Cybersecurity and Cyberwar
Authors: Peter W. Singer, Allan Friedman
To be clear, not everyone is pushing equally hard for such a treaty. As Rex Hughes, an adviser to NATO, explains, when one asks the United States and its allies whether they want a cyber treaty, “The official response is yes, we want there to be rules of the road and to apply the law of armed conflict. But unofficially the answer is no—countries that have advanced capabilities want to preserve that.”
There are two main reasons for this reticence. The first is a fear among the more advanced cyber powers like the United States that they will be tying their own hands, while others will then catch up, or even worse, just ignore the new laws. For instance, back in 2009 Russia floated the idea at the United Nations that the use of any cyber weapon by a state be preemptively banned, essentially trying to apply the model of arms control to cyberspace. Setting aside how exactly one would monitor a cyber weapons treaty violation (you can't count malware like you can count ICBMs), there was also a slight problem of bias built into the proposal. Russia has used nonstate “patriotic hacker” networks to conduct cyberattacks and would likely benefit rather than suffer from such an agreement that only limited the state side.
The second reason is the very different priorities leading states have in cyberspace. The United States, for example, views the Wild West behavior as akin to problems in the original American West, as theft and bad guys running amuck with no consequences. They would very much want any treaty to limit espionage that targets intellectual property and guards against attacks that go after more vulnerable civilian infrastructure. States like China and Russia, by contrast, view the Wild West behavior as the Western democracies trying to export their wild values.
Given these problems, advocates point to several parallels for how the international community might build a cyber treaty. Many have proposed the 1967 Outer Space Treaty as a model. Like cyberspace, outer space is a realm opened up by technology, used for all sorts of purposes, and no one nation can claim to own it. The treaty prohibits harmful interference of the peaceful exploration and use of outer space and bans the launch of nuclear weapons from space back onto Earth. A similar approach is the proposal to mimic the international community's regulation of the Antarctic, another realm not owned by any one state but previously at risk of being militarized. In the 1959 Antarctic treaty, governments agreed that no weapons are allowed below 60 degrees latitude south. A cyber treaty equivalent would similarly ban any nation from using weapons in this new global zone.
The challenge with such efforts is that for all the similarities, cyberspace is a different beast than space or the polar regions. Any treaty modeled after them would be difficult to agree to and almost impossible to enforce. While it's relatively easy to track who is doing what in outer space, cyberspace is accessible to all. Similarly, as a virtual world, there is no clear line on a map to delineate where cyber weapons can be used and where not, not to mention that identifying a weapon in cyberspace is quite different from the obvious violation of a battleship crossing the 60 degrees latitude line on a map.
While you can't just substitute the word “cyber” for “outer” or “polar” in these treaties and solve the problem, they still are useful models at a broader level. As Ron Deibert explains, “With those agreements, the aim is less about controlling certain classes of weapons, than it is about controlling expectations and developing a set of principles, rules and procedures, and norms about how states behave with respect to an entire domain.”
The goal of any initial cyber treaty effort should be to establish the basic building blocks, the key rules and values that all responsible parties can and should agree to. While there are clearly deep disagreements, there are mutual interests. All share an interest in making sure the Internet runs smoothly and cybercrime is controlled. Reflecting this, efforts should be made to expand the 2001 Council of Europe's Convention on Cybercrime. This treaty was originally intended to harmonize European nations' approaches to cybercrime, but with the United States, Canada, Japan, and South Africa also signing on, it holds the potential to evolve into a broader framework.
The strategy underpinning all of this has been described by Martha Finnemore, one of the world's leading thinkers on international cooperation, as a “grafting.” Rather than starting anew, adapt the horticulture technique of adding a new plant to the roots of an older plant. Build off of established frameworks and interests to increase your chances of success.
The idea is not merely to add new signatories to this one regional treaty but to expand the scope of international law and agreements. For instance, botnets are a scourge to all (even China, which is often reticent to join cyber agreements; as many as 70 percent of the world's infected computers are in China), and efforts could be made to make building such a system illegal in all countries. To enable this, a global network of the exciting and new national computer emergency response teams (CERTs) and cyber CDC equivalents could be created. This would aid in creating international standards and monitoring information on the health of the Internet and noting any emergent threats. The system would operate along the lines of how nuclear tests are globally monitored or how the International Civil Aviation Organization reduces risks for all fliers, by sharing information and setting common standards.
The plan, writes Jim Lewis of the Center for Strategic and International Studies, is slowly but surely “moving from the Wild West to the rule of law.” The value, though, should not be just judged by how it deals with cybercrime, but also by its knock-on effect on more potent threats. Cybercrime is often “the laboratory where malicious payloads and exploits used in cyber warfare are developed, and refined.” Expanding such treaties and agreements against cybercrime and other related behaviors would be good for everyone, all the way down to individual users of the Internet who would no longer pay that equivalent to a crime tax we talked about in Part II. But it also would have an added security effect against many of the more troublesome nonstate groups and feared cyberterrorists that are harder to deter, who rely on cybercrime as a lab, as they can't afford their own NSAs to build their own weapons.
Taking on the low-hanging fruit of cybercrime would also impact broader security, including even relations between states, by limiting one of the key aspects of offensive advantage, so destabilizing for global affairs. Those tasked with defending advanced networks (such as critical infrastructure operators, defense contractors, and government agencies) have noted that they spend vastly more time, effort, and money addressing generic problems like botnets, spam, and low-level worms that hit all users of the Internet than they do on the APTs that hold the potential for far greater harm.
