My colleague Dr. Greg Austin and I wrote a short discussion paper titled “Cybersecurity: Crime Prevention or Warfare?” for the 49th Munich Security Conference, which took place this February in Munich, Germany. We identified some of the top challenges pertaining to cybersecurity and outlined six policy action ideas. Given the recent revelations about the Chinese Army Unit 61398, I thought I would share some of our ideas.
Combating cyber crime
1. Lack of sharing of data on the nature, source and impacts of significant attacks at the operational and strategic level. In October 2012, the European Union published the first internationally standardized reporting on cyber crime intended to be applied to timely operational response. This EU publication is based on an evolving procedure for confidential reporting of cyber incidents to a trusted, independent intergovernmental entity. The nature and timing of these policy innovations reflect the very weak state of information sharing, both on the international and national levels, whether for an immediate response to prevent or stop an attack or for longer-term strategic planning.
2. Lack of consensus on legal frameworks for combating cyber crime. There are big political divides in the international community on many aspects of cybersecurity. Russia and China are not willing to join the Budapest Convention on Cybercrime – the first international treaty to address computer and Internet crimes – on the grounds that the adoption of the treaty in its present form would violate their sovereignty. India has a critical constitutional problem that prevents it from signing the convention despite its inclination to cooperate with the West on key cybersecurity issues. The Council of Europe extended an invitation to India in 2009. The treaty aside, the practical application of existing international police cooperation (through Interpol or other mechanisms) and judicial cooperation (through extradition) is very weak and colored by political differences.
3. Early take-up by criminals of rapidly emerging technologies. A number of governments have not sought to prosecute organized crime networks that traffic in malware and hacking services as the size of the black market for these is increasing. Online hacking businesses appear to be emerging, with hackers selling their services to the highest bidder in a public manner, rather than just using known criminal associates. The increasing number and sophistication of cyber incidents puts great burdens on national police/justice systems and their international relationships. The development by India of special cyber courts and the gradual implementation by China of a policy of registering user identities may be important advances in this regard. Cooperation between the national CERTs of China, Japan and South Korea against patriotic hackers is an interesting precedent, as is the work of the Asia Pacific CERT (APCERT) and that of other regional organizations (EU and OIC).
Promoting strategic stability while preparing for cyber conflict
1. Strategic stability in cyberspace has been a low priority of governments. Most states have been preoccupied with defending against attacks, and some have been more concerned with the race to the technological frontiers, seeking to secure military advantages in cyberspace. There have been no active official forums working through the military-strategic issues of cyberspace in many key relationships (U.S.-China, India-Pakistan, Israel-Iran-GCC). With a few exceptions, the multilateral fora have been slow to adapt to the military security needs. The Collective Security Treaty Organization (CSTO) and the North Atlantic Treaty Organization (NATO) have made advances in computer network defense but have not fully addressed some of the bigger strategic aspects of cyberspace. The United States and Russia are reportedly working towards agreement on some cyber policies and China and the United States have agreed to talks broadly on the theme of military aspects of cybersecurity. There has been an astonishingly low level of public attention paid by governments to the implications of the use of Stuxnet. That type of attack appears to be just what U.S. Secretary of State Hillary Clinton had in mind when she declared on January 21, 2010: “Countries or individuals that engage in cyber attacks should face consequences and international condemnation.” She gave a very good reason: “In an interconnected world, an attack on one nation’s networks can be an attack on all.” She said that taking this position would help “create norms of behavior among states and encourage respect for the global networked commons.”
2. As a result of the low priority accorded by governments to strategic stability in cyberspace, there has been little attention to the impact of military cyber policies on these strategic relationships. For example, military-related exploitation of cyberspace has undermined many of the diplomatic gains in the U.S.-China relationship, with some leading Americans extending their public criticism of China from human rights abuser to state sponsor of intellectual property theft through cyber means. For its part, China sees U.S. and European attitudes to Internet-based rights advocacy against Chinese government interests with deep hostility. In this environment, there has only been a weak understanding of the international cyber interdependencies and how these affect strategic deterrence. There is little consensus on the technical aspects of strategic stability in cyberspace even as leading powers race to develop new military uses of cyberspace. The work of the Group of Governmental Experts in the United Nations has been useful, but it is moving too slowly and is hardly representative of either all key stakeholders or all key issues.
