to go through many layers of bureaucracy, they just pick up the phone to the guy that they know from the network operators group or the ICANN meeting and they talk to those guys and they go, “This is bad, you guys should stop it,” and that actually happens fairly often. What’s difficult about these things – and this gets to really the role of government – there is a lack of accountability. So if you run National Security Agency – and General Hayden and others can comment on this –

[Laughter.]

DR. GREGORY RATTRAY: – you know, or you’re in the White House or on Capitol Hill, you want to give the American public some sense of control over the nature of security in this environment, and these public sector collaboratives don’t necessarily give you a lot of transparency into why things keep functioning reasonably well. They also many times lack the sort of sustainment and resources necessary.

So I will try to conclude quickly. There is where I think government can effectively collaborate with some of these groups. The government role is enabling. There is an important, not polarized, but vigorous debate about the role of regulation. My sense is let’s empower and enable first. I use regulation in a very light-handed way, if necessary, but that you should be trying to permit good activity first, because if there are barriers in the way of that, those are the first ones to take down, and at times put resources into some of these more effective private sector collaborations. Government investment and the private sector’s ability to do this, I actually think it will be money very well spent in terms of a few million dollars would go a long way compared to some of the – you know, the DOD information assurance budget is estimated at $7 billion, and that’s only a small portion of the government’s investment in cybersecurity. The thing you get back from it, if you’re the government, is some transparency. If you’re investing, you can ask for some insight into how they’re doing, as well as I think you need to get more measurement, and we need to have better metrics around the degree of cybersecurity and who’s contributing to those things.

So the other thing I think we need to do is draw these guys in. The environment is extremely messy. Sometimes these operators have the best understanding of when bad things start to happen. There is stability and crisis management theme that’s run through a lot of the remarks today. I think the ability of the governments to draw on these collaboratives to understand whether something is sort of an anonymous non-state motivated, you know, cyber dissonant attack versus this is the activity coming out of a nation-state, and the example that comes to mind is the events surrounding the botnet


attacks that are attributed at times to North Korea in the July 2009 timeframe. I think we’ve got to worry about stability and crisis management, and governments do need to figure out the right way to draw widely but not disable some of these collaborative activities. So with that, I’ll conclude my remarks. And I think, should we open it up for questions?


GEN. MICHAEL HAYDEN (Ret.): Thanks, Greg. Thank you very much.

[Applause.]

GEN. MICHAEL HAYDEN (Ret.): I think because of the size of the panel, Catherine has given us until about ten after six for folks to ask questions. So I would ask folks, as questions occur to them, to appear at the microphones, and we’ll entertain any and all comers. While we’re waiting for that, I think we’ve succeeded in scoping the problem here – it’s hard – and we’ve laid down a few markers as to what might be some of the contours of a way forward, public and private, and perhaps not overemphasis on governmental solutions and so on. Boy, there are a million questions that come to mind, but the one that strikes me that might be useful is: Where do you think the next useful conversation takes place to move this forward? I mean, let me give you one and reject it, all right? When we get into a crisis regarding nuclear weapons in the Persian Gulf, somebody calls a meeting in New York – all right? – and gets 168, 170 of our best friends together to discuss it. Obviously probably not a good venue for this. But given what you’ve suggested about what governments can and can’t do, how some of the cooperation that’s essential appears almost spontaneous from the outside, if not so from the inside, the importance of the private sector, where is the next place where folks, serious folks, get together to try to make more mature some of the ideas that we’ve laid out here? And I’d welcome any comment.

RT. HON. LORD REID OF CARDOWAN: Well, I suppose we’ll all place our bets.

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: I think, first of all, the worst time to do it is when we have a crisis. So if something occurs in the Gulf or somewhere else, you get lots of politicians will immediately call lots of conferences and they will come together and there will be sort of innocent reactions. It follows logically from what I said, according to my views, that we have to do a lot deeper thinking about the question of the intellectual framework, the principles on which we establish strategy doctrine and so on. If I could pick one, I think – and I’m not, obviously, a member of the conservative government, but I think that William Hague’s initiative last year in London was worth doing. What came out of it was a lot of practical things regarding international collaboration; for instance, things like I don’t know if you have an equivalent here of what we call Yellow Pages in United Kingdom. It’s where all the local tradesmen are – you know, so if you need a plumber,


you where to phone; if you need a cab, you know where to phone. If you were the subject of a cyber attack, who would you phone in Britain? You know, if you suspected France, for instance, just to unite everybody –

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: – if you suspected France or someone in France was cutting a cyber attack, I would know that you phone the prime minister of France because they have actually given him overall responsibility for cyber issues. It could be any one of six in Britain, and, I mean, that is not my words, that’s the words of the Minister, who was asked this question at the London conference. So actually the establishment of points of contact at a very simple tactical level, things like that came out in the London conference, but more importantly, Mike, the thing that came out of it was William Hague saying, “Look, I think these are the seven principles on which we should base international discussions and collaboration.” I’m not saying they were the right principles, I’m not saying we got farther down the road, but I think it was the beginnings of a discussion. It will be obvious from my prejudices, I do not think that you will get a treaty. Treaties are fine. I do not think you will get a legal international transnational legal solution for the reasons I explained, although you will get in the areas of the past convention and others. Everybody is against pedophilia, so you will get into areas like that. But dealing with the problem holistically, the establishment of principles, and from that, the openness domestically to discussion, and internationally to discussion, through the formation of doctrines, and I think the nearest I’ve seen to is the follow-up conference, the London conference, which I think is in Budapest this coming year; isn’t it?

ATTENDEE: Yeah.

RT. HON. LORD REID OF CARDOWAN: Sorry.


GEN. MICHAEL HAYDEN (Ret.): Gavin, if we construct this magic Rolodex of points of contact, kind of the Yellow Pages for cyber events, would you confine the individuals, the points of contacts, to governments, or would you put international entities in –

RT. HON. LORD REID OF CARDOWAN: I should have made that clear. Sorry. That conference, although it was convened by a politician, included academics, institutes, I think Cisco would have been there, and the private sector as well, and nobody had to commit to anything in advance.

GAVIN REID: Yeah. It really gets to – INTERPOL does now twice a year a really good private-public sector partnership. It is an invite-only one, and it’s really driven been by law enforcement’s need to collaborate across the globe, and so various law enforcement departments that find that their bank has been broken into and stolen by people in a different geography find that they need that construct, and that need is actually pushing – you know, it may be the tail wagging the dog, but it’s actually pushing these sort of agendas and these



relationships that are much more effective than theoretical ones that are talked about but not really enacted. So maybe the two shall meet at one point, the sort of operational and the legislative. And, again, I’m not even sure that that’s what’s needed at this point. I think that kind of misses the point. Really what we need is people to care a little more. When they care just as much as they care about physical security, then a lot of these problems go away. It’s not like we need some magic legislation to fix it. And certainly I’m a big proponent for letting prosecutors and district attorneys be able to prosecute crimes. I’m not a proponent at all for legislation that locks us into an outmoded model of trying to protect things that quickly gets lapped by the adversary. So I’m not sure that that conversation needs to happen as once. It’s going to happen across many points, and it’s going to be driven unfortunately to Lord Reid’s remark by necessity and need and people losing money.

RT. HON. LORD REID OF CARDOWAN: I was struck by the comment in the last session, the government’s focus on process, their measure of merit is, “Have you followed the process?” when the private sector moves forward.

RT. HON. LORD REID OF CARDOWAN: I just did not agree with that at all. Yeah. You know, governments are bureaucratic. God knows I condemned my own department when I took over as Home Secretary. It put it out there publicly, I thought it was so bad. By the way, private companies aren’t brilliant either.

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: So let’s get rid of that. But the key difference is the one that was mentioned here of accountability. You know, on questions of protection of privacy, protection of security of individuals, the government is what the people that are looked to, and in democracies, you have to be open and transparent and accountable. I actually think ministers have two careers. One is doing what is necessary, and the second is for the next ten years answering inquiries about why you did it.

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: And I’ve done one in Iraq, Afghanistan, Rendition. There is one in the Leveson Inquiry coming up, but that is a measure of accountability, which is not the same as a private company has. So that is why people say, “Now, we’ve got to think this through, we’ve got to take it.” Added to that, yes, as Scott said, there is a bureaucratic button because nobody gets sacked for saying no. I mean, have you seen the British television series called Yes, Minister? Yeah, well, it’s not a comedy, that’s a documentary.

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: So there is an element because we expect civil service in Europe, not so much here, when ten thousand people leave when the president comes in. Over there, when I left, four people left with me. You know, when Michael Chertoff left, it looks as though the whole Homeland Security Department left with him and joined Chertoff.

[Laughter.]

RT. HON. LORD REID OF CARDOWAN: But because the British civil service and European civil service, they have to provide continuity, so asking them to do radical change the way that people whose whole life and instincts depend upon it in the private sector is very difficult, but we also bear the legitimate button of accountability.

RT. HON. LORD REID OF CARDOWAN: Thank you. We have some questions. Sir?

ATTENDEE: Yes. Well, Lord Reid, I really enjoyed your framing the question with the transnational. It seemed to me that you first dismissed the possibility of collaboration, and then with your doctrinal approach, laid the framework to develop it, you know. So I just wanted to inquire as to what sort of an architecture are you thinking in terms of this transnational kind of approach down the road? I presume you’re not dismissing it entirely out of hand, but you’re looking a few years down the road as a possibility for this kind of thing. So that’s kind of –

RT. HON. LORD REID OF CARDOWAN: I’m not dismissing collaboration out of hand at all. What I was saying was I think the most effective forum of speedy – and by “speedy” I don’t mean tomorrow, but the most effective focal point for potential collaboration was through the development of what we call “doctrine.” That is a series of flexible principles. A) because I think you look at this transnational, it’s wide. You look at the diffuse empowerment of billions; it’s deep. You look at the constant innovation; it is changing every day. And a bit like God, it’s everywhere, and a bit like God, we stand in awe of it and we say, “Well, where do you start?” There are not even three persons to start distinguishing, you know? There’s just this thing out there. So we all go off and we technically patch up and we legally patch up and the politicians politically patch up, but where is the overall conceptual framework? Now, there are several you could aim for. One is an international treaty, one is international law, and for reasons I outlined, I don’t think they will work, yet not in my lifetime, not even my son’s lifetime. I mean not that long. Therefore, I was suggesting the way this could be approached as a focal point, as a handle on this whole thing, is for us to do what we would do if we were jurists or strategists or military people confronted with a series of potentially unanticipated events of new, we would go beyond drills, you know, not marching up and down, that’s necessary, but until a learning process and a doctrinal process, which is not doctrinaire, a set of principles. Once we’ve done that domestically, simultaneously we should be talking to others, perhaps like-minded nations, about the similarities in their doctrine, and it will give us something that is potentially



achievable. Final point. When we got to deterrence, yet we got there because of a doctrine, it was called mutually assured destruction. Now, it was very difficult. It took sixty years for that doctrine to lead to a treaty, the START Treaty. It was nothing compared to the difficulties of cyber, because there were only two parties in it. There were the Soviets, and there was the United States effectively. Now we’re dealing with two hundred sovereign states, none of whom have a sovereignty that has not been undermined, democratic governments as well as Hosni Mubarak, by the nature of the diffuse power of the Internet. So doctrine I was espousing as a form of potential collaboration that’s speedier than any other way I can think of.

ATTENDEE: Well, that’s very helpful. Thank you.

GEN. MICHAEL HAYDEN (Ret.): Thank you. Another question here.