These efforts are also valuable simply for their convening power. Discussions of seemingly intractable areas can deepen mutual understanding of the differing underlying assumptions and concerns that make them so difficult. They therefore increase the prospect for addressing some of these issues—or at least limit their negative effects—over time.
Grafting might also be the best strategy for tackling the challenge of where campaigns of cyber espionage have morphed into intellectual property theft on a massive scale, otherwise described in corporate circles as “the China problem.” As we saw in Part II, massive value has been lost to China-based APTs that appear to be linked to both the Chinese military and state-owned enterprises.
Some have advocated such measures as criminal indictments, punishing trade sanctions, changing the terrorism code to allow the seizing of the foreign assets of any companies that benefit from such secrets, or even licensing cyber “privateers” to hack back at such campaigns. The problem is that such concepts ignore the state-linked nature of these campaigns and the politics of what might happen next in the real world. Indicting Chinese generals, seizing Chinese government assets, and authorizing private cyber strikes could take an already poisoned US-Chinese relationship down an escalatory path. Even more, such proposals ignore a crucial dynamic. While most of the corporate victims certainly don't want to be stolen from, they also fear the escalations and worsened tensions these responses would cause more, greatly valuing their access to the broader Chinese market.
Thus, while it certainly sounds appealing to call for “fighting fire with fire,” in both firefighting and cybersecurity it is actually better to try to snuff out the flames. This is where grafting comes back in again. While espionage is not against international law, intellectual property theft is contrary to both broader international laws and, even more important, the rules of the World Trade Organization. The WTO was created in 1995 to help foster international free trade, and China's joining in 2001 was crucial to its own economic boom. This dependency is why US Defense Department expert James Farwell believes that the best response is to change the nature of the game, by targeting the commercial side of cyber espionage in cases under the Trade Related Aspects of Intellectual Property Rights (TRIPS) agreement. “An internationally-recognized ruling, handed down in legal proceedings that found China guilty of intellectual-property theft or infringement, could render it liable for billions of dollars in compensation, expose it to multinational economic sanctions and cause it to be branded a ‘pirate state.’” Even more, Farwell writes, “As a nation whose strategic thinking focuses on playing for psychological advantage, China would find that result uncomfortable.”
Grafting through an international venue, especially one that China values, would also provide a place for China to feel its own grievances can be aired. As we saw in Part II, China also feels it is under cyber siege. The Global Times, a regime mouthpiece newspaper, for instance, has argued that “China should confront the U.S. directly. China should gather, testify, and publish evidence of the U.S.' Internet intrusions.” Well, use of proper forums like the WTO would give the Chinese a place to put these accusations to the test.
These kinds of efforts show how even in the most contentious issues, where there seems to be little basis for agreement on what to do, there are still areas that can yield results. Beyond grafting, another strategic approach is to focus initially on common terms and definitions. For example, there may be wide disagreement on what constitutes an “attack,” but coming to agreement on the definition of certain types of attacks and targets could prove very useful. One study of the United States and China found that mutual agreement on what constitutes “critical infrastructure” might end up making it easier to protect such infrastructure. This is analogous to what happened in nuclear arms control discussions, during which the parties did not always agree, but found common interest in defining and then seeking to limit particular types of weapons that created an incentive to strike first or that destabilized relations, such as missiles with multiple warheads.
There is another important side-benefit to engaging in treaty- and law-building exercises, even at the level of noncommittal discussions. It can concentrate healthy attention on the issue within each government. It allows leaders to understand not just what the other side is thinking but also what their own agencies and communities might be doing and the potential consequences. This is something that most senior policymakers around the world are not sufficiently focused on at present. In the cyber realm, as in life, it is important not just to point a finger, but also to take a long look in the mirror.
As these efforts build over time, more thorny problems should be tackled. The cybercrime convention is certainly a valuable building block, but it really can't be extended to some of the more vexing issues of cyber warfare. For example, the lines of when and how a cyberattack becomes an act of war and who can and should be held responsible for it remain fuzzy. And this gray zone is certainly exploited by some states, such as in the Russian attacks on Estonia. Reaching any kind of international concord on these questions, even at the most basic levels, would reduce the risks of miscalculation and unintended crises.
Facing that issue would also open up a much-needed discussion on whether the existing laws of armed conflict need to be updated for cyberspace, something that nations like the United States, Russia, and China don't yet agree on. But here again, it's not so simple. If the old laws do need to be updated, then where should we start? One key problem to wrestle with is how the current laws assume a strong distinction between military and civilian facilities. For example, if you are flying a bomber plane you can target an enemy's military vehicles, but you are supposed to do your utmost to avoid hitting civilian vehicles and try doubly hard not to hit special vehicles like ambulances. But this distinction isn't so clear-cut in cyberspace, where a network can simultaneously be both civilian and military.
Here too, there might be some hope for at least limited agreement. Nations may not agree on all the various definitions of threats, but expanded treaties might focus on the aspects that are viewed as threats to all. For example, while Russia's proposal to prevent any state use of cyber weapons was a nonstarter, there is an argument to be made “to call Russia's bluff” on where these weapons might be used by states, writes Jordan Schneider, a student of the issue at Yale University. Going after certain targets in cyberspace in a way that threatens not just the intended foe, but could also prove destructive for the entire global community, might be added to prohibited activities. As an illustration, banks don't have an extra special immunity in the old laws of war the way hospitals do. But they may need to be treated as a special case in the virtual side of any new laws. The international financial system is so integrated right now that “All states, save perhaps North Korea, would suffer greatly from the instability which would befall world markets should numbers be shifted in bank accounts and data wiped from international financial servers.”