Cybersecurity and Cyberwar (33 page)

Authors: Peter W. Singer, Allan Friedman

There is an important concept behind all this. Simply writing the treaty will not mean everyone will automatically adhere to it. Indeed, there's never been a law written that someone didn't break. Murder is a crime and yet happens every day. Rather, the strategy is to begin to set common definitions and understandings that can then be used to create norms to shape behavior. Until you establish the baseline of what everyone is supposed to follow, you cannot create incentives and rewards for following them and, in turn, identify and punish those who violate them.

In the end, many of these norms can move forward even if formal treaties aren't actually signed by all. As coalitions of nations form (as in the regional cybercrime treaty) and practices become more and more commonplace (like sharing data on emergent botnets), expectations of what is “normal” and “abnormal” behavior build and these expectations begin to matter. People and businesses no longer pollute the way they did back in the 1960s not simply because it's now against the law, but also because of the dirty looks and loss of brand reputation that now come if you are viewed as antienvironment.

These kinds of informal rules can even be created in darker realms, where good intent or worries about reputation matter less. During the Cold War, for instance, the CIA and the KGB certainly did not trust each other and competed hard to steal each other's secrets. But even these two spy agencies were able to come to certain understandings on how to keep their rivalry from escalating into war (for instance, Russian secret agents couldn't assassinate Americans and vice versa, but it was oddly kosher to kill each other's proxies in places like Nicaragua or Vietnam). Experiences like that lead some to believe that similar “red lines” might be possible in cyber espionage, such as the back and forth that has so poisoned US-Chinese relations in recent years. The two sides might not be happy with the other stealing its secrets, but “There may be ways to get understandings between and among adult nations,” says Michael Hayden, the former director of the CIA.

A linchpin of this agenda of norm building, even in the absence of formal treaties, is to create a concept of greater responsibility for activities that emanate from a network. The idea is that if a universally respected and reliable body like a CERT or CDC informs a network that hostile packets or attacks are coming from it, that network must make an effort to stop the activity, even if the owner of a network didn't intend to send it or the identity of the attacker isn't known. The penalty in this arrangement is reciprocity. If the owner doesn't follow the norm, the other networks in the system no longer owe it the same kind of reciprocal exchanges that allow it to access the Internet smoothly. You violate the norm, you lose the privileges that come with it.

The parallel here is how nations over time were persuaded to take action against money laundering and terrorist financing. As international relations expert Robert Axelrod explains, “This is a market-based policy solution, not a solution requiring an enforcement body. Over time, as more and more backbone providers adopt the norm, it dries up the swamp of sanctuaries for bad behavior.” Axelrod adds that it might be a particularly useful mechanism for dealing with the thorny US-Chinese cyber relationship, “since it means we can ‘work with Beijing’ to stop intrusions while not getting them on their hind legs by directly accusing them of the intrusions.”

The appeal of this strategy is that, historically, even the actors that are initially loath to sign onto any formal treaties or agreements become more and more engaged with the underlying norms over time. As the rules spread and nonsignatories can't help but engage in the process, countries start to internalize the logic of cooperation. That is, they begin to act like rules are there, even if there are no formal rules agreed upon.

As this potential system of written and unwritten rules builds out, it will face the final, real test. If we can get international treaties and norms to cover issues of cyberattacks and digital attribution, can we also get them to cover the truly important problems, like the people who currently post more than one hundred years' worth of Rick Astley songs and cat videos onto the Internet each day?

Understand the Limits of the State in Cyberspace: Why Can't The Government Handle It?

Toward the end of the Middle Ages, a new technology changed the world by spreading knowledge and communication to the masses. But like the Internet today, the printing press back then also spread disorder, sparking the Reformation and then a series of long wars that left Europe devastated and over eight million dead. Through this period, the governing structures of the old world, such as empires, confederations, and dukedoms, found that they couldn't keep up. In a process that crystallized at the 1648 Peace of Westphalia, the modern bureaucratic nation-state took over. Each nation's sovereignty was embodied by a government that monopolized legitimate force within its borders and ensured that the national economy ran smoothly, setting up everything from national currency to taxes.

The governments of today's world are largely creations of these centuries past. The challenge is that much like the dukedoms and empires of old, the state as we once knew it is having a hard time keeping up with new actors and new technologies. Whether it's the rise of transnational threats like terrorism, the global financial crisis, climate change, and now cybersecurity, states are finding it difficult to control what happens within their borders as well as solve the new generation of global issues, where what happens beyond their borders is far more important.

In cybersecurity matters, the very structure of the Internet can work against the state. The diffuse and virtualized makeup of cyberspace means that there are real limits to the power of the state, which is traditionally derived from its control of a certain piece of territory. The Pirate Bay, for example, is a website that posts links to BitTorrent files, which are used for peer-to-peer sharing of large data. The problem is that many (if not most) of these files are supposed to be protected by copyright laws, traditionally written by and enforced within individual states. The Pirate Bay does not host the content itself, but merely links to files hosted by users throughout the world. Still, the legitimate owners of the copyrighted materials have repeatedly gone after The Pirate Bay. In response, The Pirate Bay moved both its physical servers and its domain, staying one step ahead. Initially, it shifted to Sweden (and the address changed from .com to .se), since Sweden did not have legal provisions for seizing domain names. When matters got tense in Sweden, The Pirate Bay shifted to a dynamically distributed system around the world. This meant that no one government could seize the contents of the website or the structure behind it.

It is not that governments are powerless. Indeed, many of the people involved in The Pirate Bay project have been arrested, and four were sentenced to short jail sentences. But again, the structure and norms worked against the state in its goal of control. After the arrests, a growing group of international volunteers stepped in to continue to manage the site.

Sophisticated actors with resources can play a fairly long game of whack-a-mole with governments, even in the face of determined foes and international cooperation. Perhaps the WikiLeaks case best illustrates what governments can and can't do. As we saw in Part II, American politicians reacted with horror to the documents released by the transparency website. Vice President Joe Biden labeled WikiLeaks head Julian Assange a “high-tech terrorist,” while others wanted him labeled an “enemy combatant,” to be jailed in Guantánamo Bay prison without traditional due process. Likewise, under pressure from the US government and its allies, a number of private companies began to sever ties with WikiLeaks, hampering its ability to operate. Visa, MasterCard, and PayPal, for instance, suspended payments, preventing their customers from supporting the organization through the traditional channels.

These actions, though, again showed both the strength and the limits of state power. Assange was detained, but not by the United States, was not placed at Gitmo, and was not prosecuted for the supposed crimes the government was so angered by. Similarly, WikiLeaks quickly announced a new wikileaks.ch domain registered in Switzerland, resolving to an IP address in Sweden, which in turn redirected traffic to a server located in France but registered in Australia. The organization still exists and now accepts donations through a range of sources, including traditional credit card brands routed through the French advocacy organization Defense Fund Net Neutrality, which is less vulnerable to outside pressure, as it uses the very tools of the state against state blackmail (it routes donations through the French national banking system).

Ultimately, the power of the state is territorially linked, which means it is most effective where it can lash up to the physical side of the Internet. While determined, technically sophisticated organizations can often hide behind the jurisdictional ambiguity of the Internet, any that have a physical presence run the risk of playing on the state's home turf. It is through the physical and financial assets that can be seized, the offices that can be closed, and the individuals who can be harassed or imprisoned, that governments are able to exert their power. A good example of this is the series of Internet search companies that have agreed to remove references to the 1989 protests in Tiananmen Square, so that they could maintain business offices in China.

But territoriality is not the only issue that matters for states. Another key characteristic is how private actors control most of the cyberspace infrastructure. Since the privatization of the Internet backbone, the “pipes” through which data flow belong to private actors. These national and international connections are regulated, but many of them enjoy much more freedom than their telephonic ancestors. This dependence on private networks even includes traffic of the most critical national importance. Former US Director of National Intelligence Admiral Michael McConnell estimated that “98 percent of U.S. government communications, including classified communications, travel over civilian-owned-and-operated networks and systems.”

While many countries have sought to control the gateways between their country and the global Internet, its very structure means that they cannot segregate civilian from military or government. As we saw, this is not only relevant in terms of the ethics of offensive cyber operations, but it also means that states have a very difficult time getting the system to mold to their preferences. For example, in the old days the government could prioritize which phone calls would get through in a time of crisis. Today, in a world of Internet packet-based communication, a president's e-mail gets no more priority than a video of a baby dancing to “Gangnam Style.”

This arrangement creates a crucial ensuing dependency for cybersecurity. Governments depend on private industry for almost every component of their information infrastructure. But this also means that states rely on private industry to take on their shared responsibilities in securing this world.

For example, in Part I, we read about the failed hunt for the makers of the Conficker worm, who had created the world's largest botnet. All the powers of all the world's states could not run down the makers, even though they had penetrated networks that ranged from the British Parliament to the French Air Force. And yet equally compelling to the story of states being sidelined is the story of Conficker's mitigation. A global group composed of representatives of private business as well as a range of volunteers, known as the Cabal, assembled to coordinate a countereffort. They ultimately were able to stymie the Conficker botnet by steering messages from the compromised computers in more than 160 countries into a safe “sinkhole.”

While the dynamic nature of the Cabal is held up by some as a success, the lack of a government role at its center is telling. Indeed, in a lessons-learned report drawn up by the group, the government role was summed up as “Zero involvement, zero activity, zero knowledge.”

And yet, is it all that surprising that neither the US military nor FBI was central to the mitigation of Conficker, given that it was really about identifying a vulnerability in a Windows operating system and then developing and distributing the patch? That's a job for Microsoft and its customers, not for the government.

There are some who believe that these very limitations and dependencies mean that the government's “zero involvement, zero activity, zero knowledge” role in the Conficker case is actually optimal. However, this ignores the reasons that we have governments in the first place, and, in turn, the responsibilities these governments owe to their citizens. The government must secure its own virtual systems in cyberspace that allow it to conduct its real-world operations of defense, communication, and so on. In turn, government can't simply ignore the security of the systems its citizens depend on, such as power generation, water treatment, hospitals, and other sectors. Indeed, even before the advent of the Internet, such sectors were more heavily monitored and regulated than the rest of the economy, reflecting their disproportionate social impact. The same should hold true today.

The challenge for governments is to understand how to foster information security without trying to fight the Internet's architecture and undermining the very benefits of cyberspace. States certainly shouldn't ignore their roles or responsibilities to their citizens, but they must also recognize the structural limitations of their power. Governments have valid concerns, but they no longer have direct control over most of the key sectors, as they are largely in private hands.

Cybersecurity is not a realm where the state can simply take over. Nor can it have “zero involvement” or “zero activity.” In finding the right balance, the most important strategy is attacking the third problem, the mentality of “zero knowledge” about the basic issues and responsibilities of cyberspace that we too often see in both the public and the private sectors.