ATTENDEE: Yes, my name is Stanley O’Neal, with the School of Foreign Service. I just had a question. So in the United States, we’ve seen a push with the creation of Cyber Command, and I was curious, the international response that you may have seen to this new command, whether it’s copycats or whether there is pushback on it, kind of the international reaction to it.

GEN. MICHAEL HAYDEN (Ret.): Let me start since I’m on the American side and I was the director of what preceded Cyber Command in Joint Functional Component Command, Net Warfare. It is a remarkable thing – and we talked a bit about this at dinner last night – that the leaders were developing doctrine and how we should think about this. Frankly, within the American government, the leadership in American doctrinal thought right now, for reasons that are probably not accidental, is the Department of Defense. You heard from Secretary Lynn here earlier today. He has the seminal article on American thinking on things cyber, an imperative in foreign affairs now more than a year ago, and I tell audiences the most important line in that whole very good article, the most important line is the one under the title, it says, “By William Lynn, Deputy Secretary of Defense.” It wasn’t the Deputy Secretary of Commerce, it wasn’t the Deputy Attorney General, it wasn’t the Deputy Secretary of Homeland Security, it was the Deputy Secretary of Defense. And so American thought, maybe by an accident of history, maybe by where we find ourselves more broadly, globally, right now, has got a very strong Department of Defense flavor to it. That’s happened in the past.

I compare what we’re doing now with the last great era of globalization, which was European man’s discovery of the western hemisphere, and an awful lot, interestingly enough, of what happened then was in the private sector, East India Tea Company, Hudson Bay, for example, acting a lot like states and having diplomacy, and frankly armed men coming forward into a new frontier. Now, that’s not determinative, I’m just saying that there is a parallel there. And so there we are as Americans. I am really curious, I think this is a great question:


What impression does that make, has that made, in other countries? So we’ll just go from right to left. Andrea?

ANDREA RIGONI: In certain countries like Italy, and Italy is not alone, this insulated at least the question if the Department of Defense in our country should lead cybersecurity. And one of the arguments that they are using is not only the Cyber Command here but also that in many countries, most of the investments and most of the capabilities are in defense. If we look, for example, at the most advanced computer emergency response teams that we find in these countries are in defense, and also another argument that they use is that they are more used to international cooperation thanks to NATO, and so they know how to cooperate on security at an international level. So these are the arguments that I’ve heard.

GEN. MICHAEL HAYDEN (Ret.): Very interesting. Lord Reid?

RT. HON. LORD REID OF CARDOWAN: Well, I certainly have no problem with Cyber Command, and I was interested this morning in hearing the outline of the various four components of it, but it’s also worth adding that of course in terms of lots of cybersecurity, the Department of Homeland Security has been put in charge and also worth noting that the assumption is that they can’t do it without the support of the intelligence agencies, and I have no doubt there will be other elements of the U.S. Government, which I am involved in some ways. So I wouldn’t like to give the impression that my perception is that the only people who are involved in developing cyber thoughts, whether it’s opportunities or security, are the Cyber Command, I don’t have a problem with that.

I would make one point. I think we are at a point in history where security being a hit on the bottom line is outdated, and I’ll tell you why. If I am right, that one of the central characteristics in approaching cyber, the cyber environment, and a doctrine are outside of it, is the need for constant innovative entrepreneurial thought and change, that is also the central principle of economic growth in the modern world. And therefore, rather than being a hit on the bottom line, the fact that that central principle applies both to security and growth should allow it to be a catalyst to the bringing together of public and private sectors and the recognition that in the cyber environment in which we now live, there is no longer the artificial distinction between the two. Opportunity and security are actually related in a way they never were before we got into the cyber environment.

GEN. MICHAEL HAYDEN (Ret.): Thank you. Mr. Wang, the question about cyber command and the Chinese view towards that in the United States?

PEIRAN WANG: I think China’s view on the United States Government, I think at first China has not enough capability to deal with the cybersecurity challenge, and whether from the technology of the capability, it’s even the legislation and the other things, China has enough experience in the technology to deal with it. So I think the



cooperation is more important than the confrontation. But the current, several reports from the USCC and other institute of United States Government, and always China launches cyber attack and China cyber spy. What influences intention of China’s cooperation? And the second, in fact, China was attacked by the cyber is much more than United States, but the same to you. I don’t know why Chinese demonstrated. I’m the weak team. In recent, there is a hack organization that attacked the China government website due to against the China Internet blog, but I think such means will improve China’s further blog on the Internet, because China government has executed for the practical challenge. So I have to adapt to the more conservative approach to deal with it.


GEN. MICHAEL HAYDEN (Ret.): Thank you. Gavin? Jaan?

JAAN PRIISALU: Yeah. It was clear that everybody in the world where cybersecurity knowledge consolidation was going on, so actually this creation of the Cyber Command wasn’t really any kind of surprise. The only surprise was why it took so long.

[Laughter.]

JAAN PRIISALU: Now, it’s quite clear that you have to be – now, what you’re doing in this game is you are building better working collective brain, so it is also clear that somewhere you must actually situate this nucleus and you have to gather those people together to work together effectively. So it was very logical.

GEN. MICHAEL HAYDEN (Ret.): Okay. Greg, the last word.

DR. GREGORY RATTRAY: You know, I think we do need to recognize that others in the globe do see cyber formation of Cyber Command as a threatening development. As a former military officer, the imperative to do it for the reasons that Jaan just put are there. I’m not second-guessing the decision, but the perception globally – CSIS did a study of who’s the most threatening nation right after the formation of Cyber Command, and the U.S. managed to come out number one in that study. So I think the broader question is the militarization of cyberspace – right? – which many – and I am sympathetic – may see as inevitable, and therefore you need to deal effectively with that, but the United States and many of its friends and allies are the most empowered nations by the nature of – by a stable cyberspace that isn’t fraught with crime and disruptive activity, and I think we’ve got to worry about the perceptions of things and then avoid arms racing sorts of phenomena. So I just wanted to put the cautionary note in there that certainly my experience globally is a lot of questions about, “Why Cyber Command? Should we have one, too?” And we certainly see other nations creating similar organizations.

GEN. MICHAEL HAYDEN (Ret.): Great, thank you. Thank you all very much.

[Applause.]


DR. CATHERINE LOTRIONTE: Thank you, General Hayden and Panel Number Four. We made it to the end of the day. So I am going to keep this brief. I want to thank, one, first our sponsors for today because it wouldn’t be possible for me to try to put this together, and, importantly, the speakers and the panelists that stuck with us the whole day, and you all that came and sat here and talked and asked questions and listened.

I was told a long time ago, trained as an intelligence officer, but a boss of mine, George Tenet at the time, told me that if there is something that bothers you or you have some kind of gut sense of something, keep looking, keep asking questions, until you get to the point where you’re satisfied. And so a couple of years ago when we were discussing both – I was discussing with the private sector and the government the difficult questions of cybersecurity, I thought one of the hardest problems would be international engagement on the topic. So last year I convened the first meeting and tried to make it as international as possible, and this year I tried to do it again. I’m still not satisfied. I still think that we could do more.

Each year I become more impressed and certain that we can do more as I meet more and more of the individuals that come here and speak. So I will continue to try to impose myself on everybody and others and bring them again back here to come together and talk about the issues. I hope that with each year and a lot of other things happening in the meantime, that we all, the world of nations, start making progress on some of the difficult thorny issues that have been raised today.

So once again I want to thank everybody, and I actually finished early today. Of course, we skipped a lot of bathroom and coffee breaks, I’ve been told.

[Laughter.]

DR. CATHERINE LOTRIONTE: But we will have a reception. So right after we leave here, I would welcome you back to where the registration tables were for a reception to wrap it up today.

So thank you. Thank you very much.


Georgetown Journal of International Affairs Edmund A. Walsh School of Foreign Service 301 Intercultural Center Washington, DC 20057

http://journal.georgetown.edu