3. The knowledge and stakeholder base relevant to strategic policy for cyberspace is fragmented in most countries into several groups, and even within these groups in some countries. There is the traditional strategic and diplomacy community (foreign affairs and defense), the technical specialists in signals intelligence and related fields, internal security agencies, law enforcement, emergency response, and then the very big category of the national and increasingly multinational private sector. The majority of countries are not capable of keeping up with advances in warfare in the information age through the traditional means of “arms purchases.”
Six Big Policy Action Ideas
Combating cyber crime
1. A Trusted Entity for Statistical Data Collection: There are dozens of public- and private-led cybersecurity data distribution forums in existence already, but the number, scope, and diversity make for a complex environment where sharing information in an operationally-significant timeframe is very difficult. We lack the tools to measure the scope of security breaches around the world. Despite massive spending on cybersecurity, we do not really know how bad the situation is or whether countermeasures are having enough of an impact to turn the tide. We propose the creation of a private sector-led trusted entity to aggregate voluntarily submitted statistical data. The main focus here should be on collecting enough statistical data to start objectively quantifying where we are and tracking progress or backsliding over time.
2. An international action plan against the “most wanted” cyber criminals: On the assumption that political differences preventing harmonization of legal systems will persist for many years, leading states (perhaps at G20 level but building on the G8 Working Group on High Tech Crime) should commit to a detailed action plan that has as its aim the arrest and prosecution of an agreed top ten list of most wanted cyber criminals. Such a process may need to be worked out in practical terms at the bilateral level, but the notion that all states must be accountable for bringing cyber criminals to justice requires widespread acceptance. The biggest deterrent against crime is punishment of the offenders.
3. An international process for standardization of procedures and exchange of information among national and regional CERTs and other first responders. States must commit politically to the creation of an effective international network of CERTs all operating according to common standards. Existing capacity building initiatives in regional CERTs (SCO, OSCE, EU, OIC) need to be conducted within a framework of some basic global standards. This can help counter the growing sophistication of international cyber crime, but it may also serve as a “technical” substitute for treaty arrangements on cyber crime.
Promoting strategic stability while preparing for cyber conflict
1. There needs to be an explicit commitment by states to strategic stability in cyberspace within the framework of a fully articulated foreign policy and national security doctrine at the national level and this has to be grounded in a series of overlapping bilateral and multilateral understandings, including within alliances. A December 2012 authoritative study by the Cyber Conflict Studies Association, “Addressing Cyber Instability,” concluded that “the cyberspace domain is inherently unstable;” that “The current strategic cyber environment is marked by an inability to establish credible deterrence;” and that these conditions are “getting worse.” It said that Stuxnet is seen as the “new pinnacle of cyber threats.” It could be argued that countries have an obligation to redefine deterrence through talks with others, based on their specific military situations. This means adversarial pairs of countries or alliances that see themselves as involved in some military competition: U.S.-China, U.S.-Russia, NATO-Russia, India-Pakistan and Israel-Iran-GCC. Such strategic stability, however, is not confined to the military sphere and the discussion should include legal limits on cyber warfare, such as protection of innocent civilians.
2. Parliaments, business leaders and specialists in individual countries should undertake studies of the impact of their national military activities in cyberspace on their relationships with key allies, partners, competitors and/or adversaries. Such studies should be published and widely debated. Such studies would be a building block for the discussion foreshadowed in the paragraph above, and they would serve a wider purpose related to democratic consent, policy review and supervision, and – more simply – establishing a baseline of knowledge for all stakeholders. There are many theoretical studies in the public domain that don’t name countries, but there are few (if any) public studies of the impact of the military cyber policies of the United States on Chinese strategic policy, or vice versa. There are a number of studies on the impacts of cyber espionage, but few that address the impact on strategic stability, except in alarmist and simplistic terms.
3. Governments, research organizations and NGOs need to foster the emergence of more Track 2 processes on strategic cyber issues. This will have the effect of building a globally connected and globally oriented community, and encourage more consistency of cyber policy on the national level. This should also help to address weak capacities of most states when it comes to the military strategic aspects of cyberspace. On the one hand, this recommendation may appear superfluous because there is a global community of specialists around cyber technologies. In spite of that, however, there is not a strongly international community of specialists around military uses of cyberspace. The aim of creating a global community of specialists is not to imply automatic agreement or shared national interests, but it does imply a shared set of concepts and terminology and a common understanding of material facts.